feat(cra): CRA Readiness Check lead-magnet on /sdk/cra (Track A)

Low-friction, stateless readiness check (no project/DB): business-scope answers
(internet / parameter app / remote maintenance / updates / firmware / personal
data / critical infra) -> Annex III/IV classification (reuses _classify) + a
high-level guideline grouped Code / Prozess / Dokumentation (via Annex I
evidence_type) + conformity path + deadlines + rough effort + the "we implement"
hook and a CTA into the existing project workflow. Endpoint POST /api/v1/cra/
readiness. Reuse + reframe of the existing CRA module — no duplicate questionnaire.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

admin-compliance/app/sdk/cra/_components/ReadinessCheck.tsx

@@ -0,0 +1,152 @@
+'use client'
+
+import { useState } from 'react'
+
+interface GuidelineItem {
+  req_id: string
+  title: string
+  category: string
+  annex_anchor: string
+  severity: string
+  effort_days?: number
+  measures: { id: string; name: string }[]
+}
+interface ReadinessResult {
+  in_scope: boolean
+  classification: string
+  rationale: string[]
+  conformity_path_hint: string
+  guideline: { code: GuidelineItem[]; process: GuidelineItem[]; document: GuidelineItem[] }
+  counts: { code: number; process: number; document: number }
+  total_effort_days: number
+  deadlines: { date: string; label: string }[]
+}
+
+const CLASS_LABEL: Record<string, string> = {
+  CRITICAL: 'Kritisch', IMPORTANT_II: 'Wichtig (Klasse II)', IMPORTANT_I: 'Wichtig (Klasse I)',
+  STANDARD: 'Standard', NOT_IN_SCOPE: 'Nicht im CRA-Anwendungsbereich',
+}
+const BUCKETS: { key: 'code' | 'process' | 'document'; label: string; hint: string }[] = [
+  { key: 'code', label: 'Code / Technik', hint: 'im Produkt umzusetzen' },
+  { key: 'process', label: 'Prozesse', hint: 'organisatorisch zu etablieren' },
+  { key: 'document', label: 'Dokumentation', hint: 'nachzuweisen / beizulegen' },
+]
+
+export function ReadinessCheck({ onCreateProject }: { onCreateProject?: () => void }) {
+  const [intendedUse, setIntendedUse] = useState('')
+  const [flags, setFlags] = useState<Record<string, boolean>>({})
+  const [result, setResult] = useState<ReadinessResult | null>(null)
+  const [loading, setLoading] = useState(false)
+
+  const toggle = (k: string) => setFlags((f) => ({ ...f, [k]: !f[k] }))
+
+  const run = async () => {
+    setLoading(true)
+    try {
+      const res = await fetch('/api/v1/cra/readiness', {
+        method: 'POST', headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ intended_use: intendedUse, ...flags }),
+      })
+      setResult(res.ok ? await res.json() : null)
+    } finally { setLoading(false) }
+  }
+
+  const QUESTIONS: { k: string; label: string }[] = [
+    { k: 'connected_to_internet', label: 'Hängt das Produkt am Internet (oder soll es)?' },
+    { k: 'user_parameter_app', label: 'Gibt es eine App, mit der Nutzer Parameter einstellen?' },
+    { k: 'remote_maintenance', label: 'Bietet ihr Fernwartung an?' },
+    { k: 'has_software_updates', label: 'Hat es Software-/Firmware-Updates?' },
+    { k: 'has_firmware', label: 'Enthält es Firmware (Embedded/IoT)?' },
+    { k: 'processes_personal_data', label: 'Verarbeitet es personenbezogene Daten?' },
+    { k: 'is_critical_infra_supplier', label: 'Wird es in kritischer Infrastruktur eingesetzt?' },
+  ]
+
+  return (
+    <div className="rounded-xl border border-purple-200 dark:border-purple-800 bg-purple-50/50 dark:bg-purple-900/20 p-5 mb-6">
+      <h2 className="text-lg font-semibold text-gray-900 dark:text-gray-100">CRA-Readiness-Check</h2>
+      <p className="text-sm text-gray-600 dark:text-gray-300 mt-1 mb-4">
+        Was kommt mit dem Cyber Resilience Act auf Ihr Produkt zu? Ein paar Fragen — Sie bekommen sofort
+        eine auf Ihren Scope zugeschnittene Übersicht (Code, Prozesse, Dokumentation). <span className="italic">Wir analysieren —
+        und setzen es mit Ihnen um.</span>
+      </p>
+
+      <textarea
+        value={intendedUse} onChange={(e) => setIntendedUse(e.target.value)}
+        placeholder="Was tut das Produkt? (z. B. vernetztes Kistenhubgerät mit App-Steuerung und Fernwartung)"
+        className="w-full text-sm rounded border border-gray-200 dark:border-gray-600 bg-white dark:bg-gray-700 p-2 mb-3" rows={2}
+      />
+      <div className="grid sm:grid-cols-2 gap-2 mb-4">
+        {QUESTIONS.map((q) => (
+          <label key={q.k} className="flex items-center gap-2 text-xs text-gray-700 dark:text-gray-300">
+            <input type="checkbox" checked={!!flags[q.k]} onChange={() => toggle(q.k)} className="rounded" />
+            {q.label}
+          </label>
+        ))}
+      </div>
+      <button onClick={run} disabled={loading}
+        className="rounded bg-purple-600 hover:bg-purple-700 disabled:opacity-50 text-white text-sm px-4 py-2">
+        {loading ? 'Prüfe …' : 'CRA-Readiness prüfen'}
+      </button>
+
+      {result && (
+        <div className="mt-5">
+          {!result.in_scope ? (
+            <p className="text-sm text-gray-700 dark:text-gray-200">
+              Nach diesen Angaben fällt das Produkt <span className="font-semibold">nicht in den CRA-Anwendungsbereich</span>
+              {' '}(kein digitales Element erkannt). Sobald es vernetzt ist oder Updates bekommt, ändert sich das.
+            </p>
+          ) : (
+            <>
+              <div className="flex flex-wrap items-center gap-2 mb-1">
+                <span className="text-sm text-gray-600 dark:text-gray-300">Einstufung:</span>
+                <span className="rounded px-2 py-0.5 text-xs font-semibold bg-purple-100 text-purple-700 dark:bg-purple-900/40 dark:text-purple-300">
+                  {CLASS_LABEL[result.classification] || result.classification}
+                </span>
+                <span className="text-xs text-gray-500">· Konformität: {result.conformity_path_hint}</span>
+              </div>
+              <p className="text-xs text-gray-500 mb-3">
+                {result.counts.code + result.counts.process + result.counts.document} Pflichten · grobe Schätzung
+                ~{result.total_effort_days} Personentage. Das ist ein Überblick zur Klärung — keine Rechtsberatung.
+              </p>
+
+              <div className="grid md:grid-cols-3 gap-3">
+                {BUCKETS.map((b) => (
+                  <div key={b.key} className="rounded-lg border border-gray-200 dark:border-gray-700 bg-white dark:bg-gray-800 p-3">
+                    <h3 className="text-sm font-semibold text-gray-800 dark:text-gray-200">{b.label}
+                      <span className="ml-1 text-[10px] font-normal text-gray-400">({result.counts[b.key]} · {b.hint})</span>
+                    </h3>
+                    <ul className="mt-2 space-y-1.5">
+                      {result.guideline[b.key].map((it) => (
+                        <li key={it.req_id} className="text-[11px] text-gray-600 dark:text-gray-300">
+                          <span className="font-medium text-gray-800 dark:text-gray-200">{it.title}</span>
+                          <span className="text-gray-400"> · {it.annex_anchor}</span>
+                          {it.measures.length > 0 && (
+                            <span className="text-gray-400"> · {it.measures.map((m) => m.id).join(', ')}</span>
+                          )}
+                        </li>
+                      ))}
+                    </ul>
+                  </div>
+                ))}
+              </div>
+
+              <div className="flex flex-wrap gap-3 mt-3 text-[11px] text-gray-500">
+                <span className="font-medium text-gray-600 dark:text-gray-300">CRA-Fristen:</span>
+                {result.deadlines.map((d) => (
+                  <span key={d.date}><span className="font-mono">{d.date}</span> {d.label}</span>
+                ))}
+              </div>
+
+              {onCreateProject && (
+                <button onClick={onCreateProject}
+                  className="mt-4 rounded bg-purple-600 hover:bg-purple-700 text-white text-sm px-4 py-2">
+                  Projekt anlegen & Checkliste abarbeiten — wir setzen es mit Ihnen um
+                </button>
+              )}
+            </>
+          )}
+        </div>
+      )}
+    </div>
+  )
+}

admin-compliance/app/sdk/cra/page.tsx

@@ -3,6 +3,7 @@
 import React, { useState, useEffect, useCallback } from 'react'
 import { useRouter } from 'next/navigation'
 import { ClassificationBadge } from './_components/ClassificationBadge'
+import { ReadinessCheck } from './_components/ReadinessCheck'
 
 interface CRAProject {
   id: string
@@ -99,6 +100,8 @@ export default function CRAProjectsPage() {
           </p>
         </div>
 
+        <ReadinessCheck onCreateProject={() => setShowModal(true)} />
+
         <div className="mb-4 px-4 py-2 bg-emerald-50 border border-emerald-200 rounded-lg text-xs text-emerald-800 flex items-start gap-2">
           <span className="font-semibold">Quellen &amp; Lizenz:</span>
           <span>

backend-compliance/compliance/api/cra_assess_routes.py

@@ -18,6 +18,8 @@ from compliance.services.cra_finding_mapper import assess_findings_payload
 from compliance.services.cra_snapshot_store import save_snapshot, list_snapshots, get_snapshot
 from compliance.services.cra_use_case_controls import enrich_findings_with_breadth
 from compliance.services.cra_component_findings import findings_from_components
+from compliance.api.cra_annex_i_data import ANNEX_I_REQUIREMENTS, MEASURES, DEADLINES
+from compliance.api.cra_routes import _classify  # reuse the deterministic Annex III/IV classifier
 from database import SessionLocal
 from .tenant_utils import get_tenant_id
 
@@ -113,3 +115,64 @@ async def get_assess_snapshot(snapshot_id: str, tenant_id: str = Depends(get_ten
     if not snap:
         raise HTTPException(status_code=404, detail="Snapshot not found")
     return snap
+
+
+# --- Lead-magnet readiness check (stateless, no project, no DB) ---
+
+class ReadinessRequest(BaseModel):
+    intended_use: Optional[str] = ""
+    connected_to_internet: Optional[bool] = False
+    has_software_updates: Optional[bool] = False
+    processes_personal_data: Optional[bool] = False
+    is_critical_infra_supplier: Optional[bool] = False
+    has_firmware: Optional[bool] = False
+    remote_maintenance: Optional[bool] = False        # implies connectivity + updates
+    user_parameter_app: Optional[bool] = False        # implies connectivity + updates
+
+
+# CRA Annex I evidence_type -> guideline bucket (Code / Prozess / Dokumentation).
+_GUIDELINE_BUCKET = {"code": "code", "hybrid": "code", "process": "process", "document": "document"}
+_PATH_HINT = {
+    "CRITICAL": "Konformitaet ueber benannte Stelle / EUCC (Modul H/C)",
+    "IMPORTANT_II": "Modul B+C oder harmonisierte Norm",
+    "IMPORTANT_I": "Self-Assessment bei harmonisierten Normen, sonst Modul B",
+    "STANDARD": "Self-Assessment (Modul A)",
+    "NOT_IN_SCOPE": "—",
+}
+
+
+@router.post("/readiness")
+async def readiness(body: ReadinessRequest):
+    """Low-friction CRA readiness check: business-scope answers -> Annex III/IV
+    classification + a high-level guideline grouped Code / Prozess / Dokumentation.
+    Reuses the deterministic classifier + Annex I spine. No project, no DB."""
+    intake = {
+        "intended_use": body.intended_use,
+        "connected_to_internet": bool(body.connected_to_internet or body.remote_maintenance or body.user_parameter_app),
+        "has_software_updates": bool(body.has_software_updates or body.remote_maintenance or body.user_parameter_app),
+        "processes_personal_data": bool(body.processes_personal_data),
+        "is_critical_infra_supplier": bool(body.is_critical_infra_supplier),
+    }
+    classification, rationale = _classify(intake)
+    in_scope = classification != "NOT_IN_SCOPE"
+    groups = {"code": [], "process": [], "document": []}
+    if in_scope:
+        for req in ANNEX_I_REQUIREMENTS:
+            bucket = _GUIDELINE_BUCKET.get(req.get("evidence_type", "process"), "process")
+            groups[bucket].append({
+                "req_id": req["req_id"], "title": req["title"], "category": req["category"],
+                "annex_anchor": req["annex_anchor"], "severity": req["severity"],
+                "effort_days": req.get("effort_days"),
+                "measures": [{"id": m, "name": MEASURES.get(m, m)} for m in req.get("mapped_measures", [])],
+            })
+    total_effort = sum(r["effort_days"] for g in groups.values() for r in g if r.get("effort_days"))
+    return {
+        "in_scope": in_scope,
+        "classification": classification,
+        "rationale": rationale,
+        "conformity_path_hint": _PATH_HINT.get(classification, ""),
+        "guideline": groups,
+        "counts": {k: len(v) for k, v in groups.items()},
+        "total_effort_days": total_effort,
+        "deadlines": list(DEADLINES),
+    }

backend-compliance/tests/test_cra_readiness.py

@@ -0,0 +1,31 @@
+"""Stateless CRA readiness check: scope answers -> classification + grouped guideline."""
+from fastapi import FastAPI
+from fastapi.testclient import TestClient
+from compliance.api.cra_assess_routes import router
+
+app = FastAPI()
+app.include_router(router, prefix="/api")
+client = TestClient(app)
+
+
+def test_connected_product_in_scope_with_grouped_guideline():
+    r = client.post("/api/v1/cra/readiness", json={
+        "intended_use": "App fuer Industrieanlagen", "connected_to_internet": True, "has_software_updates": True})
+    assert r.status_code == 200
+    d = r.json()
+    assert d["in_scope"] is True
+    assert d["counts"]["code"] > 0 and d["counts"]["process"] > 0 and d["counts"]["document"] > 0
+    assert d["total_effort_days"] > 0
+    assert len(d["deadlines"]) >= 1
+
+
+def test_remote_maintenance_implies_connectivity():
+    d = client.post("/api/v1/cra/readiness", json={"intended_use": "x", "remote_maintenance": True}).json()
+    assert d["in_scope"] is True
+
+
+def test_no_digital_element_not_in_scope():
+    d = client.post("/api/v1/cra/readiness", json={"intended_use": ""}).json()
+    assert d["in_scope"] is False
+    assert d["classification"] == "NOT_IN_SCOPE"
+    assert d["counts"]["code"] == 0