Alert Triage UI
OP-024 and OP-066b make alert triage interactive without creating a new alert service. Operators and admins can acknowledge, assign, resolve, and create a ticket from the existing alert detail workflow through real API calls.
What Changed
- Added
PATCH /api/v1/alerts/{alert_id}for alert acknowledgement, assignment, and resolution on the existing tenant-scoped alert row. - Added same-origin frontend API handlers for alert patch and alert-to-ticket creation.
- Added alert detail controls for acknowledge, assign to me, resolve, and create ticket from alert.
- Hid alert mutation controls for auditor sessions.
- Kept
POST /api/v1/alerts/{alert_id}/ticketas the idempotent ticket creation path.
Guardrails
- No fake triage controls are rendered.
- Auditors can inspect alert context but cannot see mutation buttons.
- Operators can assign alerts only to themselves in Phase 1.
- Tenant admins and system admins may assign alerts more broadly.
- Alert resolution stores an
alert-resolution://...reference rather than exposing raw investigation summary through auditor/export paths by default. - SIEM
security.alert.createdand genericalert.createdcontracts remain unchanged.
Validation
make typecheck-python
make test-sqlite
npm --prefix frontend test -- --run
make docs-build
Acceptance
| Requirement | Evidence |
|---|---|
| Operator can acknowledge an alert | Alert detail button patches /console-api/oneprotect/alerts/{alert_id} |
| Operator can assign to self | Alert detail button patches assignee_id using backend session actor |
| Operator can resolve with summary | Alert detail resolution control patches status=resolved |
| Operator can create ticket from alert | Alert detail button posts /console-api/oneprotect/alerts/{alert_id}/ticket |
| Auditor sees no mutation controls | Frontend test covers auditor read-only rendering |