Semantic breadth (2): each finding's CRA-AI is mapped to a network_security
sub_topic and enriched with atom-grain, framework-traceable obligations from the
shared Controls-API (compliance.atom_classification) — at the endpoint/view layer
(SessionLocal), NOT in the pure mapper. CRA-AI anchor + curated measure +
NIST/OWASP crosswalk stay the lead; this is breadth + source evidence. Only
network_security is queried (atom-grain), scoped by sub_topic + limit. Frontend
renders it under the collapsible best-practice depth (control_id · title · source).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Snapshot/history: "Snapshot speichern" + a version list (status, date, coverage)
you can click through — makes the CRA Art. 13 running system visible (backend
endpoints already live). Measure-class: each finding shows a remediation-class
badge from its CRA evidence_type ("Code-nah" = scan-locatable, code-fix in the
ticket possible; otherwise Prozess/Doku), and the measures section is relabelled
as the Sollzustand (process/build) — no auto-fix buttons on process measures.
Backend: MappedFinding now carries evidence_type.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
controls-augmentation now renders control_id + sub_topic + source_regulation
(handles both atom-grain and master-grain API shapes). The compliance-advisor
answers from atom_classification (precise, sub-topic-organized, framework-
traceable) via the shared get_controls_for_use_case API. 100% local at runtime.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Reads compliance.atom_classification (Haiku pass: relevant + sub_topic +
canonical_obligation) when present -> precise, sub-topic-organized controls per
topic; master-grain seed stays as fallback for unprocessed topics. New optional
sub_topic filter + subtopic_counts facet + granularity flag in the response.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Persist each CRA assessment as a versioned, auditable snapshot over the product
lifecycle. Reuses the existing compliance_cra_documents table (NO new schema,
frozen DB respected): doc_type='doc_risk_assessment', full assessment in
generation_context, requirements_coverage summary, auto-incrementing version,
prior version superseded. New endpoints: POST /projects/{id}/assess-snapshot,
GET /projects/{id}/assess-snapshots (history), GET /assess-snapshots/{id}.
Additive (no contract baseline change).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Add-only table for the one-time Haiku pass result: per atomic control x use-case
-> relevant? + sub_topic + canonical_obligation. Atom-grain successor to the
master-grain mc_use_case_mappings (master clustering = gpre2 object-only ->
mega-clusters, unusable). Runtime reads only this table (no live LLM).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Deterministic bridge (cra_safety_bridge.py): a cyber finding's attack capability
(remote_actuation / code_tampering / integrity_loss / auth_bypass, derived from
its CRA category) is matched against what each CE safety function is vulnerable
to. A match re-opens the mitigated hazard, flags the finding safety_impact (which
floors it to P0), and produces the cross-link. Endpoint accepts safety_functions;
frontend passes the project's safety functions and renders the LIVE cross-links
(no more hardcode). Safety functions are demo input now; come from the CE risk
assessment in production.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
CRA tab now shows the priority layer: a weights control (5 business objectives,
high/medium/low) that re-computes the assessment live; a Prio column with
P0..P3 tier badges (P0 = non-negotiable floor, reason on hover); the table in
backend priority order; and a Quick-Wins block (high impact, low effort). Demo
flags the safety-cross-linked findings as safety_impact so the P0 floor shows.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Deterministic prioritisation on top of the mapper (cra_prioritizer.py): a
non-negotiable P0 floor (safety-function compromise / actively exploited /
CRITICAL — customer weights cannot demote) plus a discretionary tier ranked by
severity x the customer's weight (high/medium/low) for the 5 business objectives
(access/data/network_api/supply_updates/monitoring). Quick-win flag (high impact,
low effort) for a second view; each finding carries a short priority reason.
Endpoint accepts weights + per-finding safety_impact/exploited. Rough pre-sort
only (devs re-sort in Jira). No DB.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
CRA tab now computes the assessment live: useCRA POSTs the scenario findings
through a new /api/v1/cra/* proxy to the backend mapper and merges the live
mapping (CRA requirement, risk, measures, NIST/OWASP crosswalk) with the
frontend scenario constants (full measure texts + cyber->safety cross-links,
until those move server-side in step 2). Falls back to the static scenario if
the backend is unreachable.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Live HTTP entry for the deterministic CRA assessment — repo-scanner findings
in, CRA Annex I mapping + risk + curated measures + NIST/OWASP golden-set
crosswalk out. Project-less (works for any customer, no CE-RA/FMEA required);
reuses the tested mapper, same logic the MCP server exposes. Additive endpoint
(no contract baseline change); no DB.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Prompt-augments the RAG-only advisor with the shared use-case->controls API:
deterministic topic detection -> local controls API -> context block, so the
agent can answer from real Control-IDs. 100% local at runtime (no Anthropic).
NOT pushed/deployed: the shared API currently returns MASTER-grain controls,
whose composition is broken (gpre2 object-only clustering -> mega-clusters).
Pending the atom-grain rework of the API. tsc + vitest green.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Per the Co-Pilot-calm principle: the findings table stays compact (Befund /
CRA-Anforderung / Risiko / Maßnahmen) and the NIST/OWASP + ISO 27001
best-practice depth is revealed per finding via a "NIST/OWASP" toggle. Keeps
the 3-layer model (CRA obligation -> measure -> best-practice depth) tidy.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Read-only layer (service + thin route + tests) that returns the controls
mapped to a use-case/topic, ranked by a deterministic precision proxy
(is_primary + mapping confidence + registry keyword relevance) over the
existing mc_use_case_mappings seed. No schema change.
Shared handoff point: the document specialist agents AND the CRA
finding-mapper draw from this one controls index instead of separate
retrievals.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Crosswalk (cra_security_crosswalk.py): deterministic, hand-curated CRA Annex I ->
NIST 800-53 Rev5 + OWASP Top 10:2021 mapping, the authoritative Security Golden
Set (no RAG; semantic breadth comes later via the shared Controls-API). Mapper
attaches NIST/OWASP refs per finding; golden-set completeness pinned by test
(every requirement has >=1 NIST ref). CRA tab now shows the NIST/OWASP best-
practice refs per finding and the full curated measure texts + norm references
(from measures_library_cra.go).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
New "CRA / Cyber" tab in the IACE project (Zusatzmodule). Treats the
Kistenhubgeraet CE project as if it had an IoT module; invented cyber findings
are mapped to CRA Annex I requirements via the REAL backend mapper output
(faithful), and crucially cross-linked to the existing CE safety hazards they
re-open (cyber defeats a mechanically-mitigated guard -> CRA x Machinery Reg).
Frontend fixture for now; live wiring to the mapper endpoint follows.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Deterministic mapper (no DB/LLM): repo-scanner findings -> the CRA Annex I
essential requirement(s) they violate -> risk level -> remediation measures +
coverage. Reuses the existing Annex I spine (cra_annex_i_data). The MCP server
(compliance/mcp/server.py, stdio) is the thin transport the external scanner
queries; all logic lives in the fully-tested mapper. Works standalone (no
project/FMEA required). No DB migrations.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- compliance-advisor.soul: Quellenschutz/Anti-Leak ersetzt durch Transparenz-
Modus (nur Dev nutzt den Agent; offene Meta-Antworten erlaubt) + ehrlicher
Hinweis, dass der Agent nur RAG sieht, NICHT die MC-DB.
- Snapshot: Impressum/DSE/AGB-Tabs immer sichtbar (Hinweis statt Verstecken bei
fehlendem Text).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Storage-Keys fehlen in Phase A (vor Consent) oft → provider blieb leer. Jetzt
fällt detect_consent_history auf den bereits aus dem Banner-DOM erkannten
banner_provider zurück → korrekter Anbieter + history_capable auch ohne
Storage-Eintrag.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Cumulative resume run added 64 new NASA NTRS docs (query/page pool then
exhausted): 164 total, 73 applicable failures, all public-use licensed.
NASA stays a generic component failure-mode library; not scaled further.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
consent_history.detect_consent_history: erkennt CMP-Anbieter (Borlabs/
Usercentrics/OneTrust/Cookiebot/…) aus Storage+Cookies, versionierten Consent
(historie-fähig) + dauerhaftes Widerruf-/Einstellungs-Widget. consent_scanner
ruft es in Phase A; scan_matrix_summary surft summary.consent_history;
browser_cross_finding: positiver Befund wenn vorhanden, sonst Best-Practice-LOW
(„Nutzer sehen, wann sie welcher Version zugestimmt haben"); BrowserBehaviorView
zeigt es im Engine-Detail. Tests: 7 (classify/versioned) + 2 Cross-Finding.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
User-Bug (BMW): Banner überlagert, aber Footer-Links (Impressum/DSE) bleiben
klickbar → fehlender In-Banner-Link ist dann nur Best Practice, kein Verstoß.
banner_text_checker misst per Playwright-trial-Klick, ob der Footer-Impressum/
DSE-Link trotz Banner erreichbar ist: erreichbar → LOW/Best-Practice (+ Borlabs-
Consent-Historie-Hinweis), blockiert → HIGH/MEDIUM wie bisher. browser_cross_
finding: redundante (nicht footer-bewusste) "Link im Banner fehlt"-Befunde raus.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
User-Feedback umgesetzt: Cookie-Titel-Fix (rendern nicht mehr als nacktes
"Befund" — Titel aus cookie/type/vendor), Executive Summary oben, je Modul
Statistik (Counts + Severity-Balken + MCs) + nur Top-3 Befunde + Verweis auf
"N weitere" mit Frontend-Link (snapshot_id) + Zwischenfazit, Browser-Übersicht,
Gesamtanalyse, klarerer "Grenzen"-Satz, Report-Versionsnummer. 6 Tests grün.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Load the prior manifest, seed the seen-set from it + anthropic.jsonl, and add
MAX_DOCS NEW docs per run (100->200->...) instead of re-processing the first
batch and overwriting the register. Widen NTRS paging to page.from 0..400 so
enough fresh usable docs are found after the skip.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
100 NASA NTRS docs processed (Claude Haiku 4.5), 55 applicable failures
extracted with verbatim source quotes; all licences public-use-permitted
(NTRS GOV_PUBLIC_USE_PERMITTED / PUBLIC_USE_PERMITTED), each passes the
failure-knowledge allowlist. Register now serves the real corpus in the
FMEA "Quelldokumente" panel.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Quote-verifiable failure extraction via Claude (Haiku 4.5): PDF sent
directly, tool-schema forces verbatim source quotes + applicable flag +
confidence — replaces the unreliable local llama run. Only applicable=true
tuples ingest into bp_iace_failure_kb; every processed doc lands in the
source manifest.
Frontend: FMEA tab now shows a "Quelldokumente" register (every document we
use, with source + licence + link + what was extracted) served from the
embedded manifest via GET /iace/failure-knowledge/sources. Manifest is
placeholder until the 100-doc Haiku run is folded in.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Schnelltest-nur-Chrome wieder entfernt (User: Banner-Test soll IMMER alle
Browser abdecken). Ein primärer Button im Leerzustand + "Erneut testen" im
Ergebnis-Kopf; beide lösen die volle Matrix aus.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Stage 1 of the FailureKnowledge bulk loader: harvest NASA NTRS
lessons-learned with a strict public-reuse gate (NTRSUsable: public
release, not export-controlled/EAR/ITAR, not CUI, PUBLIC_USE_PERMITTED,
no third-party copyright). NTRSPDFURL prefers the PDF download for
downstream text/OCR extraction. GET /iace/failure-knowledge/ntrs runs
the live harvest and returns only the licence-clean records.
Pure parse/gate helpers are fixture-tested (usable vs ITAR / third-party
/ restricted / video-only); accepted licences also pass the FK allowlist.
Next: tuple extraction (abstract -> FailureKnowledge) + Playwright/OCR for
scanned PDFs -> bp_iace_failure_kb.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Korrektheit (§ 25 TDDDG): "Cookies vor Consent" ist KEIN Verstoss per se —
technisch notwendige Cookies inkl. des Consent-Cookies (speichert die
Ablehnung) sind nach Abs. 2 erlaubt. Verstoss ist nur nicht-essentielles
TRACKING vor Consent.
- browser_cross_finding: Befund haengt jetzt an violations.before_consent
(Tracking), nicht an der Cookie-Rohzahl; § 25 Abs. 2-Hinweis im Detail.
Regressionstest: Cookies-ohne-Tracking → KEIN Befund.
- multi_browser_scanner._extract_dimensions: Score nutzt Tracking-Violations
+ reject_respected-Verdikt statt Rohzahl (Fallback erhalten).
- BrowserBehaviorView: "Cookies vor Consent" nur rot/⚠ bei Tracking,
"nach Ablehnen" neutral (Verdikt = reject-Spalte); erklaerende Zeile.
Speed: run_consent_test ueberspringt im Matrix-Modus (browser_profile gesetzt)
die teuren Phasen C/D-F/G — nur A+B noetig. Verhindert das 504 beim
Multi-Engine-Scan (BMW 4 Engines lief sonst in den 338s-Gateway-Timeout).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
E2E auf BMW (macmini, arm64) zeigte: nur Chromium lief, Firefox/WebKit/Mobile-
Safari scheiterten mit "Host system is missing dependencies to run browsers".
Die manuell gepflegte apt-Lib-Liste war fuer Gecko/WebKit unvollstaendig.
`playwright install-deps chromium firefox webkit` (als root) installiert den
vollstaendigen OS-Dep-Satz → alle Engines starten. Betrifft beide Arches.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- browser_cross_finding: deterministische Sicht ueber die Matrix (keine 2.
Engine, kein LLM). Findet Inkonsistenzen ZWISCHEN Browsern (Cookies vor
Consent / Ablehnen nicht universell respektiert / Banner-Links fehlend) und
ordnet ein: Safari-ITP / Brave-Shields / Firefox-ETP maskieren Verstoesse
clientseitig → strenge Engine "sauber" ist KEIN Compliance-Beleg, massgeblich
sind die nachgiebigen (Chrome/Edge). Coverage-Hinweis fuer nicht verfuegbare
Browser. Je Befund Titel/Detail/Severity/affected/Massnahme.
- snapshot_check_routes: cross_findings frisch in run + GET (nicht persistiert).
- BrowserBehaviorView: "Cross-Browser-Befunde"-Block ueber der Tabelle.
- Tests: test_browser_cross_finding (6).
Offen (Folge-Task): Borlabs-Consent-Historie-Live-Erkennung (braucht
consent-tester-Storage-Scan).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- check_snapshot: update_browser_matrix/load_browser_matrix — migrationsfrei
in banner_result.browser_matrix (JSONB jsonb_set, eigener scanned_at)
- snapshot_check_routes: POST /snapshots/{id}/browser-behavior/run laeuft
/scan-matrix LIVE (Re-Crawl je Engine, nur live messbar), persistiert das
Ergebnis; GET /snapshots/{id}/browser-behavior liefert die gespeicherte
Matrix ohne Re-Crawl. Profil-Set = 4 Default-Engines + Brave/Chrome/Edge.
- consent-tester multi_browser_scanner: Semaphore(2) gegen OOM (7 Browser
parallel sprengten das 2g-mem_limit)
- Pydantic-Modell mit Optional[List[...]] (nicht `| None`) → Py3.9-sicher
- Tests: _snapshot_scan_url + Request-Defaults (5)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
P1 of the auto-FMEA build plan: establish the public-domain methodology
foundation (no AIAG-VDA/SAE/IEC tables reproduced).
- fmea_data_sources.go: MIL-STD-882E severity (Cat I-IV→1-10) + probability
(A-F→1-10 with per-hour λ bands), OccurrenceFromRate(λp·α), SeverityForCategory,
MIL-STD-1629A CriticalityCm = λp·α·β·t. Own 1-10 projection, government-anchored.
- 4 versioned source docs (MIL-STD-1629A, MIL-STD-882E, NASA RCM, FMD-91/NPRD-91)
ingested into the new RAG collection bp_iace_fmea_kb (whitelisted).
- Tests for all scales/mappings/criticality (green).
Next (P1 step 2): fetch FMD-91/NPRD-91 bulk λ/α tables from DTIC.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Dockerfile: Brave-apt-Repo + `playwright install --with-deps chrome msedge`,
beide hinter TARGETARCH=amd64-Gate und best-effort (|| echo) → arm64-Dev-
Builds (macmini) brechen NICHT, laufen mit den 4 Default-Engines; Brave/
Chrome/Edge sind amd64-only opt-in-Extras (EXTRA_PROFILES).
- docker-compose.hetzner.yml: consent-tester auf linux/amd64 (statt arm64-
Emulation auf Orca) — Voraussetzung dafuer, dass die echten Browser
ueberhaupt installiert werden.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
run_consent_test nimmt jetzt browser_profile (browser_profiles.py): Firefox/Gecko,
WebKit/Safari oder Blink (Chromium-Default / Chrome-/Edge-Channel / Brave via
executable_path). Rückwärtskompatibel: None → Chromium wie bisher. Fundament für
die echte /scan-matrix (Stage-1.b-Shim), die als nächstes Profile durchreicht.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
#1/#2 (kein-Banner-affirmativ) feuerte nicht, weil der no-banner-Pfad bei
Zeile 220 früh zurückkehrt — vor dem Edge-Case-Block am Funktionsende.
Logik in _apply_edge_case_findings extrahiert und an BEIDEN Return-Pfaden
aufgerufen (Früh-Return + Ende). Damit greift #1 jetzt auf statischen Seiten.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
#1/#2: Wenn KEIN Banner erkannt UND kein Tracking vor Consent (statische Seite
oder nur technisch notwendige Cookies, §25 Abs.2 TDDDG) → affirmativer LOW-Befund
"konform, kein Banner nötig" statt stillem "Banner fehlt". Inkl. Geo-Caveat
(Scan außerhalb EU sieht geo-getargetete Banner evtl. nicht).
#3: detect_non_cookie_tracking erkennt Pixel/Fingerprinting per Domain-Signatur
(Meta, TikTok, LinkedIn, Pinterest, Clarity, FingerprintJS, Hotjar, Reddit,
Snapchat) → MEDIUM-Befund "§25/Art.5(3) gilt auch ohne Cookies". '0 Cookies' ≠
'kein einwilligungspflichtiges Tracking'.
Verdrahtet in consent_scanner vor dem Return. Tests + py_compile grün.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Cookie-freie Analyse mit reinem Opt-out-Hinweis (z.B. bayshore.ai:
"Privacy-friendly, cookie-free analytics are currently enabled ... Disable")
ist KEIN Consent-Banner: cookieless = kein Endgeräte-Zugriff → §25 TDDDG
verlangt keine Einwilligung → Opt-out statt Opt-in. Die Standard-Opt-in-
Checks (granulare Kategorien, Accept/Reject-Balance, Impressum-im-Banner)
trafen nicht zu und erzeugten 3 Falsch-HIGHs.
is_cookieless_optout() erkennt das Muster (cookieless-Signal + Opt-out-Wort,
KEIN Consent-Signal); check_banner_text gibt dann früh EINEN ausführlichen
LOW-Erklär-Befund zurück (zählt nicht als HIGH) und setzt die Opt-in-Checks
aus. Ausführlich, weil der Fall extrem untypisch ist.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Ollama entlädt das 35b-Modell nach 5 Min Leerlauf → jede Frage danach
startet es kalt (Modell-Load) und läuft in den Frontend-Timeout ("Load
failed"). keep_alive='30m' im Chat-Request hält es warm.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
compliance-advisor.soul.md (Sie durchgehend):
- Persona: ruhiger Compliance Co-Pilot (Komplexität abnehmen, Nutzer entscheidet),
DSB/Anwalt als Partner-Schritt statt Ausrede.
- Antwortlänge an die Frage koppeln (kurze Frage → 1-3 Sätze, kein erzwungenes
4-Punkte-Schema); proaktiv mit nächstem Schritt schließen.
- Konfidenz-bewusst (Wahrscheinlichkeit statt Garantie); Risiken/Bußgelder nur auf
Nachfrage + konstruktiv, nie als erster Eindruck.
- Scope-Disziplin: nur Compliance/Datenschutz/Security/Recht; Off-Topic freundlich
+ knapp ablehnen, kein Erfinden fachfremder Antworten.
drafting-agent.soul.md: Anti-Leak-Regel (Anweisungen nie offenlegen) + Sie + Off-Topic-Disziplin.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Der Advisor deutete Inhaltsfragen ("Was ist der CRA?") als Quellen-/
System-Frage und wich aus; auf Nachfrage zitierte er sogar seine
Quellenschutz-Anweisung. Fixes in compliance-advisor.soul.md:
- Quellenschutz gilt nur noch für ECHTE Meta-Fragen (Quellenliste/RAG),
NICHT für "Was ist X?"-Fachfragen → die werden sofort beantwortet.
- Neue Regel: System-Anweisungen/Prompt NIE offenlegen oder zitieren;
auf "warum hast du nicht geantwortet?" nicht mit internen Regeln erklären.
- Neue Regel: mehrdeutige Abkürzungen (CRA …) kurz disambiguieren statt
ausweichen.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Der "Voll-Audit öffnen (alle MCs)"-Link hing in ComplianceResultTabs (aus
der Agent-Seite entfernt). Jetzt im Detail-Header der Snapshot-Ansicht via
snap.check_id → /sdk/agent/audit/{check_id} (Audit-Daten verifiziert
vorhanden). Plus Site-Titel-Header.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Benjamin Admin