
07. Compliance Standards: The Rules of Engagement

Status: Active / Golden Version: 1.0 (Consolidated Jan 2026)

"A formal inventory of the 'Invisible Rules'—Legal, Security, and Architectural standards that protect the platform from liability and rot."


1. The "Big 5" Compliance Frameworks

We assess the system against these five industry standards.

| ID | Domain | Standard | The Guardrail (Enforcer) |
| --- | --- | --- | --- |
| STD-FIN | Finance | GAAP/SOC2 | LedgerService Immutability Check + Audit Log. |
| STD-SEC | Security | OWASP Top 10 | safeAction Envelope + RLS (Row Level Security). |
| STD-ARC | Architecture | Clean Architecture | depcruise (Toxic Import) + Client/Server Separation. |
| STD-PRI | Privacy | GDPR/CCPA | PII Isolation + "Right to Delete" Protocols. |
| STD-ACC | Accessibility | WCAG 2.1 AA | eslint-plugin-jsx-a11y + Automated Lighthouse scans. |

2. STD-ARC: Architectural Integrity (Client/Server)

Risk: Leaking secrets to the browser or trusting client-side logic (The "God Mode" Hack).

Rule A: The "Red Line" (Network Boundary)

  • Logic Location: ALL business logic lives in packages/modules/*.
  • UI Location: ALL UI lives in apps/platform.
  • The Bridge: src/actions/* is the ONLY allowed crossing point.

Rule B: The "No-Trust" Client

  • Never import a Service/Repository directly into a Client Component (.tsx).
  • Guardrail: audit:imports (Dependency Cruiser) fails the build if src/app/** imports packages/modules/** directly. It must go through src/actions.

3. STD-FIN: Financial Integrity

Risk: Embezzlement, Fraud, or "Broken Books".

Rule A: Immutability

  • Concept: Once a Journal Entry (je_*) is posted, it cannot be deleted.
  • Correction: Errors are fixed by posting a "Reverse Entry" (General Journal).
  • Guardrail: LedgerService.delete() throws a Runtime Error. (To be implemented).

Rule B: The Audit Trail

  • Concept: Every mutation (Create/Update) writes a parallel record to system_audit_log.
  • Guardrail: BaseRepository automatically writes to system_audit_log in the same atomic batch. Use scripts/audit-logs.ts to verify coverage.
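As an added example (not the project's LedgerService or BaseRepository), Rules A and B above in TypeScript: posted entries can only be reversed, never deleted, and the audit record is written in the same batch as the entry. The type, class and method names are assumptions for illustration.

```typescript
// Added example, not the project's own LedgerService: an in-memory ledger that
// enforces Rule A (no deletes; corrections are reverse entries) and Rule B
// (the audit record is written in the same batch as the entry).
// Type and method names below are assumptions for illustration.

type Line = { account: string; debit: number; credit: number };
type JournalEntry = { id: string; lines: Line[]; actorId: string; reverses?: string };
type AuditRecord = { action: "create"; entityId: string; actorId: string };

class Ledger {
  private entries = new Map<string, JournalEntry>();
  private auditLog: AuditRecord[] = [];
  private seq = 0;

  // Post a balanced entry. All validation runs before any write, so the entry
  // and its audit record are either both recorded or neither is (one batch).
  post(lines: Line[], actorId: string, reverses?: string): JournalEntry {
    const debit = lines.reduce((s, l) => s + l.debit, 0);
    const credit = lines.reduce((s, l) => s + l.credit, 0);
    if (lines.length === 0 || debit !== credit) throw new Error("entry does not balance");
    const entry: JournalEntry = { id: `je_${++this.seq}`, lines, actorId };
    if (reverses) entry.reverses = reverses;
    this.entries.set(entry.id, entry);
    this.auditLog.push({ action: "create", entityId: entry.id, actorId });
    return entry;
  }

  // Rule A: fix a mistake by posting the mirror image of the original entry.
  reverse(id: string, actorId: string): JournalEntry {
    const original = this.entries.get(id);
    if (!original) throw new Error(`unknown entry ${id}`);
    const mirrored = original.lines.map((l) => ({ account: l.account, debit: l.credit, credit: l.debit }));
    return this.post(mirrored, actorId, id);
  }

  // Rule A guardrail: deletion is never a valid operation on a posted entry.
  delete(_id: string): never {
    throw new Error("STD-FIN: journal entries are immutable; post a reverse entry instead");
  }
  // Net debit balance of one account across every posted entry.
  balance(account: string): number {
    let total = 0;
    for (const e of this.entries.values())
      for (const l of e.lines) if (l.account === account) total += l.debit - l.credit;
    return total;
  }
  entryCount(): number { return this.entries.size; }
  auditCount(): number { return this.auditLog.length; }
}
```

Running a coverage check like scripts/audit-logs.ts against this model amounts to asserting that entryCount() and auditCount() never diverge.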

4. STD-SEC: Security (OWASP)

Risk: Data Theft, Ransomware.

Rule A: Authorization (ReBAC)

  • Concept: We do not use simple RBAC (Admin vs User). We use ReBAC (Relationship-Based Access Control).
  • Assertion: "I can confirm this invoice because I am the Treasurer of This Building."
  • Guardrail: Every Server Action MUST call requireUser() and verify context before fetching data.

Rule B: Input Sanitization

  • Guardrail: All Server Actions must use Zod Codecs.
    • Input: Schema.parse(input) (strips extra fields).
    • Output: DTO.parse(output) (strips internal secrets).

5. STD-PRI: Privacy (GDPR)

Risk: Major Legal Fines + Loss of Trust.

Rule A: Data Minimization

  • Concept: Don't query fields you don't need.
  • Guardrail: GraphQL/Firestore Projections.

Rule B: The "Forget Me" Paradox

  • Conflict: GDPR says "Delete me". GAAP says "Keep financial records for 7 years".
  • Resolution: We "Soft Delete" (Anonymize) PII in the Directory, but keep the actorId reference in the Ledger.

6. STD-ACC: Accessibility

Risk: Discrimination Lawsuits + Poor UX.

Rule A: Semantic HTML

  • Concept: Use <button>, not <div onClick>.
  • Guardrail: ESLint A11y plugin is active.

Rule B: Keyboard Navigation

  • Concept: Every interactive element must be reachable via Tab.
  • Guardrail: Playwright Accessibility Scan (axe-core).