2063615d37
feat: Capability Registry v1 API-Vertrag ( #59 ) + Ownership-Modell finalisiert
...
#59 (geschaerft, User): capabilities.json -> capability_registry_v1 (contract_version 1.0):
stabile `cap.*`-IDs (NIE umbenennen) + 5 Vertragsfelder (description/guidance_basis/
realizes_obligations/required_procedures/evidence_patterns), PRODUKTNEUTRAL (keine Features).
= stabiler API-Vertrag fuer die Product->Compliance-Schnittstelle (Feature->Capability,
Session 3 mappt read-only dagegen).
session_ownership_model_v1.md RESOLVED: Legal-Owner = Re-Ingest-Session (vergibt KEINE
obligation_id, nur citation_span->legal_basis) · 4. Session -> Quality & Validation (nur
Tests, KEINE Daten) · Compliance 2 Branches DAUERHAFT (A=Build, B=Runtime). 4-Bibliotheken-
Zielbild (Legal/Product/Capability/Evidence).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-26 10:35:49 +02:00
2e6eee6ba1
Merge origin/main ( 8609b696) in machinery-multi-reg-run
2026-06-26 10:05:24 +02:00
f23ae32077
feat: MaschVO als erster Multi-Regulation-Run + Reuse-Metrik (Freeze haelt: 0 neue Klassen)
...
User-Reframe: nicht „naechste Regulierung", sondern erster MULTI-REGULATION-Reuse-Test.
- obligations/cra_machinery.json: 31 MaschVO-Obligations (25 LM = Anhang-III-Essential-Reqs
rechtlich legit + 6 BP). Pipeline 2229->1096 micro->120 review-units->Opus. out_of_scope
41 RU (AI-Act/DSGVO/Common-Criteria/Banking/...).
- obligations/machinery_reuse_metrics.json: ERSTE Reuse-KPI. **NEUE OBJEKTKLASSEN = 0**
(Architektur-Freeze haelt gegen physische-Safety-Regulierung — empirisch). 39% Reuse / 61%
net-new; Capability-Reuse 2 (Cyber-Safety-Bruecke: access_control_safety_functions->access,
protection_against_corruption->integrity/tamper), Procedure-Reuse 6, Evidence-Reuse 2,
CORE-Spezialisierung 2 (risk_assessment->update_risk_assessment, conformity->sbom_tech_doc).
- join_keys 95->126 (machinery 31). precluster.py: machinery-Scope.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-26 10:05:00 +02:00
fdaf547b06
feat(ucca): re-point NIST primary_implementation to CORE obligations ( #6 )
...
Registry materialized the generic CORE security objectives (#5b, Modell C), so
the two broad NIST controls now point at their canonical parents instead of the
domain-scoped matches:
SI-7 -> software_integrity_protection (CORE, Annex I (2)(f))
CM-7 -> attack_surface_minimization (CORE, Annex I (2)(j))
Non-breaking: the domain-scoped obligations stay valid and specialize the CORE.
SI-7 evidence = sbom + config_export (SBOM evidences component/supply-chain
integrity; config = signing/secure-boot). Export proposed_obligation_id + handler
test (2 CORE cases) updated. go test green.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-26 09:35:46 +02:00
4e761c1363
feat: #5b materialize capability layer (Modell C) — capabilities.json + cra_core.json
...
User-Entscheidung Modell C + objective_tags-Safeguard (Tags, keine Klasse). Deterministisch
via materialize_capabilities.py:
- obligations/capabilities.json: 5 Capabilities (multi_factor_authentication/session_management/
transport_encryption/code_signing/security_monitoring_alerting), realized_by (n:m) +
guidance_basis KANONISCH hochgezogen. access_control gedroppt (OVERLAP).
- obligations/cra_core.json: 2 CORE-Sicherheitsziele (attack_surface_minimization (2)(j)/CM-7 +
software_integrity_protection (2)(f)/SI-7) -> fuellt den #4-NIST-Gap.
- DOMAIN specializes->CORE (remote_access_attack_surface_min, component_remote_interface_security,
signed_update_integrity, firmware_software_authentication) + objective_tags.
- Merge: vuln_remediation_patching -> deprecated_alias von provide_security_updates.
- remote_access_data_export_protection bleibt BEST_PRACTICE (pending Data-Act-Scope).
- join_keys 93->95 (core 2). Bidirektional validiert.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-26 00:54:23 +02:00
ed31fdc0df
fill: NIST primary_implementation -> obligation_id (Handoff #4 , jetzt 10/10)
...
SI-2 -> provide_security_updates (stark, (2)(c)/Art.13) · SI-7 -> signed_update_integrity
(update-scoped) · CM-7 -> remote_access_attack_surface_min (remote-scoped). Validiert gegen
Registries (join_keys 93). GAP-BEFUND (Cross-Domain-Review): generische Parent-Obligations
software_integrity_protection + attack_surface_minimization fehlen (SI-7/CM-7 sind breiter
als die domaenen-scoped Treffer) -> Kandidaten fuer neue Obligations (User-Entscheidung).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-25 19:15:49 +02:00
5412bf0ba3
Merge origin/main (NIST-Export e46e74dd) in cross-domain-discovery
2026-06-25 19:13:21 +02:00
01956ee690
feat: cross-domain relationship discovery — Capability-Schicht-Entwurf (CRA P1)
...
Stufe 1+2 der Ontologie-Entdeckung (User-Schaerfung #54 ): nicht Aehnlichkeit sondern
STRUKTURELLE Beziehung. 93 Obligations -> BGE-M3 -> 101 cross-family Paare -> Opus
klassifiziert in 8 Kategorien (genau eine je Paar).
- scripts/obligation_discovery/cross_domain_pairs.py (Stufe 1, key-frei)
- scripts/obligation_discovery/classify_relationships.py (Stufe 2, Opus)
- obligations/cross_domain_relationships.json: 16 SHARED_CAPABILITY -> 8 Capabilities
(mfa/session/transport-tls/code_signing/anomaly_detection), 23 SUPPORTED_BY
(Hubs: vuln_identification_inventory<-SBOM-Familie 5x, vuln_remediation_patching 5x),
1 SAME_OBLIGATION (vuln_remediation_patching == provide_security_updates, MERGE-Kandidat),
42 OVERLAP_ONLY sauber verworfen. Erstentwurf der Capability-Schicht (Phase 4).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-25 19:12:17 +02:00
e46e74ddbb
feat(bridge): export 3 CRA->NIST controls (primary_implementation) for obligation_id
...
Adds SI-7/SI-2/CM-7 to controls_for_obligation_mapping.json (7 OWASP -> 10),
mapping_type=primary_implementation (the single canonical control per obligation).
proposed_obligation_id left empty for the Registry to assign. Notes aligned to the
updates family (join_keys 93): SI-2 -> provide_security_updates (strong),
SI-7 -> signed_update_integrity (partial; SI-7 broader), CM-7 ->
remote_access_attack_surface_min (partial; CM-7 broader).
Origin-only (data/tooling; backend does not load obligations/* at runtime) -> no Orca.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-25 18:57:17 +02:00
8937f105ea
feat(bridge): security-updates obligation cut (CRA Annex I (2)(c)/Art 13) — 9 obligations
...
- obligations/cra_updates.json: 9 (6 LEGAL_MINIMUM + 3 BEST_PRACTICE), Beziehungen.
Pipeline 670->318 micro->15 review-units -> Opus-Synthese. Synthese gut kalibriert ->
light review (KEINE Hart-Re-Tier, vs Auth/Remote-Access). out_of_scope M4/M7.
5 capability_candidate-Marker (signed/trusted/automatic/rollback/testing) fuer
Phase-4-Capability-Pruefung. Anker approximativ (curation.anchor_quality).
- obligation_join_keys.json: 84 -> 93 (updates 9). Alle 6 CRA-P1-Domaenen abgedeckt.
- precluster.py: updates-Scope.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-25 18:51:09 +02:00
1584b8fb2f
feat(bridge): remote-access obligation cut (CRA Annex I) — 18 obligations
...
- obligations/cra_remote_access.json: 18 (5 LEGAL_MINIMUM outcomes + 13 BEST_PRACTICE),
15 Beziehungen. Two-stage clustering 445->209 micro->27 review-units -> Opus-Synthese.
Synthese vergab 14 LM -> key-free re-tier nach Auth-Regel (Mechanismen MFA/Session/VPN/
insecure-protocol/OT/Wartungs-Governance/temp/data-export/component -> BEST_PRACTICE +
supports-Kante zur Eltern-LM). out_of_scope M5/M11 = physische Maschinen-Fernsteuerung
(MaschinenVO 2023/1230). Anker approximativ (siehe curation.anchor_quality).
- obligation_join_keys.json: 66 -> 84 (remote_access 18).
- precluster.py: remote_access-Scope.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-25 18:37:10 +02:00
a53d67a35a
feat(bridge): logging/audit obligation cut (CRA Annex I (2)(k)) + 7/7 control mapping
...
- obligations/cra_logging.json: 19 obligations (6 LEGAL_MINIMUM auf (2)(k) korrekt
verankert, 13 BEST_PRACTICE), 13 Beziehungen; out_of_scope M8/M5/M81 (AI-Act/FRT/PIN).
Two-stage clustering (2601->1361 micro->100 review-units) -> Opus-Synthese -> Kuration.
- controls_for_obligation_mapping.json: V16.1.1/V16.3.3/V16.3.4 -> event_logging_security_events
(Umbrella-LM; spezifische Alternativen via ASVS-Control-Text). Jetzt 7/7 gefuellt.
- obligation_join_keys.json: 47->66 obligation_ids (logging family).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-25 11:57:16 +02:00
3259984d1c
Fill semantic control->obligation_id (4/7; V16 pending logging cut)
...
V6.x->user_authentication_required, V11.2.1->credential_confidentiality_protection,
V11.7.1->auth_key_management; semantisch (NICHT CRA-Anker, die sind approximativ).
V16.x pending bis Logging-Cut. anchor_quality_note dokumentiert.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-25 11:44:56 +02:00
c5ecfa8f6c
feat(bridge): export 7 accepted CRA->OWASP controls for obligation_id proposal
...
CI / detect-changes (push) Successful in 5s
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / build-sha-integrity (push) Successful in 9s
CI / validate-canonical-controls (push) Successful in 5s
CI / loc-budget (push) Successful in 23s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Has been skipped
CI / test-go (push) Has been skipped
CI / iace-gt-coverage (push) Has been skipped
CI / test-python-backend (push) Has been skipped
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
obligations/controls_for_obligation_mapping.json — the Compliance Execution
Graph's accepted controls (V6 auth / V11 crypto / V16 logging) handed to the
Obligation Registry to propose the SEMANTIC control->obligation_id, replacing
the coarse citation_unit interim join (Befund 1). Registry fills
proposed_obligation_id; we then adopt it into control_mapping.obligation_id.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-25 11:36:57 +02:00
9e0a9ccef4
Add obligation_id join-key contract (cross-session bridge)
...
CI / detect-changes (push) Successful in 5s
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / build-sha-integrity (push) Successful in 8s
CI / validate-canonical-controls (push) Successful in 7s
CI / loc-budget (push) Successful in 19s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Has been skipped
CI / test-go (push) Has been skipped
CI / iace-gt-coverage (push) Has been skipped
CI / test-python-backend (push) Has been skipped
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
Macht meine Seite des Cross-Session-Vertrags konkret: obligation_id ist der stabile Join-Key
zwischen Legal Knowledge Graph (citation_spans -> obligation_id) und Compliance Execution Graph
(control_mapping.source_norm -> obligation_id). Export aller 47 obligation_ids (CRA: 11 sbom +
7 vuln + 29 auth) mit citation_units als Interim-Brücke. Disziplin: obligation_id nie neu
vergeben (re-link, Pendant zu span_id/control_uuid).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-25 10:29:29 +02:00
67dba5f641
Add CRA procedure model (SBOM + Vuln)
...
Schließt die Lücke Obligation→Procedure→Control→Evidence (Schritt 3, Compliance-OS-Ebene).
Procedure = Umsetzungs-/Nachweisebene EINER Obligation, KEINE neue Pflicht (LEGAL_MINIMUM
bleibt an der Obligation; Procedure beschreibt Umsetzung; Evidence belegt sie).
- 11 Procedures (5 SBOM + 6 Vuln), 2 Worked Examples; source_role=procedural_requirement
(Konvergenz mit der Legal-Knowledge-Engine der anderen Session)
- fulfills_obligations[] referenziert die cra.json-Obligations (alle gültig, volle Abdeckung)
- steps/controls/evidence je Procedure; KEINE tier/legal_basis-Felder (kein Pflicht-Duplikat)
- citation_spans: [] / pending_span_anchor (Join folgt mit dem zitierfähigen Re-Ingest)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-25 09:28:40 +02:00
48e39423e6
Add curated CRA authentication obligations (scaling test)
...
Erster großer Skalierungstest der Registry-Pipeline mit Zwei-Stufen-Clustering:
4408 Controls → 2134 Mikro → 170 Review Units → Opus-Synthese 54 → Kuration 29.
- Zwei-Stufen-Clustering (Mikro→Meta/Review-Unit) ist der Skalierungs-Fix für große Domänen
- harte Tier-Regel generalisiert: nur 6 LEGAL_MINIMUM (CRA fordert nur High-Level-Auth),
23 BEST_PRACTICE; MFA/Passwort/Session/Krypto = guidance_basis, kein CRA-Primärrecht
- Kuration (key-frei, regelbasiert): Krypto-Mikro→guidance · Prüf/Nachweis→evidence-Facette ·
Mechanismus-Familien behalten · eID/PSD2→out_of_scope; 6 LM unangetastet
- Provenance pro Obligation (source_meta_cluster/confidence/model/version)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-25 07:30:55 +02:00
188bb787d2
Add proposed CRA obligation relationships
...
11 human-reasoned Beziehungskanten in cra.json gemerged (dedupliziert gegen die
Pipeline-Kanten), getaggt review_status=proposed / source=human_reasoned_preview /
confidence=high. Nur die kleine Sprache depends_on / supports / produces_evidence_for;
gerichtet. Cross-Family SBOM→Vuln-Kanten erlauben dem Advisor Ursachen-/Wirkungsketten.
Damit ist der CRA-v1-Baustein vollständig: Obligations · legal_basis · guidance_basis ·
out_of_scope · relationships · pending citation anchors.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-25 00:08:47 +02:00
2645b5b043
Add draft CRA obligation registry
...
Erstes belastbares Registry-Artefakt (obligation_registry_v1) aus den validierten
SBOM+Vuln-Candidates der Obligation Discovery Pipeline.
- 18 Obligations (11 SBOM + 7 Vuln)
- 14 LEGAL_MINIMUM, alle mit legal_basis (harte Tier-Regel)
- 4 BEST_PRACTICE korrekt herabgestuft (source_role GUIDANCE/IMPLEMENTATION)
- 70 OUT_OF_SCOPE-Cluster getrennt; member_controls vollständig
- legal_basis (CRA-Primärrecht) ⊥ guidance_basis (BSI/ENISA/NIST/...)
- citation_status=pending_span_anchor (span_id folgt mit Asset 2), review_status=draft
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-24 23:52:20 +02:00
Benjamin Admin