feat(dsms): tech-file DSMS archive now logs CID into IACE audit trail

Before: archiveTechFile called dsms.Archive() and discarded the result. The
file was archived to IPFS but no audit-trail entry was written, so there
was no way to later prove "this CE-Akte export went to DSMS with CID X".

After:
- archiveTechFile is now a method on IACEHandler with access to store + gin
  context, and captures the CID from dsms.Archive().
- Writes an AuditAction "tech_file_export" audit entry whose new_values
  JSON carries {cid, filename, size}, mirroring the Python evidence-upload
  pattern.
- Applies to PDF, XLSX, DOCX, and Markdown exports.

Plus dsms package gets 3 unit tests pinning the contract: success-CID
extraction, gateway-unreachable returns nil, 500-response returns nil.

This closes DSMS Stufe 2 (evidence side was already wired; tech-file side
was missing the audit hook). Stufe 3 next: version chains + delta view.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

ai-compliance-sdk/internal/api/handlers/iace_handler_techfile.go

@@ -1,6 +1,7 @@
 package handlers
 
 import (
+	"encoding/json"
 	"fmt"
 	"net/http"
 	"strings"
@@ -412,7 +413,7 @@ func (h *IACEHandler) ExportTechFile(c *gin.Context) {
 			c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("PDF export failed: %v", err)})
 			return
 		}
-		archiveTechFile(data, fmt.Sprintf("CE-Akte-%s.pdf", safeName), projectID.String())
+		h.archiveTechFile(c, data, fmt.Sprintf("CE-Akte-%s.pdf", safeName), projectID)
 		c.Header("Content-Disposition", fmt.Sprintf(`attachment; filename="CE-Akte-%s.pdf"`, safeName))
 		c.Data(http.StatusOK, "application/pdf", data)
 
@@ -422,7 +423,7 @@ func (h *IACEHandler) ExportTechFile(c *gin.Context) {
 			c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("Excel export failed: %v", err)})
 			return
 		}
-		archiveTechFile(data, fmt.Sprintf("CE-Akte-%s.xlsx", safeName), projectID.String())
+		h.archiveTechFile(c, data, fmt.Sprintf("CE-Akte-%s.xlsx", safeName), projectID)
 		c.Header("Content-Disposition", fmt.Sprintf(`attachment; filename="CE-Akte-%s.xlsx"`, safeName))
 		c.Data(http.StatusOK, "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", data)
 
@@ -432,7 +433,7 @@ func (h *IACEHandler) ExportTechFile(c *gin.Context) {
 			c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("DOCX export failed: %v", err)})
 			return
 		}
-		archiveTechFile(data, fmt.Sprintf("CE-Akte-%s.docx", safeName), projectID.String())
+		h.archiveTechFile(c, data, fmt.Sprintf("CE-Akte-%s.docx", safeName), projectID)
 		c.Header("Content-Disposition", fmt.Sprintf(`attachment; filename="CE-Akte-%s.docx"`, safeName))
 		c.Data(http.StatusOK, "application/vnd.openxmlformats-officedocument.wordprocessingml.document", data)
 
@@ -442,7 +443,7 @@ func (h *IACEHandler) ExportTechFile(c *gin.Context) {
 			c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("Markdown export failed: %v", err)})
 			return
 		}
-		archiveTechFile(data, fmt.Sprintf("CE-Akte-%s.md", safeName), projectID.String())
+		h.archiveTechFile(c, data, fmt.Sprintf("CE-Akte-%s.md", safeName), projectID)
 		c.Header("Content-Disposition", fmt.Sprintf(`attachment; filename="CE-Akte-%s.md"`, safeName))
 		c.Data(http.StatusOK, "text/markdown", data)
 
@@ -468,7 +469,30 @@ func (h *IACEHandler) ExportTechFile(c *gin.Context) {
 	}
 }
 
-// archiveTechFile stores a tech-file export to DSMS (best-effort, non-blocking).
-func archiveTechFile(data []byte, filename, projectID string) {
-	dsms.Archive(data, filename, "ce_techfile", projectID, "1")
+// archiveTechFile stores a tech-file export to DSMS (best-effort, non-blocking)
+// AND records the resulting CID in the IACE audit trail so the export is
+// traceable. The "new_values" JSON carries the CID + filename so the audit
+// timeline can later resolve the CID against the DSMS gateway for verify.
+func (h *IACEHandler) archiveTechFile(c *gin.Context, data []byte, filename string, projectID uuid.UUID) {
+	result := dsms.Archive(data, filename, "ce_techfile", projectID.String(), "1")
+	if result == nil || result.CID == "" {
+		return
+	}
+	payload := map[string]string{
+		"cid":      result.CID,
+		"filename": filename,
+		"size":     fmt.Sprintf("%d", result.Size),
+	}
+	newValues, _ := json.Marshal(payload)
+	userID := rbac.GetUserID(c)
+	_ = h.store.AddAuditEntry(
+		c.Request.Context(),
+		projectID,
+		"tech_file_export",
+		projectID,
+		iace.AuditActionCreate,
+		userID.String(),
+		nil,
+		newValues,
+	)
 }

ai-compliance-sdk/internal/dsms/client_test.go

@@ -0,0 +1,74 @@
+package dsms
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+)
+
+func TestArchive_Success_ReturnsCID(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != "POST" || r.URL.Path != "/api/v1/documents" {
+			http.Error(w, "wrong route", http.StatusNotFound)
+			return
+		}
+		if !strings.HasPrefix(r.Header.Get("Content-Type"), "multipart/form-data") {
+			http.Error(w, "wrong content-type", http.StatusBadRequest)
+			return
+		}
+		if r.Header.Get("Authorization") == "" {
+			http.Error(w, "missing auth", http.StatusUnauthorized)
+			return
+		}
+		io.ReadAll(r.Body)
+		w.Header().Set("Content-Type", "application/json")
+		_ = json.NewEncoder(w).Encode(ArchiveResult{
+			CID:        "bafytest123",
+			Size:       42,
+			GatewayURL: "/ipfs/bafytest123",
+		})
+	}))
+	defer server.Close()
+	old := gatewayURL
+	defer func() { gatewayURL = old }()
+	gatewayURL = server.URL
+
+	got := Archive([]byte("hello"), "test.pdf", "ce_techfile", "proj-1", "1")
+	if got == nil {
+		t.Fatal("expected non-nil result on 200 OK")
+	}
+	if got.CID != "bafytest123" {
+		t.Errorf("expected CID bafytest123, got %q", got.CID)
+	}
+	if got.Size != 42 {
+		t.Errorf("expected Size 42, got %d", got.Size)
+	}
+}
+
+func TestArchive_GatewayDown_ReturnsNil(t *testing.T) {
+	old := gatewayURL
+	defer func() { gatewayURL = old }()
+	gatewayURL = "http://127.0.0.1:1" // unreachable
+	got := Archive([]byte("hello"), "test.pdf", "ce_techfile", "proj-1", "1")
+	if got != nil {
+		t.Errorf("expected nil when gateway unreachable, got %+v", got)
+	}
+}
+
+func TestArchive_GatewayReturnsError_ReturnsNil(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.Error(w, "internal error", http.StatusInternalServerError)
+	}))
+	defer server.Close()
+	old := gatewayURL
+	defer func() { gatewayURL = old }()
+	gatewayURL = server.URL
+
+	got := Archive([]byte("hello"), "test.pdf", "ce_techfile", "proj-1", "1")
+	if got != nil {
+		t.Errorf("expected nil on 500 response, got %+v", got)
+	}
+}