153 lines
10 KiB
Markdown
153 lines
10 KiB
Markdown
# Research — Compliance Evidence Mapping v1
|
|
|
|
**Date**: 2026-04-30
|
|
**Spec**: [spec.md](spec.md)
|
|
|
|
This document resolves the planning decisions for the smallest safe versioned interpretation overlay over the repo's existing canonical control references and released review truth.
|
|
|
|
## Decision 1 — Keep the existing customer review workspace and released-review detail flow as the only primary and secondary surfaces
|
|
|
|
**Decision**: Reuse [../../apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php](../../apps/platform/app/Filament/Pages/Reviews/CustomerReviewWorkspace.php) as the primary decision surface and [../../apps/platform/app/Filament/Resources/TenantReviewResource/Pages/ViewTenantReview.php](../../apps/platform/app/Filament/Resources/TenantReviewResource/Pages/ViewTenantReview.php) under the existing `customer_workspace` query flag as the only secondary context surface.
|
|
|
|
**Rationale**:
|
|
- The repo already has the admin-plane route, tenant-safe prefilter behavior, customer-workspace query context, and bounded feature and browser tests for these surfaces.
|
|
- The missing piece is shared interpretation, not new routing, a new panel, or a portal shell.
|
|
- Reusing the existing surfaces keeps the feature aligned with the authoritative spec and avoids a second customer-review UX vocabulary.
|
|
|
|
**Alternatives considered**:
|
|
- Add a dedicated compliance portal or a second customer-only page.
|
|
- Rejected: duplicates the current review-consumption path and widens scope into shell-level IA.
|
|
- Push all explanation into the workspace only.
|
|
- Rejected: would leave the first drilldown without the detailed control explanation the spec requires.
|
|
|
|
## Decision 2 — Derive the interpretation once during tenant review composition and reuse it through existing review payloads
|
|
|
|
**Decision**: Materialize the mapped control/readiness contract during tenant review composition by extending [../../apps/platform/app/Services/TenantReviews/TenantReviewSectionFactory.php](../../apps/platform/app/Services/TenantReviews/TenantReviewSectionFactory.php) and [../../apps/platform/app/Services/TenantReviews/TenantReviewComposer.php](../../apps/platform/app/Services/TenantReviews/TenantReviewComposer.php), then reuse that stored result in both workspace and detail surfaces.
|
|
|
|
**Rationale**:
|
|
- The spec requires the same mapped control meaning and interpretation version to remain consistent between workspace and released-review detail.
|
|
- Carrying the result inside existing `TenantReview` and `TenantReviewSection` payloads preserves traceability for older released reviews without a new persistence table.
|
|
- A single compose-time pass is the narrowest way to prevent page-level drift.
|
|
|
|
**Alternatives considered**:
|
|
- Compute the interpretation separately in each page.
|
|
- Rejected: two local mappers would drift and would not preserve older review history against the version used at release time.
|
|
- Add a new projection table or report artifact for the overlay.
|
|
- Rejected: violates the no-new-persistence constraint.
|
|
|
|
## Decision 3 — Keep canonical control identity on the existing catalog and resolver seams
|
|
|
|
**Decision**: Reuse [../../apps/platform/app/Support/Governance/Controls/CanonicalControlCatalog.php](../../apps/platform/app/Support/Governance/Controls/CanonicalControlCatalog.php), [../../apps/platform/app/Support/Governance/Controls/CanonicalControlDefinition.php](../../apps/platform/app/Support/Governance/Controls/CanonicalControlDefinition.php), and [../../apps/platform/app/Support/Governance/Controls/CanonicalControlResolver.php](../../apps/platform/app/Support/Governance/Controls/CanonicalControlResolver.php) as the only control identity and resolution path.
|
|
|
|
**Rationale**:
|
|
- The catalog already exposes provider-neutral control keys, names, summaries, and domain metadata suitable for customer-safe labels.
|
|
- The resolver already maps Microsoft-owned evidence signals onto canonical controls upstream in evidence collection.
|
|
- The feature needs an interpretation overlay over canonical controls, not a second control taxonomy or framework registry.
|
|
|
|
**Alternatives considered**:
|
|
- Add a second customer-facing control catalog.
|
|
- Rejected: duplicates platform-core control truth and increases drift risk.
|
|
- Move provider-specific signal mapping into the UI.
|
|
- Rejected: deepens provider coupling in the wrong layer and violates the one-shared-path requirement.
|
|
|
|
## Decision 4 — Carry one explicit version label inside existing review truth and audit metadata
|
|
|
|
**Decision**: Use one explicit overlay version key, carried inside existing review payloads and surfaced anywhere the mapped control/readiness view appears. The planning baseline is a single v1 key such as `compliance_evidence_mapping.v1`.
|
|
|
|
**Rationale**:
|
|
- FR-003 and FR-014 require the interpretation version to be visible and traceable.
|
|
- Embedding the version into current review payloads preserves what an older released review meant at the time it was composed.
|
|
- The existing audit pipeline can carry the same version context without a new audit store.
|
|
|
|
**Alternatives considered**:
|
|
- Recompute the current version at render time only.
|
|
- Rejected: older released reviews could silently change meaning after later rule updates.
|
|
- Add a dedicated database column or separate version-history model.
|
|
- Rejected: broader persistence change than the current release truth needs.
|
|
|
|
## Decision 5 — Use a bounded readiness contract with explicit limitation flags instead of pass/fail or certification language
|
|
|
|
**Decision**: Keep the customer-safe interpretation contract bounded to a small readiness vocabulary plus explicit limitation flags. The planned primary readiness buckets are:
|
|
|
|
- `follow_up_required`
|
|
- `review_recommended`
|
|
- `evidence_on_record`
|
|
|
|
The planned limitation flags are:
|
|
|
|
- `accepted_risk_influenced`
|
|
- `partial_mapping`
|
|
- `stale_evidence`
|
|
- `supporting_evidence_unavailable`
|
|
- `unmapped`
|
|
|
|
**Rationale**:
|
|
- The feature must help a customer decide what needs follow-up without implying formal certification or legal compliance.
|
|
- A small readiness vocabulary with explicit limitation modifiers is easier to localize, easier to test, and less likely to overstate the evidence basis than a large scoring system.
|
|
- Keeping accepted risk as a modifier preserves the distinction between a governed exception and a fully positive readiness claim.
|
|
|
|
**Alternatives considered**:
|
|
- Use compliant / non-compliant / certified language.
|
|
- Rejected: overstates what the product can legitimately claim.
|
|
- Add a larger scorecard or framework-specific status ladder.
|
|
- Rejected: imports framework-engine complexity that the spec explicitly defers.
|
|
|
|
## Decision 6 — Keep supporting proof on the existing evidence routes and current capability checks
|
|
|
|
**Decision**: Reuse [../../apps/platform/app/Filament/Resources/EvidenceSnapshotResource.php](../../apps/platform/app/Filament/Resources/EvidenceSnapshotResource.php) and existing evidence detail pages as the only supporting-proof routes for this slice.
|
|
|
|
**Rationale**:
|
|
- Existing evidence resources already enforce tenant scope, capability checks, and audit semantics.
|
|
- The spec calls for deeper proof only after explicit drilldown, not a new proof viewer or raw payload surface.
|
|
- Keeping proof access secondary preserves one dominant workspace action and avoids export/package redesign.
|
|
|
|
**Alternatives considered**:
|
|
- Add a new customer-only proof viewer.
|
|
- Rejected: duplicates evidence routing and widens scope.
|
|
- Put raw proof details directly on the workspace row.
|
|
- Rejected: violates the decision-first disclosure hierarchy.
|
|
|
|
## Decision 7 — Reuse existing audit action IDs and enrich metadata before creating new audit concepts
|
|
|
|
**Decision**: Keep the audit path on [../../apps/platform/app/Support/Audit/AuditActionId.php](../../apps/platform/app/Support/Audit/AuditActionId.php) and [../../apps/platform/app/Services/Audit/WorkspaceAuditLogger.php](../../apps/platform/app/Services/Audit/WorkspaceAuditLogger.php), reusing `customer_review_workspace.opened`, `tenant_review.opened`, and `evidence_snapshot.opened` with interpretation-version metadata where needed.
|
|
|
|
**Rationale**:
|
|
- The required access moments already exist as auditable actions in the repo.
|
|
- The remaining requirement is traceability of the interpretation version and source surface, which fits shared metadata better than a new event family.
|
|
- Reusing the current audit path preserves consistent redaction and workspace or tenant context handling.
|
|
|
|
**Alternatives considered**:
|
|
- Create a new compliance-evidence audit stream.
|
|
- Rejected: unnecessary persistence and ownership cost for a read-only slice.
|
|
- Leave version context unaudited.
|
|
- Rejected: weakens FR-014 traceability.
|
|
|
|
## Decision 8 — Keep validation inside the current review and evidence feature families plus the single existing browser smoke
|
|
|
|
**Decision**: Expand the existing review and evidence feature tests and keep [../../apps/platform/tests/Browser/Reviews/CustomerReviewWorkspaceSmokeTest.php](../../apps/platform/tests/Browser/Reviews/CustomerReviewWorkspaceSmokeTest.php) as the only browser proof.
|
|
|
|
**Rationale**:
|
|
- The repo already has narrow feature files for canonical control references, workspace behavior, detail explanation, authorization, navigation context, and evidence routes.
|
|
- Those files are the cheapest honest proof for isolation, consistent wording, and cross-surface reuse.
|
|
- One bounded smoke is enough to catch rendered disclosure regressions without creating a new heavy test family.
|
|
|
|
**Alternatives considered**:
|
|
- Add a broader browser suite for every control state and evidence path.
|
|
- Rejected: too expensive for the bounded value of this slice.
|
|
- Rely only on unit tests around a new helper.
|
|
- Rejected: feature behavior and tenant-safe disclosure still need surface-level proof.
|
|
|
|
## Decision 9 — Keep Governance-as-a-Service Packaging and framework-specific overlays explicitly deferred
|
|
|
|
**Decision**: Treat this package as the foundational shared interpretation contract only. Governance-as-a-Service Packaging and framework-specific overlays remain follow-up work after the v1 overlay is stable.
|
|
|
|
**Rationale**:
|
|
- The spec explicitly defers both areas.
|
|
- Packaging work should consume a proven shared interpretation contract rather than shaping it prematurely.
|
|
- Framework-specific overlays would force broader taxonomy and copy decisions before one customer-safe path is validated.
|
|
|
|
**Alternatives considered**:
|
|
- Fold packaging-ready exports into this feature.
|
|
- Rejected: broadens scope into report-system territory.
|
|
- Add BSI, NIS2, CIS, or ISO-specific overlay semantics now.
|
|
- Rejected: imports a framework engine before the base interpretation path is proven. |