feat(iace): Hazard-Library v2, Controls-Library, SEPA Avoidance, CE RAG-Ingest

- Hazard-Library: +79 neue Eintraege in 12 Kategorien (software_fault, hmi_error, mechanical_hazard, electrical_hazard, thermal_hazard, emc_hazard, configuration_error, safety_function_failure, logging_audit_failure, integration_error, environmental_hazard, maintenance_hazard) — Gesamtanzahl: ~116 Eintraege in 24 Kategorien - Controls-Library: neue Datei controls_library.go mit 200 Eintraegen in 6 Domaenen (REQ/ARCH/SWDEV/VER/CYBER/DOC) - Handler: GET /sdk/v1/iace/controls-library (?domain=, ?category=) - SEPA: CalculateInherentRisk() + 4. Param Avoidance (0=disabled, 1-5: 3=neutral); RiskComputeInput.Avoidance, RiskAssessment.Avoidance, AssessRiskRequest.Avoidance — backward-kompatibel (A=0 → S×E×P) - Tests: engine_test.go + hazard_library_test.go aktualisiert - Scripts: ingest-ce-corpus.sh — 15 CE/Safety-Dokumente (EUR-Lex, NIST, ENISA, NASA, OWASP, MITRE CWE) in bp_compliance_ce und bp_compliance_datenschutz - Docs: docs-src/services/sdk-modules/iace.md + mkdocs.yml Nav-Eintrag Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-05 17:13:01 +01:00
parent 3ed8300daf
commit efeacc1619
11 changed files with 2410 additions and 17 deletions
--- a/ai-compliance-sdk/internal/iace/engine.go
+++ b/ai-compliance-sdk/internal/iace/engine.go
@@ -13,6 +13,7 @@ type RiskComputeInput struct {
 	Severity         int     `json:"severity"`          // 1-5
 	Exposure         int     `json:"exposure"`          // 1-5
 	Probability      int     `json:"probability"`       // 1-5
+	Avoidance        int     `json:"avoidance"`         // 0=disabled, 1-5 (3=neutral)
 	ControlMaturity  int     `json:"control_maturity"`  // 0-4
 	ControlCoverage  float64 `json:"control_coverage"`  // 0-1
 	TestEvidence     float64 `json:"test_evidence"`     // 0-1
@@ -68,13 +69,24 @@ func clampFloat(v, lo, hi float64) float64 {
 	return v
 }

-// CalculateInherentRisk computes the inherent risk score as S * E * P.
+// CalculateInherentRisk computes the inherent risk score.
+//
+// Formula:
+//   - avoidance == 0: S × E × P  (backward-compatible, no avoidance factor)
+//   - avoidance  > 0: S × E × P × (A / 3.0)  (3 = neutral, no influence)
+//
+// Avoidance scale: 1=leicht vermeidbar, 3=neutral, 5=nicht vermeidbar.
 // Each factor is expected in the range 1-5 and will be clamped if out of range.
-func (e *RiskEngine) CalculateInherentRisk(severity, exposure, probability int) float64 {
+func (e *RiskEngine) CalculateInherentRisk(severity, exposure, probability, avoidance int) float64 {
 	s := clamp(severity, 1, 5)
 	ex := clamp(exposure, 1, 5)
 	p := clamp(probability, 1, 5)
-	return float64(s) * float64(ex) * float64(p)
+	base := float64(s) * float64(ex) * float64(p)
+	if avoidance <= 0 {
+		return base
+	}
+	a := clamp(avoidance, 1, 5)
+	return base * (float64(a) / 3.0)
 }

 // CalculateControlEffectiveness computes the control effectiveness score.
@@ -104,7 +116,7 @@ func (e *RiskEngine) CalculateControlEffectiveness(maturity int, coverage, testE
 //   - severity, exposure, probability: 1-5, clamped if out of range
 //   - cEff: control effectiveness, 0-1
 func (e *RiskEngine) CalculateResidualRisk(severity, exposure, probability int, cEff float64) float64 {
-	inherent := e.CalculateInherentRisk(severity, exposure, probability)
+	inherent := e.CalculateInherentRisk(severity, exposure, probability, 0)
 	return inherent * (1 - cEff)
 }

@@ -185,7 +197,7 @@ func (e *RiskEngine) ComputeRisk(req RiskComputeInput) (*RiskComputeResult, erro
 		return nil, fmt.Errorf("severity, exposure, and probability must be >= 1")
 	}

-	inherentRisk := e.CalculateInherentRisk(req.Severity, req.Exposure, req.Probability)
+	inherentRisk := e.CalculateInherentRisk(req.Severity, req.Exposure, req.Probability, req.Avoidance)
 	controlEff := e.CalculateControlEffectiveness(req.ControlMaturity, req.ControlCoverage, req.TestEvidence)
 	residualRisk := e.CalculateResidualRisk(req.Severity, req.Exposure, req.Probability, controlEff)
 	riskLevel := e.DetermineRiskLevel(residualRisk)