feat(cra): two-lane breadth — CRA-specific corpus + technical depth

All 6 security use_cases are atom-grain now. Per finding we draw two lanes: the
CRA corpus (use_case=cra, the most on-point CRA obligations) + the technical
depth (code_security for secure-dev, else network_security). Controls merged,
deduped, each tagged with its use_case (shown in the best-practice depth).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

admin-compliance/app/sdk/iace/[projectId]/cra/_hooks/useCRA.ts

@@ -58,7 +58,6 @@ function merge(live: any): CRADemo {
       measures: m.measures || [],
       evidence_type: m.evidence_type,
       sub_topic: m.sub_topic,
-      breadth_use_case: m.breadth_use_case,
       regulatory_breadth: m.regulatory_breadth || [],
       priority_tier: m.priority_tier,
       priority_score: m.priority_score,

admin-compliance/app/sdk/iace/[projectId]/cra/_hooks/useCRADemo.ts

@@ -28,10 +28,9 @@ export interface CRAFinding {
   risk_level: string
   measures: string[]
   evidence_type?: string  // code | process | hybrid | document — drives the remediation-class badge
-  // regulatory breadth (atom-grain shared Controls-API: network_security / code_security), live only
+  // regulatory breadth (atom-grain shared Controls-API: cra + code/network_security), live only
   sub_topic?: string
-  breadth_use_case?: string
-  regulatory_breadth?: { control_id: string; title: string; source_regulation: string; severity?: string }[]
+  regulatory_breadth?: { control_id: string; title: string; source_regulation: string; severity?: string; use_case?: string }[]
   // priority layer (set live by the backend prioritizer; optional in the static fallback)
   priority_tier?: string
   priority_score?: number