25 Commits

Author	SHA1	Message	Date
Benjamin Admin	b4d2be83eb	Merge gitea/main: resolve ci.yaml conflict, keep Coolify deploy ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 13:26:17 +01:00
Sharang Parnerkar	f1710fdb9e	fix: migrate deployment from Hetzner to Coolify (#1) ... ## Summary - Add Coolify deployment configuration (docker-compose, healthchecks, network setup) - Replace deploy-hetzner CI job with Coolify webhook deploy - Externalize postgres, qdrant, S3 for Coolify environment ## All changes since branch creation - Coolify docker-compose with Traefik labels and healthchecks - CI pipeline: deploy-hetzner → deploy-coolify (simple webhook curl) - SQLAlchemy 2.x text() compatibility fixes - Alpine-compatible Dockerfile fixes Co-authored-by: Sharang Parnerkar <parnerkarsharang@gmail.com> Reviewed-on: #1	2026-03-13 10:45:35 +00:00
Benjamin Admin	050f353192	feat(canonical-controls): Canonical Control Library — rechtssichere Security Controls ... Eigenstaendig formulierte Security Controls mit unabhaengiger Taxonomie und Open-Source-Verankerung (OWASP, NIST, ENISA). Keine BSI-Nomenklatur. - Migration 044: 5 DB-Tabellen (frameworks, controls, sources, licenses, mappings) - 10 Seed Controls mit 39 Open-Source-Referenzen - License Gate: Quellen-Berechtigungspruefung (analysis/excerpt/embeddings/product) - Too-Close-Detektor: 5 Metriken (exact-phrase, token-overlap, ngram, embedding, LCS) - REST API: 8 Endpoints unter /v1/canonical/ - Go Loader mit Multi-Index (ID, domain, severity, framework) - Frontend: Control Library Browser + Provenance Wiki - CI/CD: validate-controls.py Job (schema, no-leak, open-anchors) - 67 Tests (8 Go + 59 Python), alle PASS - MkDocs Dokumentation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-12 19:55:06 +01:00
Benjamin Admin	999cc81c78	feat(rag): Phase J — Security Guidelines & Standards (NIST, OWASP, ENISA) ... Add phase_security() with 15 documents across 3 sub-phases: - J1: 7 NIST standards (SP 800-53, 800-218, 800-63, 800-207, 8259A/B, AI RMF) - J2: 6 OWASP projects (Top 10, API Security, ASVS, MASVS, SAMM, Mobile Top 10) - J3: 2 ENISA guides (Procurement Hospitals, Cloud Security SMEs) All documents are commercially licensed (Public Domain / CC BY / CC BY-SA). Wire up 'security' phase in dispatcher and workflow yaml. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-12 16:14:44 +01:00
Benjamin Admin	42ec3cad6d	feat(rag): Phase I DACH-Erweiterung — Gesetze, Templates, Urteile ... New ingestion phase 'dach' adds missing documents from DACH catalog: I1: UStG (Retention), MStV (Impressum) I2: DSK Muster-VVT, DSK KP5 DSFA, BfDI Beispiel-VVT (DL-DE/BY-2.0) I3: BSI IT-Grundschutz Kompendium 2024 (CC BY-SA 4.0) I4: 7 Gerichtsentscheidungen as Praxisanker: - DE: LG Bonn 1&1, BGH Planet49, BGH Art.82 (2x) - AT: OGH Schutzzweck, OGH Art.15+82 EuGH-Vorlage - CH: BVGer DSG-Auskunft, BGer Datensperre Trigger: workflow_dispatch phase=dach Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-12 14:36:59 +01:00
Benjamin Admin	9945a62a50	fix(rag): docker cp into /workspace_scripts, then copy at runtime ... docker cp fails when target dir doesn't exist in a created container. Copy scripts to /workspace_scripts, then cp them at container start. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-12 14:24:36 +01:00
Benjamin Admin	eef1c2e7d3	fix(rag): Use docker cp to inject checked-out scripts ... The runner container can't access host paths directly, so the deploy dir scripts were always stale. Now uses docker create + docker cp + docker start to copy the freshly checked-out scripts into the ingestion container before starting it. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-12 13:37:57 +01:00
Benjamin Admin	a0e2a35e66	fix(rag): Git pull deploy dir before ingestion ... The RAG workflow mounts scripts from /opt/breakpilot-compliance/scripts (deploy dir) but this may not have the latest fixes if CI hasn't deployed yet. Add explicit git pull before running ingestion. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-12 13:13:33 +01:00
Benjamin Admin	57f390190d	fix(rag): Arithmetic error, dedup auth, EGBGB timeout ... - collection_count() returns 0 (not ?) on failure — fixes arithmetic error - Pass QDRANT_API_KEY to ingestion container for dedup checks - Include api-key header in collection_count() and dedup scroll queries - Lower large-file threshold to 256KB (EGBGB 310KB was timing out) - More targeted EGBGB XML extraction (Art. 246a + Anlage only) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-12 12:05:07 +01:00
Benjamin Admin	c88653b221	fix(rag): Dedup check, BGB split, GewO timeout, arithmetic fix ... - Add Qdrant dedup check in upload_file() — skip if regulation_id already exists - Split BGB (2.7MB) into 5 targeted parts via XML extraction: AGB §§305-310, Fernabsatz §§312-312k, Kaufrecht §§433-480, Widerruf §§355-361, Digitale Produkte §§327-327u - Lower large-file threshold 512KB→384KB (fixes GewO 432KB timeout) - Fix arithmetic syntax error when collection_count returns "?" - Replace EGBGB PDF (was empty) with XML extraction - Add unzip to Alpine container for XML archives Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-12 09:39:09 +01:00
Benjamin Admin	0b47612272	fix(rag): Always run download phase before ingestion phases ... The gesetze phase failed because it expects text files created by the download phase. Now the workflow automatically runs download first for any phase that depends on it. Also adds git and python3 to the alpine container for repo cloning and text extraction. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 23:13:33 +01:00
Benjamin Admin	0b836f7e2d	fix(ci): Run docker compose from helper container with deploy dir mounted ... The runner container has Docker socket but no host filesystem access. docker compose needs to read YAML files, so run build+deploy inside a helper container that has both Docker socket and the deploy dir mounted. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 18:31:19 +01:00
Benjamin Admin	18d9eec654	fix(ci): Use --entrypoint sh for alpine/git (default entrypoint is git) ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 18:14:58 +01:00
Benjamin Admin	339505feed	fix(ci): Fix Hetzner deploy — host filesystem access + network + dependencies ... Problems fixed: 1. Deploy step couldn't access /opt/breakpilot-compliance (host path not mounted in runner container). Now uses alpine/git helper container with host bind-mount for git ops, then docker compose with host paths. 2. breakpilot-network was external:true but Core doesn't run on Hetzner. Override in hetzner.yml creates the network automatically. 3. core-health-check blocks startup waiting for Core. Override in hetzner.yml makes it exit immediately. 4. RAG ingestion script now respects RAG_URL/QDRANT_URL env vars. 5. RAG workflow discovers network dynamically from running containers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 18:11:05 +01:00
Benjamin Admin	23b9808bf3	debug(ci): Discovery step to find RAG service on Hetzner ... Temporary commit to discover Docker container names and networks on Hetzner, since breakpilot-network doesn't exist there. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 17:58:46 +01:00
Benjamin Admin	c3654bc9ea	fix(ci): Spawn ingestion container on breakpilot-network ... Instead of trying to connect the runner to breakpilot-network, spawn a new alpine container directly on it via docker run. Added debug output for network/container visibility. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 17:53:06 +01:00
Benjamin Admin	363bf9606a	fix(ci): Connect runner to breakpilot-network for RAG ingestion ... - Join breakpilot-network so bp-core-rag-service is reachable - Make RAG_URL/QDRANT_URL in script respect env vars (${VAR:-default}) - Remove complex fallback logic — fail fast if network not available Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 17:48:13 +01:00
Benjamin Admin	e88c0aeeb3	fix(ci): RAG ingestion uses git-cloned workspace instead of deploy dir ... The runner container doesn't always have /opt/breakpilot-compliance mounted. Use the git-cloned workspace (current dir) and add multi-fallback for RAG API URL (container network → localhost → host.docker.internal). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 17:43:37 +01:00
Benjamin Admin	995de9e0f4	fix(ci): RAG ingestion uses docker:27-cli with host network access ... Runner needs access to /opt/breakpilot-compliance and Docker network for RAG service (bp-core-rag-service:8097). Falls back to host.docker.internal if container network unavailable. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 16:17:16 +01:00
Benjamin Admin	4e08364bc6	feat(ci): Add manual RAG ingestion workflow for Gitea Actions ... Adds workflow_dispatch-triggered job to run ingest-legal-corpus.sh on Hetzner. Supports phase selection (verbraucherschutz, gesetze, eu, etc.). Usage: Gitea UI → Actions → "RAG Ingestion" → Run (select phase) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 16:14:44 +01:00
Benjamin Admin	5d99d5d47a	feat(ci): Automatisches Deploy auf Hetzner via Gitea Actions ... - Gitea Actions CI um deploy-hetzner Job erweitert - Automatischer Build + Deploy bei Push auf main (nach Tests) - docker-compose.hetzner.yml Override (amd64 statt arm64) - Deploy-Dir: /opt/breakpilot-compliance/ - Baut parallel: admin, backend, ai-sdk, developer-portal - Health Checks nach Deploy Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 00:08:27 +01:00
Benjamin Boenisch	2d909a8f8e	fix(ci): update Go to 1.24 for ai-compliance-sdk ... The ai-compliance-sdk go.mod requires go >= 1.24.0 but CI was using golang:1.23-alpine. Updated both Gitea Actions and Woodpecker pipelines. Also updated golangci-lint to v1.62 for Go 1.24 compatibility. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-15 17:43:27 +01:00
Benjamin Boenisch	6b60c2b0f7	fix(ci): replace actions/checkout with manual git clone ... The act_runner cannot create /home/act_runner cache dir inside container images. Replace actions/checkout@v4 with manual git clone using GITHUB_SERVER_URL and GITHUB_REPOSITORY env vars. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-02-15 16:58:31 +01:00
Benjamin Boenisch	8776643045	fix(ci): use docker runner label instead of ubuntu-latest ... The Gitea Actions runner on meghsakha uses label "docker". Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-02-15 16:53:33 +01:00
Benjamin Boenisch	fb625bdb97	ci: add Gitea Actions workflow for external CI ... Adds .gitea/workflows/ci.yaml with lint and test jobs. Runs on gitea.meghsakha.com with Gitea Actions runner. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-02-15 16:39:01 +01:00