Import UAPF package: incident-triage.uapf

2026-06-01 18:25:37 +00:00
commit 7fe0fda7a5
26 changed files with 2509 additions and 0 deletions
--- a/docs/host-lookup-tables.md
+++ b/docs/host-lookup-tables.md
@@ -0,0 +1,49 @@
+# Host lookup tables
+
+This package expects the OpenITSM host to maintain three deployment-specific
+lookup tables. They are NOT part of the package (the package only defines the
+abstract triage process); each host deployment populates them.
+
+## Expert groups
+
+The routing DMN resolves to one of these `group_slug` values. The host MUST
+have a matching `expert_groups` row for each:
+
+| slug              | name              |
+|-------------------|-------------------|
+| `helpdesk-l1`     | L1 helpdesk       |
+| `noc-l1`          | Network Ops L1    |
+| `noc-l2`          | Network Ops L2    |
+| `soc-l2`          | Security Ops L2   |
+| `facility-l2`     | Facility & Power L2 |
+| `platform-l2`     | Platform Ops L2   |
+| `external-handoff`| External handoff  |
+
+## Service tiers
+
+The priority DMN consumes these tier codes. Hosts MUST have a matching
+`service_tiers` row.
+
+| code          | name                          | first_response | resolution |
+|---------------|-------------------------------|----------------|------------|
+| `tier_1`      | Tier 1 (mission-critical)     | 15 min         | 240 min    |
+| `tier_2`      | Tier 2 (standard)             | 60 min         | 480 min    |
+| `best_effort` | Best effort (non-SLA)         | — (no SLA)     | —          |
+
+## Taxonomy
+
+The closed list of taxonomy codes `ai.classify@1` can emit, mirrored in the
+classify_incident Algorithm Card's `io.outputs.taxonomy_code.constraints.enum`
+and consumed as input to the priority + routing DMN.
+
+| code                          | LV                       | EN                  |
+|-------------------------------|--------------------------|---------------------|
+| `network.outage.link_down`    | Saites pārtraukums       | Link down           |
+| `network.degradation`         | Tīkla degradācija        | Network degradation |
+| `network.routing`             | Maršrutēšana             | Routing             |
+| `network.dns`                 | DNS                      | DNS                 |
+| `security.incident`           | Drošības incidents       | Security incident   |
+| `facility.power`              | Elektroapgāde            | Power / facility    |
+| `storage.capacity`            | Diska vieta              | Storage capacity    |
+| `service.customer_request`    | Klienta pieprasījums     | Customer request    |
+| `unknown.uncategorized`       | Neklasificēts            | Uncategorized       |
--- a/docs/overview.md
+++ b/docs/overview.md
@@ -0,0 +1,60 @@
+# `lv.itsm.incident.triage` — overview
+
+Level-4 UAPF process for triaging IT-infrastructure incidents at LVRTC.
+
+## What it does
+
+A new Signal lands in OpenITSM (Zabbix webhook, IMAP poll, Jira DC webhook,
+manual entry). The host opens a Case and starts a session of this package
+against the UAPF engine. The engine then drives the linear flow defined in
+`bpmn/incident-triage.bpmn`, calling back to OpenITSM at every step:
+
+1. **Normalize** the source-specific payload to a uniform shape.
+2. **Classify** into one of nine taxonomy codes (LLM + regex fallback).
+3. **Suggest** a soft P1..P4 priority.
+4. **Evaluate** the three DMN tables in order: priority (binding),
+   ownership (LVRTC vs external), routing (which expert group).
+5. **Update** the case with the decided priority + group + status=triaged.
+6. **Draft** a parallel Latvian + English customer notification — flagged
+   PROPOSED, requires operator approval before send.
+7. **Emit** the closing `routed` CaseEvent.
+
+## Why the split
+
+Classification, priority suggestion, and customer-response drafting are
+the AI steps. Everything *binding* — the actual priority, who handles it,
+which group — lives in versioned DMN, not in Python. That keeps the AI
+contestable and the auditor's job tractable: an evaluator can read
+`dmn/priority.dmn` and know exactly what priority an incident *will*
+receive, given its severity and tier, without running anything.
+
+## Cornerstones
+
+- **bpmn/** — `incident-triage.bpmn` — 1 process, 9 service tasks, linear.
+- **dmn/** — `priority.dmn` (14 rules), `ownership.dmn` (6 rules),
+  `routing.dmn` (14 rules), all FIRST hit-policy.
+- **algorithms/** — 7 algorithm cards, each with embedded v2.5.0 tests.
+- **resources/** — guardrails (PII, approval gating, timeouts, retention)
+  and host mappings (expert groups, service tiers, taxonomy).
+- **metadata/** — lifecycle + ownership.
+
+## Versioning
+
+This package targets **UAPF v2.5.0** (track main, refreshed on every
+schema release). Breaking changes follow the spec's CHANGELOG.
+
+## Host requirements
+
+OpenITSM must implement and advertise (via `/uapf/host/manifest`) the
+seven UAPF-IP capabilities listed in `requires_capabilities`:
+
+- `intake.normalize@1`
+- `ai.classify@1`
+- `ai.suggest_priority@1`
+- `ai.draft_response@1`
+- `dmn.evaluate@1`
+- `incident.update@1`
+- `event.emit@1`
+
+The first six are intent-bearing (each governed by its own Algorithm
+Card); `event.emit` is an append-only timeline writer.