Skip to content

feat(b6-9): event-driven-eu compliance hooks — NIS2 + DORA (B.6.9)#44

Merged
Bogala merged 5 commits into
mainfrom
b6-9-compliance
Jul 12, 2026
Merged

feat(b6-9): event-driven-eu compliance hooks — NIS2 + DORA (B.6.9)#44
Bogala merged 5 commits into
mainfrom
b6-9-compliance

Conversation

@Bogala

@Bogala Bogala commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Summary

Implements B.6.9 (docs/new-archetypes-plan.md §6.1) — the regulatory layer of the event-driven-eu archetype (profile "NIS2 + DORA (si finance) + CRA", ARCHITECTURE-TARGET.md §10.3), the B.6 sibling of the B.7.5/B.7.8 AI-Act work (b7-5-ai-act). Adapts the AI-Act-flavoured template to the archetype's actual EU surface: NIS2 (incident reporting 24h/72h) + DORA (RoI submission).

Every regulatory specific is grounded-or-deferred (Article III.4): grounded figures are cited verbatim from the repo (ARCHITECTURE-TARGET.md §10.4 "reporting 24h/72h", §9.2 "incident reporting < 24h", §10.4 DORA RoI "30 avr 2026"); everything the repo cannot ground is a [NEEDS CLARIFICATION] marker tagged Themis (K.5) Phase-B. Context7 was not used for legal text.

What ships

  • B.6.9.a — NIS2 artefacts .forge/compliance/nis2/ (the I.6-reserved nis2/ sibling, now filled): incident-reporting.md (24h/72h obligation scoped to the NATS JetStream / Temporal / Postgres event-store outage/breach surface → I.6 audit-ledger + IX.4 Rust OTel evidence), incident-report.template.yaml (adopter-fillable 24h/72h notification skeleton), obligations-index.yaml (incident-reporting + supply-chain-security satisfied; ungrounded pillars → needs-clarification/themis_owner: K.5).
  • B.6.9.b — DORA RoI submission helper .forge/scripts/compliance/dora-roi-helper.shdrives (reads, never forks) the b7-5 dora/roi-register.template.yaml base and specialises it for the archetype's ICT third-party stack (NATS/Temporal/Postgres providers).
  • B.6.9.c — SBOM CycloneDX auto-generation wiring — documented that event-driven-eu (Rust) SBOM rides the existing bin/forge-sbom.sh (Cargo.lock → CycloneDX 1.5) + the I.6 bundle sbom/sbom.cdx.json member. No new generator (per the brief: "wire the same mechanism in, don't reinvent it").
  • B.6.9.d — Bundle wiring (additive)bundle.sh walk tuple gains "nis2"; the I.6 bundle contract compliance-artefacts-bundle.md bumped 1.1.0 → 1.2.0 (NIS2 reserved → shipped; CRA still reserved; determinism recipe untouched; Interdiction T.5 Connect codegen — additive Connect-RPC for full-stack-monorepo/1.0.0 #3 amended). REVIEW.md records the amendment.
  • B.6.9.e — Standard global/nis2-dora-eda-artefacts.md v1.0.0 (6 H2 + 5 MUST NOT, Phase A/B BDFL→Themis governance) + index.yml + REVIEW.md.
  • B.6.9.f — Harness b6-9.test.sh (17 L1 + 3 L2), registered in forge-ci.yml after b7-5.test.sh (compliance family). forge-compliance.yml unchanged (artefacts ride the existing bundle step).

Cross-impact — sibling lock-step (shared-reservation discipline)

Creating .forge/compliance/nis2/ and bumping the shared I.6 bundle contract trips assertions that hard-pinned the old state, so they are amended in the same change (the "update every sibling that hard-pins it" rule):

  • b7-5.test.sh::_test_b75_001 — dropped its nis2/-reserved assertion (B.6.9 now ships nis2/; cra/ reservation kept).
  • b7-5.test.sh::_test_b75_051 — its exact I.6-version pin relaxed to a semver-validity check (Option B precedent) so future bundle bumps don't re-break it.
  • i6.test.sh::_test_i6_021 — frontmatter pins updated to 1.2.0 / 2026-07-10.
  • ai-act-dora-artefacts.md + docs/COMPLIANCE.md — stale "NIS2 reserved" prose corrected (NIS2 shipped, CRA reserved).

Deferred (intentional)

Plan/roadmap resync (new-archetypes-plan.md §11 row + roadmap.md) is deferred to a maintainer resync to avoid collision across the 6 in-flight B.6 PRs (mirrors b7-5's T-INV deferral). VERSION bump is a maintainer release task.

Test plan

  • b6-9.test.sh --level 1,220/20 GREEN (17 L1 + 3 L2 bundle integration/determinism/graceful-absence).
  • Sibling harnesses after lock-step: b7-5.test.sh 19/19, i6.test.sh 16/16, k5.test.sh 27/27 (drives the live bundle), i5.test.sh 16/16, i2 14/14, i3 18/18, j7 21/21, f4 23/23, t4 30/30 — all GREEN.
  • verify.sh514 PASS / 0 FAIL / 1 WARN (pre-existing baseline) → RESULT PASS.
  • constitution-linter.sh → OVERALL PASS (0 FAIL; the 4 WARN are pre-existing template codegen-coverage).
  • validate-standards-yaml.sh → STD-PASS (new standard is Markdown, out of J.7 scope).
  • forge-ci.yml → 375 lines (< 400).
  • Anti-hallucination: _test_b69_030 negative-grep GREEN (no fabricated Article/recital/date outside [NEEDS CLARIFICATION]).

⚠️ Merge note: CHANGELOG.md, docs/COMPLIANCE.md, .forge/standards/index.yml, .forge/standards/REVIEW.md, .github/workflows/forge-ci.yml, and .forge/specs/event-driven-eu.md will conflict with the sibling B.6 PRs (B.6.3/4/5/6/10) — all additive, resolved centrally at merge.

🤖 Generated with Claude Code

Bogala and others added 5 commits July 10, 2026 13:43
… compliance hooks

B.6.9 (docs/new-archetypes-plan.md §6.1): the regulatory layer of the
event-driven-eu archetype (NIS2 + DORA), mirroring the b7-5-ai-act
structure. Adds the change specs (proposal/specs/design/tasks/
open-questions/.forge.yaml, namespace FR-B69-*) and the b6-9.test.sh
harness (17 L1 + 3 L2), registered in forge-ci.yml after b7-5.test.sh
(compliance family, ADR-B69-005).

Article I (TDD): harness written first; RED until the artefacts land.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
…-eu)

B.6.9.a/b/c. Ships .forge/compliance/nis2/ (incident-reporting.md,
incident-report.template.yaml, obligations-index.yaml) scoped to the
archetype's NATS JetStream / Temporal / Postgres operational surface,
citing the grounded NIS2 24h/72h reporting windows + "< 24h" charter
figure verbatim (ARCHITECTURE-TARGET §10.4 / §9.2) and mapping them to
the I.6 audit-ledger + IX.4 Rust OTel evidence surfaces.

Adds .forge/scripts/compliance/dora-roi-helper.sh — the DORA Register-of-
Information submission helper that DRIVES (reads, never forks) the b7-5
dora/roi-register.template.yaml base and specialises it for the archetype's
ICT third-party stack (NATS/Temporal/Postgres).

SBOM CycloneDX auto-generation rides the existing bin/forge-sbom.sh
(Rust Cargo.lock) — no new generator. Every regulatory specific is
grounded-or-deferred (Article III.4); precise NIS2 stages + authoritative
DORA/CSIRT field schemas are [NEEDS CLARIFICATION] Themis (K.5) Phase-B items.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
…bling lock-step

B.6.9.d/e. New standard global/nis2-dora-eda-artefacts.md v1.0.0 (6 H2 +
5 MUST NOT, Phase A/B BDFL->Themis governance, SBOM-wiring posture) +
index.yml entry + REVIEW.md birth.

Bundle wiring (additive): bundle.sh walk tuple gains "nis2" (regulatory/
nis2/* rides the I.6 hand-off .tgz; graceful absence preserved). I.6
bundle contract global/compliance-artefacts-bundle.md bumped 1.1.0 ->
1.2.0 (NIS2 reserved -> shipped; CRA still reserved; determinism recipe
untouched; Interdiction #3 amended). REVIEW.md records the amendment.

Lock-step (shared-reservation discipline, ADR-B69-006):
- b7-5.test.sh: _test_b75_001 drops its nis2/-reserved assertion (B.6.9
  now ships nis2/; cra/ still reserved); _test_b75_051 I.6-version pin
  relaxed to semver-validity (Option B precedent) so future bundle bumps
  don't re-break it.
- i6.test.sh: _test_i6_021 frontmatter pins updated to 1.2.0 / 2026-07-10.
- ai-act-dora-artefacts.md: stale "NIS2 reserved" prose corrected.

b7-5.test.sh 19/19, i6.test.sh 16/16 GREEN after the lock-step edits.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
B.6.9.f. docs/COMPLIANCE.md new H2 "Regulatory artefacts (NIS2 + DORA
event-driven)" cross-linking the nis2/ artefacts + the DORA RoI helper +
the standard + the bundle regulatory/nis2/ subdirectory; the b7-5 section's
stale "NIS2 reserved" prose corrected (NIS2 shipped, CRA reserved).
CHANGELOG [Unreleased] entry. Archive: the B.6.9 ADDED block appended to
.forge/specs/event-driven-eu.md; .forge.yaml status -> archived.

Plan/roadmap resync (T-INV-001) intentionally deferred to avoid collision
across the 6 in-flight B.6 PRs (mirrors b7-5 T-INV deferral).

Gates: b6-9.test.sh 20/20 (L1,2); verify.sh 514 PASS / 0 FAIL / 1 WARN
(pre-existing) -> PASS; constitution-linter OVERALL PASS; validate-standards-yaml
STD-PASS; forge-ci.yml 375 lines.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
…6-6) + trim CI line budget

Four sibling B.6 bricks merged first (#39, #42, #40, #41) and touched the
same shared files. Conflicts in:
- .forge/specs/event-driven-eu.md (both sides appended an archived-brick
  section at the same point) — kept both sections, reordered numerically
  (B.6.4, B.6.5, B.6.9). Note: B.6.3 and B.6.6 never added their own
  section to this consolidated spec doc (pre-existing gap, not introduced
  here — flagging for awareness, not fixing on their behalf).
- .forge/standards/REVIEW.md (ledger entries at the same insertion point)
  — kept both, ordered by actual landing order (b6-3 merged before b6-9).
- .forge/standards/index.yml (both sides appended entries at the same
  point) — kept both blocks, B.6.3 before B.6.9.
- CHANGELOG.md ([Unreleased] entries) — kept all four bullets in module
  order (B.6.4, B.6.5, B.6.6, B.6.9).
.github/workflows/forge-ci.yml auto-merged cleanly but landed at 384
lines (4 over the 380 budget, t5-1.test.sh caught it) — condensed the
b7-5/b6-9 harness-registration comments from 2x3 lines to 2 lines total.

Re-ran b6-9 (20/20), b7-5 (19/19), i6 (16/16), b6-3 (7/7), t5-1.test.sh
CI line-budget (17/17, 380/380 lines), verify.sh (544/0),
constitution-linter.sh (PASS 80/0) — all green post-merge.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@Bogala Bogala merged commit 118a400 into main Jul 12, 2026
7 checks passed
@Bogala Bogala deleted the b6-9-compliance branch July 12, 2026 11:09
Bogala added a commit that referenced this pull request Jul 12, 2026
… trim CI line budget

Final B.6 fan-out brick. Five sibling bricks merged first (#39, #42, #40,
#41, #44) and touched the same shared files. Conflicts in:
- .forge/standards/REVIEW.md (ledger entries at the same insertion
  point) — kept all three, reordered by actual landing order (b6-3,
  b6-9, then b6-10 last).
- .github/workflows/forge-ci.yml (harness registration insertion point)
  — merged into one consolidated b6-1..b6-10 block.
- CHANGELOG.md ([Unreleased] entries) — kept all five bullets in module
  order (B.6.4, B.6.5, B.6.6, B.6.9, B.6.10).

The merged forge-ci.yml landed at 382 lines (2 over the 380 budget,
t5-1.test.sh caught it) — condensed two harness-registration comment
blocks to free 4 lines, landing at 378/380.

Re-ran b6-10 (12/12), b7-9 (15/15), i3 (18/18), i2 (14/14), t5-1.test.sh
CI line-budget (17/17, 378/380 lines), verify.sh (551/0),
constitution-linter.sh (PASS 81/0) — all green post-merge.

This is the last of the 6 step-2 B.6 fan-out bricks (B.6.3/4/5/6/9/10).

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant