feat(cra): Flow-2 UI — Scanner-Repo wählen → echtes Assessment

- GET /v1/cra/scanner-repos: distinct repo_ids (+counts) vom Scanner-MCP für den Picker.
- useCRA: scannerRepo-State; bei Auswahl POST /assess-from-scanner (echte Findings),
  sonst by-iace/Demo wie bisher.
- ScannerRepoPicker im CRA/Cyber-Tab; leere Auswahl = Demo, Repo gewählt = echte Befunde.

Mapping repo_id↔Projekt aktuell UI-seitig (ephemeral); DB-Persistenz pro Projekt folgt.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend-compliance/compliance/api/cra_assess_routes.py

@@ -134,6 +134,23 @@ async def assess_from_scanner(body: ScannerPullRequest):
     return result
 
 
+@router.get("/scanner-repos")
+async def scanner_repos():
+    """Distinct repo_ids the scanner has findings for, so the UI can pick which
+    repo to assess. Best-effort (one findings page); empty if no scanner config."""
+    findings = await fetch_findings(limit=200)
+    counts: Dict[str, int] = {}
+    for f in findings:
+        rid = f.get("repo_id")
+        if rid:
+            counts[rid] = counts.get(rid, 0) + 1
+    repos = sorted(
+        ({"repo_id": k, "count": v} for k, v in counts.items()),
+        key=lambda r: -r["count"],
+    )
+    return {"repos": repos, "sampled": len(findings) >= 200}
+
+
 @router.post("/projects/{project_id}/assess-snapshot")
 async def assess_snapshot(project_id: str, body: AssessRequest, tenant_id: str = Depends(get_tenant_id)):
     """Run the assessment and persist it as a versioned snapshot (running system)."""