Overview
Risk and compliance products are usually built under pressure from audits, incidents, or customer due diligence requirements. That creates two recurring failures in backend design: domain models collapse into generic ticket tables, and authorization becomes scattered policy checks that are hard to reason about. This API was designed to avoid both outcomes by starting with explicit governance entities and a strict layered architecture.
The repository implements a FastAPI service for risks, controls, evidence, tasks, users, authentication, health checks, and audit event retrieval. It is not just CRUD around a single table. It captures the relationships that governance teams actually use: risks own controls and tasks, controls own evidence, and all write actions are traceable through audit records.
Technical Design
Routing is split under app/api with dedicated modules such as /risks, /controls, /evidence, /tasks, /auth, /users, and /audit. The API layer delegates business rules to app/services, and services delegate persistence concerns to app/repositories, which keeps transaction logic and query behavior isolated from endpoint concerns.
Data modeling uses SQLAlchemy 2.0 with UUID primary keys, enum-backed status and severity fields, timestamp columns, and foreign-key relationships across domain entities. Pydantic v2 schemas define separate create, update, and read contracts for each resource, keeping request validation and response shape explicit.
Authentication uses JWT access and refresh tokens, including refresh-token lifecycle handling. Authorization includes role checks, with admin-only operations for sensitive routes such as user creation and audit event listing. The architecture also includes request IDs, structured logging, Docker support, Alembic migrations, and environment-driven runtime configuration.
Key Features
- Layered FastAPI architecture with routers, services, repositories, and typed schemas
- Domain resources for risks, controls, evidence, tasks, users, and audit events
- Auth endpoints for login, refresh, and current-user retrieval
- RBAC-enforced endpoints through role requirements and ownership-aware service logic
- Audit trail coverage for write operations via dedicated audit service and persistence layer
- Filtering and pagination support on list endpoints for operational use at scale
- Deployment and developer ergonomics through Docker Compose, migration scripts, and test tooling
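The service-layer pattern behind the RBAC and audit-trail features above, shown as an added example rather than the repository's own code: the router never decides authorization; the service checks the role, then ownership, and writes the audit record in the same operation as the change. The role names ("admin", "analyst"), the `risk.update` action name, and the in-memory repository standing in for the SQLAlchemy repositories are all assumptions.

```python
from dataclasses import dataclass
from uuid import UUID, uuid4

class PermissionDenied(Exception):
    """Raised by the service layer; the API layer maps it to HTTP 403."""

@dataclass
class Risk:
    owner_id: UUID
    status: str = "open"

@dataclass
class AuditEvent:
    actor_id: UUID
    action: str
    entity_id: UUID
    changes: dict  # field -> [old, new], enough to reconstruct the write

class InMemoryRepo:  # assumed stand-in for the SQLAlchemy repositories: persistence only
    def __init__(self) -> None:
        self.risks: dict[UUID, Risk] = {}
        self.audit: list[AuditEvent] = []

class RiskService:
    """Rules live here, not in the router: role, then ownership, then write plus audit."""
    def __init__(self, repo: InMemoryRepo) -> None:
        self.repo = repo

    def update_status(self, actor_id: UUID, role: str, risk_id: UUID, status: str) -> Risk:
        risk = self.repo.risks[risk_id]
        # Admins may edit any risk; every other role only the risks it owns.
        if role != "admin" and risk.owner_id != actor_id:
            raise PermissionDenied("actor does not own this risk")
        old, risk.status = risk.status, status
        self.repo.audit.append(AuditEvent(actor_id, "risk.update", risk_id, {"status": [old, status]}))
        return risk

def demo() -> dict:
    """Constructed scenario: owner succeeds, non-owner analyst is denied, admin succeeds."""
    repo, owner, other, rid = InMemoryRepo(), uuid4(), uuid4(), uuid4()
    repo.risks[rid] = Risk(owner)
    svc = RiskService(repo)
    out = {"owner": svc.update_status(owner, "analyst", rid, "mitigated").status}
    try:
        svc.update_status(other, "analyst", rid, "closed")
    except PermissionDenied:
        out["intruder"] = ("denied", repo.risks[rid].status, len(repo.audit))
    out["admin"] = svc.update_status(other, "admin", rid, "closed").status
    out["audit"] = [(e.action, e.changes["status"]) for e in repo.audit]
    return out
```

A denied request leaves both the risk and the audit log untouched, so the audit trail records only writes that actually happened.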
The result is a backend foundation that is concrete enough for production use while still cleanly extensible for additional governance modules.