Benjamin Admin
f78e03bd0a
Three ANONYMIZED reference transition scenarios (no real company names stored) = canonical regression scenarios that test the KNOWLEDGE, not just the engine. Each pins an Expected Outcome (expected_likely_covered + expected_delta); every commit must reproduce it (identical or better). - RTS-001 automotive supplier (TISAX+ISO27001) -> CRA: mature ISMS, standard CRA delta. - RTS-002 classic machine builder (ISO9001) -> CRA: only process discipline -> MUCH larger delta (10 missing vs 3 covered). New TP-ISO9001-CRA-v1 pattern (different shape). - RTS-003 networked machine builder (ISMS) -> CRA: highlights the Data Act. Data Act is modelled as UNCERTAIN (a hypothesis), never a fixed gilt/gilt-nicht: the generator checks the engine SURFACES the uncertainty + the deciding question (generates_usage_data) and never wrongly ASSERTS applicability. All three RTS PASS. Non-runtime knowledge + reference harness -> no deploy (ADR-001). Names deliberately absent. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
55 lines
2.1 KiB
YAML
55 lines
2.1 KiB
YAML
# Reference Transition Scenario — ANONYMIZED ARCHETYPE ONLY (no real company names stored).
|
|
id: RTS-003
|
|
archetype: "Machine builder with an ISMS and networked products — connected machines that may generate usage data"
|
|
note: "Anonymized typical starting situation; illustrative only. Highlights the Data-Act uncertainty."
|
|
|
|
reference_company:
|
|
sector: mechanical_engineering
|
|
known_certifications: [ISO27001] # ISMS ~ ISO 27001
|
|
product_traits:
|
|
is_machine: true
|
|
is_component: false
|
|
has_embedded_software: true
|
|
connected_to_internet: true
|
|
has_remote_access: true
|
|
generates_usage_data: null # UNKNOWN -> the Data-Act deciding question
|
|
market: [EU]
|
|
|
|
transition_goal:
|
|
from: [ISO27001]
|
|
to:
|
|
- target: CRA
|
|
pattern: TP-ISO27001-CRA-v1
|
|
- target: MaschinenVO
|
|
pattern: null
|
|
note: pattern_pending
|
|
- target: DataAct
|
|
pattern: null
|
|
note: uncertain_hypothesis # NOT asserted — see expected_outcome.data_act
|
|
|
|
expected_outcome:
|
|
cra:
|
|
pattern: TP-ISO27001-CRA-v1
|
|
expected_likely_covered_at_least:
|
|
- incident_management
|
|
- technical_vulnerability_management
|
|
- secure_development_lifecycle
|
|
- access_control_and_authentication
|
|
- security_logging_and_monitoring
|
|
expected_delta_at_least:
|
|
- sbom_creation
|
|
- coordinated_vulnerability_disclosure
|
|
- security_update_support_period
|
|
- secure_signed_update_distribution
|
|
- exploited_vuln_and_incident_reporting
|
|
- product_cyber_risk_assessment
|
|
- ce_conformity_assessment_and_technical_documentation
|
|
data_act:
|
|
expectation: uncertain # the core correction: a connected machine MAY fall under the Data Act
|
|
deciding_questions: [generates_usage_data, connected_product, data_act_scope]
|
|
rationale: >
|
|
A networked machine is MORE likely to fall under the Data Act than a pure component, but it is NOT
|
|
a settled fact — it depends on usage-data generation, user access, and scope. The Reference Suite
|
|
checks that the engine recognises the RIGHT uncertainty and asks the deciding question, NOT that it
|
|
writes a fixed gilt/gilt-nicht.
|