feat(autoheal): deploy drift probe from Iskra #142 #65

New issue

Closed

opened 2026-05-28 21:44:06 +02:00 by codex · 1 comment

codex commented 2026-05-28 21:44:06 +02:00

Collaborator

Copy link

Purpose

Extract the useful product/design value from pdurlej/iskra-openclaw#142 without turning Iskra into two competing deploy systems.

Source context: pdurlej/iskra-openclaw#142 proposed a fast incremental iskra-deploy wrapper with plan/sync/smoke, sidecar manifest, remote lock, backup, and post-deploy evidence. The operator decision on 2026-05-28: do not merge it as a second deployer; move the reusable knowledge into Patchwarden / supervised auto-heal.

Product value to keep

Patchwarden should be able to support this lane:

incident/probe -> remediation proposal -> deploy drift plan -> explicit operator acceptance -> allowlisted apply -> postcheck -> dashboard

The useful #142 concepts are:

• local/remote deploy drift detection,
• manifest-based changed-file summary,
• operator-readable deploy plan before touching production,
• lock semantics to avoid concurrent repair/deploy actions,
• backup/rollback metadata before allowed mutation,
• smoke/postcheck evidence after mutation,
• append-only receipt fields for later agent/operator audit.

Do not copy from #142 as-is

Do not make Patchwarden a second production deployer.

Out of scope for the first slice:

• full sync/apply,
• direct root SCP deployment path,
• replacing scripts/iskra-openclaw-deploy.sh,
• automatic production mutation,
• hidden gateway/systemd restart,
• auto-heal without explicit operator acceptance.

Proposed first slice

Add a Patchwarden/auto-heal design and read-only probe shape for deploy drift:

1. Define a deploy_drift_probe or equivalent finding type.
2. Produce a plan object that can say: changed files, expected target paths, risk class, recommended executor, required postchecks.
3. Keep default mode read-only/proposal-only.
4. Make it compatible with Iskra's existing supervised auto-heal contracts rather than creating a new deploy authority.

Acceptance

• #142 is explicitly referenced as superseded source material, not merged implementation.
• Patchwarden has a documented deploy-drift/repair planning lane.
• The first implementation, if any, is read-only/proposal-only.
• Any future apply path is allowlisted, receipt-backed, and requires explicit operator acceptance.
• Existing canonical deploy runbook remains canonical until separately changed.

Non-goals

• Building a general CI/CD deployer.
• Making Patchwarden mutate production by default.
• Reintroducing root-SCP fast deploy as an implicit shortcut.
• Replacing Iskra's current deploy runbook in this issue.

Refs: pdurlej/iskra-openclaw#142

## Purpose Extract the useful product/design value from `pdurlej/iskra-openclaw#142` without turning Iskra into two competing deploy systems. Source context: `pdurlej/iskra-openclaw#142` proposed a fast incremental `iskra-deploy` wrapper with plan/sync/smoke, sidecar manifest, remote lock, backup, and post-deploy evidence. The operator decision on 2026-05-28: do not merge it as a second deployer; move the reusable knowledge into Patchwarden / supervised auto-heal. ## Product value to keep Patchwarden should be able to support this lane: `incident/probe -> remediation proposal -> deploy drift plan -> explicit operator acceptance -> allowlisted apply -> postcheck -> dashboard` The useful #142 concepts are: - local/remote deploy drift detection, - manifest-based changed-file summary, - operator-readable deploy plan before touching production, - lock semantics to avoid concurrent repair/deploy actions, - backup/rollback metadata before allowed mutation, - smoke/postcheck evidence after mutation, - append-only receipt fields for later agent/operator audit. ## Do not copy from #142 as-is Do not make Patchwarden a second production deployer. Out of scope for the first slice: - full `sync/apply`, - direct root SCP deployment path, - replacing `scripts/iskra-openclaw-deploy.sh`, - automatic production mutation, - hidden gateway/systemd restart, - auto-heal without explicit operator acceptance. ## Proposed first slice Add a Patchwarden/auto-heal design and read-only probe shape for deploy drift: 1. Define a `deploy_drift_probe` or equivalent finding type. 2. Produce a plan object that can say: changed files, expected target paths, risk class, recommended executor, required postchecks. 3. Keep default mode read-only/proposal-only. 4. Make it compatible with Iskra's existing supervised auto-heal contracts rather than creating a new deploy authority. ## Acceptance - #142 is explicitly referenced as superseded source material, not merged implementation. - Patchwarden has a documented deploy-drift/repair planning lane. - The first implementation, if any, is read-only/proposal-only. - Any future apply path is allowlisted, receipt-backed, and requires explicit operator acceptance. - Existing canonical deploy runbook remains canonical until separately changed. ## Non-goals - Building a general CI/CD deployer. - Making Patchwarden mutate production by default. - Reintroducing root-SCP fast deploy as an implicit shortcut. - Replacing Iskra's current deploy runbook in this issue. Refs: pdurlej/iskra-openclaw#142

codex referenced this issue 2026-06-07 17:33:11 +02:00

feat(openclaw): supervised runtime repair gate for Iskra auto-heal #68

codex commented 2026-06-07 17:33:12 +02:00

Author

Collaborator

Copy link

Context from pdurlej/iskra-openclaw#27 migration:

This issue remains useful as the deploy drift probe slice. The broader supervised OpenClaw runtime repair gate now lives in Patchwarden issue #68:

#68

Boundary: #65 should stay focused on deploy drift evidence/plan shape. It should not become a second deployer and should not perform production mutation.

Context from `pdurlej/iskra-openclaw#27` migration: This issue remains useful as the **deploy drift probe slice**. The broader supervised OpenClaw runtime repair gate now lives in Patchwarden issue #68: https://git.pdurlej.com/pdurlej/patchwarden/issues/68 Boundary: #65 should stay focused on deploy drift evidence/plan shape. It should not become a second deployer and should not perform production mutation.

claude referenced this issue from a commit 2026-06-08 18:04:13 +02:00

feat(autoheal): runtime-repair evidence evaluator (#68 first slice, refs #65)

claude referenced this issue 2026-06-08 18:04:35 +02:00

feat(autoheal): runtime-repair evidence evaluator (#68 first slice, refs #65) #70

pdurlej referenced this issue from a commit 2026-06-08 18:14:48 +02:00

Merge pull request 'feat(autoheal): runtime-repair evidence evaluator (#68 first slice, refs #65)' (#70) from claude/autoheal-runtime-repair-evaluator into main

claude referenced this issue from a commit 2026-06-08 18:38:20 +02:00

docs(autoheal): roadmap sequencing slices A–E + apply-path boundary

claude referenced this issue 2026-06-08 18:38:37 +02:00

docs(autoheal): roadmap — sequencing slices A–E + apply-path boundary #75

claude referenced this issue from a commit 2026-06-08 19:39:00 +02:00

feat(autoheal): deploy_drift_probe plan-object (slice A, closes #65)

claude referenced this issue from a pull request that will close it, 2026-06-08 19:39:25 +02:00

feat(autoheal): deploy_drift_probe plan-object (slice A, closes #65) #77

pdurlej closed this issue 2026-06-08 19:54:24 +02:00

pdurlej referenced this issue from a commit 2026-06-08 19:54:25 +02:00

Merge pull request 'feat(autoheal): deploy_drift_probe plan-object (slice A, closes #65)' (#77) from gemini/autoheal-slice-A into main

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

codex/operator-status-layer-catalogs

codex/cli-external-contracts-registration

codex/cli-policy-check-registration

codex/cli-module-registration

claude/decisions-d29-modular-monolith

codex/platform-adr0002-canary-policy

codex/platform-vistula-label-policy

codex/pr-sanity-automerge-eligibility

codex/pr-sanity-approval-handoff

codex/status-after-iskra-507

codex/dogfood-status-wedge

codex/controller-comment-renderer

codex/pr-sanity-comment-renderer

codex/dogfood-approval-handoff-order

codex/status-dogfood-queue-endpoint

codex/dogfood-loop-queue

codex/dogfood-loop-controller-plan

codex/dogfood-loop-verdict

codex/artifact-index-root-labels

codex/status-workflow-artifact-index

codex/status-workflow-operator-artifacts

codex/status-drift-artifact-root-manifest

codex/fallow-artifact-root-manifest

codex/patchwarden-contract-artifact-manifest

codex/patchwarden-contract-pr-concurrency

codex/patchwarden-self-vistula-policy

codex/patchwarden-self-contract-pr

codex/artifact-root-manifest-plan

codex/status-serve-root-manifest-endpoint

codex/status-serve-freshness-endpoint

codex/artifact-index-freshness-check

codex/artifact-root-manifest-check

codex/artifact-root-handoff

codex/artifact-root-manifest

codex/local-artifact-index

codex/status-artifact-drilldowns

codex/status-dashboard-server

codex/status-drift-workflow

codex/status-drift-check

codex/evidence-bundle-action-receipt

codex/require-live-merge-receipts

codex/follow-up-action-receipt

codex/redrive-attempt-budget

codex/trust-state-action-receipt

codex/post-merge-feedback-controller-receipts

codex/controller-dry-run-receipt

codex/controller-dry-run-rehearsal

codex/merge-frontier-dry-run

codex/executor-action-receipt

codex/controller-bundle-staged-action

codex/controller-bundle-review-publication

codex/controller-review-publication-plan

codex/merge-frontier-decision-gate

codex/controller-actuation-bundle

codex/merge-actuation-preflight

codex/repair-packet-job-plan

codex/evidence-request-plan

codex/simplicity-review-lane

codex/ponytail-simplicity-decision

codex/structural-code-artifact-gate

codex/status-nullsec-ledger-sync

claude/autoheal-evidence-bundle-spec

claude/security-hardening-wave

claude/decisions-d22-v4-reconcile

codex/contract-pr-current-statuses

claude/docs-wave-evidence-confirmed

claude/feat-cloud-ollama-auth

claude/patchwarden-pyfallow-integration-plan

claude/patchwarden-dogfood-actual-vs-mental-model

claude/patchwarden-decisions-d21-m2-amendment

claude/patchwarden-dogfood-known-limits

claude/patchwarden-d20-architectural-lint

claude/patchwarden-resolver-soft-fail-detection

claude/patchwarden-crosscheck-snapshot-2026-05-27

claude/patchwarden-boring-pr-lifecycle-fixture

claude/patchwarden-platform-dogfood-playbook

claude/patchwarden-post-findings-execute

claude/patchwarden-review-run-invokes-ollama

claude/patchwarden-ollama-client

claude/patchwarden-render-review-prompt

claude/patchwarden-offline-pipeline-metadata

codex/reviewer-lane-config

claude/patchwarden-cloud-review-policy

claude/patchwarden-hybrid-review-authority

claude/patchwarden-decisions-batch

claude/patchwarden-external-framing

claude/patchwarden-tactical-updates

claude/patchwarden-decisions-d13-d14

claude/patchwarden-product-readme-m1-close-prep

claude/patchwarden-roadmap-update

codex/patchwarden-pipeline-policy-bundle

codex/patchwarden-policy-bundle

codex/patchwarden-pipeline

codex/patchwarden-forgejo-client

codex/patchwarden-dev-extras-fail-closed-docs

codex/patchwarden-findings-comments-dry-run

codex/patchwarden-v0-resolve-findings

codex/patchwarden-v0-review-run

codex/patchwarden-v0-pr-check

codex/patchwarden-v0-issue-check

codex/patchwarden-v0-schemas

codex/patchwarden-v0-foundation

claude/docs/cousin-onboarding-pointer

No results found.

Labels

Clear labels   

agent/claude-code

Vistula actor: Claude Code.

  

agent/codex

Vistula actor: Codex.

  

agent/gemini

Vistula actor: Gemini (incl. Claude Opus via Antigravity that commits under the `gemini` identity).

  

agent/hermes

Vistula actor: Hermes Upstream.

  

agent/iskra

Vistula actor: Iskra.

  

agent/ollama

Vistula actor: Ollama or compatible model.

  

agent/patchwarden

Vistula actor: Patchwarden.

  

area:business-model

Pricing, unit economics, revenue, TAM/SAM/SOM

  

area:competitive

Competitive landscape, positioning, category

  

area:discovery

Customer discovery, JTBD, interviews

  

area:forgejo

Forgejo API, workflow, or event integration.

  

area:metrics

KPI tree, OKRs, outcomes, kill criteria

  

area:product-strategy

Vision, strategy, principles — top-level direction

  

area:v0-core

Patchwarden v0 core CLI / policy / artifacts.

  

cagan-grade-approved

Artifact passed operator quality-bar review and is canonical. Set on close per Cagan Package status flow.

  

client:platform

pdurlej/platform first-client integration.

  

dependency/blocked

Vistula dependency state: blocked.

  

dependency/blocks-others

Vistula dependency state: blocks other work.

  

dependency/cross-repo

Vistula dependency scope: cross-repository.

  

dependency/needs-confirmation

Vistula dependency state: needs confirmation.

  

domain:agents

Agent identity, delegation, subagents, routing, or workflows.

  

domain:ci

CI, checks, Actions, runners, or release automation.

  

domain:docs

Documentation, packets, practices, or source-of-truth text.

  

domain:forgejo

Forgejo issues, PRs, labels, repo settings, or identity.

  

domain:infra

Infrastructure, storage, backup, DNS, network, or host substrate.

  

domain:memory

Memory, recall, write gates, salience, or Honcho-adjacent behavior.

  

domain:runtime

Runtime services, deploys, daemons, timers, or live behavior.

  

domain:signal

Signal UX, delivery, context, or outbound behavior.

  

domain:ux

Product UX, operator experience, or conversation ergonomics.

  

flow/architecture

Vistula lifecycle: architecture phase in progress.

  

flow/blocked

Vistula lifecycle: blocked on dependency or decision.

  

flow/deployed

Vistula lifecycle: deployed to runtime where applicable.

  

flow/done

Vistula lifecycle: work merged or otherwise done.

  

flow/implementation

Vistula lifecycle: implementation phase in progress.

  

flow/intake

Vistula lifecycle: incoming signal not refined yet.

  

flow/maintained

Vistula lifecycle: maintained/steady state.

  

flow/observed

Vistula lifecycle: observed after delivery.

  

flow/ready

Vistula lifecycle: ready for architecture or implementation.

  

flow/refining

Vistula lifecycle: Hermes/spec refinement in progress.

  

flow/retired

Vistula lifecycle: retired or intentionally closed.

  

flow/review

Vistula lifecycle: review phase in progress.

  

judge/codex-candidate

Candidate for Codex implementation.

  

judge/hermes-candidate

Candidate for Hermes discovery/research.

  

judge/low-confidence

Judgment confidence is low.

  

judge/needs-refinement

Needs clearer evidence or scope.

  

judge/operator-needed

Needs Piotr decision or input.

  

judge/p0

Urgent, operator attention or unblock now.

  

judge/p1

High value, schedule soon.

  

judge/p2

Useful, normal queue.

  

judge/p3

Low priority, keep but do not chase.

  

judge/park

Parked from current attention.

  

judge/patchwarden-candidate

Needs Patchwarden merge-safety attention.

  

judge/stale-priority

Existing priority judgment appears stale.

  

kind/adr

Vistula work kind: architecture decision record.

  

kind/bug

Vistula work kind: bug fix.

  

kind/chore

Vistula work kind: chore.

  

kind/feature

Vistula work kind: feature.

  

kind/infra

Vistula work kind: infrastructure.

  

kind/ops

Vistula work kind: operations.

  

kind/refactor

Vistula work kind: refactor.

  

kind/research

Vistula work kind: research/discovery.

  

kind:artifact

Cagan-grade product artifact (one of 11 in v1.0 package)

  

kind:decision

Operator decision point requiring explicit choice

  

kind:dogfood

Platform-first dogfood / calibration task.

  

kind:epic

Multi-issue epic with checklist of children

  

kind:implementation

Implementation task for Patchwarden v0.

  

kind:research

Discovery or competitive research deliverable

  

merge/auto

Vistula merge mode: automated merge.

  

merge/manual

Vistula merge mode: manual merge.

  

merge/manual-dependency-conflict

Manual merge reason: dependency conflict.

  

merge/manual-failing-tests

Manual merge reason: failing tests.

  

merge/manual-merge-conflict

Manual merge reason: merge conflict.

  

merge/manual-missing-review

Manual merge reason: missing review.

  

merge/manual-operator-preference

Manual merge reason: operator preference.

  

merge/manual-red-zone

Manual merge reason: red-zone risk.

  

merge/manual-security-sensitive

Manual merge reason: security-sensitive work.

  

merge/manual-unclear-scope

Manual merge reason: unclear scope.

  

merge/manual-unknown

Manual merge reason: unknown.

  

mode:operator-only

Apply step requires explicit operator approval.

  

mode:patchwarden-iskra-approved

Work eligible for Patchwarden/Iskra approval inside repo policy.

  

mode:safe-auto

Low-risk work eligible for lightweight autonomous handling.

  

observed/erroring

Vistula observation: erroring.

  

observed/needs-followup

Vistula observation: needs follow-up.

  

observed/pending

Vistula observation: pending.

  

observed/retire-candidate

Vistula observation: retire candidate.

  

observed/unused

Vistula observation: unused.

  

observed/used

Vistula observation: used.

  

priority:p0

Immediate safety, uptime, data, or operator-blocking issue.

  

priority:p1

Important active work; should be pulled soon.

  

priority:p2

Useful normal-priority work.

  

priority:p3

Opportunistic cleanup, research, or backlog work.

  

ready-for-agent

Atomic enough for a cousin agent to pick up.

  

review:claude-reviewed

Reviewed by Claude-family agent.

  

review:codex-reviewed

Reviewed by Codex-family agent.

  

review:dziadek-reviewed

Reviewed by Dziadek pinch-point reviewer.

  

review:needs-human

Needs human review before merge or apply.

  

safety:external-write

May write to external systems, users, rooms, repos, or services.

  

safety:no-prod-mutation

Must not mutate production or live external state.

  

safety:prod-impact

May affect production/runtime behavior.

  

safety:secret-touch

Touches secrets, credentials, auth, or secret-adjacent config.

  

size/large

Vistula size: large.

  

size/medium

Vistula size: medium.

  

size/small

Vistula size: small.

  

size/tiny

Vistula size: tiny.

  

size/unknown

Vistula size: not classified yet.

  

source/adr

Vistula source: ADR.

  

source/agent-generated

Vistula source: agent generated.

  

source/manual

Vistula source: manual entry.

  

source/operator-chat

Vistula source: operator chat.

  

source/voice-note

Vistula source: voice note.

  

status:blocked

Blocked by missing dependency, evidence, access, or operator decision.

  

status:blocked-on-discovery

Blocking on 5-7 discovery interviews completion

  

status:cagan-grade-review-pending

Artifact drafted; awaiting operator quality-bar review before merge

  

status:codex-ready

Ready for a Codex implementation pass.

  

status:merged:pending-evidence

Merged but waiting for live or artifact evidence before closure.

  

status:needs-evidence

Needs proof, logs, tests, or operator-visible evidence.

  

status:needs-operator-decision

Blocking on operator OD answer

  

status:operator-needed

Requires explicit operator input before safe progress.

  

status:parked

Intentionally deferred; not active campaign work.

  

tier:0-anchor

Cagan tier 0 — anchor artifact (vision, strategy, 4-risks, KPI tree, kill criteria); 3-year + leadership-change tests required

  

tier:0-platform-substrate

Data, secrets, backup, storage, or critical platform substrate.

  

tier:1-core

Cagan tier 1 — core artifact (JTBD, positioning, competitive, discovery, business model); numerical anchor + visible asymmetry required

  

tier:1-iskra-value-layer

Iskra/OpenClaw behavior, memory, runtime, or value-layer work.

  

tier:2-supporting

Cagan tier 2 — supporting artifact (operating principles); standard universal checks

  

tier:2-tools-products-modules

Tools, products, modules, experiments, and lower-blast-radius work.

  

type:bug

Incorrect behavior or regression.

  

type:chore

Maintenance, cleanup, metadata, or operational task.

  

type:docs

Documentation-only work.

  

type:feat

New capability or product behavior.

  

type:policy

Governance, protocol, boundary, or decision-contract change.

  

type:research

Investigation, spike, or evidence-gathering task.

  

wave:1-foundation

Wave 1 — Foundation (Vision Narrative + Competitive Deep-Dive, parallel)

  

wave:2-positioning

Wave 2 — Positioning (JTBD → Dunford Canvas, sequential)

  

wave:3-validation

Wave 3 — Risk & Outcome Architecture (4-Risks + KPI Tree, parallel)

  

wave:4-economics

Wave 4 — Discovery & Economics (Continuous Discovery + Business Model, parallel)

  

wave:5-operating

Wave 5 — Synthesis (Strategy → Kill Criteria → Operating Principles, sequential)

No labels

agent/claude-code

agent/codex

agent/gemini

agent/hermes

agent/iskra

agent/ollama

agent/patchwarden

area:business-model

area:competitive

area:discovery

area:forgejo

area:metrics

area:product-strategy

area:v0-core

cagan-grade-approved

client:platform

dependency/blocked

dependency/blocks-others

dependency/cross-repo

dependency/needs-confirmation

domain:agents

domain:ci

domain:docs

domain:forgejo

domain:infra

domain:memory

domain:runtime

domain:signal

domain:ux

flow/architecture

flow/blocked

flow/deployed

flow/done

flow/implementation

flow/intake

flow/maintained

flow/observed

flow/ready

flow/refining

flow/retired

flow/review

judge/codex-candidate

judge/hermes-candidate

judge/low-confidence

judge/needs-refinement

judge/operator-needed

judge/p0

judge/p1

judge/p2

judge/p3

judge/park

judge/patchwarden-candidate

judge/stale-priority

kind/adr

kind/bug

kind/chore

kind/feature

kind/infra

kind/ops

kind/refactor

kind/research

kind:artifact

kind:decision

kind:dogfood

kind:epic

kind:implementation

kind:research

merge/auto

merge/manual

merge/manual-dependency-conflict

merge/manual-failing-tests

merge/manual-merge-conflict

merge/manual-missing-review

merge/manual-operator-preference

merge/manual-red-zone

merge/manual-security-sensitive

merge/manual-unclear-scope

merge/manual-unknown

mode:operator-only

mode:patchwarden-iskra-approved

mode:safe-auto

observed/erroring

observed/needs-followup

observed/pending

observed/retire-candidate

observed/unused

observed/used

priority:p0

priority:p1

priority:p2

priority:p3

ready-for-agent

review:claude-reviewed

review:codex-reviewed

review:dziadek-reviewed

review:needs-human

safety:external-write

safety:no-prod-mutation

safety:prod-impact

safety:secret-touch

size/large

size/medium

size/small

size/tiny

size/unknown

source/adr

source/agent-generated

source/manual

source/operator-chat

source/voice-note

status:blocked

status:blocked-on-discovery

status:cagan-grade-review-pending

status:codex-ready

status:merged:pending-evidence

status:needs-evidence

status:needs-operator-decision

status:operator-needed

status:parked

tier:0-anchor

tier:0-platform-substrate

tier:1-core

tier:1-iskra-value-layer

tier:2-supporting

tier:2-tools-products-modules

type:bug

type:chore

type:docs

type:feat

type:policy

type:research

wave:1-foundation

wave:2-positioning

wave:3-validation

wave:4-economics

wave:5-operating

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

pdurlej/patchwarden#65

No description provided.