Phase 6B: approval governance audit UI #8

Merged: RobinOppenstam merged 2 commits into main from feat/governance-audit on May 27, 2026

@RobinOppenstam
Contributor

Summary

  • Added Phase 6B approval queue and approval detail routes wired to the Phase 6A approval query/decision API contract.
  • Added client decision controls that submit selected demo-mode governance role, approve/reject decision, and rationale to /api/approvals/:id/decide.
  • Added audit log browser with filters for actor user/role, action, action type, incident, target, status, outcome, and search.
  • Added governance role banner/copy clarifying demo-mode role selection is not secure auth and server-side permission checks are authoritative.
  • Added incident detail links into approval detail/queue and incident-filtered audit trail.
  • Promoted Approvals and Audit to live navigation and added UI display helper tests.

Files changed

  • src/app/(app)/approvals/**
  • src/app/(app)/audit/**
  • src/modules/approvals/components/**
  • src/modules/audit/components/**
  • src/modules/governance/**
  • src/app/(app)/incidents/[id]/page.tsx
  • src/lib/navigation.ts
  • tests/governance-ui.test.ts

Verification

  • git remote -v confirmed https://github.com/hexitlabs/commandgrid.git.
  • git fetch --prune run; branch based on origin/main at Phase 6A merge 0457024dd1720dd8a6f263a4a3329a0e4d46b568.
  • npm install ✅ (up to date; npm reports 8 moderate vulnerabilities, existing audit advisory state)
  • npm run lint
  • npm run typecheck
  • npm test ✅ (31 passed, 5 skipped)
  • npm run build
  • npm run cf:build
  • npm run db:check ✅ after npm run demo:reset
  • npm run governance:audit-smoke ✅ (unauthorized_blocked=true, continuation resumed)
  • Final npm run demo:reset && npm run db:check ✅ to restore demo DB after approval smoke.

Visual / route review

Browser screenshots were not captured because the Clawdbot browser tool could not start: PortInUseError: Port 18801 is already in use and ss showed the port owned by hexos-gateway. Per handoff instructions, I performed curl/API route smoke instead:

  • GET /approvals?role=ops-manager → 200
  • GET /approvals?role=engineer → 200
  • GET /approvals?role=finance-reviewer → 200
  • GET /approvals?role=admin → 200
  • GET /approvals/approval_buffer_mode?role=ops-manager → 200
  • GET /audit?role=admin → 200
  • GET /audit?role=ops-manager&outcome=requested → 200
  • GET /api/approvals?role=ops-manager&status=pending&limit=5 returned pending approval_buffer_mode with canDecide=true.
  • Direct unauthorized decision smoke: engineer POST to /api/approvals/approval_buffer_mode/decide returned 403.
  • Ops Manager decision smoke: POST approved approval_buffer_mode, returned 202, continuation resumed, audit query showed approved log with actorRole ops-manager; demo reset was run afterward.

Risks / notes

  • UI mirrors canDecide returned by backend but does not replace Phase 6A permission enforcement.
  • Audit UI renders metadataSummary only; no raw metadata/log dumps exposed.
  • Public role switcher copy is explicitly labeled demo-mode and not secure auth.
  • No screenshot artifact due to browser tooling blocker above.

Acceptance checklist

  • Approval queue renders real pending approvals.
  • Ops Manager can approve warehouse restart/remediation from UI/API contract path.
  • Unauthorized role cannot approve in UI and direct request remains blocked by backend.
  • Approval decision resumes/remediates flagship workflow or updates incident state via backend contract.
  • Audit log records decision with actor/role/timestamp/outcome and UI can show it.
  • Audit filters work in route/API smoke.
  • Scout returns merge-ready.

[CommandGrid][Phase 06B][PR_OPEN] Ralph: please request Scout review for merge-ready verdict.
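
The description above says the UI only mirrors `canDecide` and that the backend check is authoritative. The sketch below is an added example, not part of this PR or the CommandGrid code base, showing a decide handler that ignores a client-supplied `canDecide` and audits the blocked attempt. The types, the policy table, the `blocked` outcome and the 404/409 handling are assumptions; only the role names, the approval id and the 403/202 statuses come from the page.

```typescript
// Added illustration, not CommandGrid source. Types, policy table, the
// "blocked" outcome and the 404/409 handling are assumptions.
type Role = "ops-manager" | "engineer" | "finance-reviewer" | "admin";
interface DecideRequest {
  role: Role;                      // demo-mode selection: a claim, not authenticated identity
  decision: "approve" | "reject";
  rationale: string;
  canDecide?: boolean;             // UI hint echoed back by a client; never trusted
}
interface Approval { status: "pending" | "approved" | "rejected"; deciders: Role[]; }
interface AuditEntry { approvalId: string; actorRole: Role; outcome: string; timestamp: string; }
type Store = Record<string, Approval>;

// Constructed sample state: one pending approval that only ops-manager may decide.
function makeStore(): Store {
  return { approval_buffer_mode: { status: "pending", deciders: ["ops-manager"] } };
}

function decide(store: Store, audit: AuditEntry[], id: string, req: DecideRequest): number {
  // Own-property lookup so ids such as "constructor" do not resolve to prototype members.
  const approval = Object.prototype.hasOwnProperty.call(store, id) ? store[id] : undefined;
  if (!approval) return 404;
  const log = (outcome: string): void => {
    audit.push({ approvalId: id, actorRole: req.role, outcome, timestamp: new Date().toISOString() });
  };
  // Permission is derived from server-side state; req.canDecide is deliberately ignored.
  if (!approval.deciders.some((r) => r === req.role)) {
    log("blocked");                // denied attempts are audited too
    return 403;
  }
  if (approval.status !== "pending") return 409; // replayed or duplicate decision
  approval.status = req.decision === "approve" ? "approved" : "rejected";
  log(approval.status);
  return 202;                      // accepted; a workflow continuation would resume here
}

function runSmoke(): { forged: number; allowed: number; replay: number; trail: string } {
  const store = makeStore();
  const audit: AuditEntry[] = [];
  const id = "approval_buffer_mode";
  const forged = decide(store, audit, id, { role: "engineer", decision: "approve", rationale: "constructed", canDecide: true });
  const allowed = decide(store, audit, id, { role: "ops-manager", decision: "approve", rationale: "constructed" });
  const replay = decide(store, audit, id, { role: "ops-manager", decision: "reject", rationale: "constructed" });
  return { forged, allowed, replay, trail: audit.map((e) => e.actorRole + ":" + e.outcome).join(",") };
}

console.log(runSmoke());
```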

@RobinOppenstam
Contributor Author

[CommandGrid][Phase 06B][PR_OPEN] Ralph: PR is open and CI is green. Please request Scout review for merge-ready verdict.

@RobinOppenstam RobinOppenstam merged commit 4725492 into main May 27, 2026
1 check passed
@RobinOppenstam RobinOppenstam deleted the feat/governance-audit branch May 27, 2026 12:48