feat(bridge): security-updates obligation cut (CRA Annex I (2)(c)/Art 13) — 9 obligations

- obligations/cra_updates.json: 9 (6 LEGAL_MINIMUM + 3 BEST_PRACTICE), Beziehungen. Pipeline 670->318 micro->15 review-units -> Opus-Synthese. Synthese gut kalibriert -> light review (KEINE Hart-Re-Tier, vs Auth/Remote-Access). out_of_scope M4/M7. 5 capability_candidate-Marker (signed/trusted/automatic/rollback/testing) fuer Phase-4-Capability-Pruefung. Anker approximativ (curation.anchor_quality). - obligation_join_keys.json: 84 -> 93 (updates 9). Alle 6 CRA-P1-Domaenen abgedeckt. - precluster.py: updates-Scope. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-25 18:51:09 +02:00
parent 1584b8fb2f
commit 8937f105ea
3 changed files with 1909 additions and 1 deletions
@@ -1,7 +1,7 @@
 {
 "schema_version": "obligation_join_keys_v1",
 "contract": "obligation_id ist der stabile Join-Key. Legal Knowledge Graph haengt citation_spans an obligation_id; Compliance Execution Graph mappt control_mapping.source_norm -> obligation_id. Interim-Bruecke = citation_units. obligation_id NIE neu vergeben (re-link).",
- "count": 84,
+ "count": 93,
 "obligation_ids": [
  {
   "obligation_id": "sbom_creation",
@@ -736,6 +736,91 @@
   "tier": "BEST_PRACTICE",
   "citation_units": [],
   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "provide_security_updates",
+   "regulation": "CRA",
+   "family": "updates",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I (2)(c)",
+    "Art. 13"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "support_period_maintenance",
+   "regulation": "CRA",
+   "family": "updates",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Art. 13(8)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "signed_update_integrity",
+   "regulation": "CRA",
+   "family": "updates",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I (1)(3)(f)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "trusted_update_source",
+   "regulation": "CRA",
+   "family": "updates",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I (1)(3)(d)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "update_testing_validation",
+   "regulation": "CRA",
+   "family": "updates",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "update_rollback",
+   "regulation": "CRA",
+   "family": "updates",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "automatic_updates_optout",
+   "regulation": "CRA",
+   "family": "updates",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I (2)(c)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "update_risk_assessment",
+   "regulation": "CRA",
+   "family": "updates",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I (1)(2)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "secure_modification_control",
+   "regulation": "CRA",
+   "family": "updates",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "IMPLEMENTATION"
  }
 ]
 }