Feature/controller processor classification#11
Merged
KevinRabun merged 2 commits intomainfrom Feb 10, 2026
Merged
Conversation
Add new MCP tools to help developers and technical PMs determine whether their service acts as a GDPR controller, processor, joint controller, or has a mixed role. New tools: - assess_controller_processor_role: Analyze service description for role indicators - get_role_obligations: Get GDPR obligations specific to each role - analyze_code_for_role_indicators: Detect role patterns in source code - generate_dpa_checklist: Create Art. 28 DPA compliance checklist - get_role_scenarios: Common scenarios with role determinations Features: - Text analysis of service descriptions against GDPR definitions - Code pattern detection for controller vs processor indicators - Detailed GDPR obligations per role with Azure implementation guidance - DPA (Data Processing Agreement) checklist per Article 28 - Common scenarios from EDPB guidance Also enhanced: - analyzer.py: Added role indicator hints to application code analysis - gdpr_bundled.json: Added role_classification section with decision factors Includes 49 comprehensive tests covering: - Helper function unit tests - Role assessment integration tests - Edge cases and input validation - Data structure validation References: GDPR Article 4(7), 4(8), 26, 28; EDPB Guidelines 07/2020
This commit adds comprehensive adversarial tests for the new role classification tools, covering: 1. Injection attack tests (Section 14): - XSS, SQL injection, prompt injection, shell commands - Path traversal, null bytes, unicode RTL attacks - Oversized inputs, JSON break attempts, role confusion 2. GDPR accuracy validation (Section 15): - Controller assessment references Art. 4(7) - Processor assessment references Art. 4(8) - Joint controller references Art. 26 - Processor obligations reference Art. 28 - Controller obligations reference key GDPR articles 3. Role indicator completeness (Section 16): - Purpose/means determination keywords for controllers - Instruction-following keywords for processors - Joint/shared keywords for joint controllers - Minimum indicator count per role 4. Ambiguous role classification (Section 17): - Pure controller/processor scenarios - Cloud provider, SaaS, dual role cases - Joint controller, subtle role indicators - Infrastructure-only edge cases 5. DPA checklist completeness (Section 18): - All Art. 28(3) required elements covered 6. Code pattern detection (Section 19): - Controller patterns: consent, privacy policy, retention - Processor patterns: instructions, subprocessor management 7. Industry scenario accuracy (Section 20): - Healthcare, finance, technology industries - Controller and processor examples per industry Total: 537 judge tests, all passing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.