Implemented the accepted risk resolution guidance, including the AcceptedRiskResolutionAdapter, guidance cards, and updated related Filament views. Added unit, feature, and browser tests. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #425
44 lines
3.6 KiB
Markdown
# Accepted Risk Guidance Signal Map: Spec 354
Inventory the existing repo-backed signals that may feed accepted-risk resolution guidance without adding new persistence or new workflow truth.
## Required Inputs
| Signal | Current source | Notes |
|---|---|---|
| Exception status | `FindingException.status` | existing lifecycle truth |
| Validity state | `FindingException.current_validity_state` and resolver output | existing governance-support truth |
| Review due / expiry | `FindingException.review_due_at`, `expires_at` | existing urgency inputs |
| Decision posture | `FindingException.currentDecisionType()` and `FindingExceptionDecision` | existing lifecycle/action context |
| Linked finding state | `Finding` + `FindingRiskGovernanceResolver` | existing risk-accepted workflow truth |
| Owner / rationale presence | existing `FindingException` fields | completeness signals only |
| Related evidence / audit / review context | existing linked routes and summaries only | secondary links, not primary truth |
## Guidance Cases
| Case key | Required signals | Primary action | Secondary actions | Notes |
|---|---|---|---|---|
| `accepted_risk.ready` | valid support, no urgent expiry, complete governance support | inspect accepted risk or no urgent action | finding / existing related context where repo-backed | calm state only |
| `accepted_risk.expiring` | expiring validity | review accepted risk | open finding / existing related context / evidence references | high-priority queue case |
| `accepted_risk.expired` | expired support | review accepted risk | open finding / decision history | no fake auto-renew |
| `accepted_risk.revoked_or_rejected` | revoked or rejected support | open finding or review accepted risk | decision history / related context | action depends on current repo-backed source owner |
| `accepted_risk.pending` | pending approval or pending renewal | review accepted risk | open finding / decision history | keep language conservative |
| `accepted_risk.missing_support` | existing exception record has `current_validity_state=missing_support` or equivalent repo-real missing-support posture | review accepted risk | open finding / decision history | owner surfaces do not synthesize no-record accepted-risk rows |
| `accepted_risk.fresh_decision_required` | `FindingException::requiresFreshDecisionForFinding()` is true and resolver warning copy is present | review accepted risk | open finding / decision history | preserve current repo-real signal; do not broaden into a new stale-governance framework |
| `accepted_risk.incomplete_governance` | missing owner, rationale, or review support on an existing exception record | review accepted risk | open finding / existing related context | use only repo-backed completeness signals |
| `accepted_risk.wording_reference` | conservative accepted-risk wording already exists in current review truth | no downstream artifact mutation in this slice | open accepted risk / open finding when repo-backed | owner-surface wording reference only |
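The table above is a decision table, and the one thing it leaves implicit is precedence: a single exception record can carry several of these signals at once (pending renewal and an expiring validity, say), yet the owner surface must show exactly one case. The following is an added illustration of that derivation and is not the project's `AcceptedRiskResolutionAdapter` or any of its Filament views. The `AcceptedRiskSignals` value object, the `fromException()` factory, the string values assumed for `status` and `current_validity_state`, the `owner` / `rationale` column names and the precedence order are all assumptions of this example; only the field and method names listed in the Required Inputs table come from the spec.

```php
<?php
declare(strict_types=1);

// Added example for the signal map; not the project's adapter.
// AcceptedRiskSignals, fromException(), the status/validity string values,
// the owner/rationale column names and the precedence order are assumptions.

/** Plain snapshot of already-loaded, repo-backed values. Holds no model and runs no queries. */
final class AcceptedRiskSignals
{
    public function __construct(
        public readonly string $status,          // assumed values: approved|pending_approval|pending_renewal|revoked|rejected
        public readonly string $validityState,   // assumed values: valid|expiring|expired|missing_support
        public readonly bool $requiresFreshDecision,
        public readonly bool $hasOwner,
        public readonly bool $hasRationale,
        public readonly bool $hasReviewDue,
    ) {}

    /**
     * Build the snapshot from an existing FindingException that is already in memory.
     * Only spec-named fields are read (status, current_validity_state, review_due_at,
     * requiresFreshDecisionForFinding()); owner / rationale column names are assumed.
     * Nothing here touches persistence or a live provider, per Forbidden Signals.
     */
    public static function fromException(object $exception): self
    {
        return new self(
            status: (string) $exception->status,
            validityState: (string) $exception->current_validity_state,
            requiresFreshDecision: (bool) $exception->requiresFreshDecisionForFinding(),
            hasOwner: !empty($exception->owner),            // assumed column name
            hasRationale: !empty($exception->rationale),    // assumed column name
            hasReviewDue: $exception->review_due_at !== null,
        );
    }
}

/**
 * Map a snapshot to exactly one case key from the Guidance Cases table.
 * Precedence (an assumption of this example): the posture that most blocks
 * reliance on the acceptance wins, so the calm `ready` case is reached only
 * when nothing else applies. `wording_reference` is a copy reference, not a
 * lifecycle posture, so it is deliberately not produced here.
 */
function resolveAcceptedRiskCase(AcceptedRiskSignals $s): string
{
    if (in_array($s->status, ['revoked', 'rejected'], true)) {
        return 'accepted_risk.revoked_or_rejected';
    }
    if ($s->validityState === 'expired') {
        return 'accepted_risk.expired';
    }
    if (in_array($s->status, ['pending_approval', 'pending_renewal'], true)) {
        return 'accepted_risk.pending';
    }
    if ($s->validityState === 'missing_support') {
        return 'accepted_risk.missing_support';
    }
    if ($s->requiresFreshDecision) {
        return 'accepted_risk.fresh_decision_required';
    }
    if ($s->validityState === 'expiring') {
        return 'accepted_risk.expiring';
    }
    if (!($s->hasOwner && $s->hasRationale && $s->hasReviewDue)) {
        return 'accepted_risk.incomplete_governance';
    }
    return 'accepted_risk.ready';
}

// Constructed sample: pending renewal AND expiring validity on one record.
// Precedence makes the pending posture win, so the card does not read as a calm expiry notice.
$sample = new AcceptedRiskSignals(
    status: 'pending_renewal',
    validityState: 'expiring',
    requiresFreshDecision: false,
    hasOwner: true,
    hasRationale: true,
    hasReviewDue: true,
);
echo resolveAcceptedRiskCase($sample), PHP_EOL; // accepted_risk.pending
```

Keeping the snapshot a plain value object is the point: the adapter can be unit-tested with constructed inputs (as above), and by construction it cannot reach for a Graph/provider call or shell context during render, because it never sees anything beyond the fields the spec already names.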
## Guardrail
Current repo truth already exposes one bounded fresh-decision-required signal through `FindingException::requiresFreshDecisionForFinding()` and `FindingRiskGovernanceResolver`.
This slice may preserve and surface that signal more clearly, but it must not add a broader timestamp-, diff-, or change-history-based stale-governance framework.
## Forbidden Signals
- live Graph/provider calls during render
- synthetic review-impact scores
- inferred customer-safe summaries that are not already repo-backed
- hidden shell/session context treated as accepted-risk authority
- legacy query aliases treated as scope authority