wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 2 Packages Projects Releases Wiki Activity
Files
e8de19d7d4add9df739289c1fb9a911add35dd67
awoooi/apps/api/src/services/ai_agent_deployment_layout.py
Your Name e427af3cb2
All checks were successful
CD Pipeline / tests (push) Successful in 1m24s
Details
Code Review / ai-code-review (push) Successful in 15s
Details
CD Pipeline / build-and-deploy (push) Successful in 6m5s
Details
CD Pipeline / post-deploy-checks (push) Successful in 1m37s
Details
feat(governance): 接入三 Agent 佈建布局
2026-06-11 11:27:50 +08:00

136 lines
5.7 KiB
Python
Raw Blame History

"""
AI Agent deployment layout snapshot.
Loads the latest committed, read-only layout for OpenClaw, Hermes, and
NemoTron across hosts, packages, tools, services, projects, web surfaces,
learning loops, and Telegram notification boundaries. This module never
deploys agents, sends Telegram messages, calls providers, or approves writes.
"""
from __future__ import annotations
import json
from pathlib import Path
from typing import Any
from src.services.snapshot_paths import default_evaluations_dir
_DEFAULT_EVALUATIONS_DIR = default_evaluations_dir(Path(__file__))
_SNAPSHOT_PATTERN = "ai_agent_deployment_layout_*.json"
_SCHEMA_VERSION = "ai_agent_deployment_layout_v1"
def load_latest_ai_agent_deployment_layout(
evaluations_dir: Path | None = None,
) -> dict[str, Any]:
"""Load the newest committed AI Agent deployment layout snapshot."""
directory = evaluations_dir or _DEFAULT_EVALUATIONS_DIR
candidates = sorted(directory.glob(_SNAPSHOT_PATTERN))
if not candidates:
raise FileNotFoundError(f"no AI Agent deployment layout snapshots found in {directory}")
latest = candidates[-1]
with latest.open(encoding="utf-8") as handle:
payload = json.load(handle)
if not isinstance(payload, dict):
raise ValueError(f"{latest}: expected JSON object")
_require_schema(payload, _SCHEMA_VERSION, str(latest))
_require_read_only_layout(payload, str(latest))
_require_rollup_consistency(payload, str(latest))
_require_frontend_redaction(payload, str(latest))
_require_target_boundaries(payload, str(latest))
return payload
def _require_schema(payload: dict[str, Any], expected: str, label: str) -> None:
actual = payload.get("schema_version")
if actual != expected:
raise ValueError(f"{label}: expected schema_version={expected}, got {actual!r}")
def _require_read_only_layout(payload: dict[str, Any], label: str) -> None:
program_status = payload.get("program_status") or {}
if program_status.get("read_only_mode") is not True:
raise ValueError(f"{label}: program_status.read_only_mode must be true")
if program_status.get("deployment_authority") != "layout_only_no_runtime_deploy":
raise ValueError(f"{label}: deployment_authority must stay layout_only_no_runtime_deploy")
boundaries = payload.get("approval_boundaries") or {}
blocked_flags = {
"sdk_installation_allowed",
"paid_api_call_allowed",
"shadow_or_canary_allowed",
"production_routing_allowed",
"destructive_operation_allowed",
"secret_plaintext_allowed",
"autonomous_host_mutation_allowed",
"telegram_direct_send_allowed",
}
allowed = sorted(flag for flag in blocked_flags if boundaries.get(flag) is not False)
if allowed:
raise ValueError(f"{label}: approval boundaries must remain false: {allowed}")
def _require_rollup_consistency(payload: dict[str, Any], label: str) -> None:
targets = payload.get("deployment_targets") or []
rollups = payload.get("rollups") or {}
if rollups.get("total_targets") != len(targets):
raise ValueError(f"{label}: rollups.total_targets must match deployment_targets")
if rollups.get("by_domain") != _count_by(targets, "domain_id"):
raise ValueError(f"{label}: rollups.by_domain must match deployment_targets")
if rollups.get("by_primary_agent") != _count_by(targets, "primary_agent"):
raise ValueError(f"{label}: rollups.by_primary_agent must match deployment_targets")
if rollups.get("by_deployment_state") != _count_by(targets, "deployment_state"):
raise ValueError(f"{label}: rollups.by_deployment_state must match deployment_targets")
if rollups.get("by_telegram_policy") != _count_by(targets, "telegram_policy"):
raise ValueError(f"{label}: rollups.by_telegram_policy must match deployment_targets")
blocked_target_ids = sorted(
target.get("target_id")
for target in targets
if target.get("deployment_state") == "blocked_by_gate"
or target.get("automation_level") == "blocked"
)
if sorted(rollups.get("blocked_target_ids") or []) != blocked_target_ids:
raise ValueError(f"{label}: rollups.blocked_target_ids must match blocked targets")
def _require_frontend_redaction(payload: dict[str, Any], label: str) -> None:
redaction = ((payload.get("collaboration_contract") or {}).get("frontend_redaction") or {})
if redaction.get("operator_conversation_display_allowed") is not False:
raise ValueError(f"{label}: operator conversation display must stay false")
if redaction.get("agent_private_reasoning_display_allowed") is not False:
raise ValueError(f"{label}: agent private reasoning display must stay false")
def _require_target_boundaries(payload: dict[str, Any], label: str) -> None:
targets = payload.get("deployment_targets") or []
missing = [
target.get("target_id")
for target in targets
if not target.get("approval_gate")
or not target.get("telegram_policy")
or not target.get("communication_channels")
]
if missing:
raise ValueError(f"{label}: deployment targets missing boundary fields: {sorted(missing)}")
invalid_nemotron_runtime = [
target.get("target_id")
for target in targets
if target.get("primary_agent") == "nemotron"
and target.get("automation_level") not in {"observe_only", "blocked"}
]
if invalid_nemotron_runtime:
raise ValueError(f"{label}: Nemotron targets must stay observe_only or blocked")
def _count_by(items: list[dict[str, Any]], key: str) -> dict[str, int]:
counts: dict[str, int] = {}
for item in items:
value = item.get(key)
counts[value] = counts.get(value, 0) + 1
return counts
Reference in New Issue View Git Blame Copy Permalink