feat(sdk): Multi-Tenancy, Versionierung, Change-Requests, Dokumentengenerierung (Phase 1-6)
All checks were successful
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / test-go-ai-compliance (push) Successful in 32s
CI / test-python-backend-compliance (push) Successful in 30s
CI / test-python-document-crawler (push) Successful in 21s
CI / test-python-dsms-gateway (push) Successful in 18s
All checks were successful
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / test-go-ai-compliance (push) Successful in 32s
CI / test-python-backend-compliance (push) Successful in 30s
CI / test-python-document-crawler (push) Successful in 21s
CI / test-python-dsms-gateway (push) Successful in 18s
6-Phasen-Implementation fuer cloud-faehiges, mandantenfaehiges Compliance SDK:
Phase 1: Multi-Tenancy Fix
- Shared tenant_utils.py Dependency (UUID-Validierung, kein "default" mehr)
- VVT tenant_id Column + tenant-scoped Queries
- DSFA/Vendor DEFAULT_TENANT_ID von "default" auf UUID migriert
- Migration 035
Phase 2: Stammdaten-Erweiterung
- Company Profile um JSONB-Felder erweitert (processing_systems, ai_systems, technical_contacts)
- Regulierungs-Flags (NIS2, AI Act, ISO 27001)
- GET /template-context Endpoint
- Migration 036
Phase 3: Dokument-Versionierung
- 5 Versions-Tabellen (DSFA, VVT, TOM, Loeschfristen, Obligations)
- Shared versioning_utils.py Helper
- /{id}/versions Endpoints auf allen 5 Dokumenttypen
- Migration 037
Phase 4: Change-Request System
- Zentrale CR-Inbox mit CRUD + Accept/Reject/Edit Workflow
- Regelbasierte CR-Engine (VVT DPIA → DSFA CR, Datenkategorien → Loeschfristen CR)
- Audit-Trail
- Migration 038
Phase 5: Dokumentengenerierung
- 5 Template-Generatoren (DSFA, VVT, TOM, Loeschfristen, Obligations)
- Preview + Apply Endpoints (erzeugt CRs, keine direkten Dokumente)
Phase 6: Frontend-Integration
- Change-Request Inbox Page mit Stats, Filtern, Modals
- VersionHistory Timeline-Komponente
- SDKSidebar CR-Badge (60s Polling)
- Company Profile: 2 neue Wizard-Steps + "Dokumente generieren" CTA
Docs: 5 neue MkDocs-Seiten, CLAUDE.md aktualisiert
Tests: 97 neue Tests (alle bestanden)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
@@ -0,0 +1,141 @@
|
||||
"""Obligation template generator — creates standard DSGVO obligations."""
|
||||
|
||||
_DSGVO_OBLIGATIONS = [
|
||||
{
|
||||
"title": "Verzeichnis der Verarbeitungstätigkeiten führen",
|
||||
"regulation": "DSGVO",
|
||||
"article": "Art. 30",
|
||||
"description": "Das Verzeichnis muss alle Verarbeitungstätigkeiten mit personenbezogenen Daten dokumentieren.",
|
||||
"category": "documentation",
|
||||
"priority": "high",
|
||||
},
|
||||
{
|
||||
"title": "Datenschutz-Folgenabschätzung durchführen",
|
||||
"regulation": "DSGVO",
|
||||
"article": "Art. 35",
|
||||
"description": "Für Verarbeitungen mit hohem Risiko muss eine DSFA vor Beginn der Verarbeitung durchgeführt werden.",
|
||||
"category": "risk_assessment",
|
||||
"priority": "high",
|
||||
},
|
||||
{
|
||||
"title": "Technisch-organisatorische Maßnahmen implementieren",
|
||||
"regulation": "DSGVO",
|
||||
"article": "Art. 32",
|
||||
"description": "Angemessene TOMs zum Schutz personenbezogener Daten unter Berücksichtigung des Stands der Technik.",
|
||||
"category": "technical",
|
||||
"priority": "high",
|
||||
},
|
||||
{
|
||||
"title": "Betroffenenrechte sicherstellen",
|
||||
"regulation": "DSGVO",
|
||||
"article": "Art. 12-22",
|
||||
"description": "Auskunft, Berichtigung, Löschung, Datenportabilität, Widerspruch — alle Rechte müssen binnen eines Monats erfüllt werden.",
|
||||
"category": "data_subject_rights",
|
||||
"priority": "high",
|
||||
},
|
||||
{
|
||||
"title": "Datenschutzverletzungen melden",
|
||||
"regulation": "DSGVO",
|
||||
"article": "Art. 33-34",
|
||||
"description": "Meldung an die Aufsichtsbehörde binnen 72 Stunden; Benachrichtigung Betroffener bei hohem Risiko.",
|
||||
"category": "incident_response",
|
||||
"priority": "critical",
|
||||
},
|
||||
{
|
||||
"title": "Auftragsverarbeitungsverträge abschließen",
|
||||
"regulation": "DSGVO",
|
||||
"article": "Art. 28",
|
||||
"description": "Schriftliche AV-Verträge mit allen Dienstleistern, die personenbezogene Daten verarbeiten.",
|
||||
"category": "vendor_management",
|
||||
"priority": "high",
|
||||
},
|
||||
{
|
||||
"title": "Datenschutzbeauftragten benennen",
|
||||
"regulation": "DSGVO",
|
||||
"article": "Art. 37",
|
||||
"description": "Pflicht bei ≥20 Mitarbeitern in der automatisierten Verarbeitung oder bei Verarbeitung besonderer Kategorien.",
|
||||
"category": "governance",
|
||||
"priority": "medium",
|
||||
},
|
||||
{
|
||||
"title": "Löschkonzept implementieren",
|
||||
"regulation": "DSGVO",
|
||||
"article": "Art. 17",
|
||||
"description": "Recht auf Löschung — systematisches Löschkonzept mit definierten Fristen pro Datenkategorie.",
|
||||
"category": "data_lifecycle",
|
||||
"priority": "high",
|
||||
},
|
||||
]
|
||||
|
||||
_AI_ACT_OBLIGATIONS = [
|
||||
{
|
||||
"title": "KI-System-Register führen",
|
||||
"regulation": "EU AI Act",
|
||||
"article": "Art. 49",
|
||||
"description": "Alle KI-Systeme müssen in der EU-Datenbank registriert werden (Hochrisiko).",
|
||||
"category": "documentation",
|
||||
"priority": "high",
|
||||
},
|
||||
{
|
||||
"title": "KI-Risikomanagement einrichten",
|
||||
"regulation": "EU AI Act",
|
||||
"article": "Art. 9",
|
||||
"description": "Risikomanagementsystem für den gesamten Lebenszyklus von Hochrisiko-KI-Systemen.",
|
||||
"category": "risk_assessment",
|
||||
"priority": "critical",
|
||||
},
|
||||
{
|
||||
"title": "KI-Transparenzpflichten erfüllen",
|
||||
"regulation": "EU AI Act",
|
||||
"article": "Art. 52",
|
||||
"description": "Nutzer müssen über die Interaktion mit KI-Systemen informiert werden.",
|
||||
"category": "transparency",
|
||||
"priority": "high",
|
||||
},
|
||||
]
|
||||
|
||||
_NIS2_OBLIGATIONS = [
|
||||
{
|
||||
"title": "Cybersicherheits-Risikomanagement",
|
||||
"regulation": "NIS2",
|
||||
"article": "Art. 21",
|
||||
"description": "Angemessene und verhältnismäßige technische, betriebliche und organisatorische Maßnahmen.",
|
||||
"category": "cybersecurity",
|
||||
"priority": "critical",
|
||||
},
|
||||
{
|
||||
"title": "Meldepflichten NIS2",
|
||||
"regulation": "NIS2",
|
||||
"article": "Art. 23",
|
||||
"description": "Frühwarnung binnen 24h, Vorfallmeldung binnen 72h, Abschlussbericht binnen 1 Monat.",
|
||||
"category": "incident_response",
|
||||
"priority": "critical",
|
||||
},
|
||||
]
|
||||
|
||||
|
||||
def generate_obligation_drafts(ctx: dict) -> list[dict]:
|
||||
"""Generate obligation drafts based on regulatory flags.
|
||||
|
||||
Args:
|
||||
ctx: Flat dict from company-profile/template-context
|
||||
|
||||
Returns:
|
||||
List of obligation dicts ready for creation
|
||||
"""
|
||||
obligations = list(_DSGVO_OBLIGATIONS)
|
||||
|
||||
if ctx.get("subject_to_ai_act") or ctx.get("has_ai_systems"):
|
||||
obligations.extend(_AI_ACT_OBLIGATIONS)
|
||||
|
||||
if ctx.get("subject_to_nis2"):
|
||||
obligations.extend(_NIS2_OBLIGATIONS)
|
||||
|
||||
# Enrich with company context
|
||||
for i, o in enumerate(obligations, 1):
|
||||
o["obligation_id"] = f"OBL-AUTO-{i:03d}"
|
||||
o["status"] = "open"
|
||||
o["responsible"] = ctx.get("dpo_name", "")
|
||||
o["review_cycle_months"] = ctx.get("review_cycle_months", 12)
|
||||
|
||||
return obligations
|
||||
Reference in New Issue
Block a user