Compliance · at design time

Compliance becomes a derivative of the architecture.

Regulatory evidence shouldn't be reverse-engineered from code at audit. In the chain, the rules are present while the design is made — so the audit isn't a project, it's a projection of what the architecture already knows.

audit-readiness cycle
4–6 mo → 30 hr
rule packs · HIPAA, SOC 2, HITRUST, PCI-DSS, FDA
5
evidence derived from the architecture
100%

The shift

Compliance is no longer a frame around the work. It's load-bearing inside it.

Bolted on at audit
  • Compliance enters six months after launch.
  • Auditors reverse-engineer the design from code.
  • Evidence is a retrofit project — slow, manual, costly.
  • A drift becomes an incident, then a finding.
Designed in
  • Rules are present while the decision is made.
  • The architecture carries its own provenance.
  • Evidence falls out of the chain — a projection.
  • A drift is flagged before it reaches production.

Two products carry it

Codex

The rule layer

Carries regulatory knowledge as versioned rule packs, distributed by signal + fetch and available at design time. Rules are applied to the spec, the behavior, and the tests — not checked after the fact.

versioned packs · pack hierarchy
canary promotion · ACL-wrapped

Proof

The verification

Verifies that the implementation conforms to what was designed — structural, behavioral, and schema conformance, checked against the assertion corpus. It surfaces every drift, and answers "did the decision survive?" with a proof.

structural · behavioral · schema
violations surface — never block

The chain remembers which rules applied to which decision — forever.

Take a single decision — split inventory by region. Data residency isn't a feature; it's a regulation, a posture, a contractual obligation. Codex applies each rule to the decision and records it. When the SLA and the residency policy disagree, the conflict is surfaced for resolution, not silently resolved.

Regulatory rule packs

  • HIPAA

    Health data privacy & security

  • SOC 2

    Trust services criteria

  • HITRUST

    Common security framework

  • PCI-DSS

    Payment card data security

  • FDA

    Regulated software controls

delivered by signal + fetch · versioned · canary-promoted

The governing principle

Violations surface. They never block.

Proof is an assurance surface, not a gate. You execute as you choose; the chain tells you exactly where you've drifted from the design — with the lineage to fix it. A flagged edge case that would have been a compliance incident is caught before it ships, not after.

  1. PASS

    EU residency — 100% of personal data within EU shards

    vs decision

  2. DRIFT

    cross-region audit emission — 4 events missing subject metadata

    SOC 2 · queued

  3. FLAG

    dual-region records exhibit conflict-resolution drift

    caught by Facet

Run an audit-readiness pilot.

We run a real regulatory surface against your domain and show you the evidence falling out of the architecture — in hours, not months.