feat(cra): neutrale Eingangstür-Verdict-Engine (zwingend/ratsam/nicht betroffen)

Reine, deterministische Verdict-Schicht ueber der bestehenden Annex-III/IV- Klassifikation (kein vierter Klassifizierer): trennt Rechtspflicht von Markt- Druck. Kern: das Inverkehrbringen (ab 11.12.2027), nicht der Entwicklungs- zeitpunkt, entscheidet — Bestandsprodukte, die nach der Frist weiter verkauft werden, fallen unter CRA. Producer-Typen (component/end_device/machine_ integrator/software_app) steuern Default-Annahmen (Anlagenbauer: Vernetzung/OTA vorausgesetzt) + Verdict-Betonung (Komponente => Markt-Druck). Plus Evidence- Checkliste (SBOM/VDP/Patch/Lifecycle/Threat-Model/Logging/Auth/Incident) + Reifegrad. /readiness additiv erweitert (verdict/maturity/digital_elements/ producer_type). 15 Tests gruen. Beispiele: OWIS PS90+, ZwickRoell roboTest. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-16 17:17:55 +02:00
parent 8086b8be03
commit 3afb0e7f4d
3 changed files with 212 additions and 3 deletions
@@ -15,6 +15,7 @@ from fastapi import APIRouter, Depends, HTTPException
 from pydantic import BaseModel

 from compliance.services.cra_finding_mapper import assess_findings_payload
+from compliance.services.cra_applicability import compute_verdict, maturity as evidence_maturity, MACHINE_INTEGRATOR
 from compliance.services.scanner_mcp_client import fetch_findings
 from compliance.services.cra_snapshot_store import save_snapshot, list_snapshots, get_snapshot
 from compliance.services.cra_use_case_controls import enrich_findings_with_breadth
@@ -184,6 +185,12 @@ class ReadinessRequest(BaseModel):
    remote_maintenance: Optional[bool] = False        # implies connectivity + updates
    user_parameter_app: Optional[bool] = False        # implies connectivity + updates
    is_machinery: Optional[bool] = False              # CE machinery -> also Machinery Reg 2023/1230
+    # Eingangstür / verdict layer (all optional, additive)
+    producer_type: Optional[str] = ""                 # component|end_device|machine_integrator|software_app
+    placed_on_market_after_2027: Optional[bool] = None  # None = unknown -> assumed yes (conservative)
+    customers_request_cra_evidence: Optional[bool] = False
+    provided_evidence: Optional[List[str]] = None     # evidence keys already in place (sbom, vdp, …)
+    digital_elements: Optional[List[str]] = None      # detected/declared digital elements


 # CRA Annex I evidence_type -> guideline bucket (Code / Prozess / Dokumentation).
@@ -234,10 +241,14 @@ async def readiness(body: ReadinessRequest):
    """Low-friction CRA readiness check: business-scope answers -> Annex III/IV
    classification + a high-level guideline grouped Code / Prozess / Dokumentation.
    Reuses the deterministic classifier + Annex I spine. No project, no DB."""
+    machine_integrator = body.producer_type == MACHINE_INTEGRATOR
+    has_digital = bool(body.digital_elements)
+    # Machine/plant builders: connectivity, remote maintenance and OTA are the norm.
+    # Declared digital elements (e.g. from a datasheet upload) imply digital elements too.
    intake = {
        "intended_use": body.intended_use,
-        "connected_to_internet": bool(body.connected_to_internet or body.remote_maintenance or body.user_parameter_app),
-        "has_software_updates": bool(body.has_software_updates or body.remote_maintenance or body.user_parameter_app),
+        "connected_to_internet": bool(body.connected_to_internet or body.remote_maintenance or body.user_parameter_app or machine_integrator or has_digital),
+        "has_software_updates": bool(body.has_software_updates or body.remote_maintenance or body.user_parameter_app or machine_integrator or has_digital),
        "processes_personal_data": bool(body.processes_personal_data),
        "is_critical_infra_supplier": bool(body.is_critical_infra_supplier),
    }
@@ -258,13 +269,17 @@ async def readiness(body: ReadinessRequest):
            })
        # Machine/plant builders are ALSO hit by the new Machinery Regulation's
        # cyber-with-safety essential requirements (Annex III) — show the combination.
-        if body.is_machinery:
+        if body.is_machinery or machine_integrator:
            machinery = _machinery_obligations()
            if machinery:
                regulations.append("Maschinen-VO 2023/1230")
                for bucket, item in machinery:
                    groups[bucket].append(item)
    total_effort = sum(r["effort_days"] for g in groups.values() for r in g if r.get("effort_days"))
+    verdict = compute_verdict(
+        classification, body.placed_on_market_after_2027,
+        body.producer_type or "", bool(body.customers_request_cra_evidence),
+    )
    return {
        "in_scope": in_scope,
        "classification": classification,
@@ -275,4 +290,9 @@ async def readiness(body: ReadinessRequest):
        "counts": {k: len(v) for k, v in groups.items()},
        "total_effort_days": total_effort,
        "deadlines": list(DEADLINES),
+        # Eingangstür verdict layer
+        "verdict": verdict,
+        "maturity": evidence_maturity(body.provided_evidence),
+        "digital_elements": body.digital_elements or [],
+        "producer_type": body.producer_type or "",
    }