feat(onboarding): surface curated expert text + human capability labels (advisor was showing snake_case)
The advisor was structurally correct but unusable: every question showed a snake_case capability id plus a
single generic fallback reason ("Keine Anhaltspunkte im Unternehmensprofil — klären"). The expert text
already EXISTED in the transition patterns (why_asked / reviewable_claim) — the pipeline just dropped it.
- transition_reasoning: TargetRequirement gains `rationale`; assess_transition uses it as the request
reason when present, else the generic fallback (additive, backward-compatible for all consumers).
- onboarding_service._target carries the pattern's why_asked (delta) and reviewable_claim (likely_covered)
into the requirement rationale -> the question's `why`.
- knowledge/onboarding/capability_labels.yaml: curated DE labels (id -> human), reusable across targets;
labels_for() + response.capability_labels expose them; the frontend renders label || prettified id.
Now ISO27001->TISAX reads "Auftragsverarbeitung (Art. 28 DSGVO) — If a TISAX data label is in scope, you
must show Art. 28 GDPR processing-on-behalf controls; ISO 27001 does not establish these." instead of
"data_protection_processing_on_behalf — klären". why_asked text is still EN (existing knowledge; translation
is curation). 34 onboarding+transition tests pass, mypy --strict clean (13 modules), check-loc 0.
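As an added illustration of the label lookup and fallback the commit message describes (example code, not the project's own; `load_labels`, `display_label`, `labels_for` and `unknown_label_keys` are assumed names, and the YAML excerpt is constructed in the shape of the committed file rather than taken from it):

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed excerpt shaped like knowledge/onboarding/capability_labels.yaml
# (assumption: a flat `labels:` mapping of capability id -> quoted label).
SAMPLE_LABELS_YAML = """\
# Human-readable capability labels (DE), presentation only.
labels:
  # ISMS / ISO 27001 core
  information_security_management: "Informationssicherheits-Managementsystem (ISMS)"
  cryptography: "Kryptographie / Verschlüsselung"
  data_protection_processing_on_behalf: "Auftragsverarbeitung (Art. 28 DSGVO)"
"""

# One entry per line: `<snake_case_id>: "<label>"`; no nested structures.
_ENTRY = re.compile(r'^\s*([a-z][a-z0-9_]*):\s*"(.*)"\s*$')


def load_labels(text: str) -> Dict[str, str]:
    """Parse the `labels:` mapping from the line-oriented YAML subset the file uses.

    Comments and blank lines are skipped. Anything else below `labels:` must be an
    `id: "label"` entry; a duplicate id raises instead of silently overwriting,
    because a silent overwrite would hide a curation mistake.
    """
    labels: Dict[str, str] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "labels:":
            in_block = True
            continue
        if not in_block:
            continue
        m = _ENTRY.match(raw)
        if m is None:
            raise ValueError(f"unparseable label line: {raw!r}")
        cid, label = m.group(1), m.group(2)
        if cid in labels:
            raise ValueError(f"duplicate capability id: {cid}")
        labels[cid] = label
    if not labels:
        raise ValueError("no entries found under `labels:`")
    return labels


def prettify(capability_id: str) -> str:
    """Frontend-style fallback: snake_case id -> title-cased words."""
    return " ".join(w.capitalize() for w in capability_id.split("_") if w)


def labels_for(ids: Iterable[str], labels: Dict[str, str]) -> Dict[str, str]:
    """id -> curated label for the ids that have one; unknown ids are omitted so
    the UI applies its own fallback."""
    return {cid: labels[cid] for cid in ids if cid in labels}


def display_label(capability_id: str, labels: Dict[str, str]) -> str:
    """What the UI renders: `label || prettified id`."""
    return labels.get(capability_id) or prettify(capability_id)


def unknown_label_keys(labels: Dict[str, str], known_ids: Set[str]) -> List[str]:
    """Curation check: label keys matching no capability id. Such typos never
    surface in the UI because the prettified fallback masks them."""
    return sorted(set(labels) - known_ids)
```

The `unknown_label_keys` check is the piece worth wiring into a test: the fallback makes the UI tolerant of a misspelled key, so only an explicit comparison against the set of real capability ids catches drift between the labels file and the transition patterns.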
@@ -0,0 +1,45 @@
# Human-readable capability labels (DE) — presentation only, reusable across all targets.
# A capability id is the stable machine identity; this maps it to an expert-facing label for the UI.
# Curated knowledge (draft — to be corrected by the domain expert). Missing ids fall back to a
# prettified id in the frontend. NO real company names. Keep labels short + concrete.

labels:
# ── ISMS / ISO 27001 core ───────────────────────────────────────────────
information_security_management: "Informationssicherheits-Managementsystem (ISMS)"
access_control_and_authentication: "Zugriffskontrolle & Authentifizierung"
asset_and_configuration_management: "Asset- & Konfigurationsverwaltung"
cryptography: "Kryptographie / Verschlüsselung"
incident_management: "Security-Incident-Management"
security_awareness_training: "Security-Awareness-Schulungen"
supplier_security: "Lieferanten-Sicherheit"
security_logging_and_monitoring: "Security-Logging & Monitoring"
technical_vulnerability_management: "Technisches Schwachstellen-Management"
# ── TISAX / VDA-spezifisch ──────────────────────────────────────────────
prototype_protection: "Prototypenschutz (physisch & logisch)"
tisax_label_scope_selection: "TISAX-Label-/Scope-Festlegung"
tisax_assessment_via_enx: "TISAX-Assessment über die ENX-Plattform"
vda_isa_self_assessment: "VDA-ISA-Selbstauskunft"
data_protection_processing_on_behalf: "Auftragsverarbeitung (Art. 28 DSGVO)"
physical_security: "Physische Sicherheit / Zutrittskontrolle"
# ── QM / ISO 9001 ───────────────────────────────────────────────────────
document_and_change_control: "Dokumenten- & Änderungslenkung"
supplier_evaluation: "Lieferantenbewertung"
release_and_approval_process: "Freigabe- & Genehmigungsprozess"
ce_conformity_assessment_and_technical_documentation: "CE-Konformitätsbewertung & technische Dokumentation"
# ── CRA / Produkt-Cybersecurity ─────────────────────────────────────────
sbom_creation: "SBOM-Erstellung (Software-Stückliste)"
coordinated_vulnerability_disclosure: "Coordinated Vulnerability Disclosure (CVD)"
secure_development_lifecycle: "Sicherer Entwicklungslebenszyklus (SDLC)"
secure_signed_update_distribution: "Sichere, signierte Update-Verteilung"
security_update_support_period: "Sicherheits-Update-Supportzeitraum"
product_cyber_risk_assessment: "Produkt-Cyber-Risikobewertung"
exploited_vuln_and_incident_reporting: "Meldung ausgenutzter Schwachstellen & Vorfälle"
public_security_advisories: "Öffentliche Security Advisories"
cybersecurity_management_system: "Cybersecurity-Managementsystem (CSMS)"
# ── MaschinenVO / Safety ────────────────────────────────────────────────
machine_safety_risk_assessment: "Maschinen-Risikobeurteilung"
mechanical_safety_and_guards: "Mechanische Sicherheit & Schutzeinrichtungen"
operating_instructions_and_safety_information: "Betriebsanleitung & Sicherheitshinweise"
protection_against_corruption_of_safety_functions: "Schutz der Sicherheitsfunktionen vor Manipulation"
# ── Umwelt ──────────────────────────────────────────────────────────────
environmental_management_documentation: "Umweltmanagement-Dokumentation"
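Review bot: nothing in this hunk ties the keys under `labels:` to the capability ids the transition patterns actually emit, and the frontend's `label || prettified id` fallback means a misspelled key degrades silently to the prettified id instead of failing anywhere. Suggest a test that loads `knowledge/onboarding/capability_labels.yaml` and asserts every key is a known capability id (and, for the ISO27001->TISAX path the commit message cites, that each surfaced id has a label), so the "to be corrected by the domain expert" draft cannot drift unnoticed. Two smaller points: as rendered here the entries sit at the same column as `labels:`, which in YAML would leave `labels` null and `labels_for()` empty, so please confirm the committed file indents them; and the header comment says labels are DE while `coordinated_vulnerability_disclosure: "Coordinated Vulnerability Disclosure (CVD)"` stays EN, which is fine if intentional but worth a one-word note in the comment.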