From a15f4334f6240547730c506b6c2b21023f60b6d3 Mon Sep 17 00:00:00 2001 From: Atomics-hub Date: Thu, 4 Jun 2026 18:19:37 -0700 Subject: [PATCH] Align safe-agent bridge proof docs --- docs/public-readiness.md | 2 +- docs/v0.2-alpha-release-notes.md | 25 ++++++++++++++----------- 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/docs/public-readiness.md b/docs/public-readiness.md index bcf45e8..edd92c5 100644 --- a/docs/public-readiness.md +++ b/docs/public-readiness.md @@ -56,7 +56,7 @@ inventory with paths, byte counts, and SHA-256 hashes for the reviewer handoff. archive, install receipt, verified release manifest, package-check JSON, HTTP/team handoff check JSON, onboarding guide, demo trace, dashboard, durable store, operator handoff, deploy handoff, dashboard handoff, - notification payload, + notification payloads and bridge dry-run reports, systemd/launchd services, Dockerfile/Compose templates, Caddy/nginx reverse-proxy templates, deploy README, dummy env examples, and a JSON evidence report with SHA-256/byte counts for required handoff files. diff --git a/docs/v0.2-alpha-release-notes.md b/docs/v0.2-alpha-release-notes.md index ec43b7f..0aae8d2 100644 --- a/docs/v0.2-alpha-release-notes.md +++ b/docs/v0.2-alpha-release-notes.md @@ -61,8 +61,9 @@ filesystem-shaped workflows. release-manifest binding, install receipt, package lock, launchers, client snippets, deploy templates, and package self-check evidence. The ticket checks store/notification handoff evidence for durable approvals, - Postgres load coverage, Slack/GitHub/email redacted payloads, and local - env-held bridge config. + Postgres load coverage, Slack/GitHub/email redacted payloads, Slack/GitHub/ + email delivery dry-runs, Postgres push dry-run, and local env-held bridge + config. The ticket checks served dashboard runtime evidence for launcher package preflight, loopback/admin-token defaults, bounded request caps, supervisor hardening, redacted probes, and permission-checked review APIs. @@ -97,11 +98,13 @@ filesystem-shaped workflows. recording, fail-closed unauthorized reviewer rejection, and local non-hosted scope. The Claude/Codex/Cursor objective checks packaged client snippets, stdio/TCP/HTTP launchers, Streamable HTTP handoff evidence, and local - non-hosted scope. The deploy/preflight handoff check validates deploy - templates, owner deployment steps, supervisor env examples, secret-reference - placeholders, provider-shaped production refs, supervisor health/readiness/ - metrics probes, non-local bind defaults, no live secret retrieval, and local - non-hosted scope. + non-hosted scope. The safe-agent demo objective checks GitHub/Postgres/Slack/ + filesystem evidence, including local Slack/GitHub/Postgres bridge dry-runs, + allowed filesystem reads, and blocked filesystem patch proof. The deploy/ + preflight handoff check validates deploy templates, owner deployment steps, + supervisor env examples, secret-reference placeholders, provider-shaped + production refs, supervisor health/readiness/metrics probes, non-local bind + defaults, no live secret retrieval, and local non-hosted scope. - Release publication preflight: `release-publication-check` verifies the strict finalization report, production-ready evidence signer, signed-tag evidence, package archive hash, @@ -131,8 +134,8 @@ filesystem-shaped workflows. traffic. - Safe-agent demo packaging that runs without live credentials and proves the GitHub/Postgres/Slack/filesystem workflow through blocked risky actions, - allowed safe actions, redacted trace-inspect evidence, dashboard review, and - store export. + allowed safe actions, local bridge dry-runs, redacted trace-inspect evidence, + dashboard review, and store export. - Packaged operator handoff mode: `agentk-sidecar-ops-handoff` refreshes the packaged safe-agent demo, dashboard, exported store, durable team store, notification payload drafts, @@ -255,8 +258,8 @@ These limits are explicit alpha scope, not hidden caveats: against relocated package, archive, checksum, and install receipt files. These prove GitHub/Postgres/Slack/filesystem safe-agent demo evidence, including blocked filesystem patch proof, reviewer-scoped dashboard review, - durable team-store sync/check, notification outbox handoff, and package - support readiness, not hosted SaaS. + durable team-store sync/check, notification outbox handoff, local bridge + dry-runs, and package support readiness, not hosted SaaS. - `release-publication-check` is a local preflight for a maintainer-operated GitHub release page. It verifies final evidence consistency, but it does not create tags, upload assets, publish a release, or assert that a hosted release