Merge origin/main (f85fff43) in meta-model-validation

ai-compliance-sdk/Dockerfile

@@ -35,6 +35,8 @@ COPY policies/ ./policies/
 
 # Copy Compliance Execution Graph data (file-backed: Registry join-key copy + accepted control
 # mappings + evidence requirements) consumed by GET /sdk/v1/compliance/obligation-status.
+# data/obligations/obligation_join_keys.json is a synced copy of the repo-root Registry contract
+# (the Obligation Registry owns the canonical file) — re-sync it when the Registry grows.
 COPY data/control_mappings/ ./data/control_mappings/
 COPY data/evidence_requirements/ ./data/evidence_requirements/
 COPY data/obligations/ ./data/obligations/

ai-compliance-sdk/data/obligations/obligation_join_keys.json

@@ -1,7 +1,7 @@
 {
  "schema_version": "obligation_join_keys_v1",
  "contract": "obligation_id ist der stabile Join-Key. Legal Knowledge Graph haengt citation_spans an obligation_id; Compliance Execution Graph mappt control_mapping.source_norm -> obligation_id. Interim-Bruecke = citation_units. obligation_id NIE neu vergeben (re-link).",
- "count": 93,
+ "count": 95,
  "obligation_ids": [
   {
    "obligation_id": "sbom_creation",
@@ -175,6 +175,26 @@
    ],
    "source_role": "LEGAL_BASIS"
   },
+  {
+   "obligation_id": "attack_surface_minimization",
+   "regulation": "CRA",
+   "family": "core",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I Part I (2)(j)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "software_integrity_protection",
+   "regulation": "CRA",
+   "family": "core",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I Part I (2)(f)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
   {
    "obligation_id": "user_authentication_required",
    "regulation": "CRA",