Benjamin Admin
4a5924b8c4
[guardrail-change]
Phase 18 adds an EU Cyber Resilience Act compliance track to IACE:
the engine now fires patterns that surface the manufacturer-side CRA
obligations whenever a project's components carry digital elements.
Patterns (HP1910-HP1918, hazard_patterns_cra.go):
HP1910 Missing SBOM
HP1911 Unsigned firmware/software updates
HP1912 Factory-default credentials still active
HP1913 No coordinated vulnerability disclosure (CVD) policy
HP1914 No documented security patch SLA
HP1915 Missing user-facing hardening guide
HP1916 No incident-notification process to ENISA / CSIRT
HP1917 No security assessment prior to placing on market
HP1918 AI component without cybersecurity risk assessment
Each pattern carries ClarificationQuestionsDE so the operator gets
auditor-grade questions to take back to the Anlagenbauer instead of
the engine inventing prose. PatternMatch carries DefaultAvoidability
(P=1 for all CRA patterns), feeding the PLr graph from Phase 17.
Measures (M540-M548, measures_library_cra.go):
M540 SBOM (SPDX or CycloneDX) with each machine release
M541 Signed updates with rollback protection
M542 Forced default-password change at first boot
M543 Published CVD policy (security.txt / PSIRT)
M544 Documented patch SLA with CVSS-tier response times
M545 User-facing hardening guide in the machine docs
M546 ENISA incident-notification process (24h/72h/14d)
M547 Authenticated update channel + integrity check
M548 Pre-market security assessment / pen-test
The library is urheberrechtlich neutral: identifiers only
(Verordnung (EU) 2024/2847, DIN EN 40000-1-2 Entwurf, IEC 62443,
ETSI EN 303 645, ISO/IEC 5962, ISO/IEC 29147). No normative text
is reproduced — DIN/Beuth proprietary content is referenced by
section number only.
Category-compatibility:
cyber_resilience pattern category accepts measures with
HazardCategory cyber_resilience, cyber_network, or
software_control. Updated in both the runtime helper
(iace_handler_init_helpers.go) and its test-mirror
(pattern_coverage_test.go) — both must move in lockstep.
Frontend (clarifications page):
When at least one clarification references "2024/2847" or
"40000-1-2" in its norm_references, a blue info-banner is
rendered at the top of the page:
"Cyber Resilience Act (CRA) — Hinweis zur Geltung
Diese Klärungsliste enthält Fragen zur Verordnung (EU)
2024/2847 (CRA). Die CRA gilt für Produkte mit digitalen
Elementen, die ab dem 11.12.2027 auf dem EU-Markt bereit-
gestellt werden. ..."
Reminds the user that the CRA pflichten are forward-looking
while still allowing the manufacturer to bake them in now.
LOC exceptions:
Added three pre-existing files to .claude/rules/loc-exceptions.txt
(manufacturer_safety_features.go, iace_handler_clarifications.go,
routes.go). All three grew across Phases 16-17 and are tagged as
Phase 5+ refactor backlog. [guardrail-change] marker required.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ai-compliance-sdk
Go/Gin service providing AI-Act compliance analysis: iACE impact assessments, UCCA rules engine, hazard library, training/academy, audit, escalation, portfolio, RBAC, RAG, whistleblower, workshop.
Port: 8090 → exposed 8093 (container: bp-compliance-ai-sdk)
Stack: Go 1.24, Gin, pgx, Postgres.
Architecture
Clean-arch refactor is complete:
cmd/server/main.go # Thin entrypoint, 7 LOC — wiring in internal/app/
internal/
├── app/
│ ├── app.go # Server initialization + lifecycle
│ └── routes.go # Route registration
├── api/handlers/ # 8 sub-resource handler files:
│ │ # iace_handler_projects, hazards, mitigations,
│ │ # techfile, monitoring, refdata, rag, components
├── iace/ # Store split into 7 files:
│ │ # store_projects, components, hazards,
│ │ # hazard_library, mitigations, evidence, audit
│ └── hazard_library/ # Split into 10 category files
└── ...
See ../AGENTS.go.md for the full convention.
Linting (Phase 5): .golangci.yml added — run golangci-lint run --timeout 5m ./....
Run locally
cd ai-compliance-sdk
go mod download
export COMPLIANCE_DATABASE_URL=...
go run ./cmd/server
Tests
go test -race -cover ./...
golangci-lint run --timeout 5m ./...
Co-located *_test.go, table-driven. Repo layer uses testcontainers-go (or the compose Postgres) — no SQL mocks.
Public API surface
Handlers under internal/api/handlers/ (8 sub-resource files). Health at GET /health. iACE, UCCA, training, academy, portfolio, escalation, audit, rag, whistleblower, workshop subresources. Every route is a contract.
Environment
| Var | Purpose |
|---|---|
COMPLIANCE_DATABASE_URL |
Postgres DSN |
LLM_GATEWAY_URL |
LLM router for rag/iACE |
QDRANT_URL |
Vector search |
Don't touch
DB schema. Hand-rolled migrations elsewhere own it.