Design decisions
The tool is designed to produce review evidence, not conclusions.
These notes explain several product choices that shape Compliance Flag's output and trust posture.
It never says "compliant."
Compliance Flag flags potential review questions. It does not approve a communication, certify a page, or decide whether the firm satisfied a rule. A clean output only means the current scan did not flag an issue within its scope, prompt, model behavior, and bundled sources.
That boundary is deliberate. The useful artifact is a reviewer packet that preserves evidence for qualified personnel, not a software verdict that pretends to replace judgment.
Sources carry provenance dates.
Bundled rule and regulatory materials are point-in-time inputs. The project documents source URLs, retrieval dates, and current-as-of notes so reviewers can see what the scanner had available during analysis.
Important matters still need review against authoritative current sources, including SEC.gov and eCFR. The website and reports should make that limitation easy to see.
Captures are saved beside reports.
The report is only useful if the reviewer can inspect the same content the scanner reviewed. Compliance Flag saves source captures and metadata next to the JSON and HTML output so later review does not depend on a live page remaining unchanged.
For web pages, source captures are saved as text artifacts, so report rendering never depends on live-page behavior that could silently change. The point is repeatable evidence, not a polished screenshot of whatever the page became later.
Structured output is validated before writing.
AI output is treated as an untrusted draft until it matches the expected report schema. Schema validation keeps the rendered report predictable and makes downstream checks easier to reason about.
This does not make a finding correct. It makes the artifact inspectable: severity, rule citation, excerpt, explanation, and remediation fields have explicit places to live.
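To make that validation step concrete, here is an added example written for these notes (not Compliance Flag's own code). It assumes a five-field finding schema and a small allowed-severity set, and adds one check the page implies but does not state: a quoted excerpt must actually appear in the saved capture.

```python
import json

# Assumed schema (not the project's): five required, non-empty string fields.
REQUIRED_FIELDS = ("severity", "rule_citation", "excerpt", "explanation", "remediation")
SEVERITIES = ("low", "medium", "high")  # assumed allowed set

def validate_finding(finding, capture_text):
    """Return the problems with one finding; an empty list means it is accepted."""
    if not isinstance(finding, dict):
        return ["finding is not a JSON object"]
    problems = []
    for key in REQUIRED_FIELDS:
        value = finding.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"missing or empty field: {key}")
    if finding.get("severity") not in SEVERITIES:
        problems.append("severity not in allowed set")
    excerpt = finding.get("excerpt")
    # Grounding check (assumed extra): an excerpt absent from the saved capture is not evidence.
    if isinstance(excerpt, str) and excerpt.strip() and excerpt not in capture_text:
        problems.append("excerpt not found in saved capture")
    return problems

def validate_report(raw_model_output, capture_text):
    """Split the model's draft into accepted findings and (finding, problems) rejects."""
    try:
        draft = json.loads(raw_model_output)
    except json.JSONDecodeError as exc:
        return [], [({}, [f"draft is not valid JSON: {exc.msg}"])]
    findings = draft.get("findings") if isinstance(draft, dict) else None
    if not isinstance(findings, list):
        return [], [({}, ["draft has no 'findings' list"])]
    accepted, rejected = [], []
    for finding in findings:
        problems = validate_finding(finding, capture_text)
        if problems:
            rejected.append((finding, problems))
        else:
            accepted.append(finding)
    return accepted, rejected

# Constructed sample input: one well-formed finding and one that fails three checks.
CAPTURE = "Our fund has delivered guaranteed returns every year since 2019."
MODEL_DRAFT = json.dumps({"findings": [
    {"severity": "high", "rule_citation": "[rule citation placeholder]",
     "excerpt": "guaranteed returns every year", "explanation": "States a guarantee.",
     "remediation": "Remove the guarantee wording; add a risk disclosure."},
    {"severity": "critical", "rule_citation": "[rule citation placeholder]",
     "excerpt": "risk-free profits", "explanation": "Claims risk-free results."}]})
```

Rejected findings are kept together with their problem list so the reviewer packet records what the model produced and why it was not rendered.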
The open parts are part of the product.
The prompts, report schema, lint logic, examples, and source notes are public so a reviewer, developer, CCO, or client can inspect the mechanism instead of relying on a black-box claim.