Skip to content

Commit 0f9219e

Browse files
montfortclaude
andauthored
feat: add opt-in China regulatory coverage (fw-4.3.0, cli-3.3.0) (#55)
Adds support for six Chinese AI / data regulations as an opt-in regional scope. Existing projects are unaffected — Chinese frameworks activate only when `regional_scope: china` is added to `.devtrail/config.yml`. Frameworks covered: - TC260 AI Safety Governance Framework v2.0 (five-level risk grading) - PIPL + PIPIA (Art. 55-56, retention >= 3 years) - GB 45438-2025 (mandatory AI-generated content labeling) - CAC Algorithm Filing (single + dual filing process) - GB/T 45652-2025 (pre-training & fine-tuning data security) - CSL 2026 incident reporting (1h / 4h+72h+30d windows) Framework changes (4.3.0): - 4 new templates: TEMPLATE-PIPIA, TEMPLATE-CACFILE, TEMPLATE-TC260RA, TEMPLATE-AILABEL — translated to es and zh-CN. - 5 new governance guides under .devtrail/00-governance/ with full es and zh-CN translations. - China-specific sections appended to MCARD, DPIA, INC, ETH, SBOM, AILOG, activated only when regional_scope includes china. - regional_scope field documented in .devtrail/config.yml. CLI changes (3.3.0): - 4 new DocType variants: Pipia, Cacfile, Tc260ra, Ailabel — filtered out of `devtrail new` unless china is in scope. - 6 new Standard variants and checkers; new --region <global|eu|china|all> flag on `devtrail compliance`. - 12 new validation rules (CROSS-004..011, TYPE-003..006), scope-aware. - 20 new optional frontmatter fields covering all six profiles. - 30+ new tests (unit + integration). Notes: - TC260 v2.0 is treated as Recommended (not yet a binding GB). - CSL 2026 windows are enforced as cross-rules; DevTrail documents intent and plan, not actual submission to authorities. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 6d2d3e6 commit 0f9219e

71 files changed

Lines changed: 6023 additions & 216 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

CHANGELOG.md

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,32 @@ and this project uses [independent versioning](README.md#versioning) for Framewo
77

88
---
99

10+
## Framework 4.3.0 / CLI 3.3.0 — China Regulatory Coverage (TC260, PIPL, GB 45438, CAC, GB/T 45652, CSL)
11+
12+
DevTrail now supports six Chinese AI / data regulations as an opt-in regional scope. Existing projects are unaffected — Chinese frameworks activate only when `regional_scope: china` is added to `.devtrail/config.yml`.
13+
14+
### Added (Framework)
15+
- 4 new document templates: `TEMPLATE-PIPIA.md`, `TEMPLATE-CACFILE.md`, `TEMPLATE-TC260RA.md`, `TEMPLATE-AILABEL.md` — translated to `es` and `zh-CN`.
16+
- 5 new governance guides under `dist/.devtrail/00-governance/``CHINA-REGULATORY-FRAMEWORK.md`, `TC260-IMPLEMENTATION-GUIDE.md`, `PIPL-PIPIA-GUIDE.md`, `CAC-FILING-GUIDE.md`, `GB-45438-LABELING-GUIDE.md` — with full `es` and `zh-CN` translations.
17+
- China-specific sections appended to `TEMPLATE-MCARD`, `TEMPLATE-DPIA`, `TEMPLATE-INC`, `TEMPLATE-ETH`, `TEMPLATE-SBOM`, `TEMPLATE-AILOG` — activated by `regional_scope: china`.
18+
- `regional_scope` field documented in `.devtrail/config.yml` with explanatory comments. Default `[global, eu]` preserves backward compatibility.
19+
20+
### Added (CLI)
21+
- 4 new `DocType` variants: `Pipia`, `Cacfile`, `Tc260ra`, `Ailabel`. Filtered out of `devtrail new` unless `china` is in `regional_scope`.
22+
- 6 new `Standard` variants and checkers: `china-tc260`, `china-pipl`, `china-gb45438`, `china-cac`, `china-gb45652`, `china-csl`.
23+
- New `--region <global|eu|china|all>` flag on `devtrail compliance`. The default behavior now respects `regional_scope` from config; `--all` still runs every standard.
24+
- `devtrail compliance --standard <name>` accepts six new identifiers.
25+
- 12 new validation rules: `CROSS-004` through `CROSS-011` and `TYPE-003` through `TYPE-006`. China rules are skipped when `china` is not in scope.
26+
- 20 new optional frontmatter fields covering TC260, PIPL, GB 45438, CAC, GB/T 45652, and CSL profiles.
27+
- `devtrail metrics` document-count breakdown now includes the 4 China-specific types when present.
28+
- 30+ new tests (unit + integration) covering checkers, validation, config, and the opt-in dispatch.
29+
30+
### Notes
31+
- TC260 v2.0 is treated as `Recommended` (not yet a binding GB). Status will be promoted in a future release if it is published as a GB.
32+
- CSL 2026 reporting windows (1h / 4h+72h+30d) are enforced as cross-rules but DevTrail does not validate actual submission to authorities — it documents intent and plan.
33+
34+
---
35+
1036
## CLI 3.2.5 — Smarter Table Column Allocation in `explore`
1137

1238
### Fixed (CLI)

README.md

Lines changed: 70 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,7 @@
1212

1313
[Getting Started](#getting-started)
1414
[Features](#features)
15+
[China Compliance 中国合规](#china-regulatory-compliance--中国合规)
1516
[Documentation](#documentation)
1617
[Contributing](#contributing)
1718

@@ -43,7 +44,7 @@ Teams that adopt DevTrail produce evidence compatible with **ISO/IEC 42001 certi
4344

4445
### 📋 Structured Documentation
4546

46-
Twelve document types covering the full development lifecycle:
47+
Sixteen document types covering the full development lifecycle (twelve core + four China-specific opt-in):
4748

4849
| Type | Purpose | Example |
4950
|------|---------|---------|
@@ -59,6 +60,12 @@ Twelve document types covering the full development lifecycle:
5960
| **MCARD** | Model/System Cards | AI model documentation |
6061
| **SBOM** | Software Bill of Materials | AI component inventory |
6162
| **DPIA** | Data Protection Impact Assessment | Privacy impact analysis |
63+
| **PIPIA**| Personal Information Protection Impact Assessment (China — PIPL Art. 55-56) | Sensitive data, cross-border transfer |
64+
| **CACFILE**| CAC Algorithm Filing (China) | Algorithm registration, dual filing |
65+
| **TC260RA**| TC260 Risk Assessment (China) | Five-level risk grading per AI Safety Framework v2.0 |
66+
| **AILABEL**| GB 45438 Content Labeling Plan (China) | Explicit + implicit labeling for generative AI |
67+
68+
⚪ Available only when `regional_scope: china` is enabled in `.devtrail/config.yml` — see [China Regulatory Compliance](#china-regulatory-compliance--中国合规) below.
6269

6370
### 📐 Standards Alignment
6471

@@ -73,6 +80,17 @@ Twelve document types covering the full development lifecycle:
7380
| **GDPR** | Data protection in ETH/DPIA |
7481
| **OpenTelemetry** | Observability (optional) |
7582

83+
#### China Regulatory Coverage — opt-in via `regional_scope: china`
84+
85+
| Standard | DevTrail Integration |
86+
|----------|---------------------|
87+
| **TC260 AI Safety Governance Framework v2.0** | Five-level risk grading (TC260RA) |
88+
| **PIPL — Personal Information Protection Law** | Personal Information Protection Impact Assessment (PIPIA), retention ≥ 3 years |
89+
| **GB 45438-2025** *(mandatory)* | AI-generated content labeling — explicit + implicit (AILABEL) |
90+
| **CAC Algorithm Filing** | Algorithm registration, dual filing process (CACFILE) |
91+
| **GB/T 45652-2025** | Pre-training & fine-tuning data security (SBOM/MCARD) |
92+
| **CSL 2026** | Cybersecurity incident reporting (1h / 4h+72h+30d windows) on INC |
93+
7694
### 🤖 AI Agent Support
7795

7896
Pre-configured for popular AI coding assistants:
@@ -101,15 +119,54 @@ Built-in safeguards ensure humans stay in control:
101119

102120
Built-in CLI tools for governance:
103121

104-
- **`devtrail validate`**13 validation rules for document correctness
105-
- **`devtrail compliance`** — Regulatory compliance scoring (EU AI Act, ISO 42001, NIST AI RMF)
122+
- **`devtrail validate`**25+ validation rules for document correctness (12 China-specific are scope-aware)
123+
- **`devtrail compliance`** — Regulatory compliance scoring (EU AI Act, ISO 42001, NIST AI RMF; six Chinese frameworks opt-in via `--region china`)
106124
- **`devtrail metrics`** — Governance KPIs, review rates, risk distribution, trends
107125
- **`devtrail analyze`** — Code complexity analysis (cognitive + cyclomatic) powered by [arborist-metrics](https://github.com/StrangeDaysTech/arborist), our open-source Rust library for multi-language code metrics
108126
- **`devtrail audit`** — Audit trail reports with timeline, traceability maps, and HTML export
109127
- **Pre-commit hooks** + **GitHub Actions** for CI/CD validation
110128

111129
---
112130

131+
## China Regulatory Compliance — 中国合规
132+
133+
DevTrail covers six Chinese AI / data regulations as an **opt-in** regional scope: **TC260 AI Safety Governance Framework v2.0**, **PIPL** (Personal Information Protection Law), **GB 45438-2025** (mandatory AI content labeling), **CAC Algorithm Filing**, **GB/T 45652-2025**, and the **CSL 2026** incident-reporting amendments. Activate by adding `regional_scope: china` to `.devtrail/config.yml`; projects without it are unaffected.
134+
135+
When enabled, four China-specific document types (PIPIA, CACFILE, TC260RA, AILABEL) become available, twelve validation rules begin to enforce the new cross-references, and `devtrail compliance --region china` produces a per-framework score. Detailed guides live under `.devtrail/00-governance/` (`CHINA-REGULATORY-FRAMEWORK.md`, `TC260-IMPLEMENTATION-GUIDE.md`, `PIPL-PIPIA-GUIDE.md`, `CAC-FILING-GUIDE.md`, `GB-45438-LABELING-GUIDE.md`).
136+
137+
### 中国法规支持
138+
139+
DevTrail 现在以 **opt-in**(自愿启用)的方式覆盖六项中国 AI / 数据法规:**TC260《人工智能安全治理框架 v2.0》**(五级风险分级)、**《个人信息保护法》(PIPL)** 及其配套的 **PIPIA**(个人信息保护影响评估,留存 ≥ 3 年)、**强制性国家标准 GB 45438-2025**《网络安全技术 人工智能生成合成内容标识方法》(显式 + 隐式标识)、**CAC 算法备案**(包括省级 + 国家级双重备案)、**GB/T 45652-2025** 预训练与微调数据安全,以及自 2026-01-01 生效的 **《网络安全法》修订** 与《国家网络安全事件报告管理办法》(1 小时 / 4 小时 + 72 小时评估 + 30 天事后审查的报告窗口)。
140+
141+
#### 启用方式
142+
143+
`.devtrail/config.yml` 中添加:
144+
145+
```yaml
146+
regional_scope:
147+
- global # NIST + ISO 42001(始终可用)
148+
- eu # EU AI Act + GDPR
149+
- china # 启用上述六项中国法规
150+
```
151+
152+
#### 启用后获得
153+
154+
- **4 个中国专属文档类型**:`PIPIA`、`CACFILE`、`TC260RA`、`AILABEL`(均经 `devtrail new` 生成,模板已翻译为中文,位于 `.devtrail/templates/i18n/zh-CN/`)。
155+
- **6 个合规检查器**:通过 `devtrail compliance --region china` 一次性运行,或单独运行 `--standard china-tc260 | china-pipl | china-gb45438 | china-cac | china-gb45652 | china-csl`。
156+
- **12 条新的验证规则**(`CROSS-004…011`、`TYPE-003…006`):自动校验跨文档引用一致性,例如:`cac_filing_required: true` 必须关联 CACFILE;`csl_severity_level: particularly_serious` 必须配合 `csl_report_deadline_hours: 1`;PIPIA 的 `pipl_retention_until` 必须至少为 `created` + 3 年。
157+
- **5 份中文治理指南**,位于 `.devtrail/00-governance/i18n/zh-CN/`:`CHINA-REGULATORY-FRAMEWORK.md`、`TC260-IMPLEMENTATION-GUIDE.md`、`PIPL-PIPIA-GUIDE.md`、`CAC-FILING-GUIDE.md`、`GB-45438-LABELING-GUIDE.md`。
158+
159+
#### 适用人群
160+
161+
- 在中国大陆运营 AI 服务的团队,需办理 CAC 算法备案或对外提供生成式 AI。
162+
- 处理中国大陆个人信息(尤其是敏感个人信息)、需进行 PIPIA 的处理者。
163+
- 涉及跨境数据传输,须依据 PIPL 第 38-40 条选择安全评估、认证或标准合同机制的组织。
164+
- 采用 ISO/IEC 42001 全球治理框架并希望在中国境内补充本地合规证据的企业。
165+
166+
不在 `regional_scope` 中包含 `china` 的项目完全不受影响 — 这是完全向后兼容的扩展。
167+
168+
---
169+
113170
## Getting Started
114171

115172
### Option 1: CLI (Recommended)
@@ -149,8 +206,8 @@ DevTrail uses independent version tags for each component:
149206

150207
| Component | Tag prefix | Example | Includes |
151208
|-----------|-----------|---------|----------|
152-
| Framework | `fw-` | `fw-4.2.0` | Templates (12 types), governance, directives |
153-
| CLI | `cli-` | `cli-3.2.5` | The `devtrail` binary |
209+
| Framework | `fw-` | `fw-4.3.0` | Templates (12 types), governance, directives |
210+
| CLI | `cli-` | `cli-3.3.0` | The `devtrail` binary |
154211

155212
Check installed versions with `devtrail status` or `devtrail about`.
156213

@@ -180,7 +237,7 @@ See [CLI Reference](https://github.com/StrangeDaysTech/devtrail/blob/main/docs/a
180237
```bash
181238
# Download the latest framework release ZIP from GitHub
182239
# Go to https://github.com/StrangeDaysTech/devtrail/releases
183-
# and download the latest fw-* release (e.g., fw-4.2.0)
240+
# and download the latest fw-* release (e.g., fw-4.3.0)
184241
185242
# Extract and copy to your project
186243
unzip devtrail-fw-*.zip -d your-project/
@@ -224,7 +281,7 @@ Once adopted, DevTrail creates a `.devtrail/` directory in your project for deve
224281

225282
```
226283
.devtrail/
227-
├── 00-governance/ # Policies and rules
284+
├── 00-governance/ # Policies and rules (China guides ⚪)
228285
├── 01-requirements/ # REQ documents
229286
├── 02-design/decisions/ # ADR documents
230287
├── 03-implementation/ # Implementation guides (incl. Git strategy)
@@ -234,10 +291,15 @@ Once adopted, DevTrail creates a `.devtrail/` directory in your project for deve
234291
├── 07-ai-audit/
235292
│ ├── agent-logs/ # AILOG documents
236293
│ ├── decisions/ # AIDEC documents
237-
│ └── ethical-reviews/ # ETH, DPIA documents
294+
│ ├── ethical-reviews/ # ETH, DPIA, PIPIA ⚪
295+
│ ├── regulatory-filings/ # CACFILE ⚪
296+
│ └── risk-assessments/ # TC260RA ⚪
238297
├── 08-security/ # SEC documents
239298
├── 09-ai-models/ # MCARD documents
299+
│ └── labeling/ # AILABEL ⚪
240300
└── templates/ # Document templates
301+
302+
⚪ Created only when regional_scope: china is enabled in .devtrail/config.yml
241303
```
242304

243305
### Naming Convention

cli/Cargo.lock

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

cli/Cargo.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
[package]
22
name = "devtrail-cli"
3-
version = "3.2.5"
3+
version = "3.3.0"
44
edition = "2021"
55
description = "CLI tool for DevTrail - Documentation Governance for AI-Assisted Development"
66
license = "MIT"

0 commit comments

Comments
 (0)