Self-hostable web application for browsing the compliance catalog, composing jurisdiction profiles, and viewing assessment results.
v0 — pre-release; Phase 3, target Aug 2026
DISCLAIMER
This toolkit is software. It identifies potential compliance gaps in code and provides runtime technical controls. It does not constitute legal advice and does not guarantee regulatory compliance. It does not appoint Data Protection Officers, execute Data Processing Agreements, conduct Privacy Impact Assessments, certify compliance with any law or standard, or replace organizational policy, legal counsel, staff training, or incident response processes.
Compliance with applicable laws — including but not limited to PIPEDA, Quebec Law 25, GDPR, CCPA/CPRA, CASL, and applicable AI regulations — is the responsibility of your organization and its qualified advisors. Outputs from this toolkit are technical findings, not legal determinations. Always engage qualified legal counsel for compliance decisions.
compliance-browser is licensed under the GNU Affero General Public License v3.0.
If you modify this application and make it available over a network — including hosting it as part of a commercial product — AGPL §13 requires you to make your modified source available to users. This is intentional: compliance-critical user interfaces should remain open. Modifications improve the commons.
See compliance-enforce for the same rationale applied to the sidecar service.
Every deployed page of this application must render a visible "Source" link pointing to:
This requirement is enforced as Phase 3 acceptance gate P3-G06. PRs that remove, hide, or conditionally suppress this link will not be merged.
Implementation: a shared <SourceLink /> component is placed in the application layout. It must render on every route. See CLAUDE.md for the technical requirement.
compliance-browser is a static-export Next.js web application. It provides:
- Catalog browser — navigate the
compliance-catalogOSCAL control library by jurisdiction, regulation, and control ID. - Profile composer — select regulations and build a custom jurisdiction profile (e.g., PIPEDA + Law 25 + CASL for a Quebec-based SaaS).
- Assessment results viewer — upload or link OSCAL Assessment Results and SARIF files from
compliance-assessand view findings in a readable interface.
| Component | Choice |
|---|---|
| Framework | Next.js 15+ (App Router) |
| Language | TypeScript (strict) |
| Styling | Tailwind CSS |
| Rendering | Static export (output: 'export') — no server runtime |
| Hosting | Vercel (SSG); see docs/deployment/hosting-decision.md |
| Linting | ESLint + Prettier |
Static export means every page is pre-rendered to HTML at build time. There is no Next.js server runtime in production. Dynamic data (catalog updates) is consumed at build time from the compliance-catalog repo.
Default deployment targets Vercel static hosting. For self-hosting, the out/ directory produced by next build is a standard static site compatible with any CDN or web server.
See docs/deployment/hosting-decision.md for the full hosting decision record.
vercel.json at the repo root configures HTTP security headers applied to every route on Vercel:
| Header | Value |
|---|---|
Content-Security-Policy |
default-src 'self'; img-src 'self' data:; … (see file for full value) |
Strict-Transport-Security |
max-age=63072000; includeSubDomains; preload |
X-Content-Type-Options |
nosniff |
X-Frame-Options |
DENY |
Referrer-Policy |
strict-origin-when-cross-origin |
Permissions-Policy |
camera=(), microphone=(), geolocation=(), payment=() |
First-deploy note: on the first deploy after adding the CSP, switch the Content-Security-Policy key to Content-Security-Policy-Report-Only to verify Next.js 16 inline scripts are not blocked. Flip back to enforcing once confirmed. The comment in vercel.json records this guidance.
To add or change a header, edit vercel.json and redeploy. Do not add headers via next.config.ts; they are silently ignored for output: 'export' builds.
Licensed under AGPL-3.0. See "Why AGPL-3.0?" above. The compliance catalog consumed by this application is CC-BY-4.0 (see compliance-catalog).