# Findings workspace

Purpose
- Present materialized policy verdicts with explainability, filtering, and export support.
- Preserve aggregation-only provenance while enabling triage and automation.

Access and dependencies
- Route: /console/findings with optional panel=explain.
- Scopes: findings.read, policy:runs, policy:simulate, downloads.read.
- Depends on Policy Engine effective findings, Concelier and Excititor provenance, SBOM service metadata.
- Feature flags: findings.explain.enabled, findings.savedViews.enabled, findings.simulationDiff.enabled.

Layout
- Header with tenant badge, policy selector, global filters, and actions.
- Summary cards: affected assets, critical count, KEV count.
- Findings grid (virtualized) with right-side drawer for details.

Filters and saved views
- Status: affected, at_risk, quieted, fixed, not_applicable, mitigated.
- Severity: critical, high, medium, low, informational, untriaged.
- KEV toggle and exploitability hints.
- Policy view: active, staged, simulation.
- Component search by PURL or substring.
- SBOM filter by image digest or SBOM ID.
- Tags from policy outputs.
- Run window and explain hints (rule ID, justification, VEX provider).
- Saved views persist per tenant and policy; shared views appear in the rail.

Grid columns and badges
- Status badge with rationale and quieted expiry.
- Severity with score tooltip.
- Component PURL and SBOM link.
- Policy name and revision digest.
- Source signals (VEX, advisory, runtime overlays).
- Age since last evaluation.
- Row badges: KEV, override, simulation only, determinism alert.

Bulk actions
- Open explains (batch drawer).
- Export CSV or JSON.
- Copy CLI batch explain commands.
- Create ticket using configured integrations.

Explain drawer
- Summary: status, severity, policy decision, rule ID, run ID, SBOM link.
- Rule chain: ordered rule hits with actions and score contributions.
- Evidence: advisory, VEX, runtime signals, overrides.
- VEX impact: claims used, justification, acceptance.
- History: state transitions with timestamps and operators.
- Raw trace: canonical policy trace with CLI parity.

Simulations and comparisons
- Compare active vs staged or simulation snapshots with diff banners.
- Side-by-side view highlights added, removed, and severity changes.
- Simulation results expire after a retention window and prompt re-run.

Exports and automation
- Immediate CSV, JSON, and Markdown summary exports.
- Scheduled exports produce full tenant reports with manifests.
- Explain bundle export packages traces for audit.
- Webhook subscription hints for export completion.

Real-time updates
- SSE stream updates new findings, status changes, and quieted expirations.
- Metrics cards mirror findings_critical_total, findings_quieted_total, findings_kev_total.
- Errors surface correlation IDs for logs.

Offline behavior
- Snapshot banner shows offline dataset and staleness.
- Explain drawer notes cached evidence sources.
- Exports default to local paths with transfer guidance.
- Tenants missing in the snapshot are hidden.