From c5ecfa8f6cfd0002eaf8ca50c36ce19801ad89ce Mon Sep 17 00:00:00 2001
From: Benjamin Admin
Date: Thu, 25 Jun 2026 11:36:57 +0200
Subject: [PATCH] feat(bridge): export 7 accepted CRA->OWASP controls for obligation_id proposal
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
obligations/controls_for_obligation_mapping.json — the Compliance Execution Graph's accepted controls (V6 auth / V11 crypto / V16 logging) handed to the Obligation Registry to propose the SEMANTIC control->obligation_id, replacing the coarse citation_unit interim join (Befund 1). Registry fills proposed_obligation_id; we then adopt it into control_mapping.obligation_id.
Co-Authored-By: Claude Opus 4.7
---
.../controls_for_obligation_mapping.json | 71 +++++++++++++++++++
1 file changed, 71 insertions(+)
create mode 100644 obligations/controls_for_obligation_mapping.json
diff --git a/obligations/controls_for_obligation_mapping.json b/obligations/controls_for_obligation_mapping.json
new file mode 100644
index 00000000..12848311
--- /dev/null
+++ b/obligations/controls_for_obligation_mapping.json
@@ -0,0 +1,71 @@
+{
+ "schema_version": "controls_for_obligation_mapping_v1",
+ "purpose": "Accepted CRA->OWASP controls (Compliance Execution Graph) for the Obligation Registry to propose the SEMANTIC control->obligation_id, replacing the coarse citation_unit interim join. Fill proposed_obligation_id per control, then we adopt it into control_mapping.obligation_id.",
+ "source": "ai-compliance-sdk control_mappings, mapping_status=accepted, reviewed_by=benjamin 2026-06-25",
+ "count": 7,
+ "controls": [
+ {
+ "framework": "OWASP ASVS",
+ "control": "V6.3.1",
+ "source_norm": "CRA Annex I Part I (2)(c) — Schutz vor unbefugtem Zugriff",
+ "citation_unit": "Annex I (2)(c)",
+ "family": "auth",
+ "mapping_type": "supports",
+ "proposed_obligation_id": ""
+ },
+ {
+ "framework": "OWASP ASVS",
+ "control": "V6.1.1",
+ "source_norm": "CRA Annex I Part I (2)(c) — Schutz vor unbefugtem Zugriff",
+ "citation_unit": "Annex I (2)(c)",
+ "family": "auth",
+ "mapping_type": "supports",
+ "proposed_obligation_id": ""
+ },
+ {
+ "framework": "OWASP ASVS",
+ "control": "V11.2.1",
+ "source_norm": "CRA Annex I Part I (2)(d) — Vertraulichkeit / Verschluesselung",
+ "citation_unit": "Annex I (2)(d)",
+ "family": "crypto",
+ "mapping_type": "supports",
+ "proposed_obligation_id": ""
+ },
+ {
+ "framework": "OWASP ASVS",
+ "control": "V11.7.1",
+ "source_norm": "CRA Annex I Part I (2)(d) — Vertraulichkeit / Verschluesselung",
+ "citation_unit": "Annex I (2)(d)",
+ "family": "crypto",
+ "mapping_type": "supports",
+ "proposed_obligation_id": ""
+ },
+ {
+ "framework": "OWASP ASVS",
+ "control": "V16.3.3",
+ "source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging",
+ "citation_unit": "Annex I (2)(k)",
+ "family": "logging",
+ "mapping_type": "supports",
+ "proposed_obligation_id": ""
+ },
+ {
+ "framework": "OWASP ASVS",
+ "control": "V16.3.4",
+ "source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging",
+ "citation_unit": "Annex I (2)(k)",
+ "family": "logging",
+ "mapping_type": "supports",
+ "proposed_obligation_id": ""
+ },
+ {
+ "framework": "OWASP ASVS",
+ "control": "V16.1.1",
+ "source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging",
+ "citation_unit": "Annex I (2)(k)",
+ "family": "logging",
+ "mapping_type": "supports",
+ "proposed_obligation_id": ""
+ }
+ ]
+}
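Review bot: The `framework` value `"OWASP ASVS"` carries no version in any of the seven entries, and ASVS control numbers are not stable across major versions: the `family` labels here (V6 auth, V11 crypto, V16 logging) fit the 5.0 chapter numbering, whereas in 4.0.x V6 is Stored Cryptography and there is no V16. Because the Obligation Registry is asked to propose a semantic obligation per control ID, pin the version beside each ID, e.g. `"framework_version": "<ASVS version>"`, or once at the top level next to `schema_version`. Separately, the letters in `source_norm` and `citation_unit` should be confirmed against the adopted CRA text: as I read Annex I Part I (2), (c) covers security updates, (d) unauthorised access, (e) confidentiality and (l) recording and monitoring, so (c)/(d)/(k) here may follow an earlier lettering. That matters because `citation_unit` is the current interim join key, and a shifted letter would attach these controls to the wrong requirement.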