https://github.com/nborwankar/tandc
Terms & Conditions risk analyzer — CLI + local web UI for surfacing user-relevant risks in T&Cs via the Anthropic Claude API
- Host: GitHub
- URL: https://github.com/nborwankar/tandc
- Owner: nborwankar
- License: mit
- Created: 2026-05-22T05:52:54.000Z (about 1 month ago)
- Default Branch: main
- Last Pushed: 2026-05-22T14:17:16.000Z (about 1 month ago)
- Last Synced: 2026-05-22T14:49:01.123Z (about 1 month ago)
- Topics: anthropic, claude, claude-api, consumer-protection, fastapi, llm-application, privacy-policy, python, risk-analysis, terms-of-service, text-analysis, typer
- Language: Python
- Size: 542 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# tandc — Terms & Conditions risk analyzer
Surfaces what's risky for users in a website or software T&C /
privacy policy: personal-data use, missing PII protections,
unilateral changes, arbitration / class-action waivers, and more.
## Status
Stage 1 v1 (CLI) and v2 (local web UI) shipped 2026-05-21 on
`main`. See [PLAN.md](PLAN.md) for the roadmap, [DONE.md](DONE.md)
for the ship log, and [docs/superpowers/specs/](docs/superpowers/specs/)
for the design history.
## How it works
A small pure-library core (`tandc.core`) does the analysis pipeline. Two front-ends share it: a `typer` CLI and a FastAPI local web UI. The web UI exposes a single `POST /analyze` JSON endpoint that a future Stage 2 Chrome extension will also call — same backend, different UX layer.
```
┌─ CLI ──────────────────┐    ┌─ Web UI ──────────────────────────────┐
│ tandc analyze          │    │ browser tab @ 127.0.0.1:8765          │
│ tandc analyze file.pdf │    │ form: URL / paste / file (HTML/PDF)   │
└──────────┬─────────────┘    └─────────────────┬─────────────────────┘
           │                                    │ fetch()
           │                                    ▼ POST /analyze
           │                  ┌─────────────────────────────────────┐
           │                  │ FastAPI (tandc.web.app)             │
           │                  │ POST /analyze  (api.py)             │
           │                  │ GET  /         (static HTML/JS/CSS) │
           │                  │ GET  /docs     (OpenAPI auto)       │
           │                  └─────────────────┬───────────────────┘
           ▼                                    ▼
┌────────────────────────────────────────────────────────────────────────────┐
│ tandc.core.analyze() / analyze_prepared()                                  │
│                                                                            │
│ loader      → cache       → Claude (Sonnet/Opus) → schema    → render      │
│ (URL+httpx,   (SHA-256      (system-prompt         (Pydantic   (rich for   │
│  PDF,          content-      caching,               v2,         CLI;       │
│  paste)        hash file     2-retry on             Core 4 +    Markdown + │
│                cache at      malformed)             Flag 4)     JSON for   │
│                ~/.tandc/)                                       files)     │
└────────────────────────────────────────────────────────────────────────────┘
                                      │
                                      ▼
                          ./reports/-/{input.txt,
                                       fetch_meta.json,
                                       report.json,
                                       report.md}
```
Reports follow a fixed taxonomy: **4 Core findings** (personal data, PII protection, continuity, liability/dispute) each with severity + verbatim evidence quotes, plus **4 Flags** (content licensing, account access, payment/subscription, jurisdictional) with presence + note.
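The taxonomy promises verbatim evidence quotes, which is a property a reader can check rather than trust. The following added example (not tandc's code) flags any quote in a report that does not occur in the saved input text; the `core` and `evidence` field names and the sample data are assumptions, since the README does not show `report.json`.

```python
import re
import unicodedata

# Field names ("core", "evidence") are assumed; the README does not show report.json.
_QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})

def _norm(s: str) -> str:
    """Fold Unicode forms, curly quotes, whitespace runs and case."""
    s = unicodedata.normalize("NFKC", s).translate(_QUOTES)
    return re.sub(r"\s+", " ", s).strip().casefold()

def unverified_quotes(report: dict, source_text: str) -> list[tuple[str, str]]:
    """Return (finding, quote) pairs whose quote does not occur in the source."""
    haystack = _norm(source_text)
    missing = []
    for name, finding in report.get("core", {}).items():
        for quote in finding.get("evidence", []):
            needle = _norm(quote)
            if not needle or needle not in haystack:  # empty quotes count as unverified
                missing.append((name, quote))
    return missing

# Constructed sample input and report (not output from tandc).
SAMPLE_TEXT = """We may share your personal information with
advertising partners. You agree to resolve disputes through
binding arbitration and waive any right to a class action."""

SAMPLE_REPORT = {"core": {
    "personal_data": {"severity": "high", "evidence": [
        "We may share your personal information with advertising partners."]},
    "liability_dispute": {"severity": "high", "evidence": [
        "binding arbitration and waive any right to a class action",
        "You waive your right to a jury trial."]},  # not in SAMPLE_TEXT
}}

if __name__ == "__main__":
    for name, quote in unverified_quotes(SAMPLE_REPORT, SAMPLE_TEXT):
        print(f"UNVERIFIED [{name}]: {quote!r}")
```

A quote that fails this check is either paraphrased or invented by the model, so the finding it supports should be re-read against the source before it is relied on.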
## Setup
You need: git, Python 3.11+, a virtual-env manager (conda or venv — both shown below), and an Anthropic API key from .
```bash
# 1. Clone
git clone https://github.com/nborwankar/tandc.git
cd tandc
# 2. Create a virtual environment — pick ONE of the two:
# (a) conda (recommended if you have it)
conda create -n tandc python=3.11 -y
conda activate tandc
# (b) venv (stdlib, no extra install needed)
python3.11 -m venv .venv
source .venv/bin/activate # Windows: .venv\Scripts\activate
# 3. Install the package
# Users (just want to run the tool):
pip install -e .
# Contributors (also need pytest, ruff, etc.):
pip install -e ".[dev]"
# 4. Set your API key (and add this line to ~/.zshrc or your shell rc file)
export ANTHROPIC_API_KEY=sk-ant-... # get one at https://console.anthropic.com/settings/keys
# 5. Verify
tandc --help
```
tandc reads `ANTHROPIC_API_KEY` from the process environment — it does **not** load `.env` files automatically. If you keep secrets in `~/.env` or a per-project `.env`, source it before invoking (e.g. add `set -a; source ~/.env; set +a` to your shell rc, or to a wrapper script).
## Usage — CLI (v1)
```bash
tandc analyze https://docs.github.com/en/site-policy/github-terms/github-terms-of-service
cat policy.txt | tandc analyze -
tandc analyze https://slack.com/terms-of-service/user --opus
tandc cache list
```
Reports are written under `./reports/-/`.
Three more T&C URLs known to fetch and analyze cleanly, if you want to try the tool against different services:
- Dropbox —
- Discord —
- Wikimedia Foundation —
(Some sites — notably OpenAI's policy pages — return HTTP 403 to automated fetches and won't work directly; paste the text via stdin instead.)
## Usage — local web UI (v2)
The recommended way to start the server is the launcher script — it
sets up the conda PATH, checks the API key, and execs `tandc serve`:
```bash
./scripts/serve.sh # 127.0.0.1:8765 (default)
./scripts/serve.sh --port 9000
./scripts/serve.sh --host 0.0.0.0 # LAN-accessible (opt-in)
./scripts/serve.sh --reload --debug # dev mode
```
Then open `http://127.0.0.1:8765/` in any browser. Submit a URL,
pasted text, or upload an HTML / TXT / PDF file; the rendered
report appears inline. FastAPI-generated API docs live at
`/docs`.
Exit codes (these match the CLI):
| Code | Meaning |
|------|---------|
| 0 | clean shutdown |
| 4 | `ANTHROPIC_API_KEY` not set |
| 5 | port already in use |
### Hitting the API directly
```bash
curl -X POST http://127.0.0.1:8765/analyze \
-H 'Content-Type: application/json' \
-d '{"url":"https://example.com/terms","use_cache":true}'
curl -X POST http://127.0.0.1:8765/analyze \
-H 'Content-Type: application/json' \
-d '{"text":"...policy body...","source_url":"https://..."}'
curl -X POST http://127.0.0.1:8765/analyze \
-F "file=@policy.pdf;type=application/pdf"
```
Web mode writes the same `./reports/-/` bundle the CLI
does. The response JSON includes `report_dir` (absolute path) and
`cache_hit` (bool).
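With `--host 0.0.0.0`, every host on the LAN can submit a `url` for the server to fetch on its behalf. The following added example (not tandc's code; this page does not say what checks the loader applies) shows a destination check for such a field: it allows only `http`/`https` and rejects names that map to non-public addresses. The function name, the injectable `resolve` parameter and the sample inputs are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def _resolve(host: str) -> list[str]:
    """Default resolver: every address the name currently maps to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def check_fetch_target(url: str, resolve=_resolve) -> tuple[bool, str]:
    """Decide whether a user-supplied URL may be fetched server-side."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP, no lookup needed
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError as exc:
            return False, f"cannot resolve {host}: {exc}"
    if not addrs:
        return False, f"{host} has no addresses"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:  # loopback, RFC 1918, link-local, etc.
            return False, f"{host} maps to non-public address {ip}"
    return True, "ok"

if __name__ == "__main__":
    # Constructed inputs; the lambda stands in for DNS so this runs offline.
    fake_dns = lambda h: {"example.com": ["93.184.216.34"]}.get(h, ["10.0.0.5"])
    for u in ("https://example.com/terms", "http://127.0.0.1:8765/docs",
              "https://wiki.corp.example/tos", "file:///etc/hosts"):
        print(u, "->", check_fetch_target(u, fake_dns))
```

The check only holds if the HTTP client then connects to the address that was vetted and repeats the check on every redirect hop.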