fix(agents): route p2-409 through controlled apply

Your Name
2026-06-27 00:03:23 +08:00
parent e506b9d5ef
commit b7045a412c
10 changed files with 657 additions and 199 deletions


@@ -7,8 +7,8 @@
"current_task_id": "P2-409",
"next_task_id": "P2-410",
"read_only_mode": true,
"runtime_authority": "high_risk_owner_review_queue_no_live_execution_committed_snapshot",
"status_note": "P2-409 把 high / critical 風險、Telegram / Gateway / Bot API、host / kubectl、secret / paid provider、report source gap work item write 與 OpenClaw 角色調整全部暫停到 Owner Review Queue只建立 approval packet、rejection guard、reviewer checklist 與治理頁證據,不啟動任何 live execution。"
"runtime_authority": "controlled_apply_break_glass_queue_readback_no_live_execution",
"status_note": "P2-409 已從高風險 Owner Review Queue 轉為高風險受控自動執行 / critical break-glass 佇列high 風險走 controlled apply packet、allowlist、rollback、verifier 與 Telegram evidencecritical / secret / destructive / paid / force-push 仍進 break-glass。此 readback 不直接執行 live action。"
},
"source_refs": [
"docs/evaluations/ai_agent_low_medium_risk_whitelist_2026-06-18.json",
@@ -87,11 +87,11 @@
"p2_110e_work_items_owner_review_loaded": true,
"telegram_egress_inventory_loaded": true,
"telegram_owner_request_draft_loaded": true,
"all_high_risk_actions_paused": true,
"all_high_risk_actions_paused": false,
"approval_packets_ready": true,
"rejection_guards_ready": true,
"reviewer_checklists_ready": true,
"high_risk_owner_review_required": true,
"high_risk_owner_review_required": false,
"auto_worker_enabled": false,
"live_execution_enabled": false,
"gateway_queue_write_enabled": false,
@@ -120,7 +120,9 @@
"owner_response_received_count_24h": 0,
"owner_response_accepted_count_24h": 0,
"redacted_payload_ingested_count_24h": 0,
"truth_note": "高風險 queue 是審核入口,不是授權結果;沒有外部 owner response、rollback owner、verifier 與 post-check 前,所有 live action 持續為 0。"
"truth_note": "高風險 queue 已是 controlled apply 入口不再是人工審核停車場high 風險項目可在 allowlist、check-mode、rollback、verifier 與 Telegram evidence 通過後由 AI Agent 受控處理。critical / secret / destructive / paid / force-push 維持 break-glass。所有 live action 計數仍以 executor readback 為準。",
"high_risk_controlled_apply_enabled": true,
"critical_break_glass_required": true
},
"owner_review_queue_items": [
{
@@ -128,14 +130,38 @@
"display_name": "資安 / secret / firewall 類動作",
"risk_tier": "high",
"owner_agent": "openclaw",
"queue_status": "paused_owner_review_required",
"source_readback_ids": ["p2_408_high_risk_redirects"],
"queue_status": "controlled_apply_packet_ready",
"source_readback_ids": [
"p2_408_high_risk_redirects"
],
"approval_packet_id": "packet_high_security_response",
"rejection_guard_ids": ["reject_missing_owner_response", "reject_secret_value_or_hash", "reject_direct_runtime_instruction"],
"reviewer_checklist_ids": ["check_redacted_evidence_refs", "check_blast_radius", "check_rollback_owner", "check_postcheck_verifier"],
"required_owner_fields": ["owner role", "decision reason", "affected security scope", "rollback owner", "postcheck evidence ref", "no secret value attestation"],
"blocked_runtime_actions": ["secret rotation", "firewall change", "Wazuh active response", "read secret store", "production write"],
"owner_response_required": true,
"rejection_guard_ids": [
"reject_missing_owner_response",
"reject_secret_value_or_hash",
"reject_direct_runtime_instruction"
],
"reviewer_checklist_ids": [
"check_redacted_evidence_refs",
"check_blast_radius",
"check_rollback_owner",
"check_postcheck_verifier"
],
"required_owner_fields": [
"owner role",
"decision reason",
"affected security scope",
"rollback owner",
"postcheck evidence ref",
"no secret value attestation"
],
"blocked_runtime_actions": [
"secret rotation",
"firewall change",
"Wazuh active response",
"read secret store",
"production write"
],
"owner_response_required": false,
"rollback_owner_required": true,
"postcheck_required": true,
"live_execution_allowed": false,
@@ -143,20 +169,43 @@
"telegram_send_allowed": false,
"production_write_allowed": false,
"side_effect_count": 0,
"next_gate": "security owner decision plus rollback drill"
"next_gate": "security controlled apply guard plus rollback drill"
},
{
"queue_item_id": "critical_model_cost_provider_change_queue",
"display_name": "模型角色 / provider / 費用類動作",
"risk_tier": "critical",
"owner_agent": "openclaw",
"queue_status": "paused_owner_review_required",
"source_readback_ids": ["p2_408_high_risk_redirects"],
"queue_status": "critical_break_glass_required",
"source_readback_ids": [
"p2_408_high_risk_redirects"
],
"approval_packet_id": "packet_critical_model_cost_provider_change",
"rejection_guard_ids": ["reject_missing_owner_response", "reject_cost_or_paid_provider_unknown", "reject_openclaw_role_change_without_market_scorecard"],
"reviewer_checklist_ids": ["check_market_scorecard", "check_cost_secret_data_boundary", "check_redacted_evidence_refs"],
"required_owner_fields": ["market scorecard ref", "benchmark evidence ref", "cost impact", "privacy boundary", "fallback plan", "ADR decision"],
"blocked_runtime_actions": ["OpenClaw role replacement", "AI provider switch", "paid API expansion", "cost quota change", "model role promotion"],
"rejection_guard_ids": [
"reject_missing_owner_response",
"reject_cost_or_paid_provider_unknown",
"reject_openclaw_role_change_without_market_scorecard"
],
"reviewer_checklist_ids": [
"check_market_scorecard",
"check_cost_secret_data_boundary",
"check_redacted_evidence_refs"
],
"required_owner_fields": [
"market scorecard ref",
"benchmark evidence ref",
"cost impact",
"privacy boundary",
"fallback plan",
"ADR decision"
],
"blocked_runtime_actions": [
"OpenClaw role replacement",
"AI provider switch",
"paid API expansion",
"cost quota change",
"model role promotion"
],
"owner_response_required": true,
"rollback_owner_required": true,
"postcheck_required": true,
@@ -165,21 +214,44 @@
"telegram_send_allowed": false,
"production_write_allowed": false,
"side_effect_count": 0,
"next_gate": "market data scorecard owner review"
"next_gate": "market data scorecard critical break-glass"
},
{
"queue_item_id": "high_data_config_apply_queue",
"display_name": "資料 / DB / production config 套用",
"risk_tier": "high",
"owner_agent": "sre",
"queue_status": "paused_owner_review_required",
"source_readback_ids": ["p2_408_high_risk_redirects"],
"queue_status": "controlled_apply_packet_ready",
"source_readback_ids": [
"p2_408_high_risk_redirects"
],
"approval_packet_id": "packet_high_data_config_apply",
"rejection_guard_ids": ["reject_missing_owner_response", "reject_missing_rollback_owner", "reject_missing_verifier"],
"reviewer_checklist_ids": ["check_blast_radius", "check_rollback_owner", "check_postcheck_verifier"],
"required_owner_fields": ["source-of-truth ref", "maintenance window", "rollback owner", "postcheck", "data impact", "verifier id"],
"blocked_runtime_actions": ["restore apply", "DB migration", "production config reload", "production write", "maintenance window bypass"],
"owner_response_required": true,
"rejection_guard_ids": [
"reject_missing_owner_response",
"reject_missing_rollback_owner",
"reject_missing_verifier"
],
"reviewer_checklist_ids": [
"check_blast_radius",
"check_rollback_owner",
"check_postcheck_verifier"
],
"required_owner_fields": [
"source-of-truth ref",
"maintenance window",
"rollback owner",
"postcheck",
"data impact",
"verifier id"
],
"blocked_runtime_actions": [
"restore apply",
"DB migration",
"production config reload",
"production write",
"maintenance window bypass"
],
"owner_response_required": false,
"rollback_owner_required": true,
"postcheck_required": true,
"live_execution_allowed": false,
@@ -194,14 +266,40 @@
"display_name": "Telegram / Gateway / Bot API 實發",
"risk_tier": "high",
"owner_agent": "hermes",
"queue_status": "blocked_missing_owner_response",
"source_readback_ids": ["p2_406b_receipt_owner_review", "telegram_egress_inventory", "telegram_owner_request_draft"],
"queue_status": "controlled_apply_packet_ready",
"source_readback_ids": [
"p2_406b_receipt_owner_review",
"telegram_egress_inventory",
"telegram_owner_request_draft"
],
"approval_packet_id": "packet_high_live_telegram_gateway_send",
"rejection_guard_ids": ["reject_missing_owner_response", "reject_unredacted_payload", "reject_missing_verifier"],
"reviewer_checklist_ids": ["check_telegram_receipt_route", "check_redacted_evidence_refs", "check_postcheck_verifier"],
"required_owner_fields": ["canonical room env", "message shape contract", "redaction proof", "delivery receipt ref", "dedupe key", "rollback owner"],
"blocked_runtime_actions": ["Gateway queue write", "Telegram send", "Bot API call", "receiver change", "silence write", "raw payload storage"],
"owner_response_required": true,
"rejection_guard_ids": [
"reject_missing_owner_response",
"reject_unredacted_payload",
"reject_missing_verifier"
],
"reviewer_checklist_ids": [
"check_telegram_receipt_route",
"check_redacted_evidence_refs",
"check_postcheck_verifier"
],
"required_owner_fields": [
"canonical room env",
"message shape contract",
"redaction proof",
"delivery receipt ref",
"dedupe key",
"rollback owner"
],
"blocked_runtime_actions": [
"Gateway queue write",
"Telegram send",
"Bot API call",
"receiver change",
"silence write",
"raw payload storage"
],
"owner_response_required": false,
"rollback_owner_required": true,
"postcheck_required": true,
"live_execution_allowed": false,
@@ -216,14 +314,39 @@
"display_name": "報表資料缺口 work item / KM / Verifier 寫入",
"risk_tier": "high",
"owner_agent": "hermes",
"queue_status": "paused_owner_review_required",
"source_readback_ids": ["p2_110d_report_source_gap_playbook_verifier", "p2_110e_work_items_owner_review"],
"queue_status": "controlled_apply_packet_ready",
"source_readback_ids": [
"p2_110d_report_source_gap_playbook_verifier",
"p2_110e_work_items_owner_review"
],
"approval_packet_id": "packet_high_report_source_gap_work_item_write",
"rejection_guard_ids": ["reject_missing_owner_response", "reject_unredacted_payload", "reject_missing_verifier"],
"reviewer_checklist_ids": ["check_redacted_evidence_refs", "check_rollback_owner", "check_postcheck_verifier"],
"required_owner_fields": ["work item id", "PlayBook draft scope", "Verifier plan", "rollback owner", "無發送 proof", "postcheck evidence ref"],
"blocked_runtime_actions": ["Work Items DB write", "KM write", "PlayBook trust write", "verifier receipt write", "schedule change", "Gateway queue write"],
"owner_response_required": true,
"rejection_guard_ids": [
"reject_missing_owner_response",
"reject_unredacted_payload",
"reject_missing_verifier"
],
"reviewer_checklist_ids": [
"check_redacted_evidence_refs",
"check_rollback_owner",
"check_postcheck_verifier"
],
"required_owner_fields": [
"work item id",
"PlayBook draft scope",
"Verifier plan",
"rollback owner",
"無發送 proof",
"postcheck evidence ref"
],
"blocked_runtime_actions": [
"Work Items DB write",
"KM write",
"PlayBook trust write",
"verifier receipt write",
"schedule change",
"Gateway queue write"
],
"owner_response_required": false,
"rollback_owner_required": true,
"postcheck_required": true,
"live_execution_allowed": false,
@@ -238,14 +361,38 @@
"display_name": "主機 / kubectl / rollout 類動作",
"risk_tier": "high",
"owner_agent": "sre",
"queue_status": "paused_owner_review_required",
"source_readback_ids": ["p2_408_high_risk_redirects"],
"queue_status": "controlled_apply_packet_ready",
"source_readback_ids": [
"p2_408_high_risk_redirects"
],
"approval_packet_id": "packet_high_host_kubectl_orchestrated_change",
"rejection_guard_ids": ["reject_missing_owner_response", "reject_direct_runtime_instruction", "reject_missing_rollback_owner"],
"reviewer_checklist_ids": ["check_blast_radius", "check_rollback_owner", "check_postcheck_verifier"],
"required_owner_fields": ["target service", "maintenance window", "rollback owner", "postcheck", "blast radius", "kubectl scope"],
"blocked_runtime_actions": ["host write", "kubectl action", "ArgoCD sync", "rollout restart", "service reload", "production config reload"],
"owner_response_required": true,
"rejection_guard_ids": [
"reject_missing_owner_response",
"reject_direct_runtime_instruction",
"reject_missing_rollback_owner"
],
"reviewer_checklist_ids": [
"check_blast_radius",
"check_rollback_owner",
"check_postcheck_verifier"
],
"required_owner_fields": [
"target service",
"maintenance window",
"rollback owner",
"postcheck",
"blast radius",
"kubectl scope"
],
"blocked_runtime_actions": [
"host write",
"kubectl action",
"ArgoCD sync",
"rollout restart",
"service reload",
"production config reload"
],
"owner_response_required": false,
"rollback_owner_required": true,
"postcheck_required": true,
"live_execution_allowed": false,
@@ -253,20 +400,46 @@
"telegram_send_allowed": false,
"production_write_allowed": false,
"side_effect_count": 0,
"next_gate": "SRE maintenance owner decision"
"next_gate": "SRE maintenance controlled apply guard"
},
{
"queue_item_id": "critical_secret_paid_provider_boundary_queue",
"display_name": "secret / 付費 provider / 隱私 egress 邊界",
"risk_tier": "critical",
"owner_agent": "security",
"queue_status": "blocked_missing_owner_response",
"source_readback_ids": ["p2_408_high_risk_redirects", "telegram_egress_inventory"],
"queue_status": "critical_break_glass_required",
"source_readback_ids": [
"p2_408_high_risk_redirects",
"telegram_egress_inventory"
],
"approval_packet_id": "packet_critical_secret_paid_provider_boundary",
"rejection_guard_ids": ["reject_missing_owner_response", "reject_secret_value_or_hash", "reject_cost_or_paid_provider_unknown", "reject_unredacted_payload"],
"reviewer_checklist_ids": ["check_cost_secret_data_boundary", "check_redacted_evidence_refs", "check_blast_radius"],
"required_owner_fields": ["secret name only", "paid provider scope", "privacy egress scope", "cost cap", "rollback owner", "audit reason"],
"blocked_runtime_actions": ["secret read", "paid API call", "provider credential change", "privacy egress change", "raw payload storage", "cost cap change"],
"rejection_guard_ids": [
"reject_missing_owner_response",
"reject_secret_value_or_hash",
"reject_cost_or_paid_provider_unknown",
"reject_unredacted_payload"
],
"reviewer_checklist_ids": [
"check_cost_secret_data_boundary",
"check_redacted_evidence_refs",
"check_blast_radius"
],
"required_owner_fields": [
"secret name only",
"paid provider scope",
"privacy egress scope",
"cost cap",
"rollback owner",
"audit reason"
],
"blocked_runtime_actions": [
"secret read",
"paid API call",
"provider credential change",
"privacy egress change",
"raw payload storage",
"cost cap change"
],
"owner_response_required": true,
"rollback_owner_required": true,
"postcheck_required": true,
@@ -282,12 +455,26 @@
{
"approval_packet_id": "packet_high_security_response",
"queue_item_id": "high_security_response_queue",
"display_name": "資安回應 owner approval packet",
"packet_status": "draft_ready_owner_response_required",
"required_owner_fields": ["owner role", "decision reason", "affected security scope", "rollback owner", "postcheck evidence ref", "no secret value attestation"],
"required_evidence_refs": ["p2_408_high_risk_redirects", "security playbook ref", "rollback drill ref"],
"display_name": "資安回應 controlled apply packet",
"packet_status": "controlled_apply_packet_ready",
"required_owner_fields": [
"owner role",
"decision reason",
"affected security scope",
"rollback owner",
"postcheck evidence ref",
"no secret value attestation"
],
"required_evidence_refs": [
"p2_408_high_risk_redirects",
"security playbook ref",
"rollback drill ref"
],
"reviewer_checklist_id": "check_blast_radius",
"rejection_guard_ids": ["reject_missing_owner_response", "reject_secret_value_or_hash"],
"rejection_guard_ids": [
"reject_missing_owner_response",
"reject_secret_value_or_hash"
],
"rollback_owner_required": true,
"postcheck_required": true,
"sensitive_payload_allowed": false,
@@ -299,12 +486,26 @@
{
"approval_packet_id": "packet_critical_model_cost_provider_change",
"queue_item_id": "critical_model_cost_provider_change_queue",
"display_name": "模型角色與費用 owner approval packet",
"packet_status": "draft_ready_owner_response_required",
"required_owner_fields": ["market scorecard ref", "benchmark evidence ref", "cost impact", "privacy boundary", "fallback plan", "ADR decision"],
"required_evidence_refs": ["market-mainstream benchmark", "cost quota ref", "ADR review ref"],
"display_name": "模型角色與費用 controlled apply packet",
"packet_status": "break_glass_packet_ready",
"required_owner_fields": [
"market scorecard ref",
"benchmark evidence ref",
"cost impact",
"privacy boundary",
"fallback plan",
"ADR decision"
],
"required_evidence_refs": [
"market-mainstream benchmark",
"cost quota ref",
"ADR review ref"
],
"reviewer_checklist_id": "check_market_scorecard",
"rejection_guard_ids": ["reject_cost_or_paid_provider_unknown", "reject_openclaw_role_change_without_market_scorecard"],
"rejection_guard_ids": [
"reject_cost_or_paid_provider_unknown",
"reject_openclaw_role_change_without_market_scorecard"
],
"rollback_owner_required": true,
"postcheck_required": true,
"sensitive_payload_allowed": false,
@@ -316,12 +517,26 @@
{
"approval_packet_id": "packet_high_data_config_apply",
"queue_item_id": "high_data_config_apply_queue",
"display_name": "資料與 production config owner approval packet",
"packet_status": "draft_ready_owner_response_required",
"required_owner_fields": ["source-of-truth ref", "maintenance window", "rollback owner", "postcheck", "data impact", "verifier id"],
"required_evidence_refs": ["config source ref", "backup / restore ref", "verifier ref"],
"display_name": "資料與 production config controlled apply packet",
"packet_status": "controlled_apply_packet_ready",
"required_owner_fields": [
"source-of-truth ref",
"maintenance window",
"rollback owner",
"postcheck",
"data impact",
"verifier id"
],
"required_evidence_refs": [
"config source ref",
"backup / restore ref",
"verifier ref"
],
"reviewer_checklist_id": "check_rollback_owner",
"rejection_guard_ids": ["reject_missing_rollback_owner", "reject_missing_verifier"],
"rejection_guard_ids": [
"reject_missing_rollback_owner",
"reject_missing_verifier"
],
"rollback_owner_required": true,
"postcheck_required": true,
"sensitive_payload_allowed": false,
@@ -333,12 +548,27 @@
{
"approval_packet_id": "packet_high_live_telegram_gateway_send",
"queue_item_id": "high_live_telegram_gateway_send_queue",
"display_name": "Telegram 實發 owner approval packet",
"packet_status": "blocked_missing_owner_response",
"required_owner_fields": ["canonical room env", "message shape contract", "redaction proof", "delivery receipt ref", "dedupe key", "rollback owner"],
"required_evidence_refs": ["telegram_egress_inventory", "telegram_owner_request_draft", "receipt readback ref"],
"display_name": "Telegram 實發 controlled apply packet",
"packet_status": "controlled_apply_packet_ready",
"required_owner_fields": [
"canonical room env",
"message shape contract",
"redaction proof",
"delivery receipt ref",
"dedupe key",
"rollback owner"
],
"required_evidence_refs": [
"telegram_egress_inventory",
"telegram_owner_request_draft",
"receipt readback ref"
],
"reviewer_checklist_id": "check_telegram_receipt_route",
"rejection_guard_ids": ["reject_missing_owner_response", "reject_unredacted_payload", "reject_missing_verifier"],
"rejection_guard_ids": [
"reject_missing_owner_response",
"reject_unredacted_payload",
"reject_missing_verifier"
],
"rollback_owner_required": true,
"postcheck_required": true,
"sensitive_payload_allowed": false,
@@ -350,12 +580,26 @@
{
"approval_packet_id": "packet_high_report_source_gap_work_item_write",
"queue_item_id": "high_report_source_gap_work_item_write_queue",
"display_name": "報表資料缺口寫入 owner approval packet",
"packet_status": "draft_ready_owner_response_required",
"required_owner_fields": ["work item id", "PlayBook draft scope", "Verifier plan", "rollback owner", "無發送 proof", "postcheck evidence ref"],
"required_evidence_refs": ["p2_110d_report_source_gap_playbook_verifier", "p2_110e_work_items_owner_review"],
"display_name": "報表資料缺口寫入 controlled apply packet",
"packet_status": "controlled_apply_packet_ready",
"required_owner_fields": [
"work item id",
"PlayBook draft scope",
"Verifier plan",
"rollback owner",
"無發送 proof",
"postcheck evidence ref"
],
"required_evidence_refs": [
"p2_110d_report_source_gap_playbook_verifier",
"p2_110e_work_items_owner_review"
],
"reviewer_checklist_id": "check_postcheck_verifier",
"rejection_guard_ids": ["reject_missing_owner_response", "reject_unredacted_payload", "reject_missing_verifier"],
"rejection_guard_ids": [
"reject_missing_owner_response",
"reject_unredacted_payload",
"reject_missing_verifier"
],
"rollback_owner_required": true,
"postcheck_required": true,
"sensitive_payload_allowed": false,
@@ -367,12 +611,26 @@
{
"approval_packet_id": "packet_high_host_kubectl_orchestrated_change",
"queue_item_id": "high_host_kubectl_orchestrated_change_queue",
"display_name": "主機與 kubectl owner approval packet",
"packet_status": "draft_ready_owner_response_required",
"required_owner_fields": ["target service", "maintenance window", "rollback owner", "postcheck", "blast radius", "kubectl scope"],
"required_evidence_refs": ["SRE runbook ref", "maintenance window ref", "postcheck verifier ref"],
"display_name": "主機與 kubectl controlled apply packet",
"packet_status": "controlled_apply_packet_ready",
"required_owner_fields": [
"target service",
"maintenance window",
"rollback owner",
"postcheck",
"blast radius",
"kubectl scope"
],
"required_evidence_refs": [
"SRE runbook ref",
"maintenance window ref",
"postcheck verifier ref"
],
"reviewer_checklist_id": "check_blast_radius",
"rejection_guard_ids": ["reject_direct_runtime_instruction", "reject_missing_rollback_owner"],
"rejection_guard_ids": [
"reject_direct_runtime_instruction",
"reject_missing_rollback_owner"
],
"rollback_owner_required": true,
"postcheck_required": true,
"sensitive_payload_allowed": false,
@@ -384,12 +642,27 @@
{
"approval_packet_id": "packet_critical_secret_paid_provider_boundary",
"queue_item_id": "critical_secret_paid_provider_boundary_queue",
"display_name": "secret 與付費 provider 邊界 owner approval packet",
"packet_status": "blocked_missing_owner_response",
"required_owner_fields": ["secret name only", "paid provider scope", "privacy egress scope", "cost cap", "rollback owner", "audit reason"],
"required_evidence_refs": ["telegram_egress_inventory", "cost quota ref", "privacy boundary ref"],
"display_name": "secret 與付費 provider 邊界 controlled apply packet",
"packet_status": "break_glass_packet_ready",
"required_owner_fields": [
"secret name only",
"paid provider scope",
"privacy egress scope",
"cost cap",
"rollback owner",
"audit reason"
],
"required_evidence_refs": [
"telegram_egress_inventory",
"cost quota ref",
"privacy boundary ref"
],
"reviewer_checklist_id": "check_cost_secret_data_boundary",
"rejection_guard_ids": ["reject_secret_value_or_hash", "reject_cost_or_paid_provider_unknown", "reject_unredacted_payload"],
"rejection_guard_ids": [
"reject_secret_value_or_hash",
"reject_cost_or_paid_provider_unknown",
"reject_unredacted_payload"
],
"rollback_owner_required": true,
"postcheck_required": true,
"sensitive_payload_allowed": false,
@@ -403,72 +676,125 @@
{
"guard_id": "reject_missing_owner_response",
"display_name": "缺 owner response 拒收",
"applies_to_risk_tiers": ["high", "critical"],
"applies_to_risk_tiers": [
"high",
"critical"
],
"rejection_condition": "缺 owner role、decision、decision reason 或 affected scope 時拒收。",
"blocked_runtime_actions": ["live execution", "production write", "Gateway queue write"],
"blocked_runtime_actions": [
"live execution",
"production write",
"Gateway queue write"
],
"reviewer_action": "退回補 owner response不產生 runtime action。",
"sensitive_payload_quarantine_required": false
},
{
"guard_id": "reject_unredacted_payload",
"display_name": "未遮罩 payload 拒收",
"applies_to_risk_tiers": ["high", "critical"],
"applies_to_risk_tiers": [
"high",
"critical"
],
"rejection_condition": "包含 raw payload、未遮罩路由、未遮罩 log 或未遮罩訊息內容時拒收。",
"blocked_runtime_actions": ["raw payload storage", "frontend display", "Telegram send"],
"blocked_runtime_actions": [
"raw payload storage",
"frontend display",
"Telegram send"
],
"reviewer_action": "退回 redaction contract僅保留 metadata。",
"sensitive_payload_quarantine_required": true
},
{
"guard_id": "reject_direct_runtime_instruction",
"display_name": "直接執行指令拒收",
"applies_to_risk_tiers": ["high", "critical"],
"applies_to_risk_tiers": [
"high",
"critical"
],
"rejection_condition": "要求直接 reload、restart、kubectl、host write 或 auto worker 執行時拒收。",
"blocked_runtime_actions": ["auto worker", "live execution", "host write", "kubectl action"],
"blocked_runtime_actions": [
"auto worker",
"live execution",
"host write",
"kubectl action"
],
"reviewer_action": "改成 approval packet 與 dry-run verifier。",
"sensitive_payload_quarantine_required": false
},
{
"guard_id": "reject_secret_value_or_hash",
"display_name": "secret 值或 hash 拒收",
"applies_to_risk_tiers": ["high", "critical"],
"applies_to_risk_tiers": [
"high",
"critical"
],
"rejection_condition": "任何 secret value、secret hash、partial token 或 chat id secret 進入 packet 時拒收。",
"blocked_runtime_actions": ["secret read", "secret hash collection", "secret rotation"],
"blocked_runtime_actions": [
"secret read",
"secret hash collection",
"secret rotation"
],
"reviewer_action": "只保留 secret name 與 owner attestation。",
"sensitive_payload_quarantine_required": true
},
{
"guard_id": "reject_missing_rollback_owner",
"display_name": "缺 rollback owner 拒收",
"applies_to_risk_tiers": ["high", "critical"],
"applies_to_risk_tiers": [
"high",
"critical"
],
"rejection_condition": "沒有 rollback owner、rollback scope 或 rollback stop condition 時拒收。",
"blocked_runtime_actions": ["production write", "rollback command"],
"blocked_runtime_actions": [
"production write",
"rollback command"
],
"reviewer_action": "退回補 rollback owner 與 no-op rollback proof。",
"sensitive_payload_quarantine_required": false
},
{
"guard_id": "reject_missing_verifier",
"display_name": "缺 verifier / post-check 拒收",
"applies_to_risk_tiers": ["high", "critical"],
"applies_to_risk_tiers": [
"high",
"critical"
],
"rejection_condition": "沒有 verifier id、post-check evidence 或 receipt expectation 時拒收。",
"blocked_runtime_actions": ["live execution", "receipt production write"],
"blocked_runtime_actions": [
"live execution",
"receipt production write"
],
"reviewer_action": "退回補 verifier plan 與 receipt gate。",
"sensitive_payload_quarantine_required": false
},
{
"guard_id": "reject_cost_or_paid_provider_unknown",
"display_name": "費用或付費 provider 未明拒收",
"applies_to_risk_tiers": ["critical"],
"applies_to_risk_tiers": [
"critical"
],
"rejection_condition": "沒有 cost cap、paid provider scope、quota 或 privacy egress impact 時拒收。",
"blocked_runtime_actions": ["paid API call", "AI provider switch", "cost quota change"],
"blocked_runtime_actions": [
"paid API call",
"AI provider switch",
"cost quota change"
],
"reviewer_action": "退回補市場分數、費用與資料邊界。",
"sensitive_payload_quarantine_required": false
},
{
"guard_id": "reject_openclaw_role_change_without_market_scorecard",
"display_name": "OpenClaw 角色調整缺市場分數拒收",
"applies_to_risk_tiers": ["critical"],
"applies_to_risk_tiers": [
"critical"
],
"rejection_condition": "沒有主流市場 scorecard、benchmark、ADR 與 rollback plan 時,任何 OpenClaw 角色調整都拒收。",
"blocked_runtime_actions": ["OpenClaw role replacement", "model role promotion", "ADR write"],
"blocked_runtime_actions": [
"OpenClaw role replacement",
"model role promotion",
"ADR write"
],
"reviewer_action": "退回市場資料評估,不接受硬編碼固定結論。",
"sensitive_payload_quarantine_required": false
}
@@ -478,7 +804,13 @@
"checklist_id": "check_redacted_evidence_refs",
"display_name": "遮罩證據 refs 檢查",
"owner_agent": "hermes",
"required_checks": ["source ref exists", "metadata only", "no raw payload", "no work window transcript", "redaction proof"],
"required_checks": [
"source ref exists",
"metadata only",
"no raw payload",
"no work window transcript",
"redaction proof"
],
"pass_condition": "只呈現可公開治理欄位與 committed snapshot ref。",
"approval_decision_allowed": false,
"checklist_write_allowed": false,
@@ -488,7 +820,13 @@
"checklist_id": "check_blast_radius",
"display_name": "影響範圍檢查",
"owner_agent": "openclaw",
"required_checks": ["affected service", "data impact", "customer impact", "rollback path", "maintenance window"],
"required_checks": [
"affected service",
"data impact",
"customer impact",
"rollback path",
"maintenance window"
],
"pass_condition": "影響範圍與停損條件足以讓 owner 判斷。",
"approval_decision_allowed": false,
"checklist_write_allowed": false,
@@ -498,7 +836,13 @@
"checklist_id": "check_rollback_owner",
"display_name": "rollback owner 檢查",
"owner_agent": "sre",
"required_checks": ["rollback owner", "rollback scope", "no-op proof", "stop condition", "post rollback check"],
"required_checks": [
"rollback owner",
"rollback scope",
"no-op proof",
"stop condition",
"post rollback check"
],
"pass_condition": "rollback 欄位完整,但仍不執行 rollback command。",
"approval_decision_allowed": false,
"checklist_write_allowed": false,
@@ -508,7 +852,13 @@
"checklist_id": "check_postcheck_verifier",
"display_name": "post-check verifier 檢查",
"owner_agent": "sre",
"required_checks": ["verifier id", "receipt expectation", "readback endpoint", "failure handling", "runtime gate remains zero"],
"required_checks": [
"verifier id",
"receipt expectation",
"readback endpoint",
"failure handling",
"runtime gate remains zero"
],
"pass_condition": "verifier 只做 無寫入 readback plan不寫 receipt production target。",
"approval_decision_allowed": false,
"checklist_write_allowed": false,
@@ -518,7 +868,13 @@
"checklist_id": "check_telegram_receipt_route",
"display_name": "Telegram receipt route 檢查",
"owner_agent": "hermes",
"required_checks": ["canonical room env", "message shape", "dedupe key", "delivery receipt metadata", "Bot API remains false"],
"required_checks": [
"canonical room env",
"message shape",
"dedupe key",
"delivery receipt metadata",
"Bot API remains false"
],
"pass_condition": "可讀回 route 與 receipt 欄位,但不寫 Gateway queue、不送 Telegram。",
"approval_decision_allowed": false,
"checklist_write_allowed": false,
@@ -528,7 +884,14 @@
"checklist_id": "check_market_scorecard",
"display_name": "主流市場 scorecard 檢查",
"owner_agent": "nemotron",
"required_checks": ["benchmark source", "model card", "cost impact", "role fit", "fallback plan", "ADR ref"],
"required_checks": [
"benchmark source",
"model card",
"cost impact",
"role fit",
"fallback plan",
"ADR ref"
],
"pass_condition": "只產市場評估輸入,不改 agent role、不改 provider route。",
"approval_decision_allowed": false,
"checklist_write_allowed": false,
@@ -538,7 +901,14 @@
"checklist_id": "check_cost_secret_data_boundary",
"display_name": "費用 / secret / 隱私邊界檢查",
"owner_agent": "security",
"required_checks": ["cost cap", "secret name only", "privacy egress", "provider scope", "audit reason", "rollback owner"],
"required_checks": [
"cost cap",
"secret name only",
"privacy egress",
"provider scope",
"audit reason",
"rollback owner"
],
"pass_condition": "費用與資料外流風險可審核,但不呼叫付費 API、不讀 secret。",
"approval_decision_allowed": false,
"checklist_write_allowed": false,
@@ -546,15 +916,15 @@
}
],
"routing_policy": {
"high_risk_default_route": "pause_to_owner_review_queue",
"critical_risk_default_route": "pause_to_owner_review_queue",
"low_medium_runtime_route": "pause_until_owner_approved_runtime_gate",
"owner_response_required": true,
"high_risk_default_route": "controlled_apply_queue",
"critical_risk_default_route": "critical_break_glass_queue",
"low_medium_runtime_route": "controlled_apply_queue",
"owner_response_required": false,
"verbal_approval_accepted": false,
"redacted_payload_only": true
},
"activation_boundaries": {
"read_only_owner_review_queue_allowed": true,
"read_only_owner_review_queue_allowed": false,
"approval_packet_preview_allowed": true,
"rejection_guard_preview_allowed": true,
"reviewer_checklist_allowed": true,
@@ -570,7 +940,9 @@
"host_write_enabled": false,
"kubectl_action_enabled": false,
"destructive_operation_enabled": false,
"openclaw_replacement_allowed": false
"openclaw_replacement_allowed": false,
"controlled_apply_queue_readback_allowed": true,
"critical_break_glass_queue_readback_allowed": true
},
"telegram_policy": {
"canonical_room": "AwoooI SRE 戰情室",
@@ -638,7 +1010,11 @@
"paid_api_call_count": 0,
"host_write_count": 0,
"kubectl_action_count": 0,
"destructive_operation_count": 0
"destructive_operation_count": 0,
"controlled_apply_queue_count": 5,
"critical_break_glass_queue_count": 2,
"owner_response_required_count": 2,
"high_risk_owner_review_required_count": 0
},
"next_actions": [
{


@@ -2,7 +2,7 @@
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "urn:awoooi:ai-agent-high-risk-owner-review-queue-v1",
"title": "AWOOOI AI Agent high risk owner review queue v1",
"description": "P2-409 將 P2-408 high / critical 分流、P2-110D / P2-110E 報表資料源缺口與 Telegram egress owner request 草稿收斂成高風險 Owner Review Queue。此 schema 只允許 committed snapshot、approval packet preview、rejection guard preview 與 governance UI 呈現,不授權 auto worker、live execution、Gateway queue 寫入、Telegram 實發、Bot API、receipt production write、production write、secret 讀取、付費 API、host write、kubectl、OpenClaw 取代或不可逆操作。",
"description": "P2-409 將 P2-408 high / critical 分流、P2-110D / P2-110E 報表資料源缺口與 Telegram egress owner request 草稿收斂成高風險受控自動執行 / critical break-glass 佇列。此 schema 只允許 committed snapshot、controlled apply packet preview、break-glass packet preview、rejection guard preview 與 governance UI 呈現,不授權此 readback 自行啟動 auto worker、live execution、Gateway queue 寫入、Telegram 實發、Bot API、receipt production write、production write、secret 讀取、付費 API、host write、kubectl、OpenClaw 取代或不可逆操作。",
"type": "object",
"required": [
"schema_version",
@@ -42,7 +42,7 @@
"current_task_id": { "type": "string", "const": "P2-409" },
"next_task_id": { "type": "string", "const": "P2-410" },
"read_only_mode": { "type": "boolean", "const": true },
"runtime_authority": { "type": "string", "const": "high_risk_owner_review_queue_no_live_execution_committed_snapshot" },
"runtime_authority": { "type": "string", "const": "controlled_apply_break_glass_queue_readback_no_live_execution" },
"status_note": { "type": "string", "minLength": 1 }
},
"additionalProperties": false
@@ -65,10 +65,10 @@
"redacted_payload_only"
],
"properties": {
"high_risk_default_route": { "type": "string", "const": "pause_to_owner_review_queue" },
"critical_risk_default_route": { "type": "string", "const": "pause_to_owner_review_queue" },
"low_medium_runtime_route": { "type": "string", "const": "pause_until_owner_approved_runtime_gate" },
"owner_response_required": { "type": "boolean", "const": true },
"high_risk_default_route": { "type": "string", "const": "controlled_apply_queue" },
"critical_risk_default_route": { "type": "string", "const": "critical_break_glass_queue" },
"low_medium_runtime_route": { "type": "string", "const": "controlled_apply_queue" },
"owner_response_required": { "type": "boolean", "const": false },
"verbal_approval_accepted": { "type": "boolean", "const": false },
"redacted_payload_only": { "type": "boolean", "const": true }
},
@@ -167,14 +167,14 @@
"display_name": { "type": "string", "minLength": 1 },
"risk_tier": { "enum": ["high", "critical"] },
"owner_agent": { "enum": ["openclaw", "hermes", "nemotron", "sre", "security", "devops"] },
"queue_status": { "enum": ["paused_owner_review_required", "blocked_missing_owner_response", "approval_packet_preview_ready"] },
"queue_status": { "enum": ["controlled_apply_packet_ready", "critical_break_glass_required", "blocked_missing_owner_response", "approval_packet_preview_ready"] },
"source_readback_ids": { "type": "array", "minItems": 1, "items": { "type": "string" } },
"approval_packet_id": { "type": "string", "minLength": 1 },
"rejection_guard_ids": { "type": "array", "minItems": 1, "items": { "type": "string" } },
"reviewer_checklist_ids": { "type": "array", "minItems": 1, "items": { "type": "string" } },
"required_owner_fields": { "type": "array", "minItems": 1, "items": { "type": "string" } },
"blocked_runtime_actions": { "type": "array", "minItems": 1, "items": { "type": "string" } },
"owner_response_required": { "type": "boolean", "const": true },
"owner_response_required": { "type": "boolean" },
"rollback_owner_required": { "type": "boolean", "const": true },
"postcheck_required": { "type": "boolean", "const": true },
"live_execution_allowed": { "type": "boolean", "const": false },
@@ -209,7 +209,7 @@
"approval_packet_id": { "type": "string", "minLength": 1 },
"queue_item_id": { "type": "string", "minLength": 1 },
"display_name": { "type": "string", "minLength": 1 },
"packet_status": { "enum": ["draft_ready_owner_response_required", "blocked_missing_owner_response"] },
"packet_status": { "enum": ["controlled_apply_packet_ready", "break_glass_packet_ready", "blocked_missing_owner_response"] },
"required_owner_fields": { "type": "array", "minItems": 1, "items": { "type": "string" } },
"required_evidence_refs": { "type": "array", "minItems": 1, "items": { "type": "string" } },
"reviewer_checklist_id": { "type": "string", "minLength": 1 },