feat: #5b materialize capability layer (Modell C) — capabilities.json + cra_core.json

User-Entscheidung Modell C + objective_tags-Safeguard (Tags, keine Klasse). Deterministisch
via materialize_capabilities.py:
- obligations/capabilities.json: 5 Capabilities (multi_factor_authentication/session_management/
  transport_encryption/code_signing/security_monitoring_alerting), realized_by (n:m) +
  guidance_basis KANONISCH hochgezogen. access_control gedroppt (OVERLAP).
- obligations/cra_core.json: 2 CORE-Sicherheitsziele (attack_surface_minimization (2)(j)/CM-7 +
  software_integrity_protection (2)(f)/SI-7) -> fuellt den #4-NIST-Gap.
- DOMAIN specializes->CORE (remote_access_attack_surface_min, component_remote_interface_security,
  signed_update_integrity, firmware_software_authentication) + objective_tags.
- Merge: vuln_remediation_patching -> deprecated_alias von provide_security_updates.
- remote_access_data_export_protection bleibt BEST_PRACTICE (pending Data-Act-Scope).
- join_keys 93->95 (core 2). Bidirektional validiert.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

obligations/capabilities.json

@@ -0,0 +1,253 @@
+{
+ "schema_version": "capability_layer_v1",
+ "model": "Modell C (docs-src/development/capability_model_v1.md)",
+ "note": "Capability = technische Faehigkeit (regulierungs-agnostisch). realized_by = Obligations, die sie erfuellt (n:m). guidance_basis hier KANONISCH hochgezogen aus den realisierten Obligations (die Obligation-Kopien bleiben vorerst als Legacy; Strip = Folge-Cleanup). Sicherheitsziele sind KEINE Capabilities -> cra_core.json.",
+ "dropped": {
+  "access_control": "OVERLAP (credential_confidentiality <-> sbom_confidentiality), nicht materialisiert"
+ },
+ "candidate_capabilities_followup": [
+  "automatic_update_delivery",
+  "update_rollback",
+  "trusted_update_source",
+  "hash_verification",
+  "secure_boot",
+  "least_functionality",
+  "credential_storage"
+ ],
+ "capabilities": [
+  {
+   "capability_id": "multi_factor_authentication",
+   "name": "Multi-Factor Authentication",
+   "description": "Mehrfaktor-Authentisierung als technische Faehigkeit (Besitz/Wissen/Inhaerenz).",
+   "type": "technical_capability",
+   "realized_by": [
+    "mfa_required",
+    "privileged_op_reauth",
+    "remote_access_authentication",
+    "remote_access_mfa",
+    "remote_access_user_validation_ot",
+    "supplier_access_auth"
+   ],
+   "realizes_count": 6,
+   "guidance_basis": [
+    {
+     "source": "NIST",
+     "anchor": "SP 800-63B",
+     "role": "best_practice"
+    },
+    {
+     "source": "Out-of-Band-Authentifizierung",
+     "anchor": "",
+     "role": "implementation_guidance",
+     "merged_from": "out_of_band_authentication"
+    },
+    {
+     "source": "Hardware-basierte Authentifizierung (AAL3)",
+     "anchor": "",
+     "role": "implementation_guidance",
+     "merged_from": "hardware_authenticators"
+    },
+    {
+     "source": "E-Mail-Authentifizierungsmechanismen (SPF/DKIM/DMARC)",
+     "anchor": "",
+     "role": "implementation_guidance",
+     "merged_from": "email_authentication"
+    },
+    {
+     "source": "NIST",
+     "anchor": "IA-02",
+     "role": "best_practice"
+    },
+    {
+     "source": "NIST",
+     "anchor": "IA-02(1)",
+     "role": "best_practice"
+    },
+    {
+     "source": "NIST",
+     "anchor": "AC-17",
+     "role": "best_practice"
+    },
+    {
+     "source": "NIST",
+     "anchor": "SP 800-53 IA-2",
+     "role": "best_practice"
+    },
+    {
+     "source": "BSI",
+     "anchor": "ICS Security Kompendium",
+     "role": "best_practice"
+    },
+    {
+     "source": "ISO",
+     "anchor": "ISO 27001 A.5.19",
+     "role": "best_practice"
+    }
+   ],
+   "domains": [
+    "authentication",
+    "remote_access"
+   ],
+   "provenance": {
+    "source": "cross_domain_relationships.json SHARED_CAPABILITY"
+   }
+  },
+  {
+   "capability_id": "session_management",
+   "name": "Session Management",
+   "description": "Sichere Sitzungsverwaltung: Timeouts, Bindung, Re-Auth, Beendigung.",
+   "type": "technical_capability",
+   "realized_by": [
+    "reauth_after_inactivity",
+    "remote_session_management",
+    "session_binding_management",
+    "temporary_remote_access_mgmt"
+   ],
+   "realizes_count": 4,
+   "guidance_basis": [
+    {
+     "source": "NIST",
+     "anchor": "SP 800-63B 4.3",
+     "role": "best_practice"
+    },
+    {
+     "source": "NIST",
+     "anchor": "SP 800-53 AC-12",
+     "role": "best_practice"
+    },
+    {
+     "source": "OWASP",
+     "anchor": "ASVS V3",
+     "role": "best_practice"
+    },
+    {
+     "source": "NIST",
+     "anchor": "AC-2(5)",
+     "role": "best_practice"
+    }
+   ],
+   "domains": [
+    "authentication",
+    "remote_access"
+   ],
+   "provenance": {
+    "source": "cross_domain_relationships.json SHARED_CAPABILITY"
+   }
+  },
+  {
+   "capability_id": "transport_encryption",
+   "name": "Transport Encryption",
+   "description": "Verschluesselter Transport (TLS, mutual-TLS, Zertifikats-Auth, VPN/Tunnel).",
+   "type": "technical_capability",
+   "realized_by": [
+    "encrypted_auth_channel",
+    "mutual_authentication",
+    "reject_insecure_remote_protocols",
+    "remote_access_confidentiality_integrity",
+    "remote_access_encryption",
+    "service_to_service_auth",
+    "tls_certificate_auth"
+   ],
+   "realizes_count": 7,
+   "guidance_basis": [
+    {
+     "source": "BSI",
+     "anchor": "TR-02102-2",
+     "role": "best_practice"
+    },
+    {
+     "source": "NIST",
+     "anchor": "IA-03",
+     "role": "best_practice"
+    },
+    {
+     "source": "NIST",
+     "anchor": "SC-8",
+     "role": "best_practice"
+    },
+    {
+     "source": "BSI",
+     "anchor": "IT-Grundschutz NET.3.3",
+     "role": "best_practice"
+    },
+    {
+     "source": "OWASP",
+     "anchor": "API Security Top 10",
+     "role": "best_practice"
+    },
+    {
+     "source": "NIST",
+     "anchor": "IA-05(2)",
+     "role": "best_practice"
+    }
+   ],
+   "domains": [
+    "authentication",
+    "remote_access"
+   ],
+   "provenance": {
+    "source": "cross_domain_relationships.json SHARED_CAPABILITY"
+   }
+  },
+  {
+   "capability_id": "code_signing",
+   "name": "Code & Update Signing",
+   "description": "Digitale Signatur + Integritaets-/Authentizitaetspruefung von Firmware/Software/Updates.",
+   "type": "technical_capability",
+   "realized_by": [
+    "firmware_software_authentication",
+    "signed_update_integrity"
+   ],
+   "realizes_count": 2,
+   "guidance_basis": [
+    {
+     "source": "NIST",
+     "anchor": "SI-07",
+     "role": "best_practice"
+    },
+    {
+     "source": "NIST",
+     "anchor": "SP 800-147 BIOS Protection",
+     "role": "best_practice"
+    }
+   ],
+   "domains": [
+    "authentication",
+    "updates"
+   ],
+   "provenance": {
+    "source": "cross_domain_relationships.json SHARED_CAPABILITY"
+   }
+  },
+  {
+   "capability_id": "security_monitoring_alerting",
+   "name": "Security Monitoring & Alerting",
+   "description": "Anomalie-/Bedrohungserkennung und Alarmierung aus Logs/Telemetrie.",
+   "type": "technical_capability",
+   "realized_by": [
+    "log_monitoring_alerting",
+    "remote_access_threat_detection"
+   ],
+   "realizes_count": 2,
+   "guidance_basis": [
+    {
+     "source": "NIST",
+     "anchor": "AU-6/SI-4",
+     "role": "best_practice"
+    },
+    {
+     "source": "NIST",
+     "anchor": "SP 800-94",
+     "role": "best_practice"
+    }
+   ],
+   "domains": [
+    "logging",
+    "remote_access"
+   ],
+   "provenance": {
+    "source": "cross_domain_relationships.json SHARED_CAPABILITY"
+   }
+  }
+ ]
+}