Why now
docs/design/iso26262-artifact-mapping.md row 32 has flagged the TCL/TD gap since v0.4. safety/stpa/tool-qualification.yaml already self-positions rivet at "TCL 1 (highest)" — but uses DO-330 numbering on a 26262 acronym (lower TCL number = lower demand in 26262). The existing wording is itself an audit-flag in our own dogfood.
A new design note worked through the standards (ISO 26262 §11 / IEC 61508 / DO-330 / EN 50128 / ISO/PAS 8800), Polarion's TI2/TD1 → TCL1 posture, the competitor baseline, and what rivet would have to do to defend a stronger claim:
docs/design/tool-confidence-level.md
The conclusion: rivet's right target is TCL1 in 26262 units but with the evidence bundle of a TCL2 tool, because the TD1 claim cannot rest on "human reviewer caught it" once the upstream author is an AI agent. The TD-raising substitutes (validate, oracles, cited-source hashing, docs-check, schema-migrate snapshot/abort) are already shipped — they just need to be packaged as a dossier.
Workstream A — one developer-week, in priority order
A1. Rename the existing STPA's TCL annotation. Change safety/stpa/tool-qualification.yaml line 14 from "TCL 1 (highest)" to "TCL 3 (highest demand)" to match ISO 26262-8 numbering. (~1h)
A2. Add tool-confidence typed artifact to schemas/iso-26262.yaml. Fields: ti: TI1..TI2, td: TD1..TD3, derived tcl, link-fields for qualification-evidence. Closes iso26262-artifact-mapping.md §C row 32. (~4h)
A3. Add ai-found-defect artifact type to schemas/common.yaml plus defect-against and corrects link types. This is the type that operationalises the user-facing requirement "any error found while AI is working would get reflected into the safety case". (~4h, schema sketch in §6.2 of the design note)
A4. Write docs/design/tool-qualification-dossier.md and a matching rivet docs tool-qualification topic. Sections: TOR, Use Cases, Verification Plan, Configuration Baseline, Known Limitations, Tool Error Detection & Reporting Process, TCL/TQL Position Statement per Regime. (~1-2 days)
A5. Add rivet --qualification-mode flag and rivet stats --qualification to emit a configuration-baseline manifest (binary version, schema hashes, oracle inventory, cargo vet status). (~1 day)
Decision the user should make first
Which regime is the lead for the dossier — ISO 26262, DO-178C, or IEC 62304? The other two follow as cross-walks, but picking one governs numbering, dossier structure, and which customer pilot to prioritise.
Out of scope (intentionally)
- Customer-project-level qualification — that is the customer safety manager's call. Rivet ships the dossier.
- Numeric-safety-output features (SPFM/LFM/PMHF) — broader iso-26262 schema completion (gap §C rows 2/20/21).
- E-signature / 21 CFR Part 11 — explicitly disclaimed in
ai-safety-cyber-hitl.md §5.2.
References
docs/design/tool-confidence-level.md — this workstream's design notedocs/design/iso26262-artifact-mapping.md §C row 32docs/design/ai-safety-cyber-hitl.md §5safety/stpa/tool-qualification.yamlschemas/iso-pas-8800.yaml, schemas/score.yaml, schemas/en-50128.yaml
Refs: FEAT-001
Why now
docs/design/iso26262-artifact-mapping.mdrow 32 has flagged the TCL/TD gap since v0.4.safety/stpa/tool-qualification.yamlalready self-positions rivet at "TCL 1 (highest)" — but uses DO-330 numbering on a 26262 acronym (lower TCL number = lower demand in 26262). The existing wording is itself an audit-flag in our own dogfood.A new design note worked through the standards (ISO 26262 §11 / IEC 61508 / DO-330 / EN 50128 / ISO/PAS 8800), Polarion's TI2/TD1 → TCL1 posture, the competitor baseline, and what rivet would have to do to defend a stronger claim:
docs/design/tool-confidence-level.mdThe conclusion: rivet's right target is TCL1 in 26262 units but with the evidence bundle of a TCL2 tool, because the TD1 claim cannot rest on "human reviewer caught it" once the upstream author is an AI agent. The TD-raising substitutes (validate, oracles, cited-source hashing, docs-check, schema-migrate snapshot/abort) are already shipped — they just need to be packaged as a dossier.
Workstream A — one developer-week, in priority order
A1. Rename the existing STPA's TCL annotation. Change
safety/stpa/tool-qualification.yamlline 14 from "TCL 1 (highest)" to "TCL 3 (highest demand)" to match ISO 26262-8 numbering. (~1h)A2. Add
tool-confidencetyped artifact toschemas/iso-26262.yaml. Fields:ti: TI1..TI2,td: TD1..TD3, derivedtcl, link-fields forqualification-evidence. Closesiso26262-artifact-mapping.md§C row 32. (~4h)A3. Add
ai-found-defectartifact type toschemas/common.yamlplusdefect-againstandcorrectslink types. This is the type that operationalises the user-facing requirement "any error found while AI is working would get reflected into the safety case". (~4h, schema sketch in §6.2 of the design note)A4. Write
docs/design/tool-qualification-dossier.mdand a matchingrivet docs tool-qualificationtopic. Sections: TOR, Use Cases, Verification Plan, Configuration Baseline, Known Limitations, Tool Error Detection & Reporting Process, TCL/TQL Position Statement per Regime. (~1-2 days)A5. Add
rivet --qualification-modeflag andrivet stats --qualificationto emit a configuration-baseline manifest (binary version, schema hashes, oracle inventory,cargo vetstatus). (~1 day)Decision the user should make first
Which regime is the lead for the dossier — ISO 26262, DO-178C, or IEC 62304? The other two follow as cross-walks, but picking one governs numbering, dossier structure, and which customer pilot to prioritise.
Out of scope (intentionally)
ai-safety-cyber-hitl.md§5.2.References
docs/design/tool-confidence-level.md— this workstream's design notedocs/design/iso26262-artifact-mapping.md§C row 32docs/design/ai-safety-cyber-hitl.md§5safety/stpa/tool-qualification.yamlschemas/iso-pas-8800.yaml,schemas/score.yaml,schemas/en-50128.yamlRefs: FEAT-001