|
| 1 | +# Station Profiles Roadmap |
| 2 | + |
| 3 | +Station profiles are a planned lifecycle primitive for supervised long-running |
| 4 | +workloads. They are not implemented in the current CLI: there is no |
| 5 | +`crabbox station` command, `stationProfile` config key, or `modelAccess` |
| 6 | +credential path yet. |
| 7 | + |
| 8 | +This page records the product and security boundary for |
| 9 | +[issue #193](https://github.com/openclaw/crabbox/issues/193) so future PRs can |
| 10 | +ship the feature in reviewable pieces. |
| 11 | + |
| 12 | +## Terms |
| 13 | + |
| 14 | +**Station** is the proposed user-facing primitive: a durable supervised workload |
| 15 | +record bound to a warm lease. A station is still a Crabbox box; the difference |
| 16 | +is that Crabbox records one long-running workload lifecycle instead of only a |
| 17 | +single `run` invocation. |
| 18 | + |
| 19 | +**stationProfile** is the proposed config selector for named station policies, |
| 20 | +for example `default` or `agent`. |
| 21 | + |
| 22 | +**Agent Station** is shorthand for a station using `stationProfile: agent`. |
| 23 | +The agent loop is repo-owned code. Crabbox supervises and records it, but does |
| 24 | +not own the prompt loop, planning strategy, model choice, or test |
| 25 | +interpretation. |
| 26 | + |
| 27 | +**modelAccess** is the proposed explicit credential-delivery policy for |
| 28 | +model/tool access. It must be separate from ordinary `env.allow` forwarding. |
| 29 | + |
| 30 | +Use **reasoning access** only in explanatory copy. It means the repo-owned |
| 31 | +workload may run a reasoning loop because a user granted scoped model/tool |
| 32 | +access. Crabbox must not expose, judge, store, or reconstruct model reasoning. |
| 33 | + |
| 34 | +## Phase Gates |
| 35 | + |
| 36 | +Ship Station in phases, with separate review for each phase: |
| 37 | + |
| 38 | +1. Generic Station, no model credentials. |
| 39 | +2. `agent` station profile, still no model credentials by default. |
| 40 | +3. `modelAccess`, only after Station behavior and evidence are stable. |
| 41 | + |
| 42 | +Phase 1 should target SSH-backed lease providers first. Delegated-run providers |
| 43 | +should wait until they expose an explicit station-capable contract. |
| 44 | + |
| 45 | +## Phase 1 Contract |
| 46 | + |
| 47 | +A Station is not just `warmup && run --keep` under a new name. The minimum |
| 48 | +contract is: |
| 49 | + |
| 50 | +- one durable station id; |
| 51 | +- one or more attempts; |
| 52 | +- one lease id per attempt; |
| 53 | +- one supervisor boot id, pid/start time, command hash, and workdir per |
| 54 | + attempt; |
| 55 | +- explicit TTL and idle timeout; |
| 56 | +- separate lease heartbeat and station heartbeat; |
| 57 | +- station-centered status, logs, stop reason, and terminal state; |
| 58 | +- idempotent stop that preserves the original terminal reason; |
| 59 | +- evidence written on stop, failure, TTL expiry, idle expiry, or lost |
| 60 | + supervisor. |
| 61 | + |
| 62 | +Station status should keep `state`, `desiredState`, `attempt`, |
| 63 | +`lastObservedAt`, and `stopReason` separate. It should distinguish lease state, |
| 64 | +supervisor liveness, command state, and cleanup/revocation state. |
| 65 | + |
| 66 | +## Agent Profile |
| 67 | + |
| 68 | +The first `agent` profile should remain repo-owned and conservative: |
| 69 | + |
| 70 | +```yaml |
| 71 | +station: |
| 72 | + profiles: |
| 73 | + agent: |
| 74 | + enabled: true |
| 75 | + command: scripts/agent-loop.sh |
| 76 | + ttl: 10h |
| 77 | + idleTimeout: 45m |
| 78 | + restartPolicy: never |
| 79 | +``` |
| 80 | +
|
| 81 | +`restartPolicy` should default to `never`. Agent loops are not safely replayable |
| 82 | +by default, so retries are a later product decision. |
| 83 | + |
| 84 | +## modelAccess Security Gates |
| 85 | + |
| 86 | +`modelAccess` must not ship until all of these are true: |
| 87 | + |
| 88 | +- No Crabbox broker, coordinator, cloud provider, or admin credential enters the |
| 89 | + station unless explicitly part of the workload policy. |
| 90 | +- Only workload-scoped model/tool credentials enter the station. |
| 91 | +- Credentials expire at or before station TTL. |
| 92 | +- Credentials are scoped, where possible, to repo/org/user, station id, attempt |
| 93 | + id, gateway, command hash, allowed models/tools, and budget. |
| 94 | +- Credentials are never written to logs, timing JSON, events, compliance |
| 95 | + reports, artifacts, screenshots, terminal captures, failure bundles, or |
| 96 | + process arguments. |
| 97 | +- Evidence records receipts, not secrets: profile, gateway, budget, token |
| 98 | + expiry, redaction policy version, issuer, and revocation reason. |
| 99 | +- Egress defaults to deny and only allows named approved egress profiles. |
| 100 | +- Stop, TTL expiry, idle expiry, budget exhaustion, or compliance failure |
| 101 | + revokes credentials before lease teardown. |
| 102 | +- Model/tool credentials do not use ordinary repo `env.allow`; they use a |
| 103 | + separate audited delivery path. |
| 104 | + |
| 105 | +Do not return stopped `modelAccess` stations to warm pools in v1. Treat them as |
| 106 | +dirty by default because they hosted credentialed long-running work. |
| 107 | + |
| 108 | +## Evidence |
| 109 | + |
| 110 | +Station evidence should extend run evidence instead of inventing an unrelated |
| 111 | +format. Minimum fields: |
| 112 | + |
| 113 | +- station id, attempt id, lease id, and run id if one exists; |
| 114 | +- start and stop timestamps; |
| 115 | +- repo SHA, branch, and dirty summary; |
| 116 | +- command and shell/argv mode; |
| 117 | +- station profile; |
| 118 | +- supervisor boot id, pid, start time, and exit status; |
| 119 | +- TTL, idle timeout, stop reason, and final state; |
| 120 | +- log/event retention limits; |
| 121 | +- model access policy and credential receipt metadata, if enabled; |
| 122 | +- revocation timestamp and reason, if model access was enabled. |
| 123 | + |
| 124 | +## Non-goals |
| 125 | + |
| 126 | +Station should not add an agent memory database, vector index, semantic judge, |
| 127 | +scenario state machine, or model reasoning store to Crabbox core. |
| 128 | + |
| 129 | +Crabbox owns lifecycle, synchronization, supervision, cleanup, credential policy, |
| 130 | +logs, artifacts, and evidence. The repo-owned workload owns the brain. |
0 commit comments