crewly 1.6.0 → 1.6.2

package/dist/backend/backend/src/services/task-pool/task-pool.service.js

@@ -11,7 +11,8 @@
 import { PoolStorage } from './pool-storage.js';
 import { ClaimService } from './claim.service.js';
 import { LoggerService } from '../core/logger.service.js';
-import { isWorkItem, isValidWorkItemTransition } from '../../types/v2/work-item.types.js';
+import { formatError } from '../../utils/format-error.js';
+import { isWorkItem, isValidWorkItemTransition, isTransitionPermitted } from '../../types/v2/work-item.types.js';
 import { createTaskClaim, } from '../../types/v2/claim.types.js';
 // ---------------------------------------------------------------------------
 // Service
@@ -42,6 +43,15 @@ export class TaskPoolService {
     storage;
     claimService;
     logger;
+    /**
+     * Optional EventBus reference — wired via {@link setEventBusService} from
+     * the boot path. When set, {@link addToPool} publishes a `workitem:queued`
+     * event so subscribers (notably {@link RequestSlaSubscriber}) can react to
+     * queue mutations. Optional because singleton callers (tests, CLI) bring
+     * up the pool before the bus exists; missing bus is treated as a no-op
+     * publish at warn level.
+     */
+    eventBus = null;
     /**
      * Serializes claim operations to prevent the race where two concurrent
      * claimFromPool / claimSpecificItem calls both select the same queued
@@ -55,6 +65,17 @@ export class TaskPoolService {
         this.claimService = new ClaimService(this.storage);
         this.logger = LoggerService.getInstance().createComponentLogger('TaskPoolService');
     }
+    /**
+     * Wire the EventBus reference used by {@link addToPool} to publish
+     * `workitem:queued` events (INBOUND-1.f1). Called from the backend boot
+     * path after both services have been constructed. Idempotent and may be
+     * called with `null` to disable publishing (testing).
+     *
+     * @param bus - The EventBus instance, or null to clear
+     */
+    setEventBusService(bus) {
+        this.eventBus = bus;
+    }
     /**
      * Chains the given critical section after any in-flight claim operation.
      * Guarantees FIFO ordering even under concurrent invocation.
@@ -118,6 +139,177 @@ export class TaskPoolService {
             type: workItem.type,
             title: workItem.title,
         });
+        // INBOUND-1.f1: announce the queue mutation so subscribers (notably the
+        // RequestSlaSubscriber) can react. We publish AFTER the storage flush
+        // so any subscriber that re-reads via taskPool.findWorkItem sees the
+        // committed item. Publish failures are logged-but-isolated — the pool
+        // mutation is the source of truth, the event is informational.
+        this.publishWorkItemQueued(workItem);
+    }
+    /**
+     * INBOUND-1.f1 helper: publish a `workitem:queued` event with correlation
+     * ids the SLA subscriber needs (`requestId`, `missionId`, plus the new
+     * `workItemId`). Called by {@link addToPool} after the storage flush.
+     *
+     * Stays a separate method (vs inlining) so:
+     *   1. The dependency on EventBus stays explicit and grep-able.
+     *   2. A future caller adding an alternate enqueue path (e.g. a batch
+     *      addAll) can route through the same publisher for consistent
+     *      observability.
+     *   3. Error handling stays in one place — a thrown publisher must NOT
+     *      back out the pool mutation (the storage write already committed).
+     */
+    publishWorkItemQueued(workItem) {
+        if (!this.eventBus) {
+            this.logger.debug('No EventBus wired — skipping workitem:queued publish', {
+                workItemId: workItem.id,
+            });
+            return;
+        }
+        try {
+            this.eventBus.publish({
+                // Deterministic event id keyed on the WI id so a redelivered storage
+                // path (theoretical) collapses through the bus's per-(type,session)
+                // debounce window without firing the SLA handler twice.
+                id: `workitem:queued:${workItem.id}`,
+                type: 'workitem:queued',
+                timestamp: new Date().toISOString(),
+                teamId: '',
+                teamName: '',
+                memberId: '',
+                memberName: '',
+                // sessionName is empty — `workitem:queued` is a system-level event
+                // not attributable to a specific agent session. The bus's dedup key
+                // is `${type}:${sessionName}` so a unique sessionName per WI would
+                // defeat the dedup; an empty sessionName scoped per-id is fine since
+                // the event id already encodes the WI uniquely.
+                sessionName: '',
+                previousValue: '',
+                newValue: workItem.status,
+                changedField: 'taskStatus',
+                // INBOUND-1.f1 correlation fields. Mandatory: workItemId. Optional:
+                // requestId, missionId — populated when the WI carries them. The SLA
+                // subscriber no-ops when requestId is undefined (per spec), so we
+                // don't need a fallback chain here.
+                workItemId: workItem.id,
+                requestId: workItem.requestId,
+                missionId: workItem.missionId,
+            });
+        }
+        catch (err) {
+            this.logger.warn('workitem:queued publish threw', {
+                workItemId: workItem.id,
+                error: formatError(err),
+            });
+        }
+    }
+    /**
+     * F1-BRIDGE-1 helper: publish `task:done_by_worker` after a successful
+     * `submitForVerification` transition. The {@link EventToWorkItemBridge}
+     * subscribes to this event and creates a verification WorkItem for the
+     * resolved team-lead session.
+     *
+     * Stays a separate method (mirrors {@link publishWorkItemQueued}) so:
+     *   1. The dependency on EventBus stays explicit and grep-able — Arch's
+     *      grep guard checks both the type declaration AND a publish call
+     *      site for `task:done_by_worker`.
+     *   2. Error handling is uniform with the other publishers — a thrown
+     *      bus must NOT back out the verified state transition; the storage
+     *      flush has already committed.
+     *   3. A future caller adding an alternate verification-submission path
+     *      (e.g. an admin endpoint or a CLI) routes through the same publisher.
+     *
+     * The deterministic event id (`task:done_by_worker:${workItemId}`) keys
+     * dedup so a redelivered submitForVerification (theoretical) collapses
+     * through the bus without firing the bridge handler twice.
+     */
+    publishTaskDoneByWorker(workItem) {
+        if (!this.eventBus) {
+            this.logger.debug('No EventBus wired — skipping task:done_by_worker publish', {
+                workItemId: workItem.id,
+            });
+            return;
+        }
+        try {
+            this.eventBus.publish({
+                id: `task:done_by_worker:${workItem.id}`,
+                type: 'task:done_by_worker',
+                timestamp: new Date().toISOString(),
+                teamId: '',
+                teamName: '',
+                memberId: '',
+                memberName: '',
+                // sessionName is empty — `task:done_by_worker` is published from the
+                // pool layer which doesn't carry the worker's PTY session. The bridge
+                // uses `workItemId` (and falls back to `taskId`) to resolve the
+                // source WI; sessionName is informational. Empty matches the
+                // workitem:queued publish convention.
+                sessionName: '',
+                // The state machine just landed at done_by_worker. Carry both ends
+                // so any subscriber filtering on (previousValue, newValue) sees
+                // the canonical transition.
+                previousValue: 'running',
+                newValue: 'done_by_worker',
+                changedField: 'taskStatus',
+                // BRIDGE-1.1 hybrid extension. `workItemId` is mandatory for the
+                // bridge handler; the `taskId` fallback path is unused here because
+                // WorkItem itself does not carry a taskId (the bridge resolves the
+                // source WI by id alone via taskPool.findWorkItem).
+                workItemId: workItem.id,
+                missionId: workItem.missionId,
+                requestId: workItem.requestId,
+            });
+        }
+        catch (err) {
+            this.logger.warn('task:done_by_worker publish threw', {
+                workItemId: workItem.id,
+                error: formatError(err),
+            });
+        }
+    }
+    /**
+     * F1-BRIDGE-1 helper: publish `task:rejected` after a successful
+     * `verifyItem` transition with verdict='rejected'. The
+     * {@link EventToWorkItemBridge} subscribes and either creates a retry
+     * WI (`retryCount < maxRetries`) or escalates to a TL review WI with
+     * `reviewReason='max_retries_exceeded'` at the cap.
+     *
+     * Mirrors {@link publishTaskDoneByWorker} for symmetry. Only the
+     * verdict='rejected' branch reaches this publisher — `verdict='verified'`
+     * does NOT publish (terminal-success path goes through
+     * {@link resolveBlockedDependents}, which is not a bridge trigger).
+     */
+    publishTaskRejected(workItem) {
+        if (!this.eventBus) {
+            this.logger.debug('No EventBus wired — skipping task:rejected publish', {
+                workItemId: workItem.id,
+            });
+            return;
+        }
+        try {
+            this.eventBus.publish({
+                id: `task:rejected:${workItem.id}`,
+                type: 'task:rejected',
+                timestamp: new Date().toISOString(),
+                teamId: '',
+                teamName: '',
+                memberId: '',
+                memberName: '',
+                sessionName: '',
+                previousValue: 'done_by_worker',
+                newValue: 'rejected',
+                changedField: 'taskStatus',
+                workItemId: workItem.id,
+                missionId: workItem.missionId,
+                requestId: workItem.requestId,
+            });
+        }
+        catch (err) {
+            this.logger.warn('task:rejected publish threw', {
+                workItemId: workItem.id,
+                error: formatError(err),
+            });
+        }
     }
     /**
      * Claims the next available WorkItem from the pool for an agent.
@@ -159,13 +351,15 @@ export class TaskPoolService {
                 return null;
             }
             const selected = candidates[0];
-            // Transition item to 'running'
-            const updated = await this.storage.updateWorkItem(selected.id, (wi) => {
-                wi.status = 'running';
-                wi.startedAt = new Date().toISOString();
+            // TRANS-2: route the queued → running flip through the guarded
+            // transitionStatus helper so internal callers are subject to the
+            // same V3 actor-role + state-machine gates as external callers.
+            // `startedAt` is set automatically by transitionStatus when
+            // newStatus === 'running'; the mutator carries the agent target.
+            const claimedItem = await this.transitionStatus(selected.id, 'running', 'system', (wi) => {
                 wi.target = agentId;
             });
-            if (!updated) {
+            if (!claimedItem) {
                 this.logger.warn('Failed to update WorkItem during claim', { workItemId: selected.id });
                 return null;
             }
@@ -183,8 +377,6 @@ export class TaskPoolService {
                 claimId: claim.id,
                 title: selected.title,
             });
-            // Return the updated item
-            const claimedItem = await this.storage.findWorkItem(selected.id);
             return {
                 workItem: claimedItem,
                 claim,
@@ -214,20 +406,19 @@ export class TaskPoolService {
             const claims = await this.storage.getClaims();
             if (claims.some((c) => c.workItemId === workItemId && c.status === 'active'))
                 return null;
-            const updated = await this.storage.updateWorkItem(workItemId, (wi) => {
-                wi.status = 'running';
-                wi.startedAt = new Date().toISOString();
+            // TRANS-2: route the queued → running flip through transitionStatus
+            // (mirrors claimFromPool — same V3 + state-machine gates).
+            const claimedItem = await this.transitionStatus(workItemId, 'running', 'system', (wi) => {
                 wi.target = agentId;
             });
-            if (!updated)
+            if (!claimedItem)
                 return null;
             const claimInput = { workItemId, agentId };
             const claim = createTaskClaim(claimInput);
             await this.storage.addClaim(claim);
             await this.storage.flush();
             this.logger.info('WorkItem claimed (specific)', { workItemId, agentId, claimId: claim.id });
-            const claimedItem = await this.storage.findWorkItem(workItemId);
-            return claimedItem ? { workItem: claimedItem, claim } : null;
+            return { workItem: claimedItem, claim };
         });
     }
     /**
@@ -256,11 +447,14 @@ export class TaskPoolService {
                 c.endReason = reason;
             });
         }
-        // Revert item to queued. Preserve target when unblocking so the
-        // same agent can re-claim via target filter.
+        // TRANS-2: route the (running|blocked) → queued flip through the
+        // guarded transitionStatus helper. The state-machine entry for
+        // `running → queued` is a TRANS-2 addition, gated to system/TL/orc;
+        // `blocked → queued` was already TL/orc/system-gated by TRANS-1.
+        // Side-effect mutations (startedAt clear, target preservation when
+        // unblocking, retryCount bump) move into the atomic mutator.
         const wasBlocked = workItem.status === 'blocked';
-        await this.storage.updateWorkItem(workItemId, (wi) => {
-            wi.status = 'queued';
+        await this.transitionStatus(workItemId, 'queued', 'system', (wi) => {
             wi.startedAt = undefined;
             if (!wasBlocked) {
                 wi.target = undefined;
@@ -275,40 +469,204 @@ export class TaskPoolService {
         });
     }
     /**
-     * Marks a work item as completed ('done').
+     * Decide whether a WorkItem requires TL verification before reaching a
+     * terminal-success status.
      *
-     * @param workItemId - ID of the work item
-     * @param result - Optional result data
-     * @throws Error if work item not found or not in 'running' status
+     * Default policy (VERIF-1):
+     *   - `delegate` items default to *requires verification* — a worker
+     *     marking their own delegated work as "done" should produce
+     *     `done_by_worker` and wake the TL for sign-off.
+     *   - All other types (`cron_run`, `notify`, `reconcile`, `check`,
+     *     `confirm`, `review`, ...) default to simple completion (`done`).
+     *
+     * The default is overridable via `wi.metadata.requiresVerification`:
+     *   - `true`  — force verification path even for non-delegate types
+     *   - `false` — skip verification even for delegate types (this is the
+     *     F-H affordance REVIEW-1 needs: review WIs are themselves the
+     *     verification step, so they must NOT loop back to TL self-verify)
+     *
+     * @param wi - The WorkItem under inspection
+     * @returns true when the verification path should fire
      */
-    async completeItem(workItemId, result) {
-        const workItem = await this.storage.findWorkItem(workItemId);
-        if (!workItem) {
-            throw new Error(`WorkItem not found: ${workItemId}`);
-        }
-        if (workItem.status !== 'running') {
-            throw new Error(`Cannot complete WorkItem: status must be 'running', got '${workItem.status}'`);
-        }
-        // Release the claim
+    requiresVerification(wi) {
+        const metaFlag = wi.metadata?.requiresVerification;
+        if (metaFlag === true)
+            return true;
+        if (metaFlag === false)
+            return false;
+        return wi.type === 'delegate';
+    }
+    /**
+     * Internal: release the active claim on a WorkItem (if any). Shared by
+     * `completeSimpleItem` and `submitForVerification` because both
+     * represent the worker handing the item back to the system.
+     *
+     * @param workItemId - WorkItem whose claim should be released
+     * @param endReason - Reason recorded on the claim (`completed` /
+     *   `submitted_for_verification`) for auditability
+     */
+    async releaseClaim(workItemId, endReason) {
         const claim = await this.storage.findActiveClaimByWorkItem(workItemId);
-        if (claim) {
-            await this.storage.updateClaim(claim.id, (c) => {
-                c.status = 'released';
-                c.endedAt = new Date().toISOString();
-                c.endReason = 'completed';
-            });
+        if (!claim)
+            return;
+        await this.storage.updateClaim(claim.id, (c) => {
+            c.status = 'released';
+            c.endedAt = new Date().toISOString();
+            c.endReason = endReason;
+        });
+    }
+    /**
+     * Worker reports a delegated WorkItem as done and submits it for TL
+     * verification.
+     *
+     * Transitions `running → done_by_worker` via {@link transitionStatus},
+     * which enforces the V3 actor-role gate (`'agent'` is allowed; any
+     * other role throws). The active claim is released as
+     * `submitted_for_verification` so the TL queue is the only thing
+     * blocking forward progress.
+     *
+     * Used by the `completeItem` facade for `delegate`-type items and any
+     * item whose `metadata.requiresVerification === true`.
+     *
+     * @param workItemId - WorkItem id
+     * @param actorRole - Role of the caller (`'agent'` for normal worker
+     *   submissions; passed through to `isTransitionPermitted`)
+     * @param result - Optional result payload to attach to the WorkItem
+     * @returns The updated WorkItem, or `null` if the WI was deleted
+     *   between the find and the update (race window)
+     * @throws When the WorkItem is missing, the transition is invalid, or
+     *   the actor is not permitted to perform `running → done_by_worker`.
+     */
+    async submitForVerification(workItemId, actorRole, result) {
+        await this.releaseClaim(workItemId, 'submitted_for_verification');
+        const updated = await this.transitionStatus(workItemId, 'done_by_worker', actorRole, (wi) => {
+            if (result)
+                wi.result = result;
+        });
+        await this.storage.flush();
+        this.logger.info('WorkItem submitted for verification', {
+            workItemId,
+            actorRole,
+            // BRIDGE-1 turns this into a real `task:done_by_worker` event below
+            // (F1-BRIDGE-1). The log line is preserved as a wake signal for any
+            // tail-based TL-watching subscriber that still greps it.
+            tlWakeRequested: true,
+        });
+        // F1-BRIDGE-1: publish AFTER the storage flush so any subscriber that
+        // re-reads via taskPool.findWorkItem sees the committed `done_by_worker`
+        // status. `updated` is null only on race-window deletion — skip the
+        // publish in that case (no source WI for the bridge to resolve).
+        if (updated) {
+            this.publishTaskDoneByWorker(updated);
         }
-        // Mark item done
-        await this.storage.updateWorkItem(workItemId, (wi) => {
-            wi.status = 'done';
-            wi.completedAt = new Date().toISOString();
+        return updated;
+    }
+    /**
+     * Worker (or system) marks a non-delegated WorkItem as fully done.
+     *
+     * Transitions `running → done` via {@link transitionStatus}. Used by
+     * the `completeItem` facade for `cron_run`, `notify`, `reconcile`,
+     * `check`, `confirm`, `review` types — anything whose lifecycle does
+     * NOT include a TL verification step.
+     *
+     * The Reconciler service is the only system-actor caller and uses
+     * `actorRole='system'`, which bypasses the actor check while still
+     * respecting the state-machine legality check.
+     *
+     * @param workItemId - WorkItem id
+     * @param actorRole - Role of the caller (`'agent'`, `'system'`, etc.)
+     * @param result - Optional result payload to attach
+     * @returns The updated WorkItem, or `null` if the WI was deleted
+     *   between the find and the update (race window)
+     * @throws When the WorkItem is missing, the transition is invalid, or
+     *   the actor is not permitted to perform `running → done`.
+     */
+    async completeSimpleItem(workItemId, actorRole, result) {
+        await this.releaseClaim(workItemId, 'completed');
+        const updated = await this.transitionStatus(workItemId, 'done', actorRole, (wi) => {
             if (result)
                 wi.result = result;
         });
         // Promote any blocked dependents whose deps are now all satisfied.
         await this.resolveBlockedDependents(workItemId);
         await this.storage.flush();
-        this.logger.info('WorkItem completed', { workItemId });
+        this.logger.info('WorkItem completed', { workItemId, actorRole });
+        return updated;
+    }
+    /**
+     * TL records a verdict on a WorkItem in `done_by_worker` status.
+     *
+     * `verified` advances to terminal success and unblocks dependents;
+     * `rejected` parks the item until the TL re-queues it (which TRANS-1
+     * gates to TL/orchestrator/system actors). Worker-actor calls throw
+     * automatically via {@link transitionStatus}'s permission gate — we
+     * do NOT need to add an explicit role check here, the matrix in
+     * `TRANSITION_PERMISSIONS` handles it.
+     *
+     * @param workItemId - WorkItem id (must currently be `done_by_worker`)
+     * @param actorRole - Role of the caller (`'team_lead'` or `'orchestrator'`
+     *   for verify/reject; worker calls throw)
+     * @param verdict - `'verified'` or `'rejected'`
+     * @param comment - Optional reviewer comment recorded in `wi.error`
+     *   (the field is reused — the WorkItem schema does not yet have a
+     *   dedicated `verifierComment` slot; keeping this on `error` lets
+     *   downstream UIs render TL feedback alongside failure causes)
+     * @returns The updated WorkItem, or `null` on race-window deletion
+     * @throws When the WorkItem is missing, the verdict is invalid, the
+     *   transition is illegal, or the actor is not permitted to verify.
+     */
+    async verifyItem(workItemId, actorRole, verdict, comment) {
+        if (verdict !== 'verified' && verdict !== 'rejected') {
+            throw new Error(`Invalid verdict: "${verdict}". Must be "verified" or "rejected".`);
+        }
+        const updated = await this.transitionStatus(workItemId, verdict, actorRole, (wi) => {
+            if (comment)
+                wi.error = comment;
+        });
+        if (verdict === 'verified') {
+            await this.resolveBlockedDependents(workItemId);
+        }
+        await this.storage.flush();
+        this.logger.info('WorkItem verdict recorded', { workItemId, verdict, actorRole });
+        // F1-BRIDGE-1: only the `rejected` branch publishes. The bridge's
+        // task:rejected handler creates the retry-or-escalate WI; the `verified`
+        // branch is terminal-success and unblocks dependents above without any
+        // bridge involvement. Skip the publish on race-window deletion.
+        if (verdict === 'rejected' && updated) {
+            this.publishTaskRejected(updated);
+        }
+        return updated;
+    }
+    /**
+     * Legacy facade — picks the verification path for the caller.
+     *
+     * Existing call sites (REST controller, task-management controllers,
+     * V3 data service) invoke `completeItem(id, result)` without an
+     * explicit actor role. The facade reads the WorkItem, applies the
+     * {@link requiresVerification} policy, and dispatches to either
+     * {@link submitForVerification} (delegate items / explicit opt-in)
+     * or {@link completeSimpleItem} (everything else).
+     *
+     * The legacy actor role for these implicit callers is `'agent'`.
+     * Migrations to explicit-actor calls can land in follow-up tickets
+     * without touching the five call sites in this PR.
+     *
+     * @param workItemId - WorkItem id
+     * @param result - Optional result payload
+     * @throws When the WorkItem is missing or the underlying transition
+     *   is rejected (invalid state, forbidden actor).
+     */
+    async completeItem(workItemId, result) {
+        const workItem = await this.storage.findWorkItem(workItemId);
+        if (!workItem) {
+            throw new Error(`WorkItem not found: ${workItemId}`);
+        }
+        if (this.requiresVerification(workItem)) {
+            await this.submitForVerification(workItemId, 'agent', result);
+        }
+        else {
+            await this.completeSimpleItem(workItemId, 'agent', result);
+        }
     }
     /**
      * Scans blocked WorkItems that list `completedId` in their `dependsOn` and
@@ -332,9 +690,12 @@ export class TaskPoolService {
                 const allSatisfied = (candidate.dependsOn ?? []).every((depId) => terminalSuccess.has(depId));
                 if (!allSatisfied)
                     continue;
-                await this.storage.updateWorkItem(candidate.id, (wi) => {
-                    wi.status = 'queued';
-                });
+                // TRANS-2: route the blocked → queued promotion through
+                // transitionStatus. The 'system' actor matches both the V3
+                // permission gate (blocked→queued requires TL/orc/system) and
+                // the existing intent — dependency resolution is server-side
+                // bookkeeping, not a user-initiated action.
+                await this.transitionStatus(candidate.id, 'queued', 'system');
                 this.logger.info('WorkItem unblocked — all deps satisfied', {
                     workItemId: candidate.id,
                     via: completedId,
@@ -366,10 +727,10 @@ export class TaskPoolService {
                 c.endReason = `failed: ${error}`;
             });
         }
-        // Mark item failed
-        await this.storage.updateWorkItem(workItemId, (wi) => {
-            wi.status = 'failed';
-            wi.completedAt = new Date().toISOString();
+        // TRANS-2: route the running → failed flip through transitionStatus.
+        // `completedAt` is set automatically when newStatus === 'failed'; the
+        // mutator only needs to attach the error description.
+        await this.transitionStatus(workItemId, 'failed', 'system', (wi) => {
             wi.error = error;
         });
         await this.storage.flush();
@@ -514,6 +875,22 @@ export class TaskPoolService {
     async getAllItems() {
         return this.storage.getWorkItems();
     }
+    /**
+     * Find a WorkItem by id without mutating it.
+     *
+     * Public read accessor used by callers that need to inspect a
+     * specific item — for example REVIEW-1's reentrancy lock checks the
+     * status of a Mission's `pendingReviewWorkItemId` to decide whether
+     * to clear the lock. Returns `null` (not `undefined`) so callers can
+     * use a uniform null-fallthrough idiom shared with
+     * `getWorkItemSnapshot` and `transitionStatus`.
+     *
+     * @param workItemId - WorkItem id to look up
+     * @returns The WorkItem, or `null` if no item has that id
+     */
+    async findWorkItem(workItemId) {
+        return (await this.storage.findWorkItem(workItemId)) ?? null;
+    }
     /**
      * Removes a WorkItem from the pool entirely.
      * Used for purging old completed/cancelled items.
@@ -543,11 +920,19 @@ export class TaskPoolService {
      * Updates a work item's status directly.
      * Used by the Reconciler for corrections (e.g., stuck → blocked).
      *
+     * Reconciler invocations pass through `actorRole='system'` (default) which
+     * bypasses the per-role gate at {@link isTransitionPermitted} but still
+     * enforces the state-machine via {@link isValidWorkItemTransition}. Other
+     * callers MUST supply the actor's role so TRANS-1 V3 enforcement applies.
+     *
      * @param workItemId - The work item ID
      * @param newStatus - The target status
-     * @throws Error if work item not found or transition is invalid
+     * @param actorRole - Role of the caller (defaults to `'system'` for Reconciler)
+     * @throws Error if work item not found
+     * @throws Error if transition is invalid (state machine — see WORK_ITEM_TRANSITIONS)
+     * @throws Error if actor is not permitted (role check — see TRANSITION_PERMISSIONS)
      */
-    async updateItemStatus(workItemId, newStatus) {
+    async updateItemStatus(workItemId, newStatus, actorRole = 'system') {
         const items = await this.storage.getWorkItems();
         const item = items.find((wi) => wi.id === workItemId);
         if (!item) {
@@ -556,6 +941,11 @@ export class TaskPoolService {
         if (!isValidWorkItemTransition(item.status, newStatus)) {
             throw new Error(`Invalid status transition for WorkItem ${workItemId}: ${item.status} → ${newStatus}`);
         }
+        // TRANS-1 V3: enforce per-role permissions. system role always passes.
+        if (!isTransitionPermitted(item.status, newStatus, actorRole)) {
+            throw new Error(`Forbidden transition for WorkItem ${workItemId}: actor='${actorRole}' ` +
+                `not permitted to perform ${item.status} → ${newStatus}.`);
+        }
         await this.storage.updateWorkItem(workItemId, (wi) => {
             wi.status = newStatus;
             // Use startedAt for running, completedAt for done/failed
@@ -570,7 +960,97 @@ export class TaskPoolService {
             workItemId,
             from: item.status,
             to: newStatus,
+            actorRole,
+        });
+    }
+    /**
+     * Public guarded transition helper — TRANS-1's canonical entrypoint.
+     *
+     * Routes any externally-initiated WorkItem status change through the
+     * combined state-machine + actor-role gates. Designed as the public API
+     * VERIF-1 will call from `submitForVerification` / `verifyItem`, and as
+     * the recommended path for any future caller that previously reached
+     * for `storage.updateWorkItem` to flip status.
+     *
+     * Differences vs {@link updateItemStatus}:
+     *   - Requires `actorRole` explicitly (no default) — forces the caller to
+     *     decide the trust posture rather than silently inheriting `'system'`.
+     *   - Accepts an optional `mutator` so callers can carry additional field
+     *     updates (e.g. `result`, `error`, `completedAt`) atomically with the
+     *     status flip — preventing races between status update and metadata
+     *     attachment that direct `storage.updateWorkItem` callers risked.
+     *
+     * @param workItemId - The work item ID
+     * @param newStatus - The target status
+     * @param actorRole - Role of the caller (REQUIRED; pass `'system'` for trusted server-internal paths)
+     * @param mutator - Optional additional WorkItem field updates applied atomically with the status change
+     * @returns The updated WorkItem after the transition
+     * @throws Error if work item not found
+     * @throws Error if transition is invalid (state machine)
+     * @throws Error if actor is not permitted (role check)
+     *
+     * @example
+     * ```typescript
+     * // VERIF-1 worker submitting for verification
+     * await pool.transitionStatus(wiId, 'done_by_worker', 'agent', (wi) => {
+     *   wi.result = output;
+     * });
+     *
+     * // VERIF-1 TL verifying
+     * await pool.transitionStatus(wiId, 'verified', 'team_lead');
+     *
+     * // VERIF-1 TL rejecting (allowed for TL only)
+     * await pool.transitionStatus(wiId, 'rejected', 'team_lead', (wi) => {
+     *   wi.error = 'Did not meet acceptance criteria';
+     * });
+     * ```
+     */
+    async transitionStatus(workItemId, newStatus, actorRole, mutator) {
+        const item = await this.storage.findWorkItem(workItemId);
+        if (!item) {
+            throw new Error(`WorkItem not found: ${workItemId}`);
+        }
+        if (!isValidWorkItemTransition(item.status, newStatus)) {
+            throw new Error(`Invalid status transition for WorkItem ${workItemId}: ${item.status} → ${newStatus}`);
+        }
+        if (!isTransitionPermitted(item.status, newStatus, actorRole)) {
+            throw new Error(`Forbidden transition for WorkItem ${workItemId}: actor='${actorRole}' ` +
+                `not permitted to perform ${item.status} → ${newStatus}.`);
+        }
+        const ok = await this.storage.updateWorkItem(workItemId, (wi) => {
+            wi.status = newStatus;
+            // Standard timestamp side-effects mirror updateItemStatus so callers
+            // get consistent metadata regardless of which API they used.
+            if (newStatus === 'running') {
+                wi.startedAt = new Date().toISOString();
+            }
+            else if (newStatus === 'done' ||
+                newStatus === 'failed' ||
+                newStatus === 'verified' ||
+                newStatus === 'done_by_worker' ||
+                newStatus === 'rejected') {
+                wi.completedAt = new Date().toISOString();
+            }
+            if (mutator)
+                mutator(wi);
+        });
+        if (!ok) {
+            // Race window: someone else removed the WorkItem between findWorkItem
+            // and updateWorkItem. Surface as null so callers can distinguish from
+            // a thrown invalid-transition / forbidden-transition error.
+            return null;
+        }
+        this.logger.info('WorkItem transitioned', {
+            workItemId,
+            from: item.status,
+            to: newStatus,
+            actorRole,
         });
+        // Return the post-update WorkItem snapshot so callers can chain on the
+        // resolved value rather than re-fetching. Coerce `undefined` (item
+        // removed during the race window) to `null` to match the declared
+        // return type.
+        return (await this.storage.findWorkItem(workItemId)) ?? null;
     }
     /**
      * Update token usage and cost on a WorkItem.