Add shared alert policy document

This document outlines the shared alert policy, including definitions, creation rules, severity rules, ownership, visual rules, and non-goals for alerts.

governance/ALERT_POLICY.md

@@ -0,0 +1,59 @@
+# Shared Alert Policy
+
+This document defines when and how Alerts exist across the platform.
+
+---
+
+## Definitions
+
+Finding:
+An analytical result produced by analysis or execution.
+
+Alert:
+A Finding that requires attention, acknowledgment, or action.
+
+---
+
+## Alert Creation Rules
+
+- An Alert must always be derived from a Finding
+- A Finding may exist without becoming an Alert
+- Alerts are explicit, not implied
+- Alerts must have a defined reason for escalation
+
+---
+
+## Severity Rules
+
+- Severity is assigned at Finding creation
+- Severity may be escalated once during Alert creation
+- Severity may not be downgraded after escalation
+- Severity meaning is defined in goose-core
+
+---
+
+## Alert Ownership
+
+- ThreatHunt may suggest Alerts
+- GooseStrike may act on Alerts
+- Analysts approve or acknowledge Alerts
+- goose-core defines structure and semantics
+
+---
+
+## Visual Rules
+
+- Alerts have higher visual emphasis than Findings
+- Alerts may use animation for initial attention
+- Alerts must not use persistent or looping animation
+- Visual treatment must align with severity
+
+---
+
+## Non-Goals
+
+- Alerts are not automated actions
+- Alerts do not bypass analyst review
+- Alerts are not notifications by default
+
+Alerts represent **intent to act**, not action itself.