Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(onboarding): apply hypothesis/vocabulary review decisions (ISO13485, patch-policy rationale, summary)

Browse Source 
Two reviewed knowledge decisions (2026-06-28) + the deferred cosmetic counter, before #59.

1. ISO13485 removed from the incident_management hypothesis. ISO 13485 CAPA / quality-safety incident
   handling is NOT security incident management — the mapping was too broad and would seed false
   hypotheses for the empirical loop. A dedicated manage_quality_and_safety_incidents capability can come
   later IF a target needs it; not forced now. (ISO27001/TISAX/IEC62443 keep incident_management.)

2. patch_policy_doc -> secure_signed_update_distribution stays `partial`, but the curated rationale is
   sharpened: "indicates update governance, does not evidence signed distribution" (a patch policy is not
   proof of SIGNED distribution). New optional SignalMapping.rationale field carries the curated note.
   (github_actions_ci -> SDL and dependency_scanning -> vuln-mgmt reviewed and APPROVED as-is.)

3. Cosmetic (folded in since we touched the file): the silent-intake summary now counts detected and
   indications SEPARATELY ("N automatisch erkannt, M Indikation(en)") instead of lumping partial signals
   into "automatisch erkannt" — consistent with the three-state model just shipped.

Tests: ISO13485 no longer resolves to incident_management; summary counts split correctly. 29 onboarding
tests pass, mypy --strict clean, demo runs, check-loc 0. Runtime-visible (hypothesis resolution + summary
text) -> deploy + smoke.
This commit is contained in:
Benjamin Admin
2026-06-28 16:18:28 +02:00
parent 3202e555ab
commit 77459d06d6
5 changed files with 23 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend-compliance/tests/test_certification_hypotheses.py
+9
View File
@@ -71,6 +71,15 @@ def test_resolve_adapts_to_advisor_input():
assert "document_and_change_control" in res["ISO9001"]
def test_iso13485_does_not_suggest_security_incident_management():
# ISO 13485 CAPA / quality-safety incident handling is NOT security incident management -> too broad,
# removed from the incident_management hypothesis (review decision 2026-06-28).
res = resolve_for_certifications(["ISO13485"], _LIB)
assert "incident_management" not in res.get("ISO13485", [])
inc = next(h for h in _LIB if h.capability == "incident_management")
assert "ISO13485" not in inc.supported_by
def test_advisor_consumes_the_library_end_to_end():
cra = yaml.safe_load(open(os.path.join(_DIR, "..", "knowledge", "transition_patterns",
"transition_pattern_iso27001_to_cra_maschinenvo_v1.yaml"), encoding="utf-8"))