diff --git a/docs/guides/ai_automation_mainline_work_items.md b/docs/guides/ai_automation_mainline_work_items.md index 7433438..3250959 100644 --- a/docs/guides/ai_automation_mainline_work_items.md +++ b/docs/guides/ai_automation_mainline_work_items.md @@ -1,6 +1,6 @@ # AI Automation Mainline Work Items -> Updated: 2026-07-14 +> Updated: 2026-07-14 16:40 Asia/Taipei > Governance: `global_product_governance_v2` + ADR-038 > Current P0: `GROWTH-P0-001 comparison coverage truth + autonomous refresh` @@ -17,8 +17,8 @@ | Order | ID | Status | Work item | Exit evidence / next machine action | |---:|---|---|---|---| | 1 | `SEC-P0-001` | Completed | Deny-by-default route access control | `governance/evidence/SEC-P0-001-20260711T122758Z.json` plus the current runtime receipt prove anonymous matrix 8/8 denied, public `/metrics` 404, exact internal target up, EwoooC product markers present, Prometheus identity preserved and `momo-db` unchanged. | -| 2 | `GROWTH-P0-001` | In progress | Comparison coverage truth + autonomous refresh | V10.789 source replaces the ambiguous percentage with numerator/denominator scopes for TOP opportunities, active seven-day catalog and registered runtime platforms; ready/candidate/unmatched states are mutually exclusive, stale sales block operational decisions, and a non-overlapping watchdog runs authorized sales acquisition before bounded comparison backfill. Exit: production API contract readback, newer scheduler receipts, desktop/mobile visible proof and unchanged `momo-db` identity. | -| 3 | `SEC-P0-002` | In progress | Database identity + least-privilege RBAC | V10.789 release source connects `users/login_history/user_permissions` to login and role enforcement, adds durable lockout, identity-version session revocation, trusted-proxy CIDRs, and same-transaction no-secret audits for account/password/permission mutations. `auto` promotes from hybrid to database-only after two durable successful database logins by an active admin; no manual review gate. Next: deploy, write the runtime receipt, capture database-admin login receipts and verify automatic shared-authority retirement. | +| 2 | `GROWTH-P0-001` | In progress (`partial`) | Comparison coverage truth + autonomous refresh | V10.789 is live. Production contract `pchome_comparison_coverage_v2` reads TOP 50 as `5 ready + 4 candidate validation + 41 unmatched = 50`; active seven-day catalog is `23/1,938` and registered platform runtime is `1/15`. Sales are 20 days stale, so operational decisions remain paused. The watchdog completed authorized acquisition and bounded backfill with durable receipts; no unreliable candidate was promoted. Receipt: `governance/pchome_comparison_coverage_runtime_receipt.json`. Next: execute lanes A -> B -> C below until freshness and verified coverage gates close. | +| 3 | `SEC-P0-002` | In progress (`canary_ready`) | Database identity + least-privilege RBAC | V10.789 is live and `governance/auth_identity_runtime_receipt.json` verifies required tables, two active admins, durable lockout, session revocation, trusted proxy policy and no-secret mutation audit readiness. Runtime is intentionally hybrid because zero database-admin success receipts have been captured; `auto` retires shared authority after two durable successes without a manual review gate. Next: capture database-admin login receipts and verify automatic database-only cutover. | | 4 | `SEC-P0-003` | In progress | Webhook trust and replay protection | Telegram secret-token verification code exists; production secret activation remains unproven. Exit: secret provisioned outside source, required mode enabled, invalid-secret 401 and authorized callback canary pass. | | 5 | `SUPPLY-P0-001` | In progress | Gitea-only secure software supply chain | Gitea-native checkout, secret-safe `.dockerignore`, commit-bound source receipt and governance gate are active. Exit: exact dependency lock, internal SAST/SCA/secret scan, SBOM, image digest/provenance, vulnerability SLA and production digest readback. | | 6 | `GOV-P0-001` | In progress | Canonical full asset graph + runtime reconciliation | `governance/ewoooc_asset_inventory.json` seeds hosts, services, data, AI, routes, supply chain, observability and recovery. Exit: same-run probe receipt for every asset; drift auto-creates work items. | @@ -26,7 +26,17 @@ | 8 | `RAG-P0-001` | Not started | Internal RAG candidate canary | V10.770 stops at candidate preview. Exit: bounded pgvector candidate canary, signature/readback/feedback receipt, no price write and no premature `ai_insights` promotion. Next: `run_internal_rag_candidate_canary`. | | 9 | `MCP-P0-001` | In progress | MCP/RAG production runtime closure | Registry and smoke wiring exist, but runtime flags/ports must be live. Exit: MCP servers healthy, router enabled, RAG enabled, approved caller/tool boundary and production query canary pass. | | 10 | `SEC-P0-004` | Not started | Security operations lifecycle and metrics | Add durable security incident state and publish MTTA, MTTR, recurrence, false positive, human intervention, verifier pass, rollback and freshness. Exit: detect-to-learn production receipt. | -| 11 | `REL-P0-001` | In progress | Formal deploy and visible proof discipline | Production remains V10.787 while V10.789 identity and comparison-coverage source is under verification; SEC-P0-001 stays closed with `momo-db` unchanged. Gitea CD #1120 remains waiting because no `ewoooc-host` runner is online. Exit: deploy V10.789 through the bounded fallback, preserve the DB identity, and retain CD/runtime/visible proof separately. | +| 11 | `REL-P0-001` | In progress | Formal deploy and visible proof discipline | Gitea main is `69448663a0b850b88c2af83e668303e035f3f9d6`; dev carries the same change as `4bfb9db`. Actions #1121 is queued because no `ewoooc-host` runner is online, so the bounded fallback deployed V10.789 with exact-file SHA verification, rollback image, three-app recreation and post-verifier. Production health is green and `momo-db` stayed `cd092451cb5fd555d0ffff70642e109f3b742882c418beeab631793d1e9dc55d`. Next: restore the dedicated runner and make compose-only environment changes use a bounded sync/recreate path instead of an unnecessary no-cache dependency rebuild. | + +### GROWTH-P0-001 Fixed Execution Lanes + +These lanes are one ordered current P0, not optional side work. They must advance in this order and keep formal-price writes behind verified same-item evidence. + +| Lane | Status | Production baseline | Next machine action | +|---|---|---|---| +| A. Sales freshness | Blocked with safe next action | Latest sales date `2026-06-24`, age 20 days; authorized Google Drive acquisition found zero new Excel files and persisted receipt `99ea059df27d4fd1b31d3edccf1e02dc`. | Retry all authorized source adapters every 30 minutes, reconcile source inventory/freshness, import transactionally when a newer file appears, and independently verify the resulting snapshot date. | +| B. Verified same-item evidence | In progress | TOP 50: `5` verified, `4` candidate/source validation, `41` unmatched. Active seven-day catalog: `23/1,938` mapped (`1.19%`). The first bounded MOMO catch-up scanned 7 products and correctly wrote 0 unverified offers. | Prioritize unmatched products by revenue contribution, replay deterministic identity and unit/variant checks across approved sources, promote only independently verified same-item evidence, and publish coverage delta per run. | +| C. Platform runtime coverage | In progress | `1/15` registered external sources currently contributes formal runtime data (`6.7%`). PixelRAG remains evidence-only. | Activate approved structured adapters in source-contract order, use PixelRAG/OCR/VLM only to generate replayable candidates, classify anti-bot pages as blocked evidence, and require provenance/freshness/verifier receipts before formal price promotion. | ## P1