feat: legal compliance remediation#290
Merged
Merged
Conversation
…license scanning Phase 1: Critical legal compliance - Add SPDX-License-Identifier + copyright header to all 156 source files - Implement first-run privacy disclosure (one-time notice on first TTY session) - Add ToS notice to login flow (shown before GitHub OAuth) - Add LIA URL to `archgate telemetry status` output Phase 2: Documentation - Update telemetry.mdx with legal basis, retention table, data subject rights - Update privacy-policy.mdx with controller info, retention, ToS link, CCPA - Switch docs site PostHog to cookieless tracking (persistence: "memory") Phase 3: Engineering - Add scripts/check-licenses.ts — automated dependency license audit - Add scripts/add-spdx-headers.ts — one-time SPDX header insertion tool - Add "license:check" script to package.json All 738 tests pass, all 24 ADR rules pass, build compiles. Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
Deploying archgate-cli with
|
| Latest commit: |
b72e86c
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://bfeae80f.archgate-cli.pages.dev |
| Branch Preview URL: | https://legal-compliance-remediation.archgate-cli.pages.dev |
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
- Cite LGPD Art. 7, IX c/c Art. 10 alongside GDPR Art. 6(1)(f) as legal basis - Add ANPD as complaint authority for Brazilian users - Link to PT-BR privacy policy for full LGPD rights (Art. 18) Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…tibility) ADRs with rules - LEGAL-001: Enforces SPDX-License-Identifier header in all src/ and tests/ .ts files - LEGAL-002: Verifies all dependencies use Apache-2.0-compatible licenses Both ADRs include companion .rules.ts files for automated CI enforcement. The `legal` domain now governs open-source licensing compliance. Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
…ample rules Add reusable example documentation for the two LEGAL-domain rules so other Archgate users can adopt them in their own projects: - spdx-license-headers: enforce per-file SPDX-License-Identifier headers - license-compatibility: verify dependency licenses against a permissive allowlist Both examples include EN + PT-BR translations with customization guidance. Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
The no-copyleft-deps rule now globs node_modules/*/package.json and node_modules/@*/*/package.json to check ALL installed packages (direct and transitive), not just the ones listed in package.json. This catches copyleft licenses that may be introduced deep in the dependency tree. Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
…rs it The LEGAL-002 archgate rule now recursively scans all node_modules packages (direct + transitive), making scripts/check-licenses.ts redundant. Removed the script and the package.json license:check entry. Also updated ADR text and example docs to reflect the rule-only approach. Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…mplementation Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Full legal compliance remediation addressing all gaps identified in a comprehensive audit of the CLI, website, telemetry, and Plugins Service.
// SPDX-License-Identifier: Apache-2.0+ copyright to all 156 source/test filesarchgate telemetry statusnow links to the Legitimate Interest Assessmentpersistence: "memory"— no cookies or localStoragebun run license:checkscript validates all 365 dependency licenses against an Apache-2.0-compatible allowlistscripts/add-spdx-headers.tsfor future filesCompanion PR
Legal decisions
persistence: "memory")Test plan
bun run validatepasses (lint, typecheck, format, 738 tests, 24 ADR rules, knip, build)bun run license:checkpasses (365 packages, all permissive)archgate telemetry statusshows LIA URLarchgate loginshows ToS URL before OAuth flow