Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
77459d06d6948ea8a4be9ecc5f54b97de25e20cf
breakpilot-compliance/backend-compliance/tests/test_mcap_convergence_analysis.py
T
Benjamin Admin 80f2e2f619 feat: Medical stress test (safety+security coupled) + Missing Convergence report (Phase Ω #3) 
Medical before Payment: the harder scientific test (safety AND security coupled, full lifecycle,
deep risk/evidence demands). ISO 13485 runs through the SAME engine as ISO 27001 -> CRA, only new
data, 0 runtime. The key result: IEC 81001-5-1 (health-software security) pulls in the SAME security
MCAPs as the CRA, so Medical REUSES cyber capabilities (the safety/security coupling appears as
capability reuse) while adding 7 genuinely new medical caps (clinical evaluation, software safety
classification, ISO 14971 risk file, benefit-risk). rejected_assumptions intact.

Effect on the convergence core: secure_signed_update_distribution 18 -> 24 and
technical_vulnerability_management 17 -> 23, now spanning 3 domains (cyber + industrial + medical) —
the core visibly GROWS, exactly the convergence signal.

New 5th report: MISSING CONVERGENCE — deterministic (no ML) token-cluster detector for potential
structural duplications: a name token shared by >=3 MCAPs across >=2 distinct sources is flagged for
EXPERT REVIEW (never auto-merged). Surfaces e.g. the `risk` cluster (6 risk MCAPs across 6 sources)
and `security`/`software`; single-source decompositions are filtered out. Complements Suspicious by
looking at cross-source duplication, not single MCAPs.

Also records the durable modelling rule extracted from the frequency fix: evidence is attributed to
its ORIGIN; its value against a target is computed later (relevance(evidence,target)). Ledger now 8
sources, Architecture Stability 8/8 = 100%. Non-runtime -> no deploy. 29 tests pass, check-loc 0.
2026-06-28 12:09:52 +02:00

78 lines
2.9 KiB
Python
Raw Blame History

"""Cross-Domain MCAP Convergence Analysis — impact over frequency (Phase Ω pause).
Pins the deterministic MCAP Impact analysis and, critically, the anti-frequency-deception property:
a capability that bridges many target TYPES / domains / journeys (secure_signed_update_distribution)
must outrank a high-frequency single-domain management cap (conduct_internal_environmental_audits).
Four reports (Core / Emerging / Isolated / Suspicious), pure aggregation over existing data, no runtime.
"""
from __future__ import annotations
import os
import subprocess
import sys
def _run():
root = os.path.join(os.path.dirname(__file__), "..")
r = subprocess.run(
[sys.executable, "reference_scenarios/mcap_convergence_analysis.py"],
cwd=root, env={**os.environ, "PYTHONPATH": "."}, capture_output=True, text=True,
)
assert r.returncode == 0, r.stderr
return r.stdout
def _section(out, header):
start = out.index(header)
nxt = out.find("\n## ", start + 1)
return out[start: nxt if nxt != -1 else len(out)]
def test_runs_end_to_end():
out = _run()
assert "Cross-Domain MCAP Convergence Analysis" in out
assert "Impact = distinct Sources" in out
def test_core_is_cross_cutting_not_frequency():
out = _run()
core = _section(out, "## 1. Core MCAPs")
# the most cross-cutting capability tops the Core report; with Medical it now spans 3 domains
assert "`secure_signed_update_distribution` | **24** |" in core
assert "technical_vulnerability_management" in core
# a high-frequency BUT single-domain management cap must NOT be in Core (frequency != impact)
assert "conduct_internal_environmental_audits" not in core
def test_all_five_reports_present():
out = _run()
for header in ["## 1. Core MCAPs", "## 2. Emerging MCAPs", "## 3. Isolated MCAPs",
"## 4. Suspicious MCAPs", "## 5. Missing Convergence"]:
assert header in out
def test_missing_convergence_flags_cross_source_duplication():
out = _run()
mc = _section(out, "## 5. Missing Convergence")
# the 'risk' token clusters several distinct risk MCAPs across many sources -> a review candidate
assert "Token `risk`" in mc
assert "maintain_risk_management_file_iso14971" in mc and "product_cyber_risk_assessment" in mc
assert "KEIN Auto-Merge" in out
# single-source decompositions (all-environmental) must be filtered out (>=2 sources required)
assert "Token `environmental`" not in mc
def test_isolated_and_suspicious_are_review_tools():
out = _run()
iso = _section(out, "## 3. Isolated MCAPs")
assert "Review: spezialisiert ODER Konvergenz übersehen" in iso
assert "conduct_clinical_evaluation" in iso or "cybersecurity_management_system" in iso
susp = _section(out, "## 4. Suspicious MCAPs")
assert "zu grob" in susp and "zu fein" in susp
def test_abstraction_level_signal():
out = _run()
assert "richtigen Abstraktionsniveau" in out
assert "Strukturkern" in out
Reference in New Issue View Git Blame Copy Permalink