feat(ai-sdk): source_role control-pool — controls are not only technical_standard
CI / detect-changes (pull_request) Successful in 6s
CI / branch-name (pull_request) Successful in 1s
CI / guardrail-integrity (pull_request) Successful in 6s
CI / secret-scan (pull_request) Successful in 5s
CI / dep-audit (pull_request) Failing after 55s
CI / sbom-scan (pull_request) Failing after 58s
CI / build-sha-integrity (pull_request) Successful in 6s
CI / validate-canonical-controls (pull_request) Successful in 3s
CI / loc-budget (pull_request) Successful in 18s
CI / go-lint (pull_request) Successful in 43s
CI / python-lint (pull_request) Failing after 14s
CI / nodejs-lint (pull_request) Failing after 1m6s
CI / nodejs-build (pull_request) Successful in 3m0s
CI / test-go (pull_request) Successful in 58s
CI / iace-gt-coverage (pull_request) Successful in 16s
CI / test-python-backend (pull_request) Successful in 26s
CI / test-python-document-crawler (pull_request) Successful in 13s
CI / test-python-dsms-gateway (pull_request) Successful in 9s
Live gate test showed control-intent (#36/#37) was inert for the EU cyber corpus: "Welche Controls passen zu Security Updates?" recalls ENISA good-practices (relevant measures, but source_class=supervisory_guidance) + binding regs, never NIST — so lifting technical_standard above binding did nothing. Per the finalized control-corpus model (User 2026-06-24): add source_role (functional role) ORTHOGONAL to source_class (legal authority). source_class still decides rank; source_role decides CONTROL-POOL membership. classifyRole derives 7 roles from markers (no re-tagging): obligation / operational_requirement / procedural_requirement / control_standard / implementation_guidance / interpretation / definition. Control-intent now boosts the control-pool (operational/procedural requirement, control standard, implementation guidance) over the abstract obligation, soft-ordered op_req > procedural > standard > guidance (controlPoolGain + role bonus) — replacing "lift technical_standard above binding". So CRA Annex I (operational_requirement) wins over NIST (control_standard) for "which measures", and ENISA (implementation_guidance) enters the pool while staying guidance. Recall of not-retrieved standards (NIST) for generic control queries = next step (searchControls). Tested: classifyRole table, role-preference, op_req-Top-1. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@@ -96,20 +96,21 @@ func TestQueryWantsControls(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestRerank_ControlQuestion_StandardMayWin(t *testing.T) {
|
||||
// Explicit implementation intent + standard semantically competitive → standard wins.
|
||||
func TestRerank_ControlQuestion_OperationalReqTop(t *testing.T) {
|
||||
// User priority for implementation questions: operational_requirement (binding concrete,
|
||||
// CRA Anhang I) > control_standard (NIST). Both are in the control-pool; op_req wins.
|
||||
results := []LegalSearchResult{
|
||||
intentRes("NIST SP 800-82", "technical_standard", 0.62, 80),
|
||||
intentRes("CRA", "binding_law", 0.58, 100),
|
||||
{RegulationShort: "NIST SP 800-82r3", ArticleLabel: "AU-8", SourceClass: "technical_standard", AuthorityWeight: 80, Jurisdiction: "EU", Score: 0.60},
|
||||
{RegulationShort: "CRA", ArticleLabel: "CRA Anhang I", Category: "regulation", Score: 0.58},
|
||||
}
|
||||
out := rerankByAuthority("Welche Controls passen zu Security Updates?", results)
|
||||
if out[0].SourceClass != "technical_standard" {
|
||||
t.Errorf("control question: technical_standard should win Top-1, got %s", out[0].SourceClass)
|
||||
out := rerankByAuthority("Welche Controls und Massnahmen passen zu Security Updates?", results)
|
||||
if out[0].RegulationShort != "CRA" {
|
||||
t.Errorf("operational_requirement (CRA Anhang I) should be Top-1 over control_standard, got %q", out[0].RegulationShort)
|
||||
}
|
||||
}
|
||||
|
||||
func TestRerank_NormQuestion_BindingOverStandard(t *testing.T) {
|
||||
// "Anforderungen" → no control intent → binding stays Top-1 over the standard.
|
||||
// "Anforderungen" → no control intent → binding obligation stays Top-1 over the standard.
|
||||
results := []LegalSearchResult{
|
||||
intentRes("NIST SP 800-82", "technical_standard", 0.62, 80),
|
||||
intentRes("CRA", "binding_law", 0.58, 100),
|
||||
@@ -120,29 +121,15 @@ func TestRerank_NormQuestion_BindingOverStandard(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestRerank_OffTopicStandard_BlockedByGuard(t *testing.T) {
|
||||
// Control intent present, but the standard is semantically far below binding →
|
||||
// the margin guard keeps binding Top-1 (no off-topic standard override).
|
||||
func TestRerank_ControlQuestion_PoolBeatsBareObligation(t *testing.T) {
|
||||
// A control-pool source (NIST control_standard) outranks an abstract obligation with no
|
||||
// domain/topic advantage, because the implementation intent boosts the control-pool.
|
||||
results := []LegalSearchResult{
|
||||
intentRes("NIST SP 800-82", "technical_standard", 0.40, 80),
|
||||
intentRes("CRA", "binding_law", 0.58, 100),
|
||||
{RegulationShort: "NIST SP 800-82r3", ArticleLabel: "AU-8", SourceClass: "technical_standard", AuthorityWeight: 80, Jurisdiction: "EU", Score: 0.55},
|
||||
{RegulationShort: "XYZ", ArticleLabel: "Art. 5 XYZ", Category: "regulation", Score: 0.58},
|
||||
}
|
||||
out := rerankByAuthority("Welche Controls passen zu Security Updates?", results)
|
||||
if out[0].SourceClass != "binding_law" {
|
||||
t.Errorf("off-topic standard must not win even with control intent, got %s", out[0].SourceClass)
|
||||
}
|
||||
}
|
||||
|
||||
func TestRerank_ControlQuestion_UntaggedNISTLifted(t *testing.T) {
|
||||
// The existing NIST corpus is UNtagged (no source_class). It must still be classified
|
||||
// technical_standard via markers and lifted on a control question — the whole reason
|
||||
// the lift path classifies instead of trusting the raw payload field.
|
||||
results := []LegalSearchResult{
|
||||
{RegulationShort: "NIST SP 800-82r3", ArticleLabel: "AU-8", Score: 0.62},
|
||||
{RegulationShort: "CRA", ArticleLabel: "Art. 13 CRA", Category: "regulation", Score: 0.58},
|
||||
}
|
||||
out := rerankByAuthority("Welche Controls passen zu Security Updates?", results)
|
||||
out := rerankByAuthority("Welche Controls und Massnahmen passen zu Security Updates?", results)
|
||||
if out[0].RegulationShort != "NIST SP 800-82r3" {
|
||||
t.Errorf("untagged NIST should be lifted Top-1 on a control question, got %q", out[0].RegulationShort)
|
||||
t.Errorf("control_standard should beat a bare abstract obligation on a control question, got %q", out[0].RegulationShort)
|
||||
}
|
||||
}
|
||||
|
||||
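Review bot: No test visible in this section still pins that a semantically distant control-pool hit cannot take Top-1 on a control question: the second hunk appears to drop TestRerank_OffTopicStandard_BlockedByGuard (standard at 0.40 against binding at 0.58), and its replacement TestRerank_ControlQuestion_PoolBeatsBareObligation puts the NIST fixture only 0.03 below the obligation. For a compliance assistant that is the case worth guarding, because controlPoolGain plus the role bonus could otherwise rank an off-topic standard above the applicable binding text. If the margin guard is meant to survive this change, keep a negative case next to the new test, as sketched below; the expected winner assumes the guard is still in place. The removed TestRerank_ControlQuestion_UntaggedNISTLifted also leaves the marker-only path (no SourceClass set) untested on a control query here, since the new NIST fixture is tagged explicitly; the classifyRole table test named in the description may cover it, but that is not visible on this page.

```go
func TestRerank_ControlQuestion_OffTopicPoolSourceBlocked(t *testing.T) {
	// Control intent present, but the control-pool source scores far below the
	// obligation → the pool boost must not override semantic relevance.
	results := []LegalSearchResult{
		{RegulationShort: "NIST SP 800-82r3", ArticleLabel: "AU-8", SourceClass: "technical_standard", AuthorityWeight: 80, Jurisdiction: "EU", Score: 0.40},
		{RegulationShort: "XYZ", ArticleLabel: "Art. 5 XYZ", Category: "regulation", Score: 0.58},
	}
	out := rerankByAuthority("Welche Controls und Massnahmen passen zu Security Updates?", results)
	if out[0].RegulationShort != "XYZ" {
		t.Errorf("off-topic control-pool source must not win even with control intent, got %q", out[0].RegulationShort)
	}
}
```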