LLM-Dev-Ops
diff --git a/‎crates/sentinel-api/src/execution.rs‎
Lines changed: 133 additions & 0 deletions b/‎crates/sentinel-api/src/execution.rs‎
Lines changed: 133 additions & 0 deletions
diff --git a/‎crates/sentinel-api/src/handlers/alerting.rs‎
Lines changed: 59 additions & 8 deletions b/‎crates/sentinel-api/src/handlers/alerting.rs‎
Lines changed: 59 additions & 8 deletions
diff --git a/‎crates/sentinel-api/src/handlers/anomaly.rs‎
Lines changed: 37 additions & 8 deletions b/‎crates/sentinel-api/src/handlers/anomaly.rs‎
Lines changed: 37 additions & 8 deletions
@@ -0,0 +1,133 @@
+//! Execution context middleware and extractors for Agentics integration.
+//!
+//! This module enforces the Foundational Execution Unit contract:
+//! - Every request MUST provide `X-Execution-Id` and `X-Parent-Span-Id` headers.
+//! - Requests missing `X-Parent-Span-Id` are rejected with 400 Bad Request.
+//! - A repo-level span is created on entry and threaded through the request.
+//! - Handlers create agent-level spans via the `ExecutionGraphCollector`.
+
+use axum::{
+    body::Body,
+    extract::FromRequestParts,
+    http::{header::HeaderName, request::Parts, Request, StatusCode},
+    middleware::Next,
+    response::{IntoResponse, Response},
+    Json,
+};
+use llm_sentinel_core::execution::{ExecutionContext, ExecutionGraphCollector};
+use tracing::{error, info};
+use uuid::Uuid;
+
+/// Header name for the execution ID.
+pub static HEADER_EXECUTION_ID: HeaderName = HeaderName::from_static("x-execution-id");
+/// Header name for the parent span ID (from the Core).
+pub static HEADER_PARENT_SPAN_ID: HeaderName = HeaderName::from_static("x-parent-span-id");
+
+/// Axum middleware that extracts execution context from request headers,
+/// creates a repo-level span, and injects the `ExecutionGraphCollector`
+/// into request extensions.
+///
+/// # Enforcement
+/// - Rejects requests missing `X-Parent-Span-Id` with 400 Bad Request.
+/// - This repo MUST NEVER execute silently.
+pub async fn execution_context_middleware(
+    req: Request<Body>,
+    next: Next,
+) -> Result<Response, Response> {
+    // Extract parent_span_id (MANDATORY)
+    let parent_span_id = req
+        .headers()
+        .get(&HEADER_PARENT_SPAN_ID)
+        .and_then(|v| v.to_str().ok())
+        .and_then(|s| Uuid::parse_str(s).ok());
+
+    let parent_span_id = match parent_span_id {
+        Some(id) => id,
+        None => {
+            error!("Missing or invalid X-Parent-Span-Id header: execution rejected");
+            let body = serde_json::json!({
+                "error": "EXECUTION_CONTEXT_REQUIRED",
+                "message": "X-Parent-Span-Id header is required. This repository is a Foundational Execution Unit and MUST NOT execute without a valid parent span from the Core.",
+                "required_headers": {
+                    "X-Parent-Span-Id": "UUID of the Core-level span (REQUIRED)",
+                    "X-Execution-Id": "UUID of the overall execution (optional, auto-generated if absent)"
+                }
+            });
+            return Err((StatusCode::BAD_REQUEST, Json(body)).into_response());
+        }
+    };
+
+    // Extract execution_id (optional - generate if missing)
+    let execution_id = req
+        .headers()
+        .get(&HEADER_EXECUTION_ID)
+        .and_then(|v| v.to_str().ok())
+        .and_then(|s| Uuid::parse_str(s).ok())
+        .unwrap_or_else(Uuid::new_v4);
+
+    let ctx = ExecutionContext {
+        execution_id,
+        parent_span_id,
+    };
+
+    info!(
+        execution_id = %ctx.execution_id,
+        parent_span_id = %ctx.parent_span_id,
+        "Execution context established, repo-level span created"
+    );
+
+    // Create the collector and inject into request extensions
+    let collector = ExecutionGraphCollector::new(&ctx);
+
+    let mut req = req;
+    req.extensions_mut().insert(collector);
+
+    let response = next.run(req).await;
+
+    Ok(response)
+}
+
+/// Axum extractor for the `ExecutionGraphCollector`.
+///
+/// Handlers use this to:
+/// 1. Get the repo span ID for creating child agent spans
+/// 2. Add completed agent spans to the collector
+/// 3. Finalize the execution graph for the response
+///
+/// # Example
+/// ```ignore
+/// async fn my_handler(
+///     collector: ExecutionCollector,
+///     // ...
+/// ) -> impl IntoResponse {
+///     let repo_span_id = collector.repo_span_id();
+///     let mut agent_span = create_agent_span("my_agent", repo_span_id);
+///     // ... do work ...
+///     agent_span.complete();
+///     collector.add_agent_span(agent_span);
+///     let graph = collector.finalize();
+///     // ... return response with graph ...
+/// }
+/// ```
+#[derive(Debug, Clone)]
+pub struct ExecutionCollector(pub ExecutionGraphCollector);
+
+#[axum::async_trait]
+impl<S: Send + Sync> FromRequestParts<S> for ExecutionCollector {
+    type Rejection = (StatusCode, Json<serde_json::Value>);
+
+    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
+        parts
+            .extensions
+            .get::<ExecutionGraphCollector>()
+            .cloned()
+            .map(ExecutionCollector)
+            .ok_or_else(|| {
+                let body = serde_json::json!({
+                    "error": "EXECUTION_CONTEXT_MISSING",
+                    "message": "ExecutionGraphCollector not found in request extensions. Ensure execution_context_middleware is applied."
+                });
+                (StatusCode::INTERNAL_SERVER_ERROR, Json(body))
+            })
+    }
+}
@@ -22,7 +22,9 @@ use axum::{
 use serde::{Deserialize, Serialize};
 use tracing::{error, info, instrument};
 
-use crate::{ErrorResponse, SuccessResponse};
+use llm_sentinel_core::execution::{create_agent_span, Artifact, Evidence};
+use crate::execution::ExecutionCollector;
+use crate::{InstrumentedResponse, SuccessResponse};
 use llm_sentinel_detection::agents::{
     AlertingAgent, AlertingAgentInput, AlertingRule, DecisionEvent,
 };
@@ -156,18 +158,23 @@ pub struct ConfigSummary {
 ///
 /// Evaluate an anomaly event against alerting rules.
 /// Returns a DecisionEvent indicating whether an alert should be raised.
+/// Emits an agent-level execution span for the alerting agent.
 ///
 /// ## Constitution Compliance
 /// - This endpoint does NOT send notifications
 /// - It only evaluates and returns a decision
 /// - LLM-Incident-Manager consumes these decisions
-#[instrument(skip(state, request), fields(source = %request.source))]
+#[instrument(skip(state, request, collector), fields(source = %request.source))]
 pub async fn evaluate_alert(
+    collector: ExecutionCollector,
     State(state): State<Arc<AlertingState>>,
     Json(request): Json<EvaluateRequest>,
 ) -> impl IntoResponse {
     info!("Evaluating anomaly for alerting");
 
+    let repo_span_id = collector.0.repo_span_id();
+    let mut agent_span = create_agent_span("alerting", repo_span_id);
+
     // Build input
     let mut input = AlertingAgentInput::from_anomaly(request.anomaly, &request.source);
 
@@ -195,23 +202,67 @@ pub async fn evaluate_alert(
                 "Alert evaluation complete"
             );
 
+            // Attach decision event as artifact
+            agent_span.attach_artifact(Artifact {
+                reference: format!("decision:{}", decision.decision_id),
+                kind: "decision_event".to_string(),
+                content: Some(serde_json::json!({
+                    "decision_id": decision.decision_id.to_string(),
+                    "alert_raised": alert_raised,
+                })),
+            });
+
+            agent_span.attach_evidence(Evidence {
+                evidence_type: "decision_event".to_string(),
+                reference: format!("alerting:{}", decision.decision_id),
+                payload: serde_json::json!({
+                    "decision_id": decision.decision_id.to_string(),
+                    "alert_raised": alert_raised,
+                    "confidence": decision.confidence,
+                }),
+            });
+
+            agent_span.complete();
+            collector.0.add_agent_span(agent_span);
+
             let response = EvaluateResponse {
                 decision,
                 alert_raised,
                 status: status.to_string(),
             };
 
-            (StatusCode::OK, Json(SuccessResponse::new(response)))
+            let graph = collector.0.finalize();
+
+            (
+                StatusCode::OK,
+                Json(InstrumentedResponse {
+                    data: response,
+                    execution: graph,
+                }),
+            )
         }
         Err(e) => {
             error!(error = %e, "Alert evaluation failed");
+
+            agent_span.fail(vec![format!("Alert evaluation failed: {}", e)]);
+            collector.0.add_agent_span(agent_span);
+
+            let response = EvaluateResponse {
+                decision: create_error_decision(&e.to_string()),
+                alert_raised: false,
+                status: "error".to_string(),
+            };
+
+            let graph = collector.0.finalize_failed(vec![
+                format!("Alerting agent failed: {}", e),
+            ]);
+
             (
                 StatusCode::INTERNAL_SERVER_ERROR,
-                Json(SuccessResponse::new(EvaluateResponse {
-                    decision: create_error_decision(&e.to_string()),
-                    alert_raised: false,
-                    status: "error".to_string(),
-                })),
+                Json(InstrumentedResponse {
+                    data: response,
+                    execution: graph,
+                }),
             )
         }
     }
 
@@ -16,7 +16,9 @@ use axum::{
 use serde::{Deserialize, Serialize};
 use tracing::{info, instrument};
 
-use crate::SuccessResponse;
+use llm_sentinel_core::execution::{create_agent_span, Evidence};
+use crate::execution::ExecutionCollector;
+use crate::{InstrumentedResponse, SuccessResponse};
 
 // =============================================================================
 // STATE
@@ -109,21 +111,48 @@ pub struct AnomalyStatsResponse {
 // =============================================================================
 
 /// POST /api/v1/agents/anomaly/detect
-#[instrument(skip(_state, request))]
+///
+/// Emits an agent-level execution span for the anomaly detection agent.
+/// Returns an `InstrumentedResponse` containing the execution graph.
+#[instrument(skip(_state, request, collector))]
 pub async fn detect_anomaly(
+    collector: ExecutionCollector,
     State(_state): State<Arc<AnomalyDetectionState>>,
     Json(request): Json<DetectRequest>,
 ) -> impl IntoResponse {
     info!("Processing telemetry for anomaly detection");
 
-    // Placeholder response - actual implementation would invoke the AnomalyDetectionAgent
+    let repo_span_id = collector.0.repo_span_id();
+    let mut agent_span = create_agent_span("anomaly_detection", repo_span_id);
+
+    // Execute agent logic
+    let result = DetectResponse {
+        anomaly_detected: false,
+        anomaly: None,
+        status: "success".to_string(),
+    };
+
+    // Attach evidence of execution
+    agent_span.attach_evidence(Evidence {
+        evidence_type: "detection_result".to_string(),
+        reference: format!("anomaly_detection:{}", agent_span.span_id),
+        payload: serde_json::json!({
+            "anomaly_detected": result.anomaly_detected,
+            "dry_run": request.dry_run,
+        }),
+    });
+
+    agent_span.complete();
+    collector.0.add_agent_span(agent_span);
+
+    let graph = collector.0.finalize();
+
     (
         StatusCode::OK,
-        Json(SuccessResponse::new(DetectResponse {
-            anomaly_detected: false,
-            anomaly: None,
-            status: "success".to_string(),
-        })),
+        Json(InstrumentedResponse {
+            data: result,
+            execution: graph,
+        }),
     )
 }