feat(canonical-controls): Canonical Control Library — rechtssichere Security Controls

Eigenstaendig formulierte Security Controls mit unabhaengiger Taxonomie und Open-Source-Verankerung (OWASP, NIST, ENISA). Keine BSI-Nomenklatur. - Migration 044: 5 DB-Tabellen (frameworks, controls, sources, licenses, mappings) - 10 Seed Controls mit 39 Open-Source-Referenzen - License Gate: Quellen-Berechtigungspruefung (analysis/excerpt/embeddings/product) - Too-Close-Detektor: 5 Metriken (exact-phrase, token-overlap, ngram, embedding, LCS) - REST API: 8 Endpoints unter /v1/canonical/ - Go Loader mit Multi-Index (ID, domain, severity, framework) - Frontend: Control Library Browser + Provenance Wiki - CI/CD: validate-controls.py Job (schema, no-leak, open-anchors) - 67 Tests (8 Go + 59 Python), alle PASS - MkDocs Dokumentation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 19:55:06 +01:00
parent 8442115e7c
commit 050f353192
20 changed files with 3935 additions and 0 deletions
--- a/admin-compliance/app/api/sdk/v1/canonical/route.ts
+++ b/admin-compliance/app/api/sdk/v1/canonical/route.ts
@@ -0,0 +1,123 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+/**
+ * Proxy: GET /api/sdk/v1/canonical?endpoint=...
+ *
+ * Routes to backend canonical control endpoints:
+ *   endpoint=frameworks   → GET /api/v1/canonical/frameworks
+ *   endpoint=controls     → GET /api/v1/canonical/controls(?severity=...&domain=...)
+ *   endpoint=control&id=  → GET /api/v1/canonical/controls/{id}
+ *   endpoint=sources      → GET /api/v1/canonical/sources
+ *   endpoint=licenses     → GET /api/v1/canonical/licenses
+ */
+export async function GET(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url)
+    const endpoint = searchParams.get('endpoint') || 'frameworks'
+
+    let backendPath: string
+
+    switch (endpoint) {
+      case 'frameworks':
+        backendPath = '/api/v1/canonical/frameworks'
+        break
+
+      case 'controls': {
+        const severity = searchParams.get('severity')
+        const domain = searchParams.get('domain')
+        const params = new URLSearchParams()
+        if (severity) params.set('severity', severity)
+        if (domain) params.set('domain', domain)
+        const qs = params.toString()
+        backendPath = `/api/v1/canonical/controls${qs ? `?${qs}` : ''}`
+        break
+      }
+
+      case 'control': {
+        const controlId = searchParams.get('id')
+        if (!controlId) {
+          return NextResponse.json({ error: 'Missing control id' }, { status: 400 })
+        }
+        backendPath = `/api/v1/canonical/controls/${encodeURIComponent(controlId)}`
+        break
+      }
+
+      case 'sources':
+        backendPath = '/api/v1/canonical/sources'
+        break
+
+      case 'licenses':
+        backendPath = '/api/v1/canonical/licenses'
+        break
+
+      default:
+        return NextResponse.json({ error: `Unknown endpoint: ${endpoint}` }, { status: 400 })
+    }
+
+    const response = await fetch(`${BACKEND_URL}${backendPath}`)
+
+    if (!response.ok) {
+      if (response.status === 404) {
+        return NextResponse.json(null, { status: 404 })
+      }
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: 'Backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    return NextResponse.json(await response.json())
+  } catch (error) {
+    console.error('Canonical control proxy error:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to backend' },
+      { status: 503 }
+    )
+  }
+}
+
+/**
+ * Proxy: POST /api/sdk/v1/canonical?endpoint=similarity-check&id=...
+ *
+ * Routes to: POST /api/v1/canonical/controls/{id}/similarity-check
+ */
+export async function POST(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url)
+    const endpoint = searchParams.get('endpoint')
+    const controlId = searchParams.get('id')
+
+    if (endpoint !== 'similarity-check' || !controlId) {
+      return NextResponse.json({ error: 'Invalid endpoint or missing id' }, { status: 400 })
+    }
+
+    const body = await request.json()
+    const response = await fetch(
+      `${BACKEND_URL}/api/v1/canonical/controls/${encodeURIComponent(controlId)}/similarity-check`,
+      {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(body),
+      }
+    )
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      return NextResponse.json(
+        { error: 'Backend error', details: errorText },
+        { status: response.status }
+      )
+    }
+
+    return NextResponse.json(await response.json())
+  } catch (error) {
+    console.error('Similarity check proxy error:', error)
+    return NextResponse.json(
+      { error: 'Failed to connect to backend' },
+      { status: 503 }
+    )
+  }
+}