Skip to content

crp.comply

Auto-generated reference for the crp.comply subpackage.

comply.checkpoint_inbox

crp.comply.checkpoint_inbox

Checkpoint inbox - human reviewer resolution endpoint (SPEC-034).

Provides HTTP-style handlers for the Comply Inbox surface. Integrates with SafetyControlPlane and ComplianceAuditTrail.

CheckpointInboxError

Bases: Exception

Raised when checkpoint resolution fails.

resolve_checkpoint(checkpoint_id, action, reviewer, edited_output='', note='')

Resolve a checkpoint by ID (called by reviewer/webhook).

Parameters:

Name Type Description Default
checkpoint_id str

The UUID of the checkpoint to resolve.

required
action str

approve, reject, or edit.

required
reviewer str

Identifier of the human reviewer (Clerk user ID).

required
edited_output str

If action is edit, the modified output.

''
note str

Optional human note.

''

Returns:

Type Description
dict[str, Any]

Dict with status, checkpoint_id, audit_ref.

Raises:

Type Description
CheckpointInboxError

if checkpoint not found or action invalid.

list_active_checkpoints(tenant_id=None)

Return all unresolved checkpoints, optionally filtered by tenant.

comply.gateway_client

crp.comply.gateway_client

Comply Gateway Client - consumes Gateway audit streams (SPEC-042).

The Gateway calls stream_audit_events() at Step 20 of its lifecycle. This module receives those events and turns them into compliance evidence.

map_to_regulation(event_type)

Map a Gateway audit event type to EU AI Act article citations.

stream_audit_events(events, tenant_id)

Receive a batch of audit events from the Gateway and store as evidence.

Called non-blocking by the Gateway at Step 20.

get_evidence_pack(tenant_id, period=None)

Aggregate audit events into an EU AI Act evidence pack.

Parameters:

Name Type Description Default
tenant_id str

The Clerk org / Gateway tenant ID.

required
period str | None

Optional filter (e.g. "2026-06").

None

Returns:

Type Description
dict[str, Any]

Dict with events, article_coverage, risk_summary.

get_org_safety_surface(org_id)

Read the SafetyControlPlane surface map for a tenant's dashboard.

comply.github_routes

crp.comply.github_routes

GitHub + Scan route handlers (SPEC-048).

Returns dicts for framework integration (FastAPI, Flask, etc.).

github_callback(query_params)

GET /api/github/callback - OAuth callback after App installation.

Query params: installation_id, setup_action (install|update). Maps installation_id to Clerk org/tenant.

github_installed(query_params)

GET /api/github/installed - post-install landing page.

github_connect()

GET /api/github/connect - redirect to GitHub App install.

github_webhook(body, headers)

POST /api/github/webhook - receive GitHub App events.

Verifies HMAC-SHA256 signature before processing.

scan_anonymous(body)

POST /api/v1/scan/anonymous - store findings for pre-auth users.

scan_claim(body)

POST /api/v1/scan/claim - claim anonymous results after signup.

scan_ingest_sarif(body)

POST /api/v1/scan/ingest-sarif - ingest SARIF from crp-scan Action.

comply_apply_config(body)

POST /api/v1/comply/apply-config - one-click apply Safety Manifest change.

Body: {"intent": {...}} - forwarded to No-Code Translator.

comply.header_mapping

crp.comply.header_mapping

Bidirectional header mapping: X-CRP-Comply- ↔ CRP- (SPEC-042 §3.3).

Preserves the existing wire contract so current customer integrations keep working while the backend routes through the CRP Gateway.

map_request_headers(headers)

Translate incoming X-CRP-Comply- headers to standard CRP- headers.

Unrecognised headers are passed through unchanged.

map_response_headers(headers)

Translate Gateway CRP- response headers back to X-CRP-Comply-.

Also injects X-CRP-Comply: active to signal Comply governance.

strip_crp_headers_before_provider(headers)

Return a copy of headers with all CRP-* headers removed.

Enforces Axiom 4 (Model Ignorance). Only headers in the provider allowlist are retained.

comply.no_code

crp.comply.no_code

No-Code Governance Translator (SPEC-048 Part A).

Maps structured user intent (checkboxes, sliders) into exact CRP configuration - grounded in real capabilities only. Refuses to fabricate governance that CRP does not have.

NoCodeTranslatorError

Bases: Exception

Raised when the translator cannot honour a request.

express_requirement(intent)

Validate a user's structured intent against real CRP capabilities.

Parameters:

Name Type Description Default
intent dict[str, Any]

Dict with keys like prevent_hallucinations: True, grounding_threshold: 0.85, etc.

required

Returns:

Type Description
dict[str, Any]

Dict with valid (bool), capabilities (list of capability names),

dict[str, Any]

settings (dict of values), and refusals (list of unsupported asks).

generate_config(intent)

Generate a crp.config.yaml fragment from validated intent.

Raises NoCodeTranslatorError if intent contains unsupported asks.

generate_code_change(intent)

Generate a code diff + explanation for applying the intent.

Returns a dict with file, diff, explanation.

refuse_to_fabricate(requested)

Return a refusal message when the user asks for a non-existent capability.

Cites the relevant spec and offers alternatives.

comply.signup

crp.comply.signup

Anonymous scan + result-preserving signup (SPEC-048 Part C).

Anonymous scans are limited to public repos or uploaded SARIF. Private-repo scanning requires authenticated GitHub App connection.

store_anonymous_results(findings, ttl_days=_DEFAULT_TTL_DAYS)

Store scan findings against a random token for later claim.

Returns the claim token.

claim_results(token, org_id)

Migrate anonymous findings to a Clerk org.

Idempotent - claiming twice for the same org returns success. Claiming for a different org returns error.

is_public_repo(repo_url)

Best-effort check whether a GitHub repo is public.

Returns True if the repo is accessible without auth.