mova-compliance-audit
> **Contract Skill** — A ready-to-use MOVA HITL workflow. Requires the `openclaw-mova` plugin.
# MOVA Compliance Audit
Submit an organization's documents to MOVA for automated regulatory compliance audit — with framework-specific rule matching, a structured findings report, and a mandatory human sign-off gate backed by a tamper-proof audit trail.
## What it does
1. **Document ingestion** — OCR extraction and structure parsing from uploaded file or URL
2. **Rules engine check** — automated evaluation against the selected regulatory framework (GDPR, PCI-DSS, ISO 27001, SOC 2)
3. **Findings report** — checklist with pass/fail items, severity codes, and recommended remediation actions
4. **Human gate** — compliance officer reviews findings and chooses: approve / approve with conditions / reject / request corrections
5. **Audit receipt** — every check, source, and decision is signed, timestamped, and stored in an immutable MOVA audit trail for regulatory inspection
**Mandatory escalation rules enforced by policy:**
- Critical findings present → mandatory human review, cannot auto-approve
- Regulated framework (GDPR, PCI-DSS) → full audit report artifact required
- Rejection or conditions → remediation items must be recorded with reason
## Requirements
**Plugin:** MOVA OpenClaw plugin must be installed in your OpenClaw workspace.
**Data flows:**
- Document URL/ID + org metadata → `api.mova-lab.eu` (MOVA platform, EU-hosted)
- Document content → OCR extraction connector (read-only, no data stored)
- Extracted structure → compliance rules engine (framework-specific, read-only)
- Audit journal → MOVA R2 storage, cryptographically signed
- No data sent to third parties beyond the above
## Demo
**Step 1 — Document submitted for GDPR audit**
**Step 2 — AI findings: 3 critical violations, missing DPIA, reject recommended**
**Step 3 — Audit receipt + signed decision log**
## Quick start
Say "run GDPR compliance audit on this document" and provide a document URL or ID:
```
document_url: https://example.com/privacy-policy.pdf
framework: gdpr
org_name: Acme Corp
```
The agent submits the document, shows the AI findings checklist with pass/fail items and severity, then asks for your compliance decision.
## Why contract execution matters
- **Framework rules are policy, not prompts** — GDPR and PCI-DSS checks trigger mandatory gates that cannot be bypassed by the AI
- **Full checklist traceability** — every pass/fail item is linked to a specific rule ID and source citation
- **Immutable audit trail** — when a regulator asks "who signed off this audit and what did they see?" — the answer is in the system with an exact timestamp
- **EU AI Act / GDPR Article 22 ready** — automated compliance decisions require human oversight, full explainability, and a documented decision chain
## What the user receives
| Output | Description |
|--------|-------------|
| Framework | Selected regulatory standard (GDPR, PCI-DSS, ISO 27001, SOC 2) |
| Checklist score | Pass / fail count per framework section |
| Critical findings | Count and list of critical violations |
| Findings list | Per-item: rule ID, description, severity (critical / high / medium / low) |
| Remediation hints | Recommended corrective actions per finding |
| Recommended action | AI-suggested compliance decision |
| Decision options | approve / approve_with_conditions / reject / request_corrections |
| Audit receipt ID | Permanent signed record of the compliance decision |
| Compact journal | Full event log: ingest → rules check → human decision |
## When to trigger
Activate when the user:
- Uploads a document and mentions compliance, regulation, or audit
- Says "check GDPR compliance", "run PCI-DSS audit", "validate ISO 27001", "SOC 2 check"
- Asks to prepare for a regulatory inspection
**Before starting**, confirm: "Run compliance audit on [document] — framework: [FRAMEWORK]?"
If framework is not specified — ask once: GDPR, PCI-DSS, ISO 27001, or SOC 2.
If document URL is missing — ask once for a direct HTTPS link or document ID.
## Step 1 — Submit document for audit
Call tool `mova_hitl_start_compliance` with:
- `document_url`: direct HTTPS link to the document
- `document_id`: unique identifier (e.g. DOC-2026-001)
- `framework`: one of `gdpr` / `pci_dss` / `iso_27001` / `soc2`
- `org_name`: organization name
## Step 2 — Show findings and decision options
If `status = "waiting_human"` — show the audit findings summary:
```
Document: document_id
Framework: FRAMEWORK
Score: PASS_COUNT / TOTAL_CHECKS passed
Critical: CRITICAL_COUNT critical findings
Findings: [list top findings with rule ID and severity]
Recommended action: ACTION ← RECOMMENDED
```
Then ask compliance officer to choose:
| Option | Description |
|---|---|
| `approve` | Sign off audit report as compliant |
| `approve_with_conditions` | Approve with listed remediation items |
| `reject` | Document fails compliance — block processing |
| `request_corrections` | Return document for corrections |
Call tool `mova_hitl_decide` with:
- `contract_id`: from the response above — this is `ctr-cau-xxxxxxxx`, NOT the document ID
- `option`: chosen decision
- `reason`: officer reasoning (required for reject and request_corrections)
## Step 3 — Show audit receipt
Call tool `mova_hitl_audit` with `contract_id`.
Call tool `mova_hitl_audit_compact` with `contract_id` for the full signed event chain.
## Connect your real compliance systems
By default MOVA uses a sandbox mock. To route checks against your live infrastructure, call `mova_list_connectors` with `keyword: "compliance"`.
Relevant connectors:
| Connector ID | What it covers |
|---|---|
| `connector.ocr.document_extract_v1` | Document OCR and structure extraction |
| `connector.compliance.rules_engine_v1` | Framework-specific compliance rule evaluation |
Call `mova_register_connector` with `connector_id`, `endpoint`, optional `auth_header` and `auth_value`.
## Rules
- NEVER make HTTP requests manually
- NEVER invent or simulate compliance results — if a tool call fails, show the exact error
- Use MOVA plugin tools directly — do NOT use exec or shell
- CONTRACT_ID is `ctr-cau-xxxxxxxx` from the mova_hitl_start_compliance response — NOT the document ID
标签
skill
ai
