== ACTION GUARD EVIDENCE ==
Tool: rollback_k8s_deployment
Incident: b9abfcc7-1078-44f9-bffd-c2c54628d8a6

NOTE: action_guard.rollback_k8s_deployment_allowed is not a separate log event.
For rollback_k8s_deployment, the guard returning allow (None) is evidenced by
the execution proceeding without a PERMISSION DENIED error.

== GUARD CONTEXT (from incident.json + logs) ==
- approval_status: approved (U0AKT8RE8N9, khmuraandriy)
- tool_name approved: rollback_k8s_deployment
- namespace approved: oncallzero-workloads
- action_id built from tool_name + canonicalized args
- tenant_id: None (tenant_context_active=False, consistent across all log lines)
- ONCALLZERO_ALLOWED_NAMESPACES: ["oncallzero-workloads"] (k8s ConfigMap)
- ONCALLZERO_WORKLOAD_NAMESPACE: oncallzero-workloads (k8s ConfigMap)
- target namespace in tool_args: oncallzero-workloads -> matches allowlist

== EXECUTION GATE LOG SEQUENCE ==
2026-05-23 13:31:07 [info] execute_action_node.start
  args={'deployment_name':'proving-nginx','namespace':'oncallzero-workloads','name':'proving-nginx','reason':'...'}
  incident_id=b9abfcc7-1078-44f9-bffd-c2c54628d8a6
  node=execute_action
  tool=rollback_k8s_deployment

2026-05-23 13:31:07 [critical] AUDIT_ACTION_EXECUTE
  incident_id=b9abfcc7-1078-44f9-bffd-c2c54628d8a6
  tool_name=rollback_k8s_deployment
  tool_args={'deployment_name':'proving-nginx','namespace':'oncallzero-workloads',...}

2026-05-23 13:31:07 [info] rollback_k8s_deployment.start
  dry_run=False
  name=proving-nginx
  namespace=oncallzero-workloads

2026-05-23 13:31:07 [critical] AUDIT_ACTION
  action=rollback_k8s_deployment
  dry_run=False
  environment=production
  reason='Rollback oncallzero-workloads/proving-nginx after failed rollout with ProgressDeadlineExceeded.'
  target=oncallzero-workloads/proving-nginx

2026-05-23 13:31:07 [info] rollback_k8s_deployment.backup_recorded
  current_revision=343
  rollback_target_revision=342
  rollback_target_rs=proving-nginx-584f49ffbd
  rollback_target_images=['nginx=nginx:1.27']

2026-05-23 13:31:07 [critical] AUDIT_ACTION_RESULT
  success=True
  duration_seconds=0.12
  tool_name=rollback_k8s_deployment

== VERDICT ==
action_guard: ALLOWED (no PERMISSION DENIED in log sequence, execution proceeded)
namespace_check: PASSED (oncallzero-workloads in ONCALLZERO_ALLOWED_NAMESPACES)
approval_check: PASSED (status=approved, approver recorded before execution)
tool_match: PASSED (approved tool = executed tool = rollback_k8s_deployment)
dry_run: False (live execution, not dry run)