mirror of
https://github.com/instructkr/claw-code.git
synced 2026-04-16 21:14:50 +08:00
refresh
This commit is contained in:
Yeachan-Heo
647
ROADMAP.md
647
ROADMAP.md
@@ -88,6 +88,25 @@ Acceptance:
|
||||
- trust prompt state is detectable and emitted
|
||||
- shell misdelivery becomes detectable as a first-class failure state
|
||||
|
||||
### 1.5. First-prompt acceptance SLA
|
||||
After `ready_for_prompt`, expose whether the first task was actually accepted within a bounded window instead of leaving claws in a silent limbo.
|
||||
|
||||
Emit typed signals for:
|
||||
- `prompt.sent`
|
||||
- `prompt.accepted`
|
||||
- `prompt.acceptance_delayed`
|
||||
- `prompt.acceptance_timeout`
|
||||
|
||||
Track at least:
|
||||
- time from `ready_for_prompt` -> first prompt send
|
||||
- time from first prompt send -> `prompt_accepted`
|
||||
- whether acceptance required retry or recovery
|
||||
|
||||
Acceptance:
|
||||
- clawhip can distinguish `worker is ready but idle` from `prompt was sent but not actually accepted`
|
||||
- long silent gaps between ready-state and first-task execution become machine-visible
|
||||
- recovery can trigger on acceptance timeout before humans start scraping panes
|
||||
|
||||
### 2. Trust prompt resolver
|
||||
Add allowlisted auto-trust behavior for known repos/worktrees.
|
||||
|
||||
@@ -109,6 +128,23 @@ Provide machine control above tmux:
|
||||
Acceptance:
|
||||
- a claw can operate a coding worker without raw send-keys as the primary control plane
|
||||
|
||||
### 3.5. Boot preflight / doctor contract
|
||||
Before spawning or prompting a worker, run a machine-readable preflight that reports whether the lane is actually safe to start.
|
||||
|
||||
Preflight should check and emit typed results for:
|
||||
- repo/worktree existence and expected branch
|
||||
- branch freshness vs base branch
|
||||
- trust-gate likelihood / allowlist status
|
||||
- required binaries and control sockets
|
||||
- plugin discovery / allowlist / startup eligibility
|
||||
- MCP config presence and server reachability expectations
|
||||
- last-known failed boot reason, if any
|
||||
|
||||
Acceptance:
|
||||
- claws can fail fast before launching a doomed worker
|
||||
- a blocked start returns a short structured diagnosis instead of forcing pane-scrape triage
|
||||
- clawhip can summarize `why this lane did not even start` without inferring from terminal noise
|
||||
|
||||
## Phase 2 — Event-Native Clawhip Integration
|
||||
|
||||
### 4. Canonical lane event schema
|
||||
@@ -130,6 +166,551 @@ Acceptance:
|
||||
- clawhip consumes typed lane events
|
||||
- Discord summaries are rendered from structured events instead of pane scraping alone
|
||||
|
||||
### 4.5. Session event ordering + terminal-state reconciliation
|
||||
When the same session emits contradictory lifecycle events (`idle`, `error`, `completed`, transport/server-down) in close succession, claw-code must expose a deterministic final truth instead of making downstream claws guess.
|
||||
|
||||
Required behavior:
|
||||
- attach monotonic sequence / causal ordering metadata to session lifecycle events
|
||||
- classify which events are terminal vs advisory
|
||||
- reconcile duplicate or out-of-order terminal events into one canonical lane outcome
|
||||
- distinguish `session terminal state unknown because transport died` from a real `completed`
|
||||
|
||||
Acceptance:
|
||||
- clawhip can survive `completed -> idle -> error -> completed` noise without double-reporting or trusting the wrong final state
|
||||
- server-down after a session event burst surfaces as a typed uncertainty state rather than silently rewriting history
|
||||
- downstream automation has one canonical terminal outcome per lane/session
|
||||
|
||||
### 4.6. Event provenance / environment labeling
|
||||
Every emitted event should say whether it came from a live lane, synthetic test, healthcheck, replay, or system transport layer so claws do not mistake test noise for production truth.
|
||||
|
||||
Required fields:
|
||||
- event source kind (`live_lane`, `test`, `healthcheck`, `replay`, `transport`)
|
||||
- environment / channel label
|
||||
- emitter identity
|
||||
- confidence / trust level for downstream automation
|
||||
|
||||
Acceptance:
|
||||
- clawhip can ignore or down-rank test pings without heuristic text matching
|
||||
- synthetic/system events do not contaminate lane status or trigger false follow-up automation
|
||||
- event streams remain machine-trustworthy even when test traffic shares the same channel
|
||||
|
||||
### 4.7. Session identity completeness at creation time
|
||||
A newly created session should not surface as `(untitled)` or `(unknown)` for fields that orchestrators need immediately.
|
||||
|
||||
Required behavior:
|
||||
- emit stable title, workspace/worktree path, and lane/session purpose at creation time
|
||||
- if any field is not yet known, emit an explicit typed placeholder reason rather than a bare unknown string
|
||||
- reconcile later-enriched metadata back onto the same session identity without creating ambiguity
|
||||
|
||||
Acceptance:
|
||||
- clawhip can route/triage a brand-new session without waiting for follow-up chatter
|
||||
- `(untitled)` / `(unknown)` creation events no longer force humans or bots to guess scope
|
||||
- session creation events are immediately actionable for monitoring and ownership decisions
|
||||
|
||||
### 4.8. Duplicate terminal-event suppression
|
||||
When the same session emits repeated `completed`, `failed`, or other terminal notifications, claw-code should collapse duplicates before they trigger repeated downstream reactions.
|
||||
|
||||
Required behavior:
|
||||
- attach a canonical terminal-event fingerprint per lane/session outcome
|
||||
- suppress or coalesce repeated terminal notifications within a reconciliation window
|
||||
- preserve raw event history for audit while exposing only one actionable terminal outcome downstream
|
||||
- surface when a later duplicate materially differs from the original terminal payload
|
||||
|
||||
Acceptance:
|
||||
- clawhip does not double-report or double-close based on repeated terminal notifications
|
||||
- duplicate `completed` bursts become one actionable finish event, not repeated noise
|
||||
- downstream automation stays idempotent even when the upstream emitter is chatty
|
||||
|
||||
### 4.9. Lane ownership / scope binding
|
||||
Each session and lane event should declare who owns it and what workflow scope it belongs to, so unrelated external/system work does not pollute claw-code follow-up loops.
|
||||
|
||||
Required behavior:
|
||||
- attach owner/assignee identity when known
|
||||
- attach workflow scope (e.g. `claw-code-dogfood`, `external-git-maintenance`, `infra-health`, `manual-operator`)
|
||||
- mark whether the current watcher is expected to act, observe only, or ignore
|
||||
- preserve scope through session restarts, resumes, and late terminal events
|
||||
|
||||
Acceptance:
|
||||
- clawhip can say `out-of-scope external session` without humans adding a prose disclaimer
|
||||
- unrelated session churn does not trigger false claw-code follow-up or blocker reporting
|
||||
- monitoring views can filter to `actionable for this claw` instead of mixing every session on the host
|
||||
|
||||
### 4.10. Nudge acknowledgment / dedupe contract
|
||||
Periodic clawhip nudges should carry enough state for claws to know whether the current prompt is new work, a retry, or an already-acknowledged heartbeat.
|
||||
|
||||
Required behavior:
|
||||
- attach nudge id / cycle id and delivery timestamp
|
||||
- expose whether the current claw has already acknowledged or responded for that cycle
|
||||
- distinguish `new nudge`, `retry nudge`, and `stale duplicate`
|
||||
- allow downstream summaries to bind a reported pinpoint back to the triggering nudge id
|
||||
|
||||
Acceptance:
|
||||
- claws do not keep manufacturing fresh follow-ups just because the same periodic nudge reappeared
|
||||
- clawhip can tell whether silence means `not yet handled` or `already acknowledged in this cycle`
|
||||
- recurring dogfood prompts become idempotent and auditable across retries
|
||||
|
||||
### 4.11. Stable roadmap-id assignment for newly filed pinpoints
|
||||
When a claw records a new pinpoint/follow-up, the roadmap surface should assign or expose a stable tracking id immediately instead of leaving the item as anonymous prose.
|
||||
|
||||
Required behavior:
|
||||
- assign a canonical roadmap id at filing time
|
||||
- expose that id in the structured event/report payload
|
||||
- preserve the same id across later edits, reorderings, and summary compression
|
||||
- distinguish `new roadmap filing` from `update to existing roadmap item`
|
||||
|
||||
Acceptance:
|
||||
- channel updates can reference a newly filed pinpoint by stable id in the same turn
|
||||
- downstream claws do not need heuristic text matching to figure out whether a follow-up is new or already tracked
|
||||
- roadmap-driven dogfood loops stay auditable even as the document is edited repeatedly
|
||||
|
||||
### 4.12. Roadmap item lifecycle state contract
|
||||
Each roadmap pinpoint should carry a machine-readable lifecycle state so claws do not keep rediscovering or re-reporting items that are already active, resolved, or superseded.
|
||||
|
||||
Required behavior:
|
||||
- expose lifecycle state (`filed`, `acknowledged`, `in_progress`, `blocked`, `done`, `superseded`)
|
||||
- attach last state-change timestamp
|
||||
- allow a new report to declare whether it is a first filing, status update, or closure
|
||||
- preserve lineage when one pinpoint supersedes or merges into another
|
||||
|
||||
Acceptance:
|
||||
- clawhip can tell `new gap` from `existing gap still active` without prose interpretation
|
||||
- completed or superseded items stop reappearing as if they were fresh discoveries
|
||||
- roadmap-driven follow-up loops become stateful instead of repeatedly stateless
|
||||
|
||||
### 4.13. Multi-message report atomicity
|
||||
A single dogfood/lane update should be representable as one structured report payload, even if the chat surface ends up rendering it across multiple messages.
|
||||
|
||||
Required behavior:
|
||||
- assign one report id for the whole update
|
||||
- bind `active_sessions`, `exact_pinpoint`, `concrete_delta`, and `blocker` fields to that same report id
|
||||
- expose message-part ordering when the chat transport splits the report
|
||||
- allow downstream consumers to reconstruct one canonical update without scraping adjacent chat messages heuristically
|
||||
|
||||
Acceptance:
|
||||
- clawhip and other claws can parse one logical update even when Discord delivery fragments it into several posts
|
||||
- partial/misordered message bursts do not scramble `pinpoint` vs `delta` vs `blocker`
|
||||
- dogfood reports become machine-reliable summaries instead of fragile chat archaeology
|
||||
|
||||
### 4.14. Cross-claw pinpoint dedupe / merge contract
|
||||
When multiple claws file near-identical pinpoints from the same underlying failure, the roadmap surface should merge or relate them instead of letting duplicate follow-ups accumulate as separate discoveries.
|
||||
|
||||
Required behavior:
|
||||
- compute or expose a similarity/dedupe key for newly filed pinpoints
|
||||
- allow a new filing to link to an existing roadmap item as `same_root_cause`, `related`, or `supersedes`
|
||||
- preserve reporter-specific evidence while collapsing the canonical tracked issue
|
||||
- surface when a later filing is genuinely distinct despite similar wording
|
||||
|
||||
Acceptance:
|
||||
- two claws reporting the same gap do not automatically create two independent roadmap items
|
||||
- roadmap growth reflects real new findings instead of duplicate observer churn
|
||||
- downstream monitoring can see both the canonical item and the supporting duplicate evidence without losing auditability
|
||||
|
||||
### 4.15. Pinpoint evidence attachment contract
|
||||
Each filed pinpoint should carry structured supporting evidence so later implementers do not have to reconstruct why the gap was believed to exist.
|
||||
|
||||
Required behavior:
|
||||
- attach evidence references such as session ids, message ids, commits, logs, stack traces, or file paths
|
||||
- label each attachment by evidence role (`repro`, `symptom`, `root_cause_hint`, `verification`)
|
||||
- preserve bounded previews for human scanning while keeping a canonical reference for machines
|
||||
- allow evidence to be added after filing without changing the pinpoint identity
|
||||
|
||||
Acceptance:
|
||||
- roadmap items stay actionable after chat scrollback or session context is gone
|
||||
- implementation lanes can start from structured evidence instead of rediscovering the original failure
|
||||
- prioritization can weigh pinpoints by evidence quality, not just prose confidence
|
||||
|
||||
### 4.16. Pinpoint priority / severity contract
|
||||
Each filed pinpoint should expose a machine-readable urgency/severity signal so claws can separate immediate execution blockers from lower-priority clawability hardening.
|
||||
|
||||
Required behavior:
|
||||
- attach priority/severity fields (for example `p0`/`p1`/`p2` or `critical`/`high`/`medium`/`low`)
|
||||
- distinguish user-facing breakage, operator-only friction, observability debt, and long-tail hardening
|
||||
- allow priority to change as new evidence lands without changing the pinpoint identity
|
||||
- surface why the priority was assigned (blast radius, reproducibility, automation breakage, merge risk)
|
||||
|
||||
Acceptance:
|
||||
- clawhip can rank fresh pinpoints without relying on prose urgency vibes
|
||||
- implementation queues can pull true blockers ahead of reporting-only niceties
|
||||
- roadmap dogfood stays focused on the most damaging clawability gaps first
|
||||
|
||||
### 4.17. Pinpoint-to-implementation handoff contract
|
||||
A filed pinpoint should be able to turn into an execution lane without a human re-translating the same context by hand.
|
||||
|
||||
Required behavior:
|
||||
- expose a structured handoff packet containing objective, suspected scope, evidence refs, priority, and suggested verification
|
||||
- mark whether the pinpoint is `implementation_ready`, `needs_repro`, or `needs_triage`
|
||||
- preserve the link between the roadmap item and any spawned execution lane/worktree/PR
|
||||
- allow later execution results to update the original pinpoint state instead of forking separate unlinked narratives
|
||||
|
||||
Acceptance:
|
||||
- a claw can pick up a filed pinpoint and start implementation with minimal re-interpretation
|
||||
- roadmap items stop being dead prose and become executable handoff units
|
||||
- follow-up loops can see which pinpoints have already turned into real execution lanes
|
||||
|
||||
### 4.18. Report backpressure / repetitive-summary collapse
|
||||
Periodic dogfood reporting should avoid re-broadcasting the full known gap inventory every cycle when only a small delta changed.
|
||||
|
||||
Required behavior:
|
||||
- distinguish `new since last report` from `still active but unchanged`
|
||||
- emit compact delta-first summaries with an optional expandable full state
|
||||
- track per-channel/reporting cursor so repeated unchanged items collapse automatically
|
||||
- preserve one canonical full snapshot elsewhere for audit/debug without flooding the live channel
|
||||
|
||||
Acceptance:
|
||||
- new signal does not get buried under the same repeated backlog list every cycle
|
||||
- claws and humans can scan the latest update for actual change instead of re-reading the whole inventory
|
||||
- recurring dogfood loops become low-noise without losing auditability
|
||||
|
||||
### 4.19. No-change / no-op acknowledgment contract
|
||||
When a dogfood cycle produces no new pinpoint, no new delta, and no new blocker, claws should be able to acknowledge that cycle explicitly without pretending a fresh finding exists.
|
||||
|
||||
Required behavior:
|
||||
- expose a structured `no_change` / `noop` outcome for a reporting cycle
|
||||
- bind that outcome to the triggering nudge/report id
|
||||
- distinguish `checked and unchanged` from `not yet checked`
|
||||
- preserve the last meaningful pinpoint/delta reference without re-filing it as new work
|
||||
|
||||
Acceptance:
|
||||
- recurring nudges do not force synthetic novelty when the real answer is `nothing changed`
|
||||
- clawhip can tell `handled, no delta` apart from silence or missed handling
|
||||
- dogfood loops become honest and low-noise when the system is stable
|
||||
|
||||
### 4.20. Observation freshness / staleness-age contract
|
||||
Every reported status, pinpoint, or blocker should carry an explicit observation timestamp/age so downstream claws can tell fresh state from stale carry-forward.
|
||||
|
||||
Required behavior:
|
||||
- attach observed-at timestamp and derived age to active-session state, pinpoints, and blockers
|
||||
- distinguish freshly observed facts from carried-forward prior-cycle state
|
||||
- allow freshness TTLs so old observations degrade from `current` to `stale` automatically
|
||||
- surface when a report contains mixed freshness windows across its fields
|
||||
|
||||
Acceptance:
|
||||
- claws do not mistake a 2-hour-old observation for current truth just because it reappeared in the latest report
|
||||
- stale carried-forward state is visible and can be down-ranked or revalidated
|
||||
- dogfood summaries remain trustworthy even when some fields are unchanged across many cycles
|
||||
|
||||
### 4.21. Fact / hypothesis / confidence labeling
|
||||
Dogfood reports should distinguish confirmed observations from inferred root-cause guesses so downstream claws do not treat speculation as settled truth.
|
||||
|
||||
Required behavior:
|
||||
- label each reported claim as `observed_fact`, `inference`, `hypothesis`, or `recommendation`
|
||||
- attach a confidence score or confidence bucket to non-fact claims
|
||||
- preserve which evidence supports each claim
|
||||
- allow a later report to promote a hypothesis into confirmed fact without changing the underlying pinpoint identity
|
||||
|
||||
Acceptance:
|
||||
- claws can tell `we saw X happen` from `we think Y caused it`
|
||||
- speculative root-cause text does not get mistaken for machine-trustworthy state
|
||||
- dogfood summaries stay honest about uncertainty while remaining actionable
|
||||
|
||||
### 4.22. Negative-evidence / searched-and-not-found contract
|
||||
When a dogfood cycle reports that something was not found (no active sessions, no new delta, no repro, no blocker), the report should also say what was checked so absence is machine-meaningful rather than empty prose.
|
||||
|
||||
Required behavior:
|
||||
- attach the checked surfaces/sources for negative findings (sessions, logs, roadmap, state file, channel window, etc.)
|
||||
- distinguish `not observed in checked scope` from `unknown / not checked`
|
||||
- preserve the query/window used for the negative observation when relevant
|
||||
- allow later reports to invalidate an earlier negative finding if the search scope was incomplete
|
||||
|
||||
Acceptance:
|
||||
- `no blocker` and `no new delta` become auditable conclusions rather than unverifiable vibes
|
||||
- downstream claws can tell whether absence means `looked and clean` or `did not inspect`
|
||||
- stable dogfood periods stay trustworthy without overclaiming certainty
|
||||
|
||||
### 4.23. Field-level delta attribution
|
||||
Even in delta-first reporting, claws still need to know exactly which structured fields changed between cycles instead of inferring change from prose.
|
||||
|
||||
Required behavior:
|
||||
- emit field-level change markers for core report fields (`active_sessions`, `pinpoint`, `delta`, `blocker`, lifecycle state, priority, freshness)
|
||||
- distinguish `changed`, `unchanged`, `cleared`, and `carried_forward`
|
||||
- preserve previous value references or hashes when useful for machine comparison
|
||||
- allow one report to contain both changed and unchanged fields without losing per-field status
|
||||
|
||||
Acceptance:
|
||||
- downstream claws can tell precisely what changed this cycle without diffing entire message bodies
|
||||
- delta-first summaries remain compact while still being machine-comparable
|
||||
- recurring reports stop forcing text-level reparse just to answer `what actually changed?`
|
||||
|
||||
### 4.24. Report schema versioning / compatibility contract
|
||||
As structured dogfood reports evolve, the reporting surface needs explicit schema versioning so downstream claws can parse new fields safely without silent breakage.
|
||||
|
||||
Required behavior:
|
||||
- attach schema version to each structured report payload
|
||||
- define additive vs breaking field changes
|
||||
- expose compatibility guidance for consumers that only understand older schemas
|
||||
- preserve a minimal stable core so basic parsing survives partial upgrades
|
||||
|
||||
Acceptance:
|
||||
- downstream claws can reject, warn on, or gracefully degrade unknown schema versions instead of misparsing silently
|
||||
- adding new reporting fields does not randomly break existing automation
|
||||
- dogfood reporting can evolve quickly without losing machine trust
|
||||
|
||||
### 4.25. Consumer capability negotiation for structured reports
|
||||
Schema versioning alone is not enough if different claws consume different subsets of the reporting surface. The producer should know what the consumer can actually understand.
|
||||
|
||||
Required behavior:
|
||||
- let downstream consumers advertise supported schema versions and optional field families/capabilities
|
||||
- allow producers to emit a reduced-compatible payload when a consumer cannot handle richer report fields
|
||||
- surface when a report was downgraded for compatibility vs emitted in full fidelity
|
||||
- preserve one canonical full-fidelity representation for audit/debug even when a downgraded view is delivered
|
||||
|
||||
Acceptance:
|
||||
- claws with older parsers can still consume useful reports without silent field loss being mistaken for absence
|
||||
- richer report evolution does not force every consumer to upgrade in lockstep
|
||||
- reporting remains machine-trustworthy across mixed-version claw fleets
|
||||
|
||||
### 4.26. Self-describing report schema surface
|
||||
Even with versioning and capability negotiation, downstream claws still need a machine-readable way to discover what fields and semantics a report version actually contains.
|
||||
|
||||
Required behavior:
|
||||
- expose a machine-readable schema/field registry for structured report payloads
|
||||
- document field meanings, enums, optionality, and deprecation status in a consumable format
|
||||
- let consumers fetch the schema for a referenced report version/capability set
|
||||
- preserve stable identifiers for fields so docs, code, and live payloads point at the same schema truth
|
||||
|
||||
Acceptance:
|
||||
- new consumers can integrate without reverse-engineering example payloads from chat logs
|
||||
- schema drift becomes detectable against a declared source of truth
|
||||
- structured report evolution stays fast without turning every integration into brittle archaeology
|
||||
|
||||
### 4.27. Audience-specific report projection
|
||||
The same canonical dogfood report should be projectable into different consumer views (clawhip, Jobdori, human operator) without each consumer re-summarizing the full payload from scratch.
|
||||
|
||||
Required behavior:
|
||||
- preserve one canonical structured report payload
|
||||
- support consumer-specific projections/views (for example `delta_brief`, `ops_audit`, `human_readable`, `roadmap_sync`)
|
||||
- let consumers declare preferred projection shape and verbosity
|
||||
- make the projection lineage explicit so a terse view still points back to the canonical report
|
||||
|
||||
Acceptance:
|
||||
- Jobdori/Clawhip/humans do not keep rebroadcasting the same full inventory in slightly different prose
|
||||
- each consumer gets the right level of detail without inventing its own lossy summary layer
|
||||
- reporting noise drops while the underlying truth stays shared and auditable
|
||||
|
||||
### 4.28. Canonical report identity / content-hash anchor
|
||||
Once multiple projections and summaries exist, the system needs a stable identity anchor proving they all came from the same underlying report state.
|
||||
|
||||
Required behavior:
|
||||
- assign a canonical report id plus content hash/fingerprint to the full structured payload
|
||||
- include projection-specific metadata without changing the canonical identity of unchanged underlying content
|
||||
- surface when two projections differ because the source report changed vs because only the rendering changed
|
||||
- allow downstream consumers to detect accidental duplicate sends of the exact same report payload
|
||||
|
||||
Acceptance:
|
||||
- claws can verify that different audience views refer to the same underlying report truth
|
||||
- duplicate projections of identical content do not look like new state changes
|
||||
- report lineage remains auditable even as the same canonical payload is rendered many ways
|
||||
|
||||
### 4.29. Projection invalidation / stale-view cache contract
|
||||
If the canonical report changes, previously emitted audience-specific projections must be identifiable as stale so downstream claws do not keep acting on an old rendered view.
|
||||
|
||||
Required behavior:
|
||||
- bind each projection to the canonical report id + content hash/version it was derived from
|
||||
- mark projections as superseded when the underlying canonical payload changes
|
||||
- expose whether a consumer is viewing the latest compatible projection or a stale cached one
|
||||
- allow cheap regeneration of projections without minting fake new report identities
|
||||
|
||||
Acceptance:
|
||||
- claws do not mistake an old `delta_brief` view for current truth after the canonical report was updated
|
||||
- projection caching reduces noise/compute without increasing stale-action risk
|
||||
- audience-specific views stay safely linked to the freshness of the underlying report
|
||||
|
||||
### 4.30. Projection-time redaction / sensitivity labeling
|
||||
As canonical reports accumulate richer evidence, projections need an explicit policy for what can be shown to which audience without losing machine trust.
|
||||
|
||||
Required behavior:
|
||||
- label report fields/evidence with sensitivity classes (for example `public`, `internal`, `operator_only`, `secret`)
|
||||
- let projections redact, summarize, or hash sensitive fields according to audience policy while preserving the canonical report intact
|
||||
- expose when a projection omitted or transformed data for sensitivity reasons
|
||||
- preserve enough stable identity/provenance that redacted projections can still be correlated with the canonical report
|
||||
|
||||
Acceptance:
|
||||
- richer canonical reports do not force all audience views to leak the same detail level
|
||||
- consumers can tell `field absent because redacted` from `field absent because nonexistent`
|
||||
- audience-specific projections stay safe without turning into unverifiable black boxes
|
||||
|
||||
### 4.31. Redaction provenance / policy traceability
|
||||
When a projection redacts or transforms data, downstream consumers should be able to tell which policy/rule caused it rather than treating redaction as unexplained disappearance.
|
||||
|
||||
Required behavior:
|
||||
- attach redaction reason/policy id to transformed or omitted fields
|
||||
- distinguish policy-based redaction from size truncation, compatibility downgrade, and source absence
|
||||
- preserve auditable linkage from the projection back to the canonical field classification
|
||||
- allow operators to review which projection policy version produced the visible output
|
||||
|
||||
Acceptance:
|
||||
- claws can tell *why* a field was hidden, not just that it vanished
|
||||
- redacted projections remain operationally debuggable instead of opaque
|
||||
- sensitivity controls stay auditable as reporting/projection policy evolves
|
||||
|
||||
### 4.32. Deterministic projection / redaction reproducibility
|
||||
Given the same canonical report, schema version, consumer capability set, and projection policy, the emitted projection should be reproducible byte-for-byte (or canonically equivalent) so audits and diffing do not drift on re-render.
|
||||
|
||||
Required behavior:
|
||||
- make projection/redaction output deterministic for the same inputs
|
||||
- surface which inputs participate in projection identity (schema version, capability set, policy version, canonical content hash)
|
||||
- distinguish content changes from nondeterministic rendering noise
|
||||
- allow canonical equivalence checks even when transport formatting differs
|
||||
|
||||
Acceptance:
|
||||
- re-rendering the same report for the same audience does not create fake deltas
|
||||
- audit/debug workflows can reproduce why a prior projection looked the way it did
|
||||
- projection pipelines stay machine-trustworthy under repeated regeneration
|
||||
|
||||
### 4.33. Projection golden-fixture / regression lock
|
||||
Once structured projections become deterministic, claw-code still needs regression fixtures that lock expected outputs so report rendering changes cannot slip in unnoticed.
|
||||
|
||||
Required behavior:
|
||||
- maintain canonical fixture inputs covering core report shapes, redaction classes, and capability downgrades
|
||||
- snapshot or equivalence-test expected projections for supported audience views
|
||||
- make intentional rendering/schema changes update fixtures explicitly rather than drifting silently
|
||||
- surface which fixture set/version validated a projection pipeline change
|
||||
|
||||
Acceptance:
|
||||
- projection regressions get caught before downstream claws notice broken or drifting output
|
||||
- deterministic rendering claims stay continuously verified, not assumed
|
||||
- report/projection evolution remains fast without sacrificing machine-trustworthy stability
|
||||
|
||||
### 4.34. Downstream consumer conformance test contract
|
||||
Producer-side fixture coverage is not enough if real downstream claws still parse or interpret the reporting contract incorrectly. The ecosystem needs a way to verify consumer behavior against the declared report schema/projection rules.
|
||||
|
||||
Required behavior:
|
||||
- define conformance cases for consumers across schema versions, capability downgrades, redaction states, and no-op cycles
|
||||
- provide a machine-runnable consumer test kit or fixture bundle
|
||||
- distinguish parse success from semantic correctness (for example: correctly handling `redacted` vs `missing`, `stale` vs `current`)
|
||||
- surface which consumer/version last passed the conformance suite
|
||||
|
||||
Acceptance:
|
||||
- report-contract drift is caught at the producer/consumer boundary, not only inside the producer
|
||||
- downstream claws can prove they understand the structured reporting surface they claim to support
|
||||
- mixed claw fleets stay interoperable without relying on optimism or manual spot checks
|
||||
|
||||
### 4.35. Provisional-status dedupe / in-flight acknowledgment suppression
|
||||
When a claw emits temporary status such as `working on it`, `please wait`, or `adding a roadmap gap`, repeated provisional notices should not flood the channel unless something materially changed.
|
||||
|
||||
Required behavior:
|
||||
- fingerprint provisional/in-flight status updates separately from terminal or delta-bearing reports
|
||||
- suppress repeated provisional messages with unchanged meaning inside a short reconciliation window
|
||||
- allow a new provisional update through only when progress state, owner, blocker, or ETA meaningfully changes
|
||||
- preserve raw repeats for audit/debug without exposing each one as a fresh channel event
|
||||
|
||||
Acceptance:
|
||||
- monitoring feeds do not churn on duplicate `please wait` / `working on it` messages
|
||||
- consumers can tell the difference between `still in progress, unchanged` and `new actionable update`
|
||||
- in-flight acknowledgments remain useful without drowning out real state transitions
|
||||
|
||||
### 4.36. Provisional-status escalation timeout
|
||||
If a provisional/in-flight status remains unchanged for too long, the system should stop treating it as harmless noise and promote it back into an actionable stale signal.
|
||||
|
||||
Required behavior:
|
||||
- attach timeout/TTL policy to provisional states
|
||||
- escalate prolonged unchanged provisional status into a typed stale/blocker signal
|
||||
- distinguish `deduped because still fresh` from `deduped too long and now suspicious`
|
||||
- surface which timeout policy triggered the escalation
|
||||
|
||||
Acceptance:
|
||||
- `working on it` does not suppress visibility forever when real progress stalled
|
||||
- consumers can trust provisional dedupe without losing long-stuck work
|
||||
- low-noise monitoring still resurfaces stale in-flight states at the right time
|
||||
|
||||
### 4.37. Policy-blocked action handoff
|
||||
When a requested action is disallowed by branch/merge/release policy (for example direct `main` push), the system should expose a structured refusal plus the next safe execution path instead of leaving only freeform prose.
|
||||
|
||||
Required behavior:
|
||||
- classify policy-blocked requests with a typed reason (`main_push_forbidden`, `release_requires_owner`, etc.)
|
||||
- attach the governing policy source and actor scope when available
|
||||
- emit a safe fallback path (`create branch`, `open PR`, `request owner approval`, etc.)
|
||||
- allow downstream claws/operators to distinguish `blocked by policy` from `blocked by technical failure`
|
||||
|
||||
Acceptance:
|
||||
- policy refusals become machine-actionable instead of dead-end chat text
|
||||
- claws can pivot directly to the safe alternative workflow without re-triaging the same request
|
||||
- monitoring/reporting can separate governance blocks from actual product/runtime defects
|
||||
|
||||
### 4.38. Policy exception / owner-approval token contract
|
||||
For actions that are normally blocked by policy but can be allowed with explicit owner approval, the approval path should be machine-readable instead of relying on ambiguous prose interpretation.
|
||||
|
||||
Required behavior:
|
||||
- represent policy exceptions as typed approval grants or tokens scoped to action/repo/branch/time window
|
||||
- bind the approval to the approving actor identity and policy being overridden
|
||||
- distinguish `no approval`, `approval pending`, `approval granted`, and `approval expired/revoked`
|
||||
- let downstream claws verify an approval artifact before executing the otherwise-blocked action
|
||||
|
||||
Acceptance:
|
||||
- exceptional approvals stop depending on fuzzy chat interpretation
|
||||
- claws can safely execute policy-exception flows without confusing them with ordinary blocked requests
|
||||
- governance stays auditable even when owner-authorized exceptions occur
|
||||
|
||||
### 4.39. Approval-token replay / one-time-use enforcement
|
||||
If policy-exception approvals become machine-readable tokens, they also need replay protection so one explicit exception cannot be silently reused beyond its intended scope.
|
||||
|
||||
Required behavior:
|
||||
- support one-time-use or bounded-use approval grants where appropriate
|
||||
- record token consumption against the exact action/repo/branch/commit scope it authorized
|
||||
- reject replay, scope expansion, or post-expiry reuse with typed policy errors
|
||||
- surface whether an approval was unused, consumed, partially consumed, expired, or revoked
|
||||
|
||||
Acceptance:
|
||||
- one owner-approved exception cannot quietly authorize repeated or broader dangerous actions
|
||||
- claws can distinguish `valid approval present` from `approval already spent`
|
||||
- governance exceptions remain auditable and non-replayable under automation
|
||||
|
||||
### 4.40. Approval-token delegation / execution chain traceability
|
||||
If one actor approves an exception and another claw/bot/session executes it, the system should preserve the delegation chain so policy exceptions remain attributable end-to-end.
|
||||
|
||||
Required behavior:
|
||||
- record approver identity, requesting actor, executing actor, and any intermediate relay/orchestrator hop
|
||||
- preserve the delegation chain on approval verification and token consumption events
|
||||
- distinguish direct self-use from delegated execution
|
||||
- surface when execution occurs through an unexpected or unauthorized delegate
|
||||
|
||||
Acceptance:
|
||||
- policy-exception execution stays attributable even across bot/session hops
|
||||
- audits can answer `who approved`, `who requested`, and `who actually used it`
|
||||
- delegated exception flows remain governable instead of collapsing into generic bot activity
|
||||
|
||||
### 4.41. Token-optimization / repo-scope guidance contract
|
||||
New users hit token burn and context bloat immediately, but the product surface does not clearly explain how repo scope, ignored paths, and working-directory choice affect clawability.
|
||||
|
||||
Required behavior:
|
||||
- explicitly document whether `.clawignore` / `.claudeignore` / `.gitignore` are honored, and how
|
||||
- surface a simple recommendation to start from the smallest useful subdirectory instead of the whole monorepo when possible
|
||||
- provide first-run guidance for excluding heavy/generated directories (`node_modules`, `dist`, `build`, `.next`, coverage, logs, dumps, generated reports`)
|
||||
- make token-saving repo-scope guidance visible in onboarding/help rather than buried in external chat advice
|
||||
|
||||
Acceptance:
|
||||
- new users can answer `how do I stop dragging junk into context?` from product docs/help alone
|
||||
- first-run confusion about ignore files and repo scope drops sharply
|
||||
- clawability improves before users burn tokens on obviously-avoidable junk
|
||||
|
||||
### 4.42. Workspace-scope weight preview / token-risk preflight
|
||||
Before a user starts a session in a repo, claw-code should surface a lightweight estimate of how heavy the current workspace is and why it may be costly.
|
||||
|
||||
Required behavior:
|
||||
- inspect the current working tree for high-risk token sinks (huge directories, generated artifacts, vendored deps, logs, dumps)
|
||||
- summarize likely context-bloat sources before deep indexing or first large prompt flow
|
||||
- recommend safer scope choices (e.g. narrower subdirectory, ignore patterns, cleanup targets)
|
||||
- distinguish `workspace looks clean` from `workspace is likely to burn tokens fast`
|
||||
|
||||
Acceptance:
|
||||
- users get an early warning before accidentally dogfooding the entire junkyard
|
||||
- token-saving guidance becomes situational and concrete, not just generic docs
|
||||
- onboarding catches avoidable repo-scope mistakes before they turn into cost/perf complaints
|
||||
|
||||
### 4.43. Safer-scope quick-apply action
|
||||
After warning that the current workspace is too heavy, claw-code should offer a direct way to adopt the safer scope instead of leaving the user to manually reinterpret the advice.
|
||||
|
||||
Required behavior:
|
||||
- turn scope recommendations into actionable choices (e.g. switch to subdirectory, generate ignore stub, exclude detected heavy paths)
|
||||
- preview what would be included/excluded before applying the change
|
||||
- preserve an easy path back to the original broader scope
|
||||
- distinguish advisory suggestions from user-confirmed scope changes
|
||||
|
||||
Acceptance:
|
||||
- users can go from `this workspace is too heavy` to `use this safer scope` in one step
|
||||
- token-risk preflight becomes operational guidance, not just warning text
|
||||
- first-run users stop getting stuck between diagnosis and manual cleanup
|
||||
|
||||
### 5. Failure taxonomy
|
||||
Normalize failure classes:
|
||||
- `prompt_delivery`
|
||||
@@ -148,6 +729,20 @@ Acceptance:
|
||||
- blockers are machine-classified
|
||||
- dashboards and retry policies can branch on failure type
|
||||
|
||||
### 5.5. Transport outage vs lane failure boundary
|
||||
When the control server or transport goes down, claw-code should distinguish host-level outage from lane-local failure instead of letting all active lanes look broken in the same vague way.
|
||||
|
||||
Required behavior:
|
||||
- emit typed transport outage events separate from lane failure events
|
||||
- annotate impacted lanes with dependency status (`blocked_by_transport`) rather than rewriting them as ordinary lane errors
|
||||
- preserve the last known good lane state before transport loss
|
||||
- surface outage scope (`single session`, `single worker host`, `shared control server`)
|
||||
|
||||
Acceptance:
|
||||
- clawhip can say `server down blocked 3 lanes` instead of pretending 3 independent lane failures happened
|
||||
- recovery policies can restart transport separately from lane-local recovery recipes
|
||||
- postmortems can separate infra blast radius from actual code-lane defects
|
||||
|
||||
### 6. Actionable summary compression
|
||||
Collapse noisy event streams into:
|
||||
- current phase
|
||||
@@ -159,6 +754,23 @@ Acceptance:
|
||||
- channel status updates stay short and machine-grounded
|
||||
- claws stop inferring state from raw build spam
|
||||
|
||||
### 6.5. Blocked-state subphase contract
|
||||
When a lane is `blocked`, also expose the exact subphase where progress stopped, rather than forcing claws to infer from logs.
|
||||
|
||||
Subphases should include at least:
|
||||
- `blocked.trust_prompt`
|
||||
- `blocked.prompt_delivery`
|
||||
- `blocked.plugin_init`
|
||||
- `blocked.mcp_handshake`
|
||||
- `blocked.branch_freshness`
|
||||
- `blocked.test_hang`
|
||||
- `blocked.report_pending`
|
||||
|
||||
Acceptance:
|
||||
- `lane.blocked` carries a stable subphase enum + short human summary
|
||||
- clawhip can say "blocked at MCP handshake" or "blocked waiting for trust clear" without pane scraping
|
||||
- retries can target the correct recovery recipe instead of treating all blocked states the same
|
||||
|
||||
## Phase 3 — Branch/Test Awareness and Auto-Recovery
|
||||
|
||||
### 7. Stale-branch detection before broad verification
|
||||
@@ -182,6 +794,22 @@ Acceptance:
|
||||
- one automatic recovery attempt occurs before escalation
|
||||
- the attempted recovery is itself emitted as structured event data
|
||||
|
||||
### 8.5. Recovery attempt ledger
|
||||
Expose machine-readable recovery progress so claws can see what automatic recovery has already tried, what is still running, and why escalation happened.
|
||||
|
||||
Ledger should include at least:
|
||||
- recovery recipe id
|
||||
- attempt count
|
||||
- current recovery state (`queued`, `running`, `succeeded`, `failed`, `exhausted`)
|
||||
- started/finished timestamps
|
||||
- last failure summary
|
||||
- escalation reason when retries stop
|
||||
|
||||
Acceptance:
|
||||
- clawhip can report `auto-recover tried prompt replay twice, then escalated` without log archaeology
|
||||
- operators can distinguish `no recovery attempted` from `recovery already exhausted`
|
||||
- repeated silent retry loops become visible and auditable
|
||||
|
||||
### 9. Green-ness contract
|
||||
Workers should distinguish:
|
||||
- targeted tests green
|
||||
@@ -249,6 +877,21 @@ Acceptance:
|
||||
- claws can query status directly
|
||||
- human-facing views become a rendering layer, not the source of truth
|
||||
|
||||
### 12.5. Running-state liveness heartbeat
|
||||
When a lane is marked `working` or otherwise in-progress, emit a lightweight liveness heartbeat so claws can tell quiet progress from silent stall.
|
||||
|
||||
Heartbeat should include at least:
|
||||
- current phase/subphase
|
||||
- seconds since last meaningful progress
|
||||
- seconds since last heartbeat
|
||||
- current active step label
|
||||
- whether background work is expected
|
||||
|
||||
Acceptance:
|
||||
- clawhip can distinguish `quiet but alive` from `working state went stale`
|
||||
- stale detection stops depending on raw pane churn alone
|
||||
- long-running compile/test/background steps stay machine-visible without log scraping
|
||||
|
||||
## Phase 5 — Plugin and MCP Lifecycle Maturity
|
||||
|
||||
### 13. First-class plugin/MCP lifecycle contract
|
||||
@@ -428,6 +1071,8 @@ Model name prefix now wins unconditionally over env-var presence. Regression tes
|
||||
|
||||
32. **OpenAI-compatible provider/model-id passthrough is not fully literal** — **verified no-bug on 2026-04-09**: `resolve_model_alias()` only matches bare shorthand aliases (`opus`/`sonnet`/`haiku`) and passes everything else through unchanged, so `openai/gpt-4` reaches the dispatch layer unmodified. `strip_routing_prefix()` at `openai_compat.rs:732` then strips only recognised routing prefixes (`openai`, `xai`, `grok`, `qwen`) so the wire model is the bare backend id. No fix needed. **Original filing below.**
|
||||
|
||||
42. **Hook JSON failure opacity: invalid hook output does not surface the offending payload/context** — dogfooding on 2026-04-13 in the live `clawcode-human` lane repeatedly hit `PreToolUse/PostToolUse/Stop hook returned invalid ... JSON output` while the operator had no immediate visibility into which hook emitted malformed JSON, what raw stdout/stderr came back, or whether the failure was hook-formatting breakage vs prompt-misdelivery fallout. This turns a recoverable hook/schema bug into generic lane fog. **Impact.** Lanes look blocked/noisy, but the event surface is too lossy to classify whether the next action is fix the hook serializer, retry prompt delivery, or ignore a harmless hook-side warning. **Concrete delta landed now.** Recorded as an Immediate Backlog item so the failure is tracked explicitly instead of disappearing into channel scrollback. **Recommended fix shape:** when hook JSON parse fails, emit a typed hook failure event carrying hook phase/name, command/path, exit status, and a redacted raw stdout/stderr preview (bounded + safe), plus a machine class like `hook_invalid_json`. Add regression coverage for malformed-but-nonempty hook output so the surfaced error includes the preview instead of only `invalid ... JSON output`.
|
||||
|
||||
32. **OpenAI-compatible provider/model-id passthrough is not fully literal** — dogfooded 2026-04-08 via live user in #claw-code who confirmed the exact backend model id works outside claw but fails through claw for an OpenAI-compatible endpoint. The gap: `openai/` prefix is correctly used for **transport selection** (pick the OpenAI-compat client) but the **wire model id** — the string placed in `"model": "..."` in the JSON request body — may not be the literal backend model string the user supplied. Two candidate failure modes: **(a)** `resolve_model_alias()` is called on the model string before it reaches the wire — alias expansion designed for Anthropic/known models corrupts a user-supplied backend-specific id; **(b)** the `openai/` routing prefix may not be stripped before `build_chat_completion_request` packages the body, so backends receive `openai/gpt-4` instead of `gpt-4`. **Fix shape:** cleanly separate transport selection from wire model id. Transport selection uses the prefix; wire model id is the user-supplied string minus only the routing prefix — no alias expansion, no prefix leakage. **Trace path for next session:** (1) find where `resolve_model_alias()` is called relative to the OpenAI-compat dispatch path; (2) inspect what `build_chat_completion_request` puts in `"model"` for an `openai/some-backend-id` input. **Source:** live user in #claw-code 2026-04-08, confirmed exact model id works outside claw, fails through claw for OpenAI-compat backend.
|
||||
|
||||
33. **OpenAI `/responses` endpoint rejects claw's tool schema: `object schema missing properties` / `invalid_function_parameters`** — **done at `e7e0fd2` on 2026-04-09**. Added `normalize_object_schema()` in `openai_compat.rs` which recursively walks JSON Schema trees and injects `"properties": {}` and `"additionalProperties": false` on every object-type node (without overwriting existing values). Called from `openai_tool_definition()` so both `/chat/completions` and `/responses` receive strict-validator-safe schemas. 3 unit tests added. All api tests pass. **Original filing below.**
|
||||
@@ -500,6 +1145,8 @@ Model name prefix now wins unconditionally over env-var presence. Regression tes
|
||||
|
||||
63. **Droid session completion semantics broken: code arrives after "status: completed"** — dogfooded 2026-04-12. Ultraclaw droid sessions (use-droid via acpx) report `session.status: completed` before file writes are fully flushed/synced to the working tree. Discovered +410 lines of "late-arriving" droid output that appeared after I had already assessed 8 sessions as "no code produced." This creates false-negative assessments and duplicate work. **Fix shape:** (a) droid agent should only report completion after explicit file-write confirmation (fsync or existence check); (b) or, claw-code should expose a `pending_writes` status that indicates "agent responded, disk flush pending"; (c) lane orchestrators should poll for file changes for N seconds after completion before final assessment. **Blocker:** none. Source: Jobdori ultraclaw dogfood 2026-04-12.
|
||||
|
||||
64. **ACP/Zed editor integration entrypoint is too implicit** — dogfooded 2026-04-13 from a user request for a `-acp` parameter to support ACP protocol integration in editor-first workflows such as Zed. The gap is not generic "please add another integration" churn; it is a **discoverability and launch-contract problem**. Right now the product surface does not make it obvious whether ACP is already supported, how an editor should invoke claw-code, or whether a dedicated flag/mode exists at all. That forces evaluators into repo archaeology instead of giving them a crisp editor-facing invocation contract. **Fix shape:** either (a) add an explicit ACP/editor entrypoint such as `--acp` / `acp serve` with help text that states the contract, or (b) if the protocol path already exists, surface it prominently in CLI help/README with a concrete Zed/editor integration example so users do not have to guess. **Acceptance bar:** an editor-first user can answer "how do I launch claw-code for ACP/Zed?" from `claw --help` or the first screen of docs without reading source. **Blocker:** none; currently recorded as a roadmap follow-up because the repo-local entrypoint was not obvious during dogfood.
|
||||
|
||||
64. **Artifact provenance is post-hoc narration, not structured events** — **done (verified 2026-04-12):** completed lane persistence in `rust/crates/tools/src/lib.rs` now attaches structured `artifactProvenance` metadata to `lane.finished`, including `sourceLanes`, `roadmapIds`, `files`, `diffStat`, `verification`, and `commitSha`, while keeping the existing `lane.commit.created` provenance event intact. Regression coverage locks a successful completion payload that carries roadmap ids, file paths, diff stat, verification states, and commit sha without relying on prose re-parsing. **Original filing below.**
|
||||
|
||||
65. **Backlog-scanning team lanes emit opaque stops, not structured selection outcomes** — **done (verified 2026-04-12):** completed lane persistence in `rust/crates/tools/src/lib.rs` now recognizes backlog-scan selection summaries and records structured `selectionOutcome` metadata on `lane.finished`, including `chosenItems`, `skippedItems`, `action`, and optional `rationale`, while preserving existing non-selection and review-lane behavior. Regression coverage locks the structured backlog-scan payload alongside the earlier quality-floor and review-verdict paths. **Original filing below.**
|
||||
|
||||
Reference in New Issue
Block a user