Files
breakpilot-compliance/obligations/cra_core.json
T
Benjamin Admin a4cb104258 feat(citability): KB-v2-Verifikation der norm_ids einarbeiten (16/19 confirmed)
Feedback der Compliance/KB-Session (2026-07-01): die 19 verify_pending norm_ids
gegen KB-v2 (bp_compliance_kb_2026_1_build) geprüft — 16/19 bestätigt (alle
CRA+MaschVO-Artikel existieren). Die 3 fehlenden = Kapitel-Ebene
(EU-MaschVO-KapitelIV/V/VI): der KB-Compiler mintet Artikel+Annex, KEINE Kapitel.

- Artikel-norm_ids verify_pending -> article_confirmed (16 distinkt).
- Kapitel-norm_ids -> chapter_no_kb_unit (danglender Join-Key) + norm_id_note
  (Re-Anchor auf Konstituenten-Artikel = Enhancement, KB-v2 hat sie; NICHT geraten).
- 2 Kapitel-Obligations (notifizierte Stellen · Marktüberwachung/Schutzklausel,
  beide rein prozedural, obligation_id=None) citation_status norm_id_linked ->
  chapter_reanchor_pending. Joinbar bleiben 62 Obligations.
- Status gesamt: 53 annex_confirmed + 10 article_confirmed + 2 chapter_no_kb_unit.
- norm_id_manifest.json + Contract-Block um kb_v2_verification ergänzt.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-07-01 12:31:35 +02:00

98 lines
3.3 KiB
JSON

{
"schema_version": "obligation_registry_v1",
"regulation": "CRA",
"regulation_code": "CRA",
"family": "core",
"theme": "CORE Security Objectives (CRA Annex I als regulierungs-agnostische Sicherheitsziele)",
"generated_by": "materialize_capabilities.py (#5b, Modell C)",
"note": "CORE Legal Obligations = Sicherheitsziele (Modell C: KEINE eigene SecurityObjective-Klasse). DOMAIN-Obligations specializes-en hierauf. objective_tags = Vorwaerts-Kompat zu Modell B.",
"citation_status": "pending_span_anchor",
"obligations": [
{
"id": "attack_surface_minimization",
"name": "Minimierung der Angriffsflaeche",
"family": "core",
"description": "Das Produkt minimiert seine Angriffsflaeche: unnoetige Funktionen/Ports/Dienste/Schnittstellen sind deaktiviert (Least Functionality).",
"tier": "LEGAL_MINIMUM",
"source_role": "LEGAL_BASIS",
"applicability": "universal",
"objective_tags": [
"attack_surface"
],
"legal_basis": [
{
"source": "CRA",
"anchor": "Annex I Part I (2)(j)",
"citation": "limit attack surfaces, including external interfaces",
"norm_ids": [
"EU-CRA-AnhangI"
],
"norm_id_status": "annex_confirmed"
}
],
"guidance_basis": [
{
"source": "NIST",
"anchor": "CM-7 Least Functionality",
"role": "best_practice"
}
],
"specialized_by": [
"remote_access_attack_surface_min",
"component_remote_interface_security"
],
"primary_implementation": "NIST CM-7",
"citation_status": "norm_id_linked",
"review_status": "core_from_5b"
},
{
"id": "software_integrity_protection",
"name": "Schutz der Software-/Firmware-Integritaet",
"family": "core",
"description": "Das Produkt schuetzt Integritaet und Authentizitaet von Software/Firmware (Manipulationserkennung, Secure Boot, Signaturpruefung, Runtime-Integritaet).",
"tier": "LEGAL_MINIMUM",
"source_role": "LEGAL_BASIS",
"applicability": "universal",
"objective_tags": [
"integrity"
],
"legal_basis": [
{
"source": "CRA",
"anchor": "Annex I Part I (2)(f)",
"citation": "protect the integrity of stored, transmitted or processed data, software and configuration",
"norm_ids": [
"EU-CRA-AnhangI"
],
"norm_id_status": "annex_confirmed"
}
],
"guidance_basis": [
{
"source": "NIST",
"anchor": "SI-7 Software, Firmware, and Information Integrity",
"role": "best_practice"
}
],
"specialized_by": [
"signed_update_integrity",
"firmware_software_authentication"
],
"realized_by_capabilities": [
"code_signing"
],
"primary_implementation": "NIST SI-7",
"citation_status": "norm_id_linked",
"review_status": "core_from_5b"
}
],
"relationships": [],
"norm_id_contract": {
"convention": "EU-<ACT>-Anhang<ROM> (Annex-Ebene) / EU-<ACT>-Art<N> (verify) — KB-v2 bp_compliance_kb_2026_1_build",
"act_naming": "EU-MaschVO-* (NICHT MaschinenVO)",
"granularity": "annex-grob — 'Annex I Part II (1)' -> EU-CRA-AnhangI; Part/Punkt = KB-Enhancement TBD",
"article_status": "EU-<ACT>-Art<N> in KB-v2 BESTÄTIGT (16/16); Annex-IDs confirmed",
"source": "Board Compliance/KB-v2 2026-07-01",
"kb_v2_verification": "2026-07-01: 16/19 verify_pending IDs in KB-v2 bestätigt (alle Artikel); 3 Kapitel-IDs = chapter_no_kb_unit (Compiler mintet keine Kapitel)."
}
}