RFC-WF-0016
Reference Compliance Matrix & Control IDs (RCMC)
Status: Draft Standard
Version: 1.0.0
Date: 20 Nov 2025
Category: Standards Track
Author: FullAgenticStack Initiative
Dependencies: RFC-WF-0001 (WFCS), RFC-WF-0003 (CCP), RFC-WF-0004 (ACSM), RFC-WF-0005 (CRCD), RFC-WF-0006 (EAS), RFC-WF-0007 (OoC), RFC-WF-0008 (RCP), RFC-WF-0009 (TMSI), RFC-WF-0010 (IDS), RFC-WF-0011 (CATS), RFC-WF-0015 (PPGP)
License: Open Specification (Public, Royalty-Free)
Abstract
This document specifies the Reference Compliance Matrix & Control IDs (RCMC) for WhatsApp-first systems. RCMC defines a canonical catalog of control identifiers and a mapping from controls to RFC requirements, enabling consistent certification reporting, audit tooling interoperability, and unambiguous compliance communication (e.g., “WFS-C-013 failed”). RCMC serves as the normative bridge between the specification set and the Compliance Audit Toolkit (CATS).
Index Terms— compliance controls, control IDs, certification, audit interoperability, requirement mapping, WhatsApp-first.
I. Introduction
RFCs define requirements, but audits need stable identifiers to track them over time. Without control IDs, compliance reporting becomes ambiguous (“you failed the idempotency part”). RCMC provides a standard naming and categorization system for controls, plus a required mapping from each control to the RFC sections it enforces.
RCMC is essential for:
- consistent certification levels
- diffing compliance across versions
- automated remediation guidance
- ecosystem-wide shared terminology
II. Scope
RCMC specifies:
- Control ID format and naming rules
- Mandatory control metadata fields
- Control categories and minimum catalog
- Mapping from controls to RFC requirements
- Versioning rules for controls
- Report interoperability requirements with CATS outputs
RCMC does not define pricing or certification branding; it defines the technical control catalog.
III. Normative Language
MUST, MUST NOT, SHOULD, SHOULD NOT, MAY are normative.
IV. Definitions
Control: A testable compliance requirement with pass/fail criteria.
Control ID: A stable identifier for a control (e.g., WFS-C-013).
Matrix: A mapping from controls to RFC clauses and evidence expectations.
V. Control ID Format (Normative)
Controls MUST use the format:
WFS-<Domain>-<NNN>
Where:
-
WFSis the standard prefix -
<Domain>is one of:-
C(Core/Foundation) -
X(Conversion Web→WhatsApp) -
P(Command Protocol & Safety) -
S(Security & Threat Invariants) -
I(Idempotency & Delivery Semantics) -
E(Evidence) -
O(Observability over Conversation) -
R(Recovery & Compensation) -
G(Governance & Policy Packs) -
A(Agent Integration) -
D(Discovery & Interop)
-
<NNN>is a zero-padded numeric identifier (000–999)
Example: WFS-I-013 for idempotency duplicate-effect prevention.
VI. Control Metadata (Required Fields)
Each control entry in the matrix MUST include:
control_idtitle-
category(Domain) -
severity(critical|high|medium|low) -
method(static|runtime|hybrid) -
requirement(normative summary) -
references(list of RFC clause pointers) -
evidence_expected(what artifacts prove pass/fail) pass_criteria-
fail_examples(at least one) -
remediation(short guidance)
VII. Reference Compliance Matrix (Canonical File)
A. Distribution
Implementations and toolkits MUST be able to reference a canonical matrix file:
-
/.well-known/wfs/rcmc.json(recommended; may be advertised via WKD)
B. Minimal Structure
The matrix MUST be machine-readable JSON (YAML optional). Minimal shape:
{
"matrix_version": "1.0.0",
"generated_at": "2026-02-22T00:00:00Z",
"controls": [ ... ]
}
VIII. Minimum Control Catalog (v1.0.0)
Below is the minimum catalog set. (Entries shown condensed; full matrix file enumerates pass/fail details.)
A. Core/Foundation (WFS-C-xxx)
- WFS-C-001 Full Capability Parity (incl. admin/recovery) — critical
- WFS-C-002 Multimodal Input Parity (text+audio STT) — critical
- WFS-C-003 No Dashboard-Only Mutations — critical
B. Conversion (WFS-X-xxx)
- WFS-X-001 Buttons → numbered actions or explicit commands — high
- WFS-X-002 Forms → conversational sequential flows — high
C. Command Safety (WFS-P-xxx)
- WFS-P-001 Canonical Envelope Before Execution — critical
- WFS-P-002 Confirmation Required for Mutations — critical
- WFS-P-003 Strengthened Confirmation for Destructive — high
D. Security (WFS-S-xxx)
- WFS-S-001 Scope Gating for Mutations — critical
- WFS-S-002 Step-up for Admin High-Impact — critical
- WFS-S-003 Ambiguity Rejection for Targets/Intents — high
- WFS-S-004 Evidence Completeness for Security Decisions — high
E. Idempotency (WFS-I-xxx)
- WFS-I-001 Idempotency Key Derivation Determinism — critical
- WFS-I-002 Atomic Dedup Check-and-Set — critical
- WFS-I-003 Outcome Replay for Duplicates — high
F. Evidence (WFS-E-xxx)
- WFS-E-001 EAS Schema Conformance — critical
- WFS-E-002 Append-only Evidence (No Mutations) — high
- WFS-E-003 Trace Binding to Conversation/Message IDs — high
G. Observability (WFS-O-xxx)
- WFS-O-001 Conversational Status/Health Available — high
- WFS-O-002 Error Transparency (why failed/denied) — high
- WFS-O-003 Evidence Drill-down via Conversation — medium
- WFS-O-004 Redaction & Least Privilege in OoC — critical
H. Recovery (WFS-R-xxx)
-
WFS-R-001 Recovery Options Discoverable (
RCP.OPTIONS) — high -
WFS-R-002 Governed Retry (
RCP.RETRY) — high - WFS-R-003 Governed Compensation where applicable — critical
I. Governance (WFS-G-xxx)
- WFS-G-001 Policy Pack Versioning and Binding — high
- WFS-G-002 Fail-Closed for Missing High-Impact Policies — critical
- WFS-G-003 Policy Enforcement Proof in Evidence — high
J. Agent Integration (WFS-A-xxx)
- WFS-A-001 Proposal/Execution Separation — critical
- WFS-A-002 HITL for S2/S3/R3 Actions — high
- WFS-A-003 Agent Actions Evidence Linkage — high
K. Discovery (WFS-D-xxx)
- WFS-D-001 Well-known Discovery Document Present — medium
- WFS-D-002 Registry/Evidence Endpoints Discoverable — medium
IX. Versioning Rules for Controls
- The matrix MUST be versioned with SemVer.
- Adding controls is MINOR.
- Changing pass/fail semantics is MAJOR.
- Deprecating controls MUST include
deprecated_sinceand optional replacements.
X. Reporting Interoperability with CATS
CATS audit outputs MUST reference controls using control_id. Reports MUST include:
- pass/fail per control
- evidence references per control
- remediation guidance per failed control
- matrix version used
XI. Relationship to Other RFCs
RCMC binds requirements from WFCS/CCP/ACSM/IDS/EAS/OoC/RCP and governance RFCs to stable controls consumable by CATS and certification tooling.
XII. Security Considerations
Publishing a full control matrix publicly can help attackers understand your defenses. Systems MAY publish redacted versions publicly, and keep full details privileged. Tooling MUST support both.
XIII. Conclusion
RCMC gives WhatsApp-first a certifiable backbone: stable control IDs and a normative mapping to RFC requirements. This transforms “compliance” from opinion into repeatable audits and comparable reports, enabling ecosystem tooling and reliable certification programs.
References
[1] RFC-WF-0001, WhatsApp-First Compliance Core (WFCS).
[2] RFC-WF-0003, Conversational Command Protocol (CCP).
[3] RFC-WF-0004, Administrative Command Security Model (ACSM).
[4] RFC-WF-0005, Command Registry & Capability Declaration (CRCD).
[5] RFC-WF-0006, Evidence Artifact Schema (EAS).
[6] RFC-WF-0007, Observability over Conversation (OoC).
[7] RFC-WF-0008, Recovery & Compensation Protocol (RCP).
[8] RFC-WF-0009, Threat Model & Security Invariants (TMSI).
[9] RFC-WF-0010, Idempotency & Delivery Semantics (IDS).
[10] RFC-WF-0011, Compliance Audit Toolkit Spec (CATS).
[11] RFC-WF-0015, Policy Packs & Governance Profiles (PPGP).
Concepts and Technologies
Control catalogs, stable control IDs, compliance matrices, SemVer for requirements, audit interoperability, evidence-backed certification reporting, redacted public compliance, remediation mapping.
Top comments (0)