The last edge of the compliance graph: what concrete, fresh evidence proves a
framework control is met (config_export/test_report/sbom/audit_log/pentest/...
from github/ci/scanner/manual_upload, with a freshness requirement).
Seeded for all 7 accepted CRA->OWASP controls (Auth/Crypto/Logging). A graph
test enforces connectivity: every accepted control must carry >=1 required
evidence — no dangling node in Obligation -> Control -> Evidence.
This is what will let the Advisor state "the CRA requirement is fulfilled" from
present evidence, not from the mere existence of a document.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
7 accepted, 13 rejected (reviewed_by=benjamin, 2026-06-25). The accepted set is
the first audited ground truth of the compliance graph:
(2c) Zugriff -> V6.3.1, V6.1.1 (Auth)
(2d) Crypto -> V11.2.1, V11.7.1 (corrected from the retriever's wrong V14)
(2k) Logging -> V16.3.3, V16.3.4, V16.1.1
Rejected stay as audit trail. (2e) integrity, (2l) updates, (2i) attack surface
rejected with reason "OWASP ASVS not the right target standard, map via NIST/BSI"
— architectural proof for the multi-framework framework_* layer.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- DROP confidence from the persisted mapping: a curated mapping is a
professional statement, not an AI guess (retriever score -> rationale only).
- ADD mapping_status (candidate|accepted|rejected|superseded) — the review state.
- ADD audit trail (reviewed_by/review_date/review_reason); accepted/rejected
fail-closed without it.
- EXTEND mapping_type: + implements, + contradicts.
- Advisor truth = mapping_status=accepted (acceptedOnly filter).
- migrate the 18 CRA->OWASP rows to mapping_status=candidate.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
18 retriever_candidate mappings generated via the sdk-dev control-intent
retriever. All marked retriever_candidate (NOT curated truth) — the review
step turns the good ones into human_curated.
Empirical validation of the A-decision: the retriever proposes, but produces
wrong candidates (e.g. encryption -> V14 Config instead of V11 Crypto;
V14.2.4 over-appears) that only human review catches. Review notes inline.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Versioned JSONL store + Go model for Regulation->Control mappings, per the
A-decision: the retriever only PROPOSES candidates; the curated mapping is the
audited truth the Advisor uses at runtime, never re-invented per query.
- ControlMapping struct (source_norm/source_role/target_framework/target_control/
mapping_type/confidence/provenance/rationale/version)
- enum validation (rule layer), fail-closed loader, forward+reverse index,
curated-only filter (IsCurated)
- seed: 2 retriever_candidate rows CRA Annex I -> OWASP ASVS (not yet curated)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Benjamin Admin