feat(ai-sdk): control-intent — technical_standard may win implementation questions

Mirror the guidance interpretation-intent (PR #35) for control frameworks: when a
query explicitly asks HOW to implement / which controls or measures fit (control,
maßnahme, umsetzen, härten, nist, owasp, grundschutz, ...), a semantically
competitive technical_standard is lifted just above the best binding hit — so
"Welche Controls passen zu Security Updates?" can return NIST/OWASP Top-1, while
"Welche Anforderungen bestehen an Security Updates?" keeps CRA (binding) Top-1.

Generalize applyGuidanceIntent -> liftAboveBinding(sourceClass) and reuse it for
both supervisory_guidance (interpretation intent) and technical_standard
(implementation intent). Same semantic guard keeps off-topic sources demoted.
Rename the shared coefficients guidanceIntent* -> intentLift*.

Tested: queryWantsControls detection + 3 rerank cases (standard wins on control
question, binding stays on norm question, off-topic standard blocked by guard).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

ai-compliance-sdk/internal/ucca/authority_rerank.go

@@ -1,6 +1,9 @@
 package ucca
 
-import "sort"
+import (
+	"sort"
+	"strings"
+)
 
 // Re-ranking coefficients (validated in the offline golden harness; Phase A — conservative).
 const (
@@ -13,8 +16,61 @@ const (
 	scopePenalty      = 0.25 // BDSG Teil 3 (law enforcement) on a general DP question
 	topicGain         = 0.18 // amplifier only
 	supersededPenalty = 0.50 // superseded Alt-Quelle (pre-eu-v1): demoted, nicht versteckt
+	intentLiftGain    = 0.10 // epsilon a qualifying interpretative source is lifted ABOVE the best binding
+	intentLiftMargin  = 0.05 // ...only if that source is semantically competitive with binding
 )
 
+// guidanceIntentSignals mark a query that EXPLICITLY asks for an interpretation /
+// recommendation by a guidance body, rather than for the binding obligation. Only
+// then may a (semantically competitive) guideline outrank the binding norm.
+var guidanceIntentSignals = []string{
+	"edpb", "europäischer datenschutzausschuss", "europaeischer datenschutzausschuss",
+	"dsk", "enisa", "bsi", "leitlinie", "guideline", "orientierungshilfe",
+	"auslegung", "empfiehlt", "empfehlung", "sagt", "laut",
+}
+
+// controlIntentSignals mark a query that asks HOW to implement / which controls or
+// measures fit — rather than WHAT the binding obligation is. Only then may a
+// (semantically competitive) technical_standard outrank the binding norm.
+var controlIntentSignals = []string{
+	"control", "controls", "maßnahme", "massnahme", "schutzmaßnahme",
+	"best practice", "best-practice", "umsetzen", "implementier", "absicher",
+	"härt", "haert", "hardening", "nist", "owasp", "grundschutz",
+	"ccm", "iso 27001", "isms",
+}
+
+func queryMatchesAny(query string, signals []string) bool {
+	q := strings.ToLower(query)
+	for _, sig := range signals {
+		if strings.Contains(q, sig) {
+			return true
+		}
+	}
+	return false
+}
+
+// queryWantsGuidance reports whether the query explicitly asks for guidance/interpretation.
+func queryWantsGuidance(query string) bool { return queryMatchesAny(query, guidanceIntentSignals) }
+
+// queryWantsControls reports whether the query asks for implementation controls/measures.
+func queryWantsControls(query string) bool { return queryMatchesAny(query, controlIntentSignals) }
+
+// bestBindingSemantic returns the highest RAW semantic score among binding-law
+// results (0 if none / no intent). Used as the guard threshold so an off-topic
+// interpretative source cannot ride the intent boost.
+func bestBindingSemantic(results []LegalSearchResult, wantsIntent bool) float64 {
+	if !wantsIntent {
+		return 0
+	}
+	best := 0.0
+	for _, r := range results {
+		if r.SourceClass == "binding_law" && r.Score > best {
+			best = r.Score
+		}
+	}
+	return best
+}
+
 // authorityScore computes the normative relevance of a result for a query. It augments the
 // semantic score with authority/jurisdiction/domain/scope/topic signals. Exposed for tests.
 func authorityScore(query string, r LegalSearchResult, qDomain string, qForeign bool) float64 {
@@ -62,14 +118,51 @@ func rerankByAuthority(query string, results []LegalSearchResult) []LegalSearchR
 	}
 	qDomain := queryDomain(query)
 	qForeign := queryIsForeign(query)
+	wantsGuidance := queryWantsGuidance(query)
+	wantsControls := queryWantsControls(query)
+	bestBindingSem := bestBindingSemantic(results, wantsGuidance || wantsControls)
 
 	out := make([]LegalSearchResult, len(results))
 	copy(out, results)
 	for i := range out {
 		out[i].Score = authorityScore(query, out[i], qDomain, qForeign)
 	}
+	// Explicit interpretation intent → a competitive guideline may outrank binding;
+	// explicit implementation intent → a competitive technical_standard may. Both lift
+	// ABOVE the best binding FINAL, so a pure norm question (neither intent) is untouched.
+	if wantsGuidance {
+		liftAboveBinding(out, results, bestBindingSem, "supervisory_guidance")
+	}
+	if wantsControls {
+		liftAboveBinding(out, results, bestBindingSem, "technical_standard")
+	}
 	sort.SliceStable(out, func(a, b int) bool {
 		return out[a].Score > out[b].Score
 	})
 	return out
 }
+
+// liftAboveBinding lifts a semantically-competitive interpretative source (the given
+// sourceClass — supervisory_guidance or technical_standard) just ABOVE the best binding
+// hit, ordered by semantic, so an EXPLICIT guidance/implementation question can return
+// that source Top-1. A pure norm question (no intent → not called) keeps binding on top.
+// Sources below the semantic margin are left untouched, so an off-topic source can never
+// ride the override — and the lift is from the binding FINAL score, so authority/topic/
+// domain bonuses cannot edge it out.
+func liftAboveBinding(out, raw []LegalSearchResult, bestBindingSem float64, sourceClass string) {
+	bestBindingFinal := 0.0
+	for i := range out {
+		if out[i].SourceClass == "binding_law" && out[i].Score > bestBindingFinal {
+			bestBindingFinal = out[i].Score
+		}
+	}
+	for i := range out {
+		if out[i].SourceClass != sourceClass || raw[i].Score < bestBindingSem-intentLiftMargin {
+			continue
+		}
+		lifted := bestBindingFinal + intentLiftGain + (raw[i].Score - bestBindingSem)
+		if lifted > out[i].Score {
+			out[i].Score = lifted
+		}
+	}
+}

ai-compliance-sdk/internal/ucca/legal_rag_intent_test.go

@@ -0,0 +1,134 @@
+package ucca
+
+import "testing"
+
+func intentRes(reg, sourceClass string, sem float64, weight int) LegalSearchResult {
+	return LegalSearchResult{
+		RegulationShort: reg, SourceClass: sourceClass, Score: sem,
+		AuthorityWeight: weight, Jurisdiction: "EU",
+	}
+}
+
+func TestQueryWantsGuidance(t *testing.T) {
+	wants := []string{
+		"Was empfiehlt der EDPB zum DSB?",
+		"Was sagt die ENISA zu Security Updates?",
+		"laut DSK ...",
+		"Orientierungshilfe zur DSFA",
+		"Welche BSI-Empfehlung gilt?",
+		"Auslegung der Aufsichtsbehörde",
+	}
+	plain := []string{
+		"Ab wann braucht man einen Datenschutzbeauftragten?",
+		"Welche Anforderungen bestehen an Security Updates?",
+	}
+	for _, q := range wants {
+		if !queryWantsGuidance(q) {
+			t.Errorf("should detect interpretation intent: %q", q)
+		}
+	}
+	for _, q := range plain {
+		if queryWantsGuidance(q) {
+			t.Errorf("should NOT detect intent (norm question): %q", q)
+		}
+	}
+}
+
+func TestRerank_NormQuestion_BindingStaysTop(t *testing.T) {
+	// No intent signal → binding wins even though guidance is semantically higher.
+	results := []LegalSearchResult{
+		intentRes("EDPB DPO", "supervisory_guidance", 0.64, 70),
+		intentRes("DSGVO", "binding_law", 0.58, 100),
+	}
+	out := rerankByAuthority("Ab wann braucht man einen Datenschutzbeauftragten?", results)
+	if out[0].SourceClass != "binding_law" {
+		t.Errorf("norm question: binding must stay Top-1, got %s", out[0].SourceClass)
+	}
+}
+
+func TestRerank_InterpretationQuestion_GuidanceMayWin(t *testing.T) {
+	// Explicit intent + guidance semantically competitive → guidance wins.
+	results := []LegalSearchResult{
+		intentRes("EDPB DPO", "supervisory_guidance", 0.64, 70),
+		intentRes("DSGVO", "binding_law", 0.58, 100),
+	}
+	out := rerankByAuthority("Was empfiehlt der EDPB zum Datenschutzbeauftragten?", results)
+	if out[0].SourceClass != "supervisory_guidance" {
+		t.Errorf("interpretation question: guidance should win Top-1, got %s", out[0].SourceClass)
+	}
+}
+
+func TestRerank_OffTopicGuidance_BlockedByGuard(t *testing.T) {
+	// Intent present, but guidance semantic is far below the best binding hit →
+	// the margin guard keeps binding on top (no off-topic guideline override).
+	results := []LegalSearchResult{
+		intentRes("EDPB DPO", "supervisory_guidance", 0.40, 70),
+		intentRes("DSGVO", "binding_law", 0.58, 100),
+	}
+	out := rerankByAuthority("Was empfiehlt der EDPB zum Datenschutzbeauftragten?", results)
+	if out[0].SourceClass != "binding_law" {
+		t.Errorf("off-topic guidance must not win even with intent, got %s", out[0].SourceClass)
+	}
+}
+
+func TestQueryWantsControls(t *testing.T) {
+	wants := []string{
+		"Welche Controls passen zu Security Updates?",
+		"Welche Maßnahmen sollten wir umsetzen?",
+		"Wie härten wir den Server ab?",
+		"Gibt es NIST-Controls dafür?",
+		"OWASP Best Practice für Logging?",
+		"BSI Grundschutz Bausteine",
+	}
+	plain := []string{
+		"Welche Anforderungen bestehen an Security Updates?",
+		"Ab wann braucht man einen Datenschutzbeauftragten?",
+	}
+	for _, q := range wants {
+		if !queryWantsControls(q) {
+			t.Errorf("should detect control/implementation intent: %q", q)
+		}
+	}
+	for _, q := range plain {
+		if queryWantsControls(q) {
+			t.Errorf("should NOT detect control intent (norm question): %q", q)
+		}
+	}
+}
+
+func TestRerank_ControlQuestion_StandardMayWin(t *testing.T) {
+	// Explicit implementation intent + standard semantically competitive → standard wins.
+	results := []LegalSearchResult{
+		intentRes("NIST SP 800-82", "technical_standard", 0.62, 80),
+		intentRes("CRA", "binding_law", 0.58, 100),
+	}
+	out := rerankByAuthority("Welche Controls passen zu Security Updates?", results)
+	if out[0].SourceClass != "technical_standard" {
+		t.Errorf("control question: technical_standard should win Top-1, got %s", out[0].SourceClass)
+	}
+}
+
+func TestRerank_NormQuestion_BindingOverStandard(t *testing.T) {
+	// "Anforderungen" → no control intent → binding stays Top-1 over the standard.
+	results := []LegalSearchResult{
+		intentRes("NIST SP 800-82", "technical_standard", 0.62, 80),
+		intentRes("CRA", "binding_law", 0.58, 100),
+	}
+	out := rerankByAuthority("Welche Anforderungen bestehen an Security Updates?", results)
+	if out[0].SourceClass != "binding_law" {
+		t.Errorf("norm question: binding must stay Top-1 over standard, got %s", out[0].SourceClass)
+	}
+}
+
+func TestRerank_OffTopicStandard_BlockedByGuard(t *testing.T) {
+	// Control intent present, but the standard is semantically far below binding →
+	// the margin guard keeps binding Top-1 (no off-topic standard override).
+	results := []LegalSearchResult{
+		intentRes("NIST SP 800-82", "technical_standard", 0.40, 80),
+		intentRes("CRA", "binding_law", 0.58, 100),
+	}
+	out := rerankByAuthority("Welche Controls passen zu Security Updates?", results)
+	if out[0].SourceClass != "binding_law" {
+		t.Errorf("off-topic standard must not win even with control intent, got %s", out[0].SourceClass)
+	}
+}