{"id":49620830,"url":"https://github.com/KevinRabun/GDPRShiftLeftMCP","last_synced_at":"2026-06-07T06:00:39.661Z","repository":{"id":336925905,"uuid":"1151704922","full_name":"KevinRabun/GDPRShiftLeftMCP","owner":"KevinRabun","description":"GDPR Shift-Left Compliance MCP Server — Azure-focused GDPR compliance automation.","archived":false,"fork":false,"pushed_at":"2026-02-21T17:06:22.000Z","size":390,"stargazers_count":2,"open_issues_count":1,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-04-11T17:08:54.414Z","etag":null,"topics":["compliance-as-code","compliance-automation","gdpr","gdpr-compliance","gdpr-compliant","mcp","mcp-server"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/KevinRabun.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-06T19:50:00.000Z","updated_at":"2026-02-21T02:33:39.000Z","dependencies_parsed_at":null,"dependency_job_id":"19010374-51f8-42b5-8adf-8d4f66595031","html_url":"https://github.com/KevinRabun/GDPRShiftLeftMCP","commit_stats":null,"previous_names":["kevinrabun/gdprshiftleftmcp"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/KevinRabun/GDPRShiftLeftMCP","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KevinRabun%2FGDPRShiftLeftMCP","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KevinRabun%2FGDPRShiftLeftMCP/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KevinRabun%2FGDPRShiftLeftMCP/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KevinRabun%2FGDPRShiftLeftMCP/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/KevinRabun","download_url":"https://codeload.github.com/KevinRabun/GDPRShiftLeftMCP/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KevinRabun%2FGDPRShiftLeftMCP/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34010556,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-07T02:00:07.652Z","response_time":124,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["compliance-as-code","compliance-automation","gdpr","gdpr-compliance","gdpr-compliant","mcp","mcp-server"],"created_at":"2026-05-05T02:00:24.248Z","updated_at":"2026-06-07T06:00:39.654Z","avatar_url":"https://github.com/KevinRabun.png","language":"Python","funding_links":[],"categories":["カテゴリ"],"sub_categories":["🔒 \u003ca name=\"security--auth\"\u003e\u003c/a\u003eセキュリティ・認証"],"readme":"# GDPR Shift-Left MCP Server\n\n\u003c!-- mcp-name: io.github.KevinRabun/GDPRShiftLeftMCP --\u003e\n\n[![Tests \u0026 Judges](https://github.com/KevinRabun/GDPRShiftLeftMCP/actions/workflows/test.yml/badge.svg)](https://github.com/KevinRabun/GDPRShiftLeftMCP/actions/workflows/test.yml)\n[![PyPI version](https://img.shields.io/pypi/v/gdpr-shift-left-mcp)](https://pypi.org/project/gdpr-shift-left-mcp/)\n[![Python versions](https://img.shields.io/pypi/pyversions/gdpr-shift-left-mcp)](https://pypi.org/project/gdpr-shift-left-mcp/)\n[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)\n\nA Model Context Protocol (MCP) server that brings **GDPR compliance knowledge directly into your IDE**, enabling developers and compliance teams to \"shift left\" — identifying and addressing data protection requirements early in the development lifecycle.\n\n\u003e **⚠️ Disclaimer:** This tool provides informational guidance only and **does not constitute legal advice**. Organisations should consult qualified legal counsel for binding GDPR compliance decisions.\n\n## Features\n\n### 🔍 GDPR Knowledge Base (34 Tools)\n- **Article Lookup** — Retrieve any GDPR article by number, search across all 99 articles and 173 recitals\n- **Definitions** — Art. 4 term definitions with contextual explanations\n- **Chapter Navigation** — Browse articles by chapter with full directory\n- **Azure Mappings** — Map GDPR articles to Azure services and controls\n\n### 📋 Compliance Workflows\n- **DPIA Assessment** — Assess whether a DPIA is required (EDPB 9-criteria test), generate Art. 35 templates\n- **ROPA Builder** — Generate and validate Art. 30 Records of Processing Activities\n- **DSR Guidance** — Step-by-step workflows for all 7 data subject rights (Arts. 12–23)\n- **Retention Analysis** — Assess retention policies against Art. 5(1)(e) storage limitation\n- **Controller/Processor Role Classification** — Assess data roles, get obligations, analyze code patterns, generate DPA checklists\n\n### 🏗️ Infrastructure \u0026 Code Review\n- **Bicep/Terraform/ARM Analyzer** — Scan IaC for GDPR violations (encryption, access, network, residency, logging, retention)\n- **Application Code Analyzer** — Detect PII logging, hardcoded secrets, missing consent checks, data minimisation issues\n- **GDPR Config Validator** — Pass/fail validation in strict or advisory mode\n- **DSR Capability Analyzer** — Detect implementation of all 7 data subject rights (Arts. 15–22)\n- **Cross-Border Transfer Analyzer** — Identify third-party APIs/SDKs that may transfer data outside EEA, with **risk justifications** explaining why each provider has its assigned risk level (based on headquarters location, adequacy decisions, and data sensitivity)\n- **Breach Readiness Analyzer** — Assess breach detection, logging, and notification capabilities\n- **Data Flow Analyzer** — Map personal data lifecycle (collection, storage, transmission, deletion)\n- **AST Code Analyzer** — Deep analysis using Abstract Syntax Trees for Python, JavaScript, TypeScript, Java, C#, and Go with:\n  - PII detection in function parameters and variables\n  - Cross-border transfer detection via import analysis (150+ providers with risk justifications)\n  - PII logging violation detection\n  - DSR implementation pattern verification\n  - Data flow tracking and call graph analysis\n\n### 📝 Guided Prompts (8 Expert Prompts)\n- Gap Analysis, DPIA Assessment, Compliance Roadmap, Data Mapping\n- Incident Response, Azure Privacy Review, Vendor Assessment, Cross-Border Transfers\n\n### 📐 Azure Bicep Templates (19 Templates)\n- **Storage Account** — CMK encryption, Private Endpoint, lifecycle policies (Art. 5, 25, 32, 44-49)\n- **Key Vault** — HSM-backed Premium, purge protection, RBAC (Art. 25, 32)\n- **Azure SQL** — Entra-only auth, TDE, auditing (Art. 25, 32)\n- **Log Analytics** — 365-day retention, saved GDPR queries for breach/access/erasure tracking (Art. 5(2), 30, 33)\n- **Cosmos DB** — EU-only regions, strong consistency, continuous backup, TTL-enabled ROPA container (Art. 25, 32, 44-49)\n- **App Service** — Managed identity, TLS 1.2, VNet integration, staging slot, full audit logging (Art. 25, 32)\n- **Virtual Network** — 3 subnets, NSGs with least-privilege rules, service endpoints (Art. 25, 32, 5(1)(f))\n- **Container Apps** — Internal ingress, mutual TLS, zone redundancy, managed identity (Art. 25, 32)\n- **Monitor Alerts** — DPO action group, 4 scheduled alerts for sign-in/exfiltration/escalation/Key Vault (Art. 33, 34, 32)\n- **PostgreSQL Flexible Server** — Zone-redundant HA, Entra ID auth, pgaudit, geo-redundant backups (Art. 25, 32, 5(1)(e))\n- **Service Bus Premium** — CMK encryption, GDPR queues for DSR/consent/breach/retention (Art. 25, 32, 5(1)(f))\n- **AKS** — Private cluster, Azure CNI, Defender for Containers, workload identity, network policies (Art. 25, 32, 5(1)(f))\n- **Confidential Ledger** — TEE-backed tamper-proof audit trail for GDPR accountability records (Art. 5(2), 30, 33)\n- **Confidential VM** — AMD SEV-SNP encrypted memory, vTPM, secure boot, ephemeral OS disk (Art. 25, 32, 5(1)(f))\n- **Entra ID Configuration** — Audit log routing, sign-in monitoring, Conditional Access checklist (Art. 32, 5(2))\n- **Azure Policy** — EU region restriction, CMK enforcement, tag requirements, HTTPS-only (Art. 25, 32, 44)\n- **Defender for Cloud** — All Defender plans, security contacts, auto-provisioning, GDPR compliance dashboard (Art. 32, 33)\n- **API Management** — Internal VNet, TLS 1.2+, rate limiting, data masking policies, audit logging (Art. 25, 32, 30)\n- **Front Door with WAF** — OWASP rules, EU/EEA geo-filtering, bot protection, rate limiting (Art. 25, 32, 44)\n\n## Quick Start\n\n### Prerequisites\n- Python 3.10+\n- VS Code with GitHub Copilot\n\n### Installation\n\n#### Install from the MCP Registry (recommended)\n\nThe server is published to the [MCP Registry](https://registry.modelcontextprotocol.io). You can install it directly in VS Code:\n\n1. Open the Extensions view (`Ctrl+Shift+X`)\n2. Type `@mcp GDPR` in the search field\n3. Click **Install** on \"GDPR Shift-Left Compliance\"\n\n\u003e **Note:** The VS Code MCP gallery shows a curated subset of servers by default. If the server doesn't appear, add this to your VS Code **User Settings** (`Ctrl+,` → Open Settings JSON):\n\u003e\n\u003e ```json\n\u003e \"chat.mcp.gallery.serviceUrl\": \"https://registry.modelcontextprotocol.io\"\n\u003e ```\n\u003e\n\u003e This points VS Code at the full MCP Registry (5,000+ servers) instead of GitHub's curated list.\n\n#### Install via uvx (no clone needed)\n\n```bash\nuvx gdpr-shift-left-mcp\n```\n\n#### Install from source\n\n```bash\n# Clone the repository\ngit clone https://github.com/KevinRabun/GDPRShiftLeftMCP.git\ncd GDPRShiftLeftMCP\n\n# Install in development mode\npip install -e \".[dev]\"\n```\n\n### VS Code Integration\n\nThe repository includes `.vscode/mcp.json` for automatic MCP server registration. After installation, the GDPR tools appear in GitHub Copilot's tool list.\n\nTo configure manually, add to your VS Code settings:\n\n```json\n{\n  \"mcp\": {\n    \"servers\": {\n      \"gdpr-shift-left-mcp\": {\n        \"type\": \"stdio\",\n        \"command\": \"python\",\n        \"args\": [\"-m\", \"gdpr_shift_left_mcp\"]\n      }\n    }\n  }\n}\n```\n\n### Running the Server\n\n```bash\n# Run directly\npython -m gdpr_shift_left_mcp\n\n# Or via the installed entry point\ngdpr-shift-left-mcp\n```\n\n## Tool Reference\n\n| Tool | Description | GDPR Articles |\n|------|-------------|---------------|\n| `get_article` | Retrieve a GDPR article by number | All |\n| `list_chapter_articles` | List all articles in a chapter | All |\n| `search_gdpr` | Full-text search across GDPR | All |\n| `get_recital` | Retrieve a recital by number | All |\n| `get_azure_mapping` | Azure services for a GDPR article | All |\n| `get_definition` | Art. 4 term definition | Art. 4 |\n| `list_definitions` | List all definitions | Art. 4 |\n| `search_definitions` | Search definitions | Art. 4 |\n| `assess_dpia_need` | Check if DPIA is required | Art. 35 |\n| `generate_dpia_template` | Generate DPIA document | Art. 35 |\n| `get_dpia_guidance` | DPIA area guidance | Art. 35–36 |\n| `generate_ropa_template` | Art. 30 ROPA template | Art. 30 |\n| `validate_ropa` | Validate ROPA completeness | Art. 30 |\n| `get_ropa_requirements` | ROPA field requirements | Art. 30 |\n| `get_dsr_guidance` | DSR handling guidance | Arts. 12–23 |\n| `generate_dsr_workflow` | DSR fulfilment workflow | Arts. 12–23 |\n| `get_dsr_timeline` | DSR response timelines | Art. 12(3) |\n| `analyze_infrastructure_code` | Scan IaC for GDPR issues | Art. 25, 32, 44 |\n| `analyze_application_code` | Scan app code for GDPR issues | Art. 5, 25, 32 |\n| `validate_gdpr_config` | Pass/fail GDPR validation | All |\n| `assess_retention_policy` | Assess retention policy | Art. 5(1)(e) |\n| `get_retention_guidance` | Category-specific retention | Art. 5(1)(e) |\n| `check_deletion_requirements` | Deletion capability checklist | Art. 17 |\n| `assess_controller_processor_role` | Assess data controller/processor role | Art. 4, 24, 26, 28 |\n| `get_role_obligations` | Role-specific GDPR obligations | Art. 24, 26, 28 |\n| `analyze_code_for_role_indicators` | Detect controller/processor code patterns | Art. 4, 24, 28 |\n| `generate_dpa_checklist` | Art. 28 DPA agreement checklist | Art. 28 |\n| `get_role_scenarios` | Common role classification scenarios | Art. 4, 24, 26, 28 |\n| `analyze_dsr_capabilities` | Detect DSR implementation (access, erase, portability, etc.) | Arts. 15–22 |\n| `analyze_cross_border_transfers` | Detect third-party APIs/SDKs with risk justifications | Arts. 44–49 |\n| `analyze_breach_readiness` | Assess breach detection, logging, and notification capabilities | Arts. 33–34 |\n| `analyze_data_flow` | Map personal data lifecycle (collection, storage, transmission, deletion) | Art. 30 |\n| `analyze_code_ast` | Deep AST analysis for Python/JS/TS/Java/C#/Go (PII, cross-border, DSR) | Art. 5, 25, 32, 44 |\n| `get_ast_capabilities` | Get AST analyzer supported languages and features | All |\n\n## Architecture\n\n```\nsrc/gdpr_shift_left_mcp/\n├── __init__.py              # Package init\n├── __main__.py              # Entry point\n├── server.py                # FastMCP server + prompt registration\n├── disclaimer.py            # Legal disclaimer utility\n├── data_loader.py           # Online GDPR data fetching + caching\n├── tools/\n│   ├── __init__.py          # Tool registration (34 tools)\n│   ├── articles.py          # Article/recital/search tools\n│   ├── definitions.py       # Art. 4 definition tools\n│   ├── dpia.py              # DPIA assessment tools\n│   ├── ropa.py              # ROPA builder tools\n│   ├── dsr.py               # Data subject rights tools\n│   ├── analyzer.py          # IaC + app code analyzer\n│   ├── ast_analyzer.py      # AST-based deep code analysis\n│   ├── retention.py         # Retention/deletion tools\n│   └── role_classifier.py   # Controller/processor role classification\n├── prompts/\n│   ├── __init__.py          # Prompt loader\n│   └── *.txt                # 8 expert prompt templates\n└── templates/\n    ├── __init__.py           # Template loader\n    └── *.bicep               # GDPR-aligned Azure Bicep templates\n```\n\n## Testing\n\n```bash\n# Run all tests\npytest\n\n# Run with coverage\npytest --cov=gdpr_shift_left_mcp --cov-report=html\n\n# Run judges (end-to-end evaluators)\npython -m tests.evaluator.run_judges\n```\n\n## Online Updates\n\nThe server fetches GDPR data from a configurable online source, with local caching:\n\n- **Source URL:** Set via `GDPR_SOURCE_URL` environment variable\n- **Cache TTL:** Default 1 hour (configurable via `GDPR_CACHE_TTL`)\n- **Cache directory:** `__gdpr_cache__/` (configurable via `GDPR_CACHE_DIR`)\n- **Fallback:** Built-in data if online fetch fails\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines. This project follows Git Flow branching:\n\n- `feature/\u003cname\u003e` for new features\n- `bugfix/\u003cname\u003e` for fixes\n- `release/\u003cversion\u003e` for releases\n- `hotfix/\u003cname\u003e` for production fixes\n\nAll PRs must pass automated tests and judges before merging.\n\n## License\n\nMIT — see [LICENSE](LICENSE) for details.\n\n## Acknowledgements\n\n- Architecture inspired by [FedRAMP20xMCP](https://github.com/KevinRabun/FedRAMP20xMCP)\n- GDPR text from [EUR-Lex](https://eur-lex.europa.eu/eli/reg/2016/679/oj)\n- EDPB guidelines from [edpb.europa.eu](https://www.edpb.europa.eu/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FKevinRabun%2FGDPRShiftLeftMCP","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FKevinRabun%2FGDPRShiftLeftMCP","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FKevinRabun%2FGDPRShiftLeftMCP/lists"}