feat: add notification-threshold apply reconciliation

Author: Jacobinwwey

docs/brainstorms/2026-04-16-mainline-ci-stabilization-and-m7-direction-requirements.md

@@ -848,7 +848,7 @@ Suggested verification slice:
 - Best next increment is not broader remediation scope.
   Best next increment is a narrow apply-outcome reconciliation surface on top of existing audit artifacts.
 
-### M7.25 (Next): Notification-Threshold Apply Outcome Reconciliation (Lane Ops Bridge)
+### M7.25 (Now): Notification-Threshold Apply Outcome Reconciliation (Lane Ops Bridge)
 
 Deliverables:
 
@@ -864,6 +864,69 @@ Suggested verification slice:
 - `npm run docs:diataxis:check`
 - `npm run docs:site:build`
 
+#### M7.25 Progress Note (2026-04-16)
+
+- [Done] expanded `src/server.ts` with explicit reconciliation route:
+  - `GET /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/notification-thresholds/reconciliation`.
+- [Done] added file-backed latest-apply outcome persistence:
+  - `runtime_data/agent_workspace_diagnostics/triage_remediation_escalation_notification_threshold_apply_outcome.v1.json`.
+- [Done] added deterministic reconciliation helper stack:
+  - `readAgentWorkspaceDiagnosticsRemediationEscalationNotificationThresholdApplyOutcome(...)`,
+  - `writeAgentWorkspaceDiagnosticsRemediationEscalationNotificationThresholdApplyOutcome(...)`,
+  - `buildAgentWorkspaceDiagnosticsRemediationEscalationNotificationThresholdApplyOutcomeReconciliation(...)`.
+- [Done] apply execution now persists reconciliation evidence:
+  - latest `previewFingerprint`,
+  - applied mode,
+  - applied audit id / changedAt,
+  - source / reason,
+  - applied threshold snapshot.
+- [Done] reconciliation payload now surfaces bounded readback state:
+  - `latestApplyOutcome`,
+  - `currentActiveThresholds`,
+  - `latestAuditEntry`,
+  - `reconciliation.status`,
+  - `reconciliation.latestAuditMatchesApply`,
+  - `reconciliation.activeThresholdsMatchApply`,
+  - `reconciliation.driftReasons`.
+- [Done] drift semantics are now explicit and deterministic:
+  - no outcome file returns bounded `no-apply-outcome`,
+  - superseding audits mark the latest apply outcome as drifted,
+  - active threshold divergence is reported independently of audit supersession.
+- [Done] expanded evidence coverage:
+  - `src/server.migration.test.ts` now validates reconciliation success immediately after apply, persisted apply-outcome file contents, and drift detection after a later threshold override.
+  - `src/knowledge.api.contract.test.ts`, `src/agent_workspace.verification.contract.test.ts`, and `scripts/verify-agent-workspace-runtime.js` now fail fast on reconciliation-route and apply-outcome helper drift.
+- [Done] verification evidence:
+  - `npm test -- src/server.migration.test.ts --runInBand --testNamePattern "notification threshold apply outcome reconciliation stays deterministic"`
+  - `npm run test:agent-workspace:contracts`
+  - `npm run verify:agent-workspace:runtime`
+  - `npm run docs:diataxis:check`
+  - `npm run docs:site:build`
+
+### Post-M7.25 Architecture Judgment
+
+- L5 governance now covers preview, guarded apply, and latest-outcome reconciliation for notification-threshold mutations.
+- Current weak point shifts from latest-outcome truthiness to bounded operator handoff:
+  - operators can now tell whether the most recent applied preview is still current,
+  - operators still cannot inspect a compact history of earlier apply outcomes once the latest one is superseded.
+- Best next increment is not broader remediation expansion.
+  Best next increment is a narrow history surface for apply outcomes and their reconciliation statuses.
+
+### M7.26 (Next): Notification-Threshold Apply Outcome History Surface (Lane Ops Bridge)
+
+Deliverables:
+
+- add bounded history surface for recent notification-threshold apply outcomes.
+- include per-entry apply metadata plus latest reconciliation status so operator handoff does not depend on a single latest record.
+- keep scope limited to notification-threshold governance; do not reopen UI, unrelated remediation lanes, or retrieval/memory work.
+
+Suggested verification slice:
+
+- `npm test -- src/server.migration.test.ts --runInBand --testNamePattern "notification threshold apply outcome history"`
+- `npm run test:agent-workspace:contracts`
+- `npm run verify:agent-workspace:runtime`
+- `npm run docs:diataxis:check`
+- `npm run docs:site:build`
+
 ## Success Criteria
 
 - CI failure mode that previously blocked the three agent-workspace suites is eliminated on mainline.
@@ -873,4 +936,4 @@ Suggested verification slice:
 
 ## Next Step
 
-Proceed to `/prompts:ce-plan` using this document as the source for `M7.25` decomposition (notification-threshold apply outcome reconciliation), while preserving M7 lane boundary constraints.
+Proceed to `/prompts:ce-plan` using this document as the source for `M7.26` decomposition (notification-threshold apply outcome history surface), while preserving M7 lane boundary constraints.

docs/diataxis/en/explanation/development-progress-dashboard.md

@@ -599,32 +599,34 @@ Execution anchor:
   - `npm run test:agent-workspace:contracts`
   - `npm run verify:agent-workspace:runtime`
 
-## Latest Mainline Increment (2026-04-16 M7.24 Notification-Threshold Rollback Apply Guardrails Lane)
-
-- Expanded `src/server.ts` with explicit apply route:
-  - `POST /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/notification-thresholds/apply`.
-- Added deterministic preview-to-apply helper stack:
-  - `buildAgentWorkspaceDiagnosticsRemediationEscalationNotificationThresholdPreviewFingerprint(...)`,
-  - `applyAgentWorkspaceDiagnosticsRemediationEscalationNotificationThresholdPreview(...)`,
-  - `normalizeAgentWorkspaceDiagnosticsRemediationEscalationNotificationThresholdPreviewMode(...)`.
-- Hardened mutation safety without widening scope:
-  - preview payloads now expose `preview.resetToDefault.previewFingerprint` and `preview.rollbackToPrevious.previewFingerprint`,
-  - apply requests must match the reviewed fingerprint,
-  - rollback-to-previous apply requests must also match the reviewed `auditId`,
-  - stale fingerprints, unavailable rollback previews, mismatched audit ids, and no-op targets are rejected deterministically.
-- Added bounded execution receipts:
-  - apply responses now return `appliedMode`, `previewFingerprint`, `matchedPreview`, and `appliedAuditEntry`.
+## Latest Mainline Increment (2026-04-16 M7.25 Notification-Threshold Apply Outcome Reconciliation Lane)
+
+- Expanded `src/server.ts` with explicit reconciliation route:
+  - `GET /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/notification-thresholds/reconciliation`.
+- Added file-backed latest-apply outcome persistence:
+  - `runtime_data/agent_workspace_diagnostics/triage_remediation_escalation_notification_threshold_apply_outcome.v1.json`.
+- Added deterministic reconciliation helper stack:
+  - `readAgentWorkspaceDiagnosticsRemediationEscalationNotificationThresholdApplyOutcome(...)`,
+  - `writeAgentWorkspaceDiagnosticsRemediationEscalationNotificationThresholdApplyOutcome(...)`,
+  - `buildAgentWorkspaceDiagnosticsRemediationEscalationNotificationThresholdApplyOutcomeReconciliation(...)`.
+- Hardened operator readback without widening scope:
+  - apply execution now persists latest preview fingerprint, applied mode, audit id/changedAt, source/reason, and applied threshold snapshot,
+  - reconciliation payload now exposes `latestApplyOutcome`, `currentActiveThresholds`, `latestAuditEntry`, and bounded drift booleans/reasons.
+- Added deterministic reconciliation semantics:
+  - no apply outcome yields bounded `no-apply-outcome`,
+  - superseding audit entries mark the last apply outcome as drifted,
+  - active threshold divergence is reported independently from audit supersession.
 - Expanded executable evidence:
-  - `src/server.migration.test.ts` now validates audit-id mismatch blocking, stale fingerprint blocking, rollback apply success, reset apply success, and persisted audit ordering.
+  - `src/server.migration.test.ts` now validates immediate post-apply reconciliation, persisted apply-outcome file contents, and drift detection after a later override.
 - Hardened runtime verification gate:
-  - `src/knowledge.api.contract.test.ts`, `src/agent_workspace.verification.contract.test.ts`, and `scripts/verify-agent-workspace-runtime.js` now fail fast on notification-threshold apply route and fingerprint/apply helper drift.
+  - `src/knowledge.api.contract.test.ts`, `src/agent_workspace.verification.contract.test.ts`, and `scripts/verify-agent-workspace-runtime.js` now fail fast on notification-threshold reconciliation route and apply-outcome helper drift.
 - Verification evidence:
-  - `npm test -- src/server.migration.test.ts --runInBand --testNamePattern \"notification threshold rollback apply guardrails stay deterministic\"`
+  - `npm test -- src/server.migration.test.ts --runInBand --testNamePattern \"notification threshold apply outcome reconciliation stays deterministic\"`
   - `npm run test:agent-workspace:contracts`
   - `npm run verify:agent-workspace:runtime`
 - Next direction judgment:
-  - current bottleneck shifts from guarded execution to post-apply reconciliation,
-  - M7.25 should stay bounded to apply-outcome reconciliation, not broader remediation or UI expansion.
+  - current bottleneck shifts from latest-outcome readback to bounded operator handoff/history,
+  - M7.26 should stay bounded to apply-outcome history, not broader remediation or UI expansion.
 
 ## Mainline vs Working-Branch Snapshot (2026-04-14)
 
@@ -674,7 +676,7 @@ This dashboard aligns against the following requirement chain:
 | L2 Retrieval | explainable hybrid/vector retrieval + governance | Expanded in branch-oriented plans | Mainline file-backed baseline only (`src/learning/store.ts`) | Re-enter lane after concrete module evidence lands on mainline |
 | L3 Learning | mastery diagnostics + path/session loop | Expanded in branch | Partially integrated | Contract and integration parity |
 | L4 Interaction | agent conversation + focus/path pane runtime | Implemented in branch | M1-M4 baseline integrated on mainline | Expand capability surface via typed contract only |
-| L5 Governance | runbook, diagnostics, replay/autonomy controls | Expanded in branch | Operator diagnostics persistence/triage/history/threshold governance + runbook automation/audit + adaptive simulation/remediation + remediation backtest/approval-gate + approval-policy hardening/regression-alarms + approval-policy drift/escalation + escalation acknowledgement lifecycle/audit + escalation SLA/reminder baseline + notification digest/suppression baseline + delivery-log observability + stale-cleanup health auditing + anomaly/retention governance + notification SLO governance + notification-threshold override/audit governance + rollback preview/drift-diff governance + rollback apply guardrails integrated | M7.25: notification-threshold apply outcome reconciliation |
+| L5 Governance | runbook, diagnostics, replay/autonomy controls | Expanded in branch | Operator diagnostics persistence/triage/history/threshold governance + runbook automation/audit + adaptive simulation/remediation + remediation backtest/approval-gate + approval-policy hardening/regression-alarms + approval-policy drift/escalation + escalation acknowledgement lifecycle/audit + escalation SLA/reminder baseline + notification digest/suppression baseline + delivery-log observability + stale-cleanup health auditing + anomaly/retention governance + notification SLO governance + notification-threshold override/audit governance + rollback preview/drift-diff governance + rollback apply guardrails + latest apply-outcome reconciliation integrated | M7.26: notification-threshold apply outcome history surface |
 
 ## Verification Baseline
 

docs/diataxis/zh/explanation/development-progress-dashboard.md

@@ -601,32 +601,34 @@
   - `npm run test:agent-workspace:contracts`
   - `npm run verify:agent-workspace:runtime`
 
-## 主线最新增量（2026-04-16 M7.24 通知阈值回滚 apply guardrails 链路）
-
-- 已在 `src/server.ts` 增加显式 apply 路由：
-  - `POST /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/notification-thresholds/apply`。
-- 已增加确定性 preview-to-apply helper 栈：
-  - `buildAgentWorkspaceDiagnosticsRemediationEscalationNotificationThresholdPreviewFingerprint(...)`，
-  - `applyAgentWorkspaceDiagnosticsRemediationEscalationNotificationThresholdPreview(...)`，
-  - `normalizeAgentWorkspaceDiagnosticsRemediationEscalationNotificationThresholdPreviewMode(...)`。
-- 已在不扩 scope 前提下加固 mutation 安全：
-  - 预览载荷现在输出 `preview.resetToDefault.previewFingerprint` 与 `preview.rollbackToPrevious.previewFingerprint`，
-  - apply 请求必须匹配已审阅的 preview fingerprint，
-  - rollback-to-previous apply 请求还必须匹配已审阅的 `auditId`，
-  - stale fingerprint、不可用 rollback preview、auditId 不匹配与 no-op target 都会被确定性拒绝。
-- 已增加有界执行回执：
-  - apply 响应现在返回 `appliedMode`、`previewFingerprint`、`matchedPreview` 与 `appliedAuditEntry`。
+## 主线最新增量（2026-04-16 M7.25 通知阈值 apply 结果对账链路）
+
+- 已在 `src/server.ts` 增加显式 reconciliation 路由：
+  - `GET /api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/notification-thresholds/reconciliation`。
+- 已增加 file-backed latest-apply outcome 持久化：
+  - `runtime_data/agent_workspace_diagnostics/triage_remediation_escalation_notification_threshold_apply_outcome.v1.json`。
+- 已增加确定性 reconciliation helper 栈：
+  - `readAgentWorkspaceDiagnosticsRemediationEscalationNotificationThresholdApplyOutcome(...)`，
+  - `writeAgentWorkspaceDiagnosticsRemediationEscalationNotificationThresholdApplyOutcome(...)`，
+  - `buildAgentWorkspaceDiagnosticsRemediationEscalationNotificationThresholdApplyOutcomeReconciliation(...)`。
+- 已在不扩 scope 前提下补足 operator readback：
+  - apply 执行现在持久化 latest preview fingerprint、applied mode、audit id/changedAt、source/reason 与 applied threshold snapshot，
+  - reconciliation 载荷现在输出 `latestApplyOutcome`、`currentActiveThresholds`、`latestAuditEntry` 与有界 drift 布尔量/原因。
+- 已增加确定性 reconciliation 语义：
+  - 没有 apply outcome 时返回有界 `no-apply-outcome`，
+  - 后续 superseding audit 会把上一条 apply outcome 标记为 drifted，
+  - active threshold divergence 会独立于 audit supersession 单独报告。
 - 已补可执行证据：
-  - `src/server.migration.test.ts` 现在覆盖 auditId mismatch 阻断、stale fingerprint 阻断、rollback apply 成功、reset apply 成功与持久化 audit 顺序断言。
+  - `src/server.migration.test.ts` 现在覆盖 apply 后即时 reconciliation、apply-outcome 文件持久化内容，以及后续 override 触发的 drift 检测。
 - 已加固 runtime 门禁：
-  - `src/knowledge.api.contract.test.ts`、`src/agent_workspace.verification.contract.test.ts` 与 `scripts/verify-agent-workspace-runtime.js` 现在对 notification-threshold apply 路由与 fingerprint/apply helper 做 fail-fast 断言。
+  - `src/knowledge.api.contract.test.ts`、`src/agent_workspace.verification.contract.test.ts` 与 `scripts/verify-agent-workspace-runtime.js` 现在对 notification-threshold reconciliation 路由与 apply-outcome helper 做 fail-fast 断言。
 - 验证证据：
-  - `npm test -- src/server.migration.test.ts --runInBand --testNamePattern \"notification threshold rollback apply guardrails stay deterministic\"`
+  - `npm test -- src/server.migration.test.ts --runInBand --testNamePattern \"notification threshold apply outcome reconciliation stays deterministic\"`
   - `npm run test:agent-workspace:contracts`
   - `npm run verify:agent-workspace:runtime`
 - 后续方向判断：
-  - 当前瓶颈从受控执行转向 post-apply reconciliation，
-  - M7.25 应继续收敛在 apply 结果对账，不要扩成更大的 remediation 或 UI 子系统。
+  - 当前瓶颈从 latest-outcome readback 转向有界 operator handoff/history，
+  - M7.26 应继续收敛在 apply outcome history，不要扩成更大的 remediation 或 UI 子系统。
 
 ## 主线 vs 工作分支快照（2026-04-14）
 
@@ -676,7 +678,7 @@
 | L2 检索层 | 可解释混合/向量检索 + 治理 | 分支规划增强中 | 主线当前为 file-backed 基线（`src/learning/store.ts`） | 待主线出现对应模块证据后再收敛 |
 | L3 学习层 | 掌握诊断 + 路径/会话闭环 | 分支增强中 | 主线部分集成 | 契约与集成一致性 |
 | L4 交互层 | agent 对话 + focus/path pane 运行时 | 分支已实现 | 主线 M1-M4 已落入基线 | 继续通过 typed contract 扩展动作面 |
-| L5 治理层 | runbook/诊断/回放与自动化 | 分支增强中 | 主线已集成运维诊断持久化/分级/趋势历史/阈值治理 + runbook 自动化/阈值审计 + 自适应模拟/自动修复 + 回测/批准门禁 + 批准策略硬化/回归告警 + 批准策略漂移/升级 + 升级确认生命周期/审计 + 升级 SLA/提醒基线 + 通知摘要/抑制基线 + 交付日志可观测性 + 陈旧通知健康审计 + 异常/retention 治理 + 通知 SLO 治理 + 通知阈值覆盖/审计治理 + 回滚预览/drift-diff 治理 + 回滚 apply guardrails | M7.25：通知阈值 apply 结果对账 |
+| L5 治理层 | runbook/诊断/回放与自动化 | 分支增强中 | 主线已集成运维诊断持久化/分级/趋势历史/阈值治理 + runbook 自动化/阈值审计 + 自适应模拟/自动修复 + 回测/批准门禁 + 批准策略硬化/回归告警 + 批准策略漂移/升级 + 升级确认生命周期/审计 + 升级 SLA/提醒基线 + 通知摘要/抑制基线 + 交付日志可观测性 + 陈旧通知健康审计 + 异常/retention 治理 + 通知 SLO 治理 + 通知阈值覆盖/审计治理 + 回滚预览/drift-diff 治理 + 回滚 apply guardrails + latest apply-outcome reconciliation | M7.26：通知阈值 apply outcome history surface |
 
 ## 验证基线
 

scripts/verify-agent-workspace-runtime.js

@@ -168,6 +168,10 @@ function verifyAgentWorkspaceRuntime(repoRoot = path.resolve(__dirname, '..')) {
     serverSource.includes('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/notification-thresholds/apply'),
     'Missing diagnostics remediation escalation notification-threshold apply route in src/server.ts'
   );
+  assert(
+    serverSource.includes('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/notification-thresholds/reconciliation'),
+    'Missing diagnostics remediation escalation notification-threshold reconciliation route in src/server.ts'
+  );
   assert(
     serverSource.includes('/api/knowledge/operator/agent-workspace-diagnostics/triage/remediation/escalation/notification-thresholds/audit'),
     'Missing diagnostics remediation escalation notification-threshold audit route in src/server.ts'
@@ -360,6 +364,18 @@ function verifyAgentWorkspaceRuntime(repoRoot = path.resolve(__dirname, '..')) {
     serverSource.includes('applyAgentWorkspaceDiagnosticsRemediationEscalationNotificationThresholdPreview'),
     'Missing remediation escalation notification threshold apply helper in src/server.ts'
   );
+  assert(
+    serverSource.includes('readAgentWorkspaceDiagnosticsRemediationEscalationNotificationThresholdApplyOutcome'),
+    'Missing remediation escalation notification threshold apply outcome reader in src/server.ts'
+  );
+  assert(
+    serverSource.includes('writeAgentWorkspaceDiagnosticsRemediationEscalationNotificationThresholdApplyOutcome'),
+    'Missing remediation escalation notification threshold apply outcome writer in src/server.ts'
+  );
+  assert(
+    serverSource.includes('buildAgentWorkspaceDiagnosticsRemediationEscalationNotificationThresholdApplyOutcomeReconciliation'),
+    'Missing remediation escalation notification threshold reconciliation helper in src/server.ts'
+  );
   assert(
     serverSource.includes('buildAgentWorkspaceDiagnosticsRemediationEscalationNotificationAnomalyReport'),
     'Missing remediation escalation notification anomaly report helper in src/server.ts'