Description
Summary
Build a WebSocket-powered real-time interface for analyst collaboration on escalated alerts, with structured decision capture, response-action approval workflows, and contextual threat-intelligence presentation. The interface must support multiple concurrent analysts, real-time state updates, and a mobile-responsive layout.
Key Deliverables
Review Dashboard API (extend utils/monitoring.py): add REST endpoints: POST /api/v1/reviews/claim/{alert_id} (claim a review), POST /api/v1/reviews/{alert_id}/decision (submit a decision; only the analyst holding the claim may submit), GET /api/v1/reviews/queue (list the caller's assigned reviews), GET /api/v1/reviews/{alert_id}/context (full alert context: correlation data, ReAct reasoning history, tool results, and enriched threat intel).
WebSocket Events: implement real-time events: review_assigned, review_claimed, review_escalated, decision_submitted, sla_warning (emitted 5 min before the SLA breach). Support analyst presence tracking that shows who is viewing or working on each alert.
Approval Workflows: pre-action approval system requiring explicit analyst authorization before executing containment actions (quarantine/block), response playbooks that affect production, and account lockouts. Display the action's impact analysis, rollback procedure, and compliance requirements alongside each pending request so the approver sees exactly what will run.
Context Presentation: Rich alert details showing: confidence score progression chart, all agent reasoning steps with timestamps, correlation graph visualization, IOC enrichment from threat intel, recommended vs. alternative actions with risk scores, similar historical incidents with analyst decisions.
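The claim endpoint above, together with the optimistic-locking acceptance criterion, comes down to a compare-and-set on a version counter. The following is an added example written for this issue, not code from the project: `ReviewStore`, `Review` and `race_to_claim` are hypothetical names, the in-memory dict stands in for whatever table backs the dashboard API, and the alert id is constructed. Every write passes the version the caller last read; if the stored version has moved on, the write is refused and the caller must re-read, so two analysts who both saw an unclaimed alert cannot both end up holding it.

```python
"""Review claim/release/decision with optimistic locking (added example)."""
from __future__ import annotations

import threading
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


class ConflictError(Exception):
    """The record changed between the caller's read and its write."""


@dataclass
class Review:
    alert_id: str
    version: int = 0                 # bumped on every successful write
    claimed_by: Optional[str] = None
    claimed_at: Optional[float] = None
    decision: Optional[str] = None
    events: List[dict] = field(default_factory=list)   # audit trail of writes


class ReviewStore:
    """Hypothetical in-memory stand-in for the reviews table (assumption)."""

    def __init__(self) -> None:
        self._reviews: Dict[str, Review] = {}
        # Guards only the check-and-update step, like the row-level atomicity of
        # `UPDATE reviews SET ... WHERE alert_id = ? AND version = ?` in a DB.
        self._lock = threading.Lock()

    def add(self, alert_id: str) -> Review:
        self._reviews[alert_id] = Review(alert_id)
        return self._reviews[alert_id]

    def get(self, alert_id: str) -> Review:
        return self._reviews[alert_id]

    def _update(self, alert_id: str, expected_version: int,
                check: Callable[[Review], None], **changes) -> Review:
        with self._lock:
            rec = self._reviews[alert_id]
            if rec.version != expected_version:          # stale read: reject
                raise ConflictError(
                    f"{alert_id}: expected v{expected_version}, found v{rec.version}")
            check(rec)                                    # business rule, under the lock
            for key, value in changes.items():
                setattr(rec, key, value)
            rec.version += 1
            rec.events.append({"version": rec.version, **changes})
            return rec

    def claim(self, alert_id: str, analyst: str, expected_version: int) -> Review:
        def unclaimed(rec: Review) -> None:
            if rec.claimed_by not in (None, analyst):
                raise ConflictError(f"{alert_id} already claimed by {rec.claimed_by}")
        return self._update(alert_id, expected_version, unclaimed,
                            claimed_by=analyst, claimed_at=time.time())

    def release(self, alert_id: str, analyst: str, expected_version: int) -> Review:
        def owner(rec: Review) -> None:
            if rec.claimed_by != analyst:
                raise ConflictError(f"{analyst} does not hold {alert_id}")
        return self._update(alert_id, expected_version, owner,
                            claimed_by=None, claimed_at=None)

    def decide(self, alert_id: str, analyst: str, expected_version: int,
               decision: str) -> Review:
        def owner(rec: Review) -> None:
            if rec.claimed_by != analyst:
                raise ConflictError(f"{analyst} does not hold {alert_id}")
        return self._update(alert_id, expected_version, owner, decision=decision)


def race_to_claim(store: ReviewStore, alert_id: str, analysts: List[str]) -> List[str]:
    """All analysts read version 0 and claim at the same instant; returns the winners."""
    winners: List[str] = []
    barrier = threading.Barrier(len(analysts))

    def attempt(name: str) -> None:
        barrier.wait()
        try:
            store.claim(alert_id, name, expected_version=0)
            winners.append(name)
        except ConflictError:
            pass                                          # lost the race; re-read and retry

    threads = [threading.Thread(target=attempt, args=(a,)) for a in analysts]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return winners


if __name__ == "__main__":
    store = ReviewStore()
    store.add("ALERT-1")                                  # constructed sample alert
    print("winners:", race_to_claim(store, "ALERT-1", [f"analyst{i}" for i in range(8)]))
```

The version check is what makes the claim endpoint safe to retry: a client that gets a conflict re-fetches the record, sees `claimed_by` set, and shows the presence information instead of retrying blindly. Decision and release are gated on the same check, so a stale tab cannot overwrite a decision made after the claim changed hands.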
Acceptance Criteria
Dashboard handles 50+ concurrent analyst connections with <200 ms update latency
Review claim/release uses optimistic locking (a version check on the review record) so two analysts cannot both claim, decide on, or release the same alert from a stale read
Approval workflows block automated responses until an analyst explicitly authorizes them, and the authorization (who, when, for which exact action) is recorded
Context API returns full alert lineage with <500 ms response time
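The approval-workflow deliverable and the "block until explicit human authorization" criterion both reduce to one rule: automation may request a gated action but cannot run it. The block below is an added example for this issue, not project code. `ApprovalGate`, `PendingAction`, the `GATED_ACTIONS` set, the impact/rollback catalogue, the analyst roster and the `fake_execute` backend stub are all constructed for illustration. The approval is bound to a digest of the exact action and parameters the analyst saw, so a request whose parameters were changed after review, an approver that is not a human analyst, or a replayed approval all fail closed.

```python
"""Pre-action approval gate for containment actions (added example)."""
from __future__ import annotations

import hashlib
import json
import time
import uuid
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Actions the issue says need explicit human authorization (assumed names).
GATED_ACTIONS = {"quarantine_host", "block_ip", "lock_account", "run_playbook"}

# Constructed impact / rollback text shown to the approver with each request.
IMPACT = {
    "quarantine_host": ("Host keeps EDR connectivity only; user work stops.",
                        "Lift isolation from the EDR console."),
    "block_ip": ("All traffic to/from the IP is dropped at the edge.",
                 "Remove the deny rule from the edge policy."),
    "lock_account": ("User cannot sign in; active sessions are revoked.",
                     "Unlock the account and reset the password."),
    "run_playbook": ("Playbook may change production systems.",
                     "Follow the playbook's documented rollback steps."),
}


class ApprovalError(Exception):
    """Refused: unknown/used request, non-analyst approver, or altered parameters."""


@dataclass
class PendingAction:
    action: str
    params: dict
    requested_by: str
    request_id: str = field(default_factory=lambda: uuid.uuid4().hex)
    requested_at: float = field(default_factory=time.time)
    status: str = "pending"
    decided_by: Optional[str] = None

    @property
    def digest(self) -> str:
        """Hash of the exact action + parameters; the approval is bound to it."""
        body = json.dumps({"action": self.action, "params": self.params}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()


class ApprovalGate:
    def __init__(self, execute: Callable[[str, dict], dict], analysts: set) -> None:
        self._execute = execute            # the real response backend (stubbed below)
        self._analysts = analysts          # humans allowed to approve
        self._pending: Dict[str, PendingAction] = {}
        self.audit: List[dict] = []

    def request(self, action: str, params: dict, requested_by: str) -> dict:
        if action not in GATED_ACTIONS:    # non-gated actions run automatically
            result = self._execute(action, params)
            self.audit.append({"action": action, "status": "auto", "by": requested_by})
            return {"status": "executed", "result": result}
        req = PendingAction(action, params, requested_by)
        self._pending[req.request_id] = req
        impact, rollback = IMPACT[action]
        self.audit.append({"action": action, "status": "pending", "by": requested_by})
        return {"status": "pending_approval", "request_id": req.request_id,
                "digest": req.digest, "impact": impact, "rollback": rollback}

    def approve(self, request_id: str, analyst: str, digest: str) -> dict:
        req = self._pending.get(request_id)
        if req is None or req.status != "pending":
            raise ApprovalError("no pending request with that id")   # also blocks replay
        if analyst not in self._analysts:
            raise ApprovalError(f"{analyst} is not an approving analyst")
        if digest != req.digest:
            raise ApprovalError("parameters changed since the analyst reviewed them")
        req.status, req.decided_by = "approved", analyst
        result = self._execute(req.action, req.params)   # the only path that runs a gated action
        req.status = "executed"
        self.audit.append({"action": req.action, "status": "executed",
                           "by": analyst, "request_id": request_id})
        return {"status": "executed", "result": result}

    def reject(self, request_id: str, analyst: str, reason: str) -> dict:
        req = self._pending.get(request_id)
        if req is None or req.status != "pending" or analyst not in self._analysts:
            raise ApprovalError("cannot reject this request")
        req.status, req.decided_by = "rejected", analyst
        self.audit.append({"action": req.action, "status": "rejected",
                           "by": analyst, "reason": reason})
        return {"status": "rejected"}


def demo() -> dict:
    """Run the auto, pending and approved paths once; return what reached the backend."""
    calls: List[tuple] = []

    def fake_execute(action: str, params: dict) -> dict:   # constructed backend stub
        calls.append((action, params))
        return {"ok": True}

    gate = ApprovalGate(fake_execute, analysts={"alice", "bob"})
    gate.request("add_note", {"alert_id": "ALERT-1", "text": "triaged"}, "react-agent")
    pending = gate.request("quarantine_host", {"host": "ws-042"}, "react-agent")
    gate.approve(pending["request_id"], "alice", pending["digest"])
    return {"executed": calls, "audit": gate.audit, "pending": pending}
```

The digest is what the dashboard should echo back from the approve button: if the agent re-plans and changes the target host after the analyst opened the request, the old approval no longer matches and nothing runs. Keeping the automation identity (`react-agent` here) out of the analyst roster is the concrete form of "explicit human authorization".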