docs: close reporting-governance entrypoint semantics gap

2026-05-08 21:35:55 +08:00
parent 6f2ea9b3b3
commit bdd33bd42d
6 changed files with 460 additions and 7 deletions
--- a/docs/specs/reporting-governance-adapter-interface.md
+++ b/docs/specs/reporting-governance-adapter-interface.md
@@ -36,6 +36,7 @@ Without an adapter interface, those runtime pieces remain implementation islands
 For the current mainline slice, the package-owned runtime source of truth is the package adapter surface and package scripts under `plugins/reporting-governance/`.
 Repo-root `scripts/*.mjs` files should be read as compatibility wrappers or operator conveniences unless explicitly stated otherwise.
 When this spec names package entrypoints as `scripts/...`, that path is package-root-relative within `plugins/reporting-governance/`; repo-root wrappers remain the separate compatibility layer.
 ## Scope
--- a/docs/specs/reporting-governance-capability-descriptor.md
+++ b/docs/specs/reporting-governance-capability-descriptor.md
@@ -0,0 +1,412 @@
 # Reporting Governance Capability Descriptor
 ## Purpose
 This document defines the **capability descriptor** for the reporting-governance plugin.
 It turns runtime support from implied prose into a machine-readable contract that can be:
 - validated before deployment
 - checked against deployment profiles
 - attached to audit bundles
 - used by the next implementation stage for evaluator / decision-runner wiring
 This spec is intentionally the next step after:
 - `docs/specs/reporting-governance-adapter-interface.md`
 - `docs/specs/reporting-governance-deployment-model.md`
 - `schemas/reporting-governance/adapter-capabilities.schema.json`
 The adapter-interface spec defines **what adapters must be able to describe**.
 This capability-descriptor spec defines **how one concrete runtime publishes that description as a package artifact**.
 ## Why this exists now
 The current mainline already has:
 - canonical event / evidence / decision / policy-pack contracts
 - deployment profiles
 - a validated watchdog reference runtime composition
 But the plugin still lacks one package-level truth source answering:
 - which runtime surfaces exist in this deployment
 - which enforcement actions are actually available
 - whether the runtime can only queue, can bridge, or can truly ack final delivery
 - which storage and receipt guarantees are real
 Without a capability descriptor, the next evaluator / decision-runner stage would still have to guess runtime powers from docs and scripts.
 ## Scope
 This spec defines:
 1. the package role of a capability descriptor
 2. the minimum descriptor shape
 3. the OpenClaw reference descriptor for the watchdog composition
 4. package-boundary implications for `core/`, `adapters/`, `storage/`, `artifacts/`, and reference implementations
 5. how evaluator / decision-runner should consume descriptor data next
 This spec does **not** define:
 - the policy evaluator itself
 - the deployment-profile schema
 - one mandatory programming language API
 - the full audit export manifest format
 ## Mainline decision
 The reporting-governance plugin now uses this package distinction:
 - **schema**: validation contract for descriptor shape
 - **capability descriptor**: one concrete runtime claim validated by that schema
 - **deployment profile**: requested operating posture
 - **adapter modules**: implementation surfaces that may satisfy some or all requested posture
 In short:
 - profiles express **desired behavior**
 - capability descriptors express **actual runtime power**
 - evaluator / decision-runner must operate from the intersection of both
 ## Package location
 Capability descriptors belong under the plugin package boundary:
 ```text
 plugins/reporting-governance/
  capabilities/
    openclaw-watchdog-reference.json
  examples/
    openclaw-watchdog-reference.descriptor.example.json
 ```
 The canonical validation schema remains under:
 ```text
 schemas/reporting-governance/capability-descriptor.schema.json
 ```
 This keeps the split clear:
 - `schemas/` = canonical validation contracts
 - `plugins/reporting-governance/capabilities/` = package-owned runtime declarations; `runtime.entrypoint: "scripts/..."` is resolved relative to the package root
 - `plugins/reporting-governance/examples/` = copyable reference inputs using the same package-root-relative `scripts/...` semantics
 ## Descriptor responsibilities
 A capability descriptor must answer five questions.
 ### 1. What runtime is this?
 Examples:
 - `openclaw`
 - future host runtimes
 - future embedded or CI-only runtimes
 ### 2. Which adapter surfaces are present?
 Examples:
 - `watchdog`
 - `queue`
 - `dispatcher`
 - `bridge`
 - `sender_binding`
 - `orchestrator`
 ### 3. Which governance actions are truly available?
 Examples:
 - block transition
 - rewrite message
 - annotate placeholder
 - force checkpoint
 - request review
 - downgrade status
 - escalate
 ### 4. What notification truth model is supported?
 At minimum, whether the runtime distinguishes:
 - `prepared`
 - `queued`
 - `dispatched`
 - `pending_external_send`
 - `acked`
 - `blocked`
 ### 5. What persistence and audit guarantees exist?
 Examples:
 - can events be persisted?
 - can receipts be written?
 - can original attempted messages be preserved?
 - can decision outputs be stored yet, or is that still pending the next phase?
 ## Descriptor shape
 The canonical descriptor shape is validated by:
 - `schemas/reporting-governance/capability-descriptor.schema.json`
 The schema reuses the same top-level resource model already established for adapter capabilities:
 - `apiVersion`
 - `kind`
 - `metadata`
 - `runtime`
 - `compatibility`
 - `capabilities`
 - optional `defaults`
 - optional `notes`
 ## OpenClaw reference descriptor
 The first package-mainline descriptor is the **OpenClaw watchdog reference composition**.
 Descriptor identity:
 - runtime: `openclaw`
 - mode: `hybrid`
 - runtime `entrypoint`: `scripts/watchdog_auto_notify_orchestrator.mjs` resolved from `plugins/reporting-governance/` package root
 - surfaces:
  - `watchdog`
  - `queue`
  - `dispatcher`
  - `bridge`
  - `sender_binding`
  - `orchestrator`
  - `scheduler`
  - `storage`
 ### What it must claim
 This reference descriptor should claim support for:
 - watchdog overdue observation
 - canonical watchdog event generation
 - queue-backed operator notices
 - spool/handoff dispatch
 - bridge-supervised sender invocation
 - truthful `acked | blocked | pending_external_send` outcomes
 - persistence of events, evidence, queue items, spool artifacts, and receipts
 ### What it should not overclaim
 At this stage, the reference descriptor should **not** overclaim:
 - full inline hook interception as complete
 - final delivery proof in every deployment
 - fully packaged decision persistence if the evaluator / decision runner is not extracted yet
 - all completion-claim governance paths
 This is why some support levels remain `partial` rather than `full`.
 ## Package boundary decisions
 This spec fixes the package skeleton boundaries needed for the next implementation round.
 ## `src/core/`
 `core/` contains runtime-agnostic governance logic.
 It should own:
 - canonical event normalization
 - evidence building / evidence-reference shaping
 - policy evaluation
 - decision execution planning
 - capability/profile compatibility checks
 It should **not** own:
 - cron installation
 - filesystem-specific queue scanning loops
 - OpenClaw sender invocations
 - repo-local wrapper scripts
 Minimum package direction:
 ```text
 src/core/
  capability-profile-compatibility.mjs
  decision-runner.mjs
  evidence-builder.mjs
  event-normalizer.mjs
  policy-evaluator.mjs
 ```
 ## `src/adapters/`
 `adapters/` contains runtime-facing integration modules.
 It should own:
 - OpenClaw watchdog adapter wrapper
 - queue / dispatcher adapter wrapper
 - bridge adapter wrapper
 - sender-binding adapter wrapper
 - orchestrator adapter wrapper
 It may initially wrap existing repo scripts while package extraction is still in progress.
 It should **not** absorb canonical policy semantics that belong in `core/`.
 Minimum package direction:
 ```text
 src/adapters/
  bridge-adapter.mjs
  dispatcher-adapter.mjs
  orchestrator-adapter.mjs
  sender-binding-adapter.mjs
  watchdog-adapter.mjs
 ```
 ## `src/storage/`
 `storage/` contains package-level readers/writers for durable governance artifacts.
 It should own contracts for:
 - event store
 - evidence store
 - receipt store
 - queue-item store
 - spool-artifact store
 - future decision store
 - future audit export manifest support
 It should not define governance meaning; it only persists governed artifacts.
 Minimum package direction:
 ```text
 src/storage/
  decision-store.mjs
  event-store.mjs
  evidence-store.mjs
  queue-store.mjs
  receipt-store.mjs
  spool-store.mjs
 ```
 ## `artifacts/` boundary
 The plugin package does not need a required checked-in `artifacts/` source directory yet.
 Instead, **artifacts** are the runtime outputs produced by storage contracts and runtime bindings.
 For current OpenClaw reference behavior, the artifact classes are still represented by runtime directories such as:
 - `state/long-task-watchdog/`
 - `state/long-task-watchdog-events/`
 - `state/operator-notify-queue/`
 - `state/operator-notify-dispatch-spool/`
 - `state/operator-notify-bridge-receipts/`
 - `state/operator-notify-sender-attempts/`
 Mainline interpretation:
 - these are **runtime artifact locations**
 - package `src/storage/` should become the code boundary that reads/writes them
 - future audit export bundles should consume these classes through storage abstractions rather than raw script coupling
 ## Reference implementations boundary
 Reference implementations are executable, runtime-specific realizations of the package contracts.
 For this MVP stage, the main reference implementation is the watchdog chain described in:
 - `CODER_WATCHDOG_REPORT.md`
 Within the package skeleton, it belongs under:
 ```text
 plugins/reporting-governance/src/reference/openclaw-watchdog-chain.md
 ```
 and is represented in code-adjacent terms by:
 - `src/adapters/watchdog-adapter.mjs`
 - `src/adapters/dispatcher-adapter.mjs`
 - `src/adapters/bridge-adapter.mjs`
 - `src/adapters/sender-binding-adapter.mjs`
 - `src/adapters/orchestrator-adapter.mjs`
 This means the **watchdog reference runtime composition is categorized as a reference implementation, not as plugin core**.
 That is the key boundary that keeps the next evaluator / decision-runner work clean.
 ## Consumption by evaluator / decision runner
 The next implementation stage should use the capability descriptor in two places.
 ### 1. Preflight compatibility
 Before executing a policy action, the runtime should compare:
 - requested profile behavior
 - policy-required action
 - actual adapter capability support
 Examples:
 - if `force_checkpoint` is requested but only queue/bridge notice is available, downgrade to honest deferred notice + receipt
 - if direct send is requested but only `pending_external_send` is supportable, preserve the weaker truthful state
 ### 2. Action planning
 The decision runner should use capability support to choose execution paths such as:
 - inline block
 - queue-only notice
 - bridge-mediated send
 - status downgrade + review request
 - blocked-with-gap receipt
 This keeps the evaluator portable and avoids encoding OpenClaw-specific assumptions inside `core/`.
 ## Verification expectations
 Capability descriptor work should be verified at minimum by:
 1. schema validation of the descriptor JSON
 2. package skeleton presence checks
 3. consistency review against:
   - adapter-interface spec
   - deployment model
   - roadmap lane terminology
 ## Minimal synchronization with roadmap and deployment model
 This capability-descriptor step advances:
 - roadmap lane 3: package extraction
 - roadmap lane 4: capability/profile/deployment binding
 The deployment model does not need redesign.
 It only needs to recognize that the first concrete package artifact for this lane is now:
 - a package-owned OpenClaw capability descriptor
 - plus the minimal package skeleton that gives it a stable home
 ## Summary
 This spec establishes the reporting-governance capability descriptor as the package-level truth contract between:
 - runtime-specific adapter power
 - deployment-profile intent
 - future evaluator / decision-runner behavior
 It also fixes the package boundaries needed for the next phase:
 - `core/` = runtime-agnostic governance logic
 - `adapters/` = runtime integration surfaces
 - `storage/` = durable artifact I/O contracts
 - runtime `artifacts/` = produced outputs, not core source
 - watchdog chain = reference implementation housed under the package skeleton, not plugin core
--- a/docs/specs/reporting-governance-deployment-model.md
+++ b/docs/specs/reporting-governance-deployment-model.md
@@ -313,6 +313,8 @@ Examples:
 The completed watchdog chain is now treated as the first reference deployment composition.
 For the current mainline slice, the package-owned source of truth is the package entrypoint set under `plugins/reporting-governance/scripts/` together with package profile artifacts under `plugins/reporting-governance/profiles/`.
 Within package-owned artifacts such as capability descriptors, `runtime.entrypoint: "scripts/..."` means package-root-relative to `plugins/reporting-governance/`.
 Within deployment profile artifacts, `spec.bindings.entrypoint` and `spec.bindings.scripts.*` remain repo-root-relative paths like `plugins/reporting-governance/scripts/...`, because they bind the installed package back into a concrete workspace/repo runtime.
 Repo-root `scripts/*.mjs` wrappers and install helpers remain migration/deployment conveniences, not the architectural source of runtime truth.
 ### Reference composition
@@ -331,16 +333,16 @@ watchdog runner
 | Runtime piece | Deployment role |
 | --- | --- |
-| `scripts/long_task_watchdog.mjs` | watchdog adapter executable in the deployed package |
+| package `scripts/long_task_watchdog.mjs` | watchdog adapter executable in the deployed package (`scripts/...` here means package-root-relative inside `plugins/reporting-governance/`) |
 | `state/long-task-watchdog/*.json` | portable runtime-artifact evidence |
 | `state/long-task-watchdog-events/*.json` | portable canonical event artifacts |
 | `state/operator-notify-queue/*.json` | queue-layer audit artifacts and deferred notice obligations |
-| `scripts/operator_notify_dispatcher.mjs` | dispatcher adapter for handoff generation |
+| package `scripts/operator_notify_dispatcher.mjs` | dispatcher adapter for handoff generation |
 | `state/operator-notify-dispatch-spool/*.json` | spool/handoff audit artifacts proving dispatch, not delivery |
-| `scripts/operator_notify_bridge_supervisor.mjs` | bridge adapter for upper-runtime send boundary |
+| package `scripts/operator_notify_bridge_supervisor.mjs` | bridge adapter for upper-runtime send boundary |
-| `scripts/operator_notify_sender_binding.mjs` | sender-binding adapter selectable by deployment profile |
+| package `scripts/operator_notify_sender_binding.mjs` | sender-binding adapter selectable by deployment profile |
 | `state/operator-notify-bridge-receipts/*.json` | portable delivery-state receipts |
-| `scripts/watchdog_auto_notify_orchestrator.mjs` | orchestrator adapter and single deployment entrypoint |
+| package `scripts/watchdog_auto_notify_orchestrator.mjs` | orchestrator adapter and single deployment entrypoint |
 | cron installer / wrapper | runtime binding for scheduled execution |
 ### Mainline conclusion
--- a/plugins/reporting-governance/examples/openclaw-watchdog-reference.descriptor.example.json
+++ b/plugins/reporting-governance/examples/openclaw-watchdog-reference.descriptor.example.json
@@ -19,7 +19,7 @@
      "orchestrator",
      "storage"
    ],
-    "entrypoint": "plugins/reporting-governance/scripts/watchdog_auto_notify_orchestrator.mjs"
+    "entrypoint": "scripts/watchdog_auto_notify_orchestrator.mjs"
  },
  "compatibility": {
    "plugin_spec_versions": [
--- a/plugins/reporting-governance/package.json
+++ b/plugins/reporting-governance/package.json
@@ -27,7 +27,7 @@
    "src/"
  ],
  "scripts": {
-    "test": "node --test test/package-structure.test.mjs test/policy-evaluator.test.mjs test/compatibility-preflight.test.mjs test/profile-artifact.test.mjs test/profile-generator.test.mjs test/decision-runner.test.mjs test/decision-store.test.mjs test/decision-store-runtime.integration.test.mjs test/governance-contract.integration.test.mjs test/watchdog-chain.integration.test.mjs test/orchestrator-execution.test.mjs test/runtime-integrated.integration.test.mjs test/exports-boundary.integration.test.mjs test/packed-consumer-install.smoke.test.mjs",
+    "test": "node --test test/package-structure.test.mjs test/descriptor-entrypoint-resolution.test.mjs test/policy-evaluator.test.mjs test/compatibility-preflight.test.mjs test/profile-artifact.test.mjs test/profile-generator.test.mjs test/decision-runner.test.mjs test/decision-store.test.mjs test/decision-store-runtime.integration.test.mjs test/governance-contract.integration.test.mjs test/watchdog-chain.integration.test.mjs test/orchestrator-execution.test.mjs test/runtime-integrated.integration.test.mjs test/exports-boundary.integration.test.mjs test/packed-consumer-install.smoke.test.mjs",
    "smoke": "node ./scripts/package-smoke.mjs --compact"
  },
  "dependencies": {
--- a/plugins/reporting-governance/test/descriptor-entrypoint-resolution.test.mjs
+++ b/plugins/reporting-governance/test/descriptor-entrypoint-resolution.test.mjs
@@ -0,0 +1,38 @@
 import test from 'node:test';
 import assert from 'node:assert/strict';
 import fs from 'node:fs';
 import path from 'node:path';
 import capabilityDescriptor from '../capabilities/openclaw-watchdog-reference.json' with { type: 'json' };
 import exampleDescriptor from '../examples/openclaw-watchdog-reference.descriptor.example.json' with { type: 'json' };
 import { createDeploymentBindingContract } from '../src/storage/profile-artifact.mjs';
 import profileArtifact from '../profiles/strict-manager-mode.profile.json' with { type: 'json' };
 const packageRoot = path.resolve(import.meta.dirname, '..');
 const repoRoot = path.resolve(packageRoot, '..', '..');
 function resolvePackageEntrypoint(entrypoint) {
  return path.resolve(packageRoot, entrypoint);
 }
 test('capability descriptor and example entrypoint resolve from package root to the package-owned orchestrator', () => {
  const canonicalPath = path.resolve(packageRoot, 'scripts/watchdog_auto_notify_orchestrator.mjs');
  const descriptorEntrypoint = resolvePackageEntrypoint(capabilityDescriptor.runtime.entrypoint);
  const exampleEntrypoint = resolvePackageEntrypoint(exampleDescriptor.runtime.entrypoint);
  assert.equal(capabilityDescriptor.runtime.entrypoint, 'scripts/watchdog_auto_notify_orchestrator.mjs');
  assert.equal(exampleDescriptor.runtime.entrypoint, 'scripts/watchdog_auto_notify_orchestrator.mjs');
  assert.equal(descriptorEntrypoint, canonicalPath);
  assert.equal(exampleEntrypoint, canonicalPath);
  assert.equal(fs.existsSync(canonicalPath), true);
 });
 test('deployment profile binding stays repo-root-relative while targeting the same package-owned orchestrator', () => {
  const binding = createDeploymentBindingContract({ artifact: profileArtifact, repoRootOverride: repoRoot });
  const canonicalPath = path.resolve(packageRoot, 'scripts/watchdog_auto_notify_orchestrator.mjs');
  assert.equal(profileArtifact.spec.bindings.entrypoint, 'plugins/reporting-governance/scripts/watchdog_auto_notify_orchestrator.mjs');
  assert.equal(binding.entrypoint, canonicalPath);
  assert.equal(binding.scripts.orchestrator, canonicalPath);
 });