feat(cra): snapshot/history UI + measure-class (code-fix vs process) UI

Snapshot/history: "Snapshot speichern" + a version list (status, date, coverage)
you can click through — makes the CRA Art. 13 running system visible (backend
endpoints already live). Measure-class: each finding shows a remediation-class
badge from its CRA evidence_type ("Code-nah" = scan-locatable, code-fix in the
ticket possible; otherwise Prozess/Doku), and the measures section is relabelled
as the Sollzustand (process/build) — no auto-fix buttons on process measures.
Backend: MappedFinding now carries evidence_type.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

admin-compliance/app/sdk/iace/[projectId]/cra/_components/CRACyberView.tsx

@@ -34,6 +34,31 @@ function TierBadge({ tier, reason }: { tier?: string; reason?: string }) {
   )
 }
 
+const EVIDENCE_LABEL: Record<string, string> = {
+  code: 'Code-nah',
+  hybrid: 'Code + Prozess',
+  process: 'Prozess',
+  document: 'Dokumentation',
+}
+
+// "Code-nah" = der Scan kann es im Quellcode verorten → Code-Fix im Ticket möglich.
+// Sonst = Prozess/Organisation: wir benennen den Sollzustand, kein Auto-Fix.
+function EvidenceTag({ et }: { et?: string }) {
+  if (!et || !EVIDENCE_LABEL[et]) return null
+  const codeish = et === 'code' || et === 'hybrid'
+  return (
+    <span
+      title={codeish ? 'Code-Fix im Ticket möglich (wenn der Scan die Stelle sieht)' : 'Prozess-/Build-Maßnahme — kein Auto-Fix'}
+      className={`inline-block rounded px-1.5 py-0.5 text-[10px] font-medium ${
+        codeish
+          ? 'bg-emerald-100 text-emerald-700 dark:bg-emerald-900/40 dark:text-emerald-300'
+          : 'bg-indigo-100 text-indigo-700 dark:bg-indigo-900/40 dark:text-indigo-300'}`}
+    >
+      {EVIDENCE_LABEL[et]}
+    </span>
+  )
+}
+
 function FindingsTable({ findings }: { findings: CRAFinding[] }) {
   const [open, setOpen] = useState<Record<string, boolean>>({})
   const toggle = (id: string) => setOpen((o) => ({ ...o, [id]: !o[id] }))
@@ -58,6 +83,7 @@ function FindingsTable({ findings }: { findings: CRAFinding[] }) {
                 <td className="py-2 px-4 max-w-xs">
                   <div className="text-gray-800 dark:text-gray-200">{f.title}</div>
                   <div className="text-[10px] text-gray-400">{f.id} · {f.cwe} · {f.location}</div>
+                  <div className="mt-1"><EvidenceTag et={f.evidence_type} /></div>
                 </td>
                 <td className="py-2 px-3 text-gray-600 dark:text-gray-300">
                   <span className="font-medium">{f.primary_requirement}</span> {f.requirement_title}
@@ -205,8 +231,12 @@ export function CRACyberView({ data }: { data: CRADemo }) {
 
       {/* Recommended measures — full curated text + norm references */}
       <div className="rounded-xl border border-gray-200 dark:border-gray-700 bg-white dark:bg-gray-800 p-4">
-        <h2 className="text-sm font-semibold text-gray-800 dark:text-gray-200 mb-1">Empfohlene Maßnahmen</h2>
-        <p className="text-[11px] text-gray-400 mb-3">Kuratierte CRA-Maßnahmen aus der BreakPilot-Bibliothek — mit Normverweisen.</p>
+        <h2 className="text-sm font-semibold text-gray-800 dark:text-gray-200 mb-1">Empfohlene Maßnahmen (Sollzustand)</h2>
+        <p className="text-[11px] text-gray-400 mb-3">
+          Kuratierte CRA-Maßnahmen mit Normverweisen — sie beschreiben den <span className="font-medium">umzubauenden Prozess / das Sollziel</span>,
+          kein Auto-Fix. Konkrete Code-Fixes entstehen separat, wenn der Repo-Scan ein Source-Code-Risiko an einer
+          Stelle sieht (Findings mit <span className="text-emerald-600 dark:text-emerald-400">„Code-nah"</span>).
+        </p>
         <div className="space-y-3">
           {data.open_measures.map((me) => (
             <div key={me.id} className="rounded-lg border border-gray-100 dark:border-gray-700/60 p-3">

admin-compliance/app/sdk/iace/[projectId]/cra/_components/SnapshotPanel.tsx

@@ -0,0 +1,73 @@
+'use client'
+
+import { useState } from 'react'
+import { SnapshotMeta } from '../_hooks/useCRA'
+
+export function SnapshotPanel({ snapshots, onSave, onView }: {
+  snapshots: SnapshotMeta[]
+  onSave: () => Promise<void>
+  onView: (id: string) => Promise<any>
+}) {
+  const [saving, setSaving] = useState(false)
+  const [detail, setDetail] = useState<{ version: number; content_md: string } | null>(null)
+
+  const save = async () => {
+    setSaving(true)
+    try { await onSave() } finally { setSaving(false) }
+  }
+  const view = async (id: string) => {
+    const d = await onView(id)
+    if (d) setDetail({ version: d.version, content_md: d.content_md })
+  }
+
+  return (
+    <div className="rounded-xl border border-gray-200 dark:border-gray-700 bg-white dark:bg-gray-800 p-4">
+      <div className="flex items-start justify-between gap-3">
+        <div>
+          <h2 className="text-sm font-semibold text-gray-800 dark:text-gray-200">Verlauf / Snapshots</h2>
+          <p className="text-[11px] text-gray-400">
+            Versionierte CRA-Risikobeurteilung über die Zeit — die fortlaufende Dokumentation (CRA Art. 13).
+          </p>
+        </div>
+        <button
+          onClick={save}
+          disabled={saving}
+          className="shrink-0 rounded bg-purple-600 hover:bg-purple-700 disabled:opacity-50 text-white text-xs px-3 py-1.5"
+        >
+          {saving ? 'Speichert …' : 'Snapshot speichern'}
+        </button>
+      </div>
+
+      {snapshots.length === 0 ? (
+        <p className="text-xs text-gray-500 mt-3">Noch kein Snapshot gespeichert.</p>
+      ) : (
+        <ul className="mt-3 space-y-1">
+          {snapshots.map((s) => (
+            <li key={s.id} className="flex items-center justify-between text-xs border-b border-gray-100 dark:border-gray-700/50 py-1">
+              <span className="text-gray-600 dark:text-gray-300">
+                <span className="font-medium">v{s.version}</span>
+                <span className={`ml-2 rounded px-1.5 py-0.5 text-[10px] ${
+                  s.status === 'draft'
+                    ? 'bg-green-100 text-green-700 dark:bg-green-900/40 dark:text-green-300'
+                    : 'bg-gray-100 text-gray-500 dark:bg-gray-700 dark:text-gray-400'}`}>{s.status}</span>
+                <span className="ml-2 text-gray-400">{new Date(s.generated_at).toLocaleString('de-DE')}</span>
+                <span className="ml-2 text-gray-400">· {s.coverage?.covered?.length ?? 0}/{s.coverage?.total ?? 40} Anforderungen</span>
+              </span>
+              <button onClick={() => view(s.id)} className="text-purple-600 hover:underline">ansehen</button>
+            </li>
+          ))}
+        </ul>
+      )}
+
+      {detail && (
+        <div className="mt-3 rounded-lg border border-gray-200 dark:border-gray-700 p-3 bg-gray-50/60 dark:bg-gray-900/30">
+          <div className="flex items-center justify-between mb-1">
+            <span className="text-xs font-medium text-gray-700 dark:text-gray-200">Snapshot v{detail.version}</span>
+            <button onClick={() => setDetail(null)} className="text-[11px] text-gray-400 hover:underline">schließen</button>
+          </div>
+          <pre className="text-[11px] text-gray-600 dark:text-gray-300 whitespace-pre-wrap font-mono">{detail.content_md}</pre>
+        </div>
+      )}
+    </div>
+  )
+}