Design Docs#12
Closed
Brad-Edwards wants to merge 4 commits intomainfrom
Closed
Conversation
Remove all existing Ground Control code and replace with comprehensive platform design docs for an open-source AuditBoard ITRM replacement: - PRD: Full product requirements with competitive analysis, personas, capabilities, frameworks (SOX, SOC2, ISO 27001, NIST, PCI-DSS), agent-first design, and release roadmap - User Stories: 30+ stories across 8 epics with acceptance criteria covering risk management, control management, assessment/testing, evidence management, findings, reporting, admin, and agent workflows - Use Cases: 9 detailed UML use cases with PlantUML sequence and activity diagrams, plus actor-matrix - Architecture: System architecture with component diagrams, domain services, event bus, plugin runtime, security layers, auth model, and technology stack (FastAPI, React, PostgreSQL, S3, Redis) - Data Model: 19 entity definitions with full SQL schemas, indexes, RLS policies, ERD, and storage strategy - API Spec: REST + GraphQL API design with 60+ endpoints, response formats, webhook events, rate limiting, plugin SDK, and agent SDK - Deployment: Docker Compose, Kubernetes Helm, and cloud-managed deployment guides with SSO setup (SAML 2.0, OIDC, SCIM 2.0), multi-tenancy modes, backup/DR, and monitoring https://claude.ai/code/session_01S8xaFNnGjQfMBbcjoS9ddx
Comprehensive issue backlog covering the full implementation of Ground Control, organized into 12 phases aligned with the PRD roadmap (v0.1–v1.0). Each issue is cross-referenced to user stories, use cases, and design documents. Phases: - Phase 0: Project bootstrap, coding standards, CI/CD (lint, type-check, test, SonarQube, SAST/DAST, OpenANT, dependency scanning), structured logging, exception hierarchy, design-by-contract, architecture-as-code, policy-as-code - Phase 1: Core data model (all 19 entities from DATA_MODEL.md) - Phase 2: FastAPI scaffold, REST API endpoints, local/OIDC/API key auth - Phase 3: RBAC/ABAC engines, SAML SSO, SCIM, OAuth2 client credentials, MFA - Phase 4: Risk scoring, assessment workflows, evidence management, findings - Phase 5: Event bus, background jobs, workflow engine, notifications, webhooks - Phase 6: Framework loader, SOX/SOC2/ISO27001/NIST definitions, CCL seed data - Phase 7: Agent registration, SDK (Python/TypeScript), provenance tracking - Phase 8: Meilisearch integration, dashboards, report generation, GraphQL - Phase 9: React frontend (all domain views, admin, dashboards, accessibility) - Phase 10: Plugin runtime, SDK, management API - Phase 11: Multi-tenancy, Helm chart, Docker prod, performance, security, E2E https://claude.ai/code/session_01S8xaFNnGjQfMBbcjoS9ddx
There was a problem hiding this comment.
Pull request overview
This PR pivots the repository toward the “Ground Control” ITRM platform plan by adding product documentation and a full set of phased implementation issue definitions.
Changes:
- Add PRD and user stories documentation for the planned ITRM platform.
- Add
.github/issues/containing 127 phase-organized implementation issues intended for GitHub Issues import. - Remove the prior Python JIRA-sync CLI implementation and related project tooling/CI files.
Reviewed changes
Copilot reviewed 147 out of 148 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/test_ground_control.py | Removed legacy CLI test suite |
| src/grndctl/main.py | Removed legacy CLI implementation |
| src/grndctl/init.py | Removed legacy package module docstring |
| setup.cfg | Removed legacy flake8 configuration |
| pyproject.toml | Removed legacy Poetry project configuration |
| CHANGELOG.md | Removed legacy changelog |
| .pre-commit-config.yaml | Removed legacy pre-commit hook configuration |
| .github/workflows/security.yml | Removed legacy security CI workflow |
| .github/workflows/quality.yml | Removed legacy quality CI workflow |
| .github/dependabot.yml | Removed legacy Dependabot configuration |
| docs/user-stories/USER_STORIES.md | Added user stories and acceptance criteria for the planned platform |
| docs/PRD.md | Added product requirements document (PRD) for the planned platform |
| README.md | Replaced CLI-focused README with platform overview and doc links |
| LICENSE | Switched repository license text to Apache-2.0 (partial text currently) |
| .github/issues/README.md | Added index describing phased issue organization and cross-references |
| .github/issues/phase-00-foundation/001-repo-structure.md | Issue #1: repo structure |
| .github/issues/phase-00-foundation/002-adr-framework.md | Issue #2: ADR framework |
| .github/issues/phase-00-foundation/003-coding-standards.md | Issue #3: coding standards |
| .github/issues/phase-00-foundation/004-python-backend-scaffold.md | Issue #4: Python backend scaffold |
| .github/issues/phase-00-foundation/005-frontend-scaffold.md | Issue #5: frontend scaffold |
| .github/issues/phase-00-foundation/006-dev-environment.md | Issue #6: dev environment |
| .github/issues/phase-00-foundation/007-pre-commit-hooks.md | Issue #7: pre-commit hooks |
| .github/issues/phase-00-foundation/008-ci-lint-format.md | Issue #8: CI lint/format |
| .github/issues/phase-00-foundation/009-ci-type-checking.md | Issue #9: CI type checking |
| .github/issues/phase-00-foundation/010-ci-unit-tests.md | Issue #10: CI unit tests |
| .github/issues/phase-00-foundation/011-ci-build-docker.md | Issue #11: CI docker build/publish |
| .github/issues/phase-00-foundation/012-ci-sonarqube.md | Issue #12: SonarQube/SonarCloud |
| .github/issues/phase-00-foundation/013-ci-sast.md | Issue #13: SAST (Semgrep/Bandit) |
| .github/issues/phase-00-foundation/014-ci-dast.md | Issue #014: DAST (OWASP ZAP) |
| .github/issues/phase-00-foundation/015-ci-openant.md | Issue #15: OpenANT scanning |
| .github/issues/phase-00-foundation/016-ci-dependency-scanning.md | Issue #16: dependency/license scanning |
| .github/issues/phase-00-foundation/017-exception-hierarchy.md | Issue #017: exception hierarchy |
| .github/issues/phase-00-foundation/018-structured-logging.md | Issue #018: structured logging |
| .github/issues/phase-00-foundation/019-config-management.md | Issue #019: config management |
| .github/issues/phase-00-foundation/020-base-schemas.md | Issue #020: base schemas/envelope |
| .github/issues/phase-00-foundation/021-database-setup.md | Issue #021: DB setup |
| .github/issues/phase-00-foundation/022-alembic-setup.md | Issue #022: Alembic setup |
| .github/issues/phase-00-foundation/023-design-by-contract.md | Issue #023: design-by-contract |
| .github/issues/phase-00-foundation/024-architecture-as-code.md | Issue #024: architecture-as-code |
| .github/issues/phase-00-foundation/025-policy-as-code.md | Issue #025: policy-as-code |
| .github/issues/phase-01-data-model/026-tenant-model.md | Issue #026: tenant model/RLS |
| .github/issues/phase-01-data-model/027-user-model.md | Issue #027: user model |
| .github/issues/phase-01-data-model/028-role-permission-model.md | Issue #028: roles/permissions |
| .github/issues/phase-01-data-model/029-risk-entity.md | Issue #029: risk entity |
| .github/issues/phase-01-data-model/030-control-entity.md | Issue #030: control entity |
| .github/issues/phase-01-data-model/031-framework-entity.md | Issue #031: framework entity |
| .github/issues/phase-01-data-model/032-ccl-entity.md | Issue #032: CCL entity |
| .github/issues/phase-01-data-model/033-assessment-entity.md | Issue #033: assessment entity |
| .github/issues/phase-01-data-model/034-test-procedure-entity.md | Issue #34: test procedure/steps |
| .github/issues/phase-01-data-model/035-artifact-entity.md | Issue #35: artifact entity |
| .github/issues/phase-01-data-model/036-finding-entity.md | Issue #036: finding entity |
| .github/issues/phase-01-data-model/037-remediation-entity.md | Issue #037: remediation entities |
| .github/issues/phase-01-data-model/038-taxonomy-entity.md | Issue #038: taxonomy entity |
| .github/issues/phase-01-data-model/039-audit-log-entity.md | Issue #039: audit log entity |
| .github/issues/phase-01-data-model/040-comment-notification-entities.md | Issue #040: comments/notifications |
| .github/issues/phase-02-api-foundation/041-fastapi-scaffold.md | Issue #041: FastAPI scaffold |
| .github/issues/phase-02-api-foundation/042-request-middleware.md | Issue #042: request/tenant middleware |
| .github/issues/phase-02-api-foundation/043-api-versioning.md | Issue #043: API versioning |
| .github/issues/phase-02-api-foundation/044-risk-api.md | Issue #044: risk API |
| .github/issues/phase-02-api-foundation/045-control-api.md | Issue #045: control API |
| .github/issues/phase-02-api-foundation/046-assessment-api.md | Issue #046: assessment API |
| .github/issues/phase-02-api-foundation/047-artifact-api.md | Issue #047: artifact API |
| .github/issues/phase-02-api-foundation/048-finding-api.md | Issue #048: finding API |
| .github/issues/phase-02-api-foundation/049-taxonomy-audit-api.md | Issue #049: taxonomy/audit/search APIs |
| .github/issues/phase-02-api-foundation/050-evidence-request-api.md | Issue #050: evidence request API |
| .github/issues/phase-02-api-foundation/051-local-auth.md | Issue #051: local auth |
| .github/issues/phase-02-api-foundation/052-jwt-management.md | Issue #052: JWT management |
| .github/issues/phase-02-api-foundation/053-oidc-auth.md | Issue #053: OIDC auth |
| .github/issues/phase-02-api-foundation/054-api-key-auth.md | Issue #054: API key auth |
| .github/issues/phase-02-api-foundation/055-openapi-validation.md | Issue #55: OpenAPI validation |
| .github/issues/phase-03-auth-identity/056-rbac-engine.md | Issue #056: RBAC engine |
| .github/issues/phase-03-auth-identity/057-abac-engine.md | Issue #057: ABAC engine |
| .github/issues/phase-03-auth-identity/058-auth-middleware.md | Issue #058: auth middleware/decorators |
| .github/issues/phase-03-auth-identity/059-saml-sso.md | Issue #059: SAML SSO |
| .github/issues/phase-03-auth-identity/060-oauth2-client-credentials.md | Issue #060: OAuth2 client credentials |
| .github/issues/phase-03-auth-identity/061-scim-provisioning.md | Issue #061: SCIM provisioning |
| .github/issues/phase-03-auth-identity/062-mfa-support.md | Issue #062: MFA support |
| .github/issues/phase-03-auth-identity/063-user-role-management-api.md | Issue #063: user/role management API |
| .github/issues/phase-04-business-logic/064-risk-scoring-engine.md | Issue #064: risk scoring engine |
| .github/issues/phase-04-business-logic/065-risk-campaign-workflow.md | Issue #065: risk campaign workflow |
| .github/issues/phase-04-business-logic/066-risk-treatment.md | Issue #066: risk treatment |
| .github/issues/phase-04-business-logic/067-risk-control-linkage.md | Issue #067: risk-control linkage |
| .github/issues/phase-04-business-logic/068-control-catalog-service.md | Issue #068: control catalog service |
| .github/issues/phase-04-business-logic/069-framework-mapping-engine.md | Issue #069: mapping engine/gap analysis |
| .github/issues/phase-04-business-logic/070-assessment-state-machine.md | Issue #070: assessment state machine |
| .github/issues/phase-04-business-logic/071-test-execution-engine.md | Issue #071: test execution engine |
| .github/issues/phase-04-business-logic/072-sampling.md | Issue #072: sampling |
| .github/issues/phase-04-business-logic/073-evidence-upload-storage.md | Issue #073: evidence upload/storage |
| .github/issues/phase-04-business-logic/074-evidence-linking.md | Issue #074: evidence linking/requests |
| .github/issues/phase-04-business-logic/075-evidence-lineage.md | Issue #075: evidence lineage |
| .github/issues/phase-04-business-logic/076-finding-lifecycle.md | Issue #076: finding lifecycle |
| .github/issues/phase-04-business-logic/077-bulk-import-export.md | Issue #077: bulk import/export |
| .github/issues/phase-05-events-workflow/078-event-bus.md | Issue #078: event bus |
| .github/issues/phase-05-events-workflow/079-background-jobs.md | Issue #079: background jobs |
| .github/issues/phase-05-events-workflow/080-workflow-engine.md | Issue #080: workflow engine |
| .github/issues/phase-05-events-workflow/081-notification-system.md | Issue #081: notification system |
| .github/issues/phase-05-events-workflow/082-webhook-system.md | Issue #082: outbound webhooks |
| .github/issues/phase-05-events-workflow/083-slack-teams.md | Issue #083: Slack/Teams notifications |
| .github/issues/phase-05-events-workflow/084-task-assignment.md | Issue #084: task assignment/SLA |
| .github/issues/phase-06-frameworks/085-framework-loader.md | Issue #085: framework loader |
| .github/issues/phase-06-frameworks/086-sox-framework.md | Issue #086: SOX framework definition |
| .github/issues/phase-06-frameworks/087-soc2-framework.md | Issue #087: SOC 2 framework definition |
| .github/issues/phase-06-frameworks/088-iso27001-framework.md | Issue #088: ISO 27001 framework definition |
| .github/issues/phase-06-frameworks/089-nist-frameworks.md | Issue #089: NIST CSF/800-53 definitions |
| .github/issues/phase-06-frameworks/090-additional-frameworks.md | Issue #090: additional frameworks |
| .github/issues/phase-06-frameworks/091-ccl-seed-data.md | Issue #091: CCL seed data |
| .github/issues/phase-06-frameworks/092-template-library.md | Issue #092: template library |
| .github/issues/phase-07-agents/093-agent-registration.md | Issue #093: agent registration |
| .github/issues/phase-07-agents/094-agent-assignments.md | Issue #094: agent assignments/results |
| .github/issues/phase-07-agents/095-agent-provenance.md | Issue #095: agent provenance |
| .github/issues/phase-07-agents/096-agent-sdk-python.md | Issue #096: agent SDK (Python) |
| .github/issues/phase-07-agents/097-agent-sdk-typescript.md | Issue #097: agent SDK (TypeScript) |
| .github/issues/phase-07-agents/098-automated-evidence-collection.md | Issue #098: automated evidence collection |
| .github/issues/phase-07-agents/099-agent-mapping-suggestions.md | Issue #099: mapping suggestions |
| .github/issues/phase-08-reporting-search/100-search-integration.md | Issue #100: search integration |
| .github/issues/phase-08-reporting-search/101-dashboard-apis.md | Issue #101: dashboard aggregation APIs |
| .github/issues/phase-08-reporting-search/102-report-generation.md | Issue #102: report generation engine |
| .github/issues/phase-08-reporting-search/103-scheduled-reports.md | Issue #103: scheduled reports/GraphQL |
| .github/issues/phase-09-frontend/104-frontend-setup.md | Issue #104: frontend setup |
| .github/issues/phase-09-frontend/105-auth-pages.md | Issue #105: auth pages |
| .github/issues/phase-09-frontend/106-risk-views.md | Issue #106: risk views |
| .github/issues/phase-09-frontend/107-control-views.md | Issue #107: control views |
| .github/issues/phase-09-frontend/108-assessment-views.md | Issue #108: assessment views |
| .github/issues/phase-09-frontend/109-evidence-views.md | Issue #109: evidence views |
| .github/issues/phase-09-frontend/110-finding-views.md | Issue #110: finding views |
| .github/issues/phase-09-frontend/111-admin-views.md | Issue #111: admin views |
| .github/issues/phase-09-frontend/112-dashboard-views.md | Issue #112: dashboard/reporting views |
| .github/issues/phase-09-frontend/113-accessibility.md | Issue #113: accessibility audit |
| .github/issues/phase-10-plugins/114-plugin-runtime.md | Issue #114: plugin runtime/sandboxing |
| .github/issues/phase-10-plugins/115-plugin-sdk.md | Issue #115: plugin SDK |
| .github/issues/phase-10-plugins/116-plugin-management-api.md | Issue #116: plugin management API/UI |
| .github/issues/phase-11-production/117-multi-tenancy-shared.md | Issue #117: multi-tenancy (shared schema + RLS) |
| .github/issues/phase-11-production/118-multi-tenancy-advanced.md | Issue #118: schema/db-per-tenant modes |
| .github/issues/phase-11-production/119-docker-compose-prod.md | Issue #119: production Docker Compose |
| .github/issues/phase-11-production/120-helm-chart.md | Issue #120: Helm chart |
| .github/issues/phase-11-production/121-health-metrics.md | Issue #121: health/metrics/dashboards |
| .github/issues/phase-11-production/122-performance-testing.md | Issue #122: performance testing |
| .github/issues/phase-11-production/123-security-hardening.md | Issue #123: security hardening |
| .github/issues/phase-11-production/124-backup-dr.md | Issue #124: backup/DR procedures |
| .github/issues/phase-11-production/125-data-migration.md | Issue #125: data migration tools |
| .github/issues/phase-11-production/126-e2e-tests.md | Issue #126: end-to-end tests |
| .github/issues/phase-11-production/127-documentation.md | Issue #127: documentation site |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Brad-Edwards
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.