ALEX is a privacy-focused SaaS application for detecting sensitive information in files and datasets, applying redactions, and operating privacy workflows with auditability.
The project combines:
- a FastAPI backend for authentication, scanning, reporting, audit logging, and internal governance APIs
- a React frontend for customer-facing product workflows and the internal Compliance Workspace
- a growing internal control layer for security, governance, retention, incident handling, testing visibility, and release review
- Backend: FastAPI, SQLAlchemy, WebAuthn-based authentication, structured security/audit logging
- Frontend: React, React Router, Tailwind-style utility classes
- Database: SQLAlchemy-backed, configured via `DATABASE_URL` with a local SQLite fallback for development
- Auth model: passkeys/WebAuthn plus bearer access tokens and refresh cookies
- Internal operations: route-backed Compliance Workspace for employees, policies, vendors, incidents, risks, access reviews, training, testing, audit logs, and code review
```text
main.py         FastAPI application entrypoint
routers/        API route modules
services/       business logic, security, compliance, reporting
database/       database setup and SQLAlchemy models
dependencies/   FastAPI dependency guards
utils/          shared helpers and feature gating
frontend/       React application
tests/          backend test coverage
models/         ML/training-related code and local model asset location
uploads/        local upload storage in development
redacted/       generated redacted outputs in development
logs/           runtime logs in development
```
- WebAuthn authentication and token-based session flow
- File upload, scanning, redaction, and downloadable reports
- Tenant-aware access controls and plan-aware limits
- Immutable-style audit logging and security alerts
- Scan retention and archive lifecycle controls
- Admin reporting and security dashboard APIs
- Internal Compliance Workspace with route-backed modules
- Pre-production Code Review workflow for release/change review
- Public product pages including Trust, Pricing, About, Careers, and Privacy
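The "immutable-style audit logging" item above is the kind of control that is easy to claim and hard to verify. The block below is an added example, not ALEX's implementation: it shows one way to make an append-only audit trail tamper-evident by hash-chaining records and authenticating each one with an HMAC, then verifies an intact chain against edited, deleted and forged records. The record fields, the genesis anchor and the in-memory storage are assumptions chosen for the example.

```python
"""Hash-chained, HMAC-authenticated audit log (added example, not ALEX's code).

Each record embeds the SHA-256 of the previous record and is authenticated
with an HMAC over that digest, so anyone with write access to the stored log
cannot edit, drop, insert or reorder records without breaking the chain.
GENESIS, the record fields and the in-memory storage are assumptions.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # assumed anchor hash for the first record


def _canonical(record: Dict) -> bytes:
    # Fixed key order and separators so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only in-memory log; a deployment would persist entries and keep the key in a secret store."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._entries: List[Dict] = []

    def append(self, actor: str, action: str, tenant_id: str, **details) -> Dict:
        prev_hash = self._entries[-1]["hash"] if self._entries else GENESIS
        body = {
            "seq": len(self._entries),
            "actor": actor,
            "action": action,
            "tenant_id": tenant_id,
            "details": details,
            "prev_hash": prev_hash,
        }
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        mac = hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()
        entry = {**body, "hash": digest, "mac": mac}
        self._entries.append(entry)
        return entry

    def entries(self) -> List[Dict]:
        # Return copies so callers cannot mutate the log's own records.
        return [dict(e) for e in self._entries]


def verify_chain(entries: List[Dict], key: bytes) -> Tuple[bool, Optional[int]]:
    """Recompute every link; return (True, None) or (False, index of the first bad record)."""
    prev_hash = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k not in ("hash", "mac")}
        # A deleted or reordered record shows up as a sequence gap or a broken back-link.
        if body.get("seq") != i or body.get("prev_hash") != prev_hash:
            return False, i
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        if not hmac.compare_digest(digest, str(entry.get("hash", ""))):
            return False, i  # record content was edited after the fact
        expected_mac = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_mac, str(entry.get("mac", ""))):
            return False, i  # record was written without the log key
        prev_hash = digest
    return True, None


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Constructed sample events: an intact chain plus edited, deleted and forged variants."""
    key = b"constructed-demo-key-do-not-reuse"
    log = AuditLog(key)
    log.append("alice", "scan.create", "tenant-a", file="contract.pdf")
    log.append("alice", "scan.redact", "tenant-a", scan_id=1)
    log.append("bob", "admin.export", "tenant-a", report="security-dashboard")

    edited = log.entries()
    edited[1]["actor"] = "mallory"  # rewrite who performed the action

    deleted = log.entries()
    del deleted[1]  # drop an inconvenient record

    # Forge a well-formed record with the right back-link but without the log key.
    forged = log.entries()
    fake_body = {"seq": 3, "actor": "bob", "action": "admin.delete", "tenant_id": "tenant-a",
                 "details": {}, "prev_hash": forged[-1]["hash"]}
    fake_digest = hashlib.sha256(_canonical(fake_body)).hexdigest()
    fake_mac = hmac.new(b"wrong-key", fake_digest.encode(), hashlib.sha256).hexdigest()
    forged.append({**fake_body, "hash": fake_digest, "mac": fake_mac})

    return {
        "intact": verify_chain(log.entries(), key),
        "edited": verify_chain(edited, key),
        "deleted": verify_chain(deleted, key),
        "forged": verify_chain(forged, key),
    }
```

The chain alone only proves internal consistency; the HMAC ties it to a key the application holds and the database operator does not, and periodically exporting the latest `hash` to write-once storage is what turns "immutable-style" into something an auditor can check.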
ALEX currently expects these runtime assets:
- `DejaVuSans.ttf`
  - versioned in the repository
  - required for report generation/startup validation
- `models/xgboost_model.pkl`
  - required for scan startup/runtime
  - not committed to the repository
  - must be generated or supplied locally before full scan functionality will work
Legacy/generated font cache pickles and archived model pickles are intentionally not tracked.
```bash
python -m venv venv
venv\Scripts\activate
```
The backend now ships with a pinned root dependency manifest for reproducible installs:
```bash
pip install -r requirements.txt
```
This manifest pins the FastAPI/auth stack, migration tooling, scan pipeline/ML dependencies, Presidio redaction dependencies, report-generation packages, and the libSQL smoke-test client used by the repository utilities.
```bash
cd frontend
npm install
cd ..
```
Create a local `.env` file in the repository root.
Important variables include:
- `SECRET_KEY`
- `ENV`
- `DATABASE_URL`
- `ORIGIN`
- `RP_ID`
- `RP_NAME`
- `CORS_ORIGINS`
- `ACCESS_TOKEN_EXPIRE_MINUTES`
- `REFRESH_TOKEN_EXPIRE_MINUTES`
- `CHALLENGE_TTL_MINUTES`
For local development, `ORIGIN` and `RP_ID` must match the host your frontend is served from; WebAuthn ties the RP ID to the page origin, so a mismatch makes passkey registration and login fail in the browser. If `ENV=production`, startup validation enforces HTTPS; the only exception is explicit localhost development usage.
Before full startup:
- keep `DejaVuSans.ttf` in the repository root
- place or generate `models/xgboost_model.pkl`
Apply the versioned schema before starting the backend:
```bash
alembic upgrade head
```
If startup reports a schema version mismatch, migrate the database before retrying.
Either of these reflects the current app entrypoint:
```bash
python main.py
```
or
```bash
uvicorn main:app --reload
```
The backend runs on http://127.0.0.1:8000 by default.
```bash
cd frontend
npm start
```
The frontend is configured to proxy API calls to http://127.0.0.1:8000.
On startup, ALEX validates:
- environment configuration
- database connectivity
- current migration/schema revision
- required schema state
- writable runtime directories (`uploads`, `redacted`, `logs`)
- required report/font assets
- PDF report dependency availability
This is intentional: startup should fail fast when the runtime is incomplete or the database has not been migrated.
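Environment configuration is the first item in that checklist, and it is where the `.env` variables listed earlier get checked. The block below is an added example of that fail-fast step, not ALEX's own startup code: it takes the README's variables from a plain mapping and returns every problem it finds, so a deployment with a short `SECRET_KEY`, a plain-HTTP `ORIGIN` in production, an `RP_ID` that does not match the origin host, or a wildcard `CORS_ORIGINS` refuses to start. The minimum secret length, the lifetime ceilings and the exact scope of the localhost exemption are assumptions chosen for the example.

```python
"""Fail-fast validation of ALEX-style .env settings (added example, not the project's code).

Returns a list of human-readable problems; an empty list means the settings
pass. MIN_SECRET_BYTES, LOCAL_HOSTS and LIFETIME_CEILINGS are assumptions.
"""
from typing import Dict, List
from urllib.parse import urlsplit

MIN_SECRET_BYTES = 32                     # assumed floor for a signing secret
LOCAL_HOSTS = {"localhost", "127.0.0.1"}  # assumed scope of the localhost exemption
LIFETIME_CEILINGS = {                     # assumed upper bounds, in minutes
    "ACCESS_TOKEN_EXPIRE_MINUTES": 60,
    "REFRESH_TOKEN_EXPIRE_MINUTES": 60 * 24 * 30,
    "CHALLENGE_TTL_MINUTES": 10,
}


def _is_absolute_http_url(url: str) -> bool:
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def rp_id_matches_origin(rp_id: str, origin_host: str) -> bool:
    # WebAuthn requires the RP ID to equal the origin's host or be a parent domain
    # of it (RP_ID=example.com is valid for https://app.example.com).
    return origin_host == rp_id or origin_host.endswith("." + rp_id)


def validate_settings(env: Dict[str, str]) -> List[str]:
    errors: List[str] = []

    if len(env.get("SECRET_KEY", "").encode()) < MIN_SECRET_BYTES:
        errors.append(f"SECRET_KEY must be at least {MIN_SECRET_BYTES} bytes")

    mode = env.get("ENV", "development")
    origin = env.get("ORIGIN", "")
    parts = urlsplit(origin)
    host = parts.hostname or ""
    if not _is_absolute_http_url(origin):
        errors.append("ORIGIN must be an absolute http(s) URL")
    else:
        if parts.path not in ("", "/") or parts.query or parts.fragment:
            errors.append("ORIGIN must be scheme://host[:port] with no path, query or fragment")
        if mode == "production" and parts.scheme != "https" and host not in LOCAL_HOSTS:
            errors.append("ORIGIN must use HTTPS when ENV=production")

    rp_id = env.get("RP_ID", "")
    if not rp_id:
        errors.append("RP_ID is required")
    elif host and not rp_id_matches_origin(rp_id, host):
        errors.append(f"RP_ID {rp_id!r} is neither the host of ORIGIN nor a parent domain of it")

    for name in ("RP_NAME", "DATABASE_URL"):
        if not env.get(name):
            errors.append(f"{name} is required")

    # Refresh cookies mean credentialed cross-origin requests, which browsers refuse with a '*' origin.
    for entry in (o.strip() for o in env.get("CORS_ORIGINS", "").split(",")):
        if not entry:
            continue
        if entry == "*":
            errors.append("CORS_ORIGINS must not be '*' when cookies are sent cross-origin")
        elif not _is_absolute_http_url(entry):
            errors.append(f"CORS_ORIGINS entry {entry!r} is not an absolute http(s) URL")

    for name, ceiling in LIFETIME_CEILINGS.items():
        try:
            minutes = int(env.get(name, ""))
        except ValueError:
            errors.append(f"{name} must be an integer number of minutes")
            continue
        if not 1 <= minutes <= ceiling:
            errors.append(f"{name} must be between 1 and {ceiling} minutes")

    return errors


if __name__ == "__main__":
    # Constructed sample settings for a local run; the real values come from .env.
    sample = {
        "SECRET_KEY": "c" * 48, "ENV": "production",
        "DATABASE_URL": "postgresql://alex:alex@db:5432/alex",
        "ORIGIN": "https://app.example.com", "RP_ID": "example.com", "RP_NAME": "ALEX",
        "CORS_ORIGINS": "https://app.example.com",
        "ACCESS_TOKEN_EXPIRE_MINUTES": "15", "REFRESH_TOKEN_EXPIRE_MINUTES": "10080",
        "CHALLENGE_TTL_MINUTES": "5",
    }
    for problem in validate_settings(sample):
        print("config error:", problem)
```

Returning every problem at once rather than raising on the first one is deliberate: an operator fixing a broken deployment wants the whole list in a single restart cycle.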
- `GET /health`
- `GET /ready`
- `GET /scans/supported-file-types`
- `POST /scans`
- `GET /protected/me`
- `GET /scans`
- `GET /admin/overview`
- `GET /admin/audit-events`
- `GET /admin/security-dashboard`
- `GET /compliance/overview`
- `GET /compliance/code-reviews`
The internal workspace is route-backed and currently includes:
- Overview
- Employees
- Policies
- Vendors
- Incidents
- Risks
- Access Reviews
- Training
- Code Review
- Testing & Validation
- Audit Log
This area is intended to support operational maturity and enterprise-readiness work without claiming certification.
- Local runtime directories such as `uploads/`, `redacted/`, and `logs/` are intentionally ignored.
- Local databases, caches, and generated build output are ignored.
- Generated font cache files and archived pickle artifacts are not part of the public source of truth.
Backend tests:
```bash
python -m pytest tests
```
Backend dependency validation:
```bash
python -m pip check
```
Database migrations:
```bash
alembic upgrade head
alembic downgrade -1
```
Frontend production build:
```bash
cd frontend
npm run build
```
This repository is an active product codebase, not a polished SDK or template. Some startup dependencies, especially the local scan model artifact, still require developer setup. The codebase is production-minded, but the repository remains under active refinement as the platform evolves.