
Add compliance_report stage emitting 4 per-standard markdown reports (Phase 3'.1 B-4)#11

Merged
R00T-Kim merged 2 commits into
mainfrom
phase-3-compliance-report-stage
Apr 19, 2026

Conversation

@R00T-Kim
Owner

Summary

Phase 3'.1 Track B fourth PR. Adds a new 43rd pipeline stage that turns the four-document compatibility-mapping suite (PR #10: B-1..B-3) into a per-run deliverable.

Every analysis run now emits four standard-specific markdown reports:

<run_dir>/stages/compliance_report/
  ├─ cra_annex_i_report.md       (EU CRA Annex I)
  ├─ fda_524b_report.md          (FDA Section 524B)
  ├─ iso_21434_report.md         (ISO/SAE 21434)
  └─ un_r155_report.md           (UN R155)

Each report aggregates per-run evidence counts from sbom, cve_scan, findings, cert_analysis, init_analysis, and fs_permissions, then links back to the canonical mapping document under docs/compliance_mapping/.

Mandatory wording

Every emitted report carries the "compatible with" disclaimer required by scripts/check_doc_consistency.py rule 3. Tests assert both presence of the canonical phrase and absence of the forbidden "compliant with" / "fully compliant" substitutions.

Stage registration

  • _make_compliance_report_stage() factory registered as "compliance_report" in _STAGE_FACTORIES (43 entries).
  • STAGE_DEPS["compliance_report"] = frozenset({"exploit_policy", "sbom", "cve_scan"}) so the stage always runs after the major evidence-producing stages.

Degradation behaviour

When no upstream artefacts are present (e.g. an --no-llm smoke run with most stages skipped), the stage degrades to status=partial (without crashing) and still emits all four reports with zero counts plus an explicit limitation. This guarantees the four files always land.

Test plan

  • pytest -q tests/test_compliance_report.py — 8 passed (stage emits 4 reports / degrades to partial without evidence / evidence counts match seeded inputs / sources only list present artefacts / every report carries the "compatible with" disclaimer / every report links back to the canonical mapping / stage_registry exposes the factory / factory returns the expected stage)
  • pytest -q — full suite green (including test_stage_dag::test_stage_deps_keys_match_factories_exact)
  • ruff check src/aiedge/compliance_report.py src/aiedge/stage_registry.py src/aiedge/stage_dag.py tests/test_compliance_report.py — clean
  • pyright — 0 errors on changed files
  • python3 scripts/check_doc_consistency.py — OK

Files

  • src/aiedge/compliance_report.py (new, 380 lines)
  • src/aiedge/stage_registry.py (+12 lines: factory + dict entry)
  • src/aiedge/stage_dag.py (+1 line: STAGE_DEPS entry)
  • tests/test_compliance_report.py (new, 280 lines)
  • CHANGELOG.md (Unreleased ### Added)

Why a separate PR from PR #10

PR #10 was docs-only (the four mapping markdown files). This PR is code-only (stage + factory + DAG + tests). Splitting keeps each PR's review scope focused and lets the docs PR merge independently of any code-review delay on the stage.

Plan reference

See ~/.claude/plans/twinkly-hugging-leaf.md (Track B B-4) for the broader Track A / Track B parallel plan.

🤖 Generated with Claude Code
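Added example, not aiedge's own code: a self-contained sketch in the project's language (Python) of the two behaviours the description above makes testable, the mandatory "compatible with" wording rule and the degrade-to-partial path when no upstream artefacts exist. Everything here is assumed for illustration: the three artefact files and the JSON key counted in each (`ARTEFACTS`), the report layout, the mapping-document filenames under `docs/compliance_mapping/`, the `stage.json` shape, and the status values `"ok"` / `"partial"`. The real stage reads six artefacts with its own schemas and `check_doc_consistency.py` rule 3 may be stricter than the regex used here.

```python
from __future__ import annotations

import json
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Assumed artefact locations and the JSON list counted in each (constructed for
# this example; the real stage reads six artefacts with their own schemas).
ARTEFACTS: dict[str, tuple[str, str]] = {
    "sbom": ("sbom.json", "components"),
    "cve_scan": ("cve_matches.json", "matches"),
    "findings": ("findings.json", "findings"),
}

STANDARDS: dict[str, str] = {
    "cra_annex_i": "EU CRA Annex I",
    "fda_524b": "FDA Section 524B",
    "iso_21434": "ISO/SAE 21434",
    "un_r155": "UN R155",
}

# Wording rule modelled on the PR text: the canonical phrase must appear and the
# two forbidden substitutions must not (case-insensitive). Assumed approximation
# of check_doc_consistency.py rule 3.
CANONICAL = "compatible with"
FORBIDDEN = re.compile(r"\b(?:compliant with|fully compliant)\b", re.IGNORECASE)


@dataclass
class Evidence:
    counts: dict[str, int] = field(default_factory=dict)
    sources: list[str] = field(default_factory=list)  # only artefacts actually read


def gather_evidence(run_dir: Path) -> Evidence:
    """Every input is optional: a missing artefact yields a zero count, never an error."""
    ev = Evidence()
    for stage, (fname, key) in ARTEFACTS.items():
        path = run_dir / "stages" / stage / fname
        if not path.is_file():
            ev.counts[stage] = 0
            continue
        data = json.loads(path.read_text(encoding="utf-8"))
        ev.counts[stage] = len(data.get(key, []))
        ev.sources.append(stage)
    return ev


def check_wording(text: str) -> bool:
    """True iff the report carries the canonical phrase and no forbidden substitution."""
    return CANONICAL in text.lower() and FORBIDDEN.search(text) is None


def render_report(standard_id: str, standard_name: str, ev: Evidence) -> str:
    lines = [
        f"# {standard_name} evidence report",
        "",
        f"This run's evidence is described as {CANONICAL} {standard_name}. "
        "It is not a certification or a conformity claim.",
        "",
        "| source | count |",
        "|---|---|",
    ]
    lines += [f"| {stage} | {n} |" for stage, n in sorted(ev.counts.items())]
    if not ev.sources:
        lines += ["", "Limitation: no upstream artefacts were present; all counts are zero."]
    lines += ["", f"Mapping: docs/compliance_mapping/{standard_id}.md"]  # assumed filename
    return "\n".join(lines) + "\n"


def run_stage(run_dir: Path) -> dict:
    """Emit all four reports plus stage.json; status is 'partial' when nothing was read."""
    ev = gather_evidence(run_dir)
    out = run_dir / "stages" / "compliance_report"
    out.mkdir(parents=True, exist_ok=True)
    for sid, name in STANDARDS.items():
        report = render_report(sid, name, ev)
        if not check_wording(report):
            raise ValueError(f"{sid}: report violates the wording rule")
        (out / f"{sid}_report.md").write_text(report, encoding="utf-8")
    summary = {
        "status": "ok" if ev.sources else "partial",
        "sources": ev.sources,
        "counts": ev.counts,
        "reports": sorted(p.name for p in out.glob("*_report.md")),
    }
    (out / "stage.json").write_text(json.dumps(summary, indent=2), encoding="utf-8")
    return summary


def demo() -> dict[str, dict]:
    """Run the stage on an empty run dir and on one seeded with two constructed artefacts."""
    results: dict[str, dict] = {}
    with tempfile.TemporaryDirectory() as tmp:
        results["empty"] = run_stage(Path(tmp) / "empty_run")
        seeded = Path(tmp) / "seeded_run"
        (seeded / "stages" / "sbom").mkdir(parents=True)
        (seeded / "stages" / "sbom" / "sbom.json").write_text(
            json.dumps({"components": [{"name": "busybox"}, {"name": "openssl"}]}))
        (seeded / "stages" / "cve_scan").mkdir(parents=True)
        (seeded / "stages" / "cve_scan" / "cve_matches.json").write_text(
            json.dumps({"matches": [{"id": "example-match-1"}]}))
        results["seeded"] = run_stage(seeded)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The wording check runs before each file is written, so a template regression fails the stage rather than shipping a report that the consistency script would later reject; the empty-run path still writes all four files and `stage.json`, which is what lets a smoke run assert on their presence.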

R00T-Kim and others added 2 commits April 19, 2026 20:05
…(Phase 3'.1 B-4)

Closes the second-to-last Phase 3'.1 step. The new stage takes the
four-document compatibility-mapping suite (B-1..B-3) and turns it
into a per-run deliverable: every analysis run now emits four
standard-specific markdown reports under
stages/compliance_report/, alongside a structured stage.json that
records the evidence sources consulted and the aggregate counts.

- src/aiedge/compliance_report.py (new, 43rd pipeline stage)
    * ComplianceEvidence dataclass aggregates per-stage counts:
      sbom_component_count, cve_match_count, cve_critical_high_count,
      finding_total, finding_by_{severity,category,evidence_tier},
      cert_finding_count, init_high_risk_service_count,
      fs_perm_finding_count, evidence sources dict.
    * _gather_evidence() reads sbom.json, cve_matches.json,
      findings.json, certificate_analysis.json, init_analysis.json,
      fs_permissions.json. Every input is optional; missing
      artefacts yield zero counts.
    * _render_report() produces a self-contained markdown with the
      mandatory "compatible with" disclaimer, evidence summary,
      severity / category / evidence-tier tables, and a pointer back
      to the canonical mapping document under
      docs/compliance_mapping/.
    * Stage degrades to status=partial (without crashing) when no
      upstream artefacts are present, so the four reports always
      land.
- src/aiedge/stage_registry.py
    * _make_compliance_report_stage() factory registered as
      "compliance_report" in _STAGE_FACTORIES (43 entries total).
- src/aiedge/stage_dag.py
    * STAGE_DEPS adds "compliance_report" depending on
      exploit_policy + sbom + cve_scan so the stage always runs
      after the major evidence-producing stages.
- tests/test_compliance_report.py (new, 8 tests)
    * Stage emits 4 reports; degrades to partial without evidence;
      evidence counts match seeded inputs; sources only list
      present artefacts; every report carries the "compatible with"
      disclaimer; every report links back to the canonical mapping;
      stage_registry exposes the factory; factory returns the
      expected stage.

Verification:
  pytest -q tests/test_compliance_report.py   # 8 passed
  pytest -q                                    # full suite green (incl. test_stage_dag)
  ruff check, pyright (changed files)         # clean / 0 errors
  python3 scripts/check_doc_consistency.py    # OK

Phase 3'.1 Track B fourth step (Pivot 2026-04-19).
B-5 (v2.7.1 release tag) remains as the closing step after Track A
v2.7.0 lands.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
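Added example, not aiedge's own code: a minimal Python sketch of the registry/DAG invariant the commit message relies on (every factory has a `STAGE_DEPS` entry and vice versa, and `compliance_report` is ordered after `exploit_policy`, `sbom` and `cve_scan`). The four-entry tables and the stand-in factory lambdas are constructed for this example; the real tables have 43 entries and more edges, and the project's own `test_stage_deps_keys_match_factories_exact` may check more than this.

```python
from __future__ import annotations

from graphlib import TopologicalSorter

# Hypothetical subset of the registry and DAG (constructed for this example).
_STAGE_FACTORIES = {
    "sbom": lambda: "sbom-stage",
    "cve_scan": lambda: "cve-scan-stage",
    "exploit_policy": lambda: "exploit-policy-stage",
    "compliance_report": lambda: "compliance-report-stage",
}

STAGE_DEPS: dict[str, frozenset[str]] = {
    "sbom": frozenset(),
    "cve_scan": frozenset({"sbom"}),
    "exploit_policy": frozenset({"cve_scan"}),
    "compliance_report": frozenset({"exploit_policy", "sbom", "cve_scan"}),
}


def check_registry_matches_dag(factories=_STAGE_FACTORIES, deps=STAGE_DEPS) -> list[str]:
    """Return a list of problems; an empty list means the two tables agree exactly."""
    problems: list[str] = []
    problems += [f"no STAGE_DEPS entry for {s}" for s in sorted(set(factories) - set(deps))]
    problems += [f"no factory for {s}" for s in sorted(set(deps) - set(factories))]
    for stage, stage_deps in deps.items():
        problems += [f"{stage} depends on unknown stage {d}"
                     for d in sorted(stage_deps - set(deps))]
    return problems


def execution_order(deps=STAGE_DEPS) -> list[str]:
    """A dependency-respecting order; TopologicalSorter raises CycleError on a cycle."""
    return list(TopologicalSorter(deps).static_order())


def runs_after_deps(stage: str, deps=STAGE_DEPS) -> bool:
    order = execution_order(deps)
    return all(order.index(d) < order.index(stage) for d in deps[stage])


if __name__ == "__main__":
    print(check_registry_matches_dag() or "registry and DAG agree")
    print(execution_order())
```

Because `compliance_report` lists every other stage in this subset as a dependency, it is necessarily last in any valid order; in the full DAG the same holds relative to the three named dependencies even though unrelated stages may run after it.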
@R00T-Kim R00T-Kim merged commit 5176c87 into main Apr 19, 2026
6 checks passed
@R00T-Kim R00T-Kim deleted the phase-3-compliance-report-stage branch April 19, 2026 15:22