Skip to content

feat: adds initial schema for Layer 5 (for discussion) #165

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 6 commits into
base: main
Choose a base branch
from
Draft

feat: adds initial schema for Layer 5 (for discussion) #165

wants to merge 6 commits into from

Conversation

@jpower432
Copy link
Contributor

@jpower432 jpower432 commented Oct 16, 2025
edited
Loading

Overview

This PR introduces an initial structure for the Layer 5 schema for discussion

Main Points

Enforcement Actions

A new, top-level object, EnforcementAction, is defined for declaring the required response to a set of Findings. The Finding is the interpreted outcome derived from a Layer 4 AssessmentLog.

The EnforcementAction corresponds to a single control from Layer 2/3, but can be a response to zero or more failures from Layer 4.

The EnforcementAction optionally links to external enforcement , notification, or remediation plans. This approach is similar to how the non-compliance-plan is referenced in Layer 3.

Schema Reuse

Several type definitions are reused directly from Layer 4 like Mapping, MappingReferences, and Metadata.

Exceptions and Risk

This risk-level is explicitly attached enforcement exceptions. I'm thinking we might want to introduce the concept of risk a little earlier, but it made sense here (e.g. accepted risk).

Closes #158

@jpower432 jpower432 requested a review from a team as a code owner October 16, 2025 00:26
jpower432
jpower432 commented Oct 22, 2025
View reviewed changes
schemas/layer-5.cue
#EnforcementAction: {
metadata: #Metadata
// Executed indicates whether the enforcement action was successfully executed.
executed: bool
Copy link
Contributor Author

@jpower432 jpower432 Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consideration here - It might be useful to include a more descriptive status here if there was an failure during the enforcement action.

jpower432
jpower432 commented Oct 22, 2025
View reviewed changes
schemas/layer-5.cue
#Result: "Not Run" | "Passed" | "Failed" | "Needs Review" | "Not Applicable" | "Unknown"

// RiskLevel from Layer 3 (Policy layer)
#RiskLevel: "Critical" | "High" | "Medium" | "Low" | "Informational"
Copy link
Contributor Author

@jpower432 jpower432 Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not actually defined in explictly Layer 3, but we might want to introduce something like impact-level in Layer 3 at the maybe policy level and/or at the control level (ControlModifier?).

@gvauter gvauter mentioned this pull request Oct 29, 2025
Merged
@jpower432
Copy link
Contributor Author

jpower432 commented Oct 30, 2025

Documenting feedback from the community meeting today:

  • Layer 5 must link to Layer 3 and Layer 4 - through Layer 4 it has a link to Layer 2
  • From a philosophical standpoint, findings should not be optional as they are informing the action taken

@jpower432 jpower432 mentioned this pull request Oct 30, 2025
Open
6 tasks
@jpower432 jpower432 marked this pull request as draft November 3, 2025 13:38
@jpower432
Copy link
Contributor Author

jpower432 commented Nov 3, 2025

Putting back into draft for rework per #170

@jpower432
feat: adds support for multi-source EvaluationDocument workflows
5d43348 
Layer 4 currently breaks the pattern established by
the other layers. This add a top-level documentation
that can be passed into Layer 5 for full context to
execute an enforcement action.

Introduce support for multiple assessment executors
(tools/manual methods) that can execute assessment procedures,
with configurable conflict resolution strategies when multiple executors provide results.

Signed-off-by: Jennifer Power <[email protected]>
@jpower432
feat: add confidence to Layer4 EvaluationLog
5e8acd2 
Adding confidence to EvaluationLog allows an evaluation to
return a confidence level in the result based on inputs

Signed-off-by: Jennifer Power <[email protected]>
@jpower432
feat: add loaders for EvaluationPlans
f7f9fbc 
Signed-off-by: Jennifer Power <[email protected]>
@jpower432
chore: updates testdata for new layer4 schema changes
f8cc1d1 
Assisted by: Cursor Agent
Signed-off-by: Jennifer Power <[email protected]>
@jpower432
docs: add a specification for finding determination
5644994 
The finding specificiation details how to use the EvaluationPlan
and deconfliction strategies to determine findings for Layer5
action.

Assisted by: Cursor Agent
Signed-off-by: Jennifer Power <[email protected]>
@jpower432
feat: adds initial schema for Layer 5
b8f837d 
Signed-off-by: Jennifer Power <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

feature

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Proposal for Layer 5 implementation

1 participant

@jpower432