SecurityV0 · Open questions for the founder
Decisions deferred to the writer / product owner. The tool builds layout; these are the places prose, taxonomy, and scope need a human.
Each row names a decision, the surface it affects, and the reason it cannot be resolved from source material alone.
Copy
| # | Question | Surface | Why it's open |
|---|---|---|---|
| 1 | The posture sentence for Nimbus-prod — one line, names the four stories, states which leads. | overview.html | Only Sergey's §5 feedback is authored; the posture line is in placeholder state. |
| 2 | "What Happened" prose for Stories 01 / 02 / 04. | brief.html (non-verbatim) | Draft pending. Structure is wired; voice is missing. |
| 3 | "Why it matters" for Stories 01 / 02 / 04. | brief.html | Pull-quote slot on the editorial variant depends on this. |
| 4 | "Am I Exposed?" prose sentences for Stories 01 / 02 / 04. | brief.html | Metrics support a sentence that hasn't landed. |
| 5 | "Safest first action" verb-led line for Stories 01 / 02 / 04. | brief.html + chain.html + ActionTracker | The tracker currently shows placeholder text for 3 of 4 stories. |
| 6 | Strategic Context paragraphs for Nimbus-prod. | overview.html | The "governance decay vs. intrusion" framing needs the founder's voice. |
| 7 | Path-level narrative ("what this path allows" / "why this path matters") for any chain beyond Story 03. | chain.html | Only Story 03's chain is authored. |
Taxonomy
| # | Question | Surface | Why it's open |
|---|---|---|---|
| 8 | Is "Standing Authority — Dormant" the right cluster name, or should it split? | clusters.html | Currently one cluster; Story 04 is its only member. |
| 9 | Should "Orphaned Sensitive Access" distinguish orphaned-by-offboarding from orphaned-by-departure? | clusters.html, drift.html | Drift row shows owner-loss as a first-class event; cluster taxonomy doesn't. |
| 10 | Preferred label for the runtime states: "Active / Dormant / Standing" or "Executing / Latent / Reachable"? | All surfaces | The pilot uses the first set. UX-GUIDE doesn't commit either way. |
| 11 | Should supporting paths under a cluster be collapsible or always-visible? | clusters.html | Currently always-visible, capped at 3 rows with a "+N more" link. |
Action + ownership
| # | Question | Surface | Why it's open |
|---|---|---|---|
| 12 | What counts as "tracked"? Any ticket reference, or only an open PR? | ActionTracker | Story 03 demos both; the semantic rule isn't chosen. |
| 13 | If an action resolves multiple paths, how should the tracker credit them? | ActionTracker, chain.html | Chain page says "resolves 2 other paths" — unclear if this is a tracker state or a suggestion. |
| 14 | Owner model — individual human, team, or rotation? | All surfaces | Current data mixes all three; Strategic Context tile reads "2 of 4 stories have no active owner." |
Scope
| # | Question | Surface | Why it's open |
|---|---|---|---|
| 15 | Should the Overview expose a "by cluster" cut, or is clusters.html sufficient? | overview.html / clusters.html | Currently the Overview ranks stories only; clusters live on their own surface. |
| 16 | Drift window — 30 days is the demo default. Production default? | drift.html, overview.html | Both currently hard-code 30d. |
| 17 | Print/PDF — should the editorial variant be the default print layout, or conservative? | brief.html?print=1 | Current default is the user's last-selected variant, which may not be print-friendly for conservative. |
Form record · round one
One round of focused questions was posed at the start of this pilot. The form timed out, so defaults were taken.
Defaults applied
- Scope: All surfaces (Overview, Brief, Chain, Clusters, Exposures, Drift)
- Variants: 3 Brief variants — conservative / balanced / editorial
- Lead story: Nimbus ops monitor (shell authority) — per Sergey's Apr 10 note
- Fidelity: Strict token usage from ui/src/index.css — zero arbitrary values
- Divergence: Mixed — one conservative, one bolder, one editorial
- UI kit: DESIGN.md baseline ("Deterministic Brief"), pushed editorial
- Copy source: Sergey's verbatim Apr 10 copy for Story 03; explicit placeholders elsewhere
- "Am I Exposed?" metrics: Paths reachable · Active vs dormant · Sensitive domains · External egress · Owner status
- Chain header: 1–2 sentence plain-English summary above the diagram
- Tweaks exposed: Variant cycling · verbose/terse · header style
- Interaction: Overview → Brief → Chain wired; cross-cutting list pages linked
- Demoted/removed from Overview: 7/4/2 KPI strip, footer stat cards, KPI-style drift banner
- Deliverable: Single HTML prototype with variants as Tweaks + linked pages
Full question set
- Which surfaces should this pilot cover?
- How many Brief variants for 'Drifted Sensitive Access'?
- Which cluster should lead the Overview?
- Design fidelity & token discipline
- How divergent should variants be?
- Which visual DNA to lean on?
- Copy for Drifted Sensitive Access — verbatim / edited / fresh?
- What should 'Am I Exposed?' foreground?
- Chain narrative header style — sentence / structured / pull-quote?
- Which Tweaks to expose?
- Interaction depth
- What to demote or remove from current Overview?
- Deliverable format
- Anything else — constraints, taste notes, things to avoid?