feat(cra): CRA Compliance module Phase 1+2+3 (intake, scope, path, requirements, backlog, sbom, checks)

Phase 1 — Intake + Scope + Path:
- Migration 119: compliance_cra_projects table (intake + classification + path + status state machine)
- Backend service cra_routes.py: CRUD + scope-check + path-select
- Deterministic Annex III/IV classifier (verbatim mapping from migration 059 wiki)
- Path validation per classification (CRITICAL → notified_body mandatory)
- Frontend: project list, dashboard, 3-step wizard (intake/scope/path)
- Sidebar entry under "CRA Compliance" (red)

Phase 2 — Annex I Requirements + Priorisierungs-Backlog:
- cra_annex_i_data.py: 40 Annex-I requirements (8 categories), 9 measures (M540-M548), 3 CRA deadlines
- Endpoints: /requirements (40 items), /backlog (priority-sorted with deadline pressure)
- Frontend: requirements table with filters + expandable details, backlog with deadline banner + score-ranked table
- Dashboard KPI cards (Critical count, days to CE deadline, etc.) + top-10 backlog snippet

Phase 3 — SBOM Upload + Automated Checks:
- Migration 120: compliance_cra_sboms (versioned uploads, CycloneDX + SPDX)
- SBOM endpoints: POST /sbom/upload (format detection, summary extraction), GET /sboms
- Checks reuse compliance_evidence_checks: init creates 6 default CRA checks, run executes
- Real implementations: cra_security_txt (HTTP + Contact: line) and cra_tls_cert_check (TLS handshake)
- Frontend: SBOM file upload + version list, Checks page with per-check URL input + Run button

Backend-Reuse: gap_projects (intake pre-population), compliance_evidence_checks/_check_results.
Tenant scoping via existing X-Tenant-ID header pattern.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

admin-compliance/app/api/sdk/v1/cra/checks/[checkId]/run/route.ts

@@ -0,0 +1,23 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest, ctx: { params: Promise<{ checkId: string }> }) {
+  const { checkId } = await ctx.params
+  const tenantId = request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+  const body = await request.text()
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/checks/${checkId}/run`, {
+      method: 'POST',
+      headers: { 'X-Tenant-ID': tenantId, 'Content-Type': 'application/json' },
+      body: body || '{}',
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}

admin-compliance/app/api/sdk/v1/cra/projects/[id]/backlog/route.ts

@@ -0,0 +1,20 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+export async function GET(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  const tenantId = request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/backlog`, {
+      headers: { 'X-Tenant-ID': tenantId },
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}

admin-compliance/app/api/sdk/v1/cra/projects/[id]/checks/route.ts

@@ -0,0 +1,41 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function tenant(req: NextRequest) {
+  return req.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+}
+
+export async function GET(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/checks`, {
+      headers: { 'X-Tenant-ID': tenant(request) },
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
+
+/** POST /checks (no body) -> backend /checks/init creates default checks */
+export async function POST(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/checks/init`, {
+      method: 'POST',
+      headers: { 'X-Tenant-ID': tenant(request) },
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}

admin-compliance/app/api/sdk/v1/cra/projects/[id]/path-select/route.ts

@@ -0,0 +1,29 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  const tenantId = request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+  const body = await request.text()
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/path-select`, {
+      method: 'POST',
+      headers: {
+        'X-Tenant-ID': tenantId,
+        'Content-Type': 'application/json',
+      },
+      body,
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json(
+      { error: 'Backend unreachable', details: String(err) },
+      { status: 502 }
+    )
+  }
+}

admin-compliance/app/api/sdk/v1/cra/projects/[id]/requirements/route.ts

@@ -0,0 +1,20 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+export async function GET(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  const tenantId = request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/requirements`, {
+      headers: { 'X-Tenant-ID': tenantId },
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}

admin-compliance/app/api/sdk/v1/cra/projects/[id]/route.ts

@@ -0,0 +1,45 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function tenantHeader(request: NextRequest): string {
+  return request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+}
+
+async function proxy(request: NextRequest, method: string, id: string, body?: string) {
+  const tenantId = tenantHeader(request)
+  const init: RequestInit = {
+    method,
+    headers: { 'X-Tenant-ID': tenantId, 'Content-Type': 'application/json' },
+  }
+  if (body !== undefined) init.body = body
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}`, init)
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json(
+      { error: 'Backend unreachable', details: String(err) },
+      { status: 502 }
+    )
+  }
+}
+
+export async function GET(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  return proxy(request, 'GET', id)
+}
+
+export async function PATCH(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  const body = await request.text()
+  return proxy(request, 'PATCH', id, body)
+}
+
+export async function DELETE(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  return proxy(request, 'DELETE', id)
+}

admin-compliance/app/api/sdk/v1/cra/projects/[id]/sbom/route.ts

@@ -0,0 +1,48 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function tenant(req: NextRequest) {
+  return req.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+}
+
+/** GET /sbom -> List uploads. We map this to the backend /sboms endpoint. */
+export async function GET(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/sboms`, {
+      headers: { 'X-Tenant-ID': tenant(request) },
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}
+
+/** POST /sbom -> multipart upload to backend /sbom/upload */
+export async function POST(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  try {
+    const formData = await request.formData()
+    const upstreamForm = new FormData()
+    for (const [key, value] of formData.entries()) {
+      upstreamForm.append(key, value)
+    }
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/sbom/upload`, {
+      method: 'POST',
+      headers: { 'X-Tenant-ID': tenant(request) },
+      body: upstreamForm as unknown as BodyInit,
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json({ error: 'Backend unreachable', details: String(err) }, { status: 502 })
+  }
+}

admin-compliance/app/api/sdk/v1/cra/projects/[id]/scope-check/route.ts

@@ -0,0 +1,24 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+export async function POST(request: NextRequest, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params
+  const tenantId = request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects/${id}/scope-check`, {
+      method: 'POST',
+      headers: { 'X-Tenant-ID': tenantId },
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json(
+      { error: 'Backend unreachable', details: String(err) },
+      { status: 502 }
+    )
+  }
+}

admin-compliance/app/api/sdk/v1/cra/projects/route.ts

@@ -0,0 +1,56 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+function tenantHeader(request: NextRequest): string {
+  return request.headers.get('x-tenant-id') || '00000000-0000-0000-0000-000000000001'
+}
+
+/** GET /api/sdk/v1/cra/projects -> Backend list */
+export async function GET(request: NextRequest) {
+  const tenantId = tenantHeader(request)
+  const { searchParams } = new URL(request.url)
+  const qs = searchParams.toString()
+  try {
+    const resp = await fetch(
+      `${BACKEND_URL}/api/v1/cra/projects${qs ? `?${qs}` : ''}`,
+      { headers: { 'X-Tenant-ID': tenantId } }
+    )
+    const body = await resp.text()
+    return new NextResponse(body, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json(
+      { error: 'Backend unreachable', details: String(err) },
+      { status: 502 }
+    )
+  }
+}
+
+/** POST /api/sdk/v1/cra/projects -> Backend create */
+export async function POST(request: NextRequest) {
+  const tenantId = tenantHeader(request)
+  const body = await request.text()
+  try {
+    const resp = await fetch(`${BACKEND_URL}/api/v1/cra/projects`, {
+      method: 'POST',
+      headers: {
+        'X-Tenant-ID': tenantId,
+        'Content-Type': 'application/json',
+      },
+      body,
+    })
+    const text = await resp.text()
+    return new NextResponse(text, {
+      status: resp.status,
+      headers: { 'Content-Type': resp.headers.get('Content-Type') || 'application/json' },
+    })
+  } catch (err) {
+    return NextResponse.json(
+      { error: 'Backend unreachable', details: String(err) },
+      { status: 502 }
+    )
+  }
+}