3320ef94fc
Squash of branch refactor/phase0-guardrails-and-models-split — 4 commits,
81 files, 173/173 pytest green, OpenAPI contract preserved (360 paths /
484 operations).
## Phase 0 — Architecture guardrails
Three defense-in-depth layers to keep the architecture rules enforced
regardless of who opens Claude Code in this repo:
1. .claude/settings.json PreToolUse hook on Write/Edit blocks any file
that would exceed the 500-line hard cap. Auto-loads in every Claude
session in this repo.
2. scripts/githooks/pre-commit (install via scripts/install-hooks.sh)
enforces the LOC cap locally, freezes migrations/ without
[migration-approved], and protects guardrail files without
[guardrail-change].
3. .gitea/workflows/ci.yaml gains loc-budget + guardrail-integrity +
sbom-scan (syft+grype) jobs, adds mypy --strict for the new Python
packages (compliance/{services,repositories,domain,schemas}), and
tsc --noEmit for admin-compliance + developer-portal.
Per-language conventions documented in AGENTS.python.md, AGENTS.go.md,
AGENTS.typescript.md at the repo root — layering, tooling, and explicit
"what you may NOT do" lists. Root CLAUDE.md is prepended with the six
non-negotiable rules. Each of the 10 services gets a README.md.
scripts/check-loc.sh enforces soft 300 / hard 500 and surfaces the
current baseline of 205 hard + 161 soft violations so Phases 1-4 can
drain it incrementally. CI gates only CHANGED files in PRs so the
legacy baseline does not block unrelated work.
## Deprecation sweep
47 files. Pydantic V1 regex= -> pattern= (2 sites), class Config ->
ConfigDict in source_policy_router.py (schemas.py intentionally skipped;
it is the Phase 1 Step 3 split target). datetime.utcnow() ->
datetime.now(timezone.utc) everywhere including SQLAlchemy default=
callables. All DB columns already declare timezone=True, so this is a
latent-bug fix at the Python side, not a schema change.
DeprecationWarning count dropped from 158 to 35.
## Phase 1 Step 1 — Contract test harness
tests/contracts/test_openapi_baseline.py diffs the live FastAPI /openapi.json
against tests/contracts/openapi.baseline.json on every test run. Fails on
removed paths, removed status codes, or new required request body fields.
Regenerate only via tests/contracts/regenerate_baseline.py after a
consumer-updated contract change. This is the safety harness for all
subsequent refactor commits.
## Phase 1 Step 2 — models.py split (1466 -> 85 LOC shim)
compliance/db/models.py is decomposed into seven sibling aggregate modules
following the existing repo pattern (dsr_models.py, vvt_models.py, ...):
regulation_models.py (134) — Regulation, Requirement
control_models.py (279) — Control, Mapping, Evidence, Risk
ai_system_models.py (141) — AISystem, AuditExport
service_module_models.py (176) — ServiceModule, ModuleRegulation, ModuleRisk
audit_session_models.py (177) — AuditSession, AuditSignOff
isms_governance_models.py (323) — ISMSScope, Context, Policy, Objective, SoA
isms_audit_models.py (468) — Finding, CAPA, MgmtReview, InternalAudit,
AuditTrail, Readiness
models.py becomes an 85-line re-export shim in dependency order so
existing imports continue to work unchanged. Schema is byte-identical:
__tablename__, column definitions, relationship strings, back_populates,
cascade directives all preserved.
All new sibling files are under the 500-line hard cap; largest is
isms_audit_models.py at 468. No file in compliance/db/ now exceeds
the hard cap.
## Phase 1 Step 3 — infrastructure only
backend-compliance/compliance/{schemas,domain,repositories}/ packages
are created as landing zones with docstrings. compliance/domain/
exports DomainError / NotFoundError / ConflictError / ValidationError /
PermissionError — the base classes services will use to raise
domain-level errors instead of HTTPException.
PHASE1_RUNBOOK.md at backend-compliance/PHASE1_RUNBOOK.md documents
the nine-step execution plan for Phase 1: snapshot baseline,
characterization tests, split models.py (this commit), split schemas.py
(next), extract services, extract repositories, mypy --strict, coverage.
## Verification
backend-compliance/.venv-phase1: uv python install 3.12 + pip -r requirements.txt
PYTHONPATH=. pytest compliance/tests/ tests/contracts/
-> 173 passed, 0 failed, 35 warnings, OpenAPI 360/484 unchanged
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
3.9 KiB
3.9 KiB
AGENTS.python.md — Python Service Conventions
Applies to: backend-compliance/, document-crawler/, dsms-gateway/, compliance-tts-service/.
Layered architecture (FastAPI)
compliance/
├── api/ # HTTP layer — routers only. Thin (≤30 LOC per handler).
│ └── <domain>_routes.py
├── services/ # Business logic. Pure-ish; no FastAPI imports.
│ └── <domain>_service.py
├── repositories/ # DB access. Owns SQLAlchemy session usage.
│ └── <domain>_repository.py
├── domain/ # Value objects, enums, domain exceptions.
├── schemas/ # Pydantic models, split per domain. NEVER one giant schemas.py.
│ └── <domain>.py
└── db/
└── models/ # SQLAlchemy ORM, one module per aggregate. __tablename__ frozen.
Dependency direction: api → services → repositories → db.models. Lower layers must not import upper layers.
Routers
- One
APIRouterper domain file. - Handlers do exactly: parse request → call service → map domain errors to HTTPException → return response model.
- Inject services via
Depends. No globals. - Tag routes; document with summary + response_model.
@router.post("/dsr/requests", response_model=DSRRequestRead, status_code=201)
async def create_dsr_request(
payload: DSRRequestCreate,
service: DSRService = Depends(get_dsr_service),
tenant_id: UUID = Depends(get_tenant_id),
) -> DSRRequestRead:
try:
return await service.create(tenant_id, payload)
except DSRConflict as exc:
raise HTTPException(409, str(exc)) from exc
Services
- Constructor takes the repository (interface, not concrete).
- No
Request,Response, or HTTP knowledge. - Raise domain exceptions (e.g.
DSRConflict,DSRNotFound), neverHTTPException. - Return domain objects or Pydantic schemas — pick one and stay consistent inside a service.
Repositories
- Methods are intent-named (
get_pending_for_tenant), not CRUD-named (select_where). - Sessions injected, not constructed inside.
- No business logic. No cross-aggregate joins for unrelated workflows — that belongs in a service.
- Return ORM models or domain VOs; never
Row.
Schemas (Pydantic v2)
- One module per domain. Module ≤300 lines.
- Use
model_config = ConfigDict(from_attributes=True, frozen=True)for read models. - Separate
*Create,*Update,*Read. No giant union schemas.
Tests (pytest)
- Layout:
tests/unit/,tests/integration/,tests/contracts/. - Unit tests mock the repository. Use
pytest.fixture+unittest.mock.AsyncMock. - Integration tests run against the real Postgres from
docker-compose.ymlvia a transactional fixture (rollback after each test). - Contract tests diff
/openapi.jsonagainsttests/contracts/openapi.baseline.json. - Naming:
test_<unit>_<scenario>_<expected>.py::TestClass::test_method. pytest-asynciomode =auto. Mark slow tests with@pytest.mark.slow.- Coverage target: 80% for new code; never decrease the service baseline.
Tooling
ruff check+ruff format(line length 100).mypy --strictonservices/,repositories/,domain/. Expand outward.pip-auditin CI.- Async-first: prefer
httpx.AsyncClient,asyncpg/SQLAlchemy 2.x async.
Errors & logging
- Domain errors inherit from a single
DomainErrorbase per service. - Log via
structlogwith bound context (tenant_id,request_id). Never log secrets, PII, or full request bodies. - Audit-relevant actions go through the audit logger, not the application logger.
What you may NOT do
- Add a new Alembic migration.
- Rename a
__tablename__, column, or enum value. - Change a public route's path/method/status/schema without simultaneous dashboard fix.
- Catch
Exceptionbroadly — catch the specific domain or library error. - Put business logic in a router or in a Pydantic validator.
- Create a new file >500 lines. Period.