The picture
Three automated tripwires run weekly (Mon 09:00 UTC,.github/workflows/regulatory-watch.yml), plus one human-driven deep-dive agent:
Every issue is labeled
regulatory,compliance and links back to the affected
specs from REGULATORY_COMPLIANCE_TRACKER.md.
1. Federal Register watcher
scripts/audit/check-regulatory-changes.ts (npm run audit:regulatory-changes).
- Pulls FR documents published in the lookback window (
--days=7in CI). - Maps each to tracked regulations via distinctive CFR/CMS tokens parsed from
REGULATORY_COMPLIANCE_TRACKER.md. - AI semantic fallback (optional): when
AI_GATEWAY_API_KEYis set, documents that the keyword matcher misses get a semantic pass (scripts/audit/lib/ai-spec-matcher.ts) routed through the PF-111 Vercel AI Gateway — one gateway/secret shared with the runtime edge functions + eval harness, so no per-feature Anthropic key is needed (#1125). Degrades to keyword-only if the key is absent or the call fails. Model isanthropic/claude-sonnet-4.6by default (the GR standard lane;REGULATORY_AI_MODELto override). - Files an issue per material new document and records it in
REGULATORY_CHANGES_LOG.jsonso it’s never re-filed.
2. Curated source watcher
scripts/audit/check-source-regulatory-changes.ts (npm run audit:regulatory-sources).
- Watch list lives in
REGULATORY_SOURCES.json— AHCCCS policy manuals, AZ ADHS licensing, Arizona CSPMP, CMS BH/prior-auth pages, ASTP/ONC certification, SAMHSA Part 2. Each entry maps to the specs it affects. - Fetches each page, normalizes to text (strips scripts/styles/markup), and content-hashes it. A changed hash files one issue; the first observation only records a baseline (no issue), so adding a source doesn’t spam.
- State lives in
SOURCE_REGULATORY_CHANGES_LOG.json.
REGULATORY_SOURCES.json with id, name,
jurisdiction, url, and the mapped specIds. Next run baselines it.
3. Deadline alerts
scripts/audit/check-regulatory-deadlines.ts (npm run audit:regulatory-deadlines:ci).
- Reads
REGULATORY_DEADLINE_CALENDAR.json. - In CI (
--file-issue) it upserts a single rolling issue, “Upcoming & overdue compliance deadlines”, listing everything overdue or due within 60 days. The issue is closed automatically when nothing is overdue or upcoming. - Locally, run without flags for a console report, or
--fail-on-overdueto gate.
REGULATORY_DEADLINE_CALENDAR.json and REGULATORY_COMPLIANCE_TRACKER.md.
4. Deep-dive agent
automation/agents/regulatory-change-watcher.md (Sonnet; WebSearch/WebFetch).
For interactive investigation the scripts can’t do — reasoning about a specific
rule’s impact, researching an AHCCCS policy change, or scoping a new deadline.
Read-only: it surfaces a prioritized impact analysis; it does not file issues or
edit specs.
State persistence (why the workflow commits back)
The two watchers keep “what have I already seen” state inREGULATORY_CHANGES_LOG.json and SOURCE_REGULATORY_CHANGES_LOG.json. The
weekly workflow runs with contents: write and commits those logs back after
each run. Without that, every run would start blind and re-file duplicate issues.
The commit uses [skip ci] so it doesn’t trigger other workflows.
Optional configuration
Artifacts at a glance
Running locally
gh CLI authenticated (GH_TOKEN); dry-run and the
plain deadline report need no auth.