feat(cra): attach network_security regulatory breadth (shared Controls-API)

Semantic breadth (2): each finding's CRA-AI is mapped to a network_security
sub_topic and enriched with atom-grain, framework-traceable obligations from the
shared Controls-API (compliance.atom_classification) — at the endpoint/view layer
(SessionLocal), NOT in the pure mapper. CRA-AI anchor + curated measure +
NIST/OWASP crosswalk stay the lead; this is breadth + source evidence. Only
network_security is queried (atom-grain), scoped by sub_topic + limit. Frontend
renders it under the collapsible best-practice depth (control_id · title · source).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

admin-compliance/app/sdk/iace/[projectId]/cra/_components/CRACyberView.tsx

@@ -127,6 +127,21 @@ function FindingsTable({ findings }: { findings: CRAFinding[] }) {
                         </>
                       )}
                     </div>
+                    {f.regulatory_breadth && f.regulatory_breadth.length > 0 && (
+                      <div className="mt-2">
+                        <p className="text-[10px] text-gray-400 mb-1">
+                          Regulatorische Breite{f.sub_topic ? ` — ${f.sub_topic}` : ''} (NIST/ENISA/ISO-Quellen)
+                        </p>
+                        <ul className="space-y-0.5">
+                          {f.regulatory_breadth.map((c) => (
+                            <li key={c.control_id} className="text-[10px] text-gray-600 dark:text-gray-300">
+                              <span className="font-mono text-gray-500">{c.control_id}</span> {c.title}
+                              <span className="text-gray-400"> · {c.source_regulation}</span>
+                            </li>
+                          ))}
+                        </ul>
+                      </div>
+                    )}
                   </td>
                 </tr>
               )}

admin-compliance/app/sdk/iace/[projectId]/cra/_hooks/useCRA.ts

@@ -57,6 +57,8 @@ function merge(live: any): CRADemo {
       risk_level: m.risk_level || (base ? base.risk_level : 'LOW'),
       measures: m.measures || [],
       evidence_type: m.evidence_type,
+      sub_topic: m.sub_topic,
+      regulatory_breadth: m.regulatory_breadth || [],
       priority_tier: m.priority_tier,
       priority_score: m.priority_score,
       quick_win: m.quick_win,

admin-compliance/app/sdk/iace/[projectId]/cra/_hooks/useCRADemo.ts

@@ -28,6 +28,9 @@ export interface CRAFinding {
   risk_level: string
   measures: string[]
   evidence_type?: string  // code | process | hybrid | document — drives the remediation-class badge
+  // network_security regulatory breadth (atom-grain shared Controls-API), live only
+  sub_topic?: string
+  regulatory_breadth?: { control_id: string; title: string; source_regulation: string; severity?: string }[]
   // priority layer (set live by the backend prioritizer; optional in the static fallback)
   priority_tier?: string
   priority_score?: number