Commit Graph

613 Commits

Author SHA1 Message Date
Benjamin Admin e8ea179228 feat(advisor): topic threads, per-question delete/copy, fullscreen
Adds case management to the Compliance Advisor widget.

- topic threads: cases group into threads; the left menu shows each
  thread's first question as the Thema with expandable follow-ups.
  Send = follow-up to the active thread (carries the thread's prior Q&A
  as history for contextual answers); "+" starts a new topic.
- delete: a trash action per question (menu + stacked view).
- copy: single Q&A (question + answer + evidence + footnotes) or a whole
  thread, as Markdown to the clipboard (pure formatters in copy.ts).
- fullscreen: compact -> panel -> fullscreen view.
- route.ts consumes an optional bounded `history` so follow-ups are
  contextual for both the widget and the workspace consumer.

Tests: copy formatter unit tests + Playwright specs (threads/new-topic,
delete, fullscreen, copy affordance). No deploy.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-07-01 18:51:17 +02:00
Benjamin Admin a9b04e5286 feat(advisor): evidence-framed header + bindingness contract seam
Rework the Compliance Advisor header ("Diese Antwort stuetzt sich auf")
to describe the EVIDENCE rather than the documents: binding
Rechtsgrundlagen split from Leitlinien (soft-law guidance), a
per-regulation breakdown, plus Abbildungen, Fussnoten and Evidence Units.
No fabricated trust score — objective counts only.

- bindingness is a canonical Legal-KG fact (APEX rule): added an optional
  EvidenceUnit.bindingness contract seam; the FE renders the split from it
  and degrades to a neutral per-regulation breakdown when it is absent
  (SDK/RAG asked via board to populate it in /retrieve).
- evidence-grouping.ts: pure, tested grouping/counting model.
- route.ts: optional `audience` field (tonality) kept out of the retrieval
  question; answers lead with a "Kurz gesagt" summary, structured by theme.
- E2E + unit tests updated for the evidence framing.

Not deployed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-07-01 15:17:21 +02:00
Benjamin Admin 3f372bcb39 feat(advisor): Phase 1 — endpoint backward-compat (keep breakpilot-workspace working)
The advisor endpoint now serves two shapes off one orchestration:
- new FE ({question}) -> v3 JSON contract (clarity/answer/evidence/citations/...).
- legacy consumer ({message}, e.g. breakpilot-workspace which reads a text stream and
  persists raw bytes) -> plain-text stream of the L2 answer (clean prose, no [n] markup,
  no clarify gate). isLegacyRequest() discriminates; answerSystem() gains withCitations.

Prevents the v3 contract from breaking breakpilot-workspace's chat (CLAUDE.md rule #4,
keep every consumer working). No deploy. tsc clean, 13 vitest (incl. isLegacyRequest),
check-loc 0.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-07-01 13:53:17 +02:00
Benjamin Admin 5a513181cc feat(advisor): Clarity-Gate orchestration in route.ts (consumes /retrieve)
Completes the advisor stack (FE + orchestration; /retrieve is SDK/RAG-owned). The route
now returns the FE contract instead of a text stream:
- retrieveFull() calls /retrieve with {query, context}; consumes clarity/evidence/
  visual_evidence/footnotes (exact shape per board 2026-07-01 12:25).
- mode-routing (resolveMode): clarify unless a context was chosen and /retrieve's
  clarity.mode says so. clarify -> L1 general answer (completeAdvisorAnswer, ungrounded,
  no sources). answer -> L2 answer over numbered evidence with [n] markers.
- citations generated here ([n] -> nth evidence unit); footnotes remapped; evidence /
  visual_evidence passed through.
- advisor-llm: non-streaming completeAdvisorAnswer(). Pure mappings in retrieve-mapping.ts
  (+ tests). Removed the dead v2 evidence.ts/evidence-adapter (RegulationRef moved to
  regulation-display). controls-augmentation kept (tested; re-integrable later).

NOT deployed: joint deploy with the SDK /retrieve endpoint (deploy-coupling). tsc clean,
25 vitest (mapping/clarify/answer/markdown/registry/rag), check-loc 0.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-07-01 12:39:47 +02:00
Benjamin Admin 591cae5ebc feat(advisor): Case Workspace v2 — Evidence grouping, human names, 3-column, summary
Reworks the advisor toward a Compliance Case Workspace (review feedback):
- Rename user-facing "Quellen" -> "Evidence".
- Evidence grouped by document/regulation family (count + expandable) — no more
  unsorted DSK/DSK/DPF/... jumble.
- Human-readable regulation names via a display registry (DSK Sdm B51 -> "DSK
  Standard-Datenschutzmodell (SDM)" / Kapitel B51); generic, bridges G2.
- Evidence summary "Antwort basiert auf" with meaningful counts; Regelwerke = distinct
  FAMILIES (fixes the inflated count). NO fabricated trust score (needs a defined basis).
- Expanded mode = 3-column workspace (question+summary | answer | evidence, independent
  scroll) + history switcher; narrow mode stays stacked.
- Prompt: push aggressive markdown structure (## per aspect, numbered phases).

Deferred/coordinated on board: C8 diagrams (RAG contract), answer<->evidence coupling
[1] (needs LLM citation anchors — phase 2), G1 retrieval relevance + G2 metadata (RAG).
tsc clean, 17 vitest, check-loc 0.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-07-01 10:38:06 +02:00
Benjamin Admin 3884038b06 fix(advisor): generic — drop trailing source list in answer + de-duplicate source card
Two structural fixes (not query-specific):
- Proxy prompt: forbid ANY trailing "Quellen:"/"Quellen im RAG-System" list and make it
  the LAST instruction so it overrides the soul file's answer-structure + example that
  teach a closing sources section. Applies to every answer.
- KnowledgeUnitCard: render the label only when it differs from regulation.short, so a
  source whose label == short name no longer prints twice. Applies to every source.

Answer text is still never parsed in the FE (sources live in the pane). + card test.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-07-01 10:13:58 +02:00
Benjamin Admin 49171e841f feat(advisor): Evidence Workspace — structured panes, markdown, sources as knowledge units
Rebuilds the Compliance Advisor floating widget from a plain chat into an Evidence
Workspace: pinned last question, markdown-rendered answer (clean prose), and separate
panes for Sources (hierarchical Knowledge Units), Figures (C8, conditional) and
Footnotes (C-FN), plus a stats bar (Quellen/Regelwerke/Diagramme/Fußnoten). Scrollable
turn history; stays a floating icon on every SDK page.

Architecture (user direction): the frontend renders ONLY structured evidence and NEVER
parses the answer text. The proxy now returns a JSON AdvisorEvidenceMeta line followed
by the streamed markdown answer; advisor-rag exposes structured results; an adapter maps
RAG/compiler output to the frontend envelope. Figures/footnotes wire in once the
RAG-ingestion contract lands (requested on the board) — figures pane is conditional.

- lib/sdk/advisor/{evidence,evidence-adapter}.ts (+ adapter test, 7 cases)
- components/sdk/advisor/* panes + in-house safe Markdown (no new dep, no dangerouslySetInnerHTML) + test
- useAdvisorStream (meta-line parse + streamed answer) + useAdvisorEmail (escaped)
- proxy: evidence-meta-v1 envelope + clean-prose prompt (no inline citations)
- tsc clean, 11 vitest pass, check-loc 0. ESLint not installed in this node_modules -> CI lints on push.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-07-01 07:46:37 +02:00
Benjamin Admin 867f8c3854 feat(onboarding): make the advisor visibly responsive — headline leads with the moving number + auto-recompute
Testing surfaced that toggling certifications appeared to "do nothing": the headline led with the TOTAL
requirement count (constant per target, e.g. 17 for CRA), and the page only recomputed on an explicit
button click. Both fixed:
  - engine.py headline now leads with the number that actually moves: "11 von 17 Anforderungen offen ·
    6 wahrscheinlich (Zertifikate) · 5 zu klären" (was "17 Anforderungen erkannt · …"). Keeps the
    "automatisch erkannt (Intake)" substring.
  - frontend auto-recomputes on certifications / target / scanner-signal change (no button needed).

Now ISO27001 alone -> "13 von 17 offen · 4 wahrscheinlich"; + ISO9001+TISAX+IEC62443 -> "11 von 17 offen ·
6 wahrscheinlich". (Domain truth stays visible: CRA's product-cyber gaps barely move with management-system
certs.) 28 onboarding+transition tests pass, check-loc 0.
2026-06-28 19:31:15 +02:00
Benjamin Admin 807a7002b2 feat(onboarding): surface curated expert text + human capability labels (advisor was showing snake_case)
The advisor was structurally correct but unusable: every question showed a snake_case capability id plus a
single generic fallback reason ("Keine Anhaltspunkte im Unternehmensprofil — klären"). The expert text
already EXISTED in the transition patterns (why_asked / reviewable_claim) — the pipeline just dropped it.

  - transition_reasoning: TargetRequirement gains `rationale`; assess_transition uses it as the request
    reason when present, else the generic fallback (additive, backward-compatible for all consumers).
  - onboarding_service._target carries the pattern's why_asked (delta) and reviewable_claim (likely_covered)
    into the requirement rationale -> the question's `why`.
  - knowledge/onboarding/capability_labels.yaml: curated DE labels (id -> human), reusable across targets;
    labels_for() + response.capability_labels expose them; the frontend renders label || prettified id.

Now ISO27001->TISAX reads "Auftragsverarbeitung (Art. 28 DSGVO) — If a TISAX data label is in scope, you
must show Art. 28 GDPR processing-on-behalf controls; ISO 27001 does not establish these." instead of
"data_protection_processing_on_behalf — klären". why_asked text is still EN (existing knowledge; translation
is curation). 34 onboarding+transition tests pass, mypy --strict clean (13 modules), check-loc 0.
2026-06-28 18:46:56 +02:00
Benjamin Admin 239702fdca feat(admin): ETO / Onboarding-Advisor test page (thin operator surface over the advisor endpoint)
A focused client page at /sdk/onboarding-advisor that exercises POST /api/compliance/onboarding/
advisor-start through the existing compliance proxy: pick certifications + target + scanner findings
(observation / partial / requirement) and render the result — headline, silent-intake summary,
auto-detected (green), indications (amber), next-best questions with WHY, inferred (Welt-1) vs rejected
assumptions, capability delta, evidence requests, completeness. NOT the regulation gap engine
(/sdk/gap-analysis is a different flow). No new backend; calls only the existing endpoint. 195 lines.
2026-06-28 17:12:40 +02:00
Benjamin_Boenisch 230dc05287 feat(ai-sdk): legal-corpus coverage + Phase-2 citation-graph assessment (#33)
CI / detect-changes (push) Successful in 8s
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / build-sha-integrity (push) Successful in 6s
CI / sbom-scan (push) Has been skipped
CI / validate-canonical-controls (push) Successful in 6s
CI / go-lint (push) Has been skipped
CI / loc-budget (push) Successful in 19s
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Successful in 3m1s
CI / test-go (push) Successful in 59s
CI / iace-gt-coverage (push) Successful in 22s
CI / test-python-backend (push) Has been skipped
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
2026-06-24 06:37:22 +00:00
Benjamin Admin a4d1105b3c Merge branch 'feat/advisor-corpus-authority' into HEAD
CI / detect-changes (push) Successful in 7s
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / build-sha-integrity (push) Successful in 7s
CI / validate-canonical-controls (push) Successful in 7s
CI / loc-budget (push) Successful in 21s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Successful in 3m8s
CI / test-go (push) Has been skipped
CI / iace-gt-coverage (push) Has been skipped
CI / test-python-backend (push) Has been skipped
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
2026-06-22 18:40:15 +02:00
Benjamin Admin 33085c61b4 feat(advisor): Korpus-Autoritaet — Fakten nur aus Kontext, Konflikt-Transparenz
Authority-/Freshness-Layer Punkte 1/2/5 im Advisor-Antwortpfad (Prompt-Ebene, kein
Schema). Neue Soul-Sektion "Korpus-Autoritaet & Aktualitaet": rechtliche FAKTEN
(Schwellen/Fristen/Zahlen/Pflichten) nur aus bereitgestelltem RAG-/Controls-Kontext,
Trainingswissen nie als Rechtsquelle; Konflikt -> Kontext gewinnt, transparent;
Co-Pilot-Ton statt Roboter-Verweigerung. Ergaenzt Quellentreue (Fundstellen) um die
Fakten-Ebene -> loest den "DSB ab 10 statt 20"-Fall. route.ts: RAG-Framing als
"deine EINZIGEN Rechtsquellen" verschaerft.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-21 23:18:05 +02:00
Benjamin_Boenisch 38a347a82a feat(platform): live-wire AGB v2 + DSE v3 + Architektur-Tab (#29)
CI / detect-changes (push) Successful in 7s
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / build-sha-integrity (push) Successful in 9s
CI / validate-canonical-controls (push) Successful in 12s
CI / loc-budget (push) Successful in 24s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Successful in 3m11s
CI / test-go (push) Has been skipped
CI / iace-gt-coverage (push) Has been skipped
CI / test-python-backend (push) Successful in 24s
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
AGB v2 (decision_method routing, 71%FP->~0) + DSE v3 (4-layer, recovered from container) + Architektur-Tab into /sdk/agent live path. Incl CI robustness (detect-changes.sh + PR-head checkout) + security (hardcoded Qdrant key removed, gitleaks allowlist).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-21 12:58:26 +00:00
Benjamin Admin 90a70c8404 fix(drafting): Drafting-Engine auf prod reparieren — RAG via ai-sdk + OVH-LLM-Kaskade
CI / detect-changes (push) Successful in 7s
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / build-sha-integrity (push) Successful in 5s
CI / validate-canonical-controls (push) Successful in 4s
CI / loc-budget (push) Successful in 17s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Successful in 3m2s
CI / test-go (push) Has been skipped
CI / iace-gt-coverage (push) Has been skipped
CI / test-python-backend (push) Has been skipped
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
Die Drafting-Engine (Dokument-Entwurf, v2-Pipeline, Validierung, Drafting-Chat,
Vendor-Vertragspruefung) war auf prod doppelt tot:
- RAG ueber bp-core-rag-service:8097 (existiert auf prod nicht)
- LLM ueber OLLAMA_URL/api/chat mit qwen2.5vl (prod = ollama-embed, kein Chat-Modell)

Fix (analog zum Compliance-Advisor):
- rag-query.ts -> ai-compliance-sdk /sdk/v1/rag/search (bge-m3, prod-erreichbar).
- Neue lib/sdk/drafting-engine/llm-cascade.ts: OVH/LiteLLM (gpt-oss-120b) zuerst,
  Ollama als Dev-Fallback; cascadeComplete (JSON) + cascadeStream. Das Backend nutzt
  OVH+JSON bereits erfolgreich auf prod (extract-datasheet).
- 5 Aufrufstellen (draft-helpers, draft-helpers-v2, validate, chat, vendor-review)
  auf die Kaskade umgestellt; keine direkten Ollama-Calls mehr.
- Tests: llm-cascade + rag-query aktualisiert.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-19 10:02:06 +02:00
Benjamin Admin cd3e0b15ad fix(advisor): Compliance-Advisor auf prod reparieren — RAG via ai-sdk (bge-m3) + OVH-LLM
CI / detect-changes (push) Successful in 6s
CI / branch-name (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / build-sha-integrity (push) Successful in 7s
CI / validate-canonical-controls (push) Successful in 6s
CI / loc-budget (push) Successful in 19s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Successful in 3m4s
CI / test-go (push) Successful in 58s
CI / iace-gt-coverage (push) Successful in 16s
CI / test-python-backend (push) Has been skipped
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
Der Floating-Compliance-Advisor war auf prod kaputt (502): RAG ging ueber
rag-service:8097 (auf prod nicht vorhanden) und der Chat ueber
OLLAMA_URL=ollama-embed (embedding-only, kein qwen2.5vl).

- RAG laeuft jetzt ueber die ai-compliance-sdk /sdk/v1/rag/search (bge-m3,
  prod-erreichbar) statt rag-service -> profitiert vom reicheren Embedding.
  (lib/sdk/agents/advisor-rag.ts)
- LLM-Kaskade: OVH/LiteLLM (gpt-oss-120b) zuerst, Ollama als Dev-Fallback.
  (lib/sdk/agents/advisor-llm.ts; OVH-Env via orca-infra admin-Block)
- ai-sdk: bp_compliance_recht in AllowedCollections ergaenzt (Whitelist war
  inkonsistent — die Fehlermeldung listete es bereits als erlaubt).
- Route auf die Module umgestellt (duenn); Controls-Augmentation unveraendert.
- Tests: advisor-rag + advisor-llm.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-19 09:22:44 +02:00
Benjamin Admin f0a0a887fd revert(redesign): Design-Tokens + Ebene-2 "Cyber trifft Safety" zurueckziehen
Das Frontend-Redesign wird vorerst pausiert (Fokus MVP). Der komplette
Stand ist im Git-Tag redesign-archive-20260619 (Commit 42d4b4d9)
archiviert und jederzeit fortsetzbar; die Handoff-Docs bleiben unter
design/redesign/ erhalten. Diese Aenderung zieht nur den aktiven Code
zurueck (Tokens, Chips, CyberMeetsSafety, design-system-Seite, Font-Setup) —
die UI kehrt zum vorherigen Stand zurueck.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-19 09:22:19 +02:00
Benjamin Bönisch 42d4b4d9c5 feat(redesign): Design-Tokens + Ebene-2 "Cyber trifft Safety" (additiv)
CI / detect-changes (push) Successful in 19s
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / build-sha-integrity (push) Successful in 7s
CI / validate-canonical-controls (push) Successful in 4s
CI / loc-budget (push) Successful in 21s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Successful in 3m13s
CI / test-go (push) Has been skipped
CI / iace-gt-coverage (push) Has been skipped
CI / test-python-backend (push) Has been skipped
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
Schritt A (Tokens): zentrale Design-Sprache aus dem Claude-Design-Handoff —
Tailwind-Tokens (re/geltung/severity/domain) + Fonts (Public Sans / Source
Serif 4 / IBM Plex Mono) + components/redesign/{tokens.ts,Chips.tsx}
(GeltungChip, SeverityChip, DomainTag, MonoId) + Showcase /sdk/design-system.
Bestehende Farben/sans unangetastet.

Schritt B (Ebene 2): CyberMeetsSafety als USP-Hero im CRA/Cyber-Tab
(/sdk/iace/[id]/cra) — Domaenen-Bar, Hazard-Karten (CE-gemildert -> Cyber-Befund
-> Restrisiko, Warum-Box, Pflicht/Empfehlung-Massnahmen, aufklappbarer
Norm-Bezug), Massnahmen-Backlog mit Geltung-Filter. Gebunden an echte
cross_links/findings/open_measures. Bisheriger CRACyberView bleibt eingeklappt
erhalten -> kein Inhaltsverlust.

Guardrail-Doku: design/redesign/ (HANDOFF_README, CONTENT_INVENTORY mit
40-Screen-Mapping + Waisen-Liste, Arbeitsbereich.dc.html-Referenz).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-18 16:49:04 +02:00
Benjamin Bönisch 8f21650d74 feat(sdk): Kunden-Dokumente + CRA-Meldewesen, Screening aus Frontend genommen
CI / detect-changes (push) Successful in 16s
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / build-sha-integrity (push) Successful in 15s
CI / validate-canonical-controls (push) Successful in 13s
CI / loc-budget (push) Successful in 25s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Successful in 3m9s
CI / test-go (push) Has been skipped
CI / iace-gt-coverage (push) Has been skipped
CI / test-python-backend (push) Successful in 31s
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
- /sdk/dokumente: Kundensicht nur auf veroeffentlichte Rechtsdokumente
  (Ansehen + Download); Proxy mit Allow-List nur /public — Templates/Drafts/
  Generator bleiben unerreichbar.
- /sdk/cra-meldewesen: CRA Art. 14 Meldewesen (24h/72h/14d-Kaskade) mit
  Fristen-Tracking + ENISA-SRP-Export-Entwurf (kein Live-API). Backend:
  cra_meldewesen (pure, getestet) + cra_incident_store (schema-neutral ueber
  compliance_cra_documents) + /api/v1/cra/incidents (additiv, contract-safe).
- Screening (Self-Scan) aus dem Frontend genommen: Flow-Stepper-Eintrag
  ausgeblendet (visibleWhen), Dashboard-Kachel + Import-Button entfernt.
  Repo-Scanning laeuft extern im Compliance-Scanner; Backend-Router bleibt
  vorerst gemountet (Contract-Stabilitaet).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-17 21:21:28 +02:00
Benjamin Admin 4f4ffc2ad5 feat(cra): Cyber-trifft-CE mit echten IACE-Safety-Functions
CI / detect-changes (push) Successful in 16s
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / build-sha-integrity (push) Successful in 11s
CI / validate-canonical-controls (push) Successful in 10s
CI / loc-budget (push) Successful in 28s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Successful in 3m10s
CI / test-go (push) Has been skipped
CI / test-python-backend (push) Has been skipped
CI / iace-gt-coverage (push) Has been skipped
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
useCRA leitet aus den Hazards+Mitigations DES IACE-Projekts cyber-relevante
safety_functions ab (Bewegung/Quetschen/safety_function_failure/Pneumatik →
prevent_unexpected_actuation; Signal/Sensor/Kommunikation → signal_integrity;
rein physische wie Thermik/Ergonomie ausgeschlossen) und gibt sie statt der
Demo-Hardcodes an /assess. build_cross_links zeigt dann, welche REALE
Projekt-Schutzmassnahme ein Cyber-Befund wieder oeffnet. Fallback auf Demo-Set,
bis die Projekt-Hazards geladen sind.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-17 09:18:23 +02:00
Benjamin Admin b76f3cee48 feat(cra): 'Projekt anlegen' triggert IACE-Auto-Ableitung (/initialize)
Nach dem Setzen der limits_form ruft createProject jetzt POST /iace/projects/
:id/initialize — IACE liest die limits_form als Narrative → Komponenten →
Gefährdungen → Maßnahmen → Verifikation → Normen (idempotent, best-effort).
Navigiert danach auf die Projekt-Übersicht (Risiko-Summary). Interview-Felder
bleiben editierbar, Ableitung im IACE re-triggerbar. Schliesst die Kette
Datenblatt → Grenzen → Gefährdungen/Maßnahmen.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-17 08:25:06 +02:00
Benjamin Admin 9e2655bfef fix(cra): IACE-Create id-Wrapper + MaschinenVO eigene Sektion
CI / detect-changes (push) Successful in 16s
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / build-sha-integrity (push) Successful in 12s
CI / validate-canonical-controls (push) Successful in 11s
CI / loc-budget (push) Successful in 24s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Successful in 3m10s
CI / test-go (push) Has been skipped
CI / iace-gt-coverage (push) Has been skipped
CI / test-python-backend (push) Successful in 32s
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
1) createProject las proj.id, der Create-Response ist aber {project:{id}} →
   'Projekt anlegen' war kaputt. Jetzt proj.project?.id. E2E verifiziert
   (create→put limits_form→get→delete = 200).
2) MaschinenVO-Sicherheitspflichten wurden in die CRA-Cyber-Buckets
   (Code/Prozess/Doku) gemischt → fehl-kategorisiert (Maschinen-Safety ≠
   CRA-Annex-I-Cyber). Jetzt eigene Response-Liste machinery_guideline +
   eigener Frontend-Abschnitt 'Maschinensicherheit (MaschinenVO 2023/1230)';
   geklebtes 'MaschVO'-Badge entfaellt damit.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-17 00:12:52 +02:00
Benjamin Admin 72117c447f fix(cra): IACE-Create braucht machine_type+manufacturer (binding required)
CreateProjectRequest verlangt machine_name, machine_type UND manufacturer
(alle required) → leere Werte gaben 400. Fallback 'Nicht angegeben', wenn das
Datenblatt sie nicht liefert (im Interview editierbar).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-16 23:54:27 +02:00
Benjamin Admin cf20fa85db feat(cra): 'Projekt anlegen' aus Datenblatt → IACE mit editierbaren Grenzen
DatasheetExtract: Button legt ein IACE-Projekt an (POST /iace/projects) und
speichert die extrahierten Grenzen + Rückfrage-Antworten als metadata.limits_form
(PUT), dann Navigation ins Interview. Das Interview-Formular bleibt voll
editierbar (jedes vorbefuellte Feld aenderbar, Auto-Save). Manuelles Anlegen
ueber /sdk/iace bleibt unveraendert.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-16 23:36:49 +02:00
Benjamin Admin b217429d39 feat(cra): Datenblatt-Extraktion auf lokales 35B + llm_status-Fix
llm_cascade additiv modell-faehig (optionaler model-Param, Cache-Key kennt
model_hint → keine Kollision; Default unveraendert für alle anderen Nutzer).
Datenblatt-Extraktor nutzt jetzt qwen3.5:35b-a3b (CRA_DATASHEET_MODEL, gleiches
Modell wie der Compliance Advisor) für bessere semantische Zuordnung. Plus
llm_status (ok|empty|unavailable) + Logging statt stillem except; Frontend zeigt
bei 'unavailable' einen Hinweis statt leerer Felder (wichtig auf prod ohne
lokales Ollama → Cascade-Fallback bzw. Hinweis).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-16 19:53:48 +02:00
Benjamin Admin 6ca085ffc5 feat(cra): Datenblatt-Analyse-Frontend (Grenzen-Extraktion + Rückfragen)
DatasheetExtract auf /sdk/cra: Datenblatt einfügen (oder Beispiel OWIS/Zwick) →
POST /extract-datasheet → gefuellte ISO-12100-Grenzen mit Quellen-Zitat +
deterministisch erkannte Schnittstellen/Einheiten + gezielte Rückfragen fuer
leere Pflichtfelder (foreseeable_misuses, person_groups, …). Vorstufe fuer
'Projekt anlegen' → IACE-Grenzen-Prefill.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-16 19:20:14 +02:00
Benjamin Admin 62fafaaec5 feat(cra): MaschinenVO-Gefährdungs-Ableitung + Cyber-Safety-Brücke
3-Tier-MaschinenVO-Verdict (direkt / sicherheitsrelevant / nicht relevant) aus
Personengefährdungs-Signal: eine Komponente ist keine Maschine, aber wenn ihre
Funktion bei Fehler ODER Manipulation Personen gefaehrden kann (Bewegung, Laser/
Auge, Kraft, Temperatur, elektrisch), ist sie sicherheitsrelevant — Pflicht
trifft den Maschinenbauer, Zulieferer liefert Nachweise, und ein Cyber-Angriff
kann die Sicherheitsfunktion aushebeln (Cyber-Safety-Bruecke). OWIS-mit-Laser
landet so korrekt als 'sicherheitsrelevante Komponente'. Engine + /readiness
additiv; Frontend: Gefährdungs-Frage + -Typen, MaschinenVO-Ergebnisblock.
Presets aktualisiert (OWIS: Laser+Bewegung, Zwick: Bewegung). 22 Tests gruen.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-16 18:48:52 +02:00
Benjamin Admin 2d9b650ac1 feat(cra): Eingangstür-Frontend — neutrales Verdict + Hersteller-Typ + Presets
ReadinessCheck erweitert: Hersteller-Typ-Weiche (Komponente/Endgeraet/Anlage-
Maschine/Software-App), Verkauf-ab-2027- und Kunden-Nachfrage-Fragen, Checkliste
vorhandener Nachweise. Neuer Ergebnis-View (ReadinessResult): 3-Tier-Verdict
(zwingend/ratsam/nicht betroffen, Co-Pilot-Ton ohne Panik-Rot) + Reifegrad-%
+ fehlende Nachweise + gefundene digitale Elemente + Pflichten-Uebersicht.
Zwei Demo-Presets (OWIS PS90+ Komponente, ZwickRoell roboTest Anlage+SW).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-16 17:25:17 +02:00
Benjamin Admin 8a0097f5da feat(coverage): Korpus-Dokumente gruppiert nach Art + Herausgeber-Familie
CI / detect-changes (push) Successful in 19s
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / build-sha-integrity (push) Successful in 14s
CI / validate-canonical-controls (push) Successful in 10s
CI / loc-budget (push) Successful in 25s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Successful in 3m8s
CI / test-go (push) Has been skipped
CI / iace-gt-coverage (push) Has been skipped
CI / test-python-backend (push) Successful in 27s
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
Die "Korpus-Dokumente"-Tabelle wird nach Dokument-Art geordnet
(Gesetze & Verordnungen → Behörden-Leitfäden → Standards & Best Practice →
Rechtsprechung) mit Zwischenüberschriften, und je Herausgeber-Familie
zusammengefasst (alle DSK, alle EDPB, alle OWASP/NIST/ENISA gemeinsam).
Deterministischer Kategorisierer (categorizeCorpusDoc) + Grouper
(groupCorpusDocs), pure + unit-getestet.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 12:20:10 +02:00
Benjamin Admin 9e9d780902 feat(cra): Management-Fortschritts-Ansicht (Ticket-Status-Readback)
Liest den Lebenszyklus jedes Befunds (status + tracker_issue_url) aus dem
Scanner zurück und rollt ihn zu einem Management-Bild auf: % erledigt,
4-Phasen (offen/in Arbeit/erledigt/ausgeschlossen), offenes Restrisiko nach
Schweregrad, Fortschritt je CRA-Anforderung und eine Aufgaben-/Ticket-Tabelle
mit Jira-Link. Neuer Endpoint GET/POST /api/v1/cra/progress (dünn → Service
cra_progress, rein deterministisch, kein /assess-Schema-Drift). Frontend:
ProgressView in Ebene 1 (CRACyberView), live je Scanner-Repo, sonst Demo-Status.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-16 10:10:45 +02:00
Benjamin Admin 7a4f086151 feat(cra): Maßnahmen-Provenienz + Lizenzklasse je Normquelle
Jede Normreferenz einer Maßnahme wird lizenzklassifiziert (eu_law /
public_domain / open / paid_reference) — paid-reference-Normen werden nur als
Verweis geführt, nie im Text gespeichert (idea/expression). Kuratierte
Maßnahmen tragen Tier 'core', KI-/Fallback-Maßnahmen 'review' (indikativ).
Frontend zeigt Quellen-Badges + "indikativ"-Kennzeichnung. Methodik in
docs-src/development/mapping-methodology.md (Szenario C, Due-Diligence).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-16 10:10:20 +02:00
Benjamin Admin 6c619ecc42 feat(cra): kuratierte Maßnahmen-Bibliothek — alle 40 CRA-Anforderungen belegt
- data/measures_curated.json: 24 deduplizierte, standard-gestützte Maßnahmen
  (9 bestehende M540-548 + 15 neue M600-614), Volltext + norm_refs + multi-reg
  covers. Deckt alle 40 CRA-AI-x (vorher nur 17).
- cra_annex_i_data lädt die Bibliothek defensiv: MEASURES=Superset, MEASURE_DETAILS
  (Volltext), mapped_measures aus covers abgeleitet. Fallback = hartkodierte 9.
- Mapper: open_measures tragen jetzt name+description+norm_refs (echte Volltexte).
- useCRA: merge nutzt Backend-Volltexte statt Demo-Lookup.
- Tests: Coverage (40/40) + Volltext im Assessment.

Quelle: extern handkuratiert/recherchiert, hier dedupliziert + gemappt. Maschinen-
VO/NIS2/IEC-Maßnahmen folgen, sobald deren Spine existiert.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-16 07:44:13 +02:00
Benjamin Admin 4c206aa332 feat(cra): scanner-repo→IACE-Projekt-Mapping persistieren (Pull-Flow) [migration-approved]
Ersetzt die ephemere Dropdown-Auswahl durch DB-Persistenz pro IACE-Projekt:
- Migration 156: compliance_cra_scanner_repo_map (tenant_id, iace_project_id PK,
  scanner_repo_id). Additiv + idempotent.
- GET/PUT /v1/cra/scanner-repo-map/{iace_project_id} (Upsert/Clear).
- useCRA lädt das gespeicherte Repo beim Laden + persistiert bei Auswahl.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-16 07:05:33 +02:00
Benjamin Admin 0a6e57ac02 feat(use-case-controls): Adressat-Achse — out-of-scope advisory + additiver GOV-Tag
2-Pass-Haiku-Klassifikation (konservativ + Re-Confirm jeder Nicht-unternehmen-
Einstufung) der Review-Tier-Atome: wer muss die Pflicht erfuellen?

- Migration 155: atom_classification.addressee (unternehmen/oeffentliche_stelle/
  aufsichtsbefugnis/staat_eu/dritter/meta), additiv, kein CHECK. [migration-approved]
- Service: addressee + applicable + is_gov pro Control; include_out_of_scope-Param
  (Default false -> out-of-scope advisory ausgeblendet, NIE geloescht); out_of_scope_count.
  Pure Helper addressee_applicable/addressee_is_gov (+ Tests).
- Route: optionaler include_out_of_scope-Query (contract-safe, additiv).
- Frontend: GOV-Chip (additiv) + "kein Kunden-Pruefaspekt"-Chip + 1-Klick-Toggle
  zum Einblenden der out-of-scope-Atome.

Daten: 40.859 Adressat-Tags auf macmini geladen (81% applicable, 19% advisory,
3.146 GOV). Konservativ: NULL/Unklar = applicable.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 06:58:37 +02:00
Benjamin Admin 90def4d857 feat(cra): Flow-2 UI — Scanner-Repo wählen → echtes Assessment
- GET /v1/cra/scanner-repos: distinct repo_ids (+counts) vom Scanner-MCP für den Picker.
- useCRA: scannerRepo-State; bei Auswahl POST /assess-from-scanner (echte Findings),
  sonst by-iace/Demo wie bisher.
- ScannerRepoPicker im CRA/Cyber-Tab; leere Auswahl = Demo, Repo gewählt = echte Befunde.

Mapping repo_id↔Projekt aktuell UI-seitig (ephemeral); DB-Persistenz pro Projekt folgt.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-16 05:49:15 +02:00
Benjamin Admin 926dc02a09 feat(use-case-controls): relevant als Stufe statt Hard-Filter + Provenance
CI / detect-changes (push) Successful in 15s
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / build-sha-integrity (push) Successful in 12s
CI / validate-canonical-controls (push) Successful in 12s
CI / loc-budget (push) Successful in 25s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Successful in 3m9s
CI / test-go (push) Has been skipped
CI / iace-gt-coverage (push) Has been skipped
CI / test-python-backend (push) Successful in 30s
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
Der harte relevant=true-Filter versteckte ~25% des Korpus (40.926 Atome),
~70% davon echte Pflichten (500er-Validierung). relevant wird zur Stufe:

- Service: tier-Param (core=Default schuetzt Agent/CRA; all=alles inkl. review),
  ORDER BY relevant DESC; pro Control relevant/tier/source_type
  (own_library bei license_rule=3, sonst derived) + source_regulation/article;
  core_count/review_count. Pure Helper tier_label + source_type (+ Tests).
- Route: optionaler tier-Query (default core) — contract-safe (additiv).
- Frontend: Coverage-Drill-down /sdk/coverage/[useCase] — Kern-Pflichten vs.
  "zur fachlichen Pruefung", je mit Herkunfts-Badge; Uebersicht zeigt Delta.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-15 20:58:25 +02:00
Benjamin Admin 7aaa7e083b feat(cra): Konformitätspfad-Kacheln — "Mit BreakPilot"-Rolle + aufklappbarer Info-Text
Reframe: BreakPilot ist Audit-VORBEREITER, nicht Prüfstelle. Jede Kachel zeigt
jetzt eine "Mit BreakPilot"-Zeile (Selbstbewertung = end-to-end; EUCC/benannte
Stelle = audit-fähig machen, formale Prüfung durch ITSEF/benannte Stelle) plus
aufklappbaren Erklär-Text (was EUCC ist, wie es läuft, was der Nutzer tut).
Normtext (ISO/IEC 15408/18045) nur referenziert, nicht reproduziert.
Kachel von <button> auf <div> + separater Wählen-Button + Info-Toggle umgebaut.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-15 15:12:49 +02:00
Benjamin Admin 731076835d fix(cra): Konformitätspfad-Kacheln korrekt benennen + Gating nach CRA Art. 32
(a) Labels: Module korrekt zugeordnet — Modul A = Selbstbewertung, Modul B+C =
    benannte Stelle, EUCC = eigenes Zertifikat (nicht Modul H), "harmonisierte
    Norm" ist kein Modul sondern Konformitätsvermutung. Für den CRA noch KEINE
    harmonisierte Norm veröffentlicht → Kachel als "noch nicht verfügbar"
    (erwartet ~2027), nicht wählbar, mit Hinweis. (page/path/documents-Labels.)
(b) Gating: wichtige Klasse II + kritische Produkte dürfen NICHT selbst bewerten;
    harmonisierte Norm allein genügt dort nicht → ALLOWED_PATHS IMPORTANT_II/
    CRITICAL = {eucc, notified_body}; DEFAULT_FOR II = notified_body. _PATH_HINT
    entsprechend. Regressionstest test_cra_conformity_paths.py.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-15 13:49:00 +02:00
Benjamin Admin e1f89f6226 feat(cra): CRA/Cyber-Tab in 3 Zielgruppen-Ebenen + Brücke /sdk/cra
Frontend-Reorganisation (kein Datenmodell-Umbau):
- Ebene 1 (Management): CRA-Readiness, offene Risiken (Klartext Kritisch/Hoch/..),
  Handlungsaufwand nach Evidenz-Typ, betroffene Vorschriften, Top-Risiken, Fristen.
- Ebene 2 (Safety × Cyber): "Cyber öffnet CE-Gefährdung erneut" als Hero (USP).
- Ebene 3 (Technik): Befund-Tabelle einklappbar, interne IDs (CRA-AI-x/CWE/NIST/
  OWASP/ISO) nur im Detail, Maßnahmen-Namen statt M-IDs, größere Schrift.
- Brücke: IACE-CRA-Tab ↔ /sdk/cra (Readiness-Check) beidseitig verlinkt.
- CRACyberView in Unterkomponenten gesplittet (LOC < 300).

scripts/qa/poc_cra_article_assign.py: PoC Artikel/Absatz-Zuordnung (Pfad B2b,
zurückgestellt — nicht MVP).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-15 00:48:53 +02:00
Benjamin Admin 828230746e feat(cra): Befund-Detail aufgeräumt + Rechts-Anker (source_article) sichtbar
Frontend (CRA/Cyber-Tab):
- Erklär-Zwischensätze je Ebene (Befund -> CRA-Anforderung -> Best-Practice-
  Standard -> Maßnahmen) + "So liest du einen Befund"-Legende.
- Kuratierte M-Maßnahmen und atom-grain "Regulatorische Breite" in EINE Sektion
  "Maßnahmen (wählbar)" zusammengeführt (statt zwei konkurrierender Listen).
- Standalone "Empfohlene Maßnahmen (Sollzustand)" entfernt (jetzt je Befund).

Backend:
- Atom-Controls-Query liefert jetzt cpl.source_article (Artikel/Anhang/Erwägungs-
  grund-Anker) zusätzlich zu source_regulation; via LATERAL-Join.
- enrich_findings_with_breadth trägt source_article in regulatory_breadth.
- Daten waren schon ingestiert (682/691 CRA-Atome haben source_article) — wurden
  nur nicht selektiert/angezeigt.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-14 23:14:53 +02:00
Benjamin Admin ef4cf1cb62 feat(cra,agent): readiness copy refinement + Track B (CompanyProfile prefill)
Readiness check: legally tighter + sales-sharper copy per review — names both
regulations cleanly (CRA + Machinery Reg 2023/1230 in plain language), frames CRA
Art. 13 as "more than a yearly pentest: assess/document/handle cyber risk across
the lifecycle" (not over-claiming a "continuously documented risk assessment"),
adds the "we turn regulation into code" positioning, and reorders the 8 questions
in CRA order (machine -> connectivity -> software -> updates -> remote -> app ->
personal data -> critical env).

Track B: the Compliance Agent Pre-Scan wizard now detects the shared
CompanyProfile and offers "Aus Profil übernehmen" — tolerant mapping (legal_form,
industry, employee_count) across the differing module vocabularies, user-
triggered (never silent), so company context isn't re-asked.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-14 22:27:44 +02:00
Benjamin Admin 00f304fed9 feat(controls): 5 neue Use Cases + Machinery-Fix + Korpus-/Lizenz-Übersicht
CI / detect-changes (push) Successful in 14s
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / build-sha-integrity (push) Successful in 11s
CI / validate-canonical-controls (push) Failing after 5s
CI / loc-budget (push) Successful in 22s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / test-go (push) Successful in 1m11s
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Successful in 3m41s
CI / iace-gt-coverage (push) Failing after 5s
CI / test-python-backend (push) Failing after 5s
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
- Registry: arbeitsrecht, gesellschaftsrecht, insolvenzrecht, csrd, bafin_it
  + Mapper-Regeln für zuvor ungemappte Quell-Gesetze, Machinery-Guide 2006/42
  -> maschinen. Jetzt 43 Use Cases (Achse 1 / license 1+2 vollständig).
- corpus_overview Service + GET /v1/controls/corpus: Quell-Dokumente mit
  Lizenz-Tier + atom-Count + Use-Case + kuratiertem Lizenz-Katalog.
- list_use_cases trägt atom_classification-Counts (atom_total/atom_relevant).
- Frontend /sdk/coverage: Use-Case-Übersicht + Korpus-Dokumente + Lizenz-Katalog.
- Tests: registry-Mappings (neue Domänen), corpus tier-labels, coverage-helpers.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-14 21:49:22 +02:00
Benjamin Admin 60f988f3cb feat(cra): hard CRA<->IACE link — IACE tab pulls the linked assessment [migration-approved]
Migration 153 adds compliance_cra_projects.linked_iace_project_id (additive,
idempotent). New thin router cra_link_routes.py: POST /projects/{id}/link-iace
sets the reference; GET /by-iace/{iace_project_id} returns the linked CRA project
+ its latest assessment snapshot. The IACE "CRA / Cyber" tab now resolves the
linked CRA assessment first (real, from the snapshot) and only falls back to the
demo scenario when nothing is linked. One assessment, two views.

[migration-approved] — user approved the new column for the CRA<->IACE reference.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-14 19:22:29 +02:00
Benjamin Admin b19d76407d chore(cra): align CRA module to the dev/demo tenant + demo-customer seed script
CRA frontend pages hardcoded tenant 00000000-…-001 while IACE uses the dev
tenant 9282a473-… → a demo customer was split/invisible across modules. Align all
app/sdk/cra pages to 9282a473-… so the whole CRA<->IACE journey lives under ONE
tenant. Add scripts/seed_demo_customer.py: seeds CompanyProfile + IACE project
(components, hazards, mitigations) + CRA project (intake, scope-check, assessment
snapshot from faked repo findings + components + safety functions) — the source-
repo layer is faked so the full frontend is walkable once.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-14 15:52:49 +02:00
Benjamin Admin b0f78ae9a3 feat(cra): readiness derives obligations from Machinery Reg 2023/1230 too
Machine/plant builders are hit by BOTH the CRA and the new Machinery Regulation.
New machinery_reg_cyber.py models its two well-corroborated Annex III cyber-with-
safety essential requirements (1.1.9 protection against corruption, 1.2.1 control-
system safety incl. foreseeable manipulation) in our own words; EU legal text is
freely reusable (Commission Decision 2011/833/EU, source acknowledged), harmonised
standards referenced by identifier only. The readiness check asks "is it
machinery?" and, if so, adds these obligations tagged "Maschinen-VO" alongside the
CRA ones — the combination is visible (regulations list + per-item source badge).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-14 14:26:08 +02:00
Benjamin Admin 2da3e5fdbb copy(cra): readiness check names both regulations + the living-system framing
Intro now states machine/plant builders are hit by BOTH the CRA (manufacturer
duties from 2027) and the new Machinery Regulation 2023/1230 (cyber-affecting-
safety in CE), and frames CRA Art. 13 as a continuously documented risk
assessment over the lifecycle — not a yearly pentest — which we run as a living
system (versioned snapshots). Educates the lead to win them.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-14 13:59:07 +02:00
Benjamin Admin 9660724a2c feat(cra): CRA Readiness Check lead-magnet on /sdk/cra (Track A)
Low-friction, stateless readiness check (no project/DB): business-scope answers
(internet / parameter app / remote maintenance / updates / firmware / personal
data / critical infra) -> Annex III/IV classification (reuses _classify) + a
high-level guideline grouped Code / Prozess / Dokumentation (via Annex I
evidence_type) + conformity path + deadlines + rough effort + the "we implement"
hook and a CTA into the existing project workflow. Endpoint POST /api/v1/cra/
readiness. Reuse + reframe of the existing CRA module — no duplicate questionnaire.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-14 13:33:09 +02:00
Benjamin Admin 398eaf3c36 feat(cra): two-lane breadth — CRA-specific corpus + technical depth
All 6 security use_cases are atom-grain now. Per finding we draw two lanes: the
CRA corpus (use_case=cra, the most on-point CRA obligations) + the technical
depth (code_security for secure-dev, else network_security). Controls merged,
deduped, each tagged with its use_case (shown in the best-practice depth).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-14 12:23:37 +02:00
Benjamin Admin a06c64af48 feat(cra): route secure-dev breadth to code_security (atom-grain)
Both network_security and code_security are now atom-grain. Per-sub_topic
use_case routing: secure_development -> code_security (best for secure-dev
findings), everything else -> network_security. Findings carry breadth_use_case
so the source context (which atom corpus) is visible under the best-practice depth.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-14 11:04:24 +02:00
Benjamin Admin c7845f67d6 feat(cra): attach network_security regulatory breadth (shared Controls-API)
Semantic breadth (2): each finding's CRA-AI is mapped to a network_security
sub_topic and enriched with atom-grain, framework-traceable obligations from the
shared Controls-API (compliance.atom_classification) — at the endpoint/view layer
(SessionLocal), NOT in the pure mapper. CRA-AI anchor + curated measure +
NIST/OWASP crosswalk stay the lead; this is breadth + source evidence. Only
network_security is queried (atom-grain), scoped by sub_topic + limit. Frontend
renders it under the collapsible best-practice depth (control_id · title · source).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-14 10:45:21 +02:00