incidents: promote to standalone /incidents page + manual creation

The AI Incident Reports panel lived inside /mcp, but incidents are
referenced from two pages — both /mcp and the SentinelPage RunDetailDrawer
deep-link to /incidents/:id, which previously 404'd because no route
existed.  Conceptually incidents are their own surface, not an MCP
sub-feature, so the panel moves out and the broken Sentinel deep-link
finally lands somewhere real.  While extracting, add the missing piece:
operators can now manually file incidents through a new POST endpoint
that mirrors the MCP create_incident tool's validation and notification
behavior.

Backend
- POST /api/incidents (admin-only, all tiers).  Same validation as the
  MCP create_incident tool — title/summary required, severity in the
  enum, camera_id must exist if provided.  Stamps created_by="user:<id>"
  vs MCP's "mcp:<key_name>" so the dashboard can badge AI vs human.
  Fires the same incident_created notification (kind, audience, link)
  so notification preferences cover both author types.
- 60/min rate limit (matches DELETE).

Frontend
- New /incidents and /incidents/:incidentId routes (same component,
  reads useParams to deep-link into the report modal).  RequireAdmin
  wrapper, no plan gate — Free admins can file incidents too; AI
  agents only show up if Sentinel runs (Pro Plus).
- New IncidentsPage: lifted state/loaders/polling from McpPage, full
  width, "+ New Incident" button, filter tabs (Open/All) preserved.
  Each row gets an AI / Human badge keyed off created_by prefix.
- New NewIncidentModal: title + summary + severity dropdown + camera
  dropdown.  On success refreshes list and immediately opens the
  report modal so the operator can add long-form report or evidence.
- Sidebar: "Incidents" entry between MCP and Sentinel (admin only).
- McpPage surgery: removed the AI Incident Reports panel, four state
  hooks, both loaders, the IncidentReportModal mount, the
  SEVERITY_ORDER + STATUS_LABELS constants, and the stale getIncidents
  / getIncidentCounts imports.  The "Open Incidents" stat tile
  becomes a Link to /incidents (drops the live count — saves a 10 s
  poll for every /mcp viewer; the bell inbox already pings on
  creation).

Existing IncidentReportModal is reused unchanged — view/edit semantics
were already exactly what we need for both author types.

Author: Sbussiso

backend/app/api/incidents.py

@@ -1,12 +1,17 @@
 """
-AI-generated incident reports.
+Incident reports.
 
-The MCP server writes here via the `create_incident`/`add_observation`/etc.
-tools (see app/mcp/server.py). The dashboard reads here through the
-`/api/incidents` endpoints, which are admin-only — incidents live alongside
-the rest of the MCP audit surface.
+Two write paths into the same `incidents` table:
+  - MCP `create_incident` / `add_observation` / ... tools (agents).  See
+    `app/mcp/server.py` — agent rows land with ``created_by="mcp:<key_name>"``.
+  - This module's `POST /api/incidents` (humans).  Operator-filed rows
+    land with ``created_by="user:<clerk_user_id>"`` so the dashboard can
+    badge AI vs human at a glance.
+
+Reads are dashboard-only (admin) and live under `/api/incidents`.
 """
 
+import logging
 from datetime import UTC, datetime
 from typing import Optional
 
@@ -20,10 +25,12 @@
 from app.models.models import (
     INCIDENT_SEVERITIES,
     INCIDENT_STATUSES,
+    Camera,
     Incident,
     IncidentEvidence,
 )
 
+logger = logging.getLogger(__name__)
 router = APIRouter(prefix="/api/incidents", tags=["incidents"])
 
 
@@ -39,6 +46,112 @@ class IncidentPatch(BaseModel):
     report: Optional[str] = Field(default=None)
 
 
+class IncidentCreate(BaseModel):
+    """Operator-filed incident.  Mirrors the MCP `create_incident`
+    tool's input shape so the same DB row layout serves both authors."""
+
+    title: str = Field(..., min_length=1, max_length=200)
+    summary: str = Field(..., min_length=1)
+    severity: str = Field(default="medium")
+    camera_id: Optional[str] = Field(default=None)
+
+
+# ---------------------------------------------------------------------------
+# Create (human-authored)
+# ---------------------------------------------------------------------------
+
+
+@router.post("", status_code=201)
+@limiter.limit("60/minute")
+async def create_incident(
+    request: Request,
+    body: IncidentCreate,
+    user: AuthUser = Depends(require_admin),
+    db: Session = Depends(get_db),
+):
+    """File a new incident manually.
+
+    Mirrors the MCP `create_incident` tool's validation (title and
+    summary required, severity in the allowed enum, camera_id must
+    exist within the org if provided) and fires the same
+    `incident_created` notification so the inbox + email channels
+    don't care which author wrote the row.
+
+    The only difference from the MCP path: ``created_by`` is stamped
+    ``user:<clerk_id>`` instead of ``mcp:<key_name>``.  The dashboard
+    keys off this prefix to badge AI- vs human-authored rows.
+    """
+    if body.severity not in INCIDENT_SEVERITIES:
+        raise HTTPException(
+            status_code=400, detail=f"Invalid severity: {body.severity}"
+        )
+
+    title = body.title.strip()
+    summary = body.summary.strip()
+    if not title:
+        raise HTTPException(status_code=400, detail="title is required")
+    if not summary:
+        raise HTTPException(status_code=400, detail="summary is required")
+
+    if body.camera_id:
+        cam = (
+            db.query(Camera)
+            .filter_by(org_id=user.org_id, camera_id=body.camera_id)
+            .first()
+        )
+        if not cam:
+            raise HTTPException(
+                status_code=400,
+                detail=f"Camera '{body.camera_id}' not found",
+            )
+
+    incident = Incident(
+        org_id=user.org_id,
+        camera_id=body.camera_id,
+        title=title[:200],
+        summary=summary,
+        severity=body.severity,
+        status="open",
+        created_by=f"user:{user.user_id}",
+    )
+    db.add(incident)
+    db.commit()
+    db.refresh(incident)
+
+    # Fire inbox + email notification.  Same kind/audience the MCP
+    # path uses (`mcp/server.py:1295-1306`) — we want both author
+    # types to flow through identical notification preferences.
+    try:
+        from app.api.notifications import create_notification
+
+        notif_severity = (
+            "critical" if body.severity in ("high", "critical") else "warning"
+        )
+        create_notification(
+            org_id=user.org_id,
+            kind="incident_created",
+            title=f"Incident #{incident.id}: {incident.title}",
+            body=f"[{body.severity.upper()}] {incident.summary}",
+            severity=notif_severity,
+            audience="all",
+            link=f"/incidents/{incident.id}",
+            camera_id=body.camera_id,
+            meta={"incident_id": incident.id, "severity": body.severity},
+            db=db,
+        )
+    except Exception:  # noqa: BLE001
+        # Notification failure must NEVER fail incident creation —
+        # the row is already committed and the operator clicked
+        # submit.  Log and move on; an admin can retry the notify
+        # path manually if needed.
+        logger.exception(
+            "[create_incident] notification emit failed for incident=%s",
+            incident.id,
+        )
+
+    return incident.to_dict(include_evidence=True)
+
+
 # ---------------------------------------------------------------------------
 # List + counts
 # ---------------------------------------------------------------------------

frontend/src/App.jsx

@@ -17,6 +17,7 @@ const AdminPage = lazy(() => import("./pages/AdminPage.jsx"))
 const TestHlsPage = lazy(() => import("./pages/TestHlsPage.jsx"))
 const PricingPage = lazy(() => import("./pages/PricingPage.jsx"))
 const McpPage = lazy(() => import("./pages/McpPage.jsx"))
+const IncidentsPage = lazy(() => import("./pages/IncidentsPage.jsx"))
 const SentinelPage = lazy(() => import("./pages/SentinelPage.jsx"))
 const LegalPage = lazy(() => import("./pages/LegalPage.jsx"))
 const SecurityPage = lazy(() => import("./pages/SecurityPage.jsx"))
@@ -176,6 +177,26 @@ function App() {
               </RequireAdmin>
             }
           />
+          {/* /incidents and /incidents/:incidentId share the same page;
+              the page reads useParams().incidentId to open the report
+              modal on mount when present.  Lets notification deep-links
+              and the SentinelPage RunDetailDrawer link both resolve. */}
+          <Route
+            path="/incidents"
+            element={
+              <RequireAdmin>
+                <IncidentsPage />
+              </RequireAdmin>
+            }
+          />
+          <Route
+            path="/incidents/:incidentId"
+            element={
+              <RequireAdmin>
+                <IncidentsPage />
+              </RequireAdmin>
+            }
+          />
         </Route>
         </Routes>
       </Suspense>

frontend/src/components/AppSidebar.jsx

@@ -34,6 +34,7 @@ function AppSidebar({ open, onClose }) {
       ...(hasAdminFeature ? {} : { locked: true, badge: "PRO", badgeClass: "nav-pro-badge" }),
     },
     { to: "/mcp", label: "MCP" },
+    isAdmin && { to: "/incidents", label: "Incidents" },
     { to: "/sentinel", label: "Sentinel" },
     { to: "/docs", label: "Help" },
     { to: "/pricing", label: "Pricing" },

frontend/src/components/NewIncidentModal.jsx

@@ -0,0 +1,184 @@
+import { useEffect, useState } from "react"
+import { useAuth } from "@clerk/clerk-react"
+
+import { createIncident, getCameras } from "../services/api"
+import { useToasts } from "../hooks/useToasts.jsx"
+
+const SEVERITY_OPTIONS = [
+  { value: "low", label: "Low" },
+  { value: "medium", label: "Medium" },
+  { value: "high", label: "High" },
+  { value: "critical", label: "Critical" },
+]
+
+/**
+ * Operator-filed incident creation form.  Mirrors the MCP
+ * `create_incident` tool's input shape so the resulting row renders
+ * identically in the existing IncidentReportModal — title, summary,
+ * severity (default medium), optional camera_id.
+ *
+ * On success: calls onCreated(incident) so the parent can refresh
+ * the list AND open the just-created incident in the report modal
+ * for follow-up edits (writing the long-form report, attaching
+ * evidence later, etc).
+ */
+export default function NewIncidentModal({ onClose, onCreated }) {
+  const { getToken } = useAuth()
+  const { showToast } = useToasts()
+
+  const [title, setTitle] = useState("")
+  const [summary, setSummary] = useState("")
+  const [severity, setSeverity] = useState("medium")
+  const [cameraId, setCameraId] = useState("")
+  const [cameras, setCameras] = useState([])
+  const [submitting, setSubmitting] = useState(false)
+  const [error, setError] = useState(null)
+
+  // Load cameras for the dropdown.  Failing soft is fine — operator
+  // can still file an incident with no camera attached, the field is
+  // optional.
+  useEffect(() => {
+    let cancelled = false
+    getCameras(getToken)
+      .then((data) => {
+        if (!cancelled) setCameras(Array.isArray(data) ? data : [])
+      })
+      .catch(() => {
+        if (!cancelled) setCameras([])
+      })
+    return () => {
+      cancelled = true
+    }
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [])
+
+  const submit = async (event) => {
+    event.preventDefault()
+    if (submitting) return
+
+    const trimmedTitle = title.trim()
+    const trimmedSummary = summary.trim()
+    if (!trimmedTitle) {
+      setError("Title is required.")
+      return
+    }
+    if (!trimmedSummary) {
+      setError("Summary is required.")
+      return
+    }
+
+    setError(null)
+    setSubmitting(true)
+    try {
+      const created = await createIncident(getToken, {
+        title: trimmedTitle,
+        summary: trimmedSummary,
+        severity,
+        camera_id: cameraId || null,
+      })
+      showToast("Incident filed", "success")
+      onCreated(created)
+    } catch (err) {
+      setError(err?.message || "Failed to create incident")
+    } finally {
+      setSubmitting(false)
+    }
+  }
+
+  return (
+    <div className="modal-overlay" onClick={onClose}>
+      <div
+        className="modal-content new-incident-modal"
+        onClick={(e) => e.stopPropagation()}
+      >
+        <div className="modal-header">
+          <h2>File a new incident</h2>
+          <button className="modal-close" onClick={onClose} aria-label="Close">
+            &times;
+          </button>
+        </div>
+
+        <form className="modal-body" onSubmit={submit}>
+          <div className="new-incident-field">
+            <label htmlFor="new-incident-title">Title</label>
+            <input
+              id="new-incident-title"
+              type="text"
+              value={title}
+              onChange={(e) => setTitle(e.target.value)}
+              placeholder="Short headline (e.g. 'Front gate left open overnight')"
+              maxLength={200}
+              required
+              autoFocus
+            />
+          </div>
+
+          <div className="new-incident-field">
+            <label htmlFor="new-incident-summary">Summary</label>
+            <textarea
+              id="new-incident-summary"
+              value={summary}
+              onChange={(e) => setSummary(e.target.value)}
+              placeholder="One or two sentences describing what was observed."
+              rows={4}
+              required
+            />
+          </div>
+
+          <div className="new-incident-row">
+            <div className="new-incident-field">
+              <label htmlFor="new-incident-severity">Severity</label>
+              <select
+                id="new-incident-severity"
+                value={severity}
+                onChange={(e) => setSeverity(e.target.value)}
+              >
+                {SEVERITY_OPTIONS.map((opt) => (
+                  <option key={opt.value} value={opt.value}>
+                    {opt.label}
+                  </option>
+                ))}
+              </select>
+            </div>
+
+            <div className="new-incident-field">
+              <label htmlFor="new-incident-camera">Camera (optional)</label>
+              <select
+                id="new-incident-camera"
+                value={cameraId}
+                onChange={(e) => setCameraId(e.target.value)}
+              >
+                <option value="">— None —</option>
+                {cameras.map((c) => (
+                  <option key={c.camera_id} value={c.camera_id}>
+                    {c.name || c.camera_id}
+                  </option>
+                ))}
+              </select>
+            </div>
+          </div>
+
+          {error && <div className="new-incident-error">{error}</div>}
+
+          <div className="modal-actions">
+            <button
+              type="button"
+              className="btn btn-secondary"
+              onClick={onClose}
+              disabled={submitting}
+            >
+              Cancel
+            </button>
+            <button
+              type="submit"
+              className="btn btn-primary"
+              disabled={submitting}
+            >
+              {submitting ? "Filing…" : "File incident"}
+            </button>
+          </div>
+        </form>
+      </div>
+    </div>
+  )
+}