feat: upgrade SAFE-UC-0010 (In-vehicle voice assistant) to draft #42

Open
arjunastha wants to merge 2 commits into safe-agentic-framework:main from arjunastha:use-case/SAFE-UC-0010-in-vehicle-voice-assistant

@arjunastha
Contributor

Summary

Promotes SAFE-UC-0010 from seed to full draft, aligned with the latest community precedent (SAFE-UC-0007 mobile fleet maintenance dispatch and SAFE-UC-0008 OTA orchestration are the closest cyber-physical siblings; SAFE-UC-0006 telematics is the read-side anchor).

Changes

  • New use-cases/SAFE-UC-0010/README.md (656 lines, 12-section template + Appendix A and B with 6 subsections).
  • §1 explicitly notes the absence of a finalized NHTSA Phase 3 voice-HMI rule and cites NHTSA Phase 1 (78 FR 24817, April 26, 2013) plus Auto Innovators 2006 guidelines as the operative cross-references.
  • §7 8-stage cyber-physical kill chain with 7 stages flagged NOVEL versus SAFE-UC-0006 / 0007 / 0008. Novelty centers on physical-side-channel acoustic injection (DolphinAttack, Light Commands, NUIT), broadcast-media wake-word false-trigger, in-cabin identity hexangle (extends 0006's 5-party telematics quintet to 6+ in-cabin occupants), child-occupant axis with crossover into SAFE-UC-0030, NHTSA distraction-cap as AI-decision constraint, voiceprint biometric persistence and BIPA / federal Wiretap Act exposure, and the voice-to-OTA bridge into SAFE-UC-0008.
  • §8 19 SAFE-MCP techniques across 8 stages with explicit framework-gap notes where the SAFE-MCP catalog does not yet have first-class techniques (acoustic injection, broadcast-media wake-word, multi-occupant identity arbitration, child-occupant axis, voiceprint persistence). SAFE-T1110 (Multimodal Prompt Injection via Images/Audio) is the umbrella anchor.
  • Crosswalk: status seed to draft; maturity added; NAICS 31-33 / 3361 / 3363 / 5132; 20 tags; 15 evidence items; workflow_family In-cabin voice-assistant operations.
  • Root README.md index row flipped from Seed to Draft.

Citation accuracy

59 unique URLs across the document, all independently verified before commit. Key data points:

  • Cerence: 525M vehicles across 17 OEMs; 12 OEMs explicitly named at IAA Mobility 2025 (BYD, BMW, Ford, Genesis, Hyundai, Leapmotor, Lucid, Mini, Opel, Polestar, Togg, XPENG)
  • Mercedes-Benz USA: 3M MBUX Voice Assistant cumulative as of December 17, 2024 release
  • BMW iX3: first to integrate Amazon Alexa+ as a Custom Assistant (CES 2026; H2 2026 rollout)
  • Smart Eye: 24 OEMs, 372 production models, more than 3M cars
  • DolphinAttack: Audi Q3 navigation specifically
  • NUIT: 16-22 kHz range, less than 77 ms attack latency
  • Garner v. Amazon: class certification granted by Judge Lasnik on July 7, 2025 (W.D. Wash.)
  • UN R116 (effective 10 February 2009), not R161

Safety attestation

No exploit steps, no sensitive info, defender-friendly throughout. Acoustic-injection citations link to the published academic papers (DolphinAttack CCS 2017, Light Commands USENIX 2020, NUIT USENIX 2023, Carlini and Wagner IEEE S&P Workshops 2018) and describe defensive controls only.

Requesting DSO review per CONTRIBUTING.md.

…rols) from seed to full draft

Promotes SAFE-UC-0010 from seed stub to full draft using the SAFE-AUCA
template. 8-stage cyber-physical kill chain with 7 stages flagged
NOVEL versus the merged-cohort siblings (SAFE-UC-0006 telematics,
SAFE-UC-0007 mobile fleet maintenance, SAFE-UC-0008 OTA). 19 SAFE-MCP
techniques mapped across 8 stages with explicit framework-gap notes
on physical-side-channel acoustic injection (DolphinAttack, Light
Commands, NUIT), broadcast-media wake-word false-trigger (Burger King
2017 pattern), in-cabin identity hexangle, and child-occupant axis.
Section 1 explicitly notes the absence of a finalized NHTSA Phase 3
voice-HMI rule and cites NHTSA Phase 1 (2013) plus Auto Innovators
2006 guidelines as the operative cross-references. 6-subsection
Appendix B. Crosswalk JSON updated (status seed to draft, maturity
draft, 4 NAICS codes, workflow_family in-cabin voice-assistant
operations, 20 tags, 15 evidence items). Root README index status
updated from Seed to Draft.

Signed-off-by: arjunastha <arjun@astha.ai>

arjunastha marked this pull request as ready for review April 27, 2026 18:35

Member

@bishnubista bishnubista left a comment

Action items (DSO review) — please address before re-requesting:

  1. Remove "maturity" from use-cases.naics2022.crosswalk.json and the Maturity row from the README metadata table on the use-case page (batch-wide ask across all 8 open PRs; field isn't in the documented schema).
  2. Trim §1 to a reference-guide tone — currently reads as marketing/market-scan with heavy OEM and product naming, which conflicts with CONTRIBUTING.md's "no organizations beyond strictly necessary" rule.
  3. Restructure the §4.5 currently labeled "Tool inventory" into the §4.5 governance/authorization matrix the template specifies; move the tool inventory back to §4.4.
  4. Reconcile the version-history author byline.

CI green. No safety/disclosure issues. Ready for DSO signoff once items 1–4 are addressed.
