TamTunnel
diff --git a/‎README.md‎
Lines changed: 168 additions & 142 deletions b/‎README.md‎
Lines changed: 168 additions & 142 deletions
@@ -7,198 +7,224 @@
 
 A **centralized platform** for managing your organization's AI models—a registry that tracks every AI system, its versions, performance metrics, risk profiles, and a complete audit trail for EU AI Act compliance.
 
+**v0.3** adds: **Policy Engine** with enforcement, **Multi-tenancy** with org/environment scoping, and **Prometheus-compatible metrics** for enterprise observability.
+
 ---
 
 ## Who Is This For?
 
 | Role | Value |
 |------|-------|
-| **ML Engineers** | Register models, track versions, store evaluation metrics automatically via CI/CD |
-| **Compliance Officers** | View audit trails, approve compliance status, generate PDF reports for regulators |
-| **CTOs/Engineering Leaders** | Dashboard overview of model risk levels and compliance status across the organization |
-| **Auditors** | Read-only access to model registry, versions, metrics, and audit logs |
+| **ML Engineers** | Register models, track versions, store evaluation metrics via CI/CD |
+| **Compliance Officers** | Define policies, approve models, generate PDF reports |
+| **CTOs/CISOs** | Dashboard overview, policy enforcement, observability metrics |
+| **Auditors** | Read-only access to models, audit logs, policy violations |
 
 ---
 
-## Usage Scenarios
+## Key Features
+
+| Feature | Description |
+|---------|-------------|
+| **Model Registry** | Register AI models with name, owner, risk profile |
+| **Risk Profiles** | EU AI Act levels (minimal, limited, high, unacceptable) |
+| **Compliance Lifecycle** | Status: draft → under_review → approved → retired |
+| **Policy Engine** | Define and enforce governance rules automatically |
+| **Policy Violations** | Track blocked actions with full audit trail |
+| **Multi-Tenancy** | Organization + environment (dev/test/prod) scoping |
+| **Prometheus Metrics** | `/api/v1/metrics` endpoint for observability |
+| **PDF Reports** | EU AI Act style compliance documentation |
+| **RBAC** | admin, model_owner, auditor roles |
 
-### Scenario 1: New Model Deployment
-1. ML team trains a new fraud detection model
-2. CI/CD pipeline automatically registers the model and pushes evaluation metrics
-3. Model starts in `draft` status with `high` risk level (finance domain)
-4. Compliance team reviews via `/dashboard`, updates to `under_review`
-5. After approval, status changes to `approved` with full audit trail
+---
 
-### Scenario 2: EU AI Act Audit
-1. Regulator requests documentation for high-risk AI systems
-2. Compliance officer filters models by `risk_level=high`
-3. Downloads PDF compliance report for each model
-4. Report includes: intended purpose, data sources, evaluation metrics, oversight plan
+## Policy Engine
 
-### Scenario 3: Model Retirement
-1. Old recommendation model needs to be retired
-2. Admin changes compliance status to `retired` with reason
-3. Audit log captures the change for future reference
-4. Model remains in registry for historical records
+### Supported Policy Types
 
----
+| Policy | Description |
+|--------|-------------|
+| `require_evaluation_before_approval` | Models must have evaluation metrics before approval |
+| `block_high_risk_without_approval` | High-risk models cannot skip `under_review` status |
+| `require_review_for_high_risk` | High-risk models require explicit review |
 
-## Key Features
+### How It Works
 
-| Feature | Description |
-|---------|-------------|
-| **Model Registry** | Register AI models with name, owner, description |
-| **Risk Profiles** | Classify models by EU AI Act risk levels (minimal, limited, high, unacceptable) |
-| **Compliance Lifecycle** | Track status: draft → under_review → approved → retired |
-| **Version Tracking** | Track model versions and artifact locations (S3) |
-| **Evaluation Metrics** | Store accuracy, F1, bias scores per version |
-| **Audit Logging** | Automatic immutable trail for all changes |
-| **Compliance Dashboard** | Visual overview of models by risk level and status |
-| **PDF Reports** | Generate EU AI Act style compliance documentation |
-| **Role-Based Access** | admin, model_owner, auditor roles |
-| **OAuth2 Auth** | JWT authentication |
-| **CI/CD Integration** | GitHub Actions workflow examples |
+1. **Define a policy** via API or UI (`/policies`)
+2. **Policy engine evaluates** on compliance status changes
+3. **Violations are blocked** with clear error messages
+4. **PolicyViolation record** created with full details
+5. **Audit log entry** captures the blocked action
+
+### Example: Create a Policy
+
+```bash
+curl -X POST "http://localhost:8000/api/v1/policies/" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "name": "Require Evaluation Before Approval",
+    "description": "Models must have metrics before being approved",
+    "scope": "global",
+    "condition_type": "require_evaluation_before_approval",
+    "is_active": true
+  }'
+```
 
 ---
 
-## Roles & Permissions (RBAC)
+## Organizations & Environments
+
+### Conceptual Model
+
+```
+Organization (e.g., "Agency A", "Department B")
+  └── Environment (dev, test, staging, prod)
+       └── Models (scoped by org + env)
+```
+
+### How to Use
+
+- **Models** include `organization_id` and `environment` fields
+- **API queries** can be filtered by organization/environment
+- **Users** belong to organizations (planned: multi-org access)
 
-| Role | Permissions |
-|------|-------------|
-| `admin` | Full access - create, modify, delete models and users |
-| `model_owner` | Create/modify models, change compliance status |
-| `auditor` | Read-only - view models, audit logs, download reports |
+### Enterprise Mapping
+
+| Enterprise Concept | Platform Feature |
+|-------------------|------------------|
+| Department/Agency | Organization |
+| SDLC Stage | Environment (dev/test/prod) |
+| Data Classification | Risk Level |
 
 ---
 
-## EU AI Act Feature Mapping
+## Observability
+
+### Prometheus Metrics
+
+Access metrics at: `GET /api/v1/metrics`
+
+```prometheus
+# HELP ai_governance_models_total Total number of registered AI models
+ai_governance_models_total 42
+
+# HELP ai_governance_violations_total Total policy violations
+ai_governance_violations_total 3
+
+# Models by risk level
+ai_governance_models_by_risk{risk_level="high"} 5
+ai_governance_models_by_risk{risk_level="minimal"} 20
+```
+
+### Grafana Integration
 
-| EU AI Act Requirement | Platform Feature |
-|----------------------|------------------|
-| Risk Classification | `risk_level` field (minimal, limited, high, unacceptable) |
-| Intended Purpose Documentation | `intended_purpose` field |
-| Data Sources Transparency | `data_sources` field |
-| Performance Metrics | Evaluation metrics per version |
-| Human Oversight Plan | `oversight_plan` field |
-| Change Audit Trail | Automatic compliance logs |
-| Lifecycle Management | `compliance_status` (draft → approved → retired) |
+1. Add Prometheus data source pointing to your Prometheus server
+2. Create dashboard with key metrics:
+   - Model counts by risk level
+   - Policy violations over time
+   - Compliance status distribution
 
 ---
 
-## Architecture
+## Security & Deployment Considerations
+
+### Network Placement
+
+> [!IMPORTANT]
+> This application should be deployed **behind a reverse proxy** (Nginx, Envoy, API Gateway) and not directly exposed to the internet.
 
+**Recommended topology:**
 ```
-┌─────────────────────────────────────────────────────────────┐
-│                      FRONTEND (React)                       │
-│   • Model Registry List     • Compliance Dashboard          │
-│   • Risk Level Badges       • Status Filters                │
-└─────────────────────────────────────────────────────────────┘
-                              │ REST API
-                              ▼
-┌─────────────────────────────────────────────────────────────┐
-│                      BACKEND (FastAPI)                      │
-│   /api/v1/models              → Model registry CRUD         │
-│   /api/v1/models/{id}/risk-profile → Update risk profile    │
-│   /api/v1/models/{id}/compliance-status → Change status     │
-│   /api/v1/dashboard/stats     → Dashboard statistics        │
-│   /api/v1/versions            → Version management          │
-│   /api/v1/metrics             → Evaluation metrics          │
-│   /api/v1/audit-logs          → Compliance history          │
-│   /api/v1/reports/{id}/compliance-report → PDF download     │
-└─────────────────────────────────────────────────────────────┘
-                              │
-                              ▼
-┌─────────────────────────────────────────────────────────────┐
-│                    DATABASE (PostgreSQL)                    │
-│   Tables: modelregistry, modelversion, evaluationmetric,    │
-│           compliancelog, user                               │
-└─────────────────────────────────────────────────────────────┘
+Internet → Load Balancer → Nginx/Envoy (TLS) → AI Governance Hub → PostgreSQL
 ```
 
----
+### TLS/HTTPS
 
-## Quick Start
+- Configure TLS termination at the reverse proxy
+- Use Let's Encrypt or organizational certificates
+- Enforce HTTPS redirects
 
-### Prerequisites
-- Docker & Docker Compose
-- Node.js 18+ (for frontend development)
+### Secrets Management
 
-### Run with Docker
-```bash
-git clone https://github.com/TamTunnel/AI-Governance-Hub.git
-cd AI-Governance-Hub
-cp .env.example .env
-docker compose up --build
+| Secret | Source |
+|--------|--------|
+| `DATABASE_URL` | Environment variable |
+| `SECRET_KEY` | Environment variable (min 32 chars) |
+| `POSTGRES_PASSWORD` | Environment variable or secrets manager |
+
+> [!CAUTION]
+> Never commit secrets to version control. Use `.env` files for local development only.
+
+### Rate Limiting
+
+Rate limiting should be configured at the reverse proxy level:
+
+```nginx
+# Example Nginx rate limiting
+limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
+location /api/ {
+    limit_req zone=api burst=20 nodelay;
+}
 ```
 
-**URLs:**
-| Service | URL |
-|---------|-----|
-| Frontend | http://localhost:3000 |
-| Dashboard | http://localhost:3000/dashboard |
-| API Docs | http://localhost:8000/docs |
+### Logging & SIEM Integration
+
+- All governance actions are logged to `ComplianceLog` table
+- Logs include: entity, action, user, timestamp, details (JSON)
+- Export logs to SIEM via database replication or API polling
 
 ---
 
-## CI Integration
+## Backup & Data Export
 
-### Example: Register model after training
+### PostgreSQL Backup
 
 ```bash
-# Register a new model
-curl -X POST "http://localhost:8000/api/v1/models/" \
-  -H "Content-Type: application/json" \
-  -d '{
-    "name": "fraud-detector-v2",
-    "owner": "ML Team",
-    "risk_level": "high",
-    "domain": "finance",
-    "intended_purpose": "Detect fraudulent transactions"
-  }'
+# Full backup
+pg_dump -h localhost -U postgres ai_governance > backup.sql
 
-# Create a version
-curl -X POST "http://localhost:8000/api/v1/versions/" \
-  -H "Content-Type: application/json" \
-  -d '{
-    "model_id": 1,
-    "version_tag": "v1.0.0",
-    "s3_path": "s3://models/fraud-detector/v1.0.0"
-  }'
+# Restore
+psql -h localhost -U postgres ai_governance < backup.sql
+```
 
-# Push evaluation metric
-curl -X POST "http://localhost:8000/api/v1/metrics/" \
-  -H "Content-Type: application/json" \
-  -d '{
-    "version_id": 1,
-    "metric_name": "accuracy",
-    "value": 0.95
-  }'
+### API Export
 
-# Update compliance status
-curl -X PATCH "http://localhost:8000/api/v1/models/1/compliance-status" \
-  -H "Content-Type: application/json" \
-  -d '{
-    "status": "under_review",
-    "reason": "Ready for compliance review"
-  }'
+- `GET /api/v1/models/` - Export all models
+- `GET /api/v1/audit-logs/` - Export audit trail
+- `GET /api/v1/policies/violations/` - Export policy violations
+
+---
+
+## Quick Start
+
+```bash
+git clone https://github.com/TamTunnel/AI-Governance-Hub.git
+cd AI-Governance-Hub
+cp .env.example .env
+docker compose up --build
 ```
 
-See [`examples/ci-integration.yml`](examples/ci-integration.yml) for a complete GitHub Actions workflow.
+| Service | URL |
+|---------|-----|
+| Frontend | http://localhost:3000 |
+| Dashboard | http://localhost:3000/dashboard |
+| Policies | http://localhost:3000/policies |
+| API Docs | http://localhost:8000/docs |
+| Metrics | http://localhost:8000/api/v1/metrics |
 
 ---
 
 ## Roadmap
 
-### Planned Features
-
-| Priority | Feature | Description |
-|----------|---------|-------------|
-| 🔴 High | **Policy Engine** | Define and enforce compliance rules automatically |
-| 🔴 High | **Model Lineage** | Track data and model dependencies |
-| 🟡 Medium | **Notifications** | Webhooks and email alerts for status changes |
-| 🟡 Medium | **MLflow Integration** | Import models directly from MLflow |
-| 🟢 Future | **Kubernetes Operator** | Auto-register models deployed to K8s |
-| 🟢 Future | **LLM Governance** | Prompt tracking and response auditing |
+| Status | Feature |
+|--------|---------|
+| ✅ Done | Policy Engine with enforcement |
+| ✅ Done | Organization + environment scoping |
+| ✅ Done | Prometheus metrics endpoint |
+| 🔜 Planned | SSO/SAML integration |
+| 🔜 Planned | Webhooks for status changes |
+| 🔜 Planned | MLflow integration |
+| 🔜 Planned | Kubernetes operator |
 
 ---
 
@@ -210,7 +236,7 @@ See [`examples/ci-integration.yml`](examples/ci-integration.yml) for a complete
 | Backend | Python 3.11, FastAPI, SQLModel, Pydantic |
 | Database | PostgreSQL 15 |
 | Auth | OAuth2, JWT, bcrypt, RBAC |
-| Reports | ReportLab (PDF) |
+| Observability | Prometheus-compatible metrics |
 | Infrastructure | Docker, Docker Compose, Nginx |
 | CI/CD | GitHub Actions |