Fix documentation gaps in compliance_track and security docs#1272

Merged: spoorcc merged 2 commits into main from claude/compliance-track-docs-veiqrl on Jun 16, 2026

Conversation

@spoorcc (Contributor) commented Jun 15, 2026
  • Replace non-existent C-045 with C-043 (release-gate CVE check) in
    security.rst; C-045 was never defined, C-043 is the actual Track B
    control that addresses ECR-a
  • Correct "C-043–C-046" to "C-043, C-044, and C-046" in compliance.py
    and compliance_track.rst; C-045 does not exist, so the range notation
    was misleading
  • Change plain-text "security.rst" to a proper RST cross-reference
    :doc:`security` in compliance_data.py and compliance_track.rst so
    the rendered docs link to the Security Model page

https://claude.ai/code/session_0182v7TLyKVbi9S1rAqqFAbm

Summary by CodeRabbit

  • Documentation
    • Clarified security maintenance policy: only the latest release receives security patches, with no LTS support or backports
    • Added security update commitment describing response expectations and a target 30-day timeline for releasing patches via PyPI
    • Updated compliance documentation to reflect the current implementation status of security controls and requirements
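The range-notation problem described above (a "C-043–C-046" reference that implies an undefined C-045 exists) as an added Python example; this is not dfetch's own compliance.py code. CONTROL_REGISTER is a constructed register containing only the control IDs the PR text names as defined, and render_control_refs is a hypothetical renderer that refuses undefined IDs and only collapses a run into a range when every ID inside it was validated.

```python
import re
from typing import Iterable

# Constructed register for this example: the Track B control IDs the PR text
# describes as actually defined. C-045 is deliberately absent.
CONTROL_REGISTER = {"C-043", "C-044", "C-046"}

_ID_RE = re.compile(r"^(?P<prefix>[A-Z]+-)(?P<num>\d+)$")


def render_control_refs(ids: Iterable[str], register: set[str]) -> str:
    """Render a documentation reference to the given control IDs.

    Every ID must exist in ``register``: referencing an undefined control
    raises instead of silently producing text. Runs of three or more
    consecutive IDs collapse to a range only when each ID in between was
    itself passed (and therefore validated); otherwise they are listed one
    by one, so the rendered text never implies a control that is undefined.
    """
    parsed = set()
    for cid in ids:
        if cid not in register:
            raise KeyError(f"control {cid} is not defined in the register")
        m = _ID_RE.match(cid)
        if m is None:
            raise ValueError(f"malformed control id: {cid}")
        parsed.add((m["prefix"], int(m["num"]), len(m["num"])))

    # Group into runs of consecutive numbers sharing prefix and zero-padding.
    runs: list[list[tuple[str, int, int]]] = []
    for prefix, num, width in sorted(parsed):
        last = runs[-1][-1] if runs else None
        if last and last[0] == prefix and last[2] == width and last[1] + 1 == num:
            runs[-1].append((prefix, num, width))
        else:
            runs.append([(prefix, num, width)])

    def fmt(prefix: str, num: int, width: int) -> str:
        return f"{prefix}{num:0{width}d}"

    parts: list[str] = []
    for run in runs:
        if len(run) >= 3:
            parts.append(f"{fmt(*run[0])}\u2013{fmt(*run[-1])}")  # en dash
        else:
            parts.extend(fmt(*item) for item in run)
    if len(parts) <= 2:
        return " and ".join(parts)
    return ", ".join(parts[:-1]) + ", and " + parts[-1]
```

With the constructed register, the three defined controls render as "C-043, C-044, and C-046"; a range only appears once C-045 is actually defined and referenced.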

claude added 2 commits June 15, 2026 21:27
- Replace non-existent C-045 with C-043 (release-gate CVE check) in
  security.rst; C-045 was never defined, C-043 is the actual Track B
  control that addresses ECR-a
- Correct "C-043–C-046" to "C-043, C-044, and C-046" in compliance.py
  and compliance_track.rst; C-045 does not exist, so the range notation
  was misleading
- Change plain-text "security.rst" to a proper RST cross-reference
  :doc:`security` in compliance_data.py and compliance_track.rst so
  the rendered docs link to the Security Model page

https://claude.ai/code/session_0182v7TLyKVbi9S1rAqqFAbm
C-044 and C-046 were marked 'Planned' even though both controls were
already fully documented in compliance_track.rst itself:
- C-044: data minimisation policy — field-by-field justification already
  written; mark as Implemented
- C-046: exploit mitigation inventory — full inventory already listed;
  mark as Implemented

Part II §2 and §7 gaps were missing a patch SLA and explicit support
period statement:
- Add 'Security Update Commitment' section to SECURITY.md that states
  30-day best-effort fix target and free distribution under MIT
- Clarify Supported Versions to explicitly call out no LTS track
- Part II §2: reference SECURITY.md as a control; rephrase gap to
  reflect the actual remaining limitation (no LTS backport)
- Part II §7: reference SECURITY.md; mark as Implemented since the
  support period (latest release) is now explicitly documented

https://claude.ai/code/session_0182v7TLyKVbi9S1rAqqFAbm
@coderabbitai (Bot) commented Jun 15, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between b0358cc and b8a0c08.

📒 Files selected for processing (5)
  • SECURITY.md
  • doc/explanation/compliance_track.rst
  • doc/explanation/security.rst
  • security/compliance.py
  • security/compliance_data.py

Walkthrough

SECURITY.md is expanded with explicit patch-commitment text (30-day target, PyPI distribution). security/compliance_data.py promotes two security objectives (so-data-minimization, so-reduce-impact-of-incident) from planned to implemented, updates pii-02 controls to include SECURITY.md, and closes pii-07. The RST compliance documents and the control-register renderer are updated to match.

Changes

Track B compliance promotion and SECURITY.md policy

Layer: SECURITY.md patch commitment policy
File(s): SECURITY.md
Summary: Replaces the brief "latest release only" statement with expanded text and adds a "Security Update Commitment" section with a 30-day fix target and PyPI release description.

Layer: compliance_data.py: promote SO objectives and close pii-07
File(s): security/compliance_data.py
Summary: Updates the prEN 40000-1-2 doc reference to a Sphinx cross-reference; promotes so-data-minimization and so-reduce-impact-of-incident from planned to implemented with revised descriptions; adds SECURITY.md to pii-02 controls and condenses its gaps; marks pii-07 as implemented with no remaining gaps.

Layer: RST documentation updates and control-register renderer fix
File(s): doc/explanation/compliance_track.rst, doc/explanation/security.rst, security/compliance.py
Summary: Marks ECR-G and ECR-K as ✓ Implemented in the Part I table; cites SECURITY.md in Part II §2 and §7 rows with updated gap/status text; adjusts Final Control Register intro wording; replaces C-045 with C-043 in the Track B bullet list; changes the rendered Track B control reference from a range to an explicit comma-separated list.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • dfetch-org/dfetch#1271: Directly introduces the CRA Track B compliance data structures and rendering in security/compliance_data.py and security/compliance.py that this PR updates with promoted statuses and SECURITY.md references.

Suggested labels

documentation

Pre-merge checks: 5 passed
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately summarizes the main changes: fixing documentation gaps and inconsistencies across compliance and security documentation.
  • Docstring Coverage: Passed. Docstring coverage is 100.00%, which is sufficient; the required threshold is 80.00%.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@spoorcc (Contributor, Author) commented Jun 16, 2026

@coderabbitai review

@coderabbitai (Bot) commented Jun 16, 2026

Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@spoorcc spoorcc merged commit 0c54e11 into main Jun 16, 2026
34 of 35 checks passed
@spoorcc spoorcc deleted the claude/compliance-track-docs-veiqrl branch June 16, 2026 05:10