fix(onboarding): apply hypothesis/vocabulary review decisions (ISO13485, patch-policy rationale, summary)

Two reviewed knowledge decisions (2026-06-28) + the deferred cosmetic counter, before #59.

1. ISO13485 removed from the incident_management hypothesis. ISO 13485 CAPA / quality-safety incident
   handling is NOT security incident management — the mapping was too broad and would seed false
   hypotheses for the empirical loop. A dedicated manage_quality_and_safety_incidents capability can come
   later IF a target needs it; not forced now. (ISO27001/TISAX/IEC62443 keep incident_management.)

2. patch_policy_doc -> secure_signed_update_distribution stays `partial`, but the curated rationale is
   sharpened: "indicates update governance, does not evidence signed distribution" (a patch policy is not
   proof of SIGNED distribution). New optional SignalMapping.rationale field carries the curated note.
   (github_actions_ci -> SDL and dependency_scanning -> vuln-mgmt reviewed and APPROVED as-is.)

3. Cosmetic (folded in since we touched the file): the silent-intake summary now counts detected and
   indications SEPARATELY ("N automatisch erkannt, M Indikation(en)") instead of lumping partial signals
   into "automatisch erkannt" — consistent with the three-state model just shipped.

Tests: ISO13485 no longer resolves to incident_management; summary counts split correctly. 29 onboarding
tests pass, mypy --strict clean, demo runs, check-loc 0. Runtime-visible (hypothesis resolution + summary
text) -> deploy + smoke.

backend-compliance/knowledge/certification_hypotheses/hypotheses.yaml

@@ -22,8 +22,11 @@ hypotheses:
   - {id: HYP-document_control, capability: document_and_change_control, relationship: supports, kind: shared,
      supported_by: [ISO9001, ISO13485, ISO27001, TISAX, ASPICE, IATF16949],
      verification_required: true, question_intent: verify_existence, expected_evidence: [document_control_procedure]}
+  # NOTE: ISO13485 deliberately NOT here — its CAPA / quality-safety incident handling is not security
+  # incident management; that mapping was too broad (would seed false hypotheses). A dedicated
+  # manage_quality_and_safety_incidents capability can be added later if a target actually needs it.
   - {id: HYP-incident_management, capability: incident_management, relationship: supports, kind: shared,
-     supported_by: [ISO27001, TISAX, IEC62443, ISO13485],
+     supported_by: [ISO27001, TISAX, IEC62443],
      verification_required: true, question_intent: verify_existence, expected_evidence: [incident_procedure]}
   - {id: HYP-supplier_security, capability: supplier_security, relationship: supports, kind: shared,
      supported_by: [ISO27001, TISAX, IEC62443],

backend-compliance/knowledge/onboarding/intake_signal_map.yaml

@@ -23,7 +23,8 @@ mappings:
   # ── documents ─────────────────────────────────────────────────────────────────────────────
   - {signal: ce_conformity_doc, capability: ce_conformity_assessment_and_technical_documentation, relationship: detected, evidence: technical_documentation}
   - {signal: product_risk_assessment_doc, capability: product_cyber_risk_assessment, relationship: detected, evidence: product_risk_assessment}
-  - {signal: patch_policy_doc, capability: secure_signed_update_distribution, relationship: partial, evidence: patch_policy}
+  - {signal: patch_policy_doc, capability: secure_signed_update_distribution, relationship: partial, evidence: patch_policy,
+     rationale: "indicates update governance, does not evidence signed distribution"}
   - {signal: incident_response_plan_doc, capability: incident_management, relationship: detected, evidence: incident_procedure}
   # ── product facts (drive scope / target applicability) ──────────────────────────────────────
   - {signal: cloud_connectivity, product_fact: connected_to_internet}