Phase 2 follow-up.
The saas_incident_timeline_events table only carries auto-emitted system events today (DETECTION, CEREBRO_CONTEXT, RESPONSE_ACTION). Operators have no way to leave investigation notes inline with the timeline.
Scope
- Extend
SaasIncidentTimelineKind with a NOTE value (Prisma migration + protobuf enum).
- Add
AddSaasIncidentNote(incident_id, body) RPC; body length validated (e.g. <= 4000 chars).
- Persist the actor (user id + email) and render alongside other timeline events.
- Frontend: composer at the bottom of the timeline panel in
incident-detail-page.tsx.
- Audit log entry per note.
Acceptance
- Notes appear interleaved with auto events in chronological order.
- Tenant isolation enforced (cannot post a note to another tenant's incident).
- Markdown is escaped on render (no XSS).
Phase 2 follow-up.
The
saas_incident_timeline_eventstable only carries auto-emitted system events today (DETECTION,CEREBRO_CONTEXT,RESPONSE_ACTION). Operators have no way to leave investigation notes inline with the timeline.Scope
SaasIncidentTimelineKindwith aNOTEvalue (Prisma migration + protobuf enum).AddSaasIncidentNote(incident_id, body)RPC; body length validated (e.g. <= 4000 chars).incident-detail-page.tsx.Acceptance