Skip to content

arkoinc-ca/compliance-browser

Repository files navigation

compliance-browser

Self-hostable web application for browsing the compliance catalog, composing jurisdiction profiles, and viewing assessment results.

Status License

v0 — pre-release; Phase 3, target Aug 2026


DISCLAIMER

This toolkit is software. It identifies potential compliance gaps in code and provides runtime technical controls. It does not constitute legal advice and does not guarantee regulatory compliance. It does not appoint Data Protection Officers, execute Data Processing Agreements, conduct Privacy Impact Assessments, certify compliance with any law or standard, or replace organizational policy, legal counsel, staff training, or incident response processes.

Compliance with applicable laws — including but not limited to PIPEDA, Quebec Law 25, GDPR, CCPA/CPRA, CASL, and applicable AI regulations — is the responsibility of your organization and its qualified advisors. Outputs from this toolkit are technical findings, not legal determinations. Always engage qualified legal counsel for compliance decisions.


Why AGPL-3.0?

compliance-browser is licensed under the GNU Affero General Public License v3.0.

If you modify this application and make it available over a network — including hosting it as part of a commercial product — AGPL §13 requires you to make your modified source available to users. This is intentional: compliance-critical user interfaces should remain open. Modifications improve the commons.

See compliance-enforce for the same rationale applied to the sidecar service.


CRITICAL: AGPL §13 source-link compliance

Every deployed page of this application must render a visible "Source" link pointing to:

https://github.com/arkoinc-ca/compliance-browser

This requirement is enforced as Phase 3 acceptance gate P3-G06. PRs that remove, hide, or conditionally suppress this link will not be merged.

Implementation: a shared <SourceLink /> component is placed in the application layout. It must render on every route. See CLAUDE.md for the technical requirement.


What it does

compliance-browser is a static-export Next.js web application. It provides:

  • Catalog browser — navigate the compliance-catalog OSCAL control library by jurisdiction, regulation, and control ID.
  • Profile composer — select regulations and build a custom jurisdiction profile (e.g., PIPEDA + Law 25 + CASL for a Quebec-based SaaS).
  • Assessment results viewer — upload or link OSCAL Assessment Results and SARIF files from compliance-assess and view findings in a readable interface.

Tech stack

Component Choice
Framework Next.js 15+ (App Router)
Language TypeScript (strict)
Styling Tailwind CSS
Rendering Static export (output: 'export') — no server runtime
Hosting Vercel (SSG); see docs/deployment/hosting-decision.md
Linting ESLint + Prettier

Static export means every page is pre-rendered to HTML at build time. There is no Next.js server runtime in production. Dynamic data (catalog updates) is consumed at build time from the compliance-catalog repo.


Hosting

Default deployment targets Vercel static hosting. For self-hosting, the out/ directory produced by next build is a standard static site compatible with any CDN or web server.

See docs/deployment/hosting-decision.md for the full hosting decision record.

Security headers

vercel.json at the repo root configures HTTP security headers applied to every route on Vercel:

Header Value
Content-Security-Policy default-src 'self'; img-src 'self' data:; … (see file for full value)
Strict-Transport-Security max-age=63072000; includeSubDomains; preload
X-Content-Type-Options nosniff
X-Frame-Options DENY
Referrer-Policy strict-origin-when-cross-origin
Permissions-Policy camera=(), microphone=(), geolocation=(), payment=()

First-deploy note: on the first deploy after adding the CSP, switch the Content-Security-Policy key to Content-Security-Policy-Report-Only to verify Next.js 16 inline scripts are not blocked. Flip back to enforcing once confirmed. The comment in vercel.json records this guidance.

To add or change a header, edit vercel.json and redeploy. Do not add headers via next.config.ts; they are silently ignored for output: 'export' builds.


License

Licensed under AGPL-3.0. See "Why AGPL-3.0?" above. The compliance catalog consumed by this application is CC-BY-4.0 (see compliance-catalog).

About

Self-hostable web app: catalog browser, profile composer, assessment-results viewer. Next.js + Vercel. AGPL-3.0.

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors