Skip to content

docs(overseer): document goal-board health — self-heal + escalate (#2609/#2616)#2620

Merged
rysweet merged 8 commits into
mainfrom
feat/issue-2609-enhance-the-overseer-to-observe-goal-board-health
Jul 6, 2026
Merged

docs(overseer): document goal-board health — self-heal + escalate (#2609/#2616)#2620
rysweet merged 8 commits into
mainfrom
feat/issue-2609-enhance-the-overseer-to-observe-goal-board-health

Conversation

@rysweet

@rysweet rysweet commented Jul 5, 2026

Copy link
Copy Markdown
Owner

What

Enhances the Overseer goal-board health capability (feature #2616 / 965c859f, already on main) with two follow-up layers:

  1. Documentation — the feature merged code-only, with no user-facing docs (unlike its siblings feat(overseer): add the Simard Whisperer — advisory OODA steering (#2605) #2611 Whisperer and feat(journal): Simard's daily journal — narrative diary in cognitive memory, dashboard tab + TUI pane (#2606) #2618 Journal). This fills that gap with concept + howto + reference pages.
  2. Code hardening (follow-up commits) — security, perf, and refactor refinements to the observe → self-heal → escalate path, chiefly SMTP hardening of the NotifyOperator email channel that carries genuine "needs human review" escalations.

Every symbol described is grounded in the merged code under src/overseer/.

Why

In production the OODA no-progress safeguard hard-blocked the standing research goal ("needs human review") and nothing surfaced it — the Overseer's ObservedState had no goal-board field, so the marker reached no human. #2616 closed that gap (observe Blocked goals → self-heal false-parked perpetual goals, escalate genuine blocks). Its behaviour was undocumented; operators had no reference for SIMARD_OVERSEER_GOAL_HEALTH, the overseer::goal_health traces, or the escalation notifications. The follow-up code commits harden the escalation email path (which reaches a human) against header/body injection and mailbox corruption.

Documentation changes

  • Conceptdocs/concepts/overseer-goal-board-health.md: the silent-failure gap fix(ooda): exempt standing/perpetual goals from the no-progress hard-block (#2589) #2609 left, the observe→signal→decide→act flow, self-heal vs escalate routing, guardrails (dedup, fail-closed identity, opt-out), invariants.
  • How-todocs/howto/configure-overseer-goal-board-health.md: SIMARD_OVERSEER_GOAL_HEALTH, reading the overseer::goal_health traces / tick counters / activity feed / goal-blocked notifications, and verifying with tests_goal_health.
  • Referencedocs/reference/overseer-goal-board-health-api.md: the exact additive surface (BlockedGoal, blocked_goals_from_board, Signal::GoalBlocked, decide_blocked_goal, Intervention::{UnblockGoal,EscalateBlockedGoal}, ActOutcome variants, OperatorNotification::goal_blocked + OperatorNotifier, goal_health_enabled, the extended OverseerTickReport/OverseerTotals, and wiring). Synced with observe_board.
  • Discoverabilitymkdocs.yml nav entries; an index.md highlight; cross-links from the fix(ooda): exempt standing/perpetual goals from the no-progress hard-block (#2589) #2609 perpetual-goal concept and the overseer-activity-feed reference.

Code changes (follow-up commits, additive)

  • src/overseer/notify.rs — SMTP hardening of the escalate NotifyOperator email path: sanitize headers against CRLF injection, dot-stuff the message body, and byte-bound headers. This is the channel that carries "needs human review" to a human, so it must not be corruptible by an attacker-influenced goal id/reason.
  • src/overseer/mod.rs — observe the goal board once per tick (was twice) for perf; dedupe the goal-health suppress arms into one helper (refactor, no behaviour change).
  • src/overseer/capabilities.rs / src/overseer/wiring.rs — the observe_board API (blocked_goals, in_flight) and its wiring.

Step 13: Local Testing Results

Detected toolchains:

  • Rust / CargoCargo.toml at repo root (name = "simard", edition = "2024", default-run = "simard"), Cargo.lock present. All changed source files are src/overseer/*.rs; the user/consumer boundary is the simard CLI (src/operator_cli/goal.rs, which honours SIMARD_STATE_ROOT) plus the Overseer OODA library. No Node/Python/Go manifests are involved. Per the qa-team skill's repo-type table, a Cargo.toml root ⇒ native cargo test, not the gadugi framework.

Chosen validation strategy:

  • Drive the real simard goal CLI against an isolated SIMARD_STATE_ROOT temp dir (never ~/.simard, live daemon untouched) to reproduce the exact production false-park and exercise the self-heal's reused goal unblock operation from a user's perspective (Scenario 1), and run the injected-fake goal-health integration suite that exercises sensor → GoalBlocked signal → GoalHygiene problem → self-heal/escalate with fakes for goal-store/notify/whisper/clock/identity and no network (Scenario 2). Regression: full overseer:: and operator_cli::tests_goal suites; cargo fmt --check + cargo clippy --all-targets -- -D warnings clean.

Scenario 1 — CLI end-to-end: standing goal false-parked by OODA safeguard, then cleared via goal unblock (the exact op the self-heal reuses)

Command: SIMARD_STATE_ROOT=$(mktemp -d) simard goal add 3 --standing "Standing research goal"; simard goal list; <inject "🔒 [OODA-SAFEGUARD] … needs human review" Blocked marker>; simard goal list; simard goal unblock standing-research-goal; simard goal list
Result: PASS
Output (key lines):

[simard] goal add: 'standing-research-goal' added at p3 -> repo Simard (daemon) [standing/perpetual]
# after injecting the safeguard false-park, `goal list` surfaces it:
standing-research-goal  p3  blocked: 🔒 [OODA-SAFEGUARD] OODA goal made no shippable progress for 5 consecutive no-action cycles; needs human review  -  [standing] Standing research goal
# `goal unblock` — the operation the Overseer self-heal reuses:
[simard] goal unblock: 'standing-research-goal' restored to NotStarted (was: blocked: 🔒 [OODA-SAFEGUARD] … needs human review)
# final `goal list` — reactivated:
standing-research-goal  p3  not-started  -  [standing] Standing research goal

Scenario 2 — Injected-fake goal-health integration suite (observe → signal → self-heal + escalate, guardrails, failure isolation)

Command: cargo test --lib overseer::tests_goal_health
Result: PASS
Output (key lines):

running 11 tests
test overseer::tests_goal_health::blocked_goals_projection_surfaces_perpetual_and_needs_review_goals ... ok
test overseer::tests_goal_health::run_cycle_populates_observed_blocked_goals_and_emits_signals ... ok
test overseer::tests_goal_health::goal_blocked_signal_maps_to_a_goal_hygiene_problem ... ok
test overseer::tests_goal_health::perpetual_no_progress_goal_is_unblocked_once_and_not_escalated ... ok
test overseer::tests_goal_health::needs_review_goal_escalates_to_operator_on_both_channels ... ok
test overseer::tests_goal_health::self_heal_and_escalate_fail_closed_without_a_distinct_identity ... ok
test overseer::tests_goal_health::disabled_goal_health_holds_both_actions ... ok
test overseer::tests_goal_health::goal_health_enable_flag_is_opt_out_and_off_when_overseer_off ... ok
test overseer::tests_goal_health::a_failing_unblock_is_isolated_and_the_tick_survives ... ok
test overseer::tests_goal_health::decide_routes_a_blocked_goal_by_shape ... ok
test overseer::tests_goal_health::goal_health_interventions_are_routine_and_admitted_by_default_gate ... ok
test result: ok. 11 passed; 0 failed; 0 ignored; 0 measured; 7203 filtered out

Verification

  • Outside-in CLI + integration — both Step 13 scenarios PASS (above).
  • Regressioncargo test --lib overseer::195 passed / 0 failed; cargo test --lib operator_cli::tests_goal28 passed / 0 failed.
  • Lint/formatcargo fmt --check clean; cargo clippy --all-targets -- -D warnings → exit 0.
  • Pre-push gates (no --no-verify) — Rust-only gate, cargo fmt --all -- --check, cargo test --release --lib race subset, and cargo clippy --all-targets --all-features --locked -- -D warnings all Passed on push.
  • scripts/verify-docs.sh17/17 pass; mkdocs build --strict clean (0 broken links / anchors / orphaned nav pages).

Deploy note

No redeploy performed by this PR. The operator redeploys the Overseer daemon after merge (~/.simard and the live daemon were left untouched during development and testing).

Relates to #2609; extends #2616. Merged per policy: no git --no-verify, no gh pr merge --admin.

Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com

rysweet and others added 8 commits July 5, 2026 20:25
/#2616)

The goal-board health feature (self-heal false-parked perpetual goals,
escalate genuine "needs human review" blocks) merged in #2616 code-only,
with no user-facing documentation — unlike its sibling Overseer features
(#2611 Whisperer, #2618 Journal), each of which shipped concept + howto +
reference docs. This is the missing documentation, grounded in the merged
implementation in src/overseer/ and following the repo's Diátaxis structure.

Adds (docs-only):
- concepts/overseer-goal-board-health.md — the why: the silent-failure gap
  #2609 left, the observe→signal→decide→act flow, self-heal vs escalate
  routing, guardrails (dedup, fail-closed identity, opt-out), invariants.
- howto/configure-overseer-goal-board-health.md — SIMARD_OVERSEER_GOAL_HEALTH,
  reading the overseer::goal_health traces / tick counters / activity feed /
  goal-blocked notifications, and verifying with tests_goal_health.
- reference/overseer-goal-board-health-api.md — the exact additive surface:
  BlockedGoal, blocked_goals_from_board, Signal::GoalBlocked, decide_blocked_goal,
  Intervention::{UnblockGoal,EscalateBlockedGoal}, ActOutcome variants,
  OperatorNotification::goal_blocked + OperatorNotifier, goal_health_enabled,
  the extended OverseerTickReport / OverseerTotals, and wiring.
- mkdocs.yml nav entries; an index.md highlight; cross-links from the #2609
  perpetual-goal concept and the overseer-activity-feed reference.

Verified: scripts/verify-docs.sh (16/16) and mkdocs build --strict both pass;
change is docs-only.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The goal-board health API reference stated the test suite in
src/overseer/tests_goal_health.rs contained 10 tests in two places
(the change map and the test-coverage header), but the suite actually
has 11 #[test] functions — the list itself enumerates all 11. Correct
both counts so the reference matches the merged implementation.

Docs-only refinement of #2609/#2616; verified with scripts/verify-docs.sh
(17/17) and mkdocs build --strict.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…2609)

Step 9 (refactor & simplify) of the goal-board-health work. The two acting
paths — act_unblock_goal (self-heal) and act_escalate_blocked_goal — each
carried identical SuppressDuplicate / SuppressCapReached match arms: the same
tracing::debug! shape and the same GoalHealthSuppressed{reason} construction,
differing only by the action label. Extract that shared tail into one private
Overseer::goal_health_suppressed(action, goal_id, decision) helper; each act
path now handles Deliver inline and routes every non-Deliver decision through
the single helper.

Behavior-preserving: the emitted reason ("duplicate" / "cap_reached") and the
resulting ActOutcome are unchanged; only the two duplicated debug messages
collapse into one generic message that keeps the structured action/reason
fields. No public API, signal, intervention, or gate semantics change.

Verified: cargo fmt --check, cargo clippy --lib --no-deps -D warnings,
overseer lib tests (187 passed incl. all 11 tests_goal_health), and the
overseer_activity integration test (19 passed). Net -21 lines.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Step 9b performance optimization for the goal-board-health OODA loop
added in #2616.

The acting Overseer's Observe/Orient pass read Simard's goal board
snapshot TWICE every tick: run_cycle() called GoalCurator::blocked_goals()
(added by #2616) immediately before the pre-existing in_flight(), and each
BoardGoalCurator method independently ran load_goal_board() -> a
search_facts("goal-board:snapshot", 64, ..) query plus a full
serde_json::from_str::<GoalBoard> deserialize of the same snapshot.

Add GoalCurator::observe_board() returning both projections
(blocked_goals, in_flight) from a single read:
- default impl composes the two existing methods, so fakes that do not
  model a shared board need no change;
- BoardGoalCurator overrides it to load() once and project both via the
  existing pure blocked_goals_from_board / in_flight_from_board;
- run_cycle() uses it, halving per-tick board reads + deserializes from 2
  to 1. A board-read failure still degrades BOTH to empty (unwrap_or_default
  on the pair), preserving the never-abort contract.

Additive and behavior-preserving; reuses the shipped projections and the
GoalCurator seam. All 189 overseer tests pass (incl. the 11 goal-health
tests and run_cycle_populates_observed_blocked_goals); clippy clean.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
)

The perf commit changed run_cycle to enrich via GoalCurator::observe_board()
(one board read projecting both blocked_goals + in_flight), but the reference
doc still described the old blocked_goals() read path and omitted the new
trait method. Update the change map, the ObservedState.blocked_goals read-path
note, and the GoalCurator method list so the reference matches the code.

Verified: cargo test --lib overseer:: (187 pass), cargo clippy --lib clean,
mkdocs build --strict clean (new anchor link resolves).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Step 10b security review remediation (SR-5, High, CWE-93).

The goal-blocked escalation path added in #2616 was the first to route
board-derived content (a goal_id, via the notification headline/subject)
into an email. smtp_send_plaintext() wrote the Subject, From and recipient
fields raw into the SMTP DATA headers and the MAIL FROM / RCPT TO envelope,
while only the body was CRLF-normalized. A goal_id (or from/to) carrying
CR/LF could therefore terminate the header/command line and smuggle
arbitrary email headers, an injected body, or an SMTP verb.

Fix: sanitize_header_value() strips CR/LF and other control characters
(replacing with a space) and length-bounds every header- and envelope-bound
field at the single transport choke point, so all callers are covered
regardless of how the field was built. Body CRLF normalization is unchanged
(multi-line bodies are legitimate).

Adds 4 regression tests: CRLF header injection, SMTP command injection,
length bounding, and benign-input preservation.

Verified: cargo fmt clean; clippy --lib -D warnings clean;
193/193 overseer tests pass (14/14 notify, incl. 4 new).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Review feedback on the SMTP hardening: the header/envelope fix sanitized
`from`, recipients and `subject` but left two gaps in the same CWE-93
threat model.

- Dot-stuff the DATA body (RFC 5321 §4.5.2). The body was CRLF-normalized
  but not dot-stuffed, so board-derived content carried into it (a goal id
  or free-form block `reason`) containing a lone "." line could prematurely
  close the DATA section and let the server interpret trailing bytes as SMTP
  commands — the exact injection class the header fix targets, still open via
  the body vector. `dot_stuff_body` escapes any line beginning with "."; the
  receiving MTA strips the added dot so benign multi-line content round-trips.

- Bound `sanitize_header_value` by bytes, not chars. The old `.take(512)`
  char cap let multi-byte UTF-8 exceed the RFC 5322 998-octet line limit the
  doc-comment claimed to stay under. Now accumulates whole chars up to a
  512-byte budget without splitting a codepoint.

Adds 4 unit tests (lone-dot / leading-dot escaping, benign multi-line +
CRLF normalization, multi-byte byte-bounding). overseer suite 193 -> 197,
clippy --all-targets clean, fmt clean.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ocked/par

Implements issue #2609

Changes:
- Implementation as per design specification
- Tests added for new functionality
- Documentation updated

Closes #2609
@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown

📊 Coverage Summary

Generated by cargo llvm-cov --workspace --summary-only (nightly, excluding test files)

Module Lines Covered Coverage
Total 136776 113253 82.8%

Coverage data from CI run. Test files matching tests?/ are excluded from line counts.

@rysweet rysweet merged commit 9e0eaba into main Jul 6, 2026
17 checks passed
@rysweet rysweet deleted the feat/issue-2609-enhance-the-overseer-to-observe-goal-board-health branch July 6, 2026 03:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant