Compliance as Code — SOC 2 / ISO 27001
licit as the central compliance tool: provenance, changelog, FRIA, Annex IV, and monthly evidence bundle.
Architecture diagram
Context
licit is the central compliance tool. It generates monthly evidence bundles for SOC 2 and ISO 27001 audits by combining provenance, security, and regulatory documentation.
Flow with 4 tools
⬡ Phase 01 — licit
Complete compliance
Full compliance flow: trace, changelog, FRIA, Annex IV, report, gaps, verify.
⬡ licit
licit init
licit trace
licit changelog
licit fria
licit annex-iv
licit connect vigil --sarif vigil.sarif
licit report --format html
licit gaps
licit verify --min-score 80
◇ Phase 02 — vigil
Security evidence
SARIF as evidence for audits.
◇ vigil
vigil scan src/ --format sarif --output vigil.sarif
Why licit is critical here
For SOC 2 audits: provenance answers who wrote this code, the vigil SARIF output documents vulnerabilities, the changelog shows agent controls, and FRIA/Annex IV meet the legal requirements.
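As an added illustration of how a SARIF scan log becomes audit evidence (example code written for this page, not licit's or vigil's own implementation): a small Python reducer that takes a constructed SARIF 2.1.0 document in the shape vigil is described as producing, tallies findings by severity and by rule, lists the affected file:line locations, and applies a policy gate on error-level findings. The rule ids and file paths are constructed for the example.

```python
import json
from collections import Counter

# Constructed minimal SARIF 2.1.0 log standing in for vigil.sarif (not real tool output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "vigil", "rules": [
            {"id": "SQLI-001", "shortDescription": {"text": "SQL injection"}},
            {"id": "HARDCODED-SECRET", "shortDescription": {"text": "Hard-coded credential"}},
        ]}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "HARDCODED-SECRET", "level": "warning",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/config.py"},
                                                 "region": {"startLine": 7}}}]},
            {"ruleId": "SQLI-001", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api.py"},
                                                 "region": {"startLine": 88}}}]},
        ],
    }],
})


def summarize_sarif(sarif_text: str) -> dict:
    """Reduce a SARIF log to what an auditor asks for: totals by severity,
    findings per rule, and the affected file:line list (the evidence itself)."""
    doc = json.loads(sarif_text)
    tool = "unknown"
    by_level, by_rule, locations = Counter(), Counter(), []
    for run in doc.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", tool)
        for res in run.get("results", []):
            level = res.get("level", "warning")  # SARIF default when level is omitted
            by_level[level] += 1
            by_rule[res.get("ruleId", "unknown")] += 1
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "?")
                line = phys.get("region", {}).get("startLine", 0)
                locations.append(f"{uri}:{line}")
    return {"tool": tool, "by_level": dict(by_level),
            "by_rule": dict(by_rule), "locations": sorted(locations)}


def passes_gate(summary: dict, max_errors: int = 0) -> bool:
    """Evidence-bundle gate: fail when error-level findings exceed the policy threshold."""
    return summary["by_level"].get("error", 0) <= max_errors
```

The gate mirrors the idea of a minimum-score check before a bundle is accepted; the threshold here is an assumed policy value, not a licit setting.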