Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: Benjamin_Boenisch/breakpilot-compliance:feat/infisical-secrets
Branches Tags
Benjamin_Boenisch/breakpilot-compliance:main Benjamin_Boenisch/breakpilot-compliance:feat/advisor-rag-collections Benjamin_Boenisch/breakpilot-compliance:feat/infisical-secrets Benjamin_Boenisch/breakpilot-compliance:feat/advisor-structural-grounding Benjamin_Boenisch/breakpilot-compliance:feat/advisor-corpus-authority Benjamin_Boenisch/breakpilot-compliance:feat/platform-foundation Benjamin_Boenisch/breakpilot-compliance:chore/wip-salvage-2026-06-21 Benjamin_Boenisch/breakpilot-compliance:docs/checker-matrix Benjamin_Boenisch/breakpilot-compliance:feat/dedup-doc-check-controls Benjamin_Boenisch/breakpilot-compliance:chore/mc-mapping-prod-deploy Benjamin_Boenisch/breakpilot-compliance:feat/dsms-stufe3-version-chains Benjamin_Boenisch/breakpilot-compliance:feat/dsms-stufe2-evidence-techfile Benjamin_Boenisch/breakpilot-compliance:feat/iace-llm-fm-frontend Benjamin_Boenisch/breakpilot-compliance:feat/norm-crossref-batch1 Benjamin_Boenisch/breakpilot-compliance:feature/quaidal-ingestion Benjamin_Boenisch/breakpilot-compliance:feat/iace-electrical-fixes Benjamin_Boenisch/breakpilot-compliance:feature/fisa-702-drittland-risiko Benjamin_Boenisch/breakpilot-compliance:feat/dead-code-cleanup Benjamin_Boenisch/breakpilot-compliance:feature/payment-compliance-module Benjamin_Boenisch/breakpilot-compliance:feature/betriebsrat-compliance-module
Benjamin_Boenisch/breakpilot-compliance:last-build/main
..
pull from: Benjamin_Boenisch/breakpilot-compliance:feat/advisor-structural-grounding
Branches Tags
Benjamin_Boenisch/breakpilot-compliance:feat/advisor-rag-collections Benjamin_Boenisch/breakpilot-compliance:main Benjamin_Boenisch/breakpilot-compliance:feat/infisical-secrets Benjamin_Boenisch/breakpilot-compliance:feat/advisor-structural-grounding Benjamin_Boenisch/breakpilot-compliance:feat/advisor-corpus-authority Benjamin_Boenisch/breakpilot-compliance:feat/platform-foundation Benjamin_Boenisch/breakpilot-compliance:chore/wip-salvage-2026-06-21 Benjamin_Boenisch/breakpilot-compliance:docs/checker-matrix Benjamin_Boenisch/breakpilot-compliance:feat/dedup-doc-check-controls Benjamin_Boenisch/breakpilot-compliance:chore/mc-mapping-prod-deploy Benjamin_Boenisch/breakpilot-compliance:feat/dsms-stufe3-version-chains Benjamin_Boenisch/breakpilot-compliance:feat/dsms-stufe2-evidence-techfile Benjamin_Boenisch/breakpilot-compliance:feat/iace-llm-fm-frontend Benjamin_Boenisch/breakpilot-compliance:feat/norm-crossref-batch1 Benjamin_Boenisch/breakpilot-compliance:feature/quaidal-ingestion Benjamin_Boenisch/breakpilot-compliance:feat/iace-electrical-fixes Benjamin_Boenisch/breakpilot-compliance:feature/fisa-702-drittland-risiko Benjamin_Boenisch/breakpilot-compliance:feat/dead-code-cleanup Benjamin_Boenisch/breakpilot-compliance:feature/payment-compliance-module Benjamin_Boenisch/breakpilot-compliance:feature/betriebsrat-compliance-module
Benjamin_Boenisch/breakpilot-compliance:last-build/main

1 Commits
feat/infisical-secrets .. feat/advisor-structural-grounding

Author SHA1 Message Date
Benjamin Admin 14588bfb09 feat(advisor): Quellenanker auch fuer strukturelle Verweise (Step A.1) 
Erweitert die Korpus-Autoritaet-Regel: Kapitel/Abschnitt/Teil/Anhang nur nennen,
wenn in der Quelle belegt — keine aus Struktur-/Trainingswissen ergaenzte Gliederung
("Kapitel 3 BDSG"). Grund: Prod-Grounding-Check zeigte §38/20-Personen sauber
gegroundet, aber "Kapitel 3 BDSG" stand NICHT im Chunk (Modell-ergaenzt).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-22 20:24:57 +02:00
7 changed files with 13 additions and 232 deletions
Expand all files Collapse all files
.claude/CLAUDE.md
+2 -3
View File
@@ -130,11 +130,10 @@ rsync -avz --exclude node_modules --exclude .next --exclude .git \
**breakpilot-core MUSS laufen!** Dieses Projekt nutzt Core-Services:
- Valkey (Session-Cache)
- Vault (Secrets)
- RAG-Service (Vektorsuche fuer Compliance-Dokumente)
- Nginx (Reverse Proxy)
Secrets liegen in Infisical (`secrets.meghsakha.com`); die Projektverknuepfung steht in `.infisical.json`. Lokal mit `infisical run --env=dev -- docker compose up` (oder `make dev`) starten — `.env`/`.env.local` werden nicht mehr verwendet.
**Externe Services (Production):**
- PostgreSQL 17 (sslmode=require) — Schemas: `compliance`, `public`
- Qdrant @ `qdrant-dev.breakpilot.ai` (HTTPS, API-Key)
@@ -317,7 +316,7 @@ ssh macmini "/usr/local/bin/docker compose -f /Users/benjaminadmin/Projekte/brea
### 5. Sensitive Dateien
**NIEMALS aendern oder committen:**
- `.env`, `.env.local`, Infisical-Tokens, SSL-Zertifikate
- `.env`, `.env.local`, Vault-Tokens, SSL-Zertifikate
- `*.pdf`, `*.docx`, kompilierte Binaries, grosse Medien
---
.claude/rules/compliance-checklist.md
+1 -1
View File
@@ -92,7 +92,7 @@ Wenn Hochrisiko:
- [ ] **Transit:** TLS 1.3 für alle Verbindungen
- [ ] **Rest:** Datenbank-Verschlüsselung
- [ ] **Secrets:** Infisical (`secrets.meghsakha.com`) für Credentials
- [ ] **Secrets:** Vault für Credentials
### Zugriffskontrollen
.infisical.json
-5
View File
@@ -1,5 +0,0 @@
{
"workspaceId": "996bda36-9e01-4071-ae8d-69a9f9ff5a23",
"defaultEnvironment": "",
"gitBranchToEnvironmentMapping": null
}
INFISICAL_SETUP.md
-157
View File
@@ -1,157 +0,0 @@
# Infisical Setup for Local Development
This is the per-developer onboarding for accessing the `breakpilot-compliance` secrets while developing locally. Once this is done, **everything you launch through `make dev` (or `infisical run …`) gets the dev secrets injected as environment variables** — including any Claude Code session that spawns those commands.
Secrets live in the self-hosted Infisical instance at **`secrets.meghsakha.com`**. The project link is committed in `.infisical.json`, so you don't need to know the project ID.
---
## 1. Install the Infisical CLI
**macOS (recommended):**
```bash
brew install infisical/get-cli/infisical
```
**Other platforms / manual install:**
See <https://infisical.com/docs/cli/overview>. Verify with:
```bash
infisical --version
# infisical version 0.43.x (or newer)
```
---
## 2. Log in to the self-hosted instance
```bash
infisical login --domain https://secrets.meghsakha.com
```
This opens a browser for SSO. The login is persisted to your OS keychain — you only do this once per machine.
Sanity check:
```bash
cd ~/projects/breakpilot-compliance # wherever you cloned the repo
infisical --domain https://secrets.meghsakha.com secrets --env=dev
```
You should see a table of secret names + values. If you get an auth error, re-run `infisical login`.
---
## 3. Verify the project link
The repo already contains `.infisical.json` pointing at the `breakpilot-compliance` project:
```bash
cat .infisical.json
# { "workspaceId": "996bda36-9e01-4071-ae8d-69a9f9ff5a23", ... }
```
If the file is missing (rare — only if you reset the repo), recreate it:
```bash
infisical init --domain https://secrets.meghsakha.com
```
Pick the `breakpilot-compliance` project from the picker.
---
## 4. Launch the stack
```bash
make dev
```
This runs `infisical run --env=dev -- docker compose up`. Every service in the compose stack sees its secrets as normal env vars — no `.env` file ever touches disk.
Other targets:
| Target | What it does |
|--------|--------------|
| `make dev-build` | Same as `make dev` but rebuilds images first |
| `make dev-down` | Stop the stack (no secrets needed) |
| `make dev-logs` | Tail logs |
| `make dev-ps` | List running containers |
| `make secrets` | Print all secrets in `dev` (read-only) |
| `make secrets-set KEY=FOO VALUE=bar` | Add or update a secret in `dev` |
To target a different environment:
```bash
make dev ENV=staging
make secrets ENV=prod
```
---
## 5. Using secrets from Claude Code
When Claude Code runs commands in this repo via its Bash tool, the commands inherit your shell's environment. Two patterns:
**Pattern A — let Claude launch the stack normally**
Claude just runs `make dev`. The Infisical CLI inside that command resolves secrets at run time and passes them to docker compose. Claude doesn't see plaintext secrets in its context, but the running services do.
**Pattern B — let Claude run a one-off script with secrets**
If Claude needs to execute a Python/Go script that requires secrets, wrap the command:
```bash
infisical run --env=dev -- python scripts/some_one_off.py
```
This works for any subprocess: pytest, alembic, go run, npm scripts. If Claude proposes a command that reads env vars and runs raw, ask it to wrap it in `infisical run --env=dev --` first.
**What Claude should not do:**
- `infisical export --env=dev > .env` — defeats the whole point and the `.gitignore` will still try to keep the file out.
- `infisical secrets get KEY --env=dev --raw` and pasting the value into a code edit — secrets must stay out of the repo.
If you want Claude to never accidentally dump secrets, add this to your `.claude/settings.json` permissions (project-level or user-level):
```json
{
"permissions": {
"deny": [
"Bash(infisical export*)",
"Bash(infisical secrets get*)"
]
}
}
```
---
## Troubleshooting
| Symptom | Fix |
|---------|-----|
| `please either run infisical init or pass --projectId` | `.infisical.json` is missing or unreadable — re-run `infisical init` |
| `unauthorized` / `please log in` | Re-run `infisical login --domain https://secrets.meghsakha.com` |
| `make dev` says secret is empty | Check the name in `make secrets` matches what docker-compose expects, then update the service config or rename the secret in Infisical |
| Browser SSO doesn't open | Use `infisical login --domain https://secrets.meghsakha.com --method=user` and paste the URL manually |
---
## What the dev env contains
Run `make secrets` to see the live list. As of this writing the dev env includes (at minimum):
- `BREAKPILOT_DB_PASSWORD`
- `BREAKPILOT_QDRANT_API_KEY`
- `LITELLM_API_KEY`
Every other variable in `.env.example` either has a sane default in `docker-compose.yml` or needs to be added to Infisical. To add one:
```bash
make secrets-set KEY=ANTHROPIC_API_KEY VALUE=sk-ant-xxxx
```
Or via the web UI: <https://secrets.meghsakha.com>.
Makefile
-57
View File
@@ -1,57 +0,0 @@
# breakpilot-compliance — developer workflow
#
# Secrets are managed in Infisical (secrets.meghsakha.com). The project
# link lives in .infisical.json. To get started:
# 1) infisical login --domain https://secrets.meghsakha.com (once per machine)
# 2) make dev
#
# .env / .env.local are NOT used in this repo anymore. Anything that needs
# secrets MUST be launched through `infisical run` so the values come from
# the secrets store instead of disk.
INFISICAL ?= infisical
INFISICAL_DOMAIN ?= https://secrets.meghsakha.com
ENV ?= dev
INFISICAL_RUN := $(INFISICAL) --domain $(INFISICAL_DOMAIN) run --env=$(ENV) --
INFISICAL_SECRETS := $(INFISICAL) --domain $(INFISICAL_DOMAIN) secrets --env=$(ENV)
.PHONY: help dev dev-build dev-down dev-logs dev-ps secrets secrets-set check-loc
help:
@echo "Targets:"
@echo " dev Start the full compose stack with secrets injected from Infisical"
@echo " dev-build Same as dev, but force a rebuild first"
@echo " dev-down Stop the compose stack (no secrets needed)"
@echo " dev-logs Tail logs from all services"
@echo " dev-ps Show running containers"
@echo " secrets List all secrets in the current env ($(ENV))"
@echo " secrets-set Set a secret (KEY=... VALUE=...)"
@echo " check-loc Run the 500-line LOC guard"
dev:
$(INFISICAL_RUN) docker compose up
dev-build:
$(INFISICAL_RUN) docker compose up --build
dev-down:
docker compose down
dev-logs:
docker compose logs -f
dev-ps:
docker compose ps
secrets:
$(INFISICAL_SECRETS)
secrets-set:
@if [ -z "$(KEY)" ] || [ -z "$(VALUE)" ]; then \
echo "Usage: make secrets-set KEY=MY_KEY VALUE=my_value"; exit 1; \
fi
$(INFISICAL) --domain $(INFISICAL_DOMAIN) secrets set $(KEY)=$(VALUE) --env=$(ENV)
check-loc:
bash scripts/check-loc.sh
README.md
+6 -9
View File
@@ -42,26 +42,23 @@ All containers share the external `breakpilot-network` Docker network and depend
## Quick Start
**Prerequisites:** Docker, Go 1.24+, Python 3.12+, Node.js 20+, [Infisical CLI](https://infisical.com/docs/cli/overview)
**Prerequisites:** Docker, Go 1.24+, Python 3.12+, Node.js 20+
```bash
git clone ssh://git@gitea.meghsakha.com:22222/Benjamin_Boenisch/breakpilot-compliance.git
cd breakpilot-compliance
# One-time per machine: log in to the self-hosted Infisical instance
infisical login --domain https://secrets.meghsakha.com
# Copy and populate secrets (never commit .env)
cp .env.example .env
# Start the full stack with secrets injected from Infisical (env=dev)
make dev
# Start all services
docker compose up -d
```
Secrets are pulled from Infisical (`secrets.meghsakha.com`) at runtime; `.env` files are not used. See [INFISICAL_SETUP.md](./INFISICAL_SETUP.md) for full onboarding, and `make help` for the rest of the targets (`dev-build`, `dev-down`, `secrets`, `secrets-set`).
For the Orca/Hetzner production target (x86_64), use the override:
```bash
make dev ENV=prod # or:
infisical run --env=prod -- docker compose -f docker-compose.yml -f docker-compose.hetzner.yml up -d
docker compose -f docker-compose.yml -f docker-compose.hetzner.yml up -d
```
---
admin-compliance/agent-core/soul/compliance-advisor.soul.md
+4
View File
@@ -46,6 +46,10 @@ FAKTEN, nicht nur fuer Fundstellen (ergaenzt **Quellentreue**).
Schwelle aus — auch nicht beilaeufig im Fliesstext ohne Fundstelle. Sag offen, dass du ihn aus
deinen geprueften Quellen nicht belegen kannst, nenne Pflicht/Thema allgemein, und biete den
naechsten Schritt an (gezielt nachschlagen / mit DSB oder Anwalt verifizieren).
- **Strukturelle Verweise** (Kapitel, Abschnitt, Teil, Anhang) nennst du ebenfalls NUR, wenn sie so
in der Quelle stehen — ergaenze KEINE aus Struktur- oder Trainingswissen abgeleitete Gliederung
(z.B. "Kapitel 3 BDSG"), auch wenn sie plausibel oder korrekt erscheint. Die Quellenanker-Pflicht
gilt fuer Fundstellen UND Gliederungs-Ebenen.
- **Konflikt-Transparenz**: Weicht der Kontext von dem ab, was dir "gelaeufig" vorkommt, gewinnt
IMMER der Kontext. Mach es ruhig transparent — z.B. "Die aktuelle Quelle nennt 20; eine evtl.
aeltere, gelaeufige Annahme (10) gilt hier nicht."