3320ef94fc
Squash of branch refactor/phase0-guardrails-and-models-split — 4 commits,
81 files, 173/173 pytest green, OpenAPI contract preserved (360 paths /
484 operations).
## Phase 0 — Architecture guardrails
Three defense-in-depth layers to keep the architecture rules enforced
regardless of who opens Claude Code in this repo:
1. .claude/settings.json PreToolUse hook on Write/Edit blocks any file
that would exceed the 500-line hard cap. Auto-loads in every Claude
session in this repo.
2. scripts/githooks/pre-commit (install via scripts/install-hooks.sh)
enforces the LOC cap locally, freezes migrations/ without
[migration-approved], and protects guardrail files without
[guardrail-change].
3. .gitea/workflows/ci.yaml gains loc-budget + guardrail-integrity +
sbom-scan (syft+grype) jobs, adds mypy --strict for the new Python
packages (compliance/{services,repositories,domain,schemas}), and
tsc --noEmit for admin-compliance + developer-portal.
Per-language conventions documented in AGENTS.python.md, AGENTS.go.md,
AGENTS.typescript.md at the repo root — layering, tooling, and explicit
"what you may NOT do" lists. Root CLAUDE.md is prepended with the six
non-negotiable rules. Each of the 10 services gets a README.md.
scripts/check-loc.sh enforces soft 300 / hard 500 and surfaces the
current baseline of 205 hard + 161 soft violations so Phases 1-4 can
drain it incrementally. CI gates only CHANGED files in PRs so the
legacy baseline does not block unrelated work.
## Deprecation sweep
47 files. Pydantic V1 regex= -> pattern= (2 sites), class Config ->
ConfigDict in source_policy_router.py (schemas.py intentionally skipped;
it is the Phase 1 Step 3 split target). datetime.utcnow() ->
datetime.now(timezone.utc) everywhere including SQLAlchemy default=
callables. All DB columns already declare timezone=True, so this is a
latent-bug fix at the Python side, not a schema change.
DeprecationWarning count dropped from 158 to 35.
## Phase 1 Step 1 — Contract test harness
tests/contracts/test_openapi_baseline.py diffs the live FastAPI /openapi.json
against tests/contracts/openapi.baseline.json on every test run. Fails on
removed paths, removed status codes, or new required request body fields.
Regenerate only via tests/contracts/regenerate_baseline.py after a
consumer-updated contract change. This is the safety harness for all
subsequent refactor commits.
## Phase 1 Step 2 — models.py split (1466 -> 85 LOC shim)
compliance/db/models.py is decomposed into seven sibling aggregate modules
following the existing repo pattern (dsr_models.py, vvt_models.py, ...):
regulation_models.py (134) — Regulation, Requirement
control_models.py (279) — Control, Mapping, Evidence, Risk
ai_system_models.py (141) — AISystem, AuditExport
service_module_models.py (176) — ServiceModule, ModuleRegulation, ModuleRisk
audit_session_models.py (177) — AuditSession, AuditSignOff
isms_governance_models.py (323) — ISMSScope, Context, Policy, Objective, SoA
isms_audit_models.py (468) — Finding, CAPA, MgmtReview, InternalAudit,
AuditTrail, Readiness
models.py becomes an 85-line re-export shim in dependency order so
existing imports continue to work unchanged. Schema is byte-identical:
__tablename__, column definitions, relationship strings, back_populates,
cascade directives all preserved.
All new sibling files are under the 500-line hard cap; largest is
isms_audit_models.py at 468. No file in compliance/db/ now exceeds
the hard cap.
## Phase 1 Step 3 — infrastructure only
backend-compliance/compliance/{schemas,domain,repositories}/ packages
are created as landing zones with docstrings. compliance/domain/
exports DomainError / NotFoundError / ConflictError / ValidationError /
PermissionError — the base classes services will use to raise
domain-level errors instead of HTTPException.
PHASE1_RUNBOOK.md at backend-compliance/PHASE1_RUNBOOK.md documents
the nine-step execution plan for Phase 1: snapshot baseline,
characterization tests, split models.py (this commit), split schemas.py
(next), extract services, extract repositories, mypy --strict, coverage.
## Verification
backend-compliance/.venv-phase1: uv python install 3.12 + pip -r requirements.txt
PYTHONPATH=. pytest compliance/tests/ tests/contracts/
-> 173 passed, 0 failed, 35 warnings, OpenAPI 360/484 unchanged
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Breakpilot Compliance & Audit Framework
Uebersicht
Enterprise-ready GRC (Governance, Risk, Compliance) Framework fuer die Breakpilot EdTech-Plattform.
Kernfunktionen
| Feature | Status | Beschreibung |
|---|---|---|
| 19 EU-Regulations | Aktiv | DSGVO, AI Act, CRA, NIS2, Data Act, etc. |
| 558 Requirements | Aktiv | Automatisch extrahiert aus EUR-Lex + BSI-TR PDFs |
| 44 Controls | Aktiv | Technische und organisatorische Massnahmen |
| 474 Control-Mappings | Aktiv | Keyword-basiertes Auto-Mapping |
| KI-Interpretation | Aktiv | Claude API fuer Anforderungsanalyse |
| Executive Dashboard | Aktiv | Ampel-Status, Trends, Top-Risiken |
Architektur
backend/compliance/
├── api/
│ ├── routes.py # 52 FastAPI Endpoints
│ └── schemas.py # Pydantic Response Models
├── db/
│ ├── models.py # SQLAlchemy Models
│ └── repository.py # CRUD Operations
├── data/
│ ├── regulations.py # 19 Regulations Seed
│ ├── controls.py # 44 Controls Seed
│ ├── requirements.py # Requirements Seed
│ └── service_modules.py # 30 Service-Module
├── services/
│ ├── ai_compliance_assistant.py # Claude Integration
│ ├── llm_provider.py # LLM Abstraction Layer
│ ├── pdf_extractor.py # BSI-TR PDF Parser
│ └── regulation_scraper.py # EUR-Lex Scraper
└── tests/ # Pytest Tests (in /backend/tests/)
Schnellstart
1. Backend starten
cd backend
docker-compose up -d
# ODER
uvicorn main:app --reload --port 8000
2. Datenbank initialisieren
# Regulations, Controls, Requirements seeden
curl -X POST http://localhost:8000/api/v1/compliance/seed \
-H "Content-Type: application/json" \
-d '{"force": false}'
# Service-Module seeden
curl -X POST http://localhost:8000/api/v1/compliance/modules/seed \
-H "Content-Type: application/json" \
-d '{"force": false}'
3. KI-Interpretation aktivieren
# Vault-gesteuerte API-Keys
export VAULT_ADDR=http://localhost:8200
export VAULT_TOKEN=breakpilot-dev-token
# Status pruefen
curl http://localhost:8000/api/v1/compliance/ai/status
# Einzelne Anforderung interpretieren
curl -X POST http://localhost:8000/api/v1/compliance/ai/interpret \
-H "Content-Type: application/json" \
-d '{"requirement_id": "REQ-ID", "save_to_db": true}'
API-Endpoints
Dashboard & Executive View
| Method | Endpoint | Beschreibung |
|---|---|---|
| GET | /api/v1/compliance/dashboard |
Dashboard-Daten mit Scores |
| GET | /api/v1/compliance/dashboard/executive |
Executive Dashboard (Ampel, Trends) |
| GET | /api/v1/compliance/dashboard/trend |
Score-Trend (12 Monate) |
Regulations & Requirements
| Method | Endpoint | Beschreibung |
|---|---|---|
| GET | /api/v1/compliance/regulations |
Alle 19 Regulations |
| GET | /api/v1/compliance/regulations/{code} |
Eine Regulation |
| GET | /api/v1/compliance/requirements |
558 Requirements (paginiert) |
| GET | /api/v1/compliance/requirements/{id} |
Einzelnes Requirement |
Controls & Mappings
| Method | Endpoint | Beschreibung |
|---|---|---|
| GET | /api/v1/compliance/controls |
Alle 44 Controls |
| GET | /api/v1/compliance/controls/{id} |
Ein Control |
| GET | /api/v1/compliance/controls/by-domain/{domain} |
Controls nach Domain |
| GET | /api/v1/compliance/mappings |
474 Control-Mappings |
KI-Features
| Method | Endpoint | Beschreibung |
|---|---|---|
| GET | /api/v1/compliance/ai/status |
LLM Provider Status |
| POST | /api/v1/compliance/ai/interpret |
Requirement interpretieren |
| POST | /api/v1/compliance/ai/batch |
Batch-Interpretation |
| POST | /api/v1/compliance/ai/suggest-controls |
Control-Vorschlaege |
Scraper & Import
| Method | Endpoint | Beschreibung |
|---|---|---|
| POST | /api/v1/compliance/scraper/fetch |
EUR-Lex Live-Fetch |
| POST | /api/v1/compliance/scraper/extract-pdf |
BSI-TR PDF Extraktion |
| GET | /api/v1/compliance/scraper/status |
Scraper-Status |
Evidence & Risks
| Method | Endpoint | Beschreibung |
|---|---|---|
| GET | /api/v1/compliance/evidence |
Alle Nachweise |
| POST | /api/v1/compliance/evidence/collect |
CI/CD Evidence Upload |
| GET | /api/v1/compliance/risks |
Risk Register |
| GET | /api/v1/compliance/risks/matrix |
Risk Matrix View |
Datenmodell
RegulationDB
class RegulationDB(Base):
id: str # UUID
code: str # "GDPR", "AIACT", etc.
name: str # Kurzname
full_name: str # Vollstaendiger Name
regulation_type: enum # eu_regulation, bsi_standard, etc.
source_url: str # EUR-Lex URL
effective_date: date # Inkrafttreten
RequirementDB
class RequirementDB(Base):
id: str # UUID
regulation_id: str # FK zu Regulation
article: str # "Art. 32"
paragraph: str # "(1)(a)"
title: str # Kurztitel
requirement_text: str # Original-Text
breakpilot_interpretation: str # KI-Interpretation
priority: int # 1-5
ControlDB
class ControlDB(Base):
id: str # UUID
control_id: str # "PRIV-001"
domain: enum # gov, priv, iam, crypto, sdlc, ops, ai
control_type: enum # preventive, detective, corrective
title: str # Kontroll-Titel
pass_criteria: str # Messbare Kriterien
code_reference: str # z.B. "middleware/pii_redactor.py:45"
status: enum # pass, partial, fail, planned
Frontend-Integration
Compliance Dashboard
/admin/compliance # Haupt-Dashboard
/admin/compliance/controls # Control Catalogue
/admin/compliance/evidence # Evidence Management
/admin/compliance/risks # Risk Matrix
/admin/compliance/scraper # Regulation Scraper
/admin/compliance/audit-workspace # Audit Workspace
Neue Komponenten (Sprint 1+2)
ComplianceTrendChart.tsx- Recharts-basierter Trend-ChartTrafficLightIndicator.tsx- Ampel-Status AnzeigeLanguageSwitch.tsx- DE/EN Terminologie-UmschaltungGlossaryTooltip.tsx- Erklaerungen fuer Fachbegriffe
i18n-System
import { getTerm, Language } from '@/lib/compliance-i18n'
// Nutzung
const label = getTerm('de', 'control') // "Massnahme"
const label = getTerm('en', 'control') // "Control"
Tests
# Alle Compliance-Tests ausfuehren
cd backend
pytest tests/test_compliance_*.py -v
# Einzelne Test-Dateien
pytest tests/test_compliance_api.py -v # API Endpoints
pytest tests/test_compliance_ai.py -v # KI-Integration
pytest tests/test_compliance_repository.py -v # Repository
pytest tests/test_compliance_pdf_extractor.py -v # PDF Parser
Umgebungsvariablen
# LLM Provider
COMPLIANCE_LLM_PROVIDER=anthropic # oder "mock" fuer Tests
ANTHROPIC_API_KEY=sk-ant-... # Falls nicht ueber Vault
# Vault Integration
VAULT_ADDR=http://localhost:8200
VAULT_TOKEN=breakpilot-dev-token
# Datenbank
DATABASE_URL=postgresql://user:pass@localhost:5432/breakpilot
Regulations-Uebersicht
| Code | Name | Typ | Requirements |
|---|---|---|---|
| GDPR | DSGVO | EU-Verordnung | ~50 |
| AIACT | AI Act | EU-Verordnung | ~80 |
| CRA | Cyber Resilience Act | EU-Verordnung | ~60 |
| NIS2 | NIS2-Richtlinie | EU-Richtlinie | ~40 |
| DATAACT | Data Act | EU-Verordnung | ~35 |
| DGA | Data Governance Act | EU-Verordnung | ~30 |
| DSA | Digital Services Act | EU-Verordnung | ~25 |
| EUCSA | EU Cybersecurity Act | EU-Verordnung | ~20 |
| EAA | European Accessibility Act | EU-Richtlinie | ~15 |
| BSI-TR-03161-1 | Mobile Anwendungen Teil 1 | BSI-Standard | ~30 |
| BSI-TR-03161-2 | Mobile Anwendungen Teil 2 | BSI-Standard | ~100 |
| BSI-TR-03161-3 | Mobile Anwendungen Teil 3 | BSI-Standard | ~50 |
| ... | 7 weitere | ... | ~50 |
Control-Domains
| Domain | Beschreibung | Anzahl Controls |
|---|---|---|
gov |
Governance & Organisation | 5 |
priv |
Datenschutz & Privacy | 7 |
iam |
Identity & Access Management | 5 |
crypto |
Kryptografie | 4 |
sdlc |
Secure Development | 6 |
ops |
Betrieb & Monitoring | 5 |
ai |
KI-spezifisch | 5 |
cra |
CRA & Supply Chain | 4 |
aud |
Audit & Nachvollziehbarkeit | 3 |
Erweiterungen
Neue Regulation hinzufuegen
- Eintrag in
data/regulations.py - Requirements ueber Scraper importieren
- Control-Mappings generieren
# EUR-Lex Regulation importieren
curl -X POST http://localhost:8000/api/v1/compliance/scraper/fetch \
-H "Content-Type: application/json" \
-d '{"regulation_code": "NEW_REG", "url": "https://eur-lex.europa.eu/..."}'
Neues Control hinzufuegen
- Eintrag in
data/controls.py - Re-Seed ausfuehren
- Mappings werden automatisch generiert
Multi-Projekt-Architektur (Migration 039)
Jeder Tenant kann mehrere Compliance-Projekte anlegen. Neue Tabelle compliance_projects, sdk_states erweitert um project_id.
Projekt-API Endpoints
| Method | Endpoint | Beschreibung |
|---|---|---|
| GET | /api/v1/projects |
Alle Projekte des Tenants |
| POST | /api/v1/projects |
Neues Projekt erstellen |
| GET | /api/v1/projects/{id} |
Einzelnes Projekt |
| PATCH | /api/v1/projects/{id} |
Projekt aktualisieren |
| DELETE | /api/v1/projects/{id} |
Projekt archivieren |
Siehe compliance/api/project_routes.py und migrations/039_compliance_projects.sql.
Changelog
v2.0 (2026-01-17)
- Executive Dashboard mit Ampel-Status
- Trend-Charts (Recharts)
- DE/EN Terminologie-Umschaltung
- 52 API-Endpoints
- 558 Requirements aus 19 Regulations
- 474 Auto-Mappings
- KI-Interpretation (Claude API)
v1.0 (2026-01-16)
- Basis-Dashboard
- EUR-Lex Scraper
- BSI-TR PDF Parser
- Control Catalogue
- Evidence Management