Phase 5: autonomous incident workflows

[RobinOppenstam]

Summary

• Adds demo-scoped autonomous incident workflow APIs for Northstar Logistics:
  • POST /api/demo/run-incident
  • POST /api/demo/approve-remediation
• Adds event envelopes, Cloudflare Queue producer support, and a queue-consumer-compatible workflow handler module.
• Adds deterministic Phase 5 agent outputs for Ops, Support, Finance, Security, Comms, and Governance.
• Adds AI Gateway generation wrapper with timeout/retry/fallback handling.
• Writes real Phase 2 schema records: agent runs/events, recommendations, approval, decision, timeline events, notifications, reports, and audit logs.
• Adds workflow smoke script, tests, and docs with exact demo commands.

Changed files summary

• src/app/api/demo/* — guarded/rate-limited demo trigger + approval APIs.
• src/modules/workflows/incident-response/* — workflow constants, deterministic plan, start/pause/approval continuation services.
• src/modules/agents/fallbacks.ts — deterministic public-demo agent response library.
• src/lib/ai/gateway.ts — AI Gateway generation wrapper with safe fallback.
• src/modules/events/* — event envelope and Queue publisher.
• src/workflows/incident-response/queue-consumer.ts — Queue consumer-compatible workflow dispatcher.
• src/modules/audit/service.ts — idempotent audit log helper.
• scripts/workflow-smoke.ts + package.json — Phase 5 workflow smoke.
• tests/autonomous-workflows.test.ts — fallback, idempotency plan, approval gate, and audit continuation coverage.
• docs/autonomous-workflows.md — demo trigger/approval instructions and operational notes.
• .env.example, src/types/cloudflare.ts — AI-disabled flag typing/example.

Verification

• npm install ✅ — up to date; npm reported 8 moderate audit findings already present in dependency tree.
• npm run lint ✅
• npm run typecheck ✅
• npm test ✅ — 5 files passed, 19 tests passed, 3 skipped.
• npm run build ✅
• npm run cf:build ✅
• npm run demo:reset ✅ — reset Northstar demo successfully.
• npm run db:check ✅ — DB smoke ok with flagship active incident.
• npm run workflow:smoke ✅ — workflow smoke ok=true start=paused-for-approval approval=pending approve=remediated rerun=already-approved audit_seen=7.
• npm run ai:smoke ✅ — fallback mode ok.
• git diff --check ✅

Demo trigger / approval smoke instructions

Set BASE_URL to local/preview URL and ensure DEMO_MODE=true.

curl -X POST "$BASE_URL/api/demo/run-incident" \
  -H "content-type: application/json" \
  -d '{"demo":"northstar","action":"run-demo-incident"}'

Expected: HTTP 202, status: "paused-for-approval", approval approval_phase5_buffer_mode_remediation exists, no Phase 5 postmortem yet.

curl -X POST "$BASE_URL/api/demo/approve-remediation" \
  -H "content-type: application/json" \
  -d '{"demo":"northstar","action":"approve-remediation"}'

Expected: HTTP 202, status: "remediated", incident timeline/status updated, report report_phase5_postmortem_warehouse_latency generated, audit rows written.

Local DB smoke:

npm run demo:reset
npm run workflow:smoke
npm run demo:reset

Acceptance checklist

• Run Demo Incident API works locally via documented endpoint/script.
• Agent events are written to real DB records consumed by existing incident UI queries.
• Approval request is created by workflow.
• Workflow does not remediate before approval.
• Approval endpoint resumes via explicit continuation and simulates remediation safely.
• Postmortem/report record is generated after approval.
• Audit log contains major workflow events.
• AI unavailable/disabled uses deterministic fallback.
• Public trigger is demo-scoped and rate-limited/guarded.
• Scout review pending.

Risks / notes

• OpenNext worker entrypoint is still the generated .open-next/worker.js; this PR includes Queue producer support and a Queue consumer-compatible module, but does not replace the OpenNext worker entrypoint to export a live queue handler. APIs process synchronously after publishing the event for local/preview reliability.
• Demo endpoints are public-demo scoped, guarded by explicit body + DEMO_MODE=true, and rate-limited, but Phase 6 should add stronger auth/governance UI controls.
• npm install reports 8 moderate audit findings in the existing dependency tree; no new dependency was added.

Preview/deploy URL

• Not deployed by this PR.