{ "schema_version": "dependency_upgrade_approval_package_template_v1", "generated_at": "2026-06-04T21:06:22+08:00", "program_status": { "overall_completion_percent": 100, "current_priority": "P1", "current_task_id": "P1-206", "next_task_id": "P1-103", "read_only_mode": true }, "source_refs": [ "docs/evaluations/package_supply_chain_inventory_2026-06-04.json", "docs/evaluations/javascript_package_inventory_2026-06-04.json", "docs/evaluations/docker_build_surface_inventory_2026-06-04.json", "docs/evaluations/dependency_risk_policy_2026-06-04.json", "docs/evaluations/dependency_drift_check_plan_2026-06-04.json", "docs/ai/AI_AGENT_AUTOMATION_WORKLIST_2026-06-04.md", "docs/HARD_RULES.md" ], "rollups": { "total_templates": 8, "by_domain": { "python": 2, "javascript": 2, "docker": 3, "external_sources": 1 }, "template_ready_ids": [ "python_manifest_authority_package", "python_lock_constraints_package", "javascript_high_impact_upgrade_package", "shared_types_publish_boundary_package", "docker_base_digest_pin_package", "docker_binary_checksum_package", "docker_build_network_source_package", "external_source_activation_package" ], "hitl_required_template_ids": [ "python_manifest_authority_package", "python_lock_constraints_package", "javascript_high_impact_upgrade_package", "shared_types_publish_boundary_package", "docker_base_digest_pin_package", "docker_binary_checksum_package", "docker_build_network_source_package", "external_source_activation_package" ] }, "approval_fields": [ { "field_id": "evidence_refs", "required": true, "description": "列出 committed snapshots、manifest、Dockerfile、lockfile、market evidence 或 source approval evidence。" }, { "field_id": "current_state", "required": true, "description": "描述目前版本、specifier、digest、license、publish boundary 或 source status。" }, { "field_id": "proposed_change", "required": true, "description": "描述提議修改;模板本身不得修改任何檔案或啟用來源。" }, { "field_id": "risk_severity_mapping", "required": true, "description": "對應 dependency_risk_policy_v1 的 critical/high/medium/low 規則。" }, { "field_id": "blast_radius", "required": true, "description": "列出受影響服務、runtime、build、publish、registry、AI Agent 或 production surface。" }, { "field_id": "rollback_plan", "required": true, "description": "列出 rollback 指令、artifact、舊版本、舊 digest、舊 manifest 與回復驗證。" }, { "field_id": "tests_required", "required": true, "description": "列出 unit、schema、typecheck、smoke、browser、image scan 或 replay gates。" }, { "field_id": "manual_approval", "required": true, "description": "列出 OpenClaw 仲裁、HITL、費用、資料邊界、legal / owner review 與到期時間。" } ], "package_templates": [ { "template_id": "python_manifest_authority_package", "domain": "python", "status": "template_ready", "owner_agent": "openclaw", "purpose": "決定 apps/api pyproject.toml、requirements.txt 與 Dockerfile install source 的權威關係。", "required_evidence": [ "apps/api/pyproject.toml", "apps/api/requirements.txt", "apps/api/Dockerfile", "docs/evaluations/package_supply_chain_inventory_2026-06-04.json" ], "required_decisions": [ "pyproject 是否為唯一 runtime authority", "requirements 是否保留、生成或廢止", "Dockerfile install source 是否需要調整" ], "required_tests": [ "Python dependency inventory tests", "API unit tests", "Dockerfile build policy review before any build" ], "rollback_requirements": [ "保留原 requirements / pyproject refs", "列出 revert patch 與 dependency source 回復方式" ], "manual_approvals": [ "OpenClaw arbitration", "HITL approval" ], "prohibited_without_approval": [ "requirements delete", "manifest write", "package install", "package upgrade", "docker build" ], "evidence_refs": [ "docs/evaluations/dependency_risk_policy_2026-06-04.json", "docs/evaluations/dependency_drift_check_plan_2026-06-04.json" ] }, { "template_id": "python_lock_constraints_package", "domain": "python", "status": "template_ready", "owner_agent": "hermes", "purpose": "評估 Python lockfile / constraints policy,不直接生成 lockfile。", "required_evidence": [ "apps/api/pyproject.toml", "packages/lewooogo-data/pyproject.toml", "packages/lewooogo-brain/pyproject.toml", "docs/evaluations/package_supply_chain_inventory_2026-06-04.json" ], "required_decisions": [ "是否採用 uv.lock、constraints file 或維持 range constraints", "哪些 runtime surface 必須 reproducible", "lockfile 更新頻率與 owner" ], "required_tests": [ "package supply-chain inventory tests", "schema validation", "API smoke after approved change" ], "rollback_requirements": [ "列出回復舊 constraints / no-lock 狀態的 patch", "列出 dependency resolution rollback evidence" ], "manual_approvals": [ "OpenClaw arbitration", "HITL approval" ], "prohibited_without_approval": [ "lockfile write", "uv sync", "package install", "package upgrade" ], "evidence_refs": [ "docs/evaluations/dependency_risk_policy_2026-06-04.json" ] }, { "template_id": "javascript_high_impact_upgrade_package", "domain": "javascript", "status": "template_ready", "owner_agent": "openclaw", "purpose": "處理 Next / React / Sentry / Playwright / visualization 等高影響套件升級候選。", "required_evidence": [ "apps/web/package.json", "pnpm-lock.yaml", "docs/evaluations/javascript_package_inventory_2026-06-04.json", "docs/evaluations/dependency_drift_check_plan_2026-06-04.json" ], "required_decisions": [ "升級是否由 CVE、freshness、compatibility 或 product need 觸發", "是否允許 lockfile rewrite", "是否需要 staged browser smoke" ], "required_tests": [ "pnpm typecheck", "targeted frontend tests", "desktop and mobile browser smoke", "schema validation for 產生於 snapshots" ], "rollback_requirements": [ "保留舊 package.json / pnpm-lock.yaml refs", "列出 revert patch 與 browser smoke rollback gate" ], "manual_approvals": [ "OpenClaw arbitration", "HITL approval" ], "prohibited_without_approval": [ "pnpm install", "pnpm update", "npm audit", "lockfile write", "package upgrade" ], "evidence_refs": [ "docs/evaluations/javascript_package_inventory_2026-06-04.json", "docs/evaluations/dependency_risk_policy_2026-06-04.json" ] }, { "template_id": "shared_types_publish_boundary_package", "domain": "javascript", "status": "template_ready", "owner_agent": "openclaw", "purpose": "確認 @awoooi/shared-types publishConfig access=public 是否為刻意 contract。", "required_evidence": [ "packages/shared-types/package.json", "docs/evaluations/javascript_package_inventory_2026-06-04.json" ], "required_decisions": [ "package 是否應維持 public publish boundary", "是否改 private=true", "是否需要 package owner / consumer review" ], "required_tests": [ "workspace dependency inventory", "typecheck", "consumer compatibility review" ], "rollback_requirements": [ "列出 publish metadata revert patch", "列出 package consumer impact rollback" ], "manual_approvals": [ "OpenClaw arbitration", "package owner review", "HITL approval" ], "prohibited_without_approval": [ "package publish", "package metadata change", "lockfile write" ], "evidence_refs": [ "docs/evaluations/dependency_risk_policy_2026-06-04.json" ] }, { "template_id": "docker_base_digest_pin_package", "domain": "docker", "status": "template_ready", "owner_agent": "openclaw", "purpose": "為 python:3.11-slim、node:20-alpine、ghcr.io/astral-sh/uv:0.6.9 建立 digest pin 批准包。", "required_evidence": [ "apps/api/Dockerfile", "apps/web/Dockerfile", "docs/evaluations/docker_build_surface_inventory_2026-06-04.json" ], "required_decisions": [ "是否啟用 registry manifest lookup", "digest pin source 與 cache policy", "image rebuild 與 rollback gate" ], "required_tests": [ "Dockerfile surface inventory", "image rebuild approval checklist", "post-build smoke plan before any build" ], "rollback_requirements": [ "列出舊 tag refs 與 digest revert", "列出 image rollback target 與 deployment rollback plan" ], "manual_approvals": [ "OpenClaw arbitration", "registry/source approval", "HITL approval" ], "prohibited_without_approval": [ "image pull", "docker build", "image rebuild", "registry push", "production routing" ], "evidence_refs": [ "docs/evaluations/docker_build_surface_inventory_2026-06-04.json", "docs/evaluations/dependency_drift_check_plan_2026-06-04.json" ] }, { "template_id": "docker_binary_checksum_package", "domain": "docker", "status": "template_ready", "owner_agent": "openclaw", "purpose": "為 API Dockerfile 下載 kubectl v1.29.0 的 checksum / signature policy 建立批准包。", "required_evidence": [ "apps/api/Dockerfile", "docs/evaluations/docker_build_surface_inventory_2026-06-04.json" ], "required_decisions": [ "checksum / signature source", "是否替換下載方式", "失敗時是否阻擋 build" ], "required_tests": [ "Dockerfile surface inventory", "checksum verification dry-run design", "API image smoke plan before approved build" ], "rollback_requirements": [ "保留舊 kubectl source refs", "列出 checksum policy revert patch" ], "manual_approvals": [ "OpenClaw arbitration", "HITL approval" ], "prohibited_without_approval": [ "Dockerfile write", "docker build", "image rebuild", "registry push" ], "evidence_refs": [ "docs/evaluations/dependency_risk_policy_2026-06-04.json" ] }, { "template_id": "docker_build_network_source_package", "domain": "docker", "status": "template_ready", "owner_agent": "hermes", "purpose": "為 apt-get、curl、corepack prepare、pnpm install 等 build-time network source 建立白名單 / cache / failure policy 批准包。", "required_evidence": [ "apps/api/Dockerfile", "apps/web/Dockerfile", "pnpm-lock.yaml", "docs/evaluations/docker_build_surface_inventory_2026-06-04.json" ], "required_decisions": [ "允許的 build-time network source", "cache / mirror strategy", "failure-only notification threshold" ], "required_tests": [ "Dockerfile inventory", "network source policy validation", "post-build smoke plan before approved build" ], "rollback_requirements": [ "列出回復原 Dockerfile network fetch path 的 patch", "列出 cache / mirror rollback" ], "manual_approvals": [ "OpenClaw arbitration", "HITL approval" ], "prohibited_without_approval": [ "Dockerfile write", "docker build", "image rebuild", "registry push" ], "evidence_refs": [ "docs/evaluations/dependency_drift_check_plan_2026-06-04.json" ] }, { "template_id": "external_source_activation_package", "domain": "external_sources", "status": "template_ready", "owner_agent": "openclaw", "purpose": "啟用 CVE、license、registry freshness 或 AI Agent market source 前的統一批准包。", "required_evidence": [ "docs/evaluations/dependency_drift_check_plan_2026-06-04.json", "docs/evaluations/agent_market_governance_snapshot_2026-06-04.json", "docs/ai/agent-market-watch-sources.v1.json" ], "required_decisions": [ "來源是否允許", "是否有費用、auth、rate limit、資料保留或 cache 風險", "Nemotron 是否只做離線比較並保持非裁決角色" ], "required_tests": [ "source response schema validation plan", "failure-only notification contract", "no SDK install / no paid API check" ], "rollback_requirements": [ "可一鍵停用來源", "清楚列出 cache 清理與資料保留停止方式" ], "manual_approvals": [ "OpenClaw arbitration", "cost/data-boundary approval if applicable", "HITL approval" ], "prohibited_without_approval": [ "external CVE lookup", "external license lookup", "registry lookup", "Agent market external lookup", "SDK installation", "paid API call", "shadow/canary", "production routing" ], "evidence_refs": [ "docs/evaluations/dependency_drift_check_plan_2026-06-04.json", "docs/runbooks/OPENCLAW-REPLACEMENT-EVALUATION.md" ] } ], "decision_gate_contract": { "openclaw_role": "仲裁風險、controlled package 完整性與是否可進 allowlist apply;secret、paid provider、destructive、force-push 與 critical 才 break-glass。", "hermes_role": "彙整 manifest、lockfile、Dockerfile、test plan、rollback 與文件證據。", "nemotron_role": "僅提供離線比較、source freshness 與專家建議;不得替代 OpenClaw 裁決或進入生產路由。", "hitl_required": true, "expires_after": "批准包產生後 7 天或任何 source / manifest / Dockerfile 變更後失效。" }, "operation_boundaries": { "read_only_template_allowed": true, "external_source_activation_allowed": false, "sdk_installation_allowed": false, "paid_api_call_allowed": false, "package_installation_allowed": false, "package_upgrade_allowed": false, "lockfile_write_allowed": false, "manifest_write_allowed": false, "dockerfile_write_allowed": false, "docker_build_allowed": false, "image_pull_allowed": false, "image_rebuild_allowed": false, "registry_push_allowed": false, "package_publish_allowed": false, "shadow_or_canary_allowed": false, "production_routing_allowed": false }, "approval_boundaries": { "sdk_installation_allowed": false, "paid_api_call_allowed": false, "shadow_or_canary_allowed": false, "production_routing_allowed": false, "destructive_operation_allowed": false } }