breakpilot-compliance

Benjamin_Boenisch/breakpilot-compliance

Fork 0

Commit Graph

Author	SHA1	Message	Date
Benjamin Admin	4e761c1363	feat: #5b materialize capability layer (Modell C) — capabilities.json + cra_core.json User-Entscheidung Modell C + objective_tags-Safeguard (Tags, keine Klasse). Deterministisch via materialize_capabilities.py: - obligations/capabilities.json: 5 Capabilities (multi_factor_authentication/session_management/ transport_encryption/code_signing/security_monitoring_alerting), realized_by (n:m) + guidance_basis KANONISCH hochgezogen. access_control gedroppt (OVERLAP). - obligations/cra_core.json: 2 CORE-Sicherheitsziele (attack_surface_minimization (2)(j)/CM-7 + software_integrity_protection (2)(f)/SI-7) -> fuellt den #4-NIST-Gap. - DOMAIN specializes->CORE (remote_access_attack_surface_min, component_remote_interface_security, signed_update_integrity, firmware_software_authentication) + objective_tags. - Merge: vuln_remediation_patching -> deprecated_alias von provide_security_updates. - remote_access_data_export_protection bleibt BEST_PRACTICE (pending Data-Act-Scope). - join_keys 93->95 (core 2). Bidirektional validiert. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-26 00:54:23 +02:00
Benjamin Admin	188bb787d2	Add proposed CRA obligation relationships 11 human-reasoned Beziehungskanten in cra.json gemerged (dedupliziert gegen die Pipeline-Kanten), getaggt review_status=proposed / source=human_reasoned_preview / confidence=high. Nur die kleine Sprache depends_on / supports / produces_evidence_for; gerichtet. Cross-Family SBOM→Vuln-Kanten erlauben dem Advisor Ursachen-/Wirkungsketten. Damit ist der CRA-v1-Baustein vollständig: Obligations · legal_basis · guidance_basis · out_of_scope · relationships · pending citation anchors. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-25 00:08:47 +02:00
Benjamin Admin	2645b5b043	Add draft CRA obligation registry Erstes belastbares Registry-Artefakt (obligation_registry_v1) aus den validierten SBOM+Vuln-Candidates der Obligation Discovery Pipeline. - 18 Obligations (11 SBOM + 7 Vuln) - 14 LEGAL_MINIMUM, alle mit legal_basis (harte Tier-Regel) - 4 BEST_PRACTICE korrekt herabgestuft (source_role GUIDANCE/IMPLEMENTATION) - 70 OUT_OF_SCOPE-Cluster getrennt; member_controls vollständig - legal_basis (CRA-Primärrecht) ⊥ guidance_basis (BSI/ENISA/NIST/...) - citation_status=pending_span_anchor (span_id folgt mit Asset 2), review_status=draft Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-24 23:52:20 +02:00

Author

SHA1

Message

Date

Benjamin Admin

4e761c1363

feat: #5b materialize capability layer (Modell C) — capabilities.json + cra_core.json

User-Entscheidung Modell C + objective_tags-Safeguard (Tags, keine Klasse). Deterministisch
via materialize_capabilities.py:
- obligations/capabilities.json: 5 Capabilities (multi_factor_authentication/session_management/
  transport_encryption/code_signing/security_monitoring_alerting), realized_by (n:m) +
  guidance_basis KANONISCH hochgezogen. access_control gedroppt (OVERLAP).
- obligations/cra_core.json: 2 CORE-Sicherheitsziele (attack_surface_minimization (2)(j)/CM-7 +
  software_integrity_protection (2)(f)/SI-7) -> fuellt den #4-NIST-Gap.
- DOMAIN specializes->CORE (remote_access_attack_surface_min, component_remote_interface_security,
  signed_update_integrity, firmware_software_authentication) + objective_tags.
- Merge: vuln_remediation_patching -> deprecated_alias von provide_security_updates.
- remote_access_data_export_protection bleibt BEST_PRACTICE (pending Data-Act-Scope).
- join_keys 93->95 (core 2). Bidirektional validiert.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-06-26 00:54:23 +02:00

Benjamin Admin

188bb787d2

Add proposed CRA obligation relationships

11 human-reasoned Beziehungskanten in cra.json gemerged (dedupliziert gegen die
Pipeline-Kanten), getaggt review_status=proposed / source=human_reasoned_preview /
confidence=high. Nur die kleine Sprache depends_on / supports / produces_evidence_for;
gerichtet. Cross-Family SBOM→Vuln-Kanten erlauben dem Advisor Ursachen-/Wirkungsketten.

Damit ist der CRA-v1-Baustein vollständig: Obligations · legal_basis · guidance_basis ·
out_of_scope · relationships · pending citation anchors.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-06-25 00:08:47 +02:00

Benjamin Admin

2645b5b043

Add draft CRA obligation registry

Erstes belastbares Registry-Artefakt (obligation_registry_v1) aus den validierten
SBOM+Vuln-Candidates der Obligation Discovery Pipeline.

- 18 Obligations (11 SBOM + 7 Vuln)
- 14 LEGAL_MINIMUM, alle mit legal_basis (harte Tier-Regel)
- 4 BEST_PRACTICE korrekt herabgestuft (source_role GUIDANCE/IMPLEMENTATION)
- 70 OUT_OF_SCOPE-Cluster getrennt; member_controls vollständig
- legal_basis (CRA-Primärrecht) ⊥ guidance_basis (BSI/ENISA/NIST/...)
- citation_status=pending_span_anchor (span_id folgt mit Asset 2), review_status=draft

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-06-24 23:52:20 +02:00

3 Commits