feat(agent-workspace): add escalation acknowledgement lifecycle audit trail

Author: Jacobinwwey

docs/brainstorms/2026-04-16-mainline-ci-stabilization-and-m7-direction-requirements.md

@@ -470,6 +470,36 @@ Deliverables:
   - `npm run test:agent-workspace:contracts`
   - `npm run verify:agent-workspace:runtime`
 
+### M7.15 (Now): Escalation Acknowledgement Lifecycle and Runbook-Action Status Audit Trail (Lane Ops Bridge)
+
+Deliverables:
+
+- add persisted escalation acknowledgement lifecycle status for operator runbook execution.
+- enforce deterministic escalation status transitions (`open -> acknowledged -> in_progress -> resolved|dismissed`).
+- expose runbook-action status audit trail for compliance and postmortem replay.
+
+#### M7.15 Progress Note (2026-04-16)
+
+- [Done] expanded `src/server.ts` with escalation lifecycle surfaces:
+  - `GET /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/acknowledgements?limit=...`,
+  - `GET /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/audit?limit=...`,
+  - `POST /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/acknowledge`.
+- [Done] added deterministic escalation lifecycle persistence and transition guardrails:
+  - `acknowledgeAgentWorkspaceDiagnosticsRemediationEscalation(...)`,
+  - `readAgentWorkspaceDiagnosticsRemediationEscalationLifecycleTrail(...)`,
+  - `readAgentWorkspaceDiagnosticsRemediationEscalationAuditTrail(...)`,
+  - transition validation for terminal status protection.
+- [Done] extended escalation route output with lifecycle visibility:
+  - `/triage/remediation/escalation` now includes action-level lifecycle state and aggregate `statusSummary`.
+- [Done] expanded evidence coverage:
+  - `src/server.migration.test.ts` now validates acknowledgement -> in-progress -> resolved lifecycle, invalid reopen block, acknowledgement/audit readbacks, and persisted lifecycle/audit files.
+  - `src/knowledge.api.contract.test.ts` now fail-fast checks escalation lifecycle route contracts.
+  - `src/agent_workspace.verification.contract.test.ts` + `scripts/verify-agent-workspace-runtime.js` now fail fast on escalation lifecycle/audit helper and route drift.
+- [Done] verification evidence:
+  - `npm test -- src/server.migration.test.ts --runInBand --testNamePattern "triage route summarizes replay risk|triage history and alert-threshold governance|adaptive threshold simulation and remediation guardrails|remediation backtest and approval-gate flow|approval policy hardening and remediation trend-regression alarms|approval-policy drift detection and alarm-to-runbook escalation stay deterministic|escalation acknowledgement lifecycle and runbook-action status audit trail stay deterministic"`
+  - `npm run test:agent-workspace:contracts`
+  - `npm run verify:agent-workspace:runtime`
+
 ## Success Criteria
 
 - CI failure mode that previously blocked the three agent-workspace suites is eliminated on mainline.
@@ -479,4 +509,4 @@ Deliverables:
 
 ## Next Step
 
-Proceed to `/prompts:ce-plan` using this document as the source for `M7.15` decomposition (escalation acknowledgement lifecycle and runbook-action status audit trail), while preserving M7 lane boundary constraints.
+Proceed to `/prompts:ce-plan` using this document as the source for `M7.16` decomposition (escalation SLA breach detection and overdue acknowledgement reminders), while preserving M7 lane boundary constraints.

docs/diataxis/en/explanation/development-progress-dashboard.md

@@ -483,6 +483,27 @@ Execution anchor:
   - `npm run test:agent-workspace:contracts`
   - `npm run verify:agent-workspace:runtime`
 
+## Latest Mainline Increment (2026-04-16 M7.15 Escalation Acknowledgement Lifecycle and Runbook-Action Audit Lane)
+
+- Expanded `src/server.ts` with escalation lifecycle governance routes:
+  - `GET /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/acknowledgements?limit=...`,
+  - `GET /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/audit?limit=...`,
+  - `POST /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/acknowledge`.
+- Added deterministic escalation lifecycle + status-transition guardrails:
+  - persisted acknowledgement trail,
+  - persisted runbook-action status audit trail,
+  - invalid reopen transitions blocked for terminal escalation states.
+- Extended escalation observability:
+  - `/triage/remediation/escalation` now includes per-action lifecycle state and aggregate `statusSummary`.
+- Extended executable evidence:
+  - `src/server.migration.test.ts` now validates acknowledgement lifecycle progression, invalid transition block, lifecycle/audit readbacks, and persistence artifacts for escalation status governance.
+- Hardened runtime verification gate:
+  - `src/knowledge.api.contract.test.ts`, `src/agent_workspace.verification.contract.test.ts`, and `scripts/verify-agent-workspace-runtime.js` now fail fast on escalation acknowledgement/audit routes and helper drift.
+- Verification evidence:
+  - `npm test -- src/server.migration.test.ts --runInBand --testNamePattern \"triage route summarizes replay risk|triage history and alert-threshold governance|adaptive threshold simulation and remediation guardrails|remediation backtest and approval-gate flow|approval policy hardening and remediation trend-regression alarms|approval-policy drift detection and alarm-to-runbook escalation stay deterministic|escalation acknowledgement lifecycle and runbook-action status audit trail stay deterministic\"`
+  - `npm run test:agent-workspace:contracts`
+  - `npm run verify:agent-workspace:runtime`
+
 ## Mainline vs Working-Branch Snapshot (2026-04-14)
 
 | Capability Slice | Working Branch (`feat/learning-multi-tutor-adapter`) | Mainline (`origin/main`) | Integration Status |
@@ -531,7 +552,7 @@ This dashboard aligns against the following requirement chain:
 | L2 Retrieval | explainable hybrid/vector retrieval + governance | Expanded in branch-oriented plans | Mainline file-backed baseline only (`src/learning/store.ts`) | Re-enter lane after concrete module evidence lands on mainline |
 | L3 Learning | mastery diagnostics + path/session loop | Expanded in branch | Partially integrated | Contract and integration parity |
 | L4 Interaction | agent conversation + focus/path pane runtime | Implemented in branch | M1-M4 baseline integrated on mainline | Expand capability surface via typed contract only |
-| L5 Governance | runbook, diagnostics, replay/autonomy controls | Expanded in branch | Operator diagnostics persistence/triage/history/threshold governance + runbook automation/audit + adaptive simulation/remediation + remediation backtest/approval-gate + approval-policy hardening/regression-alarms + approval-policy drift/escalation baseline integrated | Add escalation acknowledgement lifecycle and runbook-action status audit trail |
+| L5 Governance | runbook, diagnostics, replay/autonomy controls | Expanded in branch | Operator diagnostics persistence/triage/history/threshold governance + runbook automation/audit + adaptive simulation/remediation + remediation backtest/approval-gate + approval-policy hardening/regression-alarms + approval-policy drift/escalation + escalation acknowledgement lifecycle/audit baseline integrated | Add escalation SLA breach detection and overdue acknowledgement reminders |
 
 ## Verification Baseline
 

docs/diataxis/zh/explanation/development-progress-dashboard.md

@@ -485,6 +485,27 @@
   - `npm run test:agent-workspace:contracts`
   - `npm run verify:agent-workspace:runtime`
 
+## 主线最新增量（2026-04-16 M7.15 升级确认生命周期与 Runbook 动作状态审计链路）
+
+- 已在 `src/server.ts` 增加升级生命周期治理路由：
+  - `GET /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/acknowledgements?limit=...`，
+  - `GET /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/audit?limit=...`，
+  - `POST /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/acknowledge`。
+- 已新增确定性升级生命周期与状态迁移护栏：
+  - 升级确认轨迹持久化，
+  - runbook 动作状态审计轨迹持久化，
+  - 终态升级（`resolved`/`dismissed`）禁止非法回退。
+- 已扩展升级可观测性：
+  - `/triage/remediation/escalation` 输出新增动作级 lifecycle 状态与聚合 `statusSummary`。
+- 已补可执行证据：
+  - `src/server.migration.test.ts` 新增确认 -> 处理中 -> 已解决 生命周期路径、非法状态回退阻断、ack/audit 查询回读与持久化文件断言。
+- 已加固 runtime 门禁：
+  - `src/knowledge.api.contract.test.ts`、`src/agent_workspace.verification.contract.test.ts` 与 `scripts/verify-agent-workspace-runtime.js` 新增 escalation acknowledgement/audit 路由与 helper 的 fail-fast 断言。
+- 验证证据：
+  - `npm test -- src/server.migration.test.ts --runInBand --testNamePattern \"triage route summarizes replay risk|triage history and alert-threshold governance|adaptive threshold simulation and remediation guardrails|remediation backtest and approval-gate flow|approval policy hardening and remediation trend-regression alarms|approval-policy drift detection and alarm-to-runbook escalation stay deterministic|escalation acknowledgement lifecycle and runbook-action status audit trail stay deterministic\"`
+  - `npm run test:agent-workspace:contracts`
+  - `npm run verify:agent-workspace:runtime`
+
 ## 主线 vs 工作分支快照（2026-04-14）
 
 | 能力切片 | 工作分支（`feat/learning-multi-tutor-adapter`） | 主线（`origin/main`） | 集成状态 |
@@ -533,7 +554,7 @@
 | L2 检索层 | 可解释混合/向量检索 + 治理 | 分支规划增强中 | 主线当前为 file-backed 基线（`src/learning/store.ts`） | 待主线出现对应模块证据后再收敛 |
 | L3 学习层 | 掌握诊断 + 路径/会话闭环 | 分支增强中 | 主线部分集成 | 契约与集成一致性 |
 | L4 交互层 | agent 对话 + focus/path pane 运行时 | 分支已实现 | 主线 M1-M4 已落入基线 | 继续通过 typed contract 扩展动作面 |
-| L5 治理层 | runbook/诊断/回放与自动化 | 分支增强中 | 主线已集成运维诊断持久化/分级/趋势历史/阈值治理 + runbook 自动化/阈值审计 + 自适应模拟/自动修复 + 回测/批准门禁 + 批准策略硬化/回归告警 + 批准策略漂移/升级基线 | 增补升级确认生命周期与 runbook 动作状态审计轨迹 |
+| L5 治理层 | runbook/诊断/回放与自动化 | 分支增强中 | 主线已集成运维诊断持久化/分级/趋势历史/阈值治理 + runbook 自动化/阈值审计 + 自适应模拟/自动修复 + 回测/批准门禁 + 批准策略硬化/回归告警 + 批准策略漂移/升级 + 升级确认生命周期/审计基线 | 增补升级 SLA 超时检测与逾期确认提醒 |
 
 ## 验证基线
 

scripts/verify-agent-workspace-runtime.js

@@ -148,6 +148,18 @@ function verifyAgentWorkspaceRuntime(repoRoot = path.resolve(__dirname, '..')) {
     serverSource.includes('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation'),
     'Missing diagnostics remediation escalation route in src/server.ts'
   );
+  assert(
+    serverSource.includes('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/acknowledgements'),
+    'Missing diagnostics remediation escalation acknowledgement route in src/server.ts'
+  );
+  assert(
+    serverSource.includes('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/audit'),
+    'Missing diagnostics remediation escalation audit route in src/server.ts'
+  );
+  assert(
+    serverSource.includes('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/acknowledge'),
+    'Missing diagnostics remediation escalation acknowledge route in src/server.ts'
+  );
   assert(
     serverSource.includes('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/approvals'),
     'Missing diagnostics remediation approvals route in src/server.ts'
@@ -208,6 +220,30 @@ function verifyAgentWorkspaceRuntime(repoRoot = path.resolve(__dirname, '..')) {
     serverSource.includes('buildAgentWorkspaceDiagnosticsRemediationEscalationActions'),
     'Missing diagnostics remediation escalation builder in src/server.ts'
   );
+  assert(
+    serverSource.includes('readAgentWorkspaceDiagnosticsRemediationEscalationLifecycleTrail'),
+    'Missing remediation escalation lifecycle reader in src/server.ts'
+  );
+  assert(
+    serverSource.includes('upsertAgentWorkspaceDiagnosticsRemediationEscalationLifecycleRecord'),
+    'Missing remediation escalation lifecycle writer in src/server.ts'
+  );
+  assert(
+    serverSource.includes('readAgentWorkspaceDiagnosticsRemediationEscalationAuditTrail'),
+    'Missing remediation escalation audit reader in src/server.ts'
+  );
+  assert(
+    serverSource.includes('appendAgentWorkspaceDiagnosticsRemediationEscalationAuditEntry'),
+    'Missing remediation escalation audit writer in src/server.ts'
+  );
+  assert(
+    serverSource.includes('annotateAgentWorkspaceDiagnosticsRemediationEscalationActionsWithLifecycle'),
+    'Missing remediation escalation lifecycle annotator in src/server.ts'
+  );
+  assert(
+    serverSource.includes('acknowledgeAgentWorkspaceDiagnosticsRemediationEscalation'),
+    'Missing remediation escalation acknowledge helper in src/server.ts'
+  );
   assert(
     serverSource.includes('requestAgentWorkspaceDiagnosticsRemediationApproval'),
     'Missing diagnostics remediation approval-request helper in src/server.ts'
@@ -262,14 +298,16 @@ function verifyAgentWorkspaceRuntime(repoRoot = path.resolve(__dirname, '..')) {
       'diagnostics remediation policy route exists',
       'diagnostics remediation policy drift route exists',
       'diagnostics remediation escalation route exists',
+      'diagnostics remediation escalation acknowledgement routes exist',
       'diagnostics remediation approval routes exist',
       'diagnostics triage remediation route exists',
       'diagnostics retention governance exists',
       'diagnostics alert-threshold governance helpers exist',
-      'diagnostics threshold simulation, drift, and remediation helpers exist',
+      'diagnostics threshold simulation, drift, remediation, and escalation helpers exist',
       'diagnostics remediation policy and alarm helpers exist',
       'diagnostics threshold audit helpers exist',
       'diagnostics remediation approval trail helpers exist',
+      'diagnostics remediation escalation lifecycle and audit helpers exist',
       'runtime diagnostics persistence surface exists',
       'agent workspace contract test suite passes',
     ],

src/agent_workspace.verification.contract.test.ts

@@ -58,6 +58,9 @@ describe('agent workspace verification script contracts', () => {
     expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/policy');
     expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/policy/drift');
     expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation');
+    expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/acknowledgements');
+    expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/audit');
+    expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/acknowledge');
     expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/approvals');
     expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/approve');
     expect(runtimeSource).toContain('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation');
@@ -73,6 +76,12 @@ describe('agent workspace verification script contracts', () => {
     expect(runtimeSource).toContain('normalizeAgentWorkspaceDiagnosticsRemediationDriftInspectLimit');
     expect(runtimeSource).toContain('buildAgentWorkspaceDiagnosticsRemediationPolicyDriftReport');
     expect(runtimeSource).toContain('buildAgentWorkspaceDiagnosticsRemediationEscalationActions');
+    expect(runtimeSource).toContain('readAgentWorkspaceDiagnosticsRemediationEscalationLifecycleTrail');
+    expect(runtimeSource).toContain('upsertAgentWorkspaceDiagnosticsRemediationEscalationLifecycleRecord');
+    expect(runtimeSource).toContain('readAgentWorkspaceDiagnosticsRemediationEscalationAuditTrail');
+    expect(runtimeSource).toContain('appendAgentWorkspaceDiagnosticsRemediationEscalationAuditEntry');
+    expect(runtimeSource).toContain('annotateAgentWorkspaceDiagnosticsRemediationEscalationActionsWithLifecycle');
+    expect(runtimeSource).toContain('acknowledgeAgentWorkspaceDiagnosticsRemediationEscalation');
     expect(runtimeSource).toContain('requestAgentWorkspaceDiagnosticsRemediationApproval');
     expect(runtimeSource).toContain('executeAgentWorkspaceDiagnosticsAutoRemediation');
     expect(runtimeSource).toContain('consumeAgentWorkspaceDiagnosticsRemediationApproval');

src/knowledge.api.contract.test.ts

@@ -22,6 +22,9 @@ describe('Knowledge mastery API contract wiring', () => {
             '/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/policy',
             '/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/policy/drift',
             '/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation',
+            '/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/acknowledgements',
+            '/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/audit',
+            '/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/acknowledge',
             '/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/approvals',
             '/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/approve',
             '/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation',