Skip to content

Design: Consume gap detection endpoint in posture workflow #5

Description

@jpower432

Design Question

Should the posture check workflow delegate gap analysis to core's new coverage endpoint, or continue computing it client-side?

Context

Core #70 (Add gap detection API endpoint) adds GET /api/policies/{id}/coverage:

{
  "policy_id": "nist-800-53-rev5",
  "total_controls": 50,
  "covered_controls": 35,
  "coverage_pct": 70.0,
  "covered": ["AC-1", "AC-2", "CM-1"],
  "gaps": ["AC-3", "AC-4", "SI-1"]
}

Today, the posture check workflow in the assistant computes gaps client-side by comparing policy assessment plans against evidence rows fetched via query_evidence. The workbench /posture endpoint does similar aggregation. Both duplicate logic that core can now own.

Options Considered

  • Option A: Add a query_coverage gateway tool for the assistant; update /workbench/posture to call core's coverage endpoint. Remove client-side gap logic.
  • Option B: Keep client-side analysis for the assistant (it needs richer context than just gap lists) but use the core endpoint in the workbench BFF for dashboard views.

Related

  • complytime-core#70 — Add gap detection API endpoint
  • agents/assistant/prompt.md — Posture Check Workflow step 3 (client-side gap analysis)
  • workbench/app.py:posture_summary — current aggregation
  • agents/assistant/skills/posture-check/SKILL.md — classification logic

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/agentStudio assistant agent, graph, skillsarea/workbenchWorkbench HTTP server, BFF endpointstype/designDesign discussion or architectural exploration

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions