feat(security): automate governance review and access controls

This commit is contained in:
ogt
2026-07-10 18:49:32 +08:00
parent cd12e48505
commit 6b8bd8bb05
26 changed files with 1977 additions and 99 deletions

View File

@@ -1,8 +1,20 @@
# PChome 業績成長自動化作戰系統 — AI 競價情報模組 Single Source of Truth
> **最後更新**: 2026-07-10 (台北時間)
> **狀態**: 🟢 四 AI Agent 自動化閉環已落地LLM 路由紅線升級為 Ollama-first 三主機級聯PChome 後台業績匯入韌性已補強產品定位正名為「PChome 業績成長自動化作戰系統」外部市場來源正規化層、自動同步、作戰清單與價格參考表優先讀取、CSV 備援預檢、前台操作入口、高可見頁面繁中化守門、比價/作戰 UI 工作台化、AI 密集工作台文字密度守門、跨平台來源治理、商品身份 UI 契約、sitewide visual QA runtime readback、external MCP/RAG integration monitoring、PixelRAG RAG candidate replay monitoring、PixelRAG OCR/VLM replay contract monitoring、PixelRAG application portfolio、PChome auto-policy authorization guard monitoring、decision preflight machine evidence monitoring、decision closeout monitoring、authorization issuer gate monitoring、signing decision preflight monitoring、signing decision closeout monitoring、signing issuer guard monitoring、signing issuer closeout monitoring、signing execution preflight monitoring、signing execution closeout monitoring、signed receipt preflight monitoring、signed receipt closeout monitoring、signed receipt evidence intake monitoring、detached verification evidence validation monitoring、verifier receipt closeout monitoring、authorization evidence execution preflight monitoring、authorization evidence execution closeout monitoring、controlled apply final preflight monitoring、controlled dry-run package monitoring 與 controlled dry-run receipt closeout monitoring 已建立GCP embedding 熔斷延後處理、110 proxy rescue 與 direct host health skip 已建立
> **適用版本**: V10.770
> **狀態**: 🟠 Partial。四 Agent、PixelRAG、MCP/RAG registry、PChome controlled-preview families 與多項 smoke/readback 已建立;但 access control、database identity/RBAC、full asset reconciliation、software supply chain、same-run controlled apply、restore drill、internal RAG canary 與 MCP/RAG runtime closure 尚未全部完成。任何局部 receipt 不得代表整體閉環完成。
> **適用版本**: V10.771
---
## 零之負一、資訊安全與治理自動化基準2026-07-10
- ADR-038 採 NIST CSF 2.0 `GOVERN / IDENTIFY / PROTECT / DETECT / RESPOND / RECOVER` 作為 program 結構OWASP ASVS 5.0.0 L2 作為應用基準NIST SSDF SP 800-218 v1.1 作為供應鏈基準。
- `governance/ewoooc_asset_inventory.json` 是 full-asset seed欄位完整不等於 runtime reconciliation 完成。
- `services/http_access_policy_service.py` 統一保護 vendor、import、CI/CD、crawler、category、logs 與 operator surfacespublic exception 必須有明確 transport auth 或 public allowlist。
- `services/security_governance_review_service.py``scripts/ops/report_security_governance_review.py``/api/ai-automation/security-governance-review` 提供 machine-readable checks、completion、release gate 與 ordered work items。
- Gitea CD 必須執行 `report_security_governance_review.py --strict`,且不得解析 GitHub action/source/image。
- production 安全與治理完成度必須分開顯示 program、asset coverage、runtime closure目前結論是 partial不是 complete。
- 目前 ordered P0 以 `docs/guides/ai_automation_mainline_work_items.md` 為準:先關閉 access exposure再做 identity/RBAC、webhook trust、supply chain、asset reconciliation、controlled-apply envelope、internal RAG canary 與 MCP/RAG runtime closure。
---

View File

@@ -5,6 +5,7 @@
- **Deciders**: 統帥
- **Related**: ADR-001三 Agent 分工), ADR-004NemoTron Fallback, ADR-007AI Dual-Write, ADR-011跨專案隔離, ADR-018四 AI Agent 自動化控制面)
- **Note**: [ADR-020](ADR-020-code-review-full-autoheal.md) 局部覆寫本 ADR 對「post-deploy code review pipeline」場景的 L3 HITL 規定 — 該場景改採全自動修復 + Git/CI/CD 回滾安全網。本 ADR 對 schema migration / 流量切換 / customer-facing 廣播 / AIOps prod SSH 等其他 L3 場景仍生效。
- **2026-07-10 Sunset**: [ADR-038](ADR-038-security-governance-automation-control-plane.md) 覆寫 generic owner/manual/HITL terminal gate。low/medium/high 改採 risk-based controlled applycritical break-glass 類型仍保留外部授權。
## Context

View File

@@ -4,6 +4,7 @@
- **Date**: 2026-04-29
- **Deciders**: 統帥
- **Related**: ADR-001, ADR-004, ADR-007, ADR-009, ADR-011, ADR-012, ADR-013
- **2026-07-10 Update**: ADR-038 將 ElephantAlpha 的 generic HITL 改為 risk-based controlled apply只有 critical break-glass 類型維持外部授權。
## Context

View File

@@ -0,0 +1,101 @@
# ADR-038: Security Governance Automation Control Plane
- **Status**: Accepted
- **Date**: 2026-07-10
- **Decider**: Product owner
- **Supersedes**: generic owner/manual/HITL terminal gates in ADR-012 and ADR-018 for low/medium/high risk work
- **Related**: ADR-011, ADR-012, ADR-013, ADR-018, ADR-020, ADR-031, ADR-032, ADR-033
## Context
EwoooC has many AI automation receipts, smoke families and guarded preview stages, but the program still cannot prove a complete information-security and governance loop. Production review found four structural gaps:
1. Sensitive routes evolved blueprint by blueprint instead of behind one deny-by-default policy.
2. Asset, identity, dependency, backup and AI runtime evidence are not reconciled by one control plane.
3. Preview/review stages do not share one `trace_id/run_id/work_item_id` through execution, verifier, rollback and learning.
4. Source/test/UI evidence has repeatedly been reported ahead of production runtime closure.
## Decision
### 1. Control model
Use NIST CSF 2.0 as the program structure:
- GOVERN: policy, ownership, risk, supply chain and measurable targets.
- IDENTIFY: canonical asset graph, dependency inventory and risk assessment.
- PROTECT: identity, authorization, secure defaults, data and platform controls.
- DETECT: fresh logs, metrics, traces, anomaly signals and control drift.
- RESPOND: correlated incident, bounded action, verifier and communication receipts.
- RECOVER: rollback/retry, backup/restore, RPO/RTO and learning writeback.
OWASP ASVS 5.0.0 L2 is the application baseline, with selected L3 controls for operator, webhook, AI execution and admin surfaces. NIST SSDF SP 800-218 v1.1 is the software-supply-chain baseline.
### 2. Source of truth
Completion evidence is ordered:
1. production runtime receipt, independent post-verifier and durable DB receipt;
2. Gitea main/deploy marker/CD run/production readback;
3. committed machine-readable inventory, policy and tests;
4. docs and snapshots;
5. conversation.
Lower evidence cannot promote a higher incomplete layer to completed.
### 3. Controlled apply
Low, medium and high risk work defaults to controlled apply with blast-radius controls. Only critical break-glass classes remain externally gated: plaintext secrets, destructive database/storage operations, host/network cutovers, credentialed offensive scans, paid provider or core runtime replacement without replay/shadow/canary, destructive Git operations and raw secret-volume access.
Every side-effect run must retain one `trace_id/run_id/work_item_id` across:
`sensor -> normalize -> correlate -> decide -> risk/check -> bounded execute -> independent verify -> retry/rollback -> learn/writeback`
Any missing stage produces `partial` or `degraded`, never completed.
### 4. Machine-readable controls
- `governance/ewoooc_asset_inventory.json` is the canonical asset seed and must be reconciled against runtime receipts.
- `services/http_access_policy_service.py` is the central policy for sensitive HTTP surfaces.
- `services/security_governance_review_service.py` produces NIST/OWASP-aligned findings, completion scores and ordered work items.
- `scripts/ops/report_security_governance_review.py --strict` is the source release gate.
- `/api/ai-automation/security-governance-review` is the protected production readback.
### 5. Legacy policy sunset
| Legacy policy | Owner | Expiry | Replacement | Verifier |
|---|---|---|---|---|
| Generic HITL/manual terminal for low/medium/high | product-governance | 2026-07-10 | risk-based controlled apply in ADR-038 | governance review work-item state |
| Shared password treated as complete RBAC | security | 2026-07-31 | database identity + least-privilege role migration | anonymous/role route matrix |
| `actions/checkout@v4` in Gitea CD | delivery | 2026-07-10 | Gitea job-token source checkout | Gitea-only supply-chain gate |
| Backup script treated as recovery completion | resilience | 2026-07-31 | checksum/offsite/isolated restore receipt | RPO/RTO restore verifier |
| Registry or preview readiness treated as runtime completion | AI platform | 2026-07-17 | MCP/RAG live health and internal RAG canary | production smoke/readback |
## Alternatives Considered
- Keep adding domain-specific receipt stages: rejected because it increases surface area without unifying assurance.
- Make every action human-approved: rejected for low/medium/high because it defeats the product's AI automation goal.
- Make every action fully autonomous without independent verification: rejected because it cannot bound production risk.
- Adopt an external governance platform as the source of truth: rejected until internal asset and receipt contracts are stable and exportable.
## Consequences
Positive:
- Security and AI automation use the same measurable closure contract.
- Drift becomes a work item instead of an undocumented manual observation.
- Release gating can block critical source regressions without pretending all runtime debt is complete.
- Product, asset and runtime completion remain separate and honest.
Costs and risks:
- Existing routes and automation lanes require gradual migration.
- Shared identity, webhook secret activation, non-root containers and restore drills need canary rollout.
- The initial asset inventory has complete required fields but runtime reconciliation remains partial.
## Verification
1. `python3 scripts/ops/report_security_governance_review.py --strict` returns exit 0.
2. Anonymous requests to sensitive read/operator surfaces return 401 or login redirect.
3. Gitea workflow contains no external `uses:` action or forbidden GitHub source.
4. Production endpoint reports zero release-blocking source failures.
5. Program, asset and runtime closure percentages are reported separately.

View File

@@ -59,6 +59,7 @@
| [035](ADR-035-cross-platform-market-campaign-intelligence.md) | 跨平台市場活動情報系統 | Accepted | 2026-05-06 |
| [036](ADR-036-fastapi-strangler-not-frontend-prerequisite.md) | FastAPI Strangler Migration不作為前端 V3 前置條件 | Accepted | 2026-05-12 |
| [037](ADR-037-webcrumbs-shared-ui-runtime.md) | Webcrumbs 共用 UI Runtime 接入 | Accepted | 2026-05-31 |
| [038](ADR-038-security-governance-automation-control-plane.md) | 資訊安全與治理自動化控制面NIST CSF / OWASP ASVS / SSDF | Accepted | 2026-07-10 |
## 規範

View File

@@ -1,50 +1,85 @@
# AI Automation Mainline Work Items
> Updated: 2026-07-10
> Scope: EwoooC / MOMO Pro System AI automation, PixelRAG, MCP/RAG, production UX.
> Governance: `global_product_governance_v2` + ADR-038
> Current P0: `SEC-P0-001 deny-by-default access control`
## Source Of Truth
- Production readback stays authoritative after deploy: `/health`, container health, AI automation API readback, and smoke.
- Gitea is the only source-control truth. GitHub remains frozen and must not be used.
- Runtime truth must stay separate from source truth: a green test or registry does not mean MCP/RAG runtime is enabled.
- PixelRAG visual receipts are evidence, not formal price truth. They cannot write `competitor_prices`, `competitor_price_history`, or `ai_insights` without replay and promotion gates.
- Production runtime receipt/post-verifier/durable DB receipt is authoritative.
- Gitea main, deploy marker, CD run and production readback are the only source/deploy truth; GitHub remains frozen.
- Source/test/UI/CD green does not mean runtime closure.
- Completion must report program, asset coverage and runtime closure separately.
- PixelRAG visual evidence cannot write formal prices or `ai_insights` before identity, PromotionGate and internal RAG canary proof.
## P0
## Ordered P0
| Status | Work item | Evidence / next machine action |
|---|---|---|
| Completed | Multi-commerce PixelRAG visual evidence lane for momo, pchome, shopee_tw, coupang_tw, yahoo_shopping_tw, etmall_tw, friday_tw, rakuten_tw | API and CLI can emit expansion plans and marketplace manifests; PChome parser failures can queue manifests. |
| Completed | External MCP/RAG capability inventory absorbed into internal governance readback | `/api/ai-automation/external-mcp-rag-integration` and `scripts/ops/report_external_mcp_rag_integration.py` expose 9 capabilities, absorbed/unresolved counts, and runtime flags. |
| Completed | PixelRAG receipts to internal RAG candidate replay | `/api/ai-automation/pixelrag-rag-candidate-replay` and `scripts/ops/report_pixelrag_rag_candidate_replay.py` read visual capture receipts and platform probe worker receipts, split eligible / blocked / source-contract-fallback candidates, and expose combined OCR/VLM + source-contract next actions before identity matching and PromotionGate knowledge writes. |
| Completed | PixelRAG source-contract replay worker | `/api/ai-automation/pixelrag-source-contract-replay-worker` and `scripts/ops/run_pixelrag_source_contract_replay_worker.py` turn platform probe worker `source_contract_fallback` receipts into replayable source-contract artifact receipts with provenance, public-boundary, no-DB, and blocked-page-not-product-data guards. |
| Completed | PixelRAG marketplace source-contract adapter preflight | `/api/ai-automation/pixelrag-marketplace-source-contract-adapter-preflight` and `scripts/ops/run_pixelrag_marketplace_source_contract_adapter_preflight.py` validate source-contract replay receipts for adapter readiness, canonical offer fields, provenance/rate-limit/public-boundary requirements, and no-write promotion gates. |
| Completed | PixelRAG marketplace adapter dry-run | `/api/ai-automation/pixelrag-marketplace-source-contract-adapter-dry-run` and `scripts/ops/run_pixelrag_marketplace_source_contract_adapter_dry_run.py` turn adapter preflight receipts into deterministic no-write field contracts and offer candidate contracts, with price writes blocked until identity matcher replay and PromotionGate. |
| Completed | PixelRAG marketplace identity matcher replay | `/api/ai-automation/pixelrag-marketplace-identity-matcher-replay` and `scripts/ops/run_pixelrag_marketplace_identity_matcher_replay.py` turn adapter dry-run receipts into deterministic identity candidate contracts and source provenance checks, with price writes blocked until PromotionGate replay. |
| Completed | PixelRAG marketplace PromotionGate replay | `/api/ai-automation/pixelrag-marketplace-promotion-gate-replay` and `scripts/ops/run_pixelrag_marketplace_promotion_gate_replay.py` turn identity matcher receipts into deterministic PromotionGate contracts and embedding-signature readiness, with price writes still blocked. |
| Completed | PixelRAG marketplace embedding signature guard replay | `/api/ai-automation/pixelrag-marketplace-embedding-signature-guard-replay` and `scripts/ops/run_pixelrag_marketplace_embedding_signature_guard_replay.py` turn PromotionGate receipts into deterministic embedding-signature guard contracts and candidate-knowledge readiness, with DB and price writes still blocked. |
| Completed | PixelRAG marketplace candidate knowledge replay | `/api/ai-automation/pixelrag-marketplace-candidate-knowledge-replay` and `scripts/ops/run_pixelrag_marketplace_candidate_knowledge_replay.py` turn embedding-signature guard receipts into deterministic internal RAG candidate preview contracts, with DB, `ai_insights`, and price writes still blocked until canary. |
| Completed | PixelRAG application portfolio and integration lanes | `/api/ai-automation/pixelrag-application-portfolio` and `scripts/ops/report_pixelrag_application_portfolio.py` expose commerce, RAG, UX, ops, marketing, and governance uses with priority, status, next machine action, and forbidden guardrails. |
| Completed | PixelRAG Ollama-first VLM replay worker | `/api/ai-automation/pixelrag-vlm-replay-worker` and `scripts/ops/run_pixelrag_vlm_replay_worker.py` dry-run or execute ready visual receipts against approved Ollama VLM routes, emit evidence-bound artifact receipts, and keep blocked pages out of product data. |
| Completed | PixelRAG VLM route readiness and auto model select | `/api/ai-automation/pixelrag-vlm-route-readiness` and `scripts/ops/report_pixelrag_vlm_route_readiness.py` read approved Ollama `/api/tags`, expose configured/candidate model readiness, and let execute mode avoid missing-model blind generate calls. |
| Completed | PixelRAG platform probe worker | `/api/ai-automation/pixelrag-platform-probe-worker` and `scripts/ops/run_pixelrag_platform_probe_worker.py` turn platform probe plans into dry-run/execute automation: Shopee interstitials go to public empty-context capture when runtime is available, missing Playwright auto-falls back to structured-source/backoff receipt, and Coupang 403/access denied goes to structured-source/backoff artifact receipts. |
| In progress | MCP/RAG runtime health in AI automation smoke | `/api/ai-automation/smoke` and `/api/ai-automation/scheduled-health-summary` include external MCP/RAG integration, PixelRAG RAG candidate replay, PixelRAG OCR/VLM replay contract, PixelRAG VLM route readiness, PixelRAG VLM replay worker, PixelRAG platform probe, PixelRAG platform probe worker, source-contract replay, adapter preflight, adapter dry-run, identity matcher replay, PromotionGate replay, embedding signature guard replay, and candidate knowledge replay families. |
| In progress | Formal production deploy/readback discipline | Every mainline change must update version, push Gitea main/dev, deploy to 188 without touching `momo-db`, and read back `/health` plus new endpoints. |
| Order | ID | Status | Work item | Exit evidence / next machine action |
|---:|---|---|---|---|
| 1 | `SEC-P0-001` | In progress | Deny-by-default route access control | Central policy now protects vendor/import/CI-CD/crawler/category/log/operator and sales-detail surfaces; every anonymous GET is explicitly allowlisted. Exit: anonymous production matrix passes and `/metrics` moves behind edge/internal auth. Next: `verify_production_anonymous_matrix_and_move_metrics_behind_edge_auth`. |
| 2 | `SEC-P0-002` | Not started | Database identity + least-privilege RBAC | Replace shared admin password, default-admin fallback, process-local lockout and spoofable proxy identity. Exit: shadow auth, role matrix, durable audit/lockout, session revocation and canary cutover. |
| 3 | `SEC-P0-003` | In progress | Webhook trust and replay protection | Telegram secret-token verification code exists; production secret activation remains unproven. Exit: secret provisioned outside source, required mode enabled, invalid-secret 401 and authorized callback canary pass. |
| 4 | `SUPPLY-P0-001` | In progress | Gitea-only secure software supply chain | Gitea-native checkout and governance gate added. Exit: exact dependency lock, internal SAST/SCA/secret scan, SBOM, image digest/provenance, vulnerability SLA and production digest readback. |
| 5 | `GOV-P0-001` | In progress | Canonical full asset graph + runtime reconciliation | `governance/ewoooc_asset_inventory.json` seeds hosts, services, data, AI, routes, supply chain, observability and recovery. Exit: same-run probe receipt for every asset; drift auto-creates work items. |
| 6 | `GOV-P0-002` | Not started | Unified controlled-apply envelope | Introduce one `trace_id/run_id/work_item_id` across sensor, identity, SOT diff, decision, risk, dry-run, execution, verifier, rollback/retry and learning acknowledgement. Start with EventRouter + AutoHeal. |
| 7 | `RAG-P0-001` | Not started | Internal RAG candidate canary | V10.770 stops at candidate preview. Exit: bounded pgvector candidate canary, signature/readback/feedback receipt, no price write and no premature `ai_insights` promotion. Next: `run_internal_rag_candidate_canary`. |
| 8 | `MCP-P0-001` | In progress | MCP/RAG production runtime closure | Registry and smoke wiring exist, but runtime flags/ports must be live. Exit: MCP servers healthy, router enabled, RAG enabled, approved caller/tool boundary and production query canary pass. |
| 9 | `SEC-P0-004` | Not started | Security operations lifecycle and metrics | Add durable security incident state and publish MTTA, MTTR, recurrence, false positive, human intervention, verifier pass, rollback and freshness. Exit: detect-to-learn production receipt. |
| 10 | `REL-P0-001` | In progress | Formal deploy and visible proof discipline | Every functional change bumps version, passes Gitea CD, deploys only three app containers, leaves `momo-db` untouched, and reads back `/health`, new APIs and visible UI/security behavior. |
## P1
| Status | Work item | Evidence / next machine action |
| Order | ID | Status | Work item | Exit evidence / next machine action |
|---:|---|---|---|---|
| 11 | `RES-P1-001` | Not started | Backup/offsite/restore automation | Fresh checksum and offsite coverage plus isolated non-destructive restore drill with measured RPO/RTO. |
| 12 | `PLAT-P1-001` | Not started | Non-root container and capability hardening | Shadow non-root image, writable-path inventory, capability drop/read-only filesystem canary, three-app rollout. |
| 13 | `APPSEC-P1-001` | In progress | CSP and DOM/XSS hardening | Security headers are present and CSP is report-only. Collect violations, remove high-risk `innerHTML`/inline sinks, then enforce CSP by canary. |
| 14 | `APPSEC-P1-002` | Not started | Unsafe shared-cache serialization removal | Replace writable pickle caches in dashboard/daily-sales/EDM/sales with constrained JSON or signed schema. |
| 15 | `ARCH-P1-001` | In progress | Split oversized policy/executor/verifier modules | Current top debts include 44k-line PChome mapping and 14k-line smoke service. Split by bounded family and independent tests. |
| 16 | `UX-P1-001` | In progress | Professional full-site UI/UX | Complete first-viewport cockpit, progressive disclosure, text-density reduction, Traditional Chinese product copy, accessibility, loading/error/empty/degraded states and desktop/mobile visual smoke. |
| 17 | `PIXELRAG-P1-001` | Not started | Ollama-first multimodal embedding benchmark | Verify approved visual embedding on GCP-A -> GCP-B -> 111 and design pgvector-compatible visual metadata; FAISS remains disallowed without ADR. |
| 18 | `MARKET-P1-001` | In progress | Marketplace source contracts | Finish stable, public-boundary, provenance and rate-limit contracts for Shopee, Coupang, Yahoo, ETMall, Friday and Rakuten; blocked pages remain non-product data. |
| 19 | `QA-P1-001` | In progress | Deterministic test and CI governance | Current baseline is 1,701 passed / 30 legacy failures / 9 skipped plus one missing report module at collection. Restore or retire the missing contract, remove wall-clock/copy drift, and split deterministic release tests from nightly integration and production canaries. |
## P2
| Order | ID | Status | Work item | Exit evidence / next machine action |
|---:|---|---|---|---|
| 20 | `GOV-P2-001` | Not started | Continuous NIST/ASVS control trend | Persist governance snapshots, compare control/asset/runtime drift and create ordered work items automatically. |
| 21 | `DATA-P2-001` | Not started | Data classification and retention enforcement | Classify business, personal, operational and model data; automate retention, deletion eligibility and audit evidence without destructive default actions. |
| 22 | `CHAOS-P2-001` | Not started | Controlled resilience exercises | Run non-destructive model-host, MCP, queue, Telegram and app-container failure drills with rollback and learning receipts. |
## Completed Foundations
These are reusable foundations, not proof that the full program is complete.
| Status | Capability | Current boundary |
|---|---|---|
| Completed | OCR/VLM replay contract for visual fields | `/api/ai-automation/pixelrag-ocr-vlm-replay` and `scripts/ops/report_pixelrag_ocr_vlm_replay.py` turn saved tiles into no-write field contracts, output schemas, validation rules, and Ollama-first worker actions. |
| Completed | Ollama-first OCR/VLM extraction worker | `run_pixelrag_vlm_replay_worker.py --execute --write-receipt` executes the replay contract against approved Ollama multimodal routes and emits confidence/evidence artifact receipts without writing formal price truth. |
| Not started | Ollama-first multimodal embedding benchmark | Verify local Qwen3-VL or equivalent visual embedding on GCP-A -> GCP-B -> 111 before any visual vector retrieval. |
| Not started | pgvector-compatible visual evidence metadata | Design metadata-first retrieval without FAISS in production unless ADR approves a different store. |
| In progress | Coupang platform probe / structured API strategy | Treat 403 as platform barrier; `run_pixelrag_platform_probe_worker.py --execute --write-receipt` now emits structured-source/backoff receipts without network, DB writes, or product-data promotion. |
| In progress | Marketplace source contracts beyond MOMO/PChome | Source-contract replay receipts now enter marketplace adapter preflight as artifact receipts; next machine action is adapter dry-run for stable Shopee/Coupang/Yahoo/ETMall/friday/Rakuten contracts after provenance, rate-limit, public boundary, and replay evidence. |
| In progress | Professional product website UI/UX text reduction | Continue compact AI surfaces, visual QA, and user-facing copy guardrails; avoid engineering logs or work-session prose in the UI. |
| Completed | Multi-commerce PixelRAG visual evidence for momo, pchome, shopee_tw, coupang_tw, yahoo_shopping_tw, etmall_tw, friday_tw, rakuten_tw | Evidence-only; blocked pages are not product data. |
| Completed | External MCP/RAG capability inventory | Registry/integration readback exists; runtime enablement remains P0. |
| Completed | PixelRAG receipt -> RAG candidate replay | Candidate-only; no formal knowledge or price write. |
| Completed | Source-contract replay worker | Public-boundary artifact receipts only. |
| Completed | Marketplace adapter preflight and dry-run | Deterministic no-write contracts. |
| Completed | Marketplace identity matcher replay | Candidate identity only. |
| Completed | PromotionGate replay | No production write. |
| Completed | Embedding-signature guard replay | Signature readiness only. |
| Completed | Candidate knowledge replay | Internal RAG preview only; canary remains P0. |
| Completed | PixelRAG application portfolio | Commerce/RAG/UX/ops/marketing/governance inventory. |
| Completed | Ollama-first VLM route readiness and replay worker | Evidence-bound artifact output; no direct price write. |
| Completed | Platform probe worker | Shopee/Coupang barriers become structured fallback/backoff receipts. |
## Always Enforced
## Definition Of Done
- Manual review is exception-only for low-risk, machine-verifiable controlled apply.
- Break-glass still applies to secrets, destructive DB actions, force pushes, production provider switchovers, raw runtime volumes, and unverified core model replacement.
- AI automation smoke must expose health honestly: `MCP_ROUTER_ENABLED=false` or `RAG_ENABLED=false` is a runtime gap, not a source-code failure.
A work item can be `Completed` only when the same production run contains:
1. sensor/source receipt;
2. normalized canonical asset identity;
3. source-of-truth diff;
4. AI decision and candidate action;
5. risk/policy decision;
6. check-mode/dry-run receipt;
7. idempotent bounded execution receipt;
8. independent post-verifier and rollback/no-write terminal;
9. incident/Telegram/KM/RAG/MCP/PlayBook durable acknowledgement.
Missing any stage means `partial`, `degraded` or `blocked_with_safe_next_action`.