feat: add governance approval audit backend #7

Merged: RobinOppenstam merged 2 commits into main from feat/governance-audit-backend, May 27, 2026
@RobinOppenstam

Contributor

Summary

  • Added Phase 6A governance backend: approval action/risk semantics, server-side demo role permission matrix, queue/detail services, decide service, and approval/audit API routes.
  • Added append-only governance decision/audit behavior with workflow continuation hooks for Phase 5 and flagship remediation paths.
  • Added sanitized audit query/filter service and Pixel-facing contract docs.
  • Added Phase 6 unit tests plus DB smoke script for permission/side-effect/audit verification.

Changed files

  • src/modules/permissions/governance.ts — server-side role/action/risk permission matrix.
  • src/modules/approvals/* — approval types, governance derivation, queue/detail queries, approve/reject service.
  • src/modules/audit/* — sanitized audit metadata, audit filters/query contract, append-only write behavior.
  • src/app/api/approvals/* — queue/detail/decide API routes.
  • src/app/api/audit/route.ts — audit filter API route.
  • src/modules/workflows/incident-response/service.ts and src/lib/demo/northstar-seed.ts — approval metadata/action semantics for seeded and Phase 5 approvals.
  • scripts/governance-audit-smoke.ts — opt-in DB smoke for unauthorized direct calls, approve side effects, and audit filters.
  • tests/governance-audit.test.ts — permission matrix, decision side effects, audit filter/sanitize coverage.
  • docs/governance-audit-contract.md — Pixel service/data contract.

Verification

  • npm install
  • npm run lint
  • npm run typecheck
  • npm test — 6 files passed, 26 tests passed, 3 skipped
  • npm run build
  • npm run cf:build
  • npm run demo:reset
  • npm run governance:audit-smoke (output: governance_audit_smoke ok=true approvals=1 decisions=1 audit=1 unauthorized_blocked=true continuation=resumed)
  • npm run demo:reset after smoke to restore demo data
  • npm run db:check

Acceptance checklist

  • Approval action types and risk semantics defined.
  • Server-side role permission matrix implemented.
  • Approval queue filters by role relevance.
  • Approval detail includes linked incident/recommendation/evidence/decision/audit context.
  • Approve/reject validates selected demo role allowlist server-side.
  • Unauthorized direct calls fail with 403.
  • Decision record and audit log are written.
  • Approval status updates on approve/reject.
  • Approve resumes Phase 5/flagship remediation continuation where applicable.
  • Reject records stop impact and leaves incident active for alternate handling.
  • Audit filters by actor/role/action/actionType/incident/status/outcome/search.
  • Audit metadata is summarized/redacted for UI contracts.

Pixel service/data contract

  • Full contract: docs/governance-audit-contract.md.
  • Queue: GET /api/approvals?role=<demo-role>&status=pending&limit=50.
  • Detail: GET /api/approvals/:id?role=<demo-role>.
  • Decide: POST /api/approvals/:id/decide with { role, decision: "approved" | "rejected", rationale }.
  • Audit: GET /api/audit?role=<demo-role>&actorRole=&action=&actionType=&incidentId=&status=&outcome=&search=&limit=.
  • UI must render typed fields and metadataSummary; do not render raw metadata.
  • Treat role switcher as public demo input only; backend still enforces allowlist and permissions.

Risks / notes

  • V1 uses existing schema and stores action/continuation semantics in metadata to avoid a migration.
  • writeAuditLog now uses onConflictDoNothing() to preserve append-only behavior; new governance events use unique IDs.
  • Real auth/export/legal audit certification remains out of scope for Phase 6A.

@RobinOppenstam force-pushed the feat/governance-audit-backend branch from e437fa3 to 61a7920, May 27, 2026 08:53
@RobinOppenstam merged commit 0457024 into main, May 27, 2026
1 check passed
@RobinOppenstam deleted the feat/governance-audit-backend branch, May 27, 2026 10:41
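
The server-side enforcement the PR description lists (role allowlist, role/action/risk matrix, 403 on unauthorized direct calls, append-only audit writes), sketched as an added example that is not code from this PR or project. The roles, action type, matrix contents and function names are all hypothetical, and recording denied attempts in the audit log is this example's own choice.

```typescript
// Added illustration, not code from this PR. Every name here is hypothetical.
type Role = "analyst" | "incident_commander" | "ciso";
type Risk = "low" | "high";
type Status = "pending" | "approved" | "rejected";
interface Approval { id: string; actionType: string; risk: Risk; status: Status }
interface AuditRow { id: string; approvalId: string; actorRole: string; outcome: string }

const DEMO_ROLES: string[] = ["analyst", "incident_commander", "ciso"];
// Server-side matrix: roles allowed to decide each action type, per risk level.
const MATRIX: Record<string, Record<Risk, Role[]>> = {
  isolate_host: { low: ["incident_commander", "ciso"], high: ["ciso"] },
};

const auditLog: AuditRow[] = [];
// Append-only write: a row whose id already exists is ignored, never updated.
function writeAudit(row: AuditRow): boolean {
  if (auditLog.some((r) => r.id === row.id)) return false;
  auditLog.push(Object.freeze({ ...row }));
  return true;
}

let seq = 0; // stands in for a unique id generator
function decide(
  approval: Approval,
  body: { role?: unknown; decision?: unknown },
): { status: number; approval: Approval } {
  // The role comes from a public switcher, so it is untrusted input.
  const role = typeof body.role === "string" ? body.role : "";
  const known = DEMO_ROLES.indexOf(role) !== -1;
  const record = (outcome: string): boolean =>
    writeAudit({ id: `aud-${++seq}`, approvalId: approval.id,
                 actorRole: known ? role : "unknown", outcome });
  const deny = () => { record("denied"); return { status: 403, approval }; };

  if (!known) return deny(); // role is not on the allowlist
  const row: Record<Risk, Role[]> | undefined = MATRIX[approval.actionType];
  const permitted: Role[] = row ? row[approval.risk] : []; // unknown action: nobody
  if (permitted.indexOf(role as Role) === -1) return deny();
  const d: Status | null = body.decision === "approved" ? "approved"
    : body.decision === "rejected" ? "rejected" : null;
  if (d === null) return { status: 400, approval };
  if (approval.status !== "pending") return { status: 409, approval };

  record(d); // decision row is written together with the status change
  return { status: 200, approval: { ...approval, status: d } };
}
```

The permission checks run before any state change, so a denied call returns the approval untouched.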