Compliance Module
The compliance module is an append-only audit-event log with a WORM-anchored Merkle chain and async export, designed for SOC2 Type 1 walkthroughs. The module records every security- and policy-relevant action, drains these events through a single-writer hash chain into Aurora, anchors chain heads every 15 minutes into an S3 Object Lock bucket, and exposes a read API and an admin browse UI, plus an async CSV/NDJSON export pipeline.
Where to read
| Doc | Audience | Read when |
|---|---|---|
| Overview | Anyone new to the module | You need the 5-minute version |
| Architecture | Developers, auditors | You need to see how the pieces connect |
| Operator runbook | Operators | You need to do something to the running system |
| Auditor walkthrough | Auditors, operators preparing for SOC2 | You need to demonstrate compliance to a third party |
| Developer guide | Developers extending the module | You need to add a new event type or wire a new emit site |
| On-call notes | On-call | An alarm fired |
| Changelog | Anyone tracing history | You need to know which PR shipped which capability |
Master plan
docs/plans/2026-05-06-011-feat-compliance-audit-event-log-plan.md is the canonical record of the 11-unit master arc that produced the module.
Maintenance
Append a row to the changelog when shipping new compliance work. The other docs are updated at the cadence at which the master arc evolves; the operator runbook and on-call notes especially benefit from quarterly review against the alarms that actually fired in production.