TenantAtlas/specs/354-finding-exceptions-accepted-risk-resolution-guidance-v1/contracts/accepted-risk-guidance-signal-map.md
ahmido a9c54205bf feat: finding exceptions accepted risk resolution guidance v1 (spec 354) (#425)
Implemented the accepted risk resolution guidance, including the AcceptedRiskResolutionAdapter, guidance cards, and updated related Filament views. Added unit, feature, and browser tests.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #425
2026-06-05 02:20:46 +00:00

# Accepted Risk Guidance Signal Map: Spec 354
Inventory the existing repo-backed signals that may feed accepted-risk resolution guidance without adding new persistence or new workflow truth.
## Required Inputs
| Signal | Current source | Notes |
|---|---|---|
| Exception status | `FindingException.status` | existing lifecycle truth |
| Validity state | `FindingException.current_validity_state` and resolver output | existing governance-support truth |
| Review due / expiry | `FindingException.review_due_at`, `expires_at` | existing urgency inputs |
| Decision posture | `FindingException.currentDecisionType()` and `FindingExceptionDecision` | existing lifecycle/action context |
| Linked finding state | `Finding` + `FindingRiskGovernanceResolver` | existing risk-accepted workflow truth |
| Owner / rationale presence | existing `FindingException` fields | completeness signals only |
| Related evidence / audit / review context | existing linked routes and summaries only | secondary links, not primary truth |
## Guidance Cases
| Case key | Required signals | Primary action | Secondary actions | Notes |
|---|---|---|---|---|
| `accepted_risk.ready` | valid support, no urgent expiry, complete governance support | inspect accepted risk or no urgent action | finding / existing related context where repo-backed | calm state only |
| `accepted_risk.expiring` | expiring validity | review accepted risk | open finding / existing related context / evidence references | high-priority queue case |
| `accepted_risk.expired` | expired support | review accepted risk | open finding / decision history | no fake auto-renew |
| `accepted_risk.revoked_or_rejected` | revoked or rejected support | open finding or review accepted risk | decision history / related context | action depends on current repo-backed source owner |
| `accepted_risk.pending` | pending approval or pending renewal | review accepted risk | open finding / decision history | keep language conservative |
| `accepted_risk.missing_support` | existing exception record has `current_validity_state=missing_support` or equivalent repo-real missing-support posture | review accepted risk | open finding / decision history | owner surfaces do not synthesize no-record accepted-risk rows |
| `accepted_risk.fresh_decision_required` | `FindingException::requiresFreshDecisionForFinding()` is true and resolver warning copy is present | review accepted risk | open finding / decision history | preserve current repo-real signal; do not broaden into a new stale-governance framework |
| `accepted_risk.incomplete_governance` | missing owner, rationale, or review support on an existing exception record | review accepted risk | open finding / existing related context | use only repo-backed completeness signals |
| `accepted_risk.wording_reference` | conservative accepted-risk wording already exists in current review truth | no downstream artifact mutation in this slice | open accepted risk / open finding when repo-backed | owner-surface wording reference only |
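
The table above lists the cases but does not say which one wins when several signals hold at once (an exception can be both expiring and missing an owner). The following PHP is an added illustration, not TenantAtlas code or its `AcceptedRiskResolutionAdapter`: it models the case selection as a pure function over values that are already loaded, so it can be unit tested without Eloquent, Filament, or any live provider call during render. Everything beyond the column names is an assumption of this example: the literal status and validity-state values (`approved`, `revoked`, `rejected`, `pending_approval`, `pending_renewal`, `valid`, `expiring`, `expired`, `missing_support`), the 30-day expiring window, and the precedence order (terminal states, then missing or pending support, then time-based urgency, then completeness, then the calm state). The `accepted_risk.wording_reference` case is a wording reference rather than a lifecycle state, so it is left out.

```php
<?php
declare(strict_types=1);

// Added example, not project code. Signal values and thresholds are assumptions
// chosen to mirror the columns of the spec table, not the repo's real enums.

final class AcceptedRiskSignals
{
    public function __construct(
        public readonly string $status,                 // FindingException.status (assumed values)
        public readonly string $validityState,          // FindingException.current_validity_state (assumed values)
        public readonly ?DateTimeImmutable $reviewDueAt, // FindingException.review_due_at
        public readonly ?DateTimeImmutable $expiresAt,   // FindingException.expires_at
        public readonly bool $requiresFreshDecision,    // requiresFreshDecisionForFinding()
        public readonly bool $hasOwner,                 // completeness signal only
        public readonly bool $hasRationale,             // completeness signal only
    ) {}
}

final class AcceptedRiskCaseSelector
{
    // Assumed window: an exception whose expiry or review-due date falls
    // within this many days is surfaced as "expiring".
    private const EXPIRING_WINDOW_DAYS = 30;

    public function select(AcceptedRiskSignals $s, DateTimeImmutable $now): string
    {
        // Precedence is an assumption of this example; the spec table does not order its cases.
        if (in_array($s->status, ['revoked', 'rejected'], true)) {
            return 'accepted_risk.revoked_or_rejected';
        }
        if ($s->validityState === 'missing_support') {
            return 'accepted_risk.missing_support';
        }
        if (in_array($s->status, ['pending_approval', 'pending_renewal'], true)) {
            return 'accepted_risk.pending';
        }
        if ($s->validityState === 'expired'
            || ($s->expiresAt !== null && $s->expiresAt <= $now)) {
            return 'accepted_risk.expired';
        }
        if ($s->requiresFreshDecision) {
            // Preserve the one bounded repo-real signal; no further staleness inference.
            return 'accepted_risk.fresh_decision_required';
        }
        $window = $now->add(new DateInterval('P' . self::EXPIRING_WINDOW_DAYS . 'D'));
        $soonest = self::earliest($s->reviewDueAt, $s->expiresAt);
        if ($s->validityState === 'expiring' || ($soonest !== null && $soonest <= $window)) {
            return 'accepted_risk.expiring';
        }
        if (!$s->hasOwner || !$s->hasRationale || $s->reviewDueAt === null) {
            return 'accepted_risk.incomplete_governance';
        }
        return 'accepted_risk.ready';
    }

    private static function earliest(?DateTimeImmutable $a, ?DateTimeImmutable $b): ?DateTimeImmutable
    {
        if ($a === null) {
            return $b;
        }
        if ($b === null) {
            return $a;
        }
        return $a <= $b ? $a : $b;
    }
}

// Constructed sample: an approved exception with complete governance support
// whose validity expires in ten days, so urgency should outrank the calm state.
$now = new DateTimeImmutable('2026-06-05T00:00:00Z');
$signals = new AcceptedRiskSignals(
    status: 'approved',
    validityState: 'valid',
    reviewDueAt: new DateTimeImmutable('2026-09-01T00:00:00Z'),
    expiresAt: new DateTimeImmutable('2026-06-15T00:00:00Z'),
    requiresFreshDecision: false,
    hasOwner: true,
    hasRationale: true,
);
echo (new AcceptedRiskCaseSelector())->select($signals, $now) . PHP_EOL;
```

Keeping the selector a pure function of already-loaded fields is what makes the Forbidden Signals list below enforceable: nothing in the render path can reach a provider, a session, or a legacy alias, because the selector has no handle to any of them, and a feature test can assert the chosen case for each row of the table by constructing the signals directly.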
## Guardrail
Current repo truth already exposes one bounded fresh-decision-required signal through `FindingException::requiresFreshDecisionForFinding()` and `FindingRiskGovernanceResolver`.
This slice may preserve and surface that signal more clearly, but it must not add a broader timestamp-, diff-, or change-history-based stale-governance framework.
## Forbidden Signals
- live Graph/provider calls during render
- synthetic review-impact scores
- inferred customer-safe summaries that are not already repo-backed
- hidden shell/session context treated as accepted-risk authority
- legacy query aliases treated as scope authority