[roadmap] Add management regulatory templates#37
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8161a3c1a7
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| Query(query): Query<WebContextQuery>, | ||
| Form(form): Form<WebManagementReviewPreviewForm>, | ||
| ) -> Html<String> { | ||
| let Some(context) = web_context_from_request(&query, &headers, &state).await else { |
There was a problem hiding this comment.
Require authentication before previewing tenant snapshots
This new preview handler only calls web_context_from_request, which accepts the display context from query parameters or caller-controlled headers when no session is present, and then uses that tenant/user to build the management-review preview. In a deployed web route, a POST to /management-reviews/preview?tenant_id=<other>&user_id=<id> can therefore read aggregated risks, incidents, suppliers, product-security, AI-governance, and regulatory profile data for that tenant without first passing authenticated_tenant_context; mirror the API preview/generate handlers and derive the tenant from an authenticated session/token before calling the store.
Useful? React with 👍 / 👎.
Problemstellung und Ziel
ISCY konnte Management-Review-Pakete bereits als eingefrorene Snapshots erzeugen, hatte aber noch keine wiederholbaren Management-/Regulatory-Templates fuer ISO 27001, NIS2, DORA, KRITIS und generische Security-Governance-Reviews.
Dieser PR ergaenzt eine additive Template-Schicht auf Basis bestehender ISCY-Daten, ohne neue Evidence-, Risk-, Control-, Notification-, Supplier- oder Product-Security-Engines einzufuehren.
Geaenderte Funktionen
template_typetemplate_versionregulatory_context_jsonsupplier_jsonsource_counts_jsongap_summary_jsondecision_summary_jsonBetroffene Dateien
rust/iscy-backend/src/db_admin.rsrust/iscy-backend/src/report_store.rsrust/iscy-backend/src/lib.rsrust/iscy-backend/tests/http_tests.rsCHANGELOG.mddocs/AI_GOVERNANCE.mddocs/ISCY_STRATEGIC_ROADMAP.mddocs/ISCY_Handbuch.mddocs/ISCY_Handbuch.pdfDatenbankmigrationen
0032_rust_management_regulatory_templatesensure_sqlite_columnmanagement_review_audit_eventund Indizes anALTER TABLE ... ADD COLUMN IF NOT EXISTSmanagement_review_audit_eventund Indizes anNeue oder geaenderte API-Endpunkte
GET /api/v1/management/templatesGET /api/v1/management/templates/{template_type}POST /api/v1/regulatory/templates/{template_type}/previewGET /api/v1/management/reviewsPOST /api/v1/management/reviewsGET /api/v1/management/reviews/{review_id}PATCH /api/v1/management/reviews/{review_id}GET /api/v1/management/reviews/{review_id}/export/api/v1/reports/management-reviews...-Pfade bleiben erhalten.GUI-Aenderungen
/management-reviews/zeigt Template-Karten.Tenant- und Berechtigungsgrenzen
Security-Entscheidungen
Ausgefuehrte Tests
cargo fmt --manifest-path rust/iscy-backend/Cargo.toml -- --checkcargo clippy --locked --manifest-path rust/iscy-backend/Cargo.toml --all-targets -- -D warningscargo test --locked --manifest-path rust/iscy-backend/Cargo.tomlcargo audit --file rust/iscy-backend/Cargo.lock --ignore RUSTSEC-2023-0071cargo deny --manifest-path rust/iscy-backend/Cargo.toml check advisories licenses sourcesmake rust-smokemake rust-restore-smokenix flake checkdocs/ISCY_Handbuch.mdneu erzeugtLokal blockierte Checks
docker compose ... configkonnte lokal nicht ausgefuehrt werden, weil.envdem aktuellen User nicht lesbar ist (-rw------- nobody nogroup). Die Rechte wurden nicht eigenmaechtig geaendert, weil.envpotentiell Secrets enthaelt.docker build --file rust/iscy-backend/Dockerfile rust/iscy-backendkonnte lokal nicht ausgefuehrt werden, weil kein Docker-Daemon unter/var/run/docker.sockerreichbar ist.Bekannte Einschraenkungen
Bewusst nicht umgesetzt