refactor: phase 0 guardrails + phase 1 step 2 (models.py split)

Squash of branch refactor/phase0-guardrails-and-models-split — 4 commits, 81 files, 173/173 pytest green, OpenAPI contract preserved (360 paths / 484 operations). ## Phase 0 — Architecture guardrails Three defense-in-depth layers to keep the architecture rules enforced regardless of who opens Claude Code in this repo: 1. .claude/settings.json PreToolUse hook on Write/Edit blocks any file that would exceed the 500-line hard cap. Auto-loads in every Claude session in this repo. 2. scripts/githooks/pre-commit (install via scripts/install-hooks.sh) enforces the LOC cap locally, freezes migrations/ without [migration-approved], and protects guardrail files without [guardrail-change]. 3. .gitea/workflows/ci.yaml gains loc-budget + guardrail-integrity + sbom-scan (syft+grype) jobs, adds mypy --strict for the new Python packages (compliance/{services,repositories,domain,schemas}), and tsc --noEmit for admin-compliance + developer-portal. Per-language conventions documented in AGENTS.python.md, AGENTS.go.md, AGENTS.typescript.md at the repo root — layering, tooling, and explicit "what you may NOT do" lists. Root CLAUDE.md is prepended with the six non-negotiable rules. Each of the 10 services gets a README.md. scripts/check-loc.sh enforces soft 300 / hard 500 and surfaces the current baseline of 205 hard + 161 soft violations so Phases 1-4 can drain it incrementally. CI gates only CHANGED files in PRs so the legacy baseline does not block unrelated work. ## Deprecation sweep 47 files. Pydantic V1 regex= -> pattern= (2 sites), class Config -> ConfigDict in source_policy_router.py (schemas.py intentionally skipped; it is the Phase 1 Step 3 split target). datetime.utcnow() -> datetime.now(timezone.utc) everywhere including SQLAlchemy default= callables. All DB columns already declare timezone=True, so this is a latent-bug fix at the Python side, not a schema change. DeprecationWarning count dropped from 158 to 35. ## Phase 1 Step 1 — Contract test harness tests/contracts/test_openapi_baseline.py diffs the live FastAPI /openapi.json against tests/contracts/openapi.baseline.json on every test run. Fails on removed paths, removed status codes, or new required request body fields. Regenerate only via tests/contracts/regenerate_baseline.py after a consumer-updated contract change. This is the safety harness for all subsequent refactor commits. ## Phase 1 Step 2 — models.py split (1466 -> 85 LOC shim) compliance/db/models.py is decomposed into seven sibling aggregate modules following the existing repo pattern (dsr_models.py, vvt_models.py, ...): regulation_models.py (134) — Regulation, Requirement control_models.py (279) — Control, Mapping, Evidence, Risk ai_system_models.py (141) — AISystem, AuditExport service_module_models.py (176) — ServiceModule, ModuleRegulation, ModuleRisk audit_session_models.py (177) — AuditSession, AuditSignOff isms_governance_models.py (323) — ISMSScope, Context, Policy, Objective, SoA isms_audit_models.py (468) — Finding, CAPA, MgmtReview, InternalAudit, AuditTrail, Readiness models.py becomes an 85-line re-export shim in dependency order so existing imports continue to work unchanged. Schema is byte-identical: __tablename__, column definitions, relationship strings, back_populates, cascade directives all preserved. All new sibling files are under the 500-line hard cap; largest is isms_audit_models.py at 468. No file in compliance/db/ now exceeds the hard cap. ## Phase 1 Step 3 — infrastructure only backend-compliance/compliance/{schemas,domain,repositories}/ packages are created as landing zones with docstrings. compliance/domain/ exports DomainError / NotFoundError / ConflictError / ValidationError / PermissionError — the base classes services will use to raise domain-level errors instead of HTTPException. PHASE1_RUNBOOK.md at backend-compliance/PHASE1_RUNBOOK.md documents the nine-step execution plan for Phase 1: snapshot baseline, characterization tests, split models.py (this commit), split schemas.py (next), extract services, extract repositories, mypy --strict, coverage. ## Verification backend-compliance/.venv-phase1: uv python install 3.12 + pip -r requirements.txt PYTHONPATH=. pytest compliance/tests/ tests/contracts/ -> 173 passed, 0 failed, 35 warnings, OpenAPI 360/484 unchanged Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 13:18:29 +02:00
parent 1dfea51919
commit 3320ef94fc
84 changed files with 52849 additions and 1731 deletions
--- a/backend-compliance/compliance/tests/test_audit_routes.py
+++ b/backend-compliance/compliance/tests/test_audit_routes.py
@@ -8,7 +8,7 @@ Run with: pytest backend/compliance/tests/test_audit_routes.py -v

 import pytest
 import hashlib
-from datetime import datetime
+from datetime import datetime, timezone
 from unittest.mock import MagicMock
 from uuid import uuid4

@@ -78,7 +78,7 @@ def sample_session():
        completed_items=0,
        compliant_count=0,
        non_compliant_count=0,
-        created_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
    )


@@ -94,7 +94,7 @@ def sample_signoff(sample_session, sample_requirement):
        signature_hash=None,
        signed_at=None,
        signed_by=None,
-        created_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
    )


@@ -214,7 +214,7 @@ class TestAuditSessionLifecycle:
        assert sample_session.status == AuditSessionStatusEnum.DRAFT

        sample_session.status = AuditSessionStatusEnum.IN_PROGRESS
-        sample_session.started_at = datetime.utcnow()
+        sample_session.started_at = datetime.now(timezone.utc)

        assert sample_session.status == AuditSessionStatusEnum.IN_PROGRESS
        assert sample_session.started_at is not None
@@ -231,7 +231,7 @@ class TestAuditSessionLifecycle:
        sample_session.status = AuditSessionStatusEnum.IN_PROGRESS

        sample_session.status = AuditSessionStatusEnum.COMPLETED
-        sample_session.completed_at = datetime.utcnow()
+        sample_session.completed_at = datetime.now(timezone.utc)

        assert sample_session.status == AuditSessionStatusEnum.COMPLETED
        assert sample_session.completed_at is not None
@@ -353,7 +353,7 @@ class TestSignOff:
    def test_signoff_with_signature_creates_hash(self, sample_session, sample_requirement):
        """Signing off with signature should create SHA-256 hash."""
        result = AuditResultEnum.COMPLIANT
-        timestamp = datetime.utcnow().isoformat()
+        timestamp = datetime.now(timezone.utc).isoformat()
        data = f"{result.value}|{sample_requirement.id}|{sample_session.auditor_name}|{timestamp}"
        signature_hash = hashlib.sha256(data.encode()).hexdigest()

@@ -382,7 +382,7 @@ class TestSignOff:

        # First sign-off should trigger auto-start
        sample_session.status = AuditSessionStatusEnum.IN_PROGRESS
-        sample_session.started_at = datetime.utcnow()
+        sample_session.started_at = datetime.now(timezone.utc)

        assert sample_session.status == AuditSessionStatusEnum.IN_PROGRESS

@@ -390,7 +390,7 @@ class TestSignOff:
        """Updating an existing sign-off should work."""
        sample_signoff.result = AuditResultEnum.NON_COMPLIANT
        sample_signoff.notes = "Updated: needs improvement"
-        sample_signoff.updated_at = datetime.utcnow()
+        sample_signoff.updated_at = datetime.now(timezone.utc)

        assert sample_signoff.result == AuditResultEnum.NON_COMPLIANT
        assert "Updated" in sample_signoff.notes
@@ -423,7 +423,7 @@ class TestGetSignOff:

        # With signature
        sample_signoff.signature_hash = "abc123"
-        sample_signoff.signed_at = datetime.utcnow()
+        sample_signoff.signed_at = datetime.now(timezone.utc)
        sample_signoff.signed_by = "Test Auditor"

        assert sample_signoff.signature_hash == "abc123"
--- a/backend-compliance/compliance/tests/test_auto_risk_updater.py
+++ b/backend-compliance/compliance/tests/test_auto_risk_updater.py
@@ -4,7 +4,7 @@ Tests for the AutoRiskUpdater Service.
 Sprint 6: CI/CD Evidence Collection & Automatic Risk Updates (2026-01-18)
 """

-from datetime import datetime
+from datetime import datetime, timezone
 from unittest.mock import MagicMock

 from ..services.auto_risk_updater import (
@@ -188,7 +188,7 @@ class TestGenerateAlerts:
        scan_result = ScanResult(
            scan_type=ScanType.DEPENDENCY,
            tool="Trivy",
-            timestamp=datetime.utcnow(),
+            timestamp=datetime.now(timezone.utc),
            commit_sha="abc123",
            branch="main",
            control_id="SDLC-002",
@@ -209,7 +209,7 @@ class TestGenerateAlerts:
        scan_result = ScanResult(
            scan_type=ScanType.SAST,
            tool="Semgrep",
-            timestamp=datetime.utcnow(),
+            timestamp=datetime.now(timezone.utc),
            commit_sha="def456",
            branch="main",
            control_id="SDLC-001",
@@ -228,7 +228,7 @@ class TestGenerateAlerts:
        scan_result = ScanResult(
            scan_type=ScanType.CONTAINER,
            tool="Trivy",
-            timestamp=datetime.utcnow(),
+            timestamp=datetime.now(timezone.utc),
            commit_sha="ghi789",
            branch="main",
            control_id="SDLC-006",
@@ -247,7 +247,7 @@ class TestGenerateAlerts:
        scan_result = ScanResult(
            scan_type=ScanType.SAST,
            tool="Semgrep",
-            timestamp=datetime.utcnow(),
+            timestamp=datetime.now(timezone.utc),
            commit_sha="jkl012",
            branch="main",
            control_id="SDLC-001",
@@ -369,7 +369,7 @@ class TestScanResult:
        result = ScanResult(
            scan_type=ScanType.DEPENDENCY,
            tool="Trivy",
-            timestamp=datetime.utcnow(),
+            timestamp=datetime.now(timezone.utc),
            commit_sha="xyz789",
            branch="develop",
            control_id="SDLC-002",
--- a/backend-compliance/compliance/tests/test_compliance_routes.py
+++ b/backend-compliance/compliance/tests/test_compliance_routes.py
@@ -8,7 +8,7 @@ Run with: pytest compliance/tests/test_compliance_routes.py -v
 """

 import pytest
-from datetime import datetime
+from datetime import datetime, timezone
 from unittest.mock import MagicMock
 from uuid import uuid4

@@ -41,8 +41,8 @@ def sample_regulation():
        name="Datenschutz-Grundverordnung",
        full_name="Verordnung (EU) 2016/679",
        is_active=True,
-        created_at=datetime.utcnow(),
-        updated_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
+        updated_at=datetime.now(timezone.utc),
    )


@@ -57,8 +57,8 @@ def sample_requirement(sample_regulation):
        description="Personenbezogene Daten duerfen nur verarbeitet werden, wenn eine Rechtsgrundlage vorliegt.",
        priority=4,
        is_applicable=True,
-        created_at=datetime.utcnow(),
-        updated_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
+        updated_at=datetime.now(timezone.utc),
    )


@@ -74,8 +74,8 @@ def sample_ai_system():
        classification=AIClassificationEnum.UNCLASSIFIED,
        status=AISystemStatusEnum.DRAFT,
        obligations=[],
-        created_at=datetime.utcnow(),
-        updated_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
+        updated_at=datetime.now(timezone.utc),
    )


@@ -96,8 +96,8 @@ class TestCreateRequirement:
            description="Geeignete technische Massnahmen",
            priority=3,
            is_applicable=True,
-            created_at=datetime.utcnow(),
-            updated_at=datetime.utcnow(),
+            created_at=datetime.now(timezone.utc),
+            updated_at=datetime.now(timezone.utc),
        )

        assert req.regulation_id == sample_regulation.id
@@ -196,7 +196,7 @@ class TestUpdateRequirement:
    def test_update_audit_status_sets_audit_date(self, sample_requirement):
        """Updating audit_status should set last_audit_date."""
        sample_requirement.audit_status = "compliant"
-        sample_requirement.last_audit_date = datetime.utcnow()
+        sample_requirement.last_audit_date = datetime.now(timezone.utc)

        assert sample_requirement.audit_status == "compliant"
        assert sample_requirement.last_audit_date is not None
@@ -287,7 +287,7 @@ class TestAISystemCRUD:

    def test_update_ai_system_with_assessment(self, sample_ai_system):
        """After assessment, system should have assessment_date and result."""
-        sample_ai_system.assessment_date = datetime.utcnow()
+        sample_ai_system.assessment_date = datetime.now(timezone.utc)
        sample_ai_system.assessment_result = {
            "overall_risk": "high",
            "risk_factors": [{"factor": "education sector", "severity": "high"}],
--- a/backend-compliance/compliance/tests/test_isms_routes.py
+++ b/backend-compliance/compliance/tests/test_isms_routes.py
@@ -15,7 +15,7 @@ Run with: pytest backend/compliance/tests/test_isms_routes.py -v
 """

 import pytest
-from datetime import datetime, date
+from datetime import datetime, date, timezone
 from unittest.mock import MagicMock
 from uuid import uuid4

@@ -56,7 +56,7 @@ def sample_scope():
        status=ApprovalStatusEnum.DRAFT,
        version="1.0",
        created_by="admin@breakpilot.de",
-        created_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
    )


@@ -65,7 +65,7 @@ def sample_approved_scope(sample_scope):
    """Create an approved ISMS scope for testing."""
    sample_scope.status = ApprovalStatusEnum.APPROVED
    sample_scope.approved_by = "ceo@breakpilot.de"
-    sample_scope.approved_at = datetime.utcnow()
+    sample_scope.approved_at = datetime.now(timezone.utc)
    sample_scope.effective_date = date.today()
    sample_scope.review_date = date(date.today().year + 1, date.today().month, date.today().day)
    sample_scope.approval_signature = "sha256_signature_hash"
@@ -88,7 +88,7 @@ def sample_policy():
        authored_by="iso@breakpilot.de",
        status=ApprovalStatusEnum.DRAFT,
        version="1.0",
-        created_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
    )


@@ -116,7 +116,7 @@ def sample_objective():
        related_controls=["OPS-003"],
        status="active",
        progress_percentage=0.0,
-        created_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
    )


@@ -136,7 +136,7 @@ def sample_soa_entry():
        coverage_level="full",
        evidence_description="ISMS Policy v2.0, signed by CEO",
        version="1.0",
-        created_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
    )


@@ -158,7 +158,7 @@ def sample_finding():
        identified_date=date.today(),
        due_date=date(2026, 3, 31),
        status=FindingStatusEnum.OPEN,
-        created_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
    )


@@ -178,7 +178,7 @@ def sample_major_finding():
        identified_date=date.today(),
        due_date=date(2026, 2, 28),
        status=FindingStatusEnum.OPEN,
-        created_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
    )


@@ -198,7 +198,7 @@ def sample_capa(sample_finding):
        planned_completion=date(2026, 2, 15),
        effectiveness_criteria="Document approved and distributed to audit team",
        status="planned",
-        created_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
    )


@@ -219,7 +219,7 @@ def sample_management_review():
            {"name": "ISO", "role": "ISMS Manager"},
        ],
        status="draft",
-        created_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
    )


@@ -239,7 +239,7 @@ def sample_internal_audit():
        lead_auditor="internal.auditor@breakpilot.de",
        audit_team=["internal.auditor@breakpilot.de", "qa@breakpilot.de"],
        status="planned",
-        created_at=datetime.utcnow(),
+        created_at=datetime.now(timezone.utc),
    )


@@ -502,7 +502,7 @@ class TestISMSReadinessCheck:
        """Readiness check should identify potential major findings."""
        check = ISMSReadinessCheckDB(
            id=str(uuid4()),
-            check_date=datetime.utcnow(),
+            check_date=datetime.now(timezone.utc),
            triggered_by="admin@breakpilot.de",
            overall_status="not_ready",
            certification_possible=False,
@@ -532,7 +532,7 @@ class TestISMSReadinessCheck:
        """Readiness check should show status for each ISO chapter."""
        check = ISMSReadinessCheckDB(
            id=str(uuid4()),
-            check_date=datetime.utcnow(),
+            check_date=datetime.now(timezone.utc),
            triggered_by="admin@breakpilot.de",
            overall_status="ready",
            certification_possible=True,
@@ -606,7 +606,7 @@ class TestAuditTrail:
            entity_name="ISMS Scope v1.0",
            action="approve",
            performed_by="ceo@breakpilot.de",
-            performed_at=datetime.utcnow(),
+            performed_at=datetime.now(timezone.utc),
            checksum="sha256_hash",
        )

@@ -630,7 +630,7 @@ class TestAuditTrail:
            new_value="approved",
            change_summary="Policy approved by CEO",
            performed_by="ceo@breakpilot.de",
-            performed_at=datetime.utcnow(),
+            performed_at=datetime.now(timezone.utc),
            checksum="sha256_hash",
        )