Load the prior manifest, seed the seen-set from it + anthropic.jsonl, and add
MAX_DOCS NEW docs per run (100->200->...) instead of re-processing the first
batch and overwriting the register. Widen NTRS paging to page.from 0..400 so
enough fresh usable docs are found after the skip.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
100 NASA NTRS docs processed (Claude Haiku 4.5), 55 applicable failures
extracted with verbatim source quotes; all licences public-use-permitted
(NTRS GOV_PUBLIC_USE_PERMITTED / PUBLIC_USE_PERMITTED), each passes the
failure-knowledge allowlist. Register now serves the real corpus in the
FMEA "Quelldokumente" panel.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Quote-verifiable failure extraction via Claude (Haiku 4.5): PDF sent
directly, tool-schema forces verbatim source quotes + applicable flag +
confidence — replaces the unreliable local llama run. Only applicable=true
tuples ingest into bp_iace_failure_kb; every processed doc lands in the
source manifest.
Frontend: FMEA tab now shows a "Quelldokumente" register (every document we
use, with source + licence + link + what was extracted) served from the
embedded manifest via GET /iace/failure-knowledge/sources. Manifest is
placeholder until the 100-doc Haiku run is folded in.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Stage 1 of the FailureKnowledge bulk loader: harvest NASA NTRS
lessons-learned with a strict public-reuse gate (NTRSUsable: public
release, not export-controlled/EAR/ITAR, not CUI, PUBLIC_USE_PERMITTED,
no third-party copyright). NTRSPDFURL prefers the PDF download for
downstream text/OCR extraction. GET /iace/failure-knowledge/ntrs runs
the live harvest and returns only the licence-clean records.
Pure parse/gate helpers are fixture-tested (usable vs ITAR / third-party
/ restricted / video-only); accepted licences also pass the FK allowlist.
Next: tuple extraction (abstract -> FailureKnowledge) + Playwright/OCR for
scanned PDFs -> bp_iace_failure_kb.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
P1 of the auto-FMEA build plan: establish the public-domain methodology
foundation (no AIAG-VDA/SAE/IEC tables reproduced).
- fmea_data_sources.go: MIL-STD-882E severity (Cat I-IV→1-10) + probability
(A-F→1-10 with per-hour λ bands), OccurrenceFromRate(λp·α), SeverityForCategory,
MIL-STD-1629A CriticalityCm = λp·α·β·t. Own 1-10 projection, government-anchored.
- 4 versioned source docs (MIL-STD-1629A, MIL-STD-882E, NASA RCM, FMD-91/NPRD-91)
ingested into the new RAG collection bp_iace_fmea_kb (whitelisted).
- Tests for all scales/mappings/criticality (green).
Next (P1 step 2): fetch FMD-91/NPRD-91 bulk λ/α tables from DTIC.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- architecture.go: DataSources now reflect the real ingested set (ESAW 2023,
BLS CFOI, OSHA OTM, PRISM, cobot CC-BY, HSE) with their RAG collections;
risk stage cites BLS + the searchable RAG layer; matrix stage now mentions
the distance-benchmark dimension.
- Architektur & Datenfluss tab: new DataFlowDiagram — 4 lanes (input →
knowledge/RAG-evidence → deterministic engine → outputs) with live counts.
- scripts/ingest_iace_kb.sh: idempotent E1 ingest — creates the 2 collections
and uploads the 6 datasources docs against a configurable RAG_URL (for prod
Qdrant), with retry.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Cross-checked cobot_biomech_limits.md against both source papers:
- Behrens et al. 2022 (Frontiers): 10 body regions spot-checked, force
values match the paper EXACTLY in both columns (pinching + impact).
- Park et al. 2019 (PLOS ONE): lowest/highest/range pressure values exact.
Fix: 28 -> 29 body locations; add a verification stamp. Threshold VALUES
were already correct (no data change), so no RAG re-ingest needed.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Versioned, license-tagged source docs for the multi-layer GT knowledge base,
ingested into the new core RAG collection bp_iace_safety_kb (whitelisted in
the RAG search handler):
- prism_risk_methodology.md — OPSS PRISM v2 (OGL v3): full severity(4)×
probability(8) → risk-level matrix (Serious/High/Medium/Low), RAPEX-aligned.
- cobot_biomech_limits.md — CC BY 4.0 papers (Behrens 2022 / Park 2019):
force (N) & pressure (N/cm²) pain thresholds by body region (the data behind
ISO/TS 15066, cited from the open papers — standard tables NOT reproduced).
- hse_example_risk_assessments.md — HSE (OGL v3): qualitative hazard→control.
- osha_robot_safety.md — OSHA OTM (public domain): 250 mm/s teach anchor,
robot hazard taxonomy, safeguarding hierarchy.
No DIN/EN/ISO/IEC/DGUV content reproduced; each doc states its license + attribution.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
US severity anchor complementing ESAW: BLS Census of Fatal Occupational
Injuries (public domain), event/exposure distribution 2023-24 + the
machine-relevant "Contact incidents" breakdown (struck/caught/compressed
by running powered equipment: 226/213). Key finding: in MANUFACTURING,
contact is the leading fatal event (104/353 = 29.5%) — independent support
for the model's mechanical-contact emphasis. Ingested into the core RAG
collection bp_iace_accident_stats.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
C1: drop the misleading OSHA §1910.212(a)(5) fan-guard citation from M602
(overhead lift clearance) — EN 349 + EN ISO 13854 already cover it.
C2: frame M237's 25/500 mm as Richtwerte to be determined per EN ISO 13854
(single factual values in prose are facts, not table reproduction — but
keep the conservative caveat).
C3: keep ergonomic W=2 deliberately and document why — ESAW ranks it the most
frequent non-fatal mode (24.7%) but that population doesn't transfer to an
acute machine point-hazard; the machine GT governs.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adding M605 (drive-limited general speed) and M606 (limited descent on
energy loss) to the library wasn't enough — measures only get suggested
if a pattern's SuggestedMeasureIDs references them. Add M605 to the three
lift crush patterns and M606 to the floor-stop descent pattern (HP2100),
so a re-seed actually attaches them and the distance benchmark closes the
≤150 mm/s gap.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
CompareBenchmark now also compares the engine's numeric dimensions
(mm gaps, mm/s speeds) against the professional's GT measures: parses
distance tokens from both sides (German thousands/decimal aware),
reports matched / gt_only (gaps) / engine_only + an agreement %.
Surfaces as result.distances on the existing benchmark endpoint.
Deterministic, no LLM. On the GT-derived seed sessions it mainly guards
DRIFT; its real value is new sessions. Real-GT test pins that the engine
covers the Bremse (250 mm/s, 250/850 mm) and Kistenhub (25/120 mm,
150/75 mm/s) headline dimensions.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The GT distance benchmark surfaced three Fachmann lift values the engine
carried no measure for: general lift/lower speed (≤150 mm/s), the low-zone
inching regime (<200 mm floor clearance, ≤75 mm/s), and limited descent on
power loss (≤100 mm). Extend M603 (inching) and add M605 (drive-limited
general speed) + M606 (load-holding on energy loss). Values framed as
generic hoist recommendations with EN 1570-1 reference, not GT-memorised.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Makes the OSHA minimum-distance anchor visible per measure in a project
without a DB schema change or re-seed: persisted mitigations store the
measure NAME verbatim (not the catalog ID), and measure names are unique
across the 578-entry library (pinned by test), so a name→ID resolver
bridges the gap.
Backend: MeasureIDByName + MinimumDistancesForMeasureName/LinksForMeasureName;
/iace/minimum-distances now accepts ?measure_name=; link table enriched with
measure_name for one-request UI matching.
Frontend: useMinimumDistances loads the link table once and keys it by name;
OshaDistanceNote renders the anchor (value/CFR/license/EU-hint/relation) on the
matching measure group in the Maßnahmen tab.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Executes the accident-statistics pipeline for the risk anchors:
- Refresh contactModeEvidence with real Eurostat ESAW figures
(dataset hsw_ph3_08, reference year 2023): impact 24.0%/21.4%,
struck-by 13.0%/23.8%, sharp 14.5%, trapped/crushed 13.8% (fatal),
+ new physical/mental-stress mode 24.7% → ergonomic. GT-calibrated
tier VALUES unchanged; the real data confirms the ordering.
- Add the versioned source document (datasources/esaw_accident_stats_2023.md,
ESAW CC BY 4.0 + OSHA public-domain context) that is ingested into the
core RAG collection bp_iace_accident_stats for searchable evidence.
- Whitelist bp_iace_accident_stats in the RAG search handler so seeding
can full-text search the statistics with citation at seed time.
Two-layer design: the small license-tagged code table stays the deterministic
tier/citation lookup; the RAG holds the searchable source evidence.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The May-built OSHA distance library (minimum_distances.go, 29 CFR 1910,
US public domain) was dead code — zero callers, no route, no test, while
the mm values that actually appear in measures are independent hand-prose
(some carrying ISO 13854/13857 values, not OSHA).
This surfaces it without touching the measures response contract:
- GET /iace/minimum-distances (+ ?measure_id=) returns the distances, the
curated measure→distance link table and the licensing note.
- AllMeasureDistanceLinks/MinimumDistancesForMeasure resolve only the
defensible links (M600 value_source; M254/M065 public-domain crossref to
ISO), with the relation made explicit so the join stays honest.
- architecture.go lists the OSHA library so it shows in the audit explainer.
- Tests: inch→mm conversion + license completeness, link integrity, and a
consistency test pinning that a value_source measure's prose still
matches the OSHA source (codifies the audit finding as a regression gate).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds an auditor-facing view of the IACE engine: a clickable 10-stage
pipeline flow (Grenzen-Formular → ParseNarrative → Pattern-Gates →
Relevanz → Caps → Gefährdungen → Maßnahmen → Risiko → Normen → Matrix),
plus live library counts, the data-source/license register (incl. the
DIN/Beuth + DGUV exclusions), and the norm-matching logic that reconciles
DIN/ISO/OSHA machine-type vocabulary via canonicalMachineType folding.
Backend: BuildArchitecture() with LIVE counts so the diagram can never
drift; GET /iace/architecture; collectAllNorms() extracted from
SuggestNorms as the single source of truth for the norm-library count.
Frontend: useArchitecture hook + page + new IACE nav tab.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Surfaces the public-statistics provenance for the contact-mode probability
tiers so generated risk numbers are auditable and attributed (not RAG —
~a dozen stable aggregate facts are better as a license-tagged code table).
- risk_data_sources.go: RiskEvidence register (Eurostat ESAW figures + CC BY
4.0 attribution) for the documented contact modes; RiskDataSourcesNote.
- risk_suggestion.go: the W justification now cites the actual ESAW share +
license where documented; RiskSuggestion gains a data_source field.
- GET /iace/risk-data-sources returns the evidence register + attribution.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Adds GET /projects/:id/risk-matrix — a confidence-aware risk view computed
on read from each hazard's category/scenario/lifecycle using the SAME model
as the GT benchmark (no persistence, so it never goes stale against the
model; the hand-defaulted iace_hazards risk columns stay untouched).
- risk_matrix.go: EstimateHazardRisk (single source of truth for S/F/W/P +
range + level + confidence) and BuildRiskMatrix (per-hazard list + a 5×5
Severity×Probability aggregation grid with dominant level per cell).
- Frontend: RiskMatrix grid in the Risikobewertung tab (muted colours per
the confidence-aware tonality), level counts + tool-confidence summary,
fed by useRiskMatrix. Shows risk for EVERY project, not only GT ones.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Report the tool's risk number as a plausible range with a confidence
label instead of a false-precision point value (confidence-aware
tonality — the assessment is confirmed by the DSB / safety expert).
- risk_estimation.go: EstimateConfidence (hoch/mittel/niedrig from how the
contact mode resolved), EstimateRiskRange (S±1 and aggregate L=F+W+P ±1,
the empirically validated per-parameter accuracy), RiskLevelRange; share
the riskBandLabel thresholds with EstimateRiskLevel.
- risk_benchmark.go: RiskComparisonPair gains eng_risk_point/low/high +
level + level_range + confidence; RiskAgreement gains high_confidence_pct.
- RiskComparison.tsx: per-hazard range "low–high (level range)" + point,
confidence chip, and an aggregate confidence line; types in useBenchmark.ts.
- Unit tests for the range/confidence helpers.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Domain-gate ~15 foreign machine classes (pool, amusement, paint booth,
tank farm, reactor, lathe/chips, saw, film/carton, robot, mobile cab,
asbestos, playground swing) in pattern_domain_gates.go so ungated hazard
patterns stop leaking into unrelated machines; matching emit keywords
added in keyword_dictionary.go (gate+emit share one vocabulary).
- Extend the cross-domain precision guard to 6 machine classes (press,
cobot, motor, welding + the 2 GTs) with per-case homeDomains, so a
machine's own domain terms are never flagged. GT coverage stays 100%.
- Reconcile the fine-grained norm machine-type vocabulary (455 keys) with
the 68 canonical dropdown keys via canonicalMachineType() family folding
in matchNorm — welding 0->17, robotics_cobot 0->6, press 8->13,
circular_saw 1->35 machine-specific C-norms. Pattern gating left strict.
- Fix initialize?force=true summary index-shift that mislabeled counts
(reported matched-patterns as "hazards"); now uses named step vars.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Resolved .claude/rules/loc-exceptions.txt: removed the temporary
iace_handler_init_helpers.go exception — the file is now split to 455 lines
(< 500) in commit afb3f83, so the exception is no longer needed (per the note
the other session left on that entry).
[guardrail-change]
Engine precision (stop foreign-machine patterns leaking into a project):
- Wire project.MachineType into the engine machine-type gate (empty input no
longer fires every machine class — press/cnc/excavator/crane/medical...).
- Capability-domain gating extended by 7 domains (outdoor, ventilation,
machining, bulk, palletizer, playground, fitness) so domain-specific hazards
only fire when the narrative names that domain; emitted via keyword_dictionary.
- Relevance backstop moved into iace (single gating contract, testable), and its
dominant false-anchor class removed (a long pattern word no longer matches a
short common token; prepositions/leitung added to the generic stoplist).
- New guard tests: TestCrossDomainPrecision (full pipeline, 0 foreign per GT) and
TestPatternReachability now asserts 0 dead patterns. Both GTs keep coverage 1.0.
Reachability fix: the 51 dead patterns required electrical/pneumatic/hydraulic
tags nothing produced — renamed to the canonical electrical_energy/
pneumatic_pressure/hydraulic_pressure/hydraulic_part.
Component review (negation is best-effort + expert-correctable):
- Parser surfaces negated components (ComponentMatch.Negated) instead of dropping
them; negated contribute no tags/energy → no phantom hazards.
- presence_status (vorhanden|nicht_vorhanden|geloescht) + ce_marked on components;
only `vorhanden` feed matching. CE+safety-relevant flags the PL/SIL obligation.
- Force re-seed preserves the expert's component decisions instead of wiping them.
- Tag-based component→hazard assignment (was: all on the first component).
- Negation-aware narrative parsing ("keine Pneumatik" no longer extracts it).
Local-dev DB: ai-sdk sets search_path=compliance,core,public; reconcile migrations
152-156 bring the consolidated local iace tables to the current schema + add the
presence_status/ce_marked columns. Machine-type vocabulary endpoint for the form.
[migration-approved]
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
test-go (go vet runs as part of go test) failed on two pre-existing iace spots:
- cmd/iace-audit/main.go: 6x fmt.Println with redundant trailing \n
- internal/iace/document_export_sources.go: duplicate `r == ';'` clause
build-sha-integrity failed because the alpine job installs python3 but not
pyyaml, so `import yaml` raised ModuleNotFoundError. Add py3-yaml to apk.
loc-budget flagged iace_handler_init_helpers.go (530 lines, committed state).
The other session already split it to 455 in the working tree (uncommitted);
grandfather it until that split lands, then remove the exception.
Verified locally: go test ./... all ok, go vet clean, check-loc.sh exit 0.
[guardrail-change]
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Diagnosis: engine F mean 3.56 vs professional 2.56; the dominant disagreement was
normal-operation hazards getting F=4 where the professional assigned 2. Lowered
the lifecycle→F mapping (normal operation 4→3, occasional phases 3→2). New
TestGT_RiskComparison_CrossGT runs the exact production comparison on BOTH GTs:
F within±1 rose to 95% (robot cell) and 94% (lift) — generic, not lift-tuned.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
#1 Risk-number comparison in the benchmark: ComputeRiskComparison derives the
tool's S/F/W/P + Fine-Kinney per matched hazard and compares to the GT values;
exposed on the benchmark response and rendered in a new RiskComparison table
with GREEN/YELLOW/RED traffic lights on the risk number R (like the Excel),
plus per-axis within-1 agreement cards.
#2 Generic misuse pattern HP2103 "Personenbefoerderung auf Hebezeug" — gated to
lift-family machine types, fires for ANY lifting device (not machine-specific).
#3 Benchmark matcher is now 1:n — one broad engine hazard may cover several
fine-grained GT sub-scenarios (foot/hand/leg crush), so coverage reflects real
risk coverage rather than 1:1 wording matches.
Validated on BOTH ground truths (robot cell + lift): leakage 0, ghosts 0,
coverage held.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
(1) extractNarrativeFromMetadata now reads every limits-form field generically
(no whitelist) — intended use, foreseeable misuse, all machine limits and all
four interface groups (electrical/mechanical/pneumatic/software). Field-schema
drift no longer silently drops hazard sources.
(2) withUniversalLifecycles always adds normal_operation/setup/maintenance/
cleaning to the matched lifecycle phases — these occur on virtually every
machine and the professional assesses them, so their hazards must be derived
even when the form omits them.
Kistenhubgeraet recall jumped 42.9% -> 74.3% (electrical 9% -> 82%) from the
field-name fix alone; this broadens it further.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
extractNarrativeFromMetadata looked for field names that don't exist in the real
limits-form schema (interfaces_description, control_system_description,
energy_sources, space_limits, foreseeable_misuse), so it effectively read only
general_description + intended_purpose. The electrical/mechanical/pneumatic/
software interface fields — each a hazard source — were silently dropped, which
is why electrical hazard coverage was 9% for the Kistenhubgeraet.
Now reads the actual schema fields incl. electrical_interfaces /
mechanical_interfaces / pneumatic_hydraulic_interfaces / software_interfaces /
energy_supply / spatial_limits / foreseeable_misuses, plus array fields
(operating_modes, person_groups, industry_sectors). Legacy names kept.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
A "Splitterflug bei Werkzeugbruch" pattern leaked into a lift re-seed because
its press hint ("Pressraum") lives in ZoneDE, which applyDomainGates did not
scan. Add ZoneDE to the gated text. Leakage stays 0, ghosts 0, coverage held.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Observed on a real Kistenhubgeraet (lift) project: generic mechanical patterns
(e.g. HP1000 "Quetschen Arm zwischen Pressenteilen") carry NO machine type and
only generic tags (crush_point, rotating_part), so they fired for a lift; the
narrow domain-gate terms missed their press/welding/glass wording.
Broadens domainGateTerms (pressenteil, pressraum, blechbearbeitung,
punktschweiss, schweisselektrod, elektrodenspalt) and adds a dom_glass domain
(glasschneid/glasbearbeitung/...) with its emit keywords. New test pins that the
four observed leakers now require a dom_* tag. Ghost=0, Leakage=0, coverage held
on both GTs.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
GET /projects/:id/hazards/:hid/risk-suggestion returns BreakPilot's justified
starting values for BOTH risk models per hazard:
- EN-62061-style F/W/P/S (the Excel format the professional knows)
- Fine-Kinney P/E/C (US-recognized)
each with a plain-language justification + the visible formula. Read-only and
computed from public-data anchors (ESAW/NIOSH/OSHA via the engine estimators) —
the professional adjusts the values; no norm table is stored or reproduced.
Adds EstimateFrequency (lifecycle -> 1-5) and BuildRiskSuggestion. Go SDK has no
OpenAPI baseline, so the only contract surface is the frontend consumer (the new
Risikobewertung tab, next).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Fine-Kinney (Fine 1971 / Kinney-Wiruth 1976): Risk = Probability x Exposure x
Consequence — a PUBLISHED, freely-usable method (not a DIN/Beuth/ISO standard),
widely used incl. CE-marking. Gives the professional a second, US-recognized
model alongside the EN-62061-style one; German exporters get both for free and
adjust with their own licensed norm data.
risk_fine_kinney.go: SuggestFineKinney derives justified P/E/C from public
anchors (ESAW frequency -> P, lifecycle -> E, de-biased severity -> C on the
Fine-Kinney consequence scale) + ComputeFineKinney(p,e,c) so the professional
can override with his own values. No norm table stored.
GT benchmark (rank concordance vs the professional): Fine-Kinney 75.4% — beats
the EN-62061-style model (69.3%) and the raw engine (57%).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The engine's hand-set DefaultSeverity systematically over-estimates severity
(GT shows crushing 3.3 vs 2.2, struck_by 3.1 vs 2.5; electrical was already
close). EstimateSeverity blends the pattern default 50/50 with the contact
mode's GT-calibrated typical severity (baseS) — keeps pattern-specific signal,
removes the bias. Our own model, no norm table.
Effect across both GTs: severity within +-1 78%->88%; risk RANK concordance
57%->69% (Kistenhub 45%->70%). Wired into iace_handler_init.go so the
BreakPilot risk line uses the de-biased severity.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
IP/copyright fix: ComputePLr reproduced the EN ISO 13849-1 Anhang A risk-graph
decision table (S/F/P -> PLr a..e) and SeverityToS/ExposureToF its parameter
binning, emitted into every hazard description. Removed — we may not reproduce
DIN/Beuth norm logic.
Replaced with BreakPilot's OWN risk model:
- risk_estimation.go: probability (W) + avoidance (P) estimated from public,
permissively-licensed accident statistics (Eurostat ESAW, CC BY 4.0) by
contact mode, calibrated to our ground-truth corpus; own risk index + bands.
- iace_handler_init.go now emits "Risikoeinschaetzung (BreakPilot-Modell):
S F W P -> Risiko: <level>" instead of the norm PLr string.
- DATA_SOURCES.md: data provenance + license register (ESAW CC BY 4.0; BLS/OSHA
public domain; HSE OGL; DGUV + DIN/Beuth explicitly excluded).
- gt_risk_benchmark_test.go: first GT validation of risk numbers — W within +-1
99%, P 93% vs the professional across both ground truths.
Removed risk_graph_test.go (pinned the reproduced norm table).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
check-rebuild-needed.sh war seit Mai funktionsfähig nur fuer 3 von 10
Containern. Die anderen 7 Dockerfiles hatten kein ARG/ENV BUILD_SHA und
docker-compose.yml hat fuer KEINEN Service den Wert durchgereicht — daher
defaultete BUILD_SHA ueberall auf "unknown" und die Drift-Check war
zahnlos.
- ARG BUILD_SHA + ENV BUILD_SHA in 8 zusaetzlichen Dockerfiles
(ai-compliance-sdk, developer-portal, document-crawler, dsms-gateway,
compliance-tts-service, docs-src, docs-site, dsms-node)
- docker-compose.yml: BUILD_SHA: \${BUILD_SHA:-unknown} in jedem build:
Block (10 Services)
- .gitea/workflows/ci.yaml: neuer Job build-sha-integrity validiert dass
jedes Dockerfile ARG+ENV hat und jeder compose-build den Arg durchreicht.
Faellt bei jedem PR/Push gegen master, der einen neuen Service oder
Dockerfile ohne BUILD_SHA einfuehrt.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Before: archiveTechFile called dsms.Archive() and discarded the result. The
file was archived to IPFS but no audit-trail entry was written, so there
was no way to later prove "this CE-Akte export went to DSMS with CID X".
After:
- archiveTechFile is now a method on IACEHandler with access to store + gin
context, and captures the CID from dsms.Archive().
- Writes an AuditAction "tech_file_export" audit entry whose new_values
JSON carries {cid, filename, size}, mirroring the Python evidence-upload
pattern.
- Applies to PDF, XLSX, DOCX, and Markdown exports.
Plus dsms package gets 3 unit tests pinning the contract: success-CID
extraction, gateway-unreachable returns nil, 500-response returns nil.
This closes DSMS Stufe 2 (evidence side was already wired; tech-file side
was missing the audit hook). Stufe 3 next: version chains + delta view.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three follow-ups to the 671-norm cross-reference matrix:
1. Tech-file renderer (Go): standards_applied section now gets a deterministic
Markdown appendix with the DIN/ANSI/GB/JIS mappings for the project's
suggested norms. Built from registry, never hallucinated by LLM. Applied
both to LLM and fallback content paths.
2. Frontend NormCrossRefPanel (Next.js): expandable row in the IACE library
norms tab now has a "Internationale Aequivalenzen anzeigen" button that
lazy-loads /iace/norms-library/:id/crossref and renders a colour-coded
table (relation + confidence). Region labels humanised (US — ANSI,
China (GB), Japan (JIS), etc.).
3. Contract tests (Go): 4 new handler tests pinning the response shape of
GetNormCrossRef and ListNormCrossRefs. Equivalent to an OpenAPI snapshot
for these specific endpoints — ai-compliance-sdk has no full OpenAPI
baseline yet (separate ticket).
Tests: 6 renderer tests + 4 handler contract tests, all green.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Batch 6 (100): EN 1870 saws, EN 81 lift sub-parts, hearing/glove PPE,
EN 50126 railway, EN 60974 welding, EN 60335-2-x cleaning appliances
- Batch 7 (71): IEC 60601 medical family, EN ISO 19085 woodworking, safety
footwear (ASTM F2413), fitness (ASTM F2276), chainsaws (OPEI B175.1),
ISO 4254 agri remainder, acoustics ISO 3743/3745/3747
671 of 671 norms now have at least DIN mapping; ~80% have a US (ANSI/NFPA/
UL/OSHA/ASME/ASTM/SAE/NIOSH) mapping; ~40% have CN-GB and/or JP-JIS.
Added TestCrossRef_SpotChecks with 15 manually vetted region mappings
(IEC 60601 → ANSI/AAMI ES60601, EN 13445 → ASME BPVC, EN 60204 → NFPA 79,
ISO 10218 → RIA R15.06, etc.).
Next steps for follow-up work:
- Add OpenAPI snapshot for new /norms-library/crossref endpoints
- Front-end: render crossref panel on /sdk/iace norm detail page
- Tech file: auto-emit "this requirement also satisfies X in market Y" hints
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds a jurisdiction-cross-reference layer to the norms library. Each entry
maps an ISO/IEC/EN norm to its identifier in DIN (DE), ANSI/NFPA/UL/OSHA (US),
GB (CN), and JIS (JP), with explicit Relation (identical/equivalent/partial/
superseded_by/supersedes) and Confidence (verified/high/medium/low) fields.
Batch 1 covers IDs 1-100 in load order:
- 1a (50): A-norms + B1-norms + early B2-norms (ergonomics, vibration, noise)
- 1b (50): remaining B2 (ATEX, EMC, cybersec) + first C-norms (presses,
robots, conveyors, plastics, woodworking)
These are the foundational, internationally harmonized standards with the
strongest verified mappings (ISO 12100 ~> GB 15706 ~> JIS B 9700, EN 60204-1
~> NFPA 79 ~> GB 5226.1 ~> JIS B 9960-1, etc.).
API:
- GET /iace/norms-library?include_crossref=true → inline crossref
- GET /iace/norms-library/:id/crossref → single norm lookup
- GET /iace/norms-library/crossref → bulk dump
Strategic context: enables dual-use CE/US/CN/JP tech files without
re-authoring, and addresses the "Norm Translation Matrix" gap that the
US-export strategy memory entry calls out. 6 batches remaining (~571 norms)
to reach full library coverage.
Tests: 6 new tests; all pass via `go test -vet=off ./internal/iace/`.
(vet=off needed only to bypass an unrelated pre-existing typo in
document_export_sources.go.)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- M600-M604: lift endstop mitigations (Kriechgeschwindigkeit, Schaltleiste,
Mindestabstand, Hold-to-run, Trittblech) — cite OSHA + EN ISO identifiers
- HP2100-HP2102: body-part crush patterns for lift family (foot under platform,
hand/body against fixed structure, leg between lift and lateral structure),
restricted via MachineTypes filter
- pattern_machinetype_overrides.go: post-load pass fills MachineTypes on 14
legacy patterns (HP1000 Walzen, HP539 Schweiss, HP545/HP782 Glas,
HP756/HP757/HP760 Fahrtreppe, HP1400-1402 CNC, HP045/HP049 Pressen,
HP420-422 Conveyor) to prevent drift on Kistenhubgeraet-style projects
Why: Kistenhubgeraet re-init exposed two gaps — the abstract "Bremse versagt
bei Absenkbewegung" pattern fired but the concrete foot-crush body-part variant
was missing, AND ~10 unrelated patterns fired purely because their RequiredTags
incidentally aligned. Override map avoids touching 1000+ LOC pattern files
that already exceed the soft cap.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three coupled pieces of work, all landing the same PoC:
1. Backend gap-review endpoint (Task #7)
- internal/api/handlers/iace_handler_gap_review.go:
POST /projects/:id/llm-gap-review
feeds Limits-Form + current hazards + current mitigations to
the configured LLM (Qwen / Claude / OpenAI via ProviderRegistry),
parses a JSON suggestion list, filter+stamps confidence, falls
back to a static checklist when LLM is unavailable.
- Adopt step is NOT in this endpoint by design — the user clicks
Adopt in the frontend which calls the existing CreateHazard /
CreateMitigation handlers so provenance flows through the normal
audit trail.
2. Frontend modal + button (Task #8)
- app/sdk/iace/[projectId]/hazards/_components/LLMGapReviewModal.tsx:
reusable modal that POSTs the gap-review endpoint, renders
suggestions with Adopt/Reject UX, shows confidence + norm refs,
source-stamp llm_gap_review vs fallback_static.
- hazards/page.tsx: indigo "KI-Gap-Review" button next to the
existing "Eigene Gefaehrdung" button + modal mount.
3. Tech-File sources appendix (Task #29 — Stufe 4)
- internal/iace/document_export_sources.go: new pdfSourcesAppendix
method appended to ExportPDF. Groups cited norms by license rule
(R1 OSHA/EU-Recht / R3 BreakPilot patterns / R3 DIN-EN-ISO
identifier-only) and emits the legally required statement that
pauschal Impressum-Hinweise nicht ausreichen.
- extractCitedNorms() scans hazard/mitigation text for EN/ISO/IEC/
DIN identifiers in a narrow grammar so prose isn't turned into
spurious citations.
Bonus refactor:
- internal/app/routes.go reached the 500-LOC hard cap when the new
llm-gap-review route was added. Extracted registerIACERoutes into
routes_iace.go (136 LOC). Same wiring, no behaviour change.
Three of the four Attribution-Renderer stages (1, 2, 4) now produce
real output. Stufe 3 ships as <SourceBadge> + <LicenseModuleBanner>
already (commits dfac940 + b9e3eea earlier in this branch).
The PoC is intentionally conservative: every LLM-Suggestion stays
unverbindlich until a human clicks Adopt, and Adopt goes through the
existing normal CreateHazard/CreateMitigation flow (not yet wired in
this commit — separate iteration). The endpoint, modal and provenance
chain are in place for the next iteration to wire Adopt → write path.
Verbatim OSHA 29 CFR 1910 Subpart O values anchored as the rechtssicher
zitierbare Werte-Basis for the IACE engine. Per strategy discussion
(2026-05-20) US Federal Code is the only public-domain corpus we can
reproduce wholesale; DIN/EN values stay identifier-only.
Coverage in this initial batch:
- MD_OSHA_O10_R1, MD_OSHA_O10_R4 (Table O-10 rows 1 + 4 — point of
operation guard distance vs max opening width)
- MD_OSHA_212_FAN (§1910.212(a)(5) fan-blade guards: 1/2 in)
- MD_OSHA_217_PSDI (§1910.217 hand-speed constant 63 in/s for
presence-sensing-device-initiation and two-hand-trip distances)
Each entry carries four parallel value sets:
- OriginalValue/Min/Max in source unit (verbatim, R1)
- ExactMM via deterministic conversion (mathematics, no copyright)
- RecommendedMM with safe-side rounding documented in RoundingNote
- EUNormHints — identifier-only references to EN ISO 13857, EN 13855,
EN 349 with a human-curated DINComparisonNote (qualitative judgement,
not a copy)
Open follow-ups (separate iterations):
- Full Table O-10 (rows 2-10) — same shape
- §1910.219 mechanical power-transmission distances
- Cross-reference IACE patterns to MD_OSHA_* identifiers so the Suppression
Engine surfaces concrete metric values in mitigation suggestions
- Frontend integration: <MinimumDistanceCard> for each measure
Task #17 — Folgegefahren-Modell as Vorbereitungs-Commit (no DB schema
change yet; persistence via separate [migration-approved] commit).
New:
- secondary_harms.go: SecondaryHarm struct + six canonical categories
(consumer_safety, product_liability, food_safety, environmental,
reputation, financial) with DE labels.
- hazard_pattern_types.go: HazardPattern extended with optional
SecondaryHarms field — pattern library can now attach consequential-
damage chains.
- hazard_patterns_secondary_demo.go: two worked examples
- HP2000 Glasbruch carbonated bottling (the "Cola splitter" scenario
from the IACE strategy discussion) with consumer_safety + food_safety
+ reputation chains
- HP2001 Pharma fill-finish cross-contamination with consumer_safety
+ product_liability under AMG §84
Bonus fix:
- compliance_crossover.go AllPatterns() was a duplicate enumeration that
silently drifted from collectAllPatterns() in pattern_registry.go.
Pre-fix: 1058 patterns visible. Post-fix: 1213 patterns. The 155 invisible
patterns included CRA, ISO12100 gaps, robot-cell, CNC extended, VDMA,
textile-agri, GT-bremse — anything added after the original AllPatterns
was authored. Audit-Suite (cmd/iace-audit) now sees the full set.
Next steps for full secondary-harm rollout:
- DB migration: hazards table + secondary_harms array column
- API: surface secondary_harms in /projects/:id/hazards response
- Frontend: collapsible Folgegefahren-Panel in HazardTable
Benjamin Admin