breakpilot-compliance

Author	SHA1	Message	Date
Benjamin Admin	32e45f0797	feat(agb): wire validated routed AGB engine into live check path Consolidate the AGB C-lean engine (71% FP -> ~0, validated vs 7-company Opus GT) onto the canonical checker library and into the live check path. - AGBAgent.evaluate now runs routed C-lean: keyword (L1/L2) -> business- model gate -> per-item decision_method routing (embedding/reference/llm via services/checkers/) -> severity re-tiering (LOW -> recommendation), honoring context.skip_llm. - New agb/_pipeline.py orchestrates the routing; agent.py stays thin. - Remove the 3 AGB-local checker duplicates (_reference_check, _embedding_rescue, _llm_judge); services/checkers/ is now canonical. - Wire "agb" into _agent_outputs._TOPIC_AGENTS so the live check emits a validated AGB tab (was snapshot-only). - Run topic agents concurrently (asyncio.gather) + emit each tab via SSE as it finishes -> progressive results, no wait on the slowest agent. - Tests: checker units (mocked), routed agent (gate/rescue/re-tier), topic wiring; existing AGB tests made offline-safe. dev-only, no deploy. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-21 10:40:08 +02:00
Benjamin Admin	9d79cf1576	docs+feat(platform): Pruefer-Matrix-Foundation einfrieren (Evidenz, Mapping, Checker-Library, AGB-Kalibrierung) Know-how-Freeze der Website-Compliance-Runde (DSE/Cookie/Impressum/AGB). docs: platform_evidence_v1 (Evidenz-/Qualitaetsnachweis, echte Zahlen), nutzungsbedingungen_mapping (neues Modul = Mapping, empirisch belegt), platform_checker_matrix (Meta-Modell verification_method x decision_method), verification_method, platform_validation_v1. code: checkers/ (reusable Pruefer-Library base+reference+embedding+llm, im Container validiert), agb/ (decision_method-Routing + Checker-Prototypen, 71% FP -> ~0 validiert). Dev-only, kein Prod-Push; Benchmark-GTs/Korpora im internen Archiv (data-retention). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-21 09:23:21 +02:00
Benjamin Admin	6b9c7984b4	fix(ci): regulatory_news Zeitbomben-Test entschaerfen — test-go + Deploy entsperren CI / detect-changes (push) Successful in 8s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 7s Details CI / validate-canonical-controls (push) Successful in 4s Details CI / loc-budget (push) Successful in 18s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 3m2s Details CI / test-go (push) Successful in 1m8s Details CI / iace-gt-coverage (push) Successful in 19s Details CI / test-python-backend (push) Has been skipped Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details test-go failte seit 2026-06-19: VBR-OBL-001 ("Widerrufsbutton ab 19.06.2026") ist seit dem Stichtag abgelaufen und faellt aus dem Zukunfts-Horizont von GetRegulatoryNews, wodurch TestGetRegulatoryNews_FromRealFiles bricht. Fix: now-Referenz injizierbar (GetRegulatoryNewsAt), Test nutzt fixes Datum -> deterministisch. Produktions-Caller unveraendert (Wrapper). admin rag-query Marker, damit detect-changes admin mitbaut (article_label-Rendering). go vet + alle ai-sdk-Tests lokal gruen. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-21 00:51:47 +02:00
Benjamin Admin	e646091ba2	chore(deploy): ai-sdk + admin neu bauen — Legal-Zitatfelder (article_label) nach Prod-Re-Ingest aktiv CI / detect-changes (push) Successful in 8s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 7s Details CI / nodejs-lint (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / validate-canonical-controls (push) Successful in 6s Details CI / loc-budget (push) Successful in 20s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 3m3s Details CI / test-go (push) Failing after 57s Details CI / iace-gt-coverage (push) Successful in 16s Details CI / test-python-backend (push) Has been skipped Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details Triggert CI + detect-changes fuer ai-compliance-sdk + admin-compliance, nachdem der vorige Deploy am last-build/main Tag-Bug haengenblieb (Builds uebersprungen). Nur Doku-Kommentare, Logik unveraendert. Daten-Merge (Qdrant) ist bereits live. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-21 00:15:48 +02:00
Benjamin Admin	069b855b49	ci: re-trigger deploy — last-build/main tag-bug uebersprang ai-sdk/admin builds (Daten-Merge bereits live) CI / detect-changes (push) Successful in 7s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 6s Details CI / validate-canonical-controls (push) Successful in 4s Details CI / nodejs-build (push) Successful in 3m3s Details CI / secret-scan (push) Has been skipped Details CI / loc-budget (push) Successful in 18s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / test-go (push) Failing after 59s Details CI / iace-gt-coverage (push) Successful in 16s Details CI / test-python-backend (push) Has been skipped Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details	2026-06-20 21:30:53 +02:00
Benjamin Admin	01af9b56a6	Merge branch 'main' of ssh://gitea.meghsakha.com:22222/Benjamin_Boenisch/breakpilot-compliance CI / detect-changes (push) Successful in 9s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 6s Details CI / sbom-scan (push) Has been skipped Details CI / validate-canonical-controls (push) Successful in 4s Details CI / loc-budget (push) Successful in 18s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / test-go (push) Failing after 1m3s Details CI / iace-gt-coverage (push) Successful in 18s Details CI / test-python-backend (push) Has been skipped Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details CI / nodejs-build (push) Successful in 3m8s Details	2026-06-20 20:58:33 +02:00
Benjamin Admin	017c9b3c12	feat(advisor): Legal-RAG Zitier-Metadaten — ai-sdk + Advisor/Drafting lesen article_label ai-sdk (legal_rag_client/scroll/types) liest die gepinnten Spec-Felder article_label/regulation_code/article/paragraph/sub/citation_style/is_recital mit Fallback auf alt-ingestierte Chunks (regulation_id, section); neuer getBool-Helfer. Advisor + Drafting-Engine bilden die Quellenzeile primaer aus article_label ("BDSG § 38 Abs. 1"), sonst aus den strukturierten Feldern. 17 Tests gruen, tsc sauber. Vertrag: docs-src/development/rag_reingest_spec.md (§2/§7). Deploy an den Re-Ingest gekoppelt — neue Felder sind bis dahin leer (graceful Fallback). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-20 14:34:15 +02:00
Benjamin Admin	76d1dc5e00	fix(db): dedupe doc_check_controls 3x + unique constraint CI / detect-changes (pull_request) Failing after 5s Details CI / branch-name (pull_request) Successful in 1s Details CI / guardrail-integrity (pull_request) Failing after 2s Details CI / secret-scan (pull_request) Failing after 5s Details CI / dep-audit (pull_request) Failing after 12s Details CI / sbom-scan (pull_request) Failing after 3s Details CI / build-sha-integrity (pull_request) Failing after 3s Details CI / validate-canonical-controls (pull_request) Failing after 1s Details CI / loc-budget (pull_request) Has been skipped Details CI / go-lint (pull_request) Has been skipped Details CI / python-lint (pull_request) Has been skipped Details CI / test-go (pull_request) Has been skipped Details CI / iace-gt-coverage (pull_request) Has been skipped Details CI / nodejs-lint (pull_request) Has been skipped Details CI / nodejs-build (pull_request) Has been skipped Details CI / test-python-backend (pull_request) Has been skipped Details CI / test-python-document-crawler (pull_request) Has been skipped Details CI / test-python-dsms-gateway (pull_request) Has been skipped Details CI / detect-changes (push) Successful in 10s Details CI / branch-name (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 8s Details CI / validate-canonical-controls (push) Successful in 6s Details CI / loc-budget (push) Successful in 19s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Has been skipped Details CI / test-go (push) Has been skipped Details CI / test-python-backend (push) Successful in 25s Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details CI / iace-gt-coverage (push) Has been skipped Details compliance.doc_check_controls war auf prod historisch trippliziert (Dump-Artefakt ohne PK/Unique: jede (doc_type, control_id)-Zeile 3x, 5622 statt 1874 ueber alle 8 doc_types). Die Migration dedupt idempotent (kleinste ctid behalten) und setzt UNIQUE(doc_type, control_id), damit sich die Triplikation nicht wiederholen kann. Auf prod bereits direkt angewandt und in _migration_history registriert (read-only verifiziert: 1874, alle doc_types total=distinct, Constraint aktiv); dieser Commit codifiziert die Migration in der Deploy-Kette, damit ein Restore aus einem aelteren Dump sie automatisch re-appliziert. [migration-approved] Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-20 14:25:03 +02:00
Benjamin Admin	b664d73ffc	fix(advisor): Soul haerten — Quellentreue + keine Control-ID-Leaks CI / detect-changes (push) Successful in 20s Details CI / guardrail-integrity (push) Has been skipped Details CI / branch-name (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 9s Details CI / validate-canonical-controls (push) Successful in 7s Details CI / nodejs-build (push) Successful in 3m2s Details CI / iace-gt-coverage (push) Has been skipped Details CI / test-python-backend (push) Has been skipped Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details CI / loc-budget (push) Successful in 22s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / test-go (push) Has been skipped Details Legal-RAG-Qualitaet (Vorher/Nachher-Test, 6 Fragen): das Modell erfand selbstbewusst Paragraphen/Fristen/Schwellen (§38 BDSG "10%/250", fake "3-/12-Monats"-Fristen, §35 statt §26, CRA-Fake-Artikel). Neue Sektion "Quellentreue": konkrete Fundstellen NUR wenn in den RAG-Quellen belegt, sonst ehrlich "nicht belegt" — keine aus dem Gedaechtnis rekonstruierten Nummern. Dev-Modus-Block entschaerft: Controls-Block als Inhaltsquelle nutzen, aber interne Control-IDs (SEC-/AUTH-/CRYP-/MC-) NICHT in der Nutzerantwort ausgeben (Klartext fuehrt). Live auf prod verifiziert: erfundene Fundstellen stark reduziert (oder als unbelegt markiert), Control-ID-Leak = 0. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-19 11:39:42 +02:00
Benjamin Admin	90a70c8404	fix(drafting): Drafting-Engine auf prod reparieren — RAG via ai-sdk + OVH-LLM-Kaskade CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / iace-gt-coverage (push) Has been skipped Details CI / test-python-backend (push) Has been skipped Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details CI / detect-changes (push) Successful in 7s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 5s Details CI / validate-canonical-controls (push) Successful in 4s Details CI / loc-budget (push) Successful in 17s Details CI / go-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 3m2s Details CI / test-go (push) Has been skipped Details Die Drafting-Engine (Dokument-Entwurf, v2-Pipeline, Validierung, Drafting-Chat, Vendor-Vertragspruefung) war auf prod doppelt tot: - RAG ueber bp-core-rag-service:8097 (existiert auf prod nicht) - LLM ueber OLLAMA_URL/api/chat mit qwen2.5vl (prod = ollama-embed, kein Chat-Modell) Fix (analog zum Compliance-Advisor): - rag-query.ts -> ai-compliance-sdk /sdk/v1/rag/search (bge-m3, prod-erreichbar). - Neue lib/sdk/drafting-engine/llm-cascade.ts: OVH/LiteLLM (gpt-oss-120b) zuerst, Ollama als Dev-Fallback; cascadeComplete (JSON) + cascadeStream. Das Backend nutzt OVH+JSON bereits erfolgreich auf prod (extract-datasheet). - 5 Aufrufstellen (draft-helpers, draft-helpers-v2, validate, chat, vendor-review) auf die Kaskade umgestellt; keine direkten Ollama-Calls mehr. - Tests: llm-cascade + rag-query aktualisiert. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-19 10:02:06 +02:00
Benjamin Admin	cd3e0b15ad	fix(advisor): Compliance-Advisor auf prod reparieren — RAG via ai-sdk (bge-m3) + OVH-LLM CI / detect-changes (push) Successful in 6s Details CI / branch-name (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 7s Details CI / validate-canonical-controls (push) Successful in 6s Details CI / loc-budget (push) Successful in 19s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 3m4s Details CI / test-go (push) Successful in 58s Details CI / iace-gt-coverage (push) Successful in 16s Details CI / test-python-backend (push) Has been skipped Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details Der Floating-Compliance-Advisor war auf prod kaputt (502): RAG ging ueber rag-service:8097 (auf prod nicht vorhanden) und der Chat ueber OLLAMA_URL=ollama-embed (embedding-only, kein qwen2.5vl). - RAG laeuft jetzt ueber die ai-compliance-sdk /sdk/v1/rag/search (bge-m3, prod-erreichbar) statt rag-service -> profitiert vom reicheren Embedding. (lib/sdk/agents/advisor-rag.ts) - LLM-Kaskade: OVH/LiteLLM (gpt-oss-120b) zuerst, Ollama als Dev-Fallback. (lib/sdk/agents/advisor-llm.ts; OVH-Env via orca-infra admin-Block) - ai-sdk: bp_compliance_recht in AllowedCollections ergaenzt (Whitelist war inkonsistent — die Fehlermeldung listete es bereits als erlaubt). - Route auf die Module umgestellt (duenn); Controls-Augmentation unveraendert. - Tests: advisor-rag + advisor-llm. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-19 09:22:44 +02:00
Benjamin Admin	f0a0a887fd	revert(redesign): Design-Tokens + Ebene-2 "Cyber trifft Safety" zurueckziehen Das Frontend-Redesign wird vorerst pausiert (Fokus MVP). Der komplette Stand ist im Git-Tag redesign-archive-20260619 (Commit `42d4b4d9`) archiviert und jederzeit fortsetzbar; die Handoff-Docs bleiben unter design/redesign/ erhalten. Diese Aenderung zieht nur den aktiven Code zurueck (Tokens, Chips, CyberMeetsSafety, design-system-Seite, Font-Setup) — die UI kehrt zum vorherigen Stand zurueck. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-19 09:22:19 +02:00
Benjamin Bönisch	42d4b4d9c5	feat(redesign): Design-Tokens + Ebene-2 "Cyber trifft Safety" (additiv) CI / detect-changes (push) Successful in 19s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 7s Details CI / validate-canonical-controls (push) Successful in 4s Details CI / loc-budget (push) Successful in 21s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 3m13s Details CI / test-go (push) Has been skipped Details CI / iace-gt-coverage (push) Has been skipped Details CI / test-python-backend (push) Has been skipped Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details Schritt A (Tokens): zentrale Design-Sprache aus dem Claude-Design-Handoff — Tailwind-Tokens (re/geltung/severity/domain) + Fonts (Public Sans / Source Serif 4 / IBM Plex Mono) + components/redesign/{tokens.ts,Chips.tsx} (GeltungChip, SeverityChip, DomainTag, MonoId) + Showcase /sdk/design-system. Bestehende Farben/sans unangetastet. Schritt B (Ebene 2): CyberMeetsSafety als USP-Hero im CRA/Cyber-Tab (/sdk/iace/[id]/cra) — Domaenen-Bar, Hazard-Karten (CE-gemildert -> Cyber-Befund -> Restrisiko, Warum-Box, Pflicht/Empfehlung-Massnahmen, aufklappbarer Norm-Bezug), Massnahmen-Backlog mit Geltung-Filter. Gebunden an echte cross_links/findings/open_measures. Bisheriger CRACyberView bleibt eingeklappt erhalten -> kein Inhaltsverlust. Guardrail-Doku: design/redesign/ (HANDOFF_README, CONTENT_INVENTORY mit 40-Screen-Mapping + Waisen-Liste, Arbeitsbereich.dc.html-Referenz). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-18 16:49:04 +02:00
Benjamin Bönisch	43e02f794a	feat(cra): SBOM- + DAST-Findings aus dem Scanner-MCP konsumieren CI / detect-changes (push) Successful in 8s Details CI / branch-name (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 6s Details CI / validate-canonical-controls (push) Successful in 10s Details CI / loc-budget (push) Successful in 20s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Has been skipped Details CI / test-go (push) Successful in 1m4s Details CI / iace-gt-coverage (push) Successful in 15s Details CI / test-python-backend (push) Successful in 24s Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details Sharangs compliance-scanner-agent exponiert SBOM (sbom_vuln_report) + DAST (list_dast_findings) als eigene MCP-Tools (nicht via list_findings). Neuer fetch_all_findings(repo_id) zieht list_findings + SBOM + DAST in EINER MCP-Session und normalisiert ins Finding-Schema: - SBOM: ein Finding pro verwundbarem Paket (nicht pro CVE), cwe=CWE-1395 -> deterministisch CRA-AI-22 (robust gegen Paketnamen wie "sqlite"). - DAST: cwe/endpoint/vuln_type uebernommen -> Mapping via cwe/keywords. assess-from-scanner nutzt fetch_all_findings + liefert source.breakdown (code/sbom/dast). DAST hat im MCP keinen repo_id-Filter -> dast_repo_scoped:false (deployment-weit, transparent geflaggt). Echte MCP-Daten: Kitchenasty 58 code + 35 sbom + 81 dast -> 174 gemappt (Coverage 94,3%, alle 35 SBOM -> CRA-AI-22). Enthaelt zusaetzlich das Qdrant->Prod-Kopierскript (#42, verbatim macmini->prod). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-18 12:05:05 +02:00
Benjamin Bönisch	8f21650d74	feat(sdk): Kunden-Dokumente + CRA-Meldewesen, Screening aus Frontend genommen CI / detect-changes (push) Successful in 16s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 15s Details CI / validate-canonical-controls (push) Successful in 13s Details CI / loc-budget (push) Successful in 25s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 3m9s Details CI / test-go (push) Has been skipped Details CI / iace-gt-coverage (push) Has been skipped Details CI / test-python-backend (push) Successful in 31s Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details - /sdk/dokumente: Kundensicht nur auf veroeffentlichte Rechtsdokumente (Ansehen + Download); Proxy mit Allow-List nur /public — Templates/Drafts/ Generator bleiben unerreichbar. - /sdk/cra-meldewesen: CRA Art. 14 Meldewesen (24h/72h/14d-Kaskade) mit Fristen-Tracking + ENISA-SRP-Export-Entwurf (kein Live-API). Backend: cra_meldewesen (pure, getestet) + cra_incident_store (schema-neutral ueber compliance_cra_documents) + /api/v1/cra/incidents (additiv, contract-safe). - Screening (Self-Scan) aus dem Frontend genommen: Flow-Stepper-Eintrag ausgeblendet (visibleWhen), Dashboard-Kachel + Import-Button entfernt. Repo-Scanning laeuft extern im Compliance-Scanner; Backend-Router bleibt vorerst gemountet (Contract-Stabilitaet). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-17 21:21:28 +02:00
Benjamin Bönisch	72093e5501	fix(cra): Scanner-Findings vollstaendig mappen + assess-from-scanner-Latenz senken CI / detect-changes (push) Successful in 17s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 13s Details CI / validate-canonical-controls (push) Successful in 12s Details CI / loc-budget (push) Successful in 25s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Has been skipped Details CI / test-go (push) Has been skipped Details CI / iace-gt-coverage (push) Has been skipped Details CI / test-python-backend (push) Successful in 30s Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details Punkt 2 (Coverage): semgrep/gdpr-Findings ohne CWE blieben unmapped (~21%). Der Mapper nutzt jetzt den scanner rule_id + gezielte Keywords (gdpr -> Datenminimierung CRA-AI-17, path-traversal/prototype-pollution -> CRA-AI-20, nginx-header/Docker-Hardening -> CRA-AI-1/4, insecure-websocket -> CRA-AI-15). Reale Scanner-Daten: unmapped 19/92 -> 0/92 (Coverage 100%). Punkt 3 (Latenz): enrich_findings_with_breadth lief ~6 Aggregat-Queries je (use_case,sub_topic)-Paar, nutzte aber nur die Liste. Jetzt EINE batched Query (breadth_controls_batch) fuer alle Paare + Prozess-Cache (TTL 1800s). macmini: cold 0,23s / warm 0,000s. Prod-Root-Cause: atom_classification ohne (use_case,sub_topic)-Index nach DB-Swap -> Index dem DB-Owner empfohlen. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-17 13:17:51 +02:00
Benjamin Admin	4f4ffc2ad5	feat(cra): Cyber-trifft-CE mit echten IACE-Safety-Functions CI / detect-changes (push) Successful in 16s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 11s Details CI / validate-canonical-controls (push) Successful in 10s Details CI / loc-budget (push) Successful in 28s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 3m10s Details CI / test-go (push) Has been skipped Details CI / test-python-backend (push) Has been skipped Details CI / iace-gt-coverage (push) Has been skipped Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details useCRA leitet aus den Hazards+Mitigations DES IACE-Projekts cyber-relevante safety_functions ab (Bewegung/Quetschen/safety_function_failure/Pneumatik → prevent_unexpected_actuation; Signal/Sensor/Kommunikation → signal_integrity; rein physische wie Thermik/Ergonomie ausgeschlossen) und gibt sie statt der Demo-Hardcodes an /assess. build_cross_links zeigt dann, welche REALE Projekt-Schutzmassnahme ein Cyber-Befund wieder oeffnet. Fallback auf Demo-Set, bis die Projekt-Hazards geladen sind. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-17 09:18:23 +02:00
Benjamin Admin	b76f3cee48	feat(cra): 'Projekt anlegen' triggert IACE-Auto-Ableitung (/initialize) Nach dem Setzen der limits_form ruft createProject jetzt POST /iace/projects/ :id/initialize — IACE liest die limits_form als Narrative → Komponenten → Gefährdungen → Maßnahmen → Verifikation → Normen (idempotent, best-effort). Navigiert danach auf die Projekt-Übersicht (Risiko-Summary). Interview-Felder bleiben editierbar, Ableitung im IACE re-triggerbar. Schliesst die Kette Datenblatt → Grenzen → Gefährdungen/Maßnahmen. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-17 08:25:06 +02:00
Benjamin Admin	fda94afd5f	fix(cra): prod hang-guard /readiness machinery + robuster Datenblatt-JSON-Parse CI / detect-changes (push) Successful in 19s Details CI / guardrail-integrity (push) Has been skipped Details CI / branch-name (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 10s Details CI / validate-canonical-controls (push) Successful in 9s Details CI / loc-budget (push) Successful in 22s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Has been skipped Details CI / test-go (push) Has been skipped Details CI / iace-gt-coverage (push) Has been skipped Details CI / test-python-backend (push) Successful in 32s Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details #1 _machinery_obligations: SET statement_timeout=4s + run_in_threadpool — auf prod hing die maschinen-Query ~30s (langsame/unindizierte DB nach DB-Swap) und blockierte den async-Worker. Jetzt: bei Langsamkeit graceful 'keine Maschinen-Pflichten' statt Hang. (Fehlender prod-Index = Controls/DB-Session.) #2 parse_grenzen_json: tolerant ggue. ```json-Fences / Prosa-umschlossenem JSON (gehostete Modelle wie OVH ignorieren z.T. response_format) → Datenblatt- Extraktion liefert auch ueber den OVH-Fallback Felder. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-17 07:39:39 +02:00
Benjamin Admin	9e2655bfef	fix(cra): IACE-Create id-Wrapper + MaschinenVO eigene Sektion CI / detect-changes (push) Successful in 16s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 12s Details CI / validate-canonical-controls (push) Successful in 11s Details CI / loc-budget (push) Successful in 24s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 3m10s Details CI / test-go (push) Has been skipped Details CI / iace-gt-coverage (push) Has been skipped Details CI / test-python-backend (push) Successful in 32s Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details 1) createProject las proj.id, der Create-Response ist aber {project:{id}} → 'Projekt anlegen' war kaputt. Jetzt proj.project?.id. E2E verifiziert (create→put limits_form→get→delete = 200). 2) MaschinenVO-Sicherheitspflichten wurden in die CRA-Cyber-Buckets (Code/Prozess/Doku) gemischt → fehl-kategorisiert (Maschinen-Safety ≠ CRA-Annex-I-Cyber). Jetzt eigene Response-Liste machinery_guideline + eigener Frontend-Abschnitt 'Maschinensicherheit (MaschinenVO 2023/1230)'; geklebtes 'MaschVO'-Badge entfaellt damit. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-17 00:12:52 +02:00
Benjamin Admin	72117c447f	fix(cra): IACE-Create braucht machine_type+manufacturer (binding required) CreateProjectRequest verlangt machine_name, machine_type UND manufacturer (alle required) → leere Werte gaben 400. Fallback 'Nicht angegeben', wenn das Datenblatt sie nicht liefert (im Interview editierbar). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-16 23:54:27 +02:00
Benjamin Admin	cf20fa85db	feat(cra): 'Projekt anlegen' aus Datenblatt → IACE mit editierbaren Grenzen DatasheetExtract: Button legt ein IACE-Projekt an (POST /iace/projects) und speichert die extrahierten Grenzen + Rückfrage-Antworten als metadata.limits_form (PUT), dann Navigation ins Interview. Das Interview-Formular bleibt voll editierbar (jedes vorbefuellte Feld aenderbar, Auto-Save). Manuelles Anlegen ueber /sdk/iace bleibt unveraendert. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-16 23:36:49 +02:00
Benjamin Admin	fae826e1f7	fix(cra): 35B-Datenblatt-Extraktion — Thinking-Mode aus (think=false) qwen3.5:35b-a3b ist ein Thinking-Modell → generierte erst Reasoning, riss das 90s-Timeout → leere Extraktion. llm_cascade additiv um think-Param erweitert (Cache-Key kennt think); Datenblatt-Extraktor setzt think=False → sauberes JSON in ~1s. Default fuer alle anderen Cascade-Nutzer unveraendert. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-16 20:22:57 +02:00
Benjamin Admin	b217429d39	feat(cra): Datenblatt-Extraktion auf lokales 35B + llm_status-Fix llm_cascade additiv modell-faehig (optionaler model-Param, Cache-Key kennt model_hint → keine Kollision; Default unveraendert für alle anderen Nutzer). Datenblatt-Extraktor nutzt jetzt qwen3.5:35b-a3b (CRA_DATASHEET_MODEL, gleiches Modell wie der Compliance Advisor) für bessere semantische Zuordnung. Plus llm_status (ok\|empty\|unavailable) + Logging statt stillem except; Frontend zeigt bei 'unavailable' einen Hinweis statt leerer Felder (wichtig auf prod ohne lokales Ollama → Cascade-Fallback bzw. Hinweis). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-16 19:53:48 +02:00
Benjamin Admin	6ca085ffc5	feat(cra): Datenblatt-Analyse-Frontend (Grenzen-Extraktion + Rückfragen) DatasheetExtract auf /sdk/cra: Datenblatt einfügen (oder Beispiel OWIS/Zwick) → POST /extract-datasheet → gefuellte ISO-12100-Grenzen mit Quellen-Zitat + deterministisch erkannte Schnittstellen/Einheiten + gezielte Rückfragen fuer leere Pflichtfelder (foreseeable_misuses, person_groups, …). Vorstufe fuer 'Projekt anlegen' → IACE-Grenzen-Prefill. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-16 19:20:14 +02:00
Benjamin Admin	cfdc5fe277	feat(cra): Datenblatt→Grenzen-Extraktor (hybrid, lokales 35B) Hybrid-Extraktion Datenblatt → IACE Grenzen (ISO 12100): deterministischer Detektor (Schnittstellen/Einheiten per Regex) + lokales 35B via llm_cascade (Qwen-lokal-first) fuer die semantische Zuordnung auf die echten LimitsFormData- Keys. Nichts erfinden: Feld nicht im Text → leer + Quellen-Zitat je Feld. Essenzielle ISO-12100-Felder, die leer bleiben → gezielte Rückfragen (foreseeable_misuses, person_groups, qualification, temporal_limits …). Endpoint POST /api/v1/cra/extract-datasheet. 13 Tests gruen (reine Teile). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-16 19:06:07 +02:00
Benjamin Admin	62fafaaec5	feat(cra): MaschinenVO-Gefährdungs-Ableitung + Cyber-Safety-Brücke 3-Tier-MaschinenVO-Verdict (direkt / sicherheitsrelevant / nicht relevant) aus Personengefährdungs-Signal: eine Komponente ist keine Maschine, aber wenn ihre Funktion bei Fehler ODER Manipulation Personen gefaehrden kann (Bewegung, Laser/ Auge, Kraft, Temperatur, elektrisch), ist sie sicherheitsrelevant — Pflicht trifft den Maschinenbauer, Zulieferer liefert Nachweise, und ein Cyber-Angriff kann die Sicherheitsfunktion aushebeln (Cyber-Safety-Bruecke). OWIS-mit-Laser landet so korrekt als 'sicherheitsrelevante Komponente'. Engine + /readiness additiv; Frontend: Gefährdungs-Frage + -Typen, MaschinenVO-Ergebnisblock. Presets aktualisiert (OWIS: Laser+Bewegung, Zwick: Bewegung). 22 Tests gruen. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-16 18:48:52 +02:00
Benjamin Admin	2b5c155f57	docs: Mandanten-Suppression API-Übergabe an Controls/CRA-Session CI / detect-changes (push) Successful in 17s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 13s Details CI / validate-canonical-controls (push) Successful in 10s Details CI / loc-budget (push) Successful in 28s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Has been skipped Details CI / test-go (push) Has been skipped Details CI / iace-gt-coverage (push) Has been skipped Details CI / test-python-backend (push) Has been skipped Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details Backend (Suppression-API + Filter) ist live; Frontend-Mark/Unmark (Cyber-Risiko- Projekt + Workspace) wird übergeben. Endpunkte, Integration, offenes Mapping (Anzeige-Entität → control_uuid) dokumentiert. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-16 18:38:58 +02:00
Benjamin Admin	472b0cfd2b	fix(db): canonical_controls PK + FKs wiederherstellen (prod DB-Swap-Verlust) CI / guardrail-integrity (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 13s Details CI / validate-canonical-controls (push) Successful in 11s Details CI / loc-budget (push) Successful in 25s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / detect-changes (push) Successful in 14s Details CI / nodejs-lint (push) Has been skipped Details CI / branch-name (push) Has been skipped Details CI / nodejs-build (push) Successful in 3m11s Details CI / test-go (push) Has been skipped Details CI / iace-gt-coverage (push) Has been skipped Details CI / test-python-backend (push) Successful in 29s Details CI / test-python-document-crawler (push) Has been skipped Details Migration 157: ADD PRIMARY KEY canonical_controls(id) + FK atom_classification + FK control_suppressions, jeweils nur falls fehlend (No-Op auf macmini, fixt prod). Verifiziert: 314.811 distinct ids, 0 NULL, 0 Orphans. DB-Owner-Freigabe. [migration-approved] Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-16 17:29:39 +02:00
Benjamin Admin	2d9b650ac1	feat(cra): Eingangstür-Frontend — neutrales Verdict + Hersteller-Typ + Presets ReadinessCheck erweitert: Hersteller-Typ-Weiche (Komponente/Endgeraet/Anlage- Maschine/Software-App), Verkauf-ab-2027- und Kunden-Nachfrage-Fragen, Checkliste vorhandener Nachweise. Neuer Ergebnis-View (ReadinessResult): 3-Tier-Verdict (zwingend/ratsam/nicht betroffen, Co-Pilot-Ton ohne Panik-Rot) + Reifegrad-% + fehlende Nachweise + gefundene digitale Elemente + Pflichten-Uebersicht. Zwei Demo-Presets (OWIS PS90+ Komponente, ZwickRoell roboTest Anlage+SW). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-16 17:25:17 +02:00
Benjamin Admin	3afb0e7f4d	feat(cra): neutrale Eingangstür-Verdict-Engine (zwingend/ratsam/nicht betroffen) CI / detect-changes (push) Successful in 20s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 10s Details CI / validate-canonical-controls (push) Successful in 12s Details CI / loc-budget (push) Successful in 24s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 3m11s Details CI / test-go (push) Has been skipped Details CI / iace-gt-coverage (push) Has been skipped Details CI / test-python-backend (push) Successful in 33s Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details Reine, deterministische Verdict-Schicht ueber der bestehenden Annex-III/IV- Klassifikation (kein vierter Klassifizierer): trennt Rechtspflicht von Markt- Druck. Kern: das Inverkehrbringen (ab 11.12.2027), nicht der Entwicklungs- zeitpunkt, entscheidet — Bestandsprodukte, die nach der Frist weiter verkauft werden, fallen unter CRA. Producer-Typen (component/end_device/machine_ integrator/software_app) steuern Default-Annahmen (Anlagenbauer: Vernetzung/OTA vorausgesetzt) + Verdict-Betonung (Komponente => Markt-Druck). Plus Evidence- Checkliste (SBOM/VDP/Patch/Lifecycle/Threat-Model/Logging/Auth/Incident) + Reifegrad. /readiness additiv erweitert (verdict/maturity/digital_elements/ producer_type). 15 Tests gruen. Beispiele: OWIS PS90+, ZwickRoell roboTest. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-16 17:17:55 +02:00
Benjamin Admin	8086b8be03	fix(migration): control_suppressions ohne FK auf canonical_controls prod-canonical_controls (aus dem DB-Swap) hat weder PK noch Unique auf id → FK InvalidForeignKey. control_uuid bleibt UUID (logische Referenz), wie die bereits FK-lose atom_classification auf prod. [migration-approved] Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-16 17:12:58 +02:00
Benjamin Admin	7aabfbe5b5	feat(controls): Mandanten-Suppression — per-tenant Applicability-Override Geteilte Schicht für alle Surfaces (Workspace-Anwälte, Cyber-Risiko-Projekt, Admin): ein Mandant markiert ein Control als "nicht anwendbar" → in seinen Use-Case-Ansichten (und künftig Repo-Scans) ausgeblendet. - Migration 156: compliance.control_suppressions (PK tenant_id+control_uuid), reversibel (active + reverted_*), auditierbar (actor/reason/created_at). [migration-approved] - Service control_suppression: suppress/revert/list_suppressions + suppressed_control_uuids (geteilter Filter). - Routes: GET/POST /v1/controls/suppressions + POST .../{uuid}/revert (X-Tenant-ID). - controls_for_use_case: optionaler X-Tenant-ID + include_suppressed; suppressed per Default versteckt (nie gelöscht), suppressed_count, suppressed-Flag pro Control. Agenten/CRA ohne Tenant unberührt. - Tests: Request-Validierung + import-safety (E2E-Zyklus gegen macmini bewiesen). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-16 16:35:38 +02:00
Benjamin Admin	400eba592e	refactor(sdk): Sidebar-Doppelungen auflösen (A1) + Routen-Inventur 11 Modul-Eintraege entfernt, deren exakte Route bereits ein immer-sichtbarer Pipeline-Schritt ist (advisory-board, ai-act, source-policy, loeschfristen, einwilligungen, cookie-banner, dsr, vendor-compliance, consent-management, email-templates, training) — Heimat bleibt die Pipeline, kein Feature-Verlust (keiner dieser Schritte hat visibleWhen). "Datenschutz"-Gruppe zu "Cookie & Consent" (Consent Dashboard + Cookie Live-Vorschau) verschlankt. Aehnlich benannte, aber VERSCHIEDENE Seiten bewusst behalten (document-generator≠ catalog-manager, control-library≠coverage, consent≠consent-management, cookie-banner≠/preview, vendor-compliance≠vendor-assessment). Vollstaendige Routen-Inventur (Pipeline + Module + aufgeloeste Dups) in docs-src/development/sdk-navigation-inventory.md — damit kein Feature unsichtbar verloren geht. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-16 16:35:07 +02:00
Benjamin Admin	f8b45dd3d1	feat(sdk): Sidebar neu gruppieren + Kunde/Intern-Trennung Die vier Kern-Module in eine Gruppe "Produkt-Compliance (CE & Cyber)" (Gap-Analyse, Maschinensicherheit/CE, Cyber Resilience/CRA) — iace+cra benachbart, KI-Compliance nicht mehr dazwischen gekeilt. Labels entschaerft (kein "IACE"-Codename, keine doppelten Header). Interne/Entwickler-Module (Kataloge/Templates, Korpus/coverage, Quellen, Engine-Internals, Admin) in eine per useInternalUI() gegatete Sektion "Intern · Entwicklung" — Kunden sehen sie nie (Default versteckt; intern = macmini/localhost o. Browser-Opt-in). coverage erstmals erreichbar (war verwaist). Toter SidebarModuleNav.tsx geloescht. Alle bestehenden Routen erhalten. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-16 13:27:38 +02:00
Benjamin Admin	8a0097f5da	feat(coverage): Korpus-Dokumente gruppiert nach Art + Herausgeber-Familie CI / dep-audit (push) Has been skipped Details CI / test-python-backend (push) Successful in 27s Details CI / test-python-document-crawler (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 14s Details CI / validate-canonical-controls (push) Successful in 10s Details CI / loc-budget (push) Successful in 25s Details CI / go-lint (push) Has been skipped Details CI / detect-changes (push) Successful in 19s Details CI / python-lint (push) Has been skipped Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 3m8s Details CI / test-go (push) Has been skipped Details CI / iace-gt-coverage (push) Has been skipped Details Die "Korpus-Dokumente"-Tabelle wird nach Dokument-Art geordnet (Gesetze & Verordnungen → Behörden-Leitfäden → Standards & Best Practice → Rechtsprechung) mit Zwischenüberschriften, und je Herausgeber-Familie zusammengefasst (alle DSK, alle EDPB, alle OWASP/NIST/ENISA gemeinsam). Deterministischer Kategorisierer (categorizeCorpusDoc) + Grouper (groupCorpusDocs), pure + unit-getestet. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-16 12:20:10 +02:00
Benjamin Admin	9e9d780902	feat(cra): Management-Fortschritts-Ansicht (Ticket-Status-Readback) Liest den Lebenszyklus jedes Befunds (status + tracker_issue_url) aus dem Scanner zurück und rollt ihn zu einem Management-Bild auf: % erledigt, 4-Phasen (offen/in Arbeit/erledigt/ausgeschlossen), offenes Restrisiko nach Schweregrad, Fortschritt je CRA-Anforderung und eine Aufgaben-/Ticket-Tabelle mit Jira-Link. Neuer Endpoint GET/POST /api/v1/cra/progress (dünn → Service cra_progress, rein deterministisch, kein /assess-Schema-Drift). Frontend: ProgressView in Ebene 1 (CRACyberView), live je Scanner-Repo, sonst Demo-Status. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-16 10:10:45 +02:00
Benjamin Admin	7a4f086151	feat(cra): Maßnahmen-Provenienz + Lizenzklasse je Normquelle Jede Normreferenz einer Maßnahme wird lizenzklassifiziert (eu_law / public_domain / open / paid_reference) — paid-reference-Normen werden nur als Verweis geführt, nie im Text gespeichert (idea/expression). Kuratierte Maßnahmen tragen Tier 'core', KI-/Fallback-Maßnahmen 'review' (indikativ). Frontend zeigt Quellen-Badges + "indikativ"-Kennzeichnung. Methodik in docs-src/development/mapping-methodology.md (Szenario C, Due-Diligence). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-16 10:10:20 +02:00
Benjamin Admin	6c619ecc42	feat(cra): kuratierte Maßnahmen-Bibliothek — alle 40 CRA-Anforderungen belegt - data/measures_curated.json: 24 deduplizierte, standard-gestützte Maßnahmen (9 bestehende M540-548 + 15 neue M600-614), Volltext + norm_refs + multi-reg covers. Deckt alle 40 CRA-AI-x (vorher nur 17). - cra_annex_i_data lädt die Bibliothek defensiv: MEASURES=Superset, MEASURE_DETAILS (Volltext), mapped_measures aus covers abgeleitet. Fallback = hartkodierte 9. - Mapper: open_measures tragen jetzt name+description+norm_refs (echte Volltexte). - useCRA: merge nutzt Backend-Volltexte statt Demo-Lookup. - Tests: Coverage (40/40) + Volltext im Assessment. Quelle: extern handkuratiert/recherchiert, hier dedupliziert + gemappt. Maschinen- VO/NIS2/IEC-Maßnahmen folgen, sobald deren Spine existiert. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-16 07:44:13 +02:00
Benjamin Admin	4c206aa332	feat(cra): scanner-repo→IACE-Projekt-Mapping persistieren (Pull-Flow) [migration-approved] Ersetzt die ephemere Dropdown-Auswahl durch DB-Persistenz pro IACE-Projekt: - Migration 156: compliance_cra_scanner_repo_map (tenant_id, iace_project_id PK, scanner_repo_id). Additiv + idempotent. - GET/PUT /v1/cra/scanner-repo-map/{iace_project_id} (Upsert/Clear). - useCRA lädt das gespeicherte Repo beim Laden + persistiert bei Auswahl. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-16 07:05:33 +02:00
Benjamin Admin	0a6e57ac02	feat(use-case-controls): Adressat-Achse — out-of-scope advisory + additiver GOV-Tag 2-Pass-Haiku-Klassifikation (konservativ + Re-Confirm jeder Nicht-unternehmen- Einstufung) der Review-Tier-Atome: wer muss die Pflicht erfuellen? - Migration 155: atom_classification.addressee (unternehmen/oeffentliche_stelle/ aufsichtsbefugnis/staat_eu/dritter/meta), additiv, kein CHECK. [migration-approved] - Service: addressee + applicable + is_gov pro Control; include_out_of_scope-Param (Default false -> out-of-scope advisory ausgeblendet, NIE geloescht); out_of_scope_count. Pure Helper addressee_applicable/addressee_is_gov (+ Tests). - Route: optionaler include_out_of_scope-Query (contract-safe, additiv). - Frontend: GOV-Chip (additiv) + "kein Kunden-Pruefaspekt"-Chip + 1-Klick-Toggle zum Einblenden der out-of-scope-Atome. Daten: 40.859 Adressat-Tags auf macmini geladen (81% applicable, 19% advisory, 3.146 GOV). Konservativ: NULL/Unklar = applicable. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-16 06:58:37 +02:00
Benjamin Admin	f6fe592164	docs: Schnittstellen-Notiz um Controls-Session-Abhängigkeit ergänzt Ergänzt nach Rückmeldung der Controls-Session: ID-Stabilität schützt auch deren atom_classification (~161k) + addressee (control_uuid-gebunden); deren Step-1/2 ist additiv (tier/source_type/core_count/addressee, bricht Verträge nicht); eine Wahrheit — Muster-Schicht aus atom_classification speisen, nicht neu ableiten. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-16 06:24:48 +02:00
Benjamin Admin	a49adff814	docs: Schnittstelle Controls-/Muster-Schicht → Maßnahmen-Schicht Andock-Vertrag für die Maßnahmen-Schicht: stabile Muster-Einheit + feste ID, control→pattern-Mapping, Framework-Crosswalk pro Muster. Abstimmung mit der Controls-Session (core/control-pipeline). CRA-Spine/M5xx bleiben unabhängig. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-16 06:21:13 +02:00
Benjamin Admin	90def4d857	feat(cra): Flow-2 UI — Scanner-Repo wählen → echtes Assessment - GET /v1/cra/scanner-repos: distinct repo_ids (+counts) vom Scanner-MCP für den Picker. - useCRA: scannerRepo-State; bei Auswahl POST /assess-from-scanner (echte Findings), sonst by-iace/Demo wie bisher. - ScannerRepoPicker im CRA/Cyber-Tab; leere Auswahl = Demo, Repo gewählt = echte Befunde. Mapping repo_id↔Projekt aktuell UI-seitig (ephemeral); DB-Persistenz pro Projekt folgt. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-16 05:49:15 +02:00
Benjamin Admin	926dc02a09	feat(use-case-controls): relevant als Stufe statt Hard-Filter + Provenance CI / detect-changes (push) Successful in 15s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 12s Details CI / validate-canonical-controls (push) Successful in 12s Details CI / loc-budget (push) Successful in 25s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 3m9s Details CI / test-go (push) Has been skipped Details CI / iace-gt-coverage (push) Has been skipped Details CI / test-python-backend (push) Successful in 30s Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details Der harte relevant=true-Filter versteckte ~25% des Korpus (40.926 Atome), ~70% davon echte Pflichten (500er-Validierung). relevant wird zur Stufe: - Service: tier-Param (core=Default schuetzt Agent/CRA; all=alles inkl. review), ORDER BY relevant DESC; pro Control relevant/tier/source_type (own_library bei license_rule=3, sonst derived) + source_regulation/article; core_count/review_count. Pure Helper tier_label + source_type (+ Tests). - Route: optionaler tier-Query (default core) — contract-safe (additiv). - Frontend: Coverage-Drill-down /sdk/coverage/[useCase] — Kern-Pflichten vs. "zur fachlichen Pruefung", je mit Herkunfts-Badge; Uebersicht zeigt Delta. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-15 20:58:25 +02:00
Benjamin Admin	e140477c0b	feat(cra): Pull-Flow — Findings vom Scanner-MCP ziehen + assessen CI / detect-changes (push) Successful in 15s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 12s Details CI / validate-canonical-controls (push) Successful in 12s Details CI / loc-budget (push) Successful in 25s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Successful in 3m12s Details CI / test-go (push) Has been skipped Details CI / iace-gt-coverage (push) Has been skipped Details CI / test-python-backend (push) Successful in 39s Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details (2) Wir als MCP-Client zum compliance-scanner-agent: - scanner_mcp_client.fetch_findings(): streamablehttp_client + ClientSession → list_findings, parst JSON-Text zu Finding-Dicts. Config via SCANNER_MCP_URL/ SCANNER_MCP_TOKEN (unset = leer → UI behält Demo). Transport lazy-importiert. - POST /v1/cra/assess-from-scanner: rohe Scanner-Dicts → toleranter Mapper (behält scan_type/cvss_score/file_path) → assess + Breadth. - Tests: parse_findings_text + no-config-Pfad. Live-Verdrahtung der UI folgt, sobald ihr Endpoint+Token stehen (dann nur Env setzen + useCRA auf /assess-from-scanner zeigen). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-15 19:05:44 +02:00
Benjamin Admin	e7c3cd7cee	fix(mcp): DNS-Rebinding-Schutz aus (server-to-server+Bearer) + MCP-Dienst expose-only - FastMCP transport_security: enable_dns_rebinding_protection nur an, wenn MCP_ALLOWED_HOSTS gesetzt; sonst aus (sonst HTTP 421 "Invalid Host header" bei Aufrufen über nginx/Container-Name). Bearer bleibt die Zugriffskontrolle. - bp-compliance-mcp: Host-Port-Mapping entfernt (8099 war von bp-core-health belegt) → expose-only im breakpilot-network, Routing via nginx (Folgeschritt). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-15 18:36:47 +02:00
Benjamin Admin	414496c31a	feat(mcp): HTTP+Bearer CRA-MCP-Server für den Repo-Scanner + Finding-Adapter Register-Flow für compliance-scanner-agent (anderes Team, Rust): deren MCP-Client (McpServerConfig) erwartet Streamable HTTP + Bearer — unser MCP war stdio/ohne Auth. - server.py auf FastMCP umgestellt: Tools cra_assess_findings + cra_list_requirements, Dual-Transport (stdio default; Streamable HTTP wenn MCP_PORT gesetzt), Bearer-Gate via CRA_MCP_TOKEN. - ScannerFinding.from_dict tolerant für ihr Finding-Schema (_id/fingerprint, scan_type→category, cvss_score→cvss, file_path→location, severity info→low). - Eigenständiger docker-compose-Dienst bp-compliance-mcp (Port 8099, pure/kein DB, isoliert von der Haupt-API) + Hetzner-amd64-Override. - Tests: test_cra_scanner_adapter, test_mcp_server (Bearer-Gate + Tool-Registry). Pull-Flow (wir holen ihre Findings über ihren MCP) + öffentliches nginx-Routing folgen separat (brauchen ihren Endpoint/Token). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-15 18:30:47 +02:00
Benjamin Admin	7aaa7e083b	feat(cra): Konformitätspfad-Kacheln — "Mit BreakPilot"-Rolle + aufklappbarer Info-Text Reframe: BreakPilot ist Audit-VORBEREITER, nicht Prüfstelle. Jede Kachel zeigt jetzt eine "Mit BreakPilot"-Zeile (Selbstbewertung = end-to-end; EUCC/benannte Stelle = audit-fähig machen, formale Prüfung durch ITSEF/benannte Stelle) plus aufklappbaren Erklär-Text (was EUCC ist, wie es läuft, was der Nutzer tut). Normtext (ISO/IEC 15408/18045) nur referenziert, nicht reproduziert. Kachel von <button> auf <div> + separater Wählen-Button + Info-Toggle umgebaut. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-15 15:12:49 +02:00
Benjamin Admin	731076835d	fix(cra): Konformitätspfad-Kacheln korrekt benennen + Gating nach CRA Art. 32 (a) Labels: Module korrekt zugeordnet — Modul A = Selbstbewertung, Modul B+C = benannte Stelle, EUCC = eigenes Zertifikat (nicht Modul H), "harmonisierte Norm" ist kein Modul sondern Konformitätsvermutung. Für den CRA noch KEINE harmonisierte Norm veröffentlicht → Kachel als "noch nicht verfügbar" (erwartet ~2027), nicht wählbar, mit Hinweis. (page/path/documents-Labels.) (b) Gating: wichtige Klasse II + kritische Produkte dürfen NICHT selbst bewerten; harmonisierte Norm allein genügt dort nicht → ALLOWED_PATHS IMPORTANT_II/ CRITICAL = {eucc, notified_body}; DEFAULT_FOR II = notified_body. _PATH_HINT entsprechend. Regressionstest test_cra_conformity_paths.py. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-15 13:49:00 +02:00

1 2 3 4 5 ...

1459 Commits