v1.3.0 — Country-Aware Privacy Compliance

@greenarmor greenarmor released this 17 Jun 11:28
· 5 commits to master since this release

Release v1.3.0 (Minor)

This is a minor release. It adds new features (country-aware init, comprehensive privacy packs, MCP suggest_packs tool) without breaking changes. Existing projects continue to work — the new country field is optional.

Previous release: v1.2.8
Release date: 2026-06-17


Highlights

Country-Aware Privacy Compliance

ges init now requires a country of origin, automatically installing the correct privacy pack for that jurisdiction. This replaces the previous approach where users had to manually identify and install the right country pack.

Comprehensive Global Privacy Packs (172 Controls)

All 15 country packs have been rewritten from thin placeholders (2-4 controls each) to comprehensive, article-level controls (6-14 controls each). Every control references specific legal articles and regulator guidance, and includes 2-4 verification checks.

MCP suggest_packs Tool (Codebase Analysis)

New MCP tool that analyzes the project codebase to detect AI, blockchain, and healthcare dependencies, then ranks privacy pack recommendations by priority. This enables AI assistants to intelligently suggest which packs a project needs.


What's New

1. Country-of-Origin Selection (ges init)

The init wizard now guides users through:

  1. Region selection — Europe, Asia-Pacific, Americas, Africa, Middle East, or Global/EU-wide
  2. Country selection — Shows available countries with their law name and regulator
  3. Additional packs — Optional multi-select for installing extra country packs

CLI usage:

# Interactive
ges init

# Non-interactive with country flag
ges init --name "MyApp" --type saas --frameworks GDPR,OWASP --country BR

What gets auto-installed:

| Country Code | Country | Pack ID | Law |
|--------------|---------|---------|-----|
| BR | Brazil | br-lgpd | LGPD (Law 13,709/2018) |
| CA | Canada | ca-pipeda | PIPEDA (10 Fair Information Principles) |
| US-CA | California | us-cpra | CCPA/CPRA (2020) |
| GB | United Kingdom | uk-gdpr | UK GDPR & DPA 2018 |
| CH | Switzerland | ch-fadp | revFADP (2023) |
| EU | European Union | gdpr | EU GDPR (Regulation 2016/679) |
| SG | Singapore | sg-pdpa | PDPA (amended 2020/2021) |
| PH | Philippines | ph-dpa | Data Privacy Act of 2012 |
| JP | Japan | jp-appi | APPI (2022 revision) |
| KR | South Korea | kr-pipa | PIPA (2023 amendment) |
| CN | China | cn-pipl | PIPL (2021) |
| IN | India | in-dpdpa | DPDPA (2023) |
| ZA | South Africa | za-popia | POPIA (Act 4 of 2013) |
| AE | UAE | ae-pdpl | Federal Decree-Law No. 45 of 2021 |
| SA | Saudi Arabia | sa-pdpl | PDPL (Royal Decree M/19, amended M/148/2023) |

The privacy-core pack (40 baseline controls across 10 domains) is always installed alongside the country pack.

2. Comprehensive Privacy Pack Rewrite

All 15 country packs now have detailed, article-level controls organized into 4 regional files:

| Region File | Packs | Total Controls |
|-------------|-------|----------------|
| privacy-europe.ts | UK GDPR (14), Switzerland FADP (8) | 22 |
| privacy-asia.ts | Singapore PDPA (12), Philippines DPA (10), Japan APPI (10), South Korea PIPA (10), China PIPL (11), India DPDPA (8) | 61 |
| privacy-americas.ts | Brazil LGPD (10), Canada PIPEDA (10), California CPRA (9) | 29 |
| privacy-africa-me.ts | South Africa POPIA (8), UAE PDPL (6), Saudi Arabia PDPL (6) | 20 |
| privacy-core.ts | Universal baseline (40) | 40 |
| Total | 16 packs | 172 controls |

Each control includes:

  • Legal article reference — e.g., LGPD Article 41, PIPEDA Schedule 1 Principle 4.7, CPRA Section 1798.120
  • Detailed implementation guidance — citing the law, regulator, and official guidance
  • 2-4 verification checks — specific, testable compliance assertions

3. MCP suggest_packs Tool

A new tool (bringing the MCP tool count from 30 to 31) that analyzes a project codebase and recommends privacy/compliance packs.

What it analyzes:

  • package.json dependencies (Node.js) — detects openai, langchain, anthropic, ethers, web3, hardhat, fhir, hl7
  • requirements.txt / pyproject.toml (Python) — detects openai, langchain, torch
  • Dockerfile / docker-compose.yml — indicates production deployment
  • android/ or ios/ directories — indicates mobile app
  • .ges/config.json — reads existing country, project type, installed packs

Recommendation engine:

  • Checks which packs are already installed
  • Recommends country pack based on detected country
  • Recommends AI pack if LLM dependencies detected
  • Recommends Blockchain pack if web3 dependencies detected
  • Recommends HIPAA pack if healthcare indicators detected
  • Recommends ISO 27001/27701 for production deployments
  • Returns ranked table with priority (CRITICAL, HIGH, MEDIUM) and rationale
  • Does NOT auto-install — outputs recommendations for user action

Example output:

## Codebase Analysis
- Node.js project (package.json detected)
- AI/LLM dependencies detected (openai/langchain/anthropic)

## Recommended Packs (2)

| Priority | Pack ID | Reason |
|----------|---------|--------|
| HIGH | ai | AI/LLM application detected. Adds controls for prompt logging, output validation, PII detection. |
| MEDIUM | iso27701 | ISO 27701 extends ISO 27001 with privacy information management. |
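
The analysis and ranking steps described above, sketched as an added TypeScript example; it is not code from @greenarmor/ges. The `ProjectSnapshot` shape, the `installedPacks` config field, the token-matching rule, the CRITICAL priority for country packs and the Dockerfile-to-`iso27701` rule are assumptions; the dependency markers, pack IDs and the HIGH/MEDIUM priorities come from the notes above.

```typescript
// Added illustration of the suggest_packs flow; not code from @greenarmor/ges.
type Priority = "CRITICAL" | "HIGH" | "MEDIUM";
interface PackSuggestion { priority: Priority; packId: string; reason: string }
interface ProjectSnapshot {
  packageJson?: string;      // raw file text from the repo; may be malformed
  requirementsTxt?: string;
  hasDockerfile: boolean;
  gesConfig?: string;        // raw .ges/config.json text
}

const NODE_AI = ["openai", "langchain", "anthropic"]; // markers named in the release notes
const PY_AI = ["openai", "langchain", "torch"];
const COUNTRY_PACKS: { [code: string]: string } = { BR: "br-lgpd", SG: "sg-pdpa", "US-CA": "us-cpra" };
const RANK: Record<Priority, number> = { CRITICAL: 0, HIGH: 1, MEDIUM: 2 };

// Repository files are untrusted input: a parse failure yields "no data", not a crash.
function parseJson(text: string | undefined): any {
  if (!text) return {};
  try { const v = JSON.parse(text); return v && typeof v === "object" ? v : {}; } catch (e) { return {}; }
}

// Assumed matching rule: whole name tokens, so "@anthropic-ai/sdk" matches and "torchvision" does not.
function hasMarker(names: string[], markers: string[]): boolean {
  return names.some(function (n) {
    return n.toLowerCase().split(/[^a-z0-9]+/).some(function (t) { return markers.indexOf(t) !== -1; });
  });
}

function suggestPacks(p: ProjectSnapshot): PackSuggestion[] {
  const pkg = parseJson(p.packageJson);
  const cfg = parseJson(p.gesConfig);
  const nodeDeps = Object.keys(pkg.dependencies || {}).concat(Object.keys(pkg.devDependencies || {}));
  const pyDeps = (p.requirementsTxt || "").split("\n")
    .map(function (l) { return l.replace(/#.*/, "").trim().split(/[^A-Za-z0-9._-]/)[0] || ""; })
    .filter(function (n) { return n.length > 0; });
  const installed: string[] = Array.isArray(cfg.installedPacks) ? cfg.installedPacks : []; // assumed field name
  const out: PackSuggestion[] = [];
  const countryPack = COUNTRY_PACKS[String(cfg.country || "").toUpperCase()];
  if (countryPack) out.push({ priority: "CRITICAL", packId: countryPack, reason: "Country pack for " + cfg.country });
  if (hasMarker(nodeDeps, NODE_AI) || hasMarker(pyDeps, PY_AI))
    out.push({ priority: "HIGH", packId: "ai", reason: "AI/LLM dependencies detected" });
  if (p.hasDockerfile) out.push({ priority: "MEDIUM", packId: "iso27701", reason: "Production deployment indicators" });
  return out
    .filter(function (s) { return installed.indexOf(s.packId) === -1; }) // skip packs already installed
    .sort(function (a, b) { return RANK[a.priority] - RANK[b.priority]; });
}

// Constructed sample project (not taken from a real repository).
const SAMPLE_SUGGESTIONS = suggestPacks({ packageJson: '{"dependencies":{"@anthropic-ai/sdk":"^0.20.0"}}',
  requirementsTxt: "torchvision==0.18\n", hasDockerfile: true, gesConfig: '{"country":"sg"}' });
```
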

4. MCP init_project — Country Support

The MCP init_project tool gains two new parameters:

  • country — Country code that auto-installs the matching privacy pack
  • additional_packs — Comma-separated pack IDs for extra privacy packs

5. ProjectConfig Schema

  • New optional country field on ProjectConfig type and Zod validator
  • Stored in .ges/config.json and .ges/metadata.json
  • Backward compatible — existing configs without country still validate

Architecture Changes

Layered Privacy Framework

                    ┌─────────────────────┐
                    │   privacy-core      │  40 controls, 10 domains
                    │   (universal)       │  installed for every project
                    └──────────┬──────────┘
                               │
           ┌───────────────────┼───────────────────┐
           │                   │                   │
  ┌────────┴────────┐ ┌───────┴───────┐ ┌────────┴────────┐
  │  Country Pack   │ │ Country Pack  │ │ Country Pack    │
  │  (br-lgpd)      │ │ (sg-pdpa)     │ │ (us-cpra)       │
  │  10 controls    │ │ 12 controls   │ │ 9 controls      │
  └─────────────────┘ └───────────────┘ └─────────────────┘

Each country pack adds jurisdiction-specific requirements on top of the universal privacy-core baseline. Organizations install only packs for countries they operate in. Each country scores independently in the dashboard.

Regional File Organization

Country packs are organized into regional files instead of a single monolithic file:

packages/policy-engine/src/packs/
  privacy-core.ts          # Universal baseline (40 controls)
  privacy-europe.ts        # UK GDPR, Switzerland FADP
  privacy-asia.ts          # Singapore, Philippines, Japan, Korea, China, India
  privacy-americas.ts      # Brazil, Canada, California
  privacy-africa-me.ts     # South Africa, UAE, Saudi Arabia
  countries.ts             # Country-to-pack mapping utility

Country-to-Pack Mapping

New module (countries.ts) provides:

  • PRIVACY_COUNTRIES — Array of all 16 country entries with code, name, region, packId, frameworkName, lawName, regulator
  • getCountryByCode(code) — Look up country info by code
  • getCountryPackId(code) — Get the pack ID for a country code
  • getCountriesByRegion(region) — Filter countries by region

Files Changed

| File | Change |
|------|--------|
| packages/policy-engine/src/packs/privacy-europe.ts | New — UK GDPR (14), Switzerland FADP (8) |
| packages/policy-engine/src/packs/privacy-asia.ts | New — 6 APAC country packs (61 controls) |
| packages/policy-engine/src/packs/privacy-americas.ts | New — Brazil LGPD, Canada PIPEDA, California CPRA |
| packages/policy-engine/src/packs/privacy-africa-me.ts | New — South Africa POPIA, UAE PDPL, Saudi PDPL |
| packages/policy-engine/src/packs/privacy-core.ts | New — Universal baseline (40 controls, 10 domains) |
| packages/policy-engine/src/packs/countries.ts | New — Country-to-pack mapping utility |
| packages/policy-engine/src/packs/privacy-countries.ts | Deleted — Replaced by regional files |
| packages/policy-engine/src/index.ts | Updated imports from 4 regional files, export country utilities |
| packages/core/src/types/index.ts | Added country field to ProjectConfig, 15 new FrameworkName values |
| packages/core/src/schemas/index.ts | Added country to ProjectConfigSchema, 15 new framework values |
| packages/cli/src/commands/init.ts | Rewritten with country selection, auto-pack install |
| packages/mcp-server/src/server.ts | init_project gains country/additional_packs, new suggest_packs tool |
| packages/mcp-server/src/server.test.ts | Updated tool count assertion (30 to 31) |
| packages/doc-generator/src/index.ts | metadata.json now includes country field |

Test Results

  • 432 tests passing across all 15 test suites
  • All 16 packages build clean
  • E2E verified:
    • ges init --country BR installs privacy-core + br-lgpd correctly
    • ges init --country US-CA installs privacy-core + us-cpra correctly
    • MCP init_project with country: "SG" installs sg-pdpa correctly
    • MCP suggest_packs detects AI dependencies and recommends ai pack
    • All 15 country packs install and score independently in dashboard
    • 172 total privacy controls verified across all packs

Upgrade Guide

No breaking changes. The country field is optional — existing configs without it continue to work.

npm update @greenarmor/ges
# or
pnpm update @greenarmor/ges

To add country awareness to an existing project:

ges init --force --country BR

Or install a country pack manually:

ges policy install br-lgpd