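package iace

// ComplianceTrigger maps a CE hazard pattern to a regulatory requirement.
// When a pattern fires for a project, the corresponding triggers tell
// the user which DSGVO/AI Act/CRA/NIS2/Data Act obligations apply and
// which SDK module they should visit.
//
// Every field is static catalogue data; nothing here is derived from
// user input, so ModuleLink can be rendered as a frontend route as-is.
type ComplianceTrigger struct {
	Regulation    string `json:"regulation"`      // e.g. "DSGVO Art. 35"
	TriggerCondDE string `json:"trigger_cond_de"` // Why this triggers (German)
	Severity      string `json:"severity"`        // "high", "medium", "low"
	Module        string `json:"module"`          // SDK module key
	ModuleLink    string `json:"module_link"`     // Frontend route
	ActionDE      string `json:"action_de"`       // Recommended action (German)
	RAGQuery      string `json:"rag_query"`       // Search query for RAG enrichment
}

// TriggerResult pairs a fired pattern with one of its compliance triggers.
type TriggerResult struct {
	HazardID   string            `json:"hazard_id"`
	HazardName string            `json:"hazard_name"`
	PatternID  string            `json:"pattern_id"`
	Trigger    ComplianceTrigger `json:"trigger"`
}

// ComplianceTriggerSummary is the top-level response for the crossover engine.
type ComplianceTriggerSummary struct {
	Triggers []TriggerResult `json:"triggers"`
	Total    int             `json:"total"`
	Summary  map[string]bool `json:"summary"` // dsfa_required, ai_act_relevant, etc.
}

// GetComplianceTriggerMap returns pattern-ID-keyed compliance triggers.
// Each entry lists the regulatory obligations that a fired pattern implies.
//
// A fresh map (with fresh slices) is built on every call, so callers may
// append to or mutate the result without affecting other callers. Keys are
// either listed explicitly below or generated for a contiguous ID range via
// genPatternRange; the ranges do not overlap the explicit keys.
func GetComplianceTriggerMap() map[string][]ComplianceTrigger {
	m := make(map[string][]ComplianceTrigger)

	// --- Cobot / camera / biometric patterns ---
	m["HP059"] = []ComplianceTrigger{
		{
			Regulation:    "DSGVO Art. 35",
			TriggerCondDE: "Kamera-Personenerkennung verarbeitet biometrische Daten",
			Severity:      "high",
			Module:        "dsfa",
			ModuleLink:    "/sdk/dsfa",
			ActionDE:      "Datenschutz-Folgenabschaetzung fuer Kamera-System durchfuehren",
			RAGQuery:      "DSFA biometrische Daten Kameraerkennung",
		},
		{
			Regulation:    "AI Act Art. 6",
			TriggerCondDE: "Autonome Sicherheitsentscheidung durch KI-System",
			Severity:      "high",
			Module:        "ai-act",
			ModuleLink:    "/sdk/ai-act",
			ActionDE:      "Hochrisiko-KI-Einstufung pruefen und dokumentieren",
			RAGQuery:      "AI Act Hochrisiko autonome Sicherheitsentscheidung",
		},
	}
	m["HP060"] = []ComplianceTrigger{
		{
			Regulation:    "DSGVO Art. 35",
			TriggerCondDE: "Werkzeug-Tracking erfordert Personenerkennung",
			Severity:      "high",
			Module:        "dsfa",
			ModuleLink:    "/sdk/dsfa",
			ActionDE:      "DSFA fuer Werkzeug-Tracking mit Personenerkennung erstellen",
			RAGQuery:      "DSFA Personenerkennung Werkzeug-Tracking",
		},
	}

	// --- AI/ML safety-critical patterns ---
	m["HP040"] = []ComplianceTrigger{
		{
			Regulation:    "AI Act Art. 6",
			TriggerCondDE: "KI trifft sicherheitsrelevante Entscheidung",
			Severity:      "high",
			Module:        "ai-act",
			ModuleLink:    "/sdk/ai-act",
			ActionDE:      "Hochrisiko-Klassifizierung und Konformitaetsbewertung einleiten",
			RAGQuery:      "AI Act Art 6 Hochrisiko Sicherheitsentscheidung",
		},
		{
			Regulation:    "AI Act Art. 9",
			TriggerCondDE: "Risikomanagement fuer Hochrisiko-KI erforderlich",
			Severity:      "high",
			Module:        "ai-act",
			ModuleLink:    "/sdk/ai-act",
			ActionDE:      "Risikomanagementsystem nach Art. 9 AI Act aufsetzen",
			RAGQuery:      "AI Act Art 9 Risikomanagementsystem Hochrisiko",
		},
	}
	m["HP041"] = []ComplianceTrigger{
		{
			Regulation:    "AI Act Art. 14",
			TriggerCondDE: "Menschliche Aufsicht ueber KI-System erforderlich",
			Severity:      "high",
			Module:        "ai-act",
			ModuleLink:    "/sdk/ai-act",
			ActionDE:      "Human-Oversight-Mechanismus implementieren und dokumentieren",
			RAGQuery:      "AI Act Art 14 menschliche Aufsicht Human Oversight",
		},
	}
	m["HP042"] = []ComplianceTrigger{
		{
			Regulation:    "AI Act Art. 6",
			TriggerCondDE: "Bias in sicherheitsrelevanter KI moeglich",
			Severity:      "high",
			Module:        "ai-act",
			ModuleLink:    "/sdk/ai-act",
			ActionDE:      "Bias-Analyse und Datenqualitaetspruefung durchfuehren",
			RAGQuery:      "AI Act Bias Diskriminierung Sicherheits-KI",
		},
	}
	m["HP043"] = []ComplianceTrigger{
		{
			Regulation:    "AI Act Art. 11",
			TriggerCondDE: "Technische Dokumentation fuer KI-System erforderlich",
			Severity:      "medium",
			Module:        "ai-act",
			ModuleLink:    "/sdk/ai-act",
			ActionDE:      "Technische Dokumentation nach Anhang IV AI Act erstellen",
			RAGQuery:      "AI Act Art 11 technische Dokumentation Anhang IV",
		},
	}
	m["HP044"] = []ComplianceTrigger{
		{
			Regulation:    "AI Act Art. 13",
			TriggerCondDE: "Transparenz-Anforderungen fuer KI-System",
			Severity:      "medium",
			Module:        "ai-act",
			ModuleLink:    "/sdk/ai-act",
			ActionDE:      "Transparenzhinweise und Nutzerdokumentation bereitstellen",
			RAGQuery:      "AI Act Art 13 Transparenz KI Nutzerinformation",
		},
	}

	// --- Cyber Resilience Act (software/firmware) ---
	m["HP033"] = []ComplianceTrigger{
		{
			Regulation:    "CRA Art. 10",
			TriggerCondDE: "Schwachstellenmanagement fuer Software-Komponente",
			Severity:      "high",
			Module:        "cyber",
			ModuleLink:    "/sdk/security-backlog",
			ActionDE:      "Vulnerability-Management-Prozess nach CRA einrichten",
			RAGQuery:      "CRA Art 10 Schwachstellenmanagement Software",
		},
		{
			Regulation:    "CRA Art. 13",
			TriggerCondDE: "Sicherheitsupdates muessen bereitgestellt werden",
			Severity:      "medium",
			Module:        "cyber",
			ModuleLink:    "/sdk/security-backlog",
			ActionDE:      "Update-Strategie und Patch-Management dokumentieren",
			RAGQuery:      "CRA Art 13 Sicherheitsupdates Patch-Management",
		},
	}
	m["HP158"] = []ComplianceTrigger{
		{
			Regulation:    "CRA Art. 10",
			TriggerCondDE: "Schwachstelle in Firmware erfordert Vulnerability-Handling",
			Severity:      "high",
			Module:        "cyber",
			ModuleLink:    "/sdk/security-backlog",
			ActionDE:      "Schwachstellenmeldung und Patch-Prozess nach CRA etablieren",
			RAGQuery:      "CRA Art 10 Firmware Schwachstelle Meldepflicht",
		},
		{
			Regulation:    "CRA Art. 11",
			TriggerCondDE: "Meldepflicht bei bekannter Schwachstelle",
			Severity:      "high",
			Module:        "cyber",
			ModuleLink:    "/sdk/security-backlog",
			ActionDE:      "Meldeprozess an ENISA/BSI fuer Schwachstellen einrichten",
			RAGQuery:      "CRA Art 11 Meldepflicht ENISA Schwachstelle",
		},
	}
	m["HP159"] = []ComplianceTrigger{
		{
			Regulation:    "CRA Art. 10",
			TriggerCondDE: "Datenintegritaet der Software muss sichergestellt sein",
			Severity:      "medium",
			Module:        "cyber",
			ModuleLink:    "/sdk/security-backlog",
			ActionDE:      "Integritaetsschutz fuer Software-Artefakte implementieren",
			RAGQuery:      "CRA Art 10 Datenintegritaet Software Signierung",
		},
	}
	m["HP160"] = []ComplianceTrigger{
		{
			Regulation:    "NIS2 Art. 21",
			TriggerCondDE: "Cybersicherheits-Risikomanagement erforderlich",
			Severity:      "high",
			Module:        "cyber",
			ModuleLink:    "/sdk/security-backlog",
			ActionDE:      "Cybersicherheits-Risikomanagement nach NIS2 Art. 21 aufsetzen",
			RAGQuery:      "NIS2 Art 21 Cybersicherheit Risikomanagement",
		},
		{
			Regulation:    "CRA Anhang I",
			TriggerCondDE: "Wesentliche Cybersicherheits-Anforderungen nach CRA",
			Severity:      "high",
			Module:        "cyber",
			ModuleLink:    "/sdk/security-backlog",
			ActionDE:      "CRA Anhang I Checkliste fuer Produkt-Cybersicherheit abarbeiten",
			RAGQuery:      "CRA Anhang I wesentliche Anforderungen Cybersicherheit",
		},
	}

	// --- Logging/monitoring patterns ---
	m["HP131"] = []ComplianceTrigger{
		{
			Regulation:    "DSGVO Art. 6",
			TriggerCondDE: "Rechtsgrundlage fuer Protokollierung personenbez. Daten",
			Severity:      "medium",
			Module:        "dsfa",
			ModuleLink:    "/sdk/dsfa",
			ActionDE:      "Rechtsgrundlage fuer Protokollierung pruefen und dokumentieren",
			RAGQuery:      "DSGVO Art 6 Rechtsgrundlage Protokollierung Logging",
		},
	}

	// The range-based sections below build the slice literal inside the
	// loop on purpose: each key gets its own backing array, so mutating
	// m["HP800"] can never leak into m["HP801"].

	// --- AGV / movement profile patterns (HP199-HP213) ---
	for _, pid := range genPatternRange("HP", 199, 213) {
		m[pid] = []ComplianceTrigger{
			{
				Regulation:    "DSGVO Art. 35",
				TriggerCondDE: "AGV-Bewegungsprofile koennen Rueckschluesse auf Personen erlauben",
				Severity:      "high",
				Module:        "dsfa",
				ModuleLink:    "/sdk/dsfa",
				ActionDE:      "DSFA fuer AGV-Bewegungsdaten erstellen",
				RAGQuery:      "DSFA Bewegungsprofile AGV Personenbezug",
			},
			{
				Regulation:    "EU Data Act Art. 3",
				TriggerCondDE: "Maschinendaten-Zugangsrecht fuer Nutzer nach Data Act",
				Severity:      "medium",
				Module:        "vendor-compliance",
				ModuleLink:    "/sdk/vendor-compliance",
				ActionDE:      "Datenzugangsrechte nach EU Data Act fuer Maschinendaten pruefen",
				RAGQuery:      "EU Data Act Art 3 Maschinendaten Zugangsrecht",
			},
		}
	}

	// --- Cyber-security patterns HP800-HP814 ---
	for _, pid := range genPatternRange("HP", 800, 814) {
		m[pid] = []ComplianceTrigger{
			{
				Regulation:    "NIS2 Art. 21",
				TriggerCondDE: "Cybersicherheits-Risikomanagement fuer vernetzte Komponente",
				Severity:      "high",
				Module:        "cyber",
				ModuleLink:    "/sdk/security-backlog",
				ActionDE:      "NIS2 Cybersicherheits-Massnahmen pruefen und dokumentieren",
				RAGQuery:      "NIS2 Art 21 Cybersicherheit vernetzte Maschine",
			},
			{
				Regulation:    "CRA Art. 10",
				TriggerCondDE: "Schwachstellenmanagement fuer vernetzte Komponente",
				Severity:      "high",
				Module:        "cyber",
				ModuleLink:    "/sdk/security-backlog",
				ActionDE:      "CRA-konforme Schwachstellenbehandlung einrichten",
				RAGQuery:      "CRA Art 10 Schwachstellenmanagement vernetzte Maschine",
			},
		}
	}

	// --- Cyber-security patterns HP815-HP829 ---
	for _, pid := range genPatternRange("HP", 815, 829) {
		m[pid] = []ComplianceTrigger{
			{
				Regulation:    "NIS2 Art. 21",
				TriggerCondDE: "Netzwerk-Sicherheitsmassnahmen nach NIS2",
				Severity:      "high",
				Module:        "cyber",
				ModuleLink:    "/sdk/security-backlog",
				ActionDE:      "NIS2-Sicherheitskonzept fuer Netzwerkkomponenten erstellen",
				RAGQuery:      "NIS2 Art 21 Netzwerk Sicherheit Massnahmen",
			},
			{
				Regulation:    "CRA Art. 10",
				TriggerCondDE: "CRA-Anforderungen fuer Software mit Netzwerkzugang",
				Severity:      "medium",
				Module:        "cyber",
				ModuleLink:    "/sdk/security-backlog",
				ActionDE:      "CRA-Konformitaet fuer Netzwerk-Software sicherstellen",
				RAGQuery:      "CRA Software Netzwerkzugang Sicherheitsanforderungen",
			},
		}
	}

	// --- AI/ML-specific cyber patterns HP830-HP844 ---
	for _, pid := range genPatternRange("HP", 830, 844) {
		m[pid] = []ComplianceTrigger{
			{
				Regulation:    "AI Act Art. 6",
				TriggerCondDE: "KI/ML-System in sicherheitsrelevantem Kontext",
				Severity:      "high",
				Module:        "ai-act",
				ModuleLink:    "/sdk/ai-act",
				ActionDE:      "Hochrisiko-Einstufung und AI-Act-Konformitaet pruefen",
				RAGQuery:      "AI Act Hochrisiko KI ML sicherheitsrelevant",
			},
			{
				Regulation:    "DSGVO Art. 22",
				TriggerCondDE: "Automatisierte Entscheidungsfindung durch KI moeglich",
				Severity:      "high",
				Module:        "dsfa",
				ModuleLink:    "/sdk/dsfa",
				ActionDE:      "Automatisierte Einzelentscheidung nach Art. 22 DSGVO pruefen",
				RAGQuery:      "DSGVO Art 22 automatisierte Entscheidung KI Profiling",
			},
		}
	}

	// --- NIS2 network/HMI patterns HP845-HP864 ---
	for _, pid := range genPatternRange("HP", 845, 864) {
		m[pid] = []ComplianceTrigger{
			{
				Regulation:    "NIS2 Art. 21",
				TriggerCondDE: "Netzwerk-/HMI-Komponente erfordert NIS2-Massnahmen",
				Severity:      "high",
				Module:        "cyber",
				ModuleLink:    "/sdk/security-backlog",
				ActionDE:      "NIS2-Sicherheitsanforderungen fuer HMI/Netzwerk umsetzen",
				RAGQuery:      "NIS2 Art 21 HMI Netzwerk Sicherheit",
			},
		}
	}

	return m
}

// GetTagBasedTriggers returns compliance triggers that fire based on
// component tag combinations rather than specific pattern IDs.
//
// Tags are matched by exact string equality: no trimming, case folding or
// deduplication is applied, so "Has_Software" does not count as
// "has_software". Unknown tags are ignored. Triggers are appended in the
// fixed order of the checks below, and the result is nil when no
// combination matches (which encodes as JSON null if marshalled directly).
func GetTagBasedTriggers(tags []string) []ComplianceTrigger {
	tagSet := make(map[string]bool, len(tags))
	for _, t := range tags {
		tagSet[t] = true
	}

	var triggers []ComplianceTrigger

	// has_software + programmable → CRA Art. 10
	if tagSet["has_software"] && tagSet["programmable"] {
		triggers = append(triggers, ComplianceTrigger{
			Regulation:    "CRA Art. 10",
			TriggerCondDE: "Programmierbare Software-Komponente erfordert CRA-Konformitaet",
			Severity:      "medium",
			Module:        "cyber",
			ModuleLink:    "/sdk/security-backlog",
			ActionDE:      "CRA-Anforderungen fuer programmierbare Software pruefen",
			RAGQuery:      "CRA Art 10 programmierbare Software Sicherheit",
		})
	}

	// sensor_part + has_software → EU Data Act Art. 3
	if tagSet["sensor_part"] && tagSet["has_software"] {
		triggers = append(triggers, ComplianceTrigger{
			Regulation:    "EU Data Act Art. 3",
			TriggerCondDE: "Sensor mit Software erzeugt Maschinendaten — Zugangsrecht nach Data Act",
			Severity:      "medium",
			Module:        "vendor-compliance",
			ModuleLink:    "/sdk/vendor-compliance",
			ActionDE:      "Datenzugangsrechte fuer Sensor-/Maschinendaten nach Data Act pruefen",
			RAGQuery:      "EU Data Act Art 3 Sensordaten Maschinendaten Zugang",
		})
	}

	// has_ai → AI Act Art. 6 (generic)
	if tagSet["has_ai"] {
		triggers = append(triggers, ComplianceTrigger{
			Regulation:    "AI Act Art. 6",
			TriggerCondDE: "KI-Komponente erkannt — Hochrisiko-Einstufung pruefen",
			Severity:      "high",
			Module:        "ai-act",
			ModuleLink:    "/sdk/ai-act",
			ActionDE:      "AI-Act-Klassifizierung fuer KI-Komponente durchfuehren",
			RAGQuery:      "AI Act Art 6 Klassifizierung KI-System Hochrisiko",
		})
	}

	// is_networked → NIS2 Art. 21
	if tagSet["is_networked"] {
		triggers = append(triggers, ComplianceTrigger{
			Regulation:    "NIS2 Art. 21",
			TriggerCondDE: "Vernetzte Komponente unterliegt NIS2-Sicherheitspflichten",
			Severity:      "medium",
			Module:        "cyber",
			ModuleLink:    "/sdk/security-backlog",
			ActionDE:      "NIS2-Anforderungen fuer vernetzte Infrastruktur bewerten",
			RAGQuery:      "NIS2 Art 21 vernetzte Infrastruktur Pflichten",
		})
	}

	return triggers
}

// genPatternRange generates pattern IDs like "HP800", "HP801", ..., "HP814".
//
// Both from and to are inclusive. Numbers are zero-padded to at least three
// digits via padInt. An inverted range (to < from) yields nil instead of
// panicking: without the guard, make would be asked for a negative capacity.
func genPatternRange(prefix string, from, to int) []string {
	if to < from {
		return nil
	}
	ids := make([]string, 0, to-from+1)
	for i := from; i <= to; i++ {
		ids = append(ids, prefix+padInt(i))
	}
	return ids
}

// padInt formats an integer with leading zeros to 3 digits minimum.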
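func padInt(n int) string {
	// Zero-pad the magnitude and put the sign back in front, so a negative
	// input yields "-005" rather than the all-zero "00" the previous version
	// produced (which would look like a valid pattern number).
	sign, digits := "", triggerItoa(n)
	if n < 0 {
		sign, digits = "-", digits[1:]
	}
	for len(digits) < 3 {
		digits = "0" + digits
	}
	return sign + digits
}

// triggerItoa converts an integer to its decimal string without importing
// strconv. Negative values get a leading '-' (matching strconv.Itoa); the
// magnitude is taken as an unsigned value so the most negative int does not
// overflow on negation. The previous version silently returned "" for n < 0.
func triggerItoa(n int) string {
	var buf [21]byte // '-' plus up to 20 digits covers any 64-bit int
	pos := len(buf)
	neg := n < 0
	mag := uint64(n)
	if neg {
		mag = -mag // two's-complement negation gives |n| even for the minimum int
	}
	// Emit at least one digit so 0 becomes "0".
	for {
		pos--
		buf[pos] = byte('0' + mag%10)
		mag /= 10
		if mag == 0 {
			break
		}
	}
	if neg {
		pos--
		buf[pos] = '-'
	}
	return string(buf[pos:])
}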