Import UAPF package: incident-triage.uapf

2026-06-01 18:25:37 +00:00
commit 7fe0fda7a5
26 changed files with 2509 additions and 0 deletions
--- a/algorithms/classify_incident.card.yaml
+++ b/algorithms/classify_incident.card.yaml
@@ -0,0 +1,133 @@
+kind: uapf.algorithm.card
+id: algo.incident_triage.classify_incident
+version: 1.0.0
+name: Incident classifier
+intent: |
+  Reads the normalised payload and picks one taxonomy code from a fixed
+  closed list. The classifier is LLM-backed at runtime (Claude via the
+  LLM gateway) and falls back to a deterministic keyword matcher when
+  the gateway is unreachable. The taxonomy code is the primary driver
+  for the priority and routing DMN decisions; downstream rules treat
+  this output as authoritative.
+algorithm_kind: classifier
+
+io:
+  inputs:
+    - id: payload
+      type: object
+      cardinality: single
+      documentation: |
+        The normalized_payload from the upstream intake.normalize step.
+        At minimum {title, description?, host?, severity?}.
+    - id: text
+      type: string
+      cardinality: single
+      documentation: |
+        Optional pre-flattened text. If absent, the host derives it from
+        payload.title + payload.description + payload.host.
+  outputs:
+    - id: taxonomy_code
+      type: string
+      constraints:
+        enum:
+          - network.outage.link_down
+          - network.degradation
+          - network.routing
+          - network.dns
+          - security.incident
+          - facility.power
+          - storage.capacity
+          - service.customer_request
+          - unknown.uncategorized
+      documentation: The chosen taxonomy code from the closed list above.
+    - id: confidence
+      type: probability
+      constraints:
+        minimum: 0
+        maximum: 1
+      documentation: Model-reported confidence; the stub fallback returns 0.75 for matched / 0.20 for unmatched.
+    - id: reasoning
+      type: string
+      documentation: One-sentence justification (English). Persisted with the AI decision; not shown to operator by default.
+    - id: label_hint
+      type: string
+      documentation: Human-friendly short label derived from the taxonomy code (e.g. "link_down").
+
+implementation:
+  type: external
+  medium: mcp_tool
+  uri: uapf-ip://capability/ai.classify@1
+  hash: sha256:0000000000000000000000000000000000000000000000000000000000000000
+  runtime:
+    capability: ai.classify@1
+    note: |
+      Host-fulfilled UAPF-IP capability backed by the LLM gateway
+      (default Anthropic). When LLM_PROVIDER is unavailable, the host
+      falls back to a regex-driven keyword matcher that produces the
+      same output shape.
+
+determinism: stochastic
+side_effects: pure
+complexity:
+  typical_latency_ms: 800
+  max_latency_ms: 30000
+failure_mode: |
+  Returns taxonomy_code='unknown.uncategorized' with confidence<=0.25.
+  Triage continues; the DMN priority table treats unknown as P4 default.
+
+reference:
+  legal: |
+    Latvijas Republikas Datu valsts inspekcijas vadlīnijas par
+    automatizētu lēmumu pieņemšanu — operators may override at any time.
+  standard: |
+    ITIL 4 — Incident Management practice; ISO/IEC 20000-1 — service
+    management taxonomy alignment.
+
+limitations:
+  - Closed taxonomy of 9 codes — broader incident types fall to unknown.uncategorized.
+  - Latvian and English input supported; mixed-locale text may degrade confidence.
+
+owners:
+  - type: team
+    id: openitsm-stewards
+    contact: stewards@openitsm.algomation.io
+
+lifecycle:
+  status: draft
+
+tests:
+  - name: bgp-flap-network-routing
+    description: |
+      Edge router BGP session flapping — the classifier should pick
+      network.routing, not the broader network.outage.link_down.
+    inputs:
+      payload:
+        title: "BGP session flapping rtr-core-02 → AS6939"
+        host: "rtr-core-02.lvrtc.lv"
+        description: "BGP peer 198.51.100.1 toggled UP/DOWN 7 times in 12 minutes."
+        severity: "high"
+    expected_outputs:
+      taxonomy_code: "network.routing"
+  - name: customer-bandwidth-request
+    description: |
+      Latvian customer email asking for a bandwidth uplift — a
+      service.customer_request, not a network outage.
+    inputs:
+      payload:
+        title: "Klients SIA Latvija Tev: lūgums palielināt joslas platumu"
+        description: "Mūsu uzņēmumam nepieciešams palielināt internet pieslēguma joslas platumu no 100 Mbps uz 500 Mbps."
+        severity: "average"
+    expected_outputs:
+      taxonomy_code: "service.customer_request"
+  - name: ddos-volumetric
+    description: |
+      Volumetric UDP flood pattern — security.incident takes precedence
+      over generic network classifications even when the symptom is
+      network-shaped.
+    inputs:
+      payload:
+        title: "DDoS attack pattern detected on edge"
+        description: "Volumetric UDP flood, 4.2 Gbps inbound to 192.0.2.0/24."
+        severity: "critical"
+    expected_outputs:
+      taxonomy_code: "security.incident"