AI-powered compliance drift detection agent with guided remediation and full OpenTelemetry observability. Watch a simulated scan against PCI-DSS v4.0 policies.
Interactive demo with mock data
$ python3 -m agent.main --policy pci-dss-v4.yaml
Container running as root user
PCI-DSS v4.0 Req 6.3.2 — web-app container runs as UID 0. Attack scenario: container escape grants host-level root access.
Sensitive data in environment variables
PCI-DSS v4.0 Req 3.5.1 — DATABASE_PASSWORD exposed as plaintext env var. Risk: credential leak via process listing.
TLS not enforced on API endpoint
PCI-DSS v4.0 Req 4.2.1 — api-gateway exposes port 8080 (HTTP) without TLS termination.
No resource limits configured
PCI-DSS v4.0 Req 6.3.2 — web-app container has no CPU/memory limits. Risk: denial of service via resource exhaustion.
Image pulled from untrusted registry
PCI-DSS v4.0 Req 6.3.1 — db container uses postgres:latest from Docker Hub without digest pinning.
Health check endpoint not configured
PCI-DSS v4.0 Req 10.7 — web-app container has no liveness or readiness probe.
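The five container-level findings above can each be expressed as a static check on a workload spec. The sketch below is an added example, not ComplianceGuard's own code: the rule ids, the Kubernetes-style spec layout and the sample pod are constructed assumptions, only container-level securityContext is inspected, and the requirement numbers are the ones cited in the findings.

```python
import re

# Constructed sample shaped like a Kubernetes pod spec (not data from the demo).
SAMPLE_POD = {"containers": [
    {"name": "web-app",
     "image": "registry.example.internal/web-app@sha256:" + "a" * 64,
     "securityContext": {"runAsUser": 0},
     "env": [{"name": "DATABASE_PASSWORD", "value": "constructed-secret"}]},
    {"name": "db",
     "image": "postgres:latest",
     "securityContext": {"runAsUser": 999, "runAsNonRoot": True},
     "env": [{"name": "POSTGRES_PASSWORD",
              "valueFrom": {"secretKeyRef": {"name": "db", "key": "pw"}}}],
     "resources": {"limits": {"cpu": "1", "memory": "1Gi"}},
     "livenessProbe": {"tcpSocket": {"port": 5432}}},
]}

# Hypothetical rule ids mapped to the requirement numbers the page cites.
RULES = {"runs-as-root": "6.3.2", "plaintext-secret-env": "3.5.1",
         "no-resource-limits": "6.3.2", "image-not-pinned": "6.3.1",
         "no-health-probe": "10.7"}
SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|API_?KEY", re.I)
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

def scan_container(c):
    """Return sorted rule ids violated by one container spec."""
    hits = set()
    sc = c.get("securityContext") or {}
    uid = sc.get("runAsUser")
    # UID 0, or no UID and nothing forcing non-root (image default may be root).
    if uid == 0 or (uid is None and not sc.get("runAsNonRoot")):
        hits.add("runs-as-root")
    # A literal "value" on a secret-looking name is plaintext in the manifest.
    if any("value" in e and SECRET_NAME.search(e.get("name", ""))
           for e in c.get("env") or []):
        hits.add("plaintext-secret-env")
    limits = (c.get("resources") or {}).get("limits") or {}
    if not {"cpu", "memory"} <= set(limits):
        hits.add("no-resource-limits")
    if not DIGEST.search(c.get("image", "")):
        hits.add("image-not-pinned")
    if not (c.get("livenessProbe") or c.get("readinessProbe")):
        hits.add("no-health-probe")
    return sorted(hits)

def scan_pod(pod):
    """Map container name -> list of (rule id, PCI-DSS requirement)."""
    return {c["name"]: [(r, RULES[r]) for r in scan_container(c)]
            for c in pod.get("containers", [])}
```

Calling scan_pod(SAMPLE_POD) reports four findings for web-app and only the unpinned image for db, since db sets a non-root UID, reads its password from a secret reference, and declares limits and a probe.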
The MCP server exposes remediation tools that Claude can call conversationally. Every action follows a dry-run → approve → apply → verify workflow.
Every agent run emits distributed traces, metrics, and logs via OpenTelemetry. The trace waterfall shows exactly where time and tokens are spent across the pipeline.
ComplianceGuard Agent (OpenTelemetry SDK)
│ OTLP/gRPC
OTel Collector
│
├── traces → Grafana Tempo
├── metrics → Prometheus
└── viz → Grafana (dashboards + trace waterfall)
Metrics exported to Prometheus, tagged by model. Classification stage dominates runtime — sequential Claude API calls are the optimization target.