Compliance Overview

Summary

• Compitum is a local routing engine. It operates offline by default, uses locally cached licensed inputs for evaluation, and emits structured, auditable artifacts. No judge-based calls or dataset fetching are performed by default scripts.

Data Flow (Default)

• Inputs: user prompts (free text), model metadata, configuration (including constraints), and evaluation CSVs (when generating evidence).

• Processing: local computation only; no network by default. Utility computed as U = performance − lambda · cost under constraints (A x ≤ b).

• Outputs: local JSON/CSV/HTML in reports/ and docs/. A SHA-256 artifact manifest is generated.

Privacy & Data Handling

• PII: Prompts may contain free text; by policy, users should avoid PII. Compitum does not retain or transmit PII by default.

• Retention: Artifacts are local; retention is under the user’s control. No telemetry is collected.

• DSR/Deletion: Delete local artifacts in reports/ and cache folders to satisfy internal retention requirements.

Security Posture

• Offline by default: no judge calls; scripts do not auto-fetch datasets.

• Integrity: mutation testing (score 1.0), 100% line+branch coverage, lint/type/security checks (ruff/mypy/bandit) are clean; docs build without warnings.

• Supply chain: versions pinned in pyproject.toml; optional SBOM and lock snapshot targets (make sbom, make lock). Packaging excludes *.mp4 and *.sqlite.

• Secrets hygiene: .gitignore patterns and optional local secrets scanning (see CONTRIBUTING).

Licensing & Third Parties

• Project license: MIT (see LICENSE).

• RouterBench: inputs follow upstream licenses; we do not redistribute proprietary datasets. Evaluation uses local caches.

• Tokenization/backends (tiktoken/tokencost/HF) are optional libraries used locally; no calls are made upstream by default.

Policy Controls via Constraints

• Constraints (A x ≤ b) encode hard limits (e.g., region availability, rate caps). Infeasible routes are rejected by construction.

• The routing certificate exposes constraints.feasible and constraints.shadow_prices for each decision, enabling audit trails and policy reviews.

Auditability & Evidence

• Routing certificate: structured JSON for every decision (CLI: --trace, API: cert.to_json()), with utility components, constraints, boundary diagnostics, and drift monitors.

• Evidence pack: per-baseline win rates, frontier gap (with 95% CIs), per-task summaries, and a panel summary.

• Artifact manifest: reports/artifact_manifest.json lists key outputs with SHA-256 checksums.

Compliance Checklists (Quick)

• GDPR/Data Minimization: avoid PII in prompts; no network; artifacts local; delete artifacts to satisfy retention.

• SOC2-style hygiene: source control (GitHub), CI quality gates (tests/lint/types/security), artifact checksums, optional SBOM/lock, no auto-network.

• Export/Use: open-source research code (MIT); respect export control laws; no redistribution of proprietary datasets.

Operational Notes

• Offline reproduction: see Peer Review Package and Artifact README (Reproducibility).

• Fairness and evaluation: see RouterBench Fairness Notes and Panel Summary.

• Certificate schema: see Certificate Schema (download assets/certificate.schema.json).

Contact

• For compliance documentation requests (e.g., SBOM format, license reports, no-network CI logs), please open an issue. We will collaborate without changing scientific pipelines.