Marshal Lab
“Protect the mission. Govern responsibly.”
Harden a self‑hosted AI stack with policy‑as‑code, audit logs and compliance dashboards.
| Resource | Description | Action |
|---|---|---|
| ▶️ Kick-off Video | Governance goals, success‑metric definitions, compliance landscape overview | |
| 📄 Governance Diagram PDF | VM → Coolify → Docker services (Flowise, n8n, FastAPI/Node, Vault, OPA, Falco, Trivy, Grafana/Loki/Tempo) | |
| ✅ Metrics Checklist | 0 % unauthorized access, audit‑log completeness ≥ 99.9 %, policy‑violation alert ≤ 5 min, secret rotation ≤ 30 days | |

| Resource | Description | Action |
|---|---|---|
| ▶️ Tooling Overview Video | Walk‑through of Vault, OPA/Gatekeeper, Falco, Trivy, Grafana + Loki + Tempo and how they integrate with Coolify | |
| 📂 Starter Repo | Docker‑Compose files pre‑wired for OPA policy loading, Vault secret injection and Falco/Trivy hooks | |
| 📄 Setup Guide | Step‑by‑step VM provisioning, Coolify install, Vault init, OPA policy repo linking, TLS cert generation | |

| Resource | Description | Action |
|---|---|---|
| ▶️ RAG Chatbot Walkthrough | Deploy full stack, add OPA policy checks, Falco runtime alerts and audit‑log pipeline | |
| 📂 Full-stack Compose | | |
| 📂 OPA Policy Pack | Sample Rego policies ( | |
| 📂 FastAPI Privacy Service | | |
| 📂 Audit Log Hook | n8n workflow that captures every chat interaction, signs JSON, writes to Vault audit device, streams to Loki | |
| 📄 Security Hardening Guide | Falco rule set, Trivy scan configuration, mutual‑TLS setup, Vault‑Agent injector usage | |

| Resource | Description | Action |
|---|---|---|
| ▶️ Automation Overview | Build a lead‑capture pipeline (Tally → n8n → Vault‑encrypted PostgreSQL via NocoDB) with OPA validation | |
| 📂 n8n Workflow Template | Tally webhook → OPA‑validated | |
| 📂 OPA-Validated Validation | Node.js | |
| 📂 Enrichment Service | FastAPI service calling Clearbit (or similar) with OpenTelemetry spans sent to Tempo | |
| 📂 Dead-Letter & Alert Repo | n8n sub‑workflow that writes failed leads to | |
| 📄 Compliance Run Book | Operational guide covering webhook validation, rate‑limiting, DLQ handling, audit‑log verification and manual retry procedures | |

| Resource | Description | Action |
|---|---|---|
| ▶️ Polish & Deploy Video | UI polish, final security checklist, one‑click Coolify deployment to production | |
| 📄 CI/CD Blueprint | GitHub Actions workflow: lint Rego, run Trivy scans, unit‑test FastAPI/Node services, build Docker images, push to private registry, trigger Coolify staging deploy | |
| 📂 Secret & Policy Rotation Guide | Vault cron job rotates API keys every 30 days; OPA policies version‑controlled in Git and auto‑redeployed via Coolify webhook | |
| 📂 Alert Config Snippets | Grafana + Alertmanager rules for policy‑violation spikes, Falco security events, secret‑access anomalies, audit‑log ingestion failures | |
| 🌐 Live Demo Link | Public demo of the fully‑governed RAG chatbot and the end‑to‑end compliance automation pipeline | |

| Resource | Description | Action |
|---|---|---|
| ▶️ Teaser Video | Graduate to the Visionary track as you step away from hands‑on tooling and focus on AI strategy, governance frameworks and business impact. | |

Extend your no‑code pipelines (Flowise / n8n) with policy‑enforced data handling and immutable audit logs.
Write FastAPI/Node services that automatically validate against OPA policies and expose compliance metrics to Grafana.
Deploy, rotate and monitor secrets with Vault, enforce runtime security with Falco and get real‑time alerts on policy violations.
Demonstrate “privacy‑by‑design” and “governance‑by‑design” to investors and regulators with ready‑to‑export audit reports.
Level Up - Ready to move from hands‑on governance to strategic AI oversight? Jump to the Visionary Lab for AI policy frameworks, road‑mapping and executive‑level governance.