feat: add compliance modules 2-5 (dashboard, security templates, process manager, evidence collector)

Module 2: Extended Compliance Dashboard with roadmap, module-status, next-actions, snapshots, score-history Module 3: 7 German security document templates (IT-Sicherheitskonzept, Datenschutz, Backup, Logging, Incident-Response, Zugriff, Risikomanagement) Module 4: Compliance Process Manager with CRUD, complete/skip/seed, ~50 seed tasks, 3-tab UI Module 5: Evidence Collector Extended with automated checks, control-mapping, coverage report, 4-tab UI Also includes: canonical control library enhancements (verification method, categories, dedup), control generator improvements, RAG client extensions 52 tests pass, frontend builds clean. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-14 21:03:04 +01:00
parent 13d13c8226
commit 49ce417428
35 changed files with 8741 additions and 422 deletions
--- a/backend-compliance/migrations/048_processing_path_expand.sql
+++ b/backend-compliance/migrations/048_processing_path_expand.sql
@@ -0,0 +1,17 @@
+-- 048: Expand processing_path CHECK constraint for new pipeline paths
+-- New values: prefilter_skip, no_control, store_failed, error
+
+ALTER TABLE canonical_processed_chunks
+    DROP CONSTRAINT IF EXISTS canonical_processed_chunks_processing_path_check;
+
+ALTER TABLE canonical_processed_chunks
+    ADD CONSTRAINT canonical_processed_chunks_processing_path_check
+    CHECK (processing_path IN (
+        'structured',       -- Rule 1/2: structured from original text
+        'llm_reform',       -- Rule 3: LLM reformulated
+        'skipped',          -- Legacy: skipped for other reasons
+        'prefilter_skip',   -- Local LLM determined chunk has no requirement
+        'no_control',       -- Processing ran but no control could be derived
+        'store_failed',     -- Control generated but DB store failed
+        'error'             -- Processing error occurred
+    ));
--- a/backend-compliance/migrations/049_target_audience.sql
+++ b/backend-compliance/migrations/049_target_audience.sql
@@ -0,0 +1,8 @@
+-- 049: Add target_audience field to canonical_controls
+-- Distinguishes who a control is relevant for: enterprises, authorities, providers, or all.
+
+ALTER TABLE canonical_controls ADD COLUMN IF NOT EXISTS
+    target_audience VARCHAR(20) DEFAULT NULL
+    CHECK (target_audience IN ('enterprise', 'authority', 'provider', 'all'));
+
+CREATE INDEX IF NOT EXISTS idx_cc_target_audience ON canonical_controls(target_audience);
--- a/backend-compliance/migrations/050_score_snapshots.sql
+++ b/backend-compliance/migrations/050_score_snapshots.sql
@@ -0,0 +1,22 @@
+-- Score Snapshots: Historical compliance score tracking
+-- Migration 050
+
+CREATE TABLE IF NOT EXISTS compliance_score_snapshots (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id UUID NOT NULL,
+    project_id UUID,
+    score DECIMAL(5,2) NOT NULL,
+    controls_total INTEGER DEFAULT 0,
+    controls_pass INTEGER DEFAULT 0,
+    controls_partial INTEGER DEFAULT 0,
+    evidence_total INTEGER DEFAULT 0,
+    evidence_valid INTEGER DEFAULT 0,
+    risks_total INTEGER DEFAULT 0,
+    risks_high INTEGER DEFAULT 0,
+    snapshot_date DATE NOT NULL,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    UNIQUE (tenant_id, project_id, snapshot_date)
+);
+
+CREATE INDEX IF NOT EXISTS idx_score_snap_tenant ON compliance_score_snapshots(tenant_id);
+CREATE INDEX IF NOT EXISTS idx_score_snap_date ON compliance_score_snapshots(snapshot_date);
--- a/backend-compliance/migrations/051_security_templates.sql
+++ b/backend-compliance/migrations/051_security_templates.sql
--- a/backend-compliance/migrations/052_process_tasks.sql
+++ b/backend-compliance/migrations/052_process_tasks.sql
@@ -0,0 +1,53 @@
+-- Process Manager: Recurring compliance tasks with audit trail
+-- Migration 052
+
+CREATE TABLE compliance_process_tasks (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id UUID NOT NULL,
+    project_id UUID,
+    task_code VARCHAR(50) NOT NULL,
+    title VARCHAR(500) NOT NULL,
+    description TEXT,
+    category VARCHAR(50) NOT NULL
+        CHECK (category IN ('dsgvo','nis2','bsi','iso27001','ai_act','internal')),
+    priority VARCHAR(20) NOT NULL DEFAULT 'medium'
+        CHECK (priority IN ('critical','high','medium','low')),
+    frequency VARCHAR(20) NOT NULL DEFAULT 'yearly'
+        CHECK (frequency IN ('weekly','monthly','quarterly','semi_annual','yearly','once')),
+    assigned_to VARCHAR(255),
+    responsible_team VARCHAR(255),
+    linked_control_ids JSONB DEFAULT '[]',
+    linked_module VARCHAR(100),
+    last_completed_at TIMESTAMPTZ,
+    next_due_date DATE,
+    due_reminder_days INTEGER DEFAULT 14,
+    status VARCHAR(20) NOT NULL DEFAULT 'pending'
+        CHECK (status IN ('pending','in_progress','completed','overdue','skipped')),
+    completion_date TIMESTAMPTZ,
+    completion_result TEXT,
+    completion_evidence_id UUID,
+    follow_up_actions JSONB DEFAULT '[]',
+    is_seed BOOLEAN DEFAULT FALSE,
+    notes TEXT,
+    tags JSONB DEFAULT '[]',
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    UNIQUE (tenant_id, project_id, task_code)
+);
+
+CREATE TABLE compliance_process_task_history (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    task_id UUID NOT NULL REFERENCES compliance_process_tasks(id) ON DELETE CASCADE,
+    completed_by VARCHAR(255),
+    completed_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    result TEXT,
+    evidence_id UUID,
+    notes TEXT,
+    status VARCHAR(20) NOT NULL
+);
+
+CREATE INDEX idx_process_tasks_tenant ON compliance_process_tasks(tenant_id);
+CREATE INDEX idx_process_tasks_status ON compliance_process_tasks(status);
+CREATE INDEX idx_process_tasks_due ON compliance_process_tasks(next_due_date);
+CREATE INDEX idx_process_tasks_category ON compliance_process_tasks(category);
+CREATE INDEX idx_task_history_task ON compliance_process_task_history(task_id);
--- a/backend-compliance/migrations/053_evidence_checks.sql
+++ b/backend-compliance/migrations/053_evidence_checks.sql
@@ -0,0 +1,62 @@
+-- Evidence Checks: Automated compliance verification
+-- Migration 053
+
+CREATE TABLE compliance_evidence_checks (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id UUID NOT NULL,
+    project_id UUID,
+    check_code VARCHAR(50) NOT NULL,
+    title VARCHAR(500) NOT NULL,
+    description TEXT,
+    check_type VARCHAR(30) NOT NULL
+        CHECK (check_type IN ('tls_scan','header_check','certificate_check',
+               'config_scan','api_scan','dns_check','port_scan')),
+    target_url TEXT,
+    target_config JSONB DEFAULT '{}',
+    linked_control_ids JSONB DEFAULT '[]',
+    frequency VARCHAR(20) DEFAULT 'monthly'
+        CHECK (frequency IN ('daily','weekly','monthly','quarterly','manual')),
+    last_run_at TIMESTAMPTZ,
+    next_run_at TIMESTAMPTZ,
+    is_active BOOLEAN DEFAULT TRUE,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    UNIQUE (tenant_id, project_id, check_code)
+);
+
+CREATE TABLE compliance_evidence_check_results (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    check_id UUID NOT NULL REFERENCES compliance_evidence_checks(id) ON DELETE CASCADE,
+    tenant_id UUID NOT NULL,
+    run_status VARCHAR(20) NOT NULL DEFAULT 'running'
+        CHECK (run_status IN ('running','passed','failed','warning','error')),
+    result_data JSONB NOT NULL DEFAULT '{}',
+    summary TEXT,
+    findings_count INTEGER DEFAULT 0,
+    critical_findings INTEGER DEFAULT 0,
+    evidence_id UUID,
+    duration_ms INTEGER,
+    run_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE TABLE compliance_evidence_control_map (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id UUID NOT NULL,
+    evidence_id UUID NOT NULL,
+    control_code VARCHAR(50) NOT NULL,
+    mapping_type VARCHAR(20) DEFAULT 'supports'
+        CHECK (mapping_type IN ('supports','partially_supports','required')),
+    verified_at TIMESTAMPTZ,
+    verified_by VARCHAR(255),
+    notes TEXT,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    UNIQUE (tenant_id, evidence_id, control_code)
+);
+
+CREATE INDEX idx_evidence_checks_tenant ON compliance_evidence_checks(tenant_id);
+CREATE INDEX idx_evidence_checks_type ON compliance_evidence_checks(check_type);
+CREATE INDEX idx_evidence_checks_active ON compliance_evidence_checks(is_active);
+CREATE INDEX idx_check_results_check ON compliance_evidence_check_results(check_id);
+CREATE INDEX idx_check_results_status ON compliance_evidence_check_results(run_status);
+CREATE INDEX idx_evidence_control_map_tenant ON compliance_evidence_control_map(tenant_id);
+CREATE INDEX idx_evidence_control_map_control ON compliance_evidence_control_map(control_code);