Merge pull request 'fix(onboarding): partial != detected — indication, not auto-detect (Fix B)' (#49) from feat/partial-decouple into main

pilotadmin
2026-06-28 16:02:55 +02:00
7 changed files with 51 additions and 5 deletions
@@ -41,6 +41,7 @@ class AdvisorResponse(BaseModel):
silent_intake_summary: str = "" silent_intake_summary: str = ""
headline: str = "" headline: str = ""
auto_detected: List[str] = Field(default_factory=list) auto_detected: List[str] = Field(default_factory=list)
indications: List[str] = Field(default_factory=list) # partial signal: raises strength, still asked
inferred_assumptions: List[InferredAssumption] = Field(default_factory=list) inferred_assumptions: List[InferredAssumption] = Field(default_factory=list)
rejected_assumptions: List[RejectedAssumption] = Field(default_factory=list) rejected_assumptions: List[RejectedAssumption] = Field(default_factory=list)
top_5_questions: List[AdvisorQuestion] = Field(default_factory=list) top_5_questions: List[AdvisorQuestion] = Field(default_factory=list)
@@ -66,6 +67,7 @@ def advisor_start_endpoint(req: OnboardingAdvisorRequest) -> AdvisorResponse:
products=req.products, markets=req.markets, industry=req.industry or "") products=req.products, markets=req.markets, industry=req.industry or "")
return AdvisorResponse( return AdvisorResponse(
silent_intake_summary=si_summary, headline=result.headline, auto_detected=result.auto_detected, silent_intake_summary=si_summary, headline=result.headline, auto_detected=result.auto_detected,
indications=result.indications,
inferred_assumptions=result.inferred_assumptions, rejected_assumptions=result.rejected_assumptions, inferred_assumptions=result.inferred_assumptions, rejected_assumptions=result.rejected_assumptions,
top_5_questions=result.next_best_questions, capability_delta=result.capability_delta, top_5_questions=result.next_best_questions, capability_delta=result.capability_delta,
top_measures=result.top_measures, evidence_requests=result.evidence_requests, top_measures=result.top_measures, evidence_requests=result.evidence_requests,
@@ -75,6 +75,7 @@ def advisor_start(
corpus_status: Optional[Dict[str, str]] = None, corpus_status: Optional[Dict[str, str]] = None,
uncertain: Optional[List[Dict[str, str]]] = None, uncertain: Optional[List[Dict[str, str]]] = None,
detected_capabilities: Optional[Sequence[str]] = None, detected_capabilities: Optional[Sequence[str]] = None,
indicative_capabilities: Optional[Sequence[str]] = None,
) -> AdvisorResult: ) -> AdvisorResult:
"""Run the onboarding flow: (silent intake +) certs -> profile -> delta -> ranked questions + measures. """Run the onboarding flow: (silent intake +) certs -> profile -> delta -> ranked questions + measures.
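Review bot: The new `indicative_capabilities` parameter is added to the signature but the docstring's summary line is unchanged, and the rest of the docstring lies outside this hunk, so if it carries a parameter section that section now misses an entry. It should state the contract the implementation later enforces: `indicative_capabilities: capability ids backed only by a partial signal; intersected with the target's requirements, minus auto_detected, and surfaced as result.indications — never fed into the profile, so the gap stays open and is still asked.` Without this a caller reading the signature alone may pass the same ids to both `detected_capabilities` and `indicative_capabilities`, expecting both to reduce the delta. The function body continues outside the hunk.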
@@ -86,6 +87,9 @@ def advisor_start(
required = {r.capability_id for r in target_requirements} required = {r.capability_id for r in target_requirements}
profile = _profile(inp, cert_hypotheses, detected_capabilities) profile = _profile(inp, cert_hypotheses, detected_capabilities)
auto_detected = sorted(set(detected_capabilities or []) & required) auto_detected = sorted(set(detected_capabilities or []) & required)
# partial/indicative signals raise assumption strength but are NOT fed into the profile -> the gap
# stays open and is still asked. Surface only those still relevant and NOT already auto-detected.
indications = sorted((set(indicative_capabilities or []) & required) - set(auto_detected))
assess = assess_transition( assess = assess_transition(
TransitionContext(company_id=inp.company or "company", target=TransitionGoal(target_id=target_id)), TransitionContext(company_id=inp.company or "company", target=TransitionGoal(target_id=target_id)),
list(target_requirements), profile) list(target_requirements), profile)
@@ -135,6 +139,7 @@ def advisor_start(
probably = [c for c in assess.summary.probably_covered if c not in set(auto_detected)] probably = [c for c in assess.summary.probably_covered if c not in set(auto_detected)]
return AdvisorResult( return AdvisorResult(
inferred_assumptions=inferred, rejected_assumptions=rejected, auto_detected=auto_detected, inferred_assumptions=inferred, rejected_assumptions=rejected, auto_detected=auto_detected,
indications=indications,
next_best_questions=next_q, capability_delta=delta, top_measures=measures, next_best_questions=next_q, capability_delta=delta, top_measures=measures,
evidence_requests=evidence, unsupported_domains=unsupported, evidence_requests=evidence, unsupported_domains=unsupported,
completeness_summary=rep.completeness_summary, completeness_summary=rep.completeness_summary,
@@ -53,7 +53,8 @@ class AdvisorMeasure(BaseModel):
class AdvisorResult(BaseModel): class AdvisorResult(BaseModel):
inferred_assumptions: List[InferredAssumption] = Field(default_factory=list) inferred_assumptions: List[InferredAssumption] = Field(default_factory=list)
rejected_assumptions: List[RejectedAssumption] = Field(default_factory=list) rejected_assumptions: List[RejectedAssumption] = Field(default_factory=list)
auto_detected: List[str] = Field(default_factory=list) # Silent Pass: recognised w/o asking auto_detected: List[str] = Field(default_factory=list) # detected (concrete artifact): recognised w/o asking
indications: List[str] = Field(default_factory=list) # partial signal: raises assumption strength, STILL asked
next_best_questions: List[AdvisorQuestion] = Field(default_factory=list) # max 5 next_best_questions: List[AdvisorQuestion] = Field(default_factory=list) # max 5
capability_delta: List[str] = Field(default_factory=list) capability_delta: List[str] = Field(default_factory=list)
top_measures: List[AdvisorMeasure] = Field(default_factory=list) top_measures: List[AdvisorMeasure] = Field(default_factory=list)
@@ -66,10 +66,15 @@ class SilentIntakeResult(BaseModel):
summary: str = "" summary: str = ""
def capability_ids(self) -> List[str]: def capability_ids(self) -> List[str]:
"""The detected capability ids — fed into the Advisor as already-present (delta-reducing). """The DETECTED capability ids (relationship == detected) — fed into the Advisor as already-present
(delta-reducing, not asked). ONLY observation-kind signals reach here (requirements never become a
present capability); a merely PARTIAL/indicative signal does NOT (see indicative_capability_ids)."""
return sorted({d.capability for d in self.detected_capabilities if d.relationship == "detected"})
ONLY observation-kind signals reach here (requirements never become a present capability).""" def indicative_capability_ids(self) -> List[str]:
return sorted({d.capability for d in self.detected_capabilities}) """Capabilities backed only by a PARTIAL/indicative signal — they raise assumption strength but do
NOT replace a question (the gap stays open and is still asked, just with an indication shown)."""
return sorted({d.capability for d in self.detected_capabilities if d.relationship != "detected"})
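Review bot: `indicative_capability_ids` selects by exclusion — `if d.relationship != "detected"` — so every relationship kind other than `"detected"`, including any kind added later or an unexpected value produced by the signal map, is surfaced to the user as a positive indication of that capability. The method's own docstring scopes it to PARTIAL/indicative signals, so filter positively on the literal the map uses for partial signals, e.g. `if d.relationship == <PARTIAL_RELATIONSHIP_LITERAL>` (placeholder: the actual value is not visible here), and let unknown kinds fall through unreported rather than masquerade as evidence. If the two methods are meant to be an exact complement of `detected_capabilities`, say so in the docstring and name the other kinds that are expected to land here. The class header and the `detected_capabilities` field are outside the hunk.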
def silent_intake( def silent_intake(
@@ -76,5 +76,6 @@ def run_advisor(
known_evidence=list(known_evidence), target=[target]) known_evidence=list(known_evidence), target=[target])
result = advisor_start( result = advisor_start(
inp, resolve_for_certifications(certifications, _HYP_LIB), reqs, target_id=target, inp, resolve_for_certifications(certifications, _HYP_LIB), reqs, target_id=target,
covers_targets=covers, corpus_status={target: "validated"}, detected_capabilities=si.capability_ids()) covers_targets=covers, corpus_status={target: "validated"},
detected_capabilities=si.capability_ids(), indicative_capabilities=si.indicative_capability_ids())
return result, si.summary return result, si.summary
@@ -61,6 +61,18 @@ def test_requirement_signal_does_not_auto_detect_capability():
assert "sbom_creation" in asked or "sbom_creation" in d["capability_delta"] # still an open gap assert "sbom_creation" in asked or "sbom_creation" in d["capability_delta"] # still an open gap
def test_partial_signal_surfaces_as_indication_and_is_still_asked():
# a PARTIAL observation (a CI pipeline) raises assumption strength but does NOT replace the question
body = dict(_BODY, scanner_findings=[{"signal_id": "github_actions_ci", "source_type": "repository"}])
r = _client.post("/onboarding/advisor-start", json=body)
assert r.status_code == 200, r.text
d = r.json()
assert "secure_development_lifecycle" not in d["auto_detected"] # partial != detected
assert "secure_development_lifecycle" in d["indications"] # but its strength is shown
asked = {q["capability_id"] for q in d["top_5_questions"]}
assert "secure_development_lifecycle" in asked or "secure_development_lifecycle" in d["capability_delta"]
def test_unknown_target_is_404(): def test_unknown_target_is_404():
body = dict(_BODY, target="NOPE") body = dict(_BODY, target="NOPE")
r = _client.post("/onboarding/advisor-start", json=body) r = _client.post("/onboarding/advisor-start", json=body)
@@ -77,3 +77,23 @@ def test_detected_capabilities_are_not_asked_again():
detected_capabilities=detected) detected_capabilities=detected)
asked = {q.capability_id for q in res.next_best_questions} asked = {q.capability_id for q in res.next_best_questions}
assert "sbom_creation" not in asked and "sbom_creation" not in res.capability_delta assert "sbom_creation" not in asked and "sbom_creation" not in res.capability_delta
def test_partial_signal_is_indicative_not_detected():
# a PARTIAL signal (CI present -> secure dev lifecycle) raises assumption strength but is NOT a
# detected capability: it must NOT shrink the delta the way a concrete artifact does.
res = silent_intake([IntakeSignal(source="repository", signal="github_actions_ci")], _MAP)
assert "secure_development_lifecycle" not in res.capability_ids() # not counted as present
assert res.indicative_capability_ids() == ["secure_development_lifecycle"] # surfaced as an indication
def test_partial_indication_does_not_remove_the_question():
inp = OnboardingInput(company="x", certifications=["ISO27001"], target=["CRA"])
hyp = resolve_for_certifications(inp.certifications, _LIB)
si = silent_intake([IntakeSignal(source="repository", signal="github_actions_ci")], _MAP)
res = advisor_start(inp, hyp, _REQ, target_id="CRA", corpus_status={"CRA": "validated"},
detected_capabilities=si.capability_ids(),
indicative_capabilities=si.indicative_capability_ids())
assert "secure_development_lifecycle" not in res.auto_detected # partial != detected
assert "secure_development_lifecycle" in res.indications # strength shown
assert "secure_development_lifecycle" in res.capability_delta # gap still open / asked
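Review bot: `test_partial_indication_does_not_remove_the_question` never looks at the questions; its last assertion checks only `res.capability_delta`, so it would still pass if the capability stayed in the delta but was dropped from `next_best_questions`, which is exactly what the test name promises to catch. Mirror the preceding test in this file: `asked = {q.capability_id for q in res.next_best_questions}` followed by `assert "secure_development_lifecycle" in asked or "secure_development_lifecycle" in res.capability_delta`, the same disjunction the API-level test in this commit uses. In `test_partial_signal_is_indicative_not_detected`, the exact-equality `== ["secure_development_lifecycle"]` will break as soon as `_MAP` maps `github_actions_ci` to a second partial capability; a membership assertion is more robust unless the single mapping is itself the property under test.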