608 lines
22 KiB
JSON
608 lines
22 KiB
JSON
{
|
||
"schema_version": "dependency_drift_check_plan_v1",
|
||
"generated_at": "2026-06-04T20:52:25+08:00",
|
||
"program_status": {
|
||
"overall_completion_percent": 99,
|
||
"current_priority": "P1",
|
||
"current_task_id": "P1-205",
|
||
"next_task_id": "P1-206",
|
||
"read_only_mode": true
|
||
},
|
||
"source_refs": [
|
||
"docs/evaluations/package_supply_chain_inventory_2026-06-04.json",
|
||
"docs/evaluations/javascript_package_inventory_2026-06-04.json",
|
||
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json",
|
||
"docs/evaluations/dependency_risk_policy_2026-06-04.json",
|
||
"docs/evaluations/agent_market_governance_snapshot_2026-06-04.json",
|
||
"docs/ai/AI_AGENT_AUTOMATION_WORKLIST_2026-06-04.md",
|
||
"docs/HARD_RULES.md"
|
||
],
|
||
"rollups": {
|
||
"total_cadence_items": 5,
|
||
"total_local_checks": 5,
|
||
"total_external_source_candidates": 10,
|
||
"by_domain": {
|
||
"python": 2,
|
||
"javascript": 3,
|
||
"docker": 3,
|
||
"policy": 1,
|
||
"cve": 2,
|
||
"license": 2,
|
||
"agent_market": 4,
|
||
"external_sources": 2,
|
||
"approval_package": 1
|
||
},
|
||
"read_only_local_check_ids": [
|
||
"python_manifest_drift_local_check",
|
||
"javascript_lockfile_drift_local_check",
|
||
"dockerfile_surface_drift_local_check",
|
||
"dependency_policy_consistency_local_check",
|
||
"agent_market_snapshot_freshness_local_check"
|
||
],
|
||
"approval_required_source_ids": [
|
||
"osv_advisory_candidate",
|
||
"github_advisory_candidate",
|
||
"pypi_registry_candidate",
|
||
"npm_registry_candidate",
|
||
"docker_hub_manifest_candidate",
|
||
"ghcr_manifest_candidate",
|
||
"package_license_metadata_candidate",
|
||
"deps_dev_license_candidate",
|
||
"agent_official_release_candidate",
|
||
"agent_benchmark_signal_candidate"
|
||
],
|
||
"design_only_cadence_ids": [
|
||
"daily_repo_drift_readonly",
|
||
"weekly_external_source_review",
|
||
"weekly_agent_market_watch_review",
|
||
"monthly_upgrade_approval_batch",
|
||
"failure_only_notification_review"
|
||
]
|
||
},
|
||
"cadence_policy": {
|
||
"timezone": "Asia/Taipei",
|
||
"items": [
|
||
{
|
||
"cadence_id": "daily_repo_drift_readonly",
|
||
"domain": "javascript",
|
||
"frequency": "daily design; activation requires P1-206 approval package or operator approval",
|
||
"activation_status": "design_only",
|
||
"owner_agent": "hermes",
|
||
"allowed_now": [
|
||
"read committed JSON snapshots",
|
||
"compare repo manifests and lockfiles",
|
||
"emit read-only drift report design"
|
||
],
|
||
"blocked_now": [
|
||
"pnpm install",
|
||
"npm audit",
|
||
"package upgrade",
|
||
"lockfile write",
|
||
"workflow activation"
|
||
],
|
||
"planned_output": "future docs/evaluations/dependency_drift_run_YYYY-MM-DD.json",
|
||
"failure_notification": "failure-only AwoooP / Telegram event after schedule is explicitly approved"
|
||
},
|
||
{
|
||
"cadence_id": "weekly_external_source_review",
|
||
"domain": "external_sources",
|
||
"frequency": "weekly design; external calls blocked until source approval",
|
||
"activation_status": "blocked_until_approval",
|
||
"owner_agent": "openclaw",
|
||
"allowed_now": [
|
||
"source list review",
|
||
"cost and rate-limit analysis",
|
||
"approval package preparation"
|
||
],
|
||
"blocked_now": [
|
||
"external CVE lookup",
|
||
"external license lookup",
|
||
"registry freshness lookup",
|
||
"paid API call"
|
||
],
|
||
"planned_output": "future external-source approval package",
|
||
"failure_notification": "only notify when approved source health check fails or data staleness exceeds threshold"
|
||
},
|
||
{
|
||
"cadence_id": "weekly_agent_market_watch_review",
|
||
"domain": "agent_market",
|
||
"frequency": "weekly design; market lookup remains approval-bound",
|
||
"activation_status": "blocked_until_approval",
|
||
"owner_agent": "nemotron",
|
||
"allowed_now": [
|
||
"read existing agent-market snapshots",
|
||
"offline comparison against committed evidence",
|
||
"prepare source approval package"
|
||
],
|
||
"blocked_now": [
|
||
"SDK installation",
|
||
"paid API call",
|
||
"shadow/canary",
|
||
"production routing",
|
||
"unapproved external market lookup"
|
||
],
|
||
"planned_output": "future agent-market watch source approval package",
|
||
"failure_notification": "failure-only AwoooP / Telegram event after approved cadence is active"
|
||
},
|
||
{
|
||
"cadence_id": "monthly_upgrade_approval_batch",
|
||
"domain": "approval_package",
|
||
"frequency": "monthly design; package generation only after P1-206",
|
||
"activation_status": "design_only",
|
||
"owner_agent": "openclaw",
|
||
"allowed_now": [
|
||
"define approval package fields",
|
||
"map dependency risk rules to upgrade candidates"
|
||
],
|
||
"blocked_now": [
|
||
"package upgrade",
|
||
"lockfile write",
|
||
"docker build",
|
||
"image rebuild",
|
||
"registry push"
|
||
],
|
||
"planned_output": "future P1-206 approval package template",
|
||
"failure_notification": "operator review only when a high/critical candidate cannot be triaged"
|
||
},
|
||
{
|
||
"cadence_id": "failure_only_notification_review",
|
||
"domain": "external_sources",
|
||
"frequency": "each approved scheduled run",
|
||
"activation_status": "design_only",
|
||
"owner_agent": "hermes",
|
||
"allowed_now": [
|
||
"document notification contract",
|
||
"define success suppression and failure escalation"
|
||
],
|
||
"blocked_now": [
|
||
"Telegram routing change",
|
||
"Alertmanager rule change",
|
||
"workflow activation"
|
||
],
|
||
"planned_output": "future notification contract for scheduled drift checks",
|
||
"failure_notification": "success stays quiet; failed run, stale source, rate-limit exhaustion, or schema mismatch notifies AwoooP / Telegram"
|
||
}
|
||
]
|
||
},
|
||
"local_check_plan": [
|
||
{
|
||
"check_id": "python_manifest_drift_local_check",
|
||
"domain": "python",
|
||
"status": "read_only_design",
|
||
"owner_agent": "hermes",
|
||
"frequency": "daily or pre-merge after approval",
|
||
"input_refs": [
|
||
"apps/api/pyproject.toml",
|
||
"apps/api/requirements.txt",
|
||
"packages/lewooogo-data/pyproject.toml",
|
||
"packages/lewooogo-brain/pyproject.toml",
|
||
"docs/evaluations/package_supply_chain_inventory_2026-06-04.json"
|
||
],
|
||
"planned_output": "python manifest drift report; no requirements rewrite",
|
||
"allowed_now": [
|
||
"read manifests",
|
||
"compare committed dependency specifiers",
|
||
"flag authority drift"
|
||
],
|
||
"blocked_now": [
|
||
"pip install",
|
||
"uv sync",
|
||
"requirements delete",
|
||
"lockfile write",
|
||
"docker build"
|
||
],
|
||
"acceptance_criteria": [
|
||
"reports pyproject / requirements drift without modifying either file",
|
||
"maps drift to P1-204 severity rules",
|
||
"emits approval package requirement for any remediation"
|
||
]
|
||
},
|
||
{
|
||
"check_id": "javascript_lockfile_drift_local_check",
|
||
"domain": "javascript",
|
||
"status": "read_only_design",
|
||
"owner_agent": "hermes",
|
||
"frequency": "daily or pre-merge after approval",
|
||
"input_refs": [
|
||
"package.json",
|
||
"apps/web/package.json",
|
||
"packages/shared-types/package.json",
|
||
"pnpm-lock.yaml",
|
||
"docs/evaluations/javascript_package_inventory_2026-06-04.json"
|
||
],
|
||
"planned_output": "pnpm importer specifier drift report; no pnpm install",
|
||
"allowed_now": [
|
||
"read package manifests",
|
||
"read pnpm-lock.yaml",
|
||
"compare importer specifiers"
|
||
],
|
||
"blocked_now": [
|
||
"pnpm install",
|
||
"pnpm update",
|
||
"npm audit",
|
||
"lockfile write",
|
||
"package publish"
|
||
],
|
||
"acceptance_criteria": [
|
||
"reports missing/mismatch/extra dependencies",
|
||
"keeps lockfile untouched",
|
||
"flags shared-types publish boundary for approval package"
|
||
]
|
||
},
|
||
{
|
||
"check_id": "dockerfile_surface_drift_local_check",
|
||
"domain": "docker",
|
||
"status": "read_only_design",
|
||
"owner_agent": "hermes",
|
||
"frequency": "weekly or Dockerfile-change after approval",
|
||
"input_refs": [
|
||
"apps/api/Dockerfile",
|
||
"apps/web/Dockerfile",
|
||
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json"
|
||
],
|
||
"planned_output": "Dockerfile surface drift report; no build or pull",
|
||
"allowed_now": [
|
||
"read Dockerfiles",
|
||
"compare FROM and COPY --from references",
|
||
"compare build-time network fetch patterns"
|
||
],
|
||
"blocked_now": [
|
||
"docker build",
|
||
"image pull",
|
||
"image rebuild",
|
||
"registry push",
|
||
"production routing"
|
||
],
|
||
"acceptance_criteria": [
|
||
"reports base image, digest pin, binary source, network fetch, and healthcheck drift",
|
||
"does not contact registries",
|
||
"maps remediation to P1-206 approval package"
|
||
]
|
||
},
|
||
{
|
||
"check_id": "dependency_policy_consistency_local_check",
|
||
"domain": "policy",
|
||
"status": "read_only_design",
|
||
"owner_agent": "openclaw",
|
||
"frequency": "weekly after approval",
|
||
"input_refs": [
|
||
"docs/evaluations/package_supply_chain_inventory_2026-06-04.json",
|
||
"docs/evaluations/dependency_risk_policy_2026-06-04.json",
|
||
"docs/ai/AI_AGENT_AUTOMATION_WORKLIST_2026-06-04.md"
|
||
],
|
||
"planned_output": "policy consistency report for severity rules and next actions",
|
||
"allowed_now": [
|
||
"read committed policies",
|
||
"validate rollups",
|
||
"detect stale next_action references"
|
||
],
|
||
"blocked_now": [
|
||
"policy override",
|
||
"approval bypass",
|
||
"production change"
|
||
],
|
||
"acceptance_criteria": [
|
||
"catches stale P1 task references",
|
||
"keeps operation_boundaries false",
|
||
"requires OpenClaw/HITL for any gate change"
|
||
]
|
||
},
|
||
{
|
||
"check_id": "agent_market_snapshot_freshness_local_check",
|
||
"domain": "agent_market",
|
||
"status": "read_only_design",
|
||
"owner_agent": "nemotron",
|
||
"frequency": "weekly after approval",
|
||
"input_refs": [
|
||
"docs/evaluations/agent_market_governance_snapshot_2026-06-04.json",
|
||
"docs/ai/agent-market-watch-sources.v1.json",
|
||
"docs/runbooks/OPENCLAW-REPLACEMENT-EVALUATION.md"
|
||
],
|
||
"planned_output": "agent-market freshness report using committed snapshots only",
|
||
"allowed_now": [
|
||
"read committed market governance snapshots",
|
||
"compare stale source timestamps",
|
||
"prepare source approval package"
|
||
],
|
||
"blocked_now": [
|
||
"unapproved external market lookup",
|
||
"SDK installation",
|
||
"paid API call",
|
||
"shadow/canary",
|
||
"production routing"
|
||
],
|
||
"acceptance_criteria": [
|
||
"keeps Nemotron at offline expert role until replay evidence improves",
|
||
"detects stale market evidence without claiming current market truth",
|
||
"routes replacement questions to OpenClaw/HITL approval boundaries"
|
||
]
|
||
}
|
||
],
|
||
"external_source_candidates": [
|
||
{
|
||
"source_id": "osv_advisory_candidate",
|
||
"domain": "cve",
|
||
"source_type": "public vulnerability advisory API candidate",
|
||
"approval_status": "approval_required",
|
||
"auth_required": false,
|
||
"cost_profile": "free_public_candidate",
|
||
"rate_limit_risk": "medium",
|
||
"cache_policy": "cache advisory responses per package/version for at least 24h after approval",
|
||
"data_retention_policy": "store only package, version, advisory id, severity, source timestamp, and lookup time",
|
||
"permitted_after_approval": [
|
||
"read-only vulnerability lookup",
|
||
"severity mapping to dependency_risk_policy_v1"
|
||
],
|
||
"blocked_now": [
|
||
"external CVE lookup",
|
||
"automated remediation",
|
||
"package upgrade"
|
||
],
|
||
"owner_agent": "openclaw",
|
||
"evidence_refs": [
|
||
"docs/evaluations/dependency_risk_policy_2026-06-04.json"
|
||
]
|
||
},
|
||
{
|
||
"source_id": "github_advisory_candidate",
|
||
"domain": "cve",
|
||
"source_type": "advisory database candidate",
|
||
"approval_status": "approval_required",
|
||
"auth_required": false,
|
||
"cost_profile": "unknown_until_review",
|
||
"rate_limit_risk": "medium",
|
||
"cache_policy": "cache advisory ids and affected ranges; avoid repeated queries",
|
||
"data_retention_policy": "store minimal advisory metadata and source timestamp",
|
||
"permitted_after_approval": [
|
||
"cross-check high and critical advisories"
|
||
],
|
||
"blocked_now": [
|
||
"external advisory lookup",
|
||
"paid API call",
|
||
"package upgrade"
|
||
],
|
||
"owner_agent": "openclaw",
|
||
"evidence_refs": [
|
||
"docs/evaluations/dependency_risk_policy_2026-06-04.json"
|
||
]
|
||
},
|
||
{
|
||
"source_id": "pypi_registry_candidate",
|
||
"domain": "python_registry",
|
||
"source_type": "Python package registry freshness candidate",
|
||
"approval_status": "approval_required",
|
||
"auth_required": false,
|
||
"cost_profile": "free_public_candidate",
|
||
"rate_limit_risk": "medium",
|
||
"cache_policy": "cache package release metadata per package for 24h after approval",
|
||
"data_retention_policy": "store package name, current specifier, latest seen version, source timestamp, and lookup time",
|
||
"permitted_after_approval": [
|
||
"read-only version freshness comparison"
|
||
],
|
||
"blocked_now": [
|
||
"registry lookup",
|
||
"pip install",
|
||
"uv sync",
|
||
"package upgrade"
|
||
],
|
||
"owner_agent": "hermes",
|
||
"evidence_refs": [
|
||
"apps/api/pyproject.toml",
|
||
"docs/evaluations/package_supply_chain_inventory_2026-06-04.json"
|
||
]
|
||
},
|
||
{
|
||
"source_id": "npm_registry_candidate",
|
||
"domain": "javascript_registry",
|
||
"source_type": "JavaScript package registry freshness candidate",
|
||
"approval_status": "approval_required",
|
||
"auth_required": false,
|
||
"cost_profile": "free_public_candidate",
|
||
"rate_limit_risk": "medium",
|
||
"cache_policy": "cache package dist-tag and version metadata for 24h after approval",
|
||
"data_retention_policy": "store package name, current specifier, lockfile version, latest seen version, and source timestamp",
|
||
"permitted_after_approval": [
|
||
"read-only package freshness comparison"
|
||
],
|
||
"blocked_now": [
|
||
"registry lookup",
|
||
"npm audit",
|
||
"pnpm install",
|
||
"package upgrade",
|
||
"lockfile write"
|
||
],
|
||
"owner_agent": "hermes",
|
||
"evidence_refs": [
|
||
"apps/web/package.json",
|
||
"pnpm-lock.yaml",
|
||
"docs/evaluations/javascript_package_inventory_2026-06-04.json"
|
||
]
|
||
},
|
||
{
|
||
"source_id": "docker_hub_manifest_candidate",
|
||
"domain": "docker_registry",
|
||
"source_type": "container image manifest freshness candidate",
|
||
"approval_status": "approval_required",
|
||
"auth_required": false,
|
||
"cost_profile": "free_public_candidate",
|
||
"rate_limit_risk": "high",
|
||
"cache_policy": "cache image tag and digest metadata for 24h after approval; throttle by image",
|
||
"data_retention_policy": "store image ref, tag, digest, source timestamp, and lookup time",
|
||
"permitted_after_approval": [
|
||
"read-only digest freshness comparison"
|
||
],
|
||
"blocked_now": [
|
||
"image pull",
|
||
"docker build",
|
||
"image rebuild",
|
||
"registry push"
|
||
],
|
||
"owner_agent": "openclaw",
|
||
"evidence_refs": [
|
||
"apps/api/Dockerfile",
|
||
"apps/web/Dockerfile",
|
||
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json"
|
||
]
|
||
},
|
||
{
|
||
"source_id": "ghcr_manifest_candidate",
|
||
"domain": "docker_registry",
|
||
"source_type": "GHCR image manifest freshness candidate",
|
||
"approval_status": "approval_required",
|
||
"auth_required": false,
|
||
"cost_profile": "unknown_until_review",
|
||
"rate_limit_risk": "high",
|
||
"cache_policy": "cache image tag and digest metadata for 24h after approval; no pull",
|
||
"data_retention_policy": "store image ref, tag, digest, source timestamp, and lookup time",
|
||
"permitted_after_approval": [
|
||
"read-only digest freshness comparison"
|
||
],
|
||
"blocked_now": [
|
||
"image pull",
|
||
"docker build",
|
||
"image rebuild",
|
||
"registry push"
|
||
],
|
||
"owner_agent": "openclaw",
|
||
"evidence_refs": [
|
||
"apps/api/Dockerfile",
|
||
"docs/evaluations/docker_build_surface_inventory_2026-06-04.json"
|
||
]
|
||
},
|
||
{
|
||
"source_id": "package_license_metadata_candidate",
|
||
"domain": "license",
|
||
"source_type": "package metadata license field candidate",
|
||
"approval_status": "approval_required",
|
||
"auth_required": false,
|
||
"cost_profile": "free_public_candidate",
|
||
"rate_limit_risk": "medium",
|
||
"cache_policy": "cache package license metadata for 7 days after approval",
|
||
"data_retention_policy": "store package name, version, license expression, source timestamp, and lookup time",
|
||
"permitted_after_approval": [
|
||
"read-only license metadata comparison"
|
||
],
|
||
"blocked_now": [
|
||
"external license lookup",
|
||
"legal conclusion",
|
||
"package publish",
|
||
"package upgrade"
|
||
],
|
||
"owner_agent": "openclaw",
|
||
"evidence_refs": [
|
||
"docs/evaluations/dependency_risk_policy_2026-06-04.json",
|
||
"packages/shared-types/package.json"
|
||
]
|
||
},
|
||
{
|
||
"source_id": "deps_dev_license_candidate",
|
||
"domain": "license",
|
||
"source_type": "dependency graph and license metadata candidate",
|
||
"approval_status": "approval_required",
|
||
"auth_required": false,
|
||
"cost_profile": "unknown_until_review",
|
||
"rate_limit_risk": "medium",
|
||
"cache_policy": "cache normalized dependency/license metadata for 7 days after approval",
|
||
"data_retention_policy": "store only package, version, license, dependency path summary, source timestamp, and lookup time",
|
||
"permitted_after_approval": [
|
||
"read-only transitive license review"
|
||
],
|
||
"blocked_now": [
|
||
"external license lookup",
|
||
"legal conclusion",
|
||
"package upgrade"
|
||
],
|
||
"owner_agent": "openclaw",
|
||
"evidence_refs": [
|
||
"docs/evaluations/dependency_risk_policy_2026-06-04.json"
|
||
]
|
||
},
|
||
{
|
||
"source_id": "agent_official_release_candidate",
|
||
"domain": "agent_market",
|
||
"source_type": "official release notes, docs, changelog, or repository release candidate",
|
||
"approval_status": "approval_required",
|
||
"auth_required": false,
|
||
"cost_profile": "unknown_until_review",
|
||
"rate_limit_risk": "medium",
|
||
"cache_policy": "cache source snapshots and version metadata for 7 days after approval",
|
||
"data_retention_policy": "store product name, version or release marker, source timestamp, summary, and lookup time",
|
||
"permitted_after_approval": [
|
||
"read-only AI Agent market version watch",
|
||
"candidate emergence detection",
|
||
"operator review queue update"
|
||
],
|
||
"blocked_now": [
|
||
"unapproved market lookup",
|
||
"SDK installation",
|
||
"paid API call",
|
||
"shadow/canary",
|
||
"production routing"
|
||
],
|
||
"owner_agent": "nemotron",
|
||
"evidence_refs": [
|
||
"docs/evaluations/agent_market_governance_snapshot_2026-06-04.json",
|
||
"docs/ai/agent-market-watch-sources.v1.json"
|
||
]
|
||
},
|
||
{
|
||
"source_id": "agent_benchmark_signal_candidate",
|
||
"domain": "agent_market",
|
||
"source_type": "public benchmark, leaderboard, or evaluation report candidate",
|
||
"approval_status": "approval_required",
|
||
"auth_required": false,
|
||
"cost_profile": "unknown_until_review",
|
||
"rate_limit_risk": "unknown",
|
||
"cache_policy": "cache benchmark snapshot references for 7 days after approval",
|
||
"data_retention_policy": "store benchmark name, candidate name, score summary, source timestamp, and lookup time",
|
||
"permitted_after_approval": [
|
||
"read-only market score evidence refresh",
|
||
"OpenClaw replacement evidence queue update"
|
||
],
|
||
"blocked_now": [
|
||
"unapproved market lookup",
|
||
"replacement decision",
|
||
"shadow/canary",
|
||
"production routing"
|
||
],
|
||
"owner_agent": "openclaw",
|
||
"evidence_refs": [
|
||
"docs/runbooks/OPENCLAW-REPLACEMENT-EVALUATION.md",
|
||
"docs/evaluations/agent_market_governance_snapshot_2026-06-04.json"
|
||
]
|
||
}
|
||
],
|
||
"notification_policy": {
|
||
"success_notification": "成功檢查預設不即時通知,避免洗版;結果只寫入 committed snapshot 或治理看板。",
|
||
"failure_notification": "失敗、schema mismatch、來源過期、rate-limit exhaustion、成本邊界不明或 high/critical policy hit 才通知 AwoooP / Telegram。",
|
||
"operator_review_trigger": "任何外部來源啟用、SDK 安裝、付費 API、shadow/canary、生產路由、套件升級、lockfile 寫入或 image rebuild 都必須進人工批准。"
|
||
},
|
||
"operation_boundaries": {
|
||
"read_only_plan_allowed": true,
|
||
"schedule_activation_allowed": false,
|
||
"workflow_write_allowed": false,
|
||
"external_cve_lookup_allowed": false,
|
||
"external_license_lookup_allowed": false,
|
||
"registry_lookup_allowed": false,
|
||
"agent_market_external_lookup_allowed": false,
|
||
"sdk_installation_allowed": false,
|
||
"paid_api_call_allowed": false,
|
||
"package_installation_allowed": false,
|
||
"package_upgrade_allowed": false,
|
||
"lockfile_write_allowed": false,
|
||
"docker_build_allowed": false,
|
||
"image_pull_allowed": false,
|
||
"image_rebuild_allowed": false,
|
||
"registry_push_allowed": false,
|
||
"shadow_or_canary_allowed": false,
|
||
"production_routing_allowed": false
|
||
},
|
||
"approval_boundaries": {
|
||
"sdk_installation_allowed": false,
|
||
"paid_api_call_allowed": false,
|
||
"shadow_or_canary_allowed": false,
|
||
"production_routing_allowed": false,
|
||
"destructive_operation_allowed": false
|
||
}
|
||
}
|