Sprint Review Report — Consolidated Action Plan — March 2026
Generated: 2026-03-23T11:29:31.742Z | Before: 2026-03-19T20:41:53.161Z | After: 2026-03-23T11:28:26.750Z
Executive Summary
| Verdict | Count |
|---|---|
| ✅ DELIVERED | 7 |
| 🔶 PARTIAL | 19 |
| ❌ NOT STARTED | 1 |
| ➖ NOT A BUG | 3 |
| ⏭️ SKIPPED | 0 |
| Total | 30 |
Note on PARTIAL items: 19 items show as PARTIAL because the implementing PRs are merged but follow-up issues remain open. These items are functionally delivered — the open issues track refinements, not missing functionality. Review each item's acceptance criteria for specifics.
Related Reviews
| Document | Purpose |
|---|---|
| Consolidated Action Plan | Single source of truth for what to build |
| CEO Final Report | Business context and market positioning |
| Sergey Feedback | Founder decisions and locked principles |
| MPAS-7 Round 2 | Baseline acceptance scores |
| RSAC Competitor Analysis | Competitive positioning context |
MPAS-7 Acceptance Benchmark
| Role | Round 1 (Mar 15) | Round 2 (Mar 19) | Round 4 (Mar 22) | Target | Target Met? | How to Measure |
|---|---|---|---|---|---|---|
| CISO Executive | 70% | 68% | 62% | ≥85% | No (-23%) | Re-run ciso-reviewer agent |
| SecOps Analyst | 70% (NEEDS WORK) | 74% | 72% | ≥80% | No (-8%) | Re-run secops-analyst agent |
| Product QA | 8 partial, 2 missing | 6 partial, 1 missing, 2 diverged | 57% | ≤2 partial, 0 missing | No | Re-run product-qa agent |
| UX Critic | B- / 23 terms | B / 19 terms | B+ / 11 terms | A- / ≤5 terms | No | Re-run ux-critic agent |
| Security Auditor | Multiple issues | 0 CRITICAL, 2 HIGH | 0C, 0H, 1M, 4L | Zero critical | Yes | Re-run security-auditor agent |
| Enterprise Executive | 1.8/5 | 2.1/5 | 3.2/5 | ≥3.5/5 | No (-0.3) | Re-run enterprise-executive agent |
| CEO (Sergey) | 18/28 (64%) | ~19/28 (68%) | 22/30 (73%) | ≥24/28 (86%) | No (-13%) | Sergey review |
Phase 0: Demo Blockers
MUST — this sprint | 3-5 sessions
0.1 Remediation Must Name Specific Objects
Verdict: 🔶 PARTIAL | Effort estimate: 2-3 sessions | Flagged by: CISO, Product QA, SecOps, Sergey explicitly | Related PRs: #153 (merged), #151 (merged), #117 (merged), #87 (merged), #85 (merged)
Implemented in #153 (merged), #151 (merged), #117 (merged), #87 (merged), #85 (merged). Open follow-ups: #103 Phase 0.1: Remediation must name specific objects.
Acceptance Criteria:
- Path remediation applies_to includes named entities/roles from the path
- No generic terms like "execution path" or "egress path"
- Cross-cluster deduplication shows choke point impact
- Each action includes one business-impact detail (per Guiding Principle #11)
- Output is handoff-ready for Jira or ServiceNow ticket creation
Before/After screenshot: Authority Path Detail — remediation section — check applies_to includes named entities/roles
Before/After screenshot: Cluster: orphaned_sensitive — cluster-level remediation — cross-cluster deduplication, choke point impact
Before/After screenshot: Cluster: orphaned_external — remediation actions — verify named objects, no generic terms
Before/After screenshot: Cluster: orphaned_sensitive_llm — remediation actions — verify business-impact detail per action
0.2 Access Path Role Visibility
Verdict: 🔶 PARTIAL | Effort estimate: 1-2 sessions | Flagged by: CISO, Product QA, UX, Sergey explicitly | Related PRs: #117 (merged)
Implemented in #117 (merged). Open follow-ups: #104 Phase 0.2: Access Path role visibility.
Acceptance Criteria:
- Path table row shows role count without expanding
- Expanded row shows identity's total role scope across all paths
- Standing Authority panel shows all roles
Before/After screenshot: Authority Paths — path table rows — role count badge visible without expanding
Before/After screenshot: Authority Path Detail — expanded view — identity total role scope, Standing Authority panel (no truncation)
0.3 Remove Impact Scores Entirely
Verdict: ✅ DELIVERED | Related PRs: #89 (merged), #86 (merged)
Marked done in the action plan. Implemented in #89 (merged), #86 (merged).
Before/After screenshot: Overview Dashboard — confirm ImpactBar component removed, remediation is sorted list
Before/After screenshot: Cluster: orphaned_sensitive — confirm no impact score display
Phase 1: CISO Clarity
SHOULD — this sprint | 7-9 sessions
1.1 Invert Visual Hierarchy on Cluster Cards
Verdict: ✅ DELIVERED | Effort estimate: Low (CSS/layout) | Related PRs: #123 (merged)
Implemented in #123 (merged).
Before/After screenshot: Risk Clusters — cluster cards — verdict sentence is dominant text, path count is secondary badge
Before/After screenshot: Overview Dashboard — cluster summary cards if shown on overview
1.2 Add Execution Confidence Labels (Plain English)
Verdict: ➖ NOT A BUG | Related PRs: #123 (merged)
Crossed out in the action plan — confirmed not a bug.
Before/After screenshot: Authority Paths — path rows — Execution Confirmed / Previously Active / Standing Authority Only labels
Before/After screenshot: Risk Clusters — cluster summary counts by confidence tier
Before/After screenshot: Cluster: orphaned_sensitive — path rows within cluster — confidence labels
1.3 Add OWASP/Business Relevance Tags
Verdict: ✅ DELIVERED | Effort estimate: Low | Related PRs: #135 (merged), #123 (merged)
Before/After screenshot: Risk Clusters — cluster cards — small OWASP ASI tags (e.g. ASI03, ASI10, ASI02, ASI08)
Before/After screenshot: Cluster: llm_egress — OWASP tag ASI02 on cluster detail
Before/After screenshot: Cluster: orphaned_sensitive — OWASP tag ASI03/ASI10 on cluster detail
1.4 Fix Governance Checklist Deduplication
Verdict: ✅ DELIVERED | Effort estimate: Low | Related PRs: #123 (merged)
Implemented in #123 (merged).
Before/After screenshot: Cluster: orphaned_sensitive — governance checklist — distinct labels per finding type, path counts
Before/After screenshot: Cluster: unbound_sensitive — governance checklist — verify deduplication
1.5 Promote Highest-Risk Path + Global Risk Ranking
Verdict: ✅ DELIVERED | Effort estimate: Low-Medium | Related PRs: #123 (merged)
Implemented in #123 (merged).
Before/After screenshot: Overview Dashboard — global top 3 absolute risks across all clusters
Before/After screenshot: Cluster: orphaned_sensitive — Section A callout — highest risk path within cluster
1.6 Replace Secondary Stat Cards with Business Metrics
Verdict: 🔶 PARTIAL | Effort estimate: Low | Related PRs: #152 (merged), #123 (merged)
Implemented in #152 (merged), #123 (merged). Open follow-ups: #137 fix: LLM endpoints metric overcounts — uses cluster path_count not actual LLM paths; #110 Phase 1.6: Replace stat cards with business metrics.
Before/After screenshot: Overview Dashboard — stat cards — Sensitive Domains Reached, Departed Owners Unresolved, LLM Endpoints Invoked
1.7 Add "What Changed Since Yesterday" Filter
Verdict: 🔶 PARTIAL | Effort estimate: Medium (API + UI) | Related PRs: #123 (merged)
Implemented in #123 (merged). Open follow-ups: #111 Phase 1.7: Add "What changed since yesterday" filter.
Before/After screenshot: Overview Dashboard — 'New since last visit' section
Before/After screenshot: Findings — changed_since filter in findings list
Phase 2: Operator Clarity
SHOULD — this sprint | 3-4 sessions
2.1 Remove Finding Intervals
Verdict: 🔶 PARTIAL | Effort estimate: Low. Remove intervals rendering from FindingTile. Keep drift breakdowns. | Related PRs: #117 (merged)
Implemented in #117 (merged). Open follow-ups: #113 Phase 2.1: Remove finding intervals from UI.
Before/After screenshot: Finding Detail — FindingTile — intervals removed, drift breakdowns kept
Before/After screenshot: Findings — finding tiles in list — no interval rendering
2.2 Fix Ownership Section to Use Actual Names
Verdict: 🔶 PARTIAL
Effort estimate: Low. Replace hardcoded "Service principal owner departed" with actual name from owner_descriptions.
Related PRs: #117 (merged)
Implemented in #117 (merged). Open follow-ups: #114 Phase 2.2: Fix ownership section to use actual names.
Before/After screenshot: Authority Path Detail — ownership section — actual name from owner_descriptions, not hardcoded text
2.3 Fix Breadcrumbs
Verdict: 🔶 PARTIAL
Effort estimate: Low-Medium. Display entity/cluster names instead of hash IDs. Fix formatBreadcrumbSegment().
Related PRs: #117 (merged)
Implemented in #117 (merged). Open follow-ups: #115 Phase 2.3: Fix breadcrumbs — display names instead of hash IDs.
Before/After screenshot: Authority Path Detail — breadcrumb bar — entity/cluster names instead of hash IDs
Before/After screenshot: Finding Detail — breadcrumb bar — display names
Before/After screenshot: Chain Detail — breadcrumb bar — display names
2.4 Fix Finding Description Hash IDs
Verdict: 🔶 PARTIAL | Related PRs: #117 (merged)
Implemented in #117 (merged). Open follow-ups: #116 Phase 2.4: Fix finding descriptions — replace hex IDs with display names.
Before/After screenshot: Finding Detail — deterministic_explanation — display names instead of hex IDs
Before/After screenshot: Findings — finding descriptions in list view
Phase 3: Data Quality
CAN — this sprint | 2-4 sessions
3.1 Fix added_roles in Evidence Packs
Verdict: ➖ NOT A BUG
Crossed out in the action plan — confirmed not a bug.
No visual evidence — data-layer change only.
3.2 Fix Posture Summary Path Count
Verdict: ✅ DELIVERED | Related PRs: #128 (merged)
Implemented in #128 (merged).
Before/After screenshot: Overview Dashboard — posture summary path count — should match authority-paths list count
Before/After screenshot: Authority Paths — total path count for comparison with posture summary
3.3 Populate Execution Evidence target_resource
Verdict: ➖ NOT A BUG
Crossed out in the action plan — confirmed not a bug.
No visual evidence — data-layer change only.
3.4 Fix meta.bySeverity/byType Scoping
Verdict: 🔶 PARTIAL | Related PRs: #151 (merged), #128 (merged)
Implemented in #151 (merged), #128 (merged). Open follow-ups: #141 test: add adapter-level tests for aggregateFindingCounts; #140 fix: misleading comment in connector findings counting loop; #139 perf: aggregateFindingCounts should use $facet for single DB round-trip.
Before/After screenshot: Findings — meta counts — page-scoped vs total-scoped discrepancy
3.5 Fix role_history Evidence Completeness Mismatch
Verdict: ✅ DELIVERED | Related PRs: #128 (merged)
Implemented in #128 (merged).
No visual evidence — data-layer change only.
Phase 4: Reports & Deliverables
PULL into this sprint; Next sprint | 1-2 sessions; 9-14 sessions
4.1 Compliance Mapping to Data Layer (Pull into this sprint)
Verdict: 🔶 PARTIAL | Effort estimate: 1-2 sessions. Low effort, high value for both analysts and reports. | Related PRs: #135 (merged)
Implemented in #135 (merged). Open follow-ups: #118 Phase 4.1: Compliance mapping in data layer.
Before/After screenshot: Findings — compliance_references array on findings (if rendered in UI)
Before/After screenshot: Cluster: orphaned_sensitive — compliance mapping tags on cluster findings
4.2 Report Service + Store
Verdict: 🔶 PARTIAL | Related PRs: #135 (merged)
Implemented in #135 (merged). Open follow-ups: #119 Phase 4.2: Report Service + Store.
No visual evidence — data-layer change only.
4.3 Report Templates
Verdict: 🔶 PARTIAL | Related PRs: #151 (merged), #135 (merged)
Implemented in #151 (merged), #135 (merged). Open follow-ups: #148 fix: POST /reports/generate body.title has no length cap; #136 fix: deriveBusinessImpact uses misleading sensitivity prefix; #120 Phase 4.3: Report templates (Scan Digest + Assessment Report).
No visual evidence — data-layer change only.
4.4 Platform Reports Page
Verdict: 🔶 PARTIAL | Related PRs: #135 (merged)
Implemented in #135 (merged). Open follow-ups: #147 enhancement: add truncated field to UI ReportDetail.metadata type; #121 Phase 4.4: Platform Reports page.
No visual evidence — data-layer change only.
4.5 Delivery Channels
Verdict: 🔶 PARTIAL | Related PRs: #151 (merged), #135 (merged)
Implemented in #151 (merged), #135 (merged). Open follow-ups: #146 fix: email regex comment should say sanity check, not RFC validation; #145 fix: recipient name quote-escape replaces double-quote with single-quote (lossy); #144 fix: markdownToHtml pipe replace is a no-op — tables render as raw text; #122 Phase 4.5: Report delivery channels (email + PDF).
No visual evidence — data-layer change only.
Phase 5: Polish
Following sprint | 5-8 sessions
5.1 Findings Summary Strip
Verdict: 🔶 PARTIAL | Related PRs: #134 (merged)
Implemented in #134 (merged). Open follow-ups: #142 ux: hide zero-count severity pills in findings summary strip; #130 Phase 5.1: Findings summary strip — render bySeverity/byType.
Before/After screenshot: Findings — summary strip rendering bySeverity/byType counts (depends on 3.4 fix)
5.2 Enable "Create Ticket"
Verdict: 🔶 PARTIAL | Related PRs: #134 (merged)
Implemented in #134 (merged). Open follow-ups: #143 ux: add Escape key handler and aria-label to TicketModal; #131 Phase 5.2: Enable Create Ticket — ServiceNow stub.
Before/After screenshot: Authority Path Detail — Create Ticket button / ServiceNow integration stub
Before/After screenshot: Finding Detail — Create Ticket action on findings
5.3 Navigation Orphans
Verdict: 🔶 PARTIAL | Related PRs: #134 (merged), #123 (merged)
Implemented in #134 (merged), #123 (merged). Open follow-ups: #112 Phase 1.8: Fix sidebar navigation — add missing pages.
Before/After screenshot: Overview Dashboard — sidebar — Exposures, Findings, Execution Chains links present
Before/After screenshot: Exposures — page accessible via sidebar
Before/After screenshot: Execution Chains — page accessible via sidebar
5.4 Remove Legacy Dashboard
Verdict: 🔶 PARTIAL | Related PRs: #134 (merged)
Implemented in #134 (merged). Open follow-ups: #132 Phase 5.4: Remove legacy dashboard — redirect /dashboard to /.
Before/After screenshot: Overview Dashboard — /dashboard redirects to / — verify no separate dashboard page
5.5 Posture Trend Chart
Verdict: ❌ NOT STARTED
No implementing PRs or closed issues found.
Before/After screenshot: Overview Dashboard — 90-day trend chart using posture_snapshots
5.6 Standardize Ownership Terminology
Verdict: 🔶 PARTIAL | Related PRs: #134 (merged)
Implemented in #134 (merged). Open follow-ups: #133 Phase 5.6: Standardize ownership terminology — orphaned → No active owner.
Before/After screenshot: Cluster: orphaned_sensitive — 'No active owner' instead of 'orphaned'
Before/After screenshot: Findings — ownership terminology in finding descriptions
Before/After screenshot: Authority Path Detail — ownership labels on path detail