Files
awoooi/docs/evaluations/dependency_supply_chain_drift_monitor_2026-06-18.json
Your Name f2b7e8d66e
Some checks failed
Code Review / ai-code-review (push) Successful in 13s
CD Pipeline / tests (push) Successful in 1m39s
Ansible / Reboot Recovery Contract / validate (push) Has been cancelled
CD Pipeline / post-deploy-checks (push) Has been cancelled
CD Pipeline / build-and-deploy (push) Has been cancelled
fix(web): 收斂治理頁繁中文案
2026-06-19 02:59:46 +08:00

496 lines
22 KiB
JSON
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"schema_version": "dependency_supply_chain_drift_monitor_v1",
"generated_at": "2026-06-18T23:05:00+08:00",
"program_status": {
"overall_completion_percent": 100,
"current_priority": "P2",
"current_task_id": "P2-004",
"next_task_id": "P2-406B",
"read_only_mode": true,
"runtime_authority": "repo_only_dependency_supply_chain_drift_monitor_no_external_lookup_or_write",
"status_note": "P2-004 將既有 Python / JavaScript / Docker / policy / version freshness 快照收斂為依賴與供應鏈漂移監控讀回;本輪只產生 committed snapshot 與 API不啟用外部查詢、排程、升級、Telegram 實發或 production write。"
},
"source_refs": [
"docs/evaluations/package_supply_chain_inventory_2026-06-04.json",
"docs/evaluations/javascript_package_inventory_2026-06-04.json",
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json",
"docs/evaluations/dependency_risk_policy_2026-06-04.json",
"docs/evaluations/dependency_drift_check_plan_2026-06-04.json",
"docs/evaluations/dependency_upgrade_approval_package_template_2026-06-04.json",
"docs/evaluations/ai_agent_version_freshness_snapshot_2026-06-11.json"
],
"rollups": {
"source_snapshot_count": 6,
"stale_source_snapshot_count": 5,
"monitor_check_count": 7,
"drift_candidate_count": 9,
"action_required_candidate_count": 9,
"owner_action_count": 9,
"blocked_operation_count": 20,
"by_domain": {
"python": 2,
"javascript": 2,
"docker": 3,
"external_source": 1,
"agent_market": 1
},
"action_required_drift_candidate_ids": [
"api_python_manifest_drift",
"python_lockfile_absence",
"apps_web_caret_range_exposure",
"shared_types_publish_boundary",
"docker_base_images_not_digest_pinned",
"api_kubectl_binary_without_checksum_policy",
"docker_build_time_network_fetches_present",
"external_cve_license_registry_lookup_not_approved",
"agent_market_source_lookup_not_approved"
]
},
"source_snapshot_readbacks": [
{
"snapshot_id": "package_supply_chain_inventory",
"source_ref": "docs/evaluations/package_supply_chain_inventory_2026-06-04.json",
"source_schema_version": "package_supply_chain_inventory_v1",
"generated_at": "2026-06-04T21:06:22+08:00",
"freshness_status": "stale_action_required",
"evidence_status": "action_required_surfaces_present",
"next_action": "以 repo-only 方式刷新 Python / JS / Docker source rollup未批准前不得查 registry 或升級。"
},
{
"snapshot_id": "javascript_package_inventory",
"source_ref": "docs/evaluations/javascript_package_inventory_2026-06-04.json",
"source_schema_version": "javascript_package_inventory_v1",
"generated_at": "2026-06-04T20:22:00+08:00",
"freshness_status": "stale_action_required",
"evidence_status": "caret_range_and_workspace_boundary_present",
"next_action": "建立高影響前端套件與 workspace publish boundary 批准包;不得寫 pnpm-lock.yaml。"
},
{
"snapshot_id": "docker_build_surface_inventory",
"source_ref": "docs/evaluations/docker_build_surface_inventory_2026-06-04.json",
"source_schema_version": "docker_build_surface_inventory_v1",
"generated_at": "2026-06-04T19:23:03+08:00",
"freshness_status": "stale_action_required",
"evidence_status": "digest_and_network_fetch_risk_present",
"next_action": "產生 digest pin、checksum、network source policy 批准包;未批准前不得 build 或 pull image。"
},
{
"snapshot_id": "dependency_risk_policy",
"source_ref": "docs/evaluations/dependency_risk_policy_2026-06-04.json",
"source_schema_version": "dependency_risk_policy_v1",
"generated_at": "2026-06-04T21:40:00+08:00",
"freshness_status": "stale_action_required",
"evidence_status": "policy_defined_no_external_lookup",
"next_action": "將 policy hit 轉成 owner packet 與 Telegram failure-only digest draft不得自動套用。"
},
{
"snapshot_id": "dependency_drift_check_plan",
"source_ref": "docs/evaluations/dependency_drift_check_plan_2026-06-04.json",
"source_schema_version": "dependency_drift_check_plan_v1",
"generated_at": "2026-06-04T22:15:00+08:00",
"freshness_status": "stale_action_required",
"evidence_status": "cadence_design_only",
"next_action": "下一輪若要定期化,必須先送 schedule / workflow / external source approval packet。"
},
{
"snapshot_id": "ai_agent_version_freshness_snapshot",
"source_ref": "docs/evaluations/ai_agent_version_freshness_snapshot_2026-06-11.json",
"source_schema_version": "ai_agent_version_freshness_snapshot_v1",
"generated_at": "2026-06-11T22:45:00+08:00",
"freshness_status": "recent_action_required",
"evidence_status": "repo_only_version_sources_present",
"next_action": "把 stale source refs 與 P2-004 drift candidates 串接到 P2-406B / P2-407 報表讀回,不啟用外部 lookup。"
}
],
"monitor_checks": [
{
"check_id": "python_manifest_authority_drift_readback",
"domain": "python",
"owner_agent": "hermes",
"status": "action_required",
"current_signal": "apps/api/pyproject.toml 與 apps/api/requirements.txt 權威性仍未決Dockerfile 目前以 pyproject + uv 為建置來源。",
"evidence_refs": [
"apps/api/pyproject.toml",
"apps/api/requirements.txt",
"apps/api/Dockerfile",
"docs/evaluations/package_supply_chain_inventory_2026-06-04.json"
],
"blocked_now": ["delete requirements", "install packages", "write lockfile"],
"next_action": "prepare_python_manifest_authority_packet"
},
{
"check_id": "python_lockfile_absence_readback",
"domain": "python",
"owner_agent": "openclaw",
"status": "action_required",
"current_signal": "Python manifests 仍無 uv.lock / poetry.lock / constraints authority重現性策略需要人工批准。",
"evidence_refs": [
"apps/api/pyproject.toml",
"packages/lewooogo-data/pyproject.toml",
"docs/evaluations/package_supply_chain_inventory_2026-06-04.json"
],
"blocked_now": ["generate lockfile", "pin all versions", "upgrade dependencies"],
"next_action": "prepare_python_lockfile_strategy_packet"
},
{
"check_id": "javascript_importer_lockfile_readback",
"domain": "javascript",
"owner_agent": "hermes",
"status": "read_only_passed",
"current_signal": "P1-202 已確認 pnpm importers 與 lockfile specifier 沒有 mismatch仍需處理 high-impact caret range。",
"evidence_refs": [
"package.json",
"apps/web/package.json",
"pnpm-lock.yaml",
"docs/evaluations/javascript_package_inventory_2026-06-04.json"
],
"blocked_now": ["pnpm install", "npm audit", "lockfile write"],
"next_action": "prepare_js_high_impact_upgrade_packet"
},
{
"check_id": "javascript_caret_range_exposure_readback",
"domain": "javascript",
"owner_agent": "openclaw",
"status": "action_required",
"current_signal": "apps/web 仍有大量 caret rangeNext / React / Sentry / Playwright 等高影響套件需要升級批准包與 rollback plan。",
"evidence_refs": [
"apps/web/package.json",
"pnpm-lock.yaml",
"docs/evaluations/javascript_package_inventory_2026-06-04.json"
],
"blocked_now": ["package upgrade", "lockfile write", "external registry lookup"],
"next_action": "prepare_js_high_impact_upgrade_packet"
},
{
"check_id": "docker_digest_pin_readback",
"domain": "docker",
"owner_agent": "openclaw",
"status": "action_required",
"current_signal": "API / Web Dockerfile 的 base image 與 uv image tag-pinned 但未 digest-pinned。",
"evidence_refs": [
"apps/api/Dockerfile",
"apps/web/Dockerfile",
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json"
],
"blocked_now": ["docker build", "image pull", "registry push"],
"next_action": "prepare_docker_digest_pin_packet"
},
{
"check_id": "docker_binary_checksum_readback",
"domain": "docker",
"owner_agent": "hermes",
"status": "action_required",
"current_signal": "API image build 下載 kubectl v1.29.0,但 checksum / signature policy 尚未固定。",
"evidence_refs": [
"apps/api/Dockerfile",
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json"
],
"blocked_now": ["curl new binary", "edit Dockerfile", "image rebuild"],
"next_action": "prepare_kubectl_checksum_packet"
},
{
"check_id": "external_source_activation_readback",
"domain": "external_source",
"owner_agent": "nemotron",
"status": "blocked_until_approval",
"current_signal": "OSV / Trivy / Syft / Grype / PyPI / npm / Docker Hub / Agent market primary sources 都仍是候選來源,尚未批准外部查詢。",
"evidence_refs": [
"docs/evaluations/dependency_drift_check_plan_2026-06-04.json",
"docs/evaluations/ai_agent_version_freshness_snapshot_2026-06-11.json"
],
"blocked_now": ["external CVE lookup", "license lookup", "registry lookup", "agent market lookup"],
"next_action": "prepare_external_source_activation_packet"
}
],
"drift_candidates": [
{
"candidate_id": "api_python_manifest_drift",
"domain": "python",
"severity": "high",
"status": "action_required",
"owner_agent": "openclaw",
"summary": "API pyproject 與 legacy requirements 仍未決定權威來源;若直接刪除或改寫會影響 build / local tool / rollback 判斷。",
"evidence_refs": [
"apps/api/pyproject.toml",
"apps/api/requirements.txt",
"docs/evaluations/package_supply_chain_inventory_2026-06-04.json"
],
"next_owner_action": "prepare_python_manifest_authority_packet"
},
{
"candidate_id": "python_lockfile_absence",
"domain": "python",
"severity": "medium",
"status": "action_required",
"owner_agent": "openclaw",
"summary": "Python 依賴仍缺 committed lockfile 或 constraints authority可先產策略批准包不得直接生成。",
"evidence_refs": [
"apps/api/pyproject.toml",
"packages/lewooogo-data/pyproject.toml",
"docs/evaluations/dependency_risk_policy_2026-06-04.json"
],
"next_owner_action": "prepare_python_lockfile_strategy_packet"
},
{
"candidate_id": "apps_web_caret_range_exposure",
"domain": "javascript",
"severity": "medium",
"status": "action_required",
"owner_agent": "openclaw",
"summary": "apps/web 仍有 high-impact caret ranges下一步是升級批准包與 smoke matrix不是直接 pnpm install。",
"evidence_refs": [
"apps/web/package.json",
"pnpm-lock.yaml",
"docs/evaluations/javascript_package_inventory_2026-06-04.json"
],
"next_owner_action": "prepare_js_high_impact_upgrade_packet"
},
{
"candidate_id": "shared_types_publish_boundary",
"domain": "javascript",
"severity": "medium",
"status": "action_required",
"owner_agent": "hermes",
"summary": "shared-types 類 workspace 需要 publish / version / compatibility boundary應以批准包定義不由 Agent 自行 publish。",
"evidence_refs": [
"packages/shared-types/package.json",
"pnpm-lock.yaml",
"docs/evaluations/javascript_package_inventory_2026-06-04.json"
],
"next_owner_action": "prepare_shared_types_publish_boundary_packet"
},
{
"candidate_id": "docker_base_images_not_digest_pinned",
"domain": "docker",
"severity": "high",
"status": "action_required",
"owner_agent": "openclaw",
"summary": "python:3.11-slim、node:20-alpine、ghcr.io/astral-sh/uv:0.6.9 尚未 digest-pinned需要 digest、rollback 與 rebuild approval。",
"evidence_refs": [
"apps/api/Dockerfile",
"apps/web/Dockerfile",
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json"
],
"next_owner_action": "prepare_docker_digest_pin_packet"
},
{
"candidate_id": "api_kubectl_binary_without_checksum_policy",
"domain": "docker",
"severity": "high",
"status": "action_required",
"owner_agent": "hermes",
"summary": "API image build 以 curl 下載 kubectl v1.29.0,但 checksum / signature policy 尚未固定。",
"evidence_refs": [
"apps/api/Dockerfile",
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json"
],
"next_owner_action": "prepare_kubectl_checksum_packet"
},
{
"candidate_id": "docker_build_time_network_fetches_present",
"domain": "docker",
"severity": "medium",
"status": "action_required",
"owner_agent": "hermes",
"summary": "API build 的 apt-get / curl 與 Web build 的 corepack / pnpm install 都是 build-time network fetch需要 source policy 與 failure-only digest。",
"evidence_refs": [
"apps/api/Dockerfile",
"apps/web/Dockerfile",
"pnpm-lock.yaml",
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json"
],
"next_owner_action": "prepare_build_time_network_source_packet"
},
{
"candidate_id": "external_cve_license_registry_lookup_not_approved",
"domain": "external_source",
"severity": "medium",
"status": "blocked_until_approval",
"owner_agent": "openclaw",
"summary": "CVE、license、PyPI、npm、Docker manifest freshness 尚未批准外部查詢;只能保留 repo-only drift 與批准包。",
"evidence_refs": [
"docs/evaluations/dependency_drift_check_plan_2026-06-04.json",
"docs/evaluations/dependency_risk_policy_2026-06-04.json"
],
"next_owner_action": "prepare_external_source_activation_packet"
},
{
"candidate_id": "agent_market_source_lookup_not_approved",
"domain": "agent_market",
"severity": "medium",
"status": "blocked_until_approval",
"owner_agent": "nemotron",
"summary": "主流 AI Agent / SDK / model watch 已納入工作清單,但定期外部 primary-source lookup 尚未批准NemoTron 只能先做 committed snapshot freshness 與離線 scorecard 草案。",
"evidence_refs": [
"docs/ai/AI_AGENT_AUTOMATION_WORKLIST_2026-06-04.md",
"docs/evaluations/ai_agent_version_freshness_snapshot_2026-06-11.json"
],
"next_owner_action": "prepare_agent_market_source_activation_packet"
}
],
"owner_actions": [
{
"action_id": "prepare_python_manifest_authority_packet",
"priority": "P2",
"owner_agent": "openclaw",
"approval_gate": "human_review_required_before_manifest_delete_or_generation",
"summary": "判定 pyproject / requirements 權威來源、生成或退場策略、rollback 與測試矩陣。",
"blocked_until": "Owner Gate + build/test/smoke plan + rollback owner"
},
{
"action_id": "prepare_python_lockfile_strategy_packet",
"priority": "P2",
"owner_agent": "openclaw",
"approval_gate": "dependency_lock_strategy_approval_required",
"summary": "提出 uv.lock / constraints / no-lock exception 三路策略與風險評分。",
"blocked_until": "Owner Gate + package install approval + rollback plan"
},
{
"action_id": "prepare_js_high_impact_upgrade_packet",
"priority": "P2",
"owner_agent": "openclaw",
"approval_gate": "frontend_high_impact_upgrade_approval_required",
"summary": "針對 Next / React / Sentry / Playwright 等 high-impact 套件產生升級、測試、rollback 與 cache busting 批准包。",
"blocked_until": "Owner Gate + pnpm lockfile write approval + browser smoke matrix"
},
{
"action_id": "prepare_shared_types_publish_boundary_packet",
"priority": "P2",
"owner_agent": "hermes",
"approval_gate": "workspace_publish_boundary_approval_required",
"summary": "定義 shared-types version / publish / consumer compatibility 邊界與不自動 publish 規則。",
"blocked_until": "Owner Gate + package publish policy"
},
{
"action_id": "prepare_docker_digest_pin_packet",
"priority": "P2",
"owner_agent": "openclaw",
"approval_gate": "image_digest_pin_and_rebuild_approval_required",
"summary": "產生 base image digest pin、重建、rollout、rollback 與 registry promotion 批准包。",
"blocked_until": "Owner Gate + docker build/pull/push approval + rollout window"
},
{
"action_id": "prepare_kubectl_checksum_packet",
"priority": "P2",
"owner_agent": "hermes",
"approval_gate": "binary_checksum_policy_approval_required",
"summary": "定義 kubectl binary checksum / signature policy 與替換方案。",
"blocked_until": "Owner Gate + Dockerfile write approval"
},
{
"action_id": "prepare_build_time_network_source_packet",
"priority": "P2",
"owner_agent": "hermes",
"approval_gate": "build_network_source_policy_approval_required",
"summary": "把 apt / curl / corepack / pnpm install 來源與失敗限定 digest policy 固定成批准包。",
"blocked_until": "Owner Gate + workflow and registry policy approval"
},
{
"action_id": "prepare_external_source_activation_packet",
"priority": "P2",
"owner_agent": "openclaw",
"approval_gate": "external_cve_license_registry_lookup_approval_required",
"summary": "列出 OSV / Trivy / Syft / Grype / PyPI / npm / Docker registry lookup 的費用、頻率、rate limit、資料保存與 redaction 條件。",
"blocked_until": "Owner Gate + cost/rate-limit/privacy approval"
},
{
"action_id": "prepare_agent_market_source_activation_packet",
"priority": "P2",
"owner_agent": "nemotron",
"approval_gate": "agent_market_primary_source_lookup_approval_required",
"summary": "把主流 AI Agent / SDK / model watch 來源、scorecard、回放基準與 OpenClaw 替代決策門檻固定成批准包。",
"blocked_until": "Owner Gate + primary-source refresh approval + replay policy"
}
],
"telegram_policy": {
"status": "draft_only_no_send",
"direct_send_allowed": false,
"gateway_queue_write_allowed": false,
"success_quiet": true,
"failure_digest_after_approval": true,
"draft_only_outputs": [
"P2-004 dependency drift action-required digest draft",
"Owner packet summary",
"failure-only schema mismatch digest draft"
]
},
"agent_roles": [
{
"agent_id": "openclaw",
"role": "仲裁 high / critical supply-chain drift、升級風險、費用與 HITL gate不得自行批准套件或 provider 變更。",
"autonomy_level": "L2_approval_package_only",
"approval_gate": "human_review_required_before_any_update_or_external_lookup",
"outputs": [
"risk arbitration",
"owner action packet",
"blocked operation verification"
]
},
{
"agent_id": "hermes",
"role": "彙整 repo-only manifest / lockfile / Dockerfile / committed snapshot 證據,產出報表與 KM 草稿。",
"autonomy_level": "L1_report_only",
"approval_gate": "read_only_repo_monitor_allowed",
"outputs": [
"drift evidence packet",
"report section",
"Telegram digest draft"
]
},
{
"agent_id": "nemotron",
"role": "進行離線長任務比對、版本 / Agent market freshness 草案與 replay scorecard 草案;不得替換 OpenClaw 或接 production route。",
"autonomy_level": "L1_offline_comparison_only",
"approval_gate": "offline_scorecard_only_until_market_lookup_and_replay_gate",
"outputs": [
"agent market source activation packet",
"offline comparison note",
"replay candidate list"
]
}
],
"next_actions": [
{
"task_id": "P2-406B",
"priority": "P2",
"summary": "把 P2-004 drift monitor 與日週月報 / Telegram receipt readback owner review 串接成同一個只讀審核視圖。",
"gate": "Telegram send、Gateway queue write、Bot API、receipt production write 仍必須全部為 0。"
},
{
"task_id": "P2-407",
"priority": "P2",
"summary": "讓 OpenClaw / Hermes / NemoTron 讀取日週月報與 P2-004 drift monitor 後產生 無寫入 分析與建議。",
"gate": "只寫 committed snapshot / 草稿;不得 production optimization write。"
},
{
"task_id": "P2-412",
"priority": "P2",
"summary": "準備外部主流 Agent / SDK / model watch 的 primary-source refresh 批准包。",
"gate": "未批准前不得外部查詢、不得宣稱 latest、不得替換 OpenClaw。"
}
],
"monitor_boundaries": {
"read_only_repo_monitor_allowed": true,
"schedule_activation_allowed": false,
"workflow_write_allowed": false,
"external_cve_lookup_allowed": false,
"external_license_lookup_allowed": false,
"registry_lookup_allowed": false,
"agent_market_external_lookup_allowed": false,
"package_installation_allowed": false,
"package_upgrade_allowed": false,
"lockfile_write_allowed": false,
"docker_build_allowed": false,
"image_pull_allowed": false,
"image_rebuild_allowed": false,
"registry_push_allowed": false,
"pr_creation_allowed": false,
"telegram_send_allowed": false,
"production_write_allowed": false,
"paid_external_service_allowed": false,
"secret_read_allowed": false,
"host_probe_allowed": false,
"npm_audit_allowed": false
}
}