Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(rts): extend Reference Transition Scenarios to multi-regulation (CRA + MaschinenVO)

Browse Source 
Roadmap item 2: the RTS now pin MaschinenVO + convergence Expected Outcomes, so the
convergence USP is a living regression, not just a one-off section.

- RTS-003 (machine + ISMS, networked): full multi-regulation archetype — maschinenvo
  expected_delta + convergence expected_multi_target (links TP-ISO27001-CRA-MaschinenVO-v1).
  Generator runs the convergence pattern through RS-005: 4/4 machine-safety delta MISSING +
  4/4 expected multi-target caps converge. PASS.
- RTS-001 (component): MaschinenVO modeled as `uncertain` (a pure component is usually not a
  machine; deciding question is_safety_component) — engine must never assert it applies. Honest,
  parallel to the Data-Act handling.
- RTS-002 (machine, QMS-only): MaschinenVO `applies` (is_machine) but LOW convergence — no ISMS
  means the cyber side is entirely delta, so few caps are shared. The honest contrast that the
  convergence USP rewards companies who already run an ISMS.
- generator: per-RTS maschinenvo/convergence Soll-Ist checks; convergence pattern run once and
  reused. Data Act stays `uncertain` everywhere, never asserted.

All 3 RTS PASS. 18 tests (transition+company), mypy --strict clean, check-loc 0.
Non-runtime (knowledge + reference harness) -> no deploy (ADR-001).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
2026-06-27 09:26:01 +02:00
parent 5fde7690a5
commit a0f72fc39b
5 changed files with 102 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend-compliance/knowledge/reference_transition_scenarios/RTS-001.yaml
+9 -1
View File
@@ -25,7 +25,7 @@ transition_goal:
pattern: TP-ISO27001-CRA-v1 # executed through RS-005 below
- target: MaschinenVO
pattern: null
note: pattern_pending # no MaschinenVO pattern yet
note: applicability_uncertain # a pure component is usually NOT a machine -> see expected_outcome.maschinenvo
expected_outcome:
cra:
@@ -47,6 +47,14 @@ expected_outcome:
- exploited_vuln_and_incident_reporting
- product_cyber_risk_assessment
- ce_conformity_assessment_and_technical_documentation
maschinenvo:
expectation: uncertain # a pure component is usually NOT a machine -> NOT asserted
deciding_questions: [is_machine, is_safety_component, partly_completed_machinery]
rationale: >
The Machinery Regulation applies to machines, safety components and partly completed machinery.
A pure embedded component is usually out of scope, but a SAFETY component is not — so applicability
is itself a deciding question. The engine must ask (is_safety_component?), not assert gilt/gilt-nicht.
Contrast RTS-003, where is_machine: true makes MaschinenVO a settled second target with real convergence.
data_act:
expectation: uncertain # NEVER a fixed gilt/gilt-nicht
deciding_questions: [generates_usage_data, connected_product, data_act_scope]