feat(cra): route secure-dev breadth to code_security (atom-grain)

Both network_security and code_security are now atom-grain. Per-sub_topic
use_case routing: secure_development -> code_security (best for secure-dev
findings), everything else -> network_security. Findings carry breadth_use_case
so the source context (which atom corpus) is visible under the best-practice depth.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

admin-compliance/app/sdk/iace/[projectId]/cra/_hooks/useCRA.ts

@@ -58,6 +58,7 @@ function merge(live: any): CRADemo {
       measures: m.measures || [],
       evidence_type: m.evidence_type,
       sub_topic: m.sub_topic,
+      breadth_use_case: m.breadth_use_case,
       regulatory_breadth: m.regulatory_breadth || [],
       priority_tier: m.priority_tier,
       priority_score: m.priority_score,

admin-compliance/app/sdk/iace/[projectId]/cra/_hooks/useCRADemo.ts

@@ -28,8 +28,9 @@ export interface CRAFinding {
   risk_level: string
   measures: string[]
   evidence_type?: string  // code | process | hybrid | document — drives the remediation-class badge
-  // network_security regulatory breadth (atom-grain shared Controls-API), live only
+  // regulatory breadth (atom-grain shared Controls-API: network_security / code_security), live only
   sub_topic?: string
+  breadth_use_case?: string
   regulatory_breadth?: { control_id: string; title: string; source_regulation: string; severity?: string }[]
   // priority layer (set live by the backend prioritizer; optional in the static fallback)
   priority_tier?: string