๐ EU Parliament Monitor โ CI/CD Workflows
๐ก๏ธ Automated Security Excellence Through Continuous Integration
๐ฏ Transparent Pipeline Operations Demonstrating ISMS Policy Compliance
๐ Document Owner: CEO | ๐ Version: 4.0 | ๐
Last Updated: 2026-03-31 (UTC)
๐ Review Cycle: Quarterly | โฐ Next Review: 2026-06-30
๐ Workflow Status Badges
CI/CD Pipeline Status:
Security & Quality Metrics:
๐ ISMS Policy Alignment
EU Parliament Monitor's CI/CD workflows implement security controls mandated by Hack23 AB's ISMS framework:
| ISMS Policy | Workflow Implementation |
|---|---|
| ๐ ๏ธ Secure Development Policy | SAST (CodeQL), SCA (Dependency Review), E2E (Playwright), performance testing |
| ๐ Change Management | Automated testing gates, security scanning, PR review requirements |
| ๐ Vulnerability Management | Dependabot, CodeQL, OSSF Scorecard, npm audit, security advisories |
| ๐ Open Source Policy | SLSA attestations, SBOM generation, REUSE license compliance |
| ๐ Information Security Policy | Security-hardened runners, SHA-pinned actions, least privilege permissions |
| ๐ Access Control Policy | OIDC authentication, minimal workflow permissions, branch protection |
| ๐ Cryptography Policy | Sigstore signing, SLSA L3 provenance, build attestations |
| ๐จ Incident Response Plan | Automated rollback procedures, incident classification workflows |
| ๐พ Backup & Recovery Policy | Multi-CDN deployment (S3 + GitHub Pages DR), version control |
| ๐ค Third Party Management | SHA-pinned actions, dependency review, supply chain security |
Compliance Framework Mapping
| Framework | Version | Relevant Controls | Implementation |
|---|---|---|---|
| ISO 27001 | 2022 | A.8.25, A.8.26, A.8.27, A.8.28, A.12.1.4, A.12.6.1, A.14.2.1 | Secure development lifecycle, testing, change management |
| NIST CSF | 2.0 | PR.DS, DE.CM, ID.SC, RS.MI | Data security, monitoring, supply chain, mitigation |
| CIS Controls | v8.1 | 2.2, 4.1, 7.1, 16.1, 17.1 | Software inventory, access control, code signing, application security |
| EU CRA | 2024 | Art. 10, Art. 11 | SBOM generation, vulnerability disclosure, security updates |
๐ Architecture Documentation Map
| Document | Focus | Description | Documentation Link |
|---|---|---|---|
| Architecture | ๐๏ธ Architecture | C4 model showing current system structure | View Source |
| Future Architecture | ๐๏ธ Architecture | C4 model showing future system structure | View Source |
| Mindmaps | ๐ง Concept | Current system component relationships | View Source |
| Future Mindmaps | ๐ง Concept | Future capability evolution | View Source |
| SWOT Analysis | ๐ผ Business | Current strategic assessment | View Source |
| Future SWOT Analysis | ๐ผ Business | Future strategic opportunities | View Source |
| Data Model | ๐ Data | Current data structures and relationships | View Source |
| Future Data Model | ๐ Data | Enhanced European Parliament data architecture | View Source |
| Flowcharts | ๐ Process | Current data processing workflows | View Source |
| Future Flowcharts | ๐ Process | Enhanced AI-driven workflows | View Source |
| State Diagrams | ๐ Behavior | Current system state transitions | View Source |
| Future State Diagrams | ๐ Behavior | Enhanced adaptive state transitions | View Source |
| Security Architecture | ๐ก๏ธ Security | Current security implementation | View Source |
| Future Security Architecture | ๐ก๏ธ Security | Security enhancement roadmap | View Source |
| Threat Model | ๐ฏ Security | Political Threat Landscape analysis | View Source |
| Classification | ๐ท๏ธ Governance | CIA classification & BCP | View Source |
| CRA Assessment | ๐ก๏ธ Compliance | Cyber Resilience Act | View Source |
| Workflows | โ๏ธ DevOps | CI/CD documentation | View Source |
| Future Workflows | ๐ DevOps | Planned CI/CD enhancements | View Source |
| Business Continuity Plan | ๐ Resilience | Recovery planning | View Source |
| Financial Security Plan | ๐ฐ Financial | Cost & security analysis | View Source |
| End-of-Life Strategy | ๐ฆ Lifecycle | Technology EOL planning | View Source |
| Unit Test Plan | ๐งช Testing | Unit testing strategy | View Source |
| E2E Test Plan | ๐ Testing | End-to-end testing | View Source |
| Performance Testing | โก Performance | Performance benchmarks | View Source |
| Security Policy | ๐ Security | Vulnerability reporting & security policy | View Source |
๐ Executive Summary
EU Parliament Monitor employs a comprehensive suite of 22 GitHub Actions workflows (12 standard + 10 agentic) for automated intelligence operations, quality assurance, security scanning, and release management. All workflows follow Hack23 ISMS Secure Development Policy standards.
Workflow Portfolio
| # | Workflow | Purpose | Schedule / Trigger | ISMS Alignment |
|---|---|---|---|---|
| 1 | Agentic News Workflows (ร10) | AI-generated multi-language news articles | Varied schedules (see ยง1) | Integrity controls (Medium) |
| 2 | Test & Report | Unit tests, integration tests, coverage, performance | On PR/push to main | Quality assurance (ISO 27001 A.12.1.4) |
| 3 | CodeQL | SAST security scanning (JS/TS + GitHub Actions) | On PR/push + weekly Saturday | Vulnerability management (ISO 27001 A.12.6) |
| 4 | E2E Tests | End-to-end Playwright tests | On PR/push + daily midnight UTC | Functional validation |
| 5 | Release | Build, attest, document, release | Manual/tag push | SLSA L3, Documentation-as-code |
| 6 | Dependency Review | Supply chain security scanning | On PR | Supply chain security (NIST CSF ID.SC) |
| 7 | OpenSSF Scorecard | Security posture assessment | Weekly Tuesday 07:20 UTC | Continuous improvement |
| 8 | Deploy S3 | Production deployment to AWS | Push to main | Infrastructure as Code |
| 9 | REUSE Compliance | License and copyright verification | On PR/push + weekly Monday | Open Source Policy |
| 10 | SLSA Provenance | Build provenance attestation | On release + manual | Supply chain security (SLSA L3) |
| 11 | Compile Agentic Workflows | Compile .md โ .lock.yml via gh-aw CLI | Manual dispatch | Automation governance |
| 12 | Labeler | Automatic PR labeling | On pull_request_target | Workflow governance |
| 13 | Setup Labels | Repository label management | Manual dispatch | Repository governance |
| 14 | Copilot Setup Steps | GitHub Copilot agent environment setup | Push/PR to itself + manual | Agent infrastructure |
๐ Security Posture: All 12 standard workflows use SHA-pinned actions (100%), Harden Runner (step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0), and minimal permissions following least privilege principle.
๐๏ธ Pipeline Architecture
graph LR
A[Code Push] --> B[Build & Test]
B --> C[SCA Scan]
C --> D[CodeQL Scan]
D --> E[Quality Gate]
E --> F[Security Gate]
F --> G[SBOM Generation]
G --> H[Attestations]
H --> I[Release]
I --> J[Deploy]
classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:1.5px,color:white
classDef process fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
classDef security fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white
classDef decision fill:#f39c12,stroke:#e67e22,stroke-width:1.5px,color:black
classDef success fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
class A trigger
class B process
class C,D security
class E,F decision
class G,H security
class I,J success
Workflow Relationships
flowchart TB
subgraph "Continuous Integration"
direction TB
PR[Pull Request] --> CodeQLScan[CodeQL Analysis]
PR --> DependencyReview[Dependency Review]
PR --> Labeler[PR Labeler]
PR --> REUSECheck[REUSE Compliance]
CodeQLScan --> SecurityEvents[Security Events]
end
subgraph "Agentic Content Pipeline"
direction TB
Schedule1[Scheduled Triggers] --> AgenticNews[10 Agentic News Workflows]
AgenticNews --> Analysis[Political Intelligence Analysis]
Analysis --> Articles[14-Language Article Generation]
Articles --> ContentPR[Content Pull Request]
end
subgraph "Continuous Deployment"
direction TB
Release[Release Trigger] --> BuildTest[Prepare & Test]
BuildTest --> BuildPackage[Build & Package]
BuildPackage --> GenerateSBOM[Generate SBOM]
GenerateSBOM --> Attestations[Create Attestations]
Attestations --> CreateRelease[Create GitHub Release]
end
subgraph "Security Scanning"
direction TB
Weekly[Weekly Schedule] --> WeeklyScan[CodeQL Weekly Scan]
BranchProtection[Branch Protection] --> Scorecard[Scorecard Analysis]
end
PR -.-> |"approved & merged"| main[Main Branch]
ContentPR -.-> |"reviewed & merged"| main
main --> Scorecard
main --> DeployS3[Deploy to S3 + CloudFront]
main -.-> |"tag created"| Release
classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:1.5px,color:white
classDef process fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
classDef success fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
classDef decision fill:#f39c12,stroke:#e67e22,stroke-width:1.5px,color:black
classDef security fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white
class PR,CodeQLScan,DependencyReview,Labeler,REUSECheck trigger
class Release,BuildTest,BuildPackage,GenerateSBOM,Attestations,CreateRelease process
class main,DeployS3 success
class Schedule1,AgenticNews,Analysis,Articles,ContentPR decision
class SecurityEvents,Weekly,WeeklyScan,BranchProtection,Scorecard security
๐ Workflow Detailed Documentation
1. Agentic News Workflows (ร10)
๐ฏ Purpose: AI-powered generation of multi-language news articles about European Parliament activities using GitHub Copilot with the claude-opus-4.6 model
๐ Architecture: 10 markdown source files (9 content-generation + 1 translation) compiled to 10 .lock.yml files via gh aw compile (GitHub Agentic Workflows CLI)
๐ Languages: 14 (en, sv, da, no, fi, de, fr, es, nl, ar, he, ja, ko, zh)
Agentic Workflow Schedule Matrix
| Workflow | File | Schedule | Timeout |
|---|---|---|---|
| EU Parliament Week Ahead | news-week-ahead.lock.yml |
Friday 07:00 UTC | 60 min |
| EU Parliament Weekly Review | news-weekly-review.lock.yml |
Saturday 09:00 UTC | 60 min |
| EU Parliament Plenary Votes & Resolutions | news-motions.lock.yml |
Weekdays (MonโFri) 06:00 UTC | 60 min |
| EU Parliament Legislative Procedures | news-propositions.lock.yml |
Weekdays (MonโFri) 05:00 UTC | 60 min |
| EU Parliament Committee Activity | news-committee-reports.lock.yml |
Weekdays (MonโFri) 04:00 UTC | 60 min |
| EU Parliament Month Ahead | news-month-ahead.lock.yml |
1st of month 08:00 UTC | 60 min |
| EU Parliament Monthly Review | news-monthly-review.lock.yml |
28th of month 10:00 UTC | 60 min |
| EU Parliament Breaking News | news-breaking.lock.yml |
Every 6 hours (0 */6 * * *) |
60 min |
| EU Parliament Article Generator | news-article-generator.lock.yml |
Manual dispatch only | 120 min |
| Translate Articles | news-translate.lock.yml |
Weekdays 09:00/12:00/15:00 UTC; Sat 15:00; 1st & 28th 15:00 | 60 min |
Agentic Workflow Architecture
All 10 agentic workflows share a common architecture (9 content-generation workflows produce English articles; the news-translate workflow then generates the remaining 13 languages):
graph TD
A[๐ Schedule / Manual Trigger] --> B[๐ Activation Job]
B --> C{Conditions Met?}
C -->|โ
Yes| D[๐ค Agent Job<br/>GitHub Copilot + claude-opus-4.6]
C -->|โ No| E[โญ๏ธ Skip]
D --> F[๐ฅ Checkout Repository]
F --> G[โ๏ธ Setup Node.js 25]
G --> H[๐ฆ Install Dependencies]
H --> I[๐ Install EP MCP Server v1.1.20]
I --> J1[๐ฌ Analysis Stage<br/>Political Intelligence Pipeline<br/>--analysis flag]
J1 --> J1a[๐ Classification: significance, impact-matrix, actors, forces]
J1 --> J1b[๐ก๏ธ Threat Assessment: Political Threat Landscape,<br/>actor-threats, disruption]
J1 --> J1c[๐ Risk Scoring: risk-matrix, SWOT, velocity, capital-at-risk]
J1a --> J1d[๐ analysis/{date}/{article-type}/]
J1b --> J1d
J1c --> J1d
J1d --> J[๐ฐ Generate News Articles<br/>npx tsx src/generators/news-enhanced.ts --analysis]
J --> K[๐ฌ๐ง English HTML Output]
K --> L[๐ Create Pull Request<br/>Includes analysis/ artifacts]
L --> M[โ
PR Ready for Review]
L -.-> N[๐ news-translate Workflow<br/>Generates 13 Additional Languages]
classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white
classDef process fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
classDef decision fill:#f39c12,stroke:#e67e22,stroke-width:2px,color:black
classDef skip fill:#95a5a6,stroke:#7f8c8d,stroke-width:1.5px,color:white
classDef analysis fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white
classDef output fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
class A,B trigger
class D,F,G,H,I process
class C decision
class E skip
class J1,J1a,J1b,J1c,J1d analysis
class J,K,L,M,N output
Common Agentic Workflow Properties
| Property | Value |
|---|---|
| Source format | Markdown (.md) compiled by gh aw compile |
| Lock format | YAML (.lock.yml) โ auto-generated, do not edit directly |
| AI Model | claude-opus-4.6 via GitHub Copilot CLI |
| Top-level permissions | {} (empty โ no default permissions) |
| Activation job permissions | contents: read |
| Agent job permissions | contents: write, pull-requests: write, issues: write, models: read |
| Concurrency group | gh-aw-${{ github.workflow }} |
| Node.js version | 25 |
| EP MCP Server | european-parliament-mcp-server (globally installed) |
| Data sources | European Parliament MCP Server (primary), World Bank MCP (optional) |
| Analysis stage | --analysis flag enables 18-method political intelligence pipeline before article generation |
| Analysis output | analysis/{date}/{article-type}/ โ classification, threat-assessment, risk-scoring, data (EP feeds, World Bank, OSINT) artifacts committed to PR. Article-type scoping prevents merge conflicts between concurrent workflows. |
Compilation Process
Source markdown files are compiled to lock files using the GitHub Agentic Workflows CLI:
# Compile all agentic workflow definitions
gh aw compile
The compile-agentic-workflows.yml workflow automates this process (see ยง11).
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| Input Validation | MCP data validated via schema before use | ISO 27001 A.14.2.1 |
| HTML Sanitization | Strip scripts, encode entities in generated content | OWASP Top 10 (XSS) |
| Empty Top-Level Permissions | permissions: {} โ no default permissions |
Least privilege |
| Scoped Job Permissions | Write permissions only on agent job | Least privilege |
| Concurrency Control | Single concurrent run per workflow | Resource governance |
| PR-Based Output | All generated content via PR, not direct push | Change review |
ISMS Evidence
- Policy: Secure Development Policy ยง4.1 - CI/CD Security
- Workflows:
.github/workflows/news-*.lock.yml - Source definitions:
.github/workflows/news-*.md - Process Flow: FLOWCHART.md ยงNews Generation Security Flow
Unique Data & Analytics Per Workflow (PRIO 1)
Every workflow downloads unique data and produces article-type-specific analytics. The following matrix shows the mandatory MCP data downloads and analytical tools unique to each workflow:
flowchart LR
subgraph "๐ด Breaking News"
B1["adopted_texts_feed\nevents_feed\nprocedures_feed\nmeps_feed"] --> B2["detect_voting_anomalies\nanalyze_coalition_dynamics\nearly_warning_system\ngenerate_political_landscape"]
end
subgraph "๐ Motions"
M1["adopted_texts_feed\nquestions_feed\nmeps_feed\nprocedures_feed"] --> M2["detect_voting_anomalies\nanalyze_coalition_dynamics\nget_voting_records\ncompare_political_groups"]
end
subgraph "๐ Propositions"
P1["procedures_feed\ndocuments_feed\nadopted_texts_feed\nplenary_docs_feed"] --> P2["search_documents\nmonitor_legislative_pipeline\ntrack_legislation\nanalyze_legislative_effectiveness"]
end
subgraph "๐๏ธ Committee Reports"
C1["committee_docs_feed\nplenary_docs_feed\nadopted_texts_feed\nprocedures_feed"] --> C2["get_committee_info\nmonitor_legislative_pipeline\nanalyze_legislative_effectiveness"]
end
style B1 fill:#dc3545,stroke:#b02a37,color:#fff
style B2 fill:#dc3545,stroke:#b02a37,color:#fff
style M1 fill:#fd7e14,stroke:#ca6510,color:#fff
style M2 fill:#fd7e14,stroke:#ca6510,color:#fff
style P1 fill:#ffc107,stroke:#cc9a06,color:#000
style P2 fill:#ffc107,stroke:#cc9a06,color:#000
style C1 fill:#198754,stroke:#146c43,color:#fff
style C2 fill:#198754,stroke:#146c43,color:#fff
| Workflow | Mandatory Feed Data | Mandatory Analytical Tools | Unique Focus |
|---|---|---|---|
| Breaking | adopted_texts, events, procedures, meps (todayโone-week) + documents, plenary_docs, committee_docs, questions | detect_voting_anomalies, analyze_coalition_dynamics, early_warning_system, generate_political_landscape | โก Only TODAY's items; 6-hour cycle |
| Motions | adopted_texts, parliamentary_questions, meps, procedures | detect_voting_anomalies, analyze_coalition_dynamics, get_voting_records, compare_political_groups | ๐ณ๏ธ Per-resolution vote breakdowns |
| Propositions | procedures, documents, adopted_texts, plenary_documents | search_documents, monitor_legislative_pipeline, track_legislation, analyze_legislative_effectiveness | ๐ Procedure stage tracking |
| Committee | committee_documents, plenary_documents, adopted_texts, procedures | get_committee_info, monitor_legislative_pipeline, analyze_legislative_effectiveness | ๐๏ธ Per-committee deep analysis |
| Week Ahead | events, procedures, plenary_documents, plenary_session_documents | get_plenary_sessions (future), get_committee_info, monitor_legislative_pipeline, generate_political_landscape | ๐ Prospective agenda analysis |
| Weekly Review | adopted_texts, procedures, plenary_documents, parliamentary_questions | get_voting_records, detect_voting_anomalies, generate_political_landscape | ๐ Retrospective outcome review |
| Month Ahead | events, procedures, plenary/committee docs, adopted_texts, session docs, meps | get_plenary_sessions, get_committee_info, monitor_pipeline, generate_landscape, compare_groups, analyze_delegation | ๐ Strategic calendar outlook |
| Monthly Review | adopted_texts, procedures, plenary_documents, parliamentary_questions | get_voting_records, detect_anomalies, generate_landscape, compare_groups, analyze_effectiveness | ๐ Comprehensive monthly trends |
| Translate | โ (consumes English articles) | โ | ๐ EN โ 13 languages |
PRIO 1 MANDATE: Each workflow ALWAYS downloads its mandatory feed data and runs its mandatory analytical tools BEFORE deciding whether to produce an article. Data collection is NEVER skipped, even for noop runs.
1b. Agentic News Workflows (gh-aw)
๐ Files: .github/workflows/news-*.md (9 content workflows + 1 translation workflow)
๐ฏ Purpose: AI-powered news article generation using GitHub Agentic Workflows (gh-aw) with European Parliament MCP Server data
โฐ Schedule: Various (see table below)
Architecture: Content/Translation Split
The agentic news system uses a separation of concerns architecture:
- Content Workflows (9 workflows) โ Generate English-only articles with deep political intelligence
- Translation Workflow (1 workflow) โ Translates English articles to 13 other languages
This split ensures content workflows spend their full time budget on political intelligence quality, while translations maintain fidelity to the English source content.
graph TD
A[๐ Content Workflows<br/>English only] -->|Generate| B[๐ฐ English Articles]
B -->|Merge PR| C[main branch]
C -->|Schedule trigger| D[๐ Translation Workflow]
D -->|Generate| E[๐ 13 Language Translations]
E -->|Merge PR| C
C -->|Deploy| F[๐ GitHub Pages<br/>Language Switchers + Sitemaps]
classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white
classDef process fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
classDef deploy fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
classDef translation fill:#e67e22,stroke:#d35400,stroke-width:1.5px,color:white
class A trigger
class B,C process
class D,E translation
class F deploy
Content Workflow Schedule
| Workflow | Article Type | Schedule | Focus |
|---|---|---|---|
news-committee-reports.md |
Committee reports | MonโFri 04:00 UTC | Committee activity analysis |
news-propositions.md |
Legislative procedures | MonโFri 05:00 UTC | Legislative pipeline tracking |
news-motions.md |
Plenary votes | MonโFri 06:00 UTC | Voting patterns & resolutions |
news-week-ahead.md |
Week ahead | Fri 07:00 UTC | Upcoming parliamentary agenda |
news-month-ahead.md |
Month ahead | 1st of month 08:00 UTC | Monthly strategic outlook |
news-weekly-review.md |
Weekly review | Sat 09:00 UTC | Week in review |
news-monthly-review.md |
Monthly review | 28th of month 10:00 UTC | Monthly retrospective |
news-breaking.md |
Breaking news | Every 6 hours | Real-time EP feed events |
news-article-generator.md |
Multi-type | Manual dispatch | On-demand article generation |
Translation Workflow
| Workflow | Schedule | Purpose |
|---|---|---|
news-translate.md |
MonโFri 09/12/15 UTC, Sat 12 UTC, 1st+28th 12 UTC | Translate English articles to sv, da, no, fi, de, fr, es, nl, ar, he, ja, ko, zh |
Supported Languages (14 total)
| English (en) | Swedish (sv) | Danish (da) | Norwegian (no) | Finnish (fi) |
|---|---|---|---|---|
| German (de) | French (fr) | Spanish (es) | Dutch (nl) | Arabic (ar) |
| Hebrew (he) | Japanese (ja) | Korean (ko) | Chinese (zh) |
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| MCP Data Source | European Parliament MCP Server (live data) | ISO 27001 A.14.2.1 |
| Content Integrity | Quality validation, synthetic ID detection | Data integrity |
| Safe Outputs | gh-aw safe-outputs for PR creation | Least privilege |
| Concurrency | Shared concurrency group prevents conflicts | Resource management |
| Network Allowlist | Explicit domain allowlisting via gh-aw | Network security |
Enhanced Analysis Features (v2)
The following 8 scheduled article-generation workflows have been upgraded with mandatory analytical enhancements: news-week-ahead.md, news-month-ahead.md, news-breaking.md, news-committee-reports.md, news-propositions.md, news-motions.md, news-weekly-review.md, news-monthly-review.md. The on-demand news-article-generator.md workflow is not included in this upgrade as it dispatches to the above workflows. The news-translate.md workflow has complementary analysis-fidelity requirements for preserving these elements in translation.
๐ญ Multi-Stakeholder Perspective Requirements
Every major parliamentary action must be analyzed from at least 3 of 6 stakeholder perspectives:
| Perspective | Analysis Focus |
|---|---|
| EP Political Groups | Coalition dynamics, group influence, voting alliances |
| Civil Society & NGOs | Citizens' rights, democratic participation, transparency |
| Industry & Business | Regulatory burden, market effects, compliance dynamics |
| National Governments | Subsidiarity, implementation requirements, national interests |
| EU Citizens | Direct life impact, rights, services, democratic representation |
| EU Institutions | Commission, Council, ECB, Court of Justice โ inter-institutional dynamics |
Stakeholder perspective analysis is rendered by the TypeScript generator (buildStakeholderPerspectivesSection) as a card grid in each article's deep-analysis portion. Agents provide structured perspective content โ impact direction (positive/negative/neutral/mixed), severity (high/medium/low), reasoning, and evidence backed by specific EP MCP data citations โ and the generator handles the HTML markup (analysis-stakeholder-perspectives / stakeholder-perspectives-grid). Agents must NOT write raw HTML for this section. Impact and severity values must remain as canonical English enum tokens (e.g. positive, high) even in non-English articles โ the generator handles localized display labels and CSS classing from these tokens. (Note: the separate winners/losers outcomes list uses analysis-stakeholders / stakeholder-list โ that is a different section rendered by buildStakeholderSection.)
๐ Iterative AI Content Refinement Cycle
All analytical content sections follow a mandatory 4-pass refinement process:
| Pass | Activity | Output |
|---|---|---|
| Pass 1 โ Initial Assessment | Gather MCP baseline data; identify actors, actions, outcomes | Draft narrative |
| Pass 2 โ Stakeholder Challenge | Re-examine from each stakeholder angle; flag blind spots | Revised draft with gaps identified |
| Pass 3 โ Evidence Cross-Validation | Verify claims against EP documents/votes; add ๐ข/๐ก/๐ด confidence indicators | Evidenced assertions only |
| Pass 4 โ Synthesis & Scenarios | Produce balanced conclusions; provide 2โ3 forward-looking scenarios with probability labels | Final publishable analysis |
Localization requirement: All text labels โ confidence (๐ข High / ๐ก Medium / ๐ด Low), probability (likely / possible / unlikely), and significance (High / Medium / Low) โ must be rendered in the article's output language while preserving the underlying 3-level scale and keeping emoji markers (๐ข/๐ก/๐ด, โโโ) unchanged. Non-English articles must use the equivalent terms in the target language, not English labels.
โ Enhanced Analysis Quality Gates
In addition to the existing content quality gates (500-word minimum, no synthetic IDs, current dates), all articles must pass two new quality gate categories:
Analysis Depth Gates:
- Minimum 3 stakeholder perspectives analyzed per key development
- SWOT dimensions cover both political AND economic/regulatory aspects
- Dashboard trend indicators included (โโโ), not just current values
- Cross-domain policy links shown (e.g., environment โ trade โ social)
- Evidence chains cite specific document IDs, vote counts, or MCP data points
- Outlook provides at least 2 named scenarios with probability labels
Political Intelligence Gates:
- Coalition dynamics named explicitly (not just "EPP and S&D voted together")
- Each group's position explained with reasoning (incentives, ideology, constituency)
- Winner/loser analysis identified with supporting evidence
- Historical EP context referenced where comparable precedents exist
๐ EP Document Analysis Framework
Every key EP document featured in the deep-analysis section must include structured analysis (other document references may remain as citations without full framework analysis):
- Political Context โ Why introduced? Who pushed it? What problem does it solve?
- Stakeholder Impact โ Who benefits/faces costs? Quantified where possible.
- Procedure Stage โ Where in the legislative pipeline? Next steps and timeline.
- Coalition Dynamics โ Which groups support/oppose? Key fault lines.
- Significance Rating โ High / Medium / Low with one-sentence justification. (Note: significance ratings use text labels, not color indicators, to avoid confusion with the ๐ข/๐ก/๐ด confidence scale used in the refinement cycle.)
๐ฌ Workflow-Specific Intelligence Modules
Each scheduled content workflow includes a tailored intelligence module beyond the shared framework:
| Workflow | Module | Focus |
|---|---|---|
news-week-ahead.md |
๐ญ Strategic Preview Analysis | What to watch, coalitions under stress, legislative inflection points, geopolitical triggers |
news-month-ahead.md |
๐ Long-Term Trend Context | Term trajectory, policy momentum, coalition evolution, EU external context |
news-breaking.md |
โก Rapid Stakeholder Impact Assessment | Immediate winners/losers, market/policy signals, next 24โ48 hour tracking |
news-committee-reports.md |
๐๏ธ Committee Power Dynamics Analysis | Rapporteur influence, shadow rapporteur positions, amendment landscape, trilogue implications |
news-propositions.md |
๐๏ธ Legislative Pipeline Intelligence | Passage probability, amendment expectations, timeline forecast, blocking coalitions |
news-motions.md |
๐ณ๏ธ Voting Pattern Intelligence | Coalition map, abstention analysis, cross-party defections, margin analysis |
news-weekly-review.md |
๐ Week-in-Context Analysis | Parliamentary landscape shift, promises vs. delivery, surprise developments |
news-monthly-review.md |
๐บ๏ธ Monthly Trend Synthesis | Legislative productivity, coalition stability index, policy trajectory, emerging themes |
The translation workflow has its own fidelity module:
| Workflow | Module | Focus |
|---|---|---|
news-translate.md |
๐ Analysis Fidelity Requirements | Stakeholder framing preservation, confidence indicator translation, EP official terminology |
๐ File: .github/workflows/test-and-report.yml
๐ฏ Purpose: Comprehensive testing with unit tests, integration tests, coverage reporting, and performance benchmarks
โฐ Trigger: On push to main, on PR to main
๐ Status:
Test Coverage
| Test Type | Framework | Coverage Target | Current Status |
|---|---|---|---|
| Unit Tests | Vitest | 169 tests | โ 169/169 passing |
| Integration Tests | Vitest | N/A | โ All passing |
| Line Coverage | Vitest (V8) | โฅ80% | โ 82%+ |
| Branch Coverage | Vitest (V8) | โฅ75% | โ 83%+ |
| Function Coverage | Vitest (V8) | โฅ80% | โ 89%+ |
Workflow Jobs (6 Jobs)
graph LR
A[Prepare] --> B[Validation]
A --> C[Functional Tests]
A --> D[Performance]
A --> E[Security Check]
B --> F[Report]
C --> F
D --> F
E --> F
classDef prepare fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white
classDef test fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
classDef security fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white
classDef perf fill:#f39c12,stroke:#e67e22,stroke-width:1.5px,color:black
classDef report fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
class A prepare
class B,C test
class D perf
class E security
class F report
| Job | Name | Purpose | Key Steps |
|---|---|---|---|
prepare |
Prepare Environment | Cache dependencies, setup Node.js 25 | Checkout, npm ci, cache |
validation |
Validate Code | ESLint, Prettier, HTMLHint, npm audit | Lint, format check, HTML validation |
functional-tests |
Functional Tests | Vitest unit + integration tests | Run tests, coverage report |
performance |
Performance Testing | Lighthouse CI + article generation benchmarks | @lhci/cli@0.15.1, performance metrics |
security-check |
Security Check | npm audit analysis | Vulnerability triage, CodeQL integration |
report |
Generate Report | Aggregate results, PR comments | Coverage summary, status checks |
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| Code Quality | ESLint + Prettier | Code quality standards |
| Vulnerability Scanning | npm audit | ISO 27001 A.12.6.1 |
| Coverage Thresholds | 80%+ lines, 75%+ branches | Quality gates |
| Performance Benchmarks | Lighthouse CI scoring | Performance validation |
| False Positive Handling | Intelligent npm audit triage | Risk acceptance process |
ISMS Evidence
- Policy: Secure Development Policy ยง3.3 - Testing Requirements
- Workflow: test-and-report.yml
- Coverage Report: Live Coverage
3. CodeQL Security Scanning
๐ File: .github/workflows/codeql.yml
๐ฏ Purpose: Static Application Security Testing (SAST) for JavaScript/TypeScript and GitHub Actions
โฐ Schedule: On push to main, on PR to main, weekly Saturday 21:33 UTC
๐ Status:
Security Analysis
| Parameter | Value |
|---|---|
| Languages | javascript-typescript, actions |
| Build Mode | none (interpreted languages) |
| Query Suite | Security Extended |
| Analysis Type | Source code + dependencies |
Vulnerability Types Detected:
- SQL Injection
- XSS (Cross-Site Scripting)
- Path Traversal
- Command Injection
- Unsafe Deserialization
- GitHub Actions expression injection
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| SAST Scanning | CodeQL security-extended (JS/TS + Actions) | ISO 27001 A.14.2.5 |
| Automated Analysis | On every PR + push | Shift-left security |
| SHA-Pinned Actions | All actions pinned to SHA | Supply chain security |
| Security Alerts | GitHub Security tab integration | Incident response |
ISMS Evidence
- Policy: Secure Development Policy ยง4.3 - Security Scanning
- Workflow: codeql.yml
- Security Architecture: SECURITY_ARCHITECTURE.md ยงCodeQL Analysis
4. E2E Testing Workflow
๐ File: .github/workflows/e2e.yml
๐ฏ Purpose: End-to-end testing with Playwright across browsers
โฐ Schedule: On push to main, on PR to main, daily at midnight UTC
๐ Status:
Test Coverage
- Browser: Chromium (optimised for speed)
- Timeout: 60 minutes
- Test Categories:
- Homepage validation
- Accessibility (axe-core integration)
- Responsive design
- Multi-language support (14 languages)
- Artifacts: Screenshots, videos, HTML reports
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| Accessibility Testing | axe-core WCAG AA compliance | Inclusive security |
| Visual Regression | Screenshot comparison | Quality assurance |
| Functional Validation | User workflow testing | Requirements validation |
| Daily Regression | Scheduled midnight UTC | Continuous validation |
ISMS Evidence
- Workflow: e2e.yml
- Test Reports: Live E2E Report
5. Release Workflow
๐ File: .github/workflows/release.yml
๐ฏ Purpose: Comprehensive release automation with attestations and documentation
โฐ Trigger: Manual dispatch (with version input) or tag push (v*)
๐ Status:
Release Pipeline
graph TD
A[๐ Trigger: Manual/Tag] --> B[๐ Prepare Job]
B --> C[โ
Run Tests with Coverage]
C --> D[๐ญ Run E2E Tests]
D --> E[๐ Generate API Docs]
E --> F[๐ Generate Coverage Reports]
F --> G[๐จ Generate Doc Index]
G --> H[โ
Verify Structure]
H --> I[๐พ Commit Documentation]
I --> J[๐จ Build Job]
J --> K[๐ฆ Create Release Artifacts]
K --> L[๐ Generate SBOM]
L --> M[๐ Build Provenance]
M --> N[๐ SBOM Attestation]
N --> O[๐ Release Job]
O --> P[๐ Draft Release Notes]
P --> Q[๐ Create GitHub Release]
classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white
classDef test fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
classDef docs fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
classDef build fill:#f39c12,stroke:#e67e22,stroke-width:1.5px,color:black
classDef security fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white
classDef release fill:#2ecc71,stroke:#27ae60,stroke-width:2px,color:white
class A trigger
class B,C,D test
class E,F,G,H,I docs
class J,K build
class L,M,N security
class O,P,Q release
Release Jobs
| Job | Name | Key Permissions |
|---|---|---|
prepare |
Prepare Release | contents: write |
build |
Build Release Package | contents: read, id-token: write, attestations: write |
release |
Create Release | contents: write, id-token: write |
Documentation as Code
Every release automatically generates:
| Documentation | Generator | Output |
|---|---|---|
| API Documentation | JSDoc | 52 files, searchable |
| Test Coverage | Vitest HTML | Interactive reports |
| E2E Test Reports | Playwright | Screenshots, videos |
| Documentation Index | Custom script | Beautiful hub page |
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| SLSA Level 3 | Build provenance attestation | Supply chain security |
| SBOM Generation | SPDX JSON format | NTIA SBOM minimum elements |
| Artifact Signing | GitHub Attestations API | Integrity verification |
| Documentation Audit Trail | Committed to main branch | Evidence trail |
| Test Validation | 169 unit tests + E2E | Quality gates |
ISMS Evidence
- Policy: Secure Development Policy ยง3.2 - Architecture Documentation
- Workflow: release.yml
- Release Guide: docs/RELEASE_PROCESS.md
- Attestations: GitHub Attestations
- Documentation: docs/index.html
6. Dependency Review Workflow
๐ File: .github/workflows/dependency-review.yml
๐ฏ Purpose: Supply chain security scanning for pull requests
โฐ Trigger: On pull request
๐ Status: Dependency review enabled
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| License Compliance | Allowed licenses only | Legal compliance |
| Vulnerability Detection | Known CVEs blocked | ISO 27001 A.12.6.1 |
| Supply Chain Security | Dependency graph analysis | NIST CSF ID.SC |
ISMS Evidence
- Policy: Supply Chain Security
- Workflow: dependency-review.yml
7. OpenSSF Scorecard Workflow
๐ File: .github/workflows/scorecards.yml
๐ฏ Purpose: Security posture assessment against OpenSSF best practices
โฐ Schedule: Weekly on Tuesday 07:20 UTC, push to main, branch protection rule
๐ Status:
Assessed Security Practices
- Binary artifacts
- Branch protection
- CI tests
- Code review
- Dangerous workflows
- Dependency update tool
- Fuzzing
- License
- Maintained
- Pinned dependencies
- SAST
- Security policy
- Signed releases
- Token permissions
- Vulnerabilities
ISMS Evidence
- Workflow: scorecards.yml
- Live Score: View Scorecard
8. Deploy S3 Workflow
๐ File: .github/workflows/deploy-s3.yml
๐ฏ Purpose: Production deployment to AWS S3 + CloudFront
โฐ Trigger: Push to main
๐ Status: Production deployment
Deployment Pipeline
graph LR
A[Push to main] --> B[Checkout Code]
B --> C[๐ Harden Runner<br/>egress: BLOCK]
C --> D[Configure AWS OIDC]
D --> E[Sync to S3]
E --> F[Invalidate CloudFront]
F --> G[โ
Production Live]
classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white
classDef security fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white
classDef aws fill:#FF9900,stroke:#232F3E,stroke-width:1.5px,color:white
classDef complete fill:#27ae60,stroke:#1e8449,stroke-width:2px,color:white
class A trigger
class B,C security
class D,E,F aws
class G complete
Note:
deploy-s3.ymlis the only workflow usingegress-policy: block(all other workflows useaudit). Outbound network calls are restricted to an explicit allowlist defined in theallowed-endpointsparameter of the Harden Runner step within deploy-s3.yml.
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| OIDC Federation | aws-actions/configure-aws-credentials with role ARN |
No long-lived secrets |
| Egress Block Mode | Harden Runner blocks all non-allowlisted endpoints | Network security |
| IAM Least Privilege | Minimal S3 + CloudFront permissions | AWS security best practices |
| HTTPS Only | CloudFront SSL/TLS distribution | Data in transit protection |
| Infrastructure as Code | GitHub Actions workflow | Reproducible deployments |
ISMS Evidence
- Workflow: deploy-s3.yml
- Architecture: SECURITY_ARCHITECTURE.md ยงDeployment
9. REUSE Compliance Workflow
๐ File: .github/workflows/reuse.yml
๐ฏ Purpose: License and copyright compliance verification using the REUSE Specification
โฐ Schedule: On push to main, on PR to main, weekly Monday 06:00 UTC
๐ Status:
License Compliance Scope
| Artifact | License | SPDX Header Required |
|---|---|---|
Source scripts (scripts/) |
Apache-2.0 | โ Yes |
Test files (test/, e2e/) |
Apache-2.0 | โ Yes |
HTML pages (index-*.html) |
Apache-2.0 | โ Yes |
Workflow files (.github/workflows/) |
Apache-2.0 | โ Yes |
| Binary assets | Declared in REUSE.toml |
Via manifest |
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| License Verification | SPDX header validation on every file | Open Source Policy |
| Copyright Compliance | Per-file copyright tracking | IP management |
| Supply Chain Clarity | Machine-readable REUSE.toml |
NIST CSF ID.SC-4 |
| SHA-Pinned Action | fsfe/reuse-action pinned to SHA |
Supply chain security |
ISMS Evidence
- Policy: Open Source Policy
- Workflow: reuse.yml
- Configuration: REUSE.toml
10. SLSA Provenance (Integrated in Release Workflow)
๐ File: .github/workflows/release.yml
๐ฏ Purpose: Generate cryptographic build provenance for supply chain integrity verification
โฐ Trigger: On tag push (v*) + manual dispatch with version input
๐ Status:
Provenance Generation Pipeline
SLSA Level 3 provenance is generated as part of the release workflow build job. All attestations and SBOM are created during the build step and attached to the immutable GitHub Release in a single atomic operation.
Attestation Artifacts
| Artifact | Action | Verification Command |
|---|---|---|
| Build Provenance | actions/attest-build-provenance (SHA-pinned) |
gh attestation verify --owner Hack23 <file> |
| SBOM (SPDX) | anchore/sbom-action + actions/attest (SHA-pinned) |
gh attestation verify --owner Hack23 <file> |
| Distribution Archive | .zip with excluded dev files |
SHA-256 checksum |
| SBOM JSON | SPDX format | License compliance check |
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| OIDC Keyless Signing | id-token: write + GitHub Sigstore |
SLSA Level 3 |
| Immutable Release | immutableCreate: true โ single-write release |
Integrity |
| Minimal Permissions | permissions: read-all top-level |
Least privilege |
| Harden Runner | egress audit on all outbound calls | Network security |
ISMS Evidence
- Policy: Secure Development Policy ยง4.4
- Workflow: release.yml
- Attestations: GitHub Attestations
11. Compile Agentic Workflows
๐ File: .github/workflows/compile-agentic-workflows.yml
๐ฏ Purpose: Compile agentic workflow markdown source files (.md) into executable lock files (.lock.yml) using the gh-aw CLI
โฐ Trigger: Manual dispatch only (workflow_dispatch)
๐ Status: 
Compilation Pipeline
graph LR
A[Manual Trigger] --> B[Checkout Repository]
B --> C[Install gh-aw CLI]
C --> D[Compile .md โ .lock.yml]
D --> E[Commit & Push Lock Files]
classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white
classDef process fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
classDef output fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
class A trigger
class B,C,D process
class E output
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| Manual Trigger Only | workflow_dispatch โ no automatic runs |
Change control |
| Token Fallback | COPILOT_MCP_GITHUB_PERSONAL_ACCESS_TOKEN with GITHUB_TOKEN fallback |
Credential management |
| Write Permissions | contents: write, pull-requests: write, actions: write, issues: write |
Least privilege for compilation |
12. Pull Request Automatic Labeler
๐ File: .github/workflows/labeler.yml
๐ฏ Purpose: Automatically label pull requests based on file paths and content
โฐ Trigger: pull_request_target (opened, synchronize, reopened, edited)
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| Minimal Job Permissions | contents: read, pull-requests: write, issues: read |
Least privilege |
| Target Event | pull_request_target โ runs on base branch code |
Workflow security |
13. Setup Repository Labels
๐ File: .github/workflows/setup-labels.yml
๐ฏ Purpose: Create and manage repository labels for issue/PR governance
โฐ Trigger: Manual dispatch only (workflow_dispatch with recreate_all input)
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| Manual Trigger Only | workflow_dispatch โ deliberate action required |
Change control |
| Minimal Permissions | contents: read, issues: write |
Least privilege |
14. Copilot Setup Steps
๐ File: .github/workflows/copilot-setup-steps.yml
๐ฏ Purpose: Set up the development environment for GitHub Copilot coding agents
โฐ Trigger: Push/PR to copilot-setup-steps.yml file + manual dispatch
Environment Setup
| Component | Version / Configuration |
|---|---|
| Node.js | 25 |
| EP MCP Server | european-parliament-mcp-server (global) |
| Playwright Browsers | Installed for E2E |
| Virtual Display | Xvfb (:99) |
Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| Broad Read Permissions | Multiple read scopes for agent access | Copilot agent requirement |
| Write Limited | Only pull-requests: write, issues: write |
Least privilege for agents |
| Token Management | COPILOT_MCP_GITHUB_PERSONAL_ACCESS_TOKEN |
Credential management |
๐ Workflow Metrics
Execution Statistics
| Metric | Target | Current | Status |
|---|---|---|---|
| Test Success Rate | โฅ95% | 100% | โ Excellent |
| Test Execution Time | <10 min | ~3 min | โ Excellent |
| Release Frequency | As needed | Manual | โ On-demand |
| Mean Time to Deploy | <1 hour | ~15 min | โ Excellent |
| Failed Deployment Rate | <5% | 0% | โ Perfect |
Security Metrics
| Metric | Target | Current | Status |
|---|---|---|---|
| Critical Vulnerabilities | 0 | 0 | โ Secure |
| High Vulnerabilities | 0 | 0 | โ Secure |
| Code Coverage | โฅ80% | 82%+ | โ Above target |
| SHA-Pinned Actions | 100% | 100% | โ Complete |
| OpenSSF Score | โฅ8.0 | TBD | ๐ Monitoring |
๐ Security Hardening Practices
EU Parliament Monitor implements industry best practices for securing CI/CD pipelines, with StepSecurity hardening for all workflows:
flowchart LR
subgraph "๐ก๏ธ Pipeline Security Hardening"
PH[Permissions Hardening] --> LAP[Least Access Principle]
PS[Pin SHA Versions] --> IDT[Immutable Dependencies]
AV[Action Verification] --> TS[Trusted Sources]
RH[Runner Hardening] --> AL[Audit Logging]
OT[OIDC Tokens] --> EF[Ephemeral Credentials]
end
subgraph "๐ Security Measures"
AS[Asset Security] --> AC[Asset Verification]
DS[Dependency Security] --> PD[Dependency Pinning]
BS[Build Security] --> BA[Build Attestations]
RS[Release Security] --> SBOM[SBOM Generation]
end
PH --> AS
PS --> DS
AV --> BS
RH --> RS
classDef practice fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white
classDef measures fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
class PH,PS,AV,RH,OT practice
class LAP,IDT,TS,AL,EF practice
class AS,DS,BS,RS measures
class AC,PD,BA,SBOM measures
Specific Hardening Measures
The project's workflows collectively implement the following security measures (applied per workflow where applicable):
- ๐ Permissions Restriction: Explicit least-privilege permissions with
read-allor empty{}top-level - ๐ SHA Pinning: 100% of actions pinned to specific SHA hashes โ zero tag references
- ๐ก๏ธ Runner Hardening: StepSecurity
harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0for audit logging - ๐ SBOM Generation: The release workflow generates a Software Bill of Materials in SPDX format via
anchore/sbom-action - ๐ Build Attestations: The release workflow creates SLSA Level 3 provenance via
actions/attest-build-provenance - โฑ๏ธ Timeout Limits: Critical workflows (e.g., E2E and agentic
*.lock.ymlpipelines) use explicittimeout-minutesto prevent resource exhaustion; remaining workflows rely on GitHub's default job timeouts and are monitored for anomalies - ๐ OIDC Tokens: The
deploy-s3workflow uses AWS OIDC federation โ no long-lived secrets - ๐ซ Egress Control: The
deploy-s3workflow usesharden-runnerwithegress-policy: block
๐ก๏ธ Workflow Security Architecture
Workflow Permissions Matrix
Every workflow declares explicit, minimal permissions following the principle of least privilege. Some workflows use top-level permissions: read-all with job-level write overrides where needed, while others define more restrictive explicit top-level scopes tailored to their tasks.
| Workflow | Top-Level | Job-Level Overrides | Secrets Used |
|---|---|---|---|
| codeql | contents: read |
analyze: security-events: write, packages: read, actions: read |
None |
| compile-agentic-workflows | contents: write, pull-requests: write, actions: write, issues: write |
โ | COPILOT_MCP_GITHUB_PERSONAL_ACCESS_TOKEN |
| copilot-setup-steps | contents: read, actions: read, attestations: read, checks: read, issues: write, models: read, discussions: read, pages: read, pull-requests: write, security-events: read, statuses: read |
โ | COPILOT_MCP_GITHUB_PERSONAL_ACCESS_TOKEN |
| dependency-review | contents: read |
โ | None |
| deploy-s3 | contents: read, id-token: write, actions: write |
โ | AWS OIDC role |
| e2e | contents: read |
e2e-tests: contents: read |
None |
| labeler | read-all |
labeler: contents: read, pull-requests: write, issues: read |
GITHUB_TOKEN |
| release | read-all |
prepare: contents: write; build: contents: read, id-token: write, attestations: write; release: contents: write, id-token: write |
GITHUB_TOKEN |
| reuse | contents: read |
โ | None |
| scorecards | read-all |
analysis: security-events: write, id-token: write, contents: read, actions: read, issues: read, pull-requests: read, checks: read |
None |
| setup-labels | contents: read, issues: write |
โ | GITHUB_TOKEN |
| test-and-report | read-all |
validation: contents: read, pull-requests: write; functional-tests: contents: read; performance: contents: read; security-check: contents: read, security-events: write; report: contents: read, pull-requests: write |
None |
| news-* (agentic ร9) | {} (empty) |
activation: contents: read; agent: contents: write, pull-requests: write, issues: write, models: read |
GITHUB_TOKEN |
Security Control Layers
graph TD
subgraph Layer1["๐ต Layer 1: Developer Workstation"]
PC[Pre-Commit Hooks<br/>gitleaks ยท eslint ยท prettier]
LS[Lint-Staged<br/>ESLint fix ยท Prettier ยท HTMLHint]
PC --> LS
end
subgraph Layer2["๐ข Layer 2: Source Control"]
BP[Branch Protection<br/>Required status checks]
CR[Code Review<br/>Required approvals]
BP --> CR
end
subgraph Layer3["๐ก Layer 3: CI Pipeline"]
HR[Harden Runner v2.15.1<br/>Egress policy: audit/block]
ST[SHA-Pinned Actions 100%<br/>Supply chain integrity]
HR --> ST
end
subgraph Layer4["๐ด Layer 4: Security Scanning"]
CQL[CodeQL SAST<br/>JS/TS + Actions analysis]
DR[Dependency Review<br/>CVE blocking on PR]
NA[npm audit<br/>CVE check]
CQL --> DR --> NA
end
subgraph Layer5["๐ฃ Layer 5: Build Integrity"]
SB[SBOM Generation<br/>CycloneDX / SPDX]
AT[Build Attestation<br/>Sigstore / SLSA L3]
SB --> AT
end
subgraph Layer6["โซ Layer 6: Deployment"]
S3[S3 Sync<br/>Cache-optimised headers]
CF[CloudFront Invalidation<br/>HTTPS-only CDN]
S3 --> CF
end
Layer1 --> Layer2 --> Layer3 --> Layer4 --> Layer5 --> Layer6
classDef layer1 fill:#3498db,stroke:#2980b9,stroke-width:1.5px,color:white
classDef layer2 fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
classDef layer3 fill:#f1c40f,stroke:#f39c12,stroke-width:1.5px,color:black
classDef layer4 fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white
classDef layer5 fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
classDef layer6 fill:#2c3e50,stroke:#1a252f,stroke-width:1.5px,color:white
class PC,LS layer1
class BP,CR layer2
class HR,ST layer3
class CQL,DR,NA layer4
class SB,AT layer5
class S3,CF layer6
๐ช Pre-Commit Security Controls
The project employs two complementary pre-commit enforcement mechanisms: Husky (Node.js native) and pre-commit framework.
Husky + lint-staged
Configuration: .husky/pre-commit โ runs npx lint-staged
| File Pattern | Commands | Purpose |
|---|---|---|
scripts/**/*.js |
eslint --fix, prettier --write |
JS quality + formatting |
*.md |
prettier --write |
Documentation formatting |
*.html |
htmlhint |
HTML validation |
Pre-Commit Framework
Configuration: .pre-commit-config.yaml
graph LR
A[git commit] --> B{Husky Hook Triggered}
B --> C[lint-staged]
C --> D[ESLint --fix JS]
C --> E[Prettier --write MD]
C --> F[HTMLHint HTML]
D --> G{All Pass?}
E --> G
F --> G
G -->|โ
Pass| H[Commit Proceeds]
G -->|โ Fail| I[Commit Blocked]
I --> J[Developer Fixes Issues]
J --> A
classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white
classDef decision fill:#f39c12,stroke:#e67e22,stroke-width:2px,color:black
classDef lint fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
classDef pass fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
classDef fail fill:#e74c3c,stroke:#c0392b,stroke-width:2px,color:white
class A trigger
class B,G decision
class C,D,E,F lint
class H pass
class I,J fail
| Hook | Version | Purpose | Security Value |
|---|---|---|---|
| gitleaks | v8.16.3 | Secret scanning | Prevent credential exposure |
| mirrors-eslint | v8.38.0 | JS linting | Code quality enforcement |
| end-of-file-fixer | pre-commit v4.4.0 | File termination | Consistency |
| trailing-whitespace | pre-commit v4.4.0 | Whitespace cleanup | Consistency |
Security Value: gitleaks scans for hardcoded secrets (API keys, tokens, passwords) before any commit reaches the remote repository, providing first-line credential leak prevention aligned with Cryptography Policy.
๐ SLSA Level 3 Compliance
Supply-chain Levels for Software Artifacts (SLSA) Level 3 compliance is achieved through GitHub's native attestation infrastructure integrated into the release and SLSA provenance workflows.
SLSA Requirements Matrix
| SLSA L3 Requirement | Implementation | Workflow |
|---|---|---|
| Source โ Version controlled | Git + GitHub branch protection | All |
| Source โ Verified history | Protected main branch |
All |
| Build โ Scripted build | npm ci + reproducible steps |
release.yml |
| Build โ Build service | GitHub Actions managed runners | All |
| Build โ Non-falsifiable provenance | GitHub Sigstore / OIDC keyless | release.yml |
| Build โ Isolated | GitHub-hosted Ubuntu runners | All |
| Provenance โ Available | .intoto.jsonl attached to release |
release.yml |
| Provenance โ Authenticated | OIDC id-token: write |
release.yml |
| Provenance โ Service generated | actions/attest-build-provenance |
release.yml |
| Provenance โ Non-falsifiable | Sigstore transparency log | release.yml |
Build Provenance Flow
graph TD
A[Developer: git tag vX.Y.Z] --> B[GitHub Actions: release.yml triggered]
B --> C[prepare job: run tests + generate docs]
C --> D[build job: npm ci - hermetic install]
D --> E[Create release-artifacts/euparliamentmonitor-vX.Y.Z.zip]
E --> F[anchore/sbom-action: SPDX JSON SBOM]
F --> G[actions/attest-build-provenance<br/>Subject: release zip file]
G --> H[GitHub Sigstore: OIDC token exchange]
H --> I[Sigstore Transparency Log Entry]
I --> J[.intoto.jsonl bundle saved]
J --> K[actions/attest-sbom<br/>Subject: release zip + SBOM path]
K --> L[GitHub Release: all artifacts attached]
L --> M[Verification: gh attestation verify --owner Hack23 file.zip]
classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white
classDef build fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
classDef security fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white
classDef crypto fill:#f39c12,stroke:#e67e22,stroke-width:1.5px,color:black
classDef release fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
class A trigger
class B,C,D,E build
class F,K security
class G,H,I,J crypto
class L,M release
Attestation Verification
End-users can verify artifact integrity using the GitHub CLI:
# Verify build provenance
gh attestation verify euparliamentmonitor-v1.0.0.zip --owner Hack23
# Verify SBOM attestation
gh attestation verify euparliamentmonitor-v1.0.0.spdx.json --owner Hack23
# Expected output: โ
Verification successful
# Attestation bundle verified with signer's certificate
ISMS Reference: Secure Development Policy ยง4.4 โ Supply Chain Security
๐ Security Scanning Pipeline
Security scanning tools are integrated into the CI/CD pipeline with triggers as documented in the matrix below (e.g., push, pull request, schedule, pre-commit).
Scanning Tool Matrix
| Tool | Type | Triggers | Findings Location | Blocks Merge? |
|---|---|---|---|---|
| CodeQL | SAST | Push, PR, weekly Saturday | GitHub Security tab | Yes (via required check) |
| npm audit | SCA | Push, PR | Workflow logs | Yes (new โฅ moderate, allowlist exceptions) |
| Dependency Review | SCA | PR only | PR comments | Yes |
| ESLint | SAST Lint | Push, PR, pre-commit | Workflow logs | Yes |
| HTMLHint | Validation | Push, PR, pre-commit | Workflow logs | Warning |
| REUSE | Compliance | Push, PR, weekly Monday | Workflow logs | Yes |
| OpenSSF Scorecard | Posture | Push, weekly Tuesday | SARIF โ Security tab | Advisory |
| gitleaks | Secret Scan | Pre-commit | Terminal | Yes (pre-commit) |
Integrated Scanning Flow
graph LR
subgraph Triggers["โก Triggers"]
PR[Pull Request]
PS[Push to main]
SC[Schedule Weekly]
end
subgraph Scanning["๐ Security Scanning"]
CQL[CodeQL SAST<br/>JS/TS + Actions]
NA[npm audit<br/>CVE check]
DR[Dependency Review<br/>CVE block on PR]
RL[REUSE<br/>License compliance]
SC2[OpenSSF Scorecard<br/>Posture assessment]
end
subgraph Output["๐ Results"]
GH[GitHub Security<br/>Alerts Dashboard]
PRC[PR Comments<br/>Inline feedback]
SAR[SARIF Upload<br/>Code scanning tab]
WL[Workflow Logs<br/>Actions tab]
end
PR --> CQL & NA & DR & RL
PS --> CQL & NA & RL & SC2
CQL --> SAR
NA --> WL
DR --> PRC
RL --> WL
SC2 --> SAR
SAR --> GH
classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white
classDef scanning fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white
classDef output fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
class PR,PS,SC trigger
class CQL,NA,DR,RL,SC2 scanning
class GH,PRC,SAR,WL output
๐ฆ Deployment Security Gates
Production deployment to AWS S3 + CloudFront is protected by multiple sequential security gates that must all pass before code reaches production.
Security Gate Sequence
graph TD
A[Developer: Push / PR] --> B{Branch Protection<br/>Rules}
B -->|Protected branch| C[Required Status Checks]
C --> D{CI Tests Pass?<br/>test-and-report.yml}
D -->|โ
Pass| E{CodeQL Scan Pass?<br/>codeql.yml}
D -->|โ Fail| BLOCK[๐ซ Merge Blocked]
E -->|โ
Pass| F{REUSE Compliance?<br/>reuse.yml}
E -->|โ Fail| BLOCK
F -->|โ
Pass| G{Code Review<br/>Approved?}
F -->|โ Fail| BLOCK
G -->|โ
Approved| H[Merge to main]
G -->|โ Pending| BLOCK
H --> I[Deploy to S3<br/>deploy-s3.yml triggered]
I --> J[Harden Runner<br/>egress: BLOCK mode]
J --> K[OIDC AWS Auth<br/>id-token: write]
K --> L[S3 Sync<br/>Cache-optimised]
L --> M[CloudFront Invalidation<br/>Cache flush]
M --> N[โ
Production Live<br/>hack23.com]
classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white
classDef decision fill:#f39c12,stroke:#e67e22,stroke-width:2px,color:black
classDef pass fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
classDef fail fill:#e74c3c,stroke:#c0392b,stroke-width:2px,color:white
classDef aws fill:#FF9900,stroke:#232F3E,stroke-width:1.5px,color:white
classDef security fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
class A trigger
class B,D,E,F,G decision
class C,H,N pass
class BLOCK fail
class I,J,K security
class L,M aws
AWS Deployment Security Controls
| Control | Implementation | ISMS Reference |
|---|---|---|
| OIDC Federation | aws-actions/configure-aws-credentials with role ARN |
No long-lived secrets |
| Minimal IAM Role | GithubWorkFlowRole โ S3 + CloudFront only |
Least privilege |
| Egress Block Mode | Harden Runner blocks all non-allowlisted endpoints | Network security |
| mtime Preservation | Git commit times restored before sync | Change detection accuracy |
| Cache-Optimised Sync | Per-type cache headers (HTML: 1h, assets: 1y) | Performance + integrity |
| HTTPS Enforcement | CloudFront HTTPS-only distribution | Data in transit protection |
| TLS 1.3 | CloudFront + S3 expected to enforce TLS 1.3 (configured in AWS account) | Cryptography Policy |
๐ Workflow Failure Handling & Rollback
Failure Classification and Response
| Failure Type | Detection | Automated Response | Manual Action |
|---|---|---|---|
| Test failure | CI job exits non-zero | Workflow marked failed, merge blocked | Review logs, fix code, re-push |
| Security finding (CodeQL, new) | CodeQL analysis | PR comment + GitHub Security alert | Assess, fix or document false positive |
| Security finding (npm audit, new) | npm audit in test-and-report.yml |
Workflow failed, findings in logs only | Review audit output, update deps or add to allowlist per policy |
| Security finding (known / accepted) | Known GHSA in audit allowlist | Intelligent triage passes | Document in SECURITY.md and risk register |
| Deployment failure | S3 sync / CF invalidation error | Workflow failed, previous version still live | Check AWS CloudWatch, re-run |
| Attestation failure | Sigstore API / OIDC error | Release blocked | Retry workflow, check OIDC config |
| REUSE non-compliance | Missing SPDX header | PR blocked | Add SPDX-FileCopyrightText headers |
| Agentic workflow failure | Agent timeout or error | PR not created, workflow marked failed | Review agent logs, re-trigger manually |
Rollback Procedure
graph TD
A[๐จ Production Incident Detected] --> B{Incident Type}
B -->|Content error| C[Re-run deploy-s3.yml<br/>from previous commit]
B -->|Security breach| D[Immediate CloudFront disable]
B -->|Dependency vuln| E[npm audit fix + re-deploy]
C --> F[git revert + push to main]
F --> G[Auto-deploy triggered]
D --> H[Revoke AWS role session]
H --> I[Investigate + patch]
I --> J[Re-enable CloudFront]
E --> K[PR with dep update]
K --> L[CI gates pass]
L --> M[Merge + auto-deploy]
G --> N[โ
Rollback Complete]
J --> N
M --> N
classDef alert fill:#e74c3c,stroke:#c0392b,stroke-width:2px,color:white
classDef decision fill:#f39c12,stroke:#e67e22,stroke-width:2px,color:black
classDef content fill:#3498db,stroke:#2980b9,stroke-width:1.5px,color:white
classDef security fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
classDef dependency fill:#e67e22,stroke:#d35400,stroke-width:1.5px,color:white
classDef complete fill:#27ae60,stroke:#1e8449,stroke-width:2px,color:white
class A alert
class B decision
class C,F,G content
class D,H,I,J security
class E,K,L,M dependency
class N complete
Recovery Time Objectives
| Scenario | RTO Target | Procedure |
|---|---|---|
| Broken deployment | < 15 minutes | Re-run deploy-s3.yml from last good commit |
| Content regression | < 30 minutes | git revert + auto-deploy pipeline |
| Dependency vulnerability | < 4 hours | npm audit fix + PR + deploy |
| Security incident | < 1 hour | CloudFront disable + incident response |
ISMS Reference: BCP Plan | Incident Response
๐ฆ Dependabot Security Configuration
Configuration: .github/dependabot.yml
Dependabot is configured with two package ecosystems, both scheduled on Monday to batch updates and reduce CI noise.
Dependabot Configuration Summary
| Ecosystem | Directory | Schedule | PR Limit | Groups |
|---|---|---|---|---|
| npm | / |
Weekly, Mon 06:00 UTC | 10 | dev-deps (minor/patch), prod-deps (minor/patch) |
| github-actions | / |
Weekly, Mon 07:00 UTC | Unlimited | github-actions (minor/patch) |
Update Grouping Strategy
graph LR
A[Dependabot Scan] --> B{Package Type?}
B -->|Development dep| C[Group: development-dependencies<br/>minor + patch updates]
B -->|Production dep| D[Group: production-dependencies<br/>minor + patch updates]
B -->|GitHub Action| E[Group: github-actions<br/>minor + patch updates]
C --> F[Single PR: all dev dep updates]
D --> G[Single PR: all prod dep updates]
E --> H[Single PR: all action SHA updates]
F --> I[CI gates validate]
G --> I
H --> I
I --> J{Pass?}
J -->|Yes| K[Auto-merge eligible]
J -->|No| L[Manual review required]
classDef scanner fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white
classDef decision fill:#f39c12,stroke:#e67e22,stroke-width:2px,color:black
classDef group fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white
classDef pr fill:#e67e22,stroke:#d35400,stroke-width:1.5px,color:white
classDef pass fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white
classDef fail fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white
class A scanner
class B,J decision
class C,D,E group
class F,G,H pr
class I,K pass
class L fail
Commit Message Convention
| Type | Prefix | Example |
|---|---|---|
| npm dep update | build(deps): |
build(deps): bump eslint from 8.x to 9.x |
| npm dev dep | build(deps-dev): |
build(deps-dev): bump vitest from 2.x to 3.x |
| Actions update | build(deps): |
build(deps): bump actions/checkout from v4 to v5 |
Security Labels: All Dependabot PRs are labelled dependencies + javascript or github_actions for easy filtering.
๐ก Workflow Monitoring & Alerting
Workflow Status Badges
All primary workflows expose real-time status badges in README.md and this document for instant visibility into pipeline health:
| Workflow | Badge | Target |
|---|---|---|
| Test & Report | |
Green always |
| CodeQL | |
Green always |
| E2E Tests | |
Green always |
| REUSE | |
Green always |
| OpenSSF Scorecard | โฅ 8.0/10 |
GitHub Security Dashboard Integration
The following tools integrate with the GitHub Security Dashboard via SARIF or native mechanisms:
| Tool | Integration Type | Destination |
|---|---|---|
| CodeQL | SARIF via github/codeql-action/analyze |
GitHub Security Dashboard (code scanning alerts) |
| OpenSSF Scorecard | SARIF via github/codeql-action/upload-sarif |
GitHub Security Dashboard (code scanning alerts) |
| Dependabot | Native GitHub integration | GitHub Security Dashboard (Dependabot alerts) |
Alerting Channels
| Event | Alert Channel | Severity |
|---|---|---|
| Critical CVE found | GitHub Security Advisories | P1 โ Immediate |
| Workflow failure on main | GitHub email notification | P2 โ Same day |
| Scorecard score drop | Weekly scorecard badge | P3 โ Weekly review |
| Dependabot PR opened | GitHub PR notification | P4 โ Next Monday batch |
๐ ISMS Policy Alignment Summary
Policy Coverage
| ISMS Policy | Workflows Implementing Controls | Evidence |
|---|---|---|
| ๐ ๏ธ Secure Development Policy | All 22 workflows | This document |
| ๐ Information Security Policy | CodeQL, OpenSSF Scorecard | SECURITY_ARCHITECTURE.md |
| ๐ Access Control Policy | deploy-s3 (OIDC), release (minimal permissions) | Workflow files |
| ๐ Cryptography Policy | deploy-s3 (TLS), release (Sigstore/SLSA) | Attestations |
| ๐ Open Source Policy | REUSE compliance workflow | REUSE.toml |
| ๐ Vulnerability Management | CodeQL, npm audit, Dependency Review | GitHub Security tab, PR checks |
| ๐ Change Management | Branch protection, CI gates, PR reviews | Workflow gate enforcement |
| ๐จ Incident Response Plan | Rollback procedures, incident classification | ยงFailure Handling section |
Secure Development Policy Alignment
| Policy Section | Implementation | Evidence |
|---|---|---|
| ยง3.2 Architecture Documentation | Documentation-as-code in release workflow | SECURITY_ARCHITECTURE.md |
| ยง3.3 Testing Requirements | 169 unit tests, E2E tests, 82%+ coverage | Test & Report Workflow |
| ยง4.1 CI/CD Security | All workflows with security controls | This document |
| ยง4.3 Security Scanning | CodeQL, npm audit, Dependabot | CodeQL Workflow |
| ยง4.4 Supply Chain Security | SLSA L3, SBOM, Dependency Review, REUSE | Release Workflow |
| ยง10.1 CI/CD Workflow Excellence | 22 automated workflows, 100% SHA-pinned | This document |
Compliance Frameworks
| Framework | Version | Controls Implemented | Evidence Location |
|---|---|---|---|
| ISO 27001 | 2022 | A.8.25, A.8.26, A.8.27, A.8.28, A.12.1.4, A.12.6.1, A.14.2.1 | Workflow files + this document |
| NIST CSF | 2.0 | ID.SC (Supply Chain), DE.CM (Detection), PR.DS (Data Security) | SECURITY_ARCHITECTURE.md |
| CIS Controls | v8.1 | 2.2, 4.1, 7.1, 16.1, 16.5, 16.7, 16.12 | Scorecard |
| SLSA | L3 | Build provenance, hermetic build, non-falsifiable, authenticated | Attestations |
| OpenSSF | โ | SHA-pinned actions (100%), Harden Runner, branch protection | Scorecard Report |
| EU CRA | 2024 | SBOM generation, vulnerability disclosure, security updates | Release Workflow |
๐ฌ Political Intelligence Operations Centre
The 10 agentic news workflows collectively form a European Parliament Political Intelligence Operations Centre โ a systematic, automated pipeline that transforms raw parliamentary data into multi-language political intelligence articles published daily.
Intelligence Collection Cycle
The following diagram shows the complete intelligence cycle from EP data collection through analysis to multi-language publication:
flowchart TD
subgraph Collection["๐ก COLLECTION<br/>(EP MCP Server v1.1.20)"]
direction TB
C1["๐ณ๏ธ Votes &<br/>Adopted Texts"]
C2["๐ Legislative<br/>Procedures"]
C3["๐๏ธ Committee<br/>Documents"]
C4["๐ค Plenary<br/>Speeches"]
C5["โ Parliamentary<br/>Questions"]
C6["๐
Events &<br/>Meetings"]
C7["๐ค MEP Data &<br/>Declarations"]
end
subgraph Analysis["๐ฌ ANALYSIS<br/>(Political Intelligence Pipeline)"]
direction TB
A1["๐ท๏ธ Classification<br/>7-dimension taxonomy"]
A2["โ ๏ธ Risk Assessment<br/>5ร5 Likelihood ร Impact"]
A3["๐ญ Threat Landscape<br/>6 political dimensions"]
A4["๐ผ SWOT Analysis<br/>Evidence-based quadrants"]
A5["๐ Significance Scoring<br/>Publication priority"]
A6["๐ฅ Stakeholder Impact<br/>Multi-perspective"]
end
subgraph Production["๐ฐ PRODUCTION<br/>(9 Content Workflows)"]
direction TB
P1["โก Breaking News<br/>Every 6 hours"]
P2["๐ Daily Intelligence<br/>Motions + Propositions + Committees"]
P3["๐
Weekly Intelligence<br/>Week Ahead + Weekly Review"]
P4["๐ Monthly Intelligence<br/>Month Ahead + Monthly Review"]
P5["๐ฏ On-Demand<br/>Article Generator"]
end
subgraph Distribution["๐ DISTRIBUTION<br/>(14 Languages)"]
direction TB
D1["๐ฌ๐ง English<br/>(source)"]
D2["๐ธ๐ช๐ฉ๐ฐ๐ณ๐ด๐ซ๐ฎ<br/>Nordic Languages"]
D3["๐ฉ๐ช๐ซ๐ท๐ช๐ธ๐ณ๐ฑ<br/>Western European"]
D4["๐ธ๐ฆ๐ฎ๐ฑ๐ฏ๐ต๐ฐ๐ท๐จ๐ณ<br/>Global Languages"]
end
Collection --> Analysis --> Production --> D1
D1 --> |"news-translate<br/>workflow"| D2 & D3 & D4
style Collection fill:#1565C0,stroke:#0D47A1,color:#FFFFFF
style Analysis fill:#6A1B9A,stroke:#4A148C,color:#FFFFFF
style Production fill:#2E7D32,stroke:#1B5E20,color:#FFFFFF
style Distribution fill:#E65100,stroke:#BF360C,color:#FFFFFF
Threat Landscape Dimensions Monitored
The political intelligence pipeline monitors six threat landscape dimensions across all parliamentary activity:
mindmap
root((๐ญ Political<br/>Threat Landscape))
๐ Coalition Shifts
Grand coalition stability
Cross-party alliance formation
Defection patterns
Group cohesion metrics
๐ Transparency Deficit
Access-to-information gaps
Lobbying disclosure failures
Declaration compliance
Procedural opacity
โช Policy Reversal
Legislative rollback risk
Position contradiction
Commitment abandonment
Implementation failure
๐๏ธ Institutional Pressure
Inter-institutional friction
Council-Parliament disputes
Commission accountability
Rule-of-law mechanisms
๐ง Legislative Obstruction
Procedure stalling
Amendment flooding
Committee bottlenecks
Trilogue deadlocks
๐ณ๏ธ Democratic Erosion
Participation decline
Representation gaps
Accountability weakening
Mandate legitimacy
Workflow Cadence โ Weekly Intelligence Rhythm
The 10 agentic workflows follow a carefully orchestrated schedule to ensure continuous intelligence coverage of the European Parliament:
gantt
title Weekly Agentic Workflow Cadence (UTC)
dateFormat HH:mm
axisFormat %H:%M
section Daily (Mon-Fri)
Committee Reports (04:00) :active, d1, 04:00, 1h
Propositions (05:00) :active, d2, 05:00, 1h
Motions (06:00) :active, d3, 06:00, 1h
Breaking News (00/06/12/18) :crit, d4, 00:00, 1h
section Weekly
Week Ahead (Fri 07:00) :d5, 07:00, 1h
section Weekend
Weekly Review (Sat 09:00) :d6, 09:00, 1h
section Translation
Translate (09/12/15 Weekdays) :d7, 09:00, 1h
Translate (Sat 15:00) :d8, 15:00, 1h
section Monthly
Month Ahead (1st, 08:00) :milestone, m1, 08:00, 0h
Monthly Review (28th, 10:00) :milestone, m2, 10:00, 0h
Data Flow โ EP MCP Server to Published Article
flowchart LR
subgraph "๐๏ธ European Parliament"
EP["EP Open Data Portal"]
end
subgraph "๐ MCP Layer"
MCP["EP MCP Server<br/>v1.1.20<br/>(120s timeout)"]
end
subgraph "๐ค Agent Layer"
Agent["GitHub Copilot<br/>claude-opus-4.6"]
Analyze["Analysis Pipeline<br/>6 methodologies<br/>8 templates"]
end
subgraph "๐ฐ Output Layer"
EN["๐ฌ๐ง English Article"]
Translate["Translation Agent"]
Multi["๐ 13 Additional<br/>Languages"]
end
subgraph "๐ Deployment"
PR["Pull Request"]
Pages["GitHub Pages"]
S3["AWS S3 CDN"]
end
EP --> MCP --> Agent --> Analyze --> EN --> PR
EN --> Translate --> Multi --> PR
PR --> |"merge"| Pages & S3
style EP fill:#003399,stroke:#002266,color:#FFFFFF
style MCP fill:#6A1B9A,stroke:#4A148C,color:#FFFFFF
style Agent fill:#1565C0,stroke:#0D47A1,color:#FFFFFF
style Analyze fill:#C62828,stroke:#B71C1C,color:#FFFFFF
style EN fill:#2E7D32,stroke:#1B5E20,color:#FFFFFF
style Translate fill:#E65100,stroke:#BF360C,color:#FFFFFF
style Multi fill:#F57F17,stroke:#F9A825,color:#000000
style PR fill:#37474F,stroke:#263238,color:#FFFFFF
style Pages fill:#00695C,stroke:#004D40,color:#FFFFFF
style S3 fill:#FF6F00,stroke:#E65100,color:#FFFFFF
Analysis Artifact Structure
Each content workflow deposits analysis artifacts in an isolated directory:
analysis/2026-03-31/
โโโ ai-daily-synthesis.md โ Cross-article synthesis (date root)
โโโ breaking/ โ news-breaking workflow
โ โโโ manifest.json
โ โโโ classification/
โ โโโ threat-assessment/
โ โโโ risk-scoring/
โ โโโ data/ โ EP MCP data for this workflow
โโโ committee-reports/ โ news-committee-reports workflow
โ โโโ manifest.json
โ โโโ classification/
โ โโโ data/
โโโ motions/ โ news-motions workflow
โ โโโ manifest.json
โ โโโ data/
โโโ propositions/ โ news-propositions workflow
โ โโโ manifest.json
โ โโโ data/
โโโ week-ahead/ โ news-week-ahead workflow (Fridays)
โโโ manifest.json
โโโ data/
๐จ Isolation Rule: Each workflow writes ONLY to its own
{article-type-slug}/subdirectory. Cross-workflow overwrites are prohibited. Theai-*.mdsynthesis files at the date root aggregate across all workflows.
๐ Continuous Improvement
Planned Enhancements
See FUTURE_WORKFLOWS.md for:
- Advanced security scanning
- Performance testing enhancements
- Deployment automation improvements
- Multi-environment support
- Fuzzing integration
๐ Related Documentation
| Document | Focus | Link |
|---|---|---|
| ๐ Security Architecture | Current security implementation | SECURITY_ARCHITECTURE.md |
| ๐ Security Flowcharts | Process flows with security controls | FLOWCHART.md |
| ๐ Data Model | Data structures and flows | DATA_MODEL.md |
| ๐ Future Workflows | Planned enhancements | FUTURE_WORKFLOWS.md |
| ๐ Release Process | Release procedures | docs/RELEASE_PROCESS.md |
| ๐ก๏ธ ISMS Policy | Security policy framework | Hack23 ISMS-PUBLIC |
| ๐ฆ Dependabot Config | Automated dependency updates | .github/dependabot.yml |
๐ Questions? Contact: Security Team
๐ Security Issues? See SECURITY.md for vulnerability disclosure
Last updated: 2026-03-10 by Documentation Architect / DevOps Engineer