feat(pipeline): implement Control Dependency Engine (Block 9)

Core engine (dependency_engine.py):
- 5 dependency types: prerequisite, supersedes, compensating_control,
  conditional_requirement, scope_exclusion
- Generic condition evaluator (JSONB rules with AND/OR/NOT/field ops)
- Priority-based conflict resolution
- Cycle detection (DFS) + topological sort
- Full evaluation with MCP-compatible dependency_resolution trace
- 39 tests all passing (incl. GHV scenario from user requirements)

Automatic generator (dependency_generator.py):
- Ontology-based: same normalized_object + phase sequence -> prerequisite
- Pattern-based: define->implement, implement->monitor, etc.
- Domain packs: YAML rules for GDPR, AI Act, CRA, Security, Labor Contracts
- 14 tests all passing

API routes (dependency_routes.py):
- CRUD for dependencies
- POST /evaluate with dependency resolution
- POST /generate (auto-generation with dry_run)
- POST /validate (cycle detection)
- GET /graph (nodes + edges for visualization)

Prompt enhancement (decomposition_pass.py):
- Added dependency_hints + lifecycle_phase_order to Pass 0b prompt
- Stored in generation_metadata for post-processing

DB migration: control_dependencies + control_evaluation_results tables

126 tests total, all passing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

control-pipeline/data/domain_packs/ai_act.yaml

@@ -0,0 +1,22 @@
+domain: ai_act
+version: "1.0"
+description: "AI Act spezifische Abhaengigkeiten"
+
+rules:
+  - name: risk_classification_before_requirements
+    description: "Risikoklassifizierung muss vor High-Risk-Anforderungen stehen"
+    source_match:
+      title_contains: ["Risikoklassifizierung", "KI-System klassifiziert"]
+    target_match:
+      title_contains: ["Hochrisiko-Anforderung", "High-Risk"]
+    dependency_type: prerequisite
+    priority: 30
+
+  - name: fria_before_deployment
+    description: "Grundrechte-Folgenabschaetzung vor KI-Einsatz"
+    source_match:
+      title_contains: ["Grundrechte-Folgenabschaetzung", "FRIA"]
+    target_match:
+      title_contains: ["KI-System eingesetzt", "KI-System betrieben"]
+    dependency_type: prerequisite
+    priority: 30

control-pipeline/data/domain_packs/cra.yaml

@@ -0,0 +1,34 @@
+domain: cra
+version: "1.0"
+description: "Cyber Resilience Act spezifische Abhaengigkeiten"
+
+rules:
+  - name: sbom_triggers_vuln_monitoring
+    description: "SBOM fuehrt zu Schwachstellenmonitoring-Pflicht"
+    source_match:
+      title_contains: ["SBOM", "Komponentenverzeichnis"]
+    target_match:
+      title_contains: ["Schwachstellenmonitoring", "Vulnerability Monitoring"]
+    dependency_type: prerequisite
+    condition:
+      field: source.status
+      op: "=="
+      value: pass
+    effect:
+      set_status: review_required
+    priority: 40
+
+  - name: ce_partially_satisfies_evidence
+    description: "CE-Zertifizierung ersetzt Teile der Einzelnachweise"
+    source_match:
+      title_contains: ["CE-Konformitaet", "CE-Zertifizierung", "Konformitaetserklaerung"]
+    target_match:
+      title_contains: ["Einzelnachweis", "Konformitaetsnachweis"]
+    dependency_type: compensating_control
+    condition:
+      field: source.status
+      op: "=="
+      value: pass
+    effect:
+      set_status: compensated_fail
+    priority: 80

control-pipeline/data/domain_packs/gdpr.yaml

@@ -0,0 +1,31 @@
+domain: gdpr
+version: "1.0"
+description: "DSGVO-spezifische Abhaengigkeiten"
+
+rules:
+  - name: vvt_before_dsfa
+    description: "Verarbeitungsverzeichnis muss vor DSFA existieren"
+    source_match:
+      title_contains: ["Verarbeitungsverzeichnis", "VVT"]
+    target_match:
+      title_contains: ["Datenschutz-Folgenabschaetzung", "DSFA"]
+    dependency_type: prerequisite
+    priority: 40
+
+  - name: rechtsgrundlage_before_verarbeitung
+    description: "Rechtsgrundlage muss vor Datenverarbeitung definiert sein"
+    source_match:
+      title_contains: ["Rechtsgrundlage", "Einwilligung definiert"]
+    target_match:
+      title_contains: ["Datenverarbeitung implementiert", "personenbezogene Daten verarbeitet"]
+    dependency_type: prerequisite
+    priority: 30
+
+  - name: tom_before_documentation
+    description: "TOMs muessen implementiert sein bevor sie dokumentiert werden"
+    source_match:
+      title_contains: ["TOM implementiert", "Technische Massnahmen umgesetzt"]
+    target_match:
+      title_contains: ["TOM dokumentiert", "Massnahmen dokumentiert"]
+    dependency_type: prerequisite
+    priority: 50

control-pipeline/data/domain_packs/labor_contracts.yaml

@@ -0,0 +1,31 @@
+domain: labor_contracts
+version: "1.0"
+description: "Arbeitsrechtliche Abhaengigkeiten (GHV, Schulung, Nachschulung)"
+
+rules:
+  - name: ghv_supersedes_training
+    description: "GHV-Klausel im Vertrag macht Vertraulichkeitsschulung nicht notwendig"
+    source_match:
+      title_contains: ["GHV-Klausel", "Vertraulichkeitsklausel", "Geheimhaltungsvereinbarung", "Vertraulichkeit im Vertrag"]
+    target_match:
+      title_contains: ["Vertraulichkeitsschulung", "Vertraulichkeit geschult"]
+    dependency_type: supersedes
+    condition:
+      field: source.status
+      op: "=="
+      value: pass
+    effect:
+      set_status: not_applicable
+    priority: 10
+
+  - name: training_prerequisite_for_refresher
+    description: "Erstschulung muss vor Nachschulung existieren"
+    source_match:
+      title_contains: ["Vertraulichkeitsschulung", "Erstschulung"]
+    target_match:
+      title_contains: ["Nachschulung", "jaehrliche Schulung"]
+    dependency_type: prerequisite
+    condition: {}
+    effect:
+      set_status: review_required
+    priority: 50

control-pipeline/data/domain_packs/security.yaml

@@ -0,0 +1,34 @@
+domain: security
+version: "1.0"
+description: "Security-spezifische Abhaengigkeiten"
+
+rules:
+  - name: mfa_compensates_password
+    description: "MFA kompensiert teilweise schwache Passwortanforderungen"
+    source_match:
+      title_contains: ["MFA aktiviert", "Multi-Faktor-Authentifizierung"]
+    target_match:
+      title_contains: ["Passwortlaenge", "Passwortkomplexitaet", "Passwortrichtlinie"]
+    dependency_type: compensating_control
+    condition:
+      field: source.status
+      op: "=="
+      value: pass
+    effect:
+      set_status: compensated_fail
+    priority: 80
+
+  - name: cert_compensates_individual
+    description: "ISO 27001 Zertifizierung kompensiert einzelne Security-Controls"
+    source_match:
+      title_contains: ["ISO 27001 Zertifizierung", "ISMS Zertifizierung"]
+    target_match:
+      title_contains: ["Zugriffskontrolle", "Protokollierung", "Verschluesselung"]
+    dependency_type: compensating_control
+    condition:
+      field: source.status
+      op: "=="
+      value: pass
+    effect:
+      set_status: compensated_fail
+    priority: 80