Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
23c6ac6f32be178aa79aeb533e7649ae2230b6ee
breakpilot-compliance/README.md
T
Sharang Parnerkar d82f86fc95
CI / detect-changes (pull_request) Successful in 9s
Details
CI / branch-name (pull_request) Successful in 1s
Details
CI / guardrail-integrity (pull_request) Successful in 7s
Details
CI / secret-scan (pull_request) Successful in 11s
Details
CI / dep-audit (pull_request) Failing after 58s
Details
CI / sbom-scan (pull_request) Failing after 1m4s
Details
CI / build-sha-integrity (pull_request) Successful in 6s
Details
CI / validate-canonical-controls (pull_request) Successful in 4s
Details
CI / loc-budget (pull_request) Successful in 25s
Details
CI / go-lint (pull_request) Failing after 22s
Details
CI / python-lint (pull_request) Failing after 13s
Details
CI / nodejs-lint (pull_request) Failing after 1m15s
Details
CI / nodejs-build (pull_request) Successful in 3m12s
Details
CI / test-go (pull_request) Successful in 57s
Details
CI / iace-gt-coverage (pull_request) Successful in 16s
Details
CI / test-python-backend (pull_request) Successful in 25s
Details
CI / test-python-document-crawler (pull_request) Successful in 14s
Details
CI / test-python-dsms-gateway (pull_request) Successful in 10s
Details
feat: wire breakpilot-compliance to Infisical for local dev 
- Add .infisical.json linking the repo to the breakpilot-compliance
  project on the self-hosted secrets.meghsakha.com instance.
- Add Makefile with infisical-aware targets (make dev, dev-build,
  dev-down, secrets, secrets-set). `make dev` runs `infisical run
  --env=dev -- docker compose up`, so secrets are injected at run
  time and .env files no longer touch disk.
- Add INFISICAL_SETUP.md with per-developer onboarding (CLI install,
  login, verify project link, run targets, Claude Code usage patterns,
  troubleshooting).
- Update README Quick Start to drop the cp .env.example .env step and
  point at make dev + INFISICAL_SETUP.md.
- Remove HashiCorp Vault references from CLAUDE.md (core-services list
  + sensitive-files list) and compliance-checklist.md TOM section;
  replace with Infisical.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-22 21:00:58 +02:00

132 lines
5.7 KiB
Markdown
Raw Blame History

# breakpilot-compliance
**DSGVO/AI-Act compliance platform — 10 services, Go · Python · TypeScript**
[![CI](https://gitea.meghsakha.com/Benjamin_Boenisch/breakpilot-compliance/actions/workflows/ci.yaml/badge.svg)](https://gitea.meghsakha.com/Benjamin_Boenisch/breakpilot-compliance/actions)
![Go](https://img.shields.io/badge/Go-1.24-00ADD8?logo=go&logoColor=white)
![Python](https://img.shields.io/badge/Python-3.12-3776AB?logo=python&logoColor=white)
![Node.js](https://img.shields.io/badge/Node.js-20-339933?logo=node.js&logoColor=white)
![TypeScript](https://img.shields.io/badge/TypeScript-strict-3178C6?logo=typescript&logoColor=white)
![FastAPI](https://img.shields.io/badge/FastAPI-0.123-009688?logo=fastapi&logoColor=white)
![DSGVO](https://img.shields.io/badge/DSGVO-compliant-green)
![AI Act](https://img.shields.io/badge/EU%20AI%20Act-compliant-green)
![LOC guard](https://img.shields.io/badge/LOC%20guard-500%20hard%20cap-orange)
![Services](https://img.shields.io/badge/services-10-blueviolet)
---
## Overview
breakpilot-compliance is a multi-tenant DSGVO/EU AI Act compliance platform that provides an SDK for consent management, data subject requests (DSR), audit logging, iACE impact assessments, and document archival. It ships as 10 containerised services covering an admin dashboard, a developer portal, a Python/FastAPI backend, a Go AI compliance engine, TTS, and a decentralised document store on IPFS. Every service is deployed automatically via Gitea Actions → Orca on every push to `main`.
---
## Architecture
| Service | Tech | Port | Container |
|---------|------|------|-----------|
| admin-compliance | Next.js 15 | 3007 | bp-compliance-admin |
| backend-compliance | Python / FastAPI 0.123 | 8002 | bp-compliance-backend |
| ai-compliance-sdk | Go 1.24 / Gin | 8093 | bp-compliance-ai-sdk |
| developer-portal | Next.js 15 | 3006 | bp-compliance-developer-portal |
| breakpilot-compliance-sdk | TypeScript SDK (React/Vue/Angular/vanilla) | — | — |
| consent-sdk | JS/TS Consent SDK | — | — |
| compliance-tts-service | Python / Piper TTS | 8095 | bp-compliance-tts |
| document-crawler | Python / FastAPI | 8098 | bp-compliance-document-crawler |
| dsms-gateway | Python / FastAPI / IPFS | 8082 | bp-compliance-dsms-gateway |
| dsms-node | IPFS Kubo v0.24.0 | — | bp-compliance-dsms-node |
All containers share the external `breakpilot-network` Docker network and depend on `breakpilot-core` (Valkey, Vault, RAG service, Nginx reverse proxy).
---
## Quick Start
**Prerequisites:** Docker, Go 1.24+, Python 3.12+, Node.js 20+, [Infisical CLI](https://infisical.com/docs/cli/overview)
```bash
git clone ssh://git@gitea.meghsakha.com:22222/Benjamin_Boenisch/breakpilot-compliance.git
cd breakpilot-compliance
# One-time per machine: log in to the self-hosted Infisical instance
infisical login --domain https://secrets.meghsakha.com
# Start the full stack with secrets injected from Infisical (env=dev)
make dev
```
Secrets are pulled from Infisical (`secrets.meghsakha.com`) at runtime; `.env` files are not used. See [INFISICAL_SETUP.md](./INFISICAL_SETUP.md) for full onboarding, and `make help` for the rest of the targets (`dev-build`, `dev-down`, `secrets`, `secrets-set`).
For the Orca/Hetzner production target (x86_64), use the override:
```bash
make dev ENV=prod # or:
infisical run --env=prod -- docker compose -f docker-compose.yml -f docker-compose.hetzner.yml up -d
```
---
## Development Workflow
Use feature branches off `main`. Supported prefixes: `feat/`, `feature/`, `hotfix/`.
```bash
git checkout main && git pull origin main
git checkout -b feat/my-change
# ... make changes ...
git push origin feat/my-change
# Open a PR → squash merge to main
```
Push to `main` triggers:
1. **Gitea Actions** — lint → test → validate (see CI Pipeline below)
2. **Orca** — automatic build + deploy (~3 min total)
Monitor status: <https://gitea.meghsakha.com/Benjamin_Boenisch/breakpilot-compliance/actions>
---
## CI Pipeline
Defined in `.gitea/workflows/ci.yaml`.
| Job | What it checks |
|-----|----------------|
| `loc-budget` | All source files ≤ 500 LOC; soft target 300 |
| `guardrail-integrity` | Commits touching guardrail files carry `[guardrail-change]` |
| `go-lint` | `golangci-lint` on `ai-compliance-sdk/` |
| `python-lint` | `ruff` + `mypy` on Python services |
| `nodejs-lint` | `tsc --noEmit` + ESLint on Next.js services |
| `test-go-ai-compliance` | `go test ./...` in `ai-compliance-sdk/` |
| `test-python-backend-compliance` | `pytest` in `backend-compliance/` |
| `test-python-document-crawler` | `pytest` in `document-crawler/` |
| `test-python-dsms-gateway` | `pytest test_main.py` in `dsms-gateway/` |
| `sbom-scan` | License + vulnerability scan via `syft` + `grype` |
| `validate-canonical-controls` | OpenAPI contract baseline diff |
---
## File Budget
| Limit | Value | How to check |
|-------|-------|--------------|
| Soft target | 300 LOC | `bash scripts/check-loc.sh` |
| Hard cap | 500 LOC | Same; also enforced by `PreToolUse` hook + git pre-commit + CI |
| Exceptions | `.claude/rules/loc-exceptions.txt` | Require written rationale + `[guardrail-change]` commit marker |
The `.claude/settings.json` `PreToolUse` hook blocks Claude Code from writing or editing files that would exceed the hard cap. The git pre-commit hook re-checks. CI is the final gate.
---
## Links
| | URL |
|-|-----|
| Admin dashboard | <https://admin-dev.breakpilot.ai> |
| Developer portal | <https://developers-dev.breakpilot.ai> |
| Backend API | <https://api-dev.breakpilot.ai> |
| AI SDK API | <https://sdk-dev.breakpilot.ai> |
| Gitea repo | <https://gitea.meghsakha.com/Benjamin_Boenisch/breakpilot-compliance> |
| Gitea Actions | <https://gitea.meghsakha.com/Benjamin_Boenisch/breakpilot-compliance/actions> |
Reference in New Issue View Git Blame Copy Permalink