Harden release gates for channels, recovery, and policy review#163
Merged
ea09789 to a164cac
This hardens launch-readiness evidence by running two semantic checks in the existing security workflow: channels contract parity and a disposable backup/verify/restore smoke cycle. The helper CLI and tests were extended to keep the workflow thin and to lock behavior with unit+contract coverage.
Constraint: Workflow contract forbids shell blobs and heredoc Python in YAML
Rejected: Add checks as inline multi-command shell blocks | violates workflow-thin contract and is harder to test
Rejected: Keep checks as documentation-only evidence | does not produce executable CI proof
Confidence: high
Scope-risk: moderate
Reversibility: clean
Directive: Keep new security workflow checks routed through tests/scripts/security_workflow.py rather than embedding ad-hoc shell logic
Tested: ruff targeted checks; pyright; mypy; pytest tests/suites/unit/ci/test_security_workflow.py tests/suites/contracts/repo/test_ci_workflow_surfaces.py
Not-tested: Full GitHub Actions matrix execution (deferred to PR checks)

This converts the production readiness checklist into an explicit launch gate with concrete verification commands and an out-of-scope note for host-only doctor shortcuts. A docs parity contract test now locks those required commands so checklist drift is caught in CI.
Constraint: Checklist guidance must match actual CLI command surfaces in source code
Rejected: Keep checklist as high-level bullets without executable commands | too ambiguous for launch evidence collection
Confidence: high
Scope-risk: narrow
Reversibility: clean
Directive: Keep checklist command examples aligned with real CLI argument contracts (especially recovery restore positional destination)
Tested: ruff check tests/suites/contracts/repo/test_docs_parity.py; pytest tests/suites/contracts/repo/test_docs_parity.py tests/suites/contracts/repo/test_ci_workflow_surfaces.py tests/suites/unit/ci/test_security_workflow.py
Not-tested: Full CI matrix rerun (deferred to PR checks)

The source docs were expanded to add executable launch checks, so the packaged runtime doc copies are updated to preserve source-vs-packaged parity contracts used in CI and release verification.
Constraint: Packaged runtime assets must byte-match source docs for parity contracts
Rejected: Leave packaged docs stale and rely on source docs only | breaks packaged-runtime contract tests
Confidence: high
Scope-risk: narrow
Reversibility: clean
Directive: Whenever platform/docs docs change, mirror updates under src/clawops/assets/platform/docs in the same change
Tested: pytest tests/suites/contracts/repo/test_packaged_runtime_assets.py tests/suites/contracts/repo/test_docs_parity.py
Not-tested: Full compatibility matrix rerun (deferred to PR checks)

Normalize op-journal and review packet artifacts to owner-only modes on supported POSIX hosts, and surface the security-policy docs in the operator entrypoint list so the launch-readiness lane is easier to verify.
Constraint: RC8 task 2 is limited to security/policy/host/degradation hardening with no .omx artifact changes
Rejected: Leave filesystem hardening as documentation only | approval packets and journal state should default closed on disk
Directive: Keep platform/docs and src/clawops/assets/platform/docs mirrored whenever operator-facing policy docs change
Confidence: high
Scope-risk: narrow
Tested: uv run --project . pytest -q tests/suites/unit/clawops/test_op_journal.py tests/suites/unit/clawops/test_approval_dispatch.py tests/suites/contracts/repo/test_docs_parity.py
Tested: uv run --project . ruff check src/clawops/op_journal.py src/clawops/approval_dispatch.py tests/suites/unit/clawops/test_op_journal.py tests/suites/unit/clawops/test_approval_dispatch.py tests/suites/contracts/repo/test_docs_parity.py
Tested: uv run --project . pyright src/clawops/op_journal.py src/clawops/approval_dispatch.py tests/suites/unit/clawops/test_op_journal.py tests/suites/unit/clawops/test_approval_dispatch.py tests/suites/contracts/repo/test_docs_parity.py
Tested: uv run --project . python -m compileall -q src tests
Not-tested: make typecheck / full-project mypy did not complete within this worker session

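The commit above describes clamping journal and review-packet artifacts to owner-only modes on POSIX hosts. The following is an added example of that pattern, written for this page and not the clawops project's own code: artifacts are created with a restrictive mode at open() time and tightened again with chmod so a permissive umask cannot widen them, existing trees are normalized in place, and an audit reports anything still readable by group or others. The helper names (write_owner_only, normalize_tree, audit_tree) and the sample "op-journal" layout are assumptions, and the normalization is skipped on non-POSIX hosts where mode bits are not meaningful.

```python
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path

# Hypothetical owner-only policy for on-disk journal and packet artifacts.
OWNER_ONLY_FILE = 0o600
OWNER_ONLY_DIR = 0o700


def supports_posix_modes() -> bool:
    # Mode bits only carry meaning on POSIX; on Windows chmod toggles little
    # more than the read-only attribute, so the hardening is skipped there.
    return os.name == "posix"


def write_owner_only(path: Path, data: bytes) -> None:
    """Create an artifact that is never group/world-readable, even briefly.

    The mode passed to os.open is applied at creation (subject to umask);
    the explicit chmod afterwards closes the gap left by a loose umask.
    """
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, OWNER_ONLY_FILE)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    if supports_posix_modes():
        os.chmod(path, OWNER_ONLY_FILE)


def _walk(root: Path) -> list[Path]:
    # Symlinks are skipped deliberately: chmod would follow them and alter
    # a target outside the artifact tree.
    return [p for p in [root, *root.rglob("*")] if not p.is_symlink()]


def normalize_tree(root: Path) -> list[Path]:
    """Clamp every existing artifact under root to owner-only; return paths changed."""
    changed: list[Path] = []
    if not supports_posix_modes():
        return changed
    for p in _walk(root):
        target = OWNER_ONLY_DIR if p.is_dir() else OWNER_ONLY_FILE
        if stat.S_IMODE(p.stat().st_mode) != target:
            os.chmod(p, target)
            changed.append(p)
    return changed


def audit_tree(root: Path) -> list[tuple[Path, int]]:
    """Report any path under root whose group or other permission bits are set."""
    findings: list[tuple[Path, int]] = []
    if not supports_posix_modes():
        return findings
    for p in _walk(root):
        mode = stat.S_IMODE(p.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((p, mode))
    return findings


def demo() -> dict[str, int]:
    """Disposable run: one well-formed artifact plus one left loose by an older path."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "op-journal"
        write_owner_only(root / "journal.jsonl", b'{"op": "restore"}\n')  # constructed sample
        loose = root / "packets" / "review-1.json"  # constructed: simulates a permissive writer
        loose.parent.mkdir(parents=True)
        loose.write_bytes(b"{}")
        if supports_posix_modes():
            os.chmod(loose, 0o644)
            os.chmod(loose.parent, 0o755)
        before = len(audit_tree(root))
        changed = len(normalize_tree(root))
        after = len(audit_tree(root))
        return {"findings_before": before, "changed": changed, "findings_after": after}


if __name__ == "__main__":
    print(demo())
```

The audit is what a contract test would assert on: after normalization it must return an empty list regardless of the umask the CI runner happens to use.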
Constraint: RC8 task 1 is limited to docs and contract coverage; no .omx artifacts
Directive: Keep README launch entrypoints and CI/security workflow docs aligned with the repo contract tests
Confidence: high
Scope-risk: narrow
Tested: uv run --locked pytest -q tests/suites/contracts/repo/test_docs_parity.py
Tested: uv run ruff check tests/suites/contracts/repo/test_docs_parity.py
Tested: uv run pyright
Tested: uv run python -m compileall -q src tests
Not-tested: uv run mypy remained slow/non-terminating in this worker session

The source CI/security doc gained additional fresh-host workflow context in the launch-readiness documentation pass, so the packaged asset copy must mirror it byte-for-byte to keep packaged-runtime parity checks green.
Constraint: Packaged platform docs must stay byte-identical to platform/docs counterparts
Rejected: Leave packaged copy stale and rely on source docs at runtime | breaks packaged-runtime parity contract
Confidence: high
Scope-risk: narrow
Reversibility: clean
Directive: Mirror every source doc edit under src/clawops/assets/platform/docs in the same patch
Tested: uv run --project . pytest -q tests/suites/contracts/repo/test_packaged_runtime_assets.py tests/suites/contracts/repo/test_docs_parity.py tests/suites/contracts/repo/test_ci_workflow_surfaces.py tests/suites/unit/ci/test_security_workflow.py tests/suites/unit/clawops/test_approval_dispatch.py tests/suites/unit/clawops/test_op_journal.py
Tested: uv run --project . pyright src/clawops/approval_dispatch.py src/clawops/op_journal.py tests/scripts/security_workflow.py tests/utils/helpers/_ci_workflows/security.py tests/utils/helpers/ci_workflows.py tests/suites/unit/ci/test_security_workflow.py tests/suites/unit/clawops/test_approval_dispatch.py tests/suites/unit/clawops/test_op_journal.py
Tested: uv run --project . mypy src/clawops/approval_dispatch.py src/clawops/op_journal.py tests/scripts/security_workflow.py tests/utils/helpers/_ci_workflows/security.py tests/utils/helpers/ci_workflows.py tests/suites/unit/ci/test_security_workflow.py tests/suites/unit/clawops/test_approval_dispatch.py tests/suites/unit/clawops/test_op_journal.py
Tested: uv run --project . ruff check src/clawops/approval_dispatch.py src/clawops/op_journal.py tests/scripts/security_workflow.py tests/utils/helpers/_ci_workflows/security.py tests/utils/helpers/ci_workflows.py tests/suites/unit/ci/test_security_workflow.py tests/suites/unit/clawops/test_approval_dispatch.py tests/suites/unit/clawops/test_op_journal.py tests/suites/contracts/repo/test_ci_workflow_surfaces.py tests/suites/contracts/repo/test_docs_parity.py
Tested: uv run --project . python -m compileall -q src tests

The security lane recovery smoke failed in CI because OpenClaw CLI verification rejected the disposable archive format. The helper now forces the strongclaw_recovery tar fallback path during the smoke cycle so backup/verify/restore evidence remains stable across runner environments, and unit coverage now locks that behavior.
Constraint: Recovery smoke must run in generic CI runners where OpenClaw CLI behavior can differ from fallback tar semantics
Rejected: Require OpenClaw-manifest-complete backup fixtures in the smoke helper | adds brittle environment coupling to a lightweight gate
Confidence: high
Scope-risk: narrow
Reversibility: clean
Directive: Keep recovery smoke self-contained and environment-agnostic; do not depend on host OpenClaw backup manifest conventions
Tested: uv run --project . ruff check tests/utils/helpers/_ci_workflows/security.py tests/suites/unit/ci/test_security_workflow.py
Tested: uv run --project . pyright tests/utils/helpers/_ci_workflows/security.py tests/suites/unit/ci/test_security_workflow.py
Tested: uv run --project . mypy tests/utils/helpers/_ci_workflows/security.py tests/suites/unit/ci/test_security_workflow.py
Tested: uv run --project . pytest -q tests/suites/unit/ci/test_security_workflow.py tests/suites/contracts/repo/test_ci_workflow_surfaces.py
Tested: uv run --project . python3 ./tests/scripts/security_workflow.py run-recovery-smoke --tmp-root /tmp

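The commits above describe a disposable backup/verify/restore smoke cycle that relies only on plain tar semantics rather than a host CLI's backup manifest. The block below is an added example of such a self-contained cycle, written for this page and not the project's strongclaw_recovery helper: it seeds a constructed state tree under a temporary root, archives it, verifies the archive by checking member paths and per-file digests against the seed, restores into a fresh directory and compares the trees, and additionally shows that a tampered archive fails verification. Function names, the "state" archive prefix and the sample files are assumptions.

```python
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def _digests(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(state_dir: Path, archive: Path) -> dict[str, str]:
    """Write a gzip tar of state_dir under the fixed prefix 'state'; return expected digests."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(state_dir, arcname="state")
    return _digests(state_dir)


def verify(archive: Path, expected: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means the archive is safe and complete."""
    problems: list[str] = []
    with tarfile.open(archive, "r:gz") as tar:
        members = {m.name: m for m in tar.getmembers()}
        for m in members.values():
            # Refuse members that could write outside the restore root.
            if m.name.startswith("/") or ".." in Path(m.name).parts:
                problems.append(f"unsafe path: {m.name}")
            if m.issym() or m.islnk():
                problems.append(f"link member not allowed: {m.name}")
        for rel, digest in expected.items():
            name = f"state/{rel}"
            member = members.get(name)
            if member is None or not member.isfile():
                problems.append(f"missing: {name}")
                continue
            data = tar.extractfile(member).read()
            if hashlib.sha256(data).hexdigest() != digest:
                problems.append(f"digest mismatch: {name}")
    return problems


def restore(archive: Path, dest: Path) -> Path:
    """Extract into dest; caller must run verify() first so the archive is already vetted."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")  # refuses traversal/links on 3.12+ (and backports)
        except TypeError:
            tar.extractall(dest)  # older interpreter: rely on the verify() path checks above
    return dest / "state"


def run_recovery_smoke(tmp_root: Path | None = None) -> dict[str, object]:
    """Disposable seed -> backup -> verify -> restore -> compare cycle, plus a tamper check."""
    with tempfile.TemporaryDirectory(dir=tmp_root) as tmp:
        work = Path(tmp)
        state = work / "seed"
        (state / "channels").mkdir(parents=True)
        (state / "config.json").write_text('{"version": 1}\n')  # constructed sample state
        (state / "channels" / "ops.json").write_text('{"name": "ops"}\n')

        archive = work / "backup.tar.gz"
        expected = backup(state, archive)
        problems = verify(archive, expected)
        restored = restore(archive, work / "restore")
        matches = _digests(restored) == expected

        # Tamper check: re-archive a modified tree and verify it against the original digests.
        (state / "config.json").write_text('{"version": 2}\n')
        tampered = work / "tampered.tar.gz"
        backup(state, tampered)
        tampered_problems = verify(tampered, expected)

        return {
            "files": len(expected),
            "verify_problems": problems,
            "restore_matches": matches,
            "tampered_problems": tampered_problems,
        }


if __name__ == "__main__":
    print(run_recovery_smoke())
```

Because every path lives under a fresh temporary directory and nothing is read from the host, the same cycle produces identical evidence on a developer machine and on a generic CI runner.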
The security workflow invoked tests/scripts/security_workflow.py with the host python interpreter, which bypassed the uv-managed environment and caused dependency/import failures in CI. Scripted security checks now run through uv so channel verification, recovery smoke, and SARIF fallback generation execute with the same project runtime contract as local verification.
Constraint: Workflow helper scripts import project modules that depend on uv-managed environment packages
Rejected: Keep plain python3 invocations and trim helper imports | hides environment drift and weakens workflow-thin helper reuse
Confidence: high
Scope-risk: narrow
Reversibility: clean
Directive: Any tests/scripts helper that imports project modules must run via uv in GitHub Actions
Tested: uv run --project . pytest -q tests/suites/contracts/repo/test_ci_workflow_surfaces.py tests/suites/unit/ci/test_security_workflow.py
Tested: actionlint .github/workflows/security.yml

a164cac to bb4a04a
jsugg added a commit that referenced this pull request on Apr 2, 2026
Harden release gates for channels, recovery, and policy review
Summary
This updates launch-facing operational gates so release evidence is executable and policy controls are enforceable by default.
Changes
verify-channels-contract
run-recovery-smoke