<!--
SPDX-License-Identifier: CC-BY-4.0
Copyright (c) 2024-2026 Acme Corp.
-->
# Acme Demo — Architecture
```
┌────────────┐ ┌─────────────┐ ┌────────────┐
│ Browser │ → │ Express │ → │ Postgres │
│ (React) │ │ API server │ │ │
└────────────┘ └─────┬───────┘ └────────────┘
│
▼
┌─────────────┐
│ Audit JAR │ (vendor/acme-internal/AcmeAudit.jar)
│ → log4j │
│ → MySQL │
│ Conn │
│ → OpenSSL │
└─────────────┘
```
## Components
- **Web client (React 18)** — `src/`
- **API server (Express)** — `server/`
- **Crypto / legacy helpers** — `lib/`
- **Vendored binaries** — `vendor/`
## License posture
This is a multi-license codebase by design — see the SBOM in CuratorPro
for the full breakdown. The "trouble spots" you should highlight in the
audit walkthrough:
- AGPL-3.0 (ghostscript) — network-use clause
- GPL-2.0 (mysql-connector) — verify Classpath exception applies
- Proprietary internal JAR — no SPDX header, requires manual sign-off