wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 3 Packages Projects Releases Wiki Activity

feat(governance): 新增操作類別權限模型
All checks were successful
Code Review / ai-code-review (push) Successful in 16s
Details
CD Pipeline / tests (push) Successful in 1m24s
Details
CD Pipeline / build-and-deploy (push) Successful in 4m45s
Details
CD Pipeline / post-deploy-checks (push) Successful in 1m46s
Details

Browse Source
This commit is contained in:
Your Name
2026-06-12 15:04:51 +08:00
parent b5112ccf65
commit 7c8bb3645b
14 changed files with 1994 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

543
docs/evaluations/ai_agent_operation_permission_model_2026-06-12.json Normal file
View File

@@ -0,0 +1,543 @@
{
"schema_version": "ai_agent_operation_permission_model_v1",
"generated_at": "2026-06-12T15:40:00+08:00",
"program_status": {
"overall_completion_percent": 97,
"current_priority": "P2",
"current_task_id": "P2-101",
"next_task_id": "P2-102",
"read_only_mode": true,
"runtime_authority": "operation_permission_model_only_no_live_execution_or_send",
"status_note": "P2-101 把 P2-404 shadow/no-write candidate 轉成操作類別權限模型;目前只定義 observe、no-write replay、proposal、人工批准與明確阻擋 lane不啟動 live worker、不寫 Gateway queue、不送 Telegram、不寫 production target。"
},
"source_refs": [
"docs/evaluations/ai_agent_runtime_worker_shadow_gate_2026-06-12.json",
"docs/evaluations/ai_agent_report_runtime_fixture_readback_2026-06-12.json",
"docs/evaluations/ai_agent_report_runtime_dry_run_2026-06-12.json",
"docs/ai/AI_AGENT_AUTOMATION_WORKLIST_2026-06-04.md",
"docs/superpowers/specs/2026-04-15-MASTER-ai-autonomous-flywheel-v2.md"
],
"operation_permission_truth": {
"permission_model_ready": true,
"operation_category_matrix_ready": true,
"risk_tier_mapping_ready": true,
"agent_responsibility_mapping_ready": true,
"approval_gate_mapping_ready": true,
"manual_sop_lane_ready": true,
"p2_404_shadow_gate_handoff_ready": true,
"runtime_execution_enabled": false,
"gateway_queue_write_enabled": false,
"telegram_send_enabled": false,
"telegram_bot_api_call_enabled": false,
"delivery_receipt_write_enabled": false,
"ai_runtime_worker_enabled": false,
"medium_low_auto_worker_enabled": false,
"post_action_verifier_live_readback_enabled": false,
"production_write_enabled": false,
"secret_value_read_enabled": false,
"paid_provider_call_enabled": false,
"host_or_cluster_command_enabled": false,
"destructive_operation_enabled": false,
"work_window_transcript_display_allowed": false,
"runtime_execution_count_24h": 0,
"gateway_queue_write_count_24h": 0,
"telegram_send_count_24h": 0,
"telegram_bot_api_call_count_24h": 0,
"delivery_receipt_write_count_24h": 0,
"ai_runtime_worker_run_count_24h": 0,
"medium_low_auto_execution_count_24h": 0,
"post_action_verifier_live_readback_count_24h": 0,
"production_write_count_24h": 0,
"secret_value_read_count_24h": 0,
"paid_provider_call_count_24h": 0,
"host_or_cluster_command_count_24h": 0,
"destructive_operation_count_24h": 0,
"truth_note": "P2-101 只建立操作類別與權限 lane所有實際執行、queue write、Telegram send、Bot API、receipt write、worker、verifier live readback、production write、secret / paid provider access 與 destructive action 仍保持 0。"
},
"permission_lanes": [
{
"lane_id": "observe_only",
"display_name": "只讀觀察",
"summary": "可自動讀取 committed snapshot、已允許的 redacted API、健康摘要與證據鏈不得寫入或觸發外部副作用。",
"allowed_outputs": ["證據摘要", "狀態分類", "治理頁顯示"],
"required_gate_before_promotion": "P2-102 dry-run evidence gate",
"live_execution_allowed": false,
"production_write_allowed": false
},
{
"lane_id": "no_write_replay_allowed",
"display_name": "no-write replay",
"summary": "可重放 fixture / shadow artifact 並產生 diff、hash、verifier input不得寫 Gateway queue 或正式資料。",
"allowed_outputs": ["redacted diff", "evidence hash", "queue candidate preview"],
"required_gate_before_promotion": "P2-102 dry-run evidence gate + verifier binding",
"live_execution_allowed": false,
"production_write_allowed": false
},
{
"lane_id": "proposal_only",
"display_name": "提案 / SOP",
"summary": "可產生人工可審核的處置建議、Runbook 草案、rollback 計畫與操作選項;不得自行套用。",
"allowed_outputs": ["人工 SOP", "修復候選", "rollback 草案"],
"required_gate_before_promotion": "owner review + P2-102 dry-run evidence",
"live_execution_allowed": false,
"production_write_allowed": false
},
{
"lane_id": "human_approval_required",
"display_name": "人工批准後才可推進",
"summary": "涉及 queue write、Telegram 實發、verifier live readback、低中風險自動化與任何可能影響外部狀態的操作必須先人工批准並有 verifier / rollback。",
"allowed_outputs": ["批准包", "dry-run hash", "verifier plan"],
"required_gate_before_promotion": "explicit owner approval + rollback owner + post-action verifier",
"live_execution_allowed": false,
"production_write_allowed": false
},
{
"lane_id": "explicitly_blocked",
"display_name": "明確阻擋",
"summary": "secret 明文、付費 provider 擴量、破壞性主機 / 叢集操作與 production config / data write 在本階段全部阻擋,只能降級成提案或證據收集。",
"allowed_outputs": ["阻擋原因", "降級提案", "缺口清單"],
"required_gate_before_promotion": "另行維護窗口、費用 / 依賴 / 資安批准",
"live_execution_allowed": false,
"production_write_allowed": false
}
],
"operation_categories": [
{
"category_id": "observe_inventory_read",
"display_name": "只讀盤點 / 狀態讀取",
"risk_tier": "low",
"permission_lane": "observe_only",
"primary_agent": "hermes",
"allowed_outputs": ["狀態摘要", "freshness 判讀", "缺口清單"],
"blocked_actions": ["production write", "secret value read"],
"required_evidence": ["source ref", "generated_at", "redacted fields"],
"next_gate": "P2-102 dry-run evidence gate",
"queue_write_allowed": false,
"telegram_send_allowed": false,
"production_write_allowed": false,
"secret_value_read_allowed": false,
"destructive_action_allowed": false,
"live_execution_allowed": false,
"evidence_hash": "sha256:1111111111111111111111111111111111111111111111111111111111111111"
},
{
"category_id": "diagnose_correlate_evidence",
"display_name": "診斷 / 證據關聯",
"risk_tier": "low",
"permission_lane": "observe_only",
"primary_agent": "openclaw",
"allowed_outputs": ["嚴重度判讀", "MCP evidence 摘要", "manual next step"],
"blocked_actions": ["repair execution", "queue write"],
"required_evidence": ["MCP evidence ref", "incident ref", "correlation reason"],
"next_gate": "P2-102 dry-run evidence gate",
"queue_write_allowed": false,
"telegram_send_allowed": false,
"production_write_allowed": false,
"secret_value_read_allowed": false,
"destructive_action_allowed": false,
"live_execution_allowed": false,
"evidence_hash": "sha256:2222222222222222222222222222222222222222222222222222222222222222"
},
{
"category_id": "report_digest_queue_candidate",
"display_name": "報表 / 戰情室 queue candidate",
"risk_tier": "medium",
"permission_lane": "no_write_replay_allowed",
"primary_agent": "hermes",
"allowed_outputs": ["queue candidate diff", "digest preview", "readback checklist"],
"blocked_actions": ["Gateway queue write", "Telegram sendMessage"],
"required_evidence": ["redacted digest hash", "recipient route ref", "zero-signal classification"],
"next_gate": "gateway_queue_write_permission_gate",
"queue_write_allowed": false,
"telegram_send_allowed": false,
"production_write_allowed": false,
"secret_value_read_allowed": false,
"destructive_action_allowed": false,
"live_execution_allowed": false,
"evidence_hash": "sha256:3333333333333333333333333333333333333333333333333333333333333333"
},
{
"category_id": "shadow_no_write_replay",
"display_name": "shadow / no-write replay",
"risk_tier": "medium",
"permission_lane": "no_write_replay_allowed",
"primary_agent": "nemotron",
"allowed_outputs": ["promotion hash", "verifier fixture", "side-effect report"],
"blocked_actions": ["live worker", "result write"],
"required_evidence": ["fixture id", "replay hash", "side-effect count"],
"next_gate": "P2-102 dry-run evidence gate",
"queue_write_allowed": false,
"telegram_send_allowed": false,
"production_write_allowed": false,
"secret_value_read_allowed": false,
"destructive_action_allowed": false,
"live_execution_allowed": false,
"evidence_hash": "sha256:4444444444444444444444444444444444444444444444444444444444444444"
},
{
"category_id": "manual_sop_draft",
"display_name": "人工 SOP / 操作選項草案",
"risk_tier": "medium",
"permission_lane": "proposal_only",
"primary_agent": "hermes",
"allowed_outputs": ["人工步驟", "驗證步驟", "rollback 說明"],
"blocked_actions": ["自動執行", "host command"],
"required_evidence": ["owner role", "affected scope", "rollback owner"],
"next_gate": "owner review",
"queue_write_allowed": false,
"telegram_send_allowed": false,
"production_write_allowed": false,
"secret_value_read_allowed": false,
"destructive_action_allowed": false,
"live_execution_allowed": false,
"evidence_hash": "sha256:5555555555555555555555555555555555555555555555555555555555555555"
},
{
"category_id": "repair_candidate_proposal",
"display_name": "修復候選提案",
"risk_tier": "medium",
"permission_lane": "proposal_only",
"primary_agent": "openclaw",
"allowed_outputs": ["修復候選", "風險理由", "dry-run 要求"],
"blocked_actions": ["Ansible apply", "kubectl apply", "service restart"],
"required_evidence": ["MCP evidence", "PlayBook trust", "verifier plan"],
"next_gate": "P2-102 dry-run evidence gate",
"queue_write_allowed": false,
"telegram_send_allowed": false,
"production_write_allowed": false,
"secret_value_read_allowed": false,
"destructive_action_allowed": false,
"live_execution_allowed": false,
"evidence_hash": "sha256:6666666666666666666666666666666666666666666666666666666666666666"
},
{
"category_id": "low_risk_noop_execution",
"display_name": "低風險 no-op 自動處理",
"risk_tier": "medium",
"permission_lane": "human_approval_required",
"primary_agent": "openclaw",
"allowed_outputs": ["批准包", "no-op plan", "post-action verifier plan"],
"blocked_actions": ["live worker execution"],
"required_evidence": ["explicit approval", "dry-run hash", "replay hash"],
"next_gate": "medium_low_auto_worker_permission_gate",
"queue_write_allowed": false,
"telegram_send_allowed": false,
"production_write_allowed": false,
"secret_value_read_allowed": false,
"destructive_action_allowed": false,
"live_execution_allowed": false,
"evidence_hash": "sha256:7777777777777777777777777777777777777777777777777777777777777777"
},
{
"category_id": "medium_risk_repair_execution",
"display_name": "中風險修復執行",
"risk_tier": "high",
"permission_lane": "human_approval_required",
"primary_agent": "openclaw",
"allowed_outputs": ["批准包", "rollback plan", "維護窗口建議"],
"blocked_actions": ["repair apply", "restart", "config reload"],
"required_evidence": ["owner approval", "rollback owner", "verifier live gate"],
"next_gate": "production_write_permission_gate",
"queue_write_allowed": false,
"telegram_send_allowed": false,
"production_write_allowed": false,
"secret_value_read_allowed": false,
"destructive_action_allowed": false,
"live_execution_allowed": false,
"evidence_hash": "sha256:8888888888888888888888888888888888888888888888888888888888888888"
},
{
"category_id": "post_action_verifier_live_readback",
"display_name": "post-action verifier live readback",
"risk_tier": "high",
"permission_lane": "human_approval_required",
"primary_agent": "nemotron",
"allowed_outputs": ["verifier plan", "expected signal", "failure lane"],
"blocked_actions": ["canonical target readback", "result write"],
"required_evidence": ["allow-list", "redacted output", "failure receipt plan"],
"next_gate": "post_action_verifier_live_gate",
"queue_write_allowed": false,
"telegram_send_allowed": false,
"production_write_allowed": false,
"secret_value_read_allowed": false,
"destructive_action_allowed": false,
"live_execution_allowed": false,
"evidence_hash": "sha256:9999999999999999999999999999999999999999999999999999999999999999"
},
{
"category_id": "telegram_gateway_queue_write",
"display_name": "Telegram Gateway queue write / 實發",
"risk_tier": "high",
"permission_lane": "human_approval_required",
"primary_agent": "hermes",
"allowed_outputs": ["route approval packet", "queue candidate", "delivery verifier plan"],
"blocked_actions": ["Gateway queue write", "Bot API sendMessage"],
"required_evidence": ["SRE route ref", "dedupe key", "delivery receipt plan"],
"next_gate": "telegram_send_permission_gate",
"queue_write_allowed": false,
"telegram_send_allowed": false,
"production_write_allowed": false,
"secret_value_read_allowed": false,
"destructive_action_allowed": false,
"live_execution_allowed": false,
"evidence_hash": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
},
{
"category_id": "production_config_or_data_write",
"display_name": "production config / data write",
"risk_tier": "critical",
"permission_lane": "explicitly_blocked",
"primary_agent": "openclaw",
"allowed_outputs": ["blocked reason", "owner approval requirements", "dry-run requirement"],
"blocked_actions": ["DB write", "ConfigMap apply", "Nginx reload", "workflow mutation"],
"required_evidence": ["source-of-truth", "rollback ref", "maintenance window"],
"next_gate": "production_write_permission_gate",
"queue_write_allowed": false,
"telegram_send_allowed": false,
"production_write_allowed": false,
"secret_value_read_allowed": false,
"destructive_action_allowed": false,
"live_execution_allowed": false,
"evidence_hash": "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
},
{
"category_id": "secret_or_paid_provider_access",
"display_name": "secret value / paid provider access",
"risk_tier": "critical",
"permission_lane": "explicitly_blocked",
"primary_agent": "nemotron",
"allowed_outputs": ["metadata-only checklist", "cost approval packet", "secret name parity"],
"blocked_actions": ["secret value read", "paid API call", "token hash collection"],
"required_evidence": ["費用批准", "redaction policy", "owner response"],
"next_gate": "secret_or_paid_provider_gate",
"queue_write_allowed": false,
"telegram_send_allowed": false,
"production_write_allowed": false,
"secret_value_read_allowed": false,
"destructive_action_allowed": false,
"live_execution_allowed": false,
"evidence_hash": "sha256:cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"
},
{
"category_id": "destructive_host_or_cluster_action",
"display_name": "破壞性主機 / 叢集操作",
"risk_tier": "critical",
"permission_lane": "explicitly_blocked",
"primary_agent": "openclaw",
"allowed_outputs": ["break-glass checklist", "rollback owner request", "maintenance window request"],
"blocked_actions": ["ssh write", "sudo", "restart", "reboot", "delete", "active scan"],
"required_evidence": ["維護窗口", "rollback owner", "post-check plan"],
"next_gate": "另行資安 / 維護窗口批准",
"queue_write_allowed": false,
"telegram_send_allowed": false,
"production_write_allowed": false,
"secret_value_read_allowed": false,
"destructive_action_allowed": false,
"live_execution_allowed": false,
"evidence_hash": "sha256:dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
}
],
"agent_permission_roles": [
{
"agent_id": "openclaw",
"display_name": "OpenClaw",
"permission_responsibility": "負責 operation category、risk tier、approval lane 與 repair candidate arbitration可產生提案不可自我批准或執行。",
"allowed_lanes": ["observe_only", "proposal_only", "human_approval_required"],
"blocked_now": ["self approval", "production write", "host command", "Telegram direct send"],
"self_approval_allowed": false,
"live_action_count_24h": 0
},
{
"agent_id": "hermes",
"display_name": "Hermes",
"permission_responsibility": "負責 KM / Runbook / 報表 / SRE 戰情室 queue candidate 的整理與草案;不得寫 Gateway queue 或發 Telegram。",
"allowed_lanes": ["observe_only", "no_write_replay_allowed", "proposal_only"],
"blocked_now": ["Gateway queue write", "Telegram send", "production data write"],
"self_approval_allowed": false,
"live_action_count_24h": 0
},
{
"agent_id": "nemotron",
"display_name": "NemoTron",
"permission_responsibility": "負責 no-write replay、verifier fixture、redaction / cost / secret boundary review不得呼叫付費 provider 或讀 secret。",
"allowed_lanes": ["observe_only", "no_write_replay_allowed", "proposal_only"],
"blocked_now": ["paid provider call", "secret value read", "live verifier execution"],
"self_approval_allowed": false,
"live_action_count_24h": 0
}
],
"gate_transitions": [
{
"gate_id": "p2_101_permission_review_gate",
"display_name": "P2-101 permission review gate",
"current_status": "ready_for_review",
"required_before": "所有 P2-404 shadow candidate promotion",
"next_safe_step": "以本模型審查每個 candidate 的 lane 與風險,不啟動 worker。",
"opens_live_execution": false
},
{
"gate_id": "p2_102_dry_run_evidence_gate",
"display_name": "P2-102 dry-run evidence gate",
"current_status": "blocked_until_evidence",
"required_before": "任何可被批准的低 / 中風險 candidate",
"next_safe_step": "每個候選操作都要有 dry-run evidence、hash、side-effect count 與 verifier plan。",
"opens_live_execution": false
},
{
"gate_id": "gateway_queue_write_permission_gate",
"display_name": "Gateway queue write permission gate",
"current_status": "blocked_until_evidence",
"required_before": "任何 Gateway queue write",
"next_safe_step": "先完成 route、dedupe、receipt、failure lane 與人工批准。",
"opens_live_execution": false
},
{
"gate_id": "telegram_send_permission_gate",
"display_name": "Telegram send permission gate",
"current_status": "blocked_until_evidence",
"required_before": "任何 Bot API sendMessage",
"next_safe_step": "先走 Gateway queue + receipt E2E不允許 direct Bot API。",
"opens_live_execution": false
},
{
"gate_id": "medium_low_auto_worker_permission_gate",
"display_name": "中低風險 auto worker permission gate",
"current_status": "blocked_until_evidence",
"required_before": "任何 low / medium risk 自動處理",
"next_safe_step": "需要 operation lane、dry-run、rollback/no-op evidence、post-action verifier 與人工批准。",
"opens_live_execution": false
},
{
"gate_id": "post_action_verifier_live_gate",
"display_name": "post-action verifier live gate",
"current_status": "blocked_until_evidence",
"required_before": "任何 verifier live readback",
"next_safe_step": "先定義 input/output allow-list、redaction、failure receipt 與 result write boundary。",
"opens_live_execution": false
},
{
"gate_id": "production_write_permission_gate",
"display_name": "production write permission gate",
"current_status": "blocked_by_policy",
"required_before": "任何 production config / data write",
"next_safe_step": "另行 owner approval、maintenance window、rollback owner、dry-run、verifier plan。",
"opens_live_execution": false
},
{
"gate_id": "secret_or_paid_provider_gate",
"display_name": "secret / paid provider gate",
"current_status": "blocked_by_policy",
"required_before": "任何 secret 明文、付費 provider 呼叫或費用增加",
"next_safe_step": "只允許 metadata / secret name / cost approval packet不得讀 value 或增加呼叫頻率。",
"opens_live_execution": false
}
],
"operator_decision_templates": [
{
"template_id": "evidence_collect_next_step",
"display_name": "收集證據",
"when_to_use": "分類、監控、MCP evidence 不足或 provider fresh 但未匹配時。",
"human_instruction": "查看來源、補 MCP evidence、確認 incident / run / source refs 是否串上。",
"creates_runtime_action": false,
"requires_human_review": true
},
{
"template_id": "manual_sop_next_step",
"display_name": "產生人工 SOP",
"when_to_use": "AI 選擇不執行修復,或 action candidate 缺少 rollback / verifier。",
"human_instruction": "依 SOP 檢查服務、log、回滾點與驗證項完成後回填 outcome。",
"creates_runtime_action": false,
"requires_human_review": true
},
{
"template_id": "repair_proposal_next_step",
"display_name": "修復提案",
"when_to_use": "OpenClaw 有中低風險候選,但尚未有 dry-run hash 或 verifier plan。",
"human_instruction": "審查 MCP evidence、PlayBook trust、dry-run、rollback owner 與 blast radius。",
"creates_runtime_action": false,
"requires_human_review": true
},
{
"template_id": "queue_candidate_next_step",
"display_name": "戰情室 queue 候選",
"when_to_use": "日週月報、action-required digest 或 failure digest 需要進 SRE 戰情室但尚未准許實發。",
"human_instruction": "確認 route、dedupe、receipt、降噪與內容 redaction再決定是否進下一 gate。",
"creates_runtime_action": false,
"requires_human_review": true
},
{
"template_id": "rollback_or_fix_next_step",
"display_name": "人工修復 / 回滾",
"when_to_use": "處置失敗、verifier degraded、或高風險需要人工處理。",
"human_instruction": "依 rollback owner 與維護窗口處理;禁止由 AI 自行啟動 host / cluster / production write。",
"creates_runtime_action": false,
"requires_human_review": true
}
],
"display_redaction_contract": {
"redaction_required": true,
"raw_prompt_display_allowed": false,
"private_reasoning_display_allowed": false,
"secret_value_display_allowed": false,
"raw_telegram_payload_display_allowed": false,
"work_window_transcript_display_allowed": false,
"allowed_display_fields": [
"category_id",
"display_name",
"risk_tier",
"permission_lane",
"primary_agent",
"allowed_outputs",
"blocked_actions",
"required_evidence",
"next_gate",
"evidence_hash"
],
"blocked_display_fields": [
"raw_prompt",
"chain_of_thought",
"telegram_chat_id",
"telegram_message_id",
"bot_token",
"authorization_header",
"secret_value",
"work_window_transcript"
]
},
"rollups": {
"permission_lane_count": 5,
"operation_category_count": 13,
"observe_only_category_count": 2,
"no_write_replay_allowed_category_count": 2,
"proposal_only_category_count": 2,
"human_approval_required_category_count": 4,
"explicitly_blocked_category_count": 3,
"human_approval_required_category_ids": [
"low_risk_noop_execution",
"medium_risk_repair_execution",
"post_action_verifier_live_readback",
"telegram_gateway_queue_write"
],
"explicitly_blocked_category_ids": [
"destructive_host_or_cluster_action",
"production_config_or_data_write",
"secret_or_paid_provider_access"
],
"agent_role_count": 3,
"gate_transition_count": 8,
"operator_decision_template_count": 5,
"runtime_execution_count": 0,
"gateway_queue_write_count": 0,
"telegram_send_count": 0,
"telegram_bot_api_call_count": 0,
"delivery_receipt_write_count": 0,
"ai_runtime_worker_run_count": 0,
"medium_low_auto_execution_count": 0,
"post_action_verifier_live_readback_count": 0,
"production_write_count": 0,
"secret_value_read_count": 0,
"paid_provider_call_count": 0,
"host_or_cluster_command_count": 0,
"destructive_operation_count": 0
}
}