The 40 rails

Multi-framework compliance lifecycle.

Framework dictionary CRUD.

Cross-framework crosswalks.

Evidence packs + regulator-shaped reports.

Deterministic agent catalogue + invocation. Roster is the canonical @regunav/engines agents-catalog.

Roles, RACI, approver chains.

Platform self-monitoring.

Vendor due-diligence surface.

Consultants onboarding clients.

Demo-tenant seeding.

Industry-specific framework bundles.

Tenant setup, framework activation.

Upload customer policies → cross-mapped to frameworks.

Append-only WORM event log.

Customer-side compliance audits.

Content-addressable taxonomy of all compliance nouns. Bundle-hash pinned per tenant for replay.

Tenant-level risk navigator. Combines risk-scoring, vendor-risk, obligation-tracker, drift signals, and policy/handbook gap analysis into a composite view with top-N actionable risks.

Governance rail — RACI matrix, decision rights, multi-step approval chains, board-decision log, delegation register, conflict-of-interest register. Maps ISO/IEC 42001 §5 + §6 + EU AI Act Art. 26.

SSOT catalogue of 20 stock compliance workflows (DSAR-30d, AI-incident-Art-73, vendor-DDQ, ISO 42001 internal audit, FRIA-on-deploy, GPAI Art-53 summary, etc.) with SLAs, RACI, evidence outputs, billability.

Drift events from the regunav-reconciler Worker — declared infrastructure + CC installation state vs actual state, every 5 min. Banking-grade auditable: WORM hash-chained to D1 audit_events.

Canonical event-index rail. POST /v1/events emits a row that must conform to packages/manifests/src/event-index-schema.json (14 typed fields). GET /v1/events filters by time/tenant/source/kind/phase/severity/actor/entity/action. Owns the index storage, routes to event-agents, runs the 7 reconciler-covers-events drift checks, enforces Amendment 2 latency budgets. Single source of truth for 'what happened, when, to what, by whom'.

Workspace + Team + Principal management.

In-app, email, Slack, MS Teams notifications.

GDPR Art 15-22 Data Subject Access Requests.

Explicit risk register with treatment plans.

Customer policy versioning + lifecycle.

Third-party AI vendor scoring + procurement.

EU AI Act Art. 4 AI-literacy register. Tracks staff training completions per module + framework.

Regulator-shaped incident-notification workflows. EU AI Act Art. 73 + GDPR Art. 33 + DORA Art. 19 + NIS2.

EU AI Act Art. 53(1)(c) GPAI training-data summary disclosure surface for foundation-model providers.

Adversarial-testing rail. EU AI Act Art. 15 robustness + GPAI Art. 55 systemic-risk evaluations. Drives the red-team-evals engine.

Public read surface for the ReguNav Compliance-to-Architecture Framework™ v0.1. The 8-layer ontology (Authority → Obligation → Control → Evidence → Architecture → Policy-as-Code → Audit-Trail → AI-Governance) machine-readable across every populated framework.

Auto-label artefacts (policies, standards, vendor docs, evidence, reports) with frameworks/clauses/obligations/controls/jurisdictions/risk-class/severity/freshness so they're searchable + filterable across the entire platform. Drives the metadata engine.

Native zero-dependency BM25 full-text + faceted search.

AI procurement + buyer-side compliance.

Cyber + AI liability insurance integration.

EU AI Act Art 50 + Art 53 GPAI public summaries.

Legal hold + eDiscovery integration.

EU AI Act Art 87 whistleblower protections.

Specialist marketplace.