breakpilot-compliance/backend-compliance/knowledge/onboarding/intake_signal_map.yaml

# Silent Knowledge Pass — signal -> conclusion map (curated DATA, injected).
#
# What a scanner finding lets us conclude WITHOUT asking the user. A signal yields either a capability
# the company demonstrably has (with the evidence already in hand) or a product fact that drives scope.
# `relationship: detected` = a concrete artifact (strong, no question); `partial` = indicative (still
# verify, but lower priority). The scanners (website crawler, repo scanner, doc parser, product intake)
# are UPSTREAM and produce the signals; this file only interprets them. No norm text, no real names.

mappings:
  # Only OBSERVATION-kind signals appear here. requirement-kind signals (sbom_required, psirt_required,
  # signed_updates_required) are intentionally ABSENT — they describe a target, never the present state,
  # and the Silent Pass would never consume them anyway (it filters on kind == observation).
  # ── website ───────────────────────────────────────────────────────────────────────────────
  - {signal: cvd_policy_present, capability: coordinated_vulnerability_disclosure, relationship: detected, evidence: cvd_policy}
  - {signal: ce_marking_on_site, capability: ce_conformity_assessment_and_technical_documentation, relationship: partial, evidence: ce_declaration}
  - {signal: support_lifecycle_page, capability: security_update_support_period, relationship: partial, evidence: support_policy}
  - {signal: security_policy_page, capability: information_security_management, relationship: partial}
  # ── repository ────────────────────────────────────────────────────────────────────────────
  - {signal: sbom_present, capability: sbom_creation, relationship: detected, evidence: sbom}
  - {signal: signed_releases, capability: secure_signed_update_distribution, relationship: detected, evidence: signing_config}
  - {signal: github_actions_ci, capability: secure_development_lifecycle, relationship: partial, evidence: ci_pipeline}
  - {signal: dependency_scanning, capability: technical_vulnerability_management, relationship: partial, evidence: vuln_scanning_config}
  # ── documents ─────────────────────────────────────────────────────────────────────────────
  - {signal: ce_conformity_doc, capability: ce_conformity_assessment_and_technical_documentation, relationship: detected, evidence: technical_documentation}
  - {signal: product_risk_assessment_doc, capability: product_cyber_risk_assessment, relationship: detected, evidence: product_risk_assessment}
  - {signal: patch_policy_doc, capability: secure_signed_update_distribution, relationship: partial, evidence: patch_policy,
     rationale: "indicates update governance, does not evidence signed distribution"}
  - {signal: incident_response_plan_doc, capability: incident_management, relationship: detected, evidence: incident_procedure}
  # ── product facts (drive scope / target applicability) ──────────────────────────────────────
  - {signal: cloud_connectivity, product_fact: connected_to_internet}
  - {signal: plc_sps, product_fact: is_machine}
  - {signal: embedded_software, product_fact: has_embedded_software}
  - {signal: wireless_radio, product_fact: has_radio_equipment}
  - {signal: remote_access, product_fact: has_remote_access}
  - {signal: generates_usage_data, product_fact: generates_usage_data}