Skip to content

feat: legal compliance remediation#290

Merged
rhuanbarreto merged 17 commits into
mainfrom
legal/compliance-remediation
May 10, 2026
Merged

feat: legal compliance remediation#290
rhuanbarreto merged 17 commits into
mainfrom
legal/compliance-remediation

Conversation

@rhuanbarreto

Copy link
Copy Markdown
Contributor

Summary

Full legal compliance remediation addressing all gaps identified in a comprehensive audit of the CLI, website, telemetry, and Plugins Service.

  • SPDX headers: Added // SPDX-License-Identifier: Apache-2.0 + copyright to all 156 source/test files
  • First-run privacy notice: One-time disclosure shown on first interactive CLI session (TTY, non-CI, telemetry enabled)
  • ToS in login flow: Users see the Terms of Service URL before GitHub OAuth
  • LIA link in telemetry status: archgate telemetry status now links to the Legitimate Interest Assessment
  • Telemetry docs: Updated with legal basis section, retention table (1 year), data subject rights, reverse proxy transparency
  • Privacy docs: Updated with data controller (Dasolve AS), CCPA, ToS reference, subprocessor info
  • Cookieless PostHog: Docs site switched to persistence: "memory" — no cookies or localStorage
  • License scanning: New bun run license:check script validates all 365 dependency licenses against an Apache-2.0-compatible allowlist
  • SPDX script: scripts/add-spdx-headers.ts for future files

Companion PR

  • archgate/website — Terms of Service, Legitimate Interest Assessment, Privacy Policy updates

Legal decisions

Decision Choice
Consent model Opt-out + published Legitimate Interest Assessment (GDPR Art. 6(1)(f))
PostHog retention 1 year
Website tracking Cookieless (persistence: "memory")
Jurisdiction Norway (defendant's domicile)
Data controller Dasolve AS (Org.nr 936 035 019)

Test plan

  • bun run validate passes (lint, typecheck, format, 738 tests, 24 ADR rules, knip, build)
  • bun run license:check passes (365 packages, all permissive)
  • First-run notice appears once on fresh install, never again after
  • archgate telemetry status shows LIA URL
  • archgate login shows ToS URL before OAuth flow
  • Docs site PostHog sends no cookies (verify in DevTools → Application → Cookies)

…license scanning

Phase 1: Critical legal compliance
- Add SPDX-License-Identifier + copyright header to all 156 source files
- Implement first-run privacy disclosure (one-time notice on first TTY session)
- Add ToS notice to login flow (shown before GitHub OAuth)
- Add LIA URL to `archgate telemetry status` output

Phase 2: Documentation
- Update telemetry.mdx with legal basis, retention table, data subject rights
- Update privacy-policy.mdx with controller info, retention, ToS link, CCPA
- Switch docs site PostHog to cookieless tracking (persistence: "memory")

Phase 3: Engineering
- Add scripts/check-licenses.ts — automated dependency license audit
- Add scripts/add-spdx-headers.ts — one-time SPDX header insertion tool
- Add "license:check" script to package.json

All 738 tests pass, all 24 ADR rules pass, build compiles.

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented May 10, 2026

Copy link
Copy Markdown

Deploying archgate-cli with  Cloudflare Pages  Cloudflare Pages

Latest commit: b72e86c
Status: ✅  Deploy successful!
Preview URL: https://bfeae80f.archgate-cli.pages.dev
Branch Preview URL: https://legal-compliance-remediation.archgate-cli.pages.dev

View logs

rhuanbarreto and others added 16 commits May 10, 2026 20:27
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
- Cite LGPD Art. 7, IX c/c Art. 10 alongside GDPR Art. 6(1)(f) as legal basis
- Add ANPD as complaint authority for Brazilian users
- Link to PT-BR privacy policy for full LGPD rights (Art. 18)

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…tibility) ADRs with rules

- LEGAL-001: Enforces SPDX-License-Identifier header in all src/ and tests/ .ts files
- LEGAL-002: Verifies all dependencies use Apache-2.0-compatible licenses

Both ADRs include companion .rules.ts files for automated CI enforcement.
The `legal` domain now governs open-source licensing compliance.

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
…ample rules

Add reusable example documentation for the two LEGAL-domain rules so other
Archgate users can adopt them in their own projects:

- spdx-license-headers: enforce per-file SPDX-License-Identifier headers
- license-compatibility: verify dependency licenses against a permissive allowlist

Both examples include EN + PT-BR translations with customization guidance.

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
The no-copyleft-deps rule now globs node_modules/*/package.json and
node_modules/@*/*/package.json to check ALL installed packages (direct
and transitive), not just the ones listed in package.json. This catches
copyleft licenses that may be introduced deep in the dependency tree.

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
…rs it

The LEGAL-002 archgate rule now recursively scans all node_modules
packages (direct + transitive), making scripts/check-licenses.ts
redundant. Removed the script and the package.json license:check entry.

Also updated ADR text and example docs to reflect the rule-only approach.

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…mplementation

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@rhuanbarreto rhuanbarreto merged commit ac71728 into main May 10, 2026
11 checks passed
@rhuanbarreto rhuanbarreto deleted the legal/compliance-remediation branch May 10, 2026 21:35
@archgatebot archgatebot Bot mentioned this pull request May 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant