# videocompressor.online — Production Compliance Recheck

Date: 2026-06-03
Task: t_6afc5ebe
Tenant: site-videocompressor-20260603
Domain: https://videocompressor.online
Source commit checked: 613eacab43048e1e5ac3af0f714d97eccab32fe5
Reviewer: 墨盾

Not formal legal advice; this is a launch compliance/risk recheck.

## Verdict

COMPLIANCE_CONDITIONAL_GO.

P0 blockers: none found for the v0 local-first/no-upload scope.

The deployed fixed domain is now reachable. Core compliance boundaries are mostly aligned: no account, no payment, no server-side media storage, no upload API discovered, platform names are used descriptively, footer has Privacy/Terms/contact/no-affiliation, and production copy avoids the prohibited claims such as unlimited, lossless, no quality loss, supports all formats, official/approved/sponsored/partner.

Conditional issues remain before a clean final launch handoff:
1. Privacy Policy omits the runtime third-party static dependency `unpkg.com/@ffmpeg/core`, which loads ffmpeg-core JS/WASM when compression starts.
2. Public Privacy Policy contains internal wording: “This is product compliance guidance, not legal advice.” That should not appear in a user-facing privacy policy.
3. Terms are too thin: add Wyoming / Nextfield Labs governing-law baseline and a clearer limitation-of-liability / as-is disclaimer.
4. `support@videocompressor.online` is visible and domain-based, but DNS MX lookup returned empty; email routing should be configured/verified before using it as the legal/privacy contact.
5. `npm audit --omit=dev` reports 2 moderate production vulnerabilities via Next/PostCSS; not a compliance P0 for a static site, but should be tracked as a security P2/P1 depending on infra policy.

## Evidence checked

### Inputs read

- `/root/.hermes/reports/site-videocompressor-20260603/compliance-v0.md`
- `/root/.hermes/reports/site-videocompressor-20260603/frontend-implementation.md`
- Parent handoffs for backend architecture and frontend deploy
- Cloned source repo: `https://github.com/mengjian-github/videocompressor`
- Checked commit: `613eacab43048e1e5ac3af0f714d97eccab32fe5`

### Production route smoke

All required fixed-domain routes returned HTTP 200:

| Route | HTTP | Title / note |
|---|---:|---|
| `/` | 200 | Video Compressor Online — Private Browser MP4 Compression |
| `/mp4-compressor` | 200 | MP4 Compressor — Browser H.264 Video Compression |
| `/compress-video-for-discord` | 200 | Compress Video for Discord — Aim for 10MB |
| `/compress-video-for-whatsapp` | 200 | Compress Video for WhatsApp — Aim for 16MB |
| `/compress-video-for-instagram` | 200 | Compress Video for Instagram — 1080p and 720p Prep |
| `/privacy-video-compressor` | 200 | Private Video Compressor — How No-upload Local Compression Works |
| `/privacy` | 200 | Privacy Policy |
| `/terms` | 200 | Terms of Service |
| `/sitemap.xml` | 200 | present |
| `/robots.txt` | 200 | present |

DNS check:

- NS: `coraline.ns.cloudflare.com`, `nico.ns.cloudflare.com`
- A/AAAA: Cloudflare addresses present
- MX: empty
- TXT: empty

### Build/source verification

Commands run in cloned repo:

```bash
npm install --ignore-scripts
npm run build
npm run verify
npm audit --omit=dev --json
```

Results:

- `npm run build`: passed; Next.js generated 13 static pages.
- `npm run verify`: passed after build; route contract verified for `/`, matrix pages, `/privacy`, `/terms`, sitemap, robots, headers, OG, favicon.
- `npm audit --omit=dev`: 2 moderate vulnerabilities via `next -> postcss` (`GHSA-qx2v-qp2m-jg93`).

## Compliance checklist

### 1. No-upload / local processing

Status: PASS with P1 disclosure follow-up.

Evidence:

- Source uses browser-local ffmpeg.wasm in `src/components/VideoCompressor.tsx`.
- No source route/API found for `POST /api/upload`, `POST /api/compress`, R2/D1/queue/server-side media handling.
- Browser network instrumentation during a synthetic file-selection/compression attempt showed calls only to:
  - `https://plausible.io/api/event`
  - `https://unpkg.com/@ffmpeg/core@0.12.10/dist/umd/ffmpeg-core.js`
  - `https://unpkg.com/@ffmpeg/core@0.12.10/dist/umd/ffmpeg-core.wasm`
  - first-party Next worker chunk
- No media upload request to videocompressor.online or storage/transcoding endpoint was observed.

Risk note:

- The unpkg requests do not upload media, but they are a third-party runtime dependency. Privacy Policy currently lists Cloudflare and Plausible, not unpkg. Add disclosure such as: “When you start compression, the browser may load ffmpeg.wasm engine files from a third-party CDN such as unpkg; your selected video is not sent to that CDN.”
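The egress picture above (first-party chunks, Plausible events, ffmpeg-core assets from unpkg, and no media leaving the browser) can be checked mechanically against a captured request list rather than by eye. The following is an added example, not code from the videocompressor repository or from this report's tooling: it classifies constructed request entries against an egress allowlist, flags any request that would contradict the no-upload boundary, and lists third-party hosts that the Privacy Policy does not yet disclose. The entry field names (`url`, `method`, `bodyBytes`, `mimeType`), the first-party chunk path, the body-size limits and the sample entries are all assumptions constructed for the example.

```javascript
// Added example (not from the videocompressor repo): audit a captured browser
// network log against the egress a no-upload, local-first compressor should have.
// Entry fields and sample entries are constructed for this example.

const FIRST_PARTY_HOST = "videocompressor.online";

// Third-party egress that the report observed and the shape each request should have.
const EGRESS_ALLOWLIST = [
  { host: "plausible.io", pathPrefix: "/api/event", methods: ["POST"], maxBodyBytes: 4096 },
  { host: "unpkg.com", pathPrefix: "/@ffmpeg/core@", methods: ["GET"], maxBodyBytes: 0 },
];

// Body media types that would indicate a user's video leaving the browser.
const MEDIA_TYPES = ["video/", "multipart/form-data", "application/octet-stream"];

function classifyRequest(entry) {
  const url = new URL(entry.url);
  const host = url.hostname;
  const method = (entry.method || "GET").toUpperCase();
  const bodyBytes = entry.bodyBytes || 0;
  const mime = String(entry.mimeType || "").toLowerCase();
  const looksLikeMedia = bodyBytes > 0 && MEDIA_TYPES.some((t) => mime.startsWith(t));

  if (host === FIRST_PARTY_HOST) {
    // Static chunks and workers are expected; a media POST to the site itself would
    // contradict the "no server-side media storage" claim.
    if (method !== "GET" && looksLikeMedia) {
      return { verdict: "VIOLATION", reason: "media body sent to first-party origin", host };
    }
    return { verdict: "FIRST_PARTY", reason: "first-party static asset", host };
  }
  const rule = EGRESS_ALLOWLIST.find((r) => r.host === host && url.pathname.startsWith(r.pathPrefix));
  if (!rule) return { verdict: "VIOLATION", reason: "host not in egress allowlist", host };
  if (!rule.methods.includes(method)) {
    return { verdict: "VIOLATION", reason: `unexpected ${method} to ${host}`, host };
  }
  if (bodyBytes > rule.maxBodyBytes || looksLikeMedia) {
    return { verdict: "VIOLATION", reason: `body too large or media-like for ${host}`, host };
  }
  return { verdict: "THIRD_PARTY_OK", reason: `allowed ${method} to ${host}`, host };
}

// Summarise a capture: third-party hosts touched (to compare with the policy's
// disclosure list) and every request that breaks the no-upload boundary.
function auditCapture(entries, disclosedHosts) {
  const results = entries.map((e) => ({ url: e.url, ...classifyRequest(e) }));
  const thirdPartyHosts = [...new Set(results.filter((r) => r.verdict === "THIRD_PARTY_OK").map((r) => r.host))];
  return {
    thirdPartyHosts,
    undisclosed: thirdPartyHosts.filter((h) => !disclosedHosts.includes(h)),
    violations: results.filter((r) => r.verdict === "VIOLATION"),
  };
}

// Constructed capture mirroring the hosts this report observed during a compression attempt.
const CAPTURE = [
  { url: "https://videocompressor.online/_next/static/chunks/example-worker.js", method: "GET" },
  { url: "https://plausible.io/api/event", method: "POST", bodyBytes: 180, mimeType: "text/plain" },
  { url: "https://unpkg.com/@ffmpeg/core@0.12.10/dist/umd/ffmpeg-core.js", method: "GET" },
  { url: "https://unpkg.com/@ffmpeg/core@0.12.10/dist/umd/ffmpeg-core.wasm", method: "GET" },
];

// Constructed negative case: the same capture plus two requests that would fail the check.
const UPLOAD_CAPTURE = CAPTURE.concat([
  { url: "https://videocompressor.online/api/upload", method: "POST", bodyBytes: 8000000, mimeType: "video/mp4" },
  { url: "https://transcode.example.net/jobs", method: "POST", bodyBytes: 512, mimeType: "application/json" },
]);

// Hosts the current Privacy Policy names (Cloudflare and Plausible, per this report).
const POLICY_DISCLOSED = ["cloudflare.com", "plausible.io"];

console.log(JSON.stringify(auditCapture(CAPTURE, POLICY_DISCLOSED), null, 2));
```

Run against the constructed capture, `undisclosed` comes back as `["unpkg.com"]` with no violations, which is exactly finding 1 of this recheck; the negative capture surfaces the first-party media POST and the unknown transcoding host as violations.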

### 2. Analytics boundary

Status: PASS for implementation shape; dashboard receipt not verified.

Evidence:

- Production page loads Plausible script with `data-domain="videocompressor.online"`.
- Source `trackEvent` only passes bucketed/safe props:
  - `preset`, `target_size_bucket`
  - `size_bucket`, `mime_category`, `device_class`
  - `resolution_option`, `quality_option`
  - `input_size_bucket`, `output_size_bucket`, `success_target_met`
  - `reason`
- No filename/local path/video content/thumbnail/blob URL/hash is passed into analytics event props.

Residual:

- Plausible dashboard-side event receipt was not independently verified here.
- If GA4, Clarity, ads, heatmaps, or session replay are later added, this verdict no longer covers cookie/consent/replay risk.
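The analytics boundary above rests on `trackEvent` only ever forwarding bucketed, non-identifying props. The following is an added example, not the project's own `trackEvent` or `Analytics.tsx`: it enforces that boundary in code by allowlisting the prop keys listed in this section, rejecting values that look like filenames, paths, blob URLs or hashes, and bucketing raw sizes and MIME types before they can reach an event. The bucket boundaries, the value patterns, the event name and the sample file object are assumptions; the sink that would actually send the event (for example the Plausible script) is left to the caller.

```javascript
// Added example (not the project's trackEvent): build analytics events that can
// only carry allowlisted, already-bucketed props. Bucket boundaries, value
// patterns and sample inputs are assumptions constructed for this example.

// Prop keys this recheck found in the source trackEvent calls.
const ALLOWED_PROPS = new Set([
  "preset", "target_size_bucket", "size_bucket", "mime_category", "device_class",
  "resolution_option", "quality_option", "input_size_bucket", "output_size_bucket",
  "success_target_met", "reason",
]);

// Values that must never reach an analytics sink, even under an allowed key.
const RAW_VALUE_PATTERNS = [
  /^blob:/i,            // object URLs for the selected video
  /^[a-f0-9]{32,}$/i,   // digests of file content
  /\.[a-z0-9]{2,4}$/i,  // a filename with an extension
  /[\\/]/,              // local path separators or URLs
];

// Coarse size buckets; raw byte counts never leave the browser.
function sizeBucket(bytes) {
  if (!Number.isFinite(bytes) || bytes < 0) return "unknown";
  if (bytes < 8 * 1024 * 1024) return "lt_8mb";
  if (bytes < 16 * 1024 * 1024) return "8_16mb";
  if (bytes < 100 * 1024 * 1024) return "16_100mb";
  return "gte_100mb";
}

function mimeCategory(mimeType) {
  const m = String(mimeType || "").toLowerCase();
  if (m.startsWith("video/")) return "video";
  if (m.startsWith("audio/")) return "audio";
  return "other";
}

// Drop unknown keys, non-scalar values and anything that looks identifying.
function sanitizeProps(props) {
  const accepted = {};
  const rejected = [];
  for (const [key, value] of Object.entries(props || {})) {
    if (!ALLOWED_PROPS.has(key)) { rejected.push({ key, why: "key not allowlisted" }); continue; }
    if (!["string", "boolean", "number"].includes(typeof value)) {
      rejected.push({ key, why: "non-scalar value" }); continue;
    }
    const s = String(value);
    if (s.length > 64 || RAW_VALUE_PATTERNS.some((re) => re.test(s))) {
      rejected.push({ key, why: "raw or identifying value" }); continue;
    }
    accepted[key] = value;
  }
  return { accepted, rejected };
}

// Build the completion event from runtime facts. Sizes and MIME are bucketed here,
// so a caller cannot pass the raw file metadata through by mistake.
function buildCompressionEvent(file, outputBytes, targetBytes, preset) {
  const { accepted, rejected } = sanitizeProps({
    preset,
    input_size_bucket: sizeBucket(file.size),
    output_size_bucket: sizeBucket(outputBytes),
    mime_category: mimeCategory(file.type),
    success_target_met: outputBytes <= targetBytes,
  });
  return { name: "compression_finished", props: accepted, rejected };
}

// Constructed sample: a 12 MB MP4 compressed to 9 MB against a 10 MB target.
const SAMPLE_FILE = { name: "holiday.mp4", size: 12 * 1024 * 1024, type: "video/mp4" };
console.log(JSON.stringify(buildCompressionEvent(SAMPLE_FILE, 9 * 1024 * 1024, 10 * 1024 * 1024, "discord_10mb")));
```

The `rejected` list is meant for development-time logging only; in production the event goes out with `props` alone, and a non-empty `rejected` array in a test run is the signal that some call site tried to attach a filename, path or blob URL.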

### 3. Claims / marketing copy

Status: PASS.

Checked production pages for high-risk claims:

- No `unlimited video compression` / `no limits` claim found.
- No `lossless` / `no quality loss` claim found.
- No `supports all formats` / `compress any video size` claim found.
- No `official`, `approved`, `certified`, `sponsored`, `partner` platform claim found.
- Target-size copy uses “aim”, “best-effort”, “not guaranteed”, “target-missed recovery” language.
- Terms uses “not guarantees” in the correct negative context.

### 4. Platform trademarks / nominative use

Status: PASS.

Evidence:

- Platform names appear in descriptive routes/presets: Discord 10MB, WhatsApp 16MB, Instagram Prep.
- Footer says the site is independent and not affiliated with Discord, WhatsApp, Instagram, Meta, or email providers.
- Terms says platform names are used only to describe sharing scenarios and target-size presets, and the site is independent/not endorsed.
- No platform logos were observed in production header/footer/tool UI.

Recommended tightening:

- Terms should use the fuller phrase from compliance v0: “not affiliated with, endorsed by, sponsored by, certified by, or officially connected to those platforms.”

### 5. Legal pages / footer

Status: CONDITIONAL PASS.

Pass:

- `/privacy` and `/terms` are live on fixed domain.
- Footer links to Privacy Policy, Terms of Service, and `support@videocompressor.online`.
- Footer appears on production pages and includes no-affiliation language.
- Contact uses site domain, not Gmail.
- No refund policy required because v0 has no payment/subscription.

P1 issues:

- Privacy Policy contains internal report wording: “This is product compliance guidance, not legal advice.” Replace with normal policy copy, e.g. “This Privacy Policy explains how videocompressor.online handles data.”
- Privacy Policy third-party services section should include the ffmpeg core CDN dependency (`unpkg.com`) or vendor ffmpeg assets first-party.
- Terms lacks a clear Wyoming / Nextfield Labs governing law baseline.
- Terms lacks a robust limitation-of-liability / provided-as-is section.
- DNS MX is empty, so `support@videocompressor.online` is not yet proven receivable.

### 6. Security / sensitive information quick check

Status: PASS with dependency follow-up.

Evidence:

- No frontend secrets/API keys found in reviewed source snippets.
- No login/payment/OAuth/Stripe surface in v0.
- No server media custody in v0.
- Browser console on production homepage: no JS errors.

Follow-up:

- Track Next/PostCSS moderate advisory from `npm audit --omit=dev`.
- Consider vendoring `@ffmpeg/core` into `public/` if launch policy prefers first-party static dependencies.

## P0 blockers

None.

## P1 follow-ups

1. Update `/privacy` user-facing copy to remove “product compliance guidance, not legal advice.”
2. Add ffmpeg core CDN disclosure to `/privacy`, or vendor ffmpeg core assets first-party and update implementation.
3. Strengthen `/terms` with Wyoming governing law and limitation-of-liability/as-is language.
4. Configure and verify MX/email routing for `support@videocompressor.online`; current `dig MX videocompressor.online` is empty.
5. Verify Plausible dashboard event receipt for production domain.

## P2 follow-ups

1. Track/remediate `npm audit --omit=dev` moderate Next/PostCSS advisory when Next upgrade path is safe.
2. Keep “server-side upload/cloud compression” behind a new compliance review; current verdict only covers v0 no-upload/local-first mode.
3. If any GA4/Clarity/ad pixel/session replay is added, add cookie/consent review before loading it in production.

## Metadata

```json
{
  "compliance_verdict": "COMPLIANCE_CONDITIONAL_GO",
  "p0_blockers": [],
  "p1_followups": [
    "Remove internal 'product compliance guidance, not legal advice' wording from public Privacy Policy.",
    "Disclose runtime ffmpeg core CDN dependency in Privacy Policy or vendor ffmpeg core first-party.",
    "Strengthen Terms with Wyoming governing law and clearer limitation-of-liability/as-is language.",
    "Configure/verify MX or email routing for support@videocompressor.online; current MX lookup is empty.",
    "Verify Plausible dashboard event receipt for production domain."
  ],
  "p2_followups": [
    "Track npm audit moderate Next/PostCSS advisory.",
    "Trigger new compliance review before any server-side upload/cloud compression mode.",
    "Run cookie/consent review before adding GA4, Clarity, ads, heatmaps, or session replay."
  ],
  "checks_run": [
    "kanban_show t_6afc5ebe",
    "loaded projects/site-qa, compliance-docs-pipeline, kanban-worker skills",
    "sent START to telegram:-1003750190535:8032",
    "read compliance-v0.md and frontend-implementation.md",
    "production route smoke for fixed domain routes + sitemap + robots",
    "browser production homepage snapshot and console check",
    "browser script/link/footer/claim inspection",
    "browser runtime network instrumentation during file-selection/compression attempt",
    "git clone source repo and verify commit 613eacab43048e1e5ac3af0f714d97eccab32fe5",
    "read VideoCompressor.tsx, Analytics.tsx, Privacy page, Terms page, site config",
    "npm install --ignore-scripts",
    "npm run build",
    "npm run verify",
    "npm audit --omit=dev --json",
    "DNS MX/NS/A/AAAA/TXT check"
  ],
  "next_inputs": [
    "/root/.hermes/reports/site-videocompressor-20260603/compliance-recheck.md",
    "Product Acceptance can proceed with compliance P0 clear, but should carry the P1 copy/email/CDN disclosures into final launch checklist."
  ],
  "artifact_paths": [
    "/root/.hermes/reports/site-videocompressor-20260603/compliance-recheck.md"
  ]
}
```
