[roadmap] Add contextual regulatory review packs#40
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 83e3d6bb56
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| Query(query): Query<WebContextQuery>, | ||
| Form(form): Form<WebManagementReviewPreviewForm>, | ||
| ) -> Html<String> { | ||
| let Some(context) = web_context_from_request(&query, &headers, &state).await else { |
There was a problem hiding this comment.
Require authentication before using web tenant context
This new web surface establishes context through web_context_from_request, which falls back to caller-supplied tenant_id/user_id query parameters or x-iscy-* headers, and then uses that context to list regulatory snapshots; the preview handler below repeats the same pattern before returning evidence, incident, supplier, product-security, and AI-governance aggregates. In a non-session request such as POST /regulatory-review-packs/preview?tenant_id=1&user_id=1, an unauthenticated caller can read tenant-scoped regulatory data, whereas the API handlers require authenticated_tenant_context.
Useful? React with 👍 / 👎.
| match store.library(500).await { | ||
| Ok(library) => ( | ||
| match store | ||
| .list_regulatory_review_pack_snapshots(context.tenant_id, 50) |
There was a problem hiding this comment.
Filter snapshots before applying the page limit
This endpoint fetches the newest 50 regulatory snapshots across all pack types and only then filters by the requested pack. When a tenant has more than 50 recent regulatory snapshots and the requested pack's snapshots are older than those, /api/v1/regulatory/review-packs/{pack_type}/snapshots omits valid snapshots or can return an empty list; the pack predicate needs to be applied in the query before the LIMIT.
Useful? React with 👍 / 👎.
Problem and Goal
ISCY already has Management Review snapshots and regulatory templates, but NIS2, DORA and DSGVO/GDPR review preparation was still spread across general management-review flows. This PR adds contextual Regulatory Review Packs that reuse the existing snapshot/export layer instead of creating another compliance silo.
Goal: provide tenant-scoped pack catalog, preview, snapshot and export flows for NIS2, DORA, DSGVO/GDPR and generic security governance, using current ISCY data where available.
Changed Functions
/regulatory-review-packs/with pack selection, period input, preview, snapshot creation for write roles and snapshot listing.Affected Files
rust/iscy-backend/src/lib.rsrust/iscy-backend/src/report_store.rsrust/iscy-backend/tests/http_tests.rsCHANGELOG.mddocs/ISCY_Handbuch.mddocs/ISCY_Handbuch.pdfdocs/ISCY_STRATEGIC_ROADMAP.mddocs/GUI_SCREENSHOTS.mddocs/assets/*.pngscreenshot updates/additionsDatabase Migrations
New or Changed API Endpoints
GET /api/v1/regulatory/review-packsGET /api/v1/regulatory/review-packs/{pack_type}POST /api/v1/regulatory/review-packs/{pack_type}/previewGET /api/v1/regulatory/review-packs/{pack_type}/snapshotsPOST /api/v1/regulatory/review-packs/{pack_type}/snapshotsGET /api/v1/regulatory/review-pack-snapshotsGET /api/v1/regulatory/review-pack-snapshots/{snapshot_id}GET /api/v1/regulatory/review-pack-snapshots/{snapshot_id}/export?format=markdown|html|pdf|jsonGUI Changes
Regulatory Packs./regulatory-review-packs/overview with pack cards, preview form, snapshot create form for write roles and snapshot table.Tenant and Permission Boundaries
404.Security Decisions
Tests Executed
nix develop --command cargo fmt --manifest-path rust/iscy-backend/Cargo.toml -- --checknix develop --command cargo clippy --locked --manifest-path rust/iscy-backend/Cargo.toml --all-targets -- -D warningsnix develop --command cargo test --locked --manifest-path rust/iscy-backend/Cargo.tomlnix develop --command cargo test --locked --manifest-path rust/iscy-backend/Cargo.toml docs_markdown_screenshot_references_resolve -- --nocapturenix develop --command cargo test --locked --manifest-path rust/iscy-backend/Cargo.toml regulatory_review_pack_endpoints_snapshot_exports_and_security -- --nocapturenix shell nixpkgs#cargo-audit --command cargo-audit audit --file rust/iscy-backend/Cargo.lock --ignore RUSTSEC-2023-0071nix shell nixpkgs#cargo-deny nixpkgs#cargo --command cargo-deny --manifest-path rust/iscy-backend/Cargo.toml check advisories licenses sourcesnix develop --command make docs-pdfnix develop --command make rust-smokenix develop --command make rust-restore-smokenix run .#iscy-backendwith local disposable SQLite DB and checks for/health/live,/status/,/regulatory-review-packs/,/api/v1/regulatory/review-packs.env.example: base, LLM, stage, prod and prod+LLM configsgit diff --checkKnown Limitations
/var/run/docker.sock; GitHub CI must validate the hardened Docker build.Deliberately Not Implemented
Notes for PR #39/#38 Context
origin/mainafter PR [roadmap] Add evidence storage restore drill phase two #39 was merged and verified green.