breakpilot-compliance/backend-compliance/knowledge/onboarding/signal_vocabulary.yaml
Benjamin Admin c2c8f7e424 feat: Signal Producer interface + Normalizer — one signal language for all sources (before #58)
Not scanner stubs — the scanners exist. The Silent Pass needs only their UNIFIED output. This adds the
small common DATA FORMAT (not a new module/framework) the user asked for, exactly the Requirement-
Source / MCAP / regulation-alias pattern: many inputs, one language.

  Producer A / B / C  ->  normalize_signals (vocabulary: id + aliases)  ->  canonical IntakeSignal  ->  Silent Pass

- ProducedSignal {signal_id, source_type, confidence, evidence, provenance} = what ANY source emits
  (website scanner, repo scanner, PDF parser, tender parser, API, the user).
- knowledge/onboarding/signal_vocabulary.yaml reduces producer dialects to a canonical signal: "SBOM
  present" arrives as cyclonedx_found / spdx_found / sbom_uploaded / requires_sbom (tender) — all become
  `sbom_file_found`. The Silent Pass cannot tell where it came from -> no per-scanner special logic, ever.
- Unknown signals pass through (a new producer stays visible). confidence/evidence/provenance flow to
  the detected capability for the audit trail.

A tender that "requires SBOM" now produces the same effect as a repo that HAS one — fits Vision V2
(Requirement Source over Regulation). Endpoint (#58) then has its final shape: POST -> Producers ->
Normalizer -> Silent Pass -> Profile -> Delta -> Questions -> Roadmap. Non-runtime -> no deploy. mypy
--strict clean, 14 onboarding tests pass, check-loc 0.
2026-06-28 14:49:57 +02:00


# Signal Vocabulary — canonical signal id + the producer-specific aliases that mean the same thing.
#
# The same fact ("SBOM present") can arrive as CycloneDX, SPDX, a GitHub Action, a Maven plugin, a
# document upload, a customer statement, a tender clause or a repo file. For the Silent Pass they are
# ALL identical: `sbom_file_found`. This file reduces them to one canonical signal — same pattern as the
# regulation-alias vocabulary, MCAPs and Requirement Sources: many inputs, one language. No scanner-
# specific logic ever reaches the Silent Pass. Pure DATA, injected into normalize_signals(). No real names.
signals:
- {id: sbom_file_found, aliases: [cyclonedx_found, spdx_found, sbom_in_repo, sbom_present, sbom_uploaded, requires_sbom, sbom_in_tender]}
- {id: security_txt_or_cvd_policy, aliases: [security_txt, vdp_found, cvd_policy_pdf, psirt_page, coordinated_disclosure_policy, supplier_requires_psirt]}
- {id: signed_releases, aliases: [signed_artifacts, cosign_found, gpg_signed_releases, code_signing_cert, secure_boot]}
- {id: github_actions_ci, aliases: [ci_pipeline, gitlab_ci, jenkins_pipeline, build_automation]}
- {id: dependency_scanning, aliases: [dependabot, renovate, snyk_found, trivy_in_ci, sca_tool]}
- {id: ce_marking_on_site, aliases: [ce_logo_detected, ce_mark_image]}
- {id: ce_conformity_doc, aliases: [declaration_of_conformity_doc, ce_doc_uploaded, conformity_pdf]}
- {id: support_lifecycle_page, aliases: [eol_policy_page, lifecycle_doc, support_period_stated]}
- {id: security_policy_page, aliases: [isms_statement, iso27001_badge, security_overview_page]}
- {id: product_risk_assessment_doc, aliases: [risk_assessment_pdf, hazard_analysis_doc, tara_doc]}
- {id: patch_policy_doc, aliases: [patch_management_policy, update_policy_pdf]}
- {id: incident_response_plan_doc, aliases: [irp_doc, incident_playbook]}
# product facts
- {id: cloud_connectivity, aliases: [cloud_hosted, saas, internet_facing, connected_product]}
- {id: plc_sps, aliases: [plc_detected, sps_steuerung, industrial_controller]}
- {id: embedded_software, aliases: [firmware_present, embedded_device]}
- {id: wireless_radio, aliases: [bluetooth, wifi_module, radio_equipment, funkmodul]}
- {id: remote_access, aliases: [remote_maintenance, vpn_access, teleservice, fernwartung]}
- {id: generates_usage_data, aliases: [telemetry_collected, usage_analytics]}
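An added example of the normalizer this vocabulary is meant to drive (example code, not the repository's own `normalize_signals`). The field sets of `ProducedSignal` and `IntakeSignal` follow the commit message; the merge policy (highest confidence wins, evidence and provenance concatenated), the `known` flag on pass-through signals, and the alias-collision check in `build_alias_index` are assumptions made here. A subset of the vocabulary above is transcribed inline as a Python structure so the block runs without a YAML parser or file access.

```python
"""Normalize producer-specific signals to canonical IntakeSignals via an alias vocabulary."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Subset of signal_vocabulary.yaml transcribed inline (constructed for this example; the
# YAML file remains the source of truth in the project).
VOCABULARY = {
    "signals": [
        {"id": "sbom_file_found", "aliases": ["cyclonedx_found", "spdx_found", "sbom_in_repo",
                                              "sbom_present", "sbom_uploaded", "requires_sbom",
                                              "sbom_in_tender"]},
        {"id": "signed_releases", "aliases": ["signed_artifacts", "cosign_found",
                                              "gpg_signed_releases", "code_signing_cert",
                                              "secure_boot"]},
        {"id": "dependency_scanning", "aliases": ["dependabot", "renovate", "snyk_found",
                                                  "trivy_in_ci", "sca_tool"]},
        {"id": "remote_access", "aliases": ["remote_maintenance", "vpn_access", "teleservice",
                                            "fernwartung"]},
    ]
}


@dataclass(frozen=True)
class ProducedSignal:
    """What ANY producer emits; field names follow the commit message."""
    signal_id: str     # producer dialect, e.g. "cyclonedx_found"
    source_type: str   # e.g. "repo_scanner", "tender_parser", "user"
    confidence: float  # 0.0 .. 1.0
    evidence: str      # human-readable pointer to what was seen
    provenance: str    # where it was seen (path, URL, page)


@dataclass
class IntakeSignal:
    """Canonical signal handed to the Silent Pass, with the audit trail attached."""
    signal_id: str
    known: bool                 # False = not in the vocabulary, passed through unchanged
    confidence: float           # assumption: max over contributing producers
    evidence: List[str]
    provenance: List[str]       # "source_type:provenance" entries, one per producer


def build_alias_index(vocabulary: dict) -> Dict[str, str]:
    """Map every alias (and every canonical id itself) to its canonical id.

    Rejects a vocabulary in which one alias would resolve to two different canonical
    signals, since that would make normalization order-dependent.
    """
    index: Dict[str, str] = {}
    for entry in vocabulary["signals"]:
        canonical = entry["id"]
        for name in [canonical, *entry["aliases"]]:
            if name in index and index[name] != canonical:
                raise ValueError(
                    f"alias {name!r} maps to both {index[name]!r} and {canonical!r}")
            index[name] = canonical
    return index


def normalize_signals(produced: Iterable[ProducedSignal],
                      vocabulary: dict = VOCABULARY) -> Dict[str, IntakeSignal]:
    """Reduce producer dialects to canonical signals; unknown ids pass through as-is."""
    index = build_alias_index(vocabulary)
    intake: Dict[str, IntakeSignal] = {}
    for sig in produced:
        known = sig.signal_id in index
        canonical = index.get(sig.signal_id, sig.signal_id)
        merged = intake.get(canonical)
        if merged is None:
            merged = IntakeSignal(canonical, known, 0.0, [], [])
            intake[canonical] = merged
        merged.confidence = max(merged.confidence, sig.confidence)
        merged.evidence.append(sig.evidence)
        merged.provenance.append(f"{sig.source_type}:{sig.provenance}")
    return intake


def demo() -> Dict[str, IntakeSignal]:
    """Constructed sample: a repo, a tender and a producer the vocabulary does not know yet."""
    produced = [
        ProducedSignal("cyclonedx_found", "repo_scanner", 0.9,
                       "bom.json at repository root", "repo:example-org/widget@main"),
        ProducedSignal("requires_sbom", "tender_parser", 0.6,
                       "clause 4.2 requires an SBOM per delivery", "tender.pdf#p12"),
        ProducedSignal("fernwartung", "website_scanner", 0.7,
                       "product page advertises remote maintenance", "https://example.invalid/p"),
        ProducedSignal("oci_attestation_found", "registry_scanner", 0.8,
                       "attestation attached to image", "registry.example.invalid/widget:1.2"),
    ]
    return normalize_signals(produced)


if __name__ == "__main__":
    for sid, s in demo().items():
        print(f"{sid:<24} known={s.known} conf={s.confidence} sources={len(s.provenance)}")
```

The collision check matters as the vocabulary grows: once two entries share an alias, the same producer output would land on different canonical signals depending on file order, which is exactly the kind of per-source behaviour the Silent Pass is supposed to be free of.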