feat: POST /onboarding/advisor-start — expose the Smart Onboarding Advisor at runtime (#58)

This exposes the existing Smart Onboarding Advisor through a runtime endpoint; it does not add new
reasoning logic. Tightly scoped: adapter boundary + endpoint, no big frontend, no persistence, no
empirical learning, no new scanners, no LLM.

  POST /onboarding/advisor-start : (company + certifications + target + scanner_findings[ProducedSignal])
        -> Normalizer -> Silent Knowledge Pass -> Advisor -> { silent_intake_summary, inferred_assumptions,
           rejected_assumptions, top_5_questions, capability_delta, top_measures, evidence_requests,
           completeness_summary, auto_detected, headline }
  GET  /onboarding/targets       : the supported target ids (CRA, TISAX, MDR, Environmental)

compliance/services/onboarding_service.py is the app-caller: it loads the curated knowledge (hypothesis
library, signal vocabulary + map, the target's required capabilities) once and calls the pure, tested
orchestration (normalize_signals -> silent_intake -> advisor_start). The scanner ADAPTER boundary is the
ProducedSignal format the request carries — existing scanners emit it, no new scanners. Thin handler
(<30 LOC), registered in the auto-load list. No DB. Additive to the OpenAPI contract (contract test is
additive-friendly; baseline regenerates on CI/py3.12). First deployable runtime feature -> dev deploy +
smoke. mypy --strict clean, 22 onboarding tests pass, check-loc 0.

backend-compliance/compliance/api/__init__.py

@@ -78,6 +78,7 @@ _ROUTER_MODULES = [
     "template_rule_routes",
     "specialist_agent_routes",
     "reasoning_routes",
+    "onboarding_routes",
 ]
 
 _loaded_count = 0

backend-compliance/compliance/api/onboarding_routes.py

@@ -0,0 +1,72 @@
+"""Onboarding Advisor endpoint — exposes the existing Smart Onboarding Advisor at runtime.
+
+This adds NO new reasoning logic. It exposes the already-built, tested orchestration (Signal Producers
+-> Normalizer -> Silent Knowledge Pass -> Advisor) through one runtime endpoint. No DB, no persistence.
+
+  POST /onboarding/advisor-start  — (company + certs + target + scanner findings) -> advisory payload
+  GET  /onboarding/targets        — the supported target ids
+"""
+
+import logging
+from typing import List, Optional
+
+from fastapi import APIRouter, HTTPException
+from pydantic import BaseModel, Field
+
+from compliance.onboarding import (
+    AdvisorMeasure,
+    AdvisorQuestion,
+    InferredAssumption,
+    ProducedSignal,
+    RejectedAssumption,
+)
+from compliance.services.onboarding_service import run_advisor, supported_targets
+
+logger = logging.getLogger(__name__)
+router = APIRouter(prefix="/onboarding", tags=["onboarding"])
+
+
+class OnboardingAdvisorRequest(BaseModel):
+    company: str = ""
+    industry: Optional[str] = None
+    products: List[str] = Field(default_factory=list)
+    markets: List[str] = Field(default_factory=list)
+    certifications: List[str] = Field(default_factory=list)
+    known_evidence: List[str] = Field(default_factory=list)
+    target: str = "CRA"
+    scanner_findings: List[ProducedSignal] = Field(default_factory=list)   # adapters upstream produced these
+
+
+class AdvisorResponse(BaseModel):
+    silent_intake_summary: str = ""
+    headline: str = ""
+    auto_detected: List[str] = Field(default_factory=list)
+    inferred_assumptions: List[InferredAssumption] = Field(default_factory=list)
+    rejected_assumptions: List[RejectedAssumption] = Field(default_factory=list)
+    top_5_questions: List[AdvisorQuestion] = Field(default_factory=list)
+    capability_delta: List[str] = Field(default_factory=list)
+    top_measures: List[AdvisorMeasure] = Field(default_factory=list)
+    evidence_requests: List[str] = Field(default_factory=list)
+    unsupported_domains: List[str] = Field(default_factory=list)
+    completeness_summary: str = ""
+
+
+@router.get("/targets")
+def list_targets() -> dict:
+    return {"targets": supported_targets()}
+
+
+@router.post("/advisor-start", response_model=AdvisorResponse)
+def advisor_start_endpoint(req: OnboardingAdvisorRequest) -> AdvisorResponse:
+    if req.target not in supported_targets():
+        raise HTTPException(status_code=404, detail="unsupported target '%s'; supported: %s" % (req.target, supported_targets()))
+    result, si_summary = run_advisor(
+        company=req.company, certifications=req.certifications, target=req.target,
+        signals=req.scanner_findings, known_evidence=req.known_evidence,
+        products=req.products, markets=req.markets, industry=req.industry or "")
+    return AdvisorResponse(
+        silent_intake_summary=si_summary, headline=result.headline, auto_detected=result.auto_detected,
+        inferred_assumptions=result.inferred_assumptions, rejected_assumptions=result.rejected_assumptions,
+        top_5_questions=result.next_best_questions, capability_delta=result.capability_delta,
+        top_measures=result.top_measures, evidence_requests=result.evidence_requests,
+        unsupported_domains=result.unsupported_domains, completeness_summary=result.completeness_summary)