Initial commit: breakpilot-compliance - Compliance SDK Platform

Services: Admin-Compliance, Backend-Compliance, AI-Compliance-SDK, Consent-SDK, Developer-Portal, PCA-Platform, DSMS Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 23:47:28 +01:00
commit 4435e7ea0a
734 changed files with 251369 additions and 0 deletions
--- a/ai-compliance-sdk/internal/ucca/models.go
+++ b/ai-compliance-sdk/internal/ucca/models.go
@@ -0,0 +1,523 @@
+package ucca
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+// ============================================================================
+// Constants / Enums
+// ============================================================================
+
+// Feasibility represents the overall assessment result
+type Feasibility string
+
+const (
+	FeasibilityYES         Feasibility = "YES"
+	FeasibilityCONDITIONAL Feasibility = "CONDITIONAL"
+	FeasibilityNO          Feasibility = "NO"
+)
+
+// RiskLevel represents the overall risk classification
+type RiskLevel string
+
+const (
+	RiskLevelMINIMAL      RiskLevel = "MINIMAL"
+	RiskLevelLOW          RiskLevel = "LOW"
+	RiskLevelMEDIUM       RiskLevel = "MEDIUM"
+	RiskLevelHIGH         RiskLevel = "HIGH"
+	RiskLevelUNACCEPTABLE RiskLevel = "UNACCEPTABLE"
+)
+
+// Complexity represents implementation complexity
+type Complexity string
+
+const (
+	ComplexityLOW    Complexity = "LOW"
+	ComplexityMEDIUM Complexity = "MEDIUM"
+	ComplexityHIGH   Complexity = "HIGH"
+)
+
+// Severity represents rule severity
+type Severity string
+
+const (
+	SeverityINFO  Severity = "INFO"
+	SeverityWARN  Severity = "WARN"
+	SeverityBLOCK Severity = "BLOCK"
+)
+
+// Domain represents the business domain
+type Domain string
+
+const (
+	// Industrie & Produktion
+	DomainAutomotive           Domain = "automotive"
+	DomainMechanicalEngineering Domain = "mechanical_engineering"
+	DomainPlantEngineering     Domain = "plant_engineering"
+	DomainElectricalEngineering Domain = "electrical_engineering"
+	DomainAerospace            Domain = "aerospace"
+	DomainChemicals            Domain = "chemicals"
+	DomainFoodBeverage         Domain = "food_beverage"
+	DomainTextiles             Domain = "textiles"
+	DomainPackaging            Domain = "packaging"
+
+	// Energie & Versorgung
+	DomainUtilities Domain = "utilities"
+	DomainEnergy    Domain = "energy"
+	DomainOilGas    Domain = "oil_gas"
+
+	// Land- & Forstwirtschaft
+	DomainAgriculture Domain = "agriculture"
+	DomainForestry    Domain = "forestry"
+	DomainFishing     Domain = "fishing"
+
+	// Bau & Immobilien
+	DomainConstruction       Domain = "construction"
+	DomainRealEstate         Domain = "real_estate"
+	DomainFacilityManagement Domain = "facility_management"
+
+	// Gesundheit & Soziales
+	DomainHealthcare    Domain = "healthcare"
+	DomainMedicalDevices Domain = "medical_devices"
+	DomainPharma         Domain = "pharma"
+	DomainElderlyCare    Domain = "elderly_care"
+	DomainSocialServices Domain = "social_services"
+
+	// Bildung & Forschung
+	DomainEducation          Domain = "education"
+	DomainHigherEducation    Domain = "higher_education"
+	DomainVocationalTraining Domain = "vocational_training"
+	DomainResearch           Domain = "research"
+
+	// Finanzen & Versicherung
+	DomainFinance    Domain = "finance"
+	DomainBanking    Domain = "banking"
+	DomainInsurance  Domain = "insurance"
+	DomainInvestment Domain = "investment"
+
+	// Handel & Logistik
+	DomainRetail     Domain = "retail"
+	DomainEcommerce  Domain = "ecommerce"
+	DomainWholesale  Domain = "wholesale"
+	DomainLogistics  Domain = "logistics"
+
+	// IT & Telekommunikation
+	DomainITServices    Domain = "it_services"
+	DomainTelecom       Domain = "telecom"
+	DomainCybersecurity Domain = "cybersecurity"
+
+	// Recht & Beratung
+	DomainLegal       Domain = "legal"
+	DomainConsulting  Domain = "consulting"
+	DomainTaxAdvisory Domain = "tax_advisory"
+
+	// Oeffentlicher Sektor
+	DomainPublic  Domain = "public_sector"
+	DomainDefense Domain = "defense"
+	DomainJustice Domain = "justice"
+
+	// Marketing & Medien
+	DomainMarketing     Domain = "marketing"
+	DomainMedia         Domain = "media"
+	DomainEntertainment Domain = "entertainment"
+
+	// HR & Personal
+	DomainHR         Domain = "hr"
+	DomainRecruiting Domain = "recruiting"
+
+	// Tourismus & Gastronomie
+	DomainHospitality Domain = "hospitality"
+	DomainTourism     Domain = "tourism"
+
+	// Sonstige
+	DomainNonprofit Domain = "nonprofit"
+	DomainSports    Domain = "sports"
+	DomainGeneral   Domain = "general"
+)
+
+// ValidDomains contains all valid domain values
+var ValidDomains = map[Domain]bool{
+	DomainAutomotive: true, DomainMechanicalEngineering: true, DomainPlantEngineering: true,
+	DomainElectricalEngineering: true, DomainAerospace: true, DomainChemicals: true,
+	DomainFoodBeverage: true, DomainTextiles: true, DomainPackaging: true,
+	DomainUtilities: true, DomainEnergy: true, DomainOilGas: true,
+	DomainAgriculture: true, DomainForestry: true, DomainFishing: true,
+	DomainConstruction: true, DomainRealEstate: true, DomainFacilityManagement: true,
+	DomainHealthcare: true, DomainMedicalDevices: true, DomainPharma: true,
+	DomainElderlyCare: true, DomainSocialServices: true,
+	DomainEducation: true, DomainHigherEducation: true, DomainVocationalTraining: true, DomainResearch: true,
+	DomainFinance: true, DomainBanking: true, DomainInsurance: true, DomainInvestment: true,
+	DomainRetail: true, DomainEcommerce: true, DomainWholesale: true, DomainLogistics: true,
+	DomainITServices: true, DomainTelecom: true, DomainCybersecurity: true,
+	DomainLegal: true, DomainConsulting: true, DomainTaxAdvisory: true,
+	DomainPublic: true, DomainDefense: true, DomainJustice: true,
+	DomainMarketing: true, DomainMedia: true, DomainEntertainment: true,
+	DomainHR: true, DomainRecruiting: true,
+	DomainHospitality: true, DomainTourism: true,
+	DomainNonprofit: true, DomainSports: true, DomainGeneral: true,
+}
+
+// AutomationLevel represents the degree of automation
+type AutomationLevel string
+
+const (
+	AutomationAssistive      AutomationLevel = "assistive"
+	AutomationSemiAutomated  AutomationLevel = "semi_automated"
+	AutomationFullyAutomated AutomationLevel = "fully_automated"
+)
+
+// TrainingAllowed represents if training with data is permitted
+type TrainingAllowed string
+
+const (
+	TrainingYES         TrainingAllowed = "YES"
+	TrainingCONDITIONAL TrainingAllowed = "CONDITIONAL"
+	TrainingNO          TrainingAllowed = "NO"
+)
+
+// ============================================================================
+// Input Structs
+// ============================================================================
+
+// UseCaseIntake represents the user's input describing their planned AI use case
+type UseCaseIntake struct {
+	// Free-text description of the use case
+	UseCaseText string `json:"use_case_text"`
+
+	// Business domain
+	Domain Domain `json:"domain"`
+
+	// Title for the assessment (optional)
+	Title string `json:"title,omitempty"`
+
+	// Data types involved
+	DataTypes DataTypes `json:"data_types"`
+
+	// Purpose of the processing
+	Purpose Purpose `json:"purpose"`
+
+	// Level of automation
+	Automation AutomationLevel `json:"automation"`
+
+	// Output characteristics
+	Outputs Outputs `json:"outputs"`
+
+	// Hosting configuration
+	Hosting Hosting `json:"hosting"`
+
+	// Model usage configuration
+	ModelUsage ModelUsage `json:"model_usage"`
+
+	// Retention configuration
+	Retention Retention `json:"retention"`
+
+	// Financial regulations context (DORA, MaRisk, BAIT)
+	// Only applicable for financial domains (banking, finance, insurance, investment)
+	FinancialContext *FinancialContext `json:"financial_context,omitempty"`
+
+	// Opt-in to store raw text (otherwise only hash)
+	StoreRawText bool `json:"store_raw_text,omitempty"`
+}
+
+// DataTypes specifies what kinds of data are processed
+type DataTypes struct {
+	PersonalData     bool `json:"personal_data"`
+	Article9Data     bool `json:"article_9_data"`     // Special categories (health, religion, etc.)
+	MinorData        bool `json:"minor_data"`         // Data of children
+	LicensePlates    bool `json:"license_plates"`     // KFZ-Kennzeichen
+	Images           bool `json:"images"`             // Photos/images of persons
+	Audio            bool `json:"audio"`              // Voice recordings
+	LocationData     bool `json:"location_data"`      // GPS/location tracking
+	BiometricData    bool `json:"biometric_data"`     // Fingerprints, face recognition
+	FinancialData    bool `json:"financial_data"`     // Bank accounts, salaries
+	EmployeeData     bool `json:"employee_data"`      // HR/employment data
+	CustomerData     bool `json:"customer_data"`      // Customer information
+	PublicData       bool `json:"public_data"`        // Publicly available data only
+}
+
+// Purpose specifies the processing purpose
+type Purpose struct {
+	CustomerSupport    bool `json:"customer_support"`
+	Marketing          bool `json:"marketing"`
+	Analytics          bool `json:"analytics"`
+	Automation         bool `json:"automation"`
+	EvaluationScoring  bool `json:"evaluation_scoring"`  // Scoring/ranking of persons
+	DecisionMaking     bool `json:"decision_making"`     // Automated decisions
+	Profiling          bool `json:"profiling"`
+	Research           bool `json:"research"`
+	InternalTools      bool `json:"internal_tools"`
+	PublicService      bool `json:"public_service"`
+}
+
+// Outputs specifies output characteristics
+type Outputs struct {
+	RecommendationsToUsers bool `json:"recommendations_to_users"`
+	RankingsOrScores       bool `json:"rankings_or_scores"`      // Outputs rankings/scores
+	LegalEffects           bool `json:"legal_effects"`           // Has legal consequences
+	AccessDecisions        bool `json:"access_decisions"`        // Grants/denies access
+	ContentGeneration      bool `json:"content_generation"`      // Generates text/media
+	DataExport             bool `json:"data_export"`             // Exports data externally
+}
+
+// Hosting specifies where the AI runs
+type Hosting struct {
+	Provider     string `json:"provider,omitempty"` // e.g., "Azure", "AWS", "Hetzner", "On-Prem"
+	Region       string `json:"region"`             // "eu", "third_country", "on_prem"
+	DataResidency string `json:"data_residency,omitempty"` // Where data is stored
+}
+
+// ModelUsage specifies how the model is used
+type ModelUsage struct {
+	RAG       bool `json:"rag"`       // Retrieval-Augmented Generation only
+	Finetune  bool `json:"finetune"`  // Fine-tuning with data
+	Training  bool `json:"training"`  // Full training with data
+	Inference bool `json:"inference"` // Inference only
+}
+
+// Retention specifies data retention
+type Retention struct {
+	StorePrompts      bool `json:"store_prompts"`
+	StoreResponses    bool `json:"store_responses"`
+	RetentionDays     int  `json:"retention_days,omitempty"`
+	AnonymizeAfterUse bool `json:"anonymize_after_use"`
+}
+
+// ============================================================================
+// Financial Regulations Structs (DORA, MaRisk, BAIT)
+// ============================================================================
+
+// FinancialEntityType represents the type of financial institution
+type FinancialEntityType string
+
+const (
+	FinancialEntityCreditInstitution     FinancialEntityType = "CREDIT_INSTITUTION"
+	FinancialEntityPaymentServiceProvider FinancialEntityType = "PAYMENT_SERVICE_PROVIDER"
+	FinancialEntityEMoneyInstitution     FinancialEntityType = "E_MONEY_INSTITUTION"
+	FinancialEntityInvestmentFirm        FinancialEntityType = "INVESTMENT_FIRM"
+	FinancialEntityInsuranceCompany      FinancialEntityType = "INSURANCE_COMPANY"
+	FinancialEntityCryptoAssetProvider   FinancialEntityType = "CRYPTO_ASSET_PROVIDER"
+	FinancialEntityOther                 FinancialEntityType = "OTHER_FINANCIAL"
+)
+
+// SizeCategory represents the significance category of a financial institution
+type SizeCategory string
+
+const (
+	SizeCategorySignificant     SizeCategory = "SIGNIFICANT"
+	SizeCategoryLessSignificant SizeCategory = "LESS_SIGNIFICANT"
+	SizeCategorySmall           SizeCategory = "SMALL"
+)
+
+// ProviderLocation represents the location of an ICT service provider
+type ProviderLocation string
+
+const (
+	ProviderLocationEU              ProviderLocation = "EU"
+	ProviderLocationEEA             ProviderLocation = "EEA"
+	ProviderLocationAdequacyDecision ProviderLocation = "ADEQUACY_DECISION"
+	ProviderLocationThirdCountry    ProviderLocation = "THIRD_COUNTRY"
+)
+
+// FinancialEntity describes the financial institution context
+type FinancialEntity struct {
+	Type         FinancialEntityType `json:"type"`
+	Regulated    bool               `json:"regulated"`
+	SizeCategory SizeCategory       `json:"size_category"`
+}
+
+// ICTService describes ICT service characteristics for DORA compliance
+type ICTService struct {
+	IsCritical        bool             `json:"is_critical"`
+	IsOutsourced      bool             `json:"is_outsourced"`
+	ProviderLocation  ProviderLocation `json:"provider_location"`
+	ConcentrationRisk bool             `json:"concentration_risk"`
+}
+
+// FinancialAIApplication describes financial-specific AI application characteristics
+type FinancialAIApplication struct {
+	AffectsCustomerDecisions bool `json:"affects_customer_decisions"`
+	AlgorithmicTrading       bool `json:"algorithmic_trading"`
+	RiskAssessment           bool `json:"risk_assessment"`
+	AMLKYC                   bool `json:"aml_kyc"`
+	ModelValidationDone      bool `json:"model_validation_done"`
+}
+
+// FinancialContext aggregates all financial regulation-specific information
+type FinancialContext struct {
+	FinancialEntity FinancialEntity        `json:"financial_entity"`
+	ICTService      ICTService             `json:"ict_service"`
+	AIApplication   FinancialAIApplication `json:"ai_application"`
+}
+
+// ============================================================================
+// Output Structs
+// ============================================================================
+
+// AssessmentResult represents the complete evaluation result
+type AssessmentResult struct {
+	// Overall verdict
+	Feasibility Feasibility `json:"feasibility"`
+	RiskLevel   RiskLevel   `json:"risk_level"`
+	Complexity  Complexity  `json:"complexity"`
+	RiskScore   int         `json:"risk_score"` // 0-100
+
+	// Triggered rules
+	TriggeredRules []TriggeredRule `json:"triggered_rules"`
+
+	// Required controls/mitigations
+	RequiredControls []RequiredControl `json:"required_controls"`
+
+	// Recommended architecture patterns
+	RecommendedArchitecture []PatternRecommendation `json:"recommended_architecture"`
+
+	// Patterns that must NOT be used
+	ForbiddenPatterns []ForbiddenPattern `json:"forbidden_patterns"`
+
+	// Matching didactic examples
+	ExampleMatches []ExampleMatch `json:"example_matches"`
+
+	// Special flags
+	DSFARecommended bool            `json:"dsfa_recommended"`
+	Art22Risk       bool            `json:"art22_risk"` // Art. 22 GDPR automated decision risk
+	TrainingAllowed TrainingAllowed `json:"training_allowed"`
+
+	// Summary for humans
+	Summary         string `json:"summary"`
+	Recommendation  string `json:"recommendation"`
+	AlternativeApproach string `json:"alternative_approach,omitempty"`
+}
+
+// TriggeredRule represents a rule that was triggered during evaluation
+type TriggeredRule struct {
+	Code        string   `json:"code"`        // e.g., "R-001"
+	Category    string   `json:"category"`    // e.g., "A. Datenklassifikation"
+	Title       string   `json:"title"`
+	Description string   `json:"description"`
+	Severity    Severity `json:"severity"`
+	ScoreDelta  int      `json:"score_delta"`
+	GDPRRef     string   `json:"gdpr_ref,omitempty"` // e.g., "Art. 9 DSGVO"
+	Rationale   string   `json:"rationale"`          // Why this rule triggered
+}
+
+// RequiredControl represents a control that must be implemented
+type RequiredControl struct {
+	ID          string   `json:"id"`
+	Title       string   `json:"title"`
+	Description string   `json:"description"`
+	Severity    Severity `json:"severity"`
+	Category    string   `json:"category"` // "technical" or "organizational"
+	GDPRRef     string   `json:"gdpr_ref,omitempty"`
+}
+
+// PatternRecommendation represents a recommended architecture pattern
+type PatternRecommendation struct {
+	PatternID   string `json:"pattern_id"` // e.g., "P-RAG-ONLY"
+	Title       string `json:"title"`
+	Description string `json:"description"`
+	Rationale   string `json:"rationale"`
+	Priority    int    `json:"priority"` // 1=highest
+}
+
+// ForbiddenPattern represents a pattern that must NOT be used
+type ForbiddenPattern struct {
+	PatternID   string `json:"pattern_id"`
+	Title       string `json:"title"`
+	Description string `json:"description"`
+	Reason      string `json:"reason"`
+	GDPRRef     string `json:"gdpr_ref,omitempty"`
+}
+
+// ExampleMatch represents a matching didactic example
+type ExampleMatch struct {
+	ExampleID   string  `json:"example_id"`
+	Title       string  `json:"title"`
+	Description string  `json:"description"`
+	Similarity  float64 `json:"similarity"` // 0.0 - 1.0
+	Outcome     string  `json:"outcome"`    // What happened / recommendation
+	Lessons     string  `json:"lessons"`    // Key takeaways
+}
+
+// ============================================================================
+// Database Entity
+// ============================================================================
+
+// Assessment represents a stored assessment in the database
+type Assessment struct {
+	ID                      uuid.UUID       `json:"id"`
+	TenantID                uuid.UUID       `json:"tenant_id"`
+	NamespaceID             *uuid.UUID      `json:"namespace_id,omitempty"`
+	Title                   string          `json:"title"`
+	PolicyVersion           string          `json:"policy_version"`
+	Status                  string          `json:"status"` // "completed", "draft"
+
+	// Input
+	Intake                  UseCaseIntake   `json:"intake"`
+	UseCaseTextStored       bool            `json:"use_case_text_stored"`
+	UseCaseTextHash         string          `json:"use_case_text_hash"`
+
+	// Results
+	Feasibility             Feasibility     `json:"feasibility"`
+	RiskLevel               RiskLevel       `json:"risk_level"`
+	Complexity              Complexity      `json:"complexity"`
+	RiskScore               int             `json:"risk_score"`
+	TriggeredRules          []TriggeredRule `json:"triggered_rules"`
+	RequiredControls        []RequiredControl `json:"required_controls"`
+	RecommendedArchitecture []PatternRecommendation `json:"recommended_architecture"`
+	ForbiddenPatterns       []ForbiddenPattern `json:"forbidden_patterns"`
+	ExampleMatches          []ExampleMatch  `json:"example_matches"`
+	DSFARecommended         bool            `json:"dsfa_recommended"`
+	Art22Risk               bool            `json:"art22_risk"`
+	TrainingAllowed         TrainingAllowed `json:"training_allowed"`
+
+	// LLM Explanation (optional)
+	ExplanationText        *string    `json:"explanation_text,omitempty"`
+	ExplanationGeneratedAt *time.Time `json:"explanation_generated_at,omitempty"`
+	ExplanationModel       *string    `json:"explanation_model,omitempty"`
+
+	// Domain
+	Domain                  Domain     `json:"domain"`
+
+	// Audit
+	CreatedAt               time.Time  `json:"created_at"`
+	UpdatedAt               time.Time  `json:"updated_at"`
+	CreatedBy               uuid.UUID  `json:"created_by"`
+}
+
+// ============================================================================
+// API Request/Response Types
+// ============================================================================
+
+// AssessRequest is the API request for creating an assessment
+type AssessRequest struct {
+	Intake UseCaseIntake `json:"intake"`
+}
+
+// AssessResponse is the API response for an assessment
+type AssessResponse struct {
+	Assessment Assessment       `json:"assessment"`
+	Result     AssessmentResult `json:"result"`
+	Escalation *Escalation      `json:"escalation,omitempty"`
+}
+
+// ExplainRequest is the API request for generating an explanation
+type ExplainRequest struct {
+	Language string `json:"language,omitempty"` // "de" or "en", default "de"
+}
+
+// ExplainResponse is the API response for an explanation
+type ExplainResponse struct {
+	ExplanationText string        `json:"explanation_text"`
+	GeneratedAt     time.Time     `json:"generated_at"`
+	Model           string        `json:"model"`
+	LegalContext    *LegalContext `json:"legal_context,omitempty"`
+}
+
+// ExportFormat specifies the export format
+type ExportFormat string
+
+const (
+	ExportFormatJSON     ExportFormat = "json"
+	ExportFormatMarkdown ExportFormat = "md"
+)