2e4c5c09075874154a96fdcf4d3289d014d11e08
1457 Commits

2e4c5c0907
docs(platform): freeze verifier matrix / meta-model (verification_method + decision_method)
Routing principle derived from 4 calibrated modules (DSE/Cookie/Impressum/AGB): the control type determines the verifier. Two axes: verification_method (8 classes x verifier) + decision_method (KEYWORD->EMBEDDING->LLM), plus durable metadata fields, the routing chain and the principles worked out so far. Contract for the upcoming module integrations (AGB, Nutzungsbedingungen, Widerruf, CRA, NIS2).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

e646091ba2
chore(deploy): rebuild ai-sdk + admin: legal citation fields (article_label) active after prod re-ingest
Triggers CI + detect-changes for ai-compliance-sdk + admin-compliance after the previous deploy got stuck on the last-build/main tag bug (builds skipped). Documentation comments only, logic unchanged. The data merge (Qdrant) is already live.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

069b855b49
ci: re-trigger deploy: last-build/main tag bug skipped the ai-sdk/admin builds (data merge already live)

01af9b56a6
Merge branch 'main' of ssh://gitea.meghsakha.com:22222/Benjamin_Boenisch/breakpilot-compliance

017c9b3c12
feat(advisor): Legal-RAG citation metadata: ai-sdk + Advisor/Drafting read article_label
ai-sdk (legal_rag_client/scroll/types) reads the pinned spec fields
article_label/regulation_code/article/paragraph/sub/citation_style/is_recital
with a fallback to chunks ingested under the old schema (regulation_id, section); new getBool helper.
Advisor + drafting engine build the source line primarily from article_label
("BDSG § 38 Abs. 1"), otherwise from the structured fields. 17 tests green, tsc clean.
Contract: docs-src/development/rag_reingest_spec.md (§2/§7). Deploy is coupled to the
re-ingest; until then the new fields are empty (graceful fallback).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

76d1dc5e00
fix(db): dedupe doc_check_controls 3x + unique constraint
compliance.doc_check_controls had historically been triplicated on prod (dump artifact without PK/unique: every (doc_type, control_id) row 3x, 5622 instead of 1874 across all 8 doc_types). The migration dedupes idempotently (keeping the smallest ctid) and sets UNIQUE(doc_type, control_id) so that the triplication cannot recur. Already applied directly on prod and registered in _migration_history (verified read-only: 1874, total=distinct for all doc_types, constraint active); this commit codifies the migration in the deploy chain so that a restore from an older dump re-applies it automatically. [migration-approved]
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

b664d73ffc
fix(advisor): harden Soul: source fidelity + no control-ID leaks
Legal-RAG quality (before/after test, 6 questions): the model confidently invented sections/deadlines/thresholds (§38 BDSG "10%/250", fake "3-/12-month" deadlines, §35 instead of §26, fake CRA articles). New section "Quellentreue" (source fidelity): concrete references ONLY when backed by the RAG sources, otherwise an honest "not substantiated"; no numbers reconstructed from memory. Dev-mode block defused: use the controls block as a content source, but do NOT output internal control IDs (SEC-/AUTH-/CRYP-/MC-) in the user-facing answer (plain text leads). Verified live on prod: invented references strongly reduced (or marked as unsubstantiated), control-ID leak = 0.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

90a70c8404
fix(drafting): repair drafting engine on prod: RAG via ai-sdk + OVH LLM cascade
The drafting engine (document draft, v2 pipeline, validation, drafting chat, vendor contract review) was doubly dead on prod:
- RAG via bp-core-rag-service:8097 (does not exist on prod)
- LLM via OLLAMA_URL/api/chat with qwen2.5vl (prod = ollama-embed, no chat model)
Fix (analogous to the compliance advisor):
- rag-query.ts -> ai-compliance-sdk /sdk/v1/rag/search (bge-m3, reachable on prod).
- New lib/sdk/drafting-engine/llm-cascade.ts: OVH/LiteLLM (gpt-oss-120b) first, Ollama as dev fallback; cascadeComplete (JSON) + cascadeStream. The backend already uses OVH+JSON successfully on prod (extract-datasheet).
- 5 call sites (draft-helpers, draft-helpers-v2, validate, chat, vendor-review) switched to the cascade; no more direct Ollama calls.
- Tests: llm-cascade + rag-query updated.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

cd3e0b15ad
fix(advisor): repair compliance advisor on prod: RAG via ai-sdk (bge-m3) + OVH LLM
The floating compliance advisor was broken on prod (502): RAG went through rag-service:8097 (not present on prod) and chat through OLLAMA_URL=ollama-embed (embedding-only, no qwen2.5vl).
- RAG now runs through the ai-compliance-sdk /sdk/v1/rag/search (bge-m3, reachable on prod) instead of rag-service -> benefits from the richer embedding. (lib/sdk/agents/advisor-rag.ts)
- LLM cascade: OVH/LiteLLM (gpt-oss-120b) first, Ollama as dev fallback. (lib/sdk/agents/advisor-llm.ts; OVH env via the orca-infra admin block)
- ai-sdk: bp_compliance_recht added to AllowedCollections (the whitelist was inconsistent: the error message already listed it as allowed).
- Route switched to the modules (thin); controls augmentation unchanged.
- Tests: advisor-rag + advisor-llm.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

f0a0a887fd
revert(redesign): withdraw design tokens + level-2 "Cyber trifft Safety"
The frontend redesign is paused for now (focus on the MVP). The complete
state is in the Git tag redesign-archive-20260619 (commit

42d4b4d9c5
feat(redesign): design tokens + level-2 "Cyber trifft Safety" (additive)
Step A (tokens): central design language from the Claude design handoff:
Tailwind tokens (re/geltung/severity/domain) + fonts (Public Sans / Source
Serif 4 / IBM Plex Mono) + components/redesign/{tokens.ts,Chips.tsx}
(GeltungChip, SeverityChip, DomainTag, MonoId) + showcase /sdk/design-system.
Existing colours/sans untouched.
Step B (level 2): CyberMeetsSafety as USP hero in the CRA/Cyber tab
(/sdk/iace/[id]/cra): domain bar, hazard cards (CE-mitigated -> cyber finding
-> residual risk, "why" box, mandatory/recommended measures, expandable
standards reference), measures backlog with Geltung filter. Bound to real
cross_links/findings/open_measures. The previous CRACyberView remains, collapsed
-> no loss of content.
Guardrail docs: design/redesign/ (HANDOFF_README, CONTENT_INVENTORY with
40-screen mapping + orphan list, Arbeitsbereich.dc.html reference).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

43e02f794a
feat(cra): consume SBOM + DAST findings from the scanner MCP
Sharang's compliance-scanner-agent exposes SBOM (sbom_vuln_report) + DAST (list_dast_findings) as separate MCP tools (not via list_findings). The new fetch_all_findings(repo_id) pulls list_findings + SBOM + DAST in ONE MCP session and normalises them into the finding schema:
- SBOM: one finding per vulnerable package (not per CVE), cwe=CWE-1395 -> deterministically CRA-AI-22 (robust against package names such as "sqlite").
- DAST: cwe/endpoint/vuln_type carried over -> mapping via cwe/keywords.
assess-from-scanner uses fetch_all_findings + returns source.breakdown (code/sbom/dast). DAST has no repo_id filter in the MCP -> dast_repo_scoped:false (deployment-wide, flagged transparently). Real MCP data: Kitchenasty 58 code + 35 sbom + 81 dast -> 174 mapped (coverage 94.3%, all 35 SBOM -> CRA-AI-22). Additionally contains the Qdrant->prod copy script (#42, verbatim macmini->prod).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

8f21650d74
feat(sdk): customer documents + CRA incident reporting, screening removed from the frontend
- /sdk/dokumente: customer view of published legal documents only (view + download); proxy with an allow-list for /public only: templates/drafts/generator remain unreachable.
- /sdk/cra-meldewesen: CRA Art. 14 incident reporting (24h/72h/14d cascade) with deadline tracking + ENISA SRP export draft (no live API). Backend: cra_meldewesen (pure, tested) + cra_incident_store (schema-neutral over compliance_cra_documents) + /api/v1/cra/incidents (additive, contract-safe).
- Screening (self-scan) removed from the frontend: flow-stepper entry hidden (visibleWhen), dashboard tile + import button removed. Repo scanning runs externally in the compliance scanner; the backend router remains mounted for now (contract stability).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

72093e5501
fix(cra): map scanner findings completely + reduce assess-from-scanner latency
Item 2 (coverage): semgrep/gdpr findings without a CWE stayed unmapped (~21%). The mapper now uses the scanner rule_id + targeted keywords (gdpr -> data minimisation CRA-AI-17, path-traversal/prototype-pollution -> CRA-AI-20, nginx-header/Docker hardening -> CRA-AI-1/4, insecure-websocket -> CRA-AI-15). Real scanner data: unmapped 19/92 -> 0/92 (coverage 100%). Item 3 (latency): enrich_findings_with_breadth ran ~6 aggregate queries per (use_case,sub_topic) pair but only used the list. Now ONE batched query (breadth_controls_batch) for all pairs + a process cache (TTL 1800s). macmini: cold 0.23s / warm 0.000s. Prod root cause: atom_classification without a (use_case,sub_topic) index after the DB swap -> index recommended to the DB owner.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

4f4ffc2ad5
feat(cra): Cyber-meets-CE with real IACE safety functions
useCRA derives cyber-relevant safety_functions from the hazards+mitigations OF THE IACE project (movement/crushing/safety_function_failure/pneumatics → prevent_unexpected_actuation; signal/sensor/communication → signal_integrity; purely physical ones such as thermal/ergonomic excluded) and passes them to /assess instead of the demo hardcodes. build_cross_links then shows which REAL project protective measure a cyber finding re-opens. Fallback to the demo set until the project hazards are loaded.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

b76f3cee48
feat(cra): 'Projekt anlegen' triggers IACE auto-derivation (/initialize)
After setting the limits_form, createProject now calls POST /iace/projects/:id/initialize; IACE reads the limits_form as narrative → components → hazards → measures → verification → standards (idempotent, best-effort). It then navigates to the project overview (risk summary). Interview fields remain editable, and the derivation can be re-triggered in IACE. Closes the chain datasheet → limits → hazards/measures.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

fda94afd5f
fix(cra): prod hang guard for /readiness machinery + more robust datasheet JSON parse
#1 _machinery_obligations: SET statement_timeout=4s + run_in_threadpool: on prod the machinery query hung for ~30s (slow/unindexed DB after the DB swap) and blocked the async worker. Now: when slow, gracefully 'no machinery obligations' instead of a hang. (Missing prod index = controls/DB session.) #2 parse_grenzen_json: tolerant of ```json fences / JSON wrapped in prose (hosted models such as OVH sometimes ignore response_format) → datasheet extraction also returns fields via the OVH fallback.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

9e2655bfef
fix(cra): IACE create id wrapper + separate MaschinenVO section
1) createProject read proj.id, but the create response is {project:{id}} →
'Projekt anlegen' was broken. Now proj.project?.id. E2E verified
(create→put limits_form→get→delete = 200).
2) MaschinenVO safety obligations were mixed into the CRA cyber buckets
(code/process/docs) → mis-categorised (machinery safety ≠
CRA Annex I cyber). Now a separate response list machinery_guideline +
a separate frontend section 'Maschinensicherheit (MaschinenVO 2023/1230)';
the glued-on 'MaschVO' badge is dropped as a result.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

72117c447f
fix(cra): IACE create needs machine_type+manufacturer (binding required)
CreateProjectRequest requires machine_name, machine_type AND manufacturer (all required) → empty values returned 400. Fallback 'Nicht angegeben' (not specified) when the datasheet does not provide them (editable in the interview).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

cf20fa85db
feat(cra): 'Projekt anlegen' from datasheet → IACE with editable limits
DatasheetExtract: the button creates an IACE project (POST /iace/projects) and stores the extracted limits + follow-up-question answers as metadata.limits_form (PUT), then navigates to the interview. The interview form remains fully editable (every prefilled field can be changed, auto-save). Manual creation via /sdk/iace remains unchanged.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

fae826e1f7
fix(cra): 35B datasheet extraction: thinking mode off (think=false)
qwen3.5:35b-a3b is a thinking model → it first generated reasoning, blew the 90s timeout → empty extraction. llm_cascade additively extended with a think param (the cache key knows think); the datasheet extractor sets think=False → clean JSON in ~1s. Default for all other cascade users unchanged.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

b217429d39
feat(cra): datasheet extraction on local 35B + llm_status fix
llm_cascade additively model-aware (optional model param, the cache key knows model_hint → no collision; default unchanged for all other users). The datasheet extractor now uses qwen3.5:35b-a3b (CRA_DATASHEET_MODEL, the same model as the compliance advisor) for better semantic assignment. Plus llm_status (ok|empty|unavailable) + logging instead of a silent except; on 'unavailable' the frontend shows a notice instead of empty fields (important on prod without local Ollama → cascade fallback or notice).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

6ca085ffc5
feat(cra): datasheet analysis frontend (limits extraction + follow-up questions)
DatasheetExtract on /sdk/cra: paste a datasheet (or the OWIS/Zwick example) → POST /extract-datasheet → filled ISO 12100 limits with a source quote + deterministically detected interfaces/units + targeted follow-up questions for empty mandatory fields (foreseeable_misuses, person_groups, …). Precursor to 'Projekt anlegen' → IACE limits prefill.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

cfdc5fe277
feat(cra): datasheet→limits extractor (hybrid, local 35B)
Hybrid extraction datasheet → IACE limits (ISO 12100): deterministic detector (interfaces/units via regex) + local 35B via llm_cascade (local Qwen first) for the semantic assignment to the real LimitsFormData keys. Invent nothing: field not in the text → empty + a source quote per field. Essential ISO 12100 fields that remain empty → targeted follow-up questions (foreseeable_misuses, person_groups, qualification, temporal_limits …). Endpoint POST /api/v1/cra/extract-datasheet. 13 tests green (pure parts).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

62fafaaec5
feat(cra): MaschinenVO hazard derivation + cyber-safety bridge
3-tier MaschinenVO verdict (direct / safety-relevant / not relevant) from the person-hazard signal: a component is not a machine, but if its function can endanger persons on failure OR manipulation (movement, laser/eye, force, temperature, electrical), it is safety-relevant: the obligation falls on the machine builder, the supplier delivers evidence, and a cyber attack can defeat the safety function (cyber-safety bridge). OWIS-with-laser thus correctly lands as a 'safety-relevant component'. Engine + /readiness additive; frontend: hazard question + hazard types, MaschinenVO result block. Presets updated (OWIS: laser+movement, Zwick: movement). 22 tests green.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2b5c155f57
docs: tenant suppression API handover to the controls/CRA session
Backend (suppression API + filter) is live; frontend mark/unmark (cyber-risk project + workspace) is handed over. Endpoints, integration and the open mapping (display entity → control_uuid) are documented.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

472b0cfd2b
fix(db): restore canonical_controls PK + FKs (lost in the prod DB swap)
Migration 157: ADD PRIMARY KEY canonical_controls(id) + FK atom_classification + FK control_suppressions, each only if missing (no-op on macmini, fixes prod). Verified: 314,811 distinct ids, 0 NULL, 0 orphans. DB-owner approval. [migration-approved]
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2d9b650ac1
feat(cra): entry-door frontend: neutral verdict + manufacturer type + presets
ReadinessCheck extended: manufacturer-type switch (component/end device/plant-machine/software app), sold-from-2027 and customer-demand questions, checklist of existing evidence. New result view (ReadinessResult): 3-tier verdict (mandatory/advisable/not affected, co-pilot tone without panic red) + maturity % + missing evidence + detected digital elements + obligations overview. Two demo presets (OWIS PS90+ component, ZwickRoell roboTest plant+SW).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

3afb0e7f4d
feat(cra): neutral entry-door verdict engine (mandatory/advisable/not affected)
Pure, deterministic verdict layer on top of the existing Annex III/IV classification (no fourth classifier): separates legal obligation from market pressure. Core: placing on the market (from 11.12.2027), not the development date, decides; legacy products that continue to be sold after the deadline fall under the CRA. Producer types (component/end_device/machine_integrator/software_app) drive default assumptions (plant builders: networking/OTA assumed) + verdict emphasis (component => market pressure). Plus evidence checklist (SBOM/VDP/patch/lifecycle/threat model/logging/auth/incident) + maturity level. /readiness extended additively (verdict/maturity/digital_elements/producer_type). 15 tests green. Examples: OWIS PS90+, ZwickRoell roboTest. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> |
||
|
|
8086b8be03 |
fix(migration): control_suppressions without FK to canonical_controls
prod canonical_controls (from the DB swap) has neither a PK nor a unique constraint on id → FK InvalidForeignKey. control_uuid stays UUID (logical reference), like the already FK-less atom_classification on prod. [migration-approved] Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> |
||
|
|
7aabfbe5b5 |
feat(controls): tenant suppression: per-tenant applicability override
Shared layer for all surfaces (workspace lawyers, cyber-risk project,
admin): a tenant marks a control as "not applicable" → hidden in its
use-case views (and, in future, repo scans).
- Migration 156: compliance.control_suppressions (PK tenant_id+control_uuid),
reversible (active + reverted_*), auditable (actor/reason/created_at).
[migration-approved]
- Service control_suppression: suppress/revert/list_suppressions +
suppressed_control_uuids (shared filter).
- Routes: GET/POST /v1/controls/suppressions + POST .../{uuid}/revert (X-Tenant-ID).
- controls_for_use_case: optional X-Tenant-ID + include_suppressed; suppressed
hidden by default (never deleted), suppressed_count, suppressed flag per
control. Agents/CRA without a tenant untouched.
- Tests: request validation + import safety (E2E cycle proven against macmini).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
||
|
|
400eba592e |
refactor(sdk): resolve sidebar duplicates (A1) + route inventory
Removed 11 module entries whose exact route is already an always-visible pipeline step (advisory-board, ai-act, source-policy, loeschfristen, einwilligungen, cookie-banner, dsr, vendor-compliance, consent-management, email-templates, training); the pipeline remains their home, no feature loss (none of these steps has visibleWhen). "Data Protection" group slimmed down to "Cookie & Consent" (Consent Dashboard + Cookie live preview). Similarly named but DIFFERENT pages deliberately kept (document-generator≠catalog-manager, control-library≠coverage, consent≠consent-management, cookie-banner≠/preview, vendor-compliance≠vendor-assessment). Full route inventory (pipeline + modules + resolved dups) in docs-src/development/sdk-navigation-inventory.md, so that no feature is lost invisibly. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> |
||
|
|
f8b45dd3d1 |
feat(sdk): regroup sidebar + customer/internal split
The four core modules moved into one group "Product Compliance (CE & Cyber)" (gap analysis, machine safety/CE, Cyber Resilience/CRA); iace+cra adjacent, AI compliance no longer wedged in between. Labels softened (no "IACE" codename, no duplicate headers). Internal/developer modules (catalogs/templates, corpus/coverage, sources, engine internals, admin) moved into a section "Internal · Development" gated via useInternalUI(); customers never see it (hidden by default; internal = macmini/localhost or browser opt-in). coverage reachable for the first time (was orphaned). Dead SidebarModuleNav.tsx deleted. All existing routes preserved. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> |
||
|
|
8a0097f5da |
feat(coverage): corpus documents grouped by type + publisher family
CI / dep-audit (push) Has been skipped
CI / test-python-backend (push) Successful in 27s
CI / test-python-document-crawler (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
CI / build-sha-integrity (push) Successful in 14s
CI / validate-canonical-controls (push) Successful in 10s
CI / loc-budget (push) Successful in 25s
CI / go-lint (push) Has been skipped
CI / detect-changes (push) Successful in 19s
CI / python-lint (push) Has been skipped
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Successful in 3m8s
CI / test-go (push) Has been skipped
CI / iace-gt-coverage (push) Has been skipped
The "Corpus Documents" table is ordered by document type (laws & regulations → authority guidance → standards & best practice → case law) with sub-headings, and consolidated per publisher family (all DSK, all EDPB, all OWASP/NIST/ENISA together). Deterministic categorizer (categorizeCorpusDoc) + grouper (groupCorpusDocs), pure + unit-tested. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> |
||
|
|
9e9d780902 |
feat(cra): management progress view (ticket-status readback)
Reads back the lifecycle of each finding (status + tracker_issue_url) from the scanner and rolls it up into a management picture: % done, 4 phases (open/in progress/done/excluded), open residual risk by severity, progress per CRA requirement, and a task/ticket table with Jira link. New endpoint GET/POST /api/v1/cra/progress (thin → service cra_progress, purely deterministic, no /assess schema drift). Frontend: ProgressView in level 1 (CRACyberView), live per scanner repo, otherwise demo status. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> |
||
|
|
7a4f086151 |
feat(cra): measure provenance + license class per standard source
Every standard reference of a measure is license-classified (eu_law / public_domain / open / paid_reference); paid-reference standards are only kept as a reference, never stored as text (idea/expression). Curated measures carry tier 'core', AI/fallback measures 'review' (indicative). Frontend shows source badges + "indicative" marking. Methodology in docs-src/development/mapping-methodology.md (scenario C, due diligence). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> |
||
|
|
6c619ecc42 |
feat(cra): curated measure library: all 40 CRA requirements covered
- data/measures_curated.json: 24 deduplicated, standards-backed measures (9 existing M540-548 + 15 new M600-614), full text + norm_refs + multi-reg covers. Covers all 40 CRA-AI-x (previously only 17).
- cra_annex_i_data loads the library defensively: MEASURES=superset, MEASURE_DETAILS (full text), mapped_measures derived from covers. Fallback = the hard-coded 9.
- Mapper: open_measures now carry name+description+norm_refs (real full texts).
- useCRA: merge uses backend full texts instead of the demo lookup.
- Tests: coverage (40/40) + full text in the assessment.
Source: externally hand-curated/researched, deduplicated + mapped here. Machinery Regulation/NIS2/IEC measures follow once their spine exists.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
||
|
|
4c206aa332 |
feat(cra): persist scanner-repo→IACE-project mapping (pull flow) [migration-approved]
Replaces the ephemeral dropdown selection with DB persistence per IACE project:
- Migration 156: compliance_cra_scanner_repo_map (tenant_id, iace_project_id PK,
scanner_repo_id). Additive + idempotent.
- GET/PUT /v1/cra/scanner-repo-map/{iace_project_id} (upsert/clear).
- useCRA loads the stored repo on load + persists it on selection.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
||
|
|
0a6e57ac02 |
feat(use-case-controls): addressee axis: out-of-scope advisory + additive GOV tag
2-pass Haiku classification (conservative + re-confirm of every non-"unternehmen" rating) of the review-tier atoms: who has to fulfil the obligation?
- Migration 155: atom_classification.addressee (unternehmen/oeffentliche_stelle/aufsichtsbefugnis/staat_eu/dritter/meta), additive, no CHECK. [migration-approved]
- Service: addressee + applicable + is_gov per control; include_out_of_scope param (default false -> out-of-scope advisory hidden, NEVER deleted); out_of_scope_count. Pure helpers addressee_applicable/addressee_is_gov (+ tests).
- Route: optional include_out_of_scope query (contract-safe, additive).
- Frontend: GOV chip (additive) + "not a customer review aspect" chip + 1-click toggle to show the out-of-scope atoms.
Data: 40,859 addressee tags loaded on macmini (81% applicable, 19% advisory, 3,146 GOV). Conservative: NULL/unclear = applicable.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
||
|
|
f6fe592164 |
docs: interface note extended with the Controls-session dependency
Added after feedback from the Controls session: ID stability also protects their atom_classification (~161k) + addressee (bound to control_uuid); their step 1/2 is additive (tier/source_type/core_count/addressee, does not break contracts); one truth: feed the pattern layer from atom_classification, do not re-derive it. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> |
||
|
|
a49adff814 |
docs: interface Controls/pattern layer → measures layer
Docking contract for the measures layer: stable pattern unit + fixed ID, control→pattern mapping, framework crosswalk per pattern. Aligned with the Controls session (core/control-pipeline). CRA spine/M5xx remain independent. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> |
||
|
|
90def4d857 |
feat(cra): flow-2 UI: choose scanner repo → real assessment
- GET /v1/cra/scanner-repos: distinct repo_ids (+counts) from the scanner MCP for the picker.
- useCRA: scannerRepo state; on selection POST /assess-from-scanner (real findings), otherwise by-iace/demo as before.
- ScannerRepoPicker in the CRA/Cyber tab; empty selection = demo, repo chosen = real findings.
Mapping repo_id↔project is currently UI-side (ephemeral); DB persistence per project follows.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
||
|
|
926dc02a09 |
feat(use-case-controls): relevant as a tier instead of a hard filter + provenance
CI / detect-changes (push) Successful in 15s
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / build-sha-integrity (push) Successful in 12s
CI / validate-canonical-controls (push) Successful in 12s
CI / loc-budget (push) Successful in 25s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Successful in 3m9s
CI / test-go (push) Has been skipped
CI / iace-gt-coverage (push) Has been skipped
CI / test-python-backend (push) Successful in 30s
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
The hard relevant=true filter hid ~25% of the corpus (40,926 atoms), ~70% of them real obligations (500-sample validation). relevant becomes a tier:
- Service: tier param (core=default protects agent/CRA; all=everything incl. review), ORDER BY relevant DESC; per control relevant/tier/source_type (own_library for license_rule=3, otherwise derived) + source_regulation/article; core_count/review_count. Pure helpers tier_label + source_type (+ tests).
- Route: optional tier query (default core), contract-safe (additive).
- Frontend: coverage drill-down /sdk/coverage/[useCase]: core obligations vs. "for expert review", each with an origin badge; the overview shows the delta.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
||
|
|
e140477c0b |
feat(cra): pull flow: fetch findings from the scanner MCP + assess
CI / detect-changes (push) Successful in 15s
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / build-sha-integrity (push) Successful in 12s
CI / validate-canonical-controls (push) Successful in 12s
CI / loc-budget (push) Successful in 25s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Successful in 3m12s
CI / test-go (push) Has been skipped
CI / iace-gt-coverage (push) Has been skipped
CI / test-python-backend (push) Successful in 39s
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
(2) We as MCP client to compliance-scanner-agent:
- scanner_mcp_client.fetch_findings(): streamablehttp_client + ClientSession → list_findings, parses the JSON text into finding dicts. Config via SCANNER_MCP_URL/SCANNER_MCP_TOKEN (unset = empty → UI keeps the demo). Transport lazily imported.
- POST /v1/cra/assess-from-scanner: raw scanner dicts → tolerant mapper (keeps scan_type/cvss_score/file_path) → assess + breadth.
- Tests: parse_findings_text + no-config path.
Live wiring of the UI follows once their endpoint+token are in place (then only set the env + point useCRA at /assess-from-scanner).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
||
|
|
e7c3cd7cee |
fix(mcp): DNS-rebinding protection off (server-to-server+Bearer) + MCP service expose-only
- FastMCP transport_security: enable_dns_rebinding_protection only enabled when MCP_ALLOWED_HOSTS is set; otherwise off (else HTTP 421 "Invalid Host header" on calls via nginx/container name). Bearer remains the access control.
- bp-compliance-mcp: host port mapping removed (8099 was taken by bp-core-health) → expose-only in breakpilot-network, routing via nginx (follow-up step).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
||
|
|
414496c31a |
feat(mcp): HTTP+Bearer CRA MCP server for the repo scanner + finding adapter
Register flow for compliance-scanner-agent (other team, Rust): their MCP client (McpServerConfig) expects Streamable HTTP + Bearer; our MCP was stdio/without auth.
- server.py switched to FastMCP: tools cra_assess_findings + cra_list_requirements, dual transport (stdio by default; Streamable HTTP when MCP_PORT is set), Bearer gate via CRA_MCP_TOKEN.
- ScannerFinding.from_dict tolerant of their finding schema (_id/fingerprint, scan_type→category, cvss_score→cvss, file_path→location, severity info→low).
- Stand-alone docker-compose service bp-compliance-mcp (port 8099, pure/no DB, isolated from the main API) + Hetzner amd64 override.
- Tests: test_cra_scanner_adapter, test_mcp_server (Bearer gate + tool registry).
Pull flow (we fetch their findings via their MCP) + public nginx routing follow separately (need their endpoint/token).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
||
|
|
7aaa7e083b |
feat(cra): conformity-path tiles: "With BreakPilot" role + expandable info text
Reframe: BreakPilot is an audit PREPARER, not an assessment body. Each tile now shows a "With BreakPilot" line (self-assessment = end-to-end; EUCC/notified body = make audit-ready, formal assessment by ITSEF/notified body) plus expandable explanatory text (what EUCC is, how it works, what the user does). Standard text (ISO/IEC 15408/18045) only referenced, not reproduced. Tile rebuilt from <button> to <div> + separate select button + info toggle. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> |
||
|
|
731076835d |
fix(cra): name conformity-path tiles correctly + gating per CRA Art. 32
(a) Labels: modules correctly assigned: Module A = self-assessment, Module B+C =
notified body, EUCC = its own certificate (not Module H), "harmonised
standard" is not a module but a presumption of conformity. For the CRA NO
harmonised standard has been published yet → tile shown as "not yet available"
(expected ~2027), not selectable, with a hint. (page/path/documents labels.)
(b) Gating: important class II + critical products must NOT self-assess;
a harmonised standard alone is not sufficient there → ALLOWED_PATHS IMPORTANT_II/
CRITICAL = {eucc, notified_body}; DEFAULT_FOR II = notified_body. _PATH_HINT
adjusted accordingly. Regression test test_cra_conformity_paths.py.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
||
|
|
e1f89f6226 |
feat(cra): CRA/Cyber tab in 3 audience levels + bridge /sdk/cra
Frontend reorganisation (no data-model rebuild):
- Level 1 (management): CRA readiness, open risks (plain-language critical/high/..), effort by evidence type, affected regulations, top risks, deadlines.
- Level 2 (safety × cyber): "cyber reopens the CE hazard" as hero (USP).
- Level 3 (technical): findings table collapsible, internal IDs (CRA-AI-x/CWE/NIST/OWASP/ISO) only in the detail view, measure names instead of M-IDs, larger font.
- Bridge: IACE CRA tab ↔ /sdk/cra (readiness check) linked in both directions.
- CRACyberView split into sub-components (LOC < 300).
scripts/qa/poc_cra_article_assign.py: PoC article/paragraph assignment (path B2b, deferred; not MVP).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
||
|
|
6a6c2dbcaa |
feat(controls): atom-grain delivers source_article + registry tests in the CI path
CI / detect-changes (push) Successful in 17s
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / build-sha-integrity (push) Successful in 9s
CI / validate-canonical-controls (push) Successful in 8s
CI / loc-budget (push) Successful in 21s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Successful in 3m6s
CI / test-go (push) Has been skipped
CI / iace-gt-coverage (push) Has been skipped
CI / test-python-backend (push) Successful in 30s
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
- _ATOM_LIST_SQL via LATERAL: additionally cpl.source_article (law article) in the atom-grain response. Column control_parent_links.source_article verified (macmini + prod).
- Registry mapper test (new domains) moved to compliance/tests/; CI runs compliance/tests/, not tests/; closes the CI gap of the 6-new-use-cases extension.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|