CompALGO SDK: Algorand smart contract compliance analysis + on-chain proof anchoring
CompALGO - Algorand Smart Contract Compliance Analyzer
Static Analysis + On-Chain Proof Anchoring for Algorand Smart Contracts
SOC 2 • PCI DSS • FedRAMP • Smart Contract Security
What is CompALGO?
CompALGO is a comprehensive compliance and security toolkit for Algorand smart contracts that provides two capabilities:
1. Smart Contract Security Analysis
Analyze PyTeal and TEAL contracts for vulnerabilities and compliance issues during development with 8 policy packs covering PCI-DSS, SOC2, and security best practices.
2. Compliance Proof Anchoring
Create cryptographically verifiable compliance verdicts and anchor them immutably on the Algorand blockchain for audit trails and regulatory evidence.
Documentation
- CLI User Flows & Examples - Complete guide with step-by-step workflows
- Security Rules Reference - All P0 rules and detection logic
- Quick Start Guide - Get started in 5 minutes
Features
Proof-of-Compliance Anchoring
- Create structured compliance event objects
- Hash compliance data locally (SHA-256)
- Anchor proof hashes on Algorand via transaction notes
- Provide verifiable on-chain timestamps
- Query and verify historical proofs
- Works on testnet and mainnet (~0.001 ALGO per proof)
Smart Contract Security Analysis
- Static analysis for PyTeal and TEAL
- 15+ security rules (access control, reentrancy, overflow)
- PCI-DSS compliance for payment/DeFi apps
- Smart scoring system (0-100)
- Interactive CLI
- Export formats (JSON, HTML, Markdown)
- CI/CD ready (GitHub Actions, GitLab CI)
- 100% local: code never leaves your machine
Why Algorand?
- Immutable Proof-of-Compliance: cryptographic anchors on Layer-1
- Low-Cost, High-Frequency: enterprise scale at ~0.001 ALGO per proof
- Fast Finality: proofs verifiable in ~3.3 seconds
- Carbon Neutral: sustainable enterprise compliance
- No Bridge Risk: Layer-1 security without wrapped tokens
Algorand is not just storage; it is the trust layer for CompliLedger.
Installation
```bash
# Install CompALGO
pip install compalgo

# With interactive menu mode
pip install compalgo[interactive]

# With file watching (auto-check on save)
pip install compalgo[watch]

# Development install
git clone https://github.com/compliledger/compalgo.git
cd compalgo
pip install -e .
```
Quickstart
1. Scan a Contract
```bash
# Quick security scan with default policy
compalgo check examples/escrow.py

# Scan with specific policy and threshold
compalgo check contracts/payment.py --policy pci-dss-standard --threshold 90

# Scan entire directory
compalgo check contracts/
```
2. Generate Compliance Verdict
```bash
# Scan and create verdict JSON
compalgo check examples/escrow.py --verdict-out verdict.json

# View all available policies
compalgo list-policies
```
3. Anchor Proof on Algorand
```bash
# Set your Algorand account (testnet)
export ALGO_MNEMONIC="your 25 word mnemonic here"

# Anchor the verdict hash on Algorand blockchain
compalgo anchor --verdict verdict.json
# Output:
# Anchored! TXID: CTOE5M6ZZD...
# Explorer: https://testnet.algoexplorer.io/tx/CTOE5M6ZZD...
```
4. Verify Proof
```bash
# Verify verdict against blockchain
compalgo verify --verdict verdict.json --txid CTOE5M6ZZD...
# Output:
# VALID
```
5. Python API
```python
from compalgo import ComplianceChecker, CompliLedgerClient
from compalgo.core.verdict import build_verdict

# Scan contract
checker = ComplianceChecker(policy_pack="algorand-baseline", threshold=80)
result = checker.check_file("contract.py")

# Build compliance verdict
verdict = build_verdict(
    contract=result.file_path,
    violations=result.violations,
    framework="SOC2",
    control_id="CC6.1",
    fail_on="medium",
)

# Anchor on Algorand
client = CompliLedgerClient(
    algod_url="https://testnet-api.algonode.cloud",
    algod_token="",
    sender_mnemonic="your mnemonic",
    network="testnet",
)
anchor_result = client.mint_verdict(verdict)
print(f"TXID: {anchor_result.txid}")
print(f"Explorer: {anchor_result.explorer_url}")

# Verify
is_valid = client.verify_verdict(verdict, anchor_result.txid)
assert is_valid  # True
```
Supported Frameworks
| Framework | Controls | Use Case |
|---|---|---|
| SOC 2 | Trust Services | SaaS & Web3 infrastructure |
| PCI DSS | Payment Security | Payment & crypto custody |
| FedRAMP | Federal Baseline | Government cloud services |
| Algorand Security | Smart contracts | dApp development |
CLI Commands & User Flows
CompALGO provides a comprehensive CLI for all workflows. See CLI_USER_FLOWS.md for complete examples.
Quick Reference
```bash
# Scan contracts
compalgo check contract.py                              # Quick scan
compalgo check contracts/ --policy pci-dss-standard     # Directory scan
compalgo check contract.py --threshold 95               # Custom threshold
compalgo check contract.py --verdict-out v.json         # Generate verdict

# Export reports
compalgo report contract.py -o report.json --format json
compalgo report contract.py -o report.md --format markdown
compalgo report contract.py -o report.html --format html

# Policy management
compalgo list-policies                                  # Show all policies

# Blockchain anchoring
export ALGO_MNEMONIC="your 25 word mnemonic"
compalgo anchor --verdict verdict.json                  # Anchor on testnet
compalgo anchor --verdict v.json --network mainnet      # Anchor on mainnet

# Verification
compalgo verify --verdict verdict.json --txid TXID      # Verify proof
```
Available User Flows
- Quick Analysis Flow - Fast security scan
- Full Compliance Flow - Check -> Anchor -> Verify
- Multi-File Analysis - Scan entire projects
- Policy Comparison - Test multiple policies
- Report Generation - Export JSON/HTML/Markdown
- CI/CD Integration - GitHub Actions, GitLab CI
- Audit & Verification - Independent proof verification
See CLI_USER_FLOWS.md for complete step-by-step examples.
Available Policy Packs
Run `compalgo list-policies` to see all 9 available policy packs:
| Policy Pack | Rules | Threshold | Target |
|---|---|---|---|
| algorand-baseline ★ | 9 | 80 | Algorand-specific (PyTeal/TEAL) |
| security-baseline ★ | 10 | 75 | General security patterns (all chains) |
| pci-dss-algorand | 3 | 80 | Algorand payment subset |
| pci-dss-basic | 7 | 85 | Payment/DeFi (essential) |
| pci-dss-standard | 15 | 90 | Payment/DeFi (comprehensive) |
| pci-secure-software | 7 | 90 | Software vendors |
| pci-tokenization | 4 | 90 | Token service providers |
★ = Recommended for most Algorand projects
Compliance Verdict Examples
PCI DSS Payment Contract Analysis
```python
import os

from compalgo import ComplianceChecker, CompliLedgerClient
from compalgo.core.verdict import build_verdict

# Scan payment contract with PCI-DSS Standard policy
checker = ComplianceChecker(policy_pack="pci-dss-standard", threshold=90)
result = checker.check_file("contracts/payment_app.py")
print(f"Score: {result.score}/100")
print(f"Violations: {len(result.violations)}")

# Build compliance verdict
verdict = build_verdict(
    contract=result.file_path,
    violations=result.violations,
    framework="PCI-DSS",
    control_id="6.5.1",
    fail_on="high",
)

# If compliant, anchor proof on Algorand
if result.passed:
    client = CompliLedgerClient(
        algod_url="https://testnet-api.algonode.cloud",
        algod_token="",
        sender_mnemonic=os.getenv("ALGO_MNEMONIC"),
        network="testnet",
    )
    anchor_result = client.mint_verdict(verdict)
    print(f"Proof anchored: {anchor_result.explorer_url}")
```
SOC 2 Access Control Verification
```python
from compalgo import ComplianceChecker
from compalgo.core.verdict import build_verdict

# Check contract for SOC 2 compliance (access controls)
checker = ComplianceChecker(policy_pack="algorand-baseline", threshold=80)
result = checker.check_file("contracts/auth_contract.py")

# Build SOC 2 verdict
verdict = build_verdict(
    contract=result.file_path,
    violations=result.violations,
    framework="SOC2",
    control_id="CC6.1",  # Logical and Physical Access Controls
    fail_on="medium",
)

# Verdict includes: status, severity, rules_triggered, timestamp
print(f"Status: {verdict.status}")
print(f"Severity: {verdict.severity}")
print(f"Rules triggered: {verdict.rules_triggered}")
```
Multi-Policy Comparison
```python
from compalgo import ComplianceChecker

policies = ["algorand-baseline", "pci-dss-basic", "pci-dss-standard"]
contract = "contracts/payment.py"

for policy in policies:
    checker = ComplianceChecker(policy_pack=policy)
    result = checker.check_file(contract)
    print(f"{policy}: Score={result.score}, Passed={result.passed}")
```
Smart Contract Security Checks
Algorand-Specific Rules
Access Control
- Missing sender verification
- Unprotected admin functions
- Missing RBAC
Input Validation
- Unvalidated transaction amounts
- Missing bounds checks
- Unsafe type conversions
State Management
- Unprotected global state mutations
- Missing state existence checks
- Race conditions
Asset Security
- Unsafe asset transfers
- Missing asset freeze checks
- Clawback vulnerabilities
Payment Security (PCI-DSS)
- Forbidden data storage (CVV, PIN)
- Cardholder data exposure
- Payment input validation
- Transaction limits
- Refund mechanisms
- Audit logging
Logic & Optimization
- Reentrancy risks
- Integer overflow/underflow
- Unchecked return values
- Gas optimization
Example Security Report
```text
5 Violation(s) Found
  CRITICAL: 2 issue(s)
    • Missing sender verification in admin function
      at contracts/payment_app.py:45
      Add: Assert(Txn.sender() == Global.creator_address())
    • Cardholder data stored in global state (PCI-DSS 3.4)
      at contracts/payment_app.py:78
      Use local state or encryption
  HIGH: 3 issue(s)
    • Payment amount not validated (PCI-DSS 6.5.1)
    • Missing transaction logging
    • Potential integer overflow
  Score: 62/100 - NON COMPLIANT

42 checks passed   3 warnings   2 critical
```
Policy Packs
| Policy Pack | Status | Controls | Focus Area |
|---|---|---|---|
| algorand-baseline | Available | 15+ | PyTeal/TEAL security |
| pci-dss-algorand | Available | 7 | Payment & DeFi |
| soc2-algorand | v0.2.0 (planned) | 25+ | Trust Services |
| fedramp-algorand | v0.3.0 (planned) | 50+ | Federal security |
| iso-27001 | v0.4.0 (planned) | 114 | InfoSec mgmt |
```bash
# Use specific policy
compliledger check contracts/ --policy pci-dss-algorand

# Use multiple policies
compliledger check contracts/ --policy algorand-baseline,pci-dss-algorand
```
CI/CD Integration
GitHub Actions
```yaml
name: CompliLedger Security
on: [pull_request, push]

jobs:
  security-analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Install CompliLedger
        run: pip install compliledger-algorand

      - name: Run Security Analysis
        run: |
          compliledger check contracts/ \
            --fail-on-critical \
            --threshold 80

      - name: Anchor Proof (main branch only)
        if: github.ref == 'refs/heads/main'
        env:
          ALGORAND_MNEMONIC: ${{ secrets.ALGORAND_MNEMONIC }}
        run: |
          compliledger anchor \
            --framework SOC2 \
            --control CC6.1 \
            --status pass
```
Pre-Commit Hook
```bash
#!/bin/bash
# .git/hooks/pre-commit
echo "Running CompliLedger security analysis..."

# Fail the commit if the check exits non-zero (critical finding or score below threshold)
if ! compliledger check contracts/ --threshold 75 --fail-on-critical; then
    echo "Security check failed. Fix issues before committing."
    exit 1
fi

echo "Security check passed!"
```
Python API
Proof Anchoring API
```python
from compliledger_algorand import CompliLedgerClient

# Initialize
client = CompliLedgerClient(
    algod_url="https://testnet-api.algonode.cloud",
    algod_token="",
    sender_mnemonic="your mnemonic",
    network="testnet",
)

# Create and anchor
event = client.create_compliance_event(
    framework="SOC2",
    control_id="CC6.1",
    status="pass",
    resource="payment-service",
)
proof = client.mint_proof(event)

# Verify
is_valid = client.verify_proof(event, proof.txid)
assert is_valid

# Query history
proofs = client.query_proofs(
    framework="SOC2",
    from_date="2025-01-01",
)
```
Smart Contract Analysis API
```python
from compliledger_algorand.analyzer import ComplianceChecker

# Initialize checker
checker = ComplianceChecker(
    policy_pack="algorand-baseline",
    threshold=80,
)

# Check single file
result = checker.check_file("contracts/payment_app.py")
print(f"Score: {result.score}/100")
print(f"Violations: {len(result.violations)}")
for v in result.violations:
    print(f"{v.severity}: {v.message} at line {v.line_number}")

# Check directory
results = checker.check_directory("contracts/")

# Generate report
checker.generate_report(
    results,
    format="html",
    output_path="compliance_report.html",
)
```
How It Works
Proof Anchoring Flow
1. Developer creates compliance event
2. SDK hashes event locally (SHA-256)
3. Hash written to Algorand transaction note
4. Blockchain provides immutable timestamp
5. Anyone can verify proof on-chain
6. Original data stays private
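The flow above worked through offline, as an added example that is not CompALGO's own code: the event is serialized deterministically and hashed locally, only the digest goes into the note, and a verifier recomputes the hash from the original event. The note prefix, the sample event and its field names are constructed for this example; CompALGO's actual note layout is not described on this page.

```python
import hashlib
import hmac
import json

# Constructed note prefix for this example; CompALGO's real note layout
# is not documented on this page, so treat it as an assumption.
NOTE_PREFIX = b"compliance-proof/v1:"
ALGORAND_NOTE_LIMIT = 1024  # Algorand rejects transactions whose note exceeds 1 KiB

def canonical_bytes(event: dict) -> bytes:
    """Deterministic serialization: sorted keys, no whitespace, UTF-8.
    Without this the same event could hash differently on two machines."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def event_hash(event: dict) -> str:
    """Step 2 of the flow: hash the event locally with SHA-256."""
    return hashlib.sha256(canonical_bytes(event)).hexdigest()

def build_note(event: dict) -> bytes:
    """Step 3: the bytes placed in the transaction's note field.
    Only the digest leaves the machine; violations and evidence do not."""
    note = NOTE_PREFIX + event_hash(event).encode("ascii")
    if len(note) > ALGORAND_NOTE_LIMIT:
        raise ValueError("note exceeds Algorand's 1024-byte note limit")
    return note

def verify_note(event: dict, note: bytes) -> bool:
    """Step 5: a verifier holding the original event and the on-chain note
    recomputes the hash and compares it in constant time."""
    if not note.startswith(NOTE_PREFIX):
        return False
    expected = event_hash(event).encode("ascii")
    return hmac.compare_digest(note[len(NOTE_PREFIX):], expected)

# Constructed sample event; field names follow the verdict fields on this page.
EVENT = {
    "framework": "SOC2",
    "control_id": "CC6.1",
    "status": "pass",
    "resource": "contracts/auth_contract.py",
    "rules_triggered": [],
}

if __name__ == "__main__":
    note = build_note(EVENT)  # in CompALGO this would become the txn note
    print("note:", note.decode())
    print("verifies:", verify_note(EVENT, note))
    # Altering the local record after anchoring (e.g. flipping status) fails.
    print("tampered:", verify_note(dict(EVENT, status="fail"), note))
```

The on-chain timestamp (step 4) comes from the round the transaction was confirmed in, not from any field inside the event, so a verifier should read it from the transaction rather than trust a timestamp in the local record.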
Smart Contract Analysis Flow
1. Developer writes PyTeal/TEAL contract
2. SDK parses code (AST extraction)
3. Pattern matching against security rules
4. Severity scoring (0-100)
5. Generate actionable remediation suggestions
6. Export reports or fail CI/CD
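Steps 2 and 3 of that flow, shown for one rule from the report above ("Missing sender verification") as an added example rather than CompALGO's rule engine: the PyTeal source is parsed into a Python AST, and any function that writes global state without an `Assert` on `Txn.sender()` is flagged. The sample contract and the helper names are constructed for this example, and the rule is deliberately simplified (a real checker would also resolve subroutines and indirect checks).

```python
import ast

# Constructed PyTeal sample, not from the CompALGO project: set_fee writes
# global state without checking the caller; set_admin is guarded.
SAMPLE_CONTRACT = '''
from pyteal import *

def set_fee():
    return Seq(App.globalPut(Bytes("fee"), Btoi(Txn.application_args[1])), Approve())

def set_admin():
    return Seq(
        Assert(Txn.sender() == Global.creator_address()),
        App.globalPut(Bytes("admin"), Txn.application_args[1]),
        Approve(),
    )
'''

def _calls(func_node, predicate):
    """Yield ast.Call nodes inside func_node that satisfy predicate."""
    for node in ast.walk(func_node):
        if isinstance(node, ast.Call) and predicate(node):
            yield node

def writes_global_state(func_node: ast.FunctionDef) -> bool:
    """True if the function contains an App.globalPut(...) call."""
    return any(_calls(func_node, lambda c: isinstance(c.func, ast.Attribute)
                      and c.func.attr == "globalPut"))

def asserts_on_sender(func_node: ast.FunctionDef) -> bool:
    """True if some Assert(...) in the function references Txn.sender()."""
    return any(_calls(func_node, lambda c: isinstance(c.func, ast.Name)
                      and c.func.id == "Assert"
                      and "Txn.sender()" in ast.unparse(c)))

def find_unprotected_state_writes(source: str) -> list:
    """Simplified 'missing sender verification' rule: flag functions that
    mutate global state with no Assert on the caller. Returns (name, line)."""
    tree = ast.parse(source)
    return [(f.name, f.lineno) for f in ast.walk(tree)
            if isinstance(f, ast.FunctionDef)
            and writes_global_state(f) and not asserts_on_sender(f)]

if __name__ == "__main__":
    for name, line in find_unprotected_state_writes(SAMPLE_CONTRACT):
        print(f"CRITICAL: Missing sender verification in {name} (line {line})")
        print("  Add: Assert(Txn.sender() == Global.creator_address())")
```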
Use Cases
Compliance Proof Anchoring
- SOC 2 control checks in CI/CD
- PCI DSS evidence for Web3 payment systems
- FedRAMP audit trails
- SBOM verification
- Evidence immutability for legal workflows
- Regulator-ready reporting
Smart Contract Security
- Pre-deployment security audits
- Continuous compliance monitoring
- Payment contract PCI-DSS validation
- DeFi protocol security checks
- NFT marketplace access control verification
- Automated security in CI/CD pipelines
Roadmap
v0.1.0 (Current)
- Basic proof anchoring on Algorand
- PyTeal/TEAL static analysis
- 15+ security rules
- PCI-DSS policy pack
- Interactive CLI
- CI/CD integration
v0.2.0 (Q1 2025)
- SOC 2 policy pack for dApps
- Advanced reentrancy detection
- Box storage security checks
- State proof verification
- GitHub App integration
v0.3.0 (Q2 2025)
- FedRAMP policy pack
- Zero-knowledge proof support
- Proof-of-Compliance NFTs
- Multi-signature proof anchoring
- VS Code extension
v0.4.0 (Q3 2025)
- ISO 27001 policy pack
- AI-powered auto-fix suggestions
- Compliance marketplace
- Cross-chain proof verification
- Enterprise API service
Why 100% Local?
Your smart contract code never leaves your machine:
- No Data Leakage: code stays on your machine
- Works Offline: zero network dependency for analysis
- Deterministic: same code = same results always
- Fast: <100ms analysis vs 2-5s with cloud AI
- Free Forever: no per-check costs
- Auditable: open source, verify everything
True privacy for blockchain development.
Architecture
```text
┌────────────────────────────────────────────────────────────┐
│                 CompliLedger Algorand SDK                  │
├────────────────────────────────────────────────────────────┤
│  CLI Tool           Python API           CI Integration    │
│  compliledger       CompliLedgerClient   GitHub Actions    │
│  check/anchor       ComplianceChecker    GitLab CI         │
│  verify/report      mint_proof()         Pre-commit hooks  │
├────────────────────────────────────────────────────────────┤
│  Proof Anchoring Engine                                    │
│  Event Creator -> Hasher -> Algorand Txn -> Verifier       │
├────────────────────────────────────────────────────────────┤
│  Smart Contract Analysis Engine                            │
│  PyTeal/TEAL Parser -> AST -> Pattern Matcher -> Scorer    │
├────────────────────────────────────────────────────────────┤
│  Policy Engine                                             │
│  Rules | Severity | Evidence | Control Mapping             │
├────────────────────────────────────────────────────────────┤
│  Algorand Integration                                      │
│  Algod Client | Transaction Builder | Explorer Links       │
└────────────────────────────────────────────────────────────┘
```
Project Structure
```text
compliledger-algorand/
├── cli/                 # Command-line interface
├── client/              # Proof anchoring client
│   ├── algorand.py      # Algorand integration
│   ├── events.py        # Event creation
│   └── verification.py  # Proof verification
├── analyzer/            # Smart contract analysis
│   ├── parser.py        # PyTeal/TEAL parser
│   ├── checker.py       # Pattern matcher
│   ├── scorer.py        # Severity scoring
│   └── reporter.py      # Report generation
├── policies/            # Compliance rules
│   ├── algorand_baseline.json
│   ├── pci_dss_algorand.json
│   ├── soc2_algorand.json
│   └── fedramp_algorand.json
├── integrations/        # CI/CD plugins
│   ├── github/
│   └── gitlab/
└── tests/               # Test suite
```
Pricing
| Tier | Checks/Month | Proofs/Month | Price | Features |
|---|---|---|---|---|
| Freemium | 100 | 100 | Free | Core policies, CLI |
| Pro | 1,000 | 1,000 | $99/mo | All policies, API access |
| Enterprise | Unlimited | Unlimited | $999/mo | Custom rules, SLA, support |
Algorand transaction fees (≈0.001 ALGO per proof) are paid separately.
Contributing
We welcome contributions! See CONTRIBUTING.md for guidelines.
Areas we need help:
- Additional policy packs (ISO 27001, HIPAA, GDPR)
- Advanced PyTeal patterns
- Performance optimizations
- Documentation improvements
- Testing coverage
License
MIT License for core SDK (open-source)
Proprietary for enterprise features
See LICENSE for details.
About CompliLedger
CompliLedger is building the Proof-of-Compliance layer for Web3, combining AI agents, blockchain attestations, and smart contract security.
Algorand is our primary trust anchor.
Additional Resources
Built for the Algorand ecosystem.
If you're building on Algorand and care about compliance, we'd love your help.
File details
Details for the file compalgo-0.1.2.tar.gz.
File metadata
- Download URL: compalgo-0.1.2.tar.gz
- Upload date:
- Size: 63.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.9
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | ce335a4017148a1ba5631e8479112bc0f49a67387389215073894e0306846e53 |
| MD5 | 4b561c960e7256346ecb55445364fe17 |
| BLAKE2b-256 | 7da101a010b59283ca8600a08e02009220f2795644be417f9797066e646b01af |
File details
Details for the file compalgo-0.1.2-py3-none-any.whl.
File metadata
- Download URL: compalgo-0.1.2-py3-none-any.whl
- Upload date:
- Size: 36.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.9
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 4dff747d885f86b59f8fe2fd0ba26db75d8b1a8401e7edc2aeeb9e9c87a0853b |
| MD5 | a86e7812c68893cb10b5148ef670c429 |
| BLAKE2b-256 | 803fff2362cdfa834561476cc4ae0c0ea4efab8a3dbbed8bc4a7c18f208d4d3a |