openclaw/reporting-governance-plugin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: harden auto-next continuity receipt linkage

Browse Source
This commit is contained in:
Eve
2026-04-24 16:38:36 +08:00
parent 8e290a4d9b
commit 82d0d94b5f
6 changed files with 242 additions and 741 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
scripts/approved_plan_continuity_gate.mjs
View File

@@ -11,6 +11,10 @@ function isObject(value) {
return value != null && typeof value === 'object' && !Array.isArray(value);
}
function normalizeAction(action) {
return JSON.stringify(action ?? null);
}
function hasValidDispatchReceipt(receipt) {
if (!isObject(receipt)) return false;
if (!isNonEmptyString(receipt.planId)) return false;
@@ -20,6 +24,27 @@ function hasValidDispatchReceipt(receipt) {
return true;
}
function receiptMatchesPayload(payload, receipt) {
if (!hasValidDispatchReceipt(receipt)) return false;
const expectedPlanId = payload?.planId;
if (isNonEmptyString(expectedPlanId) && receipt.planId !== expectedPlanId) return false;
const expectedCurrentTask = payload?.currentTask;
if (isNonEmptyString(expectedCurrentTask) && receipt.currentTask !== expectedCurrentTask) return false;
const expectedNextTask = payload?.nextTaskId ?? payload?.nextTaskKey ?? null;
const receiptNextTask = receipt?.nextTaskId ?? receipt?.nextTaskKey ?? null;
if (isNonEmptyString(expectedNextTask) && receiptNextTask !== expectedNextTask) return false;
const expectedNextAction = payload?.nextDerivedAction ?? payload?.derivedAction ?? null;
if (expectedNextAction != null && normalizeAction(receipt.nextDerivedAction) !== normalizeAction(expectedNextAction)) {
return false;
}
return true;
}
function parseArgs(argv) {
let inputPath = null;
let compact = false;
@@ -80,9 +105,9 @@ function evaluateContinuity(payload) {
const sameApprovedPlan = payload?.sameApprovedPlan === true;
const taskBoundaryStop = payload?.taskBoundaryStop === true;
const highRiskStop = payload?.highRiskStop === true;
const hasDispatchReceipt = hasValidDispatchReceipt(payload?.dispatchReceipt ?? null);
const closureState = payload?.replyClosureState ?? null;
const isLegalTerminalState = LEGAL_TERMINAL_STATES.has(closureState);
const hasDispatchReceipt = receiptMatchesPayload(payload, payload?.dispatchReceipt ?? null);
const autoNextObligatory = taskComplete
&& explicitNextTaskKnown
&& sameApprovedPlan
@@ -150,5 +175,4 @@ const response = {
},
};
process.stdout.write(`${JSON.stringify(response)}
`);
process.stdout.write(`${JSON.stringify(response)}\n`);

2
scripts/approved_plan_dispatch_binding.mjs
View File

@@ -81,6 +81,7 @@ function buildReceipt(payload) {
const receipt = {
planId: payload?.planId ?? null,
currentTask: payload?.currentTask ?? null,
nextTaskId: payload?.nextTaskId ?? null,
nextDerivedAction: nextAction,
dispatchedAt: payload?.dispatchedAt ?? null,
dispatchRunId: payload?.dispatchRunId ?? null,
@@ -97,6 +98,7 @@ function validateReceipt(receipt) {
for (const field of [
'planId',
'currentTask',
'nextTaskId',
'nextDerivedAction',
'dispatchedAt',
'dispatchRunId',

375
scripts/test_approved_plan_continuity_gate.mjs
View File

@@ -179,6 +179,7 @@ const tests = [
nextTaskKnown: true,
sameApprovedPlan: true,
taskBoundaryStop: true,
nextTaskId: 'task-9',
nextDerivedAction: {
type: 'message_subagent',
task: 'continue with task-9',
@@ -190,31 +191,12 @@ const tests = [
});
try {
const result = runGate({
args: ['--compact', '--input', fixture.path('input.json')],
});
if (result.status !== 0 && result.status !== null) {
throw new Error(`expected controlled execution, got status=${result.status}
${result.stderr || result.stdout}`);
}
if (!result.json || typeof result.json !== 'object') {
throw new Error(`expected JSON output
stdout=${result.stdout}`);
}
if (result.json.ok !== false) {
throw new Error(`expected auto-next continuity failure ok=false, got ${JSON.stringify(result.json)}`);
}
if (result.json.verdict !== 'continuity_failure') {
throw new Error(`expected verdict=continuity_failure, got ${JSON.stringify(result.json.verdict)}`);
}
if (result.json.reason !== 'missing_auto_next_dispatch') {
throw new Error(`expected reason=missing_auto_next_dispatch, got ${JSON.stringify(result.json.reason)}`);
}
const result = runGate({ args: ['--compact', '--input', fixture.path('input.json')] });
if (result.status !== 0 && result.status !== null) throw new Error(`expected controlled execution, got status=${result.status}\n${result.stderr || result.stdout}`);
if (!result.json || typeof result.json !== 'object') throw new Error(`expected JSON output\nstdout=${result.stdout}`);
if (result.json.ok !== false) throw new Error(`expected auto-next continuity failure ok=false, got ${JSON.stringify(result.json)}`);
if (result.json.verdict !== 'continuity_failure') throw new Error(`expected verdict=continuity_failure, got ${JSON.stringify(result.json.verdict)}`);
if (result.json.reason !== 'missing_auto_next_dispatch') throw new Error(`expected reason=missing_auto_next_dispatch, got ${JSON.stringify(result.json.reason)}`);
} finally {
fixture.cleanup();
}
@@ -231,6 +213,7 @@ stdout=${result.stdout}`);
nextTaskKnown: true,
sameApprovedPlan: true,
taskBoundaryStop: true,
nextTaskId: 'task-9b',
derivedAction: {
type: 'message_subagent',
task: 'continue with task-9b',
@@ -242,31 +225,12 @@ stdout=${result.stdout}`);
});
try {
const result = runGate({
args: ['--compact', '--input', fixture.path('input.json')],
});
if (result.status !== 0 && result.status !== null) {
throw new Error(`expected controlled execution, got status=${result.status}
${result.stderr || result.stdout}`);
}
if (!result.json || typeof result.json !== 'object') {
throw new Error(`expected JSON output
stdout=${result.stdout}`);
}
if (result.json.ok !== false) {
throw new Error(`expected auto-next continuity failure ok=false, got ${JSON.stringify(result.json)}`);
}
if (result.json.verdict !== 'continuity_failure') {
throw new Error(`expected verdict=continuity_failure, got ${JSON.stringify(result.json.verdict)}`);
}
if (result.json.reason !== 'missing_auto_next_dispatch') {
throw new Error(`expected reason=missing_auto_next_dispatch, got ${JSON.stringify(result.json.reason)}`);
}
const result = runGate({ args: ['--compact', '--input', fixture.path('input.json')] });
if (result.status !== 0 && result.status !== null) throw new Error(`expected controlled execution, got status=${result.status}\n${result.stderr || result.stdout}`);
if (!result.json || typeof result.json !== 'object') throw new Error(`expected JSON output\nstdout=${result.stdout}`);
if (result.json.ok !== false) throw new Error(`expected auto-next continuity failure ok=false, got ${JSON.stringify(result.json)}`);
if (result.json.verdict !== 'continuity_failure') throw new Error(`expected verdict=continuity_failure, got ${JSON.stringify(result.json.verdict)}`);
if (result.json.reason !== 'missing_auto_next_dispatch') throw new Error(`expected reason=missing_auto_next_dispatch, got ${JSON.stringify(result.json.reason)}`);
} finally {
fixture.cleanup();
}
@@ -283,6 +247,7 @@ stdout=${result.stdout}`);
nextTaskKnown: true,
sameApprovedPlan: true,
taskBoundaryStop: true,
nextTaskId: 'task-9c',
nextDerivedAction: {
type: 'message_subagent',
task: 'continue with task-9c',
@@ -294,23 +259,10 @@ stdout=${result.stdout}`);
});
try {
const result = runGate({
args: ['--compact', '--input', fixture.path('input.json')],
});
if (result.status !== 0 && result.status !== null) {
throw new Error(`expected controlled execution, got status=${result.status}
${result.stderr || result.stdout}`);
}
if (!result.json || typeof result.json !== 'object') {
throw new Error(`expected JSON output
stdout=${result.stdout}`);
}
if (result.json.ok !== true) {
throw new Error(`expected continuity pass ok=true when highRiskStop=true, got ${JSON.stringify(result.json)}`);
}
const result = runGate({ args: ['--compact', '--input', fixture.path('input.json')] });
if (result.status !== 0 && result.status !== null) throw new Error(`expected controlled execution, got status=${result.status}\n${result.stderr || result.stdout}`);
if (!result.json || typeof result.json !== 'object') throw new Error(`expected JSON output\nstdout=${result.stdout}`);
if (result.json.ok !== true) throw new Error(`expected continuity pass ok=true when highRiskStop=true, got ${JSON.stringify(result.json)}`);
} finally {
fixture.cleanup();
}
@@ -334,23 +286,10 @@ stdout=${result.stdout}`);
});
try {
const result = runGate({
args: ['--compact', '--input', fixture.path('input.json')],
});
if (result.status !== 0 && result.status !== null) {
throw new Error(`expected controlled execution, got status=${result.status}
${result.stderr || result.stdout}`);
}
if (!result.json || typeof result.json !== 'object') {
throw new Error(`expected JSON output
stdout=${result.stdout}`);
}
if (result.json.ok !== true) {
throw new Error(`expected pass when nextTaskKnown=false, got ${JSON.stringify(result.json)}`);
}
const result = runGate({ args: ['--compact', '--input', fixture.path('input.json')] });
if (result.status !== 0 && result.status !== null) throw new Error(`expected controlled execution, got status=${result.status}\n${result.stderr || result.stdout}`);
if (!result.json || typeof result.json !== 'object') throw new Error(`expected JSON output\nstdout=${result.stdout}`);
if (result.json.ok !== true) throw new Error(`expected pass when nextTaskKnown=false, got ${JSON.stringify(result.json)}`);
} finally {
fixture.cleanup();
}
@@ -367,6 +306,7 @@ stdout=${result.stdout}`);
nextTaskKnown: true,
sameApprovedPlan: false,
taskBoundaryStop: true,
nextTaskId: 'task-other',
nextDerivedAction: {
type: 'message_subagent',
task: 'continue with unrelated task',
@@ -378,23 +318,133 @@ stdout=${result.stdout}`);
});
try {
const result = runGate({
args: ['--compact', '--input', fixture.path('input.json')],
});
const result = runGate({ args: ['--compact', '--input', fixture.path('input.json')] });
if (result.status !== 0 && result.status !== null) throw new Error(`expected controlled execution, got status=${result.status}\n${result.stderr || result.stdout}`);
if (!result.json || typeof result.json !== 'object') throw new Error(`expected JSON output\nstdout=${result.stdout}`);
if (result.json.ok !== true) throw new Error(`expected pass when sameApprovedPlan=false, got ${JSON.stringify(result.json)}`);
} finally {
fixture.cleanup();
}
},
},
{
name: 'auto-next obligation: fails when receipt exists but next-task linkage is stale or mismatched',
run() {
const fixture = createFixture({
'input.json': {
planId: 'plan-auto-next-linkage-mismatch',
currentTask: 'task-8f',
taskState: 'complete',
nextTaskKnown: true,
sameApprovedPlan: true,
taskBoundaryStop: true,
nextTaskId: 'task-9f',
nextDerivedAction: {
type: 'message_subagent',
task: 'continue with task-9f',
},
replyClosureState: 'completed',
highRiskStop: false,
dispatchReceipt: {
planId: 'plan-auto-next-linkage-mismatch',
currentTask: 'task-8f',
nextTaskId: 'task-10f',
nextDerivedAction: {
type: 'message_subagent',
task: 'continue with task-10f',
},
dispatchedAt: '2026-04-24T16:00:00+08:00',
},
},
});
if (result.status !== 0 && result.status !== null) {
throw new Error(`expected controlled execution, got status=${result.status}
${result.stderr || result.stdout}`);
}
try {
const result = runGate({ args: ['--compact', '--input', fixture.path('input.json')] });
if (result.status !== 0 && result.status !== null) throw new Error(`expected controlled execution, got status=${result.status}\n${result.stderr || result.stdout}`);
if (!result.json || typeof result.json !== 'object') throw new Error(`expected JSON output\nstdout=${result.stdout}`);
if (result.json.ok !== false) throw new Error(`expected linkage mismatch to fail, got ${JSON.stringify(result.json)}`);
if (result.json.reason !== 'missing_auto_next_dispatch') throw new Error(`expected linkage mismatch reason=missing_auto_next_dispatch, got ${JSON.stringify(result.json.reason)}`);
} finally {
fixture.cleanup();
}
},
},
{
name: 'auto-next obligation: passes when receipt links to the required next task',
run() {
const fixture = createFixture({
'input.json': {
planId: 'plan-auto-next-linkage-match',
currentTask: 'task-8g',
taskState: 'complete',
nextTaskKnown: true,
sameApprovedPlan: true,
taskBoundaryStop: true,
nextTaskId: 'task-9g',
nextDerivedAction: {
type: 'message_subagent',
task: 'continue with task-9g',
},
replyClosureState: 'completed',
highRiskStop: false,
dispatchReceipt: {
planId: 'plan-auto-next-linkage-match',
currentTask: 'task-8g',
nextTaskId: 'task-9g',
nextDerivedAction: {
type: 'message_subagent',
task: 'continue with task-9g',
},
dispatchedAt: '2026-04-24T16:05:00+08:00',
},
},
});
if (!result.json || typeof result.json !== 'object') {
throw new Error(`expected JSON output
stdout=${result.stdout}`);
}
try {
const result = runGate({ args: ['--compact', '--input', fixture.path('input.json')] });
if (result.status !== 0 && result.status !== null) throw new Error(`expected controlled execution, got status=${result.status}\n${result.stderr || result.stdout}`);
if (!result.json || typeof result.json !== 'object') throw new Error(`expected JSON output\nstdout=${result.stdout}`);
if (result.json.ok !== true) throw new Error(`expected linkage-matched receipt to pass, got ${JSON.stringify(result.json)}`);
} finally {
fixture.cleanup();
}
},
},
{
name: 'auto-next obligation: fails when receipt only proves checkpoint/session metadata without actual dispatch linkage',
run() {
const fixture = createFixture({
'input.json': {
planId: 'plan-auto-next-checkpoint-spoof',
currentTask: 'task-8h',
taskState: 'complete',
nextTaskKnown: true,
sameApprovedPlan: true,
taskBoundaryStop: true,
nextTaskId: 'task-9h',
nextDerivedAction: {
type: 'message_subagent',
task: 'continue with task-9h',
},
replyClosureState: 'completed',
highRiskStop: false,
dispatchReceipt: {
planId: 'plan-auto-next-checkpoint-spoof',
currentTask: 'task-8h',
nextTaskId: 'task-9h',
checkpointPath: 'checkpoints/task-8h.json',
sessionKey: 'task-8h',
dispatchedAt: '2026-04-24T16:10:00+08:00',
},
},
});
if (result.json.ok !== true) {
throw new Error(`expected pass when sameApprovedPlan=false, got ${JSON.stringify(result.json)}`);
}
try {
const result = runGate({ args: ['--compact', '--input', fixture.path('input.json')] });
if (result.status !== 0 && result.status !== null) throw new Error(`expected controlled execution, got status=${result.status}\n${result.stderr || result.stdout}`);
if (!result.json || typeof result.json !== 'object') throw new Error(`expected JSON output\nstdout=${result.stdout}`);
if (result.json.ok !== false) throw new Error(`expected checkpoint-only receipt to fail, got ${JSON.stringify(result.json)}`);
if (result.json.reason !== 'missing_auto_next_dispatch') throw new Error(`expected checkpoint-only reason=missing_auto_next_dispatch, got ${JSON.stringify(result.json.reason)}`);
} finally {
fixture.cleanup();
}
@@ -420,35 +470,17 @@ stdout=${result.stdout}`);
});
try {
const result = runGate({
args: ['--compact', '--input', fixture.path('input.json')],
});
if (result.status !== 0 && result.status !== null) {
throw new Error(`expected controlled execution, got status=${result.status}\n${result.stderr || result.stdout}`);
}
if (!result.json || typeof result.json !== 'object') {
throw new Error(`expected JSON output\nstdout=${result.stdout}`);
}
if (result.json.ok !== false) {
throw new Error(`expected continuity failure ok=false for fake dispatch receipt, got ${JSON.stringify(result.json)}`);
}
if (result.json.verdict !== 'continuity_failure') {
throw new Error(`expected verdict=continuity_failure for fake dispatch receipt, got ${JSON.stringify(result.json.verdict)}`);
}
if (result.json.reason !== 'missing_dispatch_receipt') {
throw new Error(`expected reason=missing_dispatch_receipt for fake dispatch receipt, got ${JSON.stringify(result.json.reason)}`);
}
const result = runGate({ args: ['--compact', '--input', fixture.path('input.json')] });
if (result.status !== 0 && result.status !== null) throw new Error(`expected controlled execution, got status=${result.status}\n${result.stderr || result.stdout}`);
if (!result.json || typeof result.json !== 'object') throw new Error(`expected JSON output\nstdout=${result.stdout}`);
if (result.json.ok !== false) throw new Error(`expected continuity failure ok=false for fake dispatch receipt, got ${JSON.stringify(result.json)}`);
if (result.json.verdict !== 'continuity_failure') throw new Error(`expected verdict=continuity_failure for fake dispatch receipt, got ${JSON.stringify(result.json.verdict)}`);
if (result.json.reason !== 'missing_dispatch_receipt') throw new Error(`expected reason=missing_dispatch_receipt for fake dispatch receipt, got ${JSON.stringify(result.json.reason)}`);
} finally {
fixture.cleanup();
}
},
},
{
name: 'continuity: passes when task is complete, next action is known, and a dispatch receipt already exists',
run() {
@@ -475,27 +507,15 @@ stdout=${result.stdout}`);
});
try {
const result = runGate({
args: ['--compact', '--input', fixture.path('input.json')],
});
if (result.status !== 0 && result.status !== null) {
throw new Error(`expected controlled execution, got status=${result.status}\n${result.stderr || result.stdout}`);
}
if (!result.json || typeof result.json !== 'object') {
throw new Error(`expected JSON output\nstdout=${result.stdout}`);
}
if (result.json.ok !== true) {
throw new Error(`expected continuity pass ok=true when dispatch receipt exists, got ${JSON.stringify(result.json)}`);
}
const result = runGate({ args: ['--compact', '--input', fixture.path('input.json')] });
if (result.status !== 0 && result.status !== null) throw new Error(`expected controlled execution, got status=${result.status}\n${result.stderr || result.stdout}`);
if (!result.json || typeof result.json !== 'object') throw new Error(`expected JSON output\nstdout=${result.stdout}`);
if (result.json.ok !== true) throw new Error(`expected continuity pass ok=true when dispatch receipt exists, got ${JSON.stringify(result.json)}`);
} finally {
fixture.cleanup();
}
},
},
{
name: 'continuity: passes when planner returns derivedAction and a bound dispatch receipt already exists',
run() {
@@ -522,27 +542,15 @@ stdout=${result.stdout}`);
});
try {
const result = runGate({
args: ['--compact', '--input', fixture.path('input.json')],
});
if (result.status !== 0 && result.status !== null) {
throw new Error(`expected controlled execution, got status=${result.status}\n${result.stderr || result.stdout}`);
}
if (!result.json || typeof result.json !== 'object') {
throw new Error(`expected JSON output\nstdout=${result.stdout}`);
}
if (result.json.ok !== true) {
throw new Error(`expected continuity pass ok=true when derivedAction has bound dispatch receipt, got ${JSON.stringify(result.json)}`);
}
const result = runGate({ args: ['--compact', '--input', fixture.path('input.json')] });
if (result.status !== 0 && result.status !== null) throw new Error(`expected controlled execution, got status=${result.status}\n${result.stderr || result.stdout}`);
if (!result.json || typeof result.json !== 'object') throw new Error(`expected JSON output\nstdout=${result.stdout}`);
if (result.json.ok !== true) throw new Error(`expected continuity pass ok=true when derivedAction has bound dispatch receipt, got ${JSON.stringify(result.json)}`);
} finally {
fixture.cleanup();
}
},
},
{
name: 'continuity: passes when task is complete, next action is known, no dispatch receipt exists, and closure is waiting_user',
run() {
@@ -561,27 +569,15 @@ stdout=${result.stdout}`);
});
try {
const result = runGate({
args: ['--compact', '--input', fixture.path('input.json')],
});
if (result.status !== 0 && result.status !== null) {
throw new Error(`expected controlled execution, got status=${result.status}\n${result.stderr || result.stdout}`);
}
if (!result.json || typeof result.json !== 'object') {
throw new Error(`expected JSON output\nstdout=${result.stdout}`);
}
if (result.json.ok !== true) {
throw new Error(`expected continuity pass ok=true when closure is waiting_user, got ${JSON.stringify(result.json)}`);
}
const result = runGate({ args: ['--compact', '--input', fixture.path('input.json')] });
if (result.status !== 0 && result.status !== null) throw new Error(`expected controlled execution, got status=${result.status}\n${result.stderr || result.stdout}`);
if (!result.json || typeof result.json !== 'object') throw new Error(`expected JSON output\nstdout=${result.stdout}`);
if (result.json.ok !== true) throw new Error(`expected continuity pass ok=true when closure is waiting_user, got ${JSON.stringify(result.json)}`);
} finally {
fixture.cleanup();
}
},
},
{
name: 'continuity: passes when task is complete, next action is known, no dispatch receipt exists, and closure is pending_verification',
run() {
@@ -600,27 +596,15 @@ stdout=${result.stdout}`);
});
try {
const result = runGate({
args: ['--compact', '--input', fixture.path('input.json')],
});
if (result.status !== 0 && result.status !== null) {
throw new Error(`expected controlled execution, got status=${result.status}\n${result.stderr || result.stdout}`);
}
if (!result.json || typeof result.json !== 'object') {
throw new Error(`expected JSON output\nstdout=${result.stdout}`);
}
if (result.json.ok !== true) {
throw new Error(`expected continuity pass ok=true when closure is pending_verification, got ${JSON.stringify(result.json)}`);
}
const result = runGate({ args: ['--compact', '--input', fixture.path('input.json')] });
if (result.status !== 0 && result.status !== null) throw new Error(`expected controlled execution, got status=${result.status}\n${result.stderr || result.stdout}`);
if (!result.json || typeof result.json !== 'object') throw new Error(`expected JSON output\nstdout=${result.stdout}`);
if (result.json.ok !== true) throw new Error(`expected continuity pass ok=true when closure is pending_verification, got ${JSON.stringify(result.json)}`);
} finally {
fixture.cleanup();
}
},
},
{
name: 'continuity: passes when task is complete, next action is known, no dispatch receipt exists, and closure is blocked',
run() {
@@ -639,21 +623,10 @@ stdout=${result.stdout}`);
});
try {
const result = runGate({
args: ['--compact', '--input', fixture.path('input.json')],
});
if (result.status !== 0 && result.status !== null) {
throw new Error(`expected controlled execution, got status=${result.status}\n${result.stderr || result.stdout}`);
}
if (!result.json || typeof result.json !== 'object') {
throw new Error(`expected JSON output\nstdout=${result.stdout}`);
}
if (result.json.ok !== true) {
throw new Error(`expected continuity pass ok=true when closure is blocked, got ${JSON.stringify(result.json)}`);
}
const result = runGate({ args: ['--compact', '--input', fixture.path('input.json')] });
if (result.status !== 0 && result.status !== null) throw new Error(`expected controlled execution, got status=${result.status}\n${result.stderr || result.stdout}`);
if (!result.json || typeof result.json !== 'object') throw new Error(`expected JSON output\nstdout=${result.stdout}`);
if (result.json.ok !== true) throw new Error(`expected continuity pass ok=true when closure is blocked, got ${JSON.stringify(result.json)}`);
} finally {
fixture.cleanup();
}