breakpilot-compliance

Author	SHA1	Message	Date
Benjamin Admin	c5ecfa8f6c	feat(bridge): export 7 accepted CRA->OWASP controls for obligation_id proposal CI / detect-changes (push) Successful in 5s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 9s Details CI / validate-canonical-controls (push) Successful in 5s Details CI / loc-budget (push) Successful in 23s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Has been skipped Details CI / test-go (push) Has been skipped Details CI / iace-gt-coverage (push) Has been skipped Details CI / test-python-backend (push) Has been skipped Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details obligations/controls_for_obligation_mapping.json — the Compliance Execution Graph's accepted controls (V6 auth / V11 crypto / V16 logging) handed to the Obligation Registry to propose the SEMANTIC control->obligation_id, replacing the coarse citation_unit interim join (Befund 1). Registry fills proposed_obligation_id; we then adopt it into control_mapping.obligation_id. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-25 11:36:57 +02:00
Benjamin Admin	9e0a9ccef4	Add obligation_id join-key contract (cross-session bridge) CI / detect-changes (push) Successful in 5s Details CI / branch-name (push) Has been skipped Details CI / guardrail-integrity (push) Has been skipped Details CI / secret-scan (push) Has been skipped Details CI / dep-audit (push) Has been skipped Details CI / sbom-scan (push) Has been skipped Details CI / build-sha-integrity (push) Successful in 8s Details CI / validate-canonical-controls (push) Successful in 7s Details CI / loc-budget (push) Successful in 19s Details CI / go-lint (push) Has been skipped Details CI / python-lint (push) Has been skipped Details CI / nodejs-lint (push) Has been skipped Details CI / nodejs-build (push) Has been skipped Details CI / test-go (push) Has been skipped Details CI / iace-gt-coverage (push) Has been skipped Details CI / test-python-backend (push) Has been skipped Details CI / test-python-document-crawler (push) Has been skipped Details CI / test-python-dsms-gateway (push) Has been skipped Details Macht meine Seite des Cross-Session-Vertrags konkret: obligation_id ist der stabile Join-Key zwischen Legal Knowledge Graph (citation_spans -> obligation_id) und Compliance Execution Graph (control_mapping.source_norm -> obligation_id). Export aller 47 obligation_ids (CRA: 11 sbom + 7 vuln + 29 auth) mit citation_units als Interim-Brücke. Disziplin: obligation_id nie neu vergeben (re-link, Pendant zu span_id/control_uuid). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-25 10:29:29 +02:00
Benjamin Admin	67dba5f641	Add CRA procedure model (SBOM + Vuln) Schließt die Lücke Obligation→Procedure→Control→Evidence (Schritt 3, Compliance-OS-Ebene). Procedure = Umsetzungs-/Nachweisebene EINER Obligation, KEINE neue Pflicht (LEGAL_MINIMUM bleibt an der Obligation; Procedure beschreibt Umsetzung; Evidence belegt sie). - 11 Procedures (5 SBOM + 6 Vuln), 2 Worked Examples; source_role=procedural_requirement (Konvergenz mit der Legal-Knowledge-Engine der anderen Session) - fulfills_obligations[] referenziert die cra.json-Obligations (alle gültig, volle Abdeckung) - steps/controls/evidence je Procedure; KEINE tier/legal_basis-Felder (kein Pflicht-Duplikat) - citation_spans: [] / pending_span_anchor (Join folgt mit dem zitierfähigen Re-Ingest) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-25 09:28:40 +02:00
Benjamin Admin	48e39423e6	Add curated CRA authentication obligations (scaling test) Erster großer Skalierungstest der Registry-Pipeline mit Zwei-Stufen-Clustering: 4408 Controls → 2134 Mikro → 170 Review Units → Opus-Synthese 54 → Kuration 29. - Zwei-Stufen-Clustering (Mikro→Meta/Review-Unit) ist der Skalierungs-Fix für große Domänen - harte Tier-Regel generalisiert: nur 6 LEGAL_MINIMUM (CRA fordert nur High-Level-Auth), 23 BEST_PRACTICE; MFA/Passwort/Session/Krypto = guidance_basis, kein CRA-Primärrecht - Kuration (key-frei, regelbasiert): Krypto-Mikro→guidance · Prüf/Nachweis→evidence-Facette · Mechanismus-Familien behalten · eID/PSD2→out_of_scope; 6 LM unangetastet - Provenance pro Obligation (source_meta_cluster/confidence/model/version) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-25 07:30:55 +02:00
Benjamin Admin	188bb787d2	Add proposed CRA obligation relationships 11 human-reasoned Beziehungskanten in cra.json gemerged (dedupliziert gegen die Pipeline-Kanten), getaggt review_status=proposed / source=human_reasoned_preview / confidence=high. Nur die kleine Sprache depends_on / supports / produces_evidence_for; gerichtet. Cross-Family SBOM→Vuln-Kanten erlauben dem Advisor Ursachen-/Wirkungsketten. Damit ist der CRA-v1-Baustein vollständig: Obligations · legal_basis · guidance_basis · out_of_scope · relationships · pending citation anchors. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-25 00:08:47 +02:00
Benjamin Admin	2645b5b043	Add draft CRA obligation registry Erstes belastbares Registry-Artefakt (obligation_registry_v1) aus den validierten SBOM+Vuln-Candidates der Obligation Discovery Pipeline. - 18 Obligations (11 SBOM + 7 Vuln) - 14 LEGAL_MINIMUM, alle mit legal_basis (harte Tier-Regel) - 4 BEST_PRACTICE korrekt herabgestuft (source_role GUIDANCE/IMPLEMENTATION) - 70 OUT_OF_SCOPE-Cluster getrennt; member_controls vollständig - legal_basis (CRA-Primärrecht) ⊥ guidance_basis (BSI/ENISA/NIST/...) - citation_status=pending_span_anchor (span_id folgt mit Asset 2), review_status=draft Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-24 23:52:20 +02:00

6 Commits