breakpilot-compliance

Benjamin_Boenisch/breakpilot-compliance

Fork 0

Commit Graph

Author	SHA1	Message	Date
Benjamin Admin	90c3fe16b5	feat: Automotive convergence stress test — same capability from many sources (Phase Ω #2 ) Not another domain to prove agnosticism (Environmental did that) but a DIFFERENT property: can the SAME capability be fed by many overlapping Requirement Sources at once without the model becoming unstable? Realistic setup — a supplier with ISO 9001 + IATF 16949 + TISAX + ASPICE + CSMS + SUMS developing an ECU for OEM X. Seven sources (CRA, UNECE R155/CSMS, R156/SUMS, IATF, TISAX, ASPICE, OEM X) with deliberate overlap, run through the SAME engine (0 runtime code, data only). Three new measurements (user-requested): - Capability Convergence: technical_vulnerability_management = 4 sources across 3 source TYPES (regulation + certification + contract); secure_signed_update_distribution = 4 sources. The overlap is where the economic value lives ("one capability replaces five evidence worlds"). - Existing-vs-New: 13/27 required caps reuse existing cyber/environmental MCAPs (48%) -> the registry is starting to converge; the automotive-specific rest (CSMS/SUMS/ASPICE/functional safety) is expectedly new (a maturity hint, not an architecture break). - Business Leverage: a convergent capability satisfies N regulations AND unlocks the OEM market — more convincing to a GF than "satisfies five laws". (Regulatory Leverage counts regulations; Business Leverage counts regulations + markets/customers.) Ledger gains the automotive row (0/0, 14 new types, data_only); stability stays 7/7 = 100%. The verdict recommends the user's next step: NOT a new domain but PAUSE and analyse the registry for the cross-domain high-convergence core MCAPs. Non-runtime -> no deploy. 12 tests pass, check-loc 0.	2026-06-28 11:30:30 +02:00
Benjamin Admin	fbbd0957bd	feat: Environmental stress test — the architecture works OUTSIDE cyber (Phase Ω, data-only) First NON-cyber stress test. Every prior journey was cyber (infosec/software/product security). Environmental brings a completely different mental model (substance flows, emissions, water, chemicals, energy, circularity). The claim under test: RS-005 carries it UNCHANGED — only new DATA, zero runtime code. ISO 14001 (an EMS) is modelled as a Company Profile and run through the SAME engines as ISO 27001 -> CRA (new pattern transition_pattern_iso14001_to_environmental_v1.yaml, capabilities as VERBS): - ISO 14001 yields 5 environmental MANAGEMENT capabilities (Welt-1, probably present) - the concrete substance/emission/water/material EVIDENCE is the 11-capability delta - rejected_assumptions state what ISO 14001 does NOT produce (substance lists, REACH, emissions, battery passports, water analyses) — preserving the Welt-1/Welt-2 separation - the Journey Matcher stays domain-agnostic: ISO14001->Environmental 100%, cyber journeys 0% Result: a non-cyber domain ran through Reality -> ... -> Journey with 0 new runtime classes and 0 new pipeline — a stronger generality proof than ten more cyber regulations. Also extends the Architecture Stability ledger with the third KPI column the user requested — "new capability types" — as a granularity Frühindikator (a domain needing ~80 new types at 0 runtime would flag a too-coarse/too-fine capability model). Environmental = 16 types (5 mgmt + 11 evidence), in range. Ledger now flags cyber vs non_cyber family. Non-runtime -> no deploy. 19 tests pass, check-loc 0.	2026-06-28 11:10:07 +02:00
Benjamin Admin	cefacb87af	feat: Architecture Stability + Knowledge Velocity KPI — Phase Ω (Evidence of Generality) The focus has shifted: no more architecture epics (the Journey Matcher was the last building block). The question is no longer "can the architecture do this?" but "where does it fail under real domain knowledge?". This operationalises the two KPIs almost nobody measures, as a non- runtime, auditable ledger: - Architecture Stability : per integrated Requirement Source — new runtime classes? new pipeline? - Knowledge Velocity : can a domain EXPERT integrate a source data-only, without a developer? A new domain is a ROW in knowledge/architecture_stability/integration_ledger.yaml (data), never a code change — so the KPI improves by adding data, which IS the proof. Current state: 6 sources across 5 target types (CRA, MaschinenVO, TISAX, Tender, OEM, Environmental) = 6/6 = 100% stability and 100% data-only. The pipeline functions are listed honestly as one-time, domain-agnostic infrastructure (now frozen), so the KPI cannot be gamed. The test is a LIVING GUARDRAIL: it fails the day a source needs runtime code, surfacing the exact moment generality breaks. Non-runtime -> no deploy. 5 tests pass, check-loc 0.	2026-06-28 10:49:00 +02:00

Author

SHA1

Message

Date

Benjamin Admin

90c3fe16b5

feat: Automotive convergence stress test — same capability from many sources (Phase Ω #2 )

Not another domain to prove agnosticism (Environmental did that) but a DIFFERENT property: can the
SAME capability be fed by many overlapping Requirement Sources at once without the model becoming
unstable? Realistic setup — a supplier with ISO 9001 + IATF 16949 + TISAX + ASPICE + CSMS + SUMS
developing an ECU for OEM X. Seven sources (CRA, UNECE R155/CSMS, R156/SUMS, IATF, TISAX, ASPICE,
OEM X) with deliberate overlap, run through the SAME engine (0 runtime code, data only).

Three new measurements (user-requested):
  - Capability Convergence: technical_vulnerability_management = 4 sources across 3 source TYPES
    (regulation + certification + contract); secure_signed_update_distribution = 4 sources. The
    overlap is where the economic value lives ("one capability replaces five evidence worlds").
  - Existing-vs-New: 13/27 required caps reuse existing cyber/environmental MCAPs (48%) -> the
    registry is starting to converge; the automotive-specific rest (CSMS/SUMS/ASPICE/functional
    safety) is expectedly new (a maturity hint, not an architecture break).
  - Business Leverage: a convergent capability satisfies N regulations AND unlocks the OEM market —
    more convincing to a GF than "satisfies five laws". (Regulatory Leverage counts regulations;
    Business Leverage counts regulations + markets/customers.)

Ledger gains the automotive row (0/0, 14 new types, data_only); stability stays 7/7 = 100%. The
verdict recommends the user's next step: NOT a new domain but PAUSE and analyse the registry for the
cross-domain high-convergence core MCAPs. Non-runtime -> no deploy. 12 tests pass, check-loc 0.

2026-06-28 11:30:30 +02:00

Benjamin Admin

fbbd0957bd

feat: Environmental stress test — the architecture works OUTSIDE cyber (Phase Ω, data-only)

First NON-cyber stress test. Every prior journey was cyber (infosec/software/product security).
Environmental brings a completely different mental model (substance flows, emissions, water,
chemicals, energy, circularity). The claim under test: RS-005 carries it UNCHANGED — only new DATA,
zero runtime code.

ISO 14001 (an EMS) is modelled as a Company Profile and run through the SAME engines as ISO 27001 ->
CRA (new pattern transition_pattern_iso14001_to_environmental_v1.yaml, capabilities as VERBS):
- ISO 14001 yields 5 environmental MANAGEMENT capabilities (Welt-1, probably present)
- the concrete substance/emission/water/material EVIDENCE is the 11-capability delta
- rejected_assumptions state what ISO 14001 does NOT produce (substance lists, REACH, emissions,
battery passports, water analyses) — preserving the Welt-1/Welt-2 separation
- the Journey Matcher stays domain-agnostic: ISO14001->Environmental 100%, cyber journeys 0%

Result: a non-cyber domain ran through Reality -> ... -> Journey with 0 new runtime classes and 0
new pipeline — a stronger generality proof than ten more cyber regulations.

Also extends the Architecture Stability ledger with the third KPI column the user requested — "new
capability types" — as a granularity Frühindikator (a domain needing ~80 new types at 0 runtime would
flag a too-coarse/too-fine capability model). Environmental = 16 types (5 mgmt + 11 evidence), in
range. Ledger now flags cyber vs non_cyber family. Non-runtime -> no deploy. 19 tests pass, check-loc 0.

2026-06-28 11:10:07 +02:00

Benjamin Admin

cefacb87af

feat: Architecture Stability + Knowledge Velocity KPI — Phase Ω (Evidence of Generality)

The focus has shifted: no more architecture epics (the Journey Matcher was the last building
block). The question is no longer "can the architecture do this?" but "where does it fail under
real domain knowledge?". This operationalises the two KPIs almost nobody measures, as a non-
runtime, auditable ledger:

  - Architecture Stability : per integrated Requirement Source — new runtime classes? new pipeline?
  - Knowledge Velocity     : can a domain EXPERT integrate a source data-only, without a developer?

A new domain is a ROW in knowledge/architecture_stability/integration_ledger.yaml (data), never a
code change — so the KPI improves by adding data, which IS the proof. Current state: 6 sources
across 5 target types (CRA, MaschinenVO, TISAX, Tender, OEM, Environmental) = 6/6 = 100% stability
and 100% data-only. The pipeline functions are listed honestly as one-time, domain-agnostic
infrastructure (now frozen), so the KPI cannot be gamed.

The test is a LIVING GUARDRAIL: it fails the day a source needs runtime code, surfacing the exact
moment generality breaks. Non-runtime -> no deploy. 5 tests pass, check-loc 0.

2026-06-28 10:49:00 +02:00

3 Commits