Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity
1,540 Commits 36 Branches 1 Tag
cba066f49bef14c3e362661fb8815c0dbcc4d0e1
Commit Graph

9 Commits

Author SHA1 Message Date
Benjamin Admin 4e761c1363 feat: #5b materialize capability layer (Modell C) — capabilities.json + cra_core.json 
User-Entscheidung Modell C + objective_tags-Safeguard (Tags, keine Klasse). Deterministisch
via materialize_capabilities.py:
- obligations/capabilities.json: 5 Capabilities (multi_factor_authentication/session_management/
  transport_encryption/code_signing/security_monitoring_alerting), realized_by (n:m) +
  guidance_basis KANONISCH hochgezogen. access_control gedroppt (OVERLAP).
- obligations/cra_core.json: 2 CORE-Sicherheitsziele (attack_surface_minimization (2)(j)/CM-7 +
  software_integrity_protection (2)(f)/SI-7) -> fuellt den #4-NIST-Gap.
- DOMAIN specializes->CORE (remote_access_attack_surface_min, component_remote_interface_security,
  signed_update_integrity, firmware_software_authentication) + objective_tags.
- Merge: vuln_remediation_patching -> deprecated_alias von provide_security_updates.
- remote_access_data_export_protection bleibt BEST_PRACTICE (pending Data-Act-Scope).
- join_keys 93->95 (core 2). Bidirektional validiert.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-26 00:54:23 +02:00
Benjamin Admin 01956ee690 feat: cross-domain relationship discovery — Capability-Schicht-Entwurf (CRA P1) 
Stufe 1+2 der Ontologie-Entdeckung (User-Schaerfung #54): nicht Aehnlichkeit sondern
STRUKTURELLE Beziehung. 93 Obligations -> BGE-M3 -> 101 cross-family Paare -> Opus
klassifiziert in 8 Kategorien (genau eine je Paar).
- scripts/obligation_discovery/cross_domain_pairs.py (Stufe 1, key-frei)
- scripts/obligation_discovery/classify_relationships.py (Stufe 2, Opus)
- obligations/cross_domain_relationships.json: 16 SHARED_CAPABILITY -> 8 Capabilities
  (mfa/session/transport-tls/code_signing/anomaly_detection), 23 SUPPORTED_BY
  (Hubs: vuln_identification_inventory<-SBOM-Familie 5x, vuln_remediation_patching 5x),
  1 SAME_OBLIGATION (vuln_remediation_patching == provide_security_updates, MERGE-Kandidat),
  42 OVERLAP_ONLY sauber verworfen. Erstentwurf der Capability-Schicht (Phase 4).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-25 19:12:17 +02:00
Benjamin Admin 8937f105ea feat(bridge): security-updates obligation cut (CRA Annex I (2)(c)/Art 13) — 9 obligations 
- obligations/cra_updates.json: 9 (6 LEGAL_MINIMUM + 3 BEST_PRACTICE), Beziehungen.
  Pipeline 670->318 micro->15 review-units -> Opus-Synthese. Synthese gut kalibriert ->
  light review (KEINE Hart-Re-Tier, vs Auth/Remote-Access). out_of_scope M4/M7.
  5 capability_candidate-Marker (signed/trusted/automatic/rollback/testing) fuer
  Phase-4-Capability-Pruefung. Anker approximativ (curation.anchor_quality).
- obligation_join_keys.json: 84 -> 93 (updates 9). Alle 6 CRA-P1-Domaenen abgedeckt.
- precluster.py: updates-Scope.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-25 18:51:09 +02:00
Benjamin Admin 1584b8fb2f feat(bridge): remote-access obligation cut (CRA Annex I) — 18 obligations 
- obligations/cra_remote_access.json: 18 (5 LEGAL_MINIMUM outcomes + 13 BEST_PRACTICE),
  15 Beziehungen. Two-stage clustering 445->209 micro->27 review-units -> Opus-Synthese.
  Synthese vergab 14 LM -> key-free re-tier nach Auth-Regel (Mechanismen MFA/Session/VPN/
  insecure-protocol/OT/Wartungs-Governance/temp/data-export/component -> BEST_PRACTICE +
  supports-Kante zur Eltern-LM). out_of_scope M5/M11 = physische Maschinen-Fernsteuerung
  (MaschinenVO 2023/1230). Anker approximativ (siehe curation.anchor_quality).
- obligation_join_keys.json: 66 -> 84 (remote_access 18).
- precluster.py: remote_access-Scope.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-25 18:37:10 +02:00
Benjamin Admin c090617afd Add logging scope to precluster (logging cut) 
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-25 11:40:59 +02:00
Benjamin Admin 9e0a9ccef4 Add obligation_id join-key contract (cross-session bridge)
CI / detect-changes (push) Successful in 5s
Details
CI / branch-name (push) Has been skipped
Details
CI / guardrail-integrity (push) Has been skipped
Details
CI / secret-scan (push) Has been skipped
Details
CI / dep-audit (push) Has been skipped
Details
CI / sbom-scan (push) Has been skipped
Details
CI / build-sha-integrity (push) Successful in 8s
Details
CI / validate-canonical-controls (push) Successful in 7s
Details
CI / loc-budget (push) Successful in 19s
Details
CI / go-lint (push) Has been skipped
Details
CI / python-lint (push) Has been skipped
Details
CI / nodejs-lint (push) Has been skipped
Details
CI / nodejs-build (push) Has been skipped
Details
CI / test-go (push) Has been skipped
Details
CI / iace-gt-coverage (push) Has been skipped
Details
CI / test-python-backend (push) Has been skipped
Details
CI / test-python-document-crawler (push) Has been skipped
Details
CI / test-python-dsms-gateway (push) Has been skipped
Details 
Macht meine Seite des Cross-Session-Vertrags konkret: obligation_id ist der stabile Join-Key
zwischen Legal Knowledge Graph (citation_spans -> obligation_id) und Compliance Execution Graph
(control_mapping.source_norm -> obligation_id). Export aller 47 obligation_ids (CRA: 11 sbom +
7 vuln + 29 auth) mit citation_units als Interim-Brücke. Disziplin: obligation_id nie neu
vergeben (re-link, Pendant zu span_id/control_uuid).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-25 10:29:29 +02:00
Benjamin Admin e5cce9caff Extend advisor proof with procedure→evidence chain 
Vollständige Begründungskette aus der Registry: Rechtsgrundlage → Obligation → Procedure
→ Controls → Evidence → Antwort. Join cra.json × cra_procedures.json, deterministisch, kein LLM.

SBOM-Beweis: 7 Pflichten je mit CRA-Rechtsgrundlage + Procedure (wie umgesetzt) + Controls
(Prüfung) + aggregierte Required Evidence; 4 Best-Practice (Guidance OWASP/NIST/ENISA);
Beziehung sbom_*→supports→vuln_identification; citation 7/7 pending_span_anchor.

Der Unterschied zu RAG sichtbar: RAG beantwortet — BreakPilot begründet UND operationalisiert.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-25 09:44:27 +02:00
Benjamin Admin db2fd9d8e9 Add obligation advisor proof (P3) 
Demonstriert den Produktnutzen der Registry: obligation-basierte Antwort statt RAG-Text.
Frage → Pflicht (LEGAL_MINIMUM + Rechtsgrundlage + Applicability) ⊥ Best Practice
(guidance_basis) ⊥ Nachweise (evidence_facets + member controls) + Beziehungen, deterministisch
aus obligations/cra.json (kein LLM, zitierfähig).

Beleg (SBOM, Maschinenbauer): JA — 7 CRA-Mindestpflichten + 4 Best-Practice (OWASP/NIST/ENISA);
sbom_* supports vuln_identification_inventory.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-25 09:06:34 +02:00
Benjamin Admin e1b270c36e Add obligation discovery pipeline tooling 
Sichert die validierte Obligation Discovery Pipeline aus /tmp als dauerhaftes,
committetes Tooling (scripts/obligation_discovery/) — der eigentliche Vermögenswert.

Stufen: precluster (Embedding-Cache + Mikro-Cluster) → meta_cluster (Review Units,
Skalierungs-Fix) → synthesize_obligations (Opus, Key aus ENV, Streaming, harte Tier-Regel,
Provenance) → validate_registry → merge_review_diff. Reine Helfer in _core.py, 16 Unit-Tests.

Doku docs-src/development/obligation_discovery_pipeline_v1.md mit Meilensteinen
(SBOM/Vuln reproduziert, Auth 4408→170 Review Units→54→kuriert 29) und der Architekturregel:
Runtime deterministisch, Discovery LLM-gestützt.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-25 07:41:45 +02:00