Build to the regulation. Ship the receipt.
A compliance pack is a versioned bundle of (recipe.json, evidence.md, dpia.md, mrm.md, controls.md). It encodes what your auditor will ask, what the K-score gate must enforce, and what the signed receipt must carry. One file your security review can read end-to-end.
HIPAA Safe Harbor
PHI redactor across 18 §164.514(b)(2) identifier categories. Two-hour onboarding from clone to signed artifact.
Fed SR 11-7
Model risk management for transaction classification. Schema-validated outputs, MRM doc maps to development / validation / governance.
SOX-lite ITGC
Disclosure-statement classifier. COSO ITGC test points mapped to receipt fields: change management, access, ops.
From clone to signed artifact in two hours.
The fast path for a health-plan or claims-processing team that needs an on-device PHI redactor with a defensible evidence binder. Synthetic seed corpus ships with the pack; bring your own labeled data when you have it.
Two-hour path
- 00:00. init. kolm init --pack hipaa-phi-redactor scaffolds kolm.yaml, the synthetic seed corpus, the verifier, and the audit-log shape.
- 00:05. data. Drop your own labeled examples into examples/ or skip and use seeds. The 18 Safe Harbor categories are pre-mapped to [NAME], [MRN], [SSN], [PHONE], [EMAIL], [GEO], [DATE], [ACCT], [POLICY], [URL], [IP], [VIN], [DEVICE].
- 00:30. compile. kolm compile. Pattern path runs in seconds; the LoRA-tier upgrade takes ~45 minutes on a single A10. Gate fires at K-score 0.92.
- 01:30. sign. kolm sign --credential emits the kolm-credential/0.1 provenance credential and signs the artifact body with HMAC-SHA256.
- 01:50. inspect. kolm inspect dist/phi-redactor.kolm --verify on. Receipt body verifies, CID round-trips, credential signature checks. Hand the binder to security review.
The reference build under apps/showcase/healthcare/ is reproducible byte-for-byte: rebuild on your machine and the CID matches.
evidence.md includes scope language you can paste into your DPA.
Pack: data/compliance-packs/hipaa-phi-redactor/. Base model: Qwen/Qwen2.5-3B-Instruct. Files: recipe.json, evidence.md, dpia.md, mrm.md, controls.md, examples/seed.jsonl.
Schema-locked outputs your validators can replay.
For transaction or counterparty classification under Fed SR 11-7 / OCC 2011-12. Every output is validated against a JSON schema before it leaves the runtime. The MRM doc maps to the three SR 11-7 components: model development, validation, governance.
What the pack enforces
The verifier rejects any output that doesn’t carry category, amount, currency, confidence. The flags array is an enum: aml, ofac, structuring, high-risk-geo, pep, fraud-likely. No free text in the structured fields. Validators replay receipts against the captured schema; the schema CID must match the live runtime, or the call is rejected.
The MRM doc walks each SR 11-7 component with the kolm artifact as evidence:
- Model development. recipe.json + training set hash + base model CID + K-score breakdown.
- Model validation. Held-out eval set + verifier code + K-score gate logs.
- Model governance. Credential signer + receipt chain + rollback artifact CIDs.
Pack: data/compliance-packs/finance-sr11-7/. Output schema: category: string (enum); amount: number; currency: string (ISO 4217); confidence: number 0..1; flags: array of enum.
Files: recipe.json, evidence.md, mrm.md, controls.md, schema.json, examples/seed.jsonl.
Disclosure classification with a receipt chain auditors can walk.
Routes statements in 10-K / 10-Q filings into forward_looking / historical / risk_factor. Each call emits an HMAC-chained receipt. The controls.md doc maps COSO ITGC test points directly to receipt fields a SOX auditor will look for.
COSO ITGC test points → receipt fields
Three IT general control areas, each mapped to one or more concrete receipt fields:
- Change management. The artifact CID + manifest.hashes are the immutable evidence of what was in production at any given time. Re-derive the CID from the on-disk artifact; if it doesn’t match the receipt, the change wasn’t logged.
- Access. credential.signer identifies the principal that signed the deployment. The credential schema binds signer + artifact + CID + signed_at.
- Operations. receipt.chain is the per-call HMAC-SHA256 chain. Any tamper invalidates the chain locally; auditors can replay a sample against the host secret.
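How a per-call HMAC-SHA256 receipt chain like the one under Operations can be emitted and replayed against the host secret, as an added illustration that is not kolm's code: the receipt field names, the genesis value and the sample call bodies are constructed assumptions, not the kolm receipt format.

```python
import hashlib
import hmac
import json

# Constructed illustration of a per-call HMAC-SHA256 receipt chain. The
# "body"/"prev"/"chain" layout and the all-zero genesis value are assumptions
# made for this example, not the kolm receipt format.
GENESIS = "0" * 64  # chain value before the first call


def canonical(body: dict) -> bytes:
    """Deterministic JSON encoding so emitter and verifier MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def link(secret: bytes, prev: str, body: dict) -> str:
    """Chain value for one call: HMAC-SHA256(secret, prev_chain || canonical(body))."""
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    mac.update(bytes.fromhex(prev))
    mac.update(canonical(body))
    return mac.hexdigest()


def emit_receipts(secret: bytes, bodies: list) -> list:
    """Wrap each call body in a receipt that points at the previous chain value."""
    receipts, prev = [], GENESIS
    for body in bodies:
        chain = link(secret, prev, body)
        receipts.append({"body": body, "prev": prev, "chain": chain})
        prev = chain
    return receipts


def verify_chain(secret: bytes, receipts: list):
    """Replay a sample of receipts with the host secret.

    Returns (True, None) when every link checks, otherwise (False, i) where i is
    the first receipt whose prev pointer or chain value fails. An edited body,
    a dropped receipt, a reordering, or the wrong secret all surface here.
    """
    prev = GENESIS
    for i, r in enumerate(receipts):
        if r["prev"] != prev:
            return False, i
        expected = link(secret, prev, r["body"])
        if not hmac.compare_digest(expected, r["chain"]):
            return False, i
        prev = r["chain"]
    return True, None
```

The auditor-side check is verify_chain alone; it needs the host secret, a contiguous sample of receipts, and nothing from the emitting runtime.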
Pack: data/compliance-packs/sox-lite/. Labels: forward_looking, historical, risk_factor.
Files: recipe.json, evidence.md, controls.md, examples/seed.jsonl.
Bring your own framework.
The three packs above are starting points. A compliance pack is just files in a directory: copy any of them, retarget the verifier and the K threshold, write the evidence doc your reviewers want, and ship. The contract is the artifact, the K-score gate, and the signed receipt; the framing on top is yours.