Implemented the accepted risk resolution guidance, including the AcceptedRiskResolutionAdapter, guidance cards, and updated related Filament views. Added unit, feature, and browser tests. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #425
5.8 KiB
Repo Truth Map: Spec 354 - Finding Exceptions / Accepted Risk Resolution Guidance v1
Scope
Bounded accepted-risk guidance follow-up over the existing queue and detail owner surfaces.
This prep package must not reopen completed customer-review, provider-readiness, or broad governance-workbench packages.
Candidate Selection Summary
- Selected candidate: direct user-provided Spec 354 draft
- Why selected:
  - explicit user-provided next slice
  - explicit follow-up note in Spec 353
  - strategic queue audit ui-012-finding-exceptions-queue.md: existing repo-real accepted-risk foundations already exist, so the narrow next step is productization on the owning surfaces
- Why not the older backlog items:
  - the active candidate queue says no safe automatic next-best-prep target remains
  - earlier customer-review/provider/governance lanes already have newer spec packages
  - this user-provided candidate is a bounded direct follow-up rather than a duplicate refresh of an older manual-promotion item
Completed-Spec Guardrail Result
| Related spec | Status in repo | Guardrail handling |
|---|---|---|
| Spec 343 - Customer Review Attestation / Accepted Risk Lifecycle | Implemented | context only |
| Spec 346 - Governance Inbox Final Operator Workflow | Draft | adjacent context only |
| Spec 349 - Customer Review Workspace Output Resolution Guidance | Draft | adjacent context only |
| Spec 350 - Operator Resolution Guidance Framework v1 | Draft | shared-contract context only |
| Spec 351 - Review Output Resolve Actions v1 | Draft | adjacent action-mapping context only |
| Spec 352 - Environment Dashboard Operator Guidance Consolidation | Draft | adjacent routing/wiring context only |
| Spec 353 - Provider Connections Resolution Guidance v1 | Implemented (close-out audit pending) | context only; do not reopen |
No completed spec package is being normalized back into preparation-only wording.
Primary Runtime Surfaces
| Surface | Repo truth | Why it matters to Spec 354 |
|---|---|---|
| FindingExceptionsQueue | workspace-wide accepted-risk queue with selected-record review state, explicit environment_id filter, approve/reject actions, and related links | primary operator owner surface |
| ViewFindingException | environment-bound accepted-risk detail with renew/revoke actions and decision-register return-link support | action-owning detail surface |
| FindingExceptionResource | accepted-risk resource with global search disabled | keep global search unchanged and preserve current resource contract |
| FindingRiskGovernanceResolver | derives workflow family, warnings, narrative, next action, validity, and governance attention | primary existing truth source for guidance selection |
| GovernanceInboxSectionBuilder | emits accepted-risk lane labels, due context, and Review accepted risk deep link | continuity source, not owner surface |
| EnvironmentReviewComposer and current review-pack summaries | already emit customer-safe accepted-risk wording | wording reference only; downstream artifacts stay unchanged in this slice |
Runtime Signals Already Available
| Signal family | Existing repo-backed inputs |
|---|---|
| Exception lifecycle | status, current_validity_state, expires_at, review_due_at, revoked_at, currentDecisionType() |
| Governance support completeness | owner, request reason, evidence refs, pending-renewal state, valid exception presence |
| Finding relationship | linked Finding, workflow family, accepted-risk status, stale-governance warning text |
| Queue/detail action truth | approve, reject, renew, revoke, inspect/open links, and current related-context disclosure |
| Downstream review impact | current review-output accepted-risk wording exists as reference truth, but downstream artifacts are not in-scope mutation targets for this slice |
Draft-To-Repo Corrections
- The queue already exists and is already the accepted-risk workbench. Spec 354 must productize it rather than inventing a new queue or register.
- The detail page already owns renew/revoke actions. Spec 354 must keep those actions source-owned.
- FindingRiskGovernanceResolver already contains accepted-risk narrative and next-action truth. Spec 354 must adapt or wrap it instead of writing a second lifecycle interpreter from scratch.
- Governance Inbox already routes accepted-risk work into the queue with a repo-real label. Spec 354 only needs continuity, not a new inbox lane.
- Customer-safe accepted-risk wording already exists in downstream review surfaces. Spec 354 must keep those surfaces secondary.
Current Gaps This Spec May Close
| Gap | Repo evidence |
|---|---|
| No single dominant guidance case on queue owner surface | queue audit ui-012 and current queue/detail runtime split |
| Accepted-risk explanation still distributed across badges, warnings, and grouped actions | current queue/detail structure plus resolver copy |
| Existing fresh-decision-required warning is not yet promoted into a decision-first summary on the owner surfaces | requiresFreshDecisionForFinding() plus resolver warning copy already exist, but remain embedded inside secondary warning treatment |
Out Of Scope Confirmed By Repo Truth
- No new accepted-risk or attestation table
- No new review-pack format or export renderer
- No new provider-readiness work
- No new Governance Inbox or dashboard rebuild
- No new portal or customer-facing standalone accepted-risk page
- No new global-search enablement for FindingExceptionResource
Likely Narrow Implementation Shape
- one bounded accepted-risk adapter or selector under the existing resolution-guidance support path
- queue summary integration
- detail summary integration
- continuity fixes only where current Governance Inbox deep links or owner-surface wording would otherwise contradict the new guidance
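The following is an added illustration of the "one bounded adapter or selector" shape, written for this page and not taken from the repo: it is not the AcceptedRiskResolutionAdapter named in the commit message, and it does not call FindingRiskGovernanceResolver. It shows how the lifecycle and governance-support signals listed under Runtime Signals Already Available can be collapsed into exactly one dominant case with one next action, with the fresh-decision-required signal promoted ahead of every "still valid" signal, which is the gap the table above describes. All class, enum and field names (AcceptedRiskSnapshot, AcceptedRiskGuidanceSelector, the status string values, the next-action strings) are hypothetical; the only assumed contract is that the owner surfaces already expose approve, reject, renew, revoke and inspect.

```php
<?php
declare(strict_types=1);

// Added illustration only. Every name here is hypothetical and is not the repo's
// AcceptedRiskResolutionAdapter or FindingRiskGovernanceResolver.

enum AcceptedRiskCase: string
{
    case Revoked = 'revoked';
    case FreshDecisionRequired = 'fresh_decision_required';
    case PendingDecision = 'pending_decision';
    case Expired = 'expired';
    case RenewalDue = 'renewal_due';
    case SupportIncomplete = 'governance_support_incomplete';
    case Valid = 'valid';
}

/** Snapshot of the lifecycle and governance-support signals listed in the signals table. */
final class AcceptedRiskSnapshot
{
    public function __construct(
        public readonly string $status,              // assumed values: pending|approved|rejected|revoked
        public readonly ?DateTimeImmutable $expiresAt,
        public readonly ?DateTimeImmutable $reviewDueAt,
        public readonly ?DateTimeImmutable $revokedAt,
        public readonly bool $requiresFreshDecision, // what requiresFreshDecisionForFinding() would report
        public readonly bool $hasOwner,
        public readonly bool $hasRequestReason,
        public readonly int $evidenceRefCount,
    ) {}
}

/** One dominant case, one summary line, one next action already owned by queue/detail. */
final class AcceptedRiskGuidance
{
    public function __construct(
        public readonly AcceptedRiskCase $case,
        public readonly string $summary,
        public readonly string $nextAction, // assumed: approve, reject, renew, revoke, inspect, none
    ) {}
}

final class AcceptedRiskGuidanceSelector
{
    public function __construct(private readonly DateTimeImmutable $now) {}

    /**
     * Precedence is strictly top-down, so a record never surfaces two competing
     * headlines: revocation is terminal, a required fresh decision outranks every
     * validity signal, and support gaps are only reported on an otherwise valid record.
     */
    public function select(AcceptedRiskSnapshot $s): AcceptedRiskGuidance
    {
        if ($s->revokedAt !== null || $s->status === 'revoked') {
            return new AcceptedRiskGuidance(AcceptedRiskCase::Revoked,
                'Acceptance revoked; the finding is open again and needs a new decision.', 'inspect');
        }
        if ($s->requiresFreshDecision) {
            return new AcceptedRiskGuidance(AcceptedRiskCase::FreshDecisionRequired,
                'The finding changed after this decision; re-decide before relying on it.', 'renew');
        }
        if ($s->status === 'pending') {
            return new AcceptedRiskGuidance(AcceptedRiskCase::PendingDecision,
                'Acceptance requested but not yet approved or rejected.', 'approve');
        }
        if ($s->expiresAt !== null && $s->expiresAt <= $this->now) {
            return new AcceptedRiskGuidance(AcceptedRiskCase::Expired,
                'Acceptance has expired; the finding is no longer covered.', 'renew');
        }
        if ($s->reviewDueAt !== null && $s->reviewDueAt <= $this->now) {
            return new AcceptedRiskGuidance(AcceptedRiskCase::RenewalDue,
                'Review date reached; renew or revoke before expiry.', 'renew');
        }
        if (!$s->hasOwner || !$s->hasRequestReason || $s->evidenceRefCount === 0) {
            return new AcceptedRiskGuidance(AcceptedRiskCase::SupportIncomplete,
                'Acceptance is valid but missing owner, reason or evidence.', 'inspect');
        }
        return new AcceptedRiskGuidance(AcceptedRiskCase::Valid,
            'Acceptance is valid and fully supported.', 'none');
    }
}

// Constructed sample: an approved, unexpired, fully supported exception whose
// underlying finding changed after the decision was taken.
$now = new DateTimeImmutable('2025-01-15T00:00:00Z');
$snapshot = new AcceptedRiskSnapshot(
    status: 'approved',
    expiresAt: new DateTimeImmutable('2025-06-01T00:00:00Z'),
    reviewDueAt: new DateTimeImmutable('2025-03-01T00:00:00Z'),
    revokedAt: null,
    requiresFreshDecision: true,
    hasOwner: true,
    hasRequestReason: true,
    evidenceRefCount: 2,
);
$guidance = (new AcceptedRiskGuidanceSelector($now))->select($snapshot);
echo $guidance->case->value, ' -> ', $guidance->nextAction, PHP_EOL;
```

For the constructed sample the selector reports the fresh-decision case and a renew action even though expiry, review date and support completeness all read as healthy; that is the decision-first ordering the gaps table asks for. The selector is deliberately pure (a snapshot in, one guidance value out) so that unit tests can cover each precedence branch without a database, and so that the queue and detail surfaces can render the same result from the same function instead of re-deriving it from badges and warnings separately.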