Reference

Audit and Provenance

Explainable readiness decisions with clear value sources.

reference | automation builders | intermediate | stable | 2026-05-30

Why this matters

If ota says a repo is ready, users should be able to answer what was declared, what was inferred, what came from policy, and what changed later.

Provenance categories

  • repo-declared: the repo itself declared this value in ota.yaml or related repo-local config.
  • policy-derived: the value came from org policy, not from the repo contract directly.
  • template-derived: the value was copied or expanded from a template or starter contract.
  • detector-inferred: ota inferred the value from repo files or signals.
  • workspace-derived: ota derived the value from workspace root naming or workspace discovery while scaffolding a workspace contract.
  • workspace-declared: ota preserved the value from an existing ota.workspace.yaml during a merge path.
  • user-mutated: a person or tool wrote the value during an explicit change.

Detect ownership

  • detect comparison now exposes owner_kind so automation can distinguish detected, manual, and merged entries directly
  • merged means ota previously wrote that field and recorded it under metadata.ota.detect.field_ownership
  • metadata.ota.detect.field_admission is direct for high-confidence detector-owned writes and promoted for the narrow conservative detect-write starter fields ota admitted by policy
  • metadata.ota.detect.field_source_class records the detector-governance class ota associated with each detect-owned field, such as environment_toolchain, task_command, or runtime_service
  • manual means the field is hand-authored or explicitly pinned; fields without detect ownership metadata are treated as manual by default
  • metadata.ota.detect is ota-reserved and must remain a mapping if you want ota to persist detect ownership safely
  • normal drift surfaces only warn on ota-managed merged fields, while rewrite preview can still show manual removals because a full replacement would drop them
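The ownership rules above, as an added example (not ota's own code) that classifies contract fields from an already-parsed contract. It assumes the three maps under metadata.ota.detect are mappings keyed by field path; the field paths and the sample contract are constructed for illustration and the real layout may differ.

```python
# Added example, not ota's own code. Assumption: field_ownership,
# field_admission and field_source_class are mappings keyed by field path.

def detect_block(contract):
    """Return metadata.ota.detect ({} if absent); reject non-mapping values."""
    node, seen = contract, []
    for key in ("metadata", "ota", "detect"):
        seen.append(key)
        node = node.get(key, {})
        if not isinstance(node, dict):
            # The page requires this reserved block to remain a mapping.
            raise ValueError(".".join(seen) + " must remain a mapping")
    return node


def classify(contract, field_paths):
    """Map each field path to its owner kind and detect metadata."""
    detect = detect_block(contract)
    owned = detect.get("field_ownership", {})
    admission = detect.get("field_admission", {})
    source_class = detect.get("field_source_class", {})
    report = {}
    for field in field_paths:
        # No ownership record means hand-authored or pinned: manual by default.
        merged = field in owned
        report[field] = {
            "owner_kind": "merged" if merged else "manual",
            "admission": admission.get(field) if merged else None,
            "source_class": source_class.get(field) if merged else None,
            # Normal drift surfaces only warn on ota-managed merged fields.
            "drift_warns": merged,
        }
    return report


# Constructed sample: hypothetical field paths, placeholder ownership values.
SAMPLE = {"metadata": {"ota": {"detect": {
    "field_ownership": {"tasks.test.command": True, "environment.node": True},
    "field_admission": {"tasks.test.command": "promoted",
                        "environment.node": "direct"},
    "field_source_class": {"tasks.test.command": "task_command",
                           "environment.node": "environment_toolchain"},
}}}}

if __name__ == "__main__":
    fields = ["tasks.test.command", "environment.node", "tasks.lint.command"]
    for name, info in classify(SAMPLE, fields).items():
        print(name, info)
```

This sketch covers only the merged and manual kinds; the detected kind belongs to detect comparison output and is not modelled here.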

Where it shows up

  • ota init
  • ota workspace init
  • ota workspace detect
  • ota detect
  • ota doctor
  • ota explain
  • execution receipts
  • policy-aware findings

Example finding

ERROR  Missing required task
Why: The repo contract declares agent-safe execution but does not define a runnable task.
Next: add a task or adjust the contract.
Source: repo contract

Use cases

  • understand why doctor reported a blocker
  • see whether policy or repo data produced the result
  • give agents the value source before suggesting a change
  • keep execution receipts reviewable later

What this is not

  • not a general audit database
  • not hidden mutation logging
  • not a ticketing system
  • not a replacement for the contract
  • not a fleet reporting layer