Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
978052b5a270d01baf79bbe103e9455e2a5b8ef4
breakpilot-compliance/backend-compliance/tests/test_onboarding_endpoint.py
T
Benjamin Admin 978052b5a2 fix(onboarding): decouple partial/indicative signals from detected — partial no longer removes a question 
Fix B of the pre-#59 semantic correction. The Silent Pass had only TWO effective states though the data
carries three: a `detected` mapping (a concrete artifact) AND a `partial` mapping (an indicative signal,
e.g. a CI pipeline -> secure-development-lifecycle) both flowed through capability_ids() and were fed to
the Advisor as already-present — so a weak indication silently removed a question, exactly the Welt-1/
Welt-2 transparency we want to keep.

Now three distinct states:
  - detected   -> reduces the delta immediately (auto_detected, not asked).   [unchanged]
  - partial    -> raises assumption strength but does NOT replace the question (surfaced as `indications`,
                  the capability stays in the delta and is still asked).
  - requirement-> describes a target, never the present state (already handled by Fix A's kind split).

Changes (data + thin wiring, no new architecture):
  - SilentIntakeResult.capability_ids() returns only relationship==detected; new indicative_capability_ids()
    returns the partial ones.
  - advisor_start() gains indicative_capabilities (NOT fed into the profile) and surfaces result.indications
    = indicative ∩ required − auto_detected.
  - AdvisorResult / AdvisorResponse gain `indications` (additive, contract-safe); the service passes the
    indicative ids through.

Tests: a partial CI signal is indicative-not-detected and does NOT shrink the delta; end-to-end it appears
in `indications`, not `auto_detected`, and the gap is still asked. 28 onboarding tests pass, mypy --strict
clean on the onboarding modules, demo runs, check-loc 0. Runtime effect -> deploy + smoke.
2026-06-28 16:02:35 +02:00

80 lines
3.7 KiB
Python
Raw Blame History

"""POST /onboarding/advisor-start — the runtime endpoint that exposes the existing Advisor.
Exercises the router in isolation (no DB, no full app): scanner findings (ProducedSignal) -> normalize
-> Silent Pass -> Advisor -> the advisory payload. No new reasoning logic — just the wiring.
"""
from __future__ import annotations
from fastapi import FastAPI
from fastapi.testclient import TestClient
from compliance.api.onboarding_routes import router
_app = FastAPI()
_app.include_router(router)
_client = TestClient(_app)
_BODY = {
"company": "synthetic", "industry": "machine_builder", "products": ["parking payment system"],
"markets": ["EU"], "certifications": ["ISO27001", "ISO9001"], "known_evidence": ["CE process"],
"target": "CRA",
"scanner_findings": [
{"signal_id": "cyclonedx_found", "source_type": "repository", "evidence": "sbom", "provenance": "sbom.cdx.json"},
{"signal_id": "vdp_found", "source_type": "website", "provenance": "/.well-known/security.txt"},
{"signal_id": "risk_assessment_pdf", "source_type": "document", "provenance": "risk.pdf"},
{"signal_id": "cloud_hosted", "source_type": "product"},
],
}
def test_targets_endpoint_lists_supported():
r = _client.get("/onboarding/targets")
assert r.status_code == 200
assert "CRA" in r.json()["targets"]
def test_advisor_start_returns_full_payload():
r = _client.post("/onboarding/advisor-start", json=_BODY)
assert r.status_code == 200, r.text
d = r.json()
for field in ["silent_intake_summary", "inferred_assumptions", "rejected_assumptions",
"top_5_questions", "capability_delta", "top_measures", "evidence_requests",
"completeness_summary"]:
assert field in d
assert len(d["top_5_questions"]) <= 5
assert d["auto_detected"] # Silent Pass recognised things from the scanners
assert "sbom_creation" not in {q["capability_id"] for q in d["top_5_questions"]} # detected -> not asked
def test_requirement_signal_does_not_auto_detect_capability():
# a tender that DEMANDS an SBOM (requirement) must NOT be read as "SBOM present": sbom_creation stays
# open (asked / in the delta), unlike a real cyclonedx_found observation.
body = dict(_BODY, scanner_findings=[
{"signal_id": "requires_sbom", "source_type": "tender", "provenance": "tender §4.2"},
])
r = _client.post("/onboarding/advisor-start", json=body)
assert r.status_code == 200, r.text
d = r.json()
assert "sbom_creation" not in d["auto_detected"] # demanded != present
asked = {q["capability_id"] for q in d["top_5_questions"]}
assert "sbom_creation" in asked or "sbom_creation" in d["capability_delta"] # still an open gap
def test_partial_signal_surfaces_as_indication_and_is_still_asked():
# a PARTIAL observation (a CI pipeline) raises assumption strength but does NOT replace the question
body = dict(_BODY, scanner_findings=[{"signal_id": "github_actions_ci", "source_type": "repository"}])
r = _client.post("/onboarding/advisor-start", json=body)
assert r.status_code == 200, r.text
d = r.json()
assert "secure_development_lifecycle" not in d["auto_detected"] # partial != detected
assert "secure_development_lifecycle" in d["indications"] # but its strength is shown
asked = {q["capability_id"] for q in d["top_5_questions"]}
assert "secure_development_lifecycle" in asked or "secure_development_lifecycle" in d["capability_delta"]
def test_unknown_target_is_404():
body = dict(_BODY, target="NOPE")
r = _client.post("/onboarding/advisor-start", json=body)
assert r.status_code == 404
Reference in New Issue View Git Blame Copy Permalink