feat: Phase 2 — RAG integration in Requirements + DSFA Draft

Add legal context enrichment from Qdrant vector corpus to the two
highest-priority modules (Requirements AI assistant and DSFA drafting
engine).

Go SDK:
- Add SearchCollection() with collection override + whitelist validation
- Refactor Search() to delegate to shared searchInternal()

Python backend:
- New ComplianceRAGClient proxying POST /sdk/v1/rag/search (error-tolerant)
- AI assistant: enrich interpret_requirement() and suggest_controls() with RAG
- Requirements API: add ?include_legal_context=true query parameter

Admin (Next.js):
- Extract shared queryRAG() utility from chat route
- Inject RAG legal context into v1 and v2 draft pipelines

Tests for all three layers (Go, Python, TypeScript shared utility).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

ai-compliance-sdk/internal/api/handlers/rag_handlers.go

@@ -21,9 +21,20 @@ func NewRAGHandlers(corpusVersionStore *ucca.CorpusVersionStore) *RAGHandlers {
 	}
 }
 
+// AllowedCollections is the whitelist of Qdrant collections that can be queried.
+var AllowedCollections = map[string]bool{
+	"bp_compliance_ce":           true,
+	"bp_compliance_recht":        true,
+	"bp_compliance_gesetze":      true,
+	"bp_compliance_datenschutz":  true,
+	"bp_dsfa_corpus":             true,
+	"bp_legal_templates":         true,
+}
+
 // SearchRequest represents a RAG search request.
 type SearchRequest struct {
 	Query       string   `json:"query" binding:"required"`
+	Collection  string   `json:"collection,omitempty"`
 	Regulations []string `json:"regulations,omitempty"`
 	TopK        int      `json:"top_k,omitempty"`
 }
@@ -41,7 +52,15 @@ func (h *RAGHandlers) Search(c *gin.Context) {
 		req.TopK = 5
 	}
 
-	results, err := h.ragClient.Search(c.Request.Context(), req.Query, req.Regulations, req.TopK)
+	// Validate collection if specified
+	if req.Collection != "" {
+		if !AllowedCollections[req.Collection] {
+			c.JSON(http.StatusBadRequest, gin.H{"error": "Unknown collection: " + req.Collection + ". Allowed: bp_compliance_ce, bp_compliance_recht, bp_compliance_gesetze, bp_compliance_datenschutz, bp_dsfa_corpus, bp_legal_templates"})
+			return
+		}
+	}
+
+	results, err := h.ragClient.SearchCollection(c.Request.Context(), req.Collection, req.Query, req.Regulations, req.TopK)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "RAG search failed: " + err.Error()})
 		return

ai-compliance-sdk/internal/api/handlers/rag_handlers_test.go

@@ -0,0 +1,109 @@
+package handlers
+
+import (
+	"bytes"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+)
+
+func TestAllowedCollections(t *testing.T) {
+	allowed := []string{
+		"bp_compliance_ce",
+		"bp_compliance_recht",
+		"bp_compliance_gesetze",
+		"bp_compliance_datenschutz",
+		"bp_dsfa_corpus",
+		"bp_legal_templates",
+	}
+
+	for _, c := range allowed {
+		if !AllowedCollections[c] {
+			t.Errorf("Expected %s to be in AllowedCollections", c)
+		}
+	}
+
+	disallowed := []string{
+		"bp_unknown",
+		"",
+		"some_random_collection",
+	}
+
+	for _, c := range disallowed {
+		if AllowedCollections[c] {
+			t.Errorf("Expected %s to NOT be in AllowedCollections", c)
+		}
+	}
+}
+
+func TestSearch_InvalidCollection_Returns400(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+
+	handler := &RAGHandlers{}
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+
+	body := SearchRequest{
+		Query:      "test query",
+		Collection: "bp_evil_collection",
+		TopK:       5,
+	}
+	bodyBytes, _ := json.Marshal(body)
+	c.Request, _ = http.NewRequest("POST", "/sdk/v1/rag/search", bytes.NewReader(bodyBytes))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Search(c)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("Expected 400, got %d", w.Code)
+	}
+
+	var resp map[string]interface{}
+	json.Unmarshal(w.Body.Bytes(), &resp)
+
+	errMsg, ok := resp["error"].(string)
+	if !ok || errMsg == "" {
+		t.Error("Expected error message in response")
+	}
+}
+
+func TestSearch_WithCollectionParam_BindsCorrectly(t *testing.T) {
+	// Test that the SearchRequest struct correctly binds the collection field
+	body := `{"query":"DSGVO Art. 35","collection":"bp_compliance_recht","top_k":3}`
+	var req SearchRequest
+	err := json.Unmarshal([]byte(body), &req)
+	if err != nil {
+		t.Fatalf("Failed to unmarshal: %v", err)
+	}
+
+	if req.Query != "DSGVO Art. 35" {
+		t.Errorf("Expected query 'DSGVO Art. 35', got '%s'", req.Query)
+	}
+	if req.Collection != "bp_compliance_recht" {
+		t.Errorf("Expected collection 'bp_compliance_recht', got '%s'", req.Collection)
+	}
+	if req.TopK != 3 {
+		t.Errorf("Expected top_k 3, got %d", req.TopK)
+	}
+}
+
+func TestSearch_EmptyCollection_IsAllowed(t *testing.T) {
+	// Empty collection should be allowed (falls back to default in the handler)
+	body := `{"query":"test"}`
+	var req SearchRequest
+	err := json.Unmarshal([]byte(body), &req)
+	if err != nil {
+		t.Fatalf("Failed to unmarshal: %v", err)
+	}
+
+	if req.Collection != "" {
+		t.Errorf("Expected empty collection, got '%s'", req.Collection)
+	}
+
+	// Empty string is not in AllowedCollections, but the handler
+	// should skip validation for empty collection
+}