Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
659b37cc21ac20b80c36ac9eef34ee00acc686fa
breakpilot-compliance/ai-compliance-sdk/internal/ucca/legal_rag_intent_test.go
T
Benjamin Admin 659b37cc21
CI / detect-changes (pull_request) Successful in 6s
Details
CI / branch-name (pull_request) Successful in 1s
Details
CI / guardrail-integrity (pull_request) Successful in 6s
Details
CI / secret-scan (pull_request) Successful in 5s
Details
CI / dep-audit (pull_request) Failing after 55s
Details
CI / sbom-scan (pull_request) Failing after 58s
Details
CI / build-sha-integrity (pull_request) Successful in 6s
Details
CI / validate-canonical-controls (pull_request) Successful in 3s
Details
CI / loc-budget (pull_request) Successful in 18s
Details
CI / go-lint (pull_request) Successful in 43s
Details
CI / python-lint (pull_request) Failing after 14s
Details
CI / nodejs-lint (pull_request) Failing after 1m6s
Details
CI / nodejs-build (pull_request) Successful in 3m0s
Details
CI / test-go (pull_request) Successful in 58s
Details
CI / iace-gt-coverage (pull_request) Successful in 16s
Details
CI / test-python-backend (pull_request) Successful in 26s
Details
CI / test-python-document-crawler (pull_request) Successful in 13s
Details
CI / test-python-dsms-gateway (pull_request) Successful in 9s
Details
feat(ai-sdk): source_role control-pool — controls are not only technical_standard 
Live gate test showed control-intent (#36/#37) was inert for the EU cyber corpus:
"Welche Controls passen zu Security Updates?" recalls ENISA good-practices
(relevant measures, but source_class=supervisory_guidance) + binding regs, never
NIST — so lifting technical_standard above binding did nothing.

Per the finalized control-corpus model (User 2026-06-24): add source_role
(functional role) ORTHOGONAL to source_class (legal authority). source_class still
decides rank; source_role decides CONTROL-POOL membership. classifyRole derives 7
roles from markers (no re-tagging): obligation / operational_requirement /
procedural_requirement / control_standard / implementation_guidance /
interpretation / definition.

Control-intent now boosts the control-pool (operational/procedural requirement,
control standard, implementation guidance) over the abstract obligation, soft-
ordered op_req > procedural > standard > guidance (controlPoolGain + role bonus) —
replacing "lift technical_standard above binding". So CRA Annex I
(operational_requirement) wins over NIST (control_standard) for "which measures",
and ENISA (implementation_guidance) enters the pool while staying guidance.

Recall of not-retrieved standards (NIST) for generic control queries = next step
(searchControls). Tested: classifyRole table, role-preference, op_req-Top-1.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-24 13:07:22 +02:00

136 lines
5.3 KiB
Go
Raw Blame History

package ucca
import "testing"
func intentRes(reg, sourceClass string, sem float64, weight int) LegalSearchResult {
return LegalSearchResult{
RegulationShort: reg, SourceClass: sourceClass, Score: sem,
AuthorityWeight: weight, Jurisdiction: "EU",
}
}
func TestQueryWantsGuidance(t *testing.T) {
wants := []string{
"Was empfiehlt der EDPB zum DSB?",
"Was sagt die ENISA zu Security Updates?",
"laut DSK ...",
"Orientierungshilfe zur DSFA",
"Welche BSI-Empfehlung gilt?",
"Auslegung der Aufsichtsbehörde",
}
plain := []string{
"Ab wann braucht man einen Datenschutzbeauftragten?",
"Welche Anforderungen bestehen an Security Updates?",
}
for _, q := range wants {
if !queryWantsGuidance(q) {
t.Errorf("should detect interpretation intent: %q", q)
}
}
for _, q := range plain {
if queryWantsGuidance(q) {
t.Errorf("should NOT detect intent (norm question): %q", q)
}
}
}
func TestRerank_NormQuestion_BindingStaysTop(t *testing.T) {
// No intent signal → binding wins even though guidance is semantically higher.
results := []LegalSearchResult{
intentRes("EDPB DPO", "supervisory_guidance", 0.64, 70),
intentRes("DSGVO", "binding_law", 0.58, 100),
}
out := rerankByAuthority("Ab wann braucht man einen Datenschutzbeauftragten?", results)
if out[0].SourceClass != "binding_law" {
t.Errorf("norm question: binding must stay Top-1, got %s", out[0].SourceClass)
}
}
func TestRerank_InterpretationQuestion_GuidanceMayWin(t *testing.T) {
// Explicit intent + guidance semantically competitive → guidance wins.
results := []LegalSearchResult{
intentRes("EDPB DPO", "supervisory_guidance", 0.64, 70),
intentRes("DSGVO", "binding_law", 0.58, 100),
}
out := rerankByAuthority("Was empfiehlt der EDPB zum Datenschutzbeauftragten?", results)
if out[0].SourceClass != "supervisory_guidance" {
t.Errorf("interpretation question: guidance should win Top-1, got %s", out[0].SourceClass)
}
}
func TestRerank_OffTopicGuidance_BlockedByGuard(t *testing.T) {
// Intent present, but guidance semantic is far below the best binding hit →
// the margin guard keeps binding on top (no off-topic guideline override).
results := []LegalSearchResult{
intentRes("EDPB DPO", "supervisory_guidance", 0.40, 70),
intentRes("DSGVO", "binding_law", 0.58, 100),
}
out := rerankByAuthority("Was empfiehlt der EDPB zum Datenschutzbeauftragten?", results)
if out[0].SourceClass != "binding_law" {
t.Errorf("off-topic guidance must not win even with intent, got %s", out[0].SourceClass)
}
}
func TestQueryWantsControls(t *testing.T) {
wants := []string{
"Welche Controls passen zu Security Updates?",
"Welche Maßnahmen sollten wir umsetzen?",
"Wie härten wir den Server ab?",
"Gibt es NIST-Controls dafür?",
"OWASP Best Practice für Logging?",
"BSI Grundschutz Bausteine",
}
plain := []string{
"Welche Anforderungen bestehen an Security Updates?",
"Ab wann braucht man einen Datenschutzbeauftragten?",
}
for _, q := range wants {
if !queryWantsControls(q) {
t.Errorf("should detect control/implementation intent: %q", q)
}
}
for _, q := range plain {
if queryWantsControls(q) {
t.Errorf("should NOT detect control intent (norm question): %q", q)
}
}
}
func TestRerank_ControlQuestion_OperationalReqTop(t *testing.T) {
// User priority for implementation questions: operational_requirement (binding concrete,
// CRA Anhang I) > control_standard (NIST). Both are in the control-pool; op_req wins.
results := []LegalSearchResult{
{RegulationShort: "NIST SP 800-82r3", ArticleLabel: "AU-8", SourceClass: "technical_standard", AuthorityWeight: 80, Jurisdiction: "EU", Score: 0.60},
{RegulationShort: "CRA", ArticleLabel: "CRA Anhang I", Category: "regulation", Score: 0.58},
}
out := rerankByAuthority("Welche Controls und Massnahmen passen zu Security Updates?", results)
if out[0].RegulationShort != "CRA" {
t.Errorf("operational_requirement (CRA Anhang I) should be Top-1 over control_standard, got %q", out[0].RegulationShort)
}
}
func TestRerank_NormQuestion_BindingOverStandard(t *testing.T) {
// "Anforderungen" → no control intent → binding obligation stays Top-1 over the standard.
results := []LegalSearchResult{
intentRes("NIST SP 800-82", "technical_standard", 0.62, 80),
intentRes("CRA", "binding_law", 0.58, 100),
}
out := rerankByAuthority("Welche Anforderungen bestehen an Security Updates?", results)
if out[0].SourceClass != "binding_law" {
t.Errorf("norm question: binding must stay Top-1 over standard, got %s", out[0].SourceClass)
}
}
func TestRerank_ControlQuestion_PoolBeatsBareObligation(t *testing.T) {
// A control-pool source (NIST control_standard) outranks an abstract obligation with no
// domain/topic advantage, because the implementation intent boosts the control-pool.
results := []LegalSearchResult{
{RegulationShort: "NIST SP 800-82r3", ArticleLabel: "AU-8", SourceClass: "technical_standard", AuthorityWeight: 80, Jurisdiction: "EU", Score: 0.55},
{RegulationShort: "XYZ", ArticleLabel: "Art. 5 XYZ", Category: "regulation", Score: 0.58},
}
out := rerankByAuthority("Welche Controls und Massnahmen passen zu Security Updates?", results)
if out[0].RegulationShort != "NIST SP 800-82r3" {
t.Errorf("control_standard should beat a bare abstract obligation on a control question, got %q", out[0].RegulationShort)
}
}
Reference in New Issue View Git Blame Copy Permalink