Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
37c9b8e7736f3b3dd8533cc7a29ff322bd818f7b
breakpilot-compliance/obligations/capabilities.json
T
Benjamin Admin 2063615d37 feat: Capability Registry v1 API-Vertrag (#59) + Ownership-Modell finalisiert 
#59 (geschaerft, User): capabilities.json -> capability_registry_v1 (contract_version 1.0):
stabile `cap.*`-IDs (NIE umbenennen) + 5 Vertragsfelder (description/guidance_basis/
realizes_obligations/required_procedures/evidence_patterns), PRODUKTNEUTRAL (keine Features).
= stabiler API-Vertrag fuer die Product->Compliance-Schnittstelle (Feature->Capability,
Session 3 mappt read-only dagegen).
session_ownership_model_v1.md RESOLVED: Legal-Owner = Re-Ingest-Session (vergibt KEINE
obligation_id, nur citation_span->legal_basis) · 4. Session -> Quality & Validation (nur
Tests, KEINE Daten) · Compliance 2 Branches DAUERHAFT (A=Build, B=Runtime). 4-Bibliotheken-
Zielbild (Legal/Product/Capability/Evidence).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-26 10:35:49 +02:00

289 lines
6.9 KiB
JSON
Raw Blame History

{
"schema_version": "capability_registry_v1",
"contract_version": "1.0",
"status": "stable_api_contract",
"note": "PRODUKTNEUTRALER Vertrag zwischen Product Knowledge Graph (Domaene 3, Feature->Capability) und Compliance Execution Graph (Domaene 2). Stabile cap.*-IDs NIE umbenennen. KEINE Business-Features hier (die besitzt die Product-Session). Siehe docs-src/development/session_ownership_model_v1.md + compliance_meta_model_v1.md (Freeze v1.0).",
"id_namespace": "cap.",
"contract_fields": [
"id",
"name",
"description",
"guidance_basis",
"realizes_obligations",
"required_procedures",
"evidence_patterns",
"domains"
],
"dropped": {
"access_control": "OVERLAP (credential_confidentiality <-> sbom_confidentiality), nicht materialisiert"
},
"candidate_capabilities_followup": [
"automatic_update_delivery",
"update_rollback",
"trusted_update_source",
"hash_verification",
"secure_boot",
"least_functionality",
"credential_storage"
],
"capabilities": [
{
"id": "cap.multi_factor_authentication",
"slug": "multi_factor_authentication",
"name": "Multi-Factor Authentication",
"description": "Mehrfaktor-Authentisierung als technische Faehigkeit (Besitz/Wissen/Inhaerenz).",
"guidance_basis": [
{
"source": "NIST",
"anchor": "SP 800-63B",
"role": "best_practice"
},
{
"source": "Out-of-Band-Authentifizierung",
"anchor": "",
"role": "implementation_guidance",
"merged_from": "out_of_band_authentication"
},
{
"source": "Hardware-basierte Authentifizierung (AAL3)",
"anchor": "",
"role": "implementation_guidance",
"merged_from": "hardware_authenticators"
},
{
"source": "E-Mail-Authentifizierungsmechanismen (SPF/DKIM/DMARC)",
"anchor": "",
"role": "implementation_guidance",
"merged_from": "email_authentication"
},
{
"source": "NIST",
"anchor": "IA-02",
"role": "best_practice"
},
{
"source": "NIST",
"anchor": "IA-02(1)",
"role": "best_practice"
},
{
"source": "NIST",
"anchor": "AC-17",
"role": "best_practice"
},
{
"source": "NIST",
"anchor": "SP 800-53 IA-2",
"role": "best_practice"
},
{
"source": "BSI",
"anchor": "ICS Security Kompendium",
"role": "best_practice"
},
{
"source": "ISO",
"anchor": "ISO 27001 A.5.19",
"role": "best_practice"
}
],
"realizes_obligations": [
"mfa_required",
"privileged_op_reauth",
"remote_access_authentication",
"remote_access_mfa",
"remote_access_user_validation_ot",
"supplier_access_auth"
],
"required_procedures": [],
"evidence_patterns": [
"iam_config_export",
"mfa_policy_export",
"auth_audit_log"
],
"domains": [
"authentication",
"remote_access"
],
"provenance": {
"source": "cross_domain_relationships.json SHARED_CAPABILITY"
}
},
{
"id": "cap.session_management",
"slug": "session_management",
"name": "Session Management",
"description": "Sichere Sitzungsverwaltung: Timeouts, Bindung, Re-Auth, Beendigung.",
"guidance_basis": [
{
"source": "NIST",
"anchor": "SP 800-63B 4.3",
"role": "best_practice"
},
{
"source": "NIST",
"anchor": "SP 800-53 AC-12",
"role": "best_practice"
},
{
"source": "OWASP",
"anchor": "ASVS V3",
"role": "best_practice"
},
{
"source": "NIST",
"anchor": "AC-2(5)",
"role": "best_practice"
}
],
"realizes_obligations": [
"reauth_after_inactivity",
"remote_session_management",
"session_binding_management",
"temporary_remote_access_mgmt"
],
"required_procedures": [],
"evidence_patterns": [
"session_config_export",
"timeout_policy_export"
],
"domains": [
"authentication",
"remote_access"
],
"provenance": {
"source": "cross_domain_relationships.json SHARED_CAPABILITY"
}
},
{
"id": "cap.transport_encryption",
"slug": "transport_encryption",
"name": "Transport Encryption",
"description": "Verschluesselter Transport (TLS, mutual-TLS, Zertifikats-Auth, VPN/Tunnel).",
"guidance_basis": [
{
"source": "BSI",
"anchor": "TR-02102-2",
"role": "best_practice"
},
{
"source": "NIST",
"anchor": "IA-03",
"role": "best_practice"
},
{
"source": "NIST",
"anchor": "SC-8",
"role": "best_practice"
},
{
"source": "BSI",
"anchor": "IT-Grundschutz NET.3.3",
"role": "best_practice"
},
{
"source": "OWASP",
"anchor": "API Security Top 10",
"role": "best_practice"
},
{
"source": "NIST",
"anchor": "IA-05(2)",
"role": "best_practice"
}
],
"realizes_obligations": [
"encrypted_auth_channel",
"mutual_authentication",
"reject_insecure_remote_protocols",
"remote_access_confidentiality_integrity",
"remote_access_encryption",
"service_to_service_auth",
"tls_certificate_auth"
],
"required_procedures": [],
"evidence_patterns": [
"tls_config_export",
"cipher_scan",
"cert_inventory"
],
"domains": [
"authentication",
"remote_access"
],
"provenance": {
"source": "cross_domain_relationships.json SHARED_CAPABILITY"
}
},
{
"id": "cap.code_signing",
"slug": "code_signing",
"name": "Code & Update Signing",
"description": "Digitale Signatur + Integritaets-/Authentizitaetspruefung von Firmware/Software/Updates.",
"guidance_basis": [
{
"source": "NIST",
"anchor": "SI-07",
"role": "best_practice"
},
{
"source": "NIST",
"anchor": "SP 800-147 BIOS Protection",
"role": "best_practice"
}
],
"realizes_obligations": [
"firmware_software_authentication",
"signed_update_integrity"
],
"required_procedures": [],
"evidence_patterns": [
"signature_verification_log",
"sbom",
"signing_key_policy"
],
"domains": [
"authentication",
"updates"
],
"provenance": {
"source": "cross_domain_relationships.json SHARED_CAPABILITY"
}
},
{
"id": "cap.security_monitoring_alerting",
"slug": "security_monitoring_alerting",
"name": "Security Monitoring & Alerting",
"description": "Anomalie-/Bedrohungserkennung und Alarmierung aus Logs/Telemetrie.",
"guidance_basis": [
{
"source": "NIST",
"anchor": "AU-6/SI-4",
"role": "best_practice"
},
{
"source": "NIST",
"anchor": "SP 800-94",
"role": "best_practice"
}
],
"realizes_obligations": [
"log_monitoring_alerting",
"remote_access_threat_detection"
],
"required_procedures": [],
"evidence_patterns": [
"siem_config_export",
"alert_rule_export",
"monitoring_audit_log"
],
"domains": [
"logging",
"remote_access"
],
"provenance": {
"source": "cross_domain_relationships.json SHARED_CAPABILITY"
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink