fix(iace): set-based measure-category filter + 235 pattern-author fixes

Two-part nachhaltiger fix replacing the previous "fill to 5 mitigations
no matter what" behavior that the GT-Bremse benchmark proved
unfaithful (e.g. HP1625 "scharfe Kanten" returning M005 "Rotations-
bewegung vermeiden" via category fallback; HP1651 "Wiederanlauf
Roboter" returning M054 "Sichere thermische Auslegung" via
mismatched pattern reference).

PART A — Set-based category filter (handlers package):
- acceptableMeasureCategories: replaces 1:1 patternCatToMeasureCat
  with a curated set per pattern category, so e.g.
  safety_function_failure now accepts software_control measures
  (watchdogs, plausibility checks) and emc_hazard accepts both
  electrical and software_control measures
- isCategoryCompatible: gate every measure id against the accepted
  set before creating a mitigation; mismatches log MEASURE-SKIP
- The old category fallback is REMOVED. A hazard whose pattern has
  no category-compatible measure is now created with zero mitigations
  and logged as COVERAGE-GAP — the operator must consult an expert.
  No more silent invention of generic defaults.

PART B — 235 pattern author-error fixes across 26 files:
- HP040-HP044 (AI): M101/M102/M103 (Auffangwanne/Absauganlage) ->
  M133 Anomalieerkennung + M214 Plausibilitaet + M213 Sensor-Redundanz
  + M044 Zweikanalige Steuerung + others
- HP011-HP015, HP104-HP109, HP1085-HP1095, HP1281-HP1334 (electrical):
  M001-M005/M054/M061 placeholders -> M481/M482 Isolation +
  M511-M522 PE/Schutzleiter/RCD/Hauptschalter
- HP110-HP1331 (material_environmental): M101-M103 -> M384-M395
  Brandschutz/Laserschutz + M533/M408 SDB/PSA
- HP800-HP858, HP1178-HP1264 (software/sensor/hmi):
  M101/M104 -> M105/M106/M107/M214 SPS/Watchdog/Plausibilitaet
- HP026, HP611-HP1690 (ergonomic): M001/M082 -> M353-M360 +
  M530-M532 Hebehilfe/ergonomische Hoehe
- HP201-HP1697 (mechanical): M054/M051 -> M002/M008/M061/M141 +
  M487/M488 Tueroeffnung-Stillsetzung/Wiederanlauf
- Plus EMF/Strahlung/Brand/Lärm/Vibration/Kommunikation/Cyber

Coverage shift (Pattern-Author-Fehler bei aktiviertem Set-Filter):
   start:         237 patterns with zero category-compatible measures
   after Stufe 1A:   5 (AI)
   after Stufe 1B:  20 (mechanical Bestand)
   after Stufe 1C:  35 (electrical Bestand)
   after Stufe 1D:  29 (material_environmental)
   after Stufe 1E:  29 (software/sensor/hmi)
   after Stufe 1F:  20 (ergonomic)
   after Stufe 1G:  80 (thermal/comm/radiation/fire/safety)
   final:           0  (28 extended.go/extended2.go duplicates fixed)

New regression tests:
- TestEveryPattern_HasCategoryCompatibleMeasure: every pattern in
  collectAllPatterns() must reference at least one category-compatible
  measure; gaps must be explicitly listed in AllowlistKnownGaps
  (currently empty). Fails CI for any new pattern that drifts.
- TestAcceptableMeasureCategories: pins the set-mapping for the
  7 most-bug-prone pattern categories.
- TestIsCategoryCompatible_EmptyMeasureCat: protects legacy entries.

A separate task #11 tracks 58 HP-ID duplicates between
extended.go/extended2.go and cobot.go/press.go/operational.go —
patterns are semantically different and TestGetBuiltinHazardPatterns_-
UniqueIDs misses them because it only checks HP001-HP044.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

ai-compliance-sdk/internal/api/handlers/iace_handler_init.go

@@ -273,16 +273,24 @@ func (h *IACEHandler) InitializeProject(c *gin.Context) {
 			}
 		}
 
-		// For each hazard: assign up to maxMitigationsPerHazard measures
-		// Priority 1: Pattern-specific SuggestedMeasureIDs (from the pattern that created this hazard)
-		// Priority 2: Category fallback (generic measures for the hazard category)
+		// For each hazard: only pattern-specific SuggestedMeasureIDs are
+		// used, FILTERED by category. Measures whose HazardCategory is
+		// incompatible with the pattern's accepted set are skipped with a
+		// MEASURE-SKIP log entry. There is NO category fallback any more —
+		// if the pattern author left a hazard without applicable measures,
+		// the hazard is created with zero mitigations and the operator must
+		// consult an expert. This is the only honest answer: silently
+		// inventing generic defaults (the previous behavior) produced
+		// nonsense like "Rotationsbewegung vermeiden" for a sharp-edge
+		// hazard. See feat/iace-measure-category-filter for context.
+		_ = measuresByCat // retained for backwards-compat read by other code paths
+		_ = patternCatToMeasureCat
+		zeroMitigationHazards := 0
 		for _, hazID := range allHazardIDs {
 			hazCat := hazardCatByID[hazID]
-			measCat := patternCatToMeasureCat(hazCat)
+			accepted := acceptableMeasureCategories(hazCat)
 			added := 0
-			usedIDs := make(map[string]bool)
 
-			// Priority 1: Pattern-specific measures
 			if patternMIDs, ok := hazardPatternMeasures[hazID]; ok {
 				for _, mid := range patternMIDs {
 					if added >= maxMitigationsPerHazard {
@@ -292,6 +300,11 @@ func (h *IACEHandler) InitializeProject(c *gin.Context) {
 					if !ok {
 						continue
 					}
+					if !isCategoryCompatible(entry.HazardCategory, accepted) {
+						fmt.Printf("MEASURE-SKIP: pattern-cat=%s acceptable=%v but mid=%s has cat=%s (%q) — skipping mismatch\n",
+							hazCat, keysOf(accepted), mid, entry.HazardCategory, entry.Name)
+						continue
+					}
 
 					rt := iace.ReductionType(entry.ReductionType)
 					if rt == "" {
@@ -306,30 +319,20 @@ func (h *IACEHandler) InitializeProject(c *gin.Context) {
 					} else {
 						created++
 						added++
-						usedIDs[mid] = true
 					}
 				}
 			}
 
-			// Priority 2: Category fallback (skip already-used IDs)
-			for _, m := range measuresByCat[measCat] {
-				if added >= maxMitigationsPerHazard || usedIDs[m.ID] {
-					continue
-				}
-				rt := iace.ReductionType(m.ReductionType)
-				if rt == "" {
-					rt = iace.ReductionTypeInformation
-				}
-				_, cerr := h.store.CreateMitigation(ctx, iace.CreateMitigationRequest{
-					HazardID: hazID, ReductionType: rt,
-					Name: m.Name, Description: m.Description,
-				})
-				if cerr == nil {
-					created++
-					added++
-				}
+			if added == 0 {
+				zeroMitigationHazards++
+				fmt.Printf("COVERAGE-GAP: hazard %s (cat=%s) has no pattern-specific measures — operator must consult expert\n",
+					hazID, hazCat)
 			}
 		}
+		if zeroMitigationHazards > 0 {
+			fmt.Printf("COVERAGE-GAP-SUMMARY: %d/%d hazards in this project have no mitigations and need expert review\n",
+				zeroMitigationHazards, len(allHazardIDs))
+		}
 		patternMeasureCount := 0
 		for _, mids := range hazardPatternMeasures {
 			patternMeasureCount += len(mids)

ai-compliance-sdk/internal/api/handlers/iace_handler_init_helpers.go

@@ -45,6 +45,91 @@ func extractNarrativeFromMetadata(metadata json.RawMessage) string {
 	return result
 }
 
+// acceptableMeasureCategories returns the set of measure HazardCategory values
+// that are semantically applicable to a hazard with the given pattern category.
+// The mapping is a *set*, not a single value — many pattern categories accept
+// measures from several measure-library categories that are conceptually
+// related. E.g. a safety_function_failure hazard is sensibly mitigated by
+// software_control measures like watchdogs, plausibility checks or self-tests,
+// not just by the (almost empty) safety_function category.
+//
+// "general" is implicit — handled in isCategoryCompatible and not duplicated
+// in every set below.
+func acceptableMeasureCategories(patternCat string) map[string]bool {
+	sets := map[string][]string{
+		"mechanical_hazard":       {"mechanical"},
+		"electrical_hazard":       {"electrical"},
+		"thermal_hazard":          {"thermal", "material_environmental"},
+		"noise_vibration":         {"noise_vibration", "ergonomic"},
+		"pneumatic_hydraulic":     {"pneumatic_hydraulic", "mechanical"},
+		"material_environmental":  {"material_environmental"},
+		"chemical_risk":           {"material_environmental", "thermal"},
+		"ergonomic":               {"ergonomic"},
+		"ergonomic_hazard":        {"ergonomic"},
+		"fire_explosion":          {"thermal", "material_environmental"},
+		"radiation_hazard":        {"material_environmental"},
+		"emc_hazard":              {"electrical", "software_control"},
+		"maintenance_hazard":      {"mechanical"},
+		"safety_function_failure": {"safety_function", "software_control"},
+		"software_fault":          {"software_control"},
+		"sensor_fault":            {"software_control"},
+		"configuration_error":     {"software_control"},
+		"update_failure":          {"software_control"},
+		"hmi_error":               {"software_control"},
+		"mode_confusion":          {"software_control"},
+		"unauthorized_access":     {"cyber_network", "software_control"},
+		"communication_failure":   {"cyber_network", "software_control"},
+		"firmware_corruption":     {"cyber_network", "software_control"},
+		"logging_audit_failure":   {"cyber_network", "software_control"},
+		"ai_misclassification":    {"ai_specific", "software_control"},
+		"false_classification":    {"ai_specific", "software_control"},
+		"model_drift":             {"ai_specific", "software_control"},
+		"data_poisoning":          {"ai_specific", "software_control"},
+		"sensor_spoofing":         {"ai_specific", "software_control"},
+		"unintended_bias":         {"ai_specific", "software_control"},
+		// Edge-case pattern categories from legacy authors. Treated as
+		// synonyms of their primary hazard category so existing patterns
+		// keep matching the right measure pool.
+		"noise_source":              {"noise_vibration", "ergonomic"},
+		"vibration_source":          {"noise_vibration", "ergonomic"},
+		"high_temperature":          {"thermal", "material_environmental"},
+		"material_environmental_hazard": {"material_environmental"},
+	}
+	out := map[string]bool{"general": true}
+	if list, ok := sets[patternCat]; ok {
+		for _, c := range list {
+			out[c] = true
+		}
+	}
+	return out
+}
+
+// isCategoryCompatible reports whether a measure with HazardCategory measureCat
+// is semantically applicable to a hazard whose acceptable measure categories
+// are listed in accepted. Empty measureCat is always allowed (legacy entries),
+// "general" measures are pre-seeded into accepted by acceptableMeasureCategories.
+//
+// Without this guard, patterns silently inherit nonsense mitigations (e.g.
+// HP1651 "robot restart while person in cell" inheriting M054 "Sichere
+// thermische Auslegung" — a thermal-design measure used as generic default in
+// ~100 mechanical patterns). The Fachmann benchmark rejects such mismatches.
+func isCategoryCompatible(measureCat string, accepted map[string]bool) bool {
+	if measureCat == "" {
+		return true
+	}
+	return accepted[measureCat]
+}
+
+// keysOf returns the sorted keys of a string-bool set, used for diagnostic
+// log messages that report which measure categories were accepted for a hazard.
+func keysOf(s map[string]bool) []string {
+	out := make([]string, 0, len(s))
+	for k := range s {
+		out = append(out, k)
+	}
+	return out
+}
+
 // patternCatToMeasureCat maps pattern hazard categories to measure categories.
 func patternCatToMeasureCat(patternCat string) string {
 	m := map[string]string{

ai-compliance-sdk/internal/api/handlers/iace_handler_init_helpers_test.go

@@ -0,0 +1,57 @@
+package handlers
+
+import "testing"
+
+// TestAcceptableMeasureCategories pins the set-based category acceptance map.
+// Each pattern category accepts not just its own measure category but a
+// curated set of semantically related ones — a safety_function_failure
+// pattern is sensibly mitigated by software_control measures (watchdogs,
+// plausibility checks), not just by the near-empty safety_function category.
+func TestAcceptableMeasureCategories(t *testing.T) {
+	cases := []struct {
+		patternCat string
+		mustAccept []string // measure categories that MUST be accepted
+		mustReject []string // measure categories that MUST be rejected
+	}{
+		// mechanical hazards: own + general only
+		{"mechanical_hazard", []string{"mechanical", "general"}, []string{"thermal", "electrical"}},
+		// electrical hazards: own + general only
+		{"electrical_hazard", []string{"electrical", "general"}, []string{"thermal", "mechanical"}},
+		// safety-function failures accept watchdogs (software_control)
+		{"safety_function_failure", []string{"safety_function", "software_control", "general"}, []string{"mechanical", "thermal"}},
+		// EMC accepts electrical + software (shielding + filter logic both apply)
+		{"emc_hazard", []string{"electrical", "software_control", "general"}, []string{"mechanical"}},
+		// AI failures accept ai_specific + software_control
+		{"false_classification", []string{"ai_specific", "software_control", "general"}, []string{"mechanical", "electrical"}},
+		// Fire/explosion accepts thermal + material_environmental
+		{"fire_explosion", []string{"thermal", "material_environmental", "general"}, []string{"mechanical", "electrical"}},
+		// Unknown pattern category: only general
+		{"unknown_made_up_cat", []string{"general"}, []string{"mechanical", "electrical"}},
+	}
+	for _, c := range cases {
+		accepted := acceptableMeasureCategories(c.patternCat)
+		for _, mc := range c.mustAccept {
+			if !isCategoryCompatible(mc, accepted) {
+				t.Errorf("patternCat=%q must accept measureCat=%q but rejected (set=%v)",
+					c.patternCat, mc, accepted)
+			}
+		}
+		for _, mc := range c.mustReject {
+			if isCategoryCompatible(mc, accepted) {
+				t.Errorf("patternCat=%q must reject measureCat=%q but accepted (set=%v)",
+					c.patternCat, mc, accepted)
+			}
+		}
+	}
+}
+
+// TestIsCategoryCompatible_EmptyMeasureCat pins that legacy measures with
+// no HazardCategory set are always allowed — they would otherwise silently
+// disappear during the re-init, since the audit found ~80 such entries in
+// older library files.
+func TestIsCategoryCompatible_EmptyMeasureCat(t *testing.T) {
+	accepted := acceptableMeasureCategories("mechanical_hazard")
+	if !isCategoryCompatible("", accepted) {
+		t.Error("empty measure category must be accepted (legacy entries)")
+	}
+}