feat: #5b materialize capability layer (Modell C) — capabilities.json + cra_core.json

User-Entscheidung Modell C + objective_tags-Safeguard (Tags, keine Klasse). Deterministisch
via materialize_capabilities.py:
- obligations/capabilities.json: 5 Capabilities (multi_factor_authentication/session_management/
  transport_encryption/code_signing/security_monitoring_alerting), realized_by (n:m) +
  guidance_basis KANONISCH hochgezogen. access_control gedroppt (OVERLAP).
- obligations/cra_core.json: 2 CORE-Sicherheitsziele (attack_surface_minimization (2)(j)/CM-7 +
  software_integrity_protection (2)(f)/SI-7) -> fuellt den #4-NIST-Gap.
- DOMAIN specializes->CORE (remote_access_attack_surface_min, component_remote_interface_security,
  signed_update_integrity, firmware_software_authentication) + objective_tags.
- Merge: vuln_remediation_patching -> deprecated_alias von provide_security_updates.
- remote_access_data_export_protection bleibt BEST_PRACTICE (pending Data-Act-Scope).
- join_keys 93->95 (core 2). Bidirektional validiert.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

obligations/cra_core.json

@@ -0,0 +1,82 @@
+{
+ "schema_version": "obligation_registry_v1",
+ "regulation": "CRA",
+ "regulation_code": "CRA",
+ "family": "core",
+ "theme": "CORE Security Objectives (CRA Annex I als regulierungs-agnostische Sicherheitsziele)",
+ "generated_by": "materialize_capabilities.py (#5b, Modell C)",
+ "note": "CORE Legal Obligations = Sicherheitsziele (Modell C: KEINE eigene SecurityObjective-Klasse). DOMAIN-Obligations specializes-en hierauf. objective_tags = Vorwaerts-Kompat zu Modell B.",
+ "citation_status": "pending_span_anchor",
+ "obligations": [
+  {
+   "id": "attack_surface_minimization",
+   "name": "Minimierung der Angriffsflaeche",
+   "family": "core",
+   "description": "Das Produkt minimiert seine Angriffsflaeche: unnoetige Funktionen/Ports/Dienste/Schnittstellen sind deaktiviert (Least Functionality).",
+   "tier": "LEGAL_MINIMUM",
+   "source_role": "LEGAL_BASIS",
+   "applicability": "universal",
+   "objective_tags": [
+    "attack_surface"
+   ],
+   "legal_basis": [
+    {
+     "source": "CRA",
+     "anchor": "Annex I Part I (2)(j)",
+     "citation": "limit attack surfaces, including external interfaces"
+    }
+   ],
+   "guidance_basis": [
+    {
+     "source": "NIST",
+     "anchor": "CM-7 Least Functionality",
+     "role": "best_practice"
+    }
+   ],
+   "specialized_by": [
+    "remote_access_attack_surface_min",
+    "component_remote_interface_security"
+   ],
+   "primary_implementation": "NIST CM-7",
+   "citation_status": "pending_span_anchor",
+   "review_status": "core_from_5b"
+  },
+  {
+   "id": "software_integrity_protection",
+   "name": "Schutz der Software-/Firmware-Integritaet",
+   "family": "core",
+   "description": "Das Produkt schuetzt Integritaet und Authentizitaet von Software/Firmware (Manipulationserkennung, Secure Boot, Signaturpruefung, Runtime-Integritaet).",
+   "tier": "LEGAL_MINIMUM",
+   "source_role": "LEGAL_BASIS",
+   "applicability": "universal",
+   "objective_tags": [
+    "integrity"
+   ],
+   "legal_basis": [
+    {
+     "source": "CRA",
+     "anchor": "Annex I Part I (2)(f)",
+     "citation": "protect the integrity of stored, transmitted or processed data, software and configuration"
+    }
+   ],
+   "guidance_basis": [
+    {
+     "source": "NIST",
+     "anchor": "SI-7 Software, Firmware, and Information Integrity",
+     "role": "best_practice"
+    }
+   ],
+   "specialized_by": [
+    "signed_update_integrity",
+    "firmware_software_authentication"
+   ],
+   "realized_by_capabilities": [
+    "code_signing"
+   ],
+   "primary_implementation": "NIST SI-7",
+   "citation_status": "pending_span_anchor",
+   "review_status": "core_from_5b"
+  }
+ ],
+ "relationships": []
+}