breakpilot-compliance/ai-compliance-sdk/internal/ucca/legal_rag_context.go

package ucca

import (
	"context"
	"fmt"
	"strings"
	"time"
)

// GetLegalContextForAssessment retrieves relevant legal context for an assessment.
func (c *LegalRAGClient) GetLegalContextForAssessment(ctx context.Context, assessment *Assessment) (*LegalContext, error) {
	queryParts := []string{}

	if assessment.Domain != "" {
		queryParts = append(queryParts, fmt.Sprintf("KI-Anwendung im Bereich %s", assessment.Domain))
	}

	if assessment.Intake.DataTypes.Article9Data {
		queryParts = append(queryParts, "besondere Kategorien personenbezogener Daten Art. 9 DSGVO")
	}
	if assessment.Intake.DataTypes.PersonalData {
		queryParts = append(queryParts, "personenbezogene Daten")
	}
	if assessment.Intake.DataTypes.MinorData {
		queryParts = append(queryParts, "Daten von Minderjährigen")
	}

	if assessment.Intake.Purpose.EvaluationScoring {
		queryParts = append(queryParts, "automatisierte Bewertung Scoring")
	}
	if assessment.Intake.Purpose.DecisionMaking {
		queryParts = append(queryParts, "automatisierte Entscheidung Art. 22 DSGVO")
	}
	if assessment.Intake.Purpose.Profiling {
		queryParts = append(queryParts, "Profiling")
	}

	if assessment.DSFARecommended {
		queryParts = append(queryParts, "Datenschutz-Folgenabschätzung Art. 35 DSGVO")
	}
	if assessment.Art22Risk {
		queryParts = append(queryParts, "automatisierte Einzelentscheidung rechtliche Wirkung")
	}

	query := strings.Join(queryParts, " ")
	if query == "" {
		query = "DSGVO Anforderungen KI-System Datenschutz"
	}

	regulationIDs := c.determineRelevantRegulations(assessment)

	results, err := c.Search(ctx, query, regulationIDs, 5)
	if err != nil {
		return nil, err
	}

	regSet := make(map[string]bool)
	for _, r := range results {
		regSet[r.RegulationCode] = true
	}

	regulations := make([]string, 0, len(regSet))
	for r := range regSet {
		regulations = append(regulations, r)
	}

	articles := make([]string, 0)
	for _, r := range results {
		if len(r.Pages) > 0 {
			key := fmt.Sprintf("%s S. %v", r.RegulationShort, r.Pages)
			articles = append(articles, key)
		}
	}

	return &LegalContext{
		Query:            query,
		Results:          results,
		RelevantArticles: articles,
		Regulations:      regulations,
		GeneratedAt:      time.Now().UTC(),
	}, nil
}

// determineRelevantRegulations determines which regulations to search based on the assessment.
func (c *LegalRAGClient) determineRelevantRegulations(assessment *Assessment) []string {
	ids := []string{"eu_2016_679"}

	for _, rule := range assessment.TriggeredRules {
		gdprRef := rule.GDPRRef
		if strings.Contains(gdprRef, "AI Act") || strings.Contains(gdprRef, "KI-VO") {
			if !contains(ids, "eu_2024_1689") {
				ids = append(ids, "eu_2024_1689")
			}
		}
		if strings.Contains(gdprRef, "NIS2") || strings.Contains(gdprRef, "NIS-2") {
			if !contains(ids, "eu_2022_2555") {
				ids = append(ids, "eu_2022_2555")
			}
		}
		if strings.Contains(gdprRef, "CRA") || strings.Contains(gdprRef, "Cyber Resilience") {
			if !contains(ids, "eu_2024_2847") {
				ids = append(ids, "eu_2024_2847")
			}
		}
		if strings.Contains(gdprRef, "Maschinenverordnung") || strings.Contains(gdprRef, "Machinery") {
			if !contains(ids, "eu_2023_1230") {
				ids = append(ids, "eu_2023_1230")
			}
		}
	}

	for _, ctrl := range assessment.RequiredControls {
		if strings.HasPrefix(ctrl.ID, "AI-") {
			if !contains(ids, "eu_2024_1689") {
				ids = append(ids, "eu_2024_1689")
			}
			break
		}
	}

	for _, ctrl := range assessment.RequiredControls {
		if strings.HasPrefix(ctrl.ID, "CRYPTO-") || strings.HasPrefix(ctrl.ID, "IAM-") || strings.HasPrefix(ctrl.ID, "SEC-") {
			if !contains(ids, "eu_2022_2555") {
				ids = append(ids, "eu_2022_2555")
			}
			if !contains(ids, "eu_2024_2847") {
				ids = append(ids, "eu_2024_2847")
			}
			break
		}
	}

	return ids
}