feat(cra): coarse priority engine — P0 floor + customer weights + quick wins

Deterministic prioritisation on top of the mapper (cra_prioritizer.py): a non-negotiable P0 floor (safety-function compromise / actively exploited / CRITICAL — customer weights cannot demote) plus a discretionary tier ranked by severity x the customer's weight (high/medium/low) for the 5 business objectives (access/data/network_api/supply_updates/monitoring). Quick-win flag (high impact, low effort) for a second view; each finding carries a short priority reason. Endpoint accepts weights + per-finding safety_impact/exploited. Rough pre-sort only (devs re-sort in Jira). No DB. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-14 08:21:56 +02:00
parent ad83b8dc67
commit 12fa179bfd
6 changed files with 211 additions and 8 deletions
@@ -38,3 +38,26 @@ def test_assess_requires_finding_id():
    # id is required by the schema -> 422
    r = client.post("/api/v1/cra/assess", json={"findings": [{"title": "no id"}]})
    assert r.status_code == 422
+
+
+def test_assess_prioritizes_with_weights():
+    r = client.post("/api/v1/cra/assess", json={
+        "findings": [
+            {"id": "mfa", "cwe": "CWE-306", "severity": "high"},
+            {"id": "log", "cwe": "CWE-778", "severity": "high"},
+        ],
+        "weights": {"access": "high", "monitoring": "low"},
+    })
+    assert r.status_code == 200
+    d = r.json()
+    order = [m["finding_id"] for m in d["mapped"]]
+    assert order.index("mfa") < order.index("log")
+    assert all("priority_tier" in m for m in d["mapped"])
+
+
+def test_assess_p0_floor_on_safety_impact():
+    r = client.post("/api/v1/cra/assess", json={"findings": [
+        {"id": "s", "cwe": "CWE-319", "severity": "low", "safety_impact": True},
+    ]})
+    assert r.status_code == 200
+    assert r.json()["mapped"][0]["priority_tier"] == "P0"