Founder Feedback Action Plan — March 31
Source: Sergey's feedback on sprint review deliverables (access chain grouping, evidence model, ownership workflow, operating layer scope).
Feedback document: Founder Response: Access Chain Based on Observed Execution
Feedback Summary
Sergey provided feedback across four areas:
- Access Chain model — Collapse/group the execution surface. "Access Chain" is the canonical name (Notion already updated). It is the unit of risk, control, remediation, and prioritization — not just a grouped view.
- Evidence model — Direction is right, but the model mixes claim type and evidence strength. Separate these into distinct fields. Simplify user-facing trust language. `owner_role` is a routing hint only, not the ownership solution.
- Ownership workflow — The ownership assignment workflow (PR #243) is the real mechanism for assigning accountable people. `owner_role` should not be framed as the ownership answer.
- Operating layer — The strongest product idea is routing + accountability + mitigation tracking + attestation on top of access-chain analysis. NOT full posture management. Phase ordering and API proposals are engineering proposals, not founder-approved roadmap.
Current State vs Feedback
1. Access Chain Naming & Model
| Aspect | Current State | Required Change |
|---|---|---|
| Terminology | IdentityAccessSurface, AuthorityPathDoc, authority-paths in URLs | Rename to AccessChain in all docs and new code |
| Product framing | Grouped view toggle over paths (Option A) | Virtual first-class object — access chain IS the product unit |
| Canonical axis | "Unresolved" between identity/workload/domain | Identity is the default axis for v1 (decided) |
| UX model | Parent row with expandable child paths | Access-chain-first card: identity → what it reaches → why it matters → what to do |
| Remediation | Per-path actions (5 actions for 1 identity) | One remediation object per access chain |
| Prioritization | max_severity + finding_count only | Surface score: blast radius, sensitivity, execution intensity, drift, cross-workload reuse, ownership quality |
| Time narrative | execution_30d + last_execution_at aggregated | Behavioral profile: newly active, steadily active, bursty, expanding, dormant |
2. Evidence Model
| Aspect | Current State | Required Change |
|---|---|---|
| Classification | Single EvidenceClassification axis (5 values mixing claim type + strength) | Two fields: claim_type (what we assert) + evidence_strength (how confident) |
| User-facing language | 5 labels ("Proven from execution logs", "Correlated across data sources", etc.) | Simplified set of 3-4 plain-English trust states |
| owner_role | DEFAULT_OWNER_ROLES maps finding type → team name, exposed in EvidenceClaim | Rename to routing_hint or suggested_team — clarify it's not ownership |
| UI badges | Color-coded by classification (PR #242) | Update to reflect separated claim type + strength |
3. Ownership Workflow
| Aspect | Current State | Required Change |
|---|---|---|
| Assignment mechanism | OwnershipAssignmentDoc with assign/revoke (PR #243) | Already correct — this IS the ownership solution |
| owner_role confusion | Named owner_role in EvidenceClaim, which suggests it is ownership | Rename + document as routing hint only |
| Scope | Targets path or entity | Should target access_chain once the model is first-class |
4. Operating Layer
| Aspect | Current State | Required Change |
|---|---|---|
| Routing | DEFAULT_OWNER_ROLES suggests a team per finding type | Keep as initial routing hint |
| Accountability | Ownership assignment workflow exists | Extend to access-chain level |
| Mitigation tracking | Referenced in research (#215), not built | Design needed — one mitigation per access chain |
| Attestation | Not started | Near-term scope if it strengthens the operating loop |
| Scope framing | Not explicitly scoped | NOT posture management — operating layer on top of access-chain analysis |
Action Plan
Wave 1: Reframe the Research Doc (documentation only)
Goal: Align the core research document with Sergey's access-chain-first model.
Changes to 2026-03-26-access-path-identity-scoped-grouping.md:
- Rename `IdentityAccessSurface` → `AccessChain` throughout
- State explicitly: identity is the default canonical axis for v1
- Reframe Option A from "grouped view" to "virtual first-class object"
- Define one remediation object per access chain (Sergey's point #4)
- Sketch access-chain ranking model (blast radius, sensitivity, execution intensity, drift, cross-workload reuse, ownership quality)
- Add behavior/drift narrative at access-chain level (newly active, bursty, expanding, dormant)
- Rework UX section: access-chain-first card/detail model, paths as expandable evidence
Update founder feedback doc: Link to revised research, update status.
Wave 2: Evidence Model Design (new research doc)
Goal: Design the separated evidence model before touching code.
Deliverable: New research doc 2026-03-31-evidence-model-separation.md
- Propose two-field model: `claim_type` + `evidence_strength`
- Map current 5 classifications into the two-axis model
- Define simplified user-facing trust language (3-4 plain-English states)
- Impact assessment: evaluator rules, UI badges, evidence packs, API response shapes
- Migration path from current single-axis model
Wave 3: Terminology Alignment (code + docs)
Goal: Eliminate `owner_role` confusion.
- Rename `owner_role` → `routing_hint` in `EvidenceClaim`, and `DEFAULT_OWNER_ROLES` → `DEFAULT_ROUTING_HINTS`
- Update evaluator `buildEvidenceClaim()` and all rule files
- Update UI if `owner_role` is displayed anywhere
- Run full typecheck + tests after rename
Wave 4: Operating Layer Scope Doc (new research doc)
Goal: Define the operating layer without overcommitting to posture management.
Deliverable: New research doc 2026-03-31-operating-layer-scope.md
- Scope: routing → assignment → mitigation tracking → attestation
- Explicitly NOT posture management
- Reference existing ownership workflow (PR #243) as foundation
- Access-chain-level remediation design
- Attestation workflow sketch (if near-term)
- Phase ordering as engineering proposal, not roadmap commitment
Decisions Needed
| Decision | Owner | Options |
|---|---|---|
| Approve access-chain-first reframe | Sergey | Adopt as described, or adjust scope |
| Evidence model separation scope | Sergey + Ivan | Full two-axis redesign now, or cosmetic rename + defer structural change |
| Operating layer scope boundary | Sergey | Include attestation in near-term, or defer |
| owner_role rename timing | Ivan | Wave 3 (now) or bundle with evidence model redesign |
Next Action
Status: research-in-progress
Decision needed from: Ivan (engineering scope and sequencing)
Immediate next steps:
- Wave 1 is in progress — reframing the access path grouping research doc
- Wave 2 evidence model design can start in parallel
- Waves 3-4 depend on decisions above
GitHub Issues: To be created after Wave 1-2 designs are reviewed