TenantAtlas/specs/354-finding-exceptions-accepted-risk-resolution-guidance-v1/contracts/accepted-risk-guidance-signal-map.md
ahmido a9c54205bf feat: finding exceptions accepted risk resolution guidance v1 (spec 354) (#425)
Implemented the accepted risk resolution guidance, including the AcceptedRiskResolutionAdapter, guidance cards, and updated related Filament views. Added unit, feature, and browser tests.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #425
2026-06-05 02:20:46 +00:00


# Accepted Risk Guidance Signal Map: Spec 354

Inventory the existing repo-backed signals that may feed accepted-risk resolution guidance without adding new persistence or new workflow truth.

## Required Inputs

| Signal | Current source | Notes |
| --- | --- | --- |
| Exception status | `FindingException.status` | existing lifecycle truth |
| Validity state | `FindingException.current_validity_state` and resolver output | existing governance-support truth |
| Review due / expiry | `FindingException.review_due_at`, `expires_at` | existing urgency inputs |
| Decision posture | `FindingException.currentDecisionType()` and `FindingExceptionDecision` | existing lifecycle/action context |
| Linked finding state | `Finding` + `FindingRiskGovernanceResolver` | existing risk-accepted workflow truth |
| Owner / rationale presence | existing `FindingException` fields | completeness signals only |
| Related evidence / audit / review context | existing linked routes and summaries only | secondary links, not primary truth |

## Guidance Cases

| Case key | Required signals | Primary action | Secondary actions | Notes |
| --- | --- | --- | --- | --- |
| `accepted_risk.ready` | valid support, no urgent expiry, complete governance support | inspect accepted risk or no urgent action | finding / existing related context where repo-backed | calm state only |
| `accepted_risk.expiring` | expiring validity | review accepted risk | open finding / existing related context / evidence references | high-priority queue case |
| `accepted_risk.expired` | expired support | review accepted risk | open finding / decision history | no fake auto-renew |
| `accepted_risk.revoked_or_rejected` | revoked or rejected support | open finding or review accepted risk | decision history / related context | action depends on current repo-backed source owner |
| `accepted_risk.pending` | pending approval or pending renewal | review accepted risk | open finding / decision history | keep language conservative |
| `accepted_risk.missing_support` | existing exception record has `current_validity_state=missing_support` or equivalent repo-real missing-support posture | review accepted risk | open finding / decision history | owner surfaces do not synthesize no-record accepted-risk rows |
| `accepted_risk.fresh_decision_required` | `FindingException::requiresFreshDecisionForFinding()` is true and resolver warning copy is present | review accepted risk | open finding / decision history | preserve current repo-real signal; do not broaden into a new stale-governance framework |
| `accepted_risk.incomplete_governance` | missing owner, rationale, or review support on an existing exception record | review accepted risk | open finding / existing related context | use only repo-backed completeness signals |
| `accepted_risk.wording_reference` | conservative accepted-risk wording already exists in current review truth | no downstream artifact mutation in this slice | open accepted risk / open finding when repo-backed | owner-surface wording reference only |

## Guardrail

Current repo truth already exposes one bounded fresh-decision-required signal through `FindingException::requiresFreshDecisionForFinding()` and `FindingRiskGovernanceResolver`.

This slice may preserve and surface that signal more clearly, but it must not add a broader timestamp-, diff-, or change-history-based stale-governance framework.
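As an added example (not TenantAtlas code), the following PHP function walks the Guidance Cases table over the repo-backed signals from Required Inputs and returns a single case key, and it honours the Guardrail by surfacing the one existing fresh-decision flag rather than deriving staleness from timestamps or diffs. The precedence order, the status and validity string values, and the 30-day expiring window are assumptions; `accepted_risk.wording_reference` is omitted because it is a reference case, not a mutually exclusive state.

```php
<?php
declare(strict_types=1);

// Added example, not TenantAtlas code. Signals arrive as a plain array whose
// keys mirror the Required Inputs table; the status/validity string values,
// the 30-day expiring window and the precedence order are assumptions.
function resolveAcceptedRiskCase(?array $signals, DateTimeImmutable $now): ?string
{
    // Guardrail: an owner surface never synthesizes a row for a missing record.
    if ($signals === null) {
        return null;
    }

    $status   = $signals['status'];                 // FindingException.status
    $validity = $signals['current_validity_state']; // FindingException.current_validity_state
    $expires  = $signals['expires_at'];             // FindingException.expires_at, nullable

    // Lifecycle truth first: a revoked or rejected exception has no valid support.
    if (in_array($status, ['revoked', 'rejected'], true)) {
        return 'accepted_risk.revoked_or_rejected';
    }
    if (in_array($status, ['pending_approval', 'pending_renewal'], true)) {
        return 'accepted_risk.pending';
    }
    // Governance-support truth taken from the resolver output, not recomputed.
    if ($validity === 'missing_support') {
        return 'accepted_risk.missing_support';
    }
    // The one bounded fresh-decision signal; surfaced as-is, never widened.
    if ($signals['requires_fresh_decision'] === true) {
        return 'accepted_risk.fresh_decision_required';
    }
    // Urgency inputs: expired outranks expiring.
    if ($expires !== null && $expires <= $now) {
        return 'accepted_risk.expired';
    }
    if ($expires !== null && $expires <= $now->modify('+30 days')) {
        return 'accepted_risk.expiring';
    }
    // Completeness signals only: presence of owner, rationale and review date.
    if (!$signals['has_owner'] || !$signals['has_rationale'] || $signals['review_due_at'] === null) {
        return 'accepted_risk.incomplete_governance';
    }
    return 'accepted_risk.ready'; // calm state
}
```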

## Forbidden Signals

- live Graph/provider calls during render
- synthetic review-impact scores
- inferred customer-safe summaries that are not already repo-backed
- hidden shell/session context treated as accepted-risk authority
- legacy query aliases treated as scope authority