feat(autoheal): deploy_drift_probe plan-object (slice A, closes #65) #77

Merged

pdurlej merged 1 commit from gemini/autoheal-slice-A into main

2026-06-08 19:54:24 +02:00

claude commented

2026-06-08 19:39:25 +02:00

Collaborator

Authored by gemini (Gemini 3.1 Pro via Antigravity), Swarmheart worker under claude's arbitration. claude read the plan-generator + risk taxonomy line-by-line, verified the verdict-semantics invariant, ran tests independently.

What

Auto-heal roadmap slice A / closes substance of #65. The evaluator now emits an actionable plan object for a read-only repair (e.g. deploy_drift_probe) so the operator/Iskra sees what a proposed repair would touch. Deterministic, read-only, no network, no mutation.

Plan shape (emitted only for eligible read-only repairs)

"plan": {
  "changed_files": [...],
  "expected_target_paths": [...],
  "risk_class": "low|medium|high",
  "recommended_executor": "iskra-openclaw deterministic executor",
  "required_postchecks": [...]
}

risk_class is derived deterministically from changed-file prefixes: deploy/ infra/ secrets/ systemd/ services/ .forgejo/ compose/ → high; scripts/ plugins/ skills/ → medium; else low.

claude's review (invariants held)

✅ Plan gate is exactly right: emitted only when policy is not None AND not policy.mutation AND verdict ∉ {blocked, needs_human} AND proposed_repair is a dict. So a plan appears only on eligible_repair_dry_run for a read-only class; it is null for every mutation class and every blocked verdict.
✅ Verdict semantics untouched — the plan is computed after the verdict; a mutation class still never reaches eligible and never gets a plan. recommended_executor names Iskra, never Patchwarden (D20 intact).
✅ Schema: plan is ["object","null"], NOT in top-level required → optional/nullable → cross-branch safe with slice D's contract test.
🔸 Minor (non-blocking): risk_class is effectively driven by repo-relative changed_files (absolute target_paths won't independently raise it, due to lstrip("/") + prefix match). This is reasonable — it mirrors pr_check's repo-prefix classification — and the typical signal (a changed systemd/… or deploy/… file) is caught. Plus a little trailing whitespace. Fine to fold into a later pass.

Arbiter verification (claude)

PYTHONPATH=src python3 -m unittest discover tests → 208/208 OK (200 baseline + 8 PlanObjectTests).
Tests cover: plan emitted for drift probe; risk low/medium/high derivation; plan null for mutation + blocked; example validates against schema.
D20 boundary test passes; grep for requests|httpx|tenacity|backoff → zero; stdlib-only preserved.
Schema + example updated consistently.

Files

src/patchwarden/runtime_repair.py (+41), spec/schemas/runtime-repair-verdict.schema.json (+31), spec/schemas/examples/...eligible-dry-run.json (+13), tests/test_runtime_repair.py (+87).

Merge order note

Independent of slice D (#76) — different files. Either order merges cleanly; D's contract test is tolerant of A's optional plan.

Closes substance of #65; roadmap slice A (docs/operations/autoheal-roadmap.md). Refs #68, #70.

> **Authored by gemini** (Gemini 3.1 Pro via Antigravity), Swarmheart worker under claude's arbitration. claude read the plan-generator + risk taxonomy line-by-line, verified the verdict-semantics invariant, ran tests independently. ## What Auto-heal roadmap **slice A** / closes substance of #65. The evaluator now emits an actionable **`plan` object** for a read-only repair (e.g. `deploy_drift_probe`) so the operator/Iskra sees what a proposed repair would touch. Deterministic, read-only, no network, no mutation. ## Plan shape (emitted only for eligible read-only repairs) ```json "plan": { "changed_files": [...], "expected_target_paths": [...], "risk_class": "low|medium|high", "recommended_executor": "iskra-openclaw deterministic executor", "required_postchecks": [...] } ``` `risk_class` is derived deterministically from changed-file prefixes: `deploy/ infra/ secrets/ systemd/ services/ .forgejo/ compose/` → high; `scripts/ plugins/ skills/` → medium; else low. ## claude's review (invariants held) - ✅ **Plan gate is exactly right:** emitted only when `policy is not None AND not policy.mutation AND verdict ∉ {blocked, needs_human} AND proposed_repair is a dict`. So a plan appears **only** on `eligible_repair_dry_run` for a read-only class; it is `null` for every mutation class and every blocked verdict. - ✅ **Verdict semantics untouched** — the plan is computed *after* the verdict; a mutation class still never reaches eligible and never gets a plan. `recommended_executor` names Iskra, never Patchwarden (D20 intact). - ✅ **Schema:** `plan` is `["object","null"]`, NOT in top-level `required` → optional/nullable → cross-branch safe with slice D's contract test. - 🔸 **Minor (non-blocking):** `risk_class` is effectively driven by repo-relative `changed_files` (absolute `target_paths` won't independently raise it, due to `lstrip("/")` + prefix match). This is reasonable — it mirrors `pr_check`'s repo-prefix classification — and the typical signal (a changed `systemd/…` or `deploy/…` file) is caught. Plus a little trailing whitespace. Fine to fold into a later pass. ## Arbiter verification (claude) - `PYTHONPATH=src python3 -m unittest discover tests` → **208/208 OK** (200 baseline + 8 `PlanObjectTests`). - Tests cover: plan emitted for drift probe; risk low/medium/high derivation; plan `null` for mutation + blocked; example validates against schema. - D20 boundary test passes; `grep` for `requests|httpx|tenacity|backoff` → zero; stdlib-only preserved. - Schema + example updated consistently. ## Files `src/patchwarden/runtime_repair.py` (+41), `spec/schemas/runtime-repair-verdict.schema.json` (+31), `spec/schemas/examples/...eligible-dry-run.json` (+13), `tests/test_runtime_repair.py` (+87). ## Merge order note Independent of slice D (#76) — different files. Either order merges cleanly; D's contract test is tolerant of A's optional `plan`. Closes substance of #65; roadmap slice A (`docs/operations/autoheal-roadmap.md`). Refs #68, #70.

Rows
Columns