fix(addie): backfill owner test history + stop dual-write for owner runs

.changeset/dashboard-surfaces-verdict-source.md

@@ -0,0 +1,31 @@
+---
+---
+
+Dashboard `/dashboard/agents` surfaces the new `verdict_source` field on the
+compliance tile and a per-run "Your test / Heartbeat / Manual / Webhook"
+badge in the History panel. PR 2 of the #4247 unification stack —
+read-side cleanup that lets owners distinguish their own on-demand
+runs from scheduled heartbeat verdicts at a glance.
+
+**Context.** PR #4250 added `verdict_source` to
+`/api/registry/agents/:url/compliance` and `triggered_by` to each row
+returned by `/api/registry/agents/:url/compliance/history`. Both fields
+were unrendered in the dashboard until this PR.
+
+**What changes.**
+
+- Compliance tile shows `Last checked: 3m ago (your test)` /
+  `(heartbeat)` / `(manual)` / `(webhook)` after the timestamp. Empty
+  string when `verdict_source` is null (never run).
+- History panel renders a colored badge per run row:
+  - `Your test` (info-blue) for `triggered_by = 'owner_test'`
+  - `Heartbeat` (neutral) for `triggered_by = 'heartbeat'`
+  - `Manual` / `Webhook` (neutral) for the other enum values
+
+No backend changes; this is pure UI surfacing of fields the API already
+emits. Pre-PR-1 rows (which only have `'heartbeat'` / `'manual'` /
+`'webhook'`) render with the neutral badge — no regression.
+
+**Out of scope** (PR 3 of #4247): dropping `agent_test_history` and
+backfilling owner-triggered rows. Tracked separately so the destructive
+migration soaks behind the read-only UI change.

.changeset/unify-owner-compliance-writes.md

@@ -0,0 +1,10 @@
+---
+---
+
+PR 1 of 4 in the compliance-state unification initiative (issue #4247): owner-triggered
+`evaluate_agent_quality` runs now write to canonical compliance tables
+(`agent_compliance_status`, `agent_compliance_runs`, `agent_storyboard_status`) with
+`triggered_by = 'owner_test'`, closing the 12-hour gap between owner tests and the
+public `/api/registry/agents/:url/compliance` endpoint. Non-owner runs continue
+writing to `agent_test_history` (deprecated in PR 3). Adds `'owner_test'` to both
+`triggered_by` CHECK constraints via migration 471.

.changeset/unify-owner-evaluate-agent-stop-legacy-write.md

@@ -0,0 +1,33 @@
+---
+---
+
+PR 3 of the #4247 unification stack. Two coupled changes:
+
+**Backfill historical owner-triggered tests into the canonical compliance
+tables.** Migration `472_backfill_agent_test_history_to_compliance_runs.sql`
+copies every `agent_test_history` row with a `user_id` into
+`agent_compliance_runs` as `triggered_by = 'owner_test'` (carrying the
+source row id in `observations_json.backfill_source_id` so a re-run is a
+no-op via `WHERE NOT EXISTS`). Each agent's most-recent backfilled row
+also upserts into `agent_compliance_status` so the dashboard's compliance
+tile immediately reflects a real verdict for any agent that was tested
+through Addie pre-PR-#4250 and never ran the heartbeat.
+
+**Stop the dual write for owner runs.** `evaluate_agent_quality` no longer
+calls `agentContextDb.recordTest()` when the caller owns the agent — that
+path was the dual-write bug #4247 is closing. The legacy `recordTest` call
+is retained ONLY for third-party runs so a stranger who tests someone
+else's agent still has a session-scoped audit trail in their own
+`agent_test_history`. Owner-triggered runs persist exclusively to
+canonical state going forward.
+
+**Out of scope** (deferred to a follow-up after the soak gates):
+
+- Drop `agent_test_history` table — gated on the 14-day soak from #4250
+  deploy + 7-day soak from #4263 + S3 cold-storage export of the
+  remaining (`user_id IS NULL`) third-party rows. Migration 472 documents
+  this in its trailing comment.
+- Collapse `agent_contexts.last_test_*` into a derived view — PR 4 of
+  the #4247 stack.
+
+**Stacked on** #4263 (PR 2 of #4247) → #4250 (PR 1 of #4247).

dist/schemas/onboarding-openapi.d.ts

@@ -0,0 +1,27 @@
+/**
+ * OpenAPI registrations for the onboarding REST surface.
+ *
+ * `POST /api/organizations` has existed in production for a long time but
+ * has only ever been documented as a private endpoint exercised by the AAO
+ * dashboard's `/onboarding` form. Surfacing it in the public spec is the
+ * minimum-surface answer to the storefront-bootstrap question: a
+ * third-party app holding only a user's OAuth token needs *one* documented
+ * call to materialize the org, then `POST /api/me/agents` to land an agent
+ * (which auto-creates the member profile on first call).
+ *
+ * Two fields the handler accepts but the public schema deliberately omits:
+ *
+ * - `membership_tier` — owned exclusively by the Stripe webhook. Accepting
+ *   it from the caller would let any user stamp tier intent on their org
+ *   row, leaking tier-gated UI state until/unless a real subscription
+ *   overwrites the column.
+ * - `corporate_domain` — server derives the value from the authenticated
+ *   user's email. Accepting it as a field invited 400s when a caller's
+ *   value disagreed with their email and gave nothing back when it agreed.
+ *
+ * Kept in its own module so the spec generator's import graph stays free
+ * of route handlers (each route file's transitive imports pull in WorkOS
+ * init, which fails at module load without env vars).
+ */
+export {};
+//# sourceMappingURL=onboarding-openapi.d.ts.map