Initial deployment of da-autocompliance-dev

Dockerfile

@@ -0,0 +1,27 @@
+FROM openjdk:21-jdk-slim
+
+WORKDIR /app
+
+# Install required packages
+RUN apt-get update && apt-get install -y \
+    curl \
+    wget \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy application files
+COPY . .
+
+# Build application (if build.gradle.kts exists)
+RUN if [ -f "build.gradle.kts" ]; then \
+        ./gradlew build -x test; \
+    fi
+
+# Expose port
+EXPOSE 8080
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
+    CMD curl -f http://localhost:8080/actuator/health || exit 1
+
+# Run application
+CMD ["java", "-jar", "build/libs/da-autocompliance.jar"]

README.md

@@ -1,10 +1,38 @@
 ---
-title: Da Autocompliance Dev
-emoji: 📉
-colorFrom: indigo
-colorTo: yellow
+title: da-autocompliance (dev)
+emoji: 🔧
+colorFrom: blue
+colorTo: green
 sdk: docker
-pinned: false
+app_port: 8080
 ---
 
-Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference
+# da-autocompliance - dev Environment
+
+This is the da-autocompliance microservice deployed in the dev environment.
+
+## Features
+
+- RESTful API endpoints
+- Health monitoring via Actuator
+- JWT authentication integration
+- PostgreSQL database connectivity
+
+## API Documentation
+
+Once deployed, API documentation will be available at:
+- Swagger UI: https://huggingface.co/spaces/dalabsai/da-autocompliance-dev/swagger-ui.html
+- Health Check: https://huggingface.co/spaces/dalabsai/da-autocompliance-dev/actuator/health
+
+## Environment
+
+- **Environment**: dev
+- **Port**: 8080
+- **Java Version**: 21
+- **Framework**: Spring Boot
+
+## Deployment
+
+This service is automatically deployed via the DALab CI/CD pipeline.
+
+Last updated: 2025-06-16 23:40:18

build.gradle.kts

@@ -0,0 +1,70 @@
+plugins {
+    id("org.springframework.boot") version "3.2.5"
+    id("io.spring.dependency-management") version "1.1.4"
+    java
+}
+
+group = "com.dalab"
+version = "0.0.1-SNAPSHOT"
+
+java {
+    sourceCompatibility = JavaVersion.VERSION_17
+}
+
+repositories {
+    mavenCentral()
+}
+
+dependencyManagement {
+    imports {
+        // Consider adding Spring Cloud BOM if needed for Feign, etc.
+        // mavenBom("org.springframework.cloud:spring-cloud-dependencies:YYYY.X.X") 
+    }
+}
+
+val mapstructVersion = "1.5.5.Final"
+
+dependencies {
+    // Common Spring Boot dependencies
+    implementation("org.springframework.boot:spring-boot-starter-actuator")
+    implementation("org.springframework.boot:spring-boot-starter-web")
+    implementation("org.springframework.boot:spring-boot-starter-validation")
+    implementation("org.springframework.boot:spring-boot-starter-security")
+    implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server")
+    implementation("org.springframework.boot:spring-boot-starter-oauth2-client")
+    
+    // Shared proto dependency
+    implementation(project(":da-protos"))
+    
+    // AutoCompliance-specific dependencies
+    implementation("org.springframework.boot:spring-boot-starter-data-jpa")
+    implementation("org.springframework.kafka:spring-kafka")
+    implementation("org.springdoc:springdoc-openapi-starter-webmvc-ui:2.2.0")
+
+    // MapStruct
+    implementation("org.mapstruct:mapstruct:$mapstructVersion")
+    annotationProcessor("org.mapstruct:mapstruct-processor:$mapstructVersion")
+    annotationProcessor("org.projectlombok:lombok-mapstruct-binding:0.2.0")
+
+    // Database
+    runtimeOnly("org.postgresql:postgresql")
+    
+    // Common development and runtime dependencies
+    developmentOnly("org.springframework.boot:spring-boot-devtools")
+    annotationProcessor("org.springframework.boot:spring-boot-configuration-processor")
+    
+    // Lombok
+    compileOnly("org.projectlombok:lombok")
+    annotationProcessor("org.projectlombok:lombok")
+    
+    // Test dependencies
+    testImplementation("org.springframework.boot:spring-boot-starter-test") {
+        exclude(group = "org.junit.vintage", module = "junit-vintage-engine")
+    }
+    testImplementation("org.springframework.security:spring-security-test")
+    testImplementation("org.springframework.kafka:spring-kafka-test")
+}
+
+tasks.named<org.springframework.boot.gradle.tasks.bundling.BootJar>("bootJar") {
+    archiveFileName.set("${project.name}.jar")
+} 

src/main/docker/Dockerfile

@@ -0,0 +1,23 @@
+# Ultra-lean container using Google Distroless
+# Expected final size: ~120-180MB (minimal base + JRE + JAR only)
+
+FROM gcr.io/distroless/java21-debian12:nonroot
+
+# Set working directory
+WORKDIR /app
+
+# Copy JAR file
+COPY build/libs/da-autocompliance.jar app.jar
+
+# Expose standard Spring Boot port
+EXPOSE 8080
+
+# Run application (distroless has no shell, so use exec form)
+ENTRYPOINT ["java", \
+    "-XX:+UseContainerSupport", \
+    "-XX:MaxRAMPercentage=75.0", \
+    "-XX:+UseG1GC", \
+    "-XX:+UseStringDeduplication", \
+    "-Djava.security.egd=file:/dev/./urandom", \
+    "-Dspring.backgroundpreinitializer.ignore=true", \
+    "-jar", "app.jar"]

src/main/docker/Dockerfile.alpine-jlink

@@ -0,0 +1,43 @@
+# Ultra-minimal Alpine + Custom JRE
+# Expected size: ~120-160MB
+
+# Stage 1: Create custom JRE with only needed modules
+FROM eclipse-temurin:21-jdk-alpine as jre-builder
+WORKDIR /app
+
+# Analyze JAR to find required modules
+COPY build/libs/*.jar app.jar
+RUN jdeps --ignore-missing-deps --print-module-deps app.jar > modules.txt
+
+# Create minimal JRE with only required modules
+RUN jlink \
+    --add-modules $(cat modules.txt),java.logging,java.xml,java.sql,java.naming,java.desktop,java.management,java.security.jgss,java.instrument \
+    --strip-debug \
+    --no-man-pages \
+    --no-header-files \
+    --compress=2 \
+    --output /custom-jre
+
+# Stage 2: Production image
+FROM alpine:3.19
+RUN apk add --no-cache tzdata && \
+    addgroup -g 1001 -S appgroup && \
+    adduser -u 1001 -S appuser -G appgroup
+
+# Copy custom JRE
+COPY --from=jre-builder /custom-jre /opt/java
+ENV JAVA_HOME=/opt/java
+ENV PATH="$JAVA_HOME/bin:$PATH"
+
+WORKDIR /app
+COPY build/libs/*.jar app.jar
+RUN chown appuser:appgroup app.jar
+
+USER appuser
+EXPOSE 8080
+
+ENTRYPOINT ["java", \
+    "-XX:+UseContainerSupport", \
+    "-XX:MaxRAMPercentage=70.0", \
+    "-XX:+UseG1GC", \
+    "-jar", "app.jar"]

src/main/docker/Dockerfile.layered

@@ -0,0 +1,34 @@
+# Ultra-optimized layered build using Distroless
+# Expected size: ~180-220MB with better caching
+
+FROM gcr.io/distroless/java21-debian12:nonroot as base
+
+# Stage 1: Extract JAR layers for optimal caching
+FROM eclipse-temurin:21-jdk-alpine as extractor
+WORKDIR /app
+COPY build/libs/*.jar app.jar
+RUN java -Djarmode=layertools -jar app.jar extract
+
+# Stage 2: Production image with extracted layers
+FROM base
+WORKDIR /app
+
+# Copy layers in dependency order (best caching)
+COPY --from=extractor /app/dependencies/ ./
+COPY --from=extractor /app/spring-boot-loader/ ./
+COPY --from=extractor /app/snapshot-dependencies/ ./
+COPY --from=extractor /app/application/ ./
+
+EXPOSE 8080
+
+# Optimized JVM settings for micro-containers
+ENTRYPOINT ["java", \
+    "-XX:+UseContainerSupport", \
+    "-XX:MaxRAMPercentage=70.0", \
+    "-XX:+UseG1GC", \
+    "-XX:+UseStringDeduplication", \
+    "-XX:+CompactStrings", \
+    "-Xshare:on", \
+    "-Djava.security.egd=file:/dev/./urandom", \
+    "-Dspring.backgroundpreinitializer.ignore=true", \
+    "org.springframework.boot.loader.JarLauncher"]

src/main/docker/Dockerfile.native

@@ -0,0 +1,20 @@
+# GraalVM Native Image - Ultra-fast startup, tiny size
+# Expected size: ~50-80MB, startup <100ms
+# Note: Requires native compilation support in Spring Boot
+
+# Stage 1: Native compilation
+FROM ghcr.io/graalvm/graalvm-ce:ol9-java21 as native-builder
+WORKDIR /app
+
+# Install native-image
+RUN gu install native-image
+
+# Copy source and build native executable
+COPY . .
+RUN ./gradlew nativeCompile
+
+# Stage 2: Minimal runtime
+FROM scratch
+COPY --from=native-builder /app/build/native/nativeCompile/app /app
+EXPOSE 8080
+ENTRYPOINT ["/app"]

src/main/java/com/dalab/autocompliance/DaAutocomplianceApplication.java

@@ -0,0 +1,30 @@
+package com.dalab.autocompliance;
+
+import io.swagger.v3.oas.models.OpenAPI;
+import io.swagger.v3.oas.models.info.Info;
+import io.swagger.v3.oas.models.info.License;
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.Bean;
+import org.springframework.data.jpa.repository.config.EnableJpaAuditing;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
+
+@SpringBootApplication
+@EnableMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
+@EnableJpaAuditing(auditorAwareRef = "auditorProvider")
+public class DaAutocomplianceApplication {
+
+    public static void main(String[] args) {
+        SpringApplication.run(DaAutocomplianceApplication.class, args);
+    }
+
+    @Bean
+    public OpenAPI customOpenAPI() {
+        return new OpenAPI()
+                .info(new Info().title("DALab AutoCompliance Service API")
+                        .version("v1")
+                        .description("API for managing compliance reports, checks, and asset compliance status.")
+                        .termsOfService("http://swagger.io/terms/")
+                        .license(new License().name("Apache 2.0").url("http://springdoc.org")));
+    }
+} 

src/main/java/com/dalab/autocompliance/config/SpringSecurityAuditorAware.java

@@ -0,0 +1,31 @@
+package com.dalab.autocompliance.config;
+
+import org.springframework.data.domain.AuditorAware;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.stereotype.Component;
+
+import java.util.Optional;
+
+@Component("auditorProvider")
+public class SpringSecurityAuditorAware implements AuditorAware<String> {
+
+    @Override
+    public Optional<String> getCurrentAuditor() {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+
+        if (authentication == null || !authentication.isAuthenticated() || authentication.getPrincipal() instanceof String && "anonymousUser".equals(authentication.getPrincipal())) {
+            return Optional.of("system"); // Default to system if no user or anonymous
+        }
+
+        Object principal = authentication.getPrincipal();
+        if (principal instanceof User) {
+            return Optional.of(((User) principal).getUsername());
+        } else if (principal instanceof String) {
+            return Optional.of((String) principal);
+        }
+        // For other principal types, you might need custom logic or return a default
+        return Optional.of("system"); 
+    }
+} 

src/main/java/com/dalab/autocompliance/controller/ComplianceController.java

@@ -0,0 +1,160 @@
+package com.dalab.autocompliance.controller;
+
+import com.dalab.autocompliance.dto.ComplianceReportDefinitionDTO;
+import com.dalab.autocompliance.dto.ReportGenerationRequestDTO;
+import com.dalab.autocompliance.dto.ReportGenerationResponseDTO;
+import com.dalab.autocompliance.dto.ReportJobStatusDTO;
+import com.dalab.autocompliance.dto.ComplianceReportDTO;
+import com.dalab.autocompliance.dto.AssetComplianceStatusDTO;
+import com.dalab.autocompliance.dto.ComplianceControlDTO;
+import com.dalab.autocompliance.dto.ControlEvaluationRequestDTO;
+import com.dalab.autocompliance.dto.ControlEvaluationResponseDTO;
+import com.dalab.autocompliance.service.IComplianceService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.Parameter;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.tags.Tag;
+import jakarta.validation.Valid;
+import lombok.RequiredArgsConstructor;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.*;
+
+import java.util.List;
+
+@RestController
+@RequestMapping("/api/v1/compliance")
+@Tag(name = "Compliance API", description = "APIs for managing compliance checks, reports, and evaluations")
+@RequiredArgsConstructor
+public class ComplianceController {
+
+    private final IComplianceService complianceService;
+
+    @Operation(summary = "List available compliance report definitions",
+               description = "Provides a list of all configured compliance report types that can be generated.",
+               responses = {
+                   @ApiResponse(responseCode = "200", description = "Successfully retrieved report definitions")
+               })
+    @GetMapping("/reports")
+    @PreAuthorize("hasAnyRole('ADMIN', 'DATA_STEWARD', 'USER', 'AUDITOR')") // Broad access to see what reports are available
+    public ResponseEntity<List<ComplianceReportDefinitionDTO>> listAvailableReportDefinitions() {
+        List<ComplianceReportDefinitionDTO> definitions = complianceService.listAvailableReportDefinitions();
+        return ResponseEntity.ok(definitions);
+    }
+
+    @Operation(summary = "Generate a compliance report",
+               description = "Triggers the asynchronous generation of a specific compliance report based on its type and provided parameters.",
+               responses = {
+                   @ApiResponse(responseCode = "202", description = "Report generation request accepted."),
+                   @ApiResponse(responseCode = "400", description = "Invalid request (e.g., missing parameters, report type not found)"),
+                   @ApiResponse(responseCode = "404", description = "Report type not found") // Covered by 400 in current impl
+               })
+    @PostMapping("/reports/{reportType}/generate")
+    @PreAuthorize("hasAnyRole('ADMIN', 'DATA_STEWARD')") // Users who can trigger generation
+    public ResponseEntity<ReportGenerationResponseDTO> generateComplianceReport(
+            @Parameter(description = "Unique identifier of the report type to generate", required = true) 
+            @PathVariable String reportType,
+            @Parameter(description = "Parameters required for the report generation", required = true)
+            @Valid @RequestBody ReportGenerationRequestDTO request) {
+        
+        ReportGenerationResponseDTO response = complianceService.generateComplianceReport(reportType, request);
+        
+        if ("FAILED_VALIDATION".equals(response.getStatus())) {
+            return ResponseEntity.badRequest().body(response);
+        }
+        return ResponseEntity.status(HttpStatus.ACCEPTED).body(response);
+    }
+
+    @Operation(summary = "Get compliance report generation job status",
+               description = "Retrieves the current status of an asynchronous report generation job.",
+               responses = {
+                   @ApiResponse(responseCode = "200", description = "Successfully retrieved job status."),
+                   @ApiResponse(responseCode = "404", description = "Job ID not found.")
+               })
+    @GetMapping("/reports/jobs/{jobId}")
+    @PreAuthorize("hasAnyRole('ADMIN', 'DATA_STEWARD', 'USER', 'AUDITOR')") // Users who can view job status
+    public ResponseEntity<ReportJobStatusDTO> getReportGenerationJobStatus(
+            @Parameter(description = "ID of the report generation job", required = true) 
+            @PathVariable String jobId) {
+        ReportJobStatusDTO jobStatus = complianceService.getReportGenerationJobStatus(jobId);
+        if ("NOT_FOUND".equals(jobStatus.getStatus())) {
+            return ResponseEntity.status(HttpStatus.NOT_FOUND).body(jobStatus);
+        }
+        return ResponseEntity.ok(jobStatus);
+    }
+
+    @Operation(summary = "Retrieve a generated compliance report",
+               description = "Fetches the detailed contents of a previously generated compliance report.",
+               responses = {
+                   @ApiResponse(responseCode = "200", description = "Successfully retrieved the report."),
+                   @ApiResponse(responseCode = "404", description = "Report ID not found.")
+               })
+    @GetMapping("/reports/results/{reportId}")
+    @PreAuthorize("hasAnyRole('ADMIN', 'DATA_STEWARD', 'USER', 'AUDITOR')") // Users who can view reports
+    public ResponseEntity<ComplianceReportDTO> getGeneratedReport(
+            @Parameter(description = "ID of the generated compliance report", required = true) 
+            @PathVariable String reportId) {
+        ComplianceReportDTO report = complianceService.getGeneratedReport(reportId);
+        if (report == null) {
+            return ResponseEntity.notFound().build();
+        }
+        return ResponseEntity.ok(report);
+    }
+
+    @Operation(summary = "Get compliance status for an asset",
+               description = "Retrieves the overall compliance status and recent findings for a specific asset.",
+               responses = {
+                   @ApiResponse(responseCode = "200", description = "Successfully retrieved asset compliance status."),
+                   @ApiResponse(responseCode = "404", description = "Asset ID not found or no compliance data available.")
+               })
+    @GetMapping("/assets/{assetId}/status")
+    @PreAuthorize("hasAnyRole('ADMIN', 'DATA_STEWARD', 'USER', 'AUDITOR')")
+    public ResponseEntity<AssetComplianceStatusDTO> getAssetComplianceStatus(
+            @Parameter(description = "ID of the asset (e.g., cloud resource ID)", required = true) 
+            @PathVariable String assetId) {
+        AssetComplianceStatusDTO status = complianceService.getAssetComplianceStatus(assetId);
+        if ("UNKNOWN".equals(status.getOverallComplianceStatus()) && status.getRelevantReportIds() == null) { // Basic check for 'not found'
+             return ResponseEntity.status(HttpStatus.NOT_FOUND).body(status); // Provide status with UNKNOWN if created that way
+        }
+        return ResponseEntity.ok(status);
+    }
+
+    @Operation(summary = "List available compliance controls",
+               description = "Provides a list of all configured and typically enabled compliance controls that can be evaluated.",
+               responses = {
+                   @ApiResponse(responseCode = "200", description = "Successfully retrieved compliance controls")
+               })
+    @GetMapping("/controls")
+    @PreAuthorize("hasAnyRole('ADMIN', 'DATA_STEWARD', 'USER', 'AUDITOR')") // Broad access to see available controls
+    public ResponseEntity<List<ComplianceControlDTO>> listAvailableControls() {
+        List<ComplianceControlDTO> controls = complianceService.listAvailableControls();
+        return ResponseEntity.ok(controls);
+    }
+
+    @Operation(summary = "Evaluate a compliance control",
+               description = "Triggers the asynchronous evaluation of a specific compliance control.",
+               responses = {
+                   @ApiResponse(responseCode = "202", description = "Control evaluation request accepted."),
+                   @ApiResponse(responseCode = "400", description = "Invalid request (e.g., missing parameters, control not enabled)"),
+                   @ApiResponse(responseCode = "404", description = "Control ID not found")
+               })
+    @PostMapping("/controls/{controlId}/evaluate")
+    @PreAuthorize("hasAnyRole('ADMIN', 'DATA_STEWARD')") // Users who can trigger evaluations
+    public ResponseEntity<ControlEvaluationResponseDTO> evaluateControl(
+            @Parameter(description = "Unique identifier of the control to evaluate", required = true) 
+            @PathVariable String controlId,
+            @Parameter(description = "Parameters for the control evaluation", required = true)
+            @Valid @RequestBody ControlEvaluationRequestDTO request) {
+        
+        ControlEvaluationResponseDTO response = complianceService.evaluateControl(controlId, request);
+        
+        if ("FAILED_VALIDATION".equals(response.getStatus())) {
+            return ResponseEntity.badRequest().body(response);
+        }
+        // Assuming ControlNotFoundException is handled by a global exception handler to return 404
+        return ResponseEntity.status(HttpStatus.ACCEPTED).body(response);
+    }
+
+    // TODO: Add endpoint for GET /controls/evaluations/{jobId} (status of a control evaluation job)
+} 

src/main/java/com/dalab/autocompliance/dto/AssetComplianceStatusDTO.java

@@ -0,0 +1,44 @@
+package com.dalab.autocompliance.dto;
+
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+import lombok.AllArgsConstructor;
+
+import java.time.LocalDateTime;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * DTO representing the compliance status of a specific asset.
+ */
+@Data
+@Builder
+@NoArgsConstructor
+@AllArgsConstructor
+public class AssetComplianceStatusDTO {
+    private String assetId;
+    private String assetType; // e.g., GCP_COMPUTE_INSTANCE, AWS_S3_BUCKET
+    private String assetName; // User-friendly name if available
+    private String overallComplianceStatus; // e.g., COMPLIANT, NON_COMPLIANT, PARTIALLY_COMPLIANT, UNKNOWN
+    private LocalDateTime lastEvaluatedAt;
+    private int totalChecksApplied;
+    private int compliantChecks;
+    private int nonCompliantChecks;
+    private List<ComplianceFindingSummaryDTO> recentNonCompliantFindings; // Summaries of key issues
+
+    // Could also include links to full reports involving this asset
+    private List<String> relevantReportIds;
+
+    @Data
+    @Builder
+    @NoArgsConstructor
+    @AllArgsConstructor
+    public static class ComplianceFindingSummaryDTO {
+        private String checkId;
+        private String description;
+        private String severity;
+        private String reportId; // Report where this finding was detailed
+        private LocalDateTime findingTimestamp;
+    }
+} 

src/main/java/com/dalab/autocompliance/dto/ComplianceControlDTO.java

@@ -0,0 +1,29 @@
+package com.dalab.autocompliance.dto;
+
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+import lombok.AllArgsConstructor;
+
+import java.util.List;
+import java.util.Map;
+
+/**
+ * DTO representing a single, executable compliance control or check.
+ */
+@Data
+@Builder
+@NoArgsConstructor
+@AllArgsConstructor
+public class ComplianceControlDTO {
+    private String controlId; // Unique identifier for the control (e.g., "CIS-GCP-1.1", "PCI-REQ-3.4")
+    private String name; // Short, human-readable name of the control
+    private String description; // Detailed description of what the control checks
+    private String severity; // e.g., CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL
+    private List<String> applicableFrameworks; // e.g., ["CIS Benchmark v1.3", "PCI DSS v3.2.1"]
+    private List<String> targetAssetTypes; // Asset types this control applies to (e.g., "GCP_BUCKET", "AWS_IAM_USER")
+    private String remediationSteps; // Suggested steps to remediate a non-compliant finding
+    private Map<String, String> evaluationParametersDefinition; // Parameters needed to evaluate this control (name: type)
+    private String detailsLink; // Link to external documentation for this control
+    private boolean enabled; // Whether this control is currently active for evaluation
+} 

src/main/java/com/dalab/autocompliance/dto/ComplianceReportDTO.java

@@ -0,0 +1,59 @@
+package com.dalab.autocompliance.dto;
+
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+import lombok.AllArgsConstructor;
+
+import java.time.LocalDateTime;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * DTO representing a generated compliance report.
+ */
+@Data
+@Builder
+@NoArgsConstructor
+@AllArgsConstructor
+public class ComplianceReportDTO {
+    private String reportId; // Unique ID of this generated report instance
+    private String reportType; // e.g., "cis-gcp-foundations-v1.3"
+    private String displayName; // User-friendly name of the report type
+    private LocalDateTime generationTimestamp;
+    private String overallStatus; // e.g., COMPLIANT, NON_COMPLIANT, PARTIALLY_COMPLIANT, ERROR
+    private Map<String, Object> generationParameters; // Parameters used to generate this report
+
+    private SummaryDTO summary; // High-level summary statistics
+    private List<FindingDTO> findings; // Detailed list of findings
+
+    // Nested DTOs for structure
+    @Data
+    @Builder
+    @NoArgsConstructor
+    @AllArgsConstructor
+    public static class SummaryDTO {
+        private int totalChecks;
+        private int compliantChecks;
+        private int nonCompliantChecks;
+        private int errorChecks;
+        private double complianceScore; // e.g., percentage
+    }
+
+    @Data
+    @Builder
+    @NoArgsConstructor
+    @AllArgsConstructor
+    public static class FindingDTO {
+        private String checkId; // Unique identifier for the specific check/control
+        private String description;
+        private String assetId; // ID of the asset evaluated
+        private String assetType;
+        private String assetName; // User-friendly name of the asset
+        private String status; // COMPLIANT, NON_COMPLIANT, ERROR, NOT_APPLICABLE
+        private String severity; // INFO, LOW, MEDIUM, HIGH, CRITICAL
+        private String recommendation;
+        private Map<String, Object> details; // Specific details about the finding
+        private String evidenceLink; // Link to evidence if applicable
+    }
+} 

src/main/java/com/dalab/autocompliance/dto/ComplianceReportDefinitionDTO.java

@@ -0,0 +1,27 @@
+package com.dalab.autocompliance.dto;
+
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+import lombok.AllArgsConstructor;
+
+import java.util.List;
+import java.util.Map;
+
+/**
+ * DTO representing the definition of a compliance report type.
+ */
+@Data
+@Builder
+@NoArgsConstructor
+@AllArgsConstructor
+public class ComplianceReportDefinitionDTO {
+    private String reportType; // Unique identifier for the report type (e.g., "pci-dss-q1", "cis-benchmark-gcp")
+    private String displayName; // User-friendly name (e.g., "PCI DSS Requirement 1 Check", "CIS Google Cloud Platform Foundation Benchmark")
+    private String description;
+    private String version; // Version of the report definition/benchmark
+    private List<String> applicableComplianceFrameworks; // e.g., ["PCI DSS v3.2.1", "HIPAA"]
+    private List<String> targetAssetTypes; // e.g., ["GCP_COMPUTE_INSTANCE", "AWS_S3_BUCKET"]
+    private Map<String, String> generationParameters; // Key-value pairs for parameters needed to generate this report (e.g., {"gcpProjectId": "string"})
+    private String detailsLink; // Link to more information about this compliance check/report
+} 

src/main/java/com/dalab/autocompliance/dto/ControlEvaluationRequestDTO.java

@@ -0,0 +1,31 @@
+package com.dalab.autocompliance.dto;
+
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+import lombok.AllArgsConstructor;
+
+import jakarta.validation.constraints.NotEmpty;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * DTO for requesting the evaluation of a specific compliance control.
+ */
+@Data
+@Builder
+@NoArgsConstructor
+@AllArgsConstructor
+public class ControlEvaluationRequestDTO {
+    
+    // Specific assets to target for this evaluation. If empty, might apply to all relevant assets.
+    private List<String> targetAssetIds; 
+
+    // Override or provide specific parameters for this evaluation run for the control.
+    // These would align with or override those in ComplianceControlDTO.evaluationParametersDefinition.
+    private Map<String, Object> evaluationParameters; 
+
+    private String triggeredBy; // Optional: User or system that triggered the evaluation
+    private String notificationEmail; // Optional: Email to notify upon completion/failure
+    private boolean forceReevaluation; // Optional: If true, re-evaluate even if recent results exist
+} 

src/main/java/com/dalab/autocompliance/dto/ControlEvaluationResponseDTO.java

@@ -0,0 +1,24 @@
+package com.dalab.autocompliance.dto;
+
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+import lombok.AllArgsConstructor;
+
+import java.time.LocalDateTime;
+
+/**
+ * DTO representing the response after submitting a control evaluation request.
+ */
+@Data
+@Builder
+@NoArgsConstructor
+@AllArgsConstructor
+public class ControlEvaluationResponseDTO {
+    private String jobId; // ID of the asynchronous evaluation job
+    private String controlId;
+    private String status; // e.g., ACCEPTED, FAILED_VALIDATION, QUEUED
+    private LocalDateTime submittedAt;
+    private String message; // e.g., "Control evaluation accepted and queued.", "Invalid parameters for control."
+    private int targetedAssetCount; // Number of assets targeted for this evaluation run
+} 

src/main/java/com/dalab/autocompliance/dto/ReportGenerationRequestDTO.java

@@ -0,0 +1,27 @@
+package com.dalab.autocompliance.dto;
+
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+import lombok.AllArgsConstructor;
+
+import jakarta.validation.constraints.NotEmpty;
+import java.util.Map;
+
+/**
+ * DTO for requesting the generation of a specific compliance report.
+ */
+@Data
+@Builder
+@NoArgsConstructor
+@AllArgsConstructor
+public class ReportGenerationRequestDTO {
+    
+    // Parameters required for this specific report type, matching those defined in ComplianceReportDefinitionDTO.generationParameters
+    // For example, {"gcpProjectId": "my-gcp-project", "targetRegions": ["us-central1", "us-east1"]}
+    @NotEmpty(message = "Generation parameters cannot be empty.")
+    private Map<String, Object> parameters; 
+
+    private String triggeredBy; // Optional: User or system that triggered the generation
+    private String notificationEmail; // Optional: Email to notify upon completion/failure
+} 

src/main/java/com/dalab/autocompliance/dto/ReportGenerationResponseDTO.java

@@ -0,0 +1,23 @@
+package com.dalab.autocompliance.dto;
+
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+import lombok.AllArgsConstructor;
+
+import java.time.LocalDateTime;
+
+/**
+ * DTO representing the response after submitting a report generation request.
+ */
+@Data
+@Builder
+@NoArgsConstructor
+@AllArgsConstructor
+public class ReportGenerationResponseDTO {
+    private String jobId; // ID of the asynchronous generation job
+    private String reportType;
+    private String status; // e.g., ACCEPTED, FAILED_VALIDATION, QUEUED
+    private LocalDateTime submittedAt;
+    private String message; // e.g., "Report generation accepted and queued.", "Invalid parameters for report type."
+} 

src/main/java/com/dalab/autocompliance/dto/ReportJobStatusDTO.java

@@ -0,0 +1,27 @@
+package com.dalab.autocompliance.dto;
+
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+import lombok.AllArgsConstructor;
+
+import java.time.LocalDateTime;
+
+/**
+ * DTO for representing the status of a compliance report generation job.
+ */
+@Data
+@Builder
+@NoArgsConstructor
+@AllArgsConstructor
+public class ReportJobStatusDTO {
+    private String jobId;
+    private String reportType;
+    private String status; // e.g., QUEUED, PROCESSING, COMPLETED_SUCCESS, COMPLETED_FAILURE, NOT_FOUND
+    private LocalDateTime submittedAt;
+    private LocalDateTime startedAt;
+    private LocalDateTime completedAt;
+    private String message; // e.g., "Processing started", "Report generated successfully", "Failed due to: ..."
+    private String reportId; // ID of the generated report if completed successfully
+    private String downloadLink; // Link to download the report if applicable
+} 

src/main/java/com/dalab/autocompliance/model/entity/AbstractAuditableEntity.java

@@ -0,0 +1,38 @@
+package com.dalab.autocompliance.model.entity;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.EntityListeners;
+import jakarta.persistence.MappedSuperclass;
+import lombok.Data;
+import org.springframework.data.annotation.CreatedBy;
+import org.springframework.data.annotation.CreatedDate;
+import org.springframework.data.annotation.LastModifiedBy;
+import org.springframework.data.annotation.LastModifiedDate;
+import org.springframework.data.jpa.domain.support.AuditingEntityListener;
+
+import java.io.Serializable;
+import java.time.Instant;
+
+@Data
+@MappedSuperclass
+@EntityListeners(AuditingEntityListener.class)
+public abstract class AbstractAuditableEntity implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    @CreatedBy
+    @Column(name = "created_by", nullable = false, length = 50, updatable = false)
+    private String createdBy;
+
+    @CreatedDate
+    @Column(name = "created_date", nullable = false, updatable = false)
+    private Instant createdDate = Instant.now();
+
+    @LastModifiedBy
+    @Column(name = "last_modified_by", length = 50)
+    private String lastModifiedBy;
+
+    @LastModifiedDate
+    @Column(name = "last_modified_date")
+    private Instant lastModifiedDate = Instant.now();
+} 

src/main/java/com/dalab/autocompliance/model/entity/ComplianceControlEntity.java

@@ -0,0 +1,74 @@
+package com.dalab.autocompliance.model.entity;
+
+import java.util.List;
+import java.util.Map;
+
+import org.hibernate.annotations.JdbcTypeCode;
+import org.hibernate.type.SqlTypes;
+
+import jakarta.persistence.CollectionTable;
+import jakarta.persistence.Column;
+import jakarta.persistence.ElementCollection;
+import jakarta.persistence.Entity;
+import jakarta.persistence.FetchType;
+import jakarta.persistence.Id;
+import jakarta.persistence.Index;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.Lob;
+import jakarta.persistence.Table;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+import lombok.NoArgsConstructor;
+
+@Entity
+@Table(name = "compliance_controls", indexes = {
+    @Index(name = "idx_control_severity", columnList = "severity"),
+    @Index(name = "idx_control_enabled", columnList = "enabled")
+})
+@Data
+@EqualsAndHashCode(callSuper = true)
+@NoArgsConstructor
+@AllArgsConstructor
+@Builder
+public class ComplianceControlEntity extends AbstractAuditableEntity {
+
+    @Id
+    @Column(nullable = false, unique = true, length = 100)
+    private String controlId;
+
+    @Column(nullable = false, length = 255)
+    private String name;
+
+    @Lob
+    @JdbcTypeCode(SqlTypes.LONGVARCHAR)
+    private String description;
+
+    @Column(length = 50)
+    private String severity;
+
+    @ElementCollection(fetch = FetchType.EAGER)
+    @CollectionTable(name = "control_frameworks", joinColumns = @JoinColumn(name = "control_id"))
+    @Column(name = "framework_name")
+    private List<String> applicableFrameworks;
+
+    @ElementCollection(fetch = FetchType.EAGER)
+    @CollectionTable(name = "control_asset_types", joinColumns = @JoinColumn(name = "control_id"))
+    @Column(name = "asset_type")
+    private List<String> targetAssetTypes;
+
+    @Lob
+    @JdbcTypeCode(SqlTypes.LONGVARCHAR)
+    private String remediationSteps;
+
+    @JdbcTypeCode(SqlTypes.JSON)
+    @Column(columnDefinition = "jsonb")
+    private Map<String, String> evaluationParametersDefinition;
+
+    @Column(length = 512)
+    private String detailsLink;
+
+    @Builder.Default
+    private boolean enabled = true;
+} 

src/main/java/com/dalab/autocompliance/model/entity/ComplianceGeneratedReportEntity.java

@@ -0,0 +1,59 @@
+package com.dalab.autocompliance.model.entity;
+
+import jakarta.persistence.*;
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+import lombok.NoArgsConstructor;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import org.hibernate.annotations.JdbcTypeCode;
+import org.hibernate.type.SqlTypes;
+
+import java.time.LocalDateTime;
+import java.util.List;
+import java.util.Map;
+
+@Entity
+@Table(name = "compliance_generated_reports")
+@Data
+@EqualsAndHashCode(callSuper = true)
+@NoArgsConstructor
+@AllArgsConstructor
+@Builder
+public class ComplianceGeneratedReportEntity extends AbstractAuditableEntity {
+
+    @Id
+    @Column(length = 36) // UUID length
+    private String reportId;
+
+    @Column(nullable = false, length = 100)
+    private String reportType; // Corresponds to ComplianceReportDefinitionEntity.reportType
+
+    @Column(length = 255)
+    private String displayName; // User-friendly name of the report type at the time of generation
+
+    @Column(nullable = false)
+    private LocalDateTime generationTimestamp;
+
+    @Column(length = 50)
+    private String overallStatus; // e.g., COMPLIANT, NON_COMPLIANT, PARTIALLY_COMPLIANT, ERROR
+
+    @JdbcTypeCode(SqlTypes.JSON)
+    @Column(columnDefinition = "jsonb")
+    private Map<String, Object> generationParameters; // Parameters used to generate this specific report instance
+
+    // Storing summary and findings as JSONB. 
+    // If specific fields within these need to be frequently queried, consider normalizing them.
+    @JdbcTypeCode(SqlTypes.JSON)
+    @Column(columnDefinition = "jsonb")
+    private ReportSummaryData summaryData; // Corresponds to ComplianceReportDTO.SummaryDTO
+
+    @JdbcTypeCode(SqlTypes.JSON)
+    @Column(columnDefinition = "jsonb")
+    private List<ReportFindingData> findingsData; // Corresponds to List<ComplianceReportDTO.FindingDTO>
+
+    // Link back to the job that generated this report
+    @OneToOne(fetch = FetchType.LAZY)
+    @JoinColumn(name = "job_id", referencedColumnName = "jobId")
+    private ComplianceReportJobEntity reportJob;
+} 

src/main/java/com/dalab/autocompliance/model/entity/ComplianceReportDefinitionEntity.java

@@ -0,0 +1,55 @@
+package com.dalab.autocompliance.model.entity;
+
+import jakarta.persistence.*;
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+import lombok.NoArgsConstructor;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import org.hibernate.annotations.JdbcTypeCode;
+import org.hibernate.type.SqlTypes;
+
+import java.util.List;
+import java.util.Map;
+
+@Entity
+@Table(name = "compliance_report_definitions")
+@Data
+@EqualsAndHashCode(callSuper = true)
+@NoArgsConstructor
+@AllArgsConstructor
+@Builder
+public class ComplianceReportDefinitionEntity extends AbstractAuditableEntity {
+
+    @Id
+    @Column(nullable = false, unique = true, length = 100)
+    private String reportType; // e.g., "cis-gcp-foundations-v1.3"
+
+    @Column(nullable = false, length = 255)
+    private String displayName;
+
+    @Lob
+    @JdbcTypeCode(SqlTypes.LONGVARCHAR)
+    private String description;
+
+    @Column(length = 50)
+    private String version;
+
+    @ElementCollection(fetch = FetchType.EAGER)
+    @CollectionTable(name = "report_def_frameworks", joinColumns = @JoinColumn(name = "report_type"))
+    @Column(name = "framework_name")
+    private List<String> applicableComplianceFrameworks;
+
+    @ElementCollection(fetch = FetchType.EAGER)
+    @CollectionTable(name = "report_def_asset_types", joinColumns = @JoinColumn(name = "report_type"))
+    @Column(name = "asset_type")
+    private List<String> targetAssetTypes;
+
+    // Storing parameter definitions (name and type, e.g., "gcpProjectId": "string")
+    @JdbcTypeCode(SqlTypes.JSON)
+    @Column(columnDefinition = "jsonb")
+    private Map<String, String> generationParametersDefinition; // Renamed for clarity from DTO's 'generationParameters'
+
+    @Column(length = 512)
+    private String detailsLink;
+} 

src/main/java/com/dalab/autocompliance/model/entity/ComplianceReportJobEntity.java

@@ -0,0 +1,56 @@
+package com.dalab.autocompliance.model.entity;
+
+import jakarta.persistence.*;
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+import lombok.NoArgsConstructor;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+
+import java.time.LocalDateTime;
+import java.util.Map;
+
+@Entity
+@Table(name = "compliance_report_jobs")
+@Data
+@EqualsAndHashCode(callSuper = true)
+@NoArgsConstructor
+@AllArgsConstructor
+@Builder
+public class ComplianceReportJobEntity extends AbstractAuditableEntity {
+
+    @Id
+    @Column(length = 36) // UUID length
+    private String jobId;
+
+    @Column(nullable = false, length = 100)
+    private String reportType; // Corresponds to ComplianceReportDefinitionEntity.reportType
+
+    @Column(nullable = false, length = 50)
+    private String status; // e.g., QUEUED, PROCESSING, COMPLETED_SUCCESS, COMPLETED_FAILURE
+
+    private LocalDateTime submittedAt;
+    private LocalDateTime startedAt;
+    private LocalDateTime completedAt;
+
+    @Lob
+    @Basic(fetch = FetchType.LAZY) // Message could be long, fetch lazily
+    private String message; 
+
+    @Column(length = 36) // UUID length, if report is generated
+    private String generatedReportId; // Links to ComplianceGeneratedReportEntity.reportId
+
+    // Parameters used for this specific job instance.
+    // In DTO this was Map<String, Object>. For DB, JSON is suitable.
+    // Consider if complex objects need to be queryable. If so, separate columns or normalized tables might be better.
+    // For now, storing as JSONB is a flexible approach.
+    @org.hibernate.annotations.JdbcTypeCode(org.hibernate.type.SqlTypes.JSON)
+    @Column(columnDefinition = "jsonb")
+    private Map<String, Object> generationParameters;
+
+    @Column(length = 255)
+    private String triggeredBy; // User or system that triggered it
+
+    @Column(length = 255)
+    private String notificationEmail; // Email for notification
+} 

src/main/java/com/dalab/autocompliance/model/entity/ControlEvaluationJobEntity.java

@@ -0,0 +1,67 @@
+package com.dalab.autocompliance.model.entity;
+
+import jakarta.persistence.*;
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+import lombok.NoArgsConstructor;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import org.hibernate.annotations.JdbcTypeCode;
+import org.hibernate.type.SqlTypes;
+
+import java.time.LocalDateTime;
+import java.util.List;
+import java.util.Map;
+
+@Entity
+@Table(name = "compliance_control_evaluation_jobs", indexes = {
+    @Index(name = "idx_ctrl_eval_job_control_id", columnList = "controlId"),
+    @Index(name = "idx_ctrl_eval_job_status", columnList = "status")
+})
+@Data
+@EqualsAndHashCode(callSuper = true)
+@NoArgsConstructor
+@AllArgsConstructor
+@Builder
+public class ControlEvaluationJobEntity extends AbstractAuditableEntity {
+
+    @Id
+    @Column(length = 36) // UUID length
+    private String jobId;
+
+    @Column(nullable = false, length = 100)
+    private String controlId; // Foreign key to ComplianceControlEntity.controlId
+
+    @Column(nullable = false, length = 50)
+    private String status; // e.g., QUEUED, PROCESSING, COMPLETED_SUCCESS, COMPLETED_FAILURE, PARTIAL_FAILURE
+
+    private LocalDateTime submittedAt;
+    private LocalDateTime startedAt;
+    private LocalDateTime completedAt;
+
+    @Lob
+    @Basic(fetch = FetchType.LAZY)
+    private String message; // Overall message for the job execution
+
+    @ElementCollection(fetch = FetchType.LAZY) // Store targeted asset IDs
+    @CollectionTable(name = "control_eval_job_target_assets", joinColumns = @JoinColumn(name = "job_id"))
+    @Column(name = "asset_id")
+    private List<String> targetAssetIds;
+
+    @JdbcTypeCode(SqlTypes.JSON)
+    @Column(columnDefinition = "jsonb")
+    private Map<String, Object> evaluationParameters; // Parameters used for this specific evaluation run
+    
+    private boolean forceReevaluation;
+
+    @Column(length = 255)
+    private String triggeredBy;
+
+    @Column(length = 255)
+    private String notificationEmail;
+
+    // In a more detailed model, you might have a list of ControlEvaluationResultEntity linked here.
+    // For now, the results (findings) would likely be new entries in the main GeneratedReport or a similar table,
+    // or a dedicated ControlFindingEntity. This part needs further thought based on how results are stored/queried.
+    // For simplicity, this job entity primarily tracks the execution.
+} 

src/main/java/com/dalab/autocompliance/model/entity/ReportFindingData.java

@@ -0,0 +1,26 @@
+package com.dalab.autocompliance.model.entity;
+
+import lombok.Data;
+import lombok.NoArgsConstructor;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+
+import java.util.Map;
+
+// This is a simple POJO, not an entity. Used for JSONB mapping.
+@Data
+@Builder
+@NoArgsConstructor
+@AllArgsConstructor
+public class ReportFindingData {
+    private String checkId;
+    private String description;
+    private String assetId;
+    private String assetType;
+    private String assetName;
+    private String status;
+    private String severity;
+    private String recommendation;
+    private Map<String, Object> details;
+    private String evidenceLink;
+} 

src/main/java/com/dalab/autocompliance/model/entity/ReportSummaryData.java

@@ -0,0 +1,19 @@
+package com.dalab.autocompliance.model.entity;
+
+import lombok.Data;
+import lombok.NoArgsConstructor;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+
+// This is a simple POJO, not an entity. Used for JSONB mapping.
+@Data
+@Builder
+@NoArgsConstructor
+@AllArgsConstructor
+public class ReportSummaryData {
+    private int totalChecks;
+    private int compliantChecks;
+    private int nonCompliantChecks;
+    private int errorChecks;
+    private double complianceScore;
+} 

src/main/java/com/dalab/autocompliance/model/mapper/ComplianceControlMapper.java

@@ -0,0 +1,22 @@
+package com.dalab.autocompliance.model.mapper;
+
+import com.dalab.autocompliance.dto.ComplianceControlDTO;
+import com.dalab.autocompliance.model.entity.ComplianceControlEntity;
+import org.mapstruct.Mapper;
+import org.mapstruct.factory.Mappers;
+
+import java.util.List;
+
+@Mapper(componentModel = "spring")
+public interface ComplianceControlMapper {
+
+    ComplianceControlMapper INSTANCE = Mappers.getMapper(ComplianceControlMapper.class);
+
+    ComplianceControlDTO toDto(ComplianceControlEntity entity);
+
+    ComplianceControlEntity toEntity(ComplianceControlDTO dto);
+
+    List<ComplianceControlDTO> toDtoList(List<ComplianceControlEntity> entities);
+
+    List<ComplianceControlEntity> toEntityList(List<ComplianceControlDTO> dtos);
+} 

src/main/java/com/dalab/autocompliance/model/mapper/ComplianceGeneratedReportMapper.java

@@ -0,0 +1,46 @@
+package com.dalab.autocompliance.model.mapper;
+
+import java.util.List;
+
+import org.mapstruct.Mapper;
+import org.mapstruct.Mapping;
+import org.mapstruct.factory.Mappers;
+
+import com.dalab.autocompliance.dto.ComplianceReportDTO;
+import com.dalab.autocompliance.model.entity.ComplianceGeneratedReportEntity;
+import com.dalab.autocompliance.model.entity.ReportFindingData;
+import com.dalab.autocompliance.model.entity.ReportSummaryData;
+
+/**
+ * Mapper interface for converting between ComplianceGeneratedReportEntity and DTOs.
+ */
+@Mapper(componentModel = "spring")
+public interface ComplianceGeneratedReportMapper {
+
+    ComplianceGeneratedReportMapper INSTANCE = Mappers.getMapper(ComplianceGeneratedReportMapper.class);
+
+    // Entity to DTO
+    @Mapping(source = "summaryData", target = "summary")
+    @Mapping(source = "findingsData", target = "findings")
+    ComplianceReportDTO toDto(ComplianceGeneratedReportEntity entity);
+
+    List<ComplianceReportDTO> toDtoList(List<ComplianceGeneratedReportEntity> entities);
+
+    // DTO to Entity
+    @Mapping(source = "summary", target = "summaryData")
+    @Mapping(source = "findings", target = "findingsData")
+    @Mapping(target = "reportJob", ignore = true) // Typically set separately or via jobId
+    ComplianceGeneratedReportEntity toEntity(ComplianceReportDTO dto);
+
+    // Mappings for nested POJOs (if MapStruct doesn't handle them automatically, which it often does)
+    // These might not be strictly necessary if names and types match and MapStruct can infer them.
+    ReportSummaryData toReportSummaryData(ComplianceReportDTO.SummaryDTO summaryDTO);
+    ComplianceReportDTO.SummaryDTO toSummaryDTO(ReportSummaryData reportSummaryData);
+
+    List<ReportFindingData> toReportFindingDataList(List<ComplianceReportDTO.FindingDTO> findingDTOs);
+    List<ComplianceReportDTO.FindingDTO> toFindingDTOList(List<ReportFindingData> reportFindingDataList);
+    
+    ReportFindingData toReportFindingData(ComplianceReportDTO.FindingDTO findingDTO);
+    ComplianceReportDTO.FindingDTO toFindingDTO(ReportFindingData reportFindingData);
+
+} 

src/main/java/com/dalab/autocompliance/model/mapper/ComplianceReportDefinitionMapper.java

@@ -0,0 +1,25 @@
+package com.dalab.autocompliance.model.mapper;
+
+import com.dalab.autocompliance.dto.ComplianceReportDefinitionDTO;
+import com.dalab.autocompliance.model.entity.ComplianceReportDefinitionEntity;
+import org.mapstruct.Mapper;
+import org.mapstruct.Mapping;
+import org.mapstruct.factory.Mappers;
+
+import java.util.List;
+
+@Mapper(componentModel = "spring")
+public interface ComplianceReportDefinitionMapper {
+
+    ComplianceReportDefinitionMapper INSTANCE = Mappers.getMapper(ComplianceReportDefinitionMapper.class);
+
+    @Mapping(source = "generationParametersDefinition", target = "generationParameters")
+    ComplianceReportDefinitionDTO toDto(ComplianceReportDefinitionEntity entity);
+
+    @Mapping(source = "generationParameters", target = "generationParametersDefinition")
+    ComplianceReportDefinitionEntity toEntity(ComplianceReportDefinitionDTO dto);
+
+    List<ComplianceReportDefinitionDTO> toDtoList(List<ComplianceReportDefinitionEntity> entities);
+
+    List<ComplianceReportDefinitionEntity> toEntityList(List<ComplianceReportDefinitionDTO> dtos);
+} 

src/main/java/com/dalab/autocompliance/model/mapper/ComplianceReportJobMapper.java

@@ -0,0 +1,41 @@
+package com.dalab.autocompliance.model.mapper;
+
+import com.dalab.autocompliance.dto.ReportJobStatusDTO;
+import com.dalab.autocompliance.dto.ReportGenerationRequestDTO; // For mapping parameters
+import com.dalab.autocompliance.model.entity.ComplianceReportJobEntity;
+import org.mapstruct.Mapper;
+import org.mapstruct.Mapping;
+import org.mapstruct.Named;
+import org.mapstruct.factory.Mappers;
+
+import java.util.Map;
+import java.util.List;
+
+/**
+ * Mapper interface for converting between ComplianceReportJobEntity and DTOs.
+ */
+@Mapper
+public interface ComplianceReportJobMapper {
+
+    ComplianceReportJobMapper INSTANCE = Mappers.getMapper(ComplianceReportJobMapper.class);
+
+    // From Entity to DTO (ReportJobStatusDTO)
+    @Mapping(target = "reportId", ignore = true)
+    @Mapping(target = "downloadLink", ignore = true)
+    ReportJobStatusDTO toDto(ComplianceReportJobEntity entity);
+
+    List<ReportJobStatusDTO> toDtoList(List<ComplianceReportJobEntity> entities);
+
+    // From DTO (ReportGenerationRequestDTO for submission) to Entity
+    // Note: JobId will be set in service. Status will be set. reportId will be null initially.
+    @Mapping(source = "dto.parameters", target = "generationParameters") // Map<String, Object> to Map<String, Object>
+    @Mapping(target = "jobId", ignore = true) // Set by service
+    @Mapping(target = "status", ignore = true) // Set by service
+    @Mapping(target = "submittedAt", ignore = true) // Set by service or DB default
+    @Mapping(target = "startedAt", ignore = true)
+    @Mapping(target = "completedAt", ignore = true)
+    @Mapping(target = "message", ignore = true)
+    @Mapping(target = "generatedReportId", ignore = true)
+    ComplianceReportJobEntity fromGenerationRequest(ReportGenerationRequestDTO dto, String reportType);
+
+} 

src/main/java/com/dalab/autocompliance/model/mapper/ControlEvaluationJobMapper.java

@@ -0,0 +1,37 @@
+package com.dalab.autocompliance.model.mapper;
+
+import java.time.LocalDateTime;
+import java.util.UUID;
+
+import org.mapstruct.Mapper;
+import org.mapstruct.Mapping;
+import org.mapstruct.factory.Mappers;
+
+import com.dalab.autocompliance.dto.ControlEvaluationRequestDTO;
+import com.dalab.autocompliance.dto.ControlEvaluationResponseDTO;
+import com.dalab.autocompliance.model.entity.ControlEvaluationJobEntity;
+
+/**
+ * Mapper interface for converting between ControlEvaluationJobEntity and DTOs.
+ */
+@Mapper(imports = {UUID.class, LocalDateTime.class})
+public interface ControlEvaluationJobMapper {
+
+    ControlEvaluationJobMapper INSTANCE = Mappers.getMapper(ControlEvaluationJobMapper.class);
+
+    // To DTO (ControlEvaluationResponseDTO is simpler, doesn't carry all entity details by default)
+    @Mapping(target = "targetedAssetCount", expression = "java(entity.getTargetAssetIds() != null ? entity.getTargetAssetIds().size() : 0)")
+    ControlEvaluationResponseDTO toResponseDto(ControlEvaluationJobEntity entity);
+
+    // From Request DTO to Entity
+    @Mapping(target = "jobId", expression = "java(UUID.randomUUID().toString())")
+    @Mapping(target = "submittedAt", expression = "java(LocalDateTime.now())")
+    @Mapping(target = "status", constant = "QUEUED")
+    @Mapping(target = "startedAt", ignore = true)
+    @Mapping(target = "completedAt", ignore = true)
+    @Mapping(target = "message", ignore = true)
+    ControlEvaluationJobEntity fromRequestDto(ControlEvaluationRequestDTO requestDto, String controlId);
+
+    // If you need a more detailed DTO for job status (like ReportJobStatusDTO), you'd create another one.
+    // For now, the response DTO is used for the immediate POST response.
+} 

src/main/java/com/dalab/autocompliance/model/repository/ComplianceControlRepository.java

@@ -0,0 +1,22 @@
+package com.dalab.autocompliance.model.repository;
+
+import com.dalab.autocompliance.model.entity.ComplianceControlEntity;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.JpaSpecificationExecutor;
+import org.springframework.stereotype.Repository;
+
+import java.util.List;
+import java.util.Optional;
+
+@Repository
+public interface ComplianceControlRepository extends JpaRepository<ComplianceControlEntity, String>, JpaSpecificationExecutor<ComplianceControlEntity> {
+    // String is the type of the ID (controlId)
+
+    Optional<ComplianceControlEntity> findByControlIdIgnoreCase(String controlId);
+
+    List<ComplianceControlEntity> findByEnabledTrue();
+
+    List<ComplianceControlEntity> findBySeverityIgnoreCaseAndEnabledTrue(String severity);
+
+    // JpaSpecificationExecutor allows for dynamic queries based on criteria, useful for filtering controls
+} 

src/main/java/com/dalab/autocompliance/model/repository/ComplianceGeneratedReportRepository.java

@@ -0,0 +1,28 @@
+package com.dalab.autocompliance.model.repository;
+
+import com.dalab.autocompliance.model.entity.ComplianceGeneratedReportEntity;
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.Pageable;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.query.Param;
+import org.springframework.stereotype.Repository;
+
+import java.util.List;
+
+@Repository
+public interface ComplianceGeneratedReportRepository extends JpaRepository<ComplianceGeneratedReportEntity, String> {
+    // String is the type of the ID (reportId)
+
+    Page<ComplianceGeneratedReportEntity> findByReportTypeIgnoreCase(String reportType, Pageable pageable);
+
+    // Example of a query that might be needed to get asset status (though this is complex for JSONB)
+    // This is a conceptual query; actual JSONB querying capabilities depend heavily on the database (e.g., PostgreSQL).
+    // It's often better to process this in the service layer after fetching relevant reports, 
+    // or use a dedicated search index if performance is critical.
+    @Query(value = "SELECT cgr.* FROM compliance_generated_reports cgr " +
+                   "WHERE EXISTS (SELECT 1 FROM jsonb_array_elements(cgr.findings_data) AS finding " +
+                                 "WHERE finding ->> 'assetId' = :assetId)",
+           nativeQuery = true)
+    List<ComplianceGeneratedReportEntity> findReportsContainingAssetId(@Param("assetId") String assetId);
+} 

src/main/java/com/dalab/autocompliance/model/repository/ComplianceReportDefinitionRepository.java

@@ -0,0 +1,16 @@
+package com.dalab.autocompliance.model.repository;
+
+import com.dalab.autocompliance.model.entity.ComplianceReportDefinitionEntity;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.stereotype.Repository;
+
+import java.util.Optional;
+
+@Repository
+public interface ComplianceReportDefinitionRepository extends JpaRepository<ComplianceReportDefinitionEntity, String> {
+    // String is the type of the ID (reportType)
+
+    Optional<ComplianceReportDefinitionEntity> findByReportTypeIgnoreCase(String reportType);
+
+    boolean existsByReportTypeIgnoreCase(String reportType);
+} 

src/main/java/com/dalab/autocompliance/model/repository/ComplianceReportJobRepository.java

@@ -0,0 +1,18 @@
+package com.dalab.autocompliance.model.repository;
+
+import com.dalab.autocompliance.model.entity.ComplianceReportJobEntity;
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.Pageable;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.stereotype.Repository;
+
+import java.util.List;
+
+@Repository
+public interface ComplianceReportJobRepository extends JpaRepository<ComplianceReportJobEntity, String> {
+    // String is the type of the ID (jobId)
+
+    Page<ComplianceReportJobEntity> findByReportTypeIgnoreCase(String reportType, Pageable pageable);
+    
+    List<ComplianceReportJobEntity> findByStatusIn(List<String> statuses); // For finding active jobs etc.
+} 

src/main/java/com/dalab/autocompliance/model/repository/ControlEvaluationJobRepository.java

@@ -0,0 +1,19 @@
+package com.dalab.autocompliance.model.repository;
+
+import com.dalab.autocompliance.model.entity.ControlEvaluationJobEntity;
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.Pageable;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.JpaSpecificationExecutor;
+import org.springframework.stereotype.Repository;
+
+import java.util.List;
+
+@Repository
+public interface ControlEvaluationJobRepository extends JpaRepository<ControlEvaluationJobEntity, String>, JpaSpecificationExecutor<ControlEvaluationJobEntity> {
+    // String is the type of the ID (jobId)
+
+    Page<ControlEvaluationJobEntity> findByControlIdIgnoreCase(String controlId, Pageable pageable);
+
+    List<ControlEvaluationJobEntity> findByStatusIn(List<String> statuses);
+} 

src/main/java/com/dalab/autocompliance/service/IComplianceService.java

@@ -0,0 +1,77 @@
+package com.dalab.autocompliance.service;
+
+import com.dalab.autocompliance.dto.ComplianceReportDefinitionDTO;
+import com.dalab.autocompliance.dto.ReportGenerationRequestDTO;
+import com.dalab.autocompliance.dto.ReportGenerationResponseDTO;
+import com.dalab.autocompliance.dto.ReportJobStatusDTO;
+import com.dalab.autocompliance.dto.ComplianceReportDTO;
+import com.dalab.autocompliance.dto.AssetComplianceStatusDTO;
+import com.dalab.autocompliance.dto.ComplianceControlDTO;
+import com.dalab.autocompliance.dto.ControlEvaluationRequestDTO;
+import com.dalab.autocompliance.dto.ControlEvaluationResponseDTO;
+// Future DTOs:
+// import com.dalab.autocompliance.dto.ReportGenerationRequestDTO;
+// import com.dalab.autocompliance.dto.ReportGenerationResponseDTO;
+// import com.dalab.autocompliance.dto.ReportJobStatusDTO;
+
+import java.util.List;
+
+public interface IComplianceService {
+
+    /**
+     * Lists all available compliance report definitions.
+     * @return A list of ComplianceReportDefinitionDTOs.
+     */
+    List<ComplianceReportDefinitionDTO> listAvailableReportDefinitions();
+
+    /**
+     * Initiates the generation of a specific compliance report.
+     * @param reportType The type of report to generate.
+     * @param request DTO containing parameters for report generation.
+     * @return A response DTO with the job ID and status.
+     */
+    ReportGenerationResponseDTO generateComplianceReport(String reportType, ReportGenerationRequestDTO request);
+
+    /**
+     * Retrieves the status of a specific compliance report generation job.
+     * @param jobId The ID of the job.
+     * @return A DTO with the job status details.
+     */
+    ReportJobStatusDTO getReportGenerationJobStatus(String jobId);
+
+    /**
+     * Retrieves a generated compliance report by its ID.
+     * @param reportId The ID of the generated report.
+     * @return The ComplianceReportDTO or null if not found.
+     */
+    ComplianceReportDTO getGeneratedReport(String reportId);
+
+    /**
+     * Retrieves the overall compliance status for a specific asset.
+     * @param assetId The ID of the asset.
+     * @return AssetComplianceStatusDTO or null if asset not found or no status available.
+     */
+    AssetComplianceStatusDTO getAssetComplianceStatus(String assetId);
+
+    /**
+     * Lists all available (and typically enabled) compliance controls.
+     * @return A list of ComplianceControlDTOs.
+     */
+    List<ComplianceControlDTO> listAvailableControls();
+
+    /**
+     * Initiates the evaluation of a specific compliance control.
+     * @param controlId The ID of the control to evaluate.
+     * @param request DTO containing parameters for the evaluation.
+     * @return A response DTO with the job ID and status.
+     */
+    ControlEvaluationResponseDTO evaluateControl(String controlId, ControlEvaluationRequestDTO request);
+
+    // TODO: Add method to get status of a control evaluation job
+    // ControlEvaluationJobStatusDTO getControlEvaluationJobStatus(String jobId);
+
+    // Methods to be added later:
+    // ReportGenerationResponseDTO generateComplianceReport(String reportType, ReportGenerationRequestDTO request);
+    // ReportJobStatusDTO getReportGenerationJobStatus(String jobId);
+    // ... and others for controls and asset status
+} 

src/main/java/com/dalab/autocompliance/service/exception/ControlNotFoundException.java

@@ -0,0 +1,15 @@
+package com.dalab.autocompliance.service.exception;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.annotation.ResponseStatus;
+
+@ResponseStatus(HttpStatus.NOT_FOUND)
+public class ControlNotFoundException extends RuntimeException {
+    public ControlNotFoundException(String message) {
+        super(message);
+    }
+
+    public ControlNotFoundException(String message, Throwable cause) {
+        super(message, cause);
+    }
+} 

src/main/java/com/dalab/autocompliance/service/exception/GeneratedReportNotFoundException.java

@@ -0,0 +1,15 @@
+package com.dalab.autocompliance.service.exception;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.annotation.ResponseStatus;
+
+@ResponseStatus(HttpStatus.NOT_FOUND)
+public class GeneratedReportNotFoundException extends RuntimeException {
+    public GeneratedReportNotFoundException(String message) {
+        super(message);
+    }
+
+    public GeneratedReportNotFoundException(String message, Throwable cause) {
+        super(message, cause);
+    }
+} 

src/main/java/com/dalab/autocompliance/service/exception/ReportDefinitionNotFoundException.java

@@ -0,0 +1,15 @@
+package com.dalab.autocompliance.service.exception;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.annotation.ResponseStatus;
+
+@ResponseStatus(HttpStatus.NOT_FOUND)
+public class ReportDefinitionNotFoundException extends RuntimeException {
+    public ReportDefinitionNotFoundException(String message) {
+        super(message);
+    }
+
+    public ReportDefinitionNotFoundException(String message, Throwable cause) {
+        super(message, cause);
+    }
+} 

src/main/java/com/dalab/autocompliance/service/exception/ReportJobNotFoundException.java

@@ -0,0 +1,15 @@
+package com.dalab.autocompliance.service.exception;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.annotation.ResponseStatus;
+
+@ResponseStatus(HttpStatus.NOT_FOUND)
+public class ReportJobNotFoundException extends RuntimeException {
+    public ReportJobNotFoundException(String message) {
+        super(message);
+    }
+
+    public ReportJobNotFoundException(String message, Throwable cause) {
+        super(message, cause);
+    }
+} 

src/main/java/com/dalab/autocompliance/service/impl/ComplianceServiceImpl.java

@@ -0,0 +1,324 @@
+package com.dalab.autocompliance.service.impl;
+
+import java.time.LocalDateTime;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+import java.util.stream.Collectors;
+
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+import com.dalab.autocompliance.dto.AssetComplianceStatusDTO;
+import com.dalab.autocompliance.dto.ComplianceControlDTO;
+import com.dalab.autocompliance.dto.ComplianceReportDTO;
+import com.dalab.autocompliance.dto.ComplianceReportDefinitionDTO;
+import com.dalab.autocompliance.dto.ControlEvaluationRequestDTO;
+import com.dalab.autocompliance.dto.ControlEvaluationResponseDTO;
+import com.dalab.autocompliance.dto.ReportGenerationRequestDTO;
+import com.dalab.autocompliance.dto.ReportGenerationResponseDTO;
+import com.dalab.autocompliance.dto.ReportJobStatusDTO;
+import com.dalab.autocompliance.model.entity.ComplianceControlEntity;
+import com.dalab.autocompliance.model.entity.ComplianceGeneratedReportEntity;
+import com.dalab.autocompliance.model.entity.ComplianceReportDefinitionEntity;
+import com.dalab.autocompliance.model.entity.ComplianceReportJobEntity;
+import com.dalab.autocompliance.model.entity.ControlEvaluationJobEntity;
+import com.dalab.autocompliance.model.mapper.ComplianceControlMapper;
+import com.dalab.autocompliance.model.mapper.ComplianceGeneratedReportMapper;
+import com.dalab.autocompliance.model.mapper.ComplianceReportDefinitionMapper;
+import com.dalab.autocompliance.model.mapper.ComplianceReportJobMapper;
+import com.dalab.autocompliance.model.mapper.ControlEvaluationJobMapper;
+import com.dalab.autocompliance.model.repository.ComplianceControlRepository;
+import com.dalab.autocompliance.model.repository.ComplianceGeneratedReportRepository;
+import com.dalab.autocompliance.model.repository.ComplianceReportDefinitionRepository;
+import com.dalab.autocompliance.model.repository.ComplianceReportJobRepository;
+import com.dalab.autocompliance.model.repository.ControlEvaluationJobRepository;
+import com.dalab.autocompliance.service.IComplianceService;
+import com.dalab.autocompliance.service.exception.ControlNotFoundException;
+import com.dalab.autocompliance.service.exception.GeneratedReportNotFoundException;
+import com.dalab.autocompliance.service.exception.ReportDefinitionNotFoundException;
+import com.dalab.autocompliance.service.exception.ReportJobNotFoundException;
+
+import jakarta.annotation.PostConstruct;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+
+@Service("complianceService")
+@RequiredArgsConstructor
+@Slf4j
+public class ComplianceServiceImpl implements IComplianceService {
+
+    private final ComplianceReportDefinitionRepository reportDefinitionRepository;
+    private final ComplianceReportJobRepository reportJobRepository;
+    private final ComplianceGeneratedReportRepository generatedReportRepository;
+    private final ComplianceControlRepository controlRepository;
+    private final ControlEvaluationJobRepository controlEvaluationJobRepository;
+
+    private final ComplianceReportDefinitionMapper reportDefinitionMapper;
+    private final ComplianceReportJobMapper reportJobMapper;
+    private final ComplianceGeneratedReportMapper generatedReportMapper;
+    private final ComplianceControlMapper controlMapper;
+    private final ControlEvaluationJobMapper controlEvaluationJobMapper;
+
+    @PostConstruct
+    @Transactional
+    public void initDefaultData() {
+        initDefaultReportDefinitions();
+        initDefaultControls();
+    }
+
+    public void initDefaultReportDefinitions() {
+        if (reportDefinitionRepository.count() == 0) {
+            log.info("Initializing default compliance report definitions...");
+            List<ComplianceReportDefinitionEntity> defaultDefinitions = new ArrayList<>();
+            defaultDefinitions.add(ComplianceReportDefinitionEntity.builder()
+                .reportType("cis-gcp-foundations-v1.3")
+                .displayName("CIS Google Cloud Platform Foundations Benchmark v1.3")
+                .description("Checks for compliance against the CIS GCP Foundations Benchmark v1.3.")
+                .version("1.3.0")
+                .applicableComplianceFrameworks(List.of("CIS Benchmark"))
+                .targetAssetTypes(List.of("GCP_PROJECT", "GCP_IAM_POLICY", "GCP_VPC_NETWORK"))
+                .generationParametersDefinition(Map.of("gcpProjectId", "string", "targetRegions", "list_string"))
+                .detailsLink("https://www.cisecurity.org/benchmark/google_cloud_computing_platform/")
+                .build());
+
+            defaultDefinitions.add(ComplianceReportDefinitionEntity.builder()
+                .reportType("pci-dss-aws-v3.2.1")
+                .displayName("PCI DSS v3.2.1 for AWS Infrastructure")
+                .description("Assesses AWS resources against applicable PCI DSS v3.2.1 requirements.")
+                .version("3.2.1")
+                .applicableComplianceFrameworks(List.of("PCI DSS v3.2.1"))
+                .targetAssetTypes(List.of("AWS_EC2_INSTANCE", "AWS_S3_BUCKET", "AWS_VPC"))
+                .generationParametersDefinition(Map.of("awsAccountId", "string", "awsRegion", "string"))
+                .detailsLink("https://aws.amazon.com/compliance/pci-dss/")
+                .build());
+            reportDefinitionRepository.saveAll(defaultDefinitions);
+            log.info("{} default compliance report definitions initialized.", defaultDefinitions.size());
+        }
+    }
+
+    public void initDefaultControls() {
+        if (controlRepository.count() == 0) {
+            log.info("Initializing default compliance controls...");
+            List<ComplianceControlEntity> defaultControls = new ArrayList<>();
+            defaultControls.add(ComplianceControlEntity.builder()
+                .controlId("CIS-GCP-1.1")
+                .name("Ensure that corporate login credentials are used instead of gmail.com accounts")
+                .description("GCP supports using Google Workspace or Cloud Identity to manage user identities. It is recommended to use managed corporate accounts instead of personal gmail.com accounts for managing cloud resources.")
+                .severity("MEDIUM")
+                .applicableFrameworks(List.of("CIS GCP Foundations Benchmark v1.3"))
+                .targetAssetTypes(List.of("GCP_IAM_POLICY"))
+                .remediationSteps("Migrate any gmail.com accounts with IAM roles to managed corporate accounts.")
+                .evaluationParametersDefinition(Map.of("gcpProjectId", "string"))
+                .detailsLink("https://www.cisecurity.org/benchmark/google_cloud_computing_platform/") // Point to specific control if possible
+                .enabled(true)
+                .build());
+            defaultControls.add(ComplianceControlEntity.builder()
+                .controlId("PCI-REQ-8.2.3")
+                .name("Use strong passwords (or passphrases)")
+                .description("Ensure passwords/passphrases meet minimum complexity requirements as defined by PCI DSS requirement 8.2.3.")
+                .severity("HIGH")
+                .applicableFrameworks(List.of("PCI DSS v3.2.1"))
+                .targetAssetTypes(List.of("AWS_IAM_USER", "Linux_Server")) // Example asset types
+                .remediationSteps("Configure password policies to enforce complexity. For existing users, enforce password change at next login.")
+                .evaluationParametersDefinition(Map.of("minPasswordLength", "integer", "requiresUppercase", "boolean")) // Example params
+                .detailsLink("https://www.pcisecuritystandards.org/") // Point to specific control
+                .enabled(true)
+                .build());
+            controlRepository.saveAll(defaultControls);
+            log.info("{} default compliance controls initialized.", defaultControls.size());
+        }
+    }
+
+    @Override
+    @Transactional(readOnly = true)
+    public List<ComplianceReportDefinitionDTO> listAvailableReportDefinitions() {
+        log.debug("Fetching all available report definitions.");
+        List<ComplianceReportDefinitionEntity> entities = reportDefinitionRepository.findAll();
+        return reportDefinitionMapper.toDtoList(entities);
+    }
+
+    @Override
+    @Transactional
+    public ReportGenerationResponseDTO generateComplianceReport(String reportType, ReportGenerationRequestDTO request) {
+        log.info("Request to generate report type: {} with parameters: {}", reportType, request.getParameters());
+
+        ComplianceReportDefinitionEntity definitionEntity = reportDefinitionRepository.findByReportTypeIgnoreCase(reportType)
+                .orElseThrow(() -> {
+                    log.warn("Report type '{}' not found.", reportType);
+                    return new ReportDefinitionNotFoundException("Report type " + reportType + " not found.");
+                });
+
+        // Validate parameters (basic check for key presence)
+        if (request.getParameters() == null || 
+            !request.getParameters().keySet().containsAll(definitionEntity.getGenerationParametersDefinition().keySet())) {
+            String errorMsg = String.format("Missing required parameters for report type '%s'. Required: %s, Provided: %s",
+                                   reportType, definitionEntity.getGenerationParametersDefinition().keySet(), 
+                                   request.getParameters() != null ? request.getParameters().keySet() : "null");
+            log.warn(errorMsg);
+            // For immediate feedback, we can return a response, though throwing an exception is also an option.
+            return ReportGenerationResponseDTO.builder()
+                    .jobId(null).reportType(reportType).status("FAILED_VALIDATION")
+                    .submittedAt(LocalDateTime.now()).message(errorMsg)
+                    .build();
+        }
+
+        ComplianceReportJobEntity jobEntity = reportJobMapper.fromGenerationRequest(request, reportType);
+        jobEntity.setJobId(UUID.randomUUID().toString());
+        jobEntity.setStatus("QUEUED");
+        jobEntity.setSubmittedAt(LocalDateTime.now());
+        jobEntity.setReportType(definitionEntity.getReportType()); // Ensure canonical report type
+        // triggeredBy and notificationEmail are mapped by mapper if present in request
+
+        reportJobRepository.save(jobEntity);
+        log.info("Report generation job {} for report type '{}' accepted and queued.", jobEntity.getJobId(), reportType);
+
+        // TODO: Trigger actual asynchronous report generation (e.g., via @Async method or Kafka message)
+        // This async process would later update the jobEntity status and link to a ComplianceGeneratedReportEntity.
+
+        return ReportGenerationResponseDTO.builder()
+                .jobId(jobEntity.getJobId()).reportType(reportType).status("ACCEPTED")
+                .submittedAt(jobEntity.getSubmittedAt()).message("Report generation accepted and queued.")
+                .build();
+    }
+
+    @Override
+    @Transactional(readOnly = true)
+    public ReportJobStatusDTO getReportGenerationJobStatus(String jobId) {
+        log.debug("Fetching status for job ID: {}", jobId);
+        ComplianceReportJobEntity jobEntity = reportJobRepository.findById(jobId)
+                .orElseThrow(() -> {
+                    log.warn("Job ID '{}' not found.", jobId);
+                    return new ReportJobNotFoundException("Job ID " + jobId + " not found.");
+                });
+        return reportJobMapper.toDto(jobEntity);
+    }
+
+    @Override
+    @Transactional(readOnly = true)
+    public ComplianceReportDTO getGeneratedReport(String reportId) {
+        log.debug("Fetching generated report for report ID: {}", reportId);
+        ComplianceGeneratedReportEntity reportEntity = generatedReportRepository.findById(reportId)
+                .orElseThrow(() -> {
+                    log.warn("Report ID '{}' not found.", reportId);
+                    return new GeneratedReportNotFoundException("Generated report with ID " + reportId + " not found.");
+                });
+        return generatedReportMapper.toDto(reportEntity);
+    }
+
+    @Override
+    @Transactional(readOnly = true)
+    public AssetComplianceStatusDTO getAssetComplianceStatus(String assetId) {
+        log.debug("Fetching compliance status for asset ID: {}", assetId);
+        
+        // This is a simplified implementation. A more robust solution would involve:
+        // 1. Querying `ComplianceGeneratedReportEntity` for reports containing this assetId (potentially using the native query or service-layer filtering).
+        // 2. Aggregating findings from those reports.
+        // 3. Determining overall status based on those findings.
+        // For now, we mock it by looking for the dummy asset in any dummy report.
+
+        List<ComplianceGeneratedReportEntity> reportsWithAsset = generatedReportRepository.findReportsContainingAssetId(assetId);
+
+        if (reportsWithAsset.isEmpty()) {
+            log.warn("Asset ID '{}' not found in any generated reports or no compliance data available.", assetId);
+            return AssetComplianceStatusDTO.builder()
+                    .assetId(assetId)
+                    .overallComplianceStatus("UNKNOWN") // Or NOT_EVALUATED
+                    .lastEvaluatedAt(LocalDateTime.now()) // Or null if never evaluated
+                    .build();
+        }
+
+        List<AssetComplianceStatusDTO.ComplianceFindingSummaryDTO> assetFindingsSummaries = new ArrayList<>();
+        List<String> relevantReportIds = new ArrayList<>();
+        int compliantCount = 0;
+        int nonCompliantCount = 0;
+        String assetType = "UNKNOWN";
+        String assetName = "UNKNOWN"; 
+        LocalDateTime lastEvalTime = null;
+
+        for (ComplianceGeneratedReportEntity reportEntity : reportsWithAsset) {
+            relevantReportIds.add(reportEntity.getReportId());
+            if (reportEntity.getFindingsData() != null) {
+                for (com.dalab.autocompliance.model.entity.ReportFindingData findingData : reportEntity.getFindingsData()) {
+                    if (assetId.equals(findingData.getAssetId())) {
+                        // Update asset details from the first finding containing them (could be more sophisticated)
+                        if ("UNKNOWN".equals(assetType) && findingData.getAssetType() != null) assetType = findingData.getAssetType();
+                        if ("UNKNOWN".equals(assetName) && findingData.getAssetName() != null) assetName = findingData.getAssetName();
+                        
+                        if ("NON_COMPLIANT".equalsIgnoreCase(findingData.getStatus())) {
+                            nonCompliantCount++;
+                            assetFindingsSummaries.add(AssetComplianceStatusDTO.ComplianceFindingSummaryDTO.builder()
+                                    .checkId(findingData.getCheckId())
+                                    .description(findingData.getDescription())
+                                    .severity(findingData.getSeverity())
+                                    .reportId(reportEntity.getReportId())
+                                    .findingTimestamp(reportEntity.getGenerationTimestamp()) 
+                                    .build());
+                        } else if ("COMPLIANT".equalsIgnoreCase(findingData.getStatus())) {
+                            compliantCount++;
+                        }
+                        // Update last evaluation time for this asset based on reports
+                        if (lastEvalTime == null || reportEntity.getGenerationTimestamp().isAfter(lastEvalTime)) {
+                            lastEvalTime = reportEntity.getGenerationTimestamp();
+                        }
+                    }
+                }
+            }
+        }
+
+        String overallStatus = "UNKNOWN";
+        if (compliantCount > 0 || nonCompliantCount > 0) {
+            overallStatus = nonCompliantCount > 0 ? "NON_COMPLIANT" : "COMPLIANT";
+        } else if (!reportsWithAsset.isEmpty()) {
+             overallStatus = "NO_FINDINGS"; // Or EVALUATED_COMPLIANT if all checks were compliant
+        }
+
+        return AssetComplianceStatusDTO.builder()
+                .assetId(assetId)
+                .assetType(assetType)
+                .assetName(assetName)
+                .overallComplianceStatus(overallStatus)
+                .lastEvaluatedAt(lastEvalTime != null ? lastEvalTime : LocalDateTime.now()) // Fallback, should ideally be from data
+                .totalChecksApplied(compliantCount + nonCompliantCount) // This is simplified, total checks could be different
+                .compliantChecks(compliantCount)
+                .nonCompliantChecks(nonCompliantCount)
+                .recentNonCompliantFindings(assetFindingsSummaries.stream().limit(5).collect(Collectors.toList()))
+                .relevantReportIds(relevantReportIds)
+                .build();
+    }
+
+    @Override
+    @Transactional(readOnly = true)
+    public List<ComplianceControlDTO> listAvailableControls() {
+        log.debug("Fetching all available and enabled compliance controls.");
+        List<ComplianceControlEntity> entities = controlRepository.findByEnabledTrue(); 
+        return controlMapper.toDtoList(entities);
+    }
+
+    @Override
+    @Transactional
+    public ControlEvaluationResponseDTO evaluateControl(String controlId, ControlEvaluationRequestDTO request) {
+        log.info("Request to evaluate control ID: {} with request: {}", controlId, request);
+
+        ComplianceControlEntity controlEntity = controlRepository.findByControlIdIgnoreCase(controlId)
+                .orElseThrow(() -> {
+                    log.warn("Control ID '{}' not found.", controlId);
+                    return new ControlNotFoundException("Control ID " + controlId + " not found.");
+                });
+        
+        // Create and save the evaluation job
+        ControlEvaluationJobEntity jobEntity = controlEvaluationJobMapper.fromRequestDto(request, controlId);
+        jobEntity = controlEvaluationJobRepository.save(jobEntity);
+        
+        log.info("Created control evaluation job {} for control {}", jobEntity.getJobId(), controlId);
+        
+        // TODO: Implement actual control evaluation logic
+        // This would typically involve:
+        // 1. Fetching relevant assets based on request parameters
+        // 2. Applying the control's evaluation logic
+        // 3. Updating the job status and results
+        
+        return controlEvaluationJobMapper.toResponseDto(jobEntity);
+    }
+} 

src/main/resources/application.properties

@@ -0,0 +1,57 @@
+# DALab AutoCompliance Service Configuration
+spring.application.name=da-autocompliance
+server.port=8080
+
+# Database Configuration - da_autocompliance database
+spring.datasource.url=jdbc:postgresql://localhost:5432/da_autocompliance
+spring.datasource.username=da_autocompliance_user
+spring.datasource.password=da_autocompliance_pass
+spring.datasource.driver-class-name=org.postgresql.Driver
+
+# JPA Configuration
+spring.jpa.hibernate.ddl-auto=update
+spring.jpa.show-sql=false
+spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
+spring.jpa.properties.hibernate.format_sql=true
+
+# Common entities database configuration (for da-protos entities)
+dalab.common.datasource.url=jdbc:postgresql://localhost:5432/dalab_common
+dalab.common.datasource.username=dalab_common_user
+dalab.common.datasource.password=dalab_common_pass
+
+# Kafka Configuration
+spring.kafka.bootstrap-servers=localhost:9092
+spring.kafka.consumer.group-id=da-autocompliance-group
+spring.kafka.consumer.auto-offset-reset=earliest
+spring.kafka.consumer.key-deserializer=org.apache.kafka.common.serialization.StringDeserializer
+spring.kafka.consumer.value-deserializer=org.springframework.kafka.support.serializer.JsonDeserializer
+spring.kafka.consumer.properties.spring.json.trusted.packages=*
+spring.kafka.producer.key-serializer=org.apache.kafka.common.serialization.StringSerializer
+spring.kafka.producer.value-serializer=org.springframework.kafka.support.serializer.JsonSerializer
+
+# Kafka Topics
+dalab.kafka.topics.policy-actions=dalab.policies.actions
+dalab.kafka.topics.compliance-events=dalab.compliance.events
+
+# Security Configuration (Keycloak JWT)
+spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8180/realms/dalab
+spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://localhost:8180/realms/dalab/protocol/openid-connect/certs
+
+# Compliance Configuration
+compliance.evaluation.batch.size=100
+compliance.reports.default.retention.days=365
+compliance.alerts.enabled=true
+
+# Actuator Configuration
+management.endpoints.web.exposure.include=health,info,metrics,prometheus
+management.endpoint.health.show-details=when-authorized
+management.metrics.export.prometheus.enabled=true
+
+# OpenAPI Documentation
+springdoc.api-docs.path=/v3/api-docs
+springdoc.swagger-ui.path=/swagger-ui.html
+
+# Logging Configuration
+logging.level.com.dalab.autocompliance=INFO
+logging.level.org.springframework.kafka=WARN
+logging.level.org.springframework.security=WARN 

src/test/java/com/dalab/autocompliance/controller/ComplianceControllerTest.java

@@ -0,0 +1,161 @@
+package com.dalab.autocompliance.controller;
+
+import com.dalab.autocompliance.dto.*;
+import com.dalab.autocompliance.service.IComplianceService;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.http.MediaType;
+import org.springframework.security.test.context.support.WithMockUser;
+import org.springframework.test.web.servlet.MockMvc;
+
+import java.time.LocalDateTime;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.BDDMockito.given;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
+
+@WebMvcTest(ComplianceController.class)
+class ComplianceControllerTest {
+
+    @Autowired
+    private MockMvc mockMvc;
+
+    @MockBean
+    private IComplianceService complianceService;
+
+    @Autowired
+    private ObjectMapper objectMapper;
+
+    private ComplianceReportDefinitionDTO reportDefinitionDTO;
+    private ReportGenerationRequestDTO reportGenerationRequestDTO;
+    private ReportGenerationResponseDTO reportGenerationResponseDTO;
+    private ReportJobStatusDTO reportJobStatusDTO;
+    private ComplianceReportDTO complianceReportDTO;
+    private AssetComplianceStatusDTO assetComplianceStatusDTO;
+    private ComplianceControlDTO complianceControlDTO;
+    private ControlEvaluationRequestDTO controlEvaluationRequestDTO;
+    private ControlEvaluationResponseDTO controlEvaluationResponseDTO;
+
+    @BeforeEach
+    void setUp() {
+        reportDefinitionDTO = ComplianceReportDefinitionDTO.builder().reportType("test-report").displayName("Test Report").build();
+        
+        reportGenerationRequestDTO = ReportGenerationRequestDTO.builder().parameters(Map.of("param1", "value1")).build();
+        reportGenerationResponseDTO = ReportGenerationResponseDTO.builder().jobId(UUID.randomUUID().toString()).status("ACCEPTED").build();
+        
+        reportJobStatusDTO = ReportJobStatusDTO.builder().jobId(UUID.randomUUID().toString()).status("COMPLETED_SUCCESS").build();
+        
+        complianceReportDTO = ComplianceReportDTO.builder().reportId(UUID.randomUUID().toString()).overallStatus("COMPLIANT").build();
+        
+        assetComplianceStatusDTO = AssetComplianceStatusDTO.builder().assetId("asset-123").overallComplianceStatus("COMPLIANT").build();
+        
+        complianceControlDTO = ComplianceControlDTO.builder().controlId("control-001").name("Test Control").enabled(true).build();
+        
+        controlEvaluationRequestDTO = ControlEvaluationRequestDTO.builder().targetAssetIds(List.of("asset-123")).build();
+        controlEvaluationResponseDTO = ControlEvaluationResponseDTO.builder().jobId(UUID.randomUUID().toString()).status("ACCEPTED").build();
+    }
+
+    @Test
+    @WithMockUser(roles = "USER")
+    void listAvailableReportDefinitions_shouldReturnOk() throws Exception {
+        given(complianceService.listAvailableReportDefinitions()).willReturn(Collections.singletonList(reportDefinitionDTO));
+        mockMvc.perform(get("/api/v1/compliance/reports"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$[0].reportType").value("test-report"));
+    }
+
+    @Test
+    @WithMockUser(roles = "ADMIN")
+    void generateComplianceReport_shouldReturnAccepted() throws Exception {
+        given(complianceService.generateComplianceReport(anyString(), any(ReportGenerationRequestDTO.class))).willReturn(reportGenerationResponseDTO);
+        mockMvc.perform(post("/api/v1/compliance/reports/test-report/generate").with(csrf())
+                .contentType(MediaType.APPLICATION_JSON)
+                .content(objectMapper.writeValueAsString(reportGenerationRequestDTO)))
+                .andExpect(status().isAccepted())
+                .andExpect(jsonPath("$.status").value("ACCEPTED"));
+    }
+
+    @Test
+    @WithMockUser(roles = "USER")
+    void getReportGenerationJobStatus_shouldReturnOk() throws Exception {
+        given(complianceService.getReportGenerationJobStatus(anyString())).willReturn(reportJobStatusDTO);
+        mockMvc.perform(get("/api/v1/compliance/reports/jobs/some-job-id"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.status").value("COMPLETED_SUCCESS"));
+    }
+    
+    @Test
+    @WithMockUser(roles = "USER")
+    void getReportGenerationJobStatus_whenNotFound_shouldReturnNotFound() throws Exception {
+        ReportJobStatusDTO notFoundDto = ReportJobStatusDTO.builder().jobId("not-found-id").status("NOT_FOUND").build();
+        given(complianceService.getReportGenerationJobStatus("not-found-id")).willReturn(notFoundDto);
+        mockMvc.perform(get("/api/v1/compliance/reports/jobs/not-found-id"))
+                .andExpect(status().isNotFound());
+    }
+
+    @Test
+    @WithMockUser(roles = "USER")
+    void getGeneratedReport_shouldReturnOk() throws Exception {
+        given(complianceService.getGeneratedReport(anyString())).willReturn(complianceReportDTO);
+        mockMvc.perform(get("/api/v1/compliance/reports/results/some-report-id"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.overallStatus").value("COMPLIANT"));
+    }
+    
+    @Test
+    @WithMockUser(roles = "USER")
+    void getGeneratedReport_whenNotFound_shouldReturnNotFound() throws Exception {
+        given(complianceService.getGeneratedReport("not-found-id")).willReturn(null);
+        mockMvc.perform(get("/api/v1/compliance/reports/results/not-found-id"))
+                .andExpect(status().isNotFound());
+    }
+
+    @Test
+    @WithMockUser(roles = "USER")
+    void getAssetComplianceStatus_shouldReturnOk() throws Exception {
+        given(complianceService.getAssetComplianceStatus(anyString())).willReturn(assetComplianceStatusDTO);
+        mockMvc.perform(get("/api/v1/compliance/assets/asset-123"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.overallComplianceStatus").value("COMPLIANT"));
+    }
+    
+    @Test
+    @WithMockUser(roles = "USER")
+    void getAssetComplianceStatus_whenNotFound_shouldReturnNotFound() throws Exception {
+        AssetComplianceStatusDTO notFoundStatus = AssetComplianceStatusDTO.builder().assetId("asset-not-found").overallComplianceStatus("UNKNOWN").relevantReportIds(null).build();
+        given(complianceService.getAssetComplianceStatus("asset-not-found")).willReturn(notFoundStatus);
+        mockMvc.perform(get("/api/v1/compliance/assets/asset-not-found"))
+                .andExpect(status().isNotFound());
+    }
+
+    @Test
+    @WithMockUser(roles = "USER")
+    void listAvailableControls_shouldReturnOk() throws Exception {
+        given(complianceService.listAvailableControls()).willReturn(Collections.singletonList(complianceControlDTO));
+        mockMvc.perform(get("/api/v1/compliance/controls"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$[0].controlId").value("control-001"));
+    }
+
+    @Test
+    @WithMockUser(roles = "ADMIN")
+    void evaluateControl_shouldReturnAccepted() throws Exception {
+        given(complianceService.evaluateControl(anyString(), any(ControlEvaluationRequestDTO.class))).willReturn(controlEvaluationResponseDTO);
+        mockMvc.perform(post("/api/v1/compliance/controls/control-001/evaluate").with(csrf())
+                .contentType(MediaType.APPLICATION_JSON)
+                .content(objectMapper.writeValueAsString(controlEvaluationRequestDTO)))
+                .andExpect(status().isAccepted())
+                .andExpect(jsonPath("$.status").value("ACCEPTED"));
+    }
+} 

src/test/java/com/dalab/autocompliance/service/impl/ComplianceServiceImplTest.java

@@ -0,0 +1 @@
+