
feat(lib): EUDI Wallet ARF HLRs#3785

Open
ImanABS wants to merge 3 commits into main from EUDI

Conversation


@ImanABS ImanABS commented Mar 26, 2026

Summary by CodeRabbit

  • New Features
    • Introduced the Intuitem Security Assurance Plan framework, a comprehensive security requirements library covering governance, architecture, data protection, SDLC, cryptography, incident response, compliance, and infrastructure security.


coderabbitai bot commented Mar 26, 2026

📝 Walkthrough

Walkthrough

A new YAML configuration file was added to define the Intuitem Security Assurance Plan framework. The file contains comprehensive metadata and a hierarchical requirements tree spanning governance, security architecture, data protection, compliance, and incident management domains.

Changes

Cohort / File(s) | Summary
New Framework Library: backend/library/libraries/SAP_Intuitem.yaml | Added new framework definition with 744 lines specifying the Intuitem_Security_Assurance_Plan, including URN, metadata, versioning, and a complete hierarchical requirements tree covering 20+ security and compliance domains.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Poem

🐰 Hoppy frameworks bloom today,
Intuitem finds its way,
Requirements dance in YAML files,
Security smiles for many miles,
A new library in the warren's care,
Assurance and safety everywhere! 🌿

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Title check ⚠️ Warning. Explanation: The pull request title 'EUDI Wallet ARF HLRs' does not match the actual changeset, which adds a SAP Intuitem security framework. The title refers to EUDI Wallet and ARF HLRs, but the changes are about SAP Intuitem. Resolution: Update the title to accurately reflect the changes, such as 'Add SAP Intuitem Security Assurance Plan framework library' or similar.

✅ Passed checks (2 passed)

  • Description Check ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Docstring Coverage ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🧹 Nitpick comments (1)
backend/library/libraries/SAP_Intuitem.yaml (1)

258-277: Consider adding name fields for consistency.

Several requirement nodes have a description field but no name field:

  • Lines 258-277: Nodes 7.1.1, 7.1.2, 7.1.3 (retention periods)
  • Lines 617-642: Nodes 18.1.1, 18.1.2, 18.1.3, 18.2 (customer responsibilities)
  • Lines 643-649: Node 18.3

While this may be intentional (using only descriptions for leaf nodes), it creates an inconsistent pattern compared to other nodes in the hierarchy that include both name and description. The name field is recognized by the importer and could provide a more concise label for these requirements.

Also applies to: 617-649

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@backend/library/libraries/SAP_Intuitem.yaml` around lines 258 - 277, Add
missing name fields to the leaf requirement nodes so they match other nodes and
are recognized by the importer: for ref_id 7.1.1, 7.1.2, 7.1.3 (urns
urn:intuitem:risk:req_node:sap_intuitem:7.1.1, :7.1.2, :7.1.3) add concise name
values (e.g., "Production data retention", "Backup retention", "Log retention")
above their description entries; do the same for ref_ids 18.1.1, 18.1.2, 18.1.3,
18.2 and 18.3 so each node has both name and description fields and follows the
existing naming convention used elsewhere in the YAML.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@backend/library/libraries/SAP_Intuitem.yaml`:
- Line 202: Fix the typo in the YAML description field where the string
"solation is enforced at the deployment and storage layers to prevent" appears:
change "solation" to "Isolation" (capitalize the I) in the description value so
the sentence reads "Isolation is enforced at the deployment and storage layers
to prevent...".
- Line 262: The ref_id values in SAP_Intuitem.yaml (e.g., the unquoted entries
with values 7.1.1, 7.1.2, 7.1.3 and 18.1.1, 18.1.2, 18.1.3) are being parsed as
numbers; update those ref_id fields to be quoted string literals (e.g., "7.1.1")
to match the other ref_id entries and avoid type coercion—locate the ref_id keys
near the shown occurrences and wrap their values in quotes consistently.
- Around line 38-744: The YAML's requirement_nodes include a redundant "depth"
property that the RequirementNode importer (backend/core/models.py at the
import/filter logic around the RequirementNode importer) already strips; either
remove all "depth" entries from the SAP_Intuitem.yaml requirement_nodes to avoid
confusion (reference: the "requirement_nodes" block and individual nodes like
urn:intuitem:risk:req_node:sap_intuitem:2.1) OR, if you need to persist depth,
add a depth field to the RequirementNode model and update the importer logic to
accept and store "depth" (modify the filter at the importer code path
referenced) and document that it is persisted instead of computed.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 41540315-16a6-4d96-ae59-249641c22554

📥 Commits

Reviewing files that changed from the base of the PR and between f5ee641 and a37cb4f.

⛔ Files ignored due to path filters (2)
  • tools/excel/EUDI/EUDI_arf_HLRs.xlsx is excluded by !**/*.xlsx
  • tools/excel/intuitem/SAP_Intuitem.xlsx is excluded by !**/*.xlsx
📒 Files selected for processing (2)
  • backend/library/libraries/EUDI_arf_HLRs.yaml
  • backend/library/libraries/SAP_Intuitem.yaml

parent_urn: urn:intuitem:risk:req_node:sap_intuitem:5
ref_id: '5.2'
name: 'Deployment-level controls:'
description: solation is enforced at the deployment and storage layers to prevent

⚠️ Potential issue | 🟡 Minor

Typo: Missing capital "I" in "Isolation".

Line 202 contains a typo: "solation is enforced" should be "Isolation is enforced".

✏️ Proposed fix
       name: 'Deployment-level controls:'
-      description: solation is enforced at the deployment and storage layers to prevent
+      description: Isolation is enforced at the deployment and storage layers to prevent
         cross-tenant access.
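Review bot: the one-character fix is correct; while touching this node, the trailing colon in name: 'Deployment-level controls:' reads like a leftover from the source document's heading style and should be dropped, since the nitpick above notes that the name field is what the importer uses as the node's label.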
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@backend/library/libraries/SAP_Intuitem.yaml` at line 202, Fix the typo in the
YAML description field where the string "solation is enforced at the deployment
and storage layers to prevent" appears: change "solation" to "Isolation"
(capitalize the I) in the description value so the sentence reads "Isolation is
enforced at the deployment and storage layers to prevent...".

assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:sap_intuitem:7.1
ref_id: 7.1.1

⚠️ Potential issue | 🟡 Minor

Inconsistent quoting of ref_id values - potential type coercion issue.

The ref_id field should be consistently quoted as a string. Lines 262, 269, 275, 621, 627, and 634 use unquoted decimal values (7.1.1, 7.1.2, 7.1.3, 18.1.1, 18.1.2, 18.1.3), which YAML will parse as floats rather than strings. This creates inconsistency with other ref_id values that are properly quoted (e.g., '2.1', '3.1').

🔧 Proposed fix for consistent string quoting
     - urn: urn:intuitem:risk:req_node:sap_intuitem:7.1.1
       assessable: true
       depth: 3
       parent_urn: urn:intuitem:risk:req_node:sap_intuitem:7.1
-      ref_id: 7.1.1
+      ref_id: '7.1.1'
       description: 'Production data: retained for the lifetime of the subscription
         and deleted within 30 days after termination unless otherwise agreed.'
     - urn: urn:intuitem:risk:req_node:sap_intuitem:7.1.2
       assessable: true
       depth: 3
       parent_urn: urn:intuitem:risk:req_node:sap_intuitem:7.1
-      ref_id: 7.1.2
+      ref_id: '7.1.2'
       description: 'Backups: retained for 14 days before automated secure deletion.'
     - urn: urn:intuitem:risk:req_node:sap_intuitem:7.1.3
       assessable: true
       depth: 3
       parent_urn: urn:intuitem:risk:req_node:sap_intuitem:7.1
-      ref_id: 7.1.3
+      ref_id: '7.1.3'
       description: 'Logs: retained per operational needs (default 90 days), anonymized
         or deleted thereof.'
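Review bot: quoting is right for consistency, but the rationale is off in one detail: three-component values such as 7.1.1 do not match the YAML float pattern and already load as strings under PyYAML and the YAML 1.2 core schema, whereas a two-component id such as 18.2 (a node listed in the nitpick above) would genuinely coerce to a float, so those are the ones to verify first. Also, "anonymized or deleted thereof" in the 7.1.3 description presumably means "thereafter"; worth fixing in the same commit.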

Apply the same fix to lines 621, 627, and 634:

     - urn: urn:intuitem:risk:req_node:sap_intuitem:18.1.1
       assessable: true
       depth: 3
       parent_urn: urn:intuitem:risk:req_node:sap_intuitem:18.1
-      ref_id: 18.1.1
+      ref_id: '18.1.1'
       description: Manage user accounts, roles, and MFA inside the product.
     - urn: urn:intuitem:risk:req_node:sap_intuitem:18.1.2
       assessable: true
       depth: 3
       parent_urn: urn:intuitem:risk:req_node:sap_intuitem:18.1
-      ref_id: 18.1.2
+      ref_id: '18.1.2'
       description: Configure access settings to align with internal policies and organisation
         setup.
     - urn: urn:intuitem:risk:req_node:sap_intuitem:18.1.3
       assessable: true
       depth: 3
       parent_urn: urn:intuitem:risk:req_node:sap_intuitem:18.1
-      ref_id: 18.1.3
+      ref_id: '18.1.3'
       description: Can generate an export of their data as an extra layer of backup
         or portability needs.
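Review bot: the same quoting fix applies here, but every node in this hunk also carries depth: 3, which the separate comment on lines 38-744 says the importer strips; settle whether depth stays before pushing this so these nodes are not edited twice. The 18.1.3 description "Can generate an export of their data" has no subject, unlike its siblings; "Customers can generate an export..." would read consistently with the customer-responsibilities heading.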

Also applies to: 269-269, 275-275, 621-621, 627-627, 634-634

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@backend/library/libraries/SAP_Intuitem.yaml` at line 262, The ref_id values
in SAP_Intuitem.yaml (e.g., the unquoted entries with values 7.1.1, 7.1.2, 7.1.3
and 18.1.1, 18.1.2, 18.1.3) are being parsed as numbers; update those ref_id
fields to be quoted string literals (e.g., "7.1.1") to match the other ref_id
entries and avoid type coercion—locate the ref_id keys near the shown
occurrences and wrap their values in quotes consistently.
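The quoting discussion above is easy to get wrong by eye, so here is a small line-oriented check, written as an added example for this thread (not part of the project's importer), that flags every unquoted ref_id a YAML loader would turn into a number. It applies the YAML 1.2 core-schema int/float patterns, which PyYAML's resolver agrees with for these cases, and runs over a constructed sample in the same shape as the nodes in the hunks; it does not need PyYAML installed.

```python
import re

# Constructed sample in the shape of the PR's requirement nodes (not the PR's
# actual file): quoted and unquoted ref_id values side by side.
SAMPLE_YAML = """\
  - urn: urn:intuitem:risk:req_node:sap_intuitem:2.1
    ref_id: '2.1'
  - urn: urn:intuitem:risk:req_node:sap_intuitem:7.1.1
    ref_id: 7.1.1
  - urn: urn:intuitem:risk:req_node:sap_intuitem:18.2
    ref_id: 18.2
  - urn: urn:intuitem:risk:req_node:sap_intuitem:18
    ref_id: 18
  - urn: urn:intuitem:risk:req_node:sap_intuitem:A.1
    ref_id: A.1
"""

# YAML 1.2 core-schema number patterns for plain (unquoted) scalars.
_INT = re.compile(r"^[-+]?(0|[1-9][0-9]*|0o[0-7]+|0x[0-9a-fA-F]+)$")
_FLOAT = re.compile(r"^[-+]?(\.[0-9]+|[0-9]+(\.[0-9]*)?)([eE][-+]?[0-9]+)?$")
_REF_ID = re.compile(r"^\s*ref_id:\s*(.*?)\s*$")


def scalar_type(raw: str) -> str:
    """Type a YAML loader assigns to the raw scalar text of a ref_id value."""
    if raw[:1] in ("'", '"'):
        return "str"  # explicitly quoted: always a string
    if _INT.match(raw):
        return "int"  # e.g. 18
    if _FLOAT.match(raw):
        return "float"  # e.g. 18.2
    return "str"  # e.g. 7.1.1 or A.1: not a number, stays a string


def find_coerced_ref_ids(yaml_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, raw_value, coerced_type) for each ref_id that would
    load as a number instead of a string; an empty list means all are safe."""
    findings = []
    for line_no, line in enumerate(yaml_text.splitlines(), start=1):
        m = _REF_ID.match(line)
        if not m:
            continue
        kind = scalar_type(m.group(1))
        if kind != "str":
            findings.append((line_no, m.group(1), kind))
    return findings


if __name__ == "__main__":
    for line_no, value, kind in find_coerced_ref_ids(SAMPLE_YAML):
        print(f"line {line_no}: ref_id {value} would load as {kind}; quote it")
```

Run against the real file, only the two-component and plain-integer ids are reported; 7.1.1-style values come back clean, which is why quoting them is a consistency fix rather than a correctness one.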

@ImanABS ImanABS closed this Mar 26, 2026
@github-actions github-actions bot locked and limited conversation to collaborators Mar 26, 2026
@ImanABS ImanABS deleted the EUDI branch March 26, 2026 10:10
@ImanABS ImanABS changed the title EUDI Wallet ARF HLRs EUDI Wallet ARF HLRs et SAP Intuitem Mar 26, 2026
@ImanABS ImanABS restored the EUDI branch March 26, 2026 11:09
@ImanABS ImanABS reopened this Mar 26, 2026

@ab-smith ab-smith left a comment


let's keep only the EUDI framework on this PR for now, for the SAP we need to talk about the relevance of publishing it and in a different PR

@ab-smith ab-smith changed the title EUDI Wallet ARF HLRs et SAP Intuitem feat(lib): EUDI Wallet ARF HLRs et SAP Intuitem Mar 26, 2026
@ImanABS ImanABS changed the title feat(lib): EUDI Wallet ARF HLRs et SAP Intuitem feat(lib): EUDI Wallet ARF HLRs Mar 27, 2026