Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(onboarding): apply hypothesis/vocabulary review decisions (ISO13485, patch-policy rationale, summary)

Browse Source 
Two reviewed knowledge decisions (2026-06-28) + the deferred cosmetic counter, before #59.

1. ISO13485 removed from the incident_management hypothesis. ISO 13485 CAPA / quality-safety incident
   handling is NOT security incident management — the mapping was too broad and would seed false
   hypotheses for the empirical loop. A dedicated manage_quality_and_safety_incidents capability can come
   later IF a target needs it; not forced now. (ISO27001/TISAX/IEC62443 keep incident_management.)

2. patch_policy_doc -> secure_signed_update_distribution stays `partial`, but the curated rationale is
   sharpened: "indicates update governance, does not evidence signed distribution" (a patch policy is not
   proof of SIGNED distribution). New optional SignalMapping.rationale field carries the curated note.
   (github_actions_ci -> SDL and dependency_scanning -> vuln-mgmt reviewed and APPROVED as-is.)

3. Cosmetic (folded in since we touched the file): the silent-intake summary now counts detected and
   indications SEPARATELY ("N automatisch erkannt, M Indikation(en)") instead of lumping partial signals
   into "automatisch erkannt" — consistent with the three-state model just shipped.

Tests: ISO13485 no longer resolves to incident_management; summary counts split correctly. 29 onboarding
tests pass, mypy --strict clean, demo runs, check-loc 0. Runtime-visible (hypothesis resolution + summary
text) -> deploy + smoke.
This commit is contained in:
Benjamin Admin
2026-06-28 16:18:28 +02:00
parent 3202e555ab
commit 77459d06d6
5 changed files with 23 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend-compliance/knowledge/certification_hypotheses/hypotheses.yaml
+4 -1
View File
@@ -22,8 +22,11 @@ hypotheses:
- {id: HYP-document_control, capability: document_and_change_control, relationship: supports, kind: shared,
supported_by: [ISO9001, ISO13485, ISO27001, TISAX, ASPICE, IATF16949],
verification_required: true, question_intent: verify_existence, expected_evidence: [document_control_procedure]}
# NOTE: ISO13485 deliberately NOT here — its CAPA / quality-safety incident handling is not security
# incident management; that mapping was too broad (would seed false hypotheses). A dedicated
# manage_quality_and_safety_incidents capability can be added later if a target actually needs it.
- {id: HYP-incident_management, capability: incident_management, relationship: supports, kind: shared,
supported_by: [ISO27001, TISAX, IEC62443, ISO13485],
supported_by: [ISO27001, TISAX, IEC62443],
verification_required: true, question_intent: verify_existence, expected_evidence: [incident_procedure]}
- {id: HYP-supplier_security, capability: supplier_security, relationship: supports, kind: shared,
supported_by: [ISO27001, TISAX, IEC62443],