chore: init vm-cc compliance scaffold

.gitignore

@@ -0,0 +1,7 @@
+.DS_Store
+*.tmp
+*.log
+node_modules/
+target/
+venv/
+__pycache__/

README.md

@@ -0,0 +1,34 @@
+# VaultMesh Continuous Compliance (vm-cc)
+
+vm-cc is the continuous compliance and evidence orchestration layer. It ingests evidence from skills, ops, ledger, MCP, and contracts receipts, evaluates rules, and produces reports/proofs without duplicating the command-center control plane.
+
+## Scope vs command-center
+- command-center: fleet control plane, EventEnvelope transport, runtime orchestration, receipt export.
+- vm-cc: compliance intake, rule evaluation, reporting, proofs; consumes receipts, ledger attestations, and ops evidence.
+
+## Layout
+- config/: source/rule/redaction/schedule configs
+- schemas/: JSON/YAML schemas for evidence, rules, reports
+- 00-frameworks/: frameworks and mappings (e.g., CIS→rules)
+- 10-controls/: control definitions
+- 20-collectors/: collectors to pull evidence from vm-skills, ops, ledger, mcp
+- 30-evidence/: raw evidence drops (per-run folders)
+- 40-rules/: executable rules
+- 50-reports/: human-readable reports
+- 60-proofs/: signed/attested artifacts
+- 70-violations/: findings and escalations
+- 80-remediation/: playbooks/automation for fixes
+- 90-automation/: pipelines/glue for end-to-end runs
+- scripts/: thin CLI wrappers to orchestrate collect → evaluate → report → sign
+
+## Rule result contract (example)
+```
+{
+  "rule_id": "authority-hierarchy",
+  "passed": true,
+  "severity": "HIGH",
+  "timestamp": "2025-12-27T12:00:00Z",
+  "evidence": ["30-evidence/2025-12-27/authority.json"],
+  "details": { "checked_transitions": 42 }
+}
+```

config/redaction.yaml

@@ -0,0 +1,21 @@
+# Redaction policy for evidence before reporting/proofs.
+# Define fields to drop or mask by source.
+
+vm_skills:
+  drop:
+    - "*.png"  # example if screenshots are present
+  mask:
+    - "**/secrets/**"
+
+ops:
+  drop: []
+  mask:
+    - "**/private_keys/**"
+
+vm_ledger:
+  drop: []
+  mask: []
+
+vm_mcp:
+  drop: []
+  mask: []

config/rules.yaml

@@ -0,0 +1,24 @@
+# Rule registry. Each entry binds a rule id to a source and evaluation script.
+# Keep rule definitions in 40-rules/; this file ties them to schedules and severity.
+
+rules:
+  - id: authority-hierarchy
+    severity: HIGH
+    entry: "40-rules/authority_hierarchy.yaml"
+    evidence:
+      - vm_mcp
+      - vm_ledger
+
+  - id: skills-health
+    severity: MEDIUM
+    entry: "40-rules/skills_health.yaml"
+    evidence:
+      - vm_skills
+      - ops
+
+  - id: receipts-schema
+    severity: HIGH
+    entry: "40-rules/receipts_schema.yaml"
+    evidence:
+      - vm_contracts
+      - vm_ledger

config/schedules.yaml

@@ -0,0 +1,13 @@
+# Schedules for rule execution. Cron-like or duration strings.
+
+schedules:
+  - name: hourly-critical
+    every: "1h"
+    rules:
+      - authority-hierarchy
+      - receipts-schema
+
+  - name: daily-health
+    every: "24h"
+    rules:
+      - skills-health

config/sources.yaml

@@ -0,0 +1,33 @@
+# Define evidence sources and where collectors should look.
+# Keep paths external to code so collectors are layout-agnostic.
+
+vm_skills:
+  path: "../vm-skills"
+  evidence:
+    - "*/outputs/status_matrix.json"
+    - "*/outputs/audit_report.md"
+    - "*/outputs/PROOF.json"
+    - "*/outputs/ROOT.txt"
+
+ops:
+  path: "../ops"
+  evidence:
+    - "20-identity/**"
+    - "60-backups/**"
+    - "70-audits/**"
+
+vm_ledger:
+  path: "../vm-ledger"
+  evidence:
+    - "log/entries.cborseq"
+    - "ledger-cli verify --format json"  # command invocation placeholder
+
+vm_mcp:
+  path: "../vm-mcp"
+  evidence:
+    - "governance/constitution.lock"
+
+vm_contracts:
+  path: "../vm-contracts"
+  evidence:
+    - "receipt_v1.schema.json"