feat(bridge): remote-access obligation cut (CRA Annex I) — 18 obligations

- obligations/cra_remote_access.json: 18 (5 LEGAL_MINIMUM outcomes + 13 BEST_PRACTICE),
  15 Beziehungen. Two-stage clustering 445->209 micro->27 review-units -> Opus-Synthese.
  Synthese vergab 14 LM -> key-free re-tier nach Auth-Regel (Mechanismen MFA/Session/VPN/
  insecure-protocol/OT/Wartungs-Governance/temp/data-export/component -> BEST_PRACTICE +
  supports-Kante zur Eltern-LM). out_of_scope M5/M11 = physische Maschinen-Fernsteuerung
  (MaschinenVO 2023/1230). Anker approximativ (siehe curation.anchor_quality).
- obligation_join_keys.json: 66 -> 84 (remote_access 18).
- precluster.py: remote_access-Scope.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

obligations/obligation_join_keys.json

@@ -1,7 +1,7 @@
 {
  "schema_version": "obligation_join_keys_v1",
  "contract": "obligation_id ist der stabile Join-Key. Legal Knowledge Graph haengt citation_spans an obligation_id; Compliance Execution Graph mappt control_mapping.source_norm -> obligation_id. Interim-Bruecke = citation_units. obligation_id NIE neu vergeben (re-link).",
- "count": 66,
+ "count": 84,
  "obligation_ids": [
   {
    "obligation_id": "sbom_creation",
@@ -582,6 +582,160 @@
    "tier": "BEST_PRACTICE",
    "citation_units": [],
    "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "remote_access_control_least_privilege",
+   "regulation": "CRA",
+   "family": "remote_access",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I (1)(2)(d)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "remote_access_confidentiality_integrity",
+   "regulation": "CRA",
+   "family": "remote_access",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I (1)(2)(b)(c)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "remote_session_management",
+   "regulation": "CRA",
+   "family": "remote_access",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "remote_access_mfa",
+   "regulation": "CRA",
+   "family": "remote_access",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "remote_access_encryption",
+   "regulation": "CRA",
+   "family": "remote_access",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "reject_insecure_remote_protocols",
+   "regulation": "CRA",
+   "family": "remote_access",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "remote_access_logging_audit",
+   "regulation": "CRA",
+   "family": "remote_access",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I (1)(2)(g)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "remote_access_user_validation_ot",
+   "regulation": "CRA",
+   "family": "remote_access",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "remote_access_training",
+   "regulation": "CRA",
+   "family": "remote_access",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "remote_access_architecture_design",
+   "regulation": "CRA",
+   "family": "remote_access",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "remote_access_attack_surface_min",
+   "regulation": "CRA",
+   "family": "remote_access",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I (1)(2)(a)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "remote_access_vuln_patch_mgmt",
+   "regulation": "CRA",
+   "family": "remote_access",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I (2)(1)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "remote_access_threat_detection",
+   "regulation": "CRA",
+   "family": "remote_access",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "remote_maintenance_governance",
+   "regulation": "CRA",
+   "family": "remote_access",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "temporary_remote_access_mgmt",
+   "regulation": "CRA",
+   "family": "remote_access",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "remote_access_data_export_protection",
+   "regulation": "CRA",
+   "family": "remote_access",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "component_remote_interface_security",
+   "regulation": "CRA",
+   "family": "remote_access",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "remote_access_fallback_concept",
+   "regulation": "CRA",
+   "family": "remote_access",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
   }
  ]
 }

scripts/obligation_discovery/precluster.py

@@ -22,6 +22,10 @@ SCOPES = {
     "logging": ["%logging%", "%protokollierung%", "%audit-log%", "%audit-trail%",
                 "%ereignisprotokoll%", "%sicherheitsprotokoll%", "%audit-protokoll%",
                 "%log-management%", "%sicherheitsereignis%protokoll%", "%audit-trail%"],
+    "remote_access": ["%fernwartung%", "%fernzugriff%", "%fernzugang%", "%fernwartungs%",
+                      "%remote access%", "%remote maintenance%", "%remote management%",
+                      "%remote-wartung%", "%remote-zugriff%", "%remote-zugang%",
+                      "%sichere fernwartung%", "%fernsteuerung%"],
 }