From 3a19affb674980af6bf8926ac2878109906fe950 Mon Sep 17 00:00:00 2001
From: Benjamin Admin <benjaminadmin@MacBook-Pro.local>
Date: Fri, 26 Jun 2026 01:00:53 +0200
Subject: [PATCH 1/2] ci(compliance): re-trigger scoped ai-sdk build + doc
 synced join-keys copy

Prior gitea push's build-ai-sdk failed on a transient registry push (arm64 built
clean on macmini; amd64 cross-compile is green) and last-build/main got poisoned
to that SHA, so a plain re-run scopes to nothing. A real touch in ai-compliance-sdk/
re-scopes the build. Also documents the synced-copy contract for
data/obligations/obligation_join_keys.json.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 ai-compliance-sdk/Dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ai-compliance-sdk/Dockerfile b/ai-compliance-sdk/Dockerfile
index 03c7384e..b87ea258 100644
--- a/ai-compliance-sdk/Dockerfile
+++ b/ai-compliance-sdk/Dockerfile
@@ -35,6 +35,8 @@ COPY policies/ ./policies/
 
 # Copy Compliance Execution Graph data (file-backed: Registry join-key copy + accepted control
 # mappings + evidence requirements) consumed by GET /sdk/v1/compliance/obligation-status.
+# data/obligations/obligation_join_keys.json is a synced copy of the repo-root Registry contract
+# (the Obligation Registry owns the canonical file) — re-sync it when the Registry grows.
 COPY data/control_mappings/ ./data/control_mappings/
 COPY data/evidence_requirements/ ./data/evidence_requirements/
 COPY data/obligations/ ./data/obligations/

From f85fff4398fee846215f37f9c2363b1a16ac61c6 Mon Sep 17 00:00:00 2001
From: Benjamin Admin <benjaminadmin@MacBook-Pro.local>
Date: Fri, 26 Jun 2026 01:02:02 +0200
Subject: [PATCH 2/2] chore(ucca): re-sync data/obligations join-keys copy (93
 -> 95)

Registry grew to 95 (Capability materialization #5b added CORE obligations).
Keep the ai-sdk build-context copy current so obligation-status reflects the
live registry contract.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .../obligations/obligation_join_keys.json     | 22 ++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/ai-compliance-sdk/data/obligations/obligation_join_keys.json b/ai-compliance-sdk/data/obligations/obligation_join_keys.json
index 7a5d5bec..e5838c54 100644
--- a/ai-compliance-sdk/data/obligations/obligation_join_keys.json
+++ b/ai-compliance-sdk/data/obligations/obligation_join_keys.json
@@ -1,7 +1,7 @@
 {
  "schema_version": "obligation_join_keys_v1",
  "contract": "obligation_id ist der stabile Join-Key. Legal Knowledge Graph haengt citation_spans an obligation_id; Compliance Execution Graph mappt control_mapping.source_norm -> obligation_id. Interim-Bruecke = citation_units. obligation_id NIE neu vergeben (re-link).",
- "count": 93,
+ "count": 95,
  "obligation_ids": [
   {
    "obligation_id": "sbom_creation",
@@ -175,6 +175,26 @@
    ],
    "source_role": "LEGAL_BASIS"
   },
+  {
+   "obligation_id": "attack_surface_minimization",
+   "regulation": "CRA",
+   "family": "core",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I Part I (2)(j)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "software_integrity_protection",
+   "regulation": "CRA",
+   "family": "core",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I Part I (2)(f)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
   {
    "obligation_id": "user_authentication_required",
    "regulation": "CRA",