v0.2

docs/01-institutional-gap-analysis.md

@@ -1,51 +1,24 @@
-# 01 — Institutional Gap Analysis (AS-IS) and TO-BE Targets
+# 01 — Institutional Gap Analysis
 
-> Non-normative supporting document. This is the analytical core of the package:
-> it maps each publicly-reported coordination failure to a specific element of
-> the BPMN / DMN / CMMN models, so the revised algorithm can be designed against
-> a concrete baseline.
+Gaps identified in the **as-is** algorithm, derived from the public chronology.
+Each gap is addressed by a specific element of this package and is referenced
+from `resources/mappings.yaml` and the diagrams.
 
-## Why this package exists
+| ID | Gap (as-is) | Addressed by (to-be) |
+|----|-------------|----------------------|
+| **G1** | No explicit object-classification step — "is it a drone, and how sure are we?" was implicit. | `Decision_ObjectClassification` makes class **and confidence** explicit before any threat call. |
+| **G2** | Public-broadcast authority was a **single point of failure**: one request from NBS Joint Staff was the only trigger, with no timed fallback. | `Task_AuthorizeBroadcast` carries a 3-minute timeout with a proposed escalation to the Crisis Management Centre (KVC). *Not yet institutionally agreed.* |
+| **G3** | Message wording was composed under time pressure. | `Decision_CellBroadcastScope` selects a **pre-approved template** (`MSG_*`); guardrail GR-4 forbids free-text public messaging. |
+| **G4** | No bounded, threat-graded **time target** for dispatch — the 40-minute delay had no SLA to breach. | `Decision_NotificationUrgency` outputs `broadcastSlaSeconds`; see `03-notification-timing-sla.md`. |
+| **G5** | No automatic detection that the SLA had been missed. | Non-interrupting **SLA-breach boundary timer** on `Task_DispatchBroadcast` → `Task_EscalateSla`. |
+| **G6** | Alert footprint was coarse — not matched to the drones' predicted path. | `Decision_CellBroadcastScope` builds the footprint from `corridorMunicipalities`. |
+| **G7** | Interception safety criteria were not written down or inspectable. | `Decision_InterceptionAuthorization` gates engagement on positive hostile ID, over-populated-area and debris-zone-clear, in that priority order. |
+| **G8** | Follow-on civil decisions (school closures, resident enquiries) had no owner. | CMMN stage `Stage_FieldResponse` (`HT_MunicipalEnquiries`); IZM recorded as a consulted party in `02-raci.md`. |
 
-After the 7 May 2026 Rēzekne incident the Ministry of Defence stated publicly
-that the inter-institutional **information / notification algorithms** must be
-reviewed and improved. The problem reported by municipalities and crisis-management
-officials was not a single mistake but a **structural misalignment**: no single,
-shared, machine-checkable description of who decides what, when, and on which
-inputs. UAPF exists precisely to hold that description as versioned, reviewable
-artifacts. This package is the AS-IS baseline.
+## Residual / open
 
-## Gap register
-
-| # | Reported gap (public record) | Where it lives in the model | TO-BE target |
-|---|---|---|---|
-| G1 | Cell-broadcast reached Rēzekne city only after residents had already seen/heard the drones; ~40-min lag vs Ludza/Balvi. | `Task_RequestBroadcast` → `Task_CellBroadcast` | Tighten the trigger so the request is driven by the **predicted corridor**, not by confirmed overflight. `Decision_CellBroadcastScope` already takes `corridorMunicipalities` — make corridor pre-alerting mandatory at `threatLevel = elevated`. |
-| G2 | Single point of failure: the alert fires only on an explicit NBS request. NBS stated the alert was not sent to Rēzekne because the "incident duration was too short"; the Interior Minister stated VUGD was ready but "a clear algorithm was not triggered". | `Task_RequestBroadcast` (documented GAP) | Define an explicit fallback authority and a time-boxed escalation: if NBS does not issue / decline a request within N minutes of a confirmed corridor, a named role (KVC duty) may trigger. Model as a boundary timer event on `Task_RequestBroadcast` in v0.2. |
-| G3 | Message content too thin — "possible threat" with no nature-of-threat detail; residents phoned municipalities asking whether tanks or drones were coming. | `Decision_CellBroadcastScope` output `messageTemplate` | Replace generic text with typed templates (`MSG_DRONE_IMMINENT`, `MSG_DRONE_POSSIBLE`, `MSG_AIRSPACE_MONITORING`) carrying threat type, recommended action and an information URL. Templates are an output column in the DMN table. |
-| G4 | No unified action algorithm across institutions; municipalities reported missing communication with state institutions and unclear ownership (AM vs VARAM vs IZM). | `Task_NotifyAgencies`; `resources/mappings.yaml` | A single resource mapping with explicit RACI per element (this package), reviewed jointly. Notification to KVC, IeM and municipal commissions modelled as a **parallel** branch so it cannot be skipped. |
-| G5 | Information on number/origin/landing sites of the drones was unavailable for ~5 hours. | CMMN `Stage_Investigation` (`HT_TechExam`, `HT_OriginAttribution`) | Make investigation a first-class case stage with explicit milestones and an information-publishing cadence, not an ad-hoc activity. |
-| G6 | ~3-day delay before clear public acknowledgement of the drones' (Ukrainian) origin created a perception of concealment. | CMMN `HT_OriginAttribution`, `HT_DisinfoMonitor`, `HT_Press` | Decouple "confirm origin" from "inform public": publish what is known on a fixed cadence; disinformation monitoring runs in parallel from the start. |
-| G7 | Interception not attempted; criteria ("all safety criteria") were not transparent or pre-agreed. | `Decision_InterceptionAuthorization` | Make the safety criteria an explicit, inspectable DMN table (civilian risk, debris fall-zone, positive ID, firing-position readiness, BAP availability) rather than a verbal judgement. |
-| G8 | School-closure and resident-guidance decisions lacked timely recommendations from IZM. | `Task_LocalResponse` (IZM consulted) | Bind IZM as a consulted resource on `Task_LocalResponse` with a pre-agreed guidance template issued automatically at `threatLevel >= elevated`. |
-
-## Modelling stance
-
-- The BPMN / DMN / CMMN in v0.1.0 deliberately model the **AS-IS** algorithm
-  *plus* the minimum corrections needed for it to be internally consistent
-  (parallel notification, typed messages, explicit interception table).
-- Items requiring a **policy decision** — notably G2 (fallback trigger
-  authority) — are flagged in `docs/02-raci.md` and left as open questions for
-  v0.2; they must not be silently encoded by a process author.
-- Nothing here is operationally approved. Lifecycle status is `draft`.
-
-## Open questions for the institutional steward
-
-1. **G2** — Who is the named fallback authority if NBS does not act within the
-   escalation window, and what is the window length?
-2. Should cell-broadcast corridor pre-alerting be automatic at
-   `threatLevel = elevated`, or remain a human decision?
-3. Is the cell-broadcast platform owned operationally by VUGD only, or jointly
-   with VARAM for the early-warning evolution? This changes the `Task_CellBroadcast`
-   binding.
-4. What is the mandated public-information cadence during an active incident
-   (G5/G6)?
+- **G2 escalation authority** is a *proposal*. Whether KVC may authorise a
+  public broadcast when NBS Joint Staff is unreachable is an institutional and
+  legal question, not a modelling one, and is flagged for review.
+- SLA values in `03-notification-timing-sla.md` are **proposed defaults** for
+  validation against NBS/VUGD operational reality.