@hotmeshio/long-tail 0.1.13 → 0.1.15

package/build/api/escalations.js

@@ -1,932 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createEscalation = createEscalation;
-exports.listEscalations = listEscalations;
-exports.listAvailableEscalations = listAvailableEscalations;
-exports.listDistinctTypes = listDistinctTypes;
-exports.getEscalationStats = getEscalationStats;
-exports.getEscalation = getEscalation;
-exports.getEscalationsByWorkflowId = getEscalationsByWorkflowId;
-exports.escalateToRole = escalateToRole;
-exports.claimEscalation = claimEscalation;
-exports.releaseEscalation = releaseEscalation;
-exports.releaseExpiredClaims = releaseExpiredClaims;
-exports.updatePriority = updatePriority;
-exports.bulkClaim = bulkClaim;
-exports.bulkAssign = bulkAssign;
-exports.bulkEscalate = bulkEscalate;
-exports.bulkTriage = bulkTriage;
-exports.resolveEscalation = resolveEscalation;
-const escalationService = __importStar(require("../services/escalation"));
-const userService = __importStar(require("../services/user"));
-const roleService = __importStar(require("../services/role"));
-const taskService = __importStar(require("../services/task"));
-const publish_1 = require("../lib/events/publish");
-const escalation_strategy_1 = require("../services/escalation-strategy");
-const ephemeral_1 = require("../services/iam/ephemeral");
-const deployer_1 = require("../services/yaml-workflow/deployer");
-const workers_1 = require("../workers");
-const defaults_1 = require("../modules/defaults");
-// ── Private helpers ────────────────────────────────────────────────────────
-async function getVisibleRoles(userId) {
-    const isSuperAdminUser = await userService.isSuperAdmin(userId);
-    if (isSuperAdminUser)
-        return undefined;
-    const userRoles = await userService.getUserRoles(userId);
-    return userRoles.map((r) => r.role);
-}
-function validateIds(ids) {
-    return Array.isArray(ids) && ids.length > 0;
-}
-async function checkBulkPermission(userId, ids) {
-    const isSuperAdminUser = await userService.isSuperAdmin(userId);
-    if (isSuperAdminUser)
-        return { allowed: true };
-    const roles = await escalationService.getEscalationRoles(ids);
-    for (const role of roles) {
-        const canManage = await userService.isGroupAdmin(userId, role);
-        if (!canManage) {
-            return { allowed: false, status: 403, error: `Insufficient permissions for role "${role}"` };
-        }
-    }
-    return { allowed: true };
-}
-function publishBulkClaimEvents(ids, assignedTo) {
-    for (const id of ids) {
-        (0, publish_1.publishEscalationEvent)({
-            type: 'escalation.claimed',
-            source: 'api',
-            workflowId: '',
-            workflowName: '',
-            taskQueue: '',
-            escalationId: id,
-            status: 'claimed',
-            data: { assigned_to: assignedTo, bulk: true },
-        });
-    }
-}
-// ── Create ────────────────────────────────────────────────────────────────
-/**
- * Create a standalone escalation (not tied to a workflow).
- *
- * Useful for manual work items, support tickets, or approval requests
- * that originate outside the durable workflow engine. The caller must
- * hold the target role or be a superadmin.
- *
- * @param input.type — escalation category (e.g. `"support"`, `"approval"`)
- * @param input.subtype — subcategory for finer routing
- * @param input.role — role responsible for resolving this escalation
- * @param input.description — human-readable summary
- * @param input.priority — 1 (critical) through 4 (low), default 2
- * @param input.envelope — serialized context for the resolver
- * @param input.metadata — arbitrary key-value data (e.g. signal_routing)
- * @param input.escalation_payload — serialized payload for the resolver UI
- * @param auth — authenticated user context (must hold target role or be superadmin)
- * @returns `{ status: 201, data: <escalation record> }`
- */
-async function createEscalation(input, auth) {
-    try {
-        const { type, role } = input;
-        if (!type || typeof type !== 'string') {
-            return { status: 400, error: 'type is required' };
-        }
-        if (!role || typeof role !== 'string') {
-            return { status: 400, error: 'role is required' };
-        }
-        // RBAC: caller must hold the target role or be superadmin
-        const isSuperAdminUser = await userService.isSuperAdmin(auth.userId);
-        if (!isSuperAdminUser) {
-            const userHasRole = await userService.hasRole(auth.userId, role);
-            if (!userHasRole) {
-                return { status: 403, error: `You must hold the "${role}" role or be a superadmin to create escalations for it` };
-            }
-        }
-        const escalation = await escalationService.createEscalation({
-            type,
-            subtype: input.subtype ?? type,
-            description: input.description,
-            priority: input.priority,
-            role,
-            envelope: input.envelope ?? '{}',
-            metadata: input.metadata,
-            escalation_payload: input.escalation_payload,
-        });
-        (0, publish_1.publishEscalationEvent)({
-            type: 'escalation.created',
-            source: 'api',
-            workflowId: '',
-            workflowName: '',
-            taskQueue: '',
-            escalationId: escalation.id,
-            status: 'pending',
-            data: { type: input.type, role },
-        });
-        return { status: 201, data: escalation };
-    }
-    catch (err) {
-        return { status: 500, error: err.message };
-    }
-}
-// ── List routes ────────────────────────────────────────────────────────────
-/**
- * List escalations with optional filters.
- *
- * Results are scoped to the authenticated user's roles unless the user
- * is a superadmin (who sees all roles).
- *
- * @param input.status — filter by `pending`, `resolved`, or `cancelled`
- * @param input.role — filter by assigned role
- * @param input.type — filter by workflow type
- * @param input.subtype — filter by subtype
- * @param input.assigned_to — filter by assigned user ID
- * @param input.priority — filter by priority (1–4)
- * @param input.limit — max results (default: 50)
- * @param input.offset — pagination offset
- * @param input.sort_by — column to sort by (e.g. `created_at`, `priority`)
- * @param input.order — `asc` or `desc`
- * @param auth — authenticated user context (required for role scoping)
- * @returns `{ status: 200, data: { escalations, total } }`
- */
-async function listEscalations(input, auth) {
-    try {
-        const visibleRoles = await getVisibleRoles(auth.userId);
-        if (visibleRoles && visibleRoles.length === 0) {
-            return { status: 200, data: { escalations: [], total: 0 } };
-        }
-        const result = await escalationService.listEscalations({
-            status: input.status,
-            role: input.role,
-            type: input.type,
-            subtype: input.subtype,
-            assigned_to: input.assigned_to,
-            priority: input.priority,
-            limit: input.limit,
-            offset: input.offset,
-            sort_by: input.sort_by,
-            order: input.order,
-            visibleRoles,
-        });
-        return { status: 200, data: result };
-    }
-    catch (err) {
-        return { status: 500, error: err.message };
-    }
-}
-/**
- * List escalations available for claim (pending and not actively claimed).
- *
- * Similar to `listEscalations` but excludes escalations with active claims.
- * Scoped to the authenticated user's roles.
- *
- * @param input.role — filter by role
- * @param input.type — filter by workflow type
- * @param input.subtype — filter by subtype
- * @param input.priority — filter by priority (1–4)
- * @param input.limit — max results (default: 50)
- * @param input.offset — pagination offset
- * @param input.sort_by — column to sort by
- * @param input.order — `asc` or `desc`
- * @param auth — authenticated user context
- * @returns `{ status: 200, data: { escalations, total } }`
- */
-async function listAvailableEscalations(input, auth) {
-    try {
-        const visibleRoles = await getVisibleRoles(auth.userId);
-        if (visibleRoles && visibleRoles.length === 0) {
-            return { status: 200, data: { escalations: [], total: 0 } };
-        }
-        const result = await escalationService.listAvailableEscalations({
-            role: input.role,
-            type: input.type,
-            subtype: input.subtype,
-            priority: input.priority,
-            limit: input.limit,
-            offset: input.offset,
-            sort_by: input.sort_by,
-            order: input.order,
-            visibleRoles,
-        });
-        return { status: 200, data: result };
-    }
-    catch (err) {
-        return { status: 500, error: err.message };
-    }
-}
-/**
- * List all distinct escalation type values.
- *
- * @returns `{ status: 200, data: { types: string[] } }`
- */
-async function listDistinctTypes() {
-    try {
-        const types = await escalationService.listDistinctTypes();
-        return { status: 200, data: { types } };
-    }
-    catch (err) {
-        return { status: 500, error: err.message };
-    }
-}
-/**
- * Get aggregate escalation statistics scoped to the user's roles.
- *
- * @param input.period — time window (`1h`, `24h`, `7d`, `30d`)
- * @param auth — authenticated user context
- * @returns `{ status: 200, data: { pending, claimed, created, resolved, by_role, by_type } }`
- */
-async function getEscalationStats(input, auth) {
-    try {
-        const visibleRoles = await getVisibleRoles(auth.userId);
-        if (visibleRoles && visibleRoles.length === 0) {
-            return {
-                status: 200,
-                data: {
-                    pending: 0,
-                    claimed: 0,
-                    created: 0,
-                    resolved: 0,
-                    by_role: [],
-                    by_type: [],
-                },
-            };
-        }
-        const stats = await escalationService.getEscalationStats(visibleRoles, input.period);
-        return { status: 200, data: stats };
-    }
-    catch (err) {
-        return { status: 500, error: err.message };
-    }
-}
-// ── Single-escalation routes ───────────────────────────────────────────────
-/**
- * Get a single escalation by ID.
- *
- * Non-superadmin users must hold the escalation's assigned role.
- *
- * @param input.id — escalation UUID
- * @param auth — authenticated user context
- * @returns `{ status: 200, data: <escalation record> }` or 403/404
- */
-async function getEscalation(input, auth) {
-    try {
-        const escalation = await escalationService.getEscalation(input.id);
-        if (!escalation) {
-            return { status: 404, error: 'Escalation not found' };
-        }
-        const isSuperAdminUser = await userService.isSuperAdmin(auth.userId);
-        if (!isSuperAdminUser) {
-            const userHasRole = await userService.hasRole(auth.userId, escalation.role);
-            if (!userHasRole) {
-                return { status: 403, error: 'Not authorized to view this escalation' };
-            }
-        }
-        return { status: 200, data: escalation };
-    }
-    catch (err) {
-        return { status: 500, error: err.message };
-    }
-}
-/**
- * List all escalations for a given workflow ID.
- *
- * @param input.workflowId — HotMesh workflow ID
- * @returns `{ status: 200, data: { escalations } }`
- */
-async function getEscalationsByWorkflowId(input) {
-    try {
-        const escalations = await escalationService.getEscalationsByWorkflowId(input.workflowId);
-        return { status: 200, data: { escalations } };
-    }
-    catch (err) {
-        return { status: 500, error: err.message };
-    }
-}
-/**
- * Route a pending escalation to a different role.
- *
- * The user must be authorized to escalate from the current role to the
- * target role (checked via escalation chain configuration).
- *
- * @param input.id — escalation UUID
- * @param input.targetRole — destination role
- * @param auth — authenticated user context
- * @returns `{ status: 200, data: <updated escalation> }` or 403/404/409
- */
-async function escalateToRole(input, auth) {
-    try {
-        const { id, targetRole } = input;
-        if (!targetRole || typeof targetRole !== 'string') {
-            return { status: 400, error: 'targetRole is required' };
-        }
-        const escalation = await escalationService.getEscalation(id);
-        if (!escalation) {
-            return { status: 404, error: 'Escalation not found' };
-        }
-        if (escalation.status !== 'pending') {
-            return { status: 409, error: 'Escalation is not pending' };
-        }
-        const canEscalate = await roleService.canEscalateTo(auth.userId, escalation.role, targetRole);
-        if (!canEscalate) {
-            return { status: 403, error: 'Not authorized to escalate to this role' };
-        }
-        const updated = await escalationService.escalateToRole(id, targetRole);
-        if (!updated) {
-            return { status: 409, error: 'Escalation could not be updated' };
-        }
-        return { status: 200, data: updated };
-    }
-    catch (err) {
-        return { status: 500, error: err.message };
-    }
-}
-/**
- * Claim a pending escalation for the authenticated user.
- *
- * Sets `assigned_to` and `assigned_until` on the escalation (soft lock).
- * Non-superadmin users must hold the escalation's role. Publishes a
- * `escalation.claimed` event.
- *
- * @param input.id — escalation UUID
- * @param input.durationMinutes — claim duration (default: 30)
- * @param auth — authenticated user context
- * @returns `{ status: 200, data: { escalation, isExtension } }` or 403/404/409
- */
-async function claimEscalation(input, auth) {
-    try {
-        const { id, durationMinutes } = input;
-        const escalation = await escalationService.getEscalation(id);
-        if (!escalation) {
-            return { status: 404, error: 'Escalation not found' };
-        }
-        const isSuperAdminUser = await userService.isSuperAdmin(auth.userId);
-        if (!isSuperAdminUser) {
-            const userHasRole = await userService.hasRole(auth.userId, escalation.role);
-            if (!userHasRole) {
-                return {
-                    status: 403,
-                    error: `You must have the "${escalation.role}" role to claim this escalation`,
-                };
-            }
-        }
-        const result = await escalationService.claimEscalation(id, auth.userId, durationMinutes);
-        if (!result) {
-            return { status: 409, error: 'Escalation not available for claim' };
-        }
-        (0, publish_1.publishEscalationEvent)({
-            type: 'escalation.claimed',
-            source: 'api',
-            workflowId: escalation.workflow_id || '',
-            workflowName: escalation.workflow_type || '',
-            taskQueue: escalation.task_queue || '',
-            escalationId: id,
-            status: 'claimed',
-            data: { assigned_to: auth.userId },
-        });
-        return { status: 200, data: result };
-    }
-    catch (err) {
-        return { status: 500, error: err.message };
-    }
-}
-/**
- * Release a claimed escalation back to the pool.
- *
- * Only the user who holds the claim can release it. Publishes a
- * `escalation.released` event.
- *
- * @param input.id — escalation UUID
- * @param auth — authenticated user context
- * @returns `{ status: 200, data: { escalation } }` or 409
- */
-async function releaseEscalation(input, auth) {
-    try {
-        const result = await escalationService.releaseEscalation(input.id, auth.userId);
-        if (!result) {
-            return { status: 409, error: 'Escalation not found or not claimed by you' };
-        }
-        (0, publish_1.publishEscalationEvent)({
-            type: 'escalation.released',
-            source: 'api',
-            workflowId: result.workflow_id || '',
-            workflowName: result.workflow_type || '',
-            taskQueue: result.task_queue || '',
-            escalationId: input.id,
-            status: 'released',
-            data: { released_by: auth.userId },
-        });
-        return { status: 200, data: { escalation: result } };
-    }
-    catch (err) {
-        return { status: 500, error: err.message };
-    }
-}
-// ── Bulk routes ────────────────────────────────────────────────────────────
-/**
- * Release all escalation claims past their `assigned_until` deadline.
- *
- * Typically called on a maintenance schedule. Returns the count of
- * released claims.
- *
- * @returns `{ status: 200, data: { released: number } }`
- */
-async function releaseExpiredClaims() {
-    try {
-        const released = await escalationService.releaseExpiredClaims();
-        return { status: 200, data: { released } };
-    }
-    catch (err) {
-        return { status: 500, error: err.message };
-    }
-}
-/**
- * Update priority for one or more escalations.
- *
- * @param input.ids — array of escalation UUIDs
- * @param input.priority — new priority (1=critical, 2=high, 3=medium, 4=low)
- * @param auth — authenticated user context (admin or role-holder required)
- * @returns `{ status: 200, data: { updated: number } }`
- */
-async function updatePriority(input, auth) {
-    try {
-        const { ids, priority } = input;
-        if (!validateIds(ids)) {
-            return { status: 400, error: 'ids must be a non-empty array' };
-        }
-        if (![1, 2, 3, 4].includes(priority)) {
-            return { status: 400, error: 'priority must be 1, 2, 3, or 4' };
-        }
-        const perm = await checkBulkPermission(auth.userId, ids);
-        if (!perm.allowed)
-            return perm;
-        const updated = await escalationService.updateEscalationsPriority(ids, priority);
-        return { status: 200, data: { updated } };
-    }
-    catch (err) {
-        return { status: 500, error: err.message };
-    }
-}
-/**
- * Claim multiple escalations at once for the authenticated user.
- *
- * @param input.ids — array of escalation UUIDs
- * @param input.durationMinutes — claim duration (default: 30)
- * @param auth — authenticated user context
- * @returns `{ status: 200, data: { claimed, skipped } }`
- */
-async function bulkClaim(input, auth) {
-    try {
-        const { ids, durationMinutes } = input;
-        if (!validateIds(ids)) {
-            return { status: 400, error: 'ids must be a non-empty array' };
-        }
-        const perm = await checkBulkPermission(auth.userId, ids);
-        if (!perm.allowed)
-            return perm;
-        const result = await escalationService.bulkClaimEscalations(ids, auth.userId, durationMinutes ?? 30);
-        if (result.claimed > 0)
-            publishBulkClaimEvents(ids, auth.userId);
-        return { status: 200, data: result };
-    }
-    catch (err) {
-        return { status: 500, error: err.message };
-    }
-}
-/**
- * Assign multiple escalations to a specific user.
- *
- * Non-superadmin callers must verify the target user holds each
- * escalation's role. Publishes claim events for assigned items.
- *
- * @param input.ids — array of escalation UUIDs
- * @param input.targetUserId — user to assign to
- * @param input.durationMinutes — assignment duration (default: 30)
- * @param auth — authenticated user context
- * @returns `{ status: 200, data: { assigned, skipped } }`
- */
-async function bulkAssign(input, auth) {
-    try {
-        const { ids, targetUserId, durationMinutes } = input;
-        if (!validateIds(ids)) {
-            return { status: 400, error: 'ids must be a non-empty array' };
-        }
-        if (!targetUserId || typeof targetUserId !== 'string') {
-            return { status: 400, error: 'targetUserId is required' };
-        }
-        const perm = await checkBulkPermission(auth.userId, ids);
-        if (!perm.allowed)
-            return perm;
-        // Non-superadmin: target user must hold each escalation's role
-        const isSuperAdminUser = await userService.isSuperAdmin(auth.userId);
-        if (!isSuperAdminUser) {
-            const roles = await escalationService.getEscalationRoles(ids);
-            for (const role of roles) {
-                const targetHasRole = await userService.hasRole(targetUserId, role);
-                if (!targetHasRole) {
-                    return { status: 400, error: `Target user does not hold the "${role}" role` };
-                }
-            }
-        }
-        const result = await escalationService.bulkAssignEscalations(ids, targetUserId, durationMinutes ?? 30);
-        if (result.assigned > 0)
-            publishBulkClaimEvents(ids, targetUserId);
-        return { status: 200, data: result };
-    }
-    catch (err) {
-        return { status: 500, error: err.message };
-    }
-}
-/**
- * Route multiple escalations to a different role.
- *
- * @param input.ids — array of escalation UUIDs
- * @param input.targetRole — destination role
- * @param auth — authenticated user context
- * @returns `{ status: 200, data: { updated: number } }`
- */
-async function bulkEscalate(input, auth) {
-    try {
-        const { ids, targetRole } = input;
-        if (!validateIds(ids)) {
-            return { status: 400, error: 'ids must be a non-empty array' };
-        }
-        if (!targetRole || typeof targetRole !== 'string') {
-            return { status: 400, error: 'targetRole is required' };
-        }
-        const perm = await checkBulkPermission(auth.userId, ids);
-        if (!perm.allowed)
-            return perm;
-        const updated = await escalationService.bulkEscalateToRole(ids, targetRole);
-        return { status: 200, data: { updated } };
-    }
-    catch (err) {
-        return { status: 500, error: err.message };
-    }
-}
-/**
- * Trigger AI triage for multiple escalations.
- *
- * Resolves each escalation and starts a triage workflow that uses MCP
- * tools to analyze and potentially auto-resolve the issue.
- *
- * @param input.ids — array of escalation UUIDs
- * @param input.hint — optional natural-language guidance for the triage AI
- * @param auth — authenticated user context
- * @returns `{ status: 200, data: { triaged, workflows } }`
- */
-async function bulkTriage(input, auth) {
-    try {
-        const { ids, hint } = input;
-        if (!validateIds(ids)) {
-            return { status: 400, error: 'ids must be a non-empty array' };
-        }
-        const perm = await checkBulkPermission(auth.userId, ids);
-        if (!perm.allowed)
-            return perm;
-        const resolved = await escalationService.bulkResolveForTriage(ids, hint);
-        const client = (0, workers_1.createClient)();
-        const workflowIds = [];
-        for (const escalation of resolved) {
-            const triageWorkflowId = await startTriageWorkflow(escalation, hint, auth.userId, client);
-            workflowIds.push(triageWorkflowId);
-        }
-        return { status: 200, data: { triaged: resolved.length, workflows: workflowIds } };
-    }
-    catch (err) {
-        return { status: 500, error: err.message };
-    }
-}
-// ── Resolve route ──────────────────────────────────────────────────────────
-/**
- * Resolve a pending escalation with a human-provided payload.
- *
- * Handles two resolution paths:
- * 1. **Signal-routed** — if the escalation has `signal_routing` metadata,
- *    the resolver payload is sent directly to the paused workflow via
- *    `handle.signal()`. Supports both Durable and YAML engines.
- * 2. **Re-run** — the original workflow is re-started with the resolver
- *    payload injected into `envelope.resolver`. The interceptor detects
- *    the re-run and skips to the resolution branch.
- *
- * Password fields in the resolver payload are replaced with ephemeral
- * tokens (15-minute TTL) so plaintext never enters the signal store.
- *
- * Supports optional escalation strategy execution after resolution.
- *
- * @param input.id — escalation UUID
- * @param input.resolverPayload — human decision data
- * @param auth — authenticated user context
- * @returns `{ status: 200, data: { signaled, escalationId, workflowId } }` (signal path)
- *          or `{ status: 200, data: { workflowId, resumed, escalationId } }` (re-run path)
- */
-async function resolveEscalation(input, auth) {
-    try {
-        const { id, resolverPayload } = input;
-        if (!resolverPayload) {
-            return { status: 400, error: 'resolverPayload is required' };
-        }
-        // 1. Read escalation (verify pending)
-        const escalation = await escalationService.getEscalation(id);
-        if (!escalation) {
-            return { status: 404, error: 'Escalation not found' };
-        }
-        if (escalation.status !== 'pending') {
-            return { status: 409, error: 'Escalation not available for resolution' };
-        }
-        // 2. Lightweight signal path: metadata.signal_id + escalation fields
-        //    The workflow called `await conditionLT(signalId)` and created its
-        //    own escalation with the signal_id in metadata. On resolution, we
-        //    inject $escalation_id into the payload and signal the running
-        //    workflow. The workflow is responsible for resolving the escalation
-        //    (conditionLT handles this automatically via a durable activity).
-        const metadataSignalId = escalation.metadata?.signal_id;
-        if (metadataSignalId && escalation.workflow_id && escalation.task_queue && escalation.workflow_type) {
-            const client = (0, workers_1.createClient)();
-            const handle = await client.workflow.getHandle(escalation.task_queue, escalation.workflow_type, escalation.workflow_id);
-            await handle.signal(metadataSignalId, {
-                ...resolverPayload,
-                $escalation_id: escalation.id,
-            });
-            (0, publish_1.publishEscalationEvent)({
-                type: 'escalation.resolved',
-                source: 'api',
-                workflowId: escalation.workflow_id,
-                workflowName: escalation.workflow_type,
-                taskQueue: escalation.task_queue,
-                taskId: escalation.task_id,
-                escalationId: escalation.id,
-                originId: escalation.origin_id ?? undefined,
-                status: 'resolved',
-            });
-            return {
-                status: 200,
-                data: {
-                    signaled: true,
-                    escalationId: escalation.id,
-                    workflowId: escalation.workflow_id,
-                },
-            };
-        }
-        // 3. waitFor signal escalation -- signal the paused workflow directly
-        //    (full signal_routing object from interceptor/MCP tool)
-        const signalRouting = escalation.metadata?.signal_routing;
-        if (signalRouting?.signalId) {
-            // Replace password fields with ephemeral tokens so plaintext never enters the signal store
-            let signalPayload = resolverPayload;
-            const formSchema = escalation.metadata?.form_schema;
-            if (formSchema?.properties) {
-                signalPayload = { ...resolverPayload };
-                for (const [key, def] of Object.entries(formSchema.properties)) {
-                    if (def?.format === 'password' && typeof signalPayload[key] === 'string') {
-                        const uuid = await (0, ephemeral_1.storeEphemeral)(signalPayload[key], {
-                            ttlSeconds: 900,
-                            label: key,
-                        });
-                        signalPayload[key] = (0, ephemeral_1.formatEphemeralToken)(uuid, key);
-                    }
-                }
-            }
-            if (signalRouting.engine === 'yaml' && signalRouting.hookTopic && signalRouting.appId) {
-                const engine = await (0, deployer_1.getEngine)(signalRouting.appId);
-                await engine.signal(signalRouting.hookTopic, {
-                    ...signalPayload,
-                    escalationId: escalation.id,
-                    job_id: signalRouting.jobId,
-                });
-            }
-            else if (signalRouting.workflowId) {
-                const client = (0, workers_1.createClient)();
-                const handle = await client.workflow.getHandle(signalRouting.taskQueue, signalRouting.workflowType, signalRouting.workflowId);
-                await handle.signal(signalRouting.signalId, signalPayload);
-            }
-            // For YAML workflows, the resolve worker inside the workflow calls
-            // claim_and_resolve to close the escalation transactionally. Only resolve
-            // here for Durable workflows that lack an in-workflow resolve step.
-            if (signalRouting.engine !== 'yaml') {
-                await escalationService.resolveEscalation(escalation.id, resolverPayload);
-            }
-            (0, publish_1.publishEscalationEvent)({
-                type: 'escalation.resolved',
-                source: 'api',
-                workflowId: escalation.workflow_id || signalRouting.workflowId,
-                workflowName: escalation.workflow_type || signalRouting.workflowType,
-                taskQueue: escalation.task_queue || signalRouting.taskQueue || signalRouting.appId,
-                taskId: escalation.task_id,
-                escalationId: escalation.id,
-                originId: escalation.origin_id ?? undefined,
-                status: signalRouting.engine === 'yaml' ? 'signaled' : 'resolved',
-            });
-            return {
-                status: 200,
-                data: {
-                    signaled: true,
-                    escalationId: escalation.id,
-                    workflowId: signalRouting.workflowId || signalRouting.appId,
-                },
-            };
-        }
-        // 4. Reconstruct the original envelope from the escalation or task
-        let envelope = {};
-        if (escalation.envelope) {
-            try {
-                envelope = JSON.parse(escalation.envelope);
-            }
-            catch { /* use empty */ }
-        }
-        else if (escalation.task_id) {
-            const task = await taskService.getTask(escalation.task_id);
-            if (task?.envelope) {
-                try {
-                    envelope = JSON.parse(task.envelope);
-                }
-                catch { /* use empty */ }
-            }
-        }
-        // 5. Check escalation strategy for triage routing
-        const strategy = escalation_strategy_1.escalationStrategyRegistry.current;
-        if (strategy) {
-            const directive = await strategy.onResolution({
-                escalation,
-                resolverPayload,
-                envelope,
-            });
-            if (directive.action === 'triage') {
-                const originalTask = escalation.task_id
-                    ? await taskService.getTask(escalation.task_id)
-                    : null;
-                const routing = originalTask?.metadata;
-                const triageWorkflowId = `triage-${escalation.id}-${Date.now()}`;
-                const client = (0, workers_1.createClient)();
-                await taskService.createTask({
-                    workflow_id: triageWorkflowId,
-                    workflow_type: 'mcpTriageRouter',
-                    lt_type: 'mcpTriage',
-                    task_queue: 'long-tail-system',
-                    signal_id: `lt-triage-${triageWorkflowId}`,
-                    parent_workflow_id: triageWorkflowId,
-                    origin_id: escalation.origin_id || triageWorkflowId,
-                    parent_id: escalation.parent_id ?? undefined,
-                    envelope: JSON.stringify(directive.triageEnvelope),
-                });
-                await client.workflow.start({
-                    workflowName: 'mcpTriageRouter',
-                    args: [directive.triageEnvelope],
-                    taskQueue: 'long-tail-system',
-                    workflowId: triageWorkflowId,
-                    expire: defaults_1.JOB_EXPIRE_SECS,
-                    entity: 'mcpTriageRouter',
-                });
-                await escalationService.resolveEscalation(escalation.id, {
-                    ...resolverPayload,
-                    _lt: { ...resolverPayload._lt, triaged: true, triageWorkflowId },
-                });
-                (0, publish_1.publishEscalationEvent)({
-                    type: 'escalation.resolved',
-                    source: 'api',
-                    workflowId: escalation.workflow_id,
-                    workflowName: escalation.workflow_type,
-                    taskQueue: escalation.task_queue,
-                    taskId: escalation.task_id,
-                    escalationId: escalation.id,
-                    originId: escalation.origin_id ?? undefined,
-                    status: 'resolved',
-                });
-                return {
-                    status: 200,
-                    data: {
-                        started: true,
-                        escalationId: escalation.id,
-                        workflowId: triageWorkflowId,
-                        triage: true,
-                    },
-                };
-            }
-        }
-        // 6. If no workflow_type, this is a notification-only escalation -- acknowledge and close
-        if (!escalation.workflow_type || !escalation.task_queue) {
-            await escalationService.resolveEscalation(escalation.id, resolverPayload);
-            return { status: 200, data: { acknowledged: true, escalationId: escalation.id } };
-        }
-        // 7. Standard re-run: inject resolver data and start original workflow
-        envelope.resolver = resolverPayload;
-        envelope.lt = {
-            ...envelope.lt,
-            escalationId: escalation.id,
-        };
-        const newWorkflowId = `rerun-${escalation.id}-${Date.now()}`;
-        const client = (0, workers_1.createClient)();
-        await client.workflow.start({
-            workflowName: escalation.workflow_type,
-            args: [envelope],
-            taskQueue: escalation.task_queue,
-            workflowId: newWorkflowId,
-            expire: 180,
-        });
-        (0, publish_1.publishEscalationEvent)({
-            type: 'escalation.resolved',
-            source: 'api',
-            workflowId: escalation.workflow_id,
-            workflowName: escalation.workflow_type,
-            taskQueue: escalation.task_queue,
-            taskId: escalation.task_id,
-            escalationId: escalation.id,
-            originId: escalation.origin_id ?? undefined,
-            status: 'resolved',
-        });
-        return {
-            status: 200,
-            data: { started: true, escalationId: escalation.id, workflowId: newWorkflowId },
-        };
-    }
-    catch (err) {
-        return { status: 500, error: err.message };
-    }
-}
-// ── Triage workflow launcher (shared by bulkTriage) ────────────────────────
-async function startTriageWorkflow(escalation, hint, userId, client) {
-    let escalationPayload = {};
-    if (escalation.escalation_payload) {
-        try {
-            escalationPayload = JSON.parse(escalation.escalation_payload);
-        }
-        catch { }
-    }
-    let envelope = {};
-    if (escalation.envelope) {
-        try {
-            envelope = JSON.parse(escalation.envelope);
-        }
-        catch { }
-    }
-    const triageWorkflowId = `triage-${escalation.id}-${Date.now()}`;
-    const triageEnvelope = {
-        data: {
-            escalationId: escalation.id,
-            originId: escalation.origin_id ?? undefined,
-            originalWorkflowType: escalation.workflow_type,
-            originalTaskQueue: escalation.task_queue,
-            originalTaskId: escalation.task_id,
-            escalationPayload,
-            resolverPayload: {
-                _lt: { needsTriage: true, ...(hint ? { hint } : {}) },
-            },
-        },
-        metadata: envelope.metadata || {},
-        lt: { ...(envelope.lt || {}), userId },
-    };
-    const routing = escalation.task_id
-        ? (await taskService.getTask(escalation.task_id))?.metadata
-        : null;
-    await taskService.createTask({
-        workflow_id: triageWorkflowId,
-        workflow_type: 'mcpTriage',
-        lt_type: 'mcpTriage',
-        task_queue: 'long-tail-system',
-        signal_id: `lt-triage-${triageWorkflowId}`,
-        parent_workflow_id: routing?.parentWorkflowId || triageWorkflowId,
-        origin_id: escalation.origin_id || triageWorkflowId,
-        parent_id: escalation.parent_id ?? undefined,
-        envelope: JSON.stringify(triageEnvelope),
-        metadata: routing || undefined,
-    });
-    await client.workflow.start({
-        workflowName: 'mcpTriage',
-        args: [triageEnvelope],
-        taskQueue: 'long-tail-system',
-        workflowId: triageWorkflowId,
-        expire: defaults_1.JOB_EXPIRE_SECS,
-        entity: 'mcpTriage',
-    });
-    return triageWorkflowId;
-}