feat(cra): CRA Compliance module Phase 1+2+3 (intake, scope, path, requirements, backlog, sbom, checks)

Phase 1 — Intake + Scope + Path: - Migration 119: compliance_cra_projects table (intake + classification + path + status state machine) - Backend service cra_routes.py: CRUD + scope-check + path-select - Deterministic Annex III/IV classifier (verbatim mapping from migration 059 wiki) - Path validation per classification (CRITICAL → notified_body mandatory) - Frontend: project list, dashboard, 3-step wizard (intake/scope/path) - Sidebar entry under "CRA Compliance" (red) Phase 2 — Annex I Requirements + Priorisierungs-Backlog: - cra_annex_i_data.py: 40 Annex-I requirements (8 categories), 9 measures (M540-M548), 3 CRA deadlines - Endpoints: /requirements (40 items), /backlog (priority-sorted with deadline pressure) - Frontend: requirements table with filters + expandable details, backlog with deadline banner + score-ranked table - Dashboard KPI cards (Critical count, days to CE deadline, etc.) + top-10 backlog snippet Phase 3 — SBOM Upload + Automated Checks: - Migration 120: compliance_cra_sboms (versioned uploads, CycloneDX + SPDX) - SBOM endpoints: POST /sbom/upload (format detection, summary extraction), GET /sboms - Checks reuse compliance_evidence_checks: init creates 6 default CRA checks, run executes - Real implementations: cra_security_txt (HTTP + Contact: line) and cra_tls_cert_check (TLS handshake) - Frontend: SBOM file upload + version list, Checks page with per-check URL input + Run button Backend-Reuse: gap_projects (intake pre-population), compliance_evidence_checks/_check_results. Tenant scoping via existing X-Tenant-ID header pattern. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 17:56:52 +02:00
parent 3faa312b31
commit 1cf5de1d45
27 changed files with 3714 additions and 0 deletions
@@ -0,0 +1,44 @@
+-- Migration 119: CRA Compliance Projects
+-- Tracks per-product CRA conformity assessment lifecycle.
+-- Status state machine (validated as whitelist, no transition enforcement):
+--   draft -> scoped -> classified -> path_selected -> requirements_mapped ->
+--   evidence_pending -> gaps_open -> remediation -> ready_for_review ->
+--   declaration_ready -> post_market
+-- Tenant scoping via X-Tenant-ID header (validated UUID).
+
+CREATE TABLE IF NOT EXISTS compliance_cra_projects (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id VARCHAR(255) NOT NULL,
+    name VARCHAR(500) NOT NULL,
+    description TEXT DEFAULT '',
+    gap_project_id UUID,
+
+    -- Intake (Software-fokussiert, NICHT Hardware)
+    repo_url VARCHAR(1000),
+    primary_language VARCHAR(50),
+    has_firmware BOOLEAN DEFAULT false,
+    connected_to_internet BOOLEAN DEFAULT false,
+    has_software_updates BOOLEAN DEFAULT false,
+    processes_personal_data BOOLEAN DEFAULT false,
+    is_critical_infra_supplier BOOLEAN DEFAULT false,
+    intended_use TEXT DEFAULT '',
+
+    -- Scope
+    cra_classification VARCHAR(20),
+    classification_rationale JSONB DEFAULT '[]'::jsonb,
+
+    -- Path
+    conformity_path VARCHAR(30),
+
+    -- Status (whitelist)
+    status VARCHAR(40) NOT NULL DEFAULT 'draft',
+
+    -- Audit
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_cra_projects_tenant ON compliance_cra_projects(tenant_id);
+CREATE INDEX IF NOT EXISTS idx_cra_projects_status ON compliance_cra_projects(tenant_id, status);
+CREATE INDEX IF NOT EXISTS idx_cra_projects_class ON compliance_cra_projects(cra_classification);
+CREATE INDEX IF NOT EXISTS idx_cra_projects_gap_link ON compliance_cra_projects(gap_project_id) WHERE gap_project_id IS NOT NULL;