<!--
SPDX-License-Identifier: CC-BY-4.0
Copyright (c) 2024-2026 Acme Corp.
-->

# Acme Demo — Architecture

```
┌────────────┐    ┌─────────────┐    ┌────────────┐
│  Browser   │ →  │  Express    │ →  │  Postgres  │
│  (React)   │    │  API server │    │            │
└────────────┘    └─────┬───────┘    └────────────┘
                        │
                        ▼
                  ┌─────────────┐
                  │ Audit JAR   │  (vendor/acme-internal/AcmeAudit.jar)
                  │  → log4j    │
                  │  → MySQL    │
                  │    Conn     │
                  │  → OpenSSL  │
                  └─────────────┘
```

## Components

- **Web client (React 18)** — `src/`
- **API server (Express)** — `server/`
- **Crypto / legacy helpers** — `lib/`
- **Vendored binaries** — `vendor/`

## License posture

This is a multi-license codebase by design — see the SBOM in CuratorPro
for the full breakdown. The "trouble spots" you should highlight in the
audit walkthrough:

- AGPL-3.0 (ghostscript) — network-use clause
- GPL-2.0 (mysql-connector) — verify Classpath exception applies
- Proprietary internal JAR — no SPDX header, requires manual sign-off
