https://github.com/manziosee/auditshield
Keep your business audit-ready anywhere in the world. Manage employees, encrypted documents, payroll, and regulatory obligations in one secure multi-tenant SaaS.
https://github.com/manziosee/auditshield
angular angular-material apollo-angular apollographql celery django-rest-framework fernet-encryption jwt-authentication postgresql pymupdf redis scss strawberry-graphql tesseract typescript weasyprint
Last synced: 17 days ago
JSON representation
Keep your business audit-ready anywhere in the world. Manage employees, encrypted documents, payroll, and regulatory obligations in one secure multi-tenant SaaS.
- Host: GitHub
- URL: https://github.com/manziosee/auditshield
- Owner: manziosee
- License: mit
- Created: 2026-02-24T17:57:51.000Z (2 months ago)
- Default Branch: main
- Last Pushed: 2026-03-18T19:39:49.000Z (about 1 month ago)
- Last Synced: 2026-03-19T08:47:26.624Z (about 1 month ago)
- Topics: angular, angular-material, apollo-angular, apollographql, celery, django-rest-framework, fernet-encryption, jwt-authentication, postgresql, pymupdf, redis, scss, strawberry-graphql, tesseract, typescript, weasyprint
- Language: TypeScript
- Homepage: https://auditshield-ten.vercel.app
- Size: 592 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# π‘οΈ AuditShield
### **The Global SME Compliance Platform**
> _Keep your business audit-ready β anywhere in the world._
> Manage employees, encrypted documents, payroll, and regulatory obligations in one secure multi-tenant SaaS.
[](LICENSE)
[](https://fly.io)
---
### π§ Built With
**Backend**
**Database & Cache**
**Frontend**
**Infrastructure**
---
## What is AuditShield?
**AuditShield** is a **multi-tenant SaaS compliance platform** built for small and medium enterprises (SMEs) operating across multiple countries. It centralises everything an SME needs to stay audit-ready:
- π **Employee records** β full lifecycle management with department hierarchy
- π **Encrypted document vault** β AES-128 Fernet encryption at rest, OCR text extraction, expiry alerts
- β
**Compliance tracker** β tax, social security, and labour law obligations mapped to global authorities
- π° **Payroll engine** β country-specific tax rules, payroll runs, and payslip generation
- π **PDF report generation** β async via Celery + WeasyPrint, download when ready
- π **Multi-country** β 16+ countries, 17+ currencies, global authority mapping
- π **Immutable audit trail** β every write recorded automatically by middleware
- π **Notifications** β in-app + email with unread badge and mark-all-read
- π **Dual API** β REST (DRF + Swagger) **and** GraphQL (Strawberry + Apollo)
Every company is a **fully isolated tenant** with UUID-keyed records and scoped row-level queries. No data leaks across tenants β ever.
---
## Table of Contents
- [Features](#features)
- [Innovation Features](#innovation-features)
- [Tech Stack](#tech-stack)
- [Architecture](#architecture)
- [Quick Start (Docker)](#quick-start-docker)
- [Local Development (without Docker)](#local-development-without-docker)
- [Environment Variables](#environment-variables)
- [API Documentation](#api-documentation)
- [New API Endpoints](#new-api-endpoints)
- [Deployment β Fly.io](#deployment--flyio)
- [Deployment β Docker Compose Production](#deployment--docker-compose-production)
- [User Roles](#user-roles)
- [Project Structure](#project-structure)
- [Makefile Commands](#makefile-commands)
- [License](#license)
---
## Features
### Core Platform
| π·οΈ Area | β¨ Capabilities |
|---------|----------------|
| π’ **Multi-tenancy** | Each company is a fully isolated tenant β UUID PKs, cascading row-level scoping |
| π₯ **Employees** | Full CRUD, department management, bulk Excel/CSV import, one-click export, risk scoring |
| π **Documents** | Fernet AES-128 encryption at rest, OCR extraction, version control, expiry tracking & email alerts |
| π€ **AI Extraction** | OCR auto-extracts employee name, salary, start/end dates from uploaded contracts |
| β
**Compliance** | Tax, social security & labour law tracker; authority dashboards; full CRUD; bulk updates |
| π§ **Health Pulse** | Rolling 6-month compliance trend + 30-day AI risk prediction |
| π **Gap Analysis** | Auto-detects missing requirements vs your country + industry |
| π
**Deadline Calendar** | Monthly calendar view of all compliance deadlines with iCal export |
| π€ **Self-Service Portal** | Employees see only their own payslips, documents, and compliance status |
| π **Reports** | Async PDF generation (WeasyPrint + Celery); scheduled delivery via email |
| π° **Payroll** | Country-specific tax rule engine, payroll runs, payslip generation, variance alerts |
| π **Geography** | 16+ countries, 17+ currencies, live exchange rate support |
| π **Auth** | JWT rotate-on-refresh, Argon2 hashing, brute-force lockout (django-axes) |
| π **Audit Trail** | Immutable middleware log of every POST/PUT/PATCH/DELETE; CSV/PDF export |
| π **Notifications** | In-app + email alerts, unread badge, mark-all-read |
| ποΈ **Portfolio** | Super-admin sees all tenant companies with live compliance scores |
| π **Webhooks** | Outbound HMAC-signed webhooks for all platform events |
| π **GraphQL** | Strawberry endpoint β Apollo-compatible at `/graphql/` |
| π **REST API** | Full DRF REST API with OpenAPI/Swagger docs at `/api/docs/` |
### New Features (v2)
| π·οΈ Area | β¨ Capabilities |
|---------|----------------|
| βοΈ **E-Signatures** | Request legally-binding document signatures from employees; track signing status per signer |
| π **Onboarding** | Configurable onboarding checklists with task types (document, form, training, sign); progress tracking |
| π **Training & Certifications** | Track employee certifications with validity periods, expiry alerts, and compliance reports |
| π **Policy Management** | Version-controlled policies with mandatory employee acknowledgment tracking and audit trail |
| π¨ **Incident Log** | Report and investigate compliance violations, data breaches, and safety incidents; update trail |
| β
**Approval Workflows** | Configurable multi-step approval chains for documents, expenses, leave; full audit trail |
| π **Vendor Compliance** | Vendor registry with compliance scores, insurance tracking, contract expiry monitoring |
| π **Custom Forms** | Drag-and-drop form builder; collect employee and vendor data with structured field types |
| π€ **Partner / White-Label** | Partner portal with custom branding, sub-company management, revenue dashboards |
| π **Integration Hub** | Connect QuickBooks, Xero, BambooHR, Slack, Google Workspace via OAuth; sync status & logs |
| π **Employee Risk Scores** | Composite risk scoring per employee based on document status, training gaps, compliance history |
| π
**Scheduled Reports** | Schedule PDF reports for automatic email delivery (daily/weekly/monthly) |
| π **Audit Prep Assistant** | Step-by-step audit readiness checklist with live progress score per regulatory framework |
| π± **Mobile PWA** | Progressive Web App β installable on iOS/Android, offline capability, responsive design |
---
## Innovation Features
### π§ Compliance Health Pulse
`GET /api/v1/compliance/health-pulse/`
Returns rolling 6-month history + linear regression prediction:
```json
{
"current_score": 78,
"trend": "improving",
"predicted_30d": 83,
"risk_level": "moderate",
"days_to_threshold": null,
"history": [
{"month": "2025-10", "score": 65},
{"month": "2025-11", "score": 70},
{"month": "2025-12", "score": 72},
{"month": "2026-01", "score": 74},
{"month": "2026-02", "score": 76},
{"month": "2026-03", "score": 78}
]
}
```
### π Compliance Gap Analysis
`GET /api/v1/compliance/gap-analysis/`
Compares your company's tracked requirements against the global requirement library for your country + industry. Returns prioritised list of missing requirements:
```json
{
"total_gaps": 4,
"coverage_percent": 76,
"gaps": [
{
"requirement_id": "...",
"title": "Annual Tax Return Filing",
"authority": "IRS",
"priority": "high",
"is_mandatory": true,
"frequency": "annually"
}
]
}
```
### β οΈ Payroll Variance Check
`POST /api/v1/payroll/runs/{id}/variance-check/`
Compares current run against the previous completed run. Flags salary spikes >15%, missing employees, and new additions.
### π€ Audit Trail Export
`GET /api/v1/audit-logs/export/?format=csv&date_from=2026-01-01&date_to=2026-03-31`
Downloads the audit trail as CSV (or JSON) for external auditors. Supports date range, method, and status filters.
### ποΈ Portfolio Dashboard
`GET /api/v1/companies/portfolio/` _(super_admin only)_
Returns all tenant companies with live compliance scores, employee counts, and last activity β for accounting firms managing multiple clients.
### π Webhooks
`/api/v1/webhooks/` β Full CRUD for webhook endpoints.
Configure outbound HTTP webhooks for platform events:
- `employee.created` / `employee.updated`
- `payroll.run.completed`
- `document.expired` / `document.expiring_soon`
- `compliance.overdue`
All deliveries are HMAC-SHA256 signed with `X-AuditShield-Signature` header. Automatic retry on failure.
---
## Tech Stack
### π Backend
| Technology | Version | Purpose |
|-----------|:-------:|---------|
|  **Python** | 3.12 | Runtime |
|  **Django** | 5.0 | Web framework |
|  **Django REST Framework** | 3.15 | REST API |
|  **Strawberry GraphQL** | 0.236 | GraphQL (Apollo-compatible) |
|  **PostgreSQL** | 16 | Primary database (Docker / self-hosted) |
|  **SQLite** | 3 | Lightweight DB (Fly.io / CI) |
|  **Redis** | 7 | Celery message broker + cache |
|  **Celery** + Beat | 5.3 | Async task queue + scheduler |
| **Gunicorn** gthread | β | Production WSGI server |
| **drf-spectacular** | 0.27 | Auto OpenAPI / Swagger docs |
| **WeasyPrint** | 61 | PDF report generation |
| **pytesseract** | 0.3 | OCR text extraction from documents |
| **cryptography** (Fernet) | 42 | AES-128 file encryption at rest |
| **django-axes** | 6.4 | Brute-force login protection |
| **Argon2** | β | Strongest password hashing |
### π
°οΈ Frontend
| Technology | Version | Purpose |
|-----------|:-------:|---------|
|  **Angular** | 18 | SPA framework β standalone components + signals |
|  **TypeScript** | 5 | Strict type-safe development |
|  **Angular Material** | 18 | UI component library |
|  **Apollo Angular** | 7 | GraphQL client |
| **RxJS** | 7 | Reactive streams & observables |
### ποΈ Infrastructure
| Technology | Purpose |
|-----------|---------|
|  **Docker Compose** | Dev (7 services) + Production stacks |
|  **Nginx** | Reverse proxy, SSL termination, static serving |
|  **Fly.io** | Backend cloud deployment with persistent volume |
|  **GitHub Actions** | CI/CD β lint, test, coverage, auto-deploy |
---
## Architecture
```
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β User's Browser β
β Angular 18 SPA (TypeScript + Signals) β
ββββββββββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββββββ
β HTTPS
ββββββββββββββΌβββββββββββββ
β Nginx :80/:443 β
β /api/v1/* β Django β
β /graphql/ β Django β
β /* β Angular β
ββββββββββββββ¬βββββββββββββ
β
ββββββββββββββββββββΌβββββββββββββββββββββββββ
β Django 5 + DRF + Strawberry GQL β
β ββββββββββββββββββββββββββββββββββββββ β
β β JWT Auth β Tenant β AuditLog β β
β β middlewareβ scoping β middleware β β
β ββββββββββββββββββββββββββββββββββββββ β
β REST API ββββ GraphQL API β
ββββββββββββ¬ββββββββββββββββββββββββββββββββ
β
ββββββββββββββ΄ββββββββββββββ
β β
βββββββββΌβββββββββ βββββββββββΌββββββββ
β PostgreSQL 16 β β Redis 7 β
β (app data) β β broker + cache β
ββββββββββββββββββ βββββββββββ¬ββββββββ
β
ββββββββββββββββΌββββββββββββββ
β Celery Workers + Beat β
β π OCR Β· π PDF reports β
β π§ Emails Β· πΎ Backups β
β π Reminders Β· π§Ή Cleanup β
ββββββββββββββββββββββββββββββ
```
---
## Quick Start (Docker)
> **Prerequisites**: Docker Desktop β₯ 24 with the Compose v2 plugin
```bash
# 1. Clone
git clone https://github.com/manziosee/auditshield.git
cd auditshield
# 2. Environment file
cp .env.example .env
# 3. Generate required secret keys
make gen-secret # β paste as DJANGO_SECRET_KEY in .env
make gen-fernet # β paste as FILE_ENCRYPTION_KEY in .env
# Also set DATABASE_URL in .env:
# DATABASE_URL=postgresql://auditshield:auditshield@db:5432/auditshield
# 4. Start the full stack (PostgreSQL + Redis + Django + Celery + Angular + Nginx)
make dev
# 5. Create your admin user
make createsuperuser
# 6. (Optional) Seed realistic demo data across all 18 modules
docker compose exec backend python manage.py seed_demo_data
# Login: admin@technova.com / Demo@12345
# 7. Open the app π
```
| Service | URL |
|---------|-----|
| π **Frontend** | http://localhost:4200 |
| π **API** | http://localhost:8000/api/v1/ |
| π **Swagger UI** | http://localhost:8000/api/docs/ |
| π **GraphiQL** | http://localhost:8000/graphql/ |
| πΈ **Flower (Celery)** | http://localhost:5555 |
### Demo Credentials
After running `seed_demo_data`:
| Role | Email | Password |
|------|-------|----------|
| Admin | admin@technova.com | Demo@12345 |
| HR | hr@technova.com | Demo@12345 |
| Accountant | accountant@technova.com | Demo@12345 |
| Auditor | auditor@technova.com | Demo@12345 |
| Employee | emp1@technova.com | Demo@12345 |
---
## Local Development (without Docker)
### Backend
```bash
cd backend
python3 -m venv .venv && source .venv/bin/activate
pip install -r requirements/development.txt
# In .env: set TURSO_DATABASE_URL=file:db.sqlite3 (remove DATABASE_URL line)
python manage.py migrate
python manage.py seed_global_data # loads countries, currencies, authorities
python manage.py createsuperuser
python manage.py runserver # β http://localhost:8000
```
### Frontend
```bash
cd frontend
npm install
npm start # β http://localhost:4200
```
### Celery (optional β needed for PDF gen, OCR, email)
```bash
cd backend
celery -A auditshield worker --loglevel=info -Q default,documents,reports,notifications
celery -A auditshield beat --loglevel=info --scheduler django_celery_beat.schedulers:DatabaseScheduler
```
---
## Environment Variables
| Variable | Required | Description |
|----------|:--------:|-------------|
| `DJANGO_SECRET_KEY` | β
| Django secret key (50+ chars) |
| `FILE_ENCRYPTION_KEY` | β
| Fernet key β document encryption at rest |
| `DATABASE_URL` | π³ Docker | PostgreSQL `postgresql://user:pass@host/db` |
| `TURSO_DATABASE_URL` | βοΈ Fly.io/CI | SQLite `file:db.sqlite3` |
| `REDIS_URL` | β
| `redis://:password@host:6379/0` |
| `CELERY_BROKER_URL` | β
| Celery broker (Redis) |
| `DJANGO_ALLOWED_HOSTS` | π Prod | Comma-separated hostnames |
| `CORS_ALLOWED_ORIGINS` | π Prod | Comma-separated frontend origins |
| `EMAIL_HOST_USER` | optional | SMTP username |
| `EMAIL_HOST_PASSWORD` | optional | SMTP app password |
| `SENTRY_DSN` | optional | Sentry error tracking |
| `DB_NAME / DB_USER / DB_PASSWORD` | π³ Docker | PostgreSQL credentials |
---
## API Documentation
> All endpoints require `Authorization: Bearer ` except `/health/`, `/auth/register/`, `/auth/login/`.
### Login
```http
POST /api/v1/auth/login/
Content-Type: application/json
{ "email": "admin@company.com", "password": "yourpassword" }
```
### Key Endpoints
| Method | Endpoint | Description |
|--------|----------|-------------|
| `GET` | `/health/` | Health check β no auth |
| `POST` | `/api/v1/auth/register/` | Register company + admin |
| `POST` | `/api/v1/auth/login/` | Obtain JWT tokens |
| `GET/PATCH` | `/api/v1/companies/me/` | Company profile |
| `GET` | `/api/v1/companies/export/` | Export all company data |
| `GET/POST` | `/api/v1/employees/` | List / create employees |
| `GET/PATCH/DELETE` | `/api/v1/employees/{id}/` | Employee detail |
| `POST` | `/api/v1/employees/bulk-import/` | Import from Excel/CSV |
| `GET/POST` | `/api/v1/employees/departments/` | List / create departments |
| `GET/POST` | `/api/v1/documents/` | List / upload documents |
| `GET` | `/api/v1/documents/{id}/download/` | Download decrypted file |
| `DELETE` | `/api/v1/documents/{id}/` | Delete document |
| `GET` | `/api/v1/compliance/dashboard/` | Compliance score + stats |
| `GET/POST` | `/api/v1/compliance/records/` | List / create records |
| `PATCH/DELETE` | `/api/v1/compliance/records/{id}/` | Update / delete record |
| `GET` | `/api/v1/reports/` | List reports |
| `POST` | `/api/v1/reports/` | Generate report (async) |
| `POST` | `/api/v1/notifications/mark-all-read/` | Mark all read |
| `GET` | `/api/v1/notifications/unread-count/` | Unread count |
| `GET` | `/api/v1/audit-logs/` | Audit trail |
| `GET` | `/api/v1/geo/countries/` | Countries list |
| `GET` | `/api/v1/geo/currencies/` | Currencies list |
> π¦ **Postman collection** β [`postman_collection.json`](postman_collection.json)
>
> π **Swagger** β `/api/docs/` Β· **ReDoc** β `/api/redoc/` Β· **GraphiQL** β `/graphql/`
---
## Deployment β Fly.io
```bash
# Install CLI
curl -L https://fly.io/install.sh | sh && flyctl auth login
# Create persistent SQLite volume
flyctl volumes create auditshield_data --region jnb --size 3 --config backend/fly.toml
# Set secrets
flyctl secrets set \
DJANGO_SECRET_KEY="" \
FILE_ENCRYPTION_KEY="" \
DJANGO_ALLOWED_HOSTS="auditshield-backend.fly.dev" \
CORS_ALLOWED_ORIGINS="https://your-frontend.fly.dev" \
--config backend/fly.toml
# Deploy
flyctl deploy --config backend/fly.toml
```
**Auto-deploy on push to `main`**: Add `FLY_API_TOKEN` to GitHub repo secrets β (**Settings β Secrets β Actions**).
### Live Production URLs
| | URL |
|---|---|
| π **API Base** | https://auditshield-backend.fly.dev/api/v1/ |
| π **Swagger UI** | https://auditshield-backend.fly.dev/api/docs/ |
| π **ReDoc** | https://auditshield-backend.fly.dev/api/redoc/ |
| π **GraphiQL** | https://auditshield-backend.fly.dev/graphql/ |
| β€οΈ **Health check** | https://auditshield-backend.fly.dev/health/ |
---
## Deployment β Docker Compose Production
```bash
git clone https://github.com/manziosee/auditshield.git && cd auditshield
cp .env.example .env # fill in production values
docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
docker compose exec backend python manage.py createsuperuser
```
Place SSL certs in `nginx/ssl/` and configure your domain in `nginx/nginx.prod.conf`.
---
## User Roles
| Role | Access |
|------|--------|
| π `super_admin` | Full platform access |
| π§ `admin` | Company admin β full access to own tenant |
| π©βπΌ `hr` | Employees, documents, compliance |
| π§Ύ `accountant` | Payroll, financial reports |
| π `auditor` | Read-only + audit logs |
| π€ `employee` | Own profile and documents only |
---
## Project Structure
```
auditshield/
βββ π backend/
β βββ auditshield/settings/ # base / development / production
β βββ apps/
β β βββ accounts/ # User + JWT auth
β β βββ companies/ # Company (tenant) + onboarding
β β βββ employees/ # Employee + Department
β β βββ documents/ # Encrypted upload + OCR
β β βββ compliance/ # Authority + Requirements + Records
β β βββ reports/ # PDF generation (WeasyPrint)
β β βββ notifications/ # In-app + email alerts
β β βββ audit_logs/ # Immutable activity trail
β β βββ geography/ # Country + Currency + ExchangeRate
β β βββ payroll/ # TaxRule + PayrollRun + Payslip
β βββ core/ # Shared: TenantModel, middleware, utils
β βββ Dockerfile.dev / Dockerfile.prod
β βββ entrypoint.sh # Fly.io startup script
β βββ fly.toml # Fly.io deployment config
β
βββ π
°οΈ frontend/src/app/
β βββ core/ # Guards, interceptors, services, models
β βββ features/
β β βββ auth/ # Login + Register pages
β β βββ dashboard/ # KPI cards + live charts
β β βββ employees/ # List, Detail, Form (CRUD)
β β βββ documents/ # List, Upload, Detail (CRUD)
β β βββ compliance/ # Tracker + Add/Edit/Delete
β β βββ reports/ # List + Generate
β β βββ notifications/ # Notification centre
β β βββ audit-logs/ # Audit log viewer
β β βββ company/ # Company settings
β βββ shared/layout/ # Shell β sidebar + topbar
β
βββ π nginx/ # nginx.dev.conf / nginx.prod.conf
βββ πΎ scripts/backup/ # GPG-encrypted backup + restore
βββ βοΈ .github/workflows/ # CI/CD pipelines
βββ π³ docker-compose.yml # Dev stack
βββ π³ docker-compose.prod.yml # Production overrides
βββ π¦ postman_collection.json # Full Postman API collection
βββ π§ Makefile
βββ π .env.example
```
---
## Makefile Commands
```bash
make dev # Start dev stack (docker compose up --build)
make stop # Stop all services
make logs # Tail all service logs
make migrate # Run database migrations
make makemigrations # Create new migrations
make shell # Django shell_plus
make createsuperuser # Create admin user
make seed # Seed global countries, currencies, authorities
make test # Run Django test suite
make lint # Ruff linter
make coverage # Tests with coverage report
make deploy # Deploy backend to Fly.io
make build-prod # Build production Docker images
make backup # GPG-encrypted DB + media backup
make gen-secret # Generate DJANGO_SECRET_KEY
make gen-fernet # Generate FILE_ENCRYPTION_KEY
```
---
**MIT License** β Copyright Β© 2026 [Osee Manzi](mailto:oseemanzi3@gmail.com)
_Built with β€οΈ to make compliance accessible for every SME, everywhere._