fix(sentinel): add YAML shortest-path validation

This commit is contained in:
Codex
2026-07-12 17:28:17 +02:00
parent e5c763f5a7
commit 5a99f4efd7
11 changed files with 153 additions and 15 deletions
+8
View File
@@ -192,3 +192,11 @@ Avoid these patterns:
Long-term references should point to this architecture for common YAML-first ops rules, then document only domain-specific ownership and entrypoints. They should not repeat common Secret, exposure, target, redaction or no-hardcoding rules unless a domain adds a stricter constraint.
When a recurring operation becomes stable, update the owning reference document and the relevant skill with the domain entrypoint and decision boundary. Do not document one-off manual recovery as the standard path; manual repair remains recovery evidence until the YAML and CLI path exists.
## Web 哨兵最短变更路径
- 修改 cadence 前,使用 `web-probe sentinel validate --local` 直接读取当前 worktree 的 owning YAML。
- 本地验证必须输出 `configRef``scenarioId``cadence`、渲染后的 Cron 表达式和 `mutation=false`,不得读取远端 authority 来替代未提交 YAML。
- 合并后的观察使用 `web-probe sentinel control-plane status --wait`;该入口只读,等待和轮询预算来自 owning YAML。
- 状态必须同时区分 GitOps 期望和运行时事实,并输出 `desiredSourceCommit``runtimeSourceCommit``desiredSchedule``runtimeSchedule``converging``warning``blocking=false`
- 旧 worktree 的本地渲染值不得作为线上 cadence 对齐门禁;线上期望值来自 GitOps 清单。