// Package ucca holds the data model of the use-case compliance assessment:
// the intake a user submits, the evaluation result, the persisted assessment
// entity, the API request/response shapes and the AI Act decision-tree types.
// The file contains declarations only; all evaluation logic lives elsewhere.
package ucca

import (
	"time"

	"github.com/google/uuid"
)

// ============================================================================
// Constants / Enums
// ============================================================================

// Feasibility represents the overall assessment result.
type Feasibility string

const (
	FeasibilityYES         Feasibility = "YES"
	FeasibilityCONDITIONAL Feasibility = "CONDITIONAL"
	FeasibilityNO          Feasibility = "NO"
)

// RiskLevel represents the overall risk classification.
type RiskLevel string

const (
	RiskLevelMINIMAL      RiskLevel = "MINIMAL"
	RiskLevelLOW          RiskLevel = "LOW"
	RiskLevelMEDIUM       RiskLevel = "MEDIUM"
	RiskLevelHIGH         RiskLevel = "HIGH"
	RiskLevelUNACCEPTABLE RiskLevel = "UNACCEPTABLE"
)

// Complexity represents implementation complexity.
type Complexity string

const (
	ComplexityLOW    Complexity = "LOW"
	ComplexityMEDIUM Complexity = "MEDIUM"
	ComplexityHIGH   Complexity = "HIGH"
)

// Severity represents rule severity.
type Severity string

const (
	SeverityINFO  Severity = "INFO"
	SeverityWARN  Severity = "WARN"
	SeverityBLOCK Severity = "BLOCK"
)

// Domain represents the business domain.
// The string values are the wire format used in intake JSON; they are
// accepted only if present in ValidDomains.
type Domain string

const (
	// Industry & manufacturing
	DomainAutomotive            Domain = "automotive"
	DomainMechanicalEngineering Domain = "mechanical_engineering"
	DomainPlantEngineering      Domain = "plant_engineering"
	DomainElectricalEngineering Domain = "electrical_engineering"
	DomainAerospace             Domain = "aerospace"
	DomainChemicals             Domain = "chemicals"
	DomainFoodBeverage          Domain = "food_beverage"
	DomainTextiles              Domain = "textiles"
	DomainPackaging             Domain = "packaging"

	// Energy & utilities
	DomainUtilities Domain = "utilities"
	DomainEnergy    Domain = "energy"
	DomainOilGas    Domain = "oil_gas"

	// Agriculture & forestry
	DomainAgriculture Domain = "agriculture"
	DomainForestry    Domain = "forestry"
	DomainFishing     Domain = "fishing"

	// Construction & real estate
	DomainConstruction       Domain = "construction"
	DomainRealEstate         Domain = "real_estate"
	DomainFacilityManagement Domain = "facility_management"

	// Healthcare & social services
	DomainHealthcare     Domain = "healthcare"
	DomainMedicalDevices Domain = "medical_devices"
	DomainPharma         Domain = "pharma"
	DomainElderlyCare    Domain = "elderly_care"
	DomainSocialServices Domain = "social_services"

	// Education & research
	DomainEducation          Domain = "education"
	DomainHigherEducation    Domain = "higher_education"
	DomainVocationalTraining Domain = "vocational_training"
	DomainResearch           Domain = "research"

	// Finance & insurance
	DomainFinance    Domain = "finance"
	DomainBanking    Domain = "banking"
	DomainInsurance  Domain = "insurance"
	DomainInvestment Domain = "investment"

	// Trade & logistics
	DomainRetail    Domain = "retail"
	DomainEcommerce Domain = "ecommerce"
	DomainWholesale Domain = "wholesale"
	DomainLogistics Domain = "logistics"

	// IT & telecommunications
	DomainITServices    Domain = "it_services"
	DomainTelecom       Domain = "telecom"
	DomainCybersecurity Domain = "cybersecurity"

	// Legal & consulting
	DomainLegal       Domain = "legal"
	DomainConsulting  Domain = "consulting"
	DomainTaxAdvisory Domain = "tax_advisory"

	// Public sector
	DomainPublic  Domain = "public_sector"
	DomainDefense Domain = "defense"
	DomainJustice Domain = "justice"

	// Marketing & media
	DomainMarketing     Domain = "marketing"
	DomainMedia         Domain = "media"
	DomainEntertainment Domain = "entertainment"

	// HR & staffing
	DomainHR         Domain = "hr"
	DomainRecruiting Domain = "recruiting"

	// Tourism & hospitality
	DomainHospitality Domain = "hospitality"
	DomainTourism     Domain = "tourism"

	// Other
	DomainNonprofit Domain = "nonprofit"
	DomainSports    Domain = "sports"
	DomainGeneral   Domain = "general"
)

// ValidDomains contains all valid domain values. It is the allow-list a
// Domain received from a client should be checked against before use.
// NOTE: this is a mutable package-level map; callers must only read from it
// (a write would change validation for the whole process).
var ValidDomains = map[Domain]bool{
	DomainAutomotive:            true,
	DomainMechanicalEngineering: true,
	DomainPlantEngineering:      true,
	DomainElectricalEngineering: true,
	DomainAerospace:             true,
	DomainChemicals:             true,
	DomainFoodBeverage:          true,
	DomainTextiles:              true,
	DomainPackaging:             true,
	DomainUtilities:             true,
	DomainEnergy:                true,
	DomainOilGas:                true,
	DomainAgriculture:           true,
	DomainForestry:              true,
	DomainFishing:               true,
	DomainConstruction:          true,
	DomainRealEstate:            true,
	DomainFacilityManagement:    true,
	DomainHealthcare:            true,
	DomainMedicalDevices:        true,
	DomainPharma:                true,
	DomainElderlyCare:           true,
	DomainSocialServices:        true,
	DomainEducation:             true,
	DomainHigherEducation:       true,
	DomainVocationalTraining:    true,
	DomainResearch:              true,
	DomainFinance:               true,
	DomainBanking:               true,
	DomainInsurance:             true,
	DomainInvestment:            true,
	DomainRetail:                true,
	DomainEcommerce:             true,
	DomainWholesale:             true,
	DomainLogistics:             true,
	DomainITServices:            true,
	DomainTelecom:               true,
	DomainCybersecurity:         true,
	DomainLegal:                 true,
	DomainConsulting:            true,
	DomainTaxAdvisory:           true,
	DomainPublic:                true,
	DomainDefense:               true,
	DomainJustice:               true,
	DomainMarketing:             true,
	DomainMedia:                 true,
	DomainEntertainment:         true,
	DomainHR:                    true,
	DomainRecruiting:            true,
	DomainHospitality:           true,
	DomainTourism:               true,
	DomainNonprofit:             true,
	DomainSports:                true,
	DomainGeneral:               true,
}

// AutomationLevel represents the degree of automation.
type AutomationLevel string

const (
	AutomationAssistive      AutomationLevel = "assistive"
	AutomationSemiAutomated  AutomationLevel = "semi_automated"
	AutomationFullyAutomated AutomationLevel = "fully_automated"
)

// TrainingAllowed represents if training with data is permitted.
type TrainingAllowed string

const (
	TrainingYES         TrainingAllowed = "YES"
	TrainingCONDITIONAL TrainingAllowed = "CONDITIONAL"
	TrainingNO          TrainingAllowed = "NO"
)

// ============================================================================
// Input Structs
// ============================================================================

// UseCaseIntake represents the user's input describing their planned AI use case.
// Everything in it is client-supplied and must be treated as untrusted input.
type UseCaseIntake struct {
	// Free-text description of the use case. Whether it is persisted verbatim
	// or only as a hash is controlled by StoreRawText (see Assessment.UseCaseTextHash).
	UseCaseText string `json:"use_case_text"`

	// Business domain; expected to be one of the keys of ValidDomains
	// (validation presumably happens in the handler/engine — confirm).
	Domain Domain `json:"domain"`

	// Title for the assessment (optional)
	Title string `json:"title,omitempty"`

	// Data types involved
	DataTypes DataTypes `json:"data_types"`

	// Purpose of the processing
	Purpose Purpose `json:"purpose"`

	// Level of automation
	Automation AutomationLevel `json:"automation"`

	// Output characteristics
	Outputs Outputs `json:"outputs"`

	// Hosting configuration
	Hosting Hosting `json:"hosting"`

	// Model usage configuration
	ModelUsage ModelUsage `json:"model_usage"`

	// Retention configuration
	Retention Retention `json:"retention"`

	// Financial regulations context (DORA, MaRisk, BAIT)
	// Only applicable for financial domains (banking, finance, insurance, investment)
	FinancialContext *FinancialContext `json:"financial_context,omitempty"`

	// BetrVG / works council context (Germany)
	EmployeeMonitoring    bool `json:"employee_monitoring,omitempty"`     // System can monitor employee behavior/performance
	HRDecisionSupport     bool `json:"hr_decision_support,omitempty"`     // System supports HR decisions (hiring, evaluation, termination)
	WorksCouncilConsulted bool `json:"works_council_consulted,omitempty"` // Works council has been consulted

	// Domain-specific contexts (AI Act Annex III high-risk domains).
	// Each is optional; a nil pointer means the client supplied nothing for that domain.
	HRContext            *HRContext            `json:"hr_context,omitempty"`
	EducationContext     *EducationContext     `json:"education_context,omitempty"`
	HealthcareContext    *HealthcareContext    `json:"healthcare_context,omitempty"`
	LegalDomainContext   *LegalDomainContext   `json:"legal_context,omitempty"`
	PublicSectorContext  *PublicSectorContext  `json:"public_sector_context,omitempty"`
	CriticalInfraContext *CriticalInfraContext `json:"critical_infra_context,omitempty"`
	AutomotiveContext    *AutomotiveContext    `json:"automotive_context,omitempty"`
	RetailContext        *RetailContext        `json:"retail_context,omitempty"`
	ITSecurityContext    *ITSecurityContext    `json:"it_security_context,omitempty"`
	LogisticsContext     *LogisticsContext     `json:"logistics_context,omitempty"`
	ConstructionContext  *ConstructionContext  `json:"construction_context,omitempty"`
	MarketingContext     *MarketingContext     `json:"marketing_context,omitempty"`
	ManufacturingContext *ManufacturingContext `json:"manufacturing_context,omitempty"`
	AgricultureContext   *AgricultureContext   `json:"agriculture_context,omitempty"`
	SocialServicesCtx    *SocialServicesContext `json:"social_services_context,omitempty"`
	HospitalityContext   *HospitalityContext   `json:"hospitality_context,omitempty"`
	InsuranceContext     *InsuranceContext     `json:"insurance_context,omitempty"`
	InvestmentContext    *InvestmentContext    `json:"investment_context,omitempty"`
	DefenseContext       *DefenseContext       `json:"defense_context,omitempty"`
	SupplyChainContext   *SupplyChainContext   `json:"supply_chain_context,omitempty"`
	FacilityContext      *FacilityContext      `json:"facility_context,omitempty"`
	SportsContext        *SportsContext        `json:"sports_context,omitempty"`

	// Opt-in to store raw text (otherwise only hash).
	// Default (false) is the data-minimizing choice.
	StoreRawText bool `json:"store_raw_text,omitempty"`
}

// HRContext captures HR/recruiting-specific compliance data (AI Act Annex III Nr. 4 + AGG).
type HRContext struct {
	AutomatedScreening    bool `json:"automated_screening"`    // AI pre-screens applicants
	AutomatedRejection    bool `json:"automated_rejection"`    // AI generates rejection letters
	CandidateRanking      bool `json:"candidate_ranking"`      // AI ranks applicants
	BiasAuditsDone        bool `json:"bias_audits_done"`       // Regular bias audits are performed
	AGGCategoriesVisible  bool `json:"agg_categories_visible"` // System can see name/photo/age (AGG-protected attributes)
	HumanReviewEnforced   bool `json:"human_review_enforced"`  // A human reviews every AI recommendation
	PerformanceEvaluation bool `json:"performance_evaluation"` // AI evaluates employee performance
}

// EducationContext captures education-specific compliance data (AI Act Annex III Nr. 3).
type EducationContext struct {
	GradeInfluence        bool `json:"grade_influence"`         // AI influences grades
	ExamEvaluation        bool `json:"exam_evaluation"`         // AI evaluates exams
	StudentSelection      bool `json:"student_selection"`       // AI influences admission/selection
	MinorsInvolved        bool `json:"minors_involved"`         // Minors are affected
	TeacherReviewRequired bool `json:"teacher_review_required"` // A teacher reviews the AI result
	LearningAdaptation    bool `json:"learning_adaptation"`     // AI adapts learning paths
}

// HealthcareContext captures healthcare-specific compliance data (AI Act Annex III Nr. 5 + MDR).
type HealthcareContext struct {
	DiagnosisSupport     bool `json:"diagnosis_support"`        // AI supports diagnoses
	TreatmentRecommend   bool `json:"treatment_recommendation"` // AI recommends treatments
	TriageDecision       bool `json:"triage_decision"`          // AI prioritizes patients
	PatientDataProcessed bool `json:"patient_data_processed"`   // Health data is processed
	MedicalDevice        bool `json:"medical_device"`           // System is a medical device
	ClinicalValidation   bool `json:"clinical_validation"`      // Clinically validated
}

// LegalDomainContext captures legal/justice-specific compliance data (AI Act Annex III Nr. 8).
type LegalDomainContext struct {
	LegalAdvice        bool `json:"legal_advice"`        // AI gives legal advice
	ContractAnalysis   bool `json:"contract_analysis"`   // AI analyzes contracts
	CourtPrediction    bool `json:"court_prediction"`    // AI predicts court rulings
	AccessToJustice    bool `json:"access_to_justice"`   // AI influences access to justice
	ClientConfidential bool `json:"client_confidential"` // Attorney-client confidentiality is affected
}

// PublicSectorContext captures public sector compliance data (Art. 27 FRIA).
type PublicSectorContext struct {
	AdminDecision       bool `json:"admin_decision"`       // AI influences administrative decisions
	CitizenService      bool `json:"citizen_service"`      // AI used in citizen services
	BenefitAllocation   bool `json:"benefit_allocation"`   // AI allocates benefits/funds
	PublicSafety        bool `json:"public_safety"`        // AI used in public safety
	TransparencyEnsured bool `json:"transparency_ensured"` // Transparency toward citizens is ensured
}

// CriticalInfraContext captures critical infrastructure data (NIS2 + Annex III Nr. 2).
type CriticalInfraContext struct {
	GridControl      bool `json:"grid_control"`      // AI controls grid/infrastructure
	SafetyCritical   bool `json:"safety_critical"`   // Safety-critical control
	AnomalyDetection bool `json:"anomaly_detection"` // AI detects anomalies
	RedundancyExists bool `json:"redundancy_exists"` // Redundant systems exist
	IncidentResponse bool `json:"incident_response"` // An incident response plan exists
}

// AutomotiveContext captures automotive/aerospace safety data.
type AutomotiveContext struct {
	AutonomousDriving  bool `json:"autonomous_driving"`  // Autonomous driving / ADAS
	SafetyRelevant     bool `json:"safety_relevant"`     // Safety-relevant function
	TypeApprovalNeeded bool `json:"type_approval_needed"` // Type approval required
	FunctionalSafety   bool `json:"functional_safety"`   // ISO 26262 relevant
}

// RetailContext captures retail/e-commerce compliance data.
type RetailContext struct {
	PricingPersonalized  bool `json:"pricing_personalized"`  // Personalized pricing
	CustomerProfiling    bool `json:"customer_profiling"`    // Customer profiling
	RecommendationEngine bool `json:"recommendation_engine"` // Recommendation engine
	CreditScoring        bool `json:"credit_scoring"`        // Credit check at purchase
	DarkPatterns         bool `json:"dark_patterns"`         // Manipulative UI patterns possible
}

// ITSecurityContext captures IT/cybersecurity/telecom data.
type ITSecurityContext struct {
	EmployeeSurveillance bool `json:"employee_surveillance"` // Employee surveillance
	NetworkMonitoring    bool `json:"network_monitoring"`    // Network monitoring
	ThreatDetection      bool `json:"threat_detection"`      // Threat detection
	AccessControl        bool `json:"access_control_ai"`     // AI-assisted access control
	DataRetention        bool `json:"data_retention_logs"`   // Extensive log retention
}

// LogisticsContext captures logistics/transport compliance data.
type LogisticsContext struct {
	DriverTracking    bool `json:"driver_tracking"`        // Driver/courier tracking
	RouteOptimization bool `json:"route_optimization"`     // Route optimization involving personal data
	WorkloadScoring   bool `json:"workload_scoring"`       // Performance scoring of warehouse workers
	PredictiveMaint   bool `json:"predictive_maintenance"` // Predictive maintenance
}

// ConstructionContext captures construction/real estate data.
type ConstructionContext struct {
	SafetyMonitoring   bool `json:"safety_monitoring"`   // Construction-site safety via AI
	TenantScreening    bool `json:"tenant_screening"`    // AI-assisted tenant screening
	BuildingAutomation bool `json:"building_automation"` // Building automation
	WorkerSafety       bool `json:"worker_safety"`       // Occupational safety monitoring
}

// MarketingContext captures marketing/media compliance data.
type MarketingContext struct {
	DeepfakeContent     bool `json:"deepfake_content"`     // Synthetic content (deepfakes)
	ContentModeration   bool `json:"content_moderation"`   // Automated content moderation
	BehavioralTargeting bool `json:"behavioral_targeting"` // Behavioral targeting
	MinorsTargeted      bool `json:"minors_targeted"`      // Minors as target audience
	AIContentLabeled    bool `json:"ai_content_labeled"`   // AI-generated content is labeled as such
}

// ManufacturingContext captures manufacturing/CE safety data.
type ManufacturingContext struct {
	MachineSafety     bool `json:"machine_safety"`      // Machine safety
	QualityControl    bool `json:"quality_control"`     // AI in quality control
	ProcessControl    bool `json:"process_control"`     // AI controls the production process
	CEMarkingRequired bool `json:"ce_marking_required"` // CE marking required
	SafetyValidated   bool `json:"safety_validated"`    // Safety validation performed
}

// AgricultureContext captures agriculture/forestry compliance data.
type AgricultureContext struct {
	PesticideAI       bool `json:"pesticide_ai"`       // AI controls pesticide application
	AnimalWelfare     bool `json:"animal_welfare"`     // AI influences animal husbandry
	EnvironmentalData bool `json:"environmental_data"` // Environmental data is processed
}

// SocialServicesContext captures social services/nonprofit data.
type SocialServicesContext struct {
	VulnerableGroups bool `json:"vulnerable_groups"` // Vulnerable groups are affected
	BenefitDecision  bool `json:"benefit_decision"`  // AI influences benefit allocation
	CaseManagement   bool `json:"case_management"`   // AI in case management
}

// HospitalityContext captures hospitality/tourism data.
type HospitalityContext struct {
	GuestProfiling     bool `json:"guest_profiling"`     // Guest profiling
	DynamicPricing     bool `json:"dynamic_pricing"`     // Dynamic pricing
	ReviewManipulation bool `json:"review_manipulation"` // AI influences reviews
}

// InsuranceContext captures insurance-specific data (beyond FinancialContext).
type InsuranceContext struct {
	RiskClassification bool `json:"risk_classification"` // AI classifies insurance risks
	ClaimsAutomation   bool `json:"claims_automation"`   // Automated claims processing
	PremiumCalculation bool `json:"premium_calculation"` // AI calculates individual premiums
	FraudDetection     bool `json:"fraud_detection"`     // Fraud detection
}

// InvestmentContext captures investment-specific data.
type InvestmentContext struct {
	AlgoTrading      bool `json:"algo_trading"`       // Algorithmic trading
	InvestmentAdvice bool `json:"investment_advice"`  // AI-assisted investment advice
	RoboAdvisor      bool `json:"robo_advisor"`       // Automated wealth management advice
}

// DefenseContext captures defense/dual-use data.
type DefenseContext struct {
	DualUse          bool `json:"dual_use"`          // Dual-use technology
	ExportControlled bool `json:"export_controlled"` // Export control relevant
	ClassifiedData   bool `json:"classified_data"`   // Classified information is processed
}

// SupplyChainContext captures textile/packaging/supply chain data (LkSG).
type SupplyChainContext struct {
	SupplierMonitoring  bool `json:"supplier_monitoring"`  // AI monitors suppliers
	HumanRightsCheck    bool `json:"human_rights_check"`   // Human-rights due diligence in the supply chain
	EnvironmentalImpact bool `json:"environmental_impact"` // Environmental impact analyzed
}

// FacilityContext captures facility management data.
type FacilityContext struct {
	AccessControlAI    bool `json:"access_control_ai"`   // AI-based physical access control
	OccupancyTracking  bool `json:"occupancy_tracking"`  // Occupancy monitoring
	EnergyOptimization bool `json:"energy_optimization"` // Energy optimization
}

// SportsContext captures sports/general data.
type SportsContext struct {
	AthleteTracking bool `json:"athlete_tracking"` // Athlete performance tracking
	FanProfiling    bool `json:"fan_profiling"`    // Fan/spectator profiling
	DopingDetection bool `json:"doping_detection"` // AI in doping control
}

// DataTypes specifies what kinds of data are processed.
type DataTypes struct {
	PersonalData  bool `json:"personal_data"`
	Article9Data  bool `json:"article_9_data"` // Special categories (health, religion, etc.)
	MinorData     bool `json:"minor_data"`     // Data of children
	LicensePlates bool `json:"license_plates"` // Vehicle license plates
	Images        bool `json:"images"`         // Photos/images of persons
	Audio         bool `json:"audio"`          // Voice recordings
	LocationData  bool `json:"location_data"`  // GPS/location tracking
	BiometricData bool `json:"biometric_data"` // Fingerprints, face recognition
	FinancialData bool `json:"financial_data"` // Bank accounts, salaries
	EmployeeData  bool `json:"employee_data"`  // HR/employment data
	CustomerData  bool `json:"customer_data"`  // Customer information
	PublicData    bool `json:"public_data"`    // Publicly available data only
}

// Purpose specifies the processing purpose.
type Purpose struct {
	CustomerSupport   bool `json:"customer_support"`
	Marketing         bool `json:"marketing"`
	Analytics         bool `json:"analytics"`
	Automation        bool `json:"automation"`
	EvaluationScoring bool `json:"evaluation_scoring"` // Scoring/ranking of persons
	DecisionMaking    bool `json:"decision_making"`    // Automated decisions
	Profiling         bool `json:"profiling"`
	Research          bool `json:"research"`
	InternalTools     bool `json:"internal_tools"`
	PublicService     bool `json:"public_service"`
}

// Outputs specifies output characteristics.
type Outputs struct {
	RecommendationsToUsers bool `json:"recommendations_to_users"`
	RankingsOrScores       bool `json:"rankings_or_scores"` // Outputs rankings/scores
	LegalEffects           bool `json:"legal_effects"`      // Has legal consequences
	AccessDecisions        bool `json:"access_decisions"`   // Grants/denies access
	ContentGeneration      bool `json:"content_generation"` // Generates text/media
	DataExport             bool `json:"data_export"`        // Exports data externally
}

// Hosting specifies where the AI runs.
type Hosting struct {
	Provider      string `json:"provider,omitempty"`       // e.g., "Azure", "AWS", "Hetzner", "On-Prem"
	Region        string `json:"region"`                   // "eu", "third_country", "on_prem" — free string; not constrained by the type, so validate at the boundary
	DataResidency string `json:"data_residency,omitempty"` // Where data is stored
}

// ModelUsage specifies how the model is used.
type ModelUsage struct {
	RAG       bool `json:"rag"`       // Retrieval-Augmented Generation only
	Finetune  bool `json:"finetune"`  // Fine-tuning with data
	Training  bool `json:"training"`  // Full training with data
	Inference bool `json:"inference"` // Inference only
}

// Retention specifies data retention.
type Retention struct {
	StorePrompts   bool `json:"store_prompts"`
	StoreResponses bool `json:"store_responses"`
	// Because of omitempty, 0 is dropped on the wire: "unspecified" and
	// "zero days" are indistinguishable to a consumer of this JSON.
	RetentionDays     int  `json:"retention_days,omitempty"`
	AnonymizeAfterUse bool `json:"anonymize_after_use"`
}

// ============================================================================
// Financial Regulations Structs (DORA, MaRisk, BAIT)
// ============================================================================

// FinancialEntityType represents the type of financial institution.
type FinancialEntityType string

const (
	FinancialEntityCreditInstitution      FinancialEntityType = "CREDIT_INSTITUTION"
	FinancialEntityPaymentServiceProvider FinancialEntityType = "PAYMENT_SERVICE_PROVIDER"
	FinancialEntityEMoneyInstitution      FinancialEntityType = "E_MONEY_INSTITUTION"
	FinancialEntityInvestmentFirm         FinancialEntityType = "INVESTMENT_FIRM"
	FinancialEntityInsuranceCompany       FinancialEntityType = "INSURANCE_COMPANY"
	FinancialEntityCryptoAssetProvider    FinancialEntityType = "CRYPTO_ASSET_PROVIDER"
	FinancialEntityOther                  FinancialEntityType = "OTHER_FINANCIAL"
)

// SizeCategory represents the significance category of a financial institution.
type SizeCategory string

const (
	SizeCategorySignificant     SizeCategory = "SIGNIFICANT"
	SizeCategoryLessSignificant SizeCategory = "LESS_SIGNIFICANT"
	SizeCategorySmall           SizeCategory = "SMALL"
)

// ProviderLocation represents the location of an ICT service provider.
type ProviderLocation string

const (
	ProviderLocationEU               ProviderLocation = "EU"
	ProviderLocationEEA              ProviderLocation = "EEA"
	ProviderLocationAdequacyDecision ProviderLocation = "ADEQUACY_DECISION"
	ProviderLocationThirdCountry     ProviderLocation = "THIRD_COUNTRY"
)

// FinancialEntity describes the financial institution context.
type FinancialEntity struct {
	Type         FinancialEntityType `json:"type"`
	Regulated    bool                `json:"regulated"`
	SizeCategory SizeCategory        `json:"size_category"`
}

// ICTService describes ICT service characteristics for DORA compliance.
type ICTService struct {
	IsCritical        bool             `json:"is_critical"`
	IsOutsourced      bool             `json:"is_outsourced"`
	ProviderLocation  ProviderLocation `json:"provider_location"`
	ConcentrationRisk bool             `json:"concentration_risk"`
}

// FinancialAIApplication describes financial-specific AI application characteristics.
type FinancialAIApplication struct {
	AffectsCustomerDecisions bool `json:"affects_customer_decisions"`
	AlgorithmicTrading       bool `json:"algorithmic_trading"`
	RiskAssessment           bool `json:"risk_assessment"`
	AMLKYC                   bool `json:"aml_kyc"`
	ModelValidationDone      bool `json:"model_validation_done"`
}

// FinancialContext aggregates all financial regulation-specific information.
type FinancialContext struct {
	FinancialEntity FinancialEntity        `json:"financial_entity"`
	ICTService      ICTService             `json:"ict_service"`
	AIApplication   FinancialAIApplication `json:"ai_application"`
}

// ============================================================================
// Output Structs
// ============================================================================

// AssessmentResult represents the complete evaluation result.
type AssessmentResult struct {
	// Overall verdict
	Feasibility Feasibility `json:"feasibility"`
	RiskLevel   RiskLevel   `json:"risk_level"`
	Complexity  Complexity  `json:"complexity"`
	RiskScore   int         `json:"risk_score"` // 0-100

	// Triggered rules
	TriggeredRules []TriggeredRule `json:"triggered_rules"`

	// Required controls/mitigations
	RequiredControls []RequiredControl `json:"required_controls"`

	// Recommended architecture patterns
	RecommendedArchitecture []PatternRecommendation `json:"recommended_architecture"`

	// Patterns that must NOT be used
	ForbiddenPatterns []ForbiddenPattern `json:"forbidden_patterns"`

	// Matching didactic examples
	ExampleMatches []ExampleMatch `json:"example_matches"`

	// Special flags
	DSFARecommended bool            `json:"dsfa_recommended"`
	Art22Risk       bool            `json:"art22_risk"` // Art. 22 GDPR automated decision risk
	TrainingAllowed TrainingAllowed `json:"training_allowed"`

	// BetrVG Conflict Score (0-100) — works council escalation risk
	BetrvgConflictScore        int  `json:"betrvg_conflict_score"`
	BetrvgConsultationRequired bool `json:"betrvg_consultation_required"`

	// Input (needed for escalation logic). Excluded from JSON so the raw
	// intake (including UseCaseText) is never emitted through this struct.
	Intake UseCaseIntake `json:"-"` // not serialized, internal use only

	// Summary for humans
	Summary             string `json:"summary"`
	Recommendation      string `json:"recommendation"`
	AlternativeApproach string `json:"alternative_approach,omitempty"`
}

// TriggeredRule represents a rule that was triggered during evaluation.
type TriggeredRule struct {
	Code        string   `json:"code"`     // e.g., "R-001"
	Category    string   `json:"category"` // e.g., "A. Datenklassifikation"
	Title       string   `json:"title"`
	Description string   `json:"description"`
	Severity    Severity `json:"severity"`
	ScoreDelta  int      `json:"score_delta"`
	GDPRRef     string   `json:"gdpr_ref,omitempty"` // e.g., "Art. 9 DSGVO"
	Rationale   string   `json:"rationale"`          // Why this rule triggered
}

// RequiredControl represents a control that must be implemented.
type RequiredControl struct {
	ID          string   `json:"id"`
	Title       string   `json:"title"`
	Description string   `json:"description"`
	Severity    Severity `json:"severity"`
	Category    string   `json:"category"` // "technical" or "organizational"
	GDPRRef     string   `json:"gdpr_ref,omitempty"`
}

// PatternRecommendation represents a recommended architecture pattern.
type PatternRecommendation struct {
	PatternID   string `json:"pattern_id"` // e.g., "P-RAG-ONLY"
	Title       string `json:"title"`
	Description string `json:"description"`
	Rationale   string `json:"rationale"`
	Priority    int    `json:"priority"` // 1=highest
}

// ForbiddenPattern represents a pattern that must NOT be used.
type ForbiddenPattern struct {
	PatternID   string `json:"pattern_id"`
	Title       string `json:"title"`
	Description string `json:"description"`
	Reason      string `json:"reason"`
	GDPRRef     string `json:"gdpr_ref,omitempty"`
}

// ExampleMatch represents a matching didactic example.
type ExampleMatch struct {
	ExampleID   string  `json:"example_id"`
	Title       string  `json:"title"`
	Description string  `json:"description"`
	Similarity  float64 `json:"similarity"` // 0.0 - 1.0
	Outcome     string  `json:"outcome"`    // What happened / recommendation
	Lessons     string  `json:"lessons"`    // Key takeaways
}

// ============================================================================
// Database Entity
// ============================================================================

// Assessment represents a stored assessment in the database.
type Assessment struct {
	ID            uuid.UUID  `json:"id"`
	TenantID      uuid.UUID  `json:"tenant_id"`
	NamespaceID   *uuid.UUID `json:"namespace_id,omitempty"`
	Title         string     `json:"title"`
	PolicyVersion string     `json:"policy_version"`
	Status        string     `json:"status"` // "completed", "draft"

	// Input.
	// NOTE(review): unlike AssessmentResult.Intake, this Intake IS serialized and
	// it embeds UseCaseText. Confirm that the persistence layer blanks
	// UseCaseText when StoreRawText is false; otherwise the "hash only" option
	// is undermined by this field.
	Intake            UseCaseIntake `json:"intake"`
	UseCaseTextStored bool          `json:"use_case_text_stored"` // true when the raw text was persisted (StoreRawText opt-in)
	UseCaseTextHash   string        `json:"use_case_text_hash"`   // hash of UseCaseText; algorithm is not defined in this file

	// Results
	Feasibility             Feasibility             `json:"feasibility"`
	RiskLevel               RiskLevel               `json:"risk_level"`
	Complexity              Complexity              `json:"complexity"`
	RiskScore               int                     `json:"risk_score"` // 0-100, same scale as AssessmentResult.RiskScore
	TriggeredRules          []TriggeredRule         `json:"triggered_rules"`
	RequiredControls        []RequiredControl       `json:"required_controls"`
	RecommendedArchitecture []PatternRecommendation `json:"recommended_architecture"`
	ForbiddenPatterns       []ForbiddenPattern      `json:"forbidden_patterns"`
	ExampleMatches          []ExampleMatch          `json:"example_matches"`
	DSFARecommended         bool                    `json:"dsfa_recommended"`
	Art22Risk               bool                    `json:"art22_risk"`
	TrainingAllowed         TrainingAllowed         `json:"training_allowed"`

	// BetrVG Conflict Score (0-100) — works council escalation risk
	BetrvgConflictScore        int  `json:"betrvg_conflict_score"`
	BetrvgConsultationRequired bool `json:"betrvg_consultation_required"`

	// Corpus Versioning (RAG)
	CorpusVersionID *uuid.UUID `json:"corpus_version_id,omitempty"`
	CorpusVersion   string     `json:"corpus_version,omitempty"`

	// LLM Explanation (optional)
	ExplanationText        *string    `json:"explanation_text,omitempty"`
	ExplanationGeneratedAt *time.Time `json:"explanation_generated_at,omitempty"`
	ExplanationModel       *string    `json:"explanation_model,omitempty"`

	// Domain
	Domain Domain `json:"domain"`

	// Audit
	CreatedAt time.Time `json:"created_at"`
	UpdatedAt time.Time `json:"updated_at"`
	CreatedBy uuid.UUID `json:"created_by"`
}

// ============================================================================
// API Request/Response Types
// ============================================================================

// AssessRequest is the API request for creating an assessment.
type AssessRequest struct {
	Intake UseCaseIntake `json:"intake"`
}

// AssessResponse is the API response for an assessment.
type AssessResponse struct {
	Assessment Assessment       `json:"assessment"`
	Result     AssessmentResult `json:"result"`
	Escalation *Escalation      `json:"escalation,omitempty"`
}

// ExplainRequest is the API request for generating an explanation.
type ExplainRequest struct {
	Language string `json:"language,omitempty"` // "de" or "en", default "de" — client-supplied; presumably checked against this set by the handler
}

// ExplainResponse is the API response for an explanation.
type ExplainResponse struct {
	ExplanationText string        `json:"explanation_text"`
	GeneratedAt     time.Time     `json:"generated_at"`
	Model           string        `json:"model"`
	LegalContext    *LegalContext `json:"legal_context,omitempty"`
}

// ExportFormat specifies the export format.
type ExportFormat string

const (
	ExportFormatJSON     ExportFormat = "json"
	ExportFormatMarkdown ExportFormat = "md"
)

// ============================================================================
// AI Act Decision Tree Types
// ============================================================================

// GPAICategory represents the GPAI classification result.
type GPAICategory string

const (
	GPAICategoryNone     GPAICategory = "none"
	GPAICategoryStandard GPAICategory = "standard"
	GPAICategorySystemic GPAICategory = "systemic"
)

// GPAIClassification represents the result of the GPAI axis evaluation.
type GPAIClassification struct {
	IsGPAI             bool         `json:"is_gpai"`
	IsSystemicRisk     bool         `json:"is_systemic_risk"`
	Category           GPAICategory `json:"gpai_category"`
	ApplicableArticles []string     `json:"applicable_articles"`
	Obligations        []string     `json:"obligations"`
}

// DecisionTreeAnswer represents a user's answer to a decision tree question.
type DecisionTreeAnswer struct {
	QuestionID string `json:"question_id"`
	Value      bool   `json:"value"`
	Note       string `json:"note,omitempty"`
}

// DecisionTreeQuestion represents a single question in the decision tree.
type DecisionTreeQuestion struct {
	ID          string `json:"id"`
	Axis        string `json:"axis"`        // "high_risk" or "gpai"
	Question    string `json:"question"`
	Description string `json:"description"` // Additional context
	ArticleRef  string `json:"article_ref"` // e.g., "Art. 5", "Anhang III"
	SkipIf      string `json:"skip_if,omitempty"` // Question ID — skip if that was answered "no"
}

// DecisionTreeDefinition represents the full decision tree structure for the frontend.
type DecisionTreeDefinition struct {
	ID        string                 `json:"id"`
	Name      string                 `json:"name"`
	Version   string                 `json:"version"`
	Questions []DecisionTreeQuestion `json:"questions"`
}

// DecisionTreeEvalRequest is the API request for evaluating the decision tree.
type DecisionTreeEvalRequest struct {
	SystemName        string `json:"system_name"`
	SystemDescription string `json:"system_description,omitempty"`
	// Keyed by question ID. The type places no bound on the number of keys or
	// on whether they match a DecisionTreeDefinition — confirm the handler
	// validates this against the tree before evaluation.
	Answers map[string]DecisionTreeAnswer `json:"answers"`
}

// DecisionTreeResult represents the combined evaluation result.
type DecisionTreeResult struct {
	ID                  uuid.UUID                     `json:"id"`
	TenantID            uuid.UUID                     `json:"tenant_id"`
	ProjectID           *uuid.UUID                    `json:"project_id,omitempty"`
	SystemName          string                        `json:"system_name"`
	SystemDescription   string                        `json:"system_description,omitempty"`
	Answers             map[string]DecisionTreeAnswer `json:"answers"`
	HighRiskResult      AIActRiskLevel                `json:"high_risk_result"`
	GPAIResult          GPAIClassification            `json:"gpai_result"`
	CombinedObligations []string                      `json:"combined_obligations"`
	ApplicableArticles  []string                      `json:"applicable_articles"`
	CreatedAt           time.Time                     `json:"created_at"`
	UpdatedAt           time.Time                     `json:"updated_at"`
}