Reference
Audit and Provenance
Explainable readiness decisions with clear value sources.
referenceautomation buildersintermediatestable2026-05-30
Recommended next
Why this matters
If ota says a repo is ready, users should be able to answer what was declared, what was inferred, what came from policy, and what changed later.
Provenance categories
repo-declared: the repo itself declared this value inota.yamlor related repo-local config.policy-derived: the value came from org policy, not from the repo contract directly.template-derived: the value was copied or expanded from a template or starter contract.detector-inferred: ota inferred the value from repo files or signals.workspace-derived: ota derived the value from workspace root naming or workspace discovery while scaffolding a workspace contract.workspace-declared: ota preserved the value from an existingota.workspace.yamlduring a merge path.user-mutated: a person or tool wrote the value during an explicit change.
Detect ownership
- detect comparison now exposes
owner_kindso automation can distinguishdetected,manual, andmergedentries directly mergedmeans ota previously wrote that field and recorded it undermetadata.ota.detect.field_ownershipmetadata.ota.detect.field_admissionisdirectfor high-confidence detector-owned writes andpromotedfor the narrow conservative detect-write starter fields ota admitted by policymetadata.ota.detect.field_source_classrecords the detector-governance class ota associated with each detect-owned field, such asenvironment_toolchain,task_command, orruntime_servicemanualmeans the field is hand-authored or explicitly pinned; fields without detect ownership metadata are treated as manual by defaultmetadata.ota.detectis ota-reserved and must remain a mapping if you want ota to persist detect ownership safely- normal drift surfaces only warn on ota-managed
mergedfields, while rewrite preview can still showmanualremovals because a full replacement would drop them
Where it shows up
ota initota workspace initota workspace detectota detectota doctorota explain- execution receipts
- policy-aware findings
Example finding
Findingtext
ERROR Missing required taskWhy: The repo contract declares agent-safe execution but does not define a runnable task.Next: add a task or adjust the contract.Source: repo contractUse cases
- understand why
doctorreported a blocker - see whether policy or repo data produced the result
- give agents the value source before suggesting a change
- keep execution receipts reviewable later
What this is not
- not a general audit database
- not hidden mutation logging
- not a ticketing system
- not a replacement for the contract
- not a fleet reporting layer