wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 4 Packages Projects Releases Wiki Activity
Files
main
awoooi/docs/evaluations/dependency_drift_check_plan_2026-06-04.json
Your Name cfb866d055
Some checks failed
Ansible Lint / lint (push) Successful in 35s
Details
CD Pipeline / tests (push) Failing after 13s
Details
CD Pipeline / build-and-deploy (push) Has been skipped
Details
CD Pipeline / post-deploy-checks (push) Has been skipped
Details
Code Review / ai-code-review (push) Failing after 11s
Details
feat(governance): add agent market automation surfaces
2026-06-04 21:50:55 +08:00

608 lines
22 KiB
JSON
Raw Permalink Blame History

{
"schema_version": "dependency_drift_check_plan_v1",
"generated_at": "2026-06-04T20:52:25+08:00",
"program_status": {
"overall_completion_percent": 99,
"current_priority": "P1",
"current_task_id": "P1-205",
"next_task_id": "P1-206",
"read_only_mode": true
},
"source_refs": [
"docs/evaluations/package_supply_chain_inventory_2026-06-04.json",
"docs/evaluations/javascript_package_inventory_2026-06-04.json",
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json",
"docs/evaluations/dependency_risk_policy_2026-06-04.json",
"docs/evaluations/agent_market_governance_snapshot_2026-06-04.json",
"docs/ai/AI_AGENT_AUTOMATION_WORKLIST_2026-06-04.md",
"docs/HARD_RULES.md"
],
"rollups": {
"total_cadence_items": 5,
"total_local_checks": 5,
"total_external_source_candidates": 10,
"by_domain": {
"python": 2,
"javascript": 3,
"docker": 3,
"policy": 1,
"cve": 2,
"license": 2,
"agent_market": 4,
"external_sources": 2,
"approval_package": 1
},
"read_only_local_check_ids": [
"python_manifest_drift_local_check",
"javascript_lockfile_drift_local_check",
"dockerfile_surface_drift_local_check",
"dependency_policy_consistency_local_check",
"agent_market_snapshot_freshness_local_check"
],
"approval_required_source_ids": [
"osv_advisory_candidate",
"github_advisory_candidate",
"pypi_registry_candidate",
"npm_registry_candidate",
"docker_hub_manifest_candidate",
"ghcr_manifest_candidate",
"package_license_metadata_candidate",
"deps_dev_license_candidate",
"agent_official_release_candidate",
"agent_benchmark_signal_candidate"
],
"design_only_cadence_ids": [
"daily_repo_drift_readonly",
"weekly_external_source_review",
"weekly_agent_market_watch_review",
"monthly_upgrade_approval_batch",
"failure_only_notification_review"
]
},
"cadence_policy": {
"timezone": "Asia/Taipei",
"items": [
{
"cadence_id": "daily_repo_drift_readonly",
"domain": "javascript",
"frequency": "daily design; activation requires P1-206 approval package or operator approval",
"activation_status": "design_only",
"owner_agent": "hermes",
"allowed_now": [
"read committed JSON snapshots",
"compare repo manifests and lockfiles",
"emit read-only drift report design"
],
"blocked_now": [
"pnpm install",
"npm audit",
"package upgrade",
"lockfile write",
"workflow activation"
],
"planned_output": "future docs/evaluations/dependency_drift_run_YYYY-MM-DD.json",
"failure_notification": "failure-only AwoooP / Telegram event after schedule is explicitly approved"
},
{
"cadence_id": "weekly_external_source_review",
"domain": "external_sources",
"frequency": "weekly design; external calls blocked until source approval",
"activation_status": "blocked_until_approval",
"owner_agent": "openclaw",
"allowed_now": [
"source list review",
"cost and rate-limit analysis",
"approval package preparation"
],
"blocked_now": [
"external CVE lookup",
"external license lookup",
"registry freshness lookup",
"paid API call"
],
"planned_output": "future external-source approval package",
"failure_notification": "only notify when approved source health check fails or data staleness exceeds threshold"
},
{
"cadence_id": "weekly_agent_market_watch_review",
"domain": "agent_market",
"frequency": "weekly design; market lookup remains approval-bound",
"activation_status": "blocked_until_approval",
"owner_agent": "nemotron",
"allowed_now": [
"read existing agent-market snapshots",
"offline comparison against committed evidence",
"prepare source approval package"
],
"blocked_now": [
"SDK installation",
"paid API call",
"shadow/canary",
"production routing",
"unapproved external market lookup"
],
"planned_output": "future agent-market watch source approval package",
"failure_notification": "failure-only AwoooP / Telegram event after approved cadence is active"
},
{
"cadence_id": "monthly_upgrade_approval_batch",
"domain": "approval_package",
"frequency": "monthly design; package generation only after P1-206",
"activation_status": "design_only",
"owner_agent": "openclaw",
"allowed_now": [
"define approval package fields",
"map dependency risk rules to upgrade candidates"
],
"blocked_now": [
"package upgrade",
"lockfile write",
"docker build",
"image rebuild",
"registry push"
],
"planned_output": "future P1-206 approval package template",
"failure_notification": "operator review only when a high/critical candidate cannot be triaged"
},
{
"cadence_id": "failure_only_notification_review",
"domain": "external_sources",
"frequency": "each approved scheduled run",
"activation_status": "design_only",
"owner_agent": "hermes",
"allowed_now": [
"document notification contract",
"define success suppression and failure escalation"
],
"blocked_now": [
"Telegram routing change",
"Alertmanager rule change",
"workflow activation"
],
"planned_output": "future notification contract for scheduled drift checks",
"failure_notification": "success stays quiet; failed run, stale source, rate-limit exhaustion, or schema mismatch notifies AwoooP / Telegram"
}
]
},
"local_check_plan": [
{
"check_id": "python_manifest_drift_local_check",
"domain": "python",
"status": "read_only_design",
"owner_agent": "hermes",
"frequency": "daily or pre-merge after approval",
"input_refs": [
"apps/api/pyproject.toml",
"apps/api/requirements.txt",
"packages/lewooogo-data/pyproject.toml",
"packages/lewooogo-brain/pyproject.toml",
"docs/evaluations/package_supply_chain_inventory_2026-06-04.json"
],
"planned_output": "python manifest drift report; no requirements rewrite",
"allowed_now": [
"read manifests",
"compare committed dependency specifiers",
"flag authority drift"
],
"blocked_now": [
"pip install",
"uv sync",
"requirements delete",
"lockfile write",
"docker build"
],
"acceptance_criteria": [
"reports pyproject / requirements drift without modifying either file",
"maps drift to P1-204 severity rules",
"emits approval package requirement for any remediation"
]
},
{
"check_id": "javascript_lockfile_drift_local_check",
"domain": "javascript",
"status": "read_only_design",
"owner_agent": "hermes",
"frequency": "daily or pre-merge after approval",
"input_refs": [
"package.json",
"apps/web/package.json",
"packages/shared-types/package.json",
"pnpm-lock.yaml",
"docs/evaluations/javascript_package_inventory_2026-06-04.json"
],
"planned_output": "pnpm importer specifier drift report; no pnpm install",
"allowed_now": [
"read package manifests",
"read pnpm-lock.yaml",
"compare importer specifiers"
],
"blocked_now": [
"pnpm install",
"pnpm update",
"npm audit",
"lockfile write",
"package publish"
],
"acceptance_criteria": [
"reports missing/mismatch/extra dependencies",
"keeps lockfile untouched",
"flags shared-types publish boundary for approval package"
]
},
{
"check_id": "dockerfile_surface_drift_local_check",
"domain": "docker",
"status": "read_only_design",
"owner_agent": "hermes",
"frequency": "weekly or Dockerfile-change after approval",
"input_refs": [
"apps/api/Dockerfile",
"apps/web/Dockerfile",
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json"
],
"planned_output": "Dockerfile surface drift report; no build or pull",
"allowed_now": [
"read Dockerfiles",
"compare FROM and COPY --from references",
"compare build-time network fetch patterns"
],
"blocked_now": [
"docker build",
"image pull",
"image rebuild",
"registry push",
"production routing"
],
"acceptance_criteria": [
"reports base image, digest pin, binary source, network fetch, and healthcheck drift",
"does not contact registries",
"maps remediation to P1-206 approval package"
]
},
{
"check_id": "dependency_policy_consistency_local_check",
"domain": "policy",
"status": "read_only_design",
"owner_agent": "openclaw",
"frequency": "weekly after approval",
"input_refs": [
"docs/evaluations/package_supply_chain_inventory_2026-06-04.json",
"docs/evaluations/dependency_risk_policy_2026-06-04.json",
"docs/ai/AI_AGENT_AUTOMATION_WORKLIST_2026-06-04.md"
],
"planned_output": "policy consistency report for severity rules and next actions",
"allowed_now": [
"read committed policies",
"validate rollups",
"detect stale next_action references"
],
"blocked_now": [
"policy override",
"approval bypass",
"production change"
],
"acceptance_criteria": [
"catches stale P1 task references",
"keeps operation_boundaries false",
"requires OpenClaw/HITL for any gate change"
]
},
{
"check_id": "agent_market_snapshot_freshness_local_check",
"domain": "agent_market",
"status": "read_only_design",
"owner_agent": "nemotron",
"frequency": "weekly after approval",
"input_refs": [
"docs/evaluations/agent_market_governance_snapshot_2026-06-04.json",
"docs/ai/agent-market-watch-sources.v1.json",
"docs/runbooks/OPENCLAW-REPLACEMENT-EVALUATION.md"
],
"planned_output": "agent-market freshness report using committed snapshots only",
"allowed_now": [
"read committed market governance snapshots",
"compare stale source timestamps",
"prepare source approval package"
],
"blocked_now": [
"unapproved external market lookup",
"SDK installation",
"paid API call",
"shadow/canary",
"production routing"
],
"acceptance_criteria": [
"keeps Nemotron at offline expert role until replay evidence improves",
"detects stale market evidence without claiming current market truth",
"routes replacement questions to OpenClaw/HITL approval boundaries"
]
}
],
"external_source_candidates": [
{
"source_id": "osv_advisory_candidate",
"domain": "cve",
"source_type": "public vulnerability advisory API candidate",
"approval_status": "approval_required",
"auth_required": false,
"cost_profile": "free_public_candidate",
"rate_limit_risk": "medium",
"cache_policy": "cache advisory responses per package/version for at least 24h after approval",
"data_retention_policy": "store only package, version, advisory id, severity, source timestamp, and lookup time",
"permitted_after_approval": [
"read-only vulnerability lookup",
"severity mapping to dependency_risk_policy_v1"
],
"blocked_now": [
"external CVE lookup",
"automated remediation",
"package upgrade"
],
"owner_agent": "openclaw",
"evidence_refs": [
"docs/evaluations/dependency_risk_policy_2026-06-04.json"
]
},
{
"source_id": "github_advisory_candidate",
"domain": "cve",
"source_type": "advisory database candidate",
"approval_status": "approval_required",
"auth_required": false,
"cost_profile": "unknown_until_review",
"rate_limit_risk": "medium",
"cache_policy": "cache advisory ids and affected ranges; avoid repeated queries",
"data_retention_policy": "store minimal advisory metadata and source timestamp",
"permitted_after_approval": [
"cross-check high and critical advisories"
],
"blocked_now": [
"external advisory lookup",
"paid API call",
"package upgrade"
],
"owner_agent": "openclaw",
"evidence_refs": [
"docs/evaluations/dependency_risk_policy_2026-06-04.json"
]
},
{
"source_id": "pypi_registry_candidate",
"domain": "python_registry",
"source_type": "Python package registry freshness candidate",
"approval_status": "approval_required",
"auth_required": false,
"cost_profile": "free_public_candidate",
"rate_limit_risk": "medium",
"cache_policy": "cache package release metadata per package for 24h after approval",
"data_retention_policy": "store package name, current specifier, latest seen version, source timestamp, and lookup time",
"permitted_after_approval": [
"read-only version freshness comparison"
],
"blocked_now": [
"registry lookup",
"pip install",
"uv sync",
"package upgrade"
],
"owner_agent": "hermes",
"evidence_refs": [
"apps/api/pyproject.toml",
"docs/evaluations/package_supply_chain_inventory_2026-06-04.json"
]
},
{
"source_id": "npm_registry_candidate",
"domain": "javascript_registry",
"source_type": "JavaScript package registry freshness candidate",
"approval_status": "approval_required",
"auth_required": false,
"cost_profile": "free_public_candidate",
"rate_limit_risk": "medium",
"cache_policy": "cache package dist-tag and version metadata for 24h after approval",
"data_retention_policy": "store package name, current specifier, lockfile version, latest seen version, and source timestamp",
"permitted_after_approval": [
"read-only package freshness comparison"
],
"blocked_now": [
"registry lookup",
"npm audit",
"pnpm install",
"package upgrade",
"lockfile write"
],
"owner_agent": "hermes",
"evidence_refs": [
"apps/web/package.json",
"pnpm-lock.yaml",
"docs/evaluations/javascript_package_inventory_2026-06-04.json"
]
},
{
"source_id": "docker_hub_manifest_candidate",
"domain": "docker_registry",
"source_type": "container image manifest freshness candidate",
"approval_status": "approval_required",
"auth_required": false,
"cost_profile": "free_public_candidate",
"rate_limit_risk": "high",
"cache_policy": "cache image tag and digest metadata for 24h after approval; throttle by image",
"data_retention_policy": "store image ref, tag, digest, source timestamp, and lookup time",
"permitted_after_approval": [
"read-only digest freshness comparison"
],
"blocked_now": [
"image pull",
"docker build",
"image rebuild",
"registry push"
],
"owner_agent": "openclaw",
"evidence_refs": [
"apps/api/Dockerfile",
"apps/web/Dockerfile",
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json"
]
},
{
"source_id": "ghcr_manifest_candidate",
"domain": "docker_registry",
"source_type": "GHCR image manifest freshness candidate",
"approval_status": "approval_required",
"auth_required": false,
"cost_profile": "unknown_until_review",
"rate_limit_risk": "high",
"cache_policy": "cache image tag and digest metadata for 24h after approval; no pull",
"data_retention_policy": "store image ref, tag, digest, source timestamp, and lookup time",
"permitted_after_approval": [
"read-only digest freshness comparison"
],
"blocked_now": [
"image pull",
"docker build",
"image rebuild",
"registry push"
],
"owner_agent": "openclaw",
"evidence_refs": [
"apps/api/Dockerfile",
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json"
]
},
{
"source_id": "package_license_metadata_candidate",
"domain": "license",
"source_type": "package metadata license field candidate",
"approval_status": "approval_required",
"auth_required": false,
"cost_profile": "free_public_candidate",
"rate_limit_risk": "medium",
"cache_policy": "cache package license metadata for 7 days after approval",
"data_retention_policy": "store package name, version, license expression, source timestamp, and lookup time",
"permitted_after_approval": [
"read-only license metadata comparison"
],
"blocked_now": [
"external license lookup",
"legal conclusion",
"package publish",
"package upgrade"
],
"owner_agent": "openclaw",
"evidence_refs": [
"docs/evaluations/dependency_risk_policy_2026-06-04.json",
"packages/shared-types/package.json"
]
},
{
"source_id": "deps_dev_license_candidate",
"domain": "license",
"source_type": "dependency graph and license metadata candidate",
"approval_status": "approval_required",
"auth_required": false,
"cost_profile": "unknown_until_review",
"rate_limit_risk": "medium",
"cache_policy": "cache normalized dependency/license metadata for 7 days after approval",
"data_retention_policy": "store only package, version, license, dependency path summary, source timestamp, and lookup time",
"permitted_after_approval": [
"read-only transitive license review"
],
"blocked_now": [
"external license lookup",
"legal conclusion",
"package upgrade"
],
"owner_agent": "openclaw",
"evidence_refs": [
"docs/evaluations/dependency_risk_policy_2026-06-04.json"
]
},
{
"source_id": "agent_official_release_candidate",
"domain": "agent_market",
"source_type": "official release notes, docs, changelog, or repository release candidate",
"approval_status": "approval_required",
"auth_required": false,
"cost_profile": "unknown_until_review",
"rate_limit_risk": "medium",
"cache_policy": "cache source snapshots and version metadata for 7 days after approval",
"data_retention_policy": "store product name, version or release marker, source timestamp, summary, and lookup time",
"permitted_after_approval": [
"read-only AI Agent market version watch",
"candidate emergence detection",
"operator review queue update"
],
"blocked_now": [
"unapproved market lookup",
"SDK installation",
"paid API call",
"shadow/canary",
"production routing"
],
"owner_agent": "nemotron",
"evidence_refs": [
"docs/evaluations/agent_market_governance_snapshot_2026-06-04.json",
"docs/ai/agent-market-watch-sources.v1.json"
]
},
{
"source_id": "agent_benchmark_signal_candidate",
"domain": "agent_market",
"source_type": "public benchmark, leaderboard, or evaluation report candidate",
"approval_status": "approval_required",
"auth_required": false,
"cost_profile": "unknown_until_review",
"rate_limit_risk": "unknown",
"cache_policy": "cache benchmark snapshot references for 7 days after approval",
"data_retention_policy": "store benchmark name, candidate name, score summary, source timestamp, and lookup time",
"permitted_after_approval": [
"read-only market score evidence refresh",
"OpenClaw replacement evidence queue update"
],
"blocked_now": [
"unapproved market lookup",
"replacement decision",
"shadow/canary",
"production routing"
],
"owner_agent": "openclaw",
"evidence_refs": [
"docs/runbooks/OPENCLAW-REPLACEMENT-EVALUATION.md",
"docs/evaluations/agent_market_governance_snapshot_2026-06-04.json"
]
}
],
"notification_policy": {
"success_notification": "成功檢查預設不即時通知,避免洗版;結果只寫入 committed snapshot 或治理看板。",
"failure_notification": "失敗、schema mismatch、來源過期、rate-limit exhaustion、成本邊界不明或 high/critical policy hit 才通知 AwoooP / Telegram。",
"operator_review_trigger": "任何外部來源啟用、SDK 安裝、付費 API、shadow/canary、生產路由、套件升級、lockfile 寫入或 image rebuild 都必須進人工批准。"
},
"operation_boundaries": {
"read_only_plan_allowed": true,
"schedule_activation_allowed": false,
"workflow_write_allowed": false,
"external_cve_lookup_allowed": false,
"external_license_lookup_allowed": false,
"registry_lookup_allowed": false,
"agent_market_external_lookup_allowed": false,
"sdk_installation_allowed": false,
"paid_api_call_allowed": false,
"package_installation_allowed": false,
"package_upgrade_allowed": false,
"lockfile_write_allowed": false,
"docker_build_allowed": false,
"image_pull_allowed": false,
"image_rebuild_allowed": false,
"registry_push_allowed": false,
"shadow_or_canary_allowed": false,
"production_routing_allowed": false
},
"approval_boundaries": {
"sdk_installation_allowed": false,
"paid_api_call_allowed": false,
"shadow_or_canary_allowed": false,
"production_routing_allowed": false,
"destructive_operation_allowed": false
}
}
Reference in New Issue View Git Blame Copy Permalink