Benjamin_Boenisch/breakpilot-core
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit: breakpilot-core - Shared Infrastructure

Browse Source 
Docker Compose with 24+ services:
- PostgreSQL (PostGIS), Valkey, MinIO, Qdrant
- Vault (PKI/TLS), Nginx (Reverse Proxy)
- Backend Core API, Consent Service, Billing Service
- RAG Service, Embedding Service
- Gitea, Woodpecker CI/CD
- Night Scheduler, Health Aggregator
- Jitsi (Web/XMPP/JVB/Jicofo), Mailpit

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Benjamin Boenisch
2026-02-11 23:47:13 +01:00
commit ad111d5e69
244 changed files with 84288 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

746
docs-src/services/ai-compliance-sdk/DEVELOPER.md Normal file
View File

@@ -0,0 +1,746 @@
# AI Compliance SDK - Entwickler-Dokumentation
## Inhaltsverzeichnis
1. [Schnellstart](#1-schnellstart)
2. [Architektur-Übersicht](#2-architektur-übersicht)
3. [Policy Engine](#3-policy-engine)
4. [License Policy Engine](#4-license-policy-engine)
5. [Legal RAG Integration](#5-legal-rag-integration)
6. [Wizard & Legal Assistant](#6-wizard--legal-assistant)
7. [Eskalations-System](#7-eskalations-system)
8. [API-Endpoints](#8-api-endpoints)
9. [Policy-Dateien](#9-policy-dateien)
10. [Tests ausführen](#10-tests-ausführen)
---
## 1. Schnellstart
### Voraussetzungen
- Go 1.21+
- PostgreSQL (für Eskalations-Store)
- Qdrant (für Legal RAG)
- Ollama oder Anthropic API Key (für LLM)
### Build & Run
```bash
# Build
cd ai-compliance-sdk
go build -o server ./cmd/server
# Run
./server --config config.yaml
# Alternativ: mit Docker
docker compose up -d
```
### Erste Anfrage
```bash
# UCCA Assessment erstellen
curl -X POST http://localhost:8080/sdk/v1/ucca/assess \
-H "Content-Type: application/json" \
-d '{
"use_case_text": "Chatbot für Kundenservice mit FAQ-Suche",
"domain": "utilities",
"data_types": {
"personal_data": false,
"public_data": true
},
"automation": "assistive",
"model_usage": {
"rag": true
},
"hosting": {
"region": "eu"
}
}'
```
---
## 2. Architektur-Übersicht
```
┌─────────────────────────────────────────────────────────────────┐
│ API Layer (Gin) │
│ internal/api/handlers/ │
├─────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────────┐ │
│ │ UCCA │ │ License │ │ Eskalation │ │
│ │ Handler │ │ Handler │ │ Handler │ │
│ └──────┬──────┘ └──────┬──────┘ └───────────┬─────────────┘ │
│ │ │ │ │
├─────────┼────────────────┼──────────────────────┼────────────────┤
│ ▼ ▼ ▼ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────────┐ │
│ │ Policy │ │ License │ │ Escalation │ │
│ │ Engine │ │ Policy │ │ Store │ │
│ │ │ │ Engine │ │ │ │
│ └──────┬──────┘ └──────┬──────┘ └───────────┬─────────────┘ │
│ │ │ │ │
│ └────────┬───────┴──────────────────────┘ │
│ ▼ │
│ ┌─────────────────────────────────────────────────┐ │
│ │ Legal RAG System │ │
│ │ (Qdrant + LLM Integration) │ │
│ └─────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────┘
```
### Kernprinzip
**LLM ist NICHT die Quelle der Wahrheit!**
| Komponente | Entscheidet | LLM-Nutzung |
|------------|-------------|-------------|
| Policy Engine | Feasibility, Risk Level | Nein |
| License Engine | Operation Mode, Stop-Lines | Nein |
| Gap Mapping | Facts → Gaps → Controls | Nein |
| Legal RAG | Erklärung generieren | Ja (nur Output) |
---
## 3. Policy Engine
### Übersicht
Die Policy Engine (`internal/ucca/policy_engine.go`) evaluiert Use Cases gegen deterministische Regeln.
### Verwendung
```go
import "ai-compliance-sdk/internal/ucca"
// Engine erstellen
engine, err := ucca.NewPolicyEngineFromPath("policies/ucca_policy_v1.yaml")
if err != nil {
log.Fatal(err)
}
// Intake erstellen
intake := &ucca.UseCaseIntake{
UseCaseText: "Chatbot für Kundenservice",
Domain: ucca.DomainUtilities,
DataTypes: ucca.DataTypes{
PersonalData: false,
PublicData: true,
},
Automation: ucca.AutomationAssistive,
ModelUsage: ucca.ModelUsage{
RAG: true,
},
Hosting: ucca.Hosting{
Region: "eu",
},
}
// Evaluieren
result := engine.Evaluate(intake)
// Ergebnis auswerten
fmt.Println("Feasibility:", result.Feasibility) // YES, NO, CONDITIONAL
fmt.Println("Risk Level:", result.RiskLevel) // MINIMAL, LOW, MEDIUM, HIGH
fmt.Println("Risk Score:", result.RiskScore) // 0-100
```
### Ergebnis-Struktur
```go
type EvaluationResult struct {
Feasibility Feasibility // YES, NO, CONDITIONAL
RiskLevel RiskLevel // MINIMAL, LOW, MEDIUM, HIGH
RiskScore int // 0-100
TriggeredRules []TriggeredRule // Ausgelöste Regeln
RequiredControls []Control // Erforderliche Maßnahmen
RecommendedArchitecture []Pattern // Empfohlene Patterns
DSFARecommended bool // DSFA erforderlich?
Art22Risk bool // Art. 22 Risiko?
TrainingAllowed TrainingAllowed // YES, NO, CONDITIONAL
PolicyVersion string // Version der Policy
}
```
### Regeln hinzufügen
Neue Regeln werden in `policies/ucca_policy_v1.yaml` definiert:
```yaml
rules:
- id: R-CUSTOM-001
code: R-CUSTOM-001
category: custom
title: Custom Rule
title_de: Benutzerdefinierte Regel
description: Custom rule description
severity: WARN # INFO, WARN, BLOCK
gdpr_ref: "Art. 6 DSGVO"
condition:
all_of:
- field: domain
equals: custom_domain
- field: data_types.personal_data
equals: true
controls:
- C_CUSTOM_CONTROL
```
---
## 4. License Policy Engine
### Übersicht
Die License Policy Engine (`internal/ucca/license_policy.go`) prüft die Lizenz-Compliance für Standards und Normen.
### Operationsmodi
| Modus | Beschreibung | Lizenzanforderung |
|-------|--------------|-------------------|
| `LINK_ONLY` | Nur Verweise | Keine |
| `NOTES_ONLY` | Eigene Notizen | Keine |
| `EXCERPT_ONLY` | Kurzzitate (<150 Zeichen) | Standard-Lizenz |
| `FULLTEXT_RAG` | Volltext-Embedding | Explizite KI-Lizenz |
| `TRAINING` | Modell-Training | Enterprise + Vertrag |
### Verwendung
```go
import "ai-compliance-sdk/internal/ucca"
engine := ucca.NewLicensePolicyEngine()
facts := &ucca.LicensedContentFacts{
Present: true,
Publisher: "DIN_MEDIA",
LicenseType: "SINGLE_WORKSTATION",
AIUsePermitted: "NO",
ProofUploaded: false,
OperationMode: "FULLTEXT_RAG",
}
result := engine.Evaluate(facts)
if !result.Allowed {
fmt.Println("Blockiert:", result.StopLine.Message)
fmt.Println("Effektiver Modus:", result.EffectiveMode)
}
```
### Ingest-Entscheidung
```go
// Prüfen ob Volltext-Ingest erlaubt ist
canIngest := engine.CanIngestFulltext(facts)
// Oder detaillierte Entscheidung
decision := engine.DecideIngest(facts)
fmt.Println("Fulltext:", decision.AllowFulltext)
fmt.Println("Notes:", decision.AllowNotes)
fmt.Println("Metadata:", decision.AllowMetadata)
```
### Audit-Logging
```go
// Audit-Entry erstellen
entry := engine.FormatAuditEntry("tenant-123", "doc-456", facts, result)
// Human-readable Summary
summary := engine.FormatHumanReadableSummary(result)
fmt.Println(summary)
```
### Publisher-spezifische Regeln
DIN Media hat explizite Restriktionen:
```go
// DIN Media blockiert FULLTEXT_RAG ohne AI-Lizenz
if facts.Publisher == "DIN_MEDIA" && facts.AIUsePermitted != "YES" {
// → STOP_DIN_FULLTEXT_AI_NOT_ALLOWED
// → Downgrade auf LINK_ONLY
}
```
---
## 5. Legal RAG Integration
### Übersicht
Das Legal RAG System (`internal/ucca/legal_rag.go`) generiert Erklärungen mit rechtlichem Kontext.
### Verwendung
```go
import "ai-compliance-sdk/internal/ucca"
rag := ucca.NewLegalRAGService(qdrantClient, llmClient, "bp_legal_corpus")
// Erklärung generieren
explanation, err := rag.Explain(ctx, result, intake)
if err != nil {
log.Error(err)
}
fmt.Println("Erklärung:", explanation.Text)
fmt.Println("Rechtsquellen:", explanation.Sources)
```
### Rechtsquellen im RAG
| Quelle | Chunks | Beschreibung |
|--------|--------|--------------|
| DSGVO | 128 | EU Datenschutz-Grundverordnung |
| AI Act | 96 | EU AI-Verordnung |
| NIS2 | 128 | Netzwerk-Informationssicherheit |
| SCC | 32 | Standardvertragsklauseln |
| DPF | 714 | Data Privacy Framework |
---
## 6. Wizard & Legal Assistant
### Wizard-Schema
Das Wizard-Schema (`policies/wizard_schema_v1.yaml`) definiert die Fragen für das Frontend.
### Legal Assistant verwenden
```go
// Wizard-Frage an Legal Assistant stellen
type WizardAskRequest struct {
Question string `json:"question"`
StepNumber int `json:"step_number"`
FieldID string `json:"field_id,omitempty"`
CurrentData map[string]interface{} `json:"current_data,omitempty"`
}
// POST /sdk/v1/ucca/wizard/ask
```
### Beispiel API-Call
```bash
curl -X POST http://localhost:8080/sdk/v1/ucca/wizard/ask \
-H "Content-Type: application/json" \
-d '{
"question": "Was sind personenbezogene Daten?",
"step_number": 2,
"field_id": "data_types.personal_data"
}'
```
---
## 7. Eskalations-System
### Eskalationsstufen
| Level | Auslöser | Prüfer | SLA |
|-------|----------|--------|-----|
| E0 | Nur INFO | Automatisch | - |
| E1 | WARN, geringes Risiko | Team-Lead | 24h |
| E2 | Art. 9, DSFA empfohlen | DSB | 8h |
| E3 | BLOCK, hohes Risiko | DSB + Legal | 4h |
### Eskalation erstellen
```go
import "ai-compliance-sdk/internal/ucca"
store := ucca.NewEscalationStore(db)
escalation := &ucca.Escalation{
AssessmentID: "assess-123",
Level: ucca.EscalationE2,
TriggerReason: "Art. 9 Daten betroffen",
RequiredReviews: 1,
}
err := store.CreateEscalation(ctx, escalation)
```
### SLA-Monitor
```go
monitor := ucca.NewSLAMonitor(store, notificationService)
// Im Hintergrund starten
go monitor.Start(ctx)
```
---
## 8. API-Endpoints
### UCCA Endpoints
| Method | Endpoint | Beschreibung |
|--------|----------|--------------|
| POST | `/sdk/v1/ucca/assess` | Assessment erstellen |
| GET | `/sdk/v1/ucca/assess/:id` | Assessment abrufen |
| POST | `/sdk/v1/ucca/explain` | Erklärung generieren |
| GET | `/sdk/v1/ucca/wizard/schema` | Wizard-Schema abrufen |
| POST | `/sdk/v1/ucca/wizard/ask` | Legal Assistant fragen |
### License Endpoints
| Method | Endpoint | Beschreibung |
|--------|----------|--------------|
| POST | `/sdk/v1/license/evaluate` | Lizenz-Prüfung |
| POST | `/sdk/v1/license/decide-ingest` | Ingest-Entscheidung |
### Eskalations-Endpoints
| Method | Endpoint | Beschreibung |
|--------|----------|--------------|
| GET | `/sdk/v1/escalations` | Offene Eskalationen |
| GET | `/sdk/v1/escalations/:id` | Eskalation abrufen |
| POST | `/sdk/v1/escalations/:id/decide` | Entscheidung treffen |
---
## 9. Policy-Dateien
### Dateistruktur
```
policies/
├── ucca_policy_v1.yaml # Haupt-Policy (Regeln, Controls, Patterns)
├── wizard_schema_v1.yaml # Wizard-Fragen und Legal Assistant
├── controls_catalog.yaml # Detaillierte Control-Beschreibungen
├── gap_mapping.yaml # Facts → Gaps → Controls
├── licensed_content_policy.yaml # Standards/Normen Compliance
└── scc_legal_corpus.yaml # SCC Rechtsquellen
```
### Policy-Version
Jede Policy hat eine Version:
```yaml
metadata:
version: "1.0.0"
effective_date: "2025-01-01"
author: "Compliance Team"
```
---
## 10. Tests ausführen
### Alle Tests
```bash
cd ai-compliance-sdk
go test -v ./...
```
### Spezifische Tests
```bash
# Policy Engine Tests
go test -v ./internal/ucca/policy_engine_test.go
# License Policy Tests
go test -v ./internal/ucca/license_policy_test.go
# Eskalation Tests
go test -v ./internal/ucca/escalation_test.go
```
### Test-Coverage
```bash
go test -cover ./...
# HTML-Report
go test -coverprofile=coverage.out ./...
go tool cover -html=coverage.out
```
### Beispiel: Neuen Test hinzufügen
```go
func TestMyNewFeature(t *testing.T) {
engine := NewLicensePolicyEngine()
facts := &LicensedContentFacts{
Present: true,
Publisher: "DIN_MEDIA",
OperationMode: "FULLTEXT_RAG",
}
result := engine.Evaluate(facts)
if result.Allowed {
t.Error("Expected blocked for DIN_MEDIA FULLTEXT_RAG")
}
}
```
---
## 11. Generic Obligations Framework
### Übersicht
Das Obligations Framework ermöglicht die automatische Ableitung regulatorischer Pflichten aus NIS2, DSGVO und AI Act.
### Verwendung
```go
import "ai-compliance-sdk/internal/ucca"
// Registry erstellen (lädt alle Module)
registry := ucca.NewObligationsRegistry()
// UnifiedFacts aufbauen
facts := &ucca.UnifiedFacts{
Organization: ucca.OrganizationFacts{
EmployeeCount: 150,
AnnualRevenue: 30000000,
Country: "DE",
EUMember: true,
},
Sector: ucca.SectorFacts{
PrimarySector: "digital_infrastructure",
SpecialServices: []string{"cloud", "msp"},
IsKRITIS: false,
},
DataProtection: ucca.DataProtectionFacts{
ProcessesPersonalData: true,
},
AIUsage: ucca.AIUsageFacts{
UsesAI: true,
HighRiskCategories: []string{"employment"},
IsGPAIProvider: false,
},
}
// Alle anwendbaren Pflichten evaluieren
overview := registry.EvaluateAll(facts, "Muster GmbH")
// Ergebnis auswerten
fmt.Println("Anwendbare Regulierungen:", len(overview.ApplicableRegulations))
fmt.Println("Gesamtzahl Pflichten:", len(overview.Obligations))
fmt.Println("Kritische Pflichten:", overview.ExecutiveSummary.CriticalObligations)
```
### Neues Regulierungsmodul erstellen
```go
// 1. Module-Interface implementieren
type MyRegulationModule struct {
obligations []ucca.Obligation
controls []ucca.ObligationControl
incidentDeadlines []ucca.IncidentDeadline
}
func (m *MyRegulationModule) ID() string { return "my_regulation" }
func (m *MyRegulationModule) Name() string { return "My Regulation" }
func (m *MyRegulationModule) IsApplicable(facts *ucca.UnifiedFacts) bool {
// Prüflogik implementieren
return facts.Organization.Country == "DE"
}
func (m *MyRegulationModule) DeriveObligations(facts *ucca.UnifiedFacts) []ucca.Obligation {
// Pflichten basierend auf Facts ableiten
return m.obligations
}
// 2. In Registry registrieren
func NewMyRegulationModule() (*MyRegulationModule, error) {
m := &MyRegulationModule{}
// YAML laden oder hardcoded Pflichten definieren
return m, nil
}
// In obligations_registry.go:
// r.Register(NewMyRegulationModule())
```
### YAML-basierte Pflichten
```yaml
# policies/obligations/my_regulation_obligations.yaml
regulation: my_regulation
name: "My Regulation"
obligations:
- id: "MYREG-OBL-001"
title: "Compliance-Pflicht"
description: "Beschreibung der Pflicht"
applies_when: "classification != 'nicht_betroffen'"
legal_basis:
- norm: "§ 1 MyReg"
category: "Governance"
responsible: "Geschäftsführung"
deadline:
type: "relative"
duration: "12 Monate"
sanctions:
max_fine: "1 Mio. EUR"
priority: "high"
controls:
- id: "MYREG-CTRL-001"
name: "Kontrollmaßnahme"
category: "Technical"
when_applicable: "immer"
what_to_do: "Maßnahme implementieren"
evidence_needed:
- "Dokumentation"
```
### PDF Export
```go
import "ai-compliance-sdk/internal/ucca"
// Exporter erstellen
exporter := ucca.NewPDFExporter("de")
// PDF generieren
response, err := exporter.ExportManagementMemo(overview)
if err != nil {
log.Fatal(err)
}
// base64-kodierter PDF-Inhalt
fmt.Println("Content-Type:", response.ContentType) // application/pdf
fmt.Println("Filename:", response.Filename)
// PDF speichern
decoded, _ := base64.StdEncoding.DecodeString(response.Content)
os.WriteFile("memo.pdf", decoded, 0644)
// Alternativ: Markdown
mdResponse, err := exporter.ExportMarkdown(overview)
fmt.Println(mdResponse.Content) // Markdown-Text
```
### API-Endpoints
```bash
# Assessment erstellen
curl -X POST http://localhost:8090/sdk/v1/ucca/obligations/assess \
-H "Content-Type: application/json" \
-d '{
"facts": {
"organization": {"employee_count": 150, "country": "DE"},
"sector": {"primary_sector": "healthcare"},
"data_protection": {"processes_personal_data": true},
"ai_usage": {"uses_ai": false}
},
"organization_name": "Test GmbH"
}'
# PDF Export (direkt)
curl -X POST http://localhost:8090/sdk/v1/ucca/obligations/export/direct \
-H "Content-Type: application/json" \
-d '{
"overview": { ... },
"format": "pdf",
"language": "de"
}'
```
---
## 12. Tests für Obligations Framework
```bash
# Alle Obligations-Tests
go test -v ./internal/ucca/..._module_test.go
# NIS2 Module Tests
go test -v ./internal/ucca/nis2_module_test.go
# DSGVO Module Tests
go test -v ./internal/ucca/dsgvo_module_test.go
# AI Act Module Tests
go test -v ./internal/ucca/ai_act_module_test.go
# PDF Export Tests
go test -v ./internal/ucca/pdf_export_test.go
```
### Beispiel-Tests
```go
func TestNIS2Module_LargeCompanyInAnnexISector(t *testing.T) {
module, _ := ucca.NewNIS2Module()
facts := &ucca.UnifiedFacts{
Organization: ucca.OrganizationFacts{
EmployeeCount: 500,
AnnualRevenue: 100000000,
Country: "DE",
},
Sector: ucca.SectorFacts{
PrimarySector: "energy",
},
}
if !module.IsApplicable(facts) {
t.Error("Expected NIS2 to apply to large energy company")
}
classification := module.Classify(facts)
if classification != "besonders_wichtige_einrichtung" {
t.Errorf("Expected 'besonders_wichtige_einrichtung', got '%s'", classification)
}
}
func TestAIActModule_HighRiskEmploymentAI(t *testing.T) {
module, _ := ucca.NewAIActModule()
facts := &ucca.UnifiedFacts{
AIUsage: ucca.AIUsageFacts{
UsesAI: true,
HighRiskCategories: []string{"employment"},
},
}
if !module.IsApplicable(facts) {
t.Error("Expected AI Act to apply")
}
riskLevel := module.ClassifyRisk(facts)
if riskLevel != ucca.AIActHighRisk {
t.Errorf("Expected 'high_risk', got '%s'", riskLevel)
}
}
```
---
## Anhang: Wichtige Dateien
| Datei | Beschreibung |
|-------|--------------|
| `internal/ucca/policy_engine.go` | Haupt-Policy-Engine |
| `internal/ucca/license_policy.go` | License Policy Engine |
| `internal/ucca/obligations_framework.go` | Obligations Interfaces & Typen |
| `internal/ucca/obligations_registry.go` | Modul-Registry |
| `internal/ucca/nis2_module.go` | NIS2 Decision Tree |
| `internal/ucca/dsgvo_module.go` | DSGVO Pflichten |
| `internal/ucca/ai_act_module.go` | AI Act Risk Classification |
| `internal/ucca/pdf_export.go` | PDF/Markdown Export |
| `internal/api/handlers/obligations_handlers.go` | Obligations API |
| `policies/obligations/*.yaml` | Pflichten-Kataloge |
---
*Dokumentationsstand: 2026-01-29*