merge: sync with origin/main, take upstream on conflicts

# Conflicts: # admin-compliance/lib/sdk/types.ts # admin-compliance/lib/sdk/vendor-compliance/types.ts
2026-04-16 16:26:48 +02:00
parent e04816cfe5 712fa8cb74
commit c43d9da6d0
352 changed files with 181673 additions and 2188 deletions
--- a/backend-compliance/compliance/api/routes.py
+++ b/backend-compliance/compliance/api/routes.py
@@ -25,6 +25,7 @@ from sqlalchemy.orm import Session

 from classroom_engine.database import get_db

+from .audit_trail_utils import log_audit_trail
 from ..db import (
    ControlDomainEnum,
    ControlRepository,
@@ -312,8 +313,39 @@ async def get_control(
    svc: ControlExportService = Depends(get_ctrl_export_service),
 ) -> ControlResponse:
    """Get a specific control by control_id."""
-    with translate_domain_errors():
-        return svc.get_control(control_id)
+    repo = ControlRepository(db)
+    control = repo.get_by_control_id(control_id)
+    if not control:
+        raise HTTPException(status_code=404, detail=f"Control {control_id} not found")
+
+    evidence_repo = EvidenceRepository(db)
+    evidence = evidence_repo.get_by_control(control.id)
+
+    return ControlResponse(
+        id=control.id,
+        control_id=control.control_id,
+        domain=control.domain.value if control.domain else None,
+        control_type=control.control_type.value if control.control_type else None,
+        title=control.title,
+        description=control.description,
+        pass_criteria=control.pass_criteria,
+        implementation_guidance=control.implementation_guidance,
+        code_reference=control.code_reference,
+        documentation_url=control.documentation_url,
+        is_automated=control.is_automated,
+        automation_tool=control.automation_tool,
+        automation_config=control.automation_config,
+        owner=control.owner,
+        review_frequency_days=control.review_frequency_days,
+        status=control.status.value if control.status else None,
+        status_notes=control.status_notes,
+        status_justification=control.status_justification,
+        last_reviewed_at=control.last_reviewed_at,
+        next_review_at=control.next_review_at,
+        created_at=control.created_at,
+        updated_at=control.updated_at,
+        evidence_count=len(evidence),
+    )


@router.put(
@@ -325,8 +357,83 @@ async def update_control(
    svc: ControlExportService = Depends(get_ctrl_export_service),
 ) -> ControlResponse:
    """Update a control."""
-    with translate_domain_errors():
-        return svc.update_control(control_id, update)
+    repo = ControlRepository(db)
+    control = repo.get_by_control_id(control_id)
+    if not control:
+        raise HTTPException(status_code=404, detail=f"Control {control_id} not found")
+
+    update_data = update.model_dump(exclude_unset=True)
+
+    # Convert status string to enum and validate transition
+    if "status" in update_data:
+        try:
+            new_status_enum = ControlStatusEnum(update_data["status"])
+        except ValueError:
+            raise HTTPException(status_code=400, detail=f"Invalid status: {update_data['status']}")
+
+        # Validate status transition (Anti-Fake-Evidence)
+        from ..services.control_status_machine import validate_transition
+        current_status = control.status.value if control.status else "planned"
+        evidence_list = db.query(EvidenceDB).filter(EvidenceDB.control_id == control.id).all()
+        allowed, violations = validate_transition(
+            current_status=current_status,
+            new_status=update_data["status"],
+            evidence_list=evidence_list,
+            status_justification=update_data.get("status_justification") or update_data.get("status_notes"),
+        )
+        if not allowed:
+            raise HTTPException(
+                status_code=409,
+                detail={
+                    "error": "Status transition not allowed",
+                    "current_status": current_status,
+                    "requested_status": update_data["status"],
+                    "violations": violations,
+                }
+            )
+
+        update_data["status"] = new_status_enum
+
+    updated = repo.update(control.id, **update_data)
+    db.commit()
+
+    # Audit trail for status changes
+    new_status = updated.status.value if updated.status else None
+    if "status" in update.model_dump(exclude_unset=True) and current_status != new_status:
+        log_audit_trail(
+            db, "control", control.id, updated.control_id or updated.title,
+            "status_change",
+            performed_by=update.owner or "system",
+            field_changed="status",
+            old_value=current_status,
+            new_value=new_status,
+        )
+        db.commit()
+
+    return ControlResponse(
+        id=updated.id,
+        control_id=updated.control_id,
+        domain=updated.domain.value if updated.domain else None,
+        control_type=updated.control_type.value if updated.control_type else None,
+        title=updated.title,
+        description=updated.description,
+        pass_criteria=updated.pass_criteria,
+        implementation_guidance=updated.implementation_guidance,
+        code_reference=updated.code_reference,
+        documentation_url=updated.documentation_url,
+        is_automated=updated.is_automated,
+        automation_tool=updated.automation_tool,
+        automation_config=updated.automation_config,
+        owner=updated.owner,
+        review_frequency_days=updated.review_frequency_days,
+        status=updated.status.value if updated.status else None,
+        status_notes=updated.status_notes,
+        status_justification=updated.status_justification,
+        last_reviewed_at=updated.last_reviewed_at,
+        next_review_at=updated.next_review_at,
+        created_at=updated.created_at,
+        updated_at=updated.updated_at,
+    )


@router.put(
@@ -339,8 +446,43 @@ async def review_control(
    svc: ControlExportService = Depends(get_ctrl_export_service),
 ) -> ControlResponse:
    """Mark a control as reviewed with new status."""
-    with translate_domain_errors():
-        return svc.review_control(control_id, review)
+    repo = ControlRepository(db)
+    control = repo.get_by_control_id(control_id)
+    if not control:
+        raise HTTPException(status_code=404, detail=f"Control {control_id} not found")
+
+    try:
+        status_enum = ControlStatusEnum(review.status)
+    except ValueError:
+        raise HTTPException(status_code=400, detail=f"Invalid status: {review.status}")
+
+    updated = repo.mark_reviewed(control.id, status_enum, review.status_notes)
+    db.commit()
+
+    return ControlResponse(
+        id=updated.id,
+        control_id=updated.control_id,
+        domain=updated.domain.value if updated.domain else None,
+        control_type=updated.control_type.value if updated.control_type else None,
+        title=updated.title,
+        description=updated.description,
+        pass_criteria=updated.pass_criteria,
+        implementation_guidance=updated.implementation_guidance,
+        code_reference=updated.code_reference,
+        documentation_url=updated.documentation_url,
+        is_automated=updated.is_automated,
+        automation_tool=updated.automation_tool,
+        automation_config=updated.automation_config,
+        owner=updated.owner,
+        review_frequency_days=updated.review_frequency_days,
+        status=updated.status.value if updated.status else None,
+        status_notes=updated.status_notes,
+        status_justification=updated.status_justification,
+        last_reviewed_at=updated.last_reviewed_at,
+        next_review_at=updated.next_review_at,
+        created_at=updated.created_at,
+        updated_at=updated.updated_at,
+    )


@router.get(