IBM Bob Hackathon 2026

Scan the plan.
Avoid the Ban.

A compliance copilot for AWS Terraform that runs inside IBM Bob. Cites ASEAN financial regulators from a deterministic corpus. Ships a regulator-grade evidence pack in twelve seconds.

IBM Bob — Accord mode
$ audit examples/asialease-aws/environments/prod-sg
parse_terraform ✓ 8 resources
infer_data_classification ✓ 1 PII · 2 financial
get_iam_baseline (SG) ✓ violations detected
render_evidence_pack ✓ audit/prod-sg/
CRITICAL · MAS TRM S13
Wildcard IAM policy s3:* on aws_iam_role_policy.prod-app
Cited: MAS TRM Section S13 — least privilege, no wildcard policies
Total: 2 CRITICAL · 1 WARN · 0 INFO · 12s

Built for the regulator-grade enterprise stack

IBM Bob
aws
Terraform
MCP
ASEAN

Why this exists

General AI tools were not built for compliance.

01

They hallucinate citations.

Ask GPT-4 about OJK POJK 11/2022 Article 32 and it invents a clause number that does not exist. Accord grounds every finding in a deterministic corpus. No clause in the corpus, no finding.

02

Linters miss posture conflicts.

MAS TRM S15 needs 90-day log retention, but your S3 lifecycle deletes after 30. A static linter sees two unrelated resources. Accord's Layer-2 reasoning surfaces cross-resource conflicts.

03

Evidence packs ship automatically.

Compliance teams rebuild evidence the day before an inspection. Accord renders findings, reports, diagrams, and governance trail after every workflow. Zero rebuild work.

Built for IBM Bob

Accord doesn't sit on Bob.
It plugs into Bob.

Custom mode, MCP server, governance trail. Three primitives Bob ships. Three places Accord uses them as designed.

Bob primitive — Custom Mode

A mode, not a wrapper.

Defined in .bob/custom_modes.yaml with tool access scoped to [read, mcp]. No edit, no command. A compliance auditor is advisory, never execution. Bob enforces the boundary.

Bob primitive — MCP

Eighteen deterministic tools.

Registered in .bob/mcp.json. Bob auto-discovers the server on workspace open. Every tool returns Pydantic-validated dicts. Tools never call the LLM back.

Bob primitive — Governance

Every finding, logged first.

Accord calls log_decision() before any finding returns. Rule citation, model used, prompt hash, response hash, regulator tags. If logging fails, the audit aborts.
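A sketch of the log-first, fail-closed pattern described above, as an added example (not Accord's own `log_decision()` implementation). The function names, the JSON Lines trail file, the `ts` field and the sample finding are assumptions; the other record fields are the ones the page lists.

```python
import hashlib
import json
import os
import time


class GovernanceLogError(RuntimeError):
    """Raised when a decision record cannot be made durable."""


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def append_decision(trail_path, finding, model, prompt, response):
    """Append one JSON line; store hashes of prompt/response, not their text."""
    record = {
        "ts": time.time(),  # assumption: timestamp field is not named on the page
        "rule_citation": finding["citation"],
        "model": model,
        "prompt_sha256": sha256_hex(prompt),
        "response_sha256": sha256_hex(response),
        "regulator_tags": finding["regulators"],
    }
    try:
        with open(trail_path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(record, sort_keys=True) + "\n")
            fh.flush()
            os.fsync(fh.fileno())  # on disk before the finding is released
    except OSError as exc:
        raise GovernanceLogError(f"decision not logged: {exc}") from exc
    return record


def release_finding(trail_path, finding, model, prompt, response):
    """Fail closed: a finding is returned only after its record is written."""
    append_decision(trail_path, finding, model, prompt, response)
    return finding


# Constructed sample finding, modelled on the terminal output shown on the page.
SAMPLE_FINDING = {
    "severity": "CRITICAL",
    "citation": "MAS TRM Section S13",
    "regulators": ["MAS"],
    "resource": "aws_iam_role_policy.prod-app",
}
```

Because the exception propagates out of `release_finding`, an unwritable trail stops the audit instead of producing an unlogged finding.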

What it does

Four workflows.
One mode.

Each fires when Bob detects a trigger phrase in chat. Each prints a checklist before it works, emits one line per step, and logs to the governance trail before returning.

Audit.

Parses Terraform, classifies data, applies country rules, emits citations.

"audit this PR"

Fix.

Plans minimal diffs from corpus patterns. Cascade-checks references. Per-finding approval.

"fix this terraform"

Apply.

Blocked on unresolved CRITICAL findings. Requires named-environment approval. Logs every decision before terraform runs.

"apply to staging-sg"

Verify.

Scans running AWS. Classifies live resources. Writes a drift report against Terraform state.

"scan running AWS"

Architecture

Three layers.
Deterministic at the base.

Every audit walks the same path. Parse, classify, check, reason, render. The LLM orchestrates. The tools do the work. No hidden state. No invented rule numbers.

Developer in IBM Bob → trigger phrase → Accord Mode (custom_modes.yaml + MCP)

LAYER 1 · AUDIT: parse_terraform, country rule lookups (6), check_required_resources
LAYER 2 · REASONING: infer_data_classification, get_posture_envelope, find_conflicts_for_rules
LAYER 3 · EVIDENCE: render_audit_artifacts, render_evidence_pack, scan_live_aws · cost

rules.yaml corpus: OJK 6 · MAS 7 · envelopes 4
governance trail: decisions/ · every finding
audit/<target>/: findings · report · evidence.zip

Layer 1 — Audit

Pure data fetchers.

Six country-rule lookups plus the Terraform parser. Each returns a Pydantic-validated dict. They never call the LLM back. They never have side effects beyond logging.

Returns: typed rule data, never invented.

Layer 2 — Reasoning

Cross-rule synthesis.

Classifies resources, fetches expected postures, detects conflicts between rules. This is where Accord goes beyond a line-by-line linter. The LLM surfaces conflicts and recommends the stricter posture.

Returns: classified findings + conflict graph.
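The retention conflict from "Linters miss posture conflicts" above, worked as a cross-resource check. This is an added example, not Accord's code: the plan layout, function names and sample resources are constructed, and only CloudTrail destinations are treated as log buckets.

```python
# Added illustration, not Accord's code. SAMPLE_PLAN is a constructed, simplified
# stand-in for parsed Terraform: resource type -> name -> attributes.
REQUIRED_LOG_RETENTION_DAYS = 90  # the figure the page attributes to MAS TRM S15

SAMPLE_PLAN = {
    "aws_cloudtrail": {"main": {"s3_bucket_name": "aws_s3_bucket.audit_logs.id"}},
    "aws_s3_bucket_lifecycle_configuration": {
        "audit_logs": {
            "bucket": "aws_s3_bucket.audit_logs.id",
            "rule": [{"id": "expire", "status": "Enabled", "expiration": {"days": 30}}],
        },
        "uploads": {
            "bucket": "aws_s3_bucket.uploads.id",
            "rule": [{"id": "tmp", "status": "Enabled", "expiration": {"days": 7}}],
        },
    },
}


def bucket_ref(value):
    """Reduce 'aws_s3_bucket.NAME.id' to 'aws_s3_bucket.NAME'; None for anything else."""
    parts = value.split(".")
    return ".".join(parts[:2]) if parts[0] == "aws_s3_bucket" and len(parts) >= 2 else None


def find_retention_conflicts(plan, required_days=REQUIRED_LOG_RETENTION_DAYS):
    # Step 1: buckets that receive audit logs (here: CloudTrail destinations only).
    log_buckets = {}
    for name, trail in plan.get("aws_cloudtrail", {}).items():
        ref = bucket_ref(trail.get("s3_bucket_name", ""))
        if ref:
            log_buckets[ref] = f"aws_cloudtrail.{name}"
    # Step 2: enabled lifecycle rules that expire objects in those buckets too early.
    conflicts = []
    for name, lifecycle in plan.get("aws_s3_bucket_lifecycle_configuration", {}).items():
        ref = bucket_ref(lifecycle.get("bucket", ""))
        if ref not in log_buckets:
            continue  # e.g. the uploads bucket: short expiry, but no log duty
        for rule in lifecycle.get("rule", []):
            days = rule.get("expiration", {}).get("days")
            if rule.get("status") == "Enabled" and days is not None and days < required_days:
                conflicts.append({
                    "bucket": ref,
                    "log_source": log_buckets[ref],
                    "lifecycle": f"aws_s3_bucket_lifecycle_configuration.{name}",
                    "expires_after_days": days,
                    "required_days": required_days,
                })
    return conflicts
```

The 7-day rule on the uploads bucket is not reported, because nothing writes audit logs there; the finding depends on the link between the trail and the lifecycle rule, not on either resource alone.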

Layer 3 — Evidence

Regulator-shaped output.

Renders the artifact a compliance team submits during inspection. Findings JSON, report markdown, Mermaid architecture diagram, governance trail. Plus runtime verification against live AWS.

Returns: subpoena-ready evidence pack.

Live demo

Audit. Fix. Apply.
Verify. Destroy.

End to end inside IBM Bob with Accord mode. Real RDS deploy. Real audit. Real destroy.

Try it

Audit your first Terraform
in three steps.

1

Clone and install.

bash
git clone https://github.com/TantyoIntan/bob-hackathon-accord.git
cd bob-hackathon-accord
python3.11 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

2

Open in IBM Bob.

Download Bob from bob.ibm.com. File → Open Folder → select bob-hackathon-accord/. Reload window (Ctrl+Shift+P → "Reload Window") so Bob picks up .bob/mcp.json.

3

Switch to Accord. Type audit.

Bottom-left mode selector → Accord. Then in chat:

bob
audit examples/asialease-aws/environments/prod-sg

Bob fires 14+ MCP tools and writes the findings plus an evidence pack to audit/prod-sg/ in twelve seconds.

Where it's going

ASEAN first.
Multi-cloud last.

v1.1

ASEAN expansion

Taiwan (FSC) corpus.

FSC Taiwan rule pack with cross-strait residency rules. Bilingual citations in English and Traditional Chinese.

v1.2

Bob integration

PR review and CI/CD gates.

GitHub PR comment hooks. Bob mode triggered from CI runners. Approval-gate enforcement before merge.

v2.0

Full ASEAN

Philippines, Malaysia, Thailand, Vietnam.

BSP Philippines, BNM Malaysia, BoT Thailand, SBV Vietnam. Corpus expansion by regulator demand and partner validation.

v2.x

Beyond AWS

Continuous monitoring. Multi-cloud.

Scheduled drift monitoring. Azure and GCP parsers and rule packs. Last because of weight, not because of priority.

Built by

Tantyo Intan

TantyoIntan

Vincent Natan

VincentNatan

Audit your Terraform
in twelve seconds.

Clone the repo. Open in Bob. Switch to Accord. Type audit.