feat(gap): IST-Zustand Assessment — IACE + Normen + Prozesse

Gap Analysis v2: statt 500 generische Gaps → nur die ECHTEN Lücken.

Backend:
- ProductProfile um 15 IST-Felder erweitert (Normen, Doku, Prozesse, CE)
- assessGapStatus prüft: IACE-Mitigations → Zertifizierungen → Normen → IST-Felder
- norm_mapping.go: 20 Normen → MC-Topic Mapping (ISO 12100, IEC 62443, etc.)
- IACE-Integration: CheckIACECoverage() matcht verified Mitigations gegen MCs

Frontend:
- 2-Step Wizard: Produkt beschreiben → IST-Zustand erfassen
- IstAssessment.tsx: CE-Jahr, Normen-Multiselect, Doku+Prozess Checkboxen
- Step-Navigation mit visuellen Indikatoren

Migration 025 erweitert um IST-Felder.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

ai-compliance-sdk/migrations/025_gap_projects.sql

@@ -16,6 +16,18 @@ CREATE TABLE IF NOT EXISTS compliance.gap_projects (
     processes_personal_data BOOLEAN DEFAULT false,
     is_critical_infra_supplier BOOLEAN DEFAULT false,
     existing_certifications JSONB DEFAULT '[]',
+    applied_norms JSONB DEFAULT '[]',
+    has_risk_assessment BOOLEAN DEFAULT false,
+    has_technical_file BOOLEAN DEFAULT false,
+    has_operating_manual BOOLEAN DEFAULT false,
+    has_sbom BOOLEAN DEFAULT false,
+    has_vuln_management BOOLEAN DEFAULT false,
+    has_update_mechanism BOOLEAN DEFAULT false,
+    has_incident_response BOOLEAN DEFAULT false,
+    has_supply_chain_mgmt BOOLEAN DEFAULT false,
+    ce_marking_since VARCHAR(20),
+    product_age VARCHAR(20),
+    iace_project_id UUID,
     last_analysis_at TIMESTAMPTZ,
     created_at TIMESTAMPTZ DEFAULT NOW(),
     updated_at TIMESTAMPTZ DEFAULT NOW()