f23ae32077
feat: MaschVO als erster Multi-Regulation-Run + Reuse-Metrik (Freeze haelt: 0 neue Klassen)
...
User-Reframe: nicht „naechste Regulierung", sondern erster MULTI-REGULATION-Reuse-Test.
- obligations/cra_machinery.json: 31 MaschVO-Obligations (25 LM = Anhang-III-Essential-Reqs
rechtlich legit + 6 BP). Pipeline 2229->1096 micro->120 review-units->Opus. out_of_scope
41 RU (AI-Act/DSGVO/Common-Criteria/Banking/...).
- obligations/machinery_reuse_metrics.json: ERSTE Reuse-KPI. **NEUE OBJEKTKLASSEN = 0**
(Architektur-Freeze haelt gegen physische-Safety-Regulierung — empirisch). 39% Reuse / 61%
net-new; Capability-Reuse 2 (Cyber-Safety-Bruecke: access_control_safety_functions->access,
protection_against_corruption->integrity/tamper), Procedure-Reuse 6, Evidence-Reuse 2,
CORE-Spezialisierung 2 (risk_assessment->update_risk_assessment, conformity->sbom_tech_doc).
- join_keys 95->126 (machinery 31). precluster.py: machinery-Scope.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-26 10:05:00 +02:00
4e761c1363
feat: #5b materialize capability layer (Modell C) — capabilities.json + cra_core.json
...
User-Entscheidung Modell C + objective_tags-Safeguard (Tags, keine Klasse). Deterministisch
via materialize_capabilities.py:
- obligations/capabilities.json: 5 Capabilities (multi_factor_authentication/session_management/
transport_encryption/code_signing/security_monitoring_alerting), realized_by (n:m) +
guidance_basis KANONISCH hochgezogen. access_control gedroppt (OVERLAP).
- obligations/cra_core.json: 2 CORE-Sicherheitsziele (attack_surface_minimization (2)(j)/CM-7 +
software_integrity_protection (2)(f)/SI-7) -> fuellt den #4-NIST-Gap.
- DOMAIN specializes->CORE (remote_access_attack_surface_min, component_remote_interface_security,
signed_update_integrity, firmware_software_authentication) + objective_tags.
- Merge: vuln_remediation_patching -> deprecated_alias von provide_security_updates.
- remote_access_data_export_protection bleibt BEST_PRACTICE (pending Data-Act-Scope).
- join_keys 93->95 (core 2). Bidirektional validiert.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-26 00:54:23 +02:00
8937f105ea
feat(bridge): security-updates obligation cut (CRA Annex I (2)(c)/Art 13) — 9 obligations
...
- obligations/cra_updates.json: 9 (6 LEGAL_MINIMUM + 3 BEST_PRACTICE), Beziehungen.
Pipeline 670->318 micro->15 review-units -> Opus-Synthese. Synthese gut kalibriert ->
light review (KEINE Hart-Re-Tier, vs Auth/Remote-Access). out_of_scope M4/M7.
5 capability_candidate-Marker (signed/trusted/automatic/rollback/testing) fuer
Phase-4-Capability-Pruefung. Anker approximativ (curation.anchor_quality).
- obligation_join_keys.json: 84 -> 93 (updates 9). Alle 6 CRA-P1-Domaenen abgedeckt.
- precluster.py: updates-Scope.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-25 18:51:09 +02:00
1584b8fb2f
feat(bridge): remote-access obligation cut (CRA Annex I) — 18 obligations
...
- obligations/cra_remote_access.json: 18 (5 LEGAL_MINIMUM outcomes + 13 BEST_PRACTICE),
15 Beziehungen. Two-stage clustering 445->209 micro->27 review-units -> Opus-Synthese.
Synthese vergab 14 LM -> key-free re-tier nach Auth-Regel (Mechanismen MFA/Session/VPN/
insecure-protocol/OT/Wartungs-Governance/temp/data-export/component -> BEST_PRACTICE +
supports-Kante zur Eltern-LM). out_of_scope M5/M11 = physische Maschinen-Fernsteuerung
(MaschinenVO 2023/1230). Anker approximativ (siehe curation.anchor_quality).
- obligation_join_keys.json: 66 -> 84 (remote_access 18).
- precluster.py: remote_access-Scope.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-25 18:37:10 +02:00
a53d67a35a
feat(bridge): logging/audit obligation cut (CRA Annex I (2)(k)) + 7/7 control mapping
...
- obligations/cra_logging.json: 19 obligations (6 LEGAL_MINIMUM auf (2)(k) korrekt
verankert, 13 BEST_PRACTICE), 13 Beziehungen; out_of_scope M8/M5/M81 (AI-Act/FRT/PIN).
Two-stage clustering (2601->1361 micro->100 review-units) -> Opus-Synthese -> Kuration.
- controls_for_obligation_mapping.json: V16.1.1/V16.3.3/V16.3.4 -> event_logging_security_events
(Umbrella-LM; spezifische Alternativen via ASVS-Control-Text). Jetzt 7/7 gefuellt.
- obligation_join_keys.json: 47->66 obligation_ids (logging family).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-25 11:57:16 +02:00
9e0a9ccef4
Add obligation_id join-key contract (cross-session bridge)
...
CI / detect-changes (push) Successful in 5s
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / build-sha-integrity (push) Successful in 8s
CI / validate-canonical-controls (push) Successful in 7s
CI / loc-budget (push) Successful in 19s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Has been skipped
CI / test-go (push) Has been skipped
CI / iace-gt-coverage (push) Has been skipped
CI / test-python-backend (push) Has been skipped
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
Macht meine Seite des Cross-Session-Vertrags konkret: obligation_id ist der stabile Join-Key
zwischen Legal Knowledge Graph (citation_spans -> obligation_id) und Compliance Execution Graph
(control_mapping.source_norm -> obligation_id). Export aller 47 obligation_ids (CRA: 11 sbom +
7 vuln + 29 auth) mit citation_units als Interim-Brücke. Disziplin: obligation_id nie neu
vergeben (re-link, Pendant zu span_id/control_uuid).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-25 10:29:29 +02:00
Benjamin Admin