CodeDocs Vault

Comp AI - Repository Analysis: Executive Summary

What Is This?

Comp AI is an open-source, AI-powered Governance, Risk, and Compliance (GRC) platform that helps organizations achieve and maintain compliance with security frameworks like SOC 2, ISO 27001, HIPAA, GDPR, and others.

The Problem It Solves

Compliance is traditionally a manual, document-heavy, expensive process. Organizations must:

Comp AI automates the majority of this work using LLMs, browser automation, cloud API scanning, and a structured workflow engine.

Target Users

Persona              How They Use It
Compliance Officers  Manage frameworks, policies, controls, evidence, and audit preparation
Security Engineers   Run cloud security scans, remediate findings, manage integrations
Auditors             Review controls, create findings, assess evidence (read-only + findings)
Employees            Complete security training, acknowledge policies (via Portal)
Contractors          Same as employees, separate role for access scoping
Vendors/Customers    View trust portal, request compliance documents, complete questionnaires

Key Capabilities

+------------------------------------------------------------------+
|                          Comp AI Platform                         |
+------------------------------------------------------------------+
|                                                                    |
|  [Policy Engine]     AI-generates and maintains security policies  |
|  [Control Tracking]  Maps controls to frameworks with evidence     |
|  [Risk Management]   Assess, score, and treat organizational risks |
|  [Cloud Security]    Scan AWS/GCP/Azure + AI-powered remediation   |
|  [Questionnaires]    RAG-powered auto-answering of security Q&A    |
|  [Vendor Management] AI risk assessment with web research          |
|  [Trust Portal]      Public compliance documentation portal        |
|  [Device Compliance] Electron agent for endpoint compliance        |
|  [Audit Workflow]    Findings, evidence, SOA management            |
|  [Integrations]      30+ cloud/SaaS service connectors             |
|  [Browser Automation] Stagehand-powered automated evidence tasks   |
|                                                                    |
+------------------------------------------------------------------+

Tech Stack At a Glance

Layer               Technology
Frontend            Next.js 16, React 19, TailwindCSS 4, Radix UI
Backend API         NestJS 11, TypeScript
Database            PostgreSQL + Prisma 7.6, pgvector for embeddings
Auth                Better Auth (session-based, cross-subdomain cookies)
AI/LLM              Vercel AI SDK, OpenAI (GPT-5/4o), Anthropic (Claude Opus/Sonnet), Groq (Llama)
Background Jobs     Trigger.dev v4
Browser Automation  Browserbase + Stagehand + Playwright
Email               Resend + React Email
Payments            Stripe
Analytics           PostHog
Hosting             AWS ECS (Docker), Vercel-compatible

Architecture Overview

                    +-----------+
                    |  Browser  |
                    +-----+-----+
                          |
          +---------------+---------------+
          |               |               |
    +-----v-----+  +-----v-----+  +------v------+
    |  Main App |  |  Portal   |  | Trust Portal|
    | Next.js   |  | Next.js   |  | (public)    |
    | :3000     |  | :3002     |  |             |
    +-----+-----+  +-----+-----+  +------+------+
          |               |               |
          +-------+-------+-------+-------+
                  |                        
           +------v------+                
           |  NestJS API |  <-- Single source of truth
           |  :3001      |      for auth, RBAC, business logic
           +------+------+                
                  |                        
     +------------+------------+           
     |            |            |           
+----v----+ +----v----+ +-----v-----+    
|Postgres | |Trigger  | |  S3/AWS   |    
|+pgvector| |  .dev   | |  Services |    
+---------+ +---------+ +-----------+    

What Makes This Interesting

  1. Multi-model AI strategy: Uses 6+ LLM models, each chosen for specific cost/capability tradeoffs
  2. RAG for compliance: Vector embeddings of policies and knowledge base power questionnaire auto-answering
  3. AI cloud remediation: Claude Opus generates executable AWS/GCP/Azure fix commands from security findings
  4. Integration DSL: Declarative JSON-based check definitions alongside code-based checks
  5. Session-based auth only: No JWTs - cross-subdomain cookies with Better Auth
  6. Flat RBAC model: Simple resource:action permissions with 5 built-in + custom roles
  7. Full audit trail: Every mutation is automatically logged with before/after diffs
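Items 6 and 7 above describe a flat resource:action permission model and an audit trail that stores before/after diffs. The following TypeScript block is an added illustration of how such a pair of mechanisms behaves; it is not code from the Comp AI repository. The role names, the resource and action catalogue, the masking of sensitive fields, and every function name here are assumptions made for the example.

```typescript
// Added example, not Comp AI's own code: a flat resource:action permission
// check (deny by default, exact match, no role inheritance) and an audit-trail
// helper that records before/after values for changed fields only.
// Role names, resources, actions and function names are assumptions.

type Permission = string; // shape "resource:action", e.g. "policy:update"

interface Role {
  name: string;
  builtIn: boolean;
  permissions: ReadonlySet<Permission>;
}

// A permission is exactly one resource and one action; anything else is
// rejected outright rather than partially matched.
function isWellFormed(p: string): boolean {
  const parts = p.split(":");
  return parts.length === 2 && parts.every((s) => s.length > 0);
}

// Constructed catalogue of resources and actions used to build sample roles.
const RESOURCES = ["policy", "control", "evidence", "finding", "training"];
const ACTIONS = ["read", "create", "update", "delete", "acknowledge", "complete"];
const ALL_PERMISSIONS: Permission[] = RESOURCES.flatMap((r) => ACTIONS.map((a) => `${r}:${a}`));

// Roles are validated when defined, so a typo in a permission string fails at
// startup instead of silently granting nothing (or something unintended).
function makeRole(name: string, permissions: Permission[], builtIn = false): Role {
  for (const p of permissions) {
    if (!isWellFormed(p)) throw new Error(`malformed permission "${p}" in role ${name}`);
  }
  return { name, builtIn, permissions: new Set(permissions) };
}

// Sample built-in roles (illustrative; the page only says there are 5 built-in roles).
const roles = {
  admin: makeRole("admin", ALL_PERMISSIONS, true),
  auditor: makeRole("auditor", ["control:read", "evidence:read", "finding:create", "finding:read"], true),
  employee: makeRole("employee", ["policy:read", "policy:acknowledge", "training:complete"], true),
};

// A custom role carries an explicit list; nothing is inherited from a built-in role.
const policyEditor = makeRole("policy-editor", ["policy:read", "policy:create", "policy:update"]);

// Flat check: the role must hold exactly the requested resource:action pair.
function can(role: Role, required: string): boolean {
  if (!isWellFormed(required)) return false;
  return role.permissions.has(required);
}

// Audit-trail diff: one entry per field whose value changed, with before/after.
// Values under SENSITIVE_KEYS are masked so the audit log does not become a
// second copy of a secret (an added precaution for the example).
const SENSITIVE_KEYS = new Set(["apiKey", "secret", "password"]);

type FieldChange = { before: unknown; after: unknown };

function auditDiff(
  before: Record<string, unknown>,
  after: Record<string, unknown>,
): Record<string, FieldChange> {
  const changes: Record<string, FieldChange> = {};
  const keys = new Set([...Object.keys(before), ...Object.keys(after)]);
  for (const key of keys) {
    const b = before[key];
    const a = after[key];
    if (JSON.stringify(b) === JSON.stringify(a)) continue; // unchanged field
    const mask = (v: unknown) => (v === undefined ? undefined : "[redacted]");
    changes[key] = SENSITIVE_KEYS.has(key)
      ? { before: mask(b), after: mask(a) }
      : { before: b, after: a };
  }
  return changes;
}

// Usage: an auditor may create a finding but not edit a policy; a policy edit
// by the custom editor role yields an audit entry for the changed field only.
console.log("auditor finding:create ->", can(roles.auditor, "finding:create"));
console.log("auditor policy:update  ->", can(roles.auditor, "policy:update"));
if (can(policyEditor, "policy:update")) {
  console.log(auditDiff({ title: "Access Control", status: "draft" },
                        { title: "Access Control", status: "published" }));
}
```

The design choice worth noting is the exact-match check: with no wildcards and no role inheritance, the set of permissions a role holds is precisely the list written next to its name, which is what makes a flat model easy to review during an audit.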

Document Index

File                  Contents
01-architecture.md    System architecture, component interactions, data flow
02-tech-stack.md      Languages, frameworks, dependencies, and why
03-data-model.md      Database schema, key entities, relationships
04-auth-and-rbac.md   Authentication, authorization, permissions model
05-ai-and-llm.md      LLM integration, RAG, guardrails, prompt engineering
06-entry-points.md    Execution flow, key code paths, state transitions
07-design-patterns.md Patterns, tradeoffs, clever implementations
08-key-files.md       Essential files map with responsibilities