feat(gap): IST-Zustand Assessment — IACE + Normen + Prozesse

Gap Analysis v2: statt 500 generische Gaps → nur die ECHTEN Lücken.

Backend:
- ProductProfile um 15 IST-Felder erweitert (Normen, Doku, Prozesse, CE)
- assessGapStatus prüft: IACE-Mitigations → Zertifizierungen → Normen → IST-Felder
- norm_mapping.go: 20 Normen → MC-Topic Mapping (ISO 12100, IEC 62443, etc.)
- IACE-Integration: CheckIACECoverage() matcht verified Mitigations gegen MCs

Frontend:
- 2-Step Wizard: Produkt beschreiben → IST-Zustand erfassen
- IstAssessment.tsx: CE-Jahr, Normen-Multiselect, Doku+Prozess Checkboxen
- Step-Navigation mit visuellen Indikatoren

Migration 025 erweitert um IST-Felder.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

ai-compliance-sdk/internal/gap/norm_mapping.go

@@ -0,0 +1,73 @@
+package gap
+
+// NormToControlMapping maps applied norms to MC topic prefixes they cover.
+// If a manufacturer has applied a norm, all matching MC topics are "fulfilled".
+var NormToControlMapping = map[string][]string{
+	// Machine Safety
+	"ISO12100":   {"risk_management_assessment", "risk_management_documentation", "product_safety"},
+	"ENISO13849": {"product_safety", "risk_management_assessment", "secure_development"},
+	"IEC61508":   {"product_safety", "risk_management", "secure_development"},
+	"IEC62061":   {"product_safety", "risk_management"},
+
+	// EMC / Electrical Safety
+	"EN61326":  {"network_security", "physical_security"},
+	"EN62368":  {"physical_security", "product_safety"},
+	"IEC60204": {"physical_security", "product_safety"},
+
+	// Information Security
+	"ISO27001": {
+		"access_control", "encryption", "incident", "audit_logging",
+		"vulnerability", "patch_management", "risk_management",
+		"human_resources_security", "physical_security", "backup",
+		"disaster_recovery", "change_management", "asset_management",
+		"monitoring", "network_security",
+	},
+	"ISO27002": {
+		"access_control", "encryption", "audit_logging",
+		"vulnerability", "patch_management",
+	},
+
+	// Industrial Cybersecurity
+	"IEC62443": {
+		"network_security", "network_segmentation", "access_control",
+		"monitoring", "vulnerability", "patch_management",
+		"incident", "secure_development",
+	},
+
+	// Medical Devices
+	"ISO13485":   {"risk_management", "documentation", "change_management", "training"},
+	"IEC60601":   {"physical_security", "product_safety"},
+	"ISO14971":   {"risk_management_assessment", "risk_management_documentation"},
+	"IEC62304":   {"secure_development", "change_management", "documentation"},
+
+	// Crypto/Fintech
+	"ISO22301":   {"disaster_recovery", "backup", "incident"},
+	"PCIDSS":     {"encryption", "access_control", "audit_logging", "vulnerability", "network_segmentation"},
+
+	// Quality / Environmental
+	"ISO9001":    {"change_management", "documentation", "training", "compliance_audit"},
+	"ISO14001":   {"compliance_audit", "documentation", "risk_management"},
+
+	// Product Safety / RoHS / REACH
+	"EN50581":    {"supply_chain_due_diligence", "product_safety"},
+
+	// Functional Safety (software)
+	"ASPICE":     {"secure_development", "change_management", "documentation"},
+	"ISO26262":   {"secure_development", "risk_management", "product_safety"},
+}
+
+// normCoversControl checks if any applied norm covers a given MC topic.
+func normCoversControl(appliedNorms []string, mcTopic string) bool {
+	for _, norm := range appliedNorms {
+		topics, ok := NormToControlMapping[norm]
+		if !ok {
+			continue
+		}
+		for _, topic := range topics {
+			if contains(mcTopic, topic) {
+				return true
+			}
+		}
+	}
+	return false
+}