Add compliance-soc for continuous compliance posture monitoring #44

Draft

maximelb wants to merge 1 commit into master from compliance-soc


Conversation

@maximelb
Contributor

Summary

  • Adds a new compliance-soc with 2 agents that continuously assess compliance posture across SOC 2, ISO 27001, PCI-DSS v4, and CIS v8
  • compliance-auditor (daily, opus, $5/run): discovers all connected data sources (Okta, AWS, Azure AD, EDR, O365, etc.), verifies data flow, analyzes telemetry for compliance-relevant events (privileged access changes, root usage, FIM proof, detection health), calculates weighted framework scores, tracks gaps as persistent cases
  • endpoint-compliance-checker (weekly, opus, $5/run): full fleet LCQL sweep across 8 checks (monitoring gaps, service changes, autoruns, account compliance, unauthorized software, FIM verification, network compliance, driver integrity), plus targeted active inventory on anomalous endpoints
  • Framework selection configurable via compliance-frameworks SOP; defaults to all 4 frameworks
  • Shared compliance-state and compliance-gaps lookup tables for trend tracking and persistent gap-to-case mapping
  • Gap cases are created once and updated daily until resolved (no duplicates)
  • Daily closed cases serve as continuous monitoring evidence for auditors
  • ~$170/mo total cost

Test plan

  • Deploy compliance-auditor to a test org with mixed data sources (EDR + at least one adapter)
  • Verify daily case creation with structured notes per control area
  • Verify framework scoring with N/A exclusion for missing data sources
  • Verify gap case creation and daily follow-up updates
  • Verify gap case closure when gap is resolved
  • Deploy endpoint-compliance-checker and verify weekly self-gating via lookup
  • Verify LCQL sweep covers full fleet (not sampling)
  • Verify SOP-based framework selection overrides defaults
  • Verify both agents preserve each other's entries in shared lookup tables

🤖 Generated with Claude Code

Two-agent SOC that assesses compliance posture across SOC 2, ISO 27001,
PCI-DSS v4, and CIS v8 by analyzing real telemetry from all connected
data sources (identity providers, cloud audit, EDR, collaboration).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
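The summary above describes two behaviours a reviewer would want to see pinned down before merging: weighted framework scoring with N/A exclusion for controls whose data source is not connected, and a shared gap table in which a gap maps to exactly one case that is updated daily until it resolves, while each agent leaves the other agent's entries alone. The following is an added example written for this page, not code from the PR or from the compliance-soc agents; the control ids, weights, data-source names, case-id format and the lookup-table record layout are all assumptions made for illustration.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    framework: str
    control_id: str
    weight: int      # relative weight of the control inside its framework (assumed)
    source: str      # data source needed to evaluate the control (assumed names)

    @property
    def key(self) -> str:
        return f"{self.framework}:{self.control_id}"


# Constructed control set for illustration; not the PR's own control mapping.
CONTROLS = [
    Control("SOC2", "CC6.1-mfa", 3, "okta"),
    Control("SOC2", "CC6.2-priv-access", 2, "okta"),
    Control("SOC2", "CC7.2-detection", 3, "edr"),
    Control("CIS8", "4.1-config", 1, "edr"),
    Control("CIS8", "8.2-audit-logs", 2, "aws"),
    Control("PCI4", "10.2-audit", 3, "aws"),
]


def framework_scores(controls, connected, results):
    """Weighted percentage per framework.

    A control whose data source is not connected is N/A: it is excluded from both
    numerator and denominator, so a missing adapter never reads as a failed control.
    A framework with no applicable controls scores None rather than 0.
    results maps control key -> bool (True = compliant).
    """
    passed, applicable = {}, {}
    for c in controls:
        passed.setdefault(c.framework, 0)
        applicable.setdefault(c.framework, 0)
        if c.source not in connected:
            continue  # N/A, not a gap
        applicable[c.framework] += c.weight
        if results.get(c.key, False):
            passed[c.framework] += c.weight
    return {fw: (None if applicable[fw] == 0 else round(100 * passed[fw] / applicable[fw], 1))
            for fw in passed}


def open_gaps(controls, connected, results):
    """Applicable controls that failed; N/A controls are not gaps."""
    return {c.key for c in controls if c.source in connected and not results.get(c.key, False)}


def upsert_gaps(table, owner, gaps, run_day, new_case_id):
    """Persistent gap-to-case mapping in a lookup table shared by both agents.

    - gap seen for the first time (or re-opened after resolution): one new case
    - gap still present: same case_id kept, last_seen advanced (no duplicate case)
    - this owner's gap no longer present: marked resolved with the resolution day
    - entries owned by the other agent: never created over, updated or resolved
    """
    for key in gaps:
        rec = table.get(key)
        if rec is not None and rec["owner"] != owner:
            continue  # other agent's entry: preserve it untouched
        if rec is None or rec["status"] == "resolved":
            table[key] = {"owner": owner, "case_id": new_case_id(), "first_seen": run_day,
                          "last_seen": run_day, "status": "open"}
        else:
            rec["last_seen"] = run_day
    for key, rec in table.items():
        if rec["owner"] == owner and rec["status"] == "open" and key not in gaps:
            rec["status"] = "resolved"
            rec["resolved_on"] = run_day
    return table


def run_demo():
    """Three daily auditor runs against a table already holding the weekly checker's entry.
    Dates, results and the checker's record are constructed sample data."""
    counter = itertools.count(1)

    def new_case_id():
        return f"C-{next(counter)}"

    connected = {"okta", "edr"}   # aws not connected, so PCI4 is entirely N/A
    table = {"CIS8:8.2-audit-logs": {"owner": "endpoint-compliance-checker", "case_id": "E-7",
                                     "first_seen": "2024-01-01", "last_seen": "2024-01-01",
                                     "status": "open"}}
    days = [
        ("2024-01-02", {"SOC2:CC6.1-mfa": True, "SOC2:CC6.2-priv-access": False,
                        "SOC2:CC7.2-detection": True, "CIS8:4.1-config": True}),
        ("2024-01-03", {"SOC2:CC6.1-mfa": True, "SOC2:CC6.2-priv-access": False,
                        "SOC2:CC7.2-detection": False, "CIS8:4.1-config": True}),
        ("2024-01-04", {"SOC2:CC6.1-mfa": True, "SOC2:CC6.2-priv-access": True,
                        "SOC2:CC7.2-detection": False, "CIS8:4.1-config": True}),
    ]
    scores = []
    for day, results in days:
        scores.append(framework_scores(CONTROLS, connected, results))
        upsert_gaps(table, "compliance-auditor", open_gaps(CONTROLS, connected, results),
                    day, new_case_id)
    return scores, table


if __name__ == "__main__":
    for s in run_demo()[0]:
        print(s)
    for key, rec in run_demo()[1].items():
        print(key, rec)
```

The point of the N/A rule is visible in the PCI4 score: with no AWS adapter connected it comes back as None instead of 0, so a missing data source shows up as a coverage gap rather than dragging the score down. In the gap table, CC6.2 keeps case C-1 across the two days it stays open and is then marked resolved rather than closed and re-created, and the checker's E-7 entry survives all three auditor runs.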
