Benjamin_Boenisch/breakpilot-compliance
1
0
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0a64da74bbe9810122e0c97051cdb759995346bb
breakpilot-compliance/backend-compliance/compliance
T
History
Benjamin Admin 662327e8b4
CI / nodejs-build (push) Successful in 2m47s
Details
CI / branch-name (push) Has been skipped
Details
CI / guardrail-integrity (push) Has been skipped
Details
CI / detect-changes (push) Successful in 10s
Details
CI / secret-scan (push) Has been skipped
Details
CI / dep-audit (push) Has been skipped
Details
CI / sbom-scan (push) Has been skipped
Details
CI / validate-canonical-controls (push) Successful in 16s
Details
CI / loc-budget (push) Failing after 17s
Details
CI / go-lint (push) Has been skipped
Details
CI / python-lint (push) Has been skipped
Details
CI / nodejs-lint (push) Has been skipped
Details
CI / test-python-backend (push) Successful in 42s
Details
CI / test-python-document-crawler (push) Has been skipped
Details
CI / test-go (push) Has been skipped
Details
CI / iace-gt-coverage (push) Has been skipped
Details
CI / test-python-dsms-gateway (push) Has been skipped
Details
feat(compliance-check): MC-Classification + Embedding + Vendor-Redundanz + Action-Recipes + Borlabs-Features 
Massiv-Update auf Basis BMW-Test-Iterationen (v1→v9):

Core Compliance-Check
- Sonnet check_type Klassifikation: text/process/review fuer alle 1874 MCs
  in compliance.doc_check_controls (script + Sidecar /data/mc_classification.db).
  rag_document_checker filtert auf check_type='text' fuer doc_check.
  Plus fits_doc_type-Audit (v2) + ui_only-Audit fuer DSA/E-Commerce-MCs in
  falscher doc_type-Schublade.
- scope_requires-Filter: biometric/ai_decision/child_targeting MCs werden
  per business_profile gefiltert (FRT skipped fuer BMW etc.).
- Embedding-Match (BGE-M3) als Phase-3 nach Regex-Match:
  Per-doc_type-Threshold-Override (impressum 0.50, dse/cookie 0.60),
  Short-Field-Rescue (15-Wort-Chunks) fuer Pflichtfelder im Impressum.
  Title+check_question als Embedding-Input fuer mehr Kontext.
- Cookie-Text-Routing: consent-tester gibt cmp_cookie_text aus dem
  CMP-Reconstruct zurueck, Backend bevorzugt das gegen DOM-Extraction
  wenn richer (BMW 1824 vs 600 Worte).

Vendor-Redundanz + EU-Alternativen + Cost-Saving
- vendor_redundancy.analyze() — funktionale Kategorisierung der CMP-Vendors,
  Detektion von Mehrfach-Anbietern pro Kategorie, EU-Alternative-Lookup
  (Matomo, IONOS, HERE, Friendly Captcha, Smart AdServer, ...).
- vendor_cost_estimator: Tier-Inferenz aus Cookie-Footprint (Cookie-Anzahl
  + Premium-Feature-Cookies + Third-Party-Quote → starter/professional/
  enterprise/premier).
- Self-Service-Werbung (Google/Meta/Pinterest/...) = 0 Lizenz-Kosten
  (nur Media-Spend, separat). DSP-Plattformen behalten enge Range.
- Tier-aware Saving-Range: bei Enterprise/Premier nutzen wir den
  oberen 40-100%-Band der Listpreise, nicht starter→premier.
- Multi-Function-Tools (Matomo Pro, SAP CX, IONOS Cloud, Userlike, Smart
  AdServer, HERE Maps, Vimeo Pro, LamaPoll) — ein Tool ersetzt mehrere
  Kategorien gleichzeitig.

Cookie-Wissens-DB + Funktionale Klassifikation
- cookie_knowledge_db: 50 kuratierte Top-Cookies (Google/Meta/Adobe/MS/...)
  mit vendor, exact_purpose, data_collected, IAB-TCF-IDs, reid_risk,
  schrems_ii_status, EuGH-Urteile, EU-Alternative.
- cookie_function_classifier: pro Cookie funktionale Rolle (tracking_id,
  ad_pixel, session_id, ab_test, csrf, ...) + blocking_impact.

Country-Inferenz aus Rechtsform
- cookie_link_validator: Country-Field wird aus Vendor-Name abgeleitet
  (A/S=DK, GmbH=DE, Inc=US, B.V.=NL, ...) plus Vendor-Lookup-Table.
  Reduziert false-positive no_country-Flags bei eindeutig-EU-Vendors
  (Adform DK, Pinterest IE).

Action-Recipes + Doc-Anchor-Locator
- finding_action_recipes: pro Finding-Typ (no_cookies_listed, no_country,
  broken_opt_out, "Auftragsverarbeiter erwaehnen", "Art. 22 Profiling",
  ...) eine strukturierte Anweisung mit what/why/fix_text/where/example.
  Zum 1:1-Einfuegen in Kunden-Dokumente.
- doc_anchor_locator: Embedding-basiert (BGE-M3 cosine) — sucht den
  passenden Absatz im existierenden Kundendokument fuer jeden Finding.
  Per-Run Thread-Local-Cache. Fallback: keyword-Match.
- Email-Rendering integriert Recipe + Anchor pro Doc-Pruefungs-Fail
  + Vendor-Flag-Liste mit aufklappbarer Action-Liste.
- Score-Erklaerung pro Vendor-Zeile (3/5-Untertitel + Tooltip).

Migration-Pipeline (Compliance-Check -> Customer Banner/Documents)
- migration_to_banner.py: Vendor-Liste -> CookieBannerConfig mit
  4 Kategorien + Review-Flags.
- migration_to_document.py: Vendor-Liste -> Cookie-Policy + VVT-Register
  + Privacy-Policy-Pre-Fills.
- agent_migration_routes: 3 Preview-Endpoints (banner-preview,
  document-preview, summary). Persistierung der cmp_vendors in
  /data/compliance_audits.db check_payloads-Tabelle.

Borlabs-Parity Cookie-Banner-Features
- Consent-Historie im Banner: window.bpShowConsentHistory() + localStorage.
- Content-Blocker: cookie-banner-content-blocker.ts — YouTube/Maps/Video
  Placeholder bis Einwilligung.
- Google Consent Mode v2 erweitert: wait_for_update + region=EEA/CH/GB.
- Consent-Log Export (CSV/JSON) per einwilligungen_export_routes.

Bug-Fixes
- canonical_control_routes: _jsonish-Helper fuer string-typed jsonb,
  similar-controls-Endpoint mit _has_embedding_col()-Cache (kein 500 mehr).
- Control-Library Frontend: defensive .map-Coercer in 2 Detail-Views.
- Embedding-Service-Batching (32er Batches statt 165 in einem Call).
- KeyError 'control_id' in MC-Result-Aggregation (defensive .get).
- Master-Controls-Klick-Through von /sdk/master-controls auf
  /sdk/control-library?control=<id> mit URL-Param-Auto-Open.
- Dockerfile: /data pre-chowned auf appuser (Audit-DB-Schreibrecht).
- Cookie-Text-Routing-Bug (cmp_reconstructed > DOM-extraction).
- doc_type-aware MC-Filter (statt all-text-MCs).
- Master-Contract-Dedup (60 BMW-Internal-Eintraege = 1 Adobe-Vertrag).
- A3-v2-Audit hat 24 UI-Sprache-MCs als 'process' reklassifiziert.

Tests
- test_migration_mappers.py (9 Tests)
- test_migration_endpoints.py (4 Tests)

Skripte (one-shot)
- classify_mc_check_type.py (v1) + _v2 (PK=control_id,doc_type)
- audit_mc_doctype_fit.py (v1 fits) + _v2 (ui_only + scope_requires)

BMW-Run-Bilanz v1 (broken) -> v9 (alle Fixes):
  DSE     7,5% -> 81-83%
  Impressum 4%   -> 100% (6 echte MCs alle erfuellt)
  Cookie  0%    -> 79-83% (CMP-Text-Routing + Embedding)
  Plus: 10 Konsolidierungs-Kategorien, geschaetzte Saving 200k-3M / Jahr
  Plus: Action-Recipes + Doc-Anchors fuer jeden Fail

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 18:30:08 +02:00
..
api
feat(compliance-check): MC-Classification + Embedding + Vendor-Redundanz + Action-Recipes + Borlabs-Features
2026-05-18 18:30:08 +02:00
data
fix: normative_strength 'may' statt 'can' (DB-Constraint)
2026-03-25 08:35:16 +01:00
db
feat(cmp): Phase 2 — script blocking + cookie tracking
2026-05-11 22:52:26 +02:00
domain
refactor: phase 0 guardrails + phase 1 step 2 (models.py split)
2026-04-07 13:18:29 +02:00
repositories
refactor: phase 0 guardrails + phase 1 step 2 (models.py split)
2026-04-07 13:18:29 +02:00
schemas
feat(cmp): timezone→geo_country mapping + timezone parameter
2026-05-12 14:43:13 +02:00
scripts
fix(quality): Ruff/CVE/TS-Fixes, 104 neue Tests, Complexity-Refactoring
2026-03-07 19:00:33 +01:00
services
feat(compliance-check): MC-Classification + Embedding + Vendor-Redundanz + Action-Recipes + Borlabs-Features
2026-05-18 18:30:08 +02:00
tests
refactor: phase 0 guardrails + phase 1 step 2 (models.py split)
2026-04-07 13:18:29 +02:00
__init__.py
Initial commit: breakpilot-compliance - Compliance SDK Platform
2026-02-11 23:47:28 +01:00
README_AI.md
Initial commit: breakpilot-compliance - Compliance SDK Platform
2026-02-11 23:47:28 +01:00
README.md
feat(sdk): Multi-Projekt-Architektur — mehrere Projekte pro Tenant
2026-03-09 14:53:50 +01:00
SERVICE_COVERAGE.md
Initial commit: breakpilot-compliance - Compliance SDK Platform
2026-02-11 23:47:28 +01:00
SPRINT3_INTEGRATION.md
Initial commit: breakpilot-compliance - Compliance SDK Platform
2026-02-11 23:47:28 +01:00
SPRINT_4_SUMMARY.md
Initial commit: breakpilot-compliance - Compliance SDK Platform
2026-02-11 23:47:28 +01:00

README.md

Breakpilot Compliance & Audit Framework

Uebersicht

Enterprise-ready GRC (Governance, Risk, Compliance) Framework fuer die Breakpilot EdTech-Plattform.

Kernfunktionen

Feature Status Beschreibung
19 EU-Regulations Aktiv DSGVO, AI Act, CRA, NIS2, Data Act, etc.
558 Requirements Aktiv Automatisch extrahiert aus EUR-Lex + BSI-TR PDFs
44 Controls Aktiv Technische und organisatorische Massnahmen
474 Control-Mappings Aktiv Keyword-basiertes Auto-Mapping
KI-Interpretation Aktiv Claude API fuer Anforderungsanalyse
Executive Dashboard Aktiv Ampel-Status, Trends, Top-Risiken

Architektur

backend/compliance/
├── api/
│   ├── routes.py         # 52 FastAPI Endpoints
│   └── schemas.py        # Pydantic Response Models
├── db/
│   ├── models.py         # SQLAlchemy Models
│   └── repository.py     # CRUD Operations
├── data/
│   ├── regulations.py    # 19 Regulations Seed
│   ├── controls.py       # 44 Controls Seed
│   ├── requirements.py   # Requirements Seed
│   └── service_modules.py # 30 Service-Module
├── services/
│   ├── ai_compliance_assistant.py  # Claude Integration
│   ├── llm_provider.py             # LLM Abstraction Layer
│   ├── pdf_extractor.py            # BSI-TR PDF Parser
│   └── regulation_scraper.py       # EUR-Lex Scraper
└── tests/                # Pytest Tests (in /backend/tests/)

Schnellstart

1. Backend starten

cd backend
docker-compose up -d
# ODER
uvicorn main:app --reload --port 8000

2. Datenbank initialisieren

# Regulations, Controls, Requirements seeden
curl -X POST http://localhost:8000/api/v1/compliance/seed \
  -H "Content-Type: application/json" \
  -d '{"force": false}'

# Service-Module seeden
curl -X POST http://localhost:8000/api/v1/compliance/modules/seed \
  -H "Content-Type: application/json" \
  -d '{"force": false}'

3. KI-Interpretation aktivieren

# Vault-gesteuerte API-Keys
export VAULT_ADDR=http://localhost:8200
export VAULT_TOKEN=breakpilot-dev-token

# Status pruefen
curl http://localhost:8000/api/v1/compliance/ai/status

# Einzelne Anforderung interpretieren
curl -X POST http://localhost:8000/api/v1/compliance/ai/interpret \
  -H "Content-Type: application/json" \
  -d '{"requirement_id": "REQ-ID", "save_to_db": true}'

API-Endpoints

Dashboard & Executive View

Method Endpoint Beschreibung
GET /api/v1/compliance/dashboard Dashboard-Daten mit Scores
GET /api/v1/compliance/dashboard/executive Executive Dashboard (Ampel, Trends)
GET /api/v1/compliance/dashboard/trend Score-Trend (12 Monate)

Regulations & Requirements

Method Endpoint Beschreibung
GET /api/v1/compliance/regulations Alle 19 Regulations
GET /api/v1/compliance/regulations/{code} Eine Regulation
GET /api/v1/compliance/requirements 558 Requirements (paginiert)
GET /api/v1/compliance/requirements/{id} Einzelnes Requirement

Controls & Mappings

Method Endpoint Beschreibung
GET /api/v1/compliance/controls Alle 44 Controls
GET /api/v1/compliance/controls/{id} Ein Control
GET /api/v1/compliance/controls/by-domain/{domain} Controls nach Domain
GET /api/v1/compliance/mappings 474 Control-Mappings

KI-Features

Method Endpoint Beschreibung
GET /api/v1/compliance/ai/status LLM Provider Status
POST /api/v1/compliance/ai/interpret Requirement interpretieren
POST /api/v1/compliance/ai/batch Batch-Interpretation
POST /api/v1/compliance/ai/suggest-controls Control-Vorschlaege

Scraper & Import

Method Endpoint Beschreibung
POST /api/v1/compliance/scraper/fetch EUR-Lex Live-Fetch
POST /api/v1/compliance/scraper/extract-pdf BSI-TR PDF Extraktion
GET /api/v1/compliance/scraper/status Scraper-Status

Evidence & Risks

Method Endpoint Beschreibung
GET /api/v1/compliance/evidence Alle Nachweise
POST /api/v1/compliance/evidence/collect CI/CD Evidence Upload
GET /api/v1/compliance/risks Risk Register
GET /api/v1/compliance/risks/matrix Risk Matrix View

Datenmodell

RegulationDB

class RegulationDB(Base):
    id: str                    # UUID
    code: str                  # "GDPR", "AIACT", etc.
    name: str                  # Kurzname
    full_name: str             # Vollstaendiger Name
    regulation_type: enum      # eu_regulation, bsi_standard, etc.
    source_url: str            # EUR-Lex URL
    effective_date: date       # Inkrafttreten

RequirementDB

class RequirementDB(Base):
    id: str                    # UUID
    regulation_id: str         # FK zu Regulation
    article: str               # "Art. 32"
    paragraph: str             # "(1)(a)"
    title: str                 # Kurztitel
    requirement_text: str      # Original-Text
    breakpilot_interpretation: str  # KI-Interpretation
    priority: int              # 1-5

ControlDB

class ControlDB(Base):
    id: str                    # UUID
    control_id: str            # "PRIV-001"
    domain: enum               # gov, priv, iam, crypto, sdlc, ops, ai
    control_type: enum         # preventive, detective, corrective
    title: str                 # Kontroll-Titel
    pass_criteria: str         # Messbare Kriterien
    code_reference: str        # z.B. "middleware/pii_redactor.py:45"
    status: enum               # pass, partial, fail, planned

Frontend-Integration

Compliance Dashboard

/admin/compliance           # Haupt-Dashboard
/admin/compliance/controls  # Control Catalogue
/admin/compliance/evidence  # Evidence Management
/admin/compliance/risks     # Risk Matrix
/admin/compliance/scraper   # Regulation Scraper
/admin/compliance/audit-workspace  # Audit Workspace

Neue Komponenten (Sprint 1+2)

  • ComplianceTrendChart.tsx - Recharts-basierter Trend-Chart
  • TrafficLightIndicator.tsx - Ampel-Status Anzeige
  • LanguageSwitch.tsx - DE/EN Terminologie-Umschaltung
  • GlossaryTooltip.tsx - Erklaerungen fuer Fachbegriffe

i18n-System

import { getTerm, Language } from '@/lib/compliance-i18n'

// Nutzung
const label = getTerm('de', 'control')  // "Massnahme"
const label = getTerm('en', 'control')  // "Control"

Tests

# Alle Compliance-Tests ausfuehren
cd backend
pytest tests/test_compliance_*.py -v

# Einzelne Test-Dateien
pytest tests/test_compliance_api.py -v      # API Endpoints
pytest tests/test_compliance_ai.py -v       # KI-Integration
pytest tests/test_compliance_repository.py -v  # Repository
pytest tests/test_compliance_pdf_extractor.py -v  # PDF Parser

Umgebungsvariablen

# LLM Provider
COMPLIANCE_LLM_PROVIDER=anthropic  # oder "mock" fuer Tests
ANTHROPIC_API_KEY=sk-ant-...       # Falls nicht ueber Vault

# Vault Integration
VAULT_ADDR=http://localhost:8200
VAULT_TOKEN=breakpilot-dev-token

# Datenbank
DATABASE_URL=postgresql://user:pass@localhost:5432/breakpilot

Regulations-Uebersicht

Code Name Typ Requirements
GDPR DSGVO EU-Verordnung ~50
AIACT AI Act EU-Verordnung ~80
CRA Cyber Resilience Act EU-Verordnung ~60
NIS2 NIS2-Richtlinie EU-Richtlinie ~40
DATAACT Data Act EU-Verordnung ~35
DGA Data Governance Act EU-Verordnung ~30
DSA Digital Services Act EU-Verordnung ~25
EUCSA EU Cybersecurity Act EU-Verordnung ~20
EAA European Accessibility Act EU-Richtlinie ~15
BSI-TR-03161-1 Mobile Anwendungen Teil 1 BSI-Standard ~30
BSI-TR-03161-2 Mobile Anwendungen Teil 2 BSI-Standard ~100
BSI-TR-03161-3 Mobile Anwendungen Teil 3 BSI-Standard ~50
... 7 weitere ... ~50

Control-Domains

Domain Beschreibung Anzahl Controls
gov Governance & Organisation 5
priv Datenschutz & Privacy 7
iam Identity & Access Management 5
crypto Kryptografie 4
sdlc Secure Development 6
ops Betrieb & Monitoring 5
ai KI-spezifisch 5
cra CRA & Supply Chain 4
aud Audit & Nachvollziehbarkeit 3

Erweiterungen

Neue Regulation hinzufuegen

  1. Eintrag in data/regulations.py
  2. Requirements ueber Scraper importieren
  3. Control-Mappings generieren
# EUR-Lex Regulation importieren
curl -X POST http://localhost:8000/api/v1/compliance/scraper/fetch \
  -H "Content-Type: application/json" \
  -d '{"regulation_code": "NEW_REG", "url": "https://eur-lex.europa.eu/..."}'

Neues Control hinzufuegen

  1. Eintrag in data/controls.py
  2. Re-Seed ausfuehren
  3. Mappings werden automatisch generiert

Multi-Projekt-Architektur (Migration 039)

Jeder Tenant kann mehrere Compliance-Projekte anlegen. Neue Tabelle compliance_projects, sdk_states erweitert um project_id.

Projekt-API Endpoints

Method Endpoint Beschreibung
GET /api/v1/projects Alle Projekte des Tenants
POST /api/v1/projects Neues Projekt erstellen
GET /api/v1/projects/{id} Einzelnes Projekt
PATCH /api/v1/projects/{id} Projekt aktualisieren
DELETE /api/v1/projects/{id} Projekt archivieren

Siehe compliance/api/project_routes.py und migrations/039_compliance_projects.sql.

Changelog

v2.0 (2026-01-17)

  • Executive Dashboard mit Ampel-Status
  • Trend-Charts (Recharts)
  • DE/EN Terminologie-Umschaltung
  • 52 API-Endpoints
  • 558 Requirements aus 19 Regulations
  • 474 Auto-Mappings
  • KI-Interpretation (Claude API)

v1.0 (2026-01-16)

  • Basis-Dashboard
  • EUR-Lex Scraper
  • BSI-TR PDF Parser
  • Control Catalogue
  • Evidence Management
Reference in New Issue View Git Blame Copy Permalink