Two reviewed knowledge decisions (2026-06-28) + the deferred cosmetic counter, before #59.
1. ISO13485 removed from the incident_management hypothesis. ISO 13485 CAPA / quality-safety incident
handling is NOT security incident management — the mapping was too broad and would seed false
hypotheses for the empirical loop. A dedicated manage_quality_and_safety_incidents capability can come
later IF a target needs it; not forced now. (ISO27001/TISAX/IEC62443 keep incident_management.)
2. patch_policy_doc -> secure_signed_update_distribution stays `partial`, but the curated rationale is
sharpened: "indicates update governance, does not evidence signed distribution" (a patch policy is not
proof of SIGNED distribution). New optional SignalMapping.rationale field carries the curated note.
(github_actions_ci -> SDL and dependency_scanning -> vuln-mgmt reviewed and APPROVED as-is.)
3. Cosmetic (folded in since we touched the file): the silent-intake summary now counts detected and
indications SEPARATELY ("N automatisch erkannt, M Indikation(en)") instead of lumping partial signals
into "automatisch erkannt" — consistent with the three-state model just shipped.
Tests: ISO13485 no longer resolves to incident_management; summary counts split correctly. 29 onboarding
tests pass, mypy --strict clean, demo runs, check-loc 0. Runtime-visible (hypothesis resolution + summary
text) -> deploy + smoke.
Benjamin Admin
77459d06d6