aipea 1.1.0__tar.gz

aipea-1.1.0/.claude/commands/audit-deps.md

@@ -0,0 +1,11 @@
+Audit AIPEA dependencies for security vulnerabilities and license compliance.
+
+Steps:
+1. Read `pyproject.toml` to list all dependencies (core + dev)
+2. For each dependency, verify:
+   - License is MIT-compatible (MIT, BSD, Apache 2.0, ISC) — REFUSE GPL/LGPL/AGPL
+   - No known CVEs (check via `pip audit` if available, or web search)
+3. Verify core modules (`security.py`, `knowledge.py`, `search.py`) import only stdlib + httpx
+   - Run: `grep "^import\|^from" src/aipea/security.py src/aipea/knowledge.py src/aipea/search.py`
+4. Check for outdated packages: `pip list --outdated` (if in venv)
+5. Report findings as a table: Package | Version | License | Status | Notes

aipea-1.1.0/.claude/commands/test-module.md

@@ -0,0 +1,11 @@
+Test a specific AIPEA module with coverage reporting.
+
+Usage: /test-module <module_name>
+
+Run targeted tests for the specified module (e.g., security, analyzer, engine, enhancer, knowledge, search) and report coverage for that module only.
+
+Steps:
+1. Run: `pytest tests/test_$ARGUMENTS.py -v --cov=src/aipea/$ARGUMENTS --cov-report=term-missing`
+2. If the test file doesn't exist, search for matching test files: `ls tests/test_*$ARGUMENTS*.py`
+3. Report pass/fail count, coverage percentage, and any uncovered lines
+4. If coverage is below 75%, suggest which lines/branches need tests

aipea-1.1.0/.claude/commands/verify-spec.md

@@ -0,0 +1,19 @@
+Verify that the AIPEA implementation matches SPECIFICATION.md.
+
+Steps:
+1. Read `SPECIFICATION.md` to extract:
+   - All defined modules and their responsibilities
+   - All public classes/functions specified
+   - All environment variables specified
+   - All compliance modes specified
+   - All processing tiers and query types
+2. Read `src/aipea/__init__.py` to get the actual public API (`__all__`)
+3. For each module in the spec, read the corresponding source file and verify:
+   - All specified classes/functions exist
+   - All specified parameters are present
+   - Return types match specification
+4. Check for implementation drift:
+   - Features in code but NOT in spec (undocumented)
+   - Features in spec but NOT in code (unimplemented)
+5. Report as a table: Feature | Spec Status | Code Status | Match?
+6. Flag any critical mismatches that need attention

aipea-1.1.0/.github/CODEOWNERS

@@ -0,0 +1,6 @@
+# Default: all changes require joshuakirby review
+* @ThermoclineLeviathan
+
+# Critical paths: require explicit admin review
+.github/ @ThermoclineLeviathan
+CLAUDE.md @ThermoclineLeviathan

aipea-1.1.0/.github/ISSUE_TEMPLATE/bcp-drp-test.yml

@@ -0,0 +1,112 @@
+name: "BCP/DRP Test"
+description: "SOC 2 A1.x / FedRAMP CP-9,CP-10 — Document annual business continuity and disaster recovery test"
+title: "[BCP/DRP Test] YYYY"
+labels:
+  - "compliance/soc2"
+  - "cadence/annual"
+  - "evidence/bcp-drp"
+assignees: []
+body:
+  - type: markdown
+    attributes:
+      value: |
+        ## Annual BCP/DRP Test
+        Complete this form to document the annual business continuity and disaster recovery test.
+        Reference: `docs/compliance/BCP-DRP.md` for the full Business Continuity / Disaster Recovery plan.
+
+        **Compliance mapping**: SOC 2 A1.2/A1.3 | FedRAMP CP-9, CP-10 | ISO 42001 Support
+
+  - type: input
+    id: test-date
+    attributes:
+      label: "Test Date"
+      description: "Date the BCP/DRP test was conducted"
+      placeholder: "YYYY-MM-DD"
+    validations:
+      required: true
+
+  - type: dropdown
+    id: test-type
+    attributes:
+      label: "Test Type"
+      description: "What type of test was conducted?"
+      options:
+        - "Tabletop / walkthrough"
+        - "Partial failover (non-production)"
+        - "Full failover (production)"
+        - "Backup restoration test"
+    validations:
+      required: true
+
+  - type: input
+    id: facilitator
+    attributes:
+      label: "Test Lead"
+      description: "Person who led the BCP/DRP test"
+      placeholder: "Jane Smith"
+    validations:
+      required: true
+
+  - type: textarea
+    id: scope
+    attributes:
+      label: "Test Scope"
+      description: "Which systems, services, and recovery procedures were tested?"
+      placeholder: |
+        - RDS failover to secondary region
+        - S3 cross-region replication validation
+        - Application deployment to DR environment
+        - DNS failover procedure
+    validations:
+      required: true
+
+  - type: textarea
+    id: rto-rpo
+    attributes:
+      label: "RTO/RPO Results"
+      description: "Document actual recovery times vs. targets"
+      placeholder: |
+        | System | Target RTO | Actual RTO | Target RPO | Actual RPO | Pass? |
+        |--------|-----------|------------|-----------|------------|-------|
+        | API    | 1 hour    | 45 min     | 15 min    | 10 min     | Yes   |
+        | DB     | 30 min    | 25 min     | 5 min     | 3 min      | Yes   |
+    validations:
+      required: true
+
+  - type: textarea
+    id: findings
+    attributes:
+      label: "Findings & Issues"
+      description: "Document any issues discovered during the test"
+      placeholder: |
+        - [ ] All systems recovered within RTO targets
+        - [ ] All data recovered within RPO targets
+        - [ ] Runbooks were accurate and current
+        - [ ] Contact lists were up to date
+        - [ ] Communication procedures worked as expected
+    validations:
+      required: true
+
+  - type: textarea
+    id: improvements
+    attributes:
+      label: "Improvements & Action Items"
+      description: "Actions to improve BCP/DRP based on test results"
+      placeholder: |
+        - [ ] Update DNS failover TTL from 300s to 60s
+        - [ ] Add automated health check to DR environment
+    validations:
+      required: true
+
+  - type: checkboxes
+    id: attestation
+    attributes:
+      label: "Test Lead Attestation"
+      description: "Confirm the following"
+      options:
+        - label: "The test was conducted in accordance with docs/compliance/BCP-DRP.md"
+          required: true
+        - label: "All RTO/RPO results have been documented accurately"
+          required: true
+        - label: "The BCP/DRP plan will be updated to reflect lessons learned"
+          required: true

aipea-1.1.0/.github/ISSUE_TEMPLATE/change-request.yml

@@ -0,0 +1,112 @@
+name: "Change Request"
+description: "SOC 2 CC8.x / FedRAMP CM-2,CM-3 — Document a change management request"
+title: "[Change Request]"
+labels:
+  - "compliance/soc2"
+  - "evidence/change-mgmt"
+assignees: []
+body:
+  - type: markdown
+    attributes:
+      value: |
+        ## Change Management Request
+        Complete this form to document a change request per the change management process.
+        Reference: `docs/compliance/CHANGE-MANAGEMENT.md` for the full change management policy.
+
+        **Compliance mapping**: SOC 2 CC8.1 | FedRAMP CM-2, CM-3 | ISO 42001 Operation | NIST AI RMF MANAGE
+
+  - type: dropdown
+    id: change-class
+    attributes:
+      label: "Change Class"
+      description: "Classify the change per Engineering Standards S10 (Governance)"
+      options:
+        - "Class A — Style-only (auto-merge eligible)"
+        - "Class B — Refactor (perf + golden dataset verification required)"
+        - "Class C — Behavioral (backtest delta report + risk sign-off required)"
+    validations:
+      required: true
+
+  - type: dropdown
+    id: risk-level
+    attributes:
+      label: "Risk Level"
+      description: "Assessed risk level of this change"
+      options:
+        - "Low — No customer impact, easily reversible"
+        - "Medium — Limited customer impact, reversible with effort"
+        - "High — Significant customer impact or difficult to reverse"
+        - "Critical — Production-wide impact, requires maintenance window"
+    validations:
+      required: true
+
+  - type: input
+    id: requester
+    attributes:
+      label: "Requester"
+      description: "Person requesting the change"
+      placeholder: "Jane Smith"
+    validations:
+      required: true
+
+  - type: textarea
+    id: description
+    attributes:
+      label: "Change Description"
+      description: "Describe what is being changed and why"
+      placeholder: |
+        **What**: Upgrade PostgreSQL from 15.4 to 16.1
+        **Why**: End-of-life for 15.x in Q2, performance improvements for JSONB queries
+        **Scope**: Production RDS instances (us-east-1, us-west-2)
+    validations:
+      required: true
+
+  - type: textarea
+    id: impact-analysis
+    attributes:
+      label: "Impact Analysis"
+      description: "Document affected systems, users, and services"
+      placeholder: |
+        - Affected systems: API servers, background workers, analytics pipeline
+        - Affected users: All (during maintenance window)
+        - Dependencies: Application code is compatible (tested in staging)
+    validations:
+      required: true
+
+  - type: textarea
+    id: rollback-plan
+    attributes:
+      label: "Rollback Plan"
+      description: "Document how to revert this change if needed"
+      placeholder: |
+        1. Restore RDS from pre-upgrade snapshot (< 15 min)
+        2. Repoint DNS to restored instance
+        3. Verify application connectivity
+    validations:
+      required: true
+
+  - type: textarea
+    id: test-plan
+    attributes:
+      label: "Test Plan"
+      description: "How will this change be verified?"
+      placeholder: |
+        - [ ] Staging environment upgrade completed successfully
+        - [ ] Integration tests pass against upgraded instance
+        - [ ] Performance benchmarks show no regression
+        - [ ] Backup/restore verified on upgraded version
+    validations:
+      required: true
+
+  - type: checkboxes
+    id: attestation
+    attributes:
+      label: "Requester Attestation"
+      description: "Confirm the following"
+      options:
+        - label: "This change has been tested in a non-production environment"
+          required: true
+        - label: "A rollback plan has been documented and verified"
+          required: true
+        - label: "Affected stakeholders have been notified"
+          required: true

aipea-1.1.0/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: "Security Incident"
+    url: "https://github.com/undercurrentai/AIPEA/blob/main/docs/compliance/IRP.md"
+    about: "Report security incidents via the Incident Response process (docs/compliance/IRP.md)"
+  - name: "Privacy / Data Subject Request"
+    url: "https://github.com/undercurrentai/AIPEA/blob/main/docs/compliance/DSR-PRIVACY-OPERATIONS.md"
+    about: "Submit data subject requests via the DSR portal (docs/compliance/DSR-PRIVACY-OPERATIONS.md)"

aipea-1.1.0/.github/ISSUE_TEMPLATE/incident-response-drill.yml

@@ -0,0 +1,118 @@
+name: "Incident Response Drill"
+description: "SOC 2 CC7.x / FedRAMP IR-4,IR-5 — Document tabletop exercise or IR drill results"
+title: "[IR Drill] Q_ YYYY"
+labels:
+  - "compliance/soc2"
+  - "cadence/quarterly"
+  - "evidence/incident-drill"
+assignees: []
+body:
+  - type: markdown
+    attributes:
+      value: |
+        ## Incident Response Drill / Tabletop Exercise
+        Complete this form to document the periodic incident response drill.
+        Reference: `docs/compliance/IRP.md` for the full Incident Response Plan.
+
+        **Compliance mapping**: SOC 2 CC7.2/CC7.3/CC7.4 | FedRAMP IR-4, IR-5 | ISO 42001 Support | NIST AI RMF MANAGE
+
+  - type: dropdown
+    id: quarter
+    attributes:
+      label: "Review Period"
+      description: "Which quarter does this drill cover?"
+      options:
+        - "Q1 (Jan–Mar)"
+        - "Q2 (Apr–Jun)"
+        - "Q3 (Jul–Sep)"
+        - "Q4 (Oct–Dec)"
+    validations:
+      required: true
+
+  - type: dropdown
+    id: drill-type
+    attributes:
+      label: "Drill Type"
+      description: "What type of exercise was conducted?"
+      options:
+        - "Tabletop exercise (discussion-based)"
+        - "Functional exercise (hands-on simulation)"
+        - "Full-scale exercise (live simulation)"
+    validations:
+      required: true
+
+  - type: input
+    id: facilitator
+    attributes:
+      label: "Facilitator"
+      description: "Person who facilitated the drill"
+      placeholder: "Jane Smith"
+    validations:
+      required: true
+
+  - type: textarea
+    id: scenario
+    attributes:
+      label: "Scenario Description"
+      description: "Describe the incident scenario used for the drill"
+      placeholder: |
+        Scenario: Unauthorized access to production database detected via anomalous
+        query patterns. Attacker appears to have exploited a SQL injection vulnerability
+        in the /api/search endpoint.
+    validations:
+      required: true
+
+  - type: textarea
+    id: participants
+    attributes:
+      label: "Participants"
+      description: "List all drill participants and their roles"
+      placeholder: |
+        - Jane Smith (Incident Commander)
+        - John Doe (Engineering Lead)
+        - Alice Johnson (Security)
+        - Bob Williams (Communications)
+    validations:
+      required: true
+
+  - type: textarea
+    id: timeline
+    attributes:
+      label: "Drill Timeline & Actions"
+      description: "Document the sequence of actions taken during the drill"
+      placeholder: |
+        1. T+0: Alert received, triage initiated
+        2. T+5: Incident Commander assigned, severity classified
+        3. T+15: Containment actions identified and (simulated) executed
+        4. T+30: Communication plan activated
+        5. T+45: Root cause analysis discussion
+        6. T+60: Recovery plan developed
+    validations:
+      required: true
+
+  - type: textarea
+    id: lessons-learned
+    attributes:
+      label: "Lessons Learned & Improvements"
+      description: "Document what went well, what needs improvement, and action items"
+      placeholder: |
+        **Went well**: Rapid triage, clear communication chain
+        **Needs improvement**: Runbook for database isolation was outdated
+        **Action items**:
+        - [ ] Update database isolation runbook by YYYY-MM-DD
+        - [ ] Add automated alerting for anomalous query patterns
+    validations:
+      required: true
+
+  - type: checkboxes
+    id: attestation
+    attributes:
+      label: "Facilitator Attestation"
+      description: "Confirm the following"
+      options:
+        - label: "The drill was conducted in accordance with docs/compliance/IRP.md"
+          required: true
+        - label: "All lessons learned have been documented with owners and due dates"
+          required: true
+        - label: "The IRP will be updated to reflect any procedural changes identified"
+          required: true

aipea-1.1.0/.github/ISSUE_TEMPLATE/postmarket-monitoring-review.yml

@@ -0,0 +1,100 @@
+name: "Post-Market Monitoring Review"
+description: "EU AI Act Art. 72 / NIST AI RMF MANAGE — Monthly AI system monitoring review"
+title: "[Post-Market Monitoring] YYYY-MM"
+labels:
+  - "compliance/eu-ai-act"
+  - "cadence/monthly"
+  - "evidence/postmarket"
+assignees: []
+body:
+  - type: markdown
+    attributes:
+      value: |
+        ## Monthly Post-Market Monitoring Review
+        Complete this form to document the monthly review of AI system performance and safety.
+        Reference: `ai/postmarket-monitoring.md` for the full monitoring plan.
+
+        **Compliance mapping**: EU AI Act Art. 72 | ISO 42001 Improvement | NIST AI RMF MANAGE | FedRAMP CA-7
+
+  - type: input
+    id: review-period
+    attributes:
+      label: "Review Period"
+      description: "Month being reviewed"
+      placeholder: "YYYY-MM"
+    validations:
+      required: true
+
+  - type: input
+    id: reviewer
+    attributes:
+      label: "Reviewer Name"
+      description: "Person conducting this monitoring review"
+      placeholder: "Jane Smith"
+    validations:
+      required: true
+
+  - type: textarea
+    id: systems-monitored
+    attributes:
+      label: "AI Systems Monitored"
+      description: "List all AI systems reviewed, referencing ai/system-register.yaml"
+      placeholder: |
+        | System ID | Name | Risk Level | Status |
+        |-----------|------|------------|--------|
+        | AI-001    | PCW  | High       | Active |
+    validations:
+      required: true
+
+  - type: textarea
+    id: performance-metrics
+    attributes:
+      label: "Performance Metrics"
+      description: "Document key performance indicators for each AI system"
+      placeholder: |
+        - Accuracy / F1 score: X.XX (target: >= Y.YY)
+        - Latency P95: XXms (target: <= YYms)
+        - Error rate: X.X% (target: <= Y.Y%)
+        - Drift detected: Yes/No
+    validations:
+      required: true
+
+  - type: textarea
+    id: safety-incidents
+    attributes:
+      label: "Safety & Bias Incidents"
+      description: "Document any safety incidents, bias detections, or unexpected behaviors"
+      placeholder: |
+        - [ ] No safety incidents reported
+        - [ ] No bias drift detected in monitoring dashboards
+        - [ ] No user complaints related to AI system behavior
+        - [ ] Feedback mechanisms operational
+    validations:
+      required: true
+
+  - type: textarea
+    id: actions
+    attributes:
+      label: "Actions & Model Updates"
+      description: "Document any corrective actions, model retraining, or system updates"
+      placeholder: |
+        - Updated model weights to address detected drift (version X.Y.Z → X.Y.W)
+        - Added new monitoring alert for edge case scenario
+        - None required — all metrics within acceptable bounds
+    validations:
+      required: true
+
+  - type: checkboxes
+    id: attestation
+    attributes:
+      label: "Reviewer Attestation"
+      description: "Confirm the following"
+      options:
+        - label: "All AI systems in the system register have been reviewed"
+          required: true
+        - label: "Performance metrics are within acceptable bounds or remediation is documented"
+          required: true
+        - label: "This review was completed in accordance with ai/postmarket-monitoring.md"
+          required: true
+        - label: "The risk register (ai/risk-register.yaml) has been updated if new risks were identified"
+          required: true

aipea-1.1.0/.github/ISSUE_TEMPLATE/quarterly-access-review.yml

@@ -0,0 +1,87 @@
+name: "Quarterly Access Review"
+description: "SOC 2 CC6.x / FedRAMP AC-2,IA-5 — Review and certify user access rights"
+title: "[Access Review] Q_ YYYY"
+labels:
+  - "compliance/soc2"
+  - "cadence/quarterly"
+  - "evidence/access-review"
+assignees: []
+body:
+  - type: markdown
+    attributes:
+      value: |
+        ## Quarterly Access Review
+        Complete this form to document the periodic review of user access rights.
+        Reference: `docs/compliance/ACCESS-REVIEW.md` for full procedure.
+
+        **Compliance mapping**: SOC 2 CC6.1/CC6.2/CC6.3 | FedRAMP AC-2, IA-5 | ISO 42001 Support
+
+  - type: dropdown
+    id: quarter
+    attributes:
+      label: "Review Period"
+      description: "Which quarter does this review cover?"
+      options:
+        - "Q1 (Jan–Mar)"
+        - "Q2 (Apr–Jun)"
+        - "Q3 (Jul–Sep)"
+        - "Q4 (Oct–Dec)"
+    validations:
+      required: true
+
+  - type: input
+    id: reviewer
+    attributes:
+      label: "Reviewer Name"
+      description: "Person conducting this access review"
+      placeholder: "Jane Smith"
+    validations:
+      required: true
+
+  - type: textarea
+    id: systems-reviewed
+    attributes:
+      label: "Systems Reviewed"
+      description: "List all systems and platforms whose access was reviewed"
+      placeholder: |
+        - AWS IAM (production account)
+        - GitHub organization
+        - Database access (RDS)
+        - Secrets Manager
+    validations:
+      required: true
+
+  - type: textarea
+    id: findings
+    attributes:
+      label: "Findings"
+      description: "Document any access anomalies, orphaned accounts, or excessive privileges found"
+      placeholder: |
+        - [ ] All accounts have appropriate access levels
+        - [ ] No orphaned/inactive accounts found
+        - [ ] MFA enforced on all privileged accounts
+        - [ ] Service accounts have minimal required permissions
+    validations:
+      required: true
+
+  - type: textarea
+    id: remediation
+    attributes:
+      label: "Remediation Actions"
+      description: "Actions taken to resolve any findings (or 'None required' if clean)"
+      placeholder: "Revoked access for departed employee X. Reduced privileges for service account Y."
+    validations:
+      required: true
+
+  - type: checkboxes
+    id: attestation
+    attributes:
+      label: "Reviewer Attestation"
+      description: "Confirm the following"
+      options:
+        - label: "I have reviewed all user accounts for the systems listed above"
+          required: true
+        - label: "All identified issues have been remediated or have a documented remediation plan"
+          required: true
+        - label: "This review was completed in accordance with docs/compliance/ACCESS-REVIEW.md"
+          required: true

aipea-1.1.0/.github/ISSUE_TEMPLATE/vendor-risk-assessment.yml

@@ -0,0 +1,87 @@
+name: "Vendor Risk Assessment"
+description: "SOC 2 CC9.x / FedRAMP SA-12 — Assess third-party vendor risk posture"
+title: "[Vendor Risk] Q_ YYYY"
+labels:
+  - "compliance/soc2"
+  - "cadence/quarterly"
+  - "evidence/vendor-risk"
+assignees: []
+body:
+  - type: markdown
+    attributes:
+      value: |
+        ## Quarterly Vendor Risk Assessment
+        Complete this form to document the periodic review of third-party vendor risk.
+        Reference: `docs/compliance/VENDOR-RISK.md` for full procedure.
+
+        **Compliance mapping**: SOC 2 CC9.1/CC9.2 | FedRAMP SA-12 | ISO 42001 Support | NIST AI RMF GOVERN
+
+  - type: dropdown
+    id: quarter
+    attributes:
+      label: "Review Period"
+      description: "Which quarter does this review cover?"
+      options:
+        - "Q1 (Jan–Mar)"
+        - "Q2 (Apr–Jun)"
+        - "Q3 (Jul–Sep)"
+        - "Q4 (Oct–Dec)"
+    validations:
+      required: true
+
+  - type: input
+    id: reviewer
+    attributes:
+      label: "Reviewer Name"
+      description: "Person conducting this vendor review"
+      placeholder: "Jane Smith"
+    validations:
+      required: true
+
+  - type: textarea
+    id: vendors-reviewed
+    attributes:
+      label: "Vendors Reviewed"
+      description: "List all vendors assessed in this cycle with their risk tier"
+      placeholder: |
+        | Vendor | Service | Data Access | Risk Tier | SOC 2 Report? |
+        |--------|---------|-------------|-----------|---------------|
+        | AWS    | Cloud   | Yes         | Critical  | Yes (Type II) |
+        | Stripe | Payments| Yes (PCI)   | High      | Yes (Type II) |
+    validations:
+      required: true
+
+  - type: textarea
+    id: risk-findings
+    attributes:
+      label: "Risk Findings"
+      description: "Document any vendor risk concerns, SLA breaches, or compliance gaps"
+      placeholder: |
+        - [ ] All critical vendors have current SOC 2 / ISO 27001 reports
+        - [ ] No vendor SLA breaches in review period
+        - [ ] All vendor contracts include security/privacy clauses
+        - [ ] Subprocessor lists reviewed for changes
+    validations:
+      required: true
+
+  - type: textarea
+    id: remediation
+    attributes:
+      label: "Remediation Actions"
+      description: "Actions taken for any findings (or 'None required' if clean)"
+      placeholder: "Requested updated SOC 2 report from vendor X. Added DPA to contract with vendor Y."
+    validations:
+      required: true
+
+  - type: checkboxes
+    id: attestation
+    attributes:
+      label: "Reviewer Attestation"
+      description: "Confirm the following"
+      options:
+        - label: "I have reviewed all vendors at or above the designated risk tier"
+          required: true
+        - label: "All identified risks have mitigations documented or in progress"
+          required: true
+        - label: "This review was completed in accordance with docs/compliance/VENDOR-RISK.md"
+          required: true