Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(onboarding): apply hypothesis/vocabulary review decisions (ISO13485, patch-policy rationale, summary)

Browse Source 
Two reviewed knowledge decisions (2026-06-28) + the deferred cosmetic counter, before #59.

1. ISO13485 removed from the incident_management hypothesis. ISO 13485 CAPA / quality-safety incident
   handling is NOT security incident management — the mapping was too broad and would seed false
   hypotheses for the empirical loop. A dedicated manage_quality_and_safety_incidents capability can come
   later IF a target needs it; not forced now. (ISO27001/TISAX/IEC62443 keep incident_management.)

2. patch_policy_doc -> secure_signed_update_distribution stays `partial`, but the curated rationale is
   sharpened: "indicates update governance, does not evidence signed distribution" (a patch policy is not
   proof of SIGNED distribution). New optional SignalMapping.rationale field carries the curated note.
   (github_actions_ci -> SDL and dependency_scanning -> vuln-mgmt reviewed and APPROVED as-is.)

3. Cosmetic (folded in since we touched the file): the silent-intake summary now counts detected and
   indications SEPARATELY ("N automatisch erkannt, M Indikation(en)") instead of lumping partial signals
   into "automatisch erkannt" — consistent with the three-state model just shipped.

Tests: ISO13485 no longer resolves to incident_management; summary counts split correctly. 29 onboarding
tests pass, mypy --strict clean, demo runs, check-loc 0. Runtime-visible (hypothesis resolution + summary
text) -> deploy + smoke.
This commit is contained in:
Benjamin Admin
2026-06-28 16:18:28 +02:00
parent 3202e555ab
commit 77459d06d6
5 changed files with 23 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend-compliance/knowledge/onboarding/intake_signal_map.yaml
+2 -1
View File
@@ -23,7 +23,8 @@ mappings:
# ── documents ─────────────────────────────────────────────────────────────────────────────
- {signal: ce_conformity_doc, capability: ce_conformity_assessment_and_technical_documentation, relationship: detected, evidence: technical_documentation}
- {signal: product_risk_assessment_doc, capability: product_cyber_risk_assessment, relationship: detected, evidence: product_risk_assessment}
- {signal: patch_policy_doc, capability: secure_signed_update_distribution, relationship: partial, evidence: patch_policy}
- {signal: patch_policy_doc, capability: secure_signed_update_distribution, relationship: partial, evidence: patch_policy,
rationale: "indicates update governance, does not evidence signed distribution"}
- {signal: incident_response_plan_doc, capability: incident_management, relationship: detected, evidence: incident_procedure}
# ── product facts (drive scope / target applicability) ──────────────────────────────────────
- {signal: cloud_connectivity, product_fact: connected_to_internet}