Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: #5b materialize capability layer (Modell C) — capabilities.json + cra_core.json

Browse Source 
User-Entscheidung Modell C + objective_tags-Safeguard (Tags, keine Klasse). Deterministisch
via materialize_capabilities.py:
- obligations/capabilities.json: 5 Capabilities (multi_factor_authentication/session_management/
  transport_encryption/code_signing/security_monitoring_alerting), realized_by (n:m) +
  guidance_basis KANONISCH hochgezogen. access_control gedroppt (OVERLAP).
- obligations/cra_core.json: 2 CORE-Sicherheitsziele (attack_surface_minimization (2)(j)/CM-7 +
  software_integrity_protection (2)(f)/SI-7) -> fuellt den #4-NIST-Gap.
- DOMAIN specializes->CORE (remote_access_attack_surface_min, component_remote_interface_security,
  signed_update_integrity, firmware_software_authentication) + objective_tags.
- Merge: vuln_remediation_patching -> deprecated_alias von provide_security_updates.
- remote_access_data_export_protection bleibt BEST_PRACTICE (pending Data-Act-Scope).
- join_keys 93->95 (core 2). Bidirektional validiert.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
2026-06-26 00:54:23 +02:00
parent c72fd3eb5a
commit 4e761c1363
8 changed files with 552 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
obligations/capabilities.json
+253
View File
@@ -0,0 +1,253 @@
{
"schema_version": "capability_layer_v1",
"model": "Modell C (docs-src/development/capability_model_v1.md)",
"note": "Capability = technische Faehigkeit (regulierungs-agnostisch). realized_by = Obligations, die sie erfuellt (n:m). guidance_basis hier KANONISCH hochgezogen aus den realisierten Obligations (die Obligation-Kopien bleiben vorerst als Legacy; Strip = Folge-Cleanup). Sicherheitsziele sind KEINE Capabilities -> cra_core.json.",
"dropped": {
"access_control": "OVERLAP (credential_confidentiality <-> sbom_confidentiality), nicht materialisiert"
},
"candidate_capabilities_followup": [
"automatic_update_delivery",
"update_rollback",
"trusted_update_source",
"hash_verification",
"secure_boot",
"least_functionality",
"credential_storage"
],
"capabilities": [
{
"capability_id": "multi_factor_authentication",
"name": "Multi-Factor Authentication",
"description": "Mehrfaktor-Authentisierung als technische Faehigkeit (Besitz/Wissen/Inhaerenz).",
"type": "technical_capability",
"realized_by": [
"mfa_required",
"privileged_op_reauth",
"remote_access_authentication",
"remote_access_mfa",
"remote_access_user_validation_ot",
"supplier_access_auth"
],
"realizes_count": 6,
"guidance_basis": [
{
"source": "NIST",
"anchor": "SP 800-63B",
"role": "best_practice"
},
{
"source": "Out-of-Band-Authentifizierung",
"anchor": "",
"role": "implementation_guidance",
"merged_from": "out_of_band_authentication"
},
{
"source": "Hardware-basierte Authentifizierung (AAL3)",
"anchor": "",
"role": "implementation_guidance",
"merged_from": "hardware_authenticators"
},
{
"source": "E-Mail-Authentifizierungsmechanismen (SPF/DKIM/DMARC)",
"anchor": "",
"role": "implementation_guidance",
"merged_from": "email_authentication"
},
{
"source": "NIST",
"anchor": "IA-02",
"role": "best_practice"
},
{
"source": "NIST",
"anchor": "IA-02(1)",
"role": "best_practice"
},
{
"source": "NIST",
"anchor": "AC-17",
"role": "best_practice"
},
{
"source": "NIST",
"anchor": "SP 800-53 IA-2",
"role": "best_practice"
},
{
"source": "BSI",
"anchor": "ICS Security Kompendium",
"role": "best_practice"
},
{
"source": "ISO",
"anchor": "ISO 27001 A.5.19",
"role": "best_practice"
}
],
"domains": [
"authentication",
"remote_access"
],
"provenance": {
"source": "cross_domain_relationships.json SHARED_CAPABILITY"
}
},
{
"capability_id": "session_management",
"name": "Session Management",
"description": "Sichere Sitzungsverwaltung: Timeouts, Bindung, Re-Auth, Beendigung.",
"type": "technical_capability",
"realized_by": [
"reauth_after_inactivity",
"remote_session_management",
"session_binding_management",
"temporary_remote_access_mgmt"
],
"realizes_count": 4,
"guidance_basis": [
{
"source": "NIST",
"anchor": "SP 800-63B 4.3",
"role": "best_practice"
},
{
"source": "NIST",
"anchor": "SP 800-53 AC-12",
"role": "best_practice"
},
{
"source": "OWASP",
"anchor": "ASVS V3",
"role": "best_practice"
},
{
"source": "NIST",
"anchor": "AC-2(5)",
"role": "best_practice"
}
],
"domains": [
"authentication",
"remote_access"
],
"provenance": {
"source": "cross_domain_relationships.json SHARED_CAPABILITY"
}
},
{
"capability_id": "transport_encryption",
"name": "Transport Encryption",
"description": "Verschluesselter Transport (TLS, mutual-TLS, Zertifikats-Auth, VPN/Tunnel).",
"type": "technical_capability",
"realized_by": [
"encrypted_auth_channel",
"mutual_authentication",
"reject_insecure_remote_protocols",
"remote_access_confidentiality_integrity",
"remote_access_encryption",
"service_to_service_auth",
"tls_certificate_auth"
],
"realizes_count": 7,
"guidance_basis": [
{
"source": "BSI",
"anchor": "TR-02102-2",
"role": "best_practice"
},
{
"source": "NIST",
"anchor": "IA-03",
"role": "best_practice"
},
{
"source": "NIST",
"anchor": "SC-8",
"role": "best_practice"
},
{
"source": "BSI",
"anchor": "IT-Grundschutz NET.3.3",
"role": "best_practice"
},
{
"source": "OWASP",
"anchor": "API Security Top 10",
"role": "best_practice"
},
{
"source": "NIST",
"anchor": "IA-05(2)",
"role": "best_practice"
}
],
"domains": [
"authentication",
"remote_access"
],
"provenance": {
"source": "cross_domain_relationships.json SHARED_CAPABILITY"
}
},
{
"capability_id": "code_signing",
"name": "Code & Update Signing",
"description": "Digitale Signatur + Integritaets-/Authentizitaetspruefung von Firmware/Software/Updates.",
"type": "technical_capability",
"realized_by": [
"firmware_software_authentication",
"signed_update_integrity"
],
"realizes_count": 2,
"guidance_basis": [
{
"source": "NIST",
"anchor": "SI-07",
"role": "best_practice"
},
{
"source": "NIST",
"anchor": "SP 800-147 BIOS Protection",
"role": "best_practice"
}
],
"domains": [
"authentication",
"updates"
],
"provenance": {
"source": "cross_domain_relationships.json SHARED_CAPABILITY"
}
},
{
"capability_id": "security_monitoring_alerting",
"name": "Security Monitoring & Alerting",
"description": "Anomalie-/Bedrohungserkennung und Alarmierung aus Logs/Telemetrie.",
"type": "technical_capability",
"realized_by": [
"log_monitoring_alerting",
"remote_access_threat_detection"
],
"realizes_count": 2,
"guidance_basis": [
{
"source": "NIST",
"anchor": "AU-6/SI-4",
"role": "best_practice"
},
{
"source": "NIST",
"anchor": "SP 800-94",
"role": "best_practice"
}
],
"domains": [
"logging",
"remote_access"
],
"provenance": {
"source": "cross_domain_relationships.json SHARED_CAPABILITY"
}
}
]
}
obligations/cra.json
+4 -1
View File
@@ -966,7 +966,10 @@
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "draft"
"review_status": "draft",
"merged_into": "provide_security_updates",
"status": "deprecated_alias",
"merge_note": "SAME_OBLIGATION (Cross-Domain-Review). Kanonisch: provide_security_updates ((2)(c)/Art.13). ID bleibt als Alias aufloesbar; downstream provide_security_updates nutzen."
},
{
"id": "vuln_handling_process",
obligations/cra_authentication.json
+5 -1
View File
@@ -10281,7 +10281,11 @@
"cluster_size": 4,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
}
},
"specializes": "software_integrity_protection",
"objective_tags": [
"integrity"
]
}
],
"relationships": [
obligations/cra_core.json
+82
View File
@@ -0,0 +1,82 @@
{
"schema_version": "obligation_registry_v1",
"regulation": "CRA",
"regulation_code": "CRA",
"family": "core",
"theme": "CORE Security Objectives (CRA Annex I als regulierungs-agnostische Sicherheitsziele)",
"generated_by": "materialize_capabilities.py (#5b, Modell C)",
"note": "CORE Legal Obligations = Sicherheitsziele (Modell C: KEINE eigene SecurityObjective-Klasse). DOMAIN-Obligations specializes-en hierauf. objective_tags = Vorwaerts-Kompat zu Modell B.",
"citation_status": "pending_span_anchor",
"obligations": [
{
"id": "attack_surface_minimization",
"name": "Minimierung der Angriffsflaeche",
"family": "core",
"description": "Das Produkt minimiert seine Angriffsflaeche: unnoetige Funktionen/Ports/Dienste/Schnittstellen sind deaktiviert (Least Functionality).",
"tier": "LEGAL_MINIMUM",
"source_role": "LEGAL_BASIS",
"applicability": "universal",
"objective_tags": [
"attack_surface"
],
"legal_basis": [
{
"source": "CRA",
"anchor": "Annex I Part I (2)(j)",
"citation": "limit attack surfaces, including external interfaces"
}
],
"guidance_basis": [
{
"source": "NIST",
"anchor": "CM-7 Least Functionality",
"role": "best_practice"
}
],
"specialized_by": [
"remote_access_attack_surface_min",
"component_remote_interface_security"
],
"primary_implementation": "NIST CM-7",
"citation_status": "pending_span_anchor",
"review_status": "core_from_5b"
},
{
"id": "software_integrity_protection",
"name": "Schutz der Software-/Firmware-Integritaet",
"family": "core",
"description": "Das Produkt schuetzt Integritaet und Authentizitaet von Software/Firmware (Manipulationserkennung, Secure Boot, Signaturpruefung, Runtime-Integritaet).",
"tier": "LEGAL_MINIMUM",
"source_role": "LEGAL_BASIS",
"applicability": "universal",
"objective_tags": [
"integrity"
],
"legal_basis": [
{
"source": "CRA",
"anchor": "Annex I Part I (2)(f)",
"citation": "protect the integrity of stored, transmitted or processed data, software and configuration"
}
],
"guidance_basis": [
{
"source": "NIST",
"anchor": "SI-7 Software, Firmware, and Information Integrity",
"role": "best_practice"
}
],
"specialized_by": [
"signed_update_integrity",
"firmware_software_authentication"
],
"realized_by_capabilities": [
"code_signing"
],
"primary_implementation": "NIST SI-7",
"citation_status": "pending_span_anchor",
"review_status": "core_from_5b"
}
],
"relationships": []
}
obligations/cra_remote_access.json
+12 -3
View File
@@ -1187,7 +1187,11 @@
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "remote_access"
"family": "remote_access",
"specializes": "attack_surface_minimization",
"objective_tags": [
"attack_surface"
]
},
{
"id": "remote_access_vuln_patch_mgmt",
@@ -1465,7 +1469,8 @@
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "remote_access"
"family": "remote_access",
"tier_note": "Bleibt BEST_PRACTICE (NICHT LM) bis Data-Act/Export-Scope sauber ist (User #5b.6). Evtl. Capability-or-Procedure statt Obligation."
},
{
"id": "component_remote_interface_security",
@@ -1508,7 +1513,11 @@
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "remote_access"
"family": "remote_access",
"specializes": "attack_surface_minimization",
"objective_tags": [
"attack_surface"
]
},
{
"id": "remote_access_fallback_concept",
obligations/cra_updates.json
+5 -1
View File
@@ -1392,7 +1392,11 @@
"synthesis_version": "v1"
},
"family": "updates",
"capability_candidate": true
"capability_candidate": true,
"specializes": "software_integrity_protection",
"objective_tags": [
"integrity"
]
},
{
"id": "trusted_update_source",
obligations/obligation_join_keys.json
+21 -1
View File
@@ -1,7 +1,7 @@
{
"schema_version": "obligation_join_keys_v1",
"contract": "obligation_id ist der stabile Join-Key. Legal Knowledge Graph haengt citation_spans an obligation_id; Compliance Execution Graph mappt control_mapping.source_norm -> obligation_id. Interim-Bruecke = citation_units. obligation_id NIE neu vergeben (re-link).",
"count": 93,
"count": 95,
"obligation_ids": [
{
"obligation_id": "sbom_creation",
@@ -175,6 +175,26 @@
],
"source_role": "LEGAL_BASIS"
},
{
"obligation_id": "attack_surface_minimization",
"regulation": "CRA",
"family": "core",
"tier": "LEGAL_MINIMUM",
"citation_units": [
"Annex I Part I (2)(j)"
],
"source_role": "LEGAL_BASIS"
},
{
"obligation_id": "software_integrity_protection",
"regulation": "CRA",
"family": "core",
"tier": "LEGAL_MINIMUM",
"citation_units": [
"Annex I Part I (2)(f)"
],
"source_role": "LEGAL_BASIS"
},
{
"obligation_id": "user_authentication_required",
"regulation": "CRA",