Skip to content

Commit 3697ef6

Browse files
committed
feat(agent-workspace): harden approval policy and add remediation alarms
1 parent 0973361 commit 3697ef6

8 files changed

Lines changed: 455 additions & 20 deletions

docs/brainstorms/2026-04-16-mainline-ci-stabilization-and-m7-direction-requirements.md

Lines changed: 29 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -415,6 +415,34 @@ Deliverables:
415415
- `npm run test:agent-workspace:contracts`
416416
- `npm run verify:agent-workspace:runtime`
417417

418+
### M7.13 (Now): Approval-Policy Hardening and Remediation Trend-Regression Alarms (Lane Ops Bridge)
419+
420+
Deliverables:
421+
422+
- harden approval policy semantics for high-risk remediation strategies.
423+
- expose remediation approval-policy surface for operator observability.
424+
- add remediation trend-regression alarm surface driven by backtest deltas.
425+
426+
#### M7.13 Progress Note (2026-04-16)
427+
428+
- [Done] expanded `src/server.ts` with remediation approval-policy route:
429+
- `GET /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/policy`.
430+
- [Done] expanded `src/server.ts` with remediation alarm route:
431+
- `GET /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/alarms?window=...&strategy=...`.
432+
- [Done] hardened approval policy behavior:
433+
- aggressive remediation strategy now requires approval by policy,
434+
- approval requests now enforce minimum `approvedBy` and `reason` lengths before recording.
435+
- [Done] expanded regression-alarm semantics:
436+
- remediation backtest now emits deterministic alarm payloads (`critical`/`warning`/`info`) for high-risk/failure/replay-trend regression detection.
437+
- [Done] expanded evidence coverage:
438+
- `src/server.migration.test.ts` now validates approval-policy route contract, short-reason block path, aggressive apply approval requirement, approval consume reuse block, and remediation alarm payload semantics,
439+
- `src/knowledge.api.contract.test.ts` now fail-fast checks policy/alarm route contracts,
440+
- `src/agent_workspace.verification.contract.test.ts` + `scripts/verify-agent-workspace-runtime.js` now fail fast on policy/alarm helper and route drift.
441+
- [Done] verification evidence:
442+
- `npm test -- src/server.migration.test.ts --runInBand --testNamePattern "triage route summarizes replay risk|triage history and alert-threshold governance|adaptive threshold simulation and remediation guardrails|remediation backtest and approval-gate flow|approval policy hardening and remediation trend-regression alarms"`
443+
- `npm run test:agent-workspace:contracts`
444+
- `npm run verify:agent-workspace:runtime`
445+
418446
## Success Criteria
419447

420448
- CI failure mode that previously blocked the three agent-workspace suites is eliminated on mainline.
@@ -424,4 +452,4 @@ Deliverables:
424452

425453
## Next Step
426454

427-
Proceed to `/prompts:ce-plan` using this document as the source for `M7.13` decomposition (approval-policy hardening and remediation efficacy trend-regression alarms), while preserving M7 lane boundary constraints.
455+
Proceed to `/prompts:ce-plan` using this document as the source for `M7.14` decomposition (approval-policy drift detection and alarm-to-runbook escalation automation), while preserving M7 lane boundary constraints.

docs/diataxis/en/explanation/development-progress-dashboard.md

Lines changed: 21 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -444,6 +444,26 @@ Execution anchor:
444444
- `npm run test:agent-workspace:contracts`
445445
- `npm run verify:agent-workspace:runtime`
446446

447+
## Latest Mainline Increment (2026-04-16 M7.13 Approval-Policy Hardening and Remediation Regression-Alarms Lane)
448+
449+
- Expanded `src/server.ts` with remediation approval-policy surface:
450+
- `GET /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/policy`.
451+
- Expanded `src/server.ts` with remediation regression-alarm surface:
452+
- `GET /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/alarms?window=...&strategy=...`.
453+
- Hardened approval-policy behavior:
454+
- approval requests now enforce minimum `approvedBy` and `reason` lengths,
455+
- aggressive remediation strategy now requires approval by policy before apply.
456+
- Extended remediation backtest semantics:
457+
- backtest payload now emits deterministic `alarms` for high-risk/failure/replay-trend regressions and non-recommended candidates.
458+
- Expanded executable evidence:
459+
- `src/server.migration.test.ts` now validates policy route semantics, short-reason approval block path, aggressive apply approval requirement, consumed-approval reuse block path, and alarm payload shape.
460+
- Hardened runtime verification gate:
461+
- `src/knowledge.api.contract.test.ts`, `src/agent_workspace.verification.contract.test.ts`, and `scripts/verify-agent-workspace-runtime.js` now fail fast on policy/alarm routes and helper drift.
462+
- Verification evidence:
463+
- `npm test -- src/server.migration.test.ts --runInBand --testNamePattern \"triage route summarizes replay risk|triage history and alert-threshold governance|adaptive threshold simulation and remediation guardrails|remediation backtest and approval-gate flow|approval policy hardening and remediation trend-regression alarms\"`
464+
- `npm run test:agent-workspace:contracts`
465+
- `npm run verify:agent-workspace:runtime`
466+
447467
## Mainline vs Working-Branch Snapshot (2026-04-14)
448468

449469
| Capability Slice | Working Branch (`feat/learning-multi-tutor-adapter`) | Mainline (`origin/main`) | Integration Status |
@@ -492,7 +512,7 @@ This dashboard aligns against the following requirement chain:
492512
| L2 Retrieval | explainable hybrid/vector retrieval + governance | Expanded in branch-oriented plans | Mainline file-backed baseline only (`src/learning/store.ts`) | Re-enter lane after concrete module evidence lands on mainline |
493513
| L3 Learning | mastery diagnostics + path/session loop | Expanded in branch | Partially integrated | Contract and integration parity |
494514
| L4 Interaction | agent conversation + focus/path pane runtime | Implemented in branch | M1-M4 baseline integrated on mainline | Expand capability surface via typed contract only |
495-
| L5 Governance | runbook, diagnostics, replay/autonomy controls | Expanded in branch | Operator diagnostics persistence/triage/history/threshold governance + runbook automation/audit + adaptive simulation/remediation + remediation backtest/approval-gate baseline integrated | Add approval-policy hardening and remediation trend-regression alarms |
515+
| L5 Governance | runbook, diagnostics, replay/autonomy controls | Expanded in branch | Operator diagnostics persistence/triage/history/threshold governance + runbook automation/audit + adaptive simulation/remediation + remediation backtest/approval-gate + approval-policy hardening/regression-alarms baseline integrated | Add approval-policy drift detection and alarm-to-runbook escalation automation |
496516

497517
## Verification Baseline
498518

docs/diataxis/zh/explanation/development-progress-dashboard.md

Lines changed: 21 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -446,6 +446,26 @@
446446
- `npm run test:agent-workspace:contracts`
447447
- `npm run verify:agent-workspace:runtime`
448448

449+
## 主线最新增量(2026-04-16 M7.13 批准策略硬化与修复趋势回归告警链路)
450+
451+
- 已在 `src/server.ts` 增加修复批准策略可观测路由面:
452+
- `GET /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/policy`
453+
- 已在 `src/server.ts` 增加修复趋势回归告警路由面:
454+
- `GET /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/alarms?window=...&strategy=...`
455+
- 已硬化批准策略行为:
456+
- 批准请求新增 `approvedBy` / `reason` 最小长度校验,
457+
- aggressive 策略 remediation apply 由策略默认强制批准门禁。
458+
- 已扩展 remediation backtest 语义:
459+
- backtest 输出新增确定性 `alarms`,覆盖高风险回归、失败回归、replay 趋势回归与 non-recommended 候选告警。
460+
- 已补可执行证据:
461+
- `src/server.migration.test.ts` 新增 policy 路由语义、short-reason 批准阻断、aggressive apply 强制批准、consumed approval 复用阻断与 alarm 载荷断言。
462+
- 已加固 runtime 门禁:
463+
- `src/knowledge.api.contract.test.ts``src/agent_workspace.verification.contract.test.ts``scripts/verify-agent-workspace-runtime.js` 新增 policy/alarm 路由与 helper 的 fail-fast 断言。
464+
- 验证证据:
465+
- `npm test -- src/server.migration.test.ts --runInBand --testNamePattern \"triage route summarizes replay risk|triage history and alert-threshold governance|adaptive threshold simulation and remediation guardrails|remediation backtest and approval-gate flow|approval policy hardening and remediation trend-regression alarms\"`
466+
- `npm run test:agent-workspace:contracts`
467+
- `npm run verify:agent-workspace:runtime`
468+
449469
## 主线 vs 工作分支快照(2026-04-14)
450470

451471
| 能力切片 | 工作分支(`feat/learning-multi-tutor-adapter`| 主线(`origin/main`| 集成状态 |
@@ -494,7 +514,7 @@
494514
| L2 检索层 | 可解释混合/向量检索 + 治理 | 分支规划增强中 | 主线当前为 file-backed 基线(`src/learning/store.ts`| 待主线出现对应模块证据后再收敛 |
495515
| L3 学习层 | 掌握诊断 + 路径/会话闭环 | 分支增强中 | 主线部分集成 | 契约与集成一致性 |
496516
| L4 交互层 | agent 对话 + focus/path pane 运行时 | 分支已实现 | 主线 M1-M4 已落入基线 | 继续通过 typed contract 扩展动作面 |
497-
| L5 治理层 | runbook/诊断/回放与自动化 | 分支增强中 | 主线已集成运维诊断持久化/分级/趋势历史/阈值治理 + runbook 自动化/阈值审计 + 自适应模拟/自动修复 + 回测/批准门禁基线 | 增补批准策略硬化与修复趋势回归告警 |
517+
| L5 治理层 | runbook/诊断/回放与自动化 | 分支增强中 | 主线已集成运维诊断持久化/分级/趋势历史/阈值治理 + runbook 自动化/阈值审计 + 自适应模拟/自动修复 + 回测/批准门禁 + 批准策略硬化/回归告警基线 | 增补批准策略漂移检测与告警到 runbook 升级自动化 |
498518

499519
## 验证基线
500520

scripts/verify-agent-workspace-runtime.js

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -132,6 +132,14 @@ function verifyAgentWorkspaceRuntime(repoRoot = path.resolve(__dirname, '..')) {
132132
serverSource.includes('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/backtest'),
133133
'Missing diagnostics remediation backtest route in src/server.ts'
134134
);
135+
assert(
136+
serverSource.includes('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/alarms'),
137+
'Missing diagnostics remediation alarms route in src/server.ts'
138+
);
139+
assert(
140+
serverSource.includes('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/policy'),
141+
'Missing diagnostics remediation policy route in src/server.ts'
142+
);
135143
assert(
136144
serverSource.includes('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/approvals'),
137145
'Missing diagnostics remediation approvals route in src/server.ts'
@@ -164,10 +172,22 @@ function verifyAgentWorkspaceRuntime(repoRoot = path.resolve(__dirname, '..')) {
164172
serverSource.includes('buildAgentWorkspaceDiagnosticsThresholdPolicySimulation'),
165173
'Missing diagnostics threshold policy simulation helper in src/server.ts'
166174
);
175+
assert(
176+
serverSource.includes('getAgentWorkspaceDiagnosticsRemediationApprovalPolicy'),
177+
'Missing diagnostics remediation approval policy helper in src/server.ts'
178+
);
179+
assert(
180+
serverSource.includes('isAgentWorkspaceDiagnosticsApprovalRequiredByPolicy'),
181+
'Missing diagnostics remediation approval policy matcher in src/server.ts'
182+
);
167183
assert(
168184
serverSource.includes('buildAgentWorkspaceDiagnosticsRemediationBacktest'),
169185
'Missing diagnostics remediation backtest helper in src/server.ts'
170186
);
187+
assert(
188+
serverSource.includes('buildAgentWorkspaceDiagnosticsRemediationBacktestAlarms'),
189+
'Missing diagnostics remediation alarm builder in src/server.ts'
190+
);
171191
assert(
172192
serverSource.includes('requestAgentWorkspaceDiagnosticsRemediationApproval'),
173193
'Missing diagnostics remediation approval-request helper in src/server.ts'
@@ -218,11 +238,14 @@ function verifyAgentWorkspaceRuntime(repoRoot = path.resolve(__dirname, '..')) {
218238
'diagnostics triage threshold simulation route exists',
219239
'diagnostics triage threshold audit route exists',
220240
'diagnostics remediation backtest route exists',
241+
'diagnostics remediation alarm route exists',
242+
'diagnostics remediation policy route exists',
221243
'diagnostics remediation approval routes exist',
222244
'diagnostics triage remediation route exists',
223245
'diagnostics retention governance exists',
224246
'diagnostics alert-threshold governance helpers exist',
225247
'diagnostics threshold simulation and remediation helpers exist',
248+
'diagnostics remediation policy and alarm helpers exist',
226249
'diagnostics threshold audit helpers exist',
227250
'diagnostics remediation approval trail helpers exist',
228251
'runtime diagnostics persistence surface exists',

src/agent_workspace.verification.contract.test.ts

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -54,6 +54,8 @@ describe('agent workspace verification script contracts', () => {
5454
expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/thresholds/simulate');
5555
expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/thresholds/audit');
5656
expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/backtest');
57+
expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/alarms');
58+
expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/policy');
5759
expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/approvals');
5860
expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/approve');
5961
expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation');
@@ -62,7 +64,10 @@ describe('agent workspace verification script contracts', () => {
6264
expect(runtimeSource).toContain('readAgentWorkspaceDiagnosticsAlertThresholds');
6365
expect(runtimeSource).toContain('persistAgentWorkspaceDiagnosticsAlertThresholds');
6466
expect(runtimeSource).toContain('buildAgentWorkspaceDiagnosticsThresholdPolicySimulation');
67+
expect(runtimeSource).toContain('getAgentWorkspaceDiagnosticsRemediationApprovalPolicy');
68+
expect(runtimeSource).toContain('isAgentWorkspaceDiagnosticsApprovalRequiredByPolicy');
6569
expect(runtimeSource).toContain('buildAgentWorkspaceDiagnosticsRemediationBacktest');
70+
expect(runtimeSource).toContain('buildAgentWorkspaceDiagnosticsRemediationBacktestAlarms');
6671
expect(runtimeSource).toContain('requestAgentWorkspaceDiagnosticsRemediationApproval');
6772
expect(runtimeSource).toContain('executeAgentWorkspaceDiagnosticsAutoRemediation');
6873
expect(runtimeSource).toContain('consumeAgentWorkspaceDiagnosticsRemediationApproval');

src/knowledge.api.contract.test.ts

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,8 @@ describe('Knowledge mastery API contract wiring', () => {
1818
'/api/knowledge/operator/agent-workspace-diagnostics/triage/thresholds/simulate',
1919
'/api/knowledge/operator/agent-workspace-diagnostics/triage/thresholds/audit',
2020
'/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/backtest',
21+
'/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/alarms',
22+
'/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/policy',
2123
'/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/approvals',
2224
'/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/approve',
2325
'/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation',

0 commit comments

Comments
 (0)