From 00fb93544c8c1662e68512368cd5f467c7493bbd Mon Sep 17 00:00:00 2001 From: tegwick Date: Sun, 28 Jun 2026 01:17:41 +0200 Subject: [PATCH] Add CCR decision template task --- ...007-credential-change-approval-workflow.md | 28 ++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/workplans/RAILIANCE-WP-0007-credential-change-approval-workflow.md b/workplans/RAILIANCE-WP-0007-credential-change-approval-workflow.md index 9bb2210..c7a9ff3 100644 --- a/workplans/RAILIANCE-WP-0007-credential-change-approval-workflow.md +++ b/workplans/RAILIANCE-WP-0007-credential-change-approval-workflow.md @@ -10,7 +10,7 @@ topic_slug: railiance planning_priority: high planning_order: 7 created: "2026-06-27" -updated: "2026-06-27" +updated: "2026-06-28" depends_on_workplans: - RAIL-PL-WP-0002 - RAILIANCE-WP-0005 @@ -295,6 +295,32 @@ Acceptance: - Deactivation disables the relevant access front door and auth/policy path. - Compromise flow records blast-radius notes and required follow-up tasks. +## T09 - Add decision templates and guided review actions + +```task +id: RAILIANCE-WP-0007-T09 +status: todo +priority: high +state_hub_task_id: "c436fd8b-cd82-4600-81b0-87ec069d7ae6" +``` + +Remove the current friction where reviewers must know magic rationale prefixes +for State Hub decisions to sync back into CCR status. + +Acceptance: + +- Each CCR review page or chat handoff shows explicit approve, deny, and needs + changes templates. +- Generated templates include the accepted prefixes (`APPROVE:`, `DENY:`, and + `NEEDS_CHANGES:`) and pre-fill the CCR id, corrected path, policy, auth role, + and non-secret rationale prompt. +- The dashboard or agent response links directly to the decision and states what + phrase or button will be recognized. +- The sync tooling refuses ambiguous free-text approvals with a friendly message + that shows the valid templates. +- Future UI work can replace prefix parsing with structured decision outcomes + without changing the CCR audit trail. + ## Exit Criteria - A human can review and approve or deny a credential/security change without