Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
aa99111a87cc0fee01653eb7df2a8efce2147c70
breakpilot-compliance/backend-compliance/knowledge/reference_transition_scenarios/RTS-001.yaml
T
Benjamin Admin a0f72fc39b feat(rts): extend Reference Transition Scenarios to multi-regulation (CRA + MaschinenVO) 
Roadmap item 2: the RTS now pin MaschinenVO + convergence Expected Outcomes, so the
convergence USP is a living regression, not just a one-off section.

- RTS-003 (machine + ISMS, networked): full multi-regulation archetype — maschinenvo
  expected_delta + convergence expected_multi_target (links TP-ISO27001-CRA-MaschinenVO-v1).
  Generator runs the convergence pattern through RS-005: 4/4 machine-safety delta MISSING +
  4/4 expected multi-target caps converge. PASS.
- RTS-001 (component): MaschinenVO modeled as `uncertain` (a pure component is usually not a
  machine; deciding question is_safety_component) — engine must never assert it applies. Honest,
  parallel to the Data-Act handling.
- RTS-002 (machine, QMS-only): MaschinenVO `applies` (is_machine) but LOW convergence — no ISMS
  means the cyber side is entirely delta, so few caps are shared. The honest contrast that the
  convergence USP rewards companies who already run an ISMS.
- generator: per-RTS maschinenvo/convergence Soll-Ist checks; convergence pattern run once and
  reused. Data Act stays `uncertain` everywhere, never asserted.

All 3 RTS PASS. 18 tests (transition+company), mypy --strict clean, check-loc 0.
Non-runtime (knowledge + reference harness) -> no deploy (ADR-001).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-27 09:26:01 +02:00

62 lines
2.9 KiB
YAML
Raw Blame History

# Reference Transition Scenario — canonical regression scenario (NOT a test fixture).
# ANONYMIZED ARCHETYPE ONLY — no real company names are stored in the system; illustrative.
# Each RTS pins an Expected Outcome so every commit must reproduce it (identical or better).
id: RTS-001
archetype: "Automotive supplier with a mature ISMS — embedded electronics + software, CE products, OEM supply chain"
note: "Anonymized typical starting situation; illustrative only."
reference_company:
sector: automotive_supply
known_certifications: [TISAX, ISO27001]
product_traits:
is_machine: false # component / embedded supplier
is_component: true
has_embedded_software: true
connected_to_internet: true
has_remote_access: true
generates_usage_data: null # UNKNOWN -> a deciding question, not an assertion
market: [EU]
transition_goal:
from: [TISAX, ISO27001]
to:
- target: CRA
pattern: TP-ISO27001-CRA-v1 # executed through RS-005 below
- target: MaschinenVO
pattern: null
note: applicability_uncertain # a pure component is usually NOT a machine -> see expected_outcome.maschinenvo
expected_outcome:
cra:
pattern: TP-ISO27001-CRA-v1
# The mature ISMS reduces effort here (most info-security capabilities probably covered).
expected_likely_covered_at_least:
- incident_management
- supplier_security
- secure_development_lifecycle
- asset_and_configuration_management
- security_logging_and_monitoring
- access_control_and_authentication
# ... but the CRA product-cyber delta remains.
expected_delta_at_least:
- sbom_creation
- coordinated_vulnerability_disclosure
- security_update_support_period
- secure_signed_update_distribution
- exploited_vuln_and_incident_reporting
- product_cyber_risk_assessment
- ce_conformity_assessment_and_technical_documentation
maschinenvo:
expectation: uncertain # a pure component is usually NOT a machine -> NOT asserted
deciding_questions: [is_machine, is_safety_component, partly_completed_machinery]
rationale: >
The Machinery Regulation applies to machines, safety components and partly completed machinery.
A pure embedded component is usually out of scope, but a SAFETY component is not — so applicability
is itself a deciding question. The engine must ask (is_safety_component?), not assert gilt/gilt-nicht.
Contrast RTS-003, where is_machine: true makes MaschinenVO a settled second target with real convergence.
data_act:
expectation: uncertain # NEVER a fixed gilt/gilt-nicht
deciding_questions: [generates_usage_data, connected_product, data_act_scope]
rationale: "A connected component MAY fall under the Data Act; applicability depends on usage-data generation + scope. The engine must SURFACE this uncertainty and ask, not assert."
Reference in New Issue View Git Blame Copy Permalink