fix(ai-sdk): national-law subsidiarity in authority rerank (DSGVO > BDSG) #40

Merged
Benjamin_Boenisch merged 1 commits from feat/authority-rerank-subsidiarity into main 2026-06-27 04:12:08 +00:00
Owner

Summary

The authority reranker (wired in legal_rag_client.go:168) had no national-subsidiarity dimension, so a general BDSG § could outrank the primary DSGVO article. Surfaced by the KB-2026.1 BDSG pilot.

  • authorityScore: DE binding_law in an EU-primary domain WITHOUT a co-primary topic match → soft demote (subsidiarityPen 0.18), not exclusion. National special rules stay co-primary via the topic ontology (DSB §38, special categories §22, ...).
  • queryDomain: regulation-name fallback (DSGVO/BDSG/CRA) so a question phrased around the act is domain-scoped even without a topical keyword (fixes cr_07: BDSG Teil-3 §64).
  • data_protection keyword stem auftragsverarbeit.

Pure ranking logic, no data manipulation; soft demotes keep national rules visible.

⚠️ Note: the reranker itself was committed on main (9cfe6f83) but the deployed dev binary predates it — merging this activates the reranker on dev (binding>guidance, DSGVO>BDSG-subsidiary).

Evidence

  • go build/vet/test ./... green; 6 new table tests.
  • KB-2026.1 DSGVO+BDSG build: degraded 3→0, must_not=0 (dp_05/08/11/cr_07 → DSGVO; dp_01 §38 co-primary).
  • Legacy bp_compliance_ce (current dev corpus): NEUTRAL — 0 degraded, 0 improved.
  • Smoke gate (macmini): DSB/Rechtsgrundlage/TOMs/AV → DSGVO ✓; control-intent → CRA+NIST ✓; EDPB-intent path unchanged.

Test plan

  • CI green (lint + go test)
  • After merge → Orca dev deploy → post-deploy smoke: DSB→Art.37+§38, Rechtsgrundlage→Art.6, TOMs→Art.32, AV→Art.28, EDPB-intent stays EDPB, control-intent stays ENISA/NIST

🤖 Generated with Claude Code

Benjamin_Boenisch added 1 commit 2026-06-26 19:58:48 +00:00
fix(ai-sdk): national-law subsidiarity in authority rerank (DSGVO > BDSG for general questions)
CI / detect-changes (pull_request) Successful in 11s
CI / branch-name (pull_request) Successful in 2s
CI / guardrail-integrity (pull_request) Successful in 9s
CI / secret-scan (pull_request) Successful in 11s
CI / dep-audit (pull_request) Failing after 54s
CI / sbom-scan (pull_request) Failing after 59s
CI / build-sha-integrity (pull_request) Successful in 8s
CI / validate-canonical-controls (pull_request) Successful in 8s
CI / loc-budget (pull_request) Successful in 23s
CI / go-lint (pull_request) Successful in 57s
CI / python-lint (pull_request) Failing after 16s
CI / nodejs-lint (pull_request) Failing after 1m11s
CI / nodejs-build (pull_request) Successful in 3m4s
CI / test-go (pull_request) Successful in 1m1s
CI / iace-gt-coverage (pull_request) Successful in 18s
CI / test-python-backend (pull_request) Successful in 25s
CI / test-python-document-crawler (pull_request) Successful in 14s
CI / test-python-dsms-gateway (pull_request) Successful in 12s
623d80b6c8
The authority reranker (wired in legal_rag_client.go:168) had no national-subsidiarity
dimension, so a general BDSG paragraph could outrank the primary DSGVO article. Surfaced by
the KB-2026.1 BDSG pilot (dp_05/08/11 + cr_07).

- authorityScore: DE binding_law in an EU-primary domain WITHOUT a co-primary topic match
  -> soft demote (subsidiarityPen 0.18), not exclusion. National special rules stay
  co-primary via the topic ontology (DSB Art.37+§38, special categories Art.9+§22, ...).
- queryDomain: fall back to a regulation-name mention (DSGVO/BDSG/CRA) so a question phrased
  around the act is domain-scoped even without a topical keyword (fixes cr_07: BDSG Teil-3 §64).
- data_protection keyword stem 'auftragsverarbeit' (catches Auftragsverarbeitungsvertrag).

Pure ranking logic, no data manipulation; soft demotes keep national rules visible.
Build result (DSGVO+BDSG): degraded=0, must_not=0. go build/vet/test ./... green; 6 new table tests.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Benjamin_Boenisch merged commit 88ca2b0b03 into main 2026-06-27 04:12:08 +00:00
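A sketch of the two changes the description names, the soft subsidiarity demotion in `authorityScore` and the regulation-name fallback in `queryDomain`, added here as an illustration and not the project's own code. The `Hit` type, the lookup tables, the `cyber_resilience` label and the sample scores are assumptions; only `subsidiarityPen` 0.18, `binding_law`, `data_protection`, the stem `auftragsverarbeit` and the act names come from the PR text.

```go
package main

import (
	"fmt"
	"strings"
)

// Hit is one retrieved passage; the type and its field names are hypothetical.
type Hit struct {
	Ref, Jurisdiction, Kind string
	Score                   float64
}
const subsidiarityPen = 0.18 // value stated in the PR description

// Assumed tables: only "auftragsverarbeit" and the three act names come from the PR.
var (
	domainStems = []string{"auftragsverarbeit", "datenschutzbeauftragt", "rechtsgrundlage"}
	actDomain   = map[string]string{"dsgvo": "data_protection", "bdsg": "data_protection", "cra": "cyber_resilience"}
	coPrimary   = map[string]string{"BDSG §38": "datenschutzbeauftragt", "BDSG §22": "besondere kategorien"}
)

// queryDomain matches topical stems first, then falls back to a whole-word act name.
func queryDomain(q string) string {
	q = strings.ToLower(q)
	for _, s := range domainStems {
		if strings.Contains(q, s) {
			return "data_protection"
		}
	}
	for _, w := range strings.FieldsFunc(q, func(r rune) bool { return r < 'a' || r > 'z' }) {
		if d, ok := actDomain[w]; ok {
			return d
		}
	}
	return ""
}

// authorityScore demotes DE binding law in the EU-primary domain unless it is co-primary for the query topic.
func authorityScore(h Hit, q string) float64 {
	stem, special := coPrimary[h.Ref]
	coPrim := special && strings.Contains(strings.ToLower(q), stem)
	if h.Jurisdiction == "DE" && h.Kind == "binding_law" && queryDomain(q) == "data_protection" && !coPrim {
		return h.Score - subsidiarityPen // soft demote: the hit stays in the result set
	}
	return h.Score
}

func main() {
	fmt.Println(authorityScore(Hit{"BDSG §3", "DE", "binding_law", 0.8}, "Was regelt das BDSG?")) // constructed hit
}
```

Matching act names as whole words rather than substrings keeps an unrelated query containing "cra" (for example "scraping") from being scoped to a regulation domain.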