3320ef94fc
Squash of branch refactor/phase0-guardrails-and-models-split — 4 commits,
81 files, 173/173 pytest green, OpenAPI contract preserved (360 paths /
484 operations).
## Phase 0 — Architecture guardrails
Three defense-in-depth layers to keep the architecture rules enforced
regardless of who opens Claude Code in this repo:
1. .claude/settings.json PreToolUse hook on Write/Edit blocks any file
that would exceed the 500-line hard cap. Auto-loads in every Claude
session in this repo.
2. scripts/githooks/pre-commit (install via scripts/install-hooks.sh)
enforces the LOC cap locally, freezes migrations/ without
[migration-approved], and protects guardrail files without
[guardrail-change].
3. .gitea/workflows/ci.yaml gains loc-budget + guardrail-integrity +
sbom-scan (syft+grype) jobs, adds mypy --strict for the new Python
packages (compliance/{services,repositories,domain,schemas}), and
tsc --noEmit for admin-compliance + developer-portal.
Per-language conventions documented in AGENTS.python.md, AGENTS.go.md,
AGENTS.typescript.md at the repo root — layering, tooling, and explicit
"what you may NOT do" lists. Root CLAUDE.md is prepended with the six
non-negotiable rules. Each of the 10 services gets a README.md.
scripts/check-loc.sh enforces soft 300 / hard 500 and surfaces the
current baseline of 205 hard + 161 soft violations so Phases 1-4 can
drain it incrementally. CI gates only CHANGED files in PRs so the
legacy baseline does not block unrelated work.
## Deprecation sweep
47 files. Pydantic V1 regex= -> pattern= (2 sites), class Config ->
ConfigDict in source_policy_router.py (schemas.py intentionally skipped;
it is the Phase 1 Step 3 split target). datetime.utcnow() ->
datetime.now(timezone.utc) everywhere including SQLAlchemy default=
callables. All DB columns already declare timezone=True, so this is a
latent-bug fix at the Python side, not a schema change.
DeprecationWarning count dropped from 158 to 35.
## Phase 1 Step 1 — Contract test harness
tests/contracts/test_openapi_baseline.py diffs the live FastAPI /openapi.json
against tests/contracts/openapi.baseline.json on every test run. Fails on
removed paths, removed status codes, or new required request body fields.
Regenerate only via tests/contracts/regenerate_baseline.py after a
consumer-updated contract change. This is the safety harness for all
subsequent refactor commits.
## Phase 1 Step 2 — models.py split (1466 -> 85 LOC shim)
compliance/db/models.py is decomposed into seven sibling aggregate modules
following the existing repo pattern (dsr_models.py, vvt_models.py, ...):
regulation_models.py (134) — Regulation, Requirement
control_models.py (279) — Control, Mapping, Evidence, Risk
ai_system_models.py (141) — AISystem, AuditExport
service_module_models.py (176) — ServiceModule, ModuleRegulation, ModuleRisk
audit_session_models.py (177) — AuditSession, AuditSignOff
isms_governance_models.py (323) — ISMSScope, Context, Policy, Objective, SoA
isms_audit_models.py (468) — Finding, CAPA, MgmtReview, InternalAudit,
AuditTrail, Readiness
models.py becomes an 85-line re-export shim in dependency order so
existing imports continue to work unchanged. Schema is byte-identical:
__tablename__, column definitions, relationship strings, back_populates,
cascade directives all preserved.
All new sibling files are under the 500-line hard cap; largest is
isms_audit_models.py at 468. No file in compliance/db/ now exceeds
the hard cap.
## Phase 1 Step 3 — infrastructure only
backend-compliance/compliance/{schemas,domain,repositories}/ packages
are created as landing zones with docstrings. compliance/domain/
exports DomainError / NotFoundError / ConflictError / ValidationError /
PermissionError — the base classes services will use to raise
domain-level errors instead of HTTPException.
PHASE1_RUNBOOK.md at backend-compliance/PHASE1_RUNBOOK.md documents
the nine-step execution plan for Phase 1: snapshot baseline,
characterization tests, split models.py (this commit), split schemas.py
(next), extract services, extract repositories, mypy --strict, coverage.
## Verification
backend-compliance/.venv-phase1: uv python install 3.12 + pip -r requirements.txt
PYTHONPATH=. pytest compliance/tests/ tests/contracts/
-> 173 passed, 0 failed, 35 warnings, OpenAPI 360/484 unchanged
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
324 lines
12 KiB
Python
324 lines
12 KiB
Python
"""
|
|
ISMS Governance models (ISO 27001 Kapitel 4-6) — extracted from compliance/db/models.py.
|
|
|
|
Covers the documentation and planning side of the ISMS: scope, context,
|
|
policies, security objectives, and the Statement of Applicability. The audit
|
|
execution side (findings, CAPA, management reviews, internal audits, audit
|
|
trail, readiness checks) lives in ``isms_audit_models.py``.
|
|
|
|
Re-exported from ``compliance.db.models`` for backwards compatibility.
|
|
|
|
DO NOT change __tablename__, column names, or relationship strings — the
|
|
database schema is frozen.
|
|
"""
|
|
|
|
import uuid
|
|
import enum
|
|
from datetime import datetime, date, timezone
|
|
|
|
from sqlalchemy import (
|
|
Column, String, Text, Integer, Boolean, DateTime, Date,
|
|
ForeignKey, Enum, JSON, Index,
|
|
)
|
|
|
|
from classroom_engine.database import Base
|
|
|
|
|
|
# ============================================================================
|
|
# SHARED GOVERNANCE ENUMS
|
|
# ============================================================================
|
|
|
|
class ApprovalStatusEnum(str, enum.Enum):
|
|
"""Approval status for ISMS documents."""
|
|
DRAFT = "draft"
|
|
UNDER_REVIEW = "under_review"
|
|
APPROVED = "approved"
|
|
SUPERSEDED = "superseded"
|
|
|
|
|
|
# ============================================================================
|
|
# MODELS
|
|
# ============================================================================
|
|
|
|
class ISMSScopeDB(Base):
|
|
"""
|
|
ISMS Scope Definition (ISO 27001 Kapitel 4.3)
|
|
|
|
Defines the boundaries and applicability of the ISMS.
|
|
This is MANDATORY for certification.
|
|
"""
|
|
__tablename__ = 'compliance_isms_scope'
|
|
|
|
id = Column(String(36), primary_key=True, default=lambda: str(uuid.uuid4()))
|
|
version = Column(String(20), nullable=False, default="1.0")
|
|
|
|
# Scope definition
|
|
scope_statement = Column(Text, nullable=False) # Main scope text
|
|
included_locations = Column(JSON) # List of locations
|
|
included_processes = Column(JSON) # List of processes
|
|
included_services = Column(JSON) # List of services/products
|
|
excluded_items = Column(JSON) # Explicitly excluded items
|
|
exclusion_justification = Column(Text) # Why items are excluded
|
|
|
|
# Boundaries
|
|
organizational_boundary = Column(Text) # Legal entity, departments
|
|
physical_boundary = Column(Text) # Locations, networks
|
|
technical_boundary = Column(Text) # Systems, applications
|
|
|
|
# Approval
|
|
status = Column(Enum(ApprovalStatusEnum), default=ApprovalStatusEnum.DRAFT)
|
|
approved_by = Column(String(100))
|
|
approved_at = Column(DateTime)
|
|
approval_signature = Column(String(64)) # SHA-256 hash
|
|
|
|
# Validity
|
|
effective_date = Column(Date)
|
|
review_date = Column(Date) # Next mandatory review
|
|
|
|
# Timestamps
|
|
created_at = Column(DateTime, default=lambda: datetime.now(timezone.utc))
|
|
updated_at = Column(DateTime, default=lambda: datetime.now(timezone.utc), onupdate=lambda: datetime.now(timezone.utc))
|
|
created_by = Column(String(100))
|
|
updated_by = Column(String(100))
|
|
|
|
__table_args__ = (
|
|
Index('ix_isms_scope_status', 'status'),
|
|
)
|
|
|
|
def __repr__(self):
|
|
return f"<ISMSScope v{self.version} ({self.status.value})>"
|
|
|
|
|
|
class ISMSContextDB(Base):
|
|
"""
|
|
ISMS Context (ISO 27001 Kapitel 4.1, 4.2)
|
|
|
|
Documents internal/external issues and interested parties.
|
|
"""
|
|
__tablename__ = 'compliance_isms_context'
|
|
|
|
id = Column(String(36), primary_key=True, default=lambda: str(uuid.uuid4()))
|
|
version = Column(String(20), nullable=False, default="1.0")
|
|
|
|
# 4.1 Internal issues
|
|
internal_issues = Column(JSON) # List of {"issue": "", "impact": "", "treatment": ""}
|
|
|
|
# 4.1 External issues
|
|
external_issues = Column(JSON) # List of {"issue": "", "impact": "", "treatment": ""}
|
|
|
|
# 4.2 Interested parties
|
|
interested_parties = Column(JSON) # List of {"party": "", "requirements": [], "relevance": ""}
|
|
|
|
# Legal/regulatory requirements
|
|
regulatory_requirements = Column(JSON) # DSGVO, AI Act, etc.
|
|
contractual_requirements = Column(JSON) # Customer contracts
|
|
|
|
# Analysis
|
|
swot_strengths = Column(JSON)
|
|
swot_weaknesses = Column(JSON)
|
|
swot_opportunities = Column(JSON)
|
|
swot_threats = Column(JSON)
|
|
|
|
# Approval
|
|
status = Column(Enum(ApprovalStatusEnum), default=ApprovalStatusEnum.DRAFT)
|
|
approved_by = Column(String(100))
|
|
approved_at = Column(DateTime)
|
|
|
|
# Review
|
|
last_reviewed_at = Column(DateTime)
|
|
next_review_date = Column(Date)
|
|
|
|
# Timestamps
|
|
created_at = Column(DateTime, default=lambda: datetime.now(timezone.utc))
|
|
updated_at = Column(DateTime, default=lambda: datetime.now(timezone.utc), onupdate=lambda: datetime.now(timezone.utc))
|
|
|
|
def __repr__(self):
|
|
return f"<ISMSContext v{self.version}>"
|
|
|
|
|
|
class ISMSPolicyDB(Base):
|
|
"""
|
|
ISMS Policies (ISO 27001 Kapitel 5.2)
|
|
|
|
Information security policy and sub-policies.
|
|
"""
|
|
__tablename__ = 'compliance_isms_policies'
|
|
|
|
id = Column(String(36), primary_key=True, default=lambda: str(uuid.uuid4()))
|
|
policy_id = Column(String(30), unique=True, nullable=False, index=True) # e.g., "POL-ISMS-001"
|
|
|
|
# Policy details
|
|
title = Column(String(200), nullable=False)
|
|
policy_type = Column(String(50), nullable=False) # "master", "operational", "technical"
|
|
description = Column(Text)
|
|
policy_text = Column(Text, nullable=False) # Full policy content
|
|
|
|
# Scope
|
|
applies_to = Column(JSON) # Roles, departments, systems
|
|
|
|
# Document control
|
|
version = Column(String(20), nullable=False, default="1.0")
|
|
status = Column(Enum(ApprovalStatusEnum), default=ApprovalStatusEnum.DRAFT)
|
|
|
|
# Approval chain
|
|
authored_by = Column(String(100))
|
|
reviewed_by = Column(String(100))
|
|
approved_by = Column(String(100)) # Must be top management
|
|
approved_at = Column(DateTime)
|
|
approval_signature = Column(String(64))
|
|
|
|
# Validity
|
|
effective_date = Column(Date)
|
|
review_frequency_months = Column(Integer, default=12)
|
|
next_review_date = Column(Date)
|
|
|
|
# References
|
|
parent_policy_id = Column(String(36), ForeignKey('compliance_isms_policies.id'))
|
|
related_controls = Column(JSON) # List of control_ids
|
|
|
|
# Document path
|
|
document_path = Column(String(500)) # Link to full document
|
|
|
|
# Timestamps
|
|
created_at = Column(DateTime, default=lambda: datetime.now(timezone.utc))
|
|
updated_at = Column(DateTime, default=lambda: datetime.now(timezone.utc), onupdate=lambda: datetime.now(timezone.utc))
|
|
|
|
__table_args__ = (
|
|
Index('ix_policy_type_status', 'policy_type', 'status'),
|
|
)
|
|
|
|
def __repr__(self):
|
|
return f"<ISMSPolicy {self.policy_id}: {self.title}>"
|
|
|
|
|
|
class SecurityObjectiveDB(Base):
|
|
"""
|
|
Security Objectives (ISO 27001 Kapitel 6.2)
|
|
|
|
Measurable information security objectives.
|
|
"""
|
|
__tablename__ = 'compliance_security_objectives'
|
|
|
|
id = Column(String(36), primary_key=True, default=lambda: str(uuid.uuid4()))
|
|
objective_id = Column(String(30), unique=True, nullable=False, index=True) # e.g., "OBJ-001"
|
|
|
|
# Objective definition
|
|
title = Column(String(200), nullable=False)
|
|
description = Column(Text)
|
|
category = Column(String(50)) # "availability", "confidentiality", "integrity", "compliance"
|
|
|
|
# SMART criteria
|
|
specific = Column(Text) # What exactly
|
|
measurable = Column(Text) # How measured
|
|
achievable = Column(Text) # Is it realistic
|
|
relevant = Column(Text) # Why important
|
|
time_bound = Column(Text) # Deadline
|
|
|
|
# Metrics
|
|
kpi_name = Column(String(100))
|
|
kpi_target = Column(String(100)) # Target value
|
|
kpi_current = Column(String(100)) # Current value
|
|
kpi_unit = Column(String(50)) # %, count, score
|
|
measurement_frequency = Column(String(50)) # monthly, quarterly
|
|
|
|
# Responsibility
|
|
owner = Column(String(100))
|
|
accountable = Column(String(100)) # RACI: Accountable
|
|
|
|
# Status
|
|
status = Column(String(30), default="active") # active, achieved, not_achieved, cancelled
|
|
progress_percentage = Column(Integer, default=0)
|
|
|
|
# Timeline
|
|
target_date = Column(Date)
|
|
achieved_date = Column(Date)
|
|
|
|
# Linked items
|
|
related_controls = Column(JSON)
|
|
related_risks = Column(JSON)
|
|
|
|
# Approval
|
|
approved_by = Column(String(100))
|
|
approved_at = Column(DateTime)
|
|
|
|
# Timestamps
|
|
created_at = Column(DateTime, default=lambda: datetime.now(timezone.utc))
|
|
updated_at = Column(DateTime, default=lambda: datetime.now(timezone.utc), onupdate=lambda: datetime.now(timezone.utc))
|
|
|
|
__table_args__ = (
|
|
Index('ix_objective_status', 'status'),
|
|
Index('ix_objective_category', 'category'),
|
|
)
|
|
|
|
def __repr__(self):
|
|
return f"<SecurityObjective {self.objective_id}: {self.title}>"
|
|
|
|
|
|
class StatementOfApplicabilityDB(Base):
|
|
"""
|
|
Statement of Applicability (SoA) - ISO 27001 Anhang A Mapping
|
|
|
|
Documents which Annex A controls are applicable and why.
|
|
This is MANDATORY for certification.
|
|
"""
|
|
__tablename__ = 'compliance_soa'
|
|
|
|
id = Column(String(36), primary_key=True, default=lambda: str(uuid.uuid4()))
|
|
|
|
# ISO 27001:2022 Annex A reference
|
|
annex_a_control = Column(String(20), nullable=False, index=True) # e.g., "A.5.1"
|
|
annex_a_title = Column(String(300), nullable=False)
|
|
annex_a_category = Column(String(100)) # "Organizational", "People", "Physical", "Technological"
|
|
|
|
# Applicability decision
|
|
is_applicable = Column(Boolean, nullable=False)
|
|
applicability_justification = Column(Text, nullable=False) # MUST be documented
|
|
|
|
# Implementation status
|
|
implementation_status = Column(String(30), default="planned") # planned, partial, implemented, not_implemented
|
|
implementation_notes = Column(Text)
|
|
|
|
# Mapping to our controls
|
|
breakpilot_control_ids = Column(JSON) # List of our control_ids that address this
|
|
coverage_level = Column(String(20), default="full") # full, partial, planned
|
|
|
|
# Evidence
|
|
evidence_description = Column(Text)
|
|
evidence_ids = Column(JSON) # Links to EvidenceDB
|
|
|
|
# Risk-based justification (for exclusions)
|
|
risk_assessment_notes = Column(Text) # If not applicable, explain why
|
|
compensating_controls = Column(Text) # If partial, explain compensating measures
|
|
|
|
# Approval
|
|
reviewed_by = Column(String(100))
|
|
reviewed_at = Column(DateTime)
|
|
approved_by = Column(String(100))
|
|
approved_at = Column(DateTime)
|
|
|
|
# Version tracking
|
|
version = Column(String(20), default="1.0")
|
|
|
|
# Timestamps
|
|
created_at = Column(DateTime, default=lambda: datetime.now(timezone.utc))
|
|
updated_at = Column(DateTime, default=lambda: datetime.now(timezone.utc), onupdate=lambda: datetime.now(timezone.utc))
|
|
|
|
__table_args__ = (
|
|
Index('ix_soa_annex_control', 'annex_a_control', unique=True),
|
|
Index('ix_soa_applicable', 'is_applicable'),
|
|
Index('ix_soa_status', 'implementation_status'),
|
|
)
|
|
|
|
def __repr__(self):
|
|
return f"<SoA {self.annex_a_control}: {'Applicable' if self.is_applicable else 'N/A'}>"
|
|
|
|
|
|
__all__ = [
|
|
"ApprovalStatusEnum",
|
|
"ISMSScopeDB",
|
|
"ISMSContextDB",
|
|
"ISMSPolicyDB",
|
|
"SecurityObjectiveDB",
|
|
"StatementOfApplicabilityDB",
|
|
]
|