feat(ucca): adopt obligation_id + harden join to semantic (step 3 core)

The Obligation Registry filled proposed_obligation_id (7/7) + cut the logging
family (obligations 47->66). Adopted obligation_id onto our 7 accepted CRA->OWASP
mappings; the join now prefers the EXACT obligation_id over the coarse
citation_unit (which stays as fallback for not-yet-adopted rows).

Effect: semantic coverage 2->4 (user_authentication_required,
credential_confidentiality_protection, auth_key_management,
event_logging_security_events). Befund 1 resolved: V11.2.1 crypto now sits under
credential_confidentiality_protection, not user_authentication_required.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

ai-compliance-sdk/data/control_mappings/cra_owasp.jsonl

@@ -2,13 +2,13 @@
 // Reviewt 2026-06-25 (benjamin): 7 accepted, 13 rejected. accepted = Audit-Wahrheit (Advisor nutzt acceptedOnly).
 // rejected bleiben als Audit-Spur ("warum verworfen"). KEIN confidence — kuratiert = fachliche Feststellung.
 // Architekturbeweis: CRA -> OWASP fuer AppSec/Auth/Crypto/Logging; Ops/Update/Attack-Surface/Integritaet -> NIST/BSI.
-{"source_norm": "CRA Annex I Part I (2)(c) — Schutz vor unbefugtem Zugriff", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V6.3.1", "mapping_type": "supports", "mapping_status": "accepted", "provenance": "human_curated", "rationale": "V6 = Authentication.", "reviewed_by": "benjamin", "review_date": "2026-06-25", "review_reason": "V6 = Authentication, sauberer Treffer fuer Zugriffsschutz/Authentisierung.", "version": "2026-06-25"}
-{"source_norm": "CRA Annex I Part I (2)(c) — Schutz vor unbefugtem Zugriff", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V6.1.1", "mapping_type": "supports", "mapping_status": "accepted", "provenance": "human_curated", "rationale": "V6 = Authentication.", "reviewed_by": "benjamin", "review_date": "2026-06-25", "review_reason": "V6 = Authentication, sauberer Treffer fuer Zugriffsschutz/Authentisierung.", "version": "2026-06-25"}
-{"source_norm": "CRA Annex I Part I (2)(d) — Vertraulichkeit / Verschluesselung", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V11.2.1", "mapping_type": "supports", "mapping_status": "accepted", "provenance": "human_curated", "rationale": "V11 = Cryptography.", "reviewed_by": "benjamin", "review_date": "2026-06-25", "review_reason": "Korrektur von V14: V11 = Cryptography, richtiger Bereich fuer Verschluesselung.", "version": "2026-06-25"}
-{"source_norm": "CRA Annex I Part I (2)(d) — Vertraulichkeit / Verschluesselung", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V11.7.1", "mapping_type": "supports", "mapping_status": "accepted", "provenance": "human_curated", "rationale": "V11.7 = Key Management.", "reviewed_by": "benjamin", "review_date": "2026-06-25", "review_reason": "Korrektur von V14: V11.7 = Key Management fuer Verschluesselung/Schluesselverwaltung.", "version": "2026-06-25"}
-{"source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V16.3.3", "mapping_type": "supports", "mapping_status": "accepted", "provenance": "human_curated", "rationale": "V16 = Security Logging.", "reviewed_by": "benjamin", "review_date": "2026-06-25", "review_reason": "V16 = Logging, sauberer Treffer fuer sicherheitsrelevante Ereignisse.", "version": "2026-06-25"}
-{"source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V16.3.4", "mapping_type": "supports", "mapping_status": "accepted", "provenance": "human_curated", "rationale": "V16 = Security Logging.", "reviewed_by": "benjamin", "review_date": "2026-06-25", "review_reason": "V16 = Logging, sauberer Treffer fuer sicherheitsrelevante Ereignisse.", "version": "2026-06-25"}
-{"source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V16.1.1", "mapping_type": "supports", "mapping_status": "accepted", "provenance": "human_curated", "rationale": "V16 = Security Logging.", "reviewed_by": "benjamin", "review_date": "2026-06-25", "review_reason": "V16 = Logging, sauberer Treffer fuer sicherheitsrelevante Ereignisse.", "version": "2026-06-25"}
+{"source_norm": "CRA Annex I Part I (2)(c) — Schutz vor unbefugtem Zugriff", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V6.3.1", "mapping_type": "supports", "mapping_status": "accepted", "provenance": "human_curated", "rationale": "V6 = Authentication.", "reviewed_by": "benjamin", "review_date": "2026-06-25", "review_reason": "V6 = Authentication, sauberer Treffer fuer Zugriffsschutz/Authentisierung.", "version": "2026-06-25", "obligation_id": "user_authentication_required"}
+{"source_norm": "CRA Annex I Part I (2)(c) — Schutz vor unbefugtem Zugriff", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V6.1.1", "mapping_type": "supports", "mapping_status": "accepted", "provenance": "human_curated", "rationale": "V6 = Authentication.", "reviewed_by": "benjamin", "review_date": "2026-06-25", "review_reason": "V6 = Authentication, sauberer Treffer fuer Zugriffsschutz/Authentisierung.", "version": "2026-06-25", "obligation_id": "user_authentication_required"}
+{"source_norm": "CRA Annex I Part I (2)(d) — Vertraulichkeit / Verschluesselung", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V11.2.1", "mapping_type": "supports", "mapping_status": "accepted", "provenance": "human_curated", "rationale": "V11 = Cryptography.", "reviewed_by": "benjamin", "review_date": "2026-06-25", "review_reason": "Korrektur von V14: V11 = Cryptography, richtiger Bereich fuer Verschluesselung.", "version": "2026-06-25", "obligation_id": "credential_confidentiality_protection"}
+{"source_norm": "CRA Annex I Part I (2)(d) — Vertraulichkeit / Verschluesselung", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V11.7.1", "mapping_type": "supports", "mapping_status": "accepted", "provenance": "human_curated", "rationale": "V11.7 = Key Management.", "reviewed_by": "benjamin", "review_date": "2026-06-25", "review_reason": "Korrektur von V14: V11.7 = Key Management fuer Verschluesselung/Schluesselverwaltung.", "version": "2026-06-25", "obligation_id": "auth_key_management"}
+{"source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V16.3.3", "mapping_type": "supports", "mapping_status": "accepted", "provenance": "human_curated", "rationale": "V16 = Security Logging.", "reviewed_by": "benjamin", "review_date": "2026-06-25", "review_reason": "V16 = Logging, sauberer Treffer fuer sicherheitsrelevante Ereignisse.", "version": "2026-06-25", "obligation_id": "event_logging_security_events"}
+{"source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V16.3.4", "mapping_type": "supports", "mapping_status": "accepted", "provenance": "human_curated", "rationale": "V16 = Security Logging.", "reviewed_by": "benjamin", "review_date": "2026-06-25", "review_reason": "V16 = Logging, sauberer Treffer fuer sicherheitsrelevante Ereignisse.", "version": "2026-06-25", "obligation_id": "event_logging_security_events"}
+{"source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V16.1.1", "mapping_type": "supports", "mapping_status": "accepted", "provenance": "human_curated", "rationale": "V16 = Security Logging.", "reviewed_by": "benjamin", "review_date": "2026-06-25", "review_reason": "V16 = Logging, sauberer Treffer fuer sicherheitsrelevante Ereignisse.", "version": "2026-06-25", "obligation_id": "event_logging_security_events"}
 {"source_norm": "CRA Annex I Part I (2)(c) — Schutz vor unbefugtem Zugriff", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V14.2.4", "mapping_type": "related", "mapping_status": "rejected", "provenance": "human_curated", "rationale": "Retriever-Kandidat.", "reviewed_by": "benjamin", "review_date": "2026-06-25", "review_reason": "V14 = Config, kein Auth — verworfen.", "version": "2026-06-25"}
 {"source_norm": "CRA Annex I Part I (2)(d) — Vertraulichkeit / Verschluesselung", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V14.2.4", "mapping_type": "related", "mapping_status": "rejected", "provenance": "human_curated", "rationale": "Retriever-Kandidat.", "reviewed_by": "benjamin", "review_date": "2026-06-25", "review_reason": "V14 = Config, Crypto gehoert zu V11 — verworfen.", "version": "2026-06-25"}
 {"source_norm": "CRA Annex I Part I (2)(d) — Vertraulichkeit / Verschluesselung", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V14.3.2", "mapping_type": "related", "mapping_status": "rejected", "provenance": "human_curated", "rationale": "Retriever-Kandidat.", "reviewed_by": "benjamin", "review_date": "2026-06-25", "review_reason": "V14 = Config, Crypto gehoert zu V11 — verworfen.", "version": "2026-06-25"}

ai-compliance-sdk/internal/ucca/compliance_status.go

@@ -0,0 +1,71 @@
+package ucca
+
+// ObligationStatus is the Advisor's vertical slice over the compliance graph for ONE legal
+// obligation: which accepted controls satisfy it, what evidence they require, what's missing,
+// and the resulting status. The point is "the required evidence is (not) present", not "a
+// document exists". citation_spans is pending until the Legal-Knowledge-Graph session attaches
+// them to the obligation (the upper half of the bridge).
+type ObligationStatus struct {
+	ObligationID  string                    `json:"obligation_id"`
+	LegalBasis    []string                  `json:"legal_basis"` // the obligation's citation_units
+	Status        string                    `json:"status"`      // erfuellt | offen | unklar
+	Controls      []ObligationControlStatus `json:"controls"`
+	CitationSpans string                    `json:"citation_spans"` // "pending" until the registry fills them
+}
+
+// ObligationControlStatus is one control under an obligation with its evidence picture.
+type ObligationControlStatus struct {
+	Framework        string                `json:"framework"`
+	Control          string                `json:"control"`
+	MappingType      string                `json:"mapping_type"`
+	RequiredEvidence []EvidenceRequirement `json:"required_evidence"`
+	MissingEvidence  []EvidenceRequirement `json:"missing_evidence"`
+}
+
+// AssessObligationStatus traverses obligation_id -> (citation_unit) -> accepted Controls ->
+// required Evidence -> Status. hasEvidence reports whether a given (framework, control,
+// evidence_type) is already collected; pass nil in the MVP (no collection yet) -> everything
+// required is missing and the status is "offen". Unknown or unmapped obligation -> "unklar".
+func AssessObligationStatus(joins *ObligationJoinKeys, mappings *ControlMappingSet, evidence *EvidenceRequirementSet, obligationID string, hasEvidence func(framework, control, evidenceType string) bool) ObligationStatus {
+	ob := joins.FindObligation(obligationID)
+	if ob == nil {
+		return ObligationStatus{ObligationID: obligationID, Status: "unklar", CitationSpans: "pending"}
+	}
+	st := ObligationStatus{
+		ObligationID:  obligationID,
+		LegalBasis:    ob.CitationUnits,
+		CitationSpans: "pending",
+		Controls:      []ObligationControlStatus{},
+	}
+	ctrls := AcceptedControlsForObligation(*ob, mappings)
+	if len(ctrls) == 0 {
+		st.Status = "unklar" // no accepted control reaches it — we cannot assess
+		return st
+	}
+	anyMissing := false
+	for _, m := range ctrls {
+		req := evidence.RequiredFor(m.TargetFramework, m.TargetControl)
+		missing := make([]EvidenceRequirement, 0, len(req))
+		for _, e := range req {
+			if hasEvidence == nil || !hasEvidence(e.Framework, e.Control, e.EvidenceType) {
+				missing = append(missing, e)
+			}
+		}
+		if len(missing) > 0 {
+			anyMissing = true
+		}
+		st.Controls = append(st.Controls, ObligationControlStatus{
+			Framework:        m.TargetFramework,
+			Control:          m.TargetControl,
+			MappingType:      m.MappingType,
+			RequiredEvidence: req,
+			MissingEvidence:  missing,
+		})
+	}
+	if anyMissing {
+		st.Status = "offen"
+	} else {
+		st.Status = "erfuellt"
+	}
+	return st
+}

ai-compliance-sdk/internal/ucca/compliance_status_test.go

@@ -0,0 +1,59 @@
+package ucca
+
+import "testing"
+
+func loadGraph(t *testing.T) (*ObligationJoinKeys, *ControlMappingSet, *EvidenceRequirementSet) {
+	t.Helper()
+	joins, err := LoadObligationJoinKeys("../../../obligations/obligation_join_keys.json")
+	if err != nil {
+		t.Fatalf("join keys: %v", err)
+	}
+	maps, err := LoadControlMappings("../../data/control_mappings")
+	if err != nil {
+		t.Fatalf("mappings: %v", err)
+	}
+	ev, err := LoadEvidenceRequirements("../../data/evidence_requirements")
+	if err != nil {
+		t.Fatalf("evidence: %v", err)
+	}
+	return joins, maps, ev
+}
+
+func TestAssessObligationStatus(t *testing.T) {
+	joins, maps, ev := loadGraph(t)
+
+	// covered obligation, no evidence collected yet (MVP) -> offen
+	st := AssessObligationStatus(joins, maps, ev, "user_authentication_required", nil)
+	if st.Status != "offen" {
+		t.Errorf("want offen, got %q", st.Status)
+	}
+	if len(st.Controls) == 0 {
+		t.Fatal("expected controls for a covered obligation")
+	}
+	for _, c := range st.Controls {
+		if len(c.MissingEvidence) != len(c.RequiredEvidence) {
+			t.Error("MVP: all required evidence should be missing")
+		}
+	}
+	t.Logf("DURCHSTICH user_authentication_required: status=%s legal_basis=%v citation_spans=%s",
+		st.Status, st.LegalBasis, st.CitationSpans)
+	for _, c := range st.Controls {
+		t.Logf("  %s %s (%s): %d required evidence, %d missing", c.Framework, c.Control, c.MappingType, len(c.RequiredEvidence), len(c.MissingEvidence))
+	}
+
+	// all evidence present -> erfuellt
+	st2 := AssessObligationStatus(joins, maps, ev, "user_authentication_required", func(f, c, et string) bool { return true })
+	if st2.Status != "erfuellt" {
+		t.Errorf("want erfuellt with all evidence present, got %q", st2.Status)
+	}
+
+	// uncovered obligation (no accepted control reaches it) -> unklar
+	if st3 := AssessObligationStatus(joins, maps, ev, "sbom_creation", nil); st3.Status != "unklar" {
+		t.Errorf("uncovered sbom_creation: want unklar, got %q", st3.Status)
+	}
+
+	// unknown obligation_id -> unklar
+	if st4 := AssessObligationStatus(joins, maps, ev, "does_not_exist", nil); st4.Status != "unklar" {
+		t.Errorf("unknown obligation: want unklar, got %q", st4.Status)
+	}
+}

ai-compliance-sdk/internal/ucca/control_mapping.go

@@ -19,13 +19,14 @@ import (
 // professional statement, not an AI guess. The retriever's score lives only in the rationale
 // of a candidate, never as structured truth.
 type ControlMapping struct {
-	SourceNorm      string `json:"source_norm"`      // e.g. "CRA Annex I Part I (2)(c)"
-	SourceRole      string `json:"source_role"`      // source_role of the norm (operational_requirement, ...)
-	TargetFramework string `json:"target_framework"` // e.g. "OWASP ASVS"
-	TargetControl   string `json:"target_control"`   // e.g. "V6.3.1"
-	MappingType     string `json:"mapping_type"`     // supports | partially_supports | implements | related | contradicts
-	MappingStatus   string `json:"mapping_status"`   // candidate | accepted | rejected | superseded
-	Provenance      string `json:"provenance"`       // retriever_candidate | human_curated | rule_based
+	SourceNorm      string `json:"source_norm"`             // e.g. "CRA Annex I Part I (2)(c)"
+	SourceRole      string `json:"source_role"`             // source_role of the norm (operational_requirement, ...)
+	TargetFramework string `json:"target_framework"`        // e.g. "OWASP ASVS"
+	TargetControl   string `json:"target_control"`          // e.g. "V6.3.1"
+	MappingType     string `json:"mapping_type"`            // supports | partially_supports | implements | related | contradicts
+	MappingStatus   string `json:"mapping_status"`          // candidate | accepted | rejected | superseded
+	Provenance      string `json:"provenance"`              // retriever_candidate | human_curated | rule_based
+	ObligationID    string `json:"obligation_id,omitempty"` // stable cross-session join key (Obligation Registry); empty until adopted, citation_unit is the interim bridge
 	Rationale       string `json:"rationale"`
 	ReviewedBy      string `json:"reviewed_by,omitempty"` // who decided (human or rule id)
 	ReviewDate      string `json:"review_date,omitempty"` // YYYY-MM-DD

ai-compliance-sdk/internal/ucca/obligation_join.go

@@ -0,0 +1,172 @@
+package ucca
+
+import (
+	"encoding/json"
+	"os"
+	"regexp"
+	"strings"
+)
+
+// ObligationKey is one entry of the Obligation Registry's cross-session contract
+// (obligations/obligation_join_keys.json). obligation_id is the STABLE join key — assigned
+// only by the Registry, never minted here. citation_units are the interim bridge until our
+// ControlMapping adopts obligation_id directly.
+type ObligationKey struct {
+	ObligationID  string   `json:"obligation_id"`
+	Regulation    string   `json:"regulation"`
+	Family        string   `json:"family"`
+	Tier          string   `json:"tier"`
+	CitationUnits []string `json:"citation_units"`
+	SourceRole    string   `json:"source_role"`
+}
+
+// ObligationJoinKeys is the loaded contract + a citation-unit index for the interim join.
+type ObligationJoinKeys struct {
+	SchemaVersion string          `json:"schema_version"`
+	Count         int             `json:"count"`
+	ObligationIDs []ObligationKey `json:"obligation_ids"`
+	byCitationKey map[string][]string
+}
+
+var citationRefRe = regexp.MustCompile(`\(([0-9a-zA-Z]+)\)`)
+
+// citationUnitKey normalizes a CRA Annex I reference for the INTERIM citation_unit join, so
+// our "CRA Annex I Part I (2)(c)" and the Registry's "Annex I (2)(c)" collapse to the same
+// key ("i:2.c"). Interim only — superseded by the stable obligation_id once adopted.
+func citationUnitKey(cu string) string {
+	low := strings.ToLower(cu)
+	part := ""
+	switch {
+	case strings.Contains(low, "part ii"):
+		part = "ii"
+	case strings.Contains(low, "part i"), strings.Contains(low, "(2)"):
+		part = "i" // CRA Annex I Part I = the (2)(x) essential requirements
+	}
+	var refs []string
+	for _, m := range citationRefRe.FindAllStringSubmatch(cu, -1) {
+		refs = append(refs, strings.ToLower(m[1]))
+	}
+	return part + ":" + strings.Join(refs, ".")
+}
+
+// LoadObligationJoinKeys reads the Registry contract and indexes it by citation-unit key.
+func LoadObligationJoinKeys(path string) (*ObligationJoinKeys, error) {
+	raw, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+	var o ObligationJoinKeys
+	if err := json.Unmarshal(raw, &o); err != nil {
+		return nil, err
+	}
+	o.byCitationKey = map[string][]string{}
+	for _, ob := range o.ObligationIDs {
+		for _, cu := range ob.CitationUnits {
+			k := citationUnitKey(cu)
+			o.byCitationKey[k] = append(o.byCitationKey[k], ob.ObligationID)
+		}
+	}
+	return &o, nil
+}
+
+// ObligationsForCitation returns the obligation_ids that join (interim) to a citation
+// reference such as a control_mapping.source_norm.
+func (o *ObligationJoinKeys) ObligationsForCitation(citationRef string) []string {
+	return o.byCitationKey[citationUnitKey(citationRef)]
+}
+
+// FindObligation returns the registry entry for an obligation_id (nil if unknown).
+func (o *ObligationJoinKeys) FindObligation(obligationID string) *ObligationKey {
+	for i := range o.ObligationIDs {
+		if o.ObligationIDs[i].ObligationID == obligationID {
+			return &o.ObligationIDs[i]
+		}
+	}
+	return nil
+}
+
+// mappingReaches reports whether a control mapping reaches an obligation — EXACT via the
+// adopted obligation_id (semantic, preferred), else via the interim citation_unit join (for
+// not-yet-adopted rows). Once obligation_id is set, the coarse citation_unit match is ignored:
+// that is how the semantic join replaces the structural one (e.g. V11.2.1 crypto no longer
+// rides (2)(d) into user_authentication_required — it goes to credential_confidentiality_protection).
+func mappingReaches(m ControlMapping, ob ObligationKey, citationKeys map[string]bool) bool {
+	if m.ObligationID != "" {
+		return m.ObligationID == ob.ObligationID
+	}
+	return citationKeys[citationUnitKey(m.SourceNorm)]
+}
+
+// AcceptedControlsForObligation returns our accepted control mappings that reach an obligation
+// (deduped by target control), obligation_id-exact where adopted, citation_unit otherwise.
+func AcceptedControlsForObligation(ob ObligationKey, mappings *ControlMappingSet) []ControlMapping {
+	keys := make(map[string]bool, len(ob.CitationUnits))
+	for _, cu := range ob.CitationUnits {
+		keys[citationUnitKey(cu)] = true
+	}
+	out := []ControlMapping{}
+	seen := map[string]bool{}
+	for _, m := range mappings.All {
+		if !m.IsAccepted() || !mappingReaches(m, ob, keys) {
+			continue
+		}
+		ck := m.TargetFramework + ":" + m.TargetControl
+		if seen[ck] {
+			continue
+		}
+		seen[ck] = true
+		out = append(out, m)
+	}
+	return out
+}
+
+// ObligationCoverage is one row of the cross-session coverage report.
+type ObligationCoverage struct {
+	ObligationID     string   `json:"obligation_id"`
+	Family           string   `json:"family"`
+	Status           string   `json:"status"` // covered | mapped_rejected | uncovered
+	AcceptedControls []string `json:"accepted_controls"`
+	EvidenceCount    int      `json:"evidence_count"`
+}
+
+// ComputeObligationCoverage joins the Registry obligations to our control mappings — exact via
+// obligation_id where adopted, else via the interim citation_unit join — and reports per
+// obligation: covered (>=1 accepted control reaches it), mapped_rejected (only rejected
+// mappings reach it), or uncovered. The signal back to the Obligation session.
+func ComputeObligationCoverage(joins *ObligationJoinKeys, mappings *ControlMappingSet, evidence *EvidenceRequirementSet) []ObligationCoverage {
+	out := make([]ObligationCoverage, 0, len(joins.ObligationIDs))
+	for _, ob := range joins.ObligationIDs {
+		keys := make(map[string]bool, len(ob.CitationUnits))
+		for _, cu := range ob.CitationUnits {
+			keys[citationUnitKey(cu)] = true
+		}
+		cov := ObligationCoverage{ObligationID: ob.ObligationID, Family: ob.Family}
+		seen := map[string]bool{}
+		rejected := false
+		for _, m := range mappings.All {
+			if !mappingReaches(m, ob, keys) {
+				continue
+			}
+			if m.IsAccepted() {
+				ck := m.TargetFramework + ":" + m.TargetControl
+				if !seen[ck] {
+					seen[ck] = true
+					cov.AcceptedControls = append(cov.AcceptedControls, ck)
+					cov.EvidenceCount += len(evidence.RequiredFor(m.TargetFramework, m.TargetControl))
+				}
+			} else if m.MappingStatus == "rejected" {
+				rejected = true
+			}
+		}
+		switch {
+		case len(cov.AcceptedControls) > 0:
+			cov.Status = "covered"
+		case rejected:
+			cov.Status = "mapped_rejected"
+		default:
+			cov.Status = "uncovered"
+		}
+		out = append(out, cov)
+	}
+	return out
+}

ai-compliance-sdk/internal/ucca/obligation_join_test.go

@@ -0,0 +1,61 @@
+package ucca
+
+import "testing"
+
+func TestCitationUnitKey_Join(t *testing.T) {
+	// our source_norm and the registry citation_unit must collapse to the SAME key.
+	if citationUnitKey("CRA Annex I Part I (2)(c) — Schutz vor unbefugtem Zugriff") != citationUnitKey("Annex I (2)(c)") {
+		t.Errorf("interim join broken: %q vs %q",
+			citationUnitKey("CRA Annex I Part I (2)(c)"), citationUnitKey("Annex I (2)(c)"))
+	}
+	// Part II must NOT collide with Part I.
+	if citationUnitKey("Annex I Part II (1)") == citationUnitKey("CRA Annex I Part I (2)(c)") {
+		t.Error("Part II must not join to Part I")
+	}
+}
+
+func TestLoadObligationJoinKeys(t *testing.T) {
+	o, err := LoadObligationJoinKeys("../../../obligations/obligation_join_keys.json")
+	if err != nil {
+		t.Fatalf("load: %v", err)
+	}
+	if o.Count != len(o.ObligationIDs) {
+		t.Errorf("count %d != len %d", o.Count, len(o.ObligationIDs))
+	}
+	if len(o.ObligationIDs) == 0 {
+		t.Fatal("empty contract")
+	}
+	if got := o.ObligationsForCitation("CRA Annex I Part I (2)(c)"); len(got) == 0 {
+		t.Error("expected an obligation joined to (2)(c)")
+	}
+}
+
+func TestObligationCoverage_Report(t *testing.T) {
+	joins, err := LoadObligationJoinKeys("../../../obligations/obligation_join_keys.json")
+	if err != nil {
+		t.Fatalf("join keys: %v", err)
+	}
+	maps, err := LoadControlMappings("../../data/control_mappings")
+	if err != nil {
+		t.Fatalf("mappings: %v", err)
+	}
+	ev, err := LoadEvidenceRequirements("../../data/evidence_requirements")
+	if err != nil {
+		t.Fatalf("evidence: %v", err)
+	}
+	cov := ComputeObligationCoverage(joins, maps, ev)
+	if len(cov) == 0 {
+		t.Fatal("no coverage computed")
+	}
+	byStatus := map[string]int{}
+	for _, c := range cov {
+		byStatus[c.Status]++
+	}
+	t.Logf("COVERAGE: %d Obligations | covered=%d mapped_rejected=%d uncovered=%d",
+		len(cov), byStatus["covered"], byStatus["mapped_rejected"], byStatus["uncovered"])
+	for _, c := range cov {
+		if c.Status != "uncovered" {
+			t.Logf("  %-15s %-36s controls=%v evidence=%d", c.Status, c.ObligationID, c.AcceptedControls, c.EvidenceCount)
+		}
+	}
+}

obligations/controls_for_obligation_mapping.json

@@ -0,0 +1,67 @@
+{
+ "schema_version": "controls_for_obligation_mapping_v1",
+ "purpose": "Accepted CRA->OWASP controls (Compliance Execution Graph) for the Obligation Registry to propose the SEMANTIC control->obligation_id, replacing the coarse citation_unit interim join. Fill proposed_obligation_id per control, then we adopt it into control_mapping.obligation_id.",
+ "source": "ai-compliance-sdk control_mappings, mapping_status=accepted, reviewed_by=benjamin 2026-06-25",
+ "filled_by": "obligation-registry-session 2026-06-25 (alle 7/7: 4 auth/crypto + 3 logging via cra_logging.json)",
+ "join_principle": "SEMANTISCH via obligation_id, NICHT via citation_unit/legal_basis-Anker. Die CRA-Anker sind im Registry teils approximativ (siehe anchor_quality_note) — daher ist obligation_id der stabile Primaerschluessel, nicht der Anker.",
+ "anchor_quality_note": "Registry-legal_basis-Anker sind teils CRA-Part-I-fehlzugeordnet (Opus-Synthese): user_authentication_required steht auf (2)(d) statt (2)(c); Crypto-Obligations auf (2)(e) statt (2)(d). CRA Annex I Part I: (2)(c)=Zugriffsschutz, (2)(d)=Vertraulichkeit, (2)(e)=Integritaet. Korrektur kommt mit dem zitierfaehigen Re-Ingest (span-genau). Deshalb: NICHT auf Anker joinen. ABER: der Logging-Cut (V16.*) ist korrekt auf (2)(k) verankert (echte Logging-Subsektion, kein Fehl-Anker).",
+ "count": 7,
+ "controls": [
+  {
+   "framework": "OWASP ASVS", "control": "V6.3.1",
+   "source_norm": "CRA Annex I Part I (2)(c) — Schutz vor unbefugtem Zugriff",
+   "citation_unit": "Annex I (2)(c)", "family": "auth", "mapping_type": "supports",
+   "proposed_obligation_id": "user_authentication_required",
+   "mapping_method": "semantic",
+   "mapping_note": "Zugriffsschutz/Authentisierung-vor-Zugriff = Nutzer-Auth (NICHT firmware, trotz strukturellem (2)(c)-Join)"
+  },
+  {
+   "framework": "OWASP ASVS", "control": "V6.1.1",
+   "source_norm": "CRA Annex I Part I (2)(c) — Schutz vor unbefugtem Zugriff",
+   "citation_unit": "Annex I (2)(c)", "family": "auth", "mapping_type": "supports",
+   "proposed_obligation_id": "user_authentication_required",
+   "mapping_method": "semantic",
+   "mapping_note": "wie V6.3.1"
+  },
+  {
+   "framework": "OWASP ASVS", "control": "V11.2.1",
+   "source_norm": "CRA Annex I Part I (2)(d) — Vertraulichkeit / Verschluesselung",
+   "citation_unit": "Annex I (2)(d)", "family": "crypto", "mapping_type": "supports",
+   "proposed_obligation_id": "credential_confidentiality_protection",
+   "mapping_method": "semantic",
+   "mapping_note": "Vertraulichkeit von Auth-Daten. ALT: encrypted_auth_channel, falls V11.2.1 transit-/kanal-spezifisch ist — bitte aus eurem Control-Text bestaetigen."
+  },
+  {
+   "framework": "OWASP ASVS", "control": "V11.7.1",
+   "source_norm": "CRA Annex I Part I (2)(d) — Vertraulichkeit / Verschluesselung",
+   "citation_unit": "Annex I (2)(d)", "family": "crypto", "mapping_type": "supports",
+   "proposed_obligation_id": "auth_key_management",
+   "mapping_method": "semantic",
+   "mapping_note": "Key Management = Schluessel erzeugen/speichern/HSM"
+  },
+  {
+   "framework": "OWASP ASVS", "control": "V16.3.3",
+   "source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging",
+   "citation_unit": "Annex I (2)(k)", "family": "logging", "mapping_type": "supports",
+   "proposed_obligation_id": "event_logging_security_events",
+   "mapping_method": "semantic",
+   "mapping_note": "Umbrella-LM 'Produkt protokolliert sicherheitsrelevante Ereignisse' (CRA (2)(k)). ALT bei access-decision-spezifischem Control-Text: access_control_event_logging — bitte aus eurem ASVS-V16.3-Text bestaetigen."
+  },
+  {
+   "framework": "OWASP ASVS", "control": "V16.3.4",
+   "source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging",
+   "citation_unit": "Annex I (2)(k)", "family": "logging", "mapping_type": "supports",
+   "proposed_obligation_id": "event_logging_security_events",
+   "mapping_method": "semantic",
+   "mapping_note": "Umbrella-LM (CRA (2)(k)). ALT bei admin-/privileg-spezifischem Control-Text: audit_trail_admin_actions — bitte aus eurem ASVS-V16.3-Text bestaetigen."
+  },
+  {
+   "framework": "OWASP ASVS", "control": "V16.1.1",
+   "source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging",
+   "citation_unit": "Annex I (2)(k)", "family": "logging", "mapping_type": "supports",
+   "proposed_obligation_id": "event_logging_security_events",
+   "mapping_method": "semantic",
+   "mapping_note": "V16.1 = allgemeine Logging-Anforderung -> Umbrella-LM event_logging_security_events. Hohe Konfidenz."
+  }
+ ]
+}

obligations/cra_procedures.json

@@ -0,0 +1,227 @@
+{
+ "schema_version": "obligation_procedures_v1",
+ "regulation": "CRA",
+ "layer": "Regulation -> Legal Obligation -> Procedure -> Control -> Evidence",
+ "note": "Procedure ist KEINE neue Compliance-Pflicht. LEGAL_MINIMUM liegt an der Obligation; die Procedure beschreibt, WIE sie umgesetzt wird; Evidence belegt die Umsetzung. source_role=procedural_requirement (Konvergenz mit der Legal-Knowledge-Engine der anderen Session).",
+ "citation_status": "pending_span_anchor",
+ "scope": "worked examples: SBOM + Vulnerability Handling",
+ "procedures": [
+  {
+   "procedure_id": "sbom_generation_process",
+   "name": "SBOM-Erstellungsprozess",
+   "description": "Erzeugen einer vollstaendigen, maschinenlesbaren Software Bill of Materials fuer ein Produkt mit digitalen Elementen.",
+   "source_role": "procedural_requirement",
+   "fulfills_obligations": ["sbom_creation", "sbom_dependency_coverage", "sbom_format_standard", "sbom_tooling_automation"],
+   "steps": [
+    "Komponenten und (direkte + transitive) Abhaengigkeiten inventarisieren",
+    "SBOM automatisiert in der Build-/Toolchain generieren",
+    "Komponenten, Versionen, Lizenzen und Lieferanten erfassen",
+    "in anerkanntem maschinenlesbarem Format (CycloneDX/SPDX) ausgeben",
+    "Format- und Schemavalidierung durchfuehren"
+   ],
+   "controls": [
+    "SBOM-Datei vorhanden",
+    "Format ist maschinenlesbar und standardkonform (CycloneDX/SPDX)",
+    "direkte und transitive Abhaengigkeiten enthalten"
+   ],
+   "evidence": ["sbom.cyclonedx.json", "Format-Validierungs-Log", "Build-/Toolchain-Konfiguration"],
+   "citation_spans": [], "citation_status": "pending_span_anchor"
+  },
+  {
+   "procedure_id": "sbom_update_process",
+   "name": "SBOM-Aktualisierungsprozess",
+   "description": "Halten der SBOM aktuell ueber den Produktlebenszyklus bei Komponenten-, Versions- und Patch-Aenderungen.",
+   "source_role": "procedural_requirement",
+   "fulfills_obligations": ["sbom_maintenance_update"],
+   "steps": [
+    "Komponentenaenderung erkennen (Dependency-/Patch-/Versionsaenderung)",
+    "SBOM neu generieren",
+    "Lieferanten-SBOMs aktualisieren",
+    "neue SBOM-Version speichern",
+    "SBOM in Release-Artefakte uebernehmen"
+   ],
+   "controls": [
+    "CI prueft SBOM vorhanden",
+    "SBOM-Version passt zum Release",
+    "Supplier-Komponenten enthalten"
+   ],
+   "evidence": ["sbom.json", "CI-Log", "Release-Artefakt", "Supplier-SBOM"],
+   "citation_spans": [], "citation_status": "pending_span_anchor"
+  },
+  {
+   "procedure_id": "sbom_supplier_integration_process",
+   "name": "Lieferanten-SBOM-Integration",
+   "description": "Beschaffen und Einarbeiten von Lieferanten-/Drittkomponenten-SBOMs in die Produkt-SBOM.",
+   "source_role": "procedural_requirement",
+   "fulfills_obligations": ["sbom_supply_chain_contracts", "sbom_dependency_coverage"],
+   "steps": [
+    "SBOM-Anforderung in Lieferantenvertraege aufnehmen",
+    "Lieferanten-SBOMs einsammeln",
+    "in die Produkt-SBOM mergen",
+    "Drittkomponenten und deren Abhaengigkeiten nachverfolgen"
+   ],
+   "controls": [
+    "vertragliche SBOM-Klausel vorhanden",
+    "Lieferanten-SBOMs eingegangen",
+    "Drittkomponenten in der SBOM gelistet"
+   ],
+   "evidence": ["Lieferantenvertrag-Klausel", "eingegangene Supplier-SBOMs", "gemergte SBOM"],
+   "citation_spans": [], "citation_status": "pending_span_anchor"
+  },
+  {
+   "procedure_id": "sbom_provision_process",
+   "name": "SBOM-Bereitstellungsprozess",
+   "description": "Zugaenglichmachen der SBOM fuer berechtigte Parteien (Nutzer, Behoerde) unter Wahrung der Vertraulichkeit.",
+   "source_role": "procedural_requirement",
+   "fulfills_obligations": ["sbom_access_provision", "sbom_authority_provision", "sbom_confidentiality"],
+   "steps": [
+    "Zugangskanal definieren (Portal/API/dokumentierter Pfad)",
+    "Nutzer ueber den Zugangsweg informieren",
+    "auf begruendetes Verlangen der Marktueberwachungsbehoerde vertraulich bereitstellen",
+    "Zugriffskontrolle und Vertraulichkeitsmassnahmen anwenden"
+   ],
+   "controls": [
+    "Zugangspfad dokumentiert",
+    "Zugriffskontrolle/Vertraulichkeit umgesetzt",
+    "Behoerden-Bereitstellungsprozess definiert"
+   ],
+   "evidence": ["Zugangskanal-Dokumentation", "Behoerden-Anfrage-Log", "Zugriffskontroll-Konfiguration"],
+   "citation_spans": [], "citation_status": "pending_span_anchor"
+  },
+  {
+   "procedure_id": "sbom_conformity_documentation_process",
+   "name": "SBOM in technischer Dokumentation/Konformitaet",
+   "description": "Aufnehmen der SBOM in die technische Dokumentation und Verifizieren der Vollstaendigkeit fuer die Konformitaetsbewertung.",
+   "source_role": "procedural_requirement",
+   "fulfills_obligations": ["sbom_technical_documentation", "sbom_completeness_verification"],
+   "steps": [
+    "SBOM in die technische Dokumentation aufnehmen",
+    "Vollstaendigkeit gegen die real eingesetzte Softwarekomposition pruefen",
+    "der Konformitaetsbewertung beilegen (ggf. EUCC)"
+   ],
+   "controls": [
+    "SBOM Teil der technischen Dokumentation",
+    "Vollstaendigkeit verifiziert",
+    "Konformitaetsnachweis vorhanden"
+   ],
+   "evidence": ["technische Dokumentation", "Vollstaendigkeits-Pruefbericht", "Konformitaetsnachweis"],
+   "citation_spans": [], "citation_status": "pending_span_anchor"
+  },
+
+  {
+   "procedure_id": "vuln_handling_process_setup",
+   "name": "Schwachstellenbehandlungsprozess einrichten",
+   "description": "Dokumentierten Prozess und Meldekanal (CVD) fuer die Schwachstellenbehandlung etablieren.",
+   "source_role": "procedural_requirement",
+   "fulfills_obligations": ["vuln_handling_process"],
+   "steps": [
+    "dokumentierten Schwachstellenbehandlungsprozess definieren",
+    "Coordinated-Vulnerability-Disclosure-Richtlinie und Meldekanal veroeffentlichen",
+    "eingehende Meldungen triagieren"
+   ],
+   "controls": [
+    "Behandlungsprozess dokumentiert",
+    "Meldekanal/Kontaktstelle auffindbar (z.B. security.txt)",
+    "Triage-Verfahren vorhanden"
+   ],
+   "evidence": ["Prozessdokument", "security.txt / Kontaktstelle", "Triage-Log"],
+   "citation_spans": [], "citation_status": "pending_span_anchor"
+  },
+  {
+   "procedure_id": "vuln_identification_process",
+   "name": "Schwachstellen-Identifikation",
+   "description": "Bekannte Schwachstellen in eingesetzten Komponenten erkennen und inventarisieren.",
+   "source_role": "procedural_requirement",
+   "fulfills_obligations": ["vuln_identification_inventory"],
+   "steps": [
+    "Advisories/CVE-Feeds beobachten",
+    "gegen die SBOM-Komponenten abgleichen",
+    "Schwachstellen-Inventar pflegen"
+   ],
+   "controls": [
+    "Advisory-/CVE-Monitoring aktiv",
+    "SBOM-zu-CVE-Abgleich durchgefuehrt",
+    "Schwachstellen-Inventar gepflegt"
+   ],
+   "evidence": ["CVE-Abgleich-Report", "Schwachstellen-Register"],
+   "citation_spans": [], "citation_status": "pending_span_anchor"
+  },
+  {
+   "procedure_id": "vuln_assessment_process",
+   "name": "Schwachstellen-Bewertung/Priorisierung",
+   "description": "Identifizierte Schwachstellen nach Schweregrad, Ausnutzbarkeit und Exposition bewerten und priorisieren.",
+   "source_role": "procedural_requirement",
+   "fulfills_obligations": ["vuln_assessment_prioritization"],
+   "steps": [
+    "Schweregrad bewerten (z.B. CVSS)",
+    "Ausnutzbarkeit/Exposition einschaetzen",
+    "risikobasiert priorisieren"
+   ],
+   "controls": [
+    "Schweregrad standardisiert bewertet",
+    "risikobasierte Priorisierung vorhanden"
+   ],
+   "evidence": ["Bewertungsdatensatz (CVSS)", "Prioritaetenliste"],
+   "citation_spans": [], "citation_status": "pending_span_anchor"
+  },
+  {
+   "procedure_id": "vuln_remediation_process",
+   "name": "Schwachstellen-Behebung",
+   "description": "Bekannte Schwachstellen fristgerecht durch Patches/Gegenmassnahmen beheben und Sicherheitsupdates bereitstellen.",
+   "source_role": "procedural_requirement",
+   "fulfills_obligations": ["vuln_remediation_patching"],
+   "steps": [
+    "Fix/Gegenmassnahme entwickeln",
+    "testen",
+    "Sicherheitsupdate kostenfrei und zeitnah bereitstellen",
+    "bis zum Abschluss nachverfolgen"
+   ],
+   "controls": [
+    "zeitnahe Behebung",
+    "Sicherheitsupdate bereitgestellt",
+    "Follow-up bis Closure"
+   ],
+   "evidence": ["Patch/Release", "Behebungs-Zeitleiste", "Follow-up-Log"],
+   "citation_spans": [], "citation_status": "pending_span_anchor"
+  },
+  {
+   "procedure_id": "vuln_disclosure_process",
+   "name": "Offenlegung + Nutzerinformation",
+   "description": "Koordinierte Offenlegung behobener Schwachstellen und Information der Nutzer ueber Schutzmassnahmen.",
+   "source_role": "procedural_requirement",
+   "fulfills_obligations": ["coordinated_vulnerability_disclosure", "vuln_info_dissemination_users"],
+   "steps": [
+    "Offenlegungszeitpunkt koordinieren",
+    "Security Advisory / CVE-Eintrag veroeffentlichen",
+    "Nutzer ueber behobene Schwachstelle und Schutzmassnahmen informieren"
+   ],
+   "controls": [
+    "Advisory veroeffentlicht",
+    "Nutzer informiert"
+   ],
+   "evidence": ["Security Advisory", "CVE-Eintrag", "Nutzer-Benachrichtigung"],
+   "citation_spans": [], "citation_status": "pending_span_anchor"
+  },
+  {
+   "procedure_id": "vuln_authority_reporting_process",
+   "name": "Behoerdenmeldung aktiv ausgenutzter Schwachstellen",
+   "description": "Aktiv ausgenutzte Schwachstellen fristgerecht an CSIRT/ENISA melden (CRA Art. 14-Kaskade).",
+   "source_role": "procedural_requirement",
+   "fulfills_obligations": ["exploited_vuln_reporting_authorities"],
+   "applicability_note": "bedingt: nur bei aktiv ausgenutzter Schwachstelle",
+   "steps": [
+    "aktive Ausnutzung erkennen",
+    "Fruehwarnung an CSIRT/ENISA (24h)",
+    "vollstaendige Meldung (72h)",
+    "Abschlussbericht (14 Tage)"
+   ],
+   "controls": [
+    "24h-Fruehwarnung erfolgt",
+    "72h-Meldung erfolgt",
+    "14d-Abschlussbericht erfolgt"
+   ],
+   "evidence": ["CSIRT/ENISA-Meldungsbelege", "Zeitstempel der Kaskade"],
+   "citation_spans": [], "citation_status": "pending_span_anchor"
+  }
+ ]
+}

obligations/obligation_join_keys.json

@@ -0,0 +1,587 @@
+{
+ "schema_version": "obligation_join_keys_v1",
+ "contract": "obligation_id ist der stabile Join-Key. Legal Knowledge Graph haengt citation_spans an obligation_id; Compliance Execution Graph mappt control_mapping.source_norm -> obligation_id. Interim-Bruecke = citation_units. obligation_id NIE neu vergeben (re-link).",
+ "count": 66,
+ "obligation_ids": [
+  {
+   "obligation_id": "sbom_creation",
+   "regulation": "CRA",
+   "family": "sbom",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I Part II (1)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "sbom_dependency_coverage",
+   "regulation": "CRA",
+   "family": "sbom",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Art. 3(36) i.V.m. Annex I Part II (1)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "sbom_format_standard",
+   "regulation": "CRA",
+   "family": "sbom",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I Part II (1)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "sbom_maintenance_update",
+   "regulation": "CRA",
+   "family": "sbom",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I Part II (1)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "sbom_completeness_verification",
+   "regulation": "CRA",
+   "family": "sbom",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "sbom_tooling_automation",
+   "regulation": "CRA",
+   "family": "sbom",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "IMPLEMENTATION"
+  },
+  {
+   "obligation_id": "sbom_access_provision",
+   "regulation": "CRA",
+   "family": "sbom",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "sbom_authority_provision",
+   "regulation": "CRA",
+   "family": "sbom",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Art. 31 / Annex I Part II (1)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "sbom_confidentiality",
+   "regulation": "CRA",
+   "family": "sbom",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Art. 31(4)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "sbom_supply_chain_contracts",
+   "regulation": "CRA",
+   "family": "sbom",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "sbom_technical_documentation",
+   "regulation": "CRA",
+   "family": "sbom",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Art. 31 i.V.m. Annex VII"
+   ],
+   "source_role": "EVIDENCE"
+  },
+  {
+   "obligation_id": "vuln_identification_inventory",
+   "regulation": "CRA",
+   "family": "vuln",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I Part II (1)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "vuln_assessment_prioritization",
+   "regulation": "CRA",
+   "family": "vuln",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I Part II (1)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "vuln_remediation_patching",
+   "regulation": "CRA",
+   "family": "vuln",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I Part II (2) & (8)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "vuln_handling_process",
+   "regulation": "CRA",
+   "family": "vuln",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Article 13(8) & Annex VII"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "coordinated_vulnerability_disclosure",
+   "regulation": "CRA",
+   "family": "vuln",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I Part II (5)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "exploited_vuln_reporting_authorities",
+   "regulation": "CRA",
+   "family": "vuln",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Article 14 & Article 16"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "vuln_info_dissemination_users",
+   "regulation": "CRA",
+   "family": "vuln",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I Part II (4) & (6)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "user_authentication_required",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I (2)(d)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "authentication_policy_documented",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "auth_exceptions_documented",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "mfa_required",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "step_up_authentication",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "privileged_op_reauth",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "strong_crypto_authentication",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I (2)(e)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "credential_lifecycle_management",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "credential_confidentiality_protection",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I (2)(e)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "password_policy",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "no_default_credentials",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I (2)(a)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "account_lockout_failed_attempts",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "server_side_validation",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "session_binding_management",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "reauth_after_inactivity",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "token_validation_lifecycle",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "mutual_authentication",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "revocation_check",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "encrypted_auth_channel",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I (2)(e)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "tls_certificate_auth",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "service_to_service_auth",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "auth_key_management",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "biometric_authentication",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "federated_auth_assertions",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "separate_authn_authz",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "remote_access_authentication",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "supplier_access_auth",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "personal_admin_accounts",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "firmware_software_authentication",
+   "regulation": "CRA",
+   "family": "authentication",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I (2)(c)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "event_logging_security_events",
+   "regulation": "CRA",
+   "family": "logging",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I Part I (2)(k)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "access_control_event_logging",
+   "regulation": "CRA",
+   "family": "logging",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I Part I (2)(k)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "audit_trail_admin_actions",
+   "regulation": "CRA",
+   "family": "logging",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I Part I (2)(k)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "log_integrity_immutability",
+   "regulation": "CRA",
+   "family": "logging",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I Part I (2)(k)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "log_access_control_protection",
+   "regulation": "CRA",
+   "family": "logging",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I Part I (2)(k)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "log_retention_archival",
+   "regulation": "CRA",
+   "family": "logging",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "centralized_log_management",
+   "regulation": "CRA",
+   "family": "logging",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "log_monitoring_alerting",
+   "regulation": "CRA",
+   "family": "logging",
+   "tier": "LEGAL_MINIMUM",
+   "citation_units": [
+    "Annex I Part I (2)(k)"
+   ],
+   "source_role": "LEGAL_BASIS"
+  },
+  {
+   "obligation_id": "log_data_minimization_privacy",
+   "regulation": "CRA",
+   "family": "logging",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "log_format_standardization",
+   "regulation": "CRA",
+   "family": "logging",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "log_timestamp_synchronization",
+   "regulation": "CRA",
+   "family": "logging",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "logging_availability_resilience",
+   "regulation": "CRA",
+   "family": "logging",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "logging_thread_safety_correctness",
+   "regulation": "CRA",
+   "family": "logging",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "IMPLEMENTATION"
+  },
+  {
+   "obligation_id": "logging_library_supply_chain",
+   "regulation": "CRA",
+   "family": "logging",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "logging_config_management",
+   "regulation": "CRA",
+   "family": "logging",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "logging_governance_roles",
+   "regulation": "CRA",
+   "family": "logging",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "incident_response_logging",
+   "regulation": "CRA",
+   "family": "logging",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "log_transmission_security",
+   "regulation": "CRA",
+   "family": "logging",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  },
+  {
+   "obligation_id": "network_traffic_logging",
+   "regulation": "CRA",
+   "family": "logging",
+   "tier": "BEST_PRACTICE",
+   "citation_units": [],
+   "source_role": "GUIDANCE"
+  }
+ ]
+}

scripts/obligation_discovery/advisor_proof.py

@@ -0,0 +1,90 @@
+"""P3 — Compliance-Advisor-Proof: obligation-basierte Antwort als vollstaendige
+BEGRUENDUNGSKETTE aus der Registry (NICHT RAG-Text, KEIN LLM):
+  Rechtsgrundlage -> Obligation -> Procedure -> Controls -> Evidence -> Antwort.
+Deterministisch + zitierfaehig. Der Unterschied zu RAG: RAG beantwortet — BreakPilot
+begruendet UND operationalisiert.
+
+  python3 scripts/obligation_discovery/advisor_proof.py --registry obligations/cra.json \
+      --procedures obligations/cra_procedures.json --topic sbom --has-digital-elements
+"""
+from __future__ import annotations
+
+import argparse
+import json
+
+
+def applies(obl: dict, has_digital: bool) -> tuple[bool, str]:
+    a = obl.get("applicability", "universal")
+    if a == "universal":
+        return True, ""
+    if a.startswith("domain:products_with_digital_elements"):
+        return has_digital, "nur fuer Produkte mit digitalen Elementen (CRA Art. 3)"
+    if a.startswith("domain:"):
+        return True, a.split(":", 1)[1]
+    if a.startswith("conditional:"):
+        return True, f"bedingt: {a.split(':',1)[1]}"
+    return True, ""
+
+
+def main() -> None:
+    ap = argparse.ArgumentParser()
+    ap.add_argument("--registry", required=True)
+    ap.add_argument("--procedures", required=True)
+    ap.add_argument("--topic", default="sbom")
+    ap.add_argument("--has-digital-elements", action="store_true")
+    ap.add_argument("--question", default="Muss ich als Maschinenbauer eine SBOM bereitstellen?")
+    a = ap.parse_args()
+    reg = json.load(open(a.registry, encoding="utf-8"))
+    procs = json.load(open(a.procedures, encoding="utf-8"))["procedures"]
+
+    obls = [o for o in reg["obligations"]
+            if a.topic in o.get("family", "") or a.topic in o["id"]]
+    ids = {o["id"] for o in obls}
+    by_obl: dict[str, list] = {}
+    for p in procs:
+        for oid in p.get("fulfills_obligations", []):
+            by_obl.setdefault(oid, []).append(p)
+
+    pflicht = [o for o in obls if o["tier"] == "LEGAL_MINIMUM" and applies(o, a.has_digital_elements)[0]]
+    best = [o for o in obls if o["tier"] != "LEGAL_MINIMUM"]
+
+    print(f"FRAGE: {a.question}")
+    print(f"\nANTWORT: {'JA' if pflicht and a.has_digital_elements else 'NUR WENN CRA-anwendbar'} — "
+          f"sofern das Produkt unter den CRA faellt (product with digital elements, Art. 3).")
+    print("\n══ BEGRUENDUNGSKETTE (Recht → Obligation → Procedure → Controls → Evidence) ══")
+
+    req_evidence: list[str] = []
+    for o in pflicht:
+        lb = "; ".join(f"{b.get('source','')} {b.get('anchor','')}".strip() for b in o.get("legal_basis", []))
+        print(f"\n● PFLICHT: {o['id']} — {o.get('description','')[:80]}")
+        print(f"    Rechtsgrundlage: {lb or '—'}")
+        ps = by_obl.get(o["id"], [])
+        for p in ps:
+            print(f"    Procedure (wie umgesetzt): {p['procedure_id']} — Schritte: {len(p.get('steps',[]))}")
+            print(f"        Controls (Pruefung): {' · '.join(p.get('controls', []))[:96]}")
+            print(f"        Nachweis: {' · '.join(p.get('evidence', []))}")
+            req_evidence += p.get("evidence", [])
+        if not ps:
+            print("    Procedure: (noch keine modelliert)")
+
+    print("\n── REQUIRED EVIDENCE (aggregiert, womit wird es nachgewiesen) ──")
+    print("   " + " · ".join(dict.fromkeys(req_evidence)) if req_evidence else "   —")
+
+    print("\n── BEST PRACTICE (anerkannte Umsetzung, KEINE CRA-Wortlautpflicht) ──")
+    for o in best:
+        gb = "; ".join(b.get("source", "") for b in o.get("guidance_basis", []))
+        print(f"   • {o['id']} — {o.get('description','')[:64]}  | Guidance: {gb or '—'}")
+
+    print("\n── BEZIEHUNG (warum es zaehlt) ──")
+    for r in reg.get("relationships", []):
+        if r.get("from") in ids and r.get("to") not in ids:
+            print(f"   • {r['from']} --{r['type']}--> {r['to']}: {r.get('note','')[:64]}")
+
+    pend = sum(1 for o in pflicht if o.get("citation_status") == "pending_span_anchor")
+    print(f"\n── CITATION ──\n   {pend}/{len(pflicht)} Pflichten: pending_span_anchor "
+          f"(Textstellen-Anker folgen mit dem zitierfaehigen Re-Ingest)")
+    print("\n(RAG beantwortet — BreakPilot begruendet UND operationalisiert.)")
+
+
+if __name__ == "__main__":
+    main()

scripts/obligation_discovery/export_join_keys.py

@@ -0,0 +1,52 @@
+"""Exportiert den OBLIGATION_ID-Join-Key-Vertrag aus den Registry-Artefakten.
+Die obligation_id ist der stabile Brueckenschluessel zwischen Legal Knowledge Graph
+(citation_spans haengen an obligation_id) und Compliance Execution Graph
+(control_mapping.source_norm -> obligation_id). citation_units = die legal_basis-Anker,
+ueber die beide Seiten heute (vor obligation_id-Adoption) bruecken koennen.
+
+DISZIPLIN: obligation_id wird RE-GELINKT, NIE neu vergeben (Pendant zu span_id/control_uuid).
+
+  python3 scripts/obligation_discovery/export_join_keys.py obligations/cra.json obligations/cra_authentication.json
+"""
+from __future__ import annotations
+
+import argparse
+import json
+
+
+def main() -> None:
+    ap = argparse.ArgumentParser()
+    ap.add_argument("registries", nargs="+")
+    ap.add_argument("--out", default="obligations/obligation_join_keys.json")
+    a = ap.parse_args()
+    keys = []
+    for path in a.registries:
+        reg = json.load(open(path, encoding="utf-8"))
+        for o in reg.get("obligations", []):
+            citation_units = [b.get("anchor", "") for b in o.get("legal_basis", []) if b.get("anchor")]
+            keys.append({
+                "obligation_id": o["id"],
+                "regulation": reg.get("regulation", ""),
+                "family": o.get("family", ""),
+                "tier": o.get("tier", ""),
+                "citation_units": citation_units,
+                "source_role": o.get("source_role", ""),
+            })
+    out = {
+        "schema_version": "obligation_join_keys_v1",
+        "contract": "obligation_id ist der stabile Join-Key. Legal Knowledge Graph haengt "
+                    "citation_spans an obligation_id; Compliance Execution Graph mappt "
+                    "control_mapping.source_norm -> obligation_id. Interim-Bruecke = citation_units. "
+                    "obligation_id NIE neu vergeben (re-link).",
+        "count": len(keys),
+        "obligation_ids": keys,
+    }
+    json.dump(out, open(a.out, "w", encoding="utf-8"), ensure_ascii=False, indent=1)
+    from collections import Counter
+    print(f"exportiert: {a.out}  ({len(keys)} obligation_ids)")
+    print("Regulierungen:", dict(Counter(k["regulation"] for k in keys)))
+    print("Familien:", dict(Counter(k["family"] for k in keys)))
+
+
+if __name__ == "__main__":
+    main()

scripts/obligation_discovery/precluster.py

@@ -19,6 +19,9 @@ SCOPES = {
     "vuln": ["%schwachstellenbehandl%", "%schwachstellenmanagement%", "%vulnerability handling%",
              "%coordinated vulnerab%", "%vulnerability disclosure%", "%cvd-konzept%"],
     "auth": ["%authentisierung%", "%authentifizierung%", "%authentication%"],
+    "logging": ["%logging%", "%protokollierung%", "%audit-log%", "%audit-trail%",
+                "%ereignisprotokoll%", "%sicherheitsprotokoll%", "%audit-protokoll%",
+                "%log-management%", "%sicherheitsereignis%protokoll%", "%audit-trail%"],
 }