Skip to content

arkoinc-ca/compliance-enforce

Repository files navigation

compliance-enforce

Sidecar service for PII scrubbing, DSR intake, consent ledger, retention scheduling, structured audit emission, and bias-math APIs.

Status License

v0 — pre-release; targets Phase 5, Q4 2026


DISCLAIMER

This toolkit is software. It identifies potential compliance gaps in code and provides runtime technical controls. It does not constitute legal advice and does not guarantee regulatory compliance. It does not appoint Data Protection Officers, execute Data Processing Agreements, conduct Privacy Impact Assessments, certify compliance with any law or standard, or replace organizational policy, legal counsel, staff training, or incident response processes.

Compliance with applicable laws — including but not limited to PIPEDA, Quebec Law 25, GDPR, CCPA/CPRA, CASL, and applicable AI regulations — is the responsibility of your organization and its qualified advisors. Outputs from this toolkit are technical findings, not legal determinations. Always engage qualified legal counsel for compliance decisions.


Why AGPL-3.0?

compliance-enforce is licensed under the GNU Affero General Public License v3.0.

The AGPL extends the GPL's copyleft to network use: if you modify this service and make it available over a network (including as a hosted SaaS product), you must make your modified source code available to users of that service (AGPL §13). This requirement is intentional. It ensures that operators who build on this enforcer contribute modifications back to the community, preventing proprietary forks of compliance-critical code.

Client SDKs (Python, TypeScript, Go, Java, .NET) that call the sidecar over HTTP/gRPC will be Apache-2.0 or MIT — only the sidecar service itself is AGPL. See compliance-catalog (CC-BY-4.0) and compliance-assess (Apache-2.0) for non-copyleft components.


What it does

compliance-enforce is a deployable HTTP/gRPC sidecar. Integrate it alongside your application to add technical compliance controls at runtime without modifying your core service logic.

Endpoint group Function
/v1/scrub-pii PII detection and redaction via Microsoft Presidio
/v1/audit/event Structured audit-event emission (structlog → your SIEM/log sink)
/v1/dsr/* Data subject request intake, routing, and status tracking
/v1/consent/* Consent receipt storage, lookup, and withdrawal recording
/v1/retention/check Retention-window enforcement against configured schedules
/v1/bias/four-fifths 4/5ths rule bias quantification for NYC LL144 and similar
/v1/policy/evaluate OPA/Rego policy evaluation for custom compliance rules

What it does NOT do

  • Does not transform consent receipts into legal sufficiency — consent legality is a legal determination.
  • Does not certify or attest compliance with any regulation.
  • Does not eliminate your organization's obligation to appoint a DPO, execute DPAs, or conduct PIAs.
  • Does not perform the independent external bias audit required by NYC Local Law 144 (DCWP §5-300–304) — external auditors only.

Architecture

compliance-enforce
├── HTTP/gRPC service boundary
├── Policy engine: OPA/Rego (policy rules as code)
├── PII engine: Microsoft Presidio (detection + redaction)
├── Fairness engine: Fairlearn (4/5ths rule math)
├── Audit emitter: structlog → OpenTelemetry collector
└── Storage adapters: pluggable (SQLite default; Postgres for production)

Language decision: Python or Go. This is locked in decisions/0005-enforcer-language.md (authored at the project root, not in this repo) at the start of Phase 5 (Week 1). When this repo is split out to github.com/arkoinc-ca/compliance-enforce, the canonical link will be https://github.com/arkoinc-ca/compliance-toolkit/blob/main/decisions/0005-enforcer-language.md. Do not begin implementation work before that decision record exists.


Planned SDKs

Client SDKs (Apache-2.0 / MIT) are planned for:

  • Python
  • TypeScript / JavaScript
  • Go
  • Java
  • .NET (C#)

SDK repositories will be created under arkoinc-ca in Phase 5.


Quickstart (v0 foundation)

Language decision is now locked: Python 3.11+ asyncio + FastAPI (see decisions/0005-enforcer-language.md).

pip install -e ".[dev]"
compliance-enforce              # starts HTTP server on 0.0.0.0:8888

# Or with uv:
uv sync && uv run compliance-enforce

Available endpoints (foundation)

Method Path Description
GET /healthz Liveness probe
GET /v1/info Service metadata + source URL
GET /metrics Prometheus metrics
GET /openapi.json OpenAPI 3.x spec

Configuration

Env var Default Description
COMPLIANCE_ENFORCE_SOURCE_URL GitHub URL AGPL §13 source-link header
COMPLIANCE_ENFORCE_STATE_BACKEND memory State backend: memory / postgres / redis
COMPLIANCE_ENFORCE_HOST 0.0.0.0 Bind host
COMPLIANCE_ENFORCE_PORT 8888 Bind port

Export OpenAPI spec

python scripts/export_openapi.py   # writes openapi.json to repo root

Running tests

pip install -e ".[dev]"
pytest -q
mypy src
ruff check src tests

License

Licensed under AGPL-3.0. See the "Why AGPL-3.0?" section above. Client SDKs will carry permissive licenses (Apache-2.0 or MIT).

About

Sidecar service: PII scrubbing, DSR intake, consent ledger, retention scheduling, audit emission, bias math. AGPL-3.0.

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors