Fixops acquisition review

[DevOpsMadDog]

Create acquisition collateral documents to highlight FixOps' AI governance, privacy, and strategic value for potential acquirers.

---

 

---

Summary by cubic

Adds core governance and privacy modules plus acquisition docs to position FixOps for buyers and enable concrete compliance artifacts. Delivers AI-BOMs, system cards, private data sharing, and data residency controls to support due diligence.

• New Features
  • core/ai_bom.py: AI-BOM generator (CycloneDX 1.5) with model cards, training data lineage, deps, and hashing.
  • core/ai_governance.py: System Cards aligned to ISO 42001/NIST AI RMF with fairness/safety results, oversight, and markdown reports.
  • core/differential_privacy.py: Local DP (randomized response, Laplace) to anonymize metrics and histograms for safe sharing.
  • core/privacy_geofence.py: Data residency policies with storage/access validation and cross-border transfer blocking.
  • docs/acquisition/FIXOPS_ACQUISITION_TARGETS.md and FIXOPS_AI_GOVERNANCE_PRIVACY.md: buyer targets, governance/privacy architecture, GRC mapping, and roadmap.

^{Written for commit 1cd987f. Summary will update on new commits.}

[cursor]

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.
_{Learn more about Cursor Agents}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1cd987fc34

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Classify non‑EU/APAC regions instead of defaulting to US

In PrivacyGeofence.validate_storage_location, the region detection only checks for EU/APAC substrings and otherwise leaves detected_region as US. That means a path in another region (e.g., a CN bucket name like ...cn...) will be treated as US and allowed whenever US is permitted, which defeats the residency policy for those regions. This is a data-sovereignty bypass that occurs whenever the storage path belongs to an unsupported region but lacks the EU/APAC markers.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Guard against epsilon=0 in Laplace noise

DifferentialPrivacyEngine.add_laplace_noise computes scale = sensitivity / self.config.epsilon without validating epsilon. If a caller sets epsilon=0 (a common way to request maximum privacy), this raises ZeroDivisionError and prevents any anonymization from running; negative epsilon also yields an invalid negative scale. A simple validation or minimum epsilon would avoid crashing on those inputs.

Useful? React with 👍 / 👎.

[cubic-dev-ai]

6 issues found across 6 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="core/ai_bom.py">

<violation number="1" location="core/ai_bom.py:180">
P2: Inconsistent use of `.get()` defaults will produce malformed purl when library dict is missing keys. Lines 176-177 use defaults (`"unknown"`), but the purl construction does not, resulting in `pkg:pypi/None@None` instead of `pkg:pypi/unknown@unknown`.</violation>
</file>

<file name="core/ai_governance.py">

<violation number="1" location="core/ai_governance.py:16">
P3: Unused import: `json` module is imported but never used in this file. Remove the unused import to keep the code clean.</violation>

<violation number="2" location="core/ai_governance.py:153">
P3: Unused attribute: `self.organization` is stored but never used in the class. Consider using it in the system card generation (e.g., in metadata or system_id), or remove if not needed.</violation>
</file>

<file name="core/differential_privacy.py">

<violation number="1" location="core/differential_privacy.py:67">
P1: Potential `ValueError: math domain error` when `random()` returns 0. When `u = -0.5`, the expression `1 - 2 * abs(u)` equals 0, and `math.log(0)` will crash. Add bounds checking to prevent the edge case.</violation>
</file>

<file name="core/privacy_geofence.py">

<violation number="1" location="core/privacy_geofence.py:48">
P2: The `storage_map` dictionary is defined but never used. The `validate_storage_location` method uses hardcoded string pattern matching instead of leveraging this map. Either use the storage_map for region detection or remove this dead code.</violation>

<violation number="2" location="core/privacy_geofence.py:87">
P2: Region detection is incomplete - missing CN (China) region detection. Paths with Chinese region identifiers will incorrectly default to US, which could cause data residency violations for Chinese data sovereignty requirements.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P1: Potential ValueError: math domain error when random() returns 0. When u = -0.5, the expression 1 - 2 * abs(u) equals 0, and math.log(0) will crash. Add bounds checking to prevent the edge case.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At core/differential_privacy.py, line 67:

<comment>Potential `ValueError: math domain error` when `random()` returns 0. When `u = -0.5`, the expression `1 - 2 * abs(u)` equals 0, and `math.log(0)` will crash. Add bounds checking to prevent the edge case.</comment>

<file context>
@@ -0,0 +1,105 @@
+        scale = sensitivity / self.config.epsilon
+        # Generate Laplace noise: L(0, scale)
+        # Using inverse transform sampling
+        u = secrets.SystemRandom().random() - 0.5
+        noise = -scale * math.copysign(1.0, u) * math.log(1 - 2 * abs(u))
+        
</file context>

Suggested change

	u = secrets.SystemRandom().random() - 0.5
	noise = -scale * math.copysign(1.0, u) * math.log(1 - 2 * abs(u))
	u = secrets.SystemRandom().random() - 0.5
	# Clamp to avoid log(0) when u is exactly -0.5 or 0.5
	abs_u = min(abs(u), 0.5 - 1e-10)
	noise = -scale * math.copysign(1.0, u) * math.log(1 - 2 * abs_u)

[cubic-dev-ai]

P2: Inconsistent use of .get() defaults will produce malformed purl when library dict is missing keys. Lines 176-177 use defaults ("unknown"), but the purl construction does not, resulting in pkg:pypi/None@None instead of pkg:pypi/unknown@unknown.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At core/ai_bom.py, line 180:

<comment>Inconsistent use of `.get()` defaults will produce malformed purl when library dict is missing keys. Lines 176-177 use defaults (`"unknown"`), but the purl construction does not, resulting in `pkg:pypi/None@None` instead of `pkg:pypi/unknown@unknown`.</comment>

<file context>
@@ -0,0 +1,190 @@
+                "type": "library",
+                "name": lib.get("name", "unknown"),
+                "version": lib.get("version", "unknown"),
+                "purl": f"pkg:pypi/{lib.get('name')}@{lib.get('version')}"
+            }
+            components.append(comp)
</file context>

Suggested change

	"purl": f"pkg:pypi/{lib.get('name')}@{lib.get('version')}"
	"purl": f"pkg:pypi/{lib.get('name', 'unknown')}@{lib.get('version', 'unknown')}"

[cubic-dev-ai]

P2: The storage_map dictionary is defined but never used. The validate_storage_location method uses hardcoded string pattern matching instead of leveraging this map. Either use the storage_map for region detection or remove this dead code.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At core/privacy_geofence.py, line 48:

<comment>The `storage_map` dictionary is defined but never used. The `validate_storage_location` method uses hardcoded string pattern matching instead of leveraging this map. Either use the storage_map for region detection or remove this dead code.</comment>

<file context>
@@ -0,0 +1,134 @@
+        self.config = config
+        self.policy = self._load_policy()
+        # Mock mapping of storage paths to regions for demonstration
+        self.storage_map: Dict[str, GeoRegion] = {
+            "s3://fixops-eu-central": GeoRegion.EU,
+            "s3://fixops-us-east": GeoRegion.US,
</file context>

[cubic-dev-ai]

P2: Region detection is incomplete - missing CN (China) region detection. Paths with Chinese region identifiers will incorrectly default to US, which could cause data residency violations for Chinese data sovereignty requirements.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At core/privacy_geofence.py, line 87:

<comment>Region detection is incomplete - missing CN (China) region detection. Paths with Chinese region identifiers will incorrectly default to US, which could cause data residency violations for Chinese data sovereignty requirements.</comment>

<file context>
@@ -0,0 +1,134 @@
+        
+        if "eu-central" in str_path or "/eu/" in str_path:
+            detected_region = GeoRegion.EU
+        elif "apac" in str_path or "/apac/" in str_path:
+            detected_region = GeoRegion.APAC
+            
</file context>

[cubic-dev-ai]

P3: Unused import: json module is imported but never used in this file. Remove the unused import to keep the code clean.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At core/ai_governance.py, line 16:

<comment>Unused import: `json` module is imported but never used in this file. Remove the unused import to keep the code clean.</comment>

<file context>
@@ -0,0 +1,171 @@
+from __future__ import annotations
+
+import datetime
+import json
+import logging
+from dataclasses import dataclass, field
</file context>

[cubic-dev-ai]

P3: Unused attribute: self.organization is stored but never used in the class. Consider using it in the system card generation (e.g., in metadata or system_id), or remove if not needed.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At core/ai_governance.py, line 153:

<comment>Unused attribute: `self.organization` is stored but never used in the class. Consider using it in the system card generation (e.g., in metadata or system_id), or remove if not needed.</comment>

<file context>
@@ -0,0 +1,171 @@
+    """Orchestrates the creation and validation of System Cards."""
+
+    def __init__(self, organization: str = "FixOps"):
+        self.organization = organization
+
+    def create_system_card(
</file context>