Version 1.0 (Launch Edition)
CompZ is a lightweight, open-source compliance attestation SDK designed specifically for the Zcash privacy ecosystem.
It enables:
- Input of AI or rule-based compliance results
- Deterministic normalization
- SHA-256 hashing
- Anchoring the hash onto Zcash testnet/mainnet
- Zero-knowledge-style verification without revealing compliance data
CompZ integrates cleanly with:
- CompliLedger
- COMP-LEO
- Any SBOM / SCA / Compliance engine
CompZ v1.0 includes:
- ✅ Zcash attestation module
- ✅ ComplianceResult schema
- ✅ PCI/SOC2/FedRAMP mini-rule engine
- ✅ CLI tools
- ✅ REST API Gateway
- ✅ End-to-end documentation
- ✅ Example JSON & example Zcash txids
CompZ operates in two modes to maximize accessibility and adoption:
```
+---------------------------------------------------------------+
|                        COMPZ SDK (v1.0)                       |
+---------------------------------------------------------------+
|                                                               |
|  MODE 1: DEMO MODE (Zero Setup)                               |
|  +----------------------------------------------+             |
|  | Developer's Application                      |             |
|  |   +-- pip install compz                      |             |
|  |   +-- client = CompZClient()   # No config!  |             |
|  |   +-- client.anchor(data)      # Just works  |             |
|  +----------------------+-----------------------+             |
|                         | HTTPS                               |
|                         v                                     |
|  +------------------------+                                   |
|  | CompZ Demo Gateway     | <-- Hosted by CompZ               |
|  | (api.compz.dev)        |     (Rate-limited, testnet)       |
|  |   - Zcash testnet      |                                   |
|  |   - Free tier          |                                   |
|  |   - 100 calls/hour     |                                   |
|  +------------------------+                                   |
|                                                               |
|  MODE 2: SELF-HOSTED (Production)                             |
|  +----------------------------------------------+             |
|  | Developer's Infrastructure                   |             |
|  |   +-- docker-compose up                      |             |
|  |   +-- Local Zcash node                       |             |
|  |   +-- Full control & privacy                 |             |
|  +----------------------------------------------+             |
|                                                               |
+---------------------------------------------------------------+
```
```
+-------------------------------+
|  Compliance Engine (AI/Rule)  |
+---------------+---------------+
                |
                v  compliance_result.json
        normalize_json()  ->  canonical JSON
                |
                v
        hash_compliance()
                |
                v  SHA-256 deterministic hash
        +-------+-----------+
        |  CompZ SDK Client |
        |    (Dual-Mode)    |
        +-------+-----------+
                |
     +----------+----------+
     |          |          |
 DEMO MODE  SELF-HOSTED  ENTERPRISE
     |          |          |
     v          v          v
   CompZ    Local Zcash   Private
  Gateway    (Docker)      Node
 (Public,               (Full Control)
  Free)
     |          |          |
     +----------+----------+
                |
                v
  Send Zcash tx w/ memo: compz:v1:<hash>
                |
                v
           return txid
                |
                v
   verify_against_tx(txid, json)
                |
                v
    VALID / INVALID PROOF CHECK
```
| Feature | Demo Mode | Self-Hosted | Enterprise |
|---|---|---|---|
| Setup Time | 30 seconds | 30 minutes | 1-2 hours |
| Infrastructure | None needed | Docker | Custom VPS |
| Network | Testnet only | Test/Mainnet | Mainnet |
| Rate Limits | 100/hour | Unlimited | Unlimited |
| Privacy | Gateway sees data | Full privacy | Full privacy |
| Cost | Free | $0.001/tx | $0.001/tx |
| Best For | Testing, demos | Development | Production |
Must be deterministic and schema-safe.
CompZ uses canonical JSON:
- Sorted keys (recursive)
- Remove empty/null fields
- UTF-8 NFC normalized
- No whitespace
- No timestamp drift
- Remove UI/debug fields
`sha256(normalized_json).hex()`
Prefixed as:
`0x<hash>`
```python
from typing import List

from pydantic import BaseModel


class ComplianceResult(BaseModel):
    repo_id: str
    commit_hash: str
    frameworks: List[str]
    control_evaluations: List[dict]  # id/pass/reason
    risk_score: float
    timestamp: str  # ISO 8601
```
- Canonical JSON
- Stable key ordering
- Remove empty fields
- Remove `_ui`, `_internal`, `_debug` fields
- UTF-8 strict encoding

- SHA-256 of normalized JSON
- Returns hex string
- Used for anchoring + verification
Supports:
- Zcashd RPC
- Lightwalletd gRPC
Functions:
send_transaction_with_memo(memo)
get_memo_by_txid(txid)
Features:
- Transparent pool
- Testnet by default
- Valid memo encoding (≤ 512 bytes)
Pipeline:
- Normalize
- Hash
- Memo: `compz:v1:<hash>`
- Send Zcash transaction
- Return `{hash, txid, network, timestamp}`
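Added example (not the project's own normalize.py, hash.py or verify.py) walking the pipeline above and the verify steps that follow: canonical JSON, SHA-256, the `compz:v1:<hash>` memo with its 512-byte limit, and the local-vs-on-chain hash comparison. The sample result is constructed; fetching the memo by txid from a Zcash node is left out so the example runs offline.

```python
import hashlib
import json
import unicodedata

MEMO_PREFIX = "compz:v1:"
MEMO_LIMIT_BYTES = 512  # Zcash memo limit stated on this page
DROP_PREFIXES = ("_ui", "_internal", "_debug")

def normalize_json(obj):
    """Recursive key sort, drop null/empty and _ui/_internal/_debug fields, NFC strings."""
    if isinstance(obj, dict):
        out = {}
        for key in sorted(obj):
            val = normalize_json(obj[key])
            if key.startswith(DROP_PREFIXES) or val is None or val in ("", [], {}):
                continue  # dropped, so it cannot influence the hash
            out[key] = val
        return out
    if isinstance(obj, list):
        return [normalize_json(v) for v in obj if v is not None]
    if isinstance(obj, str):
        return unicodedata.normalize("NFC", obj)
    return obj  # numbers / booleans pass through unchanged

def hash_compliance(obj):
    # separators=(",", ":") removes all whitespace; ensure_ascii=False keeps raw UTF-8
    canon = json.dumps(normalize_json(obj), sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def build_memo(obj):
    memo = MEMO_PREFIX + hash_compliance(obj)  # 9 + 64 = 73 bytes, well under the limit
    if len(memo.encode("utf-8")) > MEMO_LIMIT_BYTES:
        raise ValueError("memo exceeds Zcash memo limit")
    return memo

def verify_against_memo(obj, memo):
    """Verify steps: recompute local hash, extract on-chain hash from the memo, compare."""
    local = hash_compliance(obj)
    if not memo.startswith(MEMO_PREFIX):
        return {"valid": False, "reason": "bad memo prefix", "local_hash": local, "onchain_hash": None}
    onchain = memo[len(MEMO_PREFIX):]
    return {"valid": local == onchain, "reason": "ok" if local == onchain else "hash mismatch",
            "local_hash": local, "onchain_hash": onchain}

# Constructed sample result (not a real audit); _debug, null fields and key order must not change the hash.
RESULT = {"timestamp": "2025-01-01T00:00:00Z", "repo_id": "example/repo", "commit_hash": "0000000",
          "frameworks": ["PCI DSS"], "risk_score": 0.2, "notes": None,
          "control_evaluations": [{"id": "PCI 8.2", "pass": True, "reason": "mfa on"}],
          "_debug": {"elapsed_ms": 42}}
```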
Steps:
- Recompute normalized hash
- Fetch tx from Zcash
- Extract memo
- Compare
- Return:
```json
{
  "valid": true,
  "local_hash": "...",
  "onchain_hash": "...",
  "txid": "..."
}
```
Rule engine for:
- PCI DSS
- SOC2 Security
- FedRAMP Moderate
Outputs:
```json
{
  "framework": "...",
  "total_controls": n,
  "passed": x,
  "failed": y,
  "controls": [...]
}
```
Merged into ComplianceResult.
| Control | Validation |
|---|---|
| PCI 1.1.1 | firewall_rules exists |
| PCI 2.2 | secure_defaults == true |
| PCI 3.4 | encryption.enabled == true |
| PCI 8.2 | mfa.enabled |
| PCI 10.2 | logging.enabled |
| Control | Validation |
|---|---|
| CC1.1 | access_policies exists |
| CC3.2 | risk.assessment exists |
| CC6.1 | change_control.process exists |
| CC7.1 | monitoring.enabled |
| CC8.1 | dr_plan exists |
| Control | Validation |
|---|---|
| AC-2 | accounts.managed == true |
| AC-3 | access_controls.enforced |
| AU-2 | audit.events_defined |
| AU-6 | audit.review_process |
| CM-2 | config.baseline exists |
| CM-6 | config.settings exists |
| SC-13 | crypto.enabled |
| SI-2 | vuln.scanning_enabled |
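A minimal evaluator for the three control tables above, added here as an example and not the project's evaluator.py. Control ids and config paths come from the tables; the three check kinds (`exists`, strict `== true`, and plain truthiness for the bare `x.enabled` rows) and the sample config are assumptions.

```python
RULES = {  # (control id, dotted config path, check kind) taken from the tables above
    "PCI DSS": [("PCI 1.1.1", "firewall_rules", "exists"), ("PCI 2.2", "secure_defaults", "true"),
                ("PCI 3.4", "encryption.enabled", "true"), ("PCI 8.2", "mfa.enabled", "truthy"),
                ("PCI 10.2", "logging.enabled", "truthy")],
    "SOC2 Security": [("CC1.1", "access_policies", "exists"), ("CC3.2", "risk.assessment", "exists"),
                      ("CC6.1", "change_control.process", "exists"),
                      ("CC7.1", "monitoring.enabled", "truthy"), ("CC8.1", "dr_plan", "exists")],
    "FedRAMP Moderate": [("AC-2", "accounts.managed", "true"), ("AC-3", "access_controls.enforced", "truthy"),
                         ("AU-2", "audit.events_defined", "truthy"), ("AU-6", "audit.review_process", "truthy"),
                         ("CM-2", "config.baseline", "exists"), ("CM-6", "config.settings", "exists"),
                         ("SC-13", "crypto.enabled", "truthy"), ("SI-2", "vuln.scanning_enabled", "truthy")],
}

def lookup(config, path):
    """Resolve a dotted path such as 'encryption.enabled'; None if any hop is missing."""
    cur = config
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def check(config, path, kind):
    val = lookup(config, path)
    if kind == "exists":
        return val is not None
    if kind == "true":
        return val is True   # strict: the string "true" or the int 1 does not pass
    return bool(val)         # truthy: present and not False/empty

def evaluate(config, framework):
    """Return the per-framework output shape shown on this page."""
    controls = [{"id": cid, "pass": check(config, path, kind), "reason": f"{path} {kind}"}
                for cid, path, kind in RULES[framework]]
    passed = sum(1 for c in controls if c["pass"])
    return {"framework": framework, "total_controls": len(controls),
            "passed": passed, "failed": len(controls) - passed, "controls": controls}

# Constructed sample config with two deliberate PCI failures.
CONFIG = {
    "firewall_rules": ["deny all inbound"],
    "secure_defaults": True,
    "encryption": {"enabled": "yes"},  # string, not bool -> PCI 3.4 fails under strict == true
    "mfa": {"enabled": True},
    "logging": {},                     # logging.enabled missing -> PCI 10.2 fails
}
```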
Runs evaluator. Returns ComplianceResult.
Runs CompZ Anchor.
Returns {hash, txid}.
Verifies using JSON + txid.
Returns {valid, reason, hash, onchain_hash}.
Health indicator.
Anchors compliance JSON to Zcash testnet.
Verifies JSON against on-chain memo.
Requirements:
- VPS: 2 vCPU, 4GB RAM, 100GB SSD (~$10-20/month)
- Docker & Docker Compose
- Domain name (e.g., api.compz.dev)
- SSL certificate (Let's Encrypt)
Components:
- Zcash testnet node (zcashd in Docker)
- FastAPI gateway service
- Redis (rate limiting)
- Nginx (reverse proxy + SSL)
Setup Time: 1-2 hours (excluding node sync)
Requirements:
- Docker & Docker Compose
- 50-100GB storage
- Environment variables
Setup:
```sh
docker-compose up -d
# Wait for sync (2-4 hours)
# Configure .env file
# Ready to use
```
- ✅ Project structure setup
- ✅ Core models (Pydantic schemas)
- ✅ normalize.py (canonical JSON)
- ✅ hash.py (SHA-256)
- ✅ Basic tests
- ✅ CompZ client (dual-mode logic)
- ✅ Zcash RPC client (self-hosted mode)
- ✅ Demo mode stubs
- ✅ VPS setup (start node sync)
- ✅ FastAPI gateway service
- ✅ Rate limiting & security
- ✅ Docker Compose setup
- ✅ Deploy to VPS
- ✅ CLI tools (compz-anchor, compz-verify)
- ✅ Example scripts
- ✅ Documentation
- ✅ PyPI packaging
- ✅ End-to-end testing
- ✅ Demo video/screenshots
- ✅ Launch checklist
- ✅ Public GitHub repo
- ✅ Functional CompZ SDK
- ✅ Working CLI
- ✅ Example compliance JSON
- ✅ PCI/SOC2/FedRAMP rule sets
- ✅ Zcash testnet txids
- ✅ API docs
- ✅ Demo script
- Web UI
- Docker images
- Integration testing suite
| Risk | Mitigation |
|---|---|
| Zcash RPC downtime | Use trusted public testnet RPC providers |
| Memo parsing issues | Use strict compz:v1:<hash> format |
| Hash mismatch | Freeze canonical JSON logic |
| Zcash fees | Use dust outputs & testnet faucet |
| Short timelines | Limit controls to small, verifiable set |
Build CompZ as a standalone, open-source SDK with:
- normalize.py
- hash.py
- evaluator.py
- zcash_client.py
- anchor.py
- verify.py
- CLI tools
- Example JSON
Pipeline: Evaluator → normalize → hash → anchor (Zcash) → verify
Must be deterministic, stable, minimal, and Zcash-focused.