feat(engine): shadow would-have-acted report at /report (JEF-143)

[thejefflarson]

Closes JEF-143.

What

Nothing answered the question that gates exiting shadow (JEF-50): over the last N days, how many cuts would protector have made, on what, and were any wrong? This adds a read-only /report view (HTML + /report.json) on the dashboard server that aggregates the durable decision journal (JEF-141) into that diff.

Framed as a diff: "over the last N protector would have isolated N workloads and deliberately left M proven-but-cleared paths alone" — the left-alone half is the trust evidence.

• Would-act episodes — each internet-facing entry's breach decisions are folded chronologically into runs of consecutive exploitable verdicts. The projected would-be cut lifetime runs from the first exploitable verdict to the clear that follows (or to now if still open).
• Short-lived vs sustained — a would-be cut lifted within the threshold (default 5m) is visually distinct (short-lived, likely FP) from a sustained one. An open episode is never short-lived (still standing).
• Left-alone count — proven paths the model cleared, shown alongside the would-act count.
• Enrichment-coverage gap — an exploitable verdict with no CVE- backing it is flagged coverage gap as the would-act to scrutinize first.
• Empty journal → honest "no decisions yet" state (distinct from "history exists, but nothing in this window").
• OTLP mirror — the headline counts (would-act / left-alone / short-lived / coverage-gap) are recorded to OTLP gauges per pass, mirroring the bake metrics, so the JEF-50 figures are scrapeable without the dashboard.

Window + thresholds are query-configurable: ?days=N, ?hours=N, ?short_lived_secs=N. Read-side aggregation only — no new signals, no action; the engine stays shadow.

Where

• engine/src/engine/dashboard.rs — the Report/WouldActEntry/LeftAloneEntry types, the pure aggregate_report fold, the HTML panel + standalone page, and the /report + /report.json routes (mirrors the /bake panel + json_view patterns, reuses the existing escape/short conventions).
• engine/src/engine/mod.rs — shares the DecisionJournal (Arc) with the dashboard, and mirrors the report headline to four OTLP gauges per pass. Stayed out of reason/{adjudicate,proof}.rs (JEF-134 in flight).

Tests

14 new unit tests covering: verdict classification, coverage-gap detection, empty-journal state, window filtering, sustained/short-lived/open lifetime classification, left-alone, recurring episodes, sustained-first ranking, query defaults, the HTML render, and the disabled-journal OTLP helper.

cargo fmt --check        # clean
cargo clippy --all-targets -- -D warnings   # clean
cargo test               # 185 passed; 0 failed (lib) + 1 (bin) + 0 (doc)

Decisions for the architect

• Default window 7 days; short-lived threshold 5 minutes — both query-overridable. 7d is a reasonable "last week of would-acts" default; 5m matches the ticket's "lifted within minutes" FP framing.
• Coverage-gap heuristic — the journal's Breach record carries no structured enrichment metadata, so a coverage-gap would-act is detected as an exploitable verdict whose text contains no CVE- token. If a richer enrichment-coverage signal is wanted, the Decision::Breach record would need to carry it (out of scope here).

🤖 Generated with Claude Code