Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
caf33ea2959f13d9cc893121abe816e8842eb696
breakpilot-compliance/backend-compliance/compliance/data/template_rule_seed_data.py
T
Benjamin Admin bb183b0e75
CI / detect-changes (push) Successful in 12s
Details
CI / branch-name (push) Has been skipped
Details
CI / test-python-backend (push) Successful in 33s
Details
CI / test-python-document-crawler (push) Successful in 23s
Details
CI / test-python-dsms-gateway (push) Successful in 19s
Details
CI / guardrail-integrity (push) Has been skipped
Details
CI / secret-scan (push) Has been skipped
Details
CI / dep-audit (push) Has been skipped
Details
CI / sbom-scan (push) Has been skipped
Details
CI / build-sha-integrity (push) Failing after 7s
Details
CI / validate-canonical-controls (push) Successful in 16s
Details
CI / loc-budget (push) Failing after 18s
Details
CI / go-lint (push) Has been skipped
Details
CI / python-lint (push) Has been skipped
Details
CI / nodejs-lint (push) Has been skipped
Details
CI / nodejs-build (push) Successful in 2m27s
Details
CI / test-go (push) Failing after 46s
Details
CI / iace-gt-coverage (push) Successful in 25s
Details
feat(template-rules): backend foundation for profile-based document recommendations 
Introduces the sustainable backend replacement for the hardcoded inline rules in
admin-compliance/app/sdk/document-generator/templateRecommendations.ts.

What's in this commit (Phase 1.1 - 1.5 of the rustling-yawning-boot plan):

- Migration 147: 4 new tables
  - compliance_template_rules (rule shell, document_type, current_version_id)
  - compliance_template_rule_versions (lifecycle, JSONB conditions,
    source_citation, change_summary, approval timestamps)
  - compliance_template_rule_approvals (audit trail)
  - compliance_tenant_rule_overrides (per-tenant classification overrides)
  Plus partial unique index for "only one is_live=1 version per rule".

- SQLAlchemy models: TemplateRuleDB, TemplateRuleVersionDB,
  TemplateRuleApprovalDB, TenantRuleOverrideDB (compliance/db/).

- Pydantic schemas (compliance/schemas/template_rule.py): full request/response
  set including RecommendationRequest/Result with reasons and override tracking.

- TemplateRuleService (compliance/services/): CRUD + Lifecycle transitions
  (submit_for_review/approve/publish/reject) following legal_document_service.py
  pattern with _transition() helper and approval audit trail. Plus tenant
  override upsert.

- RecommendationService: condition evaluator (eq, neq, in, not_in, gte/lte/gt/lt,
  exists, truthy) over JSONB conditions, override application, reason generation
  for human-readable explanations in workspace UI.

- 18 FastAPI routes in compliance/api/template_rule_routes.py covering rule CRUD,
  version lifecycle, override management and POST /recommend evaluation endpoint.

- Seed data: 33 initial rules ported from templateRecommendations.ts in
  compliance/data/template_rule_seed_data.py, written as published versions
  on first seed run. Idempotent via rule_key.

Phase 1.6 (pytest suite) and Phase 2 (editorial UI in admin-compliance) follow
in separate commits.

[migration-approved]

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-06 23:13:50 +02:00

336 lines
14 KiB
Python
Raw Blame History

"""
Seed-Daten für ``compliance_template_rules`` — die 33 Initial-Regeln, die aus
``admin-compliance/app/sdk/document-generator/templateRecommendations.ts``
übernommen wurden.
Reine Datenstruktur — die Logik liegt in ``scripts/seed_template_rules.py``.
"""
from typing import Any
def _level_clause(*levels: str) -> dict:
return {"field": "compliance_depth_level", "op": "in", "value": list(levels)}
SEED_RULES: list[dict[str, Any]] = [
{
"rule_key": "employee_dsi_required_with_employees",
"document_type": "employee_dsi",
"title": "Datenschutzinformation für Mitarbeiter",
"classification": "required",
"conditions": {"kind": "any", "clauses": [
{"field": "org_has_employees", "op": "eq", "value": "yes"},
{"field": "org_employee_count", "op": "not_in",
"value": ["none", "0", "1_9"]},
]},
"rationale": "Art. 13 DSGVO Informationspflichten gegenüber Beschäftigten.",
},
{
"rule_key": "applicant_dsi_recommended_with_employees",
"document_type": "applicant_dsi",
"title": "Datenschutzinformation für Bewerber",
"classification": "recommended",
"conditions": {"kind": "any", "clauses": [
{"field": "org_has_employees", "op": "eq", "value": "yes"},
{"field": "org_employee_count", "op": "not_in",
"value": ["none", "0"]},
]},
"rationale": "Empfehlenswert, sobald Bewerbungsdaten verarbeitet werden.",
},
{
"rule_key": "whistleblower_required_50plus",
"document_type": "whistleblower_policy",
"title": "Hinweisgeberschutz-Richtlinie (HinSchG)",
"classification": "required",
"conditions": {"kind": "all", "clauses": [
{"field": "org_employee_count", "op": "in",
"value": ["50_249", "250_999", "1000_plus"]},
]},
"rationale": "§ 12 HinSchG — Pflicht ab 50 Beschäftigten.",
},
{
"rule_key": "ai_usage_required_when_ai_used",
"document_type": "ai_usage_policy",
"title": "KI-Nutzungsrichtlinie",
"classification": "required",
"conditions": {"kind": "any", "clauses": [
{"field": "proc_ai_usage", "op": "not_in", "value": ["none", "no"]},
{"field": "proc_uses_ai_tools", "op": "truthy"},
]},
"rationale": "AI Act + interne Governance bei KI-Einsatz.",
},
{
"rule_key": "byod_required_when_allowed",
"document_type": "byod_policy",
"title": "BYOD-Richtlinie (Bring Your Own Device)",
"classification": "required",
"conditions": {"kind": "all", "clauses": [
{"field": "proc_byod_allowed", "op": "eq", "value": "yes"},
]},
"rationale": "Erforderlich wenn private Geräte für Arbeit genutzt werden.",
},
{
"rule_key": "social_media_dsi_required",
"document_type": "social_media_dsi",
"title": "Datenschutzhinweis Social Media",
"classification": "required",
"conditions": {"kind": "all", "clauses": [
{"field": "org_has_social_media", "op": "eq", "value": "yes"},
]},
"rationale": "BVerfG/EuGH-Rechtsprechung zu gemeinsamer Verantwortlichkeit.",
},
{
"rule_key": "video_conference_dsi_recommended",
"document_type": "video_conference_dsi",
"title": "Datenschutzhinweis Videokonferenz",
"classification": "recommended",
"conditions": {"kind": "all", "clauses": [
{"field": "org_has_video_conferencing", "op": "eq", "value": "yes"},
]},
"rationale": "DSK Orientierungshilfe Videokonferenzsysteme.",
},
{
"rule_key": "information_security_required_l3plus",
"document_type": "information_security_policy",
"title": "Informationssicherheits-Richtlinie",
"classification": "required",
"conditions": {"kind": "all", "clauses": [_level_clause("L3", "L4")]},
"rationale": "Ab Compliance-Tiefe L3 (Strict) erforderlich.",
},
{
"rule_key": "password_recommended_l2plus",
"document_type": "password_policy",
"title": "Passwort-Richtlinie",
"classification": "recommended",
"conditions": {"kind": "all", "clauses": [_level_clause("L2", "L3", "L4")]},
"rationale": "Best Practice IT-Sicherheit ab L2.",
},
{
"rule_key": "encryption_recommended_l3plus",
"document_type": "encryption_policy",
"title": "Verschlüsselungs-Richtlinie",
"classification": "recommended",
"conditions": {"kind": "all", "clauses": [_level_clause("L3", "L4")]},
"rationale": "BSI-Empfehlung, ISO 27001 A.10.",
},
{
"rule_key": "access_control_recommended_l3plus",
"document_type": "access_control_policy",
"title": "Zugriffskontroll-Richtlinie",
"classification": "recommended",
"conditions": {"kind": "all", "clauses": [_level_clause("L3", "L4")]},
"rationale": "Art. 32 DSGVO i.V.m. ISO 27001 A.9.",
},
{
"rule_key": "it_security_required_l3plus",
"document_type": "it_security_concept",
"title": "IT-Sicherheitskonzept",
"classification": "required",
"conditions": {"kind": "all", "clauses": [_level_clause("L3", "L4")]},
"rationale": "BSI IT-Grundschutz / ISO 27001.",
},
{
"rule_key": "backup_recommended_l3plus",
"document_type": "backup_recovery_concept",
"title": "Backup- und Recovery-Konzept",
"classification": "recommended",
"conditions": {"kind": "all", "clauses": [_level_clause("L3", "L4")]},
"rationale": "Art. 32 DSGVO 'Verfügbarkeit + Belastbarkeit'.",
},
{
"rule_key": "logging_recommended_l3plus",
"document_type": "logging_concept",
"title": "Protokollierungskonzept",
"classification": "recommended",
"conditions": {"kind": "all", "clauses": [_level_clause("L3", "L4")]},
"rationale": "Art. 32 DSGVO + BSI IT-Grundschutz.",
},
{
"rule_key": "access_control_concept_recommended_l3plus",
"document_type": "access_control_concept",
"title": "Zugriffskonzept",
"classification": "recommended",
"conditions": {"kind": "all", "clauses": [_level_clause("L3", "L4")]},
"rationale": "ISO 27001 A.9 / BSI IT-Grundschutz ORP.4.",
},
{
"rule_key": "community_guidelines_required_ugc_platform",
"document_type": "community_guidelines",
"title": "Community-Richtlinien",
"classification": "required",
"conditions": {"kind": "any", "clauses": [
{"field": "prod_ugc_platform", "op": "eq", "value": "yes"},
{"field": "org_business_model", "op": "in",
"value": ["platform", "marketplace", "social"]},
]},
"rationale": "DSA + NetzDG für Plattformen mit nutzergeneriertem Inhalt.",
},
{
"rule_key": "terms_of_use_required_platforms",
"document_type": "terms_of_use",
"title": "Nutzungsbedingungen",
"classification": "required",
"conditions": {"kind": "any", "clauses": [
{"field": "prod_ugc_platform", "op": "eq", "value": "yes"},
{"field": "org_business_model", "op": "in",
"value": ["platform", "marketplace", "social", "saas"]},
]},
"rationale": "Plattform-/SaaS-Geschäft braucht klare Nutzungsregeln.",
},
{
"rule_key": "media_content_policy_recommended",
"document_type": "media_content_policy",
"title": "Medien-/Content-Policy",
"classification": "recommended",
"conditions": {"kind": "all", "clauses": [
{"field": "org_business_model", "op": "in", "value": ["platform", "media"]},
]},
"rationale": "Empfehlenswert für Media-/Plattform-Geschäftsmodelle.",
},
{
"rule_key": "widerruf_required_webshop",
"document_type": "widerruf",
"title": "Widerrufsbelehrung",
"classification": "required",
"conditions": {"kind": "all", "clauses": [
{"field": "prod_webshop", "op": "neq", "value": "no"},
]},
"rationale": "§§ 312g, 355 BGB bei Fernabsatzverträgen B2C.",
},
{
"rule_key": "consent_texts_recommended_with_consent_mgmt",
"document_type": "consent_texts",
"title": "Einwilligungstexte (Double-Opt-In)",
"classification": "recommended",
"conditions": {"kind": "all", "clauses": [
{"field": "prod_consent_management", "op": "neq", "value": "no"},
]},
"rationale": "§ 7 UWG + Art. 7 DSGVO.",
},
{
"rule_key": "impressum_always_required",
"document_type": "impressum",
"title": "Impressum",
"classification": "required",
"conditions": {"kind": "all", "clauses": []},
"rationale": "§ 5 TMG / § 18 MStV — gilt für jedes Telemedienangebot.",
},
{
"rule_key": "cookie_policy_always_required",
"document_type": "cookie_policy",
"title": "Cookie-Richtlinie",
"classification": "required",
"conditions": {"kind": "all", "clauses": []},
"rationale": "§ 25 TDDDG + Art. 5 (3) ePrivacy.",
},
{
"rule_key": "privacy_policy_always_required",
"document_type": "privacy_policy",
"title": "Datenschutzerklärung",
"classification": "required",
"conditions": {"kind": "all", "clauses": []},
"rationale": "Art. 13 DSGVO — gilt für jede Verarbeitung.",
},
{
"rule_key": "data_protection_policy_required_l2plus",
"document_type": "data_protection_policy",
"title": "Datenschutzleitlinie",
"classification": "required",
"conditions": {"kind": "all", "clauses": [_level_clause("L2", "L3", "L4")]},
"rationale": "Interne Leitlinie ab Standard-Compliance-Tiefe.",
},
{
"rule_key": "dsfa_required_when_flagged",
"document_type": "dsfa",
"title": "Datenschutz-Folgenabschätzung (DSFA)",
"classification": "required",
"conditions": {"kind": "any", "clauses": [
{"field": "proc_dsfa_required", "op": "eq", "value": "yes"},
{"field": "comp_dsfa_processes", "op": "eq", "value": "required"},
]},
"rationale": "Art. 35 DSGVO + DSK Muss-Liste.",
},
{
"rule_key": "dpa_required_with_processors",
"document_type": "dpa",
"title": "Auftragsverarbeitungsvertrag (AVV)",
"classification": "required",
"conditions": {"kind": "any", "clauses": [
{"field": "comp_has_processors", "op": "neq", "value": "no"},
{"field": "comp_vendor_management", "op": "neq", "value": "no"},
]},
"rationale": "Art. 28 DSGVO.",
},
{
"rule_key": "vvt_required_l2plus",
"document_type": "vvt_register",
"title": "Verzeichnis von Verarbeitungstätigkeiten (VVT)",
"classification": "required",
"conditions": {"kind": "all", "clauses": [_level_clause("L2", "L3", "L4")]},
"rationale": "Art. 30 DSGVO — Pflicht außer Ausnahmen § 30 Abs. 5.",
},
{
"rule_key": "tom_required_l2plus",
"document_type": "tom_documentation",
"title": "Technisch-Organisatorische Maßnahmen (TOM)",
"classification": "required",
"conditions": {"kind": "all", "clauses": [_level_clause("L2", "L3", "L4")]},
"rationale": "Art. 32 DSGVO Nachweispflicht.",
},
{
"rule_key": "loeschkonzept_required_l2plus",
"document_type": "loeschkonzept",
"title": "Löschkonzept",
"classification": "required",
"conditions": {"kind": "all", "clauses": [_level_clause("L2", "L3", "L4")]},
"rationale": "Art. 5 (1) e + Art. 17 DSGVO.",
},
{
"rule_key": "tia_required_third_country",
"document_type": "transfer_impact_assessment",
"title": "Transfer Impact Assessment (TIA)",
"classification": "required",
"conditions": {"kind": "all", "clauses": [
{"field": "tech_third_country", "op": "not_in",
"value": ["no", "us_dpf_only", "adequate_only"]},
]},
"rationale": "EuGH C-311/18 (Schrems II) + EDSA-Empfehlungen 01/2020.",
},
{
"rule_key": "isms_required_when_certifying",
"document_type": "isms_manual",
"title": "ISMS-Handbuch",
"classification": "required",
"conditions": {"kind": "all", "clauses": [
{"field": "org_cert_target", "op": "in",
"value": ["iso27001", "iso27701", "tisax"]},
]},
"rationale": "ISO 27001 / TISAX VDA-ISA Pflichtdokumentation.",
},
{
"rule_key": "vendor_risk_recommended",
"document_type": "vendor_risk_management_policy",
"title": "Lieferantenrisiko-Management",
"classification": "recommended",
"conditions": {"kind": "any", "clauses": [
{"field": "comp_vendor_management", "op": "neq", "value": "no"},
{"field": "compliance_depth_level", "op": "eq", "value": "L4"},
]},
"rationale": "Empfehlenswert bei aktivem Vendor-Management.",
},
{
"rule_key": "bcm_required_l4",
"document_type": "business_continuity_policy",
"title": "Business-Continuity-Richtlinie",
"classification": "required",
"conditions": {"kind": "all", "clauses": [
{"field": "compliance_depth_level", "op": "eq", "value": "L4"},
]},
"rationale": "BSI 200-4 / ISO 22301 für Zertifizierungsstufe.",
},
]
__all__ = ["SEED_RULES"]
Reference in New Issue View Git Blame Copy Permalink