breakpilot-compliance

Benjamin_Boenisch/breakpilot-compliance

Fork 0

Commit Graph

Author	SHA1	Message	Date
Benjamin Admin	659b37cc21	feat(ai-sdk): source_role control-pool — controls are not only technical_standard CI / detect-changes (pull_request) Successful in 6s Details CI / branch-name (pull_request) Successful in 1s Details CI / guardrail-integrity (pull_request) Successful in 6s Details CI / secret-scan (pull_request) Successful in 5s Details CI / dep-audit (pull_request) Failing after 55s Details CI / sbom-scan (pull_request) Failing after 58s Details CI / build-sha-integrity (pull_request) Successful in 6s Details CI / validate-canonical-controls (pull_request) Successful in 3s Details CI / loc-budget (pull_request) Successful in 18s Details CI / go-lint (pull_request) Successful in 43s Details CI / python-lint (pull_request) Failing after 14s Details CI / nodejs-lint (pull_request) Failing after 1m6s Details CI / nodejs-build (pull_request) Successful in 3m0s Details CI / test-go (pull_request) Successful in 58s Details CI / iace-gt-coverage (pull_request) Successful in 16s Details CI / test-python-backend (pull_request) Successful in 26s Details CI / test-python-document-crawler (pull_request) Successful in 13s Details CI / test-python-dsms-gateway (pull_request) Successful in 9s Details Live gate test showed control-intent (#36/#37) was inert for the EU cyber corpus: "Welche Controls passen zu Security Updates?" recalls ENISA good-practices (relevant measures, but source_class=supervisory_guidance) + binding regs, never NIST — so lifting technical_standard above binding did nothing. Per the finalized control-corpus model (User 2026-06-24): add source_role (functional role) ORTHOGONAL to source_class (legal authority). source_class still decides rank; source_role decides CONTROL-POOL membership. classifyRole derives 7 roles from markers (no re-tagging): obligation / operational_requirement / procedural_requirement / control_standard / implementation_guidance / interpretation / definition. Control-intent now boosts the control-pool (operational/procedural requirement, control standard, implementation guidance) over the abstract obligation, soft- ordered op_req > procedural > standard > guidance (controlPoolGain + role bonus) — replacing "lift technical_standard above binding". So CRA Annex I (operational_requirement) wins over NIST (control_standard) for "which measures", and ENISA (implementation_guidance) enters the pool while staying guidance. Recall of not-retrieved standards (NIST) for generic control queries = next step (searchControls). Tested: classifyRole table, role-preference, op_req-Top-1. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-06-24 13:07:22 +02:00

Author

SHA1

Message

Date

Benjamin Admin

659b37cc21

feat(ai-sdk): source_role control-pool — controls are not only technical_standard

CI / detect-changes (pull_request) Successful in 6s

Details

CI / branch-name (pull_request) Successful in 1s

Details

CI / guardrail-integrity (pull_request) Successful in 6s

Details

CI / secret-scan (pull_request) Successful in 5s

Details

CI / dep-audit (pull_request) Failing after 55s

Details

CI / sbom-scan (pull_request) Failing after 58s

Details

CI / build-sha-integrity (pull_request) Successful in 6s

Details

CI / validate-canonical-controls (pull_request) Successful in 3s

Details

CI / loc-budget (pull_request) Successful in 18s

Details

CI / go-lint (pull_request) Successful in 43s

Details

CI / python-lint (pull_request) Failing after 14s

Details

CI / nodejs-lint (pull_request) Failing after 1m6s

Details

CI / nodejs-build (pull_request) Successful in 3m0s

Details

CI / test-go (pull_request) Successful in 58s

Details

CI / iace-gt-coverage (pull_request) Successful in 16s

Details

CI / test-python-backend (pull_request) Successful in 26s

Details

CI / test-python-document-crawler (pull_request) Successful in 13s

Details

CI / test-python-dsms-gateway (pull_request) Successful in 9s

Details

Live gate test showed control-intent (#36/#37) was inert for the EU cyber corpus:
"Welche Controls passen zu Security Updates?" recalls ENISA good-practices
(relevant measures, but source_class=supervisory_guidance) + binding regs, never
NIST — so lifting technical_standard above binding did nothing.

Per the finalized control-corpus model (User 2026-06-24): add source_role
(functional role) ORTHOGONAL to source_class (legal authority). source_class still
decides rank; source_role decides CONTROL-POOL membership. classifyRole derives 7
roles from markers (no re-tagging): obligation / operational_requirement /
procedural_requirement / control_standard / implementation_guidance /
interpretation / definition.

Control-intent now boosts the control-pool (operational/procedural requirement,
control standard, implementation guidance) over the abstract obligation, soft-
ordered op_req > procedural > standard > guidance (controlPoolGain + role bonus) —
replacing "lift technical_standard above binding". So CRA Annex I
(operational_requirement) wins over NIST (control_standard) for "which measures",
and ENISA (implementation_guidance) enters the pool while staying guidance.

Recall of not-retrieved standards (NIST) for generic control queries = next step
(searchControls). Tested: classifyRole table, role-preference, op_req-Top-1.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-06-24 13:07:22 +02:00

1 Commits