High-density security evidence intelligence for FedRAMP and high-assurance workloads.
ATO-Copilot is a Mission Terminal for automating evidence readiness in the Authority to Operate (ATO) lifecycle. It transforms the "documentation hunt" into an evidence-driven workflow by mapping unstructured artifacts to NIST 800-53 controls with line-level provenance and reviewer scrutiny prediction.
Compliance packages fail slowly because evidence is scattered and reviewers ask predictable questions too late. ATO-Copilot turns prep into a focused security terminal:
- Automated Mapping: Instantly correlates logs, CSVs, and other artifacts to NIST 800-53 controls (e.g. AC-2, AU-6, CM-6).
- Predictive Scrutiny: Generates the difficult questions a reviewer is likely to ask before you submit.
- Deep Traceability: Provides a reasoning trace with source provenance (hashes, line numbers, row IDs).
- Actionable Gaps: Flags exactly what is missing and provides a concrete "Next Action."
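The deterministic mapping, provenance and gap reporting described above, as an added illustration that is not the project's own code: every finding carries the artifact's SHA-256 digest plus a line number (logs) or row ID (CSVs), and any control with no supporting evidence is reported as a gap. The keyword rules, file names and sample artifacts are constructed here for the example and are not taken from the project's golden dataset or `docs/sample-evidence/`.

```python
import csv
import hashlib
import io
import re

# Constructed keyword heuristics for three controls (illustration only; the
# project's golden_dataset.json rules are not reproduced here).
CONTROL_RULES = {
    "AC-2": re.compile(r"\b(user|account) (created|disabled|removed|locked)\b", re.I),
    "AU-6": re.compile(r"\b(audit (log|record)s? review|log review)\b", re.I),
    "CM-6": re.compile(r"\b(baseline|configuration (setting|drift))\b", re.I),
}

def sha256_hex(data: bytes) -> str:
    """Digest of the whole artifact, stored with every finding for verification."""
    return hashlib.sha256(data).hexdigest()

def map_log(name: str, data: bytes) -> list[dict]:
    """Map each line of a plain-text log to controls, keeping line-number provenance."""
    digest, findings = sha256_hex(data), []
    for lineno, line in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
        for control, pattern in CONTROL_RULES.items():
            if pattern.search(line):
                findings.append({"control": control, "artifact": name, "sha256": digest,
                                 "line": lineno, "excerpt": line.strip()})
    return findings

def map_csv(name: str, data: bytes, text_fields: tuple, id_field: str) -> list[dict]:
    """Map CSV rows to controls, keeping the row ID as provenance instead of a line."""
    digest, findings = sha256_hex(data), []
    for row in csv.DictReader(io.StringIO(data.decode("utf-8"))):
        text = " ".join(row.get(f) or "" for f in text_fields)
        for control, pattern in CONTROL_RULES.items():
            if pattern.search(text):
                findings.append({"control": control, "artifact": name, "sha256": digest,
                                 "row_id": row[id_field], "excerpt": text})
    return findings

def gaps(findings: list[dict], required: tuple = tuple(CONTROL_RULES)) -> list[str]:
    """Controls with no supporting evidence; each becomes a 'Next Action' item."""
    covered = {f["control"] for f in findings}
    return [c for c in required if c not in covered]

# Constructed synthetic artifacts (not the project's docs/sample-evidence files).
SAMPLE_LOG = b"2024-05-01T10:00Z iam: user created jdoe by admin\n2024-05-01T10:05Z sshd: login ok jdoe\n"
SAMPLE_CSV = b"ticket_id,summary\nT-101,Weekly audit log review completed\nT-102,Patch applied\n"

if __name__ == "__main__":
    found = map_log("iam.log", SAMPLE_LOG) + map_csv("tickets.csv", SAMPLE_CSV, ("summary",), "ticket_id")
    print(found, "gaps:", gaps(found))  # gaps: ['CM-6']
```

Because the digest covers the whole artifact, a reviewer can re-hash the uploaded file and confirm that the cited line or row is the one the finding was derived from.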
Fallback link: docs/sample-evidence-demo-15s.mp4
- Frontend: Next.js (App Router), Tailwind CSS, Lucide Icons.
- Backend: FastAPI (Python), Uvicorn.
- Intelligence: Deterministic JSON heuristics + Optional OpenRouter (GPT-4/5) for expanded reviewer guidance.
- Design: High-density, dark-mode terminal aesthetic (#0B0E14).
The terminal can enrich deterministic mappings with live AI-generated reviewer guidance. It uses the golden dataset as the source of truth, then asks a model to generate the "Interrogatory Phase" questions.
Demo note: all included evidence artifacts are synthetic examples. This repository contains no CUI, customer data, or official assessment output.
- Install frontend dependencies:

  ```
  npm install
  ```

- Install backend dependencies:

  ```
  python3 -m venv .venv
  source .venv/bin/activate
  pip install -r requirements.txt
  ```

- Set up the environment file:

  ```
  cp .env.example .env.local
  ```

- Configure `.env.local` if model insights are enabled:

  ```
  USE_MODEL_INSIGHTS=true
  OPENROUTER_API_KEY=your_openrouter_api_key_here
  OPENROUTER_MODEL=openai/gpt-5.2
  ```

- Run the app:

  ```
  npm run api
  npm run dev
  ```
- `docs/PRD.md` - Product requirements and design ethos.
- `docs/golden_dataset.json` - Deterministic demo source of truth.
- `docs/sample-evidence/` - Mock logs/CSVs for live upload demos.
- `api/` - FastAPI backend logic and agentic evidence review.
- `app/` - Next.js frontend terminal UI.
