feat(augment): Phase 5 - SonataFlow agent-approval workflow #3226
This pull request adds a new top-level directory under |
Phase 3 of lifecycle hardening: adds 30-second polling to ReviewQueue and
OpsOverview for real-time admin visibility.
Key fix: only sets loading=true on the initial load, not on subsequent
polls. This eliminates the skeleton flash that occurred every 30 seconds
in the previous implementation (PR G).
ReviewQueue:
- 30s polling interval for review queue agents
- initialLoadDone ref prevents loading flash on polls
OpsOverview:
- 30s polling interval for agent and tool data
- Same loading flash fix via initialLoadDone ref
…ement
Phase 4 of lifecycle hardening: source-aware cascading delete and
lifecycle graph enforcement for publish routes.
Cascading DELETE /agents/:agentId:
- Detects agent source via unified agent list (kagenti/orchestration/workflow)
- For orchestration agents: removes from 'agents' admin config key AND
chatAgents lifecycle entry in a single operation
- For Kagenti agents: removes chatAgents entry, notes that K8s cleanup
requires the dedicated admin endpoint
- Returns detailed cleanupResults per store for transparency
- Ownership enforcement: non-admins restricted to own draft agents
Lifecycle enforcement on publish routes:
- PUT /agents/:agentId/publish: detects when admin bypasses lifecycle
stages (e.g. draft -> production), logs audit warning with
lifecycleBypassed flag, still allows the operation
- PUT /agents/bulk-publish: same bypass detection per agent, logs
warning with count of bypassed agents
OrchAgentDetailView:
- Updated handleDelete to use the cascading DELETE /agents/:agentId
endpoint instead of directly mutating admin config
- Removed unused useAdminConfig('agents') hook
Phase 5 of lifecycle hardening: SonataFlow workflow for automated agent
lifecycle approval, based on the RHDH orchestrator escalation pattern.
Workflow (agent-approval.sw.yaml):
- Triggered when agent is submitted for review (draft -> review)
- Sends Backstage notification to admins on submission
- Suspends in callback state awaiting admin decision CloudEvent
- Approval: promotes agent to staging, notifies creator
- Rejection: demotes to draft with reason, notifies creator
- 72-hour timeout: sends escalation notification, re-enters wait state
- Uses kogitoprocrefid CloudEvent extension for instance correlation
Infrastructure:
- OpenAPI spec for augment promote/demote endpoints
- JSON Schema for workflow input validation
- Application properties for SonataFlow Operator deployment
- Knative Eventing configuration for CloudEvent routing
CloudEvent type: io.rhdhorchestrator.agent.approval.decision
Correlation: kogitoprocrefid (SonataFlow process instance ID)
Prerequisites: SonataFlow Operator, Knative Eventing, Backstage
Notifications plugin, OIDC service account.



Summary
Phase 5 of the Deep-Dive Lifecycle Hardening plan. Adds a SonataFlow workflow for automated agent lifecycle approval, based on the RHDH orchestrator escalation pattern from the serverless-workflows repository. Depends on Phase 4 (PR #3225).

Workflow Flow

Files
- agent-approval.sw.yaml - SonataFlow workflow definition
- schemas/agent-approval-input.json - Input validation schema
- specs/augment-agent-lifecycle.yaml - OpenAPI spec for promote/demote endpoints
- application.properties - SonataFlow Operator deployment config
- README.md - Architecture, CloudEvent format, deployment guide

CloudEvent Correlation
Admin decisions are sent as CloudEvents with type io.rhdhorchestrator.agent.approval.decision and correlated to workflow instances via the kogitoprocrefid extension attribute.

Prerequisites

Test plan
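
A receiver-side check for the decision event described under CloudEvent Correlation, as an added example that is not code from this PR. The event type and the kogitoprocrefid attribute come from the description; the `decision` and `reason` payload fields, the UUID shape of the instance id, and the `pending` set of waiting instances are assumptions.

```javascript
// Added example, not code from the PR. Type and correlation attribute are from the PR text.
const DECISION_TYPE = 'io.rhdhorchestrator.agent.approval.decision';
const CORRELATION_ATTR = 'kogitoprocrefid';
// Assumptions: payload fields `decision` / `reason`, and UUID-shaped instance ids.
const DECISIONS = new Set(['approved', 'rejected']);
const UUID_RE = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;

// `pending` is a hypothetical Set of instance ids currently suspended in the callback state.
function validateDecisionEvent(event, pending) {
  if (event === null || typeof event !== 'object' || Array.isArray(event)) {
    return { ok: false, errors: ['event is not a JSON object'] };
  }
  const errors = [];
  // CloudEvents 1.0 required context attributes.
  for (const attr of ['id', 'source', 'specversion', 'type']) {
    if (typeof event[attr] !== 'string' || event[attr] === '') errors.push(`missing ${attr}`);
  }
  if (event.specversion !== undefined && event.specversion !== '1.0') errors.push('unsupported specversion');
  if (event.type !== undefined && event.type !== DECISION_TYPE) errors.push('unexpected type');

  // A decision must name an instance that is actually waiting, or it is dropped.
  const ref = event[CORRELATION_ATTR];
  if (typeof ref !== 'string' || !UUID_RE.test(ref)) {
    errors.push('missing or malformed kogitoprocrefid');
  } else if (!pending.has(ref)) {
    errors.push('no instance is waiting on this kogitoprocrefid');
  }

  const data = event.data;
  if (data === null || typeof data !== 'object') {
    errors.push('missing data');
  } else {
    if (!DECISIONS.has(data.decision)) errors.push('unknown decision');
    // The workflow demotes with a reason, so a rejection without one is incomplete.
    if (data.decision === 'rejected' && !(typeof data.reason === 'string' && data.reason.trim())) {
      errors.push('rejection without reason');
    }
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample input (ids, source and reason are made up for the example).
const pendingInstances = new Set(['3f2b8c1e-5d4a-4b6f-9a7e-0c1d2e3f4a5b']);
const sampleEvent = {
  specversion: '1.0', id: 'evt-001', source: '/augment/admin-ui', type: DECISION_TYPE,
  kogitoprocrefid: '3f2b8c1e-5d4a-4b6f-9a7e-0c1d2e3f4a5b',
  data: { decision: 'rejected', reason: 'system prompt not reviewed' },
};
console.log(validateDecisionEvent(sampleEvent, pendingInstances));
```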