crp.comply¶
Auto-generated reference for the crp.comply subpackage.
comply.checkpoint_inbox¶
crp.comply.checkpoint_inbox ¶
Checkpoint inbox - human reviewer resolution endpoint (SPEC-034).
Provides HTTP-style handlers for the Comply Inbox surface. Integrates with SafetyControlPlane and ComplianceAuditTrail.
CheckpointInboxError ¶
Bases: Exception
Raised when checkpoint resolution fails.
resolve_checkpoint(checkpoint_id, action, reviewer, edited_output='', note='') ¶
Resolve a checkpoint by ID (called by reviewer/webhook).
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
checkpoint_id | str | The UUID of the checkpoint to resolve. | required |
action | str |
| required |
reviewer | str | Identifier of the human reviewer (Clerk user ID). | required |
edited_output | str | If action is | '' |
note | str | Optional human note. | '' |
Returns:
| Type | Description |
|---|---|
dict[str, Any] | Dict with |
Raises:
| Type | Description |
|---|---|
CheckpointInboxError | if checkpoint not found or action invalid. |
list_active_checkpoints(tenant_id=None) ¶
Return all unresolved checkpoints, optionally filtered by tenant.
comply.gateway_client¶
crp.comply.gateway_client ¶
Comply Gateway Client - consumes Gateway audit streams (SPEC-042).
The Gateway calls stream_audit_events() at Step 20 of its lifecycle. This module receives those events and turns them into compliance evidence.
map_to_regulation(event_type) ¶
Map a Gateway audit event type to EU AI Act article citations.
stream_audit_events(events, tenant_id) ¶
Receive a batch of audit events from the Gateway and store as evidence.
Called non-blocking by the Gateway at Step 20.
get_evidence_pack(tenant_id, period=None) ¶
Aggregate audit events into an EU AI Act evidence pack.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
tenant_id | str | The Clerk org / Gateway tenant ID. | required |
period | str | None | Optional filter (e.g. | None |
Returns:
| Type | Description |
|---|---|
dict[str, Any] | Dict with |
get_org_safety_surface(org_id) ¶
Read the SafetyControlPlane surface map for a tenant's dashboard.
comply.github_routes¶
crp.comply.github_routes ¶
GitHub + Scan route handlers (SPEC-048).
Returns dicts for framework integration (FastAPI, Flask, etc.).
github_callback(query_params) ¶
GET /api/github/callback - OAuth callback after App installation.
Query params: installation_id, setup_action (install|update). Maps installation_id to Clerk org/tenant.
github_installed(query_params) ¶
GET /api/github/installed - post-install landing page.
github_connect() ¶
GET /api/github/connect - redirect to GitHub App install.
github_webhook(body, headers) ¶
POST /api/github/webhook - receive GitHub App events.
Verifies HMAC-SHA256 signature before processing.
scan_anonymous(body) ¶
POST /api/v1/scan/anonymous - store findings for pre-auth users.
scan_claim(body) ¶
POST /api/v1/scan/claim - claim anonymous results after signup.
scan_ingest_sarif(body) ¶
POST /api/v1/scan/ingest-sarif - ingest SARIF from crp-scan Action.
comply_apply_config(body) ¶
POST /api/v1/comply/apply-config - one-click apply Safety Manifest change.
Body: {"intent": {...}} - forwarded to No-Code Translator.
comply.header_mapping¶
crp.comply.header_mapping ¶
Bidirectional header mapping: X-CRP-Comply- ↔ CRP- (SPEC-042 §3.3).
Preserves the existing wire contract so current customer integrations keep working while the backend routes through the CRP Gateway.
map_request_headers(headers) ¶
Translate incoming X-CRP-Comply- headers to standard CRP- headers.
Unrecognised headers are passed through unchanged.
map_response_headers(headers) ¶
Translate Gateway CRP- response headers back to X-CRP-Comply-.
Also injects X-CRP-Comply: active to signal Comply governance.
strip_crp_headers_before_provider(headers) ¶
Return a copy of headers with all CRP-* headers removed.
Enforces Axiom 4 (Model Ignorance). Only headers in the provider allowlist are retained.
comply.no_code¶
crp.comply.no_code ¶
No-Code Governance Translator (SPEC-048 Part A).
Maps structured user intent (checkboxes, sliders) into exact CRP configuration - grounded in real capabilities only. Refuses to fabricate governance that CRP does not have.
NoCodeTranslatorError ¶
Bases: Exception
Raised when the translator cannot honour a request.
express_requirement(intent) ¶
Validate a user's structured intent against real CRP capabilities.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
intent | dict[str, Any] | Dict with keys like | required |
Returns:
| Type | Description |
|---|---|
dict[str, Any] | Dict with |
dict[str, Any] |
|
generate_config(intent) ¶
Generate a crp.config.yaml fragment from validated intent.
Raises NoCodeTranslatorError if intent contains unsupported asks.
generate_code_change(intent) ¶
Generate a code diff + explanation for applying the intent.
Returns a dict with file, diff, explanation.
refuse_to_fabricate(requested) ¶
Return a refusal message when the user asks for a non-existent capability.
Cites the relevant spec and offers alternatives.
comply.signup¶
crp.comply.signup ¶
Anonymous scan + result-preserving signup (SPEC-048 Part C).
Anonymous scans are limited to public repos or uploaded SARIF. Private-repo scanning requires authenticated GitHub App connection.
store_anonymous_results(findings, ttl_days=_DEFAULT_TTL_DAYS) ¶
Store scan findings against a random token for later claim.
Returns the claim token.
claim_results(token, org_id) ¶
Migrate anonymous findings to a Clerk org.
Idempotent - claiming twice for the same org returns success. Claiming for a different org returns error.
is_public_repo(repo_url) ¶
Best-effort check whether a GitHub repo is public.
Returns True if the repo is accessible without auth.