From 0fd429a5c85a39054dfd94bd0390dc2b92c83478 Mon Sep 17 00:00:00 2001 From: mblanke Date: Wed, 24 Dec 2025 13:07:06 -0500 Subject: [PATCH] Add FINDING_LIFECYCLE.md to define finding stages --- contracts/FINDING_LIFECYCLE.md | 41 ++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 contracts/FINDING_LIFECYCLE.md diff --git a/contracts/FINDING_LIFECYCLE.md b/contracts/FINDING_LIFECYCLE.md new file mode 100644 index 0000000..17a2b08 --- /dev/null +++ b/contracts/FINDING_LIFECYCLE.md @@ -0,0 +1,41 @@ +# Finding Lifecycle (Shared) + +This defines how findings move across systems. + +## Lifecycle Stages + +1. **Generated** + - Created by ThreatHunt analysis + - Created by GooseStrike execution results + +2. **Normalized** + - Must conform to shared Finding contract + - Terminology and severity aligned + +3. **Reviewed** + - Analyst inspects finding + - Confidence assessed + - Context added + +4. **Escalated (Optional)** + - Finding becomes an Alert + - Requires action or acknowledgment + +5. **Consumed** + - Used by GooseStrike for planning + - Used by analysts for reporting + +--- + +## Hard Rules +- A Finding must exist before an Alert +- Severity is immutable once escalated +- All actions must trace back to a Finding +- Findings are never deleted, only closed + +--- + +## Ownership +- ThreatHunt owns analytical correctness +- GooseStrike owns action traceability +- goose-core owns structure and meaning
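Review bot: The Hard Rules line "Findings are never deleted, only closed" depends on a closed state that the Lifecycle Stages list never defines; the five stages end at "Consumed". Suggest adding a Closed stage, or a sentence saying from which stages a finding can be closed and which owner records the closure, so that "closed" is something an implementation can check. Two related gaps in the same hunk: "Severity is immutable once escalated" does not say whether severity may still change for a finding that skips the optional Escalated stage and goes straight to Consumed, and the document lists stages in order without stating which transitions are allowed (for example whether a Reviewed finding can return to Normalized). Under Normalized, "Must conform to shared Finding contract" would be easier to follow with a relative link to the contract file it refers to.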