expectation/waiver policy layer

2026-05-07 14:05:22 +02:00
parent 5a6091fd2a
commit 4f8d8a1f52
13 changed files with 313 additions and 3 deletions
--- a/docs/ARCHITECTURE-BLUEPRINT.md
+++ b/docs/ARCHITECTURE-BLUEPRINT.md
@@ -377,6 +377,10 @@ accepted gaps.
 Use waivers for time-bounded exceptions with owner, reason, expiry, and review
 metadata.

+The first implementation supports assessment-profile references to JSON
+expectation and waiver sets. These policies annotate findings as expected or
+waived after evidence normalization and finding creation.
+
 ### Report Builder

 Builds human and machine-readable outputs:
--- a/docs/EXTENSION-SDK.md
+++ b/docs/EXTENSION-SDK.md
@@ -127,6 +127,21 @@ to extension-owned mappings and writes normalized mapping records to:
 runs/<run-id>/normalized/mappings.json
 ```

+## Expectations And Waivers
+
+Assessment profiles may reference expectation and waiver sets:
+
+```json
+{
+  "expectations_ref": "profiles/expectations/example.json",
+  "waivers_ref": "profiles/waivers/example.json"
+}
+```
+
+Expectation sets mark known posture as expected. Waiver sets mark approved,
+time-bounded exceptions. Both are applied after findings are generated, and the
+assessment package records policy summary counts.
+
 ## Python Runner Contract

 A Python runner receives one context object and returns one result object.
--- a/docs/schemas/assessment-package.schema.json
+++ b/docs/schemas/assessment-package.schema.json
@@ -12,6 +12,7 @@
    "source_lock",
    "summary",
    "mapping_summary",
+    "policy_summary",
    "findings",
    "evidence_refs",
    "artifact_manifest",
@@ -28,6 +29,7 @@
    "source_lock": { "type": "object" },
    "summary": { "type": "object" },
    "mapping_summary": { "type": "object" },
+    "policy_summary": { "type": "object" },
    "findings": { "type": "array", "items": { "type": "object" } },
    "evidence_refs": { "type": "array", "items": { "type": "string" } },
    "artifact_manifest": { "type": "array", "items": { "type": "object" } },
--- a/docs/schemas/expectation-set.schema.json
+++ b/docs/schemas/expectation-set.schema.json
@@ -0,0 +1,42 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "Guide Board Expectation Set",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "id",
+    "target_profile_ref",
+    "expectations"
+  ],
+  "properties": {
+    "id": { "type": "string" },
+    "target_profile_ref": { "type": "string" },
+    "expectations": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": [
+          "id",
+          "requirement_refs",
+          "check_refs",
+          "result_refs",
+          "classification_refs",
+          "expected",
+          "reason",
+          "status"
+        ],
+        "properties": {
+          "id": { "type": "string" },
+          "requirement_refs": { "type": "array", "items": { "type": "string" } },
+          "check_refs": { "type": "array", "items": { "type": "string" } },
+          "result_refs": { "type": "array", "items": { "type": "string" } },
+          "classification_refs": { "type": "array", "items": { "type": "string" } },
+          "expected": { "type": "boolean" },
+          "reason": { "type": "string" },
+          "status": { "type": "string" }
+        }
+      }
+    }
+  }
+}
--- a/docs/schemas/finding.schema.json
+++ b/docs/schemas/finding.schema.json
@@ -6,6 +6,7 @@
  "required": [
    "id",
    "run_id",
+    "check_id",
    "status",
    "severity",
    "classification",
@@ -13,11 +14,13 @@
    "evidence_refs",
    "expected",
    "waiver_ref",
+    "policy_ref",
    "remediation"
  ],
  "properties": {
    "id": { "type": "string" },
    "run_id": { "type": "string" },
+    "check_id": { "type": "string" },
    "status": { "type": "string" },
    "severity": { "type": "string" },
    "classification": { "type": "string" },
@@ -25,6 +28,7 @@
    "evidence_refs": { "type": "array", "items": { "type": "string" } },
    "expected": { "type": "boolean" },
    "waiver_ref": { "type": ["string", "null"] },
+    "policy_ref": { "type": ["string", "null"] },
    "remediation": { "type": ["string", "null"] }
  }
 }
--- a/docs/schemas/waiver-set.schema.json
+++ b/docs/schemas/waiver-set.schema.json
@@ -0,0 +1,50 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "Guide Board Waiver Set",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "id",
+    "target_profile_ref",
+    "waivers"
+  ],
+  "properties": {
+    "id": { "type": "string" },
+    "target_profile_ref": { "type": "string" },
+    "waivers": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": [
+          "id",
+          "scope",
+          "requirement_refs",
+          "check_refs",
+          "result_refs",
+          "classification_refs",
+          "reason",
+          "owner",
+          "approved_by",
+          "created_at",
+          "expires_at",
+          "review_status"
+        ],
+        "properties": {
+          "id": { "type": "string" },
+          "scope": { "type": "string" },
+          "requirement_refs": { "type": "array", "items": { "type": "string" } },
+          "check_refs": { "type": "array", "items": { "type": "string" } },
+          "result_refs": { "type": "array", "items": { "type": "string" } },
+          "classification_refs": { "type": "array", "items": { "type": "string" } },
+          "reason": { "type": "string" },
+          "owner": { "type": "string" },
+          "approved_by": { "type": ["string", "null"] },
+          "created_at": { "type": "string" },
+          "expires_at": { "type": ["string", "null"] },
+          "review_status": { "type": "string" }
+        }
+      }
+    }
+  }
+}