feat(cra): route secure-dev breadth to code_security (atom-grain)

Both network_security and code_security are now atom-grain. Per-sub_topic use_case routing: secure_development -> code_security (best for secure-dev findings), everything else -> network_security. Findings carry breadth_use_case so the source context (which atom corpus) is visible under the best-practice depth. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-14 11:04:24 +02:00
parent c7845f67d6
commit a06c64af48
4 changed files with 26 additions and 7 deletions
@@ -130,7 +130,8 @@ function FindingsTable({ findings }: { findings: CRAFinding[] }) {
                    {f.regulatory_breadth && f.regulatory_breadth.length > 0 && (
                      <div className="mt-2">
                        <p className="text-[10px] text-gray-400 mb-1">
-                          Regulatorische Breite{f.sub_topic ? ` — ${f.sub_topic}` : ''} (NIST/ENISA/ISO-Quellen)
+                          Regulatorische Breite{f.sub_topic ? ` — ${f.sub_topic}` : ''}
                          {f.breadth_use_case ? ` · ${f.breadth_use_case}` : ''} (NIST/OWASP/ENISA-Quellen)
                        </p>
                        <ul className="space-y-0.5">
                          {f.regulatory_breadth.map((c) => (
@@ -58,6 +58,7 @@ function merge(live: any): CRADemo {
      measures: m.measures || [],
      evidence_type: m.evidence_type,
      sub_topic: m.sub_topic,
      breadth_use_case: m.breadth_use_case,
      regulatory_breadth: m.regulatory_breadth || [],
      priority_tier: m.priority_tier,
      priority_score: m.priority_score,
@@ -28,8 +28,9 @@ export interface CRAFinding {
  risk_level: string
  measures: string[]
  evidence_type?: string  // code | process | hybrid | document — drives the remediation-class badge
-  // network_security regulatory breadth (atom-grain shared Controls-API), live only
+  // regulatory breadth (atom-grain shared Controls-API: network_security / code_security), live only
  sub_topic?: string
  breadth_use_case?: string
  regulatory_breadth?: { control_id: string; title: string; source_regulation: string; severity?: string }[]
  // priority layer (set live by the backend prioritizer; optional in the static fallback)
  priority_tier?: string
@@ -38,10 +38,22 @@ _REQ_TO_SUBTOPIC = {
 }
 # Which atom-grain use_case is most relevant per sub_topic. Both network_security
 # and code_security are atom-grain; secure-dev is best served by code_security.
 _SUBTOPIC_TO_USECASE = {
    "secure_development": "code_security",
 }
 _DEFAULT_USECASE = "network_security"
 def subtopic_for(req_id: str):
    return _REQ_TO_SUBTOPIC.get(req_id)
 def usecase_for(sub_topic: str) -> str:
    return _SUBTOPIC_TO_USECASE.get(sub_topic, _DEFAULT_USECASE)
 def enrich_findings_with_breadth(mapped: list, db, limit: int = 5) -> None:
    """Attach `sub_topic` + `regulatory_breadth` (atom controls) to each finding.
@@ -55,15 +67,19 @@ def enrich_findings_with_breadth(mapped: list, db, limit: int = 5) -> None:
        m["sub_topic"] = st
        if not st:
            m["regulatory_breadth"] = []
            m["breadth_use_case"] = None
            continue
-        if st not in cache:
+        uc = usecase_for(st)
        m["breadth_use_case"] = uc
        key = (uc, st)
        if key not in cache:
            try:
-                res = svc.controls_for_use_case("network_security", sub_topic=st, limit=limit)
+                res = svc.controls_for_use_case(uc, sub_topic=st, limit=limit)
-                cache[st] = [
+                cache[key] = [
                    {"control_id": c.get("control_id"), "title": c.get("title"),
                     "source_regulation": c.get("source_regulation"), "severity": c.get("severity")}
                    for c in res.get("controls", [])
                ]
            except Exception:
-                cache[st] = []
+                cache[key] = []
-        m["regulatory_breadth"] = cache[st]
+        m["regulatory_breadth"] = cache[key]