Files
ewoooc/docs/guides/ai_automation_mainline_work_items.md

15 KiB

AI Automation Mainline Work Items

Updated: 2026-07-15 17:16 Asia/Taipei Governance: global_product_governance_v2 + ADR-038 Current P0: GROWTH-P0-001 comparison coverage truth + autonomous refresh

Source Of Truth

  • Production runtime receipt/post-verifier/durable DB receipt is authoritative.
  • Gitea main, deploy marker, CD run and production readback are the only source/deploy truth; GitHub remains frozen.
  • Source/test/UI/CD green does not mean runtime closure.
  • Completion must report program, asset coverage and runtime closure separately.
  • PixelRAG visual evidence cannot write formal prices or ai_insights before identity, PromotionGate and internal RAG canary proof.

Ordered P0

Order ID Status Work item Exit evidence / next machine action
1 SEC-P0-001 Completed Deny-by-default route access control governance/evidence/SEC-P0-001-20260711T122758Z.json plus the current runtime receipt prove anonymous matrix 8/8 denied, public /metrics 404, exact internal target up, EwoooC product markers present, Prometheus identity preserved and momo-db unchanged.
2 GROWTH-P0-001 In progress (runtime_partial) Comparison coverage truth + autonomous refresh V10.801 is live at exact Gitea object c091c466c203d7e26c8ed576f573e7e930df34d1. Production run 7b3b140c076b43be8c79bd85448fbc49 scanned 20, retained one source-disallowed unit-price as candidate-only, wrote three total-price exact offers after check-mode and read all 3/3 back by exact identity. Yahoo is now active + enabled + write_enabled; fixed cohort 7b74504fcc1e1801c2ca2b42 remains unchanged while production moves to 24 ready + 1 candidate validation + 25 unmatched, 48% count, 57.9% revenue and 2/15 formal platforms. Next: continue the next revenue-weighted batch without relaxing identity/variant/unit gates, and add the next approved structured marketplace adapter.
3 SEC-P0-002 In progress (canary_ready) Database identity + least-privilege RBAC V10.789 is live and governance/auth_identity_runtime_receipt.json verifies required tables, two active admins, durable lockout, session revocation, trusted proxy policy and no-secret mutation audit readiness. Runtime is intentionally hybrid because zero database-admin success receipts have been captured; auto retires shared authority after two durable successes without a manual review gate. Next: capture database-admin login receipts and verify automatic database-only cutover.
4 SEC-P0-003 In progress Webhook trust and replay protection Telegram secret-token verification code exists; production secret activation remains unproven. Exit: secret provisioned outside source, required mode enabled, invalid-secret 401 and authorized callback canary pass.
5 SUPPLY-P0-001 In progress Gitea-only secure software supply chain Gitea-native checkout, secret-safe .dockerignore, commit-bound source receipt and governance gate are active. Exit: exact dependency lock, internal SAST/SCA/secret scan, SBOM, image digest/provenance, vulnerability SLA and production digest readback.
6 GOV-P0-001 In progress Canonical full asset graph + runtime reconciliation governance/ewoooc_asset_inventory.json seeds hosts, services, data, AI, routes, supply chain, observability and recovery. Exit: same-run probe receipt for every asset; drift auto-creates work items.
7 GOV-P0-002 Not started Unified controlled-apply envelope Introduce one trace_id/run_id/work_item_id across sensor, identity, SOT diff, decision, risk, dry-run, execution, verifier, rollback/retry and learning acknowledgement. Start with EventRouter + AutoHeal.
8 RAG-P0-001 Not started Internal RAG candidate canary V10.770 stops at candidate preview. Exit: bounded pgvector candidate canary, signature/readback/feedback receipt, no price write and no premature ai_insights promotion. Next: run_internal_rag_candidate_canary.
9 MCP-P0-001 In progress (federation_source_ready) MCP/RAG production runtime closure V10.796 source adds a strict public aggregate receipt for canonical ewoooc and momo-pro-system identities without opening authenticated internal APIs or exposing endpoint/tool payload data. Exit still requires V10.796 production /health, two fresh AWOOOI durable receipts with fingerprint recompute, live MCP servers/router/RAG, approved caller/tool boundary and production query canary. Current source readiness must not be reported as runtime closure.
10 SEC-P0-004 Not started Security operations lifecycle and metrics Add durable security incident state and publish MTTA, MTTR, recurrence, false positive, human intervention, verifier pass, rollback and freshness. Exit: detect-to-learn production receipt.
11 REL-P0-001 In progress (runtime_verified_cd_degraded) Formal deploy and visible proof discipline Production runtime source object is d74aa60; the corresponding dev runtime merge is c0182b2. Host 110 still exposes only paused vibework-dedicated-runner, with no matching EwoooC runner, so this release has no formal CD execution receipt. Bounded exact-object fallbacks deployed the analytics contract at V10.807; the contract archive SHA-256 is 7c6fc794ac699c6a42f7be8871cbc37f1bb2cfc5c4b7db1598ef8bc6f6d85cca and final label archive SHA-256 is 9829ffb22f9989444eb80996cfa9fd481dd0c579547e6c5c6cd6ba9aea82d2cd, with rollback copies under /home/ollama/momo-deploy-backups/analytics-period-contract-20260715T090919Z-ec40d16 and /home/ollama/momo-deploy-backups/analytics-period-label-20260715T091335Z-d74aa60. Internal/external /health is healthy at V10.807; app-only recreate preserved scheduler, Telegram bot and momo-db ID cd092451cb5fd555d0ffff70642e109f3b742882c418beeab631793d1e9dc55d. Runner recovery remains a release-governance gap and is not replaced by fallback evidence.

GROWTH-P0-001 Fixed Execution Lanes

These lanes are one ordered current P0, not optional side work. They must advance in this order and keep formal-price writes behind verified same-item evidence.

Lane Status Production baseline Next machine action
A. Sales freshness In progress (sla_runtime_closed_source_redundancy_partial) Latest sales date 2026-07-13; before the 2026-07-15 20:00 cutoff, raw lag is 2 but SLA lag is 0, state is grace and decisions remain released. Scheduler receipt 0f24219e0bbb4740b7ad6645e7952296 and explicit canary receipt 6e2df008f65544fe8e557c11ff0dbb93 both persisted completed_no_write; durable decision is no_candidate_fresh_no_write. Live and persisted readiness now agree at Google Drive 1/4; HTTPS, IMAP and local remain disabled. Continue automatic report-arrival reconciliation. At/after 20:00 require 2026-07-14 or automatically block decision use, emit the bounded upstream action and verify the next arrival receipt; keep source redundancy partial until another approved source is live.
B. Verified same-item evidence In progress TOP50 fixed cohort: 24 verified, 1 candidate/source validation, 25 unmatched. Count coverage is 48%; revenue-weighted coverage is NT$204,975 / NT$354,062 = 57.9%. V10.797 outer-pack false exact candidates were quarantined without deletion; V10.798 normalizes nested quantity, V10.799 fixes cohort membership, and V10.801 run 7b3b140c076b43be8c79bd85448fbc49 added three independently verified Yahoo offers without changing fingerprint 7b74504fcc1e1801c2ca2b42. Continue the next revenue-weighted unresolved batch only when source evidence is fresh, preserve deterministic identity/unit/variant gates, and publish count/revenue deltas against the same fingerprint per run.
C. Platform runtime coverage In progress (runtime_canary_activated) V10.801 is live; Yahoo run 7b3b140c076b43be8c79bd85448fbc49 separated one unit-price candidate, wrote/read back three exact offers and atomically enabled the source after exceeding the two-offer threshold. Formal runtime is now 2/15; PixelRAG remains evidence-only. Repeat bounded refresh on schedule, monitor expiry/recurrence/rollback signals, then implement the next approved structured source contract for Shopee, Coupang, ETMall, Friday or Rakuten without treating blocked pages as product data.

Analytics Period-Linkage Closure

This bounded interruption is closed and control returns to GROWTH-P0-001 without changing its lane order.

Completion layer Status Production evidence
Program Completed for the four primary analysis tabs Daily sales, sales analysis, growth analysis and monthly summary now share one canonical day/month/range contract; cross-tab links preserve the selected period.
Asset coverage 4/4 pages and 2/2 sales async APIs verified Daily KPI/calendar/charts/Top 10, growth KPI/series, monthly KPI/tables/charts and sales KPI/charts/YoY/detail table all use the active period. Historical current-snapshot mixing and blank monthly charts are replaced by explicit honest states.
Runtime closure V10.807 production verified 2026-04 daily has 30 labels; growth exposes only 2026-04; monthly reports zero current rows without borrowing another month; sales loads 35,240 April records, renders 25 table rows from a 300-row API result, and aligns YoY to 2025-04-01..04-30 versus 2026-04-01..04-30 at NT$10,635,583 -> NT$16,848,774 (+58.42%). Desktop/mobile overflow is zero and the temporary read-only QA service/tunnel were removed.
Verification Passed with bounded residual Full regression before the final API/schema edge fixes: 2,113 passed / 9 skipped; final analytics scope: 20 passed, JavaScript/Python/Jinja compile checks and diff checks passed. Formal CD remains degraded because no matching runner executed the release.

P1

Order ID Status Work item Exit evidence / next machine action
12 RES-P1-001 Not started Backup/offsite/restore automation Fresh checksum and offsite coverage plus isolated non-destructive restore drill with measured RPO/RTO.
13 PLAT-P1-001 Not started Non-root container and capability hardening Shadow non-root image, writable-path inventory, capability drop/read-only filesystem canary, three-app rollout.
14 APPSEC-P1-001 In progress CSP and DOM/XSS hardening Security headers are present and CSP is report-only. Collect violations, remove high-risk innerHTML/inline sinks, then enforce CSP by canary.
15 APPSEC-P1-002 Not started Unsafe shared-cache serialization removal Replace writable pickle caches in dashboard/daily-sales/EDM/sales with constrained JSON or signed schema.
16 ARCH-P1-001 In progress Split oversized policy/executor/verifier modules Current top debts include 44k-line PChome mapping and 14k-line smoke service. Split by bounded family and independent tests.
17 UX-P1-001 In progress Professional full-site UI/UX V10.807 closes period linkage across all four primary analysis tabs. Desktop/mobile production-code/data smoke has zero horizontal overflow; selected-period labels now appear on weekly trend and action-list sections, current-period empty data is explicit, and stale all-year labels were removed. The broader site-wide first-viewport, progressive-disclosure, accessibility and loading/error/degraded-state audit remains in progress.
18 PIXELRAG-P1-001 Not started Ollama-first multimodal embedding benchmark Verify approved visual embedding on GCP-A -> GCP-B -> 111 and design pgvector-compatible visual metadata; FAISS remains disallowed without ADR.
19 MARKET-P1-001 In progress Marketplace source contracts Yahoo Shopping V10.801 is active in production with public-boundary allowlists, bounded streaming/rate, provenance, current product-detail readback, stock/spec/variant guards, source-specific promotion partition and exact canary activation. Three fresh verified offers drive formal decisions; the deferred unit-price candidate does not. Shopee, Coupang, ETMall, Friday and Rakuten still require equivalent structured contracts, and blocked pages remain non-product data.
20 QA-P1-001 In progress Deterministic test and CI governance Latest broad regression before the final analytics API/schema edge fixes is 2,113 passed / 9 skipped / 0 failed; the final analytics/date-linkage scope is 20 passed. V10.807 production page/API/network and mobile/desktop evidence is verified, but no matching EwoooC runner executed this release, so CI/CD parity is not claimed and exact-object fallback receipts remain separate evidence.

P2

Order ID Status Work item Exit evidence / next machine action
21 GOV-P2-001 Not started Continuous NIST/ASVS control trend Persist governance snapshots, compare control/asset/runtime drift and create ordered work items automatically.
22 DATA-P2-001 Not started Data classification and retention enforcement Classify business, personal, operational and model data; automate retention, deletion eligibility and audit evidence without destructive default actions.
23 CHAOS-P2-001 Not started Controlled resilience exercises Run non-destructive model-host, MCP, queue, Telegram and app-container failure drills with rollback and learning receipts.

Completed Foundations

These are reusable foundations, not proof that the full program is complete.

Status Capability Current boundary
Completed Multi-commerce PixelRAG visual evidence for momo, pchome, shopee_tw, coupang_tw, yahoo_shopping_tw, etmall_tw, friday_tw, rakuten_tw Evidence-only; blocked pages are not product data.
Completed External MCP/RAG capability inventory Registry/integration readback exists; runtime enablement remains P0.
Completed PixelRAG receipt -> RAG candidate replay Candidate-only; no formal knowledge or price write.
Completed Source-contract replay worker Public-boundary artifact receipts only.
Completed Marketplace adapter preflight and dry-run Deterministic no-write contracts.
Completed Marketplace identity matcher replay Candidate identity only.
Completed PromotionGate replay No production write.
Completed Embedding-signature guard replay Signature readiness only.
Completed Candidate knowledge replay Internal RAG preview only; canary remains P0.
Completed PixelRAG application portfolio Commerce/RAG/UX/ops/marketing/governance inventory.
Completed Ollama-first VLM route readiness and replay worker Evidence-bound artifact output; no direct price write.
Completed Platform probe worker Shopee/Coupang barriers become structured fallback/backoff receipts.

Definition Of Done

A work item can be Completed only when the same production run contains:

  1. sensor/source receipt;
  2. normalized canonical asset identity;
  3. source-of-truth diff;
  4. AI decision and candidate action;
  5. risk/policy decision;
  6. check-mode/dry-run receipt;
  7. idempotent bounded execution receipt;
  8. independent post-verifier and rollback/no-write terminal;
  9. incident/Telegram/KM/RAG/MCP/PlayBook durable acknowledgement.

Missing any stage means partial, degraded or blocked_with_safe_next_action.