14 KiB
14 KiB
AI Automation Mainline Work Items
Updated: 2026-07-15 13:40 Asia/Taipei Governance:
global_product_governance_v2+ ADR-038 Current P0:GROWTH-P0-001 comparison coverage truth + autonomous refresh
Source Of Truth
- Production runtime receipt/post-verifier/durable DB receipt is authoritative.
- Gitea main, deploy marker, CD run and production readback are the only source/deploy truth; GitHub remains frozen.
- Source/test/UI/CD green does not mean runtime closure.
- Completion must report program, asset coverage and runtime closure separately.
- PixelRAG visual evidence cannot write formal prices or
ai_insightsbefore identity, PromotionGate and internal RAG canary proof.
Ordered P0
| Order | ID | Status | Work item | Exit evidence / next machine action |
|---|---|---|---|---|
| 1 | SEC-P0-001 |
Completed | Deny-by-default route access control | governance/evidence/SEC-P0-001-20260711T122758Z.json plus the current runtime receipt prove anonymous matrix 8/8 denied, public /metrics 404, exact internal target up, EwoooC product markers present, Prometheus identity preserved and momo-db unchanged. |
| 2 | GROWTH-P0-001 |
In progress (runtime_partial) |
Comparison coverage truth + autonomous refresh | V10.801 is live at exact Gitea object c091c466c203d7e26c8ed576f573e7e930df34d1. Production run 7b3b140c076b43be8c79bd85448fbc49 scanned 20, retained one source-disallowed unit-price as candidate-only, wrote three total-price exact offers after check-mode and read all 3/3 back by exact identity. Yahoo is now active + enabled + write_enabled; fixed cohort 7b74504fcc1e1801c2ca2b42 remains unchanged while production moves to 24 ready + 1 candidate validation + 25 unmatched, 48% count, 57.9% revenue and 2/15 formal platforms. Next: continue the next revenue-weighted batch without relaxing identity/variant/unit gates, and add the next approved structured marketplace adapter. |
| 3 | SEC-P0-002 |
In progress (canary_ready) |
Database identity + least-privilege RBAC | V10.789 is live and governance/auth_identity_runtime_receipt.json verifies required tables, two active admins, durable lockout, session revocation, trusted proxy policy and no-secret mutation audit readiness. Runtime is intentionally hybrid because zero database-admin success receipts have been captured; auto retires shared authority after two durable successes without a manual review gate. Next: capture database-admin login receipts and verify automatic database-only cutover. |
| 4 | SEC-P0-003 |
In progress | Webhook trust and replay protection | Telegram secret-token verification code exists; production secret activation remains unproven. Exit: secret provisioned outside source, required mode enabled, invalid-secret 401 and authorized callback canary pass. |
| 5 | SUPPLY-P0-001 |
In progress | Gitea-only secure software supply chain | Gitea-native checkout, secret-safe .dockerignore, commit-bound source receipt and governance gate are active. Exit: exact dependency lock, internal SAST/SCA/secret scan, SBOM, image digest/provenance, vulnerability SLA and production digest readback. |
| 6 | GOV-P0-001 |
In progress | Canonical full asset graph + runtime reconciliation | governance/ewoooc_asset_inventory.json seeds hosts, services, data, AI, routes, supply chain, observability and recovery. Exit: same-run probe receipt for every asset; drift auto-creates work items. |
| 7 | GOV-P0-002 |
Not started | Unified controlled-apply envelope | Introduce one trace_id/run_id/work_item_id across sensor, identity, SOT diff, decision, risk, dry-run, execution, verifier, rollback/retry and learning acknowledgement. Start with EventRouter + AutoHeal. |
| 8 | RAG-P0-001 |
Not started | Internal RAG candidate canary | V10.770 stops at candidate preview. Exit: bounded pgvector candidate canary, signature/readback/feedback receipt, no price write and no premature ai_insights promotion. Next: run_internal_rag_candidate_canary. |
| 9 | MCP-P0-001 |
In progress (federation_source_ready) |
MCP/RAG production runtime closure | V10.796 source adds a strict public aggregate receipt for canonical ewoooc and momo-pro-system identities without opening authenticated internal APIs or exposing endpoint/tool payload data. Exit still requires V10.796 production /health, two fresh AWOOOI durable receipts with fingerprint recompute, live MCP servers/router/RAG, approved caller/tool boundary and production query canary. Current source readiness must not be reported as runtime closure. |
| 10 | SEC-P0-004 |
Not started | Security operations lifecycle and metrics | Add durable security incident state and publish MTTA, MTTR, recurrence, false positive, human intervention, verifier pass, rollback and freshness. Exit: detect-to-learn production receipt. |
| 11 | REL-P0-001 |
In progress (runtime_verified_cd_degraded) |
Formal deploy and visible proof discipline | Gitea main is c091c466c203d7e26c8ed576f573e7e930df34d1; Action #1133 is waiting because no matching ewoooc-host runner is online and therefore provides no CD execution evidence. A bounded exact-object fallback deployed V10.801 from archive SHA-256 1f21a9c823fd76dd32c622d227eca47022ec101d0863b516e34cc1bbbe29f2c8; host/container hashes, structured health, canary, DB/growth readback and visible receipts are under /home/ollama/momo-deploy-backups/ewoooc-20260715T051727Z-c091c46/. Internal/external /health is healthy at V10.801, three application containers are healthy, and momo-db remains unchanged at cd092451cb5fd555d0ffff70642e109f3b742882c418beeab631793d1e9dc55d. Desktop 1280x720 and mobile 390x844 production-code/data render smoke both show 24/50 without horizontal overflow; formal network login remains enforced. Runner recovery remains a release-governance gap and is not replaced by fallback evidence. |
GROWTH-P0-001 Fixed Execution Lanes
These lanes are one ordered current P0, not optional side work. They must advance in this order and keep formal-price writes behind verified same-item evidence.
| Lane | Status | Production baseline | Next machine action |
|---|---|---|---|
| A. Sales freshness | In progress (sla_runtime_closed_source_redundancy_partial) |
Latest sales date 2026-07-13; before the 2026-07-15 20:00 cutoff, raw lag is 2 but SLA lag is 0, state is grace and decisions remain released. Scheduler receipt 0f24219e0bbb4740b7ad6645e7952296 and explicit canary receipt 6e2df008f65544fe8e557c11ff0dbb93 both persisted completed_no_write; durable decision is no_candidate_fresh_no_write. Live and persisted readiness now agree at Google Drive 1/4; HTTPS, IMAP and local remain disabled. |
Continue automatic report-arrival reconciliation. At/after 20:00 require 2026-07-14 or automatically block decision use, emit the bounded upstream action and verify the next arrival receipt; keep source redundancy partial until another approved source is live. |
| B. Verified same-item evidence | In progress | TOP50 fixed cohort: 24 verified, 1 candidate/source validation, 25 unmatched. Count coverage is 48%; revenue-weighted coverage is NT$204,975 / NT$354,062 = 57.9%. V10.797 outer-pack false exact candidates were quarantined without deletion; V10.798 normalizes nested quantity, V10.799 fixes cohort membership, and V10.801 run 7b3b140c076b43be8c79bd85448fbc49 added three independently verified Yahoo offers without changing fingerprint 7b74504fcc1e1801c2ca2b42. |
Continue the next revenue-weighted unresolved batch only when source evidence is fresh, preserve deterministic identity/unit/variant gates, and publish count/revenue deltas against the same fingerprint per run. |
| C. Platform runtime coverage | In progress (runtime_canary_activated) |
V10.801 is live; Yahoo run 7b3b140c076b43be8c79bd85448fbc49 separated one unit-price candidate, wrote/read back three exact offers and atomically enabled the source after exceeding the two-offer threshold. Formal runtime is now 2/15; PixelRAG remains evidence-only. |
Repeat bounded refresh on schedule, monitor expiry/recurrence/rollback signals, then implement the next approved structured source contract for Shopee, Coupang, ETMall, Friday or Rakuten without treating blocked pages as product data. |
P1
| Order | ID | Status | Work item | Exit evidence / next machine action |
|---|---|---|---|---|
| 12 | RES-P1-001 |
Not started | Backup/offsite/restore automation | Fresh checksum and offsite coverage plus isolated non-destructive restore drill with measured RPO/RTO. |
| 13 | PLAT-P1-001 |
Not started | Non-root container and capability hardening | Shadow non-root image, writable-path inventory, capability drop/read-only filesystem canary, three-app rollout. |
| 14 | APPSEC-P1-001 |
In progress | CSP and DOM/XSS hardening | Security headers are present and CSP is report-only. Collect violations, remove high-risk innerHTML/inline sinks, then enforce CSP by canary. |
| 15 | APPSEC-P1-002 |
Not started | Unsafe shared-cache serialization removal | Replace writable pickle caches in dashboard/daily-sales/EDM/sales with constrained JSON or signed schema. |
| 16 | ARCH-P1-001 |
In progress | Split oversized policy/executor/verifier modules | Current top debts include 44k-line PChome mapping and 14k-line smoke service. Split by bounded family and independent tests. |
| 17 | UX-P1-001 |
In progress | Professional full-site UI/UX | V10.801 first viewport now shows 24/50 = 48%, 活躍商品 32/1,853, and formal platform 2/15 instead of the old unqualified 10% card. A production-code/data isolated read-only render smoke passed at 1280x720 and 390x844 with no horizontal overflow; the temporary process/tunnel was closed and production network login stayed enforced. Continue the same first-viewport, progressive-disclosure, accessibility and loading/error/degraded-state coverage across every remaining primary page. |
| 18 | PIXELRAG-P1-001 |
Not started | Ollama-first multimodal embedding benchmark | Verify approved visual embedding on GCP-A -> GCP-B -> 111 and design pgvector-compatible visual metadata; FAISS remains disallowed without ADR. |
| 19 | MARKET-P1-001 |
In progress | Marketplace source contracts | Yahoo Shopping V10.801 is active in production with public-boundary allowlists, bounded streaming/rate, provenance, current product-detail readback, stock/spec/variant guards, source-specific promotion partition and exact canary activation. Three fresh verified offers drive formal decisions; the deferred unit-price candidate does not. Shopee, Coupang, ETMall, Friday and Rakuten still require equivalent structured contracts, and blocked pages remain non-product data. |
| 20 | QA-P1-001 |
In progress | Deterministic test and CI governance | V10.801 workstation source baseline is 2,106 passed / 9 skipped / 0 failed; focused promotion-policy/Yahoo/source-readiness/same-item scope is 63 passed. Production host/container hashes, internal/external health, scheduler registration, 3/3 exact DB readback, source activation, fixed cohort and desktop/mobile visible smoke are verified. Action #1133 remains waiting without runner execution, so CI/CD parity is not claimed; exact fallback receipts remain separate evidence. |
P2
| Order | ID | Status | Work item | Exit evidence / next machine action |
|---|---|---|---|---|
| 21 | GOV-P2-001 |
Not started | Continuous NIST/ASVS control trend | Persist governance snapshots, compare control/asset/runtime drift and create ordered work items automatically. |
| 22 | DATA-P2-001 |
Not started | Data classification and retention enforcement | Classify business, personal, operational and model data; automate retention, deletion eligibility and audit evidence without destructive default actions. |
| 23 | CHAOS-P2-001 |
Not started | Controlled resilience exercises | Run non-destructive model-host, MCP, queue, Telegram and app-container failure drills with rollback and learning receipts. |
Completed Foundations
These are reusable foundations, not proof that the full program is complete.
| Status | Capability | Current boundary |
|---|---|---|
| Completed | Multi-commerce PixelRAG visual evidence for momo, pchome, shopee_tw, coupang_tw, yahoo_shopping_tw, etmall_tw, friday_tw, rakuten_tw | Evidence-only; blocked pages are not product data. |
| Completed | External MCP/RAG capability inventory | Registry/integration readback exists; runtime enablement remains P0. |
| Completed | PixelRAG receipt -> RAG candidate replay | Candidate-only; no formal knowledge or price write. |
| Completed | Source-contract replay worker | Public-boundary artifact receipts only. |
| Completed | Marketplace adapter preflight and dry-run | Deterministic no-write contracts. |
| Completed | Marketplace identity matcher replay | Candidate identity only. |
| Completed | PromotionGate replay | No production write. |
| Completed | Embedding-signature guard replay | Signature readiness only. |
| Completed | Candidate knowledge replay | Internal RAG preview only; canary remains P0. |
| Completed | PixelRAG application portfolio | Commerce/RAG/UX/ops/marketing/governance inventory. |
| Completed | Ollama-first VLM route readiness and replay worker | Evidence-bound artifact output; no direct price write. |
| Completed | Platform probe worker | Shopee/Coupang barriers become structured fallback/backoff receipts. |
Definition Of Done
A work item can be Completed only when the same production run contains:
- sensor/source receipt;
- normalized canonical asset identity;
- source-of-truth diff;
- AI decision and candidate action;
- risk/policy decision;
- check-mode/dry-run receipt;
- idempotent bounded execution receipt;
- independent post-verifier and rollback/no-write terminal;
- incident/Telegram/KM/RAG/MCP/PlayBook durable acknowledgement.
Missing any stage means partial, degraded or blocked_with_safe_next_action.