feat(agent-workspace): add adaptive threshold simulation and guarded remediation

Author: Jacobinwwey

docs/brainstorms/2026-04-16-mainline-ci-stabilization-and-m7-direction-requirements.md

@@ -360,6 +360,33 @@ Deliverables:
   - `npm run test:agent-workspace:contracts`
   - `npm run verify:agent-workspace:runtime`
 
+### M7.11 (Now): Adaptive Threshold-Policy Simulation and Auto-Remediation Guardrails (Lane Ops Bridge)
+
+Deliverables:
+
+- add adaptive threshold-policy simulation route bound to triage/history signals.
+- add guarded auto-remediation route with dry-run/apply/blocked modes.
+- enforce deterministic remediation guardrails (minimum sample depth and bounded deltas) before persistence.
+
+#### M7.11 Progress Note (2026-04-16)
+
+- [Done] expanded `src/server.ts` with adaptive policy simulation route:
+  - `GET /api/knowledge/operator/agent-workspace-diagnostics/triage/thresholds/simulate?window=...&strategy=...`.
+- [Done] expanded `src/server.ts` with guarded remediation route:
+  - `POST /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation`.
+- [Done] landed bounded remediation guardrails:
+  - minimum indexed/history sample requirements before apply,
+  - replay-rate/top-limit/history-window delta caps before apply,
+  - deterministic mode outputs (`dry-run`, `applied`, `blocked`, `noop`).
+- [Done] expanded evidence coverage:
+  - `src/server.migration.test.ts` now validates simulation payloads, dry-run immutability, apply-path persistence, blocked-path guardrails, and audit traceability,
+  - `src/knowledge.api.contract.test.ts` now fail-fast checks simulation/remediation route contracts,
+  - `src/agent_workspace.verification.contract.test.ts` + `scripts/verify-agent-workspace-runtime.js` now fail fast on simulation/remediation helper/route drift.
+- [Done] verification evidence:
+  - `npm test -- src/server.migration.test.ts --runInBand --testNamePattern "triage route summarizes replay risk|triage history and alert-threshold governance|adaptive threshold simulation and remediation guardrails"`
+  - `npm run test:agent-workspace:contracts`
+  - `npm run verify:agent-workspace:runtime`
+
 ## Success Criteria
 
 - CI failure mode that previously blocked the three agent-workspace suites is eliminated on mainline.
@@ -369,4 +396,4 @@ Deliverables:
 
 ## Next Step
 
-Proceed to `/prompts:ce-plan` using this document as the source for `M7.11` decomposition (adaptive threshold-policy simulation and auto-remediation guardrails), while preserving M7 lane boundary constraints.
+Proceed to `/prompts:ce-plan` using this document as the source for `M7.12` decomposition (remediation efficacy backtesting and operator approval gates), while preserving M7 lane boundary constraints.

docs/diataxis/en/explanation/development-progress-dashboard.md

@@ -405,6 +405,25 @@ Execution anchor:
   - `npm run test:agent-workspace:contracts`
   - `npm run verify:agent-workspace:runtime`
 
+## Latest Mainline Increment (2026-04-16 M7.11 Adaptive Threshold Simulation and Guarded Auto-Remediation Lane)
+
+- Expanded `src/server.ts` with adaptive threshold-policy simulation route:
+  - `GET /api/knowledge/operator/agent-workspace-diagnostics/triage/thresholds/simulate?window=...&strategy=...`.
+- Expanded `src/server.ts` with guarded auto-remediation route:
+  - `POST /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation`.
+- Added deterministic remediation guardrails:
+  - minimum indexed/history sample depth before apply,
+  - bounded replay-rate/top-replay/history-window deltas before apply,
+  - deterministic remediation outcome modes (`dry-run`, `applied`, `blocked`, `noop`).
+- Expanded executable evidence:
+  - `src/server.migration.test.ts` now validates simulation payload semantics, dry-run immutability, apply-path threshold persistence, blocked-path guardrail enforcement, and audit traceability.
+- Hardened runtime verification gate:
+  - `src/knowledge.api.contract.test.ts`, `src/agent_workspace.verification.contract.test.ts`, and `scripts/verify-agent-workspace-runtime.js` now fail fast on simulation/remediation route and helper drift.
+- Verification evidence:
+  - `npm test -- src/server.migration.test.ts --runInBand --testNamePattern \"triage route summarizes replay risk|triage history and alert-threshold governance|adaptive threshold simulation and remediation guardrails\"`
+  - `npm run test:agent-workspace:contracts`
+  - `npm run verify:agent-workspace:runtime`
+
 ## Mainline vs Working-Branch Snapshot (2026-04-14)
 
 | Capability Slice | Working Branch (`feat/learning-multi-tutor-adapter`) | Mainline (`origin/main`) | Integration Status |
@@ -453,7 +472,7 @@ This dashboard aligns against the following requirement chain:
 | L2 Retrieval | explainable hybrid/vector retrieval + governance | Expanded in branch-oriented plans | Mainline file-backed baseline only (`src/learning/store.ts`) | Re-enter lane after concrete module evidence lands on mainline |
 | L3 Learning | mastery diagnostics + path/session loop | Expanded in branch | Partially integrated | Contract and integration parity |
 | L4 Interaction | agent conversation + focus/path pane runtime | Implemented in branch | M1-M4 baseline integrated on mainline | Expand capability surface via typed contract only |
-| L5 Governance | runbook, diagnostics, replay/autonomy controls | Expanded in branch | Operator diagnostics persistence/triage/history/threshold governance + runbook automation/audit baseline integrated | Expand adaptive policy simulation and CI evidence depth |
+| L5 Governance | runbook, diagnostics, replay/autonomy controls | Expanded in branch | Operator diagnostics persistence/triage/history/threshold governance + runbook automation/audit + adaptive simulation/remediation baseline integrated | Add remediation efficacy backtesting and approval-gate evidence |
 
 ## Verification Baseline
 

docs/diataxis/zh/explanation/development-progress-dashboard.md

@@ -407,6 +407,25 @@
   - `npm run test:agent-workspace:contracts`
   - `npm run verify:agent-workspace:runtime`
 
+## 主线最新增量（2026-04-16 M7.11 自适应阈值模拟与受护栏自动修复链路）
+
+- 已在 `src/server.ts` 增加自适应阈值策略模拟路由面：
+  - `GET /api/knowledge/operator/agent-workspace-diagnostics/triage/thresholds/simulate?window=...&strategy=...`。
+- 已在 `src/server.ts` 增加受护栏自动修复路由面：
+  - `POST /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation`。
+- 已增加确定性自动修复护栏：
+  - apply 前强制最小 indexed/history 样本深度，
+  - apply 前强制 replay-rate/top-replay/history-window 的有界 delta，
+  - 输出确定性 remediation mode（`dry-run`、`applied`、`blocked`、`noop`）。
+- 已补可执行证据：
+  - `src/server.migration.test.ts` 新增 simulation 语义、dry-run 不变性、apply 路径阈值落盘、blocked 路径护栏与审计追踪断言。
+- 已加固 runtime 门禁：
+  - `src/knowledge.api.contract.test.ts`、`src/agent_workspace.verification.contract.test.ts` 与 `scripts/verify-agent-workspace-runtime.js` 新增 simulation/remediation 路由与 helper 的 fail-fast 断言。
+- 验证证据：
+  - `npm test -- src/server.migration.test.ts --runInBand --testNamePattern \"triage route summarizes replay risk|triage history and alert-threshold governance|adaptive threshold simulation and remediation guardrails\"`
+  - `npm run test:agent-workspace:contracts`
+  - `npm run verify:agent-workspace:runtime`
+
 ## 主线 vs 工作分支快照（2026-04-14）
 
 | 能力切片 | 工作分支（`feat/learning-multi-tutor-adapter`） | 主线（`origin/main`） | 集成状态 |
@@ -455,7 +474,7 @@
 | L2 检索层 | 可解释混合/向量检索 + 治理 | 分支规划增强中 | 主线当前为 file-backed 基线（`src/learning/store.ts`） | 待主线出现对应模块证据后再收敛 |
 | L3 学习层 | 掌握诊断 + 路径/会话闭环 | 分支增强中 | 主线部分集成 | 契约与集成一致性 |
 | L4 交互层 | agent 对话 + focus/path pane 运行时 | 分支已实现 | 主线 M1-M4 已落入基线 | 继续通过 typed contract 扩展动作面 |
-| L5 治理层 | runbook/诊断/回放与自动化 | 分支增强中 | 主线已集成运维诊断持久化/分级/趋势历史/阈值治理 + runbook 自动化/阈值审计基线 | 扩展自适应策略模拟与 CI 证据深度 |
+| L5 治理层 | runbook/诊断/回放与自动化 | 分支增强中 | 主线已集成运维诊断持久化/分级/趋势历史/阈值治理 + runbook 自动化/阈值审计 + 自适应模拟/自动修复基线 | 增补修复效果回测与人工批准门禁证据 |
 
 ## 验证基线
 

scripts/verify-agent-workspace-runtime.js

@@ -120,10 +120,18 @@ function verifyAgentWorkspaceRuntime(repoRoot = path.resolve(__dirname, '..')) {
     serverSource.includes('/api/knowledge/operator/agent-workspace-diagnostics/triage/thresholds'),
     'Missing diagnostics triage thresholds route in src/server.ts'
   );
+  assert(
+    serverSource.includes('/api/knowledge/operator/agent-workspace-diagnostics/triage/thresholds/simulate'),
+    'Missing diagnostics triage threshold simulation route in src/server.ts'
+  );
   assert(
     serverSource.includes('/api/knowledge/operator/agent-workspace-diagnostics/triage/thresholds/audit'),
     'Missing diagnostics triage thresholds audit route in src/server.ts'
   );
+  assert(
+    serverSource.includes('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation'),
+    'Missing diagnostics triage remediation route in src/server.ts'
+  );
   assert(
     serverSource.includes('cleanupStaleAgentWorkspaceDiagnosticsReports'),
     'Missing diagnostics retention cleanup helper in src/server.ts'
@@ -140,6 +148,14 @@ function verifyAgentWorkspaceRuntime(repoRoot = path.resolve(__dirname, '..')) {
     serverSource.includes('persistAgentWorkspaceDiagnosticsAlertThresholds'),
     'Missing diagnostics triage threshold writer in src/server.ts'
   );
+  assert(
+    serverSource.includes('buildAgentWorkspaceDiagnosticsThresholdPolicySimulation'),
+    'Missing diagnostics threshold policy simulation helper in src/server.ts'
+  );
+  assert(
+    serverSource.includes('executeAgentWorkspaceDiagnosticsAutoRemediation'),
+    'Missing diagnostics auto-remediation helper in src/server.ts'
+  );
   assert(
     serverSource.includes('readAgentWorkspaceDiagnosticsThresholdAuditTrail'),
     'Missing diagnostics threshold audit reader in src/server.ts'
@@ -167,9 +183,12 @@ function verifyAgentWorkspaceRuntime(repoRoot = path.resolve(__dirname, '..')) {
       'diagnostics triage history route exists',
       'diagnostics triage runbook route exists',
       'diagnostics triage threshold governance routes exist',
+      'diagnostics triage threshold simulation route exists',
       'diagnostics triage threshold audit route exists',
+      'diagnostics triage remediation route exists',
       'diagnostics retention governance exists',
       'diagnostics alert-threshold governance helpers exist',
+      'diagnostics threshold simulation and remediation helpers exist',
       'diagnostics threshold audit helpers exist',
       'runtime diagnostics persistence surface exists',
       'agent workspace contract test suite passes',

src/agent_workspace.verification.contract.test.ts

@@ -51,11 +51,15 @@ describe('agent workspace verification script contracts', () => {
     expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/history');
     expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/runbook');
     expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/thresholds');
+    expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/thresholds/simulate');
     expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/thresholds/audit');
+    expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation');
     expect(runtimeSource).toContain('cleanupStaleAgentWorkspaceDiagnosticsReports');
     expect(runtimeSource).toContain('AGENT_WORKSPACE_DIAGNOSTICS_MAX_ENTRIES');
     expect(runtimeSource).toContain('readAgentWorkspaceDiagnosticsAlertThresholds');
     expect(runtimeSource).toContain('persistAgentWorkspaceDiagnosticsAlertThresholds');
+    expect(runtimeSource).toContain('buildAgentWorkspaceDiagnosticsThresholdPolicySimulation');
+    expect(runtimeSource).toContain('executeAgentWorkspaceDiagnosticsAutoRemediation');
     expect(runtimeSource).toContain('readAgentWorkspaceDiagnosticsThresholdAuditTrail');
     expect(runtimeSource).toContain('appendAgentWorkspaceDiagnosticsThresholdAuditEntry');
     expect(runtimeSource).toContain('persistDiagnosticsReport');

src/knowledge.api.contract.test.ts

@@ -15,7 +15,9 @@ describe('Knowledge mastery API contract wiring', () => {
             '/api/knowledge/operator/agent-workspace-diagnostics/triage/history',
             '/api/knowledge/operator/agent-workspace-diagnostics/triage/runbook',
             '/api/knowledge/operator/agent-workspace-diagnostics/triage/thresholds',
+            '/api/knowledge/operator/agent-workspace-diagnostics/triage/thresholds/simulate',
             '/api/knowledge/operator/agent-workspace-diagnostics/triage/thresholds/audit',
+            '/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation',
             '/api/knowledge/operator/agent-workspace-diagnostics/report',
             '/api/knowledge/store/reload',
             '/api/knowledge/ingest',