Files
awoooi/docs/evaluations/dependency_drift_check_plan_2026-06-04.json
Your Name cfb866d055
Some checks failed
Ansible Lint / lint (push) Successful in 35s
CD Pipeline / tests (push) Failing after 13s
CD Pipeline / build-and-deploy (push) Has been skipped
CD Pipeline / post-deploy-checks (push) Has been skipped
Code Review / ai-code-review (push) Failing after 11s
feat(governance): add agent market automation surfaces
2026-06-04 21:50:55 +08:00

608 lines
22 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"schema_version": "dependency_drift_check_plan_v1",
"generated_at": "2026-06-04T20:52:25+08:00",
"program_status": {
"overall_completion_percent": 99,
"current_priority": "P1",
"current_task_id": "P1-205",
"next_task_id": "P1-206",
"read_only_mode": true
},
"source_refs": [
"docs/evaluations/package_supply_chain_inventory_2026-06-04.json",
"docs/evaluations/javascript_package_inventory_2026-06-04.json",
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json",
"docs/evaluations/dependency_risk_policy_2026-06-04.json",
"docs/evaluations/agent_market_governance_snapshot_2026-06-04.json",
"docs/ai/AI_AGENT_AUTOMATION_WORKLIST_2026-06-04.md",
"docs/HARD_RULES.md"
],
"rollups": {
"total_cadence_items": 5,
"total_local_checks": 5,
"total_external_source_candidates": 10,
"by_domain": {
"python": 2,
"javascript": 3,
"docker": 3,
"policy": 1,
"cve": 2,
"license": 2,
"agent_market": 4,
"external_sources": 2,
"approval_package": 1
},
"read_only_local_check_ids": [
"python_manifest_drift_local_check",
"javascript_lockfile_drift_local_check",
"dockerfile_surface_drift_local_check",
"dependency_policy_consistency_local_check",
"agent_market_snapshot_freshness_local_check"
],
"approval_required_source_ids": [
"osv_advisory_candidate",
"github_advisory_candidate",
"pypi_registry_candidate",
"npm_registry_candidate",
"docker_hub_manifest_candidate",
"ghcr_manifest_candidate",
"package_license_metadata_candidate",
"deps_dev_license_candidate",
"agent_official_release_candidate",
"agent_benchmark_signal_candidate"
],
"design_only_cadence_ids": [
"daily_repo_drift_readonly",
"weekly_external_source_review",
"weekly_agent_market_watch_review",
"monthly_upgrade_approval_batch",
"failure_only_notification_review"
]
},
"cadence_policy": {
"timezone": "Asia/Taipei",
"items": [
{
"cadence_id": "daily_repo_drift_readonly",
"domain": "javascript",
"frequency": "daily design; activation requires P1-206 approval package or operator approval",
"activation_status": "design_only",
"owner_agent": "hermes",
"allowed_now": [
"read committed JSON snapshots",
"compare repo manifests and lockfiles",
"emit read-only drift report design"
],
"blocked_now": [
"pnpm install",
"npm audit",
"package upgrade",
"lockfile write",
"workflow activation"
],
"planned_output": "future docs/evaluations/dependency_drift_run_YYYY-MM-DD.json",
"failure_notification": "failure-only AwoooP / Telegram event after schedule is explicitly approved"
},
{
"cadence_id": "weekly_external_source_review",
"domain": "external_sources",
"frequency": "weekly design; external calls blocked until source approval",
"activation_status": "blocked_until_approval",
"owner_agent": "openclaw",
"allowed_now": [
"source list review",
"cost and rate-limit analysis",
"approval package preparation"
],
"blocked_now": [
"external CVE lookup",
"external license lookup",
"registry freshness lookup",
"paid API call"
],
"planned_output": "future external-source approval package",
"failure_notification": "only notify when approved source health check fails or data staleness exceeds threshold"
},
{
"cadence_id": "weekly_agent_market_watch_review",
"domain": "agent_market",
"frequency": "weekly design; market lookup remains approval-bound",
"activation_status": "blocked_until_approval",
"owner_agent": "nemotron",
"allowed_now": [
"read existing agent-market snapshots",
"offline comparison against committed evidence",
"prepare source approval package"
],
"blocked_now": [
"SDK installation",
"paid API call",
"shadow/canary",
"production routing",
"unapproved external market lookup"
],
"planned_output": "future agent-market watch source approval package",
"failure_notification": "failure-only AwoooP / Telegram event after approved cadence is active"
},
{
"cadence_id": "monthly_upgrade_approval_batch",
"domain": "approval_package",
"frequency": "monthly design; package generation only after P1-206",
"activation_status": "design_only",
"owner_agent": "openclaw",
"allowed_now": [
"define approval package fields",
"map dependency risk rules to upgrade candidates"
],
"blocked_now": [
"package upgrade",
"lockfile write",
"docker build",
"image rebuild",
"registry push"
],
"planned_output": "future P1-206 approval package template",
"failure_notification": "operator review only when a high/critical candidate cannot be triaged"
},
{
"cadence_id": "failure_only_notification_review",
"domain": "external_sources",
"frequency": "each approved scheduled run",
"activation_status": "design_only",
"owner_agent": "hermes",
"allowed_now": [
"document notification contract",
"define success suppression and failure escalation"
],
"blocked_now": [
"Telegram routing change",
"Alertmanager rule change",
"workflow activation"
],
"planned_output": "future notification contract for scheduled drift checks",
"failure_notification": "success stays quiet; failed run, stale source, rate-limit exhaustion, or schema mismatch notifies AwoooP / Telegram"
}
]
},
"local_check_plan": [
{
"check_id": "python_manifest_drift_local_check",
"domain": "python",
"status": "read_only_design",
"owner_agent": "hermes",
"frequency": "daily or pre-merge after approval",
"input_refs": [
"apps/api/pyproject.toml",
"apps/api/requirements.txt",
"packages/lewooogo-data/pyproject.toml",
"packages/lewooogo-brain/pyproject.toml",
"docs/evaluations/package_supply_chain_inventory_2026-06-04.json"
],
"planned_output": "python manifest drift report; no requirements rewrite",
"allowed_now": [
"read manifests",
"compare committed dependency specifiers",
"flag authority drift"
],
"blocked_now": [
"pip install",
"uv sync",
"requirements delete",
"lockfile write",
"docker build"
],
"acceptance_criteria": [
"reports pyproject / requirements drift without modifying either file",
"maps drift to P1-204 severity rules",
"emits approval package requirement for any remediation"
]
},
{
"check_id": "javascript_lockfile_drift_local_check",
"domain": "javascript",
"status": "read_only_design",
"owner_agent": "hermes",
"frequency": "daily or pre-merge after approval",
"input_refs": [
"package.json",
"apps/web/package.json",
"packages/shared-types/package.json",
"pnpm-lock.yaml",
"docs/evaluations/javascript_package_inventory_2026-06-04.json"
],
"planned_output": "pnpm importer specifier drift report; no pnpm install",
"allowed_now": [
"read package manifests",
"read pnpm-lock.yaml",
"compare importer specifiers"
],
"blocked_now": [
"pnpm install",
"pnpm update",
"npm audit",
"lockfile write",
"package publish"
],
"acceptance_criteria": [
"reports missing/mismatch/extra dependencies",
"keeps lockfile untouched",
"flags shared-types publish boundary for approval package"
]
},
{
"check_id": "dockerfile_surface_drift_local_check",
"domain": "docker",
"status": "read_only_design",
"owner_agent": "hermes",
"frequency": "weekly or Dockerfile-change after approval",
"input_refs": [
"apps/api/Dockerfile",
"apps/web/Dockerfile",
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json"
],
"planned_output": "Dockerfile surface drift report; no build or pull",
"allowed_now": [
"read Dockerfiles",
"compare FROM and COPY --from references",
"compare build-time network fetch patterns"
],
"blocked_now": [
"docker build",
"image pull",
"image rebuild",
"registry push",
"production routing"
],
"acceptance_criteria": [
"reports base image, digest pin, binary source, network fetch, and healthcheck drift",
"does not contact registries",
"maps remediation to P1-206 approval package"
]
},
{
"check_id": "dependency_policy_consistency_local_check",
"domain": "policy",
"status": "read_only_design",
"owner_agent": "openclaw",
"frequency": "weekly after approval",
"input_refs": [
"docs/evaluations/package_supply_chain_inventory_2026-06-04.json",
"docs/evaluations/dependency_risk_policy_2026-06-04.json",
"docs/ai/AI_AGENT_AUTOMATION_WORKLIST_2026-06-04.md"
],
"planned_output": "policy consistency report for severity rules and next actions",
"allowed_now": [
"read committed policies",
"validate rollups",
"detect stale next_action references"
],
"blocked_now": [
"policy override",
"approval bypass",
"production change"
],
"acceptance_criteria": [
"catches stale P1 task references",
"keeps operation_boundaries false",
"requires OpenClaw/HITL for any gate change"
]
},
{
"check_id": "agent_market_snapshot_freshness_local_check",
"domain": "agent_market",
"status": "read_only_design",
"owner_agent": "nemotron",
"frequency": "weekly after approval",
"input_refs": [
"docs/evaluations/agent_market_governance_snapshot_2026-06-04.json",
"docs/ai/agent-market-watch-sources.v1.json",
"docs/runbooks/OPENCLAW-REPLACEMENT-EVALUATION.md"
],
"planned_output": "agent-market freshness report using committed snapshots only",
"allowed_now": [
"read committed market governance snapshots",
"compare stale source timestamps",
"prepare source approval package"
],
"blocked_now": [
"unapproved external market lookup",
"SDK installation",
"paid API call",
"shadow/canary",
"production routing"
],
"acceptance_criteria": [
"keeps Nemotron at offline expert role until replay evidence improves",
"detects stale market evidence without claiming current market truth",
"routes replacement questions to OpenClaw/HITL approval boundaries"
]
}
],
"external_source_candidates": [
{
"source_id": "osv_advisory_candidate",
"domain": "cve",
"source_type": "public vulnerability advisory API candidate",
"approval_status": "approval_required",
"auth_required": false,
"cost_profile": "free_public_candidate",
"rate_limit_risk": "medium",
"cache_policy": "cache advisory responses per package/version for at least 24h after approval",
"data_retention_policy": "store only package, version, advisory id, severity, source timestamp, and lookup time",
"permitted_after_approval": [
"read-only vulnerability lookup",
"severity mapping to dependency_risk_policy_v1"
],
"blocked_now": [
"external CVE lookup",
"automated remediation",
"package upgrade"
],
"owner_agent": "openclaw",
"evidence_refs": [
"docs/evaluations/dependency_risk_policy_2026-06-04.json"
]
},
{
"source_id": "github_advisory_candidate",
"domain": "cve",
"source_type": "advisory database candidate",
"approval_status": "approval_required",
"auth_required": false,
"cost_profile": "unknown_until_review",
"rate_limit_risk": "medium",
"cache_policy": "cache advisory ids and affected ranges; avoid repeated queries",
"data_retention_policy": "store minimal advisory metadata and source timestamp",
"permitted_after_approval": [
"cross-check high and critical advisories"
],
"blocked_now": [
"external advisory lookup",
"paid API call",
"package upgrade"
],
"owner_agent": "openclaw",
"evidence_refs": [
"docs/evaluations/dependency_risk_policy_2026-06-04.json"
]
},
{
"source_id": "pypi_registry_candidate",
"domain": "python_registry",
"source_type": "Python package registry freshness candidate",
"approval_status": "approval_required",
"auth_required": false,
"cost_profile": "free_public_candidate",
"rate_limit_risk": "medium",
"cache_policy": "cache package release metadata per package for 24h after approval",
"data_retention_policy": "store package name, current specifier, latest seen version, source timestamp, and lookup time",
"permitted_after_approval": [
"read-only version freshness comparison"
],
"blocked_now": [
"registry lookup",
"pip install",
"uv sync",
"package upgrade"
],
"owner_agent": "hermes",
"evidence_refs": [
"apps/api/pyproject.toml",
"docs/evaluations/package_supply_chain_inventory_2026-06-04.json"
]
},
{
"source_id": "npm_registry_candidate",
"domain": "javascript_registry",
"source_type": "JavaScript package registry freshness candidate",
"approval_status": "approval_required",
"auth_required": false,
"cost_profile": "free_public_candidate",
"rate_limit_risk": "medium",
"cache_policy": "cache package dist-tag and version metadata for 24h after approval",
"data_retention_policy": "store package name, current specifier, lockfile version, latest seen version, and source timestamp",
"permitted_after_approval": [
"read-only package freshness comparison"
],
"blocked_now": [
"registry lookup",
"npm audit",
"pnpm install",
"package upgrade",
"lockfile write"
],
"owner_agent": "hermes",
"evidence_refs": [
"apps/web/package.json",
"pnpm-lock.yaml",
"docs/evaluations/javascript_package_inventory_2026-06-04.json"
]
},
{
"source_id": "docker_hub_manifest_candidate",
"domain": "docker_registry",
"source_type": "container image manifest freshness candidate",
"approval_status": "approval_required",
"auth_required": false,
"cost_profile": "free_public_candidate",
"rate_limit_risk": "high",
"cache_policy": "cache image tag and digest metadata for 24h after approval; throttle by image",
"data_retention_policy": "store image ref, tag, digest, source timestamp, and lookup time",
"permitted_after_approval": [
"read-only digest freshness comparison"
],
"blocked_now": [
"image pull",
"docker build",
"image rebuild",
"registry push"
],
"owner_agent": "openclaw",
"evidence_refs": [
"apps/api/Dockerfile",
"apps/web/Dockerfile",
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json"
]
},
{
"source_id": "ghcr_manifest_candidate",
"domain": "docker_registry",
"source_type": "GHCR image manifest freshness candidate",
"approval_status": "approval_required",
"auth_required": false,
"cost_profile": "unknown_until_review",
"rate_limit_risk": "high",
"cache_policy": "cache image tag and digest metadata for 24h after approval; no pull",
"data_retention_policy": "store image ref, tag, digest, source timestamp, and lookup time",
"permitted_after_approval": [
"read-only digest freshness comparison"
],
"blocked_now": [
"image pull",
"docker build",
"image rebuild",
"registry push"
],
"owner_agent": "openclaw",
"evidence_refs": [
"apps/api/Dockerfile",
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json"
]
},
{
"source_id": "package_license_metadata_candidate",
"domain": "license",
"source_type": "package metadata license field candidate",
"approval_status": "approval_required",
"auth_required": false,
"cost_profile": "free_public_candidate",
"rate_limit_risk": "medium",
"cache_policy": "cache package license metadata for 7 days after approval",
"data_retention_policy": "store package name, version, license expression, source timestamp, and lookup time",
"permitted_after_approval": [
"read-only license metadata comparison"
],
"blocked_now": [
"external license lookup",
"legal conclusion",
"package publish",
"package upgrade"
],
"owner_agent": "openclaw",
"evidence_refs": [
"docs/evaluations/dependency_risk_policy_2026-06-04.json",
"packages/shared-types/package.json"
]
},
{
"source_id": "deps_dev_license_candidate",
"domain": "license",
"source_type": "dependency graph and license metadata candidate",
"approval_status": "approval_required",
"auth_required": false,
"cost_profile": "unknown_until_review",
"rate_limit_risk": "medium",
"cache_policy": "cache normalized dependency/license metadata for 7 days after approval",
"data_retention_policy": "store only package, version, license, dependency path summary, source timestamp, and lookup time",
"permitted_after_approval": [
"read-only transitive license review"
],
"blocked_now": [
"external license lookup",
"legal conclusion",
"package upgrade"
],
"owner_agent": "openclaw",
"evidence_refs": [
"docs/evaluations/dependency_risk_policy_2026-06-04.json"
]
},
{
"source_id": "agent_official_release_candidate",
"domain": "agent_market",
"source_type": "official release notes, docs, changelog, or repository release candidate",
"approval_status": "approval_required",
"auth_required": false,
"cost_profile": "unknown_until_review",
"rate_limit_risk": "medium",
"cache_policy": "cache source snapshots and version metadata for 7 days after approval",
"data_retention_policy": "store product name, version or release marker, source timestamp, summary, and lookup time",
"permitted_after_approval": [
"read-only AI Agent market version watch",
"candidate emergence detection",
"operator review queue update"
],
"blocked_now": [
"unapproved market lookup",
"SDK installation",
"paid API call",
"shadow/canary",
"production routing"
],
"owner_agent": "nemotron",
"evidence_refs": [
"docs/evaluations/agent_market_governance_snapshot_2026-06-04.json",
"docs/ai/agent-market-watch-sources.v1.json"
]
},
{
"source_id": "agent_benchmark_signal_candidate",
"domain": "agent_market",
"source_type": "public benchmark, leaderboard, or evaluation report candidate",
"approval_status": "approval_required",
"auth_required": false,
"cost_profile": "unknown_until_review",
"rate_limit_risk": "unknown",
"cache_policy": "cache benchmark snapshot references for 7 days after approval",
"data_retention_policy": "store benchmark name, candidate name, score summary, source timestamp, and lookup time",
"permitted_after_approval": [
"read-only market score evidence refresh",
"OpenClaw replacement evidence queue update"
],
"blocked_now": [
"unapproved market lookup",
"replacement decision",
"shadow/canary",
"production routing"
],
"owner_agent": "openclaw",
"evidence_refs": [
"docs/runbooks/OPENCLAW-REPLACEMENT-EVALUATION.md",
"docs/evaluations/agent_market_governance_snapshot_2026-06-04.json"
]
}
],
"notification_policy": {
"success_notification": " committed snapshot ",
"failure_notification": "schema mismatchrate-limit exhaustion high/critical policy hit AwoooP / Telegram",
"operator_review_trigger": "SDK APIshadow/canarylockfile image rebuild "
},
"operation_boundaries": {
"read_only_plan_allowed": true,
"schedule_activation_allowed": false,
"workflow_write_allowed": false,
"external_cve_lookup_allowed": false,
"external_license_lookup_allowed": false,
"registry_lookup_allowed": false,
"agent_market_external_lookup_allowed": false,
"sdk_installation_allowed": false,
"paid_api_call_allowed": false,
"package_installation_allowed": false,
"package_upgrade_allowed": false,
"lockfile_write_allowed": false,
"docker_build_allowed": false,
"image_pull_allowed": false,
"image_rebuild_allowed": false,
"registry_push_allowed": false,
"shadow_or_canary_allowed": false,
"production_routing_allowed": false
},
"approval_boundaries": {
"sdk_installation_allowed": false,
"paid_api_call_allowed": false,
"shadow_or_canary_allowed": false,
"production_routing_allowed": false,
"destructive_operation_allowed": false
}
}