Beaver/beaver_project
6
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat: 支持多语言提示词本地化和界面优化

Browse Source 
- 添加 prompt_locale 参数支持简体中文、繁体中文和英文提示词本地化
- 移除内置 agents 配置以简化系统架构
- 更新 ContextBuilder 使用动态提示词模板而非硬编码内容
- 在 AgentLoop、Web 接口和 AgentService 中传递 locale 参数
- 添加输出语言指令确保用户界面内容按指定语言生成
- 扩展前端 LanguageSwitcher 组件支持三种语言选项
- 优化 Header 和侧边栏组件的响应式布局和文本截断处理
- 更新测试用例验证不同语言环境下的提示词正确性
This commit is contained in:
steven_li
2026-06-10 16:11:05 +08:00
parent 9cc3334ea7
commit fc9fd93c36
51 changed files with 7493 additions and 619 deletions
Download Patch File Download Diff File Expand all files Collapse all files

592
docs/presentations/skill-replay-eval/index.html
View File

@ -3,7 +3,7 @@
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Beaver Skill Replay Eval · 技术方案介绍</title>
<title>Beaver Agent Sandbox · 客户方案介绍</title>
<link rel="stylesheet" href="assets/fonts.css">
<link rel="stylesheet" href="assets/base.css">
<link rel="stylesheet" href="assets/animations/animations.css">
@ -13,383 +13,271 @@
<div class="deck">
<section class="slide" data-title="Cover">
<p class="kicker">Beaver Project / Skill Learning</p>
<h1 class="h1">Skill Replay Eval<br><span class="gradient-text">文本评分到行为证据</span></h1>
<p class="lede">让技能草稿评估真正覆盖任务执行、工具调用、副作用和草稿保真,而不是只看生成文本是否“像一个好技能”</p>
<p class="kicker">Beaver Agent Sandbox</p>
<h1 class="h1">企业级智能体沙盒<br><span class="gradient-text"> AI 对话到可交付任务</span></h1>
<p class="lede">为企业提供可私有部署、可追踪、可验收、可复用的 AI Agent 工作台,让智能体真正进入业务流程,而不只是停留在聊天窗口</p>
<div class="speaker">
<div class="av"></div>
<div><b>Beaver 技能学习评估方案</b><span>技术分享 · 架构设计 · UI 与测试路线</span></div>
<div><b>Beaver 客户方案介绍</b><span>产品展示 · 商业价值 · 落地路径</span></div>
</div>
<div class="deck-footer"><span>skill-replay-eval-design.md</span><span class="slide-number" data-current="1" data-total="13"></span></div>
<div class="deck-footer"><span>Agent Sandbox for enterprise teams</span><span class="slide-number" data-current="1" data-total="13"></span></div>
<aside class="notes">
这一页先建立主题。我们不是在做一个更复杂的“打分器”,而是在把技能评估从静态文本判断,推进到真实任务行为判断。核心信息有三层:第一,技能草稿要在历史任务中复跑;第二,所有工具都要被纳入覆盖,只是安全工具真实执行,危险工具用替身判断;第三,修改已有技能时必须保留原有关键内容,不能因为重新生成而把重要说明丢掉
开场不要先讲技术而是讲客户能听懂的定位Beaver 是一个企业级智能体沙盒。它的价值不是“又一个聊天机器人”,而是把 AI 从问答推进到任务执行、过程追踪、结果验收和经验复用。客户最关心的是能不能落地到真实工作、能不能管控风险、能不能把成功经验变成组织资产
</aside>
</section>
<section class="slide" data-title="Project Context">
<p class="kicker">system context</p>
<h2 class="h2">Beaver 是多实例 AI 工作台Skill Replay Eval 位于单实例技能学习链路</h2>
<div class="flow mt-l">
<div class="flow-step"><span class="n">01</span><h4>auth-portal</h4><p>用户注册、登录和模型配置引导入口。</p></div>
<div class="flow-step"><span class="n">02</span><h4>authz-service</h4><p>账号、后端身份和内部授权编排。</p></div>
<div class="flow-step"><span class="n">03</span><h4>deploy-control</h4><p>创建、配置和管理独立 app-instance 容器。</p></div>
<div class="flow-step"><span class="n">04</span><h4>router-proxy</h4><p>按实例域名把外部流量转发到对应容器。</p></div>
<div class="flow-step card-accent"><span class="n">05</span><h4>app-instance</h4><p>单用户工作台包含前端、后端、workspace 和 skills。</p></div>
</div>
<section class="slide" data-title="Customer Problem">
<p class="kicker">why now</p>
<h2 class="h2">大多数企业 AI 试点卡在“能聊”,但离“能交付”还差一层操作系统</h2>
<div class="grid g3 mt-l">
<div class="card card-accent"><h4>技能页</h4><p class="dim">处理 published skills、candidates、draft review。</p></div>
<div class="card card-accent"><h4>学习管线</h4><p class="dim">从历史任务发现候选,合成草稿,再进行安全和评估门禁。</p></div>
<div class="card card-accent"><h4>本方案</h4><p class="dim">增强草稿评估,给发布前审查提供可追溯证据。</p></div>
</div>
<div class="deck-footer"><span>project boundary: app-instance/backend + app-instance/frontend</span><span class="slide-number" data-current="2" data-total="13"></span></div>
<aside class="notes">
先把项目放在整体架构里。Beaver 的外层是多实例部署系统,用户最终进入自己的 app-instance。技能学习、草稿评审、发布门禁都发生在 app-instance 内。也就是说 Replay Eval 不是登录系统或部署控制面功能,它服务的是单用户实例里的技能生命周期:发现候选,生成草稿,评估草稿,人工审核,然后发布为新的技能版本。
</aside>
</section>
<section class="slide" data-title="Current Gap">
<p class="kicker">current_state.py</p>
<h2 class="h2">旧评估的问题:它在评“草稿文本”,不是评“任务结果”。</h2>
<div class="compare mt-l">
<div class="side">
<span class="tag bad">heuristic-only</span>
<h3 class="mt-m">现状</h3>
<ul class="clean mt-m">
<li>只从 candidate.source_run_ids 构造轻量报告。</li>
<li>历史 run 使用 validation_result.score 或 success fallback。</li>
<li>候选得分主要估算自 draft text。</li>
<li>不复跑任务,不执行工具,不比较旧技能和新草稿行为。</li>
</ul>
</div>
<div class="side candidate">
<span class="tag good">behavior evidence</span>
<h3 class="mt-m">目标</h3>
<ul class="clean mt-m">
<li>用历史任务作为 eval cases运行 baseline 与 candidate 两个 arm。</li>
<li>安全工具真实执行,危险或不可用工具进入 surrogate 判断。</li>
<li>报告分开披露执行覆盖、替身覆盖、阻塞覆盖和置信度。</li>
<li>修订和合并草稿必须证明没有无理由丢失原技能内容。</li>
</ul>
</div>
</div>
<div class="deck-footer"><span>risk: high-looking score can still hide tool regressions</span><span class="slide-number" data-current="3" data-total="13"></span></div>
<aside class="notes">
这一页强调为什么要改。旧逻辑并非没有价值,它能快速给一个草稿粗略打分。但它无法回答发布前最关键的问题:这个技能真的会让任务做得更好吗?会不会漏掉工具调用?会不会多做一次危险操作?会不会把原技能里的安全说明删了?所以新方案的目标不是替换所有历史字段,而是在兼容旧 UI 的基础上新增 replay 证据。
</aside>
</section>
<section class="slide" data-title="Eval Model">
<p class="kicker">evaluation_model</p>
<h2 class="h2">核心模型:历史 case 选择 + 双臂 replay。</h2>
<div class="split mt-l">
<div class="card">
<h3>Case selection</h3>
<div class="matrix mt-m">
<div class="head">候选类型</div><div class="head">选择来源</div><div class="head">优先级</div><div class="head">规模</div>
<div class="rowhead">new_skill</div><div>source runs + 相似主题 accepted runs</div><div>相似任务主题</div><div>最多 10 个</div>
<div class="rowhead">revise_skill</div><div>激活目标 skill/version 的 accepted runs</div><div>近期优先,再按任务分散</div><div>最多 10 个</div>
<div class="rowhead">merge_skills</div><div>相关 skills 共同激活的 accepted runs</div><div>共同出现证据</div><div>最多 10 个</div>
</div>
</div>
<div class="card">
<h3>Two arms</h3>
<div class="pipeline mt-m">
<div class="phase"><span class="tag">same task</span><h3>输入一致</h3><p class="dim">同一任务文本、同一历史上下文、同一模型设置、同一最大工具迭代数。</p></div>
<div class="phase"><span class="tag warn">baseline</span><h3>旧行为</h3><p class="dim">new_skill 无技能revise_skill 用旧技能merge_skills 用旧相关技能。</p></div>
<div class="phase"><span class="tag good">candidate</span><h3>新草稿</h3><p class="dim">将 draft skill 作为 pinned draft guidance 注入,并记录行为差异。</p></div>
</div>
</div>
</div>
<div class="deck-footer"><span>same inputs, different skill guidance, comparable outputs</span><span class="slide-number" data-current="4" data-total="13"></span></div>
<aside class="notes">
新评估的基本单元是 historical case。每个 case 都跑两个 armbaseline 代表当前已有能力candidate 代表注入草稿后的能力。为了让对比有意义,两个 arm 除了技能引导不同以外,其他条件都尽量一致。这样我们评估的不是模型随机性,也不是不同上下文造成的差异,而是草稿技能本身对任务行为的影响。
</aside>
</section>
<section class="slide" data-title="Tool Modes">
<p class="kicker">tool_policy</p>
<h2 class="h2">所有工具都被覆盖,只是进入不同执行模式。</h2>
<div class="metric-grid mt-l">
<div class="metric"><span>mode</span><b>executed</b><p class="dim">能安全隔离的工具,在 replay 环境中真实执行。</p></div>
<div class="metric"><span>mode</span><b>surrogate</b><p class="dim">不能安全执行,但记录 intended call由 LLM 替身判断效果。</p></div>
<div class="metric"><span>mode</span><b>blocked</b><p class="dim">既不能执行,也无法可靠判断,明确降低置信度。</p></div>
<div class="metric"><span>report</span><b>coverage</b><p class="dim">执行、替身、阻塞覆盖率分开披露。</p></div>
</div>
<div class="matrix mt-l">
<div class="head">工具类型</div><div class="head">默认模式</div><div class="head">原因</div><div class="head">例子</div>
<div class="rowhead">workspace read/write</div><div><span class="tag good">executed</span></div><div>可在临时 workspace clone 中执行</div><div>读写代码、生成文件、测试 artifact</div>
<div class="rowhead">web/search read</div><div><span class="tag good">executed</span></div><div>只读且可缓存输出</div><div>搜索、打开网页、读取公开文档</div>
<div class="rowhead">external write</div><div><span class="tag warn">surrogate</span></div><div>默认不能写生产第三方系统</div><div>邮件、日历、消息发送</div>
<div class="rowhead">destructive action</div><div><span class="tag bad">surrogate / blocked</span></div><div>删除、支付、权限变更不可自动执行</div><div>不可逆外部写入</div>
</div>
<div class="deck-footer"><span>principle: include third-party tools without production side effects</span><span class="slide-number" data-current="5" data-total="13"></span></div>
<aside class="notes">
一个重要原则是“不要忽略工具”。如果只评估安全工具,那第三方连接器、发送类工具和破坏性工具就会从报告里消失,风险反而被掩盖。这里的做法是:能隔离的就真实执行;不能隔离的就记录意图,并用替身评估它是否正确、完整、必要、有无风险;如果替身也无法判断,就明确标记 blocked让报告和发布门禁知道置信度不足。
</aside>
</section>
<section class="slide" data-title="Replay Environment">
<p class="kicker">replay_environment</p>
<h2 class="h2">隔离 replay 环境:让任务复跑有证据,但不污染真实世界。</h2>
<div class="split mt-l">
<div>
<p class="lede">每个 case、每个 arm 都创建独立状态。runner 负责执行、拦截、记录,评估器在 runner 外部读取 artifacts 和 side effects。</p>
<div class="grid g2 mt-l">
<div class="panel"><span class="tag">session</span><h4 class="mt-s">Temporary session id</h4><p class="dim">避免污染真实会话状态。</p></div>
<div class="panel"><span class="tag">workspace</span><h4 class="mt-s">Temporary workspace root</h4><p class="dim">文件读写落在临时 clone。</p></div>
<div class="panel"><span class="tag">trace</span><h4 class="mt-s">Tool call trace</h4><p class="dim">记录调用、参数、模式和理由。</p></div>
<div class="panel"><span class="tag">journal</span><h4 class="mt-s">Side-effect journal</h4><p class="dim">外部写入不落生产,只留证据。</p></div>
</div>
</div>
<div class="terminal">
<div class="bar"><span class="dot"></span><span class="dot"></span><span class="dot"></span><span>replay_case.json</span></div>
<pre>{
<span class="str">"case_id"</span>: <span class="str">"run-accepted-042"</span>,
<span class="str">"arm"</span>: <span class="str">"candidate"</span>,
<span class="str">"workspace_root"</span>: <span class="str">"/tmp/beaver-replay/..."</span>,
<span class="str">"tool_calls"</span>: [
{ <span class="str">"tool"</span>: <span class="str">"filesystem.write"</span>,
<span class="str">"mode"</span>: <span class="str">"executed"</span> },
{ <span class="str">"tool"</span>: <span class="str">"outlook.send_mail"</span>,
<span class="str">"mode"</span>: <span class="str">"surrogate"</span> }
],
<span class="str">"artifacts"</span>: [<span class="str">"draft.md"</span>],
<span class="str">"side_effects"</span>: [<span class="str">"intended_email"</span>]
}</pre>
</div>
</div>
<div class="deck-footer"><span>pattern: OfficeBench-style isolated testbed, adapted to Beaver skills</span><span class="slide-number" data-current="6" data-total="13"></span></div>
<aside class="notes">
这里可以用一句话概括runner 是沙盒执行器evaluator 是证据裁判。我们不让 replay 直接写用户 workspace、用户文件、长期 memory、第三方账号或外部系统。每个 arm 有自己的临时 workspace、工具 trace、输出 artifacts 和 side-effect journal。这个形状借鉴了 OfficeBench MCP 的思路,但不绑定固定 benchmark 函数,而是服务 Beaver 的历史任务。
</aside>
</section>
<section class="slide" data-title="Surrogate Evaluation">
<p class="kicker">surrogate_evaluator</p>
<h2 class="h2">替身评估不是跳过工具,而是评估 intended effect。</h2>
<div class="split mt-l">
<div class="card">
<h3>输入 payload</h3>
<ul class="clean mt-m">
<li>工具名称和 schema。</li>
<li>候选 arm 计划调用的 arguments。</li>
<li>工具被分类为 surrogate 的原因。</li>
<li>历史 accepted evidence 和任务预期副作用。</li>
<li>assistant 在调用前后的 rationale。</li>
</ul>
</div>
<div class="card card-accent">
<h3>判断维度</h3>
<ul class="clean mt-m">
<li>调用是否满足任务目标。</li>
<li>参数是否完整、正确、可执行。</li>
<li>是否遗漏、重复或不必要。</li>
<li>是否有越权、危险或不可逆风险。</li>
<li>candidate 相比 baseline 是否真实改善。</li>
</ul>
</div>
</div>
<div class="terminal mt-l">
<div class="bar"><span class="dot"></span><span class="dot"></span><span class="dot"></span><span>surrogate_score.py</span></div>
<pre>candidate_score = quality(intended_effect, arguments, evidence)
risk_penalty = risk(missing_args, duplicated_calls, unsafe_scope)
confidence = lower_than_real_execution
case_score = candidate_score - risk_penalty</pre>
</div>
<div class="deck-footer"><span>surrogate contributes to score, but lowers confidence</span><span class="slide-number" data-current="7" data-total="13"></span></div>
<aside class="notes">
替身评估要避免两个误解。第一,它不是把危险工具当作成功,而是把“模型打算怎么调用工具”拿出来审。第二,它的置信度天然低于真实执行。比如发送邮件不能真的发,但我们可以判断收件人、主题、正文、附件、发送时机是否符合任务,也能判断是否重复发送、是否包含敏感信息、是否越权。这些判断会进入分数,但会降低 confidence。
</aside>
</section>
<section class="slide" data-title="Scoring And Gates">
<p class="kicker">report_and_gates</p>
<h2 class="h2">报告兼容旧 UI同时新增 replay 证据和发布门禁信号。</h2>
<div class="metric-grid mt-l">
<div class="metric"><span>legacy</span><b>passed</b><p class="dim">保留 passed、score_delta、cases、status 等旧字段。</p></div>
<div class="metric"><span>coverage</span><b>3 modes</b><p class="dim">execution、surrogate、blocked coverage。</p></div>
<div class="metric"><span>quality</span><b>delta</b><p class="dim">baseline mean、candidate mean、improved/regression count。</p></div>
<div class="metric"><span>trust</span><b>confidence</b><p class="dim">低置信度不能自动等同可发布。</p></div>
</div>
<div class="split mt-l">
<div class="terminal">
<div class="bar"><span class="dot"></span><span class="dot"></span><span class="dot"></span><span>SkillDraftEvalReport</span></div>
<pre>{
<span class="str">"eval_version"</span>: <span class="str">"replay-v1"</span>,
<span class="str">"mode"</span>: <span class="str">"replay"</span>,
<span class="str">"execution_coverage"</span>: <span class="num">0.58</span>,
<span class="str">"surrogate_coverage"</span>: <span class="num">0.33</span>,
<span class="str">"blocked_coverage"</span>: <span class="num">0.09</span>,
<span class="str">"confidence"</span>: <span class="str">"medium"</span>,
<span class="str">"case_reports"</span>: [...],
<span class="str">"tool_mode_summary"</span>: {...}
}</pre>
</div>
<div class="card card-accent">
<h3>Publish gate logic</h3>
<ul class="clean mt-m">
<li>高分但低置信度,进入更强人工 review。</li>
<li>重要工具全部 blocked不允许自动 pass。</li>
<li>部分 case 失败status = partial降低 confidence。</li>
<li>replay 基础设施失败status = replay_error。</li>
<li>provider 不可用时保留 skipped-provider 行为,但标明没有 replay evidence。</li>
</ul>
</div>
</div>
<div class="deck-footer"><span>score answers quality, confidence answers how much we can trust it</span><span class="slide-number" data-current="8" data-total="13"></span></div>
<aside class="notes">
报告设计的关键是兼容而不是推倒重来。旧字段继续保留,这样 UI 和存储不会被迫一次性迁移。新字段回答三个问题:我们执行了多少工具?多少工具只能替身判断?多少工具被阻塞?最后 confidence 会参与发布门禁。也就是说,一个草稿即使分数看起来不错,如果证据主要来自替身,或者关键工具全 blocked也不应该自动放行。
</aside>
</section>
<section class="slide" data-title="Draft Preservation">
<p class="kicker">preservation_contract</p>
<h2 class="h2">修订草稿必须保留原技能内容,除非明确说明改变理由。</h2>
<div class="split mt-l">
<div class="card">
<h3>为什么需要</h3>
<p class="lede mt-m">现有 synthesizer 对 revision 和 merge 只拿到候选理由、相关技能名、工具名、任务摘要和 session excerpts没有完整 base skill body。</p>
<div class="panel mt-m"><span class="tag bad">failure mode</span><p class="dim mt-s">重新生成看起来更整洁,但可能丢掉原技能里的安全边界、工具约束、工作流顺序和异常处理。</p></div>
</div>
<div class="card card-accent">
<h3>新合同</h3>
<ul class="clean mt-m">
<li>向 synthesis prompt 传入 base skill name、version、完整 frontmatter 和完整 content。</li>
<li>要求模型默认保留现有指令,只有在明确理由下才改变。</li>
<li>输出 preserved_sections、changed_sections、dropped_sections、change_reason。</li>
<li>preservation checker 比较 base 和 draft未解释的关键丢失会标记风险。</li>
</ul>
</div>
</div>
<div class="deck-footer"><span>revision is an edit contract, not a fresh rewrite</span><span class="slide-number" data-current="9" data-total="13"></span></div>
<aside class="notes">
这一页是第二条主线草稿保真。Replay 评估解决“行为是否更好”preservation 解决“原来重要的东西有没有丢”。对于修订和合并技能,模型必须看到完整 base skill不能只看摘要。生成结果也不只是一个新 body还要解释保留了什么、改了什么、删了什么以及为什么删。这样评审者能判断这是合理修订还是无意丢失。
</aside>
</section>
<section class="slide" data-title="Implementation">
<p class="kicker">implementation_plan</p>
<h2 class="h2">实现路径:扩展现有技能学习管线,新增小模块而不是重写系统。</h2>
<div class="pipeline mt-l">
<div class="phase card-accent">
<span class="tag">backend model</span>
<h3>数据层兼容</h3>
<ul class="clean">
<li>扩展 SkillDraftEvalReport。</li>
<li>新增 replay 字段默认值。</li>
<li>保留旧 payload 读取能力。</li>
</ul>
</div>
<div class="phase card-accent">
<span class="tag">learning helpers</span>
<h3>评估能力拆分</h3>
<ul class="clean">
<li>case_selection.py</li>
<li>preservation.py</li>
<li>replay.py</li>
<li>surrogate.py</li>
</ul>
</div>
<div class="phase card-accent">
<span class="tag">pipeline + ui</span>
<h3>接入和展示</h3>
<ul class="clean">
<li>eval.py 编排 replay。</li>
<li>pipeline.py 更新发布门禁。</li>
<li>loop.py 支持 replay executor override。</li>
<li>Skills UI 展示 coverage、case 和 preservation。</li>
</ul>
</div>
</div>
<div class="terminal mt-l">
<div class="bar"><span class="dot"></span><span class="dot"></span><span class="dot"></span><span>target files</span></div>
<pre>app-instance/backend/beaver/skills/learning/
case_selection.py
preservation.py
replay.py
surrogate.py
eval.py
synthesizer.py
pipeline.py
app-instance/frontend/app/(app)/skills/page.tsx
app-instance/frontend/types/index.ts</pre>
</div>
<div class="deck-footer"><span>architecture: focused helpers under existing SkillLearningPipelineService.evaluate_draft()</span><span class="slide-number" data-current="10" data-total="13"></span></div>
<aside class="notes">
实现策略很保守:扩展现有技能学习管线,而不是引入一套平行系统。数据模型先兼容扩展,然后把 case selection、preservation、replay、surrogate 拆成小模块。eval.py 负责 orchestratepipeline.py 负责发布门禁loop.py 给 replay executor 一个注入点。前端只是在草稿评审页增加证据展示,并保留已有摘要入口。
</aside>
</section>
<section class="slide" data-title="UI">
<p class="kicker">skills_review_ui</p>
<h2 class="h2">评审页先给结论,再让审核者展开证据。</h2>
<div class="split mt-l">
<div class="card card-accent">
<h3>Concise summary</h3>
<div class="metric-grid mt-m" style="grid-template-columns: repeat(2, 1fr);">
<div class="metric"><span>pass</span><b>failed</b><p class="dim">发布门禁结论。</p></div>
<div class="metric"><span>delta</span><b>+0.18</b><p class="dim">candidate - baseline。</p></div>
<div class="metric"><span>exec</span><b>58%</b><p class="dim">真实执行覆盖。</p></div>
<div class="metric"><span>conf</span><b>medium</b><p class="dim">证据可信度。</p></div>
</div>
</div>
<div class="card">
<h3>Detailed evidence</h3>
<ul class="clean mt-m">
<li>Replay cases每个历史任务的 baseline/candidate 分数。</li>
<li>Tool calls by modeexecuted、surrogate、blocked 分类和理由。</li>
<li>Artifacts and side effects产物和副作用 journal。</li>
<li>Preservation report修订草稿的保留、变更、删除风险。</li>
<li>Raw eval payload保留完整 JSON 供深度排查。</li>
</ul>
</div>
<div class="card card-accent"><h4>结果不可验收</h4><p class="dim">模型回答看起来合理,但缺少任务状态、修改闭环、产物管理和用户确认。</p><span class="tag bad mt-s">chat-only</span></div>
<div class="card card-accent"><h4>过程不可审计</h4><p class="dim">工具用了什么、文件改了什么、依据来自哪里,常常没有清晰证据链。</p><span class="tag warn mt-s">black box</span></div>
<div class="card card-accent"><h4>经验不可复用</h4><p class="dim">一次成功交付没有沉淀成团队方法,下一次仍然依赖人工提示和临场判断。</p><span class="tag mt-s">one-off</span></div>
</div>
<div class="panel mt-l">
<span class="tag good">UX principle</span>
<p class="lede mt-s">用户不需要预先配置每个工具的策略。系统在报告里解释覆盖、阻塞和不确定性,让审核者知道该相信多少</p>
<span class="tag good">Beaver 的切入点</span>
<p class="lede mt-s">把智能体运行所需的任务、工具、文件、记忆、技能、验收和多实例部署统一到一个可控沙盒里</p>
</div>
<div class="deck-footer"><span>page: app-instance/frontend/app/(app)/skills/page.tsx</span><span class="slide-number" data-current="11" data-total="13"></span></div>
<div class="deck-footer"><span>customer pain: execution, control, reuse</span><span class="slide-number" data-current="2" data-total="13"></span></div>
<aside class="notes">
UI 的目标不是把评审页变复杂,而是让复杂证据有层次。最上面仍然是 pass/fail、baseline mean、candidate mean、delta、coverage、confidence。审核者需要细看时才展开 replay cases、工具模式、阻塞理由、artifacts、副作用和 preservation report。普通使用者不需要理解每个工具策略系统在评估后解释不确定性
这一页用客户语言讲痛点。企业不是没有模型也不是不能接一个聊天入口。真正的问题是回答之后谁来确认执行过程能不能追溯文件和工具调用有没有边界成功经验能不能变成下次自动调用的方法Beaver 的价值就是补上这层“智能体操作系统”
</aside>
</section>
<section class="slide" data-title="Testing And Next Steps">
<p class="kicker">testing_strategy</p>
<h2 class="h2">交付标准:覆盖决策逻辑与真实工具形态</h2>
<section class="slide" data-title="Product Positioning">
<p class="kicker">positioning</p>
<h2 class="h2">Beaver 的定位:企业 AI Agent 的执行与治理平台</h2>
<div class="flow mt-l">
<div class="flow-step"><span class="n">01</span><h4>识别</h4><p>判断用户是在普通对话,还是在交办需要持续完成的任务。</p></div>
<div class="flow-step"><span class="n">02</span><h4>执行</h4><p>按任务选择模型、技能和工具,处理文件、搜索、终端或外部连接器。</p></div>
<div class="flow-step"><span class="n">03</span><h4>追踪</h4><p>记录过程、工具调用、子任务、产物、通知和执行证据。</p></div>
<div class="flow-step"><span class="n">04</span><h4>验收</h4><p>支持满意、修改、放弃,让用户反馈成为质量闭环。</p></div>
<div class="flow-step card-accent"><span class="n">05</span><h4>沉淀</h4><p>把被认可的工作方法转为技能和长期记忆,形成组织资产。</p></div>
</div>
<div class="metric-grid mt-l">
<div class="metric"><span>deployment</span><b>多实例</b><p class="dim">每个用户/团队可拥有独立 app-instance。</p></div>
<div class="metric"><span>workspace</span><b>沙盒</b><p class="dim">文件、配置和运行数据在实例边界内管理。</p></div>
<div class="metric"><span>control</span><b>验收</b><p class="dim">AI 产出以用户是否认可作为闭环信号。</p></div>
<div class="metric"><span>growth</span><b>技能库</b><p class="dim">成功任务经验可持续复用。</p></div>
</div>
<div class="deck-footer"><span>not a chatbot, an agent execution layer</span><span class="slide-number" data-current="3" data-total="13"></span></div>
<aside class="notes">
这里要把产品定位说清楚Beaver 不是单纯的聊天前端,也不是一个模型代理。它是一层智能体执行与治理平台。用户一句话进来,系统能判断是否进入任务模式,随后执行、追踪、验收,并把成功经验沉淀为长期能力。这就是客户购买的核心价值。
</aside>
</section>
<section class="slide" data-title="Product Modules">
<p class="kicker">product modules</p>
<h2 class="h2">一套完整工作台:从日常协作到工具治理都在同一界面。</h2>
<div class="roadmap mt-l">
<div class="item"><span>01</span><b>模型兼容</b><p>旧 payload 可读,新 replay 字段可写UI 不被旧数据破坏</p></div>
<div class="item"><span>02</span><b>核心逻辑</b><p>case selection、arm construction、tool mode aggregation、surrogate payload</p></div>
<div class="item"><span>03</span><b>保真检查</b><p>base section 保留、删除风险、publish gate 对 preservation risk 的处理</p></div>
<div class="item"><span>04</span><b>混合工具</b><p>安全文件写真实执行,外部写入被拦截为 surrogate生成可审计报告</p></div>
<div class="item"><span>01</span><b>对话工作台</b><p>会话、附件、Agent 运行过程、当前任务进度和验收操作</p></div>
<div class="item"><span>02</span><b>任务中心</b><p>普通任务、定时任务、任务详情、时间线和结果验收</p></div>
<div class="item"><span>03</span><b>文件空间</b><p>上传、目录管理、Markdown/文本/图片预览、下载和删除</p></div>
<div class="item"><span>04</span><b>技能与市场</b><p>企业技能库、草稿评审、发布门禁和技能安装</p></div>
</div>
<div class="roadmap mt-m">
<div class="item"><span>05</span><b>工具管理</b><p>MCP 工具配置、工具详情、测试、编辑和删除。</p></div>
<div class="item"><span>06</span><b>通知与定时</b><p>周期任务、主动提醒、运行记录和后续修改。</p></div>
<div class="item"><span>07</span><b>连接器</b><p>Outlook 等外部系统接入,承接邮件、日历和业务入口。</p></div>
<div class="item"><span>08</span><b>配置中心</b><p>模型供应商、Agent profile、通道、系统状态和运行参数。</p></div>
</div>
<div class="deck-footer"><span>customer-facing workspace, admin-facing control</span><span class="slide-number" data-current="4" data-total="13"></span></div>
<aside class="notes">
这一页适合给客户展示产品范围。Beaver 不是单点工具,而是一套工作台。对普通用户来说,有对话、任务、文件和通知。对管理员或实施团队来说,有技能、工具、连接器、模型配置和系统状态。这样客户能看到它不是 demo而是可以承载真实使用流程的产品。
</aside>
</section>
<section class="slide" data-title="Business Scenarios">
<p class="kicker">use cases</p>
<h2 class="h2">典型客户场景:高频、跨工具、需要留痕的知识工作。</h2>
<div class="grid g3 mt-l">
<div class="card card-accent"><h4>项目交付助手</h4><p class="dim">梳理需求、拆任务、生成方案、跟踪修改意见,把交付过程沉淀为可复用模板。</p></div>
<div class="card card-accent"><h4>运营与周报自动化</h4><p class="dim">定时触发数据整理、状态汇总、风险提醒和通知推送,减少重复人工跟进。</p></div>
<div class="card card-accent"><h4>企业知识与文件处理</h4><p class="dim">围绕 workspace 文件、历史任务和业务知识进行整理、摘要、审查和产物生成。</p></div>
<div class="card card-accent"><h4>研发与技术支持</h4><p class="dim">分析代码、执行命令、读取日志、记录证据,为工程团队提供可追溯协作。</p></div>
<div class="card card-accent"><h4>销售与客户成功</h4><p class="dim">沉淀客户上下文、准备沟通材料、跟踪待办,并与邮件日历等连接器协同。</p></div>
<div class="card card-accent"><h4>内部 AI 能力平台</h4><p class="dim">让不同团队共用安全边界、工具管理、技能市场和多模型供应商策略。</p></div>
</div>
<div class="deck-footer"><span>best fit: repeatable workflows with review requirements</span><span class="slide-number" data-current="5" data-total="13"></span></div>
<aside class="notes">
这里不要讲单一行业,而是讲适合 Beaver 的任务类型:高频、跨工具、需要留痕、结果需要验收。客户会自然映射到自己的场景,比如项目管理、运营报告、技术支持、知识库维护、客户成功和内部 AI 平台。关键是让客户看到 Beaver 能进入真实工作流。
</aside>
</section>
<section class="slide" data-title="Comparison">
<p class="kicker">competitive edge</p>
<h2 class="h2">优势对比Beaver 补齐聊天、RPA 和通用 Agent 框架之间的空白。</h2>
<div class="matrix mt-l">
<div class="head">能力维度</div><div class="head">普通 AI 聊天</div><div class="head">传统自动化/RPA</div><div class="head">Beaver Agent Sandbox</div>
<div class="rowhead">任务生命周期</div><div>以消息为中心</div><div>以固定流程为中心</div><div><span class="tag good">识别、执行、验收、复用闭环</span></div>
<div class="rowhead">工具与文件</div><div>通常只生成建议</div><div>能执行但流程僵硬</div><div><span class="tag good">技能指导工具调用,过程留痕</span></div>
<div class="rowhead">用户控制</div><div>缺少明确交付确认</div><div>改流程成本较高</div><div><span class="tag good">满意、修改、放弃进入任务状态</span></div>
<div class="rowhead">经验沉淀</div><div>依赖聊天记录</div><div>依赖人工维护脚本</div><div><span class="tag good">成功任务转技能和长期记忆</span></div>
<div class="rowhead">部署边界</div><div>SaaS 居多</div><div>企业内复杂集成</div><div><span class="tag good">Docker 多实例沙盒,适配私有部署</span></div>
</div>
<div class="deck-footer"><span>differentiation: task closure + evidence + reusable skills</span><span class="slide-number" data-current="6" data-total="13"></span></div>
<aside class="notes">
这一页是客户很关心的“为什么不是已有方案”。普通聊天工具擅长生成内容但缺少任务闭环和治理。RPA 能执行,但通常流程固定、维护成本高。通用 Agent 框架适合开发者搭系统但客户还需要完整工作台、验收和管理界面。Beaver 的差异化在于把执行、证据、验收和经验沉淀做成一套产品。
</aside>
</section>
<section class="slide" data-title="Architecture For Customers">
<p class="kicker">deployment model</p>
<h2 class="h2">客户可理解的部署模型:入口统一,实例隔离,数据边界清晰。</h2>
<div class="flow mt-l">
<div class="flow-step"><span class="n">01</span><h4>认证门户</h4><p>用户注册、登录、进入模型配置引导。</p></div>
<div class="flow-step"><span class="n">02</span><h4>授权服务</h4><p>管理账号、内部身份和 backend 注册。</p></div>
<div class="flow-step"><span class="n">03</span><h4>部署控制</h4><p>为用户创建独立 app-instance 容器。</p></div>
<div class="flow-step"><span class="n">04</span><h4>统一代理</h4><p>按实例域名把流量分发到对应容器。</p></div>
<div class="flow-step card-accent"><span class="n">05</span><h4>用户实例</h4><p>前端、后端、workspace、文件、技能和配置在实例内运行。</p></div>
</div>
<div class="grid g3 mt-l">
<div class="card card-accent"><h4>私有化友好</h4><p class="dim">最小部署基于 Linux/WSL2 + Docker可放在企业自有环境或云主机。</p></div>
<div class="card card-accent"><h4>实例级隔离</h4><p class="dim">每个 app-instance 有自己的 workspace、配置和运行数据边界。</p></div>
<div class="card card-accent"><h4>供应商灵活</h4><p class="dim">模型 provider 可配置,支持后续成本、速度和质量策略。</p></div>
</div>
<div class="deck-footer"><span>deployment: auth portal + deploy control + routed app instances</span><span class="slide-number" data-current="7" data-total="13"></span></div>
<aside class="notes">
客户介绍中不需要展开所有代码细节但要说明架构可信。Beaver 的多实例模式是用户从认证门户进入授权服务和部署控制创建独立实例路由代理按域名分发流量。每个用户实例里有自己的前端、后端、workspace、技能和配置。客户能理解这是一个有边界的沙盒而不是所有人混在一个共享会话里。
</aside>
</section>
<section class="slide" data-title="Trust And Governance">
<p class="kicker">trust and control</p>
<h2 class="h2">企业需要的不只是智能,还要可控、可解释、可治理。</h2>
<div class="metric-grid mt-l">
<div class="metric"><span>trace</span><b>证据链</b><p class="dim">任务、工具调用、产物和结果进入时间线。</p></div>
<div class="metric"><span>review</span><b>验收</b><p class="dim">用户可接受、要求修改或放弃任务。</p></div>
<div class="metric"><span>boundary</span><b>沙盒</b><p class="dim">文件与配置在实例边界内管理。</p></div>
<div class="metric"><span>admin</span><b>工具治理</b><p class="dim">MCP 工具可测试、编辑、启停和审查。</p></div>
</div>
<div class="split mt-l">
<div class="card card-accent"><h3>Unit tests</h3><p class="dim">历史 case 选择、双臂构造、工具模式分类、替身评分 payload、保真检查、低置信发布门禁。</p></div>
<div class="card card-accent"><h3>Integration-style tests</h3><p class="dim">stub filesystem write、stub external write、candidate 同时改善真实 artifact 和 surrogate side effect。</p></div>
<div class="card card-accent">
<h3>对业务负责人</h3>
<ul class="clean mt-m">
<li>每个 AI 任务都有状态和产物。</li>
<li>结果不是默认正确,需要用户确认。</li>
<li>成功经验可沉淀为团队可复用能力。</li>
</ul>
</div>
<div class="card card-accent">
<h3>对 IT / 安全团队</h3>
<ul class="clean mt-m">
<li>部署控制面不直接暴露公网。</li>
<li>实例有独立 workspace 和配置边界。</li>
<li>工具、模型和连接器可按企业策略逐步接入。</li>
</ul>
</div>
</div>
<div class="deck-footer"><span>next: implement tasks 1-12 from the current plan</span><span class="slide-number" data-current="12" data-total="13"></span></div>
<div class="deck-footer"><span>governance: evidence, acceptance, isolation, admin controls</span><span class="slide-number" data-current="8" data-total="13"></span></div>
<aside class="notes">
这一页收束到交付标准。测试不只测 happy path而是围绕风险边界模型兼容、case 选择、双臂构造、工具模式聚合、替身 payload、保真检查、发布门禁以及混合工具场景。我们需要证明这套评估不仅能生成报告而且能正确处理安全工具、外部写入和低置信度边界
这一页强调企业采购最关心的风险问题。业务负责人关心能不能交付IT 和安全团队关心能不能管控。Beaver 的回答是:任务有证据链,结果有验收,实例有边界,工具和连接器可治理。这样客户会觉得它不是一个不受控的 AI 黑盒,而是一个可纳入企业管理的系统
</aside>
</section>
<section class="slide center tc" data-title="Questions">
<div>
<div class="center-mark">Q</div>
<h2 class="h2 mt-m">Questions</h2>
<p class="lede" style="margin-left:auto;margin-right:auto;">技能发布前,不只要看草稿写得好不好,还要看它在历史任务里做了什么、没做什么、敢不敢相信。</p>
<div class="row mt-l" style="justify-content:center">
<span class="tag good">behavior evidence</span>
<span class="tag">tool coverage</span>
<span class="tag warn">confidence gates</span>
<span class="tag">draft preservation</span>
<section class="slide" data-title="Learning Loop">
<p class="kicker">learning moat</p>
<h2 class="h2">长期优势:越用越会做,把企业经验变成智能体资产。</h2>
<div class="pipeline mt-l">
<div class="phase card-accent"><span class="tag">memory</span><h3>长期记忆</h3><p class="dim">沉淀用户偏好、组织知识、历史任务、文件产物和工具经验。</p></div>
<div class="phase card-accent"><span class="tag">skills</span><h3>技能库</h3><p class="dim">把被认可的任务方法转为技能候选、草稿、审核和发布。</p></div>
<div class="phase card-accent"><span class="tag">marketplace</span><h3>市场与分发</h3><p class="dim">让团队安装、复用和管理已验证的技能与工具能力。</p></div>
</div>
<div class="panel mt-l">
<span class="tag good">客户价值</span>
<p class="lede mt-s">第一次交付依赖人工指导,第二次开始复用技能和记忆,长期形成企业自己的 AI 工作方法库。</p>
</div>
<div class="deck-footer"><span>compounding advantage: accepted work becomes reusable capability</span><span class="slide-number" data-current="9" data-total="13"></span></div>
<aside class="notes">
客户会问:这个系统的长期壁垒是什么?答案是学习闭环。普通工具每次都从头开始,而 Beaver 会把被用户认可的任务经验沉淀为技能,把稳定信息沉淀为记忆。后续类似任务可以自动激活已有方法。这让企业的 AI 能力随着使用增加,而不是永远停留在通用模型层。
</aside>
</section>
<section class="slide" data-title="Readiness">
<p class="kicker">current readiness</p>
<h2 class="h2">当前已具备的可展示能力,足够支撑客户试点。</h2>
<div class="matrix mt-l">
<div class="head">能力</div><div class="head">当前状态</div><div class="head">客户看到什么</div><div class="head">商业价值</div>
<div class="rowhead">任务执行闭环</div><div><span class="tag good">已完成</span></div><div>任务列表、详情、时间线、验收操作</div><div>从回答变成可交付结果</div>
<div class="rowhead">工具与证据</div><div><span class="tag good">已具备</span></div><div>文件、终端、网页、技能、定时任务等工具调用记录</div><div>可审计、可复盘</div>
<div class="rowhead">多智能体协作</div><div><span class="tag good">已具备</span></div><div>复杂任务拆分、子任务结果汇总</div><div>处理多阶段复杂工作</div>
<div class="rowhead">技能沉淀</div><div><span class="tag good">已具备</span></div><div>候选、草稿、评审、发布链路</div><div>形成企业技能库</div>
<div class="rowhead">长期记忆</div><div><span class="tag warn">底层已完成,待产品化接入</span></div><div>后续展示记忆管理台和检索轨迹</div><div>越用越懂业务</div>
</div>
<div class="deck-footer"><span>pilot-ready modules plus roadmap for memory/productization</span><span class="slide-number" data-current="10" data-total="13"></span></div>
<aside class="notes">
这一页要避免过度承诺,同时告诉客户可以试点。任务闭环、工具调用、证据留存、多智能体、技能沉淀这些已经具备展示基础。长期记忆底层能力已经完成,但仍需要接入主产品链路和 UI因此对客户可以讲成下一阶段重点。这样既展示实力也保持可信边界。
</aside>
</section>
<section class="slide" data-title="Business Value">
<p class="kicker">business value</p>
<h2 class="h2">客户收益:更快交付、更低风险、更强复用。</h2>
<div class="metric-grid mt-l">
<div class="metric"><span>speed</span><b>交付提速</b><p class="dim">将多步骤知识工作从人工串联变成 AI 协作执行。</p></div>
<div class="metric"><span>quality</span><b>过程透明</b><p class="dim">任务时间线和证据链降低黑盒风险。</p></div>
<div class="metric"><span>reuse</span><b>经验复用</b><p class="dim">技能和记忆让团队避免重复提示和重复摸索。</p></div>
<div class="metric"><span>control</span><b>成本可控</b><p class="dim">模型供应商可配置,为后续质量/成本路由打基础。</p></div>
</div>
<div class="split mt-l">
<div class="card card-accent">
<h3>适合先做试点的部门</h3>
<ul class="clean mt-m">
<li>需要频繁生成和修改交付物的项目团队。</li>
<li>重复处理文件、报告和知识资料的运营团队。</li>
<li>需要审计工具调用和任务证据的技术团队。</li>
</ul>
</div>
<div class="card card-accent">
<h3>成功指标建议</h3>
<ul class="clean mt-m">
<li>任务交付时间下降。</li>
<li>重复工作模板化比例提升。</li>
<li>人工修改轮次下降。</li>
<li>可追溯任务报告覆盖率提升。</li>
</ul>
</div>
</div>
<div class="deck-footer"><span>Beaver Skill Replay Eval</span><span class="slide-number" data-current="13" data-total="13"></span></div>
<div class="deck-footer"><span>value: speed, governance, reuse, model flexibility</span><span class="slide-number" data-current="11" data-total="13"></span></div>
<aside class="notes">
最后一页只留核心判断方便收尾和进入问答。可以用一句话结束Replay Eval 让技能发布从“相信生成结果”变成“审查行为证据”。然后邀请大家针对工具策略、隔离环境、替身判断、发布门禁或 UI 展示提问
这里把商业价值说得具体一点。不要只说提升效率而要拆成可衡量指标任务交付时间、重复工作模板化比例、修改轮次、可追溯报告覆盖率。客户如果要做试点也需要这些指标判断是否成功。Beaver 的核心收益是更快交付、更低风险、更强复用
</aside>
</section>
<section class="slide" data-title="Pilot Plan">
<p class="kicker">pilot plan</p>
<h2 class="h2">建议落地方式先选高价值场景4 步完成客户试点。</h2>
<div class="roadmap mt-l">
<div class="item"><span>01</span><b>场景选择</b><p>选择一个高频、跨工具、需要验收的部门流程,例如周报、方案交付或文件处理。</p></div>
<div class="item"><span>02</span><b>私有部署</b><p>在客户环境部署 Beaver配置模型 provider、用户入口和实例域名。</p></div>
<div class="item"><span>03</span><b>工具接入</b><p>接入文件、搜索、邮件日历、MCP 工具或企业内部系统。</p></div>
<div class="item"><span>04</span><b>技能沉淀</b><p>把试点成功流程整理成技能,建立可复用的企业 Agent 模板。</p></div>
</div>
<div class="panel mt-l">
<span class="tag warn">推荐节奏</span>
<p class="lede mt-s">第一阶段先做 2-4 周试点,验证一个部门流程;第二阶段扩展连接器、权限策略和技能市场;第三阶段接入长期记忆管理。</p>
</div>
<div class="deck-footer"><span>pilot path: scenario, deploy, integrate, reuse</span><span class="slide-number" data-current="12" data-total="13"></span></div>
<aside class="notes">
客户方案要给落地路径。建议不要一开始全公司铺开而是先挑一个高价值流程2 到 4 周试点。先部署系统和模型,接入必要工具,再把成功流程沉淀成技能。试点成功后再扩展连接器、权限策略、市场和长期记忆管理。这样客户知道下一步怎么做。
</aside>
</section>
<section class="slide center tc" data-title="Closing">
<div>
<div class="center-mark">B</div>
<h2 class="h2 mt-m">Beaver Agent Sandbox</h2>
<p class="lede" style="margin-left:auto;margin-right:auto;">把企业 AI 从“会回答”升级为“能执行、可验收、可追踪、会复用”的智能体工作台。</p>
<div class="row mt-l" style="justify-content:center">
<span class="tag good">任务闭环</span>
<span class="tag">过程证据</span>
<span class="tag warn">私有沙盒</span>
<span class="tag">技能沉淀</span>
</div>
</div>
<div class="deck-footer"><span>Commercial proposal deck</span><span class="slide-number" data-current="13" data-total="13"></span></div>
<aside class="notes">
最后一页用于收束。可以把一句话再重复一遍Beaver 让企业 AI 不止停留在回答,而是进入可执行任务、可验收结果、可追踪证据和可复用经验。随后进入客户问题讨论:他们最想先试点哪个场景、已有模型和工具是什么、部署环境有什么约束。
</aside>
</section>

11
docs/product-discovery/README.md Normal file
View File

@ -0,0 +1,11 @@
# Product Discovery
Product discovery artifacts for Beaver.
## Main Product
- [Beaver Agent Sandbox](./beaver/README.md)
## Feature-Level Discovery
- [Skill Replay Eval](./skill-replay-eval/README.md)

489
docs/product-discovery/beaver/PRD-beaver-agent-sandbox.md Normal file
View File

@ -0,0 +1,489 @@
# PRD: Beaver Agent Sandbox
Date: 2026-06-09
Status: Product discovery draft for whole Beaver product
## 1. Summary
Beaver Agent Sandbox is a private-deployable workspace for enterprise Agent work. It lets users move from chat to managed tasks, execute work with files and tools, track evidence, accept or revise outputs, and turn successful work into reusable skills and memory.
The first product goal is to prove that Beaver can help a pilot team complete repeatable knowledge work with more control, traceability, and reuse than chat-only AI tools.
## 2. Contacts
| Role | Owner | Comment |
| --- | --- | --- |
| Product owner | TBD | Owns positioning, roadmap, pilot metrics, research |
| Engineering owner | TBD | Owns platform architecture and implementation quality |
| Design owner | TBD | Owns workspace, task, review, admin, and onboarding UX |
| Deployment owner | TBD | Owns Docker deployment, routing, instance lifecycle |
| Security/review owner | TBD | Owns tool policy, data boundaries, connector safety |
| Pilot owner | TBD | Owns customer/team selection and feedback loop |
## 3. Background
Most enterprise AI experiments start with chat. Chat is useful, but it is weak at real work:
- There is no durable task lifecycle.
- It is hard to see what happened.
- File and tool work is scattered.
- Results are not formally accepted or rejected.
- Successful workflows are not turned into reusable team capability.
- Admins cannot easily control deployment, tools, memory, and connectors.
Beaver addresses this gap by acting as an Agent execution and governance layer. It combines a user workspace, task runtime, evidence timeline, file and tool operations, skill learning, scheduled work, connectors, and private multi-instance deployment.
Why now:
- Teams are moving from AI demos to operational AI workflows.
- Enterprise buyers need governance, not only model access.
- Beaver already has enough implementation to support pilot workflows.
- The next step is product packaging, validation, and operational hardening.
## 4. Objective
### Objective
Prove Beaver can deliver trusted, repeatable Agent work for pilot teams.
### Key Results
| Key Result | Target |
| --- | --- |
| Time to first accepted task | Pilot user reaches first accepted task within first session |
| Accepted Agent Workflows | >=30 accepted tasks across pilot team within 30 days |
| Acceptance Rate | >=60% of completed task runs accepted |
| Evidence Coverage | >=90% of task runs show useful timeline/tool/artifact evidence |
| Skill Reuse | >=5 reusable skills created, >=3 reused at least twice |
| Deployment Repeatability | Fresh pilot deployment under 2 hours with documented steps |
| Critical Incidents | 0 control-plane exposure, data leakage, or unintended external-write incidents |
## 5. Market Segments
### Primary Segment: Enterprise Teams Doing Repeatable Knowledge Work
Examples:
- Project delivery teams.
- Operations teams.
- Internal strategy/research teams.
- Technical support and engineering teams.
- Customer success and sales operations teams.
Their work is a good fit when it is:
- Repeated often.
- Multi-step.
- File-heavy.
- Tool-heavy.
- Needs review or approval.
- Benefits from a traceable process.
### Buyer Segment: AI Platform Owner / IT Leader
They need to provide AI capability without losing control over deployment, data, tools, and governance.
### Admin Segment: Operator / Implementation Owner
They set up Beaver, manage model providers, monitor health, handle connectors, and support users.
### Maintainer Segment: Skill Owner
They curate reusable skills and make sure published skills are safe, useful, and reviewable.
## 6. Value Propositions
### For Workflow Teams
Beaver turns AI conversations into managed work. A request can become a task, produce artifacts, show evidence, and continue through revision until accepted.
### For Platform Owners
Beaver offers a private Agent sandbox with instance boundaries, tool governance, skills, and operational controls.
### For Admins
Beaver makes onboarding and operations more repeatable through auth portal, deploy control, routing, settings, status, and logs.
### For Skill Maintainers
Beaver turns accepted work into reusable skills through candidate, draft, safety/eval, review, and publish flow.
### For End Users
Beaver gives one place to chat, upload files, run tasks, preview outputs, review results, and reuse proven methods.
## 7. Solution
### 7.1 User Experience
#### First-Run Experience
```text
User registers
-> app instance is created
-> user configures model provider
-> user enters Beaver workspace
-> user starts from a workflow template or chat
-> Beaver creates or continues a task
-> user accepts or revises the result
```
Requirements:
- Registration and instance provisioning must show clear progress and errors.
- Provider setup must be understandable and recoverable.
- If provider setup is skipped, the app must clearly explain why Agent calls cannot run.
#### Daily User Workspace
Primary screens:
- Chat workbench.
- Task list and task details.
- Files.
- Notifications and scheduled work.
- Skills and marketplace.
- Tool management.
- Settings/status/logs.
Core user loop:
```text
Ask
-> execute
-> inspect evidence
-> accept/revise
-> reuse
```
#### Admin Experience
Admin needs:
- See instance health.
- Configure providers.
- Configure channels/connectors.
- Restart safely.
- Inspect logs.
- Manage tools and skills.
- Understand failures.
### 7.2 Key Features
#### Authentication And Instance Provisioning
Requirements:
- Users register or log in through auth portal.
- Registration triggers an app-instance container.
- Router maps instance host to container.
- Provider onboarding can configure model provider after instance creation.
Acceptance criteria:
- New user can reach a working instance.
- Failed provisioning shows a recoverable error.
- `deploy-control` and `authz-service` are not public surfaces.
#### Chat Workbench
Requirements:
- Users can create/select sessions.
- Users can send text and attachments.
- Users can see Assistant messages, task cards, Agent run progress, and acceptance controls.
- Users can jump from chat to task detail.
Acceptance criteria:
- User can complete one full chat-to-task-to-accept flow.
- Attachments can be uploaded and used.
- Current task status is visible.
#### Task Lifecycle
Requirements:
- System can distinguish ordinary chat from task requests.
- Task can be created, run, continued, revised, accepted, abandoned, or deleted.
- Task detail shows timeline, runs, tools, artifacts, result, and acceptance controls.
Acceptance criteria:
- Task list and detail remain useful on mobile and desktop.
- Acceptance actions are persisted.
- Revision feedback continues the same task context.
#### Agent Team Execution
Requirements:
- Complex tasks can be planned as sequence, parallel, or DAG execution.
- Subtasks can bind skills or ephemeral guidance.
- Main Agent synthesizes final answer from evidence.
Acceptance criteria:
- Subtask results are visible and debuggable.
- Failed team execution is shown without hiding partial evidence.
#### Files Workspace
Requirements:
- Users can upload, create folders, browse, preview, download, and delete files.
- Workspace roots stay understandable.
- File operations are safe within instance boundaries.
Acceptance criteria:
- Root and nested directories work.
- Text/Markdown/image preview works.
- Long file names do not break layout.
#### Tools And MCP
Requirements:
- Admins can view, test, add, edit, delete, and refresh tools where supported.
- Agent runtime can expose tools based on task and skill context.
- Tool calls are recorded as evidence.
Acceptance criteria:
- Tool detail and test flows work.
- Dangerous tools are governed by policy before broad rollout.
#### Skills And Marketplace
Requirements:
- Published skills can be listed, inspected, installed, uploaded, disabled, rolled back, or deleted where supported.
- Accepted work can create skill candidates.
- Candidates can become drafts.
- Drafts require safety/eval/review gates before publish.
- Marketplace supports discovery and install.
Acceptance criteria:
- Candidate and draft flows do not reset UI state unexpectedly.
- Publish requires review gates.
- Published skill can be reused by later tasks.
#### Memory
Requirements:
- Beaver can store long-term preferences, business knowledge, historical task learning, file/artifact memory, tool experience, and reusable workflows.
- Before broad product use, users/admins need memory inspect/edit/delete/freeze controls.
Acceptance criteria for Memory Control Center MVP:
- User can see what is remembered.
- User can see source and last-used context.
- User can edit, delete, or freeze memory.
- Task detail can show when memory affected execution.
#### Scheduled Work And Notifications
Requirements:
- Users can create scheduled jobs.
- Scheduled runs can produce notifications or tasks.
- Users can review, revise, or accept scheduled outputs.
Acceptance criteria:
- Scheduled job can be created, toggled, run now, deleted.
- Scheduled output can enter normal task review flow.
#### Connectors
Requirements:
- Beaver can connect to external systems such as Outlook and selected IM/channel connectors.
- Connector status, setup, errors, and reconnect path must be visible.
- External writes require clear policy and safety boundary.
Acceptance criteria:
- Pilot-safe connector list is documented.
- External connector callbacks route correctly in multi-instance deployment.
- Failed connector auth or setup is recoverable.
#### Settings, Status, Logs
Requirements:
- Users/admins can configure provider, Agent settings, channels, and runtime.
- Status page shows current app health.
- Logs help operators diagnose failures.
- Restart is confirmed before execution.
Acceptance criteria:
- Provider save flow works.
- Runtime restart flow is protected by confirmation.
- Long config values do not break UI.
### 7.3 Technology
Frontend:
- Next.js app inside `app-instance/frontend`.
- App shell with chat, tasks, files, skills, marketplace, tools, connectors, settings, status, logs.
Backend:
- Python Beaver backend inside `app-instance/backend`.
- Unified `beaver.engine` for Agent runtime.
- `beaver.coordinator` for multi-agent execution.
- `beaver.services` for task, cron, process, and application orchestration.
- `beaver.tools` for built-in/MCP tool execution.
- `beaver.skills` for skill loading, learning, review, publishing.
- `beaver.memory` for run memory, skills memory, long-term memory foundation.
- `beaver.interfaces` for web, MCP, channels, CLI/gateway surfaces.
Deployment:
- `auth-portal`.
- `authz-service`.
- `deploy-control`.
- `router-proxy`.
- `app-instance`.
- Docker network and per-instance mounted runtime directories.
### 7.4 Data And Evidence
Important product data:
- Users and auth handoff.
- Instance registry.
- Provider configuration.
- Conversations and messages.
- Tasks, task runs, run events, timeline events.
- Tool calls and results.
- Files and artifacts.
- Skill receipts, candidates, drafts, safety/eval reports, reviews, published versions.
- Memory records.
- Scheduled jobs and scheduled runs.
- Connector state and events.
Evidence principle:
Every meaningful Agent action should become explainable later.
### 7.5 Assumptions
- The best first customers are teams with repeatable knowledge workflows.
- Task acceptance is the right primary quality signal.
- Private deployment is a benefit, not a barrier, for early enterprise pilots.
- Teams will value skill/memory reuse after enough accepted tasks.
- Admins can operate a Docker-based deployment with a clear runbook.
- Memory must be controllable before it can be trusted.
### 7.6 Non-Goals For First Pilot
- Broad public SaaS launch.
- Full multi-tenant organization management.
- Fully autonomous skill publishing.
- Production external writes without clear review.
- Complete enterprise RBAC.
- Unlimited connector support.
- Perfect long-term memory automation.
- Replacing human review for high-risk work.
## 8. Release
### Release 0: Internal Demo Readiness
Scope:
- Clean local deployment.
- Auth portal registration/login.
- Provider onboarding.
- Chat-to-task demo.
- Task detail evidence.
- File upload/preview.
- Skills and marketplace demo.
- Settings/status/logs.
Exit criteria:
- Demo flow works on fresh environment.
- Known limitations are documented.
- No critical security/deployment issue.
### Release 1: Pilot Workflow Release
Scope:
- 2-3 packaged workflows.
- Task acceptance and evidence as main flow.
- Files and selected tools.
- Basic scheduled workflow.
- One pilot-safe connector if stable.
- Skill candidate/draft/review/publish.
- Deployment runbook and support checklist.
Exit criteria:
- Pilot team reaches >=30 accepted tasks in 30 days.
- >=5 reusable skills created.
- 0 critical incidents.
- Deployment under 2 hours on fresh host.
### Release 2: Governance And Reuse Release
Scope:
- Evidence narrative.
- Memory Control Center.
- Skill replay/eval governance.
- Admin health console.
- Connector policy hardening.
- Pilot scorecard.
Exit criteria:
- Reviewers understand evidence.
- Users can inspect and control memory.
- Admins can diagnose provider/connector/runtime issues.
- Skill reuse is visible in metrics.
### Release 3: Expansion Release
Scope:
- Team/workspace concepts if validated.
- More connectors.
- Audit export.
- Cross-instance analytics.
- Policy profiles.
- Instance lifecycle automation.
Exit criteria:
- Multiple teams can run without high support load.
- Governance story supports enterprise buying process.
## Open Questions
- Is the first paying segment project teams, operations teams, engineering/support, or internal AI platform teams?
- Should Beaver optimize for single-user instances first or team workspaces sooner?
- Which connector is the safest and most valuable pilot connector?
- What exact tool policy should apply in customer pilots?
- What memory behavior should be on by default?
- How much raw evidence should normal users see versus admins?
- What is the backup/restore SLA for app instances?
## Success Review Checklist
- Can a new user get to first accepted task quickly?
- Can a reviewer understand what the Agent did?
- Can an admin recover from provider or connector errors?
- Can a successful task become a reusable skill?
- Can a pilot owner prove value with metrics?
- Can security explain the deployment and tool boundaries?

30
docs/product-discovery/beaver/README.md Normal file
View File

@ -0,0 +1,30 @@
# Beaver Product Discovery
This folder covers Beaver as the whole product, not only one feature.
Beaver is an enterprise Agent sandbox and execution platform. It combines private deployment, per-user app instances, chat-to-task execution, task evidence, user acceptance, files, tools, skills, memory, connectors, scheduled work, and governance.
## Documents
- [Business Strategy HTML](./index.html): business-style product discovery, strategy canvas, target users, segmentation, and competitors.
- [Product PRD HTML](./product-prd.html): product PRD, outcome roadmap, module job stories, WWA backlog items, and test scenarios.
- [Product Discovery Report](./product-discovery-report.md): product understanding, users, JTBD, opportunities, assumptions, experiments, priorities, metrics, and 30/90 day recommendations.
- [Product Architecture Brief](./product-architecture-brief.md): product-facing architecture across auth, deployment control, routing, app instances, frontend, backend, Agent runtime, tools, skills, memory, files, connectors, and operations.
- [PRD](./PRD-beaver-agent-sandbox.md): full-product PRD for the Beaver Agent Sandbox.
- [Validation Plan](./validation-plan.md): customer, product, technical, security, usability, and business validation plan.
- [Launch And Maintenance Runbook](./launch-maintenance-runbook.md): launch phases, readiness checks, monitoring, incident response, maintenance cadence, and rollback.
## Source Material
- [Project README](../../../README.md)
- [Deployment Guide](../../../部署指南.md)
- [Domain Guide](../../../域名配置指引.md)
- [App Instance README](../../../app-instance/README.md)
- [Backend README](../../../app-instance/backend/README.md)
- [Recent Backend Features](../../../projcet_review/backend_recent_completed_features.md)
- [UI/UX Page Docs](../../ui-ux/README.md)
- [Customer Presentation](../../presentations/skill-replay-eval/index.html)
## Related Feature Discovery
- [Skill Replay Eval Discovery](../skill-replay-eval/README.md)

1277
docs/product-discovery/beaver/index.html Normal file
View File

File diff suppressed because it is too large Load Diff

455
docs/product-discovery/beaver/launch-maintenance-runbook.md Normal file
View File

@ -0,0 +1,455 @@
# Beaver Launch And Maintenance Runbook
Date: 2026-06-09
Scope: whole Beaver product.
## 1. Launch Principle
Launch Beaver through controlled pilots before broad rollout.
The product has a wide operational surface: auth, deployment control, routing, per-instance app containers, model providers, Agent runtime, tools, files, skills, memory, scheduled work, and connectors. A successful launch depends as much on reliability and trust as on feature completeness.
## 2. Launch Roles
| Role | Responsibility |
| --- | --- |
| Launch owner | Owns readiness, go/no-go, rollout phases |
| Deployment owner | Owns Docker images, network, router, instance lifecycle |
| Backend owner | Owns Agent runtime, tasks, tools, skills, cron, APIs |
| Frontend owner | Owns user-facing flows and UI verification |
| Security owner | Owns control-plane exposure, data boundaries, tool/connector policy |
| Pilot owner | Owns user onboarding, workflow selection, feedback, metrics |
| Support owner | Owns incident triage, runbook updates, user support |
## 3. Launch Phases
### Phase 0: Local Internal Readiness
Audience: builders and internal testers.
Goals:
- Full local deployment works.
- Core demo flows are stable.
- Known risks are documented.
Required flows:
- Register/login.
- Provider onboarding.
- First chat response.
- Chat-to-task.
- Task acceptance/revision.
- File upload/preview/download/delete.
- Skill list/candidate/draft/review.
- Settings/status/restart.
Exit criteria:
- Fresh deployment run completed from docs.
- No P0 or launch-blocking P1 issues.
- Demo script works end to end.
### Phase 1: Controlled Pilot
Audience: one internal team or one trusted customer team.
Goals:
- Validate real workflow value.
- Validate deployment and support process.
- Validate trust, evidence, and governance story.
Constraints:
- Narrow workflow scope.
- Narrow connector scope.
- Conservative tool policy.
- Human review for skill publishing.
- No opaque memory use for sensitive data.
Exit criteria:
- >=30 accepted tasks in 30 days.
- >=2 recurring workflows.
- 0 critical incidents.
- Deployment/support issues documented and reduced.
### Phase 2: Expanded Pilot
Audience: more users in same team or a second pilot team.
Goals:
- Test repeatability across workflows.
- Introduce Memory Control Center or stricter memory policy if ready.
- Strengthen skill reuse and scheduled work.
Exit criteria:
- Skill reuse becomes visible.
- Admin can operate without developer pairing for common tasks.
- Evidence and report quality are accepted by workflow owner.
### Phase 3: Production Candidate
Audience: broader customer or department rollout.
Goals:
- Stabilized deployment.
- Health monitoring.
- Incident response.
- Backup/restore process.
- Policy profiles.
Exit criteria:
- Launch owner, security owner, and deployment owner approve.
- Support process has clear ownership.
- Rollback and restore are rehearsed.
## 4. Pre-Launch Checklist
### Deployment
- [ ] Images build successfully.
- [ ] Docker network exists.
- [ ] Router proxy starts.
- [ ] AuthZ service starts.
- [ ] Deploy control starts.
- [ ] Auth portal starts.
- [ ] App instance can be created.
- [ ] App instance route works through router proxy.
- [ ] Provider config can be written and instance restarted.
- [ ] Runtime directories are persistent.
- [ ] Public exposure limited to intended services.
### Product Flows
- [ ] Register/login works.
- [ ] Provider onboarding works.
- [ ] Chat workbench loads.
- [ ] Task creation works.
- [ ] Task detail timeline works.
- [ ] Acceptance/revision/abandon works.
- [ ] Files page works.
- [ ] Tools page works for pilot tools.
- [ ] Skills page works.
- [ ] Marketplace install works if included.
- [ ] Cron/scheduled flow works if included.
- [ ] Connector flow works if included.
- [ ] Settings/status/logs work.
### Governance
- [ ] Tool policy for pilot is documented.
- [ ] Connector side effects are understood.
- [ ] Skill publish gates are documented.
- [ ] Memory behavior is documented.
- [ ] Data retention expectations are documented.
- [ ] User-facing limitations are documented.
### Support
- [ ] Pilot support channel exists.
- [ ] Incident owner assigned.
- [ ] Logs and health checks are accessible.
- [ ] Backup/restore expectations are clear.
- [ ] Known issues list exists.
## 5. Monitoring
### Product Metrics
| Metric | Owner | Cadence |
| --- | --- | --- |
| Accepted tasks | Pilot owner | Weekly |
| Acceptance rate | Product owner | Weekly |
| Revision rate | Product owner | Weekly |
| Active workflows | Pilot owner | Weekly |
| Skill candidates and reuse | Product owner | Weekly |
| Scheduled run success | Backend owner | Weekly |
| Time to first accepted task | Product/design | Per onboarding |
### Operational Metrics
| Metric | Owner | Alert |
| --- | --- | --- |
| Instance creation failures | Deployment owner | >10% during pilot |
| Router route failures | Deployment owner | Any repeated failure |
| Provider setup failures | Support owner | >20% of onboarded users |
| Task run failures | Backend owner | >20% for 2 days |
| WebSocket/runtime disconnects | Backend/frontend | Repeated user-visible failures |
| File operation failures | Backend owner | Any permission/path issue |
| Tool execution failures | Backend owner | Repeated by tool category |
| Cron failures | Backend owner | Any critical scheduled workflow missed |
| Connector failures | Integration owner | Failed auth or unintended write |
### Security Metrics
| Metric | Alert |
| --- | --- |
| Control-plane public exposure | Immediate P0 |
| Cross-instance data access | Immediate P0 |
| Unintended external write | Immediate P0 |
| Credential leak in logs/report | Immediate P0 |
| Unsafe skill publish | P1, or P0 if external action risk |
## 6. Health Checks
### Control Plane
- Auth portal reachable.
- AuthZ service reachable internally.
- Deploy control reachable internally with token.
- Router proxy has generated routes.
- Instance registry is readable and consistent.
### App Instance
- Frontend loads.
- Backend `/api/status` responds.
- WebSocket works.
- Provider config present.
- Workspace path mounted.
- Initial skills present.
- Logs accessible.
### Product Runtime
- Chat request succeeds.
- Task run succeeds.
- File API succeeds.
- Tool registry loads.
- Skills list loads.
- Cron scheduler active if enabled.
- Connector status loads if enabled.
## 7. Incident Response
### P0: Control Plane Exposed
Examples:
- `deploy-control` accessible from public internet.
- `authz-service` accessible from public internet.
- Internal token leaked.
Actions:
1. Remove public route/firewall exposure.
2. Rotate affected tokens.
3. Review access logs.
4. Confirm no unauthorized instance operations.
5. Update deployment checklist.
### P0: Cross-Instance Data Leak
Examples:
- Instance A reads Instance B workspace.
- Router sends user to wrong instance.
- Shared connector callback writes to wrong instance.
Actions:
1. Disable affected route or instance.
2. Preserve logs and registry.
3. Identify path/host/callback mapping failure.
4. Patch and add regression test.
5. Notify affected stakeholders.
### P0: Unintended External Action
Examples:
- Email or IM message sent unexpectedly.
- Calendar invite created unexpectedly.
- External system updated without user intent.
Actions:
1. Disable connector or tool.
2. Preserve task/tool evidence.
3. Identify initiating task, tool, arguments, user, connector account.
4. Patch policy or confirmation gate.
5. Add test case and update pilot policy.
### P1: New User Cannot Reach Instance
Actions:
1. Check auth portal logs.
2. Check authz register flow.
3. Check deploy-control register/configure flow.
4. Check instance registry.
5. Check router route generation.
6. Check container state and app logs.
### P1: Provider Config Broken
Actions:
1. Check settings/status.
2. Confirm config path and provider fields.
3. Test provider credentials.
4. Restart instance if config was changed.
5. Improve onboarding copy if user error.
### P1: Task Runtime Failing
Actions:
1. Check backend logs.
2. Check provider availability.
3. Check tool registry.
4. Check task event timeline.
5. Reproduce with minimal chat request.
6. Mark affected pilot workflow as paused if repeated.
### P2: UI Flow Confusing
Actions:
1. Record screen and user quote.
2. Add to UX issue list.
3. Determine whether it blocks pilot success.
4. Fix copy/layout if low effort.
## 8. Maintenance Cadence
### Daily During Pilot
- Check critical incidents.
- Check instance health.
- Check failed task runs.
- Check support channel.
- Review provider/connector errors.
### Weekly
- Review accepted tasks and acceptance rate.
- Review workflow success/failure.
- Review skill candidates and reuse.
- Review deployment issues.
- Review security/tool/connector events.
- Update known issues and runbook.
### Monthly
- Rehearse fresh deployment.
- Review backup/restore approach.
- Review memory and skill governance.
- Review connector roadmap.
- Review pilot ROI and expansion decision.
### Quarterly
- Revisit product positioning.
- Revisit architecture scaling assumptions.
- Decide team workspace / RBAC roadmap.
- Review security model and policy profiles.
## 9. Backup And Restore
Minimum data to preserve:
- `authz-service/runtime/data`
- `app-instance/runtime/instances`
- `app-instance/runtime/registry`
- `router-proxy/runtime/conf.d`
Per instance:
- `beaver-home/config.json`
- `beaver-home/web_auth_users.json`
- `beaver-home/workspace/`
- skill and runtime state under instance data.
Pilot requirements:
- Document manual backup command.
- Document manual restore procedure.
- Test restore for at least one non-production instance before expanded pilot.
## 10. Change Management
Before changing any of these, require launch owner review:
- Routing/proxy config.
- AuthZ issuer/internal URL.
- Deploy token names or values.
- Instance registry format.
- Workspace mount paths.
- Provider config schema.
- Tool execution policy.
- Connector callback routing.
- Skill publish gates.
- Memory default behavior.
## 11. Rollback
Rollback options:
- Roll back frontend/backend image for app instances.
- Disable specific connector.
- Disable scheduled job execution.
- Disable skill learning worker.
- Disable skill publish.
- Fall back to chat-only mode for affected workflow.
- Remove public route to affected instance.
- Restore instance data from backup.
Rollback triggers:
- P0 incident.
- Repeated instance creation failure.
- Repeated task runtime failure blocking pilot work.
- Provider config issue affecting most users.
- Connector side-effect risk.
- UI issue blocking first accepted task.
## 12. Launch Communication
### Internal
Beaver is launching as a controlled Agent execution pilot. The launch goal is not maximum feature breadth. The goal is to prove repeatable AI-assisted work with task acceptance, evidence, and reuse.
### Pilot Users
Use Beaver for selected workflows where you need a concrete output. Review each result. Accept it if usable, request revision if it is close, or abandon it if it is not worth continuing. Your feedback is the signal that helps Beaver improve and reuse work.
### Admins
Treat Beaver as an app platform with a control plane and per-instance runtime. Keep deploy-control and authz private. Monitor instance health, provider config, tool behavior, and connector side effects.
## 13. Known Limitations To Disclose
- Memory is not yet fully productized with user controls.
- Connector maturity varies by provider.
- The first pilot should use a narrow set of workflows.
- Some operations may still require engineering support.
- Skill learning needs human review before publish.
- Multi-user organization features are not the first pilot focus.
## 14. Go / No-Go Criteria
Go if:
- Fresh deployment works.
- First accepted task flow works.
- Evidence timeline is readable enough for pilot.
- Tool and connector policy is documented.
- Support owner is assigned.
- No critical security issue is open.
No-go if:
- Control-plane exposure risk is unresolved.
- Cross-instance isolation is unverified.
- Provider onboarding fails for most users.
- Task runtime is unreliable.
- Pilot workflow is not defined.
- No one owns incidents or support.

439
docs/product-discovery/beaver/product-architecture-brief.md Normal file
View File

@ -0,0 +1,439 @@
# Beaver Product Architecture Brief
Date: 2026-06-09
Audience: product, engineering, delivery, security, and pilot stakeholders.
## 1. Architecture Summary
Beaver is built as a private-deployable, multi-instance Agent workspace.
At the top level, it has five deployment components:
```text
Browser
-> auth-portal
-> authz-service
-> deploy-control
-> router-proxy
-> app-instance
```
Each `app-instance` contains the user-facing product:
```text
app-instance container
-> Nginx
-> Next.js frontend
-> Beaver backend
-> mounted beaver-home
-> config
-> workspace
-> skills
-> runtime data
```
The key product architecture choice is instance-level sandboxing. Each user or team can receive a separate app instance with its own config, workspace, files, skills, and runtime data.
## 2. Product-Level System Map
```text
Auth and onboarding
auth-portal
-> register/login
-> model provider onboarding
authz-service
-> account and backend identity
deploy-control
-> create/configure/remove app-instance
router-proxy
-> route instance host to app-instance container
User workspace
app-instance/frontend
-> chat workbench
-> tasks
-> files
-> skills
-> marketplace
-> MCP/tools
-> notifications/cron
-> connectors
-> settings/status/logs
Agent runtime
app-instance/backend
-> interfaces
-> services
-> engine
-> coordinator
-> tools
-> skills
-> memory
-> integrations
```
## 3. Deployment Components
### Auth Portal
Responsibility:
- User login and registration entry.
- Provider onboarding after registration.
- Handoff into the user app instance.
Product value:
- Gives non-technical users a clean entry point.
- Separates account onboarding from the per-instance app.
Key risk:
- Provider configuration must be understandable and recoverable for non-engineer users.
### AuthZ Service
Responsibility:
- Account and backend identity orchestration.
- Internal token-protected coordination.
Product value:
- Centralizes identity relationships between portal and app backends.
Key risk:
- Misconfigured issuer/internal URL can break new app instances.
### Deploy Control
Responsibility:
- Create, configure, and manage app instances.
- Call `app-instance/create-instance.sh`.
- Write provider config and restart instance when needed.
Product value:
- Makes private instance provisioning repeatable.
Key risk:
- Must not be exposed publicly.
- Needs health checks and lifecycle operations for pilot scale.
### Router Proxy
Responsibility:
- Route hostnames to the correct app instance container.
Product value:
- Lets each instance have a stable public URL.
Key risk:
- Domain, wildcard DNS, HTTPS, and route reload errors can block access.
### App Instance
Responsibility:
- The user-facing Beaver workspace.
- Runs frontend, backend, and Nginx in one container.
- Mounts the instance's `beaver-home` as config and workspace boundary.
Product value:
- Provides practical sandboxing for early private deployments.
Key risk:
- Instance lifecycle, backup, restore, and resource limits need productized operations.
## 4. App Instance Product Modules
### Frontend Modules
| Module | Route | Product Job |
| --- | --- | --- |
| Chat workbench | `/` | Main workspace for conversation, attachments, task cards, and acceptance |
| Tasks | `/tasks`, `/tasks/[taskId]` | Track ordinary and scheduled task lifecycle, timeline, evidence, artifacts |
| Notifications | `/notifications` | Review proactive or scheduled outputs |
| Cron | `/cron` | Manage scheduled jobs |
| Files | `/files` | Browse, upload, preview, download, delete workspace files |
| Skills | `/skills` | Manage published skills, candidates, drafts, safety/eval, review, publish |
| Marketplace | `/marketplace` | Discover and install skills |
| MCP/tools | `/mcp` | Manage tool servers, tool details, test, add, edit, delete |
| Agents | `/agents` | Manage Agent definitions and roles |
| Outlook/connectors | `/outlook`, settings connector panels | Connect external systems |
| Settings/status/logs | `/settings`, `/status`, `/logs` | Configure providers, runtime, channels, health, and debugging |
### Backend Modules
| Module | Responsibility |
| --- | --- |
| `foundation` | Shared config, errors, events, utilities, base models |
| `engine` | Unified Agent runtime used by main Agent and sub-agents |
| `coordinator` | Multi-agent sequence/parallel/DAG execution |
| `tools` | Built-in and MCP tool registration/execution |
| `skills` | Skill loading, resolution, drafts, learning, review, publish |
| `memory` | Long-term memory and run/skill stores |
| `permissions` | Governance and policy surface |
| `services` | Application orchestration, tasks, cron, process projection |
| `interfaces` | Web, CLI, Gateway, channels, MCP servers |
| `integrations` | AuthZ, MCP, external protocols, connector clients |
## 5. Core Product Flows
### Flow A: New User Registration And First Workspace
```text
Browser
-> auth-portal register
-> authz-service /portal/register
-> deploy-control /api/instances/register
-> create app-instance container
-> app-instance backend registers user/backend
-> provider onboarding
-> deploy-control configures provider
-> user enters app-instance URL
```
Product requirements:
- Clear success/failure state during provisioning.
- Provider setup can be skipped but instance must explain missing model config later.
- Internal control-plane endpoints stay private.
### Flow B: Chat To Managed Task
```text
User message
-> chat workbench
-> backend task router
-> ordinary chat or task mode
-> task created
-> Agent execution
-> tool calls and artifacts
-> task timeline
-> user accepts / asks revision / abandons
```
Product requirements:
- The user must understand when a message became a task.
- The task must be recoverable from chat, task list, and details page.
- Acceptance feedback must influence future learning.
### Flow C: Complex Task With Agent Team
```text
Task request
-> TaskExecutionPlanner
-> ExecutionGraph
-> sequence / parallel / DAG nodes
-> TaskSkillResolver binds skills or ephemeral guidance
-> LocalAgentRunner executes nodes
-> main Agent synthesizes final answer
-> evidence saved
```
Product requirements:
- Team execution should be visible without overwhelming users.
- Failed subtasks should be diagnosable.
- Final synthesis should cite or summarize subtask evidence.
### Flow D: Skill Learning Loop
```text
Accepted task
-> skill learning candidate
-> draft synthesis
-> safety report
-> eval report
-> human review
-> publish
-> future skill retrieval
```
Product requirements:
- Only accepted or otherwise high-signal work should become skill candidates.
- Publishing requires review and gates.
- Skill quality must be traceable over versions.
### Flow E: File And Tool Work
```text
User uploads file or Agent needs file/tool
-> workspace file API or tool registry
-> Agent tool execution
-> result returned to context
-> event/evidence saved
-> artifact available in task or files
```
Product requirements:
- User-visible file roots must stay simple.
- Tool calls must be recorded.
- Dangerous tools need policy and review.
### Flow F: Scheduled Work And Notifications
```text
User creates scheduled job
-> cron service stores job
-> scheduled run triggers task/notification
-> user reviews output
-> output can become normal task continuation
```
Product requirements:
- Scheduled outputs need the same acceptance path as manual tasks.
- Failed scheduled runs need alerts and retry/recovery.
### Flow G: External Connectors
```text
Connector setup
-> channel/connector config
-> sidecar or external provider
-> inbound event or outbound action
-> Beaver task/runtime
-> response or notification
```
Product requirements:
- External writes need clear user/admin control.
- Connector onboarding must show state, errors, and reconnect steps.
- Multi-instance callback routing must be explicit.
## 6. Governance Boundaries
### Instance Boundary
Each app instance owns:
- `config.json`
- `web_auth_users.json`
- `workspace/`
- skills and runtime state
- provider configuration
Risk:
- Cross-instance leakage would be a critical incident.
### Control Plane Boundary
Public exposure should be limited to:
- Auth portal.
- Router proxy for app instances.
Do not expose:
- `deploy-control`.
- `authz-service`.
### Tool Boundary
Tools are the action surface. Policy should distinguish:
- Read-only tools.
- Workspace-scoped write tools.
- External write tools.
- Destructive tools.
- Credential/permission/payment tools.
### Skill Boundary
Skills guide Agent behavior and tool use. Publishing a bad skill can create repeated bad behavior. Skill publishing therefore needs:
- Candidate quality signal.
- Safety report.
- Eval/replay evidence where possible.
- Human review.
- Version rollback.
### Memory Boundary
Memory creates long-term product value but also trust risk. Productization should include:
- Source.
- Confidence.
- Last used.
- Edit/delete/freeze controls.
- Task evidence showing when memory was used.
## 7. Architecture Maturity
| Area | Maturity | Notes |
| --- | --- | --- |
| Multi-instance deployment | Pilot-ready | Needs lifecycle and health automation |
| Chat workbench | Pilot-ready | UI docs show tested states |
| Task lifecycle | Strong | Core product loop exists |
| Task evidence | Strong foundation | Needs narrative/summary layer |
| Agent team | Functional | Needs product explanation and failure UX |
| Files | Pilot-ready | UI docs show tested workflows |
| Tools/MCP | Functional | Needs policy hardening and admin clarity |
| Skills | Functional | Needs stronger quality gates and reuse metrics |
| Memory | Backend foundation | Needs visible product controls |
| Scheduled work | Basic product capability | Needs stability and clearer run handling |
| Connectors | Mixed maturity | Need pilot-safe connector list |
| Operations | Basic | Needs health console, backup/restore, runbook |
## 8. Architecture Risks
| Risk | Severity | Mitigation |
| --- | --- | --- |
| Control-plane service exposed publicly | Critical | Deployment checks and docs; firewall/proxy validation |
| Instance data leakage | Critical | Path isolation tests, authz tests, MinIO/user-files policy checks |
| Tool side effects without review | High | Tool policy profiles, evidence logs, connector sandbox |
| Provider misconfiguration blocks first use | High | Onboarding checks and settings diagnostics |
| Product surface becomes hard to operate | High | Admin health console and staged pilot scope |
| Memory trust gap | High | Memory control center before broad memory activation |
| Skill quality drift | High | Safety/eval/replay and publish gates |
## 9. Recommended Architecture Roadmap
### Next 30 Days
- Rehearse clean deployment and record missing steps.
- Add pilot health checklist for auth portal, authz, deploy control, router, and app instance.
- Define pilot-safe tools and connectors.
- Add task evidence narrative summary.
- Track accepted task, skill candidate, and skill reuse events.
### Next 90 Days
- Memory Control Center MVP.
- Admin Health Console MVP.
- Instance suspend/resume/backup/restore runbook or tooling.
- Connector sandboxing and side-effect policy.
- Skill replay/eval as part of skill governance.
- Organization/team-level roadmap decision.
## 10. Product Architecture Principle
Beaver should keep its product architecture centered on controlled Agent work:
```text
private workspace
+ task lifecycle
+ tool/file execution
+ evidence
+ acceptance
+ skill/memory reuse
+ operational governance
```
New features should strengthen this loop. Features that do not improve execution, evidence, acceptance, reuse, or governance should be treated as secondary until the pilot motion is proven.

494
docs/product-discovery/beaver/product-discovery-report.md Normal file
View File

@ -0,0 +1,494 @@
# Beaver Product Discovery Report
Date: 2026-06-09
Product stage: existing product
Scope: the whole Beaver product, including deployment, runtime, UI, Agent execution, tasks, files, tools, skills, memory, connectors, scheduled work, governance, validation, launch, and maintenance.
## Executive Summary
Beaver is an enterprise Agent sandbox and execution platform. Its product promise is to move AI from "chat that gives answers" to "controlled Agent work that creates deliverables, records evidence, asks for acceptance, and turns accepted work into reusable capability."
The strongest product wedge is not another chatbot UI. It is the full execution loop:
```text
user request
-> task recognition
-> Agent/team execution
-> tool and file work
-> evidence timeline
-> user acceptance or revision
-> skill and memory learning
-> future reuse
```
The current codebase already supports major parts of this loop: multi-instance Docker deployment, auth portal, app instances, chat workbench, task center, task details, user acceptance, files, tools, skills, skill learning, marketplace, settings, connectors, scheduled jobs, and backend Agent team orchestration. The next product challenge is packaging these capabilities into a clear buyer story, validating the highest-value use cases, hardening operational reliability, and making governance understandable to non-engineer stakeholders.
Recommended product strategy:
1. Position Beaver as "enterprise Agent execution and governance," not as a general AI chat app.
2. Focus first on repeatable knowledge work that is high-frequency, cross-tool, evidence-sensitive, and review-heavy.
3. Treat task acceptance, evidence, skills, and memory as the core product loop.
4. Productize deployment and operations enough for pilots before broad feature expansion.
5. Validate value through real workflows, not opinions about AI.
## Product Summary
### Product Description
Beaver is a private-deployable Agent workspace for teams that need AI to perform work, not only answer questions. A user can chat, upload files, trigger tasks, review execution evidence, accept or revise results, manage tools, install or publish skills, configure model providers, connect external systems, and run scheduled work.
### Target Users
| Segment | Primary Need | Why Beaver Fits |
| --- | --- | --- |
| Enterprise AI platform owner | Provide controlled Agent capability to teams | Private deployment, per-instance boundaries, tools, skills, governance |
| Knowledge workflow team | Finish recurring multi-step work faster | Task execution, files, tools, acceptance, scheduled work |
| Project / delivery team | Produce and revise deliverables with traceability | Task timeline, artifacts, evidence, revision loop |
| Engineering / support team | Use AI with files, commands, logs, and review | Tool execution, task evidence, multi-agent planning |
| Operations / admin | Configure models, users, connectors, and instances | Auth portal, deploy control, settings, status, logs |
| Skill owner / reviewer | Turn successful work into reusable methods | Skill candidates, drafts, safety/eval reports, review, publish |
### Current Feature Map
| Domain | Current State | Product Meaning |
| --- | --- | --- |
| Auth and onboarding | Auth portal, register/login, model provider onboarding | Users can enter a controlled workspace |
| Multi-instance deployment | Deploy control creates isolated app-instance containers; router proxy routes by host | Enables per-user or per-team sandboxing |
| Chat workbench | Conversations, attachments, task cards, current task progress, acceptance controls | Main user workspace |
| Task runtime | Auto task recognition, task creation, runs, timeline, status, acceptance | Converts chat into managed work |
| Agent execution | Unified engine, main agent, sub-agent/team execution, sequence/parallel/DAG coordinator | Handles complex work beyond one response |
| Tools | Built-in tools, MCP tools, tool management UI | Lets Agents act on files, web, terminal, integrations |
| Files | Workspace file browser, upload, preview, download, delete | Gives AI and users a shared working surface |
| Skills | Published skills, candidates, drafts, safety/eval, review, publish | Turns accepted work into reusable methods |
| Marketplace | Skill discovery/install flow | Foundation for capability distribution |
| Memory | Backend long-term memory foundation exists, product integration still incomplete | Future compounding personalization and organization knowledge |
| Scheduled work | Cron jobs, notifications, scheduled task flows | Moves from reactive chat to proactive work |
| Connectors | Outlook and external connector architecture; Feishu/Weixin-related sidecar paths | Brings Agent into real business channels |
| Settings/status/logs | Provider config, agent config, channel config, runtime status, restart | Admin control and troubleshooting |
### Current Value Proposition
For enterprise teams:
> Beaver provides a private Agent workspace where AI work is executed, tracked, reviewed, and reused. It gives teams the speed of AI assistance with the control needed for real business workflows.
For product pilots:
> Beaver is strongest when a team has recurring knowledge work that crosses files, tools, systems, and reviews.
### Current Challenges
| Challenge | Why It Matters |
| --- | --- |
| Product breadth is large | Buyers may not understand what to adopt first |
| Memory is partly backend-ready but not fully productized | "越用越懂" story needs visible control |
| Connector maturity varies by channel | Customer demos must avoid overpromising |
| Multi-instance deployment is powerful but operationally sensitive | Pilot success depends on stable setup and clear runbooks |
| Skill learning needs strong governance | Reuse can become risk if publishing is weak |
| Metrics are not yet productized | Hard to prove pilot value without baseline and target |
| Customer research is not yet captured | Current roadmap is inferred from implementation and product judgment |
## User Segments
### Segment 1: Enterprise AI Platform Owner
They need to safely introduce Agent capability into an organization. Their concern is not whether an LLM can answer a question; it is whether teams can use it without losing control of data, tools, cost, and quality.
### Segment 2: Workflow Owner
They own a recurring process such as weekly reporting, project status, proposal drafting, research, operations follow-up, support triage, or document review. They want less manual coordination and more repeatable output.
### Segment 3: Individual Knowledge Worker
They want one workspace where they can chat, upload files, run tools, generate artifacts, and continue a task until the output is usable.
### Segment 4: Admin / Operator
They need to create instances, configure models, monitor status, debug logs, manage connectors, and keep deployment safe.
### Segment 5: Skill Maintainer
They curate reusable skills, review drafts, evaluate safety, publish stable versions, and prevent low-quality automation from spreading.
## JTBD
| User | Job Story | Current Alternative | Beaver Outcome |
| --- | --- | --- | --- |
| Platform owner | When teams ask for AI tools, I want a controlled Agent workspace so they can experiment without unmanaged SaaS sprawl | ChatGPT accounts, custom scripts, internal demos | Private, governed Agent workspace |
| Workflow owner | When a recurring process takes many manual steps, I want AI to execute and track it so my team can review the result | Manual docs, spreadsheets, Slack/email coordination | Task with timeline, artifacts, acceptance |
| Knowledge worker | When I ask AI to produce something, I want to revise and accept it as work, not just receive a message | Chat thread and copy/paste | Task lifecycle and deliverable loop |
| Admin | When a user registers, I want a workspace created and routed automatically so onboarding is repeatable | Manual container setup | Auth portal + deploy control + router proxy |
| Skill maintainer | When a task succeeds, I want to turn its method into a reusable skill so future tasks improve | Prompt docs, tribal knowledge | Skill candidate/draft/review/publish |
| Security reviewer | When Agents use tools, I want evidence and boundaries so I can audit behavior | Opaque model/tool calls | Tool traces, task evidence, instance sandbox |
## Opportunity Areas
Opportunity scores are qualitative estimates from current docs and product context. They need validation with customer interviews and pilot data.
| Opportunity | Importance | Current Satisfaction | Opportunity Score | Notes |
| --- | ---: | ---: | ---: | --- |
| I need AI outputs to become reviewable tasks, not loose chat replies | 0.95 | 0.30 | 0.67 | Core wedge |
| I need evidence of what the Agent did | 0.90 | 0.35 | 0.59 | Governance driver |
| I need repeatable workflows to become reusable skills | 0.85 | 0.40 | 0.51 | Learning moat |
| I need private deployment and instance boundaries | 0.90 | 0.45 | 0.50 | Enterprise adoption |
| I need AI to work across files, tools, and external systems | 0.85 | 0.45 | 0.47 | Workflow depth |
| I need proactive scheduled work, not only reactive chat | 0.70 | 0.45 | 0.39 | Expansion opportunity |
| I need memory that I can inspect and control | 0.80 | 0.25 | 0.60 | High future leverage |
Top opportunities:
1. Make AI work reviewable and acceptable.
2. Make process evidence and governance visible.
3. Turn accepted work into reusable skills and memory.
## Product Positioning
Recommended primary positioning:
> Beaver is an enterprise Agent execution and governance platform for repeatable knowledge work.
Supporting message:
> It gives teams a private Agent sandbox where AI can use tools, manage files, execute tasks, record evidence, ask for acceptance, and learn reusable skills from approved work.
Avoid positioning Beaver as:
- A generic chatbot.
- A pure model gateway.
- A standalone RPA replacement.
- A developer-only Agent framework.
- A marketplace-only skill product.
## Competitive Frame
| Category | Strength | Gap Beaver Addresses |
| --- | --- | --- |
| AI chat apps | Fast answers and content generation | Weak task lifecycle, evidence, acceptance, and reuse |
| RPA / automation | Repeatable process execution | Rigid flows, harder natural-language adaptation |
| Agent frameworks | Developer flexibility | Missing complete user workspace and governance surface |
| Internal scripts | Fast local automation | Poor product UX, auditability, onboarding, and scaling |
| Enterprise AI platforms | Governance and admin | Often weak on task-level execution and skill learning loop |
## Product Ideas
Generated from PM, design, and engineering perspectives.
### PM Ideas
1. Pilot Workflow Templates: package 3-5 high-value workflows such as weekly report, project brief, support triage, document review.
2. Team Workspace Mode: group multiple users under one organization workspace with shared skills and controlled memory.
3. Governance Scorecard: show evidence coverage, accepted tasks, skill reuse, failed runs, and tool risk.
4. Skill Quality Lifecycle: strengthen candidate -> draft -> safety -> eval -> review -> publish -> version rollback.
5. ROI Dashboard: measure time saved, accepted tasks, revision rounds, reusable skill adoption.
### Design Ideas
1. Work Inbox: unify tasks, scheduled runs, notifications, and pending reviews.
2. Task Evidence Narrative: convert raw events into readable "what happened" timeline.
3. Memory Control Center: show what Beaver remembers, why, source, confidence, and edit/delete controls.
4. First-Run Product Tour: guide a new user from provider setup to first accepted task.
5. Admin Health Console: one page for instance, provider, connector, queue, and runtime health.
### Engineering Ideas
1. Tenant/Workspace Policy Profiles: control allowed tools, connectors, memory behavior, and publish gates per deployment.
2. Connector Sandbox Layer: test external channel actions without touching production systems.
3. Unified Evidence Schema: normalize task, tool, artifact, skill, memory, and connector events.
4. Replay-Based Skill Evaluation: evaluate skill drafts against historical accepted runs.
5. Instance Lifecycle Automation: suspend, resume, backup, restore, rotate secrets, inspect health.
Top 5 product ideas to pursue:
| Rank | Idea | Why Selected | Assumptions |
| ---: | --- | --- | --- |
| 1 | Pilot Workflow Templates | Gives customers a concrete starting point | Initial buyers share common workflows |
| 2 | Task Evidence Narrative | Makes governance understandable | Reviewers value readable evidence |
| 3 | Memory Control Center | Unlocks long-term differentiation | Users trust memory if they can inspect/control it |
| 4 | Governance Scorecard | Helps buyers justify adoption | Platform owners need measurable proof |
| 5 | Instance Lifecycle Automation | Reduces pilot operational risk | Deployments will grow beyond a few instances |
## Key Assumptions
| Assumption | Category | Impact | Uncertainty |
| --- | --- | ---: | ---: |
| Enterprise teams feel enough pain with chat-only AI to adopt an Agent workspace | Value | High | Medium |
| Task acceptance is a meaningful quality signal | Value | High | Medium |
| Users will tolerate a task workflow instead of expecting instant chat only | Usability | High | Medium |
| Per-instance deployment is operationally acceptable for early customers | Feasibility | High | Medium |
| Workflow owners can identify repeatable tasks worth piloting | Value | High | Low |
| Skill reuse creates visible productivity gains | Business Viability | High | High |
| Memory control is required before customers trust long-term memory | Trust | High | Medium |
| Connectors are necessary for customer stickiness | Value | Medium | Medium |
| Admins can manage model provider configuration without heavy support | Usability | Medium | Medium |
| The team can maintain broad product surface without quality drift | Team Capability | High | High |
## Prioritized Assumptions
### P0 Validate Immediately
| Assumption | Why It Matters | What Could Go Wrong | Validation |
| --- | --- | --- | --- |
| Customers prefer task-based AI execution over chat-only for real work | Core product wedge | Users see tasks as overhead | Run 3 workflow pilots and compare chat-only vs task loop |
| Evidence timeline increases trust | Governance story depends on it | Evidence is too technical or noisy | Reviewer usability test with task timelines |
| Private multi-instance deployment is acceptable | Adoption depends on ops fit | Setup too fragile or expensive | Deploy pilot on fresh Linux host and measure time/errors |
| Accepted tasks can generate reusable skills that users value | Learning loop depends on this | Skills are low quality or unused | Track reuse of skills from accepted pilot tasks |
### P1 Important
| Assumption | Why It Matters | Validation |
| --- | --- | --- |
| Memory control center is required before broad rollout | Trust and differentiation | Interview pilot admins and users |
| Connectors drive retention | External systems make workflows real | Compare pilot workflows with and without Outlook/IM connectors |
| Scheduled work creates high-value usage | Moves Beaver from reactive to proactive | Test weekly report and reminder workflows |
| Marketplace/skill distribution is a buyer requirement | Scaling reuse across teams | Ask platform owners during procurement |
### P2 Later
| Assumption | Why It Matters | Validation |
| --- | --- | --- |
| Multi-user team workspace is required for first paid pilots | Could reshape architecture | Validate with buyer interviews |
| Fine-grained per-tool policies are needed in UI | Admin complexity | Observe support requests |
| Cross-instance organization analytics is needed early | Enterprise reporting | Validate after 2-3 pilots |
## Opportunity Solution Tree
Desired outcome:
> Within 90 days, prove that a pilot team can complete repeatable AI-assisted work with acceptance, evidence, and reuse: at least 30 accepted tasks, 5 reusable skills, 2 recurring workflows, and 0 critical deployment/security incidents.
```text
Outcome: Trusted repeatable Agent work in pilot teams
Opportunity 1: I need AI outputs to become reviewable deliverables.
Solution 1.1: Task lifecycle with acceptance and revision.
Experiment: Run a project brief workflow and measure accepted output rate.
Solution 1.2: Task details page with evidence narrative.
Experiment: Ask reviewers to reconstruct what happened from timeline.
Solution 1.3: Work Inbox for pending reviews and scheduled outputs.
Experiment: Fake-door navigation item and measure clicks/asks.
Opportunity 2: I need confidence that Agent tool use is controlled.
Solution 2.1: Tool traces and artifact timeline.
Experiment: Security review of 5 real tasks.
Solution 2.2: Admin health and policy console.
Experiment: Operator performs setup/debug checklist on fresh instance.
Solution 2.3: Connector sandbox and side-effect journals.
Experiment: Test external send/reply flows in sandbox mode.
Opportunity 3: I need successful work to become reusable.
Solution 3.1: Skill candidate -> draft -> review -> publish.
Experiment: Convert 5 accepted tasks into skills and track reuse.
Solution 3.2: Memory Control Center.
Experiment: Prototype memory review UI and test trust/comprehension.
Solution 3.3: Pilot workflow templates.
Experiment: Package 3 templates and measure first-task success rate.
```
## Validation Experiments
| Assumption | Hypothesis | Experiment | Duration | Success Criteria |
| --- | --- | --- | --- | --- |
| Task loop beats chat-only | Users complete more usable work with task acceptance than plain chat | Same workflow performed in chat-only and Beaver task loop | 1 week | Beaver output accepted in fewer revision rounds |
| Evidence creates trust | Reviewers can understand and audit what happened | Give 5 timelines to reviewers | 2 days | >=80% identify tools, artifacts, result, and risk |
| Deployment is pilot-ready | Fresh host setup is repeatable | Deploy on clean Linux/WSL2 machine using docs | 1 day | Setup under 2 hours with no undocumented step |
| Skills create reuse | Accepted tasks can become useful skills | Convert 5 pilot tasks into skills | 2 weeks | 3 skills reused at least twice |
| Memory needs control UI | Users trust memory more with inspect/edit/delete | Clickable prototype or simple page | 3 days | >=80% say they would enable memory with controls |
| Scheduled work matters | Recurring workflows create repeat usage | Weekly report or reminder pilot | 2-4 weeks | At least 2 recurring jobs run and get accepted outputs |
## Feature Prioritization
### Must Have
| Feature | Impact | Effort | Risk | Reason |
| --- | --- | --- | --- | --- |
| Auth portal and instance onboarding | High | High | Medium | Required for any user to start |
| Provider configuration flow | High | Medium | Medium | Model access is prerequisite |
| Chat workbench | High | High | Medium | Primary user surface |
| Task lifecycle and acceptance | High | High | Medium | Core differentiation |
| Task timeline/evidence | High | High | Medium | Governance and review |
| Files workspace | High | Medium | Medium | Most real workflows need files |
| Tool management | High | Medium | High | Agents need controlled action surface |
| Skills review/publish | High | High | High | Reuse loop |
| Settings/status/logs | High | Medium | Medium | Operational support |
| Basic deployment guide/runbook | High | Medium | Medium | Pilot readiness |
### Should Have
| Feature | Impact | Effort | Risk | Reason |
| --- | --- | --- | --- | --- |
| Pilot workflow templates | High | Medium | Low | Creates adoption path |
| Evidence narrative layer | High | Medium | Medium | Makes audit readable |
| Memory Control Center | High | High | Medium | Unlocks long-term trust |
| Skill replay/eval hardening | High | High | High | Makes learning safer |
| Scheduled workflow polish | Medium | Medium | Medium | Supports proactive use cases |
| Connector onboarding polish | Medium | High | High | Needed for real systems |
| Admin health console | Medium | Medium | Medium | Reduces support load |
### Could Have
| Feature | Reason |
| --- | --- |
| Multi-user organization workspace | Valuable, but changes scope and permissions |
| Cross-instance analytics | Useful after multiple deployments |
| Fine-grained policy UI | Need policy demand before UI complexity |
| Audit export | Strong sales support, not first pilot blocker |
| Cost/quality model router | Useful after usage volume grows |
### Not Yet
| Feature | Reason |
| --- | --- |
| Broad public SaaS launch | Product and ops need pilot hardening first |
| Fully autonomous publish of skills | Human review should remain mandatory |
| Production writes through connectors without review | Trust risk |
| Complex enterprise RBAC before pilot validation | May overbuild before segment clarity |
## Metrics Dashboard
### North Star Metric
Accepted Agent Workflows:
> Number of AI-assisted tasks or scheduled workflows accepted by users per active pilot team per week.
Why this metric: it captures real delivered value better than messages sent, tokens used, or model calls.
### Input Metrics
| Metric | Definition | Target For Pilot |
| --- | --- | --- |
| Task Creation Rate | Tasks created / active users / week | Increasing weekly |
| Acceptance Rate | Accepted task runs / completed task runs | >=60% in pilot |
| Revision Rate | Runs needing revision / completed runs | Track down over time |
| Evidence Coverage | Task runs with timeline/tool/artifact evidence / task runs | >=90% |
| Skill Candidate Rate | Accepted tasks producing candidates / accepted tasks | >=20% after week 2 |
| Skill Reuse Rate | Runs activating published pilot skills / task runs | >=15% after skills exist |
| Scheduled Success Rate | Accepted scheduled outputs / scheduled runs | >=50% for selected workflows |
| Deployment Success Time | Fresh deployment time to first working user | <2 hours for pilot |
### Guardrail Metrics
| Metric | Alert |
| --- | --- |
| Critical tool/security incident | Any occurrence |
| Instance creation failure rate | >10% in pilot |
| Provider configuration failure rate | >20% |
| Task run failure rate | >20% for 2 consecutive days |
| Connector side-effect incident | Any unintended external write |
| User file permission/storage incident | Any cross-user or cross-instance leak |
| p95 task completion latency | Exceeds pilot workflow tolerance |
### Business Metrics
- Pilot activation: teams reaching first accepted task.
- Time to first accepted task.
- Weekly active task users.
- Repeated workflow count.
- Skill reuse per team.
- Customer-reported time saved.
- Pilot conversion intent.
## Customer Research Plan
No direct interview transcripts were provided. Research should start immediately before locking roadmap.
### Participants
- 5 knowledge workers with recurring document/report/research workflows.
- 3 workflow owners or team leads.
- 3 enterprise AI platform/admin stakeholders.
- 2 security or IT reviewers.
- 2 engineers/operators who would deploy and maintain Beaver.
### Questions
- What recurring work is painful enough to delegate to an Agent?
- What would make an AI output "acceptable" instead of just "interesting"?
- What evidence do you need to trust Agent work?
- What systems must the Agent connect to for the workflow to matter?
- What would make you stop a pilot?
- What memory or reuse behavior feels helpful vs risky?
- What does a successful 30-day pilot need to prove?
## Interview Guide
### Opening
We are studying how teams move AI from chat into real work. We are not asking whether you like an idea. We want examples of work you recently did.
### Current Behavior
- Walk me through the last time you used AI for a real work deliverable.
- What happened after the AI gave an answer?
- What did you copy, edit, verify, or redo manually?
- Who reviewed the result?
### Pain
- What was the slowest or most annoying part?
- What made the output hard to trust?
- What tools or files were involved?
- What evidence did you need but did not have?
### Reuse
- Have you repeated a similar workflow since then?
- Did you reuse prompts, templates, scripts, or notes?
- What would make that reuse safe for a team?
### Governance
- What AI actions would need approval?
- What data or tools should be off limits?
- Who needs to see the history of what happened?
### Pilot
- Which one workflow would you test first?
- What result would make you expand usage?
- What failure would make you stop?
## Recommended Next 30 Days
1. Pick 2-3 pilot workflows: project brief, weekly report, document review, support triage, or file processing.
2. Run fresh deployment rehearsal from README/deployment guide and record gaps.
3. Define pilot metrics and instrument accepted tasks, revisions, skill candidates, skill reuse, and run failures.
4. Create a task evidence narrative prototype on top of existing timeline data.
5. Package pilot workflow templates as skills or documented demos.
6. Validate provider onboarding with 3 non-engineer users.
7. Run security review for file boundaries, tool execution, connectors, and deploy-control exposure.
8. Decide which connector(s) are pilot-safe.
## Recommended Next 90 Days
1. Complete Memory Control Center MVP.
2. Harden skill learning with replay/eval and publish gates.
3. Add Admin Health Console for provider, instance, connector, task queue, and runtime status.
4. Improve instance lifecycle: suspend, resume, backup, restore, rotate secrets.
5. Add customer-facing pilot scorecard.
6. Formalize tool/connector policy profiles.
7. Expand pilot from one workflow to one department.
8. Build audit export after evidence narrative stabilizes.
## Biggest Risks
| Risk | Severity | Mitigation |
| --- | --- | --- |
| Product appears too broad and hard to adopt | High | Lead with pilot workflows and task loop |
| Deployment complexity blocks pilots | High | Rehearsed runbook, health checks, support checklist |
| Agent actions cause unintended side effects | Critical | Conservative tool policy, explicit connector sandboxing, evidence logs |
| Task evidence is too technical | High | Evidence narrative and reviewer testing |
| Skill learning publishes poor methods | High | Human review, safety/eval, replay validation |
| Memory feels creepy or uncontrollable | High | Memory control UI before broad enablement |
| Team spreads effort across too many modules | High | Prioritize task loop, evidence, skills, deployment reliability |
## Recommended Immediate Actions
1. Reframe all main product docs around Beaver as an Agent execution and governance platform.
2. Treat Skill Replay Eval as a subfeature under the skill governance loop.
3. Build the next roadmap around pilot workflows, not isolated modules.
4. Make accepted tasks the main success metric.
5. Productize memory and evidence before adding many new connectors.
6. Prove deployment repeatability before selling broad private deployments.

1449
docs/product-discovery/beaver/product-prd.html Normal file
View File

File diff suppressed because it is too large Load Diff

378
docs/product-discovery/beaver/validation-plan.md Normal file
View File

@ -0,0 +1,378 @@
# Beaver Validation Plan
Date: 2026-06-09
Purpose: validate Beaver as a whole product before broader rollout.
## 1. Validation Strategy
Beaver should be validated through real workflows, not through opinions about AI.
The validation sequence:
```text
customer problem
-> workflow fit
-> first-run onboarding
-> task execution
-> evidence comprehension
-> acceptance/revision
-> skill reuse
-> deployment and operations
-> security/governance
```
## 2. Validation Questions
### Product Value
- Does Beaver solve a painful enough workflow problem?
- Does task acceptance make AI work feel more reliable?
- Do users complete more usable work than with chat-only AI?
- Does skill reuse save time after repeated workflows?
### Usability
- Can users understand when chat becomes a task?
- Can users find task evidence and artifacts?
- Can users accept, revise, or abandon without confusion?
- Can admins configure providers and connectors without engineering help?
### Technical Feasibility
- Can fresh deployments be created repeatably?
- Can app instances stay isolated?
- Can Agent tasks run reliably with files, tools, skills, and scheduled jobs?
- Can failures be diagnosed from status/logs/events?
### Governance And Security
- Are control-plane services private?
- Are file and workspace boundaries enforced?
- Are tool calls recorded and reviewable?
- Are external connector writes controlled?
- Is memory inspectable and controllable before broad use?
### Business Viability
- Does a pilot team have enough recurring workflows?
- Can the product produce measurable weekly value?
- Can an admin operate it with acceptable support load?
- Can the buyer justify expansion?
## 3. Pilot Workflow Candidates
| Workflow | Why It Fits | Required Capabilities | Success Signal |
| --- | --- | --- | --- |
| Weekly project report | Recurring, evidence-sensitive, review-heavy | scheduled work, files, task acceptance, artifacts | Report accepted weekly |
| Project brief / proposal | Multi-step, document-heavy, revision-heavy | chat, files, tools, task timeline, revisions | Brief accepted after fewer rounds |
| Document review | Clear deliverable and evidence need | files, task timeline, artifacts, acceptance | Review output accepted |
| Support triage | Tool/context-heavy and repeatable | tasks, tools, memory, maybe connector | Triage summary accepted |
| Research synthesis | Agent team fit, artifact-heavy | multi-agent, web/search, files, evidence | Synthesis accepted and reused |
Recommended first pilot:
1. Project brief or document review for manual task loop.
2. Weekly project report for scheduled workflow.
3. Skill reuse from the accepted outputs.
## 4. Customer Discovery Validation
### Participants
- 5 end users.
- 3 workflow owners.
- 3 admins/platform owners.
- 2 security reviewers.
- 2 operators/engineers.
### Method
- 45-minute interviews using past-behavior questions.
- 60-minute workflow walkthrough with Beaver.
- Follow-up after one week of usage.
### Evidence To Collect
- Current workflow steps.
- Time spent today.
- Existing tools/files/systems involved.
- Review/approval requirements.
- Trust blockers.
- Repeat frequency.
- What would count as a successful pilot.
### Pass Criteria
- At least 3 workflows are repeated weekly or more.
- At least 2 workflows involve files or external tools.
- At least 2 stakeholders require evidence/auditability.
- At least 1 team lead agrees to a real pilot workflow.
## 5. Product Workflow Validation
### Test 1: First Accepted Task
Goal: user reaches first accepted task.
Steps:
1. Register or log in.
2. Configure provider.
3. Start from a suggested workflow or freeform chat.
4. Upload or reference a file if needed.
5. Let Beaver create/continue a task.
6. Inspect output and evidence.
7. Accept or request revision.
Pass criteria:
- User completes without developer assistance.
- First accepted task occurs in one session.
- User can explain what Beaver did.
### Test 2: Revision Loop
Goal: prove Beaver handles "not good enough yet."
Steps:
1. Run a task.
2. Ask for a specific revision.
3. Confirm the same task context continues.
4. Accept revised output.
Pass criteria:
- Revision feedback is preserved.
- Task timeline shows revision.
- User does not need to restate full context.
### Test 3: Evidence Review
Goal: verify trust and auditability.
Steps:
1. Give reviewer a completed task detail page.
2. Ask them what happened, what tools/files were used, and what result was produced.
3. Ask whether they would approve the output.
Pass criteria:
- >=80% reviewers identify the key actions and artifacts.
- Reviewers can state at least one risk or confidence reason.
### Test 4: Skill Reuse
Goal: prove accepted work can compound.
Steps:
1. Accept a task.
2. Generate skill candidate/draft.
3. Review and publish skill.
4. Run a similar task.
5. Check whether skill activates and improves work.
Pass criteria:
- At least 3 pilot skills are reused twice.
- Users report lower effort on repeated task.
### Test 5: Scheduled Workflow
Goal: validate proactive work.
Steps:
1. Create scheduled job.
2. Trigger or wait for scheduled run.
3. Review notification/output.
4. Accept or revise.
Pass criteria:
- Scheduled run is visible.
- Output enters review flow.
- Failed run has clear recovery path.
## 6. Technical Validation
### Deployment Validation
Run on a fresh Linux/WSL2 host:
1. Build images.
2. Create Docker network.
3. Start router proxy.
4. Start authz service.
5. Start deploy control.
6. Start auth portal.
7. Register user.
8. Configure provider.
9. Open app instance.
10. Complete first task.
Pass criteria:
- Under 2 hours with docs only.
- No undocumented environment variables.
- Public exposure limited to auth portal and router proxy.
### Instance Isolation Validation
Checks:
- Instance A cannot access Instance B workspace.
- User file roots stay scoped.
- Router sends host to correct container.
- Provider config is instance-specific.
- Deleting one instance does not affect another.
Pass criteria:
- No cross-instance reads/writes.
- Registry state remains consistent.
### Runtime Validation
Checks:
- Chat API.
- WebSocket/runtime status.
- Task creation and deletion.
- Task detail events.
- File upload/preview/download/delete.
- Tool test.
- Skill candidate/draft/review/publish.
- Cron create/toggle/run/delete.
- Settings provider save.
- Runtime restart.
Pass criteria:
- Critical user flows pass on desktop and mobile viewport.
- Failure states have visible recovery.
## 7. Security And Governance Validation
### Control Plane
- Confirm `deploy-control` and `authz-service` are not publicly reachable.
- Confirm tokens are required for control-plane calls.
- Confirm instance creation cannot be triggered without authorization.
### Files
- Confirm only allowed user roots are visible.
- Confirm absolute-style or cross-prefix paths are rejected.
- Confirm delete operations require explicit user action.
### Tools
- Classify pilot tools as read, workspace write, external write, destructive, credential/permission.
- Record tool calls in task evidence.
- Block or require review for dangerous actions.
### Connectors
- Use sandbox/test accounts for pilot when possible.
- Confirm callback base URL is per-instance.
- Confirm disconnect/reconnect path.
### Memory
Until Memory Control Center exists:
- Keep memory use conservative.
- Document what is stored.
- Avoid enabling opaque long-term memory for sensitive pilots.
## 8. Usability Validation
Viewports:
- 320px.
- 375px.
- 390px.
- 768px.
- 1024px.
- 1365px.
- One mobile landscape viewport.
Screens:
- Auth portal login/register/provider onboarding.
- Chat workbench.
- Task list/detail.
- Files.
- Skills.
- Marketplace.
- Tools.
- Notifications/cron.
- Outlook/connectors if in pilot.
- Settings/status/logs.
Pass criteria:
- No horizontal overflow.
- No inaccessible critical controls.
- Touch targets are usable.
- Loading, empty, error, success, and disabled states are visible.
## 9. Metrics Validation
Instrument or manually collect:
- Time to first accepted task.
- Accepted tasks per user/team/week.
- Acceptance rate.
- Revision rate.
- Task run failure rate.
- Evidence coverage.
- Skill candidates.
- Skill drafts.
- Published skills.
- Skill reuse.
- Scheduled run success.
- Provider setup failure.
- Instance creation failure.
- Connector setup failure.
Minimum pilot dashboard:
```text
Accepted tasks
Acceptance rate
Revision rate
Task failures
Skill reuse
Scheduled runs
Deployment/provider errors
Critical incidents
```
## 10. Pilot Exit Criteria
Proceed to broader rollout only if:
- A pilot team completes >=30 accepted tasks in 30 days.
- At least 2 recurring workflows are active.
- At least 5 skills are created and 3 reused twice.
- Task acceptance rate is >=60%.
- No critical security or deployment incidents occur.
- Fresh deployment can be repeated from docs.
- Admin can diagnose common failures from status/logs/runbook.
- Pilot owner can clearly state why Beaver is better than chat-only AI for their workflow.
## 11. Decision Matrix
| Result | Decision |
| --- | --- |
| High task acceptance, low skill reuse | Improve skill learning and workflow templates |
| High interest, deployment friction | Invest in deploy runbook and health console |
| Good demos, low recurring use | Revisit target segment and workflow selection |
| High usage, trust concerns | Prioritize evidence narrative, policy, memory controls |
| Connector demand dominates | Narrow connector roadmap to one high-value system |
| Memory concerns dominate | Build Memory Control Center before expansion |

387
docs/product-discovery/skill-replay-eval/PRD-skill-replay-eval.md Normal file
View File

@ -0,0 +1,387 @@
# PRD: Skill Replay Eval
Date: 2026-06-09
Status: Product discovery complete; implementation validation required
## 1. Summary
Skill Replay Eval is Beaver's evidence-based quality gate for reusable Agent skills. It evaluates a skill draft against accepted historical task runs, compares baseline and candidate behavior, reports execution/surrogate/blocked tool coverage, checks preservation for revised skills, and helps reviewers decide whether a draft can be published.
The goal is not to replace human review. The goal is to make review decisions safer, faster, and grounded in real task behavior.
## 2. Contacts
| Role | Owner | Comment |
| --- | --- | --- |
| Product | TBD | Owns scope, rollout, customer research, metrics |
| Engineering | TBD | Owns replay runner, tool policy, eval report, UI wiring |
| Design | TBD | Owns reviewer decision flow and report comprehension |
| Security / IT reviewer | TBD | Owns replay side-effect policy and launch approval |
| Customer pilot lead | TBD | Owns pilot participant selection and feedback loop |
## 3. Background
Beaver's product promise is that successful AI tasks can become reusable skills. This is valuable only if skill publishing is trustworthy. The current heuristic evaluator can estimate draft quality from text and accepted run metadata, but it cannot prove the draft behaves correctly in realistic tasks. It also cannot reliably detect tool misuse, unsafe side effects, or missing instructions in revised skills.
The new design introduces replay-style evaluation:
- Select accepted historical task cases.
- Run a baseline arm and a candidate arm.
- Execute safe tools in a replay context.
- Record unsafe or unavailable tools for surrogate judgment.
- Block destructive actions.
- Aggregate score, coverage, confidence, regressions, and preservation risk.
- Show the report in the Skills review page.
- Use publish gates to prevent low-confidence or unsafe releases.
Why now:
- Beaver already has task evidence, accepted runs, skill candidates, skill drafts, safety reports, eval reports, review, and publish flow.
- The customer-facing story emphasizes enterprise governance and reusable skills.
- Without stronger eval, the skill-learning loop can create risk instead of trust.
## 4. Objective
### Objective
Make skill publishing evidence-based and safe enough for enterprise pilot use.
### Why It Matters
For customers, Skill Replay Eval turns Beaver from "an Agent that can learn" into "an Agent platform with controlled learning." For the team, it reduces blind publish risk and creates a repeatable way to improve skill quality.
### Key Results
| Key Result | Target |
| --- | --- |
| Trusted Skill Publish Rate | >=80% of approved drafts have replay evidence or explicit skipped-provider evidence during pilot |
| Replay Side-Effect Safety | 0 production side-effect incidents caused by replay |
| Reviewer Decision Time | Median approve/reject/revise decision under 10 minutes for common drafts |
| Report Comprehension | >=80% of reviewers correctly explain execution, surrogate, blocked, and confidence meanings in usability tests |
| Regression Visibility | 100% of replay reports expose regression count, score delta, and case-level details |
| Preservation Visibility | 100% of revise/merge replay reports with base content expose preservation result |
## 5. Market Segments
### Primary Segment: Enterprise AI Platform Teams
They want private or controlled Agent deployment, reusable workflows, governance, and auditability. They need evidence before reusable skills are distributed.
### Secondary Segment: Internal Workflow Teams
They run repeatable knowledge workflows such as reports, support, project delivery, file processing, or research. They want accepted AI work to become reusable without manual prompt engineering every time.
### Internal Segment: Beaver Operators And Engineers
They need debuggable replay behavior, predictable tool policies, and operational visibility.
### Constraints
- Replay must not execute production external writes by default.
- Replay should use existing stores and skill learning pipeline where possible.
- Evaluation report payload must remain compatible with existing UI and stored reports.
- First release should cap replay case count to control latency and cost.
- Human review remains mandatory.
## 6. Value Propositions
### For Skill Reviewers
Pain avoided: approving a skill by reading text only.
Gain: see whether the candidate improves, regresses, or preserves behavior on accepted tasks.
### For Enterprise Admins
Pain avoided: uncontrolled AI learning that silently changes team behavior.
Gain: clear publish gates, safety report, replay report, coverage, confidence, and preservation evidence.
### For Workflow Owners
Pain avoided: successful task patterns disappearing into chat history.
Gain: accepted work can become reusable skills with validation before reuse.
### For Engineers
Pain avoided: debugging vague "skill quality" complaints.
Gain: case-level traces, tool classifications, side effects, and reproducible failure categories.
## 7. Solution
### 7.1 UX / User Flow
Primary reviewer flow:
```text
Skill candidate generated
-> draft created
-> safety report generated
-> replay eval report generated
-> reviewer opens Skills draft page
-> reviewer reads summary: pass/fail, baseline, candidate, delta, coverage, confidence
-> reviewer drills into cases, tool calls, side effects, preservation report
-> reviewer approves, requests revision, or rejects
-> publish gate enforces safety, eval, confidence, blocked coverage, preservation
```
Required UI behavior:
- Show report status first: passed, failed, skipped provider, replay error, or partial.
- Show baseline average, candidate average, and score delta.
- Show execution coverage, surrogate coverage, blocked coverage, and confidence.
- Show improved, regressed, and unchanged case counts.
- Show replay cases in a compact table.
- Show raw case reports only after the summary.
- Show preservation report for revise/merge drafts.
- Use clear wording for skipped-provider reports: no replay evidence was run.
Recommended UI improvement:
- Add a reviewer decision summary above raw details:
- "Recommended action: Approve / Revise / Reject / Needs manual review"
- "Reason: low confidence, preservation failure, regression, or blocked calls"
### 7.2 Key Features
#### Historical Case Selection
Requirements:
- Select up to 10 accepted historical runs.
- For revised skills, prefer accepted runs that activated the target skill/version.
- For new skills, use candidate source runs or similar task themes.
- For merged skills, use accepted runs where related skills co-activated.
- Prefer recent accepted runs and diversify repeated tasks.
Acceptance criteria:
- Case selection returns no more than 10 cases.
- Failed or unaccepted runs are excluded.
- Baseline skill names are populated for revise and merge candidates.
#### Baseline And Candidate Replay Arms
Requirements:
- Run the same task text for both arms.
- Use the same model settings, bounded historical context, max tool iterations, and replay policy.
- Baseline arm uses no skill, old skill, or related old skills depending on candidate type.
- Candidate arm injects the draft as pinned draft guidance.
Acceptance criteria:
- Both arms produce run id, session id, final answer, finish reason, tool calls, side effects, and artifacts.
- Replay runs are marked with source `skill_replay_eval`.
- Replay does not create user-visible normal task sessions.
#### Tool Mode Classification
Requirements:
- Classify each tool call as:
- `executed`: safe to execute in replay context.
- `surrogate`: unsafe/unavailable to execute but can be judged from intended call.
- `blocked`: cannot safely execute or judge.
- Safe defaults include filesystem, user files, core, web, and search where isolation is available.
- External writes and connector/MCP write actions default to surrogate.
- Destructive operations default to blocked.
Acceptance criteria:
- Each tool trace includes tool name, arguments, schema, toolset, metadata, mode, classification reason, and result.
- Destructive terms such as delete/remove/destroy/revoke/permission/credential/payment/pay are blocked.
- External write terms such as send/post/publish/create/update/invite/reply/forward are not executed against production systems by default.
#### Surrogate Evaluation
Requirements:
- Score baseline and candidate intended tool use when tools are surrogate or blocked.
- Include task text, tool schema, arguments, classification reason, final answer, and side effects in judgment payload.
- Lower confidence when surrogate or blocked coverage is high.
Acceptance criteria:
- Reports include baseline score, candidate score, delta, confidence, and validator notes.
- Blocked calls reduce score and confidence.
- Surrogate scoring is transparent and does not pretend to be real execution.
#### Preservation Check
Requirements:
- For revise and merge drafts, compare base skill content against proposed draft content.
- Report preserved sections, changed sections, dropped sections, pass/fail, and risk level.
- Failed preservation blocks publish.
Acceptance criteria:
- Revision drafts with dropped important sections fail preservation.
- Reports are visible in the Skills UI.
- Publish gate blocks failed preservation.
#### Eval Report Model
Requirements:
- Extend existing `SkillDraftEvalReport` without breaking legacy reports.
- Keep existing fields: passed, baseline_score_avg, candidate_score_avg, score_delta, regression_count, improved_count, unchanged_count, cases, status.
- Add replay fields: eval_version, mode, execution_coverage, surrogate_coverage, blocked_coverage, confidence, case_reports, tool_mode_summary, preservation_report.
Acceptance criteria:
- Legacy reports deserialize with default replay fields.
- New reports serialize all replay fields.
- Frontend type definitions include replay fields.
#### Publish Gates
Requirements:
- Draft must still have approved review and passing safety report.
- Failed eval report blocks publish except explicit skipped-provider status.
- Replay report with low confidence blocks publish.
- Replay report with blocked coverage >=1.0 blocks publish.
- Failed preservation blocks publish.
Acceptance criteria:
- Publish attempts fail with clear errors for each gate condition.
- Skipped provider is visible and does not silently claim replay passed.
### 7.3 Technology
Backend:
- Python dataclasses.
- Existing file-backed memory stores.
- `SkillLearningPipelineService.evaluate_draft()`.
- `SkillDraftEvaluator`.
- `ReplayRunner`, `ReplayToolExecutor`, `ReplayToolPolicy`.
- `SurrogateToolEvaluator`.
- `SkillDraftEvalReport`.
- FastAPI endpoint wiring through existing Skills APIs.
Frontend:
- Next.js / TypeScript Skills page.
- Existing design system and report card patterns.
- Typed replay report fields in `types/index.ts`.
Testing:
- Unit tests for eval report compatibility.
- Case selection tests.
- Preservation tests.
- Replay executor and replay runner tests.
- Agent loop replay executor override tests.
- Surrogate scoring tests.
- Pipeline publish gate tests.
- Frontend smoke/manual review for report rendering.
### 7.4 Data Model
Eval report fields:
| Field | Type | Purpose |
| --- | --- | --- |
| `eval_version` | string | Version of eval model, e.g. `replay-v1` |
| `mode` | string | `heuristic` or `replay` |
| `execution_coverage` | number | Share of replay tool calls actually executed |
| `surrogate_coverage` | number | Share judged through surrogate |
| `blocked_coverage` | number | Share blocked |
| `confidence` | string | low, medium, high |
| `case_reports` | array | Detailed baseline/candidate case reports |
| `tool_mode_summary` | object | Aggregate tool mode counts |
| `preservation_report` | object/null | Preservation result for revise/merge |
### 7.5 Assumptions
- Accepted historical runs exist and are useful.
- Replay can be isolated enough for safe tool execution.
- Reviewers understand and trust the report after UI iteration.
- Surrogate scoring can be improved over time without blocking v1.
- Publish gates can be calibrated during pilot.
### 7.6 Non-Goals
- No production third-party writes during automatic replay.
- No automatic publishing based only on replay score.
- No full Docker orchestration per replay case in v1.
- No customer-configurable per-tool policy UI in v1.
- No replacement of human review.
- No claim that replay is a complete benchmark of all future tasks.
## 8. Release
### V0: Internal Validation
Scope:
- Current replay report fields.
- Current case selection.
- Current replay runner integration.
- Current tool policy.
- Current Skills UI report display.
- Current publish gates.
Exit criteria:
- Unit tests pass for skill learning replay surface.
- Golden tool policy tests prove no production side effects.
- Reviewer can make decisions from 5 seeded cases.
- Known limitations are documented.
### V1: Pilot Release
Scope:
- Reviewer decision summary.
- Replay readiness indicator.
- Better preservation diff.
- Operational metrics for replay status, latency, provider skip, blocked coverage.
- Customer-facing explanation for replay evidence and confidence.
Exit criteria:
- 0 replay side-effect incidents.
- >=80% reviewer comprehension in usability test.
- Median reviewer decision time under 10 minutes.
- Pilot admins accept report as sufficient review support.
### V2: Enterprise Hardening
Scope:
- LLM surrogate evaluator with human-labeled calibration.
- Policy profiles by deployment risk tier.
- Audit export.
- Skill quality trend across versions.
- Replay operations dashboard.
Exit criteria:
- Human vs surrogate agreement >=80% on unsafe tool golden set.
- Clear process for policy changes and incident review.
- Enterprise pilot customers can use audit export in governance review.
## Open Questions
- What minimum replay case count should be required before a report is considered useful?
- Should skipped-provider reports block publish in regulated deployments?
- What exact confidence levels should map to publish gate behavior?
- Which toolsets are safe in each deployment mode?
- How should reviewer overrides be recorded when they publish despite weak evidence?
- What is the long-term storage retention policy for replay traces and artifacts?
## Success Review Checklist
- Product: Does the report answer "should this skill be published?"
- Design: Can reviewers understand the summary without reading raw JSON?
- Engineering: Can replay failures be reproduced and diagnosed?
- Security: Can replay prove no production side effects by default?
- Customer: Does this strengthen Beaver's enterprise trust story?

13
docs/product-discovery/skill-replay-eval/README.md Normal file
View File

@ -0,0 +1,13 @@
# Skill Replay Eval Product Discovery
This folder turns the Skill Replay Eval design into product-facing planning artifacts.
- [Product Discovery Report](./product-discovery-report.md): opportunity, users, assumptions, experiments, feature priority, metrics, and 30/90 day recommendations.
- [PRD](./PRD-skill-replay-eval.md): product requirements for engineering, design, review, validation, and release scope.
- [Launch And Maintenance Runbook](./launch-maintenance-runbook.md): rollout, readiness checks, operational ownership, alerting, and maintenance cadence.
Related source material:
- [Skill Replay Eval Design](../../superpowers/specs/2026-06-08-skill-replay-eval-design.md)
- [Skill Replay Eval Implementation Plan](../../superpowers/plans/2026-06-08-skill-replay-eval.md)
- [Beaver customer presentation](../../presentations/skill-replay-eval/index.html)

356
docs/product-discovery/skill-replay-eval/launch-maintenance-runbook.md Normal file
View File

@ -0,0 +1,356 @@
# Skill Replay Eval Launch And Maintenance Runbook
Date: 2026-06-09
Purpose: define how to validate, launch, operate, and maintain Skill Replay Eval safely.
## 1. Launch Principle
Ship Skill Replay Eval as a guarded trust feature.
The system may help reviewers approve or reject a skill draft, but it must not create false certainty. When evidence is weak, the product should say so clearly. When tool safety is unclear, replay should prefer surrogate or blocked modes over production execution.
## 2. Ownership
| Area | Owner | Responsibility |
| --- | --- | --- |
| Product quality | Product owner | Metrics, pilot feedback, publish threshold decisions |
| Replay pipeline | Backend engineer | Case selection, replay runner, scoring, report persistence |
| Tool safety policy | Backend + security reviewer | Tool classification, blocked/surrogate rules, side-effect tests |
| Skills UI | Frontend/design owner | Report summary, reviewer decision flow, report readability |
| Operations | Deployment owner | Logs, alerts, provider availability, incident response |
| Customer pilot | Pilot lead | Participant selection, feedback, rollout communication |
## 3. Pre-Launch Readiness
### Required Code Checks
Run backend tests from `app-instance/backend`:
```bash
pytest tests/unit/test_skill_learning_eval_report_model.py -v
pytest tests/unit/test_skill_learning_case_selection.py -v
pytest tests/unit/test_skill_learning_preservation.py -v
pytest tests/unit/test_skill_learning_replay.py -v
pytest tests/unit/test_skill_learning_replay_runner.py -v
pytest tests/unit/test_agent_loop_replay_executor.py -v
pytest tests/unit/test_skill_learning_surrogate.py -v
pytest tests/unit/test_skill_learning_eval.py -v
pytest tests/unit/test_skill_learning_pipeline.py -v
```
Run frontend verification from `app-instance/frontend`:
```bash
npm run lint
npm run test -- --runInBand
```
If frontend tests are not configured, perform manual Skills page verification with seeded report payloads.
### Golden Safety Cases
Before pilot launch, create or manually verify a golden set with these cases:
| Case | Expected Result |
| --- | --- |
| Safe filesystem read | `executed` |
| Safe filesystem write to replay workspace | `executed`, no production write |
| User-file write in replay namespace | `executed` only if isolated, otherwise `surrogate` |
| Web/search read | `executed` or cached read |
| Email send | `surrogate` |
| Calendar invite | `surrogate` |
| Connector publish/post/reply | `surrogate` |
| Delete/remove/destroy | `blocked` |
| Permission/credential/payment action | `blocked` |
Launch blocker:
- Any replay case mutates production workspace, user files, credentials, external accounts, permissions, or payment state.
### Report Readiness Checks
Each replay report must show:
- Eval status.
- Baseline average.
- Candidate average.
- Score delta.
- Improved/regressed/unchanged counts.
- Execution coverage.
- Surrogate coverage.
- Blocked coverage.
- Confidence.
- Replay cases.
- Case reports.
- Preservation report when applicable.
- Raw report for debugging.
### Publish Gate Checks
Publish must fail when:
- No approved review exists.
- Safety report is missing or failed.
- Eval report failed, except explicit skipped-provider status.
- Replay confidence is low.
- Replay blocked coverage is `1.0`.
- Preservation report failed.
Publish may proceed with explicit human review when:
- Provider is unavailable and eval status is `skipped_provider_unavailable`.
- Replay evidence is partial, but reviewer records a rationale and deployment policy allows it.
## 4. Rollout Plan
### Phase 0: Shadow Mode
Audience: internal team only.
Duration: 1 week or 10 draft evaluations, whichever comes first.
Behavior:
- Generate replay reports.
- Do not change existing publish decisions unless a critical safety issue appears.
- Compare replay recommendation with human reviewer decision.
Exit criteria:
- No production side effects.
- No unexplained replay crashes on common drafts.
- Reviewers can explain report meaning.
- Product owner reviews gate threshold data.
### Phase 1: Strict Internal Gate
Audience: internal maintainers and trusted reviewers.
Behavior:
- Enforce low-confidence, blocked coverage, failed preservation, failed eval, and failed safety gates.
- Require manual rationale for skipped-provider publish.
Exit criteria:
- 0 P0 incidents.
- Publish blockers are actionable and not noisy.
- Reviewer median decision time under 10 minutes for common drafts.
### Phase 2: Pilot Customer Gate
Audience: selected pilot customer or internal department.
Behavior:
- Keep human review mandatory.
- Provide customer-facing explanation of replay evidence.
- Track skipped-provider and low-confidence cases closely.
Exit criteria:
- Pilot admin accepts report as useful governance evidence.
- No side-effect incidents.
- Top confusion points are documented and scheduled for UI copy/design improvements.
### Phase 3: General Availability Candidate
Audience: all enabled deployments.
Behavior:
- Replay Eval enabled by default where provider and case data are available.
- Skipped-provider state remains explicit.
- Tool policy remains conservative.
Exit criteria:
- Operational dashboard exists.
- Incident response is rehearsed.
- Policy change process is documented.
## 5. Monitoring
### Product Metrics
| Metric | Owner | Cadence | Alert |
| --- | --- | --- | --- |
| Trusted Skill Publish Rate | Product | Weekly | <60% for 2 weeks |
| Reviewer Decision Time | Product/design | Weekly | p95 >30 minutes |
| Replay Regression Rate | Product/engineering | Weekly | >20% of replay reports |
| Report Comprehension | Product/design | Per research round | <80% explain coverage/confidence correctly |
### Operational Metrics
| Metric | Owner | Cadence | Alert |
| --- | --- | --- | --- |
| Replay status counts | Engineering | Daily during pilot | Any spike in `replay_error` or `partial` |
| Provider unavailable skip rate | Operations | Daily | >25% of evals in pilot |
| Replay latency p50/p95 | Engineering | Daily | p95 >15 minutes |
| Blocked coverage | Security/engineering | Weekly | Any report with blocked_coverage=1.0 |
| Production side-effect incidents | Security/operations | Immediate | Any nonzero event |
| Failed preservation reports | Product/engineering | Weekly | Spike after synthesizer change |
### Logs To Inspect
- Skill learning candidate events.
- Draft creation and safety report events.
- Eval report generation events.
- Replay arm run ids and source `skill_replay_eval`.
- Tool traces and classification reasons.
- Publish gate errors.
- Provider unavailable errors.
## 6. Incident Response
### P0: Production Side Effect During Replay
Examples:
- Email sent.
- Calendar invite created.
- External connector publish/post/reply happened.
- Production file or credential changed.
- Permission/payment action executed.
Immediate actions:
1. Disable replay eval generation.
2. Disable skill publish if policy risk is unclear.
3. Preserve logs, replay traces, eval reports, and affected tool metadata.
4. Identify tool name, toolset, metadata, classification reason, arguments, and tenant.
5. Patch policy to block or surrogate affected class.
6. Add a regression test to golden safety cases.
7. Notify pilot/customer owner if customer data or systems were affected.
Restart criteria:
- Root cause documented.
- Regression test passes.
- Security owner approves restart.
### P1: False Pass
Definition: draft passed replay and was published, then confirmed to regress a real accepted workflow.
Actions:
1. Unpublish or revert skill version if impact is active.
2. Add the failed task as a replay case.
3. Inspect whether case selection missed the scenario or scoring overrated it.
4. Adjust gate threshold, surrogate scoring, or preservation check.
5. Record postmortem in skill quality log.
### P1: False Block
Definition: useful draft blocked due to bad replay policy, low-confidence bug, or report construction issue.
Actions:
1. Do not bypass silently; record reviewer rationale.
2. Identify blocking rule and trace.
3. Add regression test if policy bug.
4. Decide whether threshold should change or case should remain blocked.
### P2: Provider Unavailable Spike
Actions:
1. Check provider configuration and model availability.
2. Confirm fallback status is explicit.
3. Track how many publish decisions rely on skipped-provider.
4. Pause broad rollout if skipped-provider exceeds pilot threshold.
## 7. Maintenance Cadence
### Daily During Pilot
- Check replay errors and provider skips.
- Check blocked_coverage=1.0 reports.
- Confirm no side-effect incidents.
- Review new publish gate failures.
### Weekly
- Review metrics dashboard.
- Calibrate publish gate thresholds.
- Review 3-5 replay reports for readability.
- Inspect false pass/false block candidates.
- Update tool policy based on new tools or connectors.
### Monthly
- Review customer/pilot feedback.
- Refresh golden safety cases.
- Sample preservation reports for missed instruction drops.
- Review storage growth from replay case reports and traces.
- Decide whether to promote features from Should Have to Must Have.
### Quarterly
- Revisit risk model and tool policy profiles.
- Review whether LLM surrogate calibration meets quality target.
- Decide whether to add audit export or per-deployment policy UI.
- Retire stale replay cases or update case selection logic.
## 8. Data Retention And Privacy
Replay reports may contain task text, tool arguments, schemas, final answers, and side-effect descriptions. Treat them as sensitive operational data.
Recommended policy:
- Store summarized report for normal review.
- Limit raw case report retention or restrict access to admins.
- Redact credentials, tokens, secrets, and obvious personal identifiers from tool arguments before display where possible.
- Do not include production external write results because they should not execute.
- Define tenant-specific retention before enterprise rollout.
## 9. Release Communication
### Internal Message
Skill Replay Eval adds evidence to skill publishing. Reviewers will now see whether a draft improved, regressed, or preserved accepted task behavior. Reports disclose what executed, what was judged by surrogate, what was blocked, and whether revised skills preserved important sections.
### Customer / Pilot Message
Beaver can now evaluate reusable skill drafts against prior accepted work before publication. The report shows both confidence and uncertainty. Unsafe external actions are not executed automatically during replay; they are recorded for review or blocked by policy.
### Known Limitations To Disclose
- Replay quality depends on available accepted historical runs.
- Surrogate evaluation is not the same as real execution.
- Low-confidence reports require more human review.
- Human approval is still required.
- First release does not include per-tool policy UI or full per-case container orchestration.
## 10. Rollback Plan
Rollback options:
1. Disable replay runner injection and fall back to heuristic eval.
2. Keep report fields but set mode to `heuristic`.
3. Keep publish gate requiring safety and human review.
4. Temporarily treat replay errors as non-blocking only if security owner confirms no side-effect risk.
5. Preserve failed replay reports for debugging.
Rollback triggers:
- Any P0 side-effect incident.
- Repeated replay errors that block normal skill review.
- Provider unavailable spike that makes most reports skipped.
- Reviewer decision time becomes unacceptable and no quick UI fix exists.
## 11. Launch Checklist
- [ ] Backend replay tests pass.
- [ ] Frontend report rendering verified.
- [ ] Golden tool safety cases pass.
- [ ] No production side-effect path found.
- [ ] Publish gates tested manually.
- [ ] Skipped-provider copy is clear.
- [ ] Reviewer decision summary exists or is tracked as a launch follow-up.
- [ ] Pilot participants selected.
- [ ] Metrics dashboard owner assigned.
- [ ] Incident owner and escalation path assigned.
- [ ] Rollback path verified.

512
docs/product-discovery/skill-replay-eval/product-discovery-report.md Normal file
View File

@ -0,0 +1,512 @@
# Skill Replay Eval Product Discovery Report
Date: 2026-06-09
Product stage: existing product
Primary feature: Skill Replay Eval for Beaver skill learning and publishing
Source context:
- Existing product and deployment: `README.md`, `部署指南.md`
- Feature design: `docs/superpowers/specs/2026-06-08-skill-replay-eval-design.md`
- Delivery plan: `docs/superpowers/plans/2026-06-08-skill-replay-eval.md`
- Current implementation signals: `beaver/skills/learning/{case_selection,preservation,replay,surrogate,eval}.py`, Skills page replay report UI, publish gate checks
- Customer positioning: `docs/presentations/skill-replay-eval/index.html`
## Executive Summary
Beaver is positioned as an enterprise Agent execution and governance platform. Its core value is not only running tasks, but also making AI work traceable, acceptable, reusable, and governable. Skill Replay Eval is the quality gate that makes the "reusable skill" promise credible: before a skill draft is published, Beaver should test whether it improves or preserves real task behavior.
The current design correctly identifies the product risk: heuristic-only skill scoring is not enough for enterprise trust. A draft skill can look complete in text while causing tool misuse, dropping safety instructions, or regressing accepted workflows. Replay evaluation closes this gap by comparing baseline and candidate behavior on accepted historical tasks, classifying tool calls into executed, surrogate, or blocked modes, and adding a preservation check for revised skills.
The product direction should be: ship replay eval as a staged trust feature, not as a perfect benchmark system. The first release should make evaluation coverage and uncertainty visible, block obvious regressions, and give reviewers enough evidence to approve or reject drafts. The next releases should improve case quality, sandbox isolation, surrogate judgment quality, and operational dashboards.
## Product Summary
### Product Description
Skill Replay Eval is a review and publishing gate for Beaver skills. It evaluates skill drafts against prior accepted task runs and shows whether the draft improves, preserves, or harms real task outcomes. It separates safe tool execution from surrogate evaluation for unsafe or unavailable tools, and it checks whether revised skill drafts preserve important original instructions.
### Target Users
| Segment | Job To Be Done | Success Looks Like |
| --- | --- | --- |
| Enterprise AI platform owner | Govern reusable Agent capabilities before they spread across teams | No risky skill is published without evidence, review, and audit trail |
| Skill reviewer / admin | Decide whether a skill draft is good enough to approve | Replay report explains score, coverage, regressions, and preservation risks |
| Internal workflow owner | Convert accepted tasks into repeatable team methods | Similar future tasks become faster and more reliable |
| Engineer / implementer | Build and debug the eval pipeline | Replay failures are reproducible, scoped, and observable |
| Security / IT reviewer | Understand side effects and tool risk | Production writes are not executed during automatic replay |
### Current Features
Existing Beaver product capabilities relevant to this feature:
- Task lifecycle: route, plan, execute, track, accept, modify, or abandon.
- Evidence and timeline: tool calls, artifacts, task status, and validation signals.
- Skill learning: candidates, drafts, safety report, eval report, review, publish.
- Multi-instance deployment: isolated `app-instance` per user/team via Docker.
- Tool and connector framework: local tools, MCP tools, external connectors, files, web/search, scheduled tasks.
Current Skill Replay Eval implementation signals:
- `SkillDraftEvalReport` has replay fields: mode, eval version, execution coverage, surrogate coverage, blocked coverage, confidence, case reports, tool mode summary, and preservation report.
- `select_replay_cases()` selects up to 10 accepted historical runs by candidate type.
- `ReplayToolExecutor` classifies tool calls as executed, surrogate, or blocked.
- `ReplayRunner` runs baseline and candidate arms through AgentLoop with a replay tool executor.
- `SurrogateToolEvaluator` scores non-executed calls through deterministic intended-call heuristics.
- Publish gates block low-confidence replay reports, fully blocked replay reports, and failed preservation reports.
- Skills UI exposes execution coverage, surrogate coverage, confidence, replay cases, raw case reports, and preservation reports.
### Current Architecture
```text
Accepted task runs
-> SkillLearningCandidate
-> SkillDraft
-> case selection
-> baseline arm and candidate arm
-> replay tool executor
-> executed tools for safe toolsets
-> surrogate traces for external writes or unsafe integrations
-> blocked traces for destructive calls
-> surrogate scoring and coverage aggregation
-> preservation checker for revise/merge
-> SkillDraftEvalReport
-> Skills review UI
-> publish gate
```
Product boundary:
- Replay Eval should evaluate skill behavior, not replace human review.
- Replay Eval should never write to production workspace, user files, external accounts, third-party systems, credentials, permissions, or payments by default.
- Low confidence should increase review burden instead of creating false certainty.
### Current Value Proposition
For enterprise users, Beaver can say: "Accepted work can become reusable skills, and those skills are checked against real task behavior before they are published." This directly supports Beaver's larger promise of controlled, traceable, reusable Agent execution.
### Current Challenges
| Challenge | Product Impact | Current Risk |
| --- | --- | --- |
| Historical accepted runs may be sparse or low quality | Replay evidence can be weak | Medium |
| Surrogate scoring is currently simple | Unsafe tool calls may be judged with low fidelity | High |
| Replay environment isolation must be enforceable | Enterprise trust depends on no accidental production side effects | High |
| Reviewers need clear explanations | Raw case reports can overwhelm non-engineers | Medium |
| Publish gates may be too strict or too loose | Either slows adoption or lets regressions through | Medium |
| Skill preservation is section-based | Important instruction changes inside a section may be missed | Medium |
## Missing Information And Ambiguities
- No real customer interview data is provided for skill reviewers, enterprise admins, or workflow owners.
- No baseline metrics exist for current heuristic eval false positives or false negatives.
- No defined quality threshold exists for minimum acceptable replay coverage per skill category.
- No clear operational owner is assigned for replay failures, low confidence reports, or blocked tool classifications.
- No explicit policy matrix exists per toolset, customer deployment mode, or tenant risk tier.
- No customer-facing language has been finalized for explaining surrogate evaluation limitations.
## User Segments
### Segment 1: Skill Governance Admin
This user owns skill approval. They need a reliable way to decide whether a skill should be published. Their main pain is that a skill draft can appear well-written but still fail on real tasks.
### Segment 2: Enterprise AI Platform Buyer
This user evaluates Beaver as an internal AI platform. They care about risk, adoption, cost, governance, and operational control. They need to see that reusable Agent capabilities are not published blindly.
### Segment 3: Workflow Owner
This user has repeatable work such as weekly reports, project delivery, technical support, or file processing. They want accepted workflows to become faster and more consistent over time.
### Segment 4: Beaver Engineer / Operator
This user debugs replay failures, expands safe tool coverage, adjusts publish gates, and keeps the eval pipeline reliable.
## JTBD
| User | Job Story | Current Alternative | Desired Outcome |
| --- | --- | --- | --- |
| Skill reviewer | When a skill draft is ready, I want to see whether it works on prior accepted tasks, so I can approve it with evidence | Read the draft manually | Approve, reject, or revise with confidence |
| Admin | When a skill touches tools, I want to know what would execute, what is simulated, and what is blocked, so I can manage risk | Trust reviewer judgment | Clear coverage and side-effect evidence |
| Workflow owner | When my accepted task becomes a reusable skill, I want it to preserve what made the original task successful | Rewrite prompts manually | Similar future work gets better |
| Operator | When replay fails, I want to know whether the issue is provider, tool policy, case data, or candidate behavior | Read logs manually | Fast diagnosis and recovery |
## Alternative Product Positioning
| Positioning | Strength | Weakness | Recommendation |
| --- | --- | --- | --- |
| "Skill unit tests for Agents" | Easy for engineers to understand | Too narrow; suggests deterministic tests only | Use in engineering docs |
| "Replay-based skill quality gate" | Accurate and product-relevant | Needs explanation for non-technical buyers | Primary internal positioning |
| "Enterprise Agent governance evidence" | Strong for buyers | Less precise for builders | Use in sales and customer docs |
| "A/B testing for skill drafts" | Captures baseline vs candidate | May imply live user traffic experiments | Use carefully |
Recommended positioning:
> Skill Replay Eval is Beaver's evidence-based quality gate for reusable Agent skills. It replays accepted historical tasks, compares baseline and candidate behavior, and exposes execution coverage, surrogate coverage, regressions, and preservation risk before publication.
## Opportunity Areas
| Opportunity | Importance | Current Satisfaction | Opportunity Score | Notes |
| --- | ---: | ---: | ---: | --- |
| I need proof that a skill draft improves real task behavior | 0.95 | 0.25 | 0.71 | Core opportunity |
| I need automatic replay to avoid unsafe side effects | 0.95 | 0.35 | 0.62 | Required for enterprise trust |
| I need reports that are understandable to reviewers | 0.85 | 0.35 | 0.55 | Key adoption driver |
| I need preservation of existing skill instructions | 0.80 | 0.45 | 0.44 | Important for revisions |
| I need replay failures to be diagnosable | 0.75 | 0.40 | 0.45 | Operational maturity |
| I need configurable policy per deployment | 0.70 | 0.30 | 0.49 | Later enterprise hardening |
Top opportunities:
1. Evidence that a draft improves or preserves accepted task behavior.
2. Safe replay with explicit executed/surrogate/blocked coverage.
3. Reviewer-facing explanation that turns raw traces into decisions.
## Product Expansion Ideas
Generated from PM, Designer, and Engineer perspectives.
### Product Manager Ideas
1. Replay Readiness Score: show whether a draft has enough historical evidence before eval starts.
2. Skill Release Gate Levels: allow advisory, strict, and regulated gates per workspace.
3. Regression Triage Queue: collect failed cases and route them to skill authors.
4. Customer-facing Audit Export: export replay report as PDF/Markdown for security review.
5. Skill Quality Trend: show whether a skill improves or degrades across versions.
### Product Designer Ideas
1. Reviewer Decision View: summarize "approve / revise / reject" with reasons before raw JSON.
2. Coverage Timeline: visualize executed, surrogate, and blocked calls per case.
3. Preservation Diff: show dropped or changed sections in a readable comparison.
4. Replay Case Drilldown: task text, expected behavior, baseline output, candidate output, and validator notes.
5. Confidence Language: translate low/medium/high confidence into concrete reviewer actions.
### Engineer Ideas
1. Pluggable Tool Policy Registry: classify tools by toolset, transport, metadata, and deployment risk.
2. Deterministic Replay Fixtures: save replay inputs and traces for reproducible debugging.
3. Sandbox User File Namespace: isolate user-file writes per replay arm.
4. LLM Surrogate Provider: replace deterministic heuristics with structured model judgment when available.
5. Replay Telemetry: metrics for replay latency, failure mode, blocked coverage, and provider availability.
Top 5 selected ideas:
| Rank | Idea | Why Selected | Assumptions To Validate |
| ---: | --- | --- | --- |
| 1 | Reviewer Decision View | Converts technical eval into action | Reviewers trust summarized recommendations |
| 2 | Sandbox User File Namespace | Directly addresses production side-effect risk | Existing file tooling can be redirected cleanly |
| 3 | LLM Surrogate Provider | Improves unsafe tool judgment quality | LLM judgment is consistent enough for review support |
| 4 | Replay Readiness Score | Prevents weak reports from appearing authoritative | Enough metadata exists to estimate readiness |
| 5 | Preservation Diff | Makes revision risk visible and actionable | Section and body-level diffs catch meaningful drops |
## Key Assumptions
| Assumption | Category | Impact | Uncertainty |
| --- | --- | ---: | ---: |
| Accepted historical runs are representative enough to evaluate future skill behavior | Value | High | High |
| Reviewers will use replay reports to make better publish decisions | Value | High | Medium |
| Safe tools can execute in isolation without leaking state or causing production side effects | Feasibility | High | High |
| Surrogate evaluation can judge unsafe tool calls well enough to support review | Feasibility | High | High |
| Coverage and confidence are understandable to non-engineer reviewers | Usability | Medium | High |
| Publish gates will reduce risky releases without blocking too many useful skills | Viability | High | Medium |
| Skill preservation can be detected with lightweight section checks in v1 | Feasibility | Medium | Medium |
| Replay latency will be acceptable for review workflows | Usability | Medium | Medium |
| Customers will value replay eval enough to differentiate Beaver from generic Agent tools | Business Viability | High | Medium |
| The team can maintain tool policy as tools/connectors grow | Team Capability | High | Medium |
## Prioritized Assumptions
Priority = Impact x Uncertainty.
### P0 Validate Immediately
| Assumption | Why It Matters | What Could Go Wrong | Suggested Validation |
| --- | --- | --- | --- |
| Safe replay isolation is real, not only conceptual | One accidental external write can break trust | Replay calls production filesystem, connector, or credential paths | Technical isolation test with destructive and external-write tools |
| Replay reports help reviewers make better decisions | Product value depends on review decisions changing | Reports are too raw, ignored, or misunderstood | Reviewer usability test with 5 draft decisions |
| Surrogate evaluation is good enough for unsafe tools | Many enterprise tools cannot execute in replay | It rubber-stamps bad calls or flags good calls | Golden set of unsafe tool scenarios scored by humans vs surrogate |
| Historical accepted cases are adequate for eval | Weak cases create false confidence | Too few accepted runs or repetitive cases | Analyze real run store coverage across skills |
### P1 Important
| Assumption | Why It Matters | Validation |
| --- | --- | --- |
| Publish gate thresholds are calibrated | Prevents both overblocking and underblocking | Run shadow mode for 2 weeks and compare human decisions |
| Preservation checker catches meaningful draft regressions | Revision safety depends on it | Compare section checker with manual diff review |
| Replay latency fits review workflow | Slow eval hurts adoption | Measure p50/p95 per case and per draft |
| Customers understand confidence and coverage language | Trust depends on clear communication | Customer-facing report comprehension test |
### P2 Later
| Assumption | Why It Matters | Validation |
| --- | --- | --- |
| Per-tool policy UI is needed | May not be needed in v1 | Observe support/admin requests |
| Audit export becomes a buying requirement | Useful for enterprise sales | Ask pilot buyers during procurement review |
| Skill quality trend is a major retention driver | Useful after multiple versions exist | Measure repeat reviewer usage after v1 |
## Opportunity Solution Tree
Desired outcome:
> Increase trusted skill publication: at least 80% of approved skill drafts have replay or explicit skipped-provider evidence, zero known production side effects from replay, and reviewer decision time under 10 minutes for common drafts.
```text
Outcome: Trusted skill publication
Opportunity 1: I need proof that a skill draft improves real task behavior.
Solution 1.1: Baseline vs candidate replay on accepted historical tasks.
Experiment: Run replay on 10 recent skill drafts and compare with manual reviewer judgment.
Solution 1.2: Replay readiness score before evaluation starts.
Experiment: Score existing candidates and check whether low-readiness reports are less useful.
Solution 1.3: Regression triage queue.
Experiment: Manually label failed cases for two weeks and measure fix rate.
Opportunity 2: I need replay to avoid unsafe side effects.
Solution 2.1: Tool mode classification: executed, surrogate, blocked.
Experiment: Golden tool policy test set covering filesystem, MCP, connectors, delete, send, publish.
Solution 2.2: Isolated workspace and user-file namespace per arm.
Experiment: Replay write task and verify no production paths change.
Solution 2.3: Side-effect journal in each case report.
Experiment: Security reviewer reads 5 reports and identifies all intended side effects.
Opportunity 3: I need reports I can act on.
Solution 3.1: Reviewer decision summary with approve/revise/reject guidance.
Experiment: First-click and decision-time test with reviewers.
Solution 3.2: Coverage and confidence explanation.
Experiment: Ask reviewers to explain report meaning after reading it.
Solution 3.3: Preservation diff for revisions.
Experiment: Seed dropped-instruction drafts and measure detection rate.
```
## Validation Experiments
| P0 Assumption | Hypothesis | Experiment | Cost | Duration | Success Criteria | Failure Criteria |
| --- | --- | --- | --- | --- | --- | --- |
| Safe replay isolation | Replay can execute safe tools without touching production state | Build a replay fixture that writes, reads, sends, deletes, and publishes through classified tools | Medium | 2-4 days | 100% production paths untouched; destructive calls blocked; external writes surrogate | Any real external write or production path mutation |
| Reviewer decision value | Replay reports improve approval accuracy and speed | Give 5 reviewers 8 historical drafts with and without replay report | Low | 2 days | Decision accuracy +25%; median decision time under 10 minutes | No improvement or reports misunderstood |
| Surrogate quality | Surrogate scoring agrees with human reviewer on unsafe tool calls | Create 30 unsafe-tool scenarios and compare human labels vs surrogate output | Medium | 3-5 days | >=80% agreement on pass/fail; all high-risk bad calls flagged | High-risk false pass |
| Historical case adequacy | Accepted runs provide enough useful replay cases | Audit run store across top 10 skills/candidates | Low | 1 day | >=70% candidates have >=3 meaningful accepted cases | Most candidates have no usable cases |
## Feature Prioritization
### Must Have
| Feature | Impact | Effort | Risk | Strategic Alignment |
| --- | --- | --- | --- | --- |
| Eval report compatibility fields | High | Low | Low | Required foundation |
| Historical accepted case selection | High | Medium | Medium | Required for behavior evidence |
| Baseline vs candidate replay arms | High | High | High | Core value |
| Tool mode classification | High | Medium | High | Core trust boundary |
| Replay coverage and confidence report | High | Medium | Medium | Reviewer decision support |
| Publish gates for failed/low-confidence replay | High | Low | Medium | Governance promise |
| Preservation check for revise/merge drafts | Medium | Medium | Medium | Prevents silent instruction loss |
| Skills UI report summary | High | Medium | Medium | Adoption requirement |
### Should Have
| Feature | Impact | Effort | Risk | Strategic Alignment |
| --- | --- | --- | --- | --- |
| Reviewer decision summary | High | Medium | Medium | Converts evidence to action |
| Preservation diff view | Medium | Medium | Low | Improves reviewer comprehension |
| Replay readiness score | Medium | Medium | Medium | Prevents false confidence |
| Operational metrics dashboard | Medium | Medium | Low | Needed for maintenance |
| Golden tool policy test suite | High | Medium | Medium | Needed for safety assurance |
### Could Have
| Feature | Impact | Effort | Risk | Strategic Alignment |
| --- | --- | --- | --- | --- |
| Audit export | Medium | Medium | Low | Enterprise sales support |
| Skill quality trend | Medium | Medium | Medium | Useful after version history grows |
| Per-tool admin policy UI | Medium | High | Medium | Enterprise customization |
| Replay fixtures download | Low | Medium | Low | Debugging convenience |
### Not Yet
| Feature | Reason |
| --- | --- |
| Full Docker orchestration per replay case | Too heavy for first release; design explicitly scopes it out |
| Production third-party write replay | Violates trust boundary |
| Removing human review | Replay evidence should support review, not replace it |
| Fully customizable policy UI | Add after policy needs are observed |
Features to cut from v1:
- Per-tool policy UI.
- Audit export.
- Skill quality trend.
- Full Docker-per-case orchestration.
Features likely over-engineered for v1:
- Customer-configurable replay policies before default policy is proven.
- Complex statistical scoring before case quality and surrogate accuracy are validated.
- Automatic publish for high-scoring drafts.
## Metrics Dashboard
### North Star Metric
Trusted Skill Publish Rate:
> Approved skill drafts with usable eval evidence and no post-publish regression reports / total approved skill drafts, measured weekly.
Target for v1 pilot: >=80%.
### Input Metrics
| Metric | Definition | Data Source | Visualization | Target | Alert Threshold |
| --- | --- | --- | --- | --- | --- |
| Replay Evidence Coverage | Draft eval reports with mode `replay` or explicit skipped-provider status / all eval reports | Skill eval store | Weekly line | >=80% | <60% for 2 weeks |
| Executed Tool Coverage | Executed tool calls / all replay tool calls | Case reports | Stacked bar | >=50% for safe-tool skills | <25% for safe-tool skills |
| Surrogate Coverage | Surrogate tool calls / all replay tool calls | Case reports | Stacked bar | Transparent, not necessarily low | Sudden +30% week over week |
| Blocked Coverage | Blocked tool calls / all replay tool calls | Case reports | Stacked bar | <10% | >=25% or any blocked_coverage=1.0 |
| Reviewer Decision Time | Time from eval report created to approve/reject/revise | Review events | Median and p95 | Median <10 min | p95 >30 min |
| Replay Regression Rate | Reports with regression_count > 0 / replay reports | Eval store | Weekly line | Investigate, not zero-forced | >20% |
### Leading Indicators
- Number of accepted runs eligible for replay per skill.
- Percentage of candidates with at least 3 replay cases.
- Provider unavailable skip rate.
- Replay error or partial status rate.
- Preservation failures per revised skill draft.
### Guardrail Metrics
| Guardrail | Definition | Alert |
| --- | --- | --- |
| Production Side Effect Incidents | Any replay-caused write to production workspace, user files, credentials, or external systems | Immediate P0 |
| False Pass Incidents | Published draft later confirmed to regress an accepted workflow despite passing replay | Weekly review; P1 if repeated |
| False Block Incidents | Useful draft blocked due to bad policy or low-confidence bug | Weekly review |
| Replay Latency | p95 replay completion time per draft | Alert if p95 >15 minutes in pilot |
| Report Comprehension | Reviewers correctly explain coverage/confidence in usability tests | Rework UI copy if <80% |
### Review Cadence
- Daily during pilot: replay errors, side-effect alerts, provider skips.
- Weekly: publish outcomes, regression rate, reviewer decision time, blocked/surrogate coverage.
- Monthly: threshold calibration and customer feedback.
- Quarterly: policy model, scoring model, and roadmap review.
## Customer Research Plan
No customer interviews or support tickets were provided. Run research before treating demand and usability assumptions as validated.
### Research Participants
- 3-5 internal skill reviewers or admins.
- 3 workflow owners who want accepted tasks converted into reusable skills.
- 2 enterprise/security stakeholders who review AI governance.
- 2 engineers/operators responsible for deployment and incident response.
### Research Questions
- What evidence do reviewers need before approving a reusable skill?
- Which replay report fields are meaningful, and which are noise?
- Do users understand executed vs surrogate vs blocked coverage?
- What level of uncertainty is acceptable for publishing?
- What customer-facing proof is needed for enterprise pilots?
- Which tool categories must never execute during replay?
### Recommended Actions
- Run a moderated reviewer test with current Skills page report.
- Create 5 seeded draft cases: clear improvement, clear regression, unsafe external write, preservation drop, provider unavailable.
- Ask participants to approve/revise/reject each case and explain why.
- Compare their decisions with current publish gate behavior.
## Interview Guide
### Objectives
- Validate whether replay evidence changes approval behavior.
- Identify confusing report language.
- Understand risk tolerance for surrogate and blocked calls.
- Learn what artifacts enterprise buyers need for adoption.
### Warm-Up
- Tell me about the last time you reviewed or approved reusable AI guidance, prompts, tools, or workflows.
- What made the approval easy or hard?
- What happened after it was approved?
### JTBD Questions
- Walk me through the last time an AI workflow worked well enough that you wanted to reuse it.
- What evidence did you have that it would work again?
- What would make you hesitate to publish it for others?
- What does "safe to publish" mean in your environment?
### Behavioral Questions
- Show me how you would decide whether this draft should be approved.
- Which part of this report would you read first?
- What would you ignore?
- What would you ask an engineer to explain?
### Risk Validation Questions
- If a replay report says 70% executed and 30% surrogate, what decision would you make?
- If all important external writes were surrogate-evaluated, is that enough for review?
- Which tools should always be blocked in your environment?
- What kind of failure would make you disable replay eval?
### Note Template
```text
Participant:
Role:
Date:
Last relevant review:
Decision evidence needed:
Confusing report fields:
Risk tolerance:
Must-block tool categories:
Minimum publish evidence:
Unexpected insight:
Follow-up:
```
## Recommended Next 30 Days
1. Validate replay isolation with a golden tool policy suite.
2. Run current backend unit tests around skill learning replay and publish gates.
3. Add a small reviewer decision summary above raw replay details.
4. Run 5-8 reviewer usability sessions using seeded draft cases.
5. Audit accepted run coverage for top skills and identify gaps.
6. Decide v1 gate thresholds for blocked coverage, confidence, and preservation failure.
7. Add operational logging and metrics for replay status, latency, and provider skips.
## Recommended Next 90 Days
1. Replace or augment deterministic surrogate scoring with structured LLM judgment and human-labeled calibration cases.
2. Add replay readiness scoring before eval starts.
3. Improve preservation from section presence to diff-based critical instruction detection.
4. Add customer/exportable audit summary for enterprise pilot conversations.
5. Build a replay operations dashboard.
6. Introduce deployment-level policy profiles only after default policies produce stable data.
7. Track skill quality across versions and post-publish regression reports.
## Biggest Risks
| Risk | Severity | Mitigation |
| --- | --- | --- |
| Replay accidentally mutates production state | Critical | Golden policy tests, isolated namespaces, external writes surrogate by default, P0 alert |
| Surrogate scoring gives false confidence | High | Human-labeled calibration set, show low confidence clearly, no automatic publish |
| Reviewers ignore report complexity | High | Decision summary, comprehension testing, action-oriented UI copy |
| Accepted run data is too sparse | High | Readiness score, fallback to explicit skipped/low-evidence state, collect more accepted cases |
| Publish gates block too many useful skills | Medium | Shadow mode calibration and override with explicit review rationale |
| Evaluation costs or latency grow quickly | Medium | Cap cases, cache web/search, track p95 latency, async background eval |
## Recommended Immediate Actions
1. Treat Skill Replay Eval as a v1 trust gate, not a complete benchmark.
2. Keep human review mandatory for publish.
3. Do not execute production third-party writes during automatic replay.
4. Add reviewer-facing explanations before adding more raw report data.
5. Validate isolation and surrogate quality before broad rollout.
6. Use the first pilot to learn threshold calibration, not to claim perfect quality measurement.

6
docs/superpowers/plans/2026-06-08-skill-replay-eval.md
View File

@ -2,6 +2,12 @@
> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
Related product planning artifacts:
- [Product Discovery Report](../../product-discovery/skill-replay-eval/product-discovery-report.md)
- [PRD](../../product-discovery/skill-replay-eval/PRD-skill-replay-eval.md)
- [Launch And Maintenance Runbook](../../product-discovery/skill-replay-eval/launch-maintenance-runbook.md)
**Goal:** Replace heuristic-only skill draft evaluation with replay-style reports that cover all tools through either safe execution or LLM surrogate judgment, while preserving base skill content during draft synthesis.
**Architecture:** Extend the existing skill learning pipeline instead of replacing it. Add replay report fields to `SkillDraftEvalReport`, introduce focused helper modules under `beaver/skills/learning/`, then wire the enhanced evaluator through the existing `SkillLearningPipelineService.evaluate_draft()` path and Skills UI.

6
docs/superpowers/specs/2026-06-08-skill-replay-eval-design.md
View File

@ -1,5 +1,11 @@
# Skill Replay Eval Design
Related product planning artifacts:
- [Product Discovery Report](../../product-discovery/skill-replay-eval/product-discovery-report.md)
- [PRD](../../product-discovery/skill-replay-eval/PRD-skill-replay-eval.md)
- [Launch And Maintenance Runbook](../../product-discovery/skill-replay-eval/launch-maintenance-runbook.md)
## Goal
Improve skill draft evaluation so it measures real task behavior instead of relying on heuristic draft scoring. The new evaluation must cover every tool involved in a skill, while separating tools that can be executed safely from tools that require LLM surrogate judgment.