Compare commits
base: Benjamin_Boenisch/breakpilot-compliance:last-build/main
compare: Benjamin_Boenisch/breakpilot-compliance:feat/platform-foundation
8 Commits
**5f8009e844** fix(security): remove hardcoded Qdrant key + allowlist doc false-positives

CI (pull_request). Successful: detect-changes 8s, branch-name 1s, guardrail-integrity 5s, secret-scan 6s, build-sha-integrity 5s, validate-canonical-controls 4s, loc-budget 17s, nodejs-build 3m0s, test-go 1m0s, iace-gt-coverage 22s, test-python-backend 30s, test-python-document-crawler 13s, test-python-dsms-gateway 16s. Failing: dep-audit 54s, sbom-scan 1m3s, go-lint 13s, python-lint 13s, nodejs-lint 1m8s.

secret-scan (gitleaks) had never run on a PR (broken checkout). A real Qdrant dev API key was hardcoded in 4 pre-existing files; removed in favour of env / gitea-secret references (scripts read QDRANT_API_KEY from os.environ; rag-ingest workflow references a gitea Actions secret). The remaining ~52 findings are doc curl examples + .env.example placeholders + a rule_key identifier, allowlisted in .gitleaks.toml (default ruleset kept). gitleaks now reports 0 findings. ACTION REQUIRED: rotate the Qdrant dev API key — the leaked value is in git history.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

**079bb56922** fix(ci): clone PR head branch, not the unbuildable merge-ref

CI (pull_request). Successful: detect-changes 6s, branch-name 1s, guardrail-integrity 11s, build-sha-integrity 14s, validate-canonical-controls 8s, loc-budget 18s, nodejs-build 3m9s, test-go 1m7s, iace-gt-coverage 22s, test-python-backend 30s, test-python-document-crawler 18s, test-python-dsms-gateway 12s. Failing: secret-scan 6s, dep-audit 56s, sbom-scan 1m9s, go-lint 26s, python-lint 13s, nodejs-lint 1m15s.

All 17 checkout blocks cloned via --branch GITHUB_REF_NAME; on pull_request that is a merge ref git clone --branch cannot resolve, so every checkout-based gate (detect-changes, guardrail-integrity, secret-scan, sbom-scan, dep-audit, build-sha-integrity, validate-canonical-controls) failed before running. Now clone GITHUB_HEAD_REF with GITHUB_REF_NAME fallback: PR uses its source branch, push keeps prior behaviour. Additive.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

**24bb449a79** fix(ci): detect-changes.sh always emits outputs (kill the cascade)

CI (pull_request). Successful: branch-name 1s. Failing: detect-changes 2s, guardrail-integrity 2s, secret-scan 2s, dep-audit 1s, sbom-scan 2s, build-sha-integrity 3s, validate-canonical-controls 1s. Skipped: loc-budget, go-lint, python-lint, nodejs-lint, iace-gt-coverage, test-python-document-crawler, nodejs-build, test-go, test-python-backend, test-python-dsms-gateway.

detect-changes used set -e; an aborting git/grep killed it before writing GITHUB_OUTPUT -> the job outputs mapping evaluated to %!t(string=) and failed detect-changes + every job that needs it. Drop set -e, treat base/diff failure as rebuild-all, add an EXIT trap that emits rebuild-all + exit 0 on any early exit. Verified locally: empty/unreachable BASE_SHA + real diff all emit a full 11-key set.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

**8af9584d09** test(dse): adopt canonical v3 tests + criteria/GT/validation

CI (pull_request). Successful: branch-name 2s. Failing: detect-changes 5s, guardrail-integrity 4s, secret-scan 4s, dep-audit 2s, sbom-scan 2s, build-sha-integrity 3s, validate-canonical-controls 3s. Skipped: loc-budget, go-lint, python-lint, nodejs-lint, nodejs-build, test-go, iace-gt-coverage, test-python-backend, test-python-document-crawler, test-python-dsms-gateway.

Replace the reconstructed test_dse_agent.py with the canonical version and add the companion unit tests (classification_gate, embedding_recall) covering the recovered v3 modules. Include the curated DSE criteria backup + changelog (legal-note rationale per control), the v1 validation writeup, and the multi-company DSE ground-truth fulltexts (elli/eto/mercedes/safetykon) used for threshold calibration. 18 DSE tests green offline (DB/embedding/LLM stubbed). dev-only, no deploy.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

**ce6b4c58e3** feat(agent-ui): add Architektur tab explaining the doc-check pipeline

Mirror the CE module's /sdk/iace/.../architektur tab for /sdk/agent: a hand-authored schema (data-flow lanes, step-by-step pipeline accordion, module-engine cards, Pruefer-Matrix) explaining orchestrator phases A-F, the parallel specialist agents (Impressum/AGB/DSE), the 4-layer DSE engine, and the verification/decision-method meta-model. Adds a page-level Check | Architektur tab toggle (the page was flat). Static content (the Python doc-check has no architecture endpoint, unlike the Go IACE module); can be data-fed later. NOTE: not yet lint/type/browser-verified -- the worktree has no node_modules. Needs a visual check + next lint / tsc in an env with the toolchain. dev-only, no deploy.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

**f6d018234b** feat(dse): recover v3 DSE engine from container + wire into live check path

The calibrated DSE engine (4-layer: regex-boost / keyword / BGE-M3 embedding recall @0.65 / semantic-validator) existed ONLY in the running macmini container (docker cp'd, never committed) — at risk of loss on any container rebuild. This recovers it into git and wires it into the live check path.

- Recover dse/{agent,v3_engine,_embedding_recall,_classification_gate,regex_boost,mcs,deep_check}.py. DSEAgent (v3, BaseSpecialistAgent) replaces the keyword-only stub: delegates MC-loading to the main engine (rag_document_checker._load_controls), deterministic cached embedding recall (reachability-gated), semantic-validator LLM layer honoring skip_llm, third-country -> HIGH on documented transfer.
- Wire "dse" into _agent_outputs._TOPIC_AGENTS -> live check emits a validated DSE tab (was snapshot/legacy-only).
- Tests rewritten for v3 (DB/embedding/LLM stubbed offline): regex-boost detection, embedding-recall reachability guard, result->Finding conversion, third-country HIGH; topic-wiring asserts "dse".
- deep_check.py recovered for preservation (alternate LLM-judge path, unwired).

Runtime data deps for full live behavior (note for prod): doc_check_controls in DB + /data/mc_classification.db embedding sidecar + embedding-service; all degrade gracefully (keyword layer carries) if absent.

dev-only, no deploy.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

**32e45f0797** feat(agb): wire validated routed AGB engine into live check path

Consolidate the AGB C-lean engine (71% FP -> ~0, validated vs 7-company Opus GT) onto the canonical checker library and into the live check path.

- AGBAgent.evaluate now runs routed C-lean: keyword (L1/L2) -> business-model gate -> per-item decision_method routing (embedding/reference/llm via services/checkers/) -> severity re-tiering (LOW -> recommendation), honoring context.skip_llm.
- New agb/_pipeline.py orchestrates the routing; agent.py stays thin.
- Remove the 3 AGB-local checker duplicates (_reference_check, _embedding_rescue, _llm_judge); services/checkers/ is now canonical.
- Wire "agb" into _agent_outputs._TOPIC_AGENTS so the live check emits a validated AGB tab (was snapshot-only).
- Run topic agents concurrently (asyncio.gather) + emit each tab via SSE as it finishes -> progressive results, no wait on the slowest agent.
- Tests: checker units (mocked), routed agent (gate/rescue/re-tier), topic wiring; existing AGB tests made offline-safe.

dev-only, no deploy.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
**9d79cf1576** docs+feat(platform): freeze the Pruefer-Matrix foundation (evidence, mapping, checker library, AGB calibration)

Know-how freeze of the website-compliance round (DSE/Cookie/Impressum/AGB). docs: platform_evidence_v1 (evidence/quality proof, real numbers), nutzungsbedingungen_mapping (new module = mapping, empirically substantiated), platform_checker_matrix (meta-model verification_method x decision_method), verification_method, platform_validation_v1. code: checkers/ (reusable checker library base+reference+embedding+llm, validated in the container), agb/ (decision_method routing + checker prototypes, 71% FP -> ~0 validated). Dev-only, no prod push; benchmark GTs/corpora in the internal archive (data retention).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>