breakpilot-compliance/obligations/cra_core.json
Benjamin Admin ffbedfa0dc feat(citability): logischer norm_id-Join auf legal_basis (KB-v2 Zitier-Vertrag)
Wake-up #2 (Domaene 2): Zitierfaehigkeit ohne char-Level-Spans via logischem
norm_id-Join auf KB-v2-Units (bp_compliance_kb_2026_1_build). Konvention (Board
Compliance/KB-v2 2026-07-01): EU-<ACT>-Anhang<ROM> (Annex-Ebene, confirmed) /
EU-<ACT>-Art<N> + EU-<ACT>-Kapitel<ROM> (verify_pending). Namensvariante
EU-MaschVO-* (NICHT MaschinenVO). KEINE neue Klasse — norm_ids ist ein Attribut
auf legal_basis (freeze-safe).

- 65/65 legal_basis gejoint (CRA 40 + MaschVO 25), 0 unparsed; 64 Obligations
  citation_status -> norm_id_linked (BP/guidance-anchored bleiben ohne norm_id).
- 53 annex_confirmed, 12 verify_pending; distinkt 5 Annex-IDs + 19 Art/Kapitel.
- norm_id_manifest.json = KB-v2-Handoff (verify_pending Art-/Kapitel-IDs pruefen).
- Granularitaet annex-grob (Part/Punkt = KB-Enhancement TBD); Artikel-norm_ids in
  KB-v2 noch zu verifizieren.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-07-01 12:14:55 +02:00


{
"schema_version": "obligation_registry_v1",
"regulation": "CRA",
"regulation_code": "CRA",
"family": "core",
"theme": "CORE Security Objectives (CRA Annex I als regulierungs-agnostische Sicherheitsziele)",
"generated_by": "materialize_capabilities.py (#5b, Modell C)",
"note": "CORE Legal Obligations = Sicherheitsziele (Modell C: KEINE eigene SecurityObjective-Klasse). DOMAIN-Obligations spezialisieren diese CORE-Obligations (siehe specialized_by). objective_tags = Vorwaerts-Kompat zu Modell B.",
"citation_status": "pending_span_anchor",
"obligations": [
{
"id": "attack_surface_minimization",
"name": "Minimierung der Angriffsflaeche",
"family": "core",
"description": "Das Produkt minimiert seine Angriffsflaeche: unnoetige Funktionen/Ports/Dienste/Schnittstellen sind deaktiviert (Least Functionality).",
"tier": "LEGAL_MINIMUM",
"source_role": "LEGAL_BASIS",
"applicability": "universal",
"objective_tags": [
"attack_surface"
],
"legal_basis": [
{
"source": "CRA",
"anchor": "Annex I Part I (2)(j)",
"citation": "limit attack surfaces, including external interfaces",
"norm_ids": [
"EU-CRA-AnhangI"
],
"norm_id_status": "annex_confirmed"
}
],
"guidance_basis": [
{
"source": "NIST",
"anchor": "CM-7 Least Functionality",
"role": "best_practice"
}
],
"specialized_by": [
"remote_access_attack_surface_min",
"component_remote_interface_security"
],
"primary_implementation": "NIST CM-7",
"citation_status": "norm_id_linked",
"review_status": "core_from_5b"
},
{
"id": "software_integrity_protection",
"name": "Schutz der Software-/Firmware-Integritaet",
"family": "core",
"description": "Das Produkt schuetzt Integritaet und Authentizitaet von Software/Firmware (Manipulationserkennung, Secure Boot, Signaturpruefung, Runtime-Integritaet).",
"tier": "LEGAL_MINIMUM",
"source_role": "LEGAL_BASIS",
"applicability": "universal",
"objective_tags": [
"integrity"
],
"legal_basis": [
{
"source": "CRA",
"anchor": "Annex I Part I (2)(f)",
"citation": "protect the integrity of stored, transmitted or processed data, software and configuration",
"norm_ids": [
"EU-CRA-AnhangI"
],
"norm_id_status": "annex_confirmed"
}
],
"guidance_basis": [
{
"source": "NIST",
"anchor": "SI-7 Software, Firmware, and Information Integrity",
"role": "best_practice"
}
],
"specialized_by": [
"signed_update_integrity",
"firmware_software_authentication"
],
"realized_by_capabilities": [
"code_signing"
],
"primary_implementation": "NIST SI-7",
"citation_status": "norm_id_linked",
"review_status": "core_from_5b"
}
],
"relationships": [],
"norm_id_contract": {
"convention": "EU-<ACT>-Anhang<ROM> (Annex-Ebene, norm_id_status annex_confirmed) / EU-<ACT>-Art<N> und EU-<ACT>-Kapitel<ROM> (norm_id_status verify_pending) — KB-v2 bp_compliance_kb_2026_1_build",
"act_naming": "EU-MaschVO-* (NICHT MaschinenVO)",
"granularity": "annex-grob — norm_ids loesen nur auf Annex-Ebene auf (z.B. 'Annex I Part II (1)' -> EU-CRA-AnhangI); der Part-/Punkt-Bezug steht weiterhin nur im anchor-Feld der legal_basis; Part/Punkt-norm_ids = KB-Enhancement TBD",
"article_status": "EU-<ACT>-Art<N> und EU-<ACT>-Kapitel<ROM> sind in KB-v2 noch zu verifizieren (norm_id_status verify_pending; bis dahin nicht als bestaetigte Zitate verwenden); Annex-IDs sind confirmed",
"source": "Board Compliance/KB-v2 2026-07-01"
}
}