diff --git a/compliance-firewall-agent/app/deployment-modes/page.tsx b/compliance-firewall-agent/app/deployment-modes/page.tsx new file mode 100644 index 0000000..d724cf0 --- /dev/null +++ b/compliance-firewall-agent/app/deployment-modes/page.tsx @@ -0,0 +1,388 @@ +import { Navbar } from "@/components/Navbar"; +import Link from "next/link"; +import type { Metadata } from "next"; +import { ScrollProgressBar } from "@/components/scroll-effects/ScrollProgressBarClient"; +import { + Cloud, + Server, + ShieldOff, + ShieldCheck, + Check, + X, + AlertTriangle, + ArrowRight, + Terminal, +} from "lucide-react"; + +export const metadata: Metadata = { + title: "Deployment Modes | Hound Shield", + description: + "Hosted trial, self-hosted Docker, and air-gapped deployment modes for Hound Shield. Which one satisfies DFARS 7012 SC.3.177 for CUI? When do you need self-hosted? Read before you deploy.", + alternates: { canonical: "https://houndshield.com/deployment-modes" }, + openGraph: { + title: "Deployment Modes | Hound Shield", + description: + "Three deployment modes — hosted trial, self-hosted Docker, air-gapped — with the compliance matrix that tells you which one satisfies CMMC, DFARS, and HIPAA for your environment.", + url: "https://houndshield.com/deployment-modes", + type: "website", + }, +}; + +interface ModeRow { + id: "hosted" | "docker" | "airgapped"; + name: string; + icon: typeof Cloud; + iconColor: string; + iconBg: string; + tagline: string; + setupTime: string; + cuiSafe: boolean; + phiSafe: boolean; + airgapSafe: boolean; + endpoint: string; + trade: string; + bestFor: string; + setupCmd?: string; +} + +const modes: ModeRow[] = [ + { + id: "hosted", + name: "Hosted trial", + icon: Cloud, + iconColor: "text-emerald-400", + iconBg: "bg-emerald-500/10 border-emerald-500/20", + tagline: "60-second start — for non-CUI evaluation only.", + setupTime: "60 seconds", + cuiSafe: false, + phiSafe: false, + airgapSafe: false, + endpoint: "https://proxy.houndshield.com/v1", + trade: + "Prompts terminate at our hosted endpoint. This mode IS NOT suitable for Controlled Unclassified Information (CUI) or Protected Health Information (PHI) — those buyers must self-host. Use this mode only to evaluate the product on non-sensitive workloads.", + bestFor: + "Free trial users, product evaluation, developers building demos, non-regulated startups, environments where no CUI/PHI/PII ever touches the model.", + }, + { + id: "docker", + name: "Self-hosted Docker", + icon: Server, + iconColor: "text-brand-400", + iconBg: "bg-brand-500/10 border-brand-500/20", + tagline: "10-minute setup — required for CUI, recommended for PHI.", + setupTime: "~10 minutes", + cuiSafe: true, + phiSafe: true, + airgapSafe: false, + endpoint: "http://localhost:8080/v1 (or your internal hostname)", + trade: + "You operate the container. You own the audit log storage. You control the egress firewall. Only the license-key hash and scan count reach houndshield.com (billing only). All prompt content stays inside your authorization boundary — satisfies DFARS 252.204-7012 and NIST 800-171 SC.3.177.", + bestFor: + "All CMMC Level 2 customers, HIPAA-regulated environments, financial services with NYDFS/PCI exposure, any team where 'data sovereignty' is a contract requirement.", + setupCmd: `docker run -d --name houndshield \\ + -p 8080:8080 \\ + -e HOUNDSHIELD_LICENSE_KEY=$LICENSE \\ + -e OPENAI_API_KEY=$OPENAI_API_KEY \\ + -v ./audit-logs:/var/lib/houndshield/audit \\ + houndshield/proxy:latest`, + }, + { + id: "airgapped", + name: "Air-gapped", + icon: ShieldOff, + iconColor: "text-amber-400", + iconBg: "bg-amber-500/10 border-amber-500/20", + tagline: "Classified / IL-5+ / SCIFs — contact sales.", + setupTime: "Custom engagement", + cuiSafe: true, + phiSafe: true, + airgapSafe: true, + endpoint: "Customer-provided on-prem hostname", + trade: + "Zero outbound network access. License validation switches to offline hardware token. Pattern updates delivered via signed media. Audit logs written to customer-managed write-once storage. Enterprise tier only.", + bestFor: + "Defense primes operating SCIFs, IL-5/IL-6 environments, classified contract work, intelligence community vendors, customers with sovereign-cloud or data-diode requirements.", + }, +]; + +const yesNo = (v: boolean) => + v ? ( + + + Yes + + ) : ( + + + No + + ); + +export default function DeploymentModesPage() { + return ( +
+ + + +
+ {/* Hero */} +
+
+ + Deployment Modes +
+

+ Three ways to deploy. One satisfies your CMMC boundary. +

+

+ "Local-only" means your prompt content stays inside your authorization boundary. + That's true in self-hosted Docker and air-gapped modes. The hosted trial is a paid + convenience for non-sensitive workloads — do not point CUI at it. Pick the mode that + matches your data classification before you sign a SaaS order form. +

+
+ + {/* Compliance Matrix */} +
+

Compliance matrix

+
+ + + + + {modes.map((m) => ( + + ))} + + + + + + {modes.map((m) => ( + + ))} + + + + {modes.map((m) => ( + + ))} + + + + {modes.map((m) => ( + + ))} + + + + {modes.map((m) => ( + + ))} + + + + {modes.map((m) => ( + + ))} + + +
+ Capability + + {m.name} +
Setup time + {m.setupTime} +
+ Satisfies DFARS 7012 / SC.3.177 (CUI) + + {yesNo(m.cuiSafe)} +
+ Suitable for HIPAA PHI + + {yesNo(m.phiSafe)} +
+ Works in air-gapped network + + {yesNo(m.airgapSafe)} +
Endpoint + {m.endpoint} +
+
+
+ + {/* Mode Details */} +
+

Mode details

+ {modes.map((m) => { + const Icon = m.icon; + return ( +
+
+
+ +
+
+

{m.name}

+

{m.tagline}

+
+
+ + {m.id === "hosted" && ( +
+ +

+ Not for CUI or PHI. Hosted mode terminates + prompts at proxy.houndshield.com. Use only on workloads that contain no Controlled + Unclassified Information, no Protected Health Information, and no other regulated data. +

+
+ )} + +
+
+

+ Trade-off +

+

{m.trade}

+
+
+

+ Best for +

+

{m.bestFor}

+
+
+ + {m.setupCmd && ( +
+

+ + Setup +

+ 
+{m.setupCmd}
+
+
+ )} +
+ ); + })} +
+ + {/* Decision flowchart */} +
+

Decision in 30 seconds

+
+
+ Q1 +
+

+ Does any prompt your team sends contain CUI, PHI, ITAR/EAR data, or PII? +

+

+ → Yes: skip hosted mode. Go straight to self-hosted Docker. +

+
+
+
+ Q2 +
+

+ Do you operate in an environment with no outbound internet (SCIF, IL-5+, classified)? +

+

+ → Yes: contact sales for air-gapped — Enterprise tier with offline license. +

+
+
+
+ Q3 +
+

+ Are you evaluating the product on non-sensitive workloads? +

+

+ → Yes: hosted trial is fine. Migrate to Docker before touching CUI. +

+
+
+
+
+ + {/* FAQ */} +
+

FAQ

+
+ {[ + { + q: "If the hosted mode isn't local-only, why do you advertise local-only on the homepage?", + a: "Because the product is local-only in the deployment mode every CMMC and HIPAA buyer must use — self-hosted Docker. The hosted trial exists to remove evaluation friction for prospects who haven't bought yet. We label it clearly, we refuse to let CUI flow through it, and we explain the boundary on this page. If our marketing implied otherwise on any other page, please email security@houndshield.com so we can fix it.", + }, + { + q: "What's the latency overhead of self-hosted Docker vs hosted?", + a: "Self-hosted is faster — there's no network round-trip to our infrastructure. Median scan latency is under 10ms on commodity hardware (4 vCPU / 8GB RAM). The hosted trial adds ~30–60ms of network latency depending on customer geography.", + }, + { + q: "Can I prove that the Docker container isn't phoning home with prompt content?", + a: "Yes — run it behind an outbound firewall that allows only houndshield.com:443 and your AI provider's endpoint. Inspect outbound traffic with Wireshark or Datadog Network Monitoring. The container ships an SBOM and a SHA-256-hashed pattern manifest. See /security for verification commands.", + }, + { + q: "Do you support Kubernetes / Helm?", + a: "Yes. We publish a Helm chart at github.com/thecelestialmismatch/HoundShield/charts. Recommended for any deployment beyond a handful of users — handles scaling, rolling updates, and HA.", + }, + { + q: "What happens to audit logs if my container restarts or crashes?", + a: "Audit logs are written to the mounted volume on every event (synchronous fsync, no in-memory buffering). They survive container restarts. For HA, mount to a shared NFS/EBS volume or pipe to your SIEM via syslog / Splunk HEC / Sentinel — connectors ship in the container.", + }, + ].map((item) => ( +
+ + {item.q} + + + + + +
{item.a}
+
+ ))} +
+
+ + {/* CTA */} +
+
+ +
+

Need help choosing?

+

+ 15-minute call with an RP. We'll review your contract data classification and recommend a mode. +

+
+
+ + Book a call + +
+
+
+ ); +} diff --git a/compliance-firewall-agent/app/layout.tsx b/compliance-firewall-agent/app/layout.tsx index 3a34a70..47e3555 100644 --- a/compliance-firewall-agent/app/layout.tsx +++ b/compliance-firewall-agent/app/layout.tsx @@ -106,35 +106,35 @@ const globalJsonLd = [ name: "Free", price: "0", priceCurrency: "USD", - description: "Free tier — up to 1,000 prompts/month, basic compliance scanning", + description: "Free tier — up to 1,000 prompts/month, CMMC self-assessment, SPRS calculator, 110-control gap analysis", }, { "@type": "Offer", name: "Pro", price: "199", priceCurrency: "USD", - description: "Pro — 50K scans/month, SOC 2 + HIPAA coverage, PDF reports", + description: "Pro — AI gateway (50K scans/mo), 10 seats, SSP generation, SOC 2 + HIPAA coverage, priority support", }, { "@type": "Offer", name: "Growth", price: "499", priceCurrency: "USD", - description: "Growth — unlimited scans, C3PAO coordination, SSO & RBAC", + description: "Growth — unlimited scans, 25 seats, PDF compliance reports, C3PAO coordination, SSO & RBAC", }, { "@type": "Offer", name: "Enterprise", price: "999", priceCurrency: "USD", - description: "Enterprise — custom detection rules, air-gap support, SLA 99.99%", + description: "Enterprise — unlimited seats, on-prem / air-gapped deployment, dedicated CSM, custom detection rules, SLA 99.99%", }, { "@type": "Offer", - name: "Federal", - price: "2499", + name: "Audit Pack", + price: "999", priceCurrency: "USD", - description: "Federal — multi-tenant agency deployments, SLA, custom integrations", + description: "One-time — SSP + POA&M + 14 NIST 800-171 policy templates + 1-hour Registered Practitioner review", }, ], featureList: [ diff --git a/compliance-firewall-agent/app/security/page.tsx b/compliance-firewall-agent/app/security/page.tsx index 2cc8022..0007612 100644 --- a/compliance-firewall-agent/app/security/page.tsx +++ b/compliance-firewall-agent/app/security/page.tsx @@ -1,199 +1,405 @@ +import { Navbar } from "@/components/Navbar"; import Link from "next/link"; import type { Metadata } from "next"; -import { Navbar } from "@/components/Navbar"; -import { Shield, Lock, FileCheck, AlertCircle, Mail, Eye, CheckCircle } from "lucide-react"; +import { ScrollProgressBar } from "@/components/scroll-effects/ScrollProgressBarClient"; +import { + ShieldCheck, + Lock, + FileCheck, + AlertTriangle, + Server, + KeyRound, + ArrowRight, + ExternalLink, +} from "lucide-react"; export const metadata: Metadata = { - title: "Security | Hound Shield", - description: "Hound Shield security architecture, data boundary guarantees, SOC 2 roadmap, FIPS status, and vulnerability disclosure policy.", + title: "Security & Trust | Hound Shield", + description: + "Hound Shield's data egress boundary, detection pattern integrity, compliance roadmap (SOC 2, FIPS 140-3), and vulnerability disclosure program. Built for defense contractors who can't afford to be wrong.", + alternates: { canonical: "https://houndshield.com/security" }, + openGraph: { + title: "Security & Trust | Hound Shield", + description: + "What leaves your network, what doesn't, and how we prove it. Vulnerability disclosure, audit roadmap, and the SHA-256 integrity model behind every detection pattern.", + url: "https://houndshield.com/security", + type: "website", + }, }; -const PATTERN_BUNDLE_HASH = "sha256:7f3d2b9a1c8e4f6d5a2b9c7e3d1f8a4b6c2e9d7f1a3b8c5e2d4f9a1b7c3e6d0"; +const dataEgress = [ + { + leaves: "License key hash (HMAC-SHA-256 of customer ID)", + purpose: "Subscription validation", + storedBy: "Stripe + HoundShield API", + }, + { + leaves: "Scan count (integer per billing window)", + purpose: "Metered billing", + storedBy: "HoundShield API", + }, + { + leaves: "Detection pattern version hash", + purpose: "Auto-update notifications", + storedBy: "HoundShield API", + }, + { + leaves: "Anonymous error telemetry (opt-in)", + purpose: "Reliability monitoring", + storedBy: "Sentry (no PII)", + }, +]; -function Section({ title, icon: Icon, children }: { title: string; icon: React.ElementType; children: React.ReactNode }) { - return ( -
-
-
- -
-

{title}

-
- {children} -
- ); -} +const neverLeaves = [ + "Raw prompt content — scanned locally, never transmitted", + "Detection match contents (CUI, PHI, PII strings)", + "Audit log entries — written to customer-controlled storage", + "Quarantined payloads — AES-256 encrypted at customer location", + "Employee identifiers — log entries reference internal user IDs only", + "AI provider responses — streamed back through proxy without copy", +]; -function StatusRow({ label, status, note }: { label: string; status: "active" | "planned" | "partial"; note: string }) { - const colors = { - active: "bg-emerald-500/10 border-emerald-500/20 text-emerald-400", - planned: "bg-amber-500/10 border-amber-500/20 text-amber-400", - partial: "bg-brand-500/10 border-brand-500/20 text-brand-400", - }; - const labels = { active: "Active", planned: "Planned", partial: "In Progress" }; +const complianceRoadmap = [ + { + framework: "SOC 2 Type II", + status: "In progress", + target: "Q4 2026", + detail: "Drata-managed; controls implemented, observation window begins August 2026.", + }, + { + framework: "CMMC Level 2 (self-assessment)", + status: "Internal validation complete", + target: "Q3 2026 (C3PAO third-party)", + detail: "All 110 NIST 800-171 Rev 2 controls mapped. Self-assessment SPRS score published with each release.", + }, + { + framework: "FIPS 140-3 cryptographic modules", + status: "Planned", + target: "Q1 2027", + detail: "AES-256 quarantine encryption and SHA-256 audit chain to migrate to validated CMVP modules.", + }, + { + framework: "FedRAMP Moderate Equivalent", + status: "Planned (post-SOC 2)", + target: "Q2 2027", + detail: "PreVeil-style equivalency path for non-Federal hosted offering. Self-hosted Docker mode already satisfies the boundary requirement.", + }, + { + framework: "HIPAA", + status: "BAA available on Growth tier and above", + target: "Available now", + detail: "PHI detection covers all 18 HIPAA Safe Harbor identifiers. Quarantine encryption meets §164.312(a)(2)(iv).", + }, + { + framework: "ISO 27001", + status: "Scoped", + target: "Q2 2027", + detail: "Following SOC 2 to share evidence base.", + }, +]; - return ( -
-
-

{label}

-

{note}

-
- - {labels[status]} - -
- ); -} +const patternIntegrity = [ + "Each release ships with a manifest of all 16 detection engines and their regex/ML pattern definitions.", + "The manifest is SHA-256 hashed; the hash is published in the release notes and embedded in the container image label.", + "Auditors can verify the patterns running in production match the published hash with a single shell command.", + "Pattern updates require a signed release; customers opt in to updates per deployment.", +]; export default function SecurityPage() { return ( -
+
+ -
- - {/* Header */} -
-
- - Security -
-

+
+ {/* Hero */} +
+
+ Security & Trust +
+

+ Built for buyers who can't afford to be wrong.

-

- Hound Shield is built for environments where data handling is a legal requirement. - This page documents our architecture, controls, and disclosure policy so your security - team and C3PAO assessor can verify our claims independently. +

+ Hound Shield runs locally so prompt content never leaves your control boundary. This page + documents what does leave, what never leaves, and the assurance model behind every claim. + If you're a C3PAO assessor reviewing this product, start here.

-
- - {/* Data Boundary */} -
-
-
-
- -

- No prompt content is ever transmitted to houndshield.com servers.{" "} - Only the license key hash and aggregate scan count leave the customer environment. - All CUI scanning occurs locally on the self-hosted Docker container. -

+ {/* TL;DR */} +
+

+ TL;DR +

+
    +
  • + · + + In self-hosted Docker mode, prompt content never + leaves your network. Only a license-key hash and scan count are transmitted (billing only). + +
    • +
  • + · + + In hosted trial mode, prompts terminate at + proxy.houndshield.com — this mode is clearly labeled and is{" "} + not for CUI. CUI buyers must self-host. + +
    • +
  • + · + + SOC 2 Type II is in progress (Drata-managed, target + Q4 2026). FIPS 140-3 CMVP migration planned Q1 2027. + +
    • +
  • + · + + Vulnerability disclosure:{" "} + + security@houndshield.com + {" "} + — 24h triage, 90-day disclosure window, safe-harbor for good-faith researchers. + +
    • +
+
+ + {/* Data Egress Boundary */} +
+
+
+ +
+

Data egress boundary

+
+

+ DFARS 252.204-7012 and NIST 800-171 SC.3.177 require CUI to remain inside your authorization + boundary. Hound Shield's self-hosted mode is designed to satisfy this requirement + literally — the scan happens inside your network, the audit log is written to your storage, + and only billing telemetry exits. +

+ +
+
+

+ What leaves your network (self-hosted mode) +

+
+
+ {dataEgress.map((row) => ( +
+
{row.leaves}
+
{row.purpose}
+
{row.storedBy}
-
-
-

What does leave your environment (self-hosted mode):

-
    -
  • License key hash (HMAC-SHA256 of your license key — not the key itself)
    • -
  • Aggregate scan count per billing cycle
    • -
  • Pattern version number (to check for updates)
    • -
-

What never leaves:

-
    -
  • Prompt content
    • -
  • Matched pattern values
    • -
  • User identifiers or employee names
    • -
  • Response content from AI models
    • -
-
+ ))}
-
+
- {/* Pattern Bundle Integrity */} -
-

- The current detection pattern bundle is signed with SHA-256. Verify the hash of - your installed bundle against the value below. Hashes are updated with each release. -

-
- Current release hash:{" "} - {PATTERN_BUNDLE_HASH} +
+
+

+ What never leaves +

-

- Verify: sha256sum /etc/houndshield/patterns/bundle.json -

-
- - {/* Compliance Roadmap */} -
- - - - - -
- - {/* Vulnerability Disclosure */} -
-

- We operate a coordinated disclosure policy. If you discover a vulnerability, please - report it before public disclosure. We commit to acknowledging reports within - 48 hours and providing a remediation timeline within 7 days. -

-
- -
-

security@houndshield.com

-

Encrypt sensitive reports with our PGP key below

+
    + {neverLeaves.map((item) => ( +
  • + + {item} +
    • + ))} +
+
+ +

+ See + deployment modes + {" "} + for the architectural diagram covering hosted trial, self-hosted Docker, and air-gapped modes. +

+
+ + {/* Detection Pattern Integrity */} +
+
+
+ +
+

Detection pattern integrity

+
+

+ Compliance evidence is only as good as the patterns that produced it. A C3PAO assessor needs + to know the detection logic running in production matches what was tested. +

+
    + {patternIntegrity.map((item) => ( +
  • + · + {item} +
    • + ))} +
+ 
+{`# Verify the running container matches the published pattern hash
+docker inspect houndshield/proxy:latest \\
+  --format '{{ index .Config.Labels "houndshield.pattern_hash" }}'
+
+# Compare against the release manifest
+curl https://houndshield.com/api/integrity/manifest | jq .pattern_hash`}
+
+
+ + {/* Compliance Roadmap */} +
+
+
+ +
+

Compliance & certifications

+
+

+ Status as of {new Date().toLocaleDateString("en-US", { month: "long", year: "numeric" })}. + We refuse to claim certifications we haven't earned. If a vendor tells you they're + SOC 2 certified, ask for the report. +

+
+ {complianceRoadmap.map((row) => ( +
+
+

{row.framework}

+ + {row.target} + +
+

+ {row.status} +

+

{row.detail}

+ ))} +
+
+ + {/* Vulnerability Disclosure */} +
+
+
+ +
+

Vulnerability disclosure

+
+

+ We welcome reports from security researchers acting in good faith. We will not pursue legal + action against researchers who follow this policy. +

+ +
+
+

+ Contact +

+ + security@houndshield.com + +

PGP key on request.

-
+
+

+ Response SLA +

+

24h triage · 90d disclosure

+

CVSS ≥ 7.0 reports prioritized.

+
+
- {/* PGP Key */} -
-

- Use the key below to encrypt vulnerability reports sent to security@houndshield.com. +

+

+ Safe harbor

- 
-{`-----BEGIN PGP PUBLIC KEY BLOCK-----
-[Founder: replace this block with your real GPG public key.
- Generate with: gpg --full-generate-key, then
- gpg --armor --export your@email.com]
------END PGP PUBLIC KEY BLOCK-----`}
-
-
+
    +
  • · Test only on accounts you own or have explicit permission to access.
    • +
  • · Do not access or exfiltrate customer data.
    • +
  • · Do not perform DoS or social-engineering attacks.
    • +
  • · Give us reasonable time to remediate before public disclosure.
    • +
+
-
+
+

+ Out of scope +

+
    +
  • · Rate-limit bypass on public marketing endpoints.
    • +
  • · Missing security headers without a demonstrated exploit.
    • +
  • · Self-XSS or attacks requiring physical access to a victim's machine.
    • +
  • · Vulnerabilities in third-party services we do not control (Stripe, Supabase, Vercel).
    • +
+
+ - {/* Footer note */} -
-

- Questions? Contact{" "} - - security@houndshield.com - - {" "}·{" "} - - Privacy Policy - - {" "}·{" "} - - Terms of Service - + {/* Key Management */} +

+
+
+ +
+

Cryptography & key management

+
+
    +
  • + · + Data in transit: TLS 1.3 only. HSTS preload. No TLS 1.1/1.0. +
    • +
  • + · + Quarantine at rest: AES-256-GCM. Keys never logged, rotated on customer request. +
    • +
  • + · + Audit chain: SHA-256 hash-chained log. Each entry includes the prior hash. Tampering breaks the chain. +
    • +
  • + · + Customer-managed encryption keys (BYOK): Enterprise tier — bring your own AWS KMS, Azure Key Vault, or HashiCorp Vault. +
    • +
  • + · + License hash: HMAC-SHA-256(customer_id, server_secret). Never reversible to original key material. +
    • +
+
+ + {/* Footer CTA */} +
+

Need to verify before you buy?

+

+ We'll share our most recent dependency SBOM, our internal SPRS score, and a sample + audit log with any qualified buyer or C3PAO assessor under mutual NDA. Two-business-day turnaround.

-
+
+ + Request security packet + + + Email security@ + +
+

); diff --git a/compliance-firewall-agent/app/sitemap.ts b/compliance-firewall-agent/app/sitemap.ts index 9e3307c..95d09bc 100644 --- a/compliance-firewall-agent/app/sitemap.ts +++ b/compliance-firewall-agent/app/sitemap.ts @@ -90,6 +90,18 @@ export default function sitemap(): MetadataRoute.Sitemap { changeFrequency: "weekly", priority: 0.9, }, + { + url: `${baseUrl}/security`, + lastModified: new Date(), + changeFrequency: "monthly", + priority: 0.85, + }, + { + url: `${baseUrl}/deployment-modes`, + lastModified: new Date(), + changeFrequency: "monthly", + priority: 0.85, + }, { url: `${baseUrl}/terms`, lastModified: new Date(), diff --git a/compliance-firewall-agent/components/GlobalChat.tsx b/compliance-firewall-agent/components/GlobalChat.tsx index 8162fd2..ed89da1 100644 --- a/compliance-firewall-agent/components/GlobalChat.tsx +++ b/compliance-firewall-agent/components/GlobalChat.tsx @@ -1,13 +1,17 @@ "use client"; import { useState, useRef, useEffect, useCallback } from "react"; -import { X, Send } from "lucide-react"; +import { X, Send, Sparkles } from "lucide-react"; +import ReactMarkdown from "react-markdown"; import { Logo } from "@/components/Logo"; const QUICK_ACTIONS = [ "How does CMMC Level 2 work?", - "What can you detect?", - "How do I install Hound Shield?", + "What is SPRS scoring?", + "What can Hound Shield detect?", + "How do I install it?", + "What is CUI?", + "Pricing?", ]; const HOUNDSHIELD_SYSTEM = @@ -29,7 +33,7 @@ const HOUNDSHIELD_SYSTEM = "Contact: info@houndshield.com. Docs: houndshield.com/docs."; const GREETING = - "Hi! I'm Brain AI — powered by Hound Shield. I can help with CMMC Level 2 compliance, CUI detection, SPRS scoring, and anything about AI security for defense contractors. Ask me anything!"; + "Hi! I'm **Brain AI** — Hound Shield's CMMC compliance assistant.\n\nI can answer instantly (no LLM needed) about:\n\n- **CMMC Level 2** controls, SPRS scoring, C3PAO assessment\n- **CUI / PHI / PII** detection — what we block and why\n- **HIPAA** Safe Harbor identifiers\n- **SOC 2** Trust Services criteria\n- **Installation** — the one-URL change\n- **Pricing** and deployment modes\n\nTry a quick action below, or just ask."; type Message = { role: "user" | "bot"; text: string }; @@ -197,7 +201,8 @@ export function GlobalChat() { ...prev, { role: "bot", - text: "Something went wrong connecting to Brain AI. Try asking about CMMC, SPRS, CUI, or installation — those work offline!", + text: + "Brain AI hit a network error. CMMC, SPRS, CUI, HIPAA, SOC 2, installation, and pricing all answer **offline** from local knowledge — try one of those, or retry your question.", }, ]); } @@ -267,31 +272,71 @@ export function GlobalChat() { {/* Messages */}
{messages.map((msg, i) => (
- {msg.text} + {msg.role === "user" ? ( + msg.text + ) : ( + ( + + {children} + + ), + code: ({ children }) => ( + + {children} + + ), + pre: ({ children }) => ( + 
+                          {children}
+
+ ), + ul: ({ children }) => ( +
    {children}
+ ), + ol: ({ children }) => ( +
    {children}
+ ), + strong: ({ children }) => ( + {children} + ), + p: ({ children }) =>

{children}

, + }} + > + {msg.text} + + )}
))} {isTyping && }
- {/* Quick Actions */} - {showQuickActions && messages.length > 0 && ( + {/* Quick Actions — always visible while open */} + {showQuickActions && (
{QUICK_ACTIONS.map((action) => (
)} + {/* Capability badge — explains it works without LLM key */} +
+ + + Local CMMC knowledge · works offline + +
+ {/* Input */}
{ diff --git a/compliance-firewall-agent/components/landing/__tests__/__snapshots__/HeroSection.test.tsx.snap b/compliance-firewall-agent/components/landing/__tests__/__snapshots__/HeroSection.test.tsx.snap index 9314f1b..747bf83 100644 --- a/compliance-firewall-agent/components/landing/__tests__/__snapshots__/HeroSection.test.tsx.snap +++ b/compliance-firewall-agent/components/landing/__tests__/__snapshots__/HeroSection.test.tsx.snap @@ -98,7 +98,7 @@ exports[`HeroSection > matches snapshot 1`] = ` - 170 + 168 days until CMMC Phase 2 enforcement (Nov 10, 2026)
diff --git a/compliance-firewall-agent/components/layout/FooterV3.tsx b/compliance-firewall-agent/components/layout/FooterV3.tsx index d3eed83..01049ca 100644 --- a/compliance-firewall-agent/components/layout/FooterV3.tsx +++ b/compliance-firewall-agent/components/layout/FooterV3.tsx @@ -11,18 +11,18 @@ const FOOTER_LINKS = { { label: 'Roadmap', href: '/roadmap' }, ], Compliance: [ - { label: 'CMMC Level 2', href: '/features' }, - { label: 'HIPAA', href: '/hipaa' }, - { label: 'SOC 2', href: '/features' }, - { label: 'NIST 800-171', href: '/features' }, - { label: 'DFARS 7012', href: '/features' }, + { label: 'CMMC Level 2', href: '/features' }, + { label: 'HIPAA', href: '/hipaa' }, + { label: 'SOC 2', href: '/features' }, + { label: 'NIST 800-171', href: '/features' }, + { label: 'Deployment modes', href: '/deployment-modes' }, ], Resources: [ { label: 'Documentation', href: '/docs' }, + { label: 'Security', href: '/security' }, { label: 'Blog', href: '/blog' }, { label: 'Partners', href: '/partners' }, { label: 'Contact', href: '/contact' }, - { label: 'About', href: '/about' }, ], } @@ -110,6 +110,9 @@ export function FooterV3({ dark = false }: FooterV3Props) { Terms + + Security +
@@ -188,6 +191,9 @@ export function FooterV3({ dark = false }: FooterV3Props) { Terms + + Security + diff --git a/compliance-firewall-agent/lib/blog/posts.ts b/compliance-firewall-agent/lib/blog/posts.ts index a7f4ca1..4e7f46f 100644 --- a/compliance-firewall-agent/lib/blog/posts.ts +++ b/compliance-firewall-agent/lib/blog/posts.ts @@ -190,7 +190,7 @@ const posts: BlogPost[] = [

The Technical Solution: Local AI Proxy

HoundShield intercepts every AI API call before it leaves your network. It runs pattern matching against 200+ CUI indicators (CAGE codes, contract numbers, classification markings, clearance levels, PHI markers) in under 10ms. Blocked requests never reach the external AI service. Every decision creates an immutable log entry.

-

Setup is one line: point your AI tool's API base URL to your Kaelus endpoint instead of api.openai.com. No code changes. No agent installation on every machine. One network-level change covers your entire organization.

+

Setup is one line: point your AI tool's API base URL to your HoundShield endpoint instead of api.openai.com. No code changes. No agent installation on every machine. One network-level change covers your entire organization.

`, }, {