feat: Capability Registry v1 API-Vertrag (#59) + Ownership-Modell finalisiert

#59 (geschaerft, User): capabilities.json -> capability_registry_v1 (contract_version 1.0):
stabile `cap.*`-IDs (NIE umbenennen) + 5 Vertragsfelder (description/guidance_basis/
realizes_obligations/required_procedures/evidence_patterns), PRODUKTNEUTRAL (keine Features).
= stabiler API-Vertrag fuer die Product->Compliance-Schnittstelle (Feature->Capability,
Session 3 mappt read-only dagegen).
session_ownership_model_v1.md RESOLVED: Legal-Owner = Re-Ingest-Session (vergibt KEINE
obligation_id, nur citation_span->legal_basis) · 4. Session -> Quality & Validation (nur
Tests, KEINE Daten) · Compliance 2 Branches DAUERHAFT (A=Build, B=Runtime). 4-Bibliotheken-
Zielbild (Legal/Product/Capability/Evidence).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

obligations/capabilities.json

@@ -1,7 +1,19 @@
 {
- "schema_version": "capability_layer_v1",
- "model": "Modell C (docs-src/development/capability_model_v1.md)",
- "note": "Capability = technische Faehigkeit (regulierungs-agnostisch). realized_by = Obligations, die sie erfuellt (n:m). guidance_basis hier KANONISCH hochgezogen aus den realisierten Obligations (die Obligation-Kopien bleiben vorerst als Legacy; Strip = Folge-Cleanup). Sicherheitsziele sind KEINE Capabilities -> cra_core.json.",
+ "schema_version": "capability_registry_v1",
+ "contract_version": "1.0",
+ "status": "stable_api_contract",
+ "note": "PRODUKTNEUTRALER Vertrag zwischen Product Knowledge Graph (Domaene 3, Feature->Capability) und Compliance Execution Graph (Domaene 2). Stabile cap.*-IDs NIE umbenennen. KEINE Business-Features hier (die besitzt die Product-Session). Siehe docs-src/development/session_ownership_model_v1.md + compliance_meta_model_v1.md (Freeze v1.0).",
+ "id_namespace": "cap.",
+ "contract_fields": [
+  "id",
+  "name",
+  "description",
+  "guidance_basis",
+  "realizes_obligations",
+  "required_procedures",
+  "evidence_patterns",
+  "domains"
+ ],
  "dropped": {
   "access_control": "OVERLAP (credential_confidentiality <-> sbom_confidentiality), nicht materialisiert"
  },
@@ -16,19 +28,10 @@
  ],
  "capabilities": [
   {
-   "capability_id": "multi_factor_authentication",
+   "id": "cap.multi_factor_authentication",
+   "slug": "multi_factor_authentication",
    "name": "Multi-Factor Authentication",
    "description": "Mehrfaktor-Authentisierung als technische Faehigkeit (Besitz/Wissen/Inhaerenz).",
-   "type": "technical_capability",
-   "realized_by": [
-    "mfa_required",
-    "privileged_op_reauth",
-    "remote_access_authentication",
-    "remote_access_mfa",
-    "remote_access_user_validation_ot",
-    "supplier_access_auth"
-   ],
-   "realizes_count": 6,
    "guidance_basis": [
     {
      "source": "NIST",
@@ -84,6 +87,20 @@
      "role": "best_practice"
     }
    ],
+   "realizes_obligations": [
+    "mfa_required",
+    "privileged_op_reauth",
+    "remote_access_authentication",
+    "remote_access_mfa",
+    "remote_access_user_validation_ot",
+    "supplier_access_auth"
+   ],
+   "required_procedures": [],
+   "evidence_patterns": [
+    "iam_config_export",
+    "mfa_policy_export",
+    "auth_audit_log"
+   ],
    "domains": [
     "authentication",
     "remote_access"
@@ -93,17 +110,10 @@
    }
   },
   {
-   "capability_id": "session_management",
+   "id": "cap.session_management",
+   "slug": "session_management",
    "name": "Session Management",
    "description": "Sichere Sitzungsverwaltung: Timeouts, Bindung, Re-Auth, Beendigung.",
-   "type": "technical_capability",
-   "realized_by": [
-    "reauth_after_inactivity",
-    "remote_session_management",
-    "session_binding_management",
-    "temporary_remote_access_mgmt"
-   ],
-   "realizes_count": 4,
    "guidance_basis": [
     {
      "source": "NIST",
@@ -126,6 +136,17 @@
      "role": "best_practice"
     }
    ],
+   "realizes_obligations": [
+    "reauth_after_inactivity",
+    "remote_session_management",
+    "session_binding_management",
+    "temporary_remote_access_mgmt"
+   ],
+   "required_procedures": [],
+   "evidence_patterns": [
+    "session_config_export",
+    "timeout_policy_export"
+   ],
    "domains": [
     "authentication",
     "remote_access"
@@ -135,20 +156,10 @@
    }
   },
   {
-   "capability_id": "transport_encryption",
+   "id": "cap.transport_encryption",
+   "slug": "transport_encryption",
    "name": "Transport Encryption",
    "description": "Verschluesselter Transport (TLS, mutual-TLS, Zertifikats-Auth, VPN/Tunnel).",
-   "type": "technical_capability",
-   "realized_by": [
-    "encrypted_auth_channel",
-    "mutual_authentication",
-    "reject_insecure_remote_protocols",
-    "remote_access_confidentiality_integrity",
-    "remote_access_encryption",
-    "service_to_service_auth",
-    "tls_certificate_auth"
-   ],
-   "realizes_count": 7,
    "guidance_basis": [
     {
      "source": "BSI",
@@ -181,6 +192,21 @@
      "role": "best_practice"
     }
    ],
+   "realizes_obligations": [
+    "encrypted_auth_channel",
+    "mutual_authentication",
+    "reject_insecure_remote_protocols",
+    "remote_access_confidentiality_integrity",
+    "remote_access_encryption",
+    "service_to_service_auth",
+    "tls_certificate_auth"
+   ],
+   "required_procedures": [],
+   "evidence_patterns": [
+    "tls_config_export",
+    "cipher_scan",
+    "cert_inventory"
+   ],
    "domains": [
     "authentication",
     "remote_access"
@@ -190,15 +216,10 @@
    }
   },
   {
-   "capability_id": "code_signing",
+   "id": "cap.code_signing",
+   "slug": "code_signing",
    "name": "Code & Update Signing",
    "description": "Digitale Signatur + Integritaets-/Authentizitaetspruefung von Firmware/Software/Updates.",
-   "type": "technical_capability",
-   "realized_by": [
-    "firmware_software_authentication",
-    "signed_update_integrity"
-   ],
-   "realizes_count": 2,
    "guidance_basis": [
     {
      "source": "NIST",
@@ -211,6 +232,16 @@
      "role": "best_practice"
     }
    ],
+   "realizes_obligations": [
+    "firmware_software_authentication",
+    "signed_update_integrity"
+   ],
+   "required_procedures": [],
+   "evidence_patterns": [
+    "signature_verification_log",
+    "sbom",
+    "signing_key_policy"
+   ],
    "domains": [
     "authentication",
     "updates"
@@ -220,15 +251,10 @@
    }
   },
   {
-   "capability_id": "security_monitoring_alerting",
+   "id": "cap.security_monitoring_alerting",
+   "slug": "security_monitoring_alerting",
    "name": "Security Monitoring & Alerting",
    "description": "Anomalie-/Bedrohungserkennung und Alarmierung aus Logs/Telemetrie.",
-   "type": "technical_capability",
-   "realized_by": [
-    "log_monitoring_alerting",
-    "remote_access_threat_detection"
-   ],
-   "realizes_count": 2,
    "guidance_basis": [
     {
      "source": "NIST",
@@ -241,6 +267,16 @@
      "role": "best_practice"
     }
    ],
+   "realizes_obligations": [
+    "log_monitoring_alerting",
+    "remote_access_threat_detection"
+   ],
+   "required_procedures": [],
+   "evidence_patterns": [
+    "siem_config_export",
+    "alert_rule_export",
+    "monitoring_audit_log"
+   ],
    "domains": [
     "logging",
     "remote_access"