Implemented the accepted risk resolution guidance, including the AcceptedRiskResolutionAdapter, guidance cards, and updated related Filament views. Added unit, feature, and browser tests. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #425
3.6 KiB
Accepted Risk Guidance Signal Map: Spec 354
Inventory the existing repo-backed signals that may feed accepted-risk resolution guidance without adding new persistence or new workflow truth.
Required Inputs
| Signal | Current source | Notes |
|---|---|---|
| Exception status | FindingException.status | existing lifecycle truth |
| Validity state | FindingException.current_validity_state and resolver output | existing governance-support truth |
| Review due / expiry | FindingException.review_due_at, expires_at | existing urgency inputs |
| Decision posture | FindingException.currentDecisionType() and FindingExceptionDecision | existing lifecycle/action context |
| Linked finding state | Finding + FindingRiskGovernanceResolver | existing risk-accepted workflow truth |
| Owner / rationale presence | existing FindingException fields | completeness signals only |
| Related evidence / audit / review context | existing linked routes and summaries only | secondary links, not primary truth |
Guidance Cases
| Case key | Required signals | Primary action | Secondary actions | Notes |
|---|---|---|---|---|
| accepted_risk.ready | valid support, no urgent expiry, complete governance support | inspect accepted risk or no urgent action | finding / existing related context where repo-backed | calm state only |
| accepted_risk.expiring | expiring validity | review accepted risk | open finding / existing related context / evidence references | high-priority queue case |
| accepted_risk.expired | expired support | review accepted risk | open finding / decision history | no fake auto-renew |
| accepted_risk.revoked_or_rejected | revoked or rejected support | open finding or review accepted risk | decision history / related context | action depends on current repo-backed source owner |
| accepted_risk.pending | pending approval or pending renewal | review accepted risk | open finding / decision history | keep language conservative |
| accepted_risk.missing_support | existing exception record has current_validity_state=missing_support or equivalent repo-real missing-support posture | review accepted risk | open finding / decision history | owner surfaces do not synthesize no-record accepted-risk rows |
| accepted_risk.fresh_decision_required | FindingException::requiresFreshDecisionForFinding() is true and resolver warning copy is present | review accepted risk | open finding / decision history | preserve current repo-real signal; do not broaden into a new stale-governance framework |
| accepted_risk.incomplete_governance | missing owner, rationale, or review support on an existing exception record | review accepted risk | open finding / existing related context | use only repo-backed completeness signals |
| accepted_risk.wording_reference | conservative accepted-risk wording already exists in current review truth | no downstream artifact mutation in this slice | open accepted risk / open finding when repo-backed | owner-surface wording reference only |
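The case table above lists which repo-backed signals select which guidance card, but not the order in which the cases are tested. The following PHP script is an added example, not the project's AcceptedRiskResolutionAdapter, showing one way to turn those signals into a single case key with its primary and secondary actions. It uses a constructed DTO (AcceptedRiskSignals) in place of the real FindingException model, and the status strings ('revoked', 'rejected', 'pending_approval', 'pending_renewal'), the 14-day expiring window, and the case precedence are all assumptions of this example; the spec names the cases but does not rank them or define those values. The wording_reference case is a copy hint rather than a lifecycle state, so it is not part of the mapping.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the repo-backed signals in the map above. Field
// names follow the "Current source" column; the status and validity-state
// string values are assumed labels, not the project's real enum values.
final class AcceptedRiskSignals
{
    public function __construct(
        public string $status,                   // FindingException.status
        public string $currentValidityState,     // FindingException.current_validity_state
        public ?DateTimeImmutable $reviewDueAt,  // FindingException.review_due_at
        public ?DateTimeImmutable $expiresAt,    // FindingException.expires_at
        public bool $hasOwner,                   // existing FindingException fields
        public bool $hasRationale,
        public bool $requiresFreshDecision,      // FindingException::requiresFreshDecisionForFinding()
        public bool $hasResolverWarningCopy,     // resolver warning copy is present
    ) {}
}

final class GuidanceCase
{
    /** @param string[] $secondaryActions */
    public function __construct(
        public string $key,
        public string $primaryAction,
        public array $secondaryActions,
    ) {}
}

/**
 * Maps the signals to exactly one lifecycle case key from the table.
 * The precedence (revoked/rejected, missing support, fresh decision, pending,
 * expired, expiring, incomplete governance, ready) is an assumption of this
 * example; it orders the cases from most to least urgent.
 */
function resolveAcceptedRiskCase(
    AcceptedRiskSignals $s,
    DateTimeImmutable $now,
    int $expiringWindowDays = 14, // assumed window; the spec does not define one
): GuidanceCase {
    if (in_array($s->status, ['revoked', 'rejected'], true)) {
        return new GuidanceCase('accepted_risk.revoked_or_rejected', 'review accepted risk', ['decision history', 'related context']);
    }
    if ($s->currentValidityState === 'missing_support') {
        return new GuidanceCase('accepted_risk.missing_support', 'review accepted risk', ['open finding', 'decision history']);
    }
    // Only the existing bounded signal is surfaced; no timestamp or diff heuristics are added.
    if ($s->requiresFreshDecision && $s->hasResolverWarningCopy) {
        return new GuidanceCase('accepted_risk.fresh_decision_required', 'review accepted risk', ['open finding', 'decision history']);
    }
    if (in_array($s->status, ['pending_approval', 'pending_renewal'], true)) {
        return new GuidanceCase('accepted_risk.pending', 'review accepted risk', ['open finding', 'decision history']);
    }
    if ($s->expiresAt !== null && $s->expiresAt <= $now) {
        return new GuidanceCase('accepted_risk.expired', 'review accepted risk', ['open finding', 'decision history']);
    }
    // Either the expiry or the review due date falling inside the window counts as expiring.
    $horizon = $now->modify(sprintf('+%d days', $expiringWindowDays));
    foreach ([$s->expiresAt, $s->reviewDueAt] as $deadline) {
        if ($deadline !== null && $deadline <= $horizon) {
            return new GuidanceCase('accepted_risk.expiring', 'review accepted risk', ['open finding', 'existing related context', 'evidence references']);
        }
    }
    // Completeness uses only fields that already exist on the exception record.
    if (!$s->hasOwner || !$s->hasRationale || $s->reviewDueAt === null) {
        return new GuidanceCase('accepted_risk.incomplete_governance', 'review accepted risk', ['open finding', 'existing related context']);
    }
    return new GuidanceCase('accepted_risk.ready', 'inspect accepted risk', ['finding', 'existing related context']);
}

// Constructed sample: an approved exception whose review is due in five days.
$now = new DateTimeImmutable('2024-06-01T00:00:00Z');
$sample = new AcceptedRiskSignals(
    status: 'approved',
    currentValidityState: 'valid',
    reviewDueAt: $now->modify('+5 days'),
    expiresAt: $now->modify('+90 days'),
    hasOwner: true,
    hasRationale: true,
    requiresFreshDecision: false,
    hasResolverWarningCopy: false,
);
$case = resolveAcceptedRiskCase($sample, $now);
printf("%s -> %s [%s]\n", $case->key, $case->primaryAction, implode(', ', $case->secondaryActions));
```

Because every branch reads only a field the signal map already names, the function cannot produce a case the repo does not back, and the expiring window is the single tunable that a reviewer would need to confirm against the real urgency inputs.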
Guardrail
Current repo truth already exposes one bounded fresh-decision-required signal through FindingException::requiresFreshDecisionForFinding() and FindingRiskGovernanceResolver.
This slice may preserve and surface that signal more clearly, but it must not add a broader timestamp-, diff-, or change-history-based stale-governance framework.
Forbidden Signals
- live Graph/provider calls during render
- synthetic review-impact scores
- inferred customer-safe summaries that are not already repo-backed
- hidden shell/session context treated as accepted-risk authority
- legacy query aliases treated as scope authority