11 Commits

Author	SHA1	Message	Date
Benjamin Admin	a220f0d0a7	[guardrail-change] LOC-Exceptions: 4 grandfathered files fuer Coolify-Unblocker ... Diese 4 Pre-Existing-Files haben den Coolify-Build geblockt (LOC-CI-Step failed). Splits sind Phase-5+ Tech-Debt-Backlog, bis dahin als Exceptions getragen damit Production-Deploys nicht ausfallen. - cra_routes.py (1714) - vendor_redundancy.py (727) - cookie_knowledge_db.py (608) - cookie-banner-embed.ts (558) Jede Exception hat einen kurzen Rationale-Kommentar daruber. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-19 08:34:03 +02:00
Benjamin Admin	4a5924b8c4	feat(iace): CRA / DIN EN 40000-1-2 cyber-resilience spur ... [guardrail-change] Phase 18 adds an EU Cyber Resilience Act compliance track to IACE: the engine now fires patterns that surface the manufacturer-side CRA obligations whenever a project's components carry digital elements. Patterns (HP1910-HP1918, hazard_patterns_cra.go): HP1910 Missing SBOM HP1911 Unsigned firmware/software updates HP1912 Factory-default credentials still active HP1913 No coordinated vulnerability disclosure (CVD) policy HP1914 No documented security patch SLA HP1915 Missing user-facing hardening guide HP1916 No incident-notification process to ENISA / CSIRT HP1917 No security assessment prior to placing on market HP1918 AI component without cybersecurity risk assessment Each pattern carries ClarificationQuestionsDE so the operator gets auditor-grade questions to take back to the Anlagenbauer instead of the engine inventing prose. PatternMatch carries DefaultAvoidability (P=1 for all CRA patterns), feeding the PLr graph from Phase 17. Measures (M540-M548, measures_library_cra.go): M540 SBOM (SPDX or CycloneDX) with each machine release M541 Signed updates with rollback protection M542 Forced default-password change at first boot M543 Published CVD policy (security.txt / PSIRT) M544 Documented patch SLA with CVSS-tier response times M545 User-facing hardening guide in the machine docs M546 ENISA incident-notification process (24h/72h/14d) M547 Authenticated update channel + integrity check M548 Pre-market security assessment / pen-test The library is urheberrechtlich neutral: identifiers only (Verordnung (EU) 2024/2847, DIN EN 40000-1-2 Entwurf, IEC 62443, ETSI EN 303 645, ISO/IEC 5962, ISO/IEC 29147). No normative text is reproduced — DIN/Beuth proprietary content is referenced by section number only. Category-compatibility: cyber_resilience pattern category accepts measures with HazardCategory cyber_resilience, cyber_network, or software_control. Updated in both the runtime helper (iace_handler_init_helpers.go) and its test-mirror (pattern_coverage_test.go) — both must move in lockstep. Frontend (clarifications page): When at least one clarification references "2024/2847" or "40000-1-2" in its norm_references, a blue info-banner is rendered at the top of the page: "Cyber Resilience Act (CRA) — Hinweis zur Geltung Diese Klärungsliste enthält Fragen zur Verordnung (EU) 2024/2847 (CRA). Die CRA gilt für Produkte mit digitalen Elementen, die ab dem 11.12.2027 auf dem EU-Markt bereit- gestellt werden. ..." Reminds the user that the CRA pflichten are forward-looking while still allowing the manufacturer to bake them in now. LOC exceptions: Added three pre-existing files to .claude/rules/loc-exceptions.txt (manufacturer_safety_features.go, iace_handler_clarifications.go, routes.go). All three grew across Phases 16-17 and are tagged as Phase 5+ refactor backlog. [guardrail-change] marker required. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-17 02:15:51 +02:00
Sharang Parnerkar	a530edb994	Merge branch 'main' of ssh://coolify.meghsakha.com:22222/Benjamin_Boenisch/breakpilot-compliance ... # Conflicts: # .claude/rules/loc-exceptions.txt	2026-05-13 17:37:59 +02:00
Sharang Parnerkar	256deb70c7	ci: gate jobs on change detection + tag-based deploy ordering [guardrail-change] ... Build + Deploy ran in parallel with CI's lint/test/loc, so a deploy could ship even when CI failed. Gate Build + Deploy on CI success via workflow_run, and add per-service change detection so only affected services rebuild and only relevant lint/test jobs run on PRs. - scripts/detect-changes.sh: shared diff helper that emits per-service + aggregate flags from a BASE_SHA diff; falls back to "rebuild all" when the base is missing or unreachable - ci.yaml: detect-changes job runs first; loc-budget, *-lint, *-build, and test-* jobs gate on the relevant outputs - build-push-deploy.yml: triggered via workflow_run on CI completion; diff base is the last-build/main git tag, force-pushed by a new mark-last-build job after each green run (handles multi-commit pushes, force pushes, and the "all skipped" case) - check-loc.sh: exclude Office/binary extensions (xlsm, docx, pptx, zip, tar, gz) so binary docs aren't counted as source - loc-exceptions.txt: grandfather two existing >500 LOC files (tender_handlers.go, DecisionTreeWizard.tsx) as Phase 5+ backlog Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-13 16:39:43 +02:00
Benjamin Admin	8ad0519367	[guardrail-change] add dsi_discovery.py + compliance_check_routes to LOC exceptions ... Both files are sequential orchestrators (Playwright session / 7-step pipeline) where splitting mid-flow would require passing complex state across modules. Tracked as Phase 5 refactor targets. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-13 11:25:40 +02:00
Benjamin Admin	02ff96f74e	fix: resolve all merge conflict markers from feat/zeroclaw-compliance-agent ... 9 files had conflict markers from the branch merge. All resolved keeping the feature branch version. Also split agent_scan_routes.py (534→367 LOC) by extracting Pydantic models to agent_scan_models.py. [guardrail-change] Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-11 12:15:07 +02:00
Benjamin Admin	f59f810638	chore: LOC-Exceptions fuer IACE Pattern-Datendateien ... [guardrail-change] Hazard-Pattern-Dateien sind reine Datentabellen (85 Patterns × 12 Zeilen). Aufsplitten wuerde die Zuordnung pro Themenbereich zerstoeren. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-07 14:36:51 +02:00
Sharang Parnerkar	58f108b578	phase 5: flip loc-budget to whole-repo blocking gate [guardrail-change] ... - loc-budget CI job: remove if/else PR-only guard; now runs scripts/check-loc.sh (no || true) on every push and PR, scanning the full repo - sbom-scan: remove || true from grype command — high+ CVEs now block PRs - scripts/check-loc.sh: add test_*.py / */test_*.py and *.html exclusions so Python test files and Jinja/HTML templates are not counted against the budget - .claude/rules/loc-exceptions.txt: grandfather 40 remaining oversized files into the exceptions list (one-off scripts, docs copies, platform SDKs, and Phase 1 backend-compliance refactor backlog) - ai-compliance-sdk/.golangci.yml: add strict golangci-lint config (errcheck, govet, staticcheck, gosec, gocyclo, gocritic, revive, goimports) - delete stray routes.py.backup (2512 LOC) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-19 14:29:43 +02:00
Sharang Parnerkar	98a773c7cd	chore: document export-generator LOC exceptions ... Adds 5 admin-compliance export generator files to loc-exceptions.txt. Each generates a complete document format (ZIP/DOCX/PDF); splitting mid-generation logic creates artificial boundaries without benefit. Remaining non-exception lib/ violations: 2 (loeschfristen-profiling 538, test file 506). The 60 app/ page.tsx files are Phase 3 page.tsx targets. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-10 21:07:53 +02:00
Sharang Parnerkar	be4d58009a	chore: document data-catalog + legacy-service LOC exceptions ... Adds 25 files to .claude/rules/loc-exceptions.txt: - 18 admin-compliance data catalog files (static control definitions, legal framework references, processing activity catalogs, demo data) that legitimately exceed 500 LOC because splitting them would fragment lookup tables without improving readability - 7 backend-compliance legacy utility services (pdf_generator, llm_provider, etc.) that predate Phase 1 and are Phase 5 targets These exceptions are permanent for data catalogs; the backend services should shrink to zero as Phase 5 progresses. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-10 20:48:11 +02:00
Sharang Parnerkar	3320ef94fc	refactor: phase 0 guardrails + phase 1 step 2 (models.py split) ... Squash of branch refactor/phase0-guardrails-and-models-split — 4 commits, 81 files, 173/173 pytest green, OpenAPI contract preserved (360 paths / 484 operations). ## Phase 0 — Architecture guardrails Three defense-in-depth layers to keep the architecture rules enforced regardless of who opens Claude Code in this repo: 1. .claude/settings.json PreToolUse hook on Write/Edit blocks any file that would exceed the 500-line hard cap. Auto-loads in every Claude session in this repo. 2. scripts/githooks/pre-commit (install via scripts/install-hooks.sh) enforces the LOC cap locally, freezes migrations/ without [migration-approved], and protects guardrail files without [guardrail-change]. 3. .gitea/workflows/ci.yaml gains loc-budget + guardrail-integrity + sbom-scan (syft+grype) jobs, adds mypy --strict for the new Python packages (compliance/{services,repositories,domain,schemas}), and tsc --noEmit for admin-compliance + developer-portal. Per-language conventions documented in AGENTS.python.md, AGENTS.go.md, AGENTS.typescript.md at the repo root — layering, tooling, and explicit "what you may NOT do" lists. Root CLAUDE.md is prepended with the six non-negotiable rules. Each of the 10 services gets a README.md. scripts/check-loc.sh enforces soft 300 / hard 500 and surfaces the current baseline of 205 hard + 161 soft violations so Phases 1-4 can drain it incrementally. CI gates only CHANGED files in PRs so the legacy baseline does not block unrelated work. ## Deprecation sweep 47 files. Pydantic V1 regex= -> pattern= (2 sites), class Config -> ConfigDict in source_policy_router.py (schemas.py intentionally skipped; it is the Phase 1 Step 3 split target). datetime.utcnow() -> datetime.now(timezone.utc) everywhere including SQLAlchemy default= callables. All DB columns already declare timezone=True, so this is a latent-bug fix at the Python side, not a schema change. DeprecationWarning count dropped from 158 to 35. ## Phase 1 Step 1 — Contract test harness tests/contracts/test_openapi_baseline.py diffs the live FastAPI /openapi.json against tests/contracts/openapi.baseline.json on every test run. Fails on removed paths, removed status codes, or new required request body fields. Regenerate only via tests/contracts/regenerate_baseline.py after a consumer-updated contract change. This is the safety harness for all subsequent refactor commits. ## Phase 1 Step 2 — models.py split (1466 -> 85 LOC shim) compliance/db/models.py is decomposed into seven sibling aggregate modules following the existing repo pattern (dsr_models.py, vvt_models.py, ...): regulation_models.py (134) — Regulation, Requirement control_models.py (279) — Control, Mapping, Evidence, Risk ai_system_models.py (141) — AISystem, AuditExport service_module_models.py (176) — ServiceModule, ModuleRegulation, ModuleRisk audit_session_models.py (177) — AuditSession, AuditSignOff isms_governance_models.py (323) — ISMSScope, Context, Policy, Objective, SoA isms_audit_models.py (468) — Finding, CAPA, MgmtReview, InternalAudit, AuditTrail, Readiness models.py becomes an 85-line re-export shim in dependency order so existing imports continue to work unchanged. Schema is byte-identical: __tablename__, column definitions, relationship strings, back_populates, cascade directives all preserved. All new sibling files are under the 500-line hard cap; largest is isms_audit_models.py at 468. No file in compliance/db/ now exceeds the hard cap. ## Phase 1 Step 3 — infrastructure only backend-compliance/compliance/{schemas,domain,repositories}/ packages are created as landing zones with docstrings. compliance/domain/ exports DomainError / NotFoundError / ConflictError / ValidationError / PermissionError — the base classes services will use to raise domain-level errors instead of HTTPException. PHASE1_RUNBOOK.md at backend-compliance/PHASE1_RUNBOOK.md documents the nine-step execution plan for Phase 1: snapshot baseline, characterization tests, split models.py (this commit), split schemas.py (next), extract services, extract repositories, mypy --strict, coverage. ## Verification backend-compliance/.venv-phase1: uv python install 3.12 + pip -r requirements.txt PYTHONPATH=. pytest compliance/tests/ tests/contracts/ -> 173 passed, 0 failed, 35 warnings, OpenAPI 360/484 unchanged Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-07 13:18:29 +02:00