Merged
322 changes: 114 additions & 208 deletions README.md

Large diffs are not rendered by default.

4 changes: 2 additions & 2 deletions compliance-practices/cyber_resilience_act_cra.md
@@ -39,7 +39,7 @@ The CRA's first enforcement deadline is **September 2026** — months away. Whil
| CRA Expectation | CDDBS Implementation | Evidence |
|-----------------|---------------------|----------|
| Documented vulnerability handling process | SECURITY.md with reporting process, scope, response timeline | `SECURITY.md` |
| Timely security updates | Docker-based deployment allows rapid patching; tagged releases | `Dockerfile`, `v2026.03` tag |
| Timely security updates | Docker-based deployment allows rapid patching; semver-tagged releases | `Dockerfile`, `v0.9.0` tag |
| Public disclosure mechanism | GitHub Security Advisories; SECURITY.md provides contact | `SECURITY.md` |
| SBOM (Software Bill of Materials) | `requirements.txt` with versions; `package.json` with lockfile; ready for CycloneDX generation | `requirements.txt`, `frontend/package.json` |
| Reporting of actively exploited vulnerabilities | Process documented; GitHub issues for tracking | `SECURITY.md` |
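Review bot: the SBOM row of this same table is now stale and should be updated in the same hunk as the version-tag evidence: it still says `requirements.txt` is "ready for CycloneDX generation", while sprint_compliance_log.md in this PR records that a CycloneDX `sbom.json` is generated on every push via `sbom.yml`. Move the row from "ready for" to "generated in CI" and cite `sbom.yml` in the Evidence column; otherwise the CRA mapping understates what the repository does and an auditor comparing the two documents finds a contradiction.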
@@ -85,7 +85,7 @@ The CRA requires documentation to be "kept up to date" (Art. 13). Most projects
| Mechanism | Implementation |
|-----------|---------------|
| Containerized deployment | Docker + Docker Compose; `docker compose pull && docker compose up` updates all services |
| Version tagging | Git tags (`v2026.03`); CHANGELOG.md tracks all changes |
| Version tagging | Semver git tags (`v0.5.0`…`v0.9.0`); CHANGELOG.md tracks all changes |
| Environment-based configuration | All runtime config via environment variables; no code changes needed for config updates |
| Database migrations | SQLAlchemy models with `init_db()` auto-creation; Alembic-ready for schema migrations |

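Review bot: the range notation `v0.5.0`…`v0.9.0` introduced here differs from `v0.5.0–v0.9.0` used for the same range in eu_regulatory_landscape.md in this PR; pick one form for both. "Semver git tags" also asserts a versioning policy, so this row (or CHANGELOG.md, which it already cites) should state what a patch versus minor bump means for the project, since the CRA update-mechanism claim rests on operators being able to tell a security fix from a feature release.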
2 changes: 1 addition & 1 deletion compliance-practices/eu_regulatory_landscape.md
@@ -59,7 +59,7 @@ The CRA applies to "products with digital elements" placed on the EU market. As
| **Vulnerability handling** (Annex I, Part II) | SECURITY.md with CVE reporting process, 48h acknowledgement SLA |
| **Documentation** (Art. 13) | DEVELOPER.md (45KB), QUICK_START.md, DATABASE_CONNECTION.md, inline code docs |
| **SBOM readiness** (Art. 13(15)) | `requirements.txt` with pinned versions, `package.json` with lockfile; ready for CycloneDX/SPDX generation |
| **Update mechanism** (Art. 10(12)) | Docker-based deployment, version-tagged releases (v2026.03), CHANGELOG.md |
| **Update mechanism** (Art. 10(12)) | Docker-based deployment, semver-tagged releases (v0.5.0–v0.9.0), CHANGELOG.md |
| **No known exploitable vulnerabilities** (Art. 10(4)) | Secret scanning CI, dependency versions reviewed, no hardcoded credentials |
| **Documentation integrity** (Art. 13) | CI documentation drift detection (`scripts/check_docs_drift.py`) ensures docs match code |

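Review bot: the "No known exploitable vulnerabilities" row (Art. 10(4)) two lines below the changed line still cites only "Secret scanning CI, dependency versions reviewed", but the sprint log in this PR records pip-audit in CI and a custom dependency scanner under the same article. Update that row together with the version-tag change so the Art. 10(4) evidence in this document matches the sprint log.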
65 changes: 46 additions & 19 deletions compliance-practices/sprint_compliance_log.md
@@ -1,6 +1,6 @@
# Sprint-by-Sprint Compliance Log

**Last Updated**: 2026-03-22
**Last Updated**: 2026-03-28
**Purpose**: Track what compliance-relevant measures were implemented in each sprint

---
@@ -131,21 +131,46 @@ Sprint 7 is the first sprint where all compliance measures were **documented bef

---

## Sprint 8: Topic Mode & Supply Chain Security (Apr 15-28, 2026) — PLANNED
## Sprint 8: Topic Mode & Supply Chain Security (Mar 22-28, 2026) — COMPLETE

### Planned Compliance Measures
### Compliance Measures Implemented

| Measure | Regulation | Description |
|---------|-----------|-------------|
| **SBOM generation in CI** | CRA Art. 13(15) | CycloneDX `sbom.json` generated on every push to main/development via `sbom.yml`; uploaded as 90-day CI artifact; BSI TR-03183-2 compatible format |
| **Dependency vulnerability scanning** | CRA Art. 10(4) | pip-audit in CI (`ci.yml` vulnerability-scan job); fails on actionable HIGH/CRITICAL CVEs (non-empty fix_versions); unfixable CVEs logged as notices |
| **AI provenance disclosure** | EU AI Act Art. 50 | `AIProvenanceCard.tsx` — tiered disclosure: badge showing model ID + prompt version, expandable provenance detail with quality score and legal text; replaces generic "Experimental" alert |
| **Machine-readable AI metadata** | EU AI Act Art. 50 | `ai_metadata` object in `GET /analysis-runs/{id}` response: model_id, prompt_version, quality_score, requires_human_review, disclosure text |
| **Topic Mode transparency** | EU AI Act Art. 50 | Divergence scores (0-100) are deterministic and inspectable; coordination signal computation documented; methodology in DEVELOPER.md Section 15 |
| **Supply chain hardening** | CRA Art. 10(4) | All GitHub Actions pinned to commit SHAs (mitigates GhostAction-style supply chain attacks on CI); `cyclonedx-bom` and `pip-audit` added to `requirements.txt` |
| **Coordination signal detection** | EU AI Act Art. 50 | Post-analysis computation flags coordinated narrative clusters (outlets sharing ≥2 propaganda techniques at divergence ≥60); score + detail stored and surfaced in UI |
| **10 new tests** | CRA Annex I | `test_sprint8_topic_innovations.py` — coordination logic, key claims/omissions storage, API schema completeness, ai_metadata structure validation |

### Key Decision
Sprint 8 closes three compliance gaps simultaneously: (1) SBOM generation moves from "ready" to "done" (CRA Art. 13(15)), (2) AI disclosure moves from system-prompt-level to user-facing UI (EU AI Act Art. 50), (3) supply chain integrity via SHA-pinned Actions and vulnerability scanning. The coordination signal detection is an innovation beyond the original backlog — it surfaces potential coordinated disinformation campaigns, directly serving the project mission.

---

## Sprint 9: AI Trust, Information Security & Compliance Automation (Mar 28, 2026)

### Compliance Measures Implemented

| Measure | Regulation | Description |
|---------|-----------|-------------|
| **SBOM generation in CI** | CRA Art. 13(15) | CycloneDX `sbom.json` generated on every push to main/development; formally satisfies SBOM requirement |
| **Dependency vulnerability scanning** | CRA Art. 10(4) | pip-audit in CI; blocks merge on HIGH/CRITICAL CVEs; exceptions require documented review |
| **User-facing AI disclosure panel** | EU AI Act Art. 50 | Persistent panel on every briefing view: names Gemini as AI model, instructs analyst review |
| **Topic Mode transparency** | EU AI Act Art. 50 | Divergence scores are deterministic and inspectable; methodology documented in DEVELOPER.md |
| **Compliance log update** | CRA Art. 13 | This document updated at sprint close |
| **≥18 new tests** | CRA Annex I | Topic pipeline, topic API, NetworkGraph coverage |
| Input sanitization | OWASP LLM01 | Prompt injection prevention via control char stripping, delimiter escaping, pattern filtering |
| Output validation | OWASP LLM02, EU AI Act Art. 9 | Structural validation of Gemini JSON before DB storage |
| Grounding score | EU AI Act Art. 14 | TF-IDF cosine similarity flags ungrounded LLM claims for analyst review |
| Rate limiting | OWASP LLM04, CRA Art. 10 | slowapi per-endpoint limits prevent API abuse and quota exhaustion |
| CORS hardening | OWASP, CRA | Explicit origin list replaces wildcard; credentials disabled |
| Security headers | CRA Art. 10 | X-Content-Type-Options, X-Frame-Options, CSP, Cache-Control on all responses |
| Error sanitization | OWASP LLM06 | Internal details (DB schema, stack traces) no longer leaked to clients |
| API key hygiene | DSGVO Art. 32 | API keys removed from request schemas; server-side only |
| Compliance endpoint | EU AI Act Art. 12 | Machine-readable evidence at GET /compliance/evidence |
| Custom dependency scanner | CRA Art. 10(4) | Replaces Dependabot; scans Python + Node.js on schedule + push |
| Dependabot disabled | CRA | In-repo scanning provides better control than external service |

### Key Decision
Sprint 8 completes the CRA Art. 13(15) SBOM requirement that has been "SBOM-ready" since Sprint 6 (pinned requirements.txt). Generating the actual artifact closes the gap between readiness and compliance.
Sprint 9 was reprioritized to address security hardening before authentication (originally planned here). Rationale: rate limiting and input validation must exist before adding auth, and AI output trustworthiness is more mission-critical for a disinformation detection system than access control. Authentication deferred to Sprint 10.

---

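Review bot: the new Sprint 9 table repeats three rows from the Sprint 8 table just above it (SBOM generation in CI, dependency vulnerability scanning, Topic Mode transparency), and the two copies disagree on policy: Sprint 8 says pip-audit fails only on actionable HIGH/CRITICAL CVEs with non-empty fix_versions and logs unfixable ones as notices, while Sprint 9 says it "blocks merge on HIGH/CRITICAL CVEs; exceptions require documented review". Keep each measure under the sprint that delivered it, state the current merge gate once, and drop the duplicates, which also inflate the measure counts in the metrics table. Two smaller points: the rows from "Input sanitization" onward lack the bold measure names the rest of the table uses; and the Sprint 9 rows name no evidence file, unlike Sprint 8's `sbom.yml`, `ci.yml` and `test_sprint8_topic_innovations.py`, so cite the workflow and module names (the metrics table in this PR lists `dependency-scan.yml`, `security_headers.py` and `input_sanitizer.py`) and, for the Dependabot replacement, say which advisory source the custom scanner queries, so "better control" is a verifiable claim rather than an assertion.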
Expand All @@ -166,9 +191,11 @@ Sprint 6 ─── CI Compliance Pipeline (secret scan, docs drift, branch polic
Sprint 7 ─── Documentation & Audit (compliance practices, recursive verification) ✓ COMPLETE
Sprint 8 ─── SBOM artifact, vulnerability scanning, AI disclosure UI ← CURRENT
Sprint 8 ─── SBOM artifact, vulnerability scanning, AI provenance UI, supply chain hardening ✓ COMPLETE
Sprint 9 ─── AI trust, information security, compliance automation ✓ COMPLETE
Sprint 9+ ── User auth, formal assessment, CDDBS-Edge governance artifacts
Sprint 10 ── User authentication, CDDBS-Edge Phase 0 ← NEXT
```

---
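Review bot: the replaced roadmap line listed "formal assessment" and "CDDBS-Edge governance artifacts" under Sprint 9+, but the new Sprint 10 line keeps only user authentication and CDDBS-Edge Phase 0. State whether the formal assessment is dropped or deferred, and to which sprint, so the roadmap does not silently lose a planned compliance item.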
Expand All @@ -177,11 +204,11 @@ Sprint 9+ ── User auth, formal assessment, CDDBS-Edge governance artifacts

| Metric | Value |
|--------|-------|
| Sprints with compliance measures | 8/8 (100%) |
| Automated CI compliance checks | 4 now, 6 planned (+ SBOM, pip-audit in Sprint 8) |
| Test count | 204 (Sprint 7 complete) |
| Documentation pages | 10+ production docs, 14+ sprint docs, 5 blog posts, 7 compliance docs |
| Security-specific files | SECURITY.md, CODEOWNERS, detect_secrets.py, secret-scan.yml |
| Sprints with compliance measures | 9/9 (100%) |
| Automated CI compliance checks | 7 (secret scan, docs drift, branch policy, lint, SBOM, pip-audit, dependency-scan) |
| Test count | 249 (Sprint 9: 214 + 35 new) |
| Documentation pages | 10+ production docs, 18+ sprint docs, 5 blog posts, 7 compliance docs |
| Security-specific files | SECURITY.md, CODEOWNERS, detect_secrets.py, secret-scan.yml, sbom.yml, dependency-scan.yml, security_headers.py, input_sanitizer.py |
| DSGVO measures | 6 (BYOK, minimization, purpose limitation, no tracking, secret protection, webhook signing) |
| CRA measures | 8 (secret scan, docs drift, branch policy, SBOM-ready, SECURITY.md, documentation, version tags, change control) |
| EU AI Act measures | 5 (confidence framework, quality rubric, human oversight, record keeping, AI labeling) |
| CRA measures | 12 (secret scan, docs drift, branch policy, SBOM generation, pip-audit, custom dependency scanner, SECURITY.md, documentation, SHA-pinned Actions, version tags, change control, error sanitization) |
| EU AI Act measures | 10 (confidence framework, quality rubric, human oversight, record keeping, AI labeling, AI provenance UI, coordination signal transparency, grounding score, output validation, compliance evidence endpoint) |
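Review bot: the test-count metric and the sprint tables disagree: 214 + 35 = 249 is consistent with Sprint 8's "10 new tests" (204 + 10 = 214), but the Sprint 9 table above claims "≥18 new tests", so either that row should read 35 or the metric needs rechecking. Also, the unchanged DSGVO row still lists BYOK, while Sprint 9's "API key hygiene" row says API keys were removed from request schemas and are server-side only; if users can no longer supply their own key, the BYOK measure no longer holds and the two rows need reconciling.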