feat(cra): cyber-meets-safety bridge as real logic (step 2)

Deterministic bridge (cra_safety_bridge.py): a cyber finding's attack capability
(remote_actuation / code_tampering / integrity_loss / auth_bypass, derived from
its CRA category) is matched against what each CE safety function is vulnerable
to. A match re-opens the mitigated hazard, flags the finding safety_impact (which
floors it to P0), and produces the cross-link. Endpoint accepts safety_functions;
frontend passes the project's safety functions and renders the LIVE cross-links
(no more hardcode). Safety functions are demo input now; come from the CE risk
assessment in production.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend-compliance/compliance/api/cra_assess_routes.py

@@ -32,14 +32,28 @@ class FindingIn(BaseModel):
     exploited: Optional[bool] = False
 
 
+class SafetyFunctionIn(BaseModel):
+    name: str
+    hazard: Optional[str] = ""
+    original_measure: Optional[str] = ""
+    kind: Optional[str] = ""               # prevent_unexpected_actuation | signal_integrity
+    vulnerable_to: Optional[List[str]] = None
+
+
 class AssessRequest(BaseModel):
     findings: List[FindingIn]
     # customer priorities for the discretionary tier: {objective: high|medium|low}.
     # objectives: access | data | network_api | supply_updates | monitoring.
     weights: Optional[Dict[str, str]] = None
+    # CE-risk-assessment safety functions for the cyber-meets-safety bridge.
+    safety_functions: Optional[List[SafetyFunctionIn]] = None
 
 
 @router.post("/assess")
 async def assess(body: AssessRequest):
-    payload = {"findings": [f.model_dump() for f in body.findings], "weights": body.weights}
+    payload = {
+        "findings": [f.model_dump() for f in body.findings],
+        "weights": body.weights,
+        "safety_functions": [s.model_dump() for s in body.safety_functions] if body.safety_functions else None,
+    }
     return assess_findings_payload(payload)