package ucca
import (
|
|
"time"
|
|
|
|
"github.com/google/uuid"
|
|
)
|
|
|
|
// ============================================================================
|
|
// Constants / Enums
|
|
// ============================================================================
|
|
|
|
// Feasibility is the overall verdict of an assessment: whether the
// described AI use case can go ahead as-is, only under conditions, or not
// at all. It is a string type so it serialises as its literal value.
type Feasibility string

const (
	// FeasibilityYES: the use case is feasible without further conditions.
	FeasibilityYES Feasibility = "YES"
	// FeasibilityCONDITIONAL: feasible only if the required controls are met.
	FeasibilityCONDITIONAL Feasibility = "CONDITIONAL"
	// FeasibilityNO: the use case is not feasible as described.
	FeasibilityNO Feasibility = "NO"
)
// RiskLevel is the overall risk classification of an assessment, ordered
// from MINIMAL to UNACCEPTABLE. The ordering is by convention of the
// constants below; the type itself carries no ordering.
type RiskLevel string

const (
	RiskLevelMINIMAL      RiskLevel = "MINIMAL"
	RiskLevelLOW          RiskLevel = "LOW"
	RiskLevelMEDIUM       RiskLevel = "MEDIUM"
	RiskLevelHIGH         RiskLevel = "HIGH"
	// RiskLevelUNACCEPTABLE marks a use case that must not proceed.
	RiskLevelUNACCEPTABLE RiskLevel = "UNACCEPTABLE"
)
// Complexity is the estimated implementation complexity of a compliant
// solution for the assessed use case.
type Complexity string

const (
	ComplexityLOW    Complexity = "LOW"
	ComplexityMEDIUM Complexity = "MEDIUM"
	ComplexityHIGH   Complexity = "HIGH"
)
// Severity is the severity of a triggered rule or a required control.
// It is shared by TriggeredRule and RequiredControl.
type Severity string

const (
	// SeverityINFO is informational only.
	SeverityINFO Severity = "INFO"
	// SeverityWARN flags a concern that does not by itself block the use case.
	SeverityWARN Severity = "WARN"
	// SeverityBLOCK flags a concern that blocks the use case.
	SeverityBLOCK Severity = "BLOCK"
)
// Domain is the business domain of a use case. Values are lower-snake-case
// identifiers and are accepted from JSON input (see UseCaseIntake.Domain),
// so a decoded Domain is not guaranteed to be one of the constants below
// until it has been checked against ValidDomains.
type Domain string

const (
	// Industry & manufacturing
	DomainAutomotive            Domain = "automotive"
	DomainMechanicalEngineering Domain = "mechanical_engineering"
	DomainPlantEngineering      Domain = "plant_engineering"
	DomainElectricalEngineering Domain = "electrical_engineering"
	DomainAerospace             Domain = "aerospace"
	DomainChemicals             Domain = "chemicals"
	DomainFoodBeverage          Domain = "food_beverage"
	DomainTextiles              Domain = "textiles"
	DomainPackaging             Domain = "packaging"

	// Energy & utilities
	DomainUtilities Domain = "utilities"
	DomainEnergy    Domain = "energy"
	DomainOilGas    Domain = "oil_gas"

	// Agriculture & forestry
	DomainAgriculture Domain = "agriculture"
	DomainForestry    Domain = "forestry"
	DomainFishing     Domain = "fishing"

	// Construction & real estate
	DomainConstruction       Domain = "construction"
	DomainRealEstate         Domain = "real_estate"
	DomainFacilityManagement Domain = "facility_management"

	// Healthcare & social services
	DomainHealthcare     Domain = "healthcare"
	DomainMedicalDevices Domain = "medical_devices"
	DomainPharma         Domain = "pharma"
	DomainElderlyCare    Domain = "elderly_care"
	DomainSocialServices Domain = "social_services"

	// Education & research
	DomainEducation          Domain = "education"
	DomainHigherEducation    Domain = "higher_education"
	DomainVocationalTraining Domain = "vocational_training"
	DomainResearch           Domain = "research"

	// Finance & insurance (the domains UseCaseIntake.FinancialContext applies to)
	DomainFinance    Domain = "finance"
	DomainBanking    Domain = "banking"
	DomainInsurance  Domain = "insurance"
	DomainInvestment Domain = "investment"

	// Trade & logistics
	DomainRetail    Domain = "retail"
	DomainEcommerce Domain = "ecommerce"
	DomainWholesale Domain = "wholesale"
	DomainLogistics Domain = "logistics"

	// IT & telecommunications
	DomainITServices    Domain = "it_services"
	DomainTelecom       Domain = "telecom"
	DomainCybersecurity Domain = "cybersecurity"

	// Legal & advisory
	DomainLegal       Domain = "legal"
	DomainConsulting  Domain = "consulting"
	DomainTaxAdvisory Domain = "tax_advisory"

	// Public sector
	DomainPublic  Domain = "public_sector"
	DomainDefense Domain = "defense"
	DomainJustice Domain = "justice"

	// Marketing & media
	DomainMarketing     Domain = "marketing"
	DomainMedia         Domain = "media"
	DomainEntertainment Domain = "entertainment"

	// HR & personnel
	DomainHR         Domain = "hr"
	DomainRecruiting Domain = "recruiting"

	// Tourism & hospitality
	DomainHospitality Domain = "hospitality"
	DomainTourism     Domain = "tourism"

	// Other
	DomainNonprofit Domain = "nonprofit"
	DomainSports    Domain = "sports"
	DomainGeneral   Domain = "general"
)
// ValidDomains is the allow-list of accepted Domain values. Indexing it with
// an unknown Domain yields false, so `ValidDomains[d]` is a complete
// membership test for input coming from JSON.
//
// NOTE(review): this is an exported, mutable package-level map; any package
// can add or remove entries at runtime. Keep it read-only by convention and
// treat it as the single source of truth when a new Domain constant is
// added — a constant missing here is silently rejected as invalid.
var ValidDomains = map[Domain]bool{
	DomainAutomotive: true, DomainMechanicalEngineering: true, DomainPlantEngineering: true,
	DomainElectricalEngineering: true, DomainAerospace: true, DomainChemicals: true,
	DomainFoodBeverage: true, DomainTextiles: true, DomainPackaging: true,
	DomainUtilities: true, DomainEnergy: true, DomainOilGas: true,
	DomainAgriculture: true, DomainForestry: true, DomainFishing: true,
	DomainConstruction: true, DomainRealEstate: true, DomainFacilityManagement: true,
	DomainHealthcare: true, DomainMedicalDevices: true, DomainPharma: true,
	DomainElderlyCare: true, DomainSocialServices: true,
	DomainEducation: true, DomainHigherEducation: true, DomainVocationalTraining: true, DomainResearch: true,
	DomainFinance: true, DomainBanking: true, DomainInsurance: true, DomainInvestment: true,
	DomainRetail: true, DomainEcommerce: true, DomainWholesale: true, DomainLogistics: true,
	DomainITServices: true, DomainTelecom: true, DomainCybersecurity: true,
	DomainLegal: true, DomainConsulting: true, DomainTaxAdvisory: true,
	DomainPublic: true, DomainDefense: true, DomainJustice: true,
	DomainMarketing: true, DomainMedia: true, DomainEntertainment: true,
	DomainHR: true, DomainRecruiting: true,
	DomainHospitality: true, DomainTourism: true,
	DomainNonprofit: true, DomainSports: true, DomainGeneral: true,
}
// AutomationLevel is the degree to which the AI system acts without a human
// in the loop. It is accepted from JSON input (UseCaseIntake.Automation);
// no allow-list for it is defined in this file, so callers that need to
// reject unknown values must compare against the constants below.
type AutomationLevel string

const (
	// AutomationAssistive: the system only assists a human who decides.
	AutomationAssistive AutomationLevel = "assistive"
	// AutomationSemiAutomated: the system acts, with human review.
	AutomationSemiAutomated AutomationLevel = "semi_automated"
	// AutomationFullyAutomated: the system acts without human review.
	AutomationFullyAutomated AutomationLevel = "fully_automated"
)
// TrainingAllowed states whether the involved data may be used to train or
// fine-tune a model. It mirrors the YES/CONDITIONAL/NO shape of Feasibility
// but is a distinct type so the two cannot be mixed up.
type TrainingAllowed string

const (
	TrainingYES         TrainingAllowed = "YES"
	TrainingCONDITIONAL TrainingAllowed = "CONDITIONAL"
	TrainingNO          TrainingAllowed = "NO"
)
// ============================================================================
|
|
// Input Structs
|
|
// ============================================================================
|
|
|
|
// UseCaseIntake is the user's description of a planned AI use case. It is
// decoded from JSON (it is the body of AssessRequest), so every field holds
// untrusted input: the string-typed enums (Domain, Automation) decode from
// any JSON string without validation and must be checked after decoding.
type UseCaseIntake struct {
	// Free-text description of the use case. May contain personal data;
	// see StoreRawText for whether it is persisted verbatim.
	UseCaseText string `json:"use_case_text"`

	// Business domain; validate against ValidDomains after decoding.
	Domain Domain `json:"domain"`

	// Title for the assessment (optional)
	Title string `json:"title,omitempty"`

	// Data types involved
	DataTypes DataTypes `json:"data_types"`

	// Purpose of the processing
	Purpose Purpose `json:"purpose"`

	// Level of automation; see AutomationLevel for the accepted values.
	Automation AutomationLevel `json:"automation"`

	// Output characteristics
	Outputs Outputs `json:"outputs"`

	// Hosting configuration
	Hosting Hosting `json:"hosting"`

	// Model usage configuration
	ModelUsage ModelUsage `json:"model_usage"`

	// Retention configuration
	Retention Retention `json:"retention"`

	// Financial regulations context (DORA, MaRisk, BAIT).
	// Only applicable for financial domains (banking, finance, insurance,
	// investment); nil when not supplied.
	FinancialContext *FinancialContext `json:"financial_context,omitempty"`

	// Opt-in to store raw text (otherwise only hash). Defaults to false,
	// i.e. the privacy-preserving option, when absent from the JSON.
	StoreRawText bool `json:"store_raw_text,omitempty"`
}
// DataTypes flags which categories of data the use case processes. Each
// flag is independent; several may be set at once. Decoded from JSON input.
type DataTypes struct {
	PersonalData  bool `json:"personal_data"`
	Article9Data  bool `json:"article_9_data"` // Special categories under Art. 9 GDPR (health, religion, etc.)
	MinorData     bool `json:"minor_data"`     // Data of children
	LicensePlates bool `json:"license_plates"` // Vehicle license plates (German: KFZ-Kennzeichen)
	Images        bool `json:"images"`         // Photos/images of persons
	Audio         bool `json:"audio"`          // Voice recordings
	LocationData  bool `json:"location_data"`  // GPS/location tracking
	BiometricData bool `json:"biometric_data"` // Fingerprints, face recognition
	FinancialData bool `json:"financial_data"` // Bank accounts, salaries
	EmployeeData  bool `json:"employee_data"`  // HR/employment data
	CustomerData  bool `json:"customer_data"`  // Customer information
	PublicData    bool `json:"public_data"`    // Publicly available data only
}
// Purpose flags the processing purposes of the use case. Several may be
// set at once. Decoded from JSON input.
type Purpose struct {
	CustomerSupport   bool `json:"customer_support"`
	Marketing         bool `json:"marketing"`
	Analytics         bool `json:"analytics"`
	Automation        bool `json:"automation"`
	EvaluationScoring bool `json:"evaluation_scoring"` // Scoring/ranking of persons
	DecisionMaking    bool `json:"decision_making"`    // Automated decisions
	Profiling         bool `json:"profiling"`
	Research          bool `json:"research"`
	InternalTools     bool `json:"internal_tools"`
	PublicService     bool `json:"public_service"`
}
// Outputs flags what the AI system produces and what effect its output has.
// Decoded from JSON input.
type Outputs struct {
	RecommendationsToUsers bool `json:"recommendations_to_users"`
	RankingsOrScores       bool `json:"rankings_or_scores"` // Outputs rankings/scores
	LegalEffects           bool `json:"legal_effects"`      // Has legal consequences
	AccessDecisions        bool `json:"access_decisions"`   // Grants/denies access
	ContentGeneration      bool `json:"content_generation"` // Generates text/media
	DataExport             bool `json:"data_export"`        // Exports data externally
}
// Hosting describes where the AI system runs. All fields are free-form
// strings decoded from JSON input; the values listed in the comments are
// the expected ones, but nothing in this type enforces them.
type Hosting struct {
	Provider      string `json:"provider,omitempty"`       // e.g., "Azure", "AWS", "Hetzner", "On-Prem"
	Region        string `json:"region"`                   // Expected: "eu", "third_country", "on_prem"
	DataResidency string `json:"data_residency,omitempty"` // Where data is stored
}
// ModelUsage flags how the use case interacts with the model. The flags are
// independent booleans; the type does not prevent contradictory
// combinations (e.g. Inference and Training both set).
type ModelUsage struct {
	RAG       bool `json:"rag"`       // Retrieval-Augmented Generation only
	Finetune  bool `json:"finetune"`  // Fine-tuning with data
	Training  bool `json:"training"`  // Full training with data
	Inference bool `json:"inference"` // Inference only
}
// Retention describes how long prompts and responses are kept.
// Decoded from JSON input.
type Retention struct {
	StorePrompts   bool `json:"store_prompts"`
	StoreResponses bool `json:"store_responses"`
	// RetentionDays is omitted from JSON when zero; the type does not
	// exclude negative values, so range-check it where it is consumed.
	RetentionDays     int  `json:"retention_days,omitempty"`
	AnonymizeAfterUse bool `json:"anonymize_after_use"`
}
// ============================================================================
|
|
// Financial Regulations Structs (DORA, MaRisk, BAIT)
|
|
// ============================================================================
|
|
|
|
// FinancialEntityType classifies the kind of financial institution
// running the use case. Decoded from JSON input (FinancialEntity.Type);
// no allow-list for it is defined in this file.
type FinancialEntityType string

const (
	FinancialEntityCreditInstitution      FinancialEntityType = "CREDIT_INSTITUTION"
	FinancialEntityPaymentServiceProvider FinancialEntityType = "PAYMENT_SERVICE_PROVIDER"
	FinancialEntityEMoneyInstitution      FinancialEntityType = "E_MONEY_INSTITUTION"
	FinancialEntityInvestmentFirm         FinancialEntityType = "INVESTMENT_FIRM"
	FinancialEntityInsuranceCompany       FinancialEntityType = "INSURANCE_COMPANY"
	FinancialEntityCryptoAssetProvider    FinancialEntityType = "CRYPTO_ASSET_PROVIDER"
	// FinancialEntityOther is the catch-all for regulated entities not listed above.
	FinancialEntityOther FinancialEntityType = "OTHER_FINANCIAL"
)
// SizeCategory is the supervisory significance category of a financial
// institution. Decoded from JSON input (FinancialEntity.SizeCategory).
type SizeCategory string

const (
	SizeCategorySignificant     SizeCategory = "SIGNIFICANT"
	SizeCategoryLessSignificant SizeCategory = "LESS_SIGNIFICANT"
	SizeCategorySmall           SizeCategory = "SMALL"
)
// ProviderLocation is where an ICT service provider is located, for the
// purpose of third-country transfer assessment. Decoded from JSON input
// (ICTService.ProviderLocation).
type ProviderLocation string

const (
	ProviderLocationEU ProviderLocation = "EU"
	ProviderLocationEEA ProviderLocation = "EEA"
	// ProviderLocationAdequacyDecision: a third country covered by an EU adequacy decision.
	ProviderLocationAdequacyDecision ProviderLocation = "ADEQUACY_DECISION"
	// ProviderLocationThirdCountry: a third country without an adequacy decision.
	ProviderLocationThirdCountry ProviderLocation = "THIRD_COUNTRY"
)
// FinancialEntity describes the financial institution running the use case.
// Decoded from JSON input as part of FinancialContext.
type FinancialEntity struct {
	Type         FinancialEntityType `json:"type"`
	Regulated    bool                `json:"regulated"` // Whether the entity is under financial supervision
	SizeCategory SizeCategory        `json:"size_category"`
}
// ICTService describes the ICT service characteristics relevant to DORA
// (critical/outsourced service, provider location, concentration risk).
// Decoded from JSON input as part of FinancialContext.
type ICTService struct {
	IsCritical        bool             `json:"is_critical"`
	IsOutsourced      bool             `json:"is_outsourced"`
	ProviderLocation  ProviderLocation `json:"provider_location"`
	ConcentrationRisk bool             `json:"concentration_risk"` // Dependence on a single provider
}
// FinancialAIApplication flags financial-sector-specific uses of the AI
// system. Decoded from JSON input as part of FinancialContext.
type FinancialAIApplication struct {
	AffectsCustomerDecisions bool `json:"affects_customer_decisions"`
	AlgorithmicTrading       bool `json:"algorithmic_trading"`
	RiskAssessment           bool `json:"risk_assessment"`
	AMLKYC                   bool `json:"aml_kyc"` // Anti-money-laundering / know-your-customer
	ModelValidationDone      bool `json:"model_validation_done"`
}
// FinancialContext aggregates the financial-regulation-specific input
// (DORA, MaRisk, BAIT). It is optional on UseCaseIntake and only meaningful
// for the financial domains.
type FinancialContext struct {
	FinancialEntity FinancialEntity        `json:"financial_entity"`
	ICTService      ICTService             `json:"ict_service"`
	AIApplication   FinancialAIApplication `json:"ai_application"`
}
// ============================================================================
|
|
// Output Structs
|
|
// ============================================================================
|
|
|
|
// AssessmentResult is the complete evaluation produced for a UseCaseIntake.
// The slice fields are encoded as JSON null when nil; initialise them to
// empty slices if the API contract requires `[]`.
type AssessmentResult struct {
	// Overall verdict
	Feasibility Feasibility `json:"feasibility"`
	RiskLevel   RiskLevel   `json:"risk_level"`
	Complexity  Complexity  `json:"complexity"`
	RiskScore   int         `json:"risk_score"` // 0-100

	// Triggered rules
	TriggeredRules []TriggeredRule `json:"triggered_rules"`

	// Required controls/mitigations
	RequiredControls []RequiredControl `json:"required_controls"`

	// Recommended architecture patterns
	RecommendedArchitecture []PatternRecommendation `json:"recommended_architecture"`

	// Patterns that must NOT be used
	ForbiddenPatterns []ForbiddenPattern `json:"forbidden_patterns"`

	// Matching didactic examples
	ExampleMatches []ExampleMatch `json:"example_matches"`

	// Special flags
	DSFARecommended bool            `json:"dsfa_recommended"` // Data protection impact assessment (DSFA/DPIA) recommended
	Art22Risk       bool            `json:"art22_risk"`       // Art. 22 GDPR automated decision risk
	TrainingAllowed TrainingAllowed `json:"training_allowed"`

	// Summary for humans
	Summary             string `json:"summary"`
	Recommendation      string `json:"recommendation"`
	AlternativeApproach string `json:"alternative_approach,omitempty"`
}
// TriggeredRule records one policy rule that fired during evaluation,
// including its contribution to the risk score.
type TriggeredRule struct {
	Code        string   `json:"code"`     // e.g., "R-001"
	Category    string   `json:"category"` // e.g., "A. Datenklassifikation" (category label, currently German)
	Title       string   `json:"title"`
	Description string   `json:"description"`
	Severity    Severity `json:"severity"`
	ScoreDelta  int      `json:"score_delta"`        // Amount added to AssessmentResult.RiskScore
	GDPRRef     string   `json:"gdpr_ref,omitempty"` // e.g., "Art. 9 DSGVO" (GDPR article reference)
	Rationale   string   `json:"rationale"`          // Why this rule triggered
}
// RequiredControl is a mitigation that must be implemented for the use case
// to be feasible.
type RequiredControl struct {
	ID          string   `json:"id"`
	Title       string   `json:"title"`
	Description string   `json:"description"`
	Severity    Severity `json:"severity"`
	Category    string   `json:"category"` // "technical" or "organizational"
	GDPRRef     string   `json:"gdpr_ref,omitempty"`
}
// PatternRecommendation is an architecture pattern recommended for the use
// case, with a rationale and a priority for ordering.
type PatternRecommendation struct {
	PatternID   string `json:"pattern_id"` // e.g., "P-RAG-ONLY"
	Title       string `json:"title"`
	Description string `json:"description"`
	Rationale   string `json:"rationale"`
	Priority    int    `json:"priority"` // 1=highest
}
// ForbiddenPattern is an architecture pattern that must NOT be used for the
// use case, with the reason and, where applicable, the GDPR reference.
type ForbiddenPattern struct {
	PatternID   string `json:"pattern_id"`
	Title       string `json:"title"`
	Description string `json:"description"`
	Reason      string `json:"reason"`
	GDPRRef     string `json:"gdpr_ref,omitempty"`
}
// ExampleMatch is a didactic example judged similar to the assessed use
// case, with its outcome and lessons.
type ExampleMatch struct {
	ExampleID   string  `json:"example_id"`
	Title       string  `json:"title"`
	Description string  `json:"description"`
	Similarity  float64 `json:"similarity"` // 0.0 - 1.0
	Outcome     string  `json:"outcome"`    // What happened / recommendation
	Lessons     string  `json:"lessons"`    // Key takeaways
}
// ============================================================================
|
|
// Database Entity
|
|
// ============================================================================
|
|
|
|
// Assessment is the persisted form of an assessment: the tenant scope, the
// intake that was evaluated, the evaluation results and audit fields.
//
// Tenant isolation: TenantID (and the optional NamespaceID) is the scoping
// key; NOTE(review): every read of this entity is expected to be filtered by
// the caller's tenant — confirm in the repository/handler layer.
type Assessment struct {
	ID            uuid.UUID  `json:"id"`
	TenantID      uuid.UUID  `json:"tenant_id"`
	NamespaceID   *uuid.UUID `json:"namespace_id,omitempty"`
	Title         string     `json:"title"`
	PolicyVersion string     `json:"policy_version"` // Version of the rule set that produced the results
	Status        string     `json:"status"`         // "completed", "draft"

	// Input. Intake embeds UseCaseText; UseCaseTextStored / UseCaseTextHash
	// describe whether the raw text was kept or only its hash.
	// NOTE(review): nothing in this type clears Intake.UseCaseText when
	// Intake.StoreRawText is false — confirm the persistence layer does so
	// before this struct is written or returned.
	Intake            UseCaseIntake `json:"intake"`
	UseCaseTextStored bool          `json:"use_case_text_stored"`
	UseCaseTextHash   string        `json:"use_case_text_hash"` // Hash algorithm not specified here

	// Results (mirrors AssessmentResult)
	Feasibility             Feasibility             `json:"feasibility"`
	RiskLevel               RiskLevel               `json:"risk_level"`
	Complexity              Complexity              `json:"complexity"`
	RiskScore               int                     `json:"risk_score"`
	TriggeredRules          []TriggeredRule         `json:"triggered_rules"`
	RequiredControls        []RequiredControl       `json:"required_controls"`
	RecommendedArchitecture []PatternRecommendation `json:"recommended_architecture"`
	ForbiddenPatterns       []ForbiddenPattern      `json:"forbidden_patterns"`
	ExampleMatches          []ExampleMatch          `json:"example_matches"`
	DSFARecommended         bool                    `json:"dsfa_recommended"`
	Art22Risk               bool                    `json:"art22_risk"`
	TrainingAllowed         TrainingAllowed         `json:"training_allowed"`

	// LLM Explanation (optional); all three are nil until an explanation
	// has been generated.
	ExplanationText        *string    `json:"explanation_text,omitempty"`
	ExplanationGeneratedAt *time.Time `json:"explanation_generated_at,omitempty"`
	ExplanationModel       *string    `json:"explanation_model,omitempty"`

	// Domain
	Domain Domain `json:"domain"`

	// Audit
	CreatedAt time.Time `json:"created_at"`
	UpdatedAt time.Time `json:"updated_at"`
	CreatedBy uuid.UUID `json:"created_by"`
}
// ============================================================================
|
|
// API Request/Response Types
|
|
// ============================================================================
|
|
|
|
// AssessRequest is the API request body for creating an assessment. The
// embedded intake is untrusted input; see UseCaseIntake.
type AssessRequest struct {
	Intake UseCaseIntake `json:"intake"`
}
// AssessResponse is the API response for an assessment: the stored entity,
// the evaluation result, and an optional escalation.
// NOTE(review): Assessment carries the full Intake (including
// UseCaseText) back to the client; Escalation is declared elsewhere.
type AssessResponse struct {
	Assessment Assessment       `json:"assessment"`
	Result     AssessmentResult `json:"result"`
	Escalation *Escalation      `json:"escalation,omitempty"`
}
// ExplainRequest is the API request body for generating an explanation.
type ExplainRequest struct {
	// Language is a free-form string from the client; expected "de" or "en",
	// default "de". Compare against that allow-list rather than passing it
	// through unchecked.
	Language string `json:"language,omitempty"`
}
// ExplainResponse is the API response for an explanation. LegalContext is
// declared elsewhere and omitted when nil.
type ExplainResponse struct {
	ExplanationText string        `json:"explanation_text"`
	GeneratedAt     time.Time     `json:"generated_at"`
	Model           string        `json:"model"` // Identifier of the model that produced the text
	LegalContext    *LegalContext `json:"legal_context,omitempty"`
}
// ExportFormat selects the serialisation used when exporting an assessment.
// If it is taken from a request parameter, compare against the constants
// below before use.
type ExportFormat string

const (
	ExportFormatJSON     ExportFormat = "json"
	ExportFormatMarkdown ExportFormat = "md"
)