feat(gap): IST-Zustand Assessment — IACE + Normen + Prozesse

Gap Analysis v2: statt 500 generische Gaps → nur die ECHTEN Lücken.

Backend:
- ProductProfile um 15 IST-Felder erweitert (Normen, Doku, Prozesse, CE)
- assessGapStatus prüft: IACE-Mitigations → Zertifizierungen → Normen → IST-Felder
- norm_mapping.go: 20 Normen → MC-Topic Mapping (ISO 12100, IEC 62443, etc.)
- IACE-Integration: CheckIACECoverage() matcht verified Mitigations gegen MCs

Frontend:
- 2-Step Wizard: Produkt beschreiben → IST-Zustand erfassen
- IstAssessment.tsx: CE-Jahr, Normen-Multiselect, Doku+Prozess Checkboxen
- Step-Navigation mit visuellen Indikatoren

Migration 025 erweitert um IST-Felder.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

ai-compliance-sdk/internal/gap/gap_engine.go

@@ -38,7 +38,7 @@ func (e *Engine) Analyze(profile *ProductProfile) (*GapReport, error) {
 	// Step 4: Assess gaps
 	gaps := make([]GapItem, 0, len(mcGroups))
 	for _, mc := range mcGroups {
-		status := e.assessGapStatus(mc, profile.ExistingCertifications)
+		status := e.assessGapStatus(mc, profile)
 		item := GapItem{
 			MCID:          mc.MasterControlID,
 			MCName:        mc.CanonicalName,
@@ -77,27 +77,80 @@ func (e *Engine) Analyze(profile *ProductProfile) (*GapReport, error) {
 	return report, nil
 }
 
-// assessGapStatus determines if a MC is fulfilled based on existing certs.
-func (e *Engine) assessGapStatus(mc MCGroup, certs []string) GapStatus {
-	// If customer has ISO 27001, many security controls are likely fulfilled
-	for _, cert := range certs {
+// assessGapStatus determines if a MC is fulfilled based on IST-Zustand:
+// IACE project data, applied norms, certifications, and existing processes.
+func (e *Engine) assessGapStatus(mc MCGroup, profile *ProductProfile) GapStatus {
+	name := mc.CanonicalName
+
+	// A) IACE-Projekt vorhanden → aus verified Mitigations ableiten
+	if profile.IACEProjectID != nil {
+		status := e.store.CheckIACECoverage(*profile.IACEProjectID, name)
+		if status == "verified" {
+			return GapFulfilled
+		}
+		if status == "implemented" {
+			return GapPartial
+		}
+	}
+
+	// B) Bestehende Zertifizierungen
+	for _, cert := range profile.ExistingCertifications {
 		switch cert {
-		case "ISO27001":
-			if isSecurityTopic(mc.CanonicalName) {
-				return GapPartial // Likely partially covered
-			}
 		case "CE":
-			if isMachineryTopic(mc.CanonicalName) {
+			if isMachineryTopic(name) {
 				return GapFulfilled
 			}
+		case "ISO27001":
+			if isSecurityTopic(name) {
+				return GapPartial
+			}
 		case "SOC2":
-			if isSecurityTopic(mc.CanonicalName) {
+			if isSecurityTopic(name) {
+				return GapPartial
+			}
+		case "ISO13485":
+			if contains(name, "risk_management") || contains(name, "documentation") {
 				return GapPartial
 			}
 		}
 	}
 
-	// Default: missing (customer must verify)
+	// C) Angewandte Normen → Controls als fulfilled erkennen
+	if normCoversControl(profile.AppliedNorms, name) {
+		return GapFulfilled
+	}
+
+	// D) IST-Felder direkt matchen
+	if profile.HasSBOM && contains(name, "asset_management_inventory") {
+		return GapFulfilled
+	}
+	if profile.HasVulnManagement && contains(name, "vulnerability") {
+		return GapFulfilled
+	}
+	if profile.HasUpdateMechanism && contains(name, "patch_management") {
+		return GapFulfilled
+	}
+	if profile.HasIncidentResponse && contains(name, "incident") {
+		return GapFulfilled
+	}
+	if profile.HasRiskAssessment && contains(name, "risk_management") {
+		return GapFulfilled
+	}
+	if profile.HasTechnicalFile && contains(name, "documentation") {
+		return GapFulfilled
+	}
+	if profile.HasOperatingManual && contains(name, "operating_instructions") {
+		return GapFulfilled
+	}
+	if profile.HasSupplyChainMgmt && contains(name, "third_party_management") {
+		return GapFulfilled
+	}
+
+	// E) CE-Kennzeichnung vorhanden → Produktsicherheit fulfilled
+	if profile.CEMarkingSince != nil && isMachineryTopic(name) {
+		return GapFulfilled
+	}
+
 	return GapMissing
 }