wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 6 Packages Projects Releases Wiki Activity
Files
2a2cb16c135fd7e5b159d94de9b5ff04f6cf31f5
awoooi/docs/evaluations/dependency_upgrade_approval_package_template_2026-06-04.json
Your Name cfb866d055
Some checks failed
Ansible Lint / lint (push) Successful in 35s
Details
CD Pipeline / tests (push) Failing after 13s
Details
CD Pipeline / build-and-deploy (push) Has been skipped
Details
CD Pipeline / post-deploy-checks (push) Has been skipped
Details
Code Review / ai-code-review (push) Failing after 11s
Details
feat(governance): add agent market automation surfaces
2026-06-04 21:50:55 +08:00

454 lines
16 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"schema_version": "dependency_upgrade_approval_package_template_v1",
"generated_at": "2026-06-04T21:06:22+08:00",
"program_status": {
"overall_completion_percent": 100,
"current_priority": "P1",
"current_task_id": "P1-206",
"next_task_id": "P1-103",
"read_only_mode": true
},
"source_refs": [
"docs/evaluations/package_supply_chain_inventory_2026-06-04.json",
"docs/evaluations/javascript_package_inventory_2026-06-04.json",
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json",
"docs/evaluations/dependency_risk_policy_2026-06-04.json",
"docs/evaluations/dependency_drift_check_plan_2026-06-04.json",
"docs/ai/AI_AGENT_AUTOMATION_WORKLIST_2026-06-04.md",
"docs/HARD_RULES.md"
],
"rollups": {
"total_templates": 8,
"by_domain": {
"python": 2,
"javascript": 2,
"docker": 3,
"external_sources": 1
},
"template_ready_ids": [
"python_manifest_authority_package",
"python_lock_constraints_package",
"javascript_high_impact_upgrade_package",
"shared_types_publish_boundary_package",
"docker_base_digest_pin_package",
"docker_binary_checksum_package",
"docker_build_network_source_package",
"external_source_activation_package"
],
"hitl_required_template_ids": [
"python_manifest_authority_package",
"python_lock_constraints_package",
"javascript_high_impact_upgrade_package",
"shared_types_publish_boundary_package",
"docker_base_digest_pin_package",
"docker_binary_checksum_package",
"docker_build_network_source_package",
"external_source_activation_package"
]
},
"approval_fields": [
{
"field_id": "evidence_refs",
"required": true,
"description": "列出 committed snapshots、manifest、Dockerfile、lockfile、market evidence 或 source approval evidence。"
},
{
"field_id": "current_state",
"required": true,
"description": "描述目前版本、specifier、digest、license、publish boundary 或 source status。"
},
{
"field_id": "proposed_change",
"required": true,
"description": "描述提議修改;模板本身不得修改任何檔案或啟用來源。"
},
{
"field_id": "risk_severity_mapping",
"required": true,
"description": "對應 dependency_risk_policy_v1 的 critical/high/medium/low 規則。"
},
{
"field_id": "blast_radius",
"required": true,
"description": "列出受影響服務、runtime、build、publish、registry、AI Agent 或 production surface。"
},
{
"field_id": "rollback_plan",
"required": true,
"description": "列出 rollback 指令、artifact、舊版本、舊 digest、舊 manifest 與回復驗證。"
},
{
"field_id": "tests_required",
"required": true,
"description": "列出 unit、schema、typecheck、smoke、browser、image scan 或 replay gates。"
},
{
"field_id": "manual_approval",
"required": true,
"description": "列出 OpenClaw 仲裁、HITL、費用、資料邊界、legal / owner review 與到期時間。"
}
],
"package_templates": [
{
"template_id": "python_manifest_authority_package",
"domain": "python",
"status": "template_ready",
"owner_agent": "openclaw",
"purpose": "決定 apps/api pyproject.toml、requirements.txt 與 Dockerfile install source 的權威關係。",
"required_evidence": [
"apps/api/pyproject.toml",
"apps/api/requirements.txt",
"apps/api/Dockerfile",
"docs/evaluations/package_supply_chain_inventory_2026-06-04.json"
],
"required_decisions": [
"pyproject 是否為唯一 runtime authority",
"requirements 是否保留、生成或廢止",
"Dockerfile install source 是否需要調整"
],
"required_tests": [
"Python dependency inventory tests",
"API unit tests",
"Dockerfile build policy review before any build"
],
"rollback_requirements": [
"保留原 requirements / pyproject refs",
"列出 revert patch 與 dependency source 回復方式"
],
"manual_approvals": [
"OpenClaw arbitration",
"HITL approval"
],
"prohibited_without_approval": [
"requirements delete",
"manifest write",
"package install",
"package upgrade",
"docker build"
],
"evidence_refs": [
"docs/evaluations/dependency_risk_policy_2026-06-04.json",
"docs/evaluations/dependency_drift_check_plan_2026-06-04.json"
]
},
{
"template_id": "python_lock_constraints_package",
"domain": "python",
"status": "template_ready",
"owner_agent": "hermes",
"purpose": "評估 Python lockfile / constraints policy不直接生成 lockfile。",
"required_evidence": [
"apps/api/pyproject.toml",
"packages/lewooogo-data/pyproject.toml",
"packages/lewooogo-brain/pyproject.toml",
"docs/evaluations/package_supply_chain_inventory_2026-06-04.json"
],
"required_decisions": [
"是否採用 uv.lock、constraints file 或維持 range constraints",
"哪些 runtime surface 必須 reproducible",
"lockfile 更新頻率與 owner"
],
"required_tests": [
"package supply-chain inventory tests",
"schema validation",
"API smoke after approved change"
],
"rollback_requirements": [
"列出回復舊 constraints / no-lock 狀態的 patch",
"列出 dependency resolution rollback evidence"
],
"manual_approvals": [
"OpenClaw arbitration",
"HITL approval"
],
"prohibited_without_approval": [
"lockfile write",
"uv sync",
"package install",
"package upgrade"
],
"evidence_refs": [
"docs/evaluations/dependency_risk_policy_2026-06-04.json"
]
},
{
"template_id": "javascript_high_impact_upgrade_package",
"domain": "javascript",
"status": "template_ready",
"owner_agent": "openclaw",
"purpose": "處理 Next / React / Sentry / Playwright / visualization 等高影響套件升級候選。",
"required_evidence": [
"apps/web/package.json",
"pnpm-lock.yaml",
"docs/evaluations/javascript_package_inventory_2026-06-04.json",
"docs/evaluations/dependency_drift_check_plan_2026-06-04.json"
],
"required_decisions": [
"升級是否由 CVE、freshness、compatibility 或 product need 觸發",
"是否允許 lockfile rewrite",
"是否需要 staged browser smoke"
],
"required_tests": [
"pnpm typecheck",
"targeted frontend tests",
"desktop and mobile browser smoke",
"schema validation for generated snapshots"
],
"rollback_requirements": [
"保留舊 package.json / pnpm-lock.yaml refs",
"列出 revert patch 與 browser smoke rollback gate"
],
"manual_approvals": [
"OpenClaw arbitration",
"HITL approval"
],
"prohibited_without_approval": [
"pnpm install",
"pnpm update",
"npm audit",
"lockfile write",
"package upgrade"
],
"evidence_refs": [
"docs/evaluations/javascript_package_inventory_2026-06-04.json",
"docs/evaluations/dependency_risk_policy_2026-06-04.json"
]
},
{
"template_id": "shared_types_publish_boundary_package",
"domain": "javascript",
"status": "template_ready",
"owner_agent": "openclaw",
"purpose": "確認 @awoooi/shared-types publishConfig access=public 是否為刻意 contract。",
"required_evidence": [
"packages/shared-types/package.json",
"docs/evaluations/javascript_package_inventory_2026-06-04.json"
],
"required_decisions": [
"package 是否應維持 public publish boundary",
"是否改 private=true",
"是否需要 package owner / consumer review"
],
"required_tests": [
"workspace dependency inventory",
"typecheck",
"consumer compatibility review"
],
"rollback_requirements": [
"列出 publish metadata revert patch",
"列出 package consumer impact rollback"
],
"manual_approvals": [
"OpenClaw arbitration",
"package owner review",
"HITL approval"
],
"prohibited_without_approval": [
"package publish",
"package metadata change",
"lockfile write"
],
"evidence_refs": [
"docs/evaluations/dependency_risk_policy_2026-06-04.json"
]
},
{
"template_id": "docker_base_digest_pin_package",
"domain": "docker",
"status": "template_ready",
"owner_agent": "openclaw",
"purpose": "為 python:3.11-slim、node:20-alpine、ghcr.io/astral-sh/uv:0.6.9 建立 digest pin 批准包。",
"required_evidence": [
"apps/api/Dockerfile",
"apps/web/Dockerfile",
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json"
],
"required_decisions": [
"是否啟用 registry manifest lookup",
"digest pin source 與 cache policy",
"image rebuild 與 rollback gate"
],
"required_tests": [
"Dockerfile surface inventory",
"image rebuild approval checklist",
"post-build smoke plan before any build"
],
"rollback_requirements": [
"列出舊 tag refs 與 digest revert",
"列出 image rollback target 與 deployment rollback plan"
],
"manual_approvals": [
"OpenClaw arbitration",
"registry/source approval",
"HITL approval"
],
"prohibited_without_approval": [
"image pull",
"docker build",
"image rebuild",
"registry push",
"production routing"
],
"evidence_refs": [
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json",
"docs/evaluations/dependency_drift_check_plan_2026-06-04.json"
]
},
{
"template_id": "docker_binary_checksum_package",
"domain": "docker",
"status": "template_ready",
"owner_agent": "openclaw",
"purpose": "為 API Dockerfile 下載 kubectl v1.29.0 的 checksum / signature policy 建立批准包。",
"required_evidence": [
"apps/api/Dockerfile",
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json"
],
"required_decisions": [
"checksum / signature source",
"是否替換下載方式",
"失敗時是否阻擋 build"
],
"required_tests": [
"Dockerfile surface inventory",
"checksum verification dry-run design",
"API image smoke plan before approved build"
],
"rollback_requirements": [
"保留舊 kubectl source refs",
"列出 checksum policy revert patch"
],
"manual_approvals": [
"OpenClaw arbitration",
"HITL approval"
],
"prohibited_without_approval": [
"Dockerfile write",
"docker build",
"image rebuild",
"registry push"
],
"evidence_refs": [
"docs/evaluations/dependency_risk_policy_2026-06-04.json"
]
},
{
"template_id": "docker_build_network_source_package",
"domain": "docker",
"status": "template_ready",
"owner_agent": "hermes",
"purpose": "為 apt-get、curl、corepack prepare、pnpm install 等 build-time network source 建立白名單 / cache / failure policy 批准包。",
"required_evidence": [
"apps/api/Dockerfile",
"apps/web/Dockerfile",
"pnpm-lock.yaml",
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json"
],
"required_decisions": [
"允許的 build-time network source",
"cache / mirror strategy",
"failure-only notification threshold"
],
"required_tests": [
"Dockerfile inventory",
"network source policy validation",
"post-build smoke plan before approved build"
],
"rollback_requirements": [
"列出回復原 Dockerfile network fetch path 的 patch",
"列出 cache / mirror rollback"
],
"manual_approvals": [
"OpenClaw arbitration",
"HITL approval"
],
"prohibited_without_approval": [
"Dockerfile write",
"docker build",
"image rebuild",
"registry push"
],
"evidence_refs": [
"docs/evaluations/dependency_drift_check_plan_2026-06-04.json"
]
},
{
"template_id": "external_source_activation_package",
"domain": "external_sources",
"status": "template_ready",
"owner_agent": "openclaw",
"purpose": "啟用 CVE、license、registry freshness 或 AI Agent market source 前的統一批准包。",
"required_evidence": [
"docs/evaluations/dependency_drift_check_plan_2026-06-04.json",
"docs/evaluations/agent_market_governance_snapshot_2026-06-04.json",
"docs/ai/agent-market-watch-sources.v1.json"
],
"required_decisions": [
"來源是否允許",
"是否有費用、auth、rate limit、資料保留或 cache 風險",
"Nemotron 是否只做離線比較並保持非裁決角色"
],
"required_tests": [
"source response schema validation plan",
"failure-only notification contract",
"no SDK install / no paid API check"
],
"rollback_requirements": [
"可一鍵停用來源",
"清楚列出 cache 清理與資料保留停止方式"
],
"manual_approvals": [
"OpenClaw arbitration",
"cost/data-boundary approval if applicable",
"HITL approval"
],
"prohibited_without_approval": [
"external CVE lookup",
"external license lookup",
"registry lookup",
"Agent market external lookup",
"SDK installation",
"paid API call",
"shadow/canary",
"production routing"
],
"evidence_refs": [
"docs/evaluations/dependency_drift_check_plan_2026-06-04.json",
"docs/runbooks/OPENCLAW-REPLACEMENT-EVALUATION.md"
]
}
],
"decision_gate_contract": {
"openclaw_role": "仲裁風險、批准包完整性與是否可進 HITL不得自動執行修復。",
"hermes_role": "彙整 manifest、lockfile、Dockerfile、test plan、rollback 與文件證據。",
"nemotron_role": "僅提供離線比較、source freshness 與專家建議;不得替代 OpenClaw 裁決或進入生產路由。",
"hitl_required": true,
"expires_after": "批准包產生後 7 天或任何 source / manifest / Dockerfile 變更後失效。"
},
"operation_boundaries": {
"read_only_template_allowed": true,
"external_source_activation_allowed": false,
"sdk_installation_allowed": false,
"paid_api_call_allowed": false,
"package_installation_allowed": false,
"package_upgrade_allowed": false,
"lockfile_write_allowed": false,
"manifest_write_allowed": false,
"dockerfile_write_allowed": false,
"docker_build_allowed": false,
"image_pull_allowed": false,
"image_rebuild_allowed": false,
"registry_push_allowed": false,
"package_publish_allowed": false,
"shadow_or_canary_allowed": false,
"production_routing_allowed": false
},
"approval_boundaries": {
"sdk_installation_allowed": false,
"paid_api_call_allowed": false,
"shadow_or_canary_allowed": false,
"production_routing_allowed": false,
"destructive_operation_allowed": false
}
}
Reference in New Issue View Git Blame Copy Permalink