keisei/KeiSeiKit-1.0
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

KeiSeiKit-public — clean state

Browse source 
Single-commit clean baseline after security scrub of niche-tells,
project codenames, internal jargon, and contributor-email leaks.

Contents:
- 100 Rust crates (_primitives/_rust/)
- 37 agent manifests (_manifests/) + generated specs (_generated/)
- 67 user-invocable skills (skills/)
- 33 hooks (hooks/)
- Composition blocks (_blocks/)
- Documentation (docs/, README.md)
- TS adapter packages (_ts_packages/)
- Assembler (_assembler/)
- Roles (_roles/)
- Templates (_templates/)
- Forgejo CI (.forgejo/)

Author: Denis Parfionovich <info@greendragon.info>

License: see LICENSE.
This commit is contained in:
Parfii-bot 2026-05-01 12:09:03 +08:00
commit 0be354a920
2184 changed files with 256172 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
.claude-plugin/marketplace.json Normal file
View file

@ -0,0 +1,21 @@
{
"name": "keisei-marketplace",
"owner": {
"name": "KeiSei84",
"url": "https://github.com/KeiSei84"
},
"metadata": {
"description": "KeiSei Constructor-Pattern kits and primitives for Claude Code",
"version": "0.16.0"
},
"plugins": [
{
"name": "keisei",
"source": {
"source": "github",
"repo": "KeiSei84/KeiSeiKit"
},
"description": "Full KeiSeiKit — 12-agent fleet, 39 skills, 9 hooks, 23 Rust primitives, sleep-sync cloud consolidation, MCP server layer"
}
]
}

9
.claude-plugin/mcp-template.json Normal file
View file

@ -0,0 +1,9 @@
{
"_comment": "Template for .mcp.json. Copy to repo root as .mcp.json to register the KeiSei MCP server. Requires @keisei/mcp-server published to npm (status: not yet published — see PLUGIN.md).",
"mcpServers": {
"keisei": {
"command": "npx",
"args": ["-y", "@keisei/mcp-server", "--stdio"]
}
}
}

22
.claude-plugin/plugin.json Normal file
View file

@ -0,0 +1,22 @@
{
"name": "keisei",
"version": "0.16.0",
"description": "Constructor-Pattern agent kit for Claude Code: composable behavioral blocks, 23 Rust primitives, 39 portable skills, 9 pre-wired hooks, typed artifact handoff, sleep-sync cloud consolidation, MCP server layer.",
"author": {
"name": "KeiSei",
"url": "https://github.com/KeiSei84"
},
"homepage": "https://github.com/KeiSei84/KeiSeiKit",
"repository": "https://github.com/KeiSei84/KeiSeiKit",
"license": "MIT",
"keywords": [
"constructor-pattern",
"agents",
"skills",
"hooks",
"mcp",
"rust",
"claude-code",
"sleep-sync"
]
}

46
.dockerignore Normal file
View file

@ -0,0 +1,46 @@
# .dockerignore — trim the Docker build context.
# Without this, `docker build` tries to copy the full working tree into the
# daemon, including target/ (2.6 GB after v0.21 aws-sdk-s3), agent worktrees
# (6+ GB), and node_modules. That caused an I/O error on 2026-04-22 when the
# battle-test image tried to pack everything.
#
# Keep this list aligned with tests/battle/Dockerfile.install-test — anything
# the Dockerfile actually needs (scripts/, install/, hooks/, skills/, etc.)
# must NOT be listed here.
# Rust build artefacts
**/target/
**/*.rlib
**/*.rmeta
# TypeScript / node
**/node_modules/
**/dist/
**/.turbo/
# Agent worktrees (several GB — never relevant inside a container build)
.claude/worktrees/
# Git internal (we don't need history inside the image)
.git/
# IDE + OS
.DS_Store
.idea/
.vscode/
*.swp
# Editor backups
*~
*.bak
*.bak-*
# Secrets (defence in depth — RULE 0.8 + project .gitignore)
**/.env
**/secrets/*.env
*.pem
*.key
# Logs
*.log
/tmp/

109
.forgejo/README.md Normal file
View file

@ -0,0 +1,109 @@
# Forgejo Actions — self-hosted CI
Parallel CI on the private Forgejo (Tailscale `100.91.246.53:3000`)
that doesn't depend on github.com — keeps private code on
self-hosted infrastructure while still getting per-commit
verification.
## Why a separate `.forgejo/workflows/` and not just `.github/workflows/`?
Forgejo Actions reads BOTH directories by default. We split them
because the GHA workflow has 2 quirks irrelevant on self-hosted:
1. **GHA Linux runner has 7 GB RAM + 14 GB on `/mnt`** — workspace OOMs
during link. Self-hosted runner can have whatever RAM the host has.
2. **Per-category matrix** is faster on self-hosted (parallel jobs)
but *slower* on GHA (each matrix job = full container + cache pull).
So we keep GHA monolithic, split self-hosted into 8 logical groups.
## One-time runner setup
Pick a host (the same VPS that runs Forgejo, or a separate beefier
box). Tailscale is fine — runner only needs to reach Forgejo.
```bash
# 1. Get the binary
wget -O /usr/local/bin/forgejo-runner \
https://code.forgejo.org/forgejo/runner/releases/download/v6.5.0/forgejo-runner-amd64
chmod +x /usr/local/bin/forgejo-runner
# 2. Get a registration token from Forgejo:
# Forgejo web UI → Site Administration → Actions → Runners → Create new
# (OR per-org: Org settings → Actions → Runners)
# (OR per-repo: Repo settings → Actions → Runners — narrowest scope)
# 3. Register
sudo useradd -r -s /usr/sbin/nologin -d /var/lib/forgejo-runner forgejo-runner
sudo mkdir -p /var/lib/forgejo-runner
sudo chown forgejo-runner: /var/lib/forgejo-runner
cd /var/lib/forgejo-runner
sudo -u forgejo-runner forgejo-runner register --no-interactive \
--instance http://100.91.246.53:3000 \
--token <REGISTRATION_TOKEN_FROM_WEB_UI> \
--name "$(hostname)-runner" \
--labels self-hosted,docker,linux,amd64
# 4. systemd unit
sudo tee /etc/systemd/system/forgejo-runner.service <<'UNIT'
[Unit]
Description=Forgejo Actions Runner
After=network.target
[Service]
Type=simple
User=forgejo-runner
WorkingDirectory=/var/lib/forgejo-runner
ExecStart=/usr/local/bin/forgejo-runner daemon
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
UNIT
sudo systemctl daemon-reload
sudo systemctl enable --now forgejo-runner
# 5. Verify in Forgejo web UI:
# Site Admin → Actions → Runners → status: Idle (green dot)
```
## Repo-level enable
```bash
# Via API
curl -X PATCH http://100.91.246.53:3000/api/v1/repos/denis/KeiSeiKit \
-u "denis:$FORGEJO_TOKEN" \
-H 'Content-Type: application/json' \
-d '{"has_actions": true}'
# OR via web UI:
# Repo → Settings → Repository → enable "Actions"
```
## Trigger
Push to `main` triggers the workflow automatically. Watch progress:
http://100.91.246.53:3000/denis/KeiSeiKit/actions
## Differences from GHA workflow
| Job | GHA | Forgejo |
|---|---|---|
| `rust-assembler` | ubuntu+macOS matrix | docker (Linux only) |
| `rust-primitives` | monolithic (OOM-prone) | **8-group matrix** (parallel, fast) |
| `ts-packages` | node 20+22 matrix | node 22 only |
| `install-dry-run` | 3 profiles | (skip — runs locally on dev machines) |
| `shell-lint` | ubuntu+shellcheck apt | shellcheck-alpine container |
| `workflow-lint` | actionlint | (skip — handled by GHA mirror) |
## Cost
Free. No GitHub Actions minutes. No GitHub LFS bandwidth.
Sensitive-IP never leaves Tailscale.
## Maintenance
The runner pulls images on first run for each container reference; subsequent
runs are cached. Periodic `docker system prune -af` recommended (cron job
on the runner host).

90
.forgejo/workflows/ci.yml Normal file
View file

@ -0,0 +1,90 @@
name: CI (Forgejo Actions — self-hosted runner on Mac, host mode)
# Forgejo Actions — drop-in compatible with GitHub Actions YAML.
# Targets self-hosted forgejo-runner (Go, built from source) running
# in HOST mode on the orchestrator Mac. No Docker needed.
#
# Runner registration token + setup: see .forgejo/README.md.
on:
push:
branches: [main]
pull_request:
paths-ignore:
- 'docs/**'
- '**/*.md'
- 'CHANGELOG.md'
concurrency:
group: ci-${{ github.ref }}
cancel-in-progress: true
jobs:
# Fast pre-flight — workspace topology + audit gates.
# Runs on Mac (primary fast runner).
preflight:
runs-on: macos-arm64
steps:
- uses: actions/checkout@v4
- name: Verify workspace count
shell: bash
run: |
n=$(awk '/^members = \[/,/^\]/' _primitives/_rust/Cargo.toml | grep -c '^ "')
echo "workspace members: $n"
[ "$n" -ge 90 ] || { echo "fewer than 90 crates — workspace shrunk?"; exit 1; }
- name: cargo metadata sanity
shell: bash
run: cd _primitives/_rust && cargo metadata --no-deps --format-version=1 > /dev/null
# VPS smoke — lightweight check that the backup runner is alive +
# workspace topology is also valid on Linux. NO heavy compile (VPS
# is 1 GB RAM + 2.3 GB swap; full cargo test would OOM).
vps-smoke:
runs-on: linux-amd64
steps:
- uses: actions/checkout@v4
- name: VPS heartbeat
shell: bash
run: |
echo "VPS runner alive on $(uname -srm)"
n=$(awk '/^members = \[/,/^\]/' _primitives/_rust/Cargo.toml | grep -c '^ "')
echo "workspace members visible: $n"
[ "$n" -ge 90 ] || exit 1
# cargo metadata is light (no compile); OK on 1 GB VPS.
which cargo >/dev/null 2>&1 && cd _primitives/_rust && cargo metadata --no-deps --format-version=1 > /dev/null && echo "cargo metadata: PASS" || echo "cargo not installed on VPS — SKIP heavy check"
# Per-category matrix — split 98-crate workspace into 8 logical groups
# so each linker invocation has fewer .rlibs to link and stays under
# the runner's RAM budget. ~3-5 min per group instead of one long job.
rust-primitives:
runs-on: macos-arm64
needs: preflight
strategy:
fail-fast: false
matrix:
group:
- name: 'core'
crates: 'kei-ledger,kei-migrate,kei-changelog,kei-memory,kei-store,kei-conflict-scan,kei-refactor-engine,kei-graph-check,kei-shared,kei-dna-index,kei-pet'
- name: 'mcp-lbm'
crates: 'kei-router,kei-sage,kei-task,kei-chat-store,kei-crossdomain,kei-search-core,kei-content-store,kei-social-store,kei-curator,kei-auth,kei-artifact'
- name: 'atom-substrate'
crates: 'keisei,kei-forge,kei-runtime,kei-runtime-core,kei-atom-discovery,kei-agent-runtime,kei-capability,kei-provision,kei-entity-store,kei-pipe,kei-cache,kei-spawn,kei-replay'
- name: 'wave13-15'
crates: 'kei-diff,kei-scheduler,kei-watch,kei-prune,kei-discover,kei-brain-view,kei-hibernate,kei-ledger-sign,kei-fork'
- name: 'hosted-sleep-compute'
crates: 'kei-compute-baremetal,kei-compute-vultr,kei-compute-linode,kei-compute-digitalocean,kei-svc-systemd,kei-llm-bridge-mlx'
- name: 'hosted-sleep-backends'
crates: 'kei-git-gitea,kei-git-forgejo,kei-git-gitlab,kei-git-bitbucket,kei-memory-sled,kei-memory-redis,kei-memory-postgres,kei-memory-sqlite,kei-auth-google,kei-auth-apple,kei-auth-magiclink,kei-auth-webauthn,kei-notify-slack,kei-notify-discord,kei-notify-telegram,kei-notify-sms,kei-net-wireguard,kei-net-openvpn,kei-net-ipsec'
- name: 'llm-stack'
crates: 'kei-machine-probe,kei-llm-ollama,kei-llm-llamacpp,kei-llm-mlx,kei-llm-router,kei-model'
- name: 'misc'
crates: 'frustration-matrix,kei-frustration-loop,kei-skill-importer,kei-projects-index,kei-projects-watcher,kei-gdrive-import,kei-leak-matrix,kei-skills,kei-gateway,kei-cron-scheduler,kei-export-trajectories,kei-backend-daytona,kei-decision,kei-decompose,kei-registry,ssh-check,firewall-diff,mock-render,visual-diff,tokens-sync,kei-ping,kei-tlog'
steps:
- uses: actions/checkout@v4
- name: cargo test (group ${{ matrix.group.name }})
shell: bash
run: |
cd _primitives/_rust
ARGS=$(echo "${{ matrix.group.crates }}" | tr ',' '\n' | sed 's/^/-p /' | tr '\n' ' ')
echo "args: $ARGS"
cargo test --lib $ARGS

26
.github/dependabot.yml vendored Normal file
View file

@ -0,0 +1,26 @@
version: 2
updates:
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
open-pull-requests-limit: 5
labels:
- dependencies
- github-actions
- package-ecosystem: npm
directory: /_ts_packages
schedule:
interval: weekly
open-pull-requests-limit: 5
labels:
- dependencies
- npm
- package-ecosystem: cargo
directory: /_primitives/_rust
schedule:
interval: weekly
open-pull-requests-limit: 5
labels:
- dependencies
- rust

159
.github/workflows/ci.yml vendored Normal file
View file

@ -0,0 +1,159 @@
name: CI
on:
push:
branches: [main]
pull_request:
paths-ignore:
- 'docs/**'
- '**/*.md'
- 'CHANGELOG.md'
# v0.21.0 cost optimisation (W15): cancel superseded runs on the same ref.
# A rapid push train (common during batch work) used to launch one full
# 12-job matrix per commit, even though only the last matters. This
# top-level concurrency group cancels the older run as soon as a newer
# one is queued. Effect: 60-80% saving on "rapid pushes" work days.
concurrency:
group: ci-${{ github.ref }}
cancel-in-progress: true
# v0.19.1 supply-chain hardening (H5): every third-party action is pinned
# by full commit SHA. A floating tag like @v4 can be re-pointed by a
# compromised maintainer (CVE-2025-30066 class). The `# vN.m.k` comment
# next to each SHA is a human-readable hint only — the SHA is the load-
# bearing identifier. When Dependabot proposes a bump, review the new SHA
# against the release tag before merging.
jobs:
rust-assembler:
runs-on: ${{ matrix.os }}
strategy:
# v0.21.0: macOS only on push-to-main (10x billing multiplier). PRs get ubuntu-only.
matrix:
os: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') && fromJSON('["ubuntu-latest","macos-latest"]') || fromJSON('["ubuntu-latest"]') }}
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- uses: dtolnay/rust-toolchain@stable # exception to SHA-pin rule: this action uses named-branch convention (stable/nightly/beta/1.NN.0) — pinning a SHA locks to a specific Rust version (validator V-2026-04-22 confirmed 3c5f7ea was rust 1.94.1 branch tip, not generic "install stable"). dtolnay is a trusted maintainer (author of serde/anyhow/cxx). Supply-chain risk of @stable re-point is LOW and accepted here.
- uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
with:
workspaces: _assembler
- run: cd _assembler && cargo test --release
rust-primitives:
runs-on: ${{ matrix.os }}
strategy:
# v0.21.0: macOS only on push-to-main. --release dropped — debug mode
# runs 2-3× faster and still catches architectural breakage. Release-
# build regressions (debug_assertions!) caught by rust-assembler above.
matrix:
os: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') && fromJSON('["ubuntu-latest","macos-latest"]') || fromJSON('["ubuntu-latest"]') }}
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- uses: dtolnay/rust-toolchain@stable # exception to SHA-pin rule: this action uses named-branch convention (stable/nightly/beta/1.NN.0) — pinning a SHA locks to a specific Rust version (validator V-2026-04-22 confirmed 3c5f7ea was rust 1.94.1 branch tip, not generic "install stable"). dtolnay is a trusted maintainer (author of serde/anyhow/cxx). Supply-chain risk of @stable re-point is LOW and accepted here.
- uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
with:
workspaces: _primitives/_rust
# v0.30+ CI fix (2026-04-29): 98-crate workspace OOMs the default
# GHA runner's 7 GB at link time. Iteration 2 (after lld+jobs=2 still
# OOM'd at signal 7): add 12 GB swap on Linux + use `mold` (smaller
# peak RSS than lld for large workspaces) + drop to JOBS=1 for the
# link phase. macOS runner has 14 GB RAM and was already passing.
- name: Free disk + resize swap (Linux runners only)
if: runner.os == 'Linux'
run: |
# Iter 4 fix: iter 3's 12 GB swap on /mnt filled the disk
# (`No space left on device` on syn rlib). GHA /mnt has only
# ~14 GB; cargo target/ + 12 GB swap = bust. Strategy now:
# (a) free ~30 GB on / by removing pre-installed bloat
# (Android SDK, .NET, GHC, CodeQL — none used by Rust+Node);
# (b) resize the existing /swapfile (4 GB → 8 GB) in place.
df -h
sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc /opt/hostedtoolcache/CodeQL
echo "--- after rm ---"
df -h
sudo swapoff /swapfile
sudo rm /swapfile
sudo fallocate -l 8G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo "--- after swap ---"
free -h
df -h
- name: Install mold (Linux runners only)
if: runner.os == 'Linux'
run: sudo apt-get update && sudo apt-get install -y mold
- name: cargo test --workspace (Linux)
if: runner.os == 'Linux'
run: cd _primitives/_rust && cargo test --workspace
env:
CARGO_BUILD_JOBS: '1'
RUSTFLAGS: '-C link-arg=-fuse-ld=mold'
- name: cargo test --workspace (macOS)
if: runner.os == 'macOS'
run: cd _primitives/_rust && cargo test --workspace
env:
CARGO_BUILD_JOBS: '2'
ts-packages:
# v0.21.0: ubuntu-only. Node is x-plat; no macOS-specific behaviour to
# test. Matrix: 2 jobs (ubuntu × 2 nodes) instead of 4. Saves 2 macOS jobs.
runs-on: ubuntu-latest
strategy:
matrix:
node: ['20', '22']
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: ${{ matrix.node }}
- run: cd _ts_packages && npm ci
- run: cd _ts_packages && npm run build --workspaces
- run: cd _ts_packages && npm test --workspaces --if-present
install-dry-run:
# v0.21.0: ubuntu-only. All 3 profiles on main push; PRs get minimal-only
# (full profile pulls everything, rarely signals PR-specific regressions).
runs-on: ubuntu-latest
strategy:
matrix:
profile: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') && fromJSON('["minimal","dev","full"]') || fromJSON('["minimal"]') }}
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- uses: dtolnay/rust-toolchain@stable # exception to SHA-pin rule: this action uses named-branch convention (stable/nightly/beta/1.NN.0) — pinning a SHA locks to a specific Rust version (validator V-2026-04-22 confirmed 3c5f7ea was rust 1.94.1 branch tip, not generic "install stable"). dtolnay is a trusted maintainer (author of serde/anyhow/cxx). Supply-chain risk of @stable re-point is LOW and accepted here.
- name: Install hard deps
run: sudo apt-get update && sudo apt-get install -y jq pandoc
- run: bash -n install.sh
- run: ./install.sh --no-execute --profile=${{ matrix.profile }}
shell-lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- run: sudo apt-get update && sudo apt-get install -y shellcheck
- name: shellcheck (advisory)
# v0.15.1: kept advisory because local shellcheck sweep not yet clean
# (quoted-var nits in hooks). Flip to fatal once the sweep is committed;
# planned for v0.16.
# v0.20.1: explicit `|| true` in addition to continue-on-error — the
# latter doesn't always suppress the step-level exit-1 in the GH
# Actions annotation stream.
run: |
find hooks _primitives -name '*.sh' -exec shellcheck -S warning {} + || \
echo "shellcheck emitted warnings (advisory-only, not blocking)"
continue-on-error: true
workflow-lint:
# v0.20.1: guards against the dtolnay-SHA-class incident (2026-04-22).
# actionlint catches workflow syntax; validate-workflow-shas.sh catches
# fabricated / force-pushed SHA pins. Runs fast (<30s).
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- name: Install actionlint
run: bash scripts/install-actionlint.sh
- name: Lint workflows (actionlint)
run: PATH="${HOME}/.local/bin:${PATH}" bash scripts/lint-workflows.sh
- name: Validate pinned SHAs
run: bash scripts/validate-workflow-shas.sh

344
.github/workflows/release.yml vendored Normal file
View file

@ -0,0 +1,344 @@
name: Release
on:
push:
tags:
- 'v*'
permissions:
contents: write
jobs:
build-release:
name: Build ${{ matrix.target }}
runs-on: ${{ matrix.os }}
continue-on-error: ${{ matrix.experimental }}
strategy:
fail-fast: false
matrix:
# v0.22.3 fix: aarch64-linux moved from ubuntu-latest + cross-linker
# install (apt gcc-aarch64-linux-gnu consistently failed in CI) to
# ubuntu-24.04-arm NATIVE ARM runner. No cross-compile, rustc builds
# the target host-native. `experimental: false` — native path is
# reliable.
include:
- os: ubuntu-latest
target: x86_64-unknown-linux-gnu
experimental: false
- os: ubuntu-24.04-arm
target: aarch64-unknown-linux-gnu
experimental: false
- os: macos-latest
target: x86_64-apple-darwin
experimental: false
- os: macos-latest
target: aarch64-apple-darwin
experimental: false
steps:
# v0.19.1 supply-chain hardening (H5): all actions pinned by full
# commit SHA; a floating tag like @v4 can be re-pointed by a
# compromised maintainer (CVE-2025-30066 class). Version comment next
# to each SHA is for human readability only — the SHA is load-bearing.
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable # exception to SHA-pin: named-branch convention (validator V-2026-04-22)
with:
targets: ${{ matrix.target }}
- uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
with:
workspaces: _primitives/_rust
# v0.22.3: cross-linker step removed — aarch64-linux now builds
# natively on ubuntu-24.04-arm. No cross-compile, no gcc-aarch64-linux-gnu.
- name: Build workspace (release)
working-directory: _primitives/_rust
run: cargo build --workspace --release --target ${{ matrix.target }}
- name: Package binaries
id: package
working-directory: _primitives/_rust/target/${{ matrix.target }}/release
shell: bash
run: |
set -euo pipefail
# Collect every Cargo-built executable (Linux + macOS: no ext, mode +x).
# Portable across GNU + BSD find: iterate, test executability in shell.
BINS=()
for f in *; do
[ -f "$f" ] || continue
case "$f" in
*.d|*.rlib|*.rmeta|*.so|*.dylib|*.dSYM) continue ;;
esac
if [ -x "$f" ]; then
BINS+=("$f")
fi
done
if [ "${#BINS[@]}" -eq 0 ]; then
echo "::error::no release binaries produced for ${{ matrix.target }}"
exit 1
fi
echo "Binaries found: ${BINS[*]}"
ARCHIVE="keisei-${{ matrix.target }}.tar.gz"
tar czf "$GITHUB_WORKSPACE/$ARCHIVE" "${BINS[@]}"
cd "$GITHUB_WORKSPACE"
if command -v sha256sum >/dev/null 2>&1; then
sha256sum "$ARCHIVE" > "$ARCHIVE.sha256"
else
shasum -a 256 "$ARCHIVE" > "$ARCHIVE.sha256"
fi
echo "archive=$ARCHIVE" >> "$GITHUB_OUTPUT"
- name: Upload artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: binaries-${{ matrix.target }}
path: |
keisei-${{ matrix.target }}.tar.gz
keisei-${{ matrix.target }}.tar.gz.sha256
if-no-files-found: error
# v0.18 Phase 1 (exobrain): compile @keisei/mcp-server to a single static
# binary for 5 platforms via `bun build --compile`. Runs in parallel with
# build-release; the release job below `needs:` both. Linux arm64 is kept
# `continue-on-error` because the ubuntu arm runner pool is newer and
# occasionally flaky — a missing linux-arm64 asset must NOT block release.
build-mcp-binary:
# v0.22.2 fix: `macos-13` Intel runners were deprecated by GitHub and the
# pool is dry — `darwin-x64` jobs sit in queued for hours and block the
# final `release` job (needs: build-mcp-binary). bun supports
# cross-compile to every target from any host, so we consolidate every
# bun build onto ubuntu-latest. Faster, no macOS quota cost, no runner
# starvation. Binaries are still native per-target (bun produces the
# correct Mach-O / ELF / PE format via --target).
name: Build mcp-server ${{ matrix.target.platform }}-${{ matrix.target.arch }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
target:
- { platform: linux, arch: x64, bun_target: bun-linux-x64, ext: '' }
- { platform: linux, arch: arm64, bun_target: bun-linux-arm64, ext: '' }
- { platform: darwin, arch: x64, bun_target: bun-darwin-x64, ext: '' }
- { platform: darwin, arch: arm64, bun_target: bun-darwin-arm64, ext: '' }
- { platform: windows, arch: x64, bun_target: bun-windows-x64, ext: '.exe' }
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- name: Install bun
uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
with:
bun-version: latest
# v0.19.1 supply-chain hardening (H4): lockfile is REQUIRED — the
# `|| bun install` fallback was removed so a missing bun.lock fails
# the build instead of resolving deps fresh against the live npm
# registry (tainted-binary window). bun.lock lives at workspace
# root (_ts_packages/bun.lock) — bun is a monorepo tool and tracks
# all packages/* from one lockfile. See BUILD.md §Lockfile.
- name: Install mcp-server deps
shell: bash
working-directory: _ts_packages
run: bun install --frozen-lockfile
- name: Compile single-binary
shell: bash
env:
BIN_NAME: kei-mcp-server-${{ matrix.target.platform }}-${{ matrix.target.arch }}${{ matrix.target.ext }}
run: |
set -euo pipefail
mkdir -p dist
bun build \
--compile \
--target=${{ matrix.target.bun_target }} \
_ts_packages/packages/mcp-server/src/index.ts \
--outfile "dist/${BIN_NAME}"
ls -la "dist/${BIN_NAME}"
- name: Compute sha256
shell: bash
env:
BIN_NAME: kei-mcp-server-${{ matrix.target.platform }}-${{ matrix.target.arch }}${{ matrix.target.ext }}
run: |
set -euo pipefail
cd dist
if command -v sha256sum >/dev/null 2>&1; then
sha256sum "${BIN_NAME}" > "${BIN_NAME}.sha256"
else
shasum -a 256 "${BIN_NAME}" > "${BIN_NAME}.sha256"
fi
cat "${BIN_NAME}.sha256"
- name: Upload artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kei-mcp-server-${{ matrix.target.platform }}-${{ matrix.target.arch }}
path: |
dist/kei-mcp-server-${{ matrix.target.platform }}-${{ matrix.target.arch }}${{ matrix.target.ext }}
dist/kei-mcp-server-${{ matrix.target.platform }}-${{ matrix.target.arch }}${{ matrix.target.ext }}.sha256
if-no-files-found: error
release:
name: Publish GitHub Release
needs: [build-release, build-mcp-binary]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable # exception to SHA-pin: named-branch convention (validator V-2026-04-22)
- uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
with:
workspaces: _primitives/_rust
- name: Build kei-changelog
working-directory: _primitives/_rust
run: cargo build --release -p kei-changelog
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
path: dist/
- name: Flatten artifacts
run: |
set -euo pipefail
mkdir -p release-assets
# Rust tarballs + sha256 sums from build-release matrix.
# MCP-server bare binaries (+ .exe on windows) + sha256 sums from
# build-mcp-binary matrix. Bare binaries need a stable name to stay
# USB-drive-droppable, so no archive — we ship them raw alongside
# the tarballs.
find dist -type f \( \
-name '*.tar.gz' \
-o -name '*.sha256' \
-o -name 'kei-mcp-server-*' \
\) -exec mv {} release-assets/ \;
ls -la release-assets
- name: Generate release notes (kei-changelog)
id: notes
run: |
set -euo pipefail
TAG="${GITHUB_REF_NAME}"
PREV="$(git tag --sort=-creatordate | grep -v "^${TAG}$" | head -n1 || true)"
echo "Current tag: ${TAG}"
echo "Previous tag: ${PREV:-<none>}"
if [ -n "${PREV}" ]; then
NOTES="$(./_primitives/_rust/target/release/kei-changelog \
--from "${PREV}" --to "${TAG}" --version "${TAG}")"
else
NOTES="$(./_primitives/_rust/target/release/kei-changelog \
--to "${TAG}" --version "${TAG}")"
fi
if [ -z "${NOTES}" ]; then
NOTES="Release ${TAG}. No conventional-commit entries found in range."
fi
{
echo 'notes<<KEISEI_NOTES_EOF'
echo "${NOTES}"
echo 'KEISEI_NOTES_EOF'
} >> "$GITHUB_OUTPUT"
# v0.22.3 fix: softprops/action-gh-release v2.6.2 exited with failure
# on v0.22.2 due to a metadata-update race (asset uploaded to blob
# store but Releases metadata API returned 404 on the subsequent
# PATCH — eventual-consistency window). All 15 assets WERE uploaded,
# but the action exited 1 and left the Release in Draft state.
#
# Replaced with `gh release create` (bundled on all GitHub runners).
# CLI is idempotent: if the release already exists it updates it; if
# assets already exist `--clobber` replaces them. No metadata-PATCH
# race. Retry loop on transient upload failures.
- name: Publish GitHub Release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TAG: ${{ github.ref_name }}
NOTES: ${{ steps.notes.outputs.notes }}
shell: bash
run: |
set -euo pipefail
# Create the release if missing; `|| true` absorbs "already exists"
# on workflow re-run.
gh release view "$TAG" --repo "$GITHUB_REPOSITORY" >/dev/null 2>&1 || \
gh release create "$TAG" \
--repo "$GITHUB_REPOSITORY" \
--title "$TAG" \
--notes "$NOTES"
# Upload all assets with --clobber so re-runs replace cleanly.
# Retry each asset up to 3 times on transient network errors.
shopt -s nullglob
for f in release-assets/*.tar.gz release-assets/*.sha256 release-assets/kei-mcp-server-*; do
[ -f "$f" ] || continue
for try in 1 2 3; do
if gh release upload "$TAG" --repo "$GITHUB_REPOSITORY" --clobber "$f"; then
break
elif [ "$try" -eq 3 ]; then
echo "::error::failed to upload $f after 3 tries" >&2
exit 1
else
echo "upload of $f failed (attempt $try/3), retrying in 5s..." >&2
sleep 5
fi
done
done
echo "✓ Release $TAG published with all assets"
npm-publish:
name: Publish npm packages (optional)
needs: release
runs-on: ubuntu-latest
# Graceful skip: if NPM_TOKEN secret is not configured, the first step
# reports "skipped" and exits 0 — Rust-binary release above still succeeds.
steps:
- name: Check NPM_TOKEN presence
id: have_token
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
run: |
if [ -n "${NPM_TOKEN:-}" ]; then
echo "present=1" >> "$GITHUB_OUTPUT"
else
echo "present=0" >> "$GITHUB_OUTPUT"
echo "::notice::NPM_TOKEN not set — skipping npm publish gracefully"
fi
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
if: steps.have_token.outputs.present == '1'
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
if: steps.have_token.outputs.present == '1'
with:
node-version: '20'
registry-url: 'https://registry.npmjs.org'
- name: Install deps
if: steps.have_token.outputs.present == '1'
working-directory: _ts_packages
run: npm ci
- name: Build workspaces
if: steps.have_token.outputs.present == '1'
working-directory: _ts_packages
run: npm run build --workspaces --if-present
- name: Publish each package
if: steps.have_token.outputs.present == '1'
working-directory: _ts_packages
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: |
set -euo pipefail
for pkg in packages/*/; do
if [ -f "$pkg/package.json" ]; then
echo "::group::publish $pkg"
( cd "$pkg" && npm publish --access public ) \
|| echo "::warning::publish failed for $pkg (continuing)"
echo "::endgroup::"
fi
done

64
.gitignore vendored Normal file
View file

@ -0,0 +1,64 @@
_primitives/_rust/target/
**/target/
.DS_Store
# Agent worktrees — ephemeral orchestrator scratch dirs, never commit.
.claude/worktrees/
**/.claude/worktrees/
.claude/forks/
_forks/
# kei-spawn agent task-scratch dirs (transient ledger artefacts, RULE 0.12)
tasks/ag-edit-shared-*/
# kei-fork internal markers (should never leak into main)
.DONE
.KEI_FORK_META.toml
_archive/forks/
# Secrets
.env
.env.*
!.env.example
!.env.template
secrets/
**/secrets/
.claude/secrets/
# Keys and certs
*.pem
*.key
*.pfx
*.p12
*.jks
id_rsa
id_rsa.*
id_ed25519
id_ed25519.*
*.gpg
# Credentials / config with values
credentials.json
.netrc
.authinfo
.aws/credentials
.ssh/
# Locks (per-project policy — leave as existing if already tracked)
# Do not add: Cargo.lock (tracked per RULE 0.1 for reproducibility)
# OS + editor junk
Thumbs.db
*.swp
*.swo
.idea/
.vscode/
*.iml
# Build
node_modules/
dist/
build/
__pycache__/
*.pyc
var/

107
BACKUP-INDEX.md Normal file
View file

@ -0,0 +1,107 @@
# Backup Index — 3-way merge 2026-04-29
> Альтернативные дизайны, не выбранные в финальный merge — сохранены
> на случай если основной выбор покажет проблемы и придётся откатиться.
>
> Все три тэга на forgejo (`origin`, `100.91.246.53:3000/denis/KeiSeiKit`).
> Author keeps the kit on a private remote.
---
## Финальный merge
| Что | Где |
|---|---|
| Merge commit | `e8481b9` на `main` → запушен в forgejo origin/main (`b6a36ac` HEAD) |
| Integration branch | `integration/2026-04-29-merge-3way` (forgejo) |
| PR-URL | http://100.91.246.53:3000/denis/KeiSeiKit/compare/main...integration/2026-04-29-merge-3way |
## Backup tags (forgejo origin)
### `backup/audit-wave5-6-smoke-2026-04-29`
Сохранил: 5 коммитов на `audit/wave5-6-smoke` от base `b26ac053`.
- 4 audit-snapshots (wave5+6, 7, 8, 9) — добавляют 20 крейтов Hosted Sleep
- 1 fix commit `b8f91dc` — H-2 token-usage capture + M-2/M-3/M-4 cleanup
- HEAD: `cead3db`
Зачем: backup_path для H-2 implementation (cherry-picked в integration).
### `backup/wave55c-verified-pricing-final-2026-04-29`
Сохранил: 15 коммитов на `fix/wave55c-verified-pricing-final` от base `b26ac053`.
- W55b stages 2+3+4 — kei-cortex/kei-router MODEL → kei_model::resolve()
- W55c verified pricing 2026-04-28 + selectors role mappings
- P1.1.c+e — responses.rs + chat_completions streaming wiring
- P1.1.d — runs.rs/run_agent.rs → real LLM via stream_events
- P1.1.f — wiremock fixture + docs
- 7 новых крейтов (svc-systemd, llm-bridge-mlx, llm-router, compute-baremetal, compute-vultr, compute-linode, kei-model)
- Token tracker
- HEAD: `91c0a55`
**Альтернативный streaming-дизайн в этом backup'е**: `spawn_tee_persist` тiирует upstream channel в downstream и асинхронно
персистит на Done. Финальный merge ИСПОЛЬЗУЕТ этот дизайн (`tee` выиграл).
### `backup/n1-n4-cleanup-residue-oneshot-2026-04-29`
Сохранил: 1 коммит `8dd4fdf` поверх `audit/wave5-6-smoke`.
- N-1 + N-4 + L-2 + M-4-B fixes
- HEAD: `8dd4fdf`
**Альтернативный streaming-дизайн в этом backup'е**: `oneshot::Receiver<(text, usage)>` — forwarder отдаёт persist-callback'у
буфер текста + Usage когда Done. Финальный merge **НЕ выбрал** этот вариант (предпочёл wave55c's tee).
**Когда полезно**: если tee design покажет проблемы (race conditions при медленных downstream, потеря событий при channel
backpressure), переключиться на oneshot — один консьюмер, синхронная persist логика, проще для отладки.
---
## Восстановление альтернативного streaming-дизайна
```bash
# Полный rollback на oneshot design
git checkout backup/n1-n4-cleanup-residue-oneshot-2026-04-29
git checkout -b fix/restore-oneshot-streaming-2026-XX-XX
# Reapply остальные фиксы поверх...
# Cherry-pick конкретного файла
git checkout backup/n1-n4-cleanup-residue-oneshot-2026-04-29 -- \
_primitives/_rust/kei-cortex/src/routes/openai/chat_completions.rs \
_primitives/_rust/kei-cortex/src/routes/openai/stream_forwarder.rs
```
---
## Stash queue (12 оставшихся)
После merge'а 3 stash'a удалены как provably-merged. 12 stash'ей остались
от других веток — отдельный housekeeping pass:
```
stash@{0}: fix/wave55c-verified-pricing-final wave55c-extras
stash@{1}: fix/wave55c-verified-pricing-final wave9-net-wip
stash@{2}: fix/wave55c-verified-pricing token-wire WIP
stash@{3-11}: разные feature ветки от 2026-04-22…04-28
```
Не блокирует ничего; разобрать когда будет время.
---
## Worktrees (process scratch)
`.claude/worktrees/agent-*` — 42 директории от прошлых kei-spawn вызовов.
Stale agent worktrees — должны быть GC'нуты через `kei-fork gc` или вручную.
Не блокирует merge; отдельный housekeeping.
`tasks/ag-edit-shared-*/` + 6 `tasks/*.toml` task-spec файлов — process
scratch, оставлены untracked. Можно gitignore или закоммитить как audit
trail если важно сохранить.
---
## Date lock
2026-04-29. Все 3 backup tag'а pushed на forgejo `origin` 2026-04-28.
Удалять только если дизайн tee-persist подтвержден стабильным под
production нагрузкой (≥30 дней, ≥1M запросов).

105
DECISIONS.md Normal file
View file

@ -0,0 +1,105 @@
# KeiSeiKit Architectural Decisions
> ADR-style log. Each entry: context → decision → consequences. New entries
> at the top. Cross-link from `_primitives/_rust/<crate>/README.md` when a
> decision is crate-local.
---
## 2026-04-28 — Three scheduling abstractions in workspace
### Context
After Hermes import (P4.2 `kei-cron-scheduler`) the KeiSeiKit workspace
contains **three** scheduler-like primitives. A naive audit reads this as
duplication; in practice each occupies a distinct layer of the stack and
removing any one would break a downstream consumer. This ADR documents the
boundary so a future reader does not consolidate them by mistake.
### The three primitives
| Crate | Storage | Concurrency | Owns runner? | Canonical use |
|---|---|---|---|---|
| `kei-scheduler` | `rusqlite` (sync, metadata-only) | sync | **no** | per-call queryable schedule index |
| `kei-cron-scheduler` | JSON-on-disk + `fcntl` advisory lock | `tokio` async | **yes** | Hermes parity (`/schedule` parser + cron loop) |
| `kei-pipe` cron triggers | embedded in pipe TOML | driven by pipe runtime | depends on pipe | pipeline-level cron embedded in a pipe definition |
### Decision
**Keep all three. Do not consolidate.** Each abstraction encodes a
different ownership contract and a different blast radius on failure.
### Rationale, primitive by primitive
#### `kei-scheduler` — synchronous metadata-only store
Synchronous `rusqlite` schedule store. Stores cron expression, next-run
timestamp, owner, payload pointer. Does **not** dispatch — the caller asks
"what should I run between t and t+Δ" and the caller is responsible for
execution.
This separation matters because two callers want exactly that contract:
- `kei-pipe` queries the schedule from the pipe-runtime loop (already its
own scheduler) — it must not have a competing async runner inside the
store.
- `cron-wrapper-agent` test harness wants deterministic, blocking lookups
with no background tasks. A `tokio` runtime would fight the harness.
A SQLite-backed metadata store is the smallest abstraction that satisfies
both callers. Any `tokio` infrastructure inside this crate would force its
contract on the harness and break determinism.
#### `kei-cron-scheduler` — async runner for Hermes parity
Async `tokio`-based runner. JSON-on-disk persistence (one file per job),
`fcntl` advisory lock to keep multiple binaries from racing the same job
file, owns its own loop, supports interval + standard 5-field cron. This
is the surface imported from Hermes (HERMES-MIGRATION-PLAN P4.2) — the
contract is "set-and-forget recurring scheduler with the runner inside the
crate."
A SQLite-only store like `kei-scheduler` cannot satisfy this contract:
- File-per-job is the unit of `fcntl` locking; a single SQLite file would
serialise all locks through the SQLite write mutex.
- The runner is part of the public surface — Hermes callers expect to
hand the crate a job and walk away. Splitting the runner into a
separate crate would re-litigate the contract on every consumer.
#### `kei-pipe` cron triggers — pipeline-level cron embedded in a pipe
Pipes (KeiSei pipeline definitions, TOML) can declare a cron trigger
inline. The pipe runtime evaluates the trigger as part of the pipe's own
state machine, alongside event triggers, file-watch triggers, and HTTP
triggers. The cron trigger is **not** a separate scheduler — it is a
trigger source within the pipe runtime, which is itself the scheduler.
Re-implementing this on top of `kei-cron-scheduler` would either (a)
duplicate the pipe runtime's lifecycle into the cron crate, or (b) split
a single pipe's triggers across two runtimes, which loses the atomic
"trigger-fired-and-pipe-started" guarantee the pipe runtime provides.
### Consequences
- **Choosing the right primitive for a new caller.** Decision tree:
- Need a recurring background runner with `fcntl` durability and
minimal blast radius if a single binary crashes? → `kei-cron-scheduler`.
- Need a queryable index of "what should I run", with execution owned
elsewhere? → `kei-scheduler`.
- Trigger is one of many in a pipe definition, lives next to the data
flow, dies with the pipe? → `kei-pipe` cron trigger.
- **Fail-loud overlap.** If you find yourself porting a feature from one
to another (e.g. "let `kei-scheduler` also dispatch"), STOP — that is
the No-Patching/No-Overlay smell from the umbrella rules. Add the
feature to the right primitive instead, or write a new one.
- **Audit signal.** A future audit may flag "three schedulers" as a code
smell. This ADR is the canonical answer; link here from any review
comment that surfaces the question again.
### References
- `_primitives/_rust/kei-scheduler/`
- `_primitives/_rust/kei-cron-scheduler/`
- `_primitives/_rust/kei-pipe/` (cron trigger source)
- `HERMES-MIGRATION-PLAN.md` §P4.2 — Hermes parity import

388
HERMES-MIGRATION-PLAN.md Normal file
View file

@ -0,0 +1,388 @@
# Hermes → KeiSeiKit Migration Plan
> Source: NousResearch/hermes-agent (MIT, Python+TS, ~645K LOC, 2684 files).
> Local clone: `/tmp/hermes-research/hermes-agent/`.
> Research: 7 parallel Explore agents, 2026-04-28.
> Author: orchestrator session synthesis.
---
## STATUS BANNER (post-audit, 2026-04-28 — RULE 0.16 self-application)
> **SCAFFOLDING SHIPPED — ~52% functional coverage across 7 phases.**
> Honest reconciliation after `feat/hermes-batch-2026-04-28` audit by 7 kei-critic agents.
| Phase | Goal coverage | Status (RULE 0.16) | cargo-check | Top remaining gap |
|---|---|---|---|---|
| P0.2 export-trajectories | 55% | partial | PASS | 3-turn hardcode, `From::Tool` never used, 832 LOC vs ≤200 budget |
| P0.3 README Hermes column | 70% | partial | n/a | Verified TRUE [E1 source] — no edits required after Hermes claim re-grep |
| P1.1 OpenAI-compat | **25%** | **scaffolding** | PASS (after fix) | Echo stubs in all handlers; real `chat_stream::run_loop_stream` exists at `handlers/chat.rs:13` but unwired; `main.rs:98` lacks `into_make_service_with_connect_info` |
| P1.2 Daytona | 55% | partial | PASS | No Modal backend in repo to compose alongside; REST paths unverified vs Daytona OpenAPI; FileSync not wired into acquire/release |
| P2.1 injection-guard | 55% | partial-wrong-wire | PASS | Wired to `cmd_backlog --add` (RULE 0.14 CRUD), NOT to `ingest::insert_event` or `kei-pet::memory` (real memory writes) |
| P2.2 memory-nudge | **25%** | **dead-code** | PASS | Zero callers in handlers; `Invoker` trait has no production impl; `MemoryStore` Arc not plumbed; `from_context` returns invoker=None → `spawn_review` early-returns |
| P3.1 kei-skills | 30% | dead-code | PASS | Zero downstream consumers; kei-mcp re-implements skills-as-MCP via raw walkdir, bypassing kei-skills entirely |
| P3.4 kei-ledger v8 | 80% | partial-write-only | PASS | Real SQL + 5 funcs + 6 tests; no caller until Phase D nightly job built |
| P4.1 kei-gateway | 40% | scaffolding | PASS | 9 `todo!()` panics in TG/Discord/Slack adapters; only CLI real; `agent_cache` field DEAD in runner; blake3 hash unused in production path |
| P4.2 kei-cron-scheduler | **85%** | **functional** | PASS | Parser+job+runner real, no stubs. Minor: 4 `matches!` no-op tests need `assert!`; 3 scheduling abstractions in kit (smell) |
**Hermes "no auto-extraction" claim re-verified [E1 source code]**: no edits required to README footnote or §"Honest delta vs Hermes". Verification by exhaustive grep of `/tmp/hermes-research/hermes-agent/` for `extract_skill`, `auto_save_skill`, post-task hooks, plus inspection of sister `NousResearch/hermes-agent-self-evolution` (DSPy+GEPA prompt optimization, NOT trajectory→skill extraction; separate repo, no integration).
**RULE 0.16 SHIPPED-VS-FUNCTIONAL DRIFT** codified 2026-04-28 in response to this audit. Three layers: agent STATUS-TRUTH MARKER footer + `~/.claude/hooks/agent-stub-scan.sh` (WARN 7d → ENFORCE) + orchestrator pre-commit cargo gate. Belt+suspenders+chastity-belt against repeating this drift.
**Functional follow-ups (in priority order)** to take any phase from `partial`/`scaffolding` to `functional`:
- P1.1.b: wire `chat_stream::run_loop_stream` into OpenAI handlers (~4-8h) — biggest user-visible win
- P2.1.b: re-wire injection_guard to `ingest::insert_event` + `kei-pet::memory` real write paths (~2h)
- P2.2.b: implement `Invoker` for `kei-anthropic` + plumb `MemoryStore` Arc + call `maybe_trigger` from chat handler (~1d)
- P3.1.b: replace kei-mcp's raw walkdir with `kei_skills::SkillRegistry` consumer (~3-4h)
- P0.2.b: parse chatlog into multi-turn ShareGPT (split on tool boundaries, emit `From::Tool`) (~1d)
- P4.1.b: real teloxide / serenity / slack-morphism adapter implementations (3-4d each)
---
---
## TL;DR — what we take, what we drop
| Hermes feature | Verdict | Effort | KeiSei gap? |
|---|---|---|---|
| OpenAI-compat `/v1/chat/completions` + `/v1/responses` (axum) | **P0 TAKE** | 16-25h | yes — instant frontend ecosystem |
| Daytona backend (real hibernation, not Modal-style) | **P0 TAKE** | 1-2 days | yes — Modal-only today |
| ShareGPT JSONL trajectory export from `kei-ledger` | **P0 TAKE** | 2 days | yes — community RL distribution |
| Multi-platform gateway (TG/Discord/Slack/CLI single process) | **P1 TAKE** | 10-12 days MVP | yes — adapters separate today |
| `croniter` for recurring `/schedule` (interval + cron-expr) | **P1 TAKE** | 1-2 days | yes — only one-shot today |
| Memory injection scanner (block "ignore previous" etc.) | **P1 TAKE** | 3-4 days | **security gap** |
| Periodic-nudge background memory review (every N turns) | **P1 TAKE** | 1-2 weeks | yes — runtime curation |
| `MemoryProvider` plugin trait (8+ external memory backends) | **P2 EVAL** | 2-3 weeks | yes — but our SQLite better than their builtin |
| **Phase D learning loop** (auto trajectory→skill, real self-improvement) | **P0 BUILD** | 3-5 weeks | **we go FURTHER than Hermes** |
| Plug KeiSei skills into Hermes agentskills.io taps | **P1 TAKE** | 1 day | distribution win, zero lock-in |
| ACP (agent-client-protocol) wrapper for kei-mcp | **SKIP** | — | wrong layer; ACP = editor↔agent, MCP = agent↔tool |
| Honcho integration | **P3 LATER** | unknown | external SaaS dependency |
| `delegate_task` ThreadPoolExecutor (in-process subagents) | **SKIP** | — | conflicts with RULE 0.12 worktree+ledger model |
| Atropos RL submodule | **SKIP** | — | we don't train models |
| Trajectory compressor | **P2 EVAL** | unknown | only if we add long-context summarization |
---
## Honest assessment of Hermes
**Architecture quality**: Mid. Files are massive — `run_agent.py` is **13,268 LOC**, `gateway/run.py` **11,760 LOC**, `cli.py` **11,388 LOC**. That's the opposite of our Constructor Pattern (≤200 LOC/file). **Porting means decomposing, not copying.**
**Marketing vs reality**:
- "Self-improving learning loop" — **CRUD on markdown files with manual triggers**. No automatic trajectory→skill extraction. No success-rate tracking. No background evaluator. The mechanism is `agent.write_skill_file(yaml + md)` plus `agent.patch_skill(fuzzy_replace)`. The README sells more than the code delivers.
- "Daytona AND Modal hibernate" — **only Daytona truly hibernates**. Modal volumes persist; Modal sandboxes always cold-start.
- "FTS5 full-text search" — **applies to external Honcho only**, not builtin memory. Builtin uses substring matching on markdown.
**Where Hermes IS strong**:
- Cross-platform user continuity via deterministic session-key hash (one function, ~170 LOC) — clean and correct
- 6 execution backends with pluggable interface
- Rich gateway (15+ platforms, race-condition handling via interrupt/queue/steer modes)
- OpenAI-compat HTTP server with SSE + tool-progress events to prevent hallucination during tool calls
- MemoryProvider ABC plugin discovery — clean trait surface
- Injection scanning on memory writes (security awareness we lack)
**Where KeiSei is already strong (don't regress)**:
- Constructor Pattern enforcement (≤200 LOC/file, ≤30 LOC/function)
- DNA per-run, kei-ledger fork model (RULE 0.12)
- SQLite + FTS5 + TF-IDF + pattern co-access in `kei-memory` (Hermes builtin has nothing comparable)
- Sleep-layer A/B/C (incubation / REM / deep-sleep NREM) — Hermes has no equivalent
- Ed25519 client identity / blake3(pubkey) → user_id
- Rust core, ≤2 MB binaries, type safety
---
## Detailed migration roadmap
### Phase 0 — distribution + visibility (1 week, low risk)
Goal: get KeiSei in front of users without changing core code.
**P0.1 — Plug KeiSei skills into Hermes hub** (1 day)
- Create `github.com/KeiSei84/keisei-skills` mirror in agentskills.io format (YAML frontmatter + SKILL.md)
- Document `extra_taps` install instruction in our README
- Effect: any Hermes / OpenClaw / Cursor user discovers our 45 skills via `hermes /skills search ...`
**P0.2 — ShareGPT JSONL exporter from `kei-ledger`** (2 days)
- New Rust binary `kei-export-trajectories` in `_primitives/_rust/`
- Reads `~/.claude/agents/ledger.sqlite` + chatlog files
- Emits `.jsonl` with `{conversations: [{from: system|human|gpt|tool, value}], tool_stats, prompt_index, completed}`
- ≤200 LOC, single binary, follows Constructor Pattern
- Effect: KeiSei users contribute training data to community RL ecosystems
**P0.3 — README honest competitor table update** (30 min)
- Add Hermes column to comparison table (the closest peer, not LangChain)
- Acknowledge what they do better (multi-platform gateway, plugins) — don't oversell
- Effect: trust signal for engineer-readers
### Phase 1 — frontend ecosystem unlock (2 weeks, medium risk)
Goal: any OpenAI-compatible UI talks to `kei-cortex`.
**P1.1 — OpenAI-compat HTTP routes in `kei-cortex`** (16-25h)
Add to `_primitives/_rust/kei-cortex/src/`:
```
routes/v1_chat_completions.rs (~180 LOC) POST /v1/chat/completions
routes/v1_responses.rs (~180 LOC) POST /v1/responses (stateful)
routes/v1_models.rs (~80 LOC) GET /v1/models
routes/v1_runs.rs (~180 LOC) POST /v1/runs + GET /events + POST /stop
routes/sse_streaming.rs (~150 LOC) tokio mpsc → axum::response::Sse
auth/bearer_token.rs (~80 LOC) hmac::compare via API_SERVER_KEY env
tool_translation/openai_to_kei.rs (~150 LOC) function-call schema mapping
```
Reference: Hermes `gateway/platforms/api_server.py:1-22, 1042-1172, 2620-2640`.
**Tool-progress event** (Hermes #6972) — emit `event: kei.tool.progress` during long tool calls so client doesn't hallucinate "model fell silent". Do this. It's free and we already track it in `kei-ledger`.
**Auth** — bearer + `hmac::compare_digest` against env var. If unset, allow local-only (matches Hermes default).
**Acceptance test**: Open WebUI / LobeChat / LibreChat / NextChat / ChatBox all connect and stream replies through `kei-cortex` with tool calls visible mid-stream.
**P1.2 — Daytona backend addition** (1-2 days)
Add to `_primitives/_rust/` a new crate `kei-backend-daytona`:
- Wraps Daytona REST API (the SDK is Python-only; we use HTTP directly)
- Implements `Backend` trait alongside our existing Modal backend
- Hibernation: GET /sandbox/{name} → 200 → POST /sandbox/{name}/start; on 404 → create fresh
- Volume mount: `~/.keiseikit` rsync'd before/after
Reference: Hermes `tools/environments/daytona.py:30-120`.
**Cost note**: Daytona free tier = 2 sandboxes, 30min idle hibernate. Beyond that — paid. Add to `kei-cost-guardian` checklist.
### Phase 2 — security + memory hardening (2-3 weeks, low risk)
**P2.1 — Memory injection scanner** (3-4 days)
Add `_primitives/_rust/kei-memory/src/injection_guard.rs` (~200 LOC):
- Pattern set: `"ignore previous"`, `"you are now"`, `"system:"`, `"<\\|im_start\\|>"`, curl/wget with `Authorization`/`api_key` substrings, SSH-key dump patterns, base64-encoded blobs >1KB, invisible unicode (zero-width chars, RTL override)
- Block at WRITE path in `kei-memory::store::add()` — return `Err(InjectionDetected{pattern, line})`
- Bypass: `KEI_MEMORY_SKIP_GUARD=1` (logged with reason)
Reference: Hermes `tools/memory_tool.py:90-102`.
**Test**: feed 50 known prompt-injection samples from PromptGuard / PI-Bench → expect ≥45 blocks.
**P2.2 — Periodic-nudge background memory review** (1-2 weeks)
Add to `kei-cortex` agent loop:
- Counter `_turns_since_memory_review` increments every agent turn
- At threshold `memory_nudge_interval` (default 10), spawn detached tokio task:
- New ephemeral `Agent` with `enabled_tools=["memory_search","memory_add","memory_replace"]`, max 8 iterations, `quiet_mode=true`
- Conversation snapshot from parent (via `Arc<RwLock<Vec<Turn>>>`)
- Prompt: "Review the conversation. Save user-revealed facts about themselves OR explicit behavior preferences. Otherwise reply 'Nothing to save.' and stop."
- Writes go to `kei-memory` directly via `Arc<MemoryStore>`
- Parent prints `💾 <action summary>` on completion
Reference: Hermes `run_agent.py:3147-3156, 3267-3390, 9740-9750`.
**Frozen-snapshot pattern**: memory injected into system prompt is frozen at session start. Background reviews mutate disk store but NOT the in-flight system prompt — preserves prefix cache (which is critical for cost on Anthropic's prompt-caching).
### Phase 3 — Phase D learning loop (KeiSei goes BEYOND Hermes) (4-6 weeks, high value)
**P3.1 — Skill format compatibility** (3 days)
Adopt Hermes / agentskills.io SKILL.md format:
```yaml
---
name: <slug>
description: <≤1024 chars>
category: <optional>
---
## Overview
...
## Process
1. ...
```
Add `kei-skills` crate (~600 LOC across 5 files):
- `format.rs` — YAML frontmatter + body parser (use `serde_yaml`)
- `validator.rs` — frontmatter required-field check (port `tools/skills_tool.py:172-208`)
- `patcher.rs` — fuzzy find-replace (port `fuzzy_match.py`; or use `similar` crate's diff)
- `loader.rs` — read `~/.keiseikit/skills/**/SKILL.md` at daemon start
- `registry.rs` — name-keyed in-memory store, hot-reload via inotify/fsevents
Also: `kei-skills` and Hermes interop is bidirectional — same on-disk format, same `extra_taps` distribution.
**P3.2 — Trajectory→skill auto-extraction** (2-3 weeks)
This is **THE feature Hermes claims but doesn't implement**. We build it for real.
Trigger conditions (codified in `kei-skills/src/extraction_trigger.rs`):
- Phase B (REM consolidation) just finished
- Trajectory has ≥5 tool calls AND completed=true AND total turns ≥4
- No existing skill matches >85% similarity (via embedding)
- OR explicit user opt-in via `/extract-skill` slash command
Extraction pipeline:
1. Phase B emits trajectory chunk → enqueued in `~/.keiseikit/sleep-queue/skill-extraction/`
2. `kei-skills` extractor (during Phase D, see below) loads chunk
3. Calls Anthropic / OpenRouter with prompt:
```
Extract a reusable procedural skill from this task trajectory.
Output ONLY YAML frontmatter + markdown body in agentskills.io format.
Frontmatter: {name: <slug>, description: <≤1024 chars>, category: <one of: code-review|debugging|deploy|...>}.
Body sections: ## Overview, ## Process (numbered), ## Pitfalls, ## Examples (verbatim from trajectory).
```
4. Validate output, write to `~/.keiseikit/skills/<category>/<name>/SKILL.md` atomically
5. Append to `kei-ledger` with extraction metadata (parent task ID, success metric, char count)
**P3.3 — Phase D: nightly skill self-improvement** (1-2 weeks)
Adds 4th sleep-layer phase (after A incubation / B REM / C deep-sleep NREM):
Phase D = procedural consolidation. Runs LAST in nightly cycle. Per-skill workflow:
1. Query `kei-ledger` for last-30-days usage of skill `S` (count, success_rate, time-since-last-use)
2. **If success_rate < 60% AND usage_count > 5** → re-extraction trigger
3. **If skill never used in 30 days** → archive to `~/.keiseikit/skills/_archive/`
4. **If usage > 20 AND success_rate > 90%** → mark "validated" in frontmatter (`stability: validated`)
Phase D runs Modal/Daytona serverless to keep local-Mac uninterrupted at 03:00 local. Budget: 30 min/night, 5 skills max per cycle (matches Phase B greedy-pack pattern).
**P3.4 — Skill metrics in `kei-ledger`** (3 days)
New table:
```sql
CREATE TABLE skill_invocations (
id INTEGER PRIMARY KEY,
skill_name TEXT NOT NULL,
ts INTEGER NOT NULL,
agent_id TEXT,
success INTEGER NOT NULL, -- 0/1, derived from agent's review.md
trajectory_id TEXT,
duration_ms INTEGER
);
CREATE INDEX idx_skill_invocations_name_ts ON skill_invocations(skill_name, ts);
```
Tracked at agent-loop level when skill is loaded into context.
### Phase 4 — multi-platform gateway (3 weeks, medium-high risk)
**P4.1 — Unified gateway crate** (10-12 days MVP, 14-16 days prod)
New crate `_primitives/_rust/kei-gateway/` with Constructor-decomposed adapters:
```
src/
message.rs (~150 LOC) MessageEvent struct (text, source, media_urls, ts)
session_key.rs (~170 LOC) build_session_key() — port hash function
session_store.rs (~180 LOC) SQLite + LRU cache (sqlx + lru crates)
router.rs (~140 LOC) DeliveryRouter — fan-out by platform
guard.rs (~150 LOC) Per-session asyncio.Event equivalent (tokio Mutex<bool>)
agent_cache.rs (~150 LOC) LRU<session_key, Arc<Agent>> with TTL
runner.rs (~180 LOC) GatewayRunner — orchestrates adapters
adapters/
base.rs (~200 LOC) PlatformAdapter trait
telegram.rs (~200 LOC) teloxide
discord.rs (~200 LOC) serenity
slack.rs (~200 LOC) slack-morphism
cli.rs (~150 LOC) stdin/stdout async loop
whatsapp.rs (~200 LOC) axum webhook + twilio crate (later)
signal.rs (~200 LOC) signal-cli subprocess bridge (later)
```
**Interrupt mode (default)**: incoming message during running agent → call `agent.interrupt(text)` → enqueue. Reference: Hermes `gateway/run.py:1678-1729`.
**Race-condition guard**: per-`session_key` `tokio::sync::Mutex<bool>` (acquired before agent run, released on completion). Stale-lock heal at adapter level if 30s stuck.
**Cross-platform user-id linking**: same `user_id` (e.g. linked TG account + Discord OAuth) → same session_key → same memory. Optional `~/.keiseikit/user_aliases.toml` for manual mapping.
**P4.2 — `croniter` for recurring `/schedule`** (1-2 days)
Add `cron` Rust crate dep. Extend `kei-sleep-queue.sh` (or replace with `kei-scheduler` Rust binary) to support:
- One-shot: `2026-05-01T14:00`, `30m`, `2h`, `1d`
- Interval: `every 30m`, `every 2h`
- Cron expr: `0 9 * * 1-5` (weekdays 9am)
Persistence: `~/.keiseikit/scheduler/jobs.json` (atomic temp+rename, fcntl locking).
Reference: Hermes `cron/jobs.py:102-209`.
### Phase 5 — optional / decide later
**P5.1 — `MemoryProvider` plugin trait** (2-3 weeks) — DEFER
Hermes has 8 external providers. Honcho is interesting (peer modeling) but requires SaaS dep. Mem0 is local-friendly. Decision: defer until ≥2 users explicitly request alternative memory backend. Our SQLite+FTS5+TF-IDF is already richer than Hermes builtin.
**P5.2 — Honcho integration** — DEFER until P5.1 (no point integrating one provider if no plugin trait).
**P5.3 — Trajectory compressor** — DEFER. Only useful when `kei-cortex` chats exceed 64K context. Current token budgets are fine.
**SKIP — ACP wrapper for kei-mcp**. Wrong abstraction layer. ACP = editor↔agent (Zed-like surface), MCP = agent↔tool. If we ever build a KeiSei-as-agent server (rather than substrate), revisit.
**SKIP — `delegate_task` ThreadPoolExecutor**. Hermes uses in-process threads with restricted toolsets. We have RULE 0.12 worktree+ledger fork — durable, auditable, parallel via real OS isolation. The Hermes pattern is a downgrade for us.
**SKIP — Atropos**. RL-training submodule. We're a substrate, not a model trainer.
---
## Sequencing & risk
### Recommended order (12-14 weeks total)
```
Week 1 P0.1 hub-tap + P0.2 trajectory-export + P0.3 README ← distribution
Weeks 2-3 P1.1 OpenAI-compat axum routes ← frontend unlock
Week 4 P1.2 Daytona backend ← cheap hibernation
Weeks 5-6 P2.1 injection scanner + P2.2 nudge memory review ← security + UX
Weeks 7-9 P3.1 skill format + P3.2 trajectory→skill extraction ← Phase D core
Weeks 10-11 P3.3 Phase D nightly + P3.4 skill metrics ← Phase D close
Weeks 12-14 P4.1 gateway crate + P4.2 croniter scheduler ← multi-platform
```
### Risks (severity • mitigation)
- **HIGH** Constructor-Pattern violation by porting Hermes 1:1 (their files are 11K+ LOC). **Mitigation**: every PR must pass our `≤200 LOC/file` pre-commit hook. Decomposition is part of the work, not a follow-up.
- **HIGH** Daytona free tier exhausted under load. **Mitigation**: `kei-cost-guardian` pre-launch gate; if hit, fall back to Modal volumes (no hibernation, but works).
- **MEDIUM** OpenAI-compat surface drift (OpenAI changes spec faster than we can chase). **Mitigation**: pin to `2024-10-01` schema; add CI test against Open WebUI client weekly.
- **MEDIUM** Phase D runaway extraction (1000 skills, none useful). **Mitigation**: hard cap 50 active skills total; archive policy in P3.3; user can `/skills prune`.
- **LOW** Cross-platform user-id linking false positives. **Mitigation**: opt-in via explicit `user_aliases.toml`, no auto-linking on similar names.
- **LOW** TG/Discord crate breaking changes. **Mitigation**: pin versions; `cargo deny` in CI.
### Phase D vs Hermes — why we win
| Dimension | Hermes "learning loop" | KeiSei Phase D (P3) |
|---|---|---|
| Trigger | Manual (agent calls `skill_manage(create)`) | Automatic (post-Phase-B) |
| Storage | YAML+MD on disk | YAML+MD on disk (compatible) |
| Improvement | Manual fuzzy patch | Auto re-extraction at success_rate <60% |
| Metrics | None | usage_count, success_rate, last_used |
| Archive | Never (skills accumulate forever) | 30-day-unused → `_archive/` |
| Validation | None | `stability: validated` after 20+ uses with >90% success |
| Compute | None | Modal/Daytona serverless, 30 min/night, 5 skills/cycle |
We ship the feature their README claims. Honest delta in marketing.
---
## Patent / IP considerations
- All Hermes code is MIT-licensed → free to copy with attribution.
- The **Phase D auto-extraction with success-rate-driven re-improvement** is novel as far as our prior-art search shows. Worth a defensive provisional filing before public release of P3 (RULE 0.11 — patent SSoT git-model).
- `keipatent-project-specialist` review recommended before P3.2 lands publicly.
---
## Approval gates
Per RULE 0.5 (plan-mode-first), each phase requires explicit user `proceed` before code:
1. **Phase 0** (distribution) — low risk, recommend immediate proceed
2. **Phase 1** (OpenAI-compat + Daytona) — mid risk, review API-surface choices
3. **Phase 2** (memory hardening) — low risk, recommend immediate proceed
4. **Phase 3** (Phase D learning loop) — **HIGH STRATEGIC** — author-policy review FIRST, then proceed
5. **Phase 4** (gateway) — mid risk, scope-confirm before crate cluster spawn
6. **Phase 5** (optional) — re-evaluate after Phases 0-4 ship
Per RULE 0.13 (orchestrator branch first), each phase = orchestrator-created branch (`feat/p0-1-hub-taps`, `feat/p1-1-openai-compat`, etc.), agents only write files, orchestrator commits.
---
## Sources
- `/tmp/hermes-research/hermes-agent/` (NousResearch/hermes-agent @ HEAD, 2026-04-28)
- `~/Projects/KeiSeiKit/` (local, public mirror github.com/KeiSei84/KeiSeiKit-1.0)
- 7 parallel Explore agents, 2026-04-28 session.

202
LICENSE Normal file
View file

@ -0,0 +1,202 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

23
NOTICE Normal file
View file

@ -0,0 +1,23 @@
KeiSeiKit
Copyright 2026 Denis Parfionovich
This product includes software developed by
Denis Parfionovich (parfionovich@keilab.io).
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
License changed from MIT to Apache 2.0 on 2026-04-30 to provide
explicit patent grant per RFC and to align with the Apache Foundation
+ Linux Foundation default for projects with contributor patent
portfolios. Pre-2026-04-30 versions remain MIT under their original
distribution terms (irrevocable).

78
PLUGIN.md Normal file
View file

@ -0,0 +1,78 @@
# KeiSeiKit — Anthropic Claude Code plugin format
This document describes the plugin-format install path (v0.16+) and how it relates to the classic `./install.sh` path. Both paths are supported; use whichever fits.
## TL;DR
```bash
# One-time
/plugin marketplace add KeiSei84/KeiSeiKit
# Install
/plugin install keisei@keisei-marketplace
```
The plugin auto-registers: agents, skills, hooks, and the MCP server. No manual `~/.claude/settings.json` edits. No `install.sh` needed for the core (non-primitive) experience.
## Layout
The repo follows the [Anthropic Claude Code plugin spec](https://code.claude.com/docs/en/plugins):
```
.claude-plugin/
plugin.json # plugin manifest (name, version, author, license, keywords)
marketplace.json # marketplace manifest — lets this repo serve as a marketplace source
mcp-template.json # template for .mcp.json (copy to repo root; see "MCP prerequisite" below)
agents/ # auto-discovered by Claude Code at plugin-install time
skills/<name>/SKILL.md # auto-discovered
hooks/hooks.json # PreToolUse / PostToolUse / Stop hooks with ${CLAUDE_PLUGIN_ROOT} paths
.mcp.json # MCP server registration (see prerequisite note)
```
Paths inside `hooks/hooks.json` use `${CLAUDE_PLUGIN_ROOT}` (expanded by Claude Code at runtime to the plugin install directory) rather than absolute `$HOME/.claude/hooks/...` paths. This lets the same hooks ship unchanged whether the plugin is installed from GitHub, npm, or a local path.
## Plugin install vs classic install — what differs
| Feature | Plugin install | Classic `./install.sh` |
|---|---|---|
| Agents registered | yes, automatic | yes, copied to `~/.claude/agents/` |
| Skills registered | yes, automatic | yes, copied to `~/.claude/skills/` |
| Hooks wired | yes, via `hooks/hooks.json` | requires `--activate-hooks` (jq-merge of `settings-snippet.json`) |
| MCP server | yes, via `.mcp.json` (once `@keisei/mcp-server` is published) | same |
| 47 Rust primitives | **no** — plugin ships manifest sources only; no cargo build | yes, `--profile=<name>` builds the selected set |
| 13 shell primitives | **no** | yes, copied to `~/.claude/agents/_primitives/` |
| Disk footprint | ~2 MB (plugin cache) | ~2 MB minimal up to ~200 MB full |
| Update path | `/plugin update keisei` | `git pull && ./install.sh` |
| Update visibility | Claude Code shows version change | silent |
**Bottom line:** plugin install is the right default for the agent-kit experience (agents + skills + hooks). For the Rust primitives (`tomd`, `kei-ledger`, `provision-hetzner`, `kei-migrate`, etc.), fall back to the classic installer or run it alongside the plugin — the two don't collide because the plugin namespaces into its own install dir and the classic installer writes to `~/.claude/`.
## Prerequisites
**For plugin install:**
- Claude Code 2.1+ (check with `claude --version`)
- Network access to `github.com/KeiSei84/KeiSeiKit` on `/plugin marketplace add`
**For the MCP server subset:**
- `@keisei/mcp-server` published to npm — **STATUS: not yet published as of v0.16.0.** The `.mcp.json` entry is structurally correct and will activate automatically once the package is published. Until then, the `keisei` MCP server simply won't appear in your tool list — the agents, skills, and hooks all work without it.
- Node.js 18+ (for `npx` to fetch the server on demand)
**For the Rust primitives (classic install only):**
- Rust stable, `jq`, plus the soft-deps listed in the main README per-profile table.
## Known limitations
1. **Rust primitives not auto-installed.** The plugin format doesn't currently express "also run `cargo build` at install time". We ship the manifest sources in-repo so that users who want the primitives can run `./install.sh --profile=full` alongside the plugin. A future version may add pre-built release binaries for common platforms (macOS arm64/x86_64, Linux x86_64) into `bin/` so the plugin can ship primitives without a cargo step.
2. **`@keisei/mcp-server` not yet on npm.** The `.mcp.json` entry is the canonical intent, but the package needs publishing first. See `_ts_packages/packages/mcp-server/README.md` for the publish pipeline.
3. **Hooks use `${CLAUDE_PLUGIN_ROOT}`.** This is the official Claude Code plugin variable. Older Claude Code versions (<2.1) that predate plugin support will not expand this variable stick with classic install on those versions.
4. **No version-pinning yet.** `/plugin install keisei@keisei-marketplace` installs the default branch HEAD. For reproducible team installs, add the `--ref=<tag>` flag once it lands in Claude Code (currently in the spec per the extension schema `ref` field).
## Feedback & bugs
Open an issue at [github.com/KeiSei84/KeiSeiKit/issues](https://github.com/KeiSei84/KeiSeiKit/issues). A well-formed problem description is already half the solution.
## References
- [Anthropic Claude Code plugins docs](https://code.claude.com/docs/en/plugins)
- `README.md` — main install guide (plugin section is the new default)
- `settings-snippet.json` — retained for classic install; the plugin path does not use it
- `install.sh --help` — classic installer options, now with a plugin-first banner

231
README.md Normal file
View file

@ -0,0 +1,231 @@
# KeiSeiKit
A **multi-LLM substrate** that gives any agentic coding tool persistent
memory, deterministic agent identity, and self-maintaining orchestration.
Works first-class with Claude Code; MCP-compatible bridges generate
context for Cursor / Continue / Zed / Aider / Windsurf / Cline /
OpenClaw / Kimi from the same source-of-truth.
**Apache 2.0** — explicit patent grant + retaliation clause. 102 Rust
crates (~132K LOC), 67 skills, 35 hooks, 37 agent manifests, 82
substrate blocks, 18 capability bundles, 7 substrate roles. Self-
indexing via kei-registry SQLite (currently 495 active DNAs across the
public substrate). Three-phase nightly consolidation. Foreign-project
ingestion runtime (`kei-import <repo-url>`).
## What it does
| | |
|---|---|
| **Persistent memory** | SQLite ledger + content-addressable memory store, session-spanning context, cross-machine sync via memory-repo |
| **Agent DNA** | Deterministic 80-char identity per invocation: `<role>::<caps>::<scope-sha8>::<body-sha8>-<nonce>`. Same task → same prefix → "did this run before?" via SQL, no embeddings |
| **Constructor Pattern for prompts** | Agent `.md` files composed from manifests + blocks + capability bundles + rule fragments. Edit a block → all agents using it recompose. Single source of truth |
| **kei-fork** | Atomic git triplet (branch + worktree + ledger row) for parallel agent runs. Atomic rollback. No main-branch collisions across 4-8 simultaneous Claude sessions |
| **Three-phase sleep** | Phase A incubation (queued tasks) → Phase B REM consolidation (analyzes last 30 sessions, writes morning markdown report) → Phase C NREM deep-sleep (every 7 days, conflict scan + refactor proposals). No feedback loop — outputs are markdown, you decide what to keep |
| **Auto self-indexing** | Every substrate file edit triggers registry update + agent regeneration + DNA-INDEX.md refresh + keimd graph reindex |
| **Foreign-project ingestion** | `kei-import <repo>` walks → matches against 12 runtime traits → extracts skills from README/docs → generates migration plan → produces per-phase agent prompts |
| **Cross-tool bridges** | One rule-set, 11 target formats (`.cursorrules`, `.windsurf/rules/main.md`, `.github/copilot-instructions.md`, `AGENTS.md`, `GEMINI.md`, etc) |
| **Community npm registry** | Publish your agents / skills / hooks as scoped packages on [`keigit.com`](https://keigit.com) (public Forgejo + npm registry, OAuth login, per-user PAT). `npm publish` to your own scope, `npm install` from anyone else's. See [`docs/PUBLISHING.md`](./docs/PUBLISHING.md) |
## Why it exists
The author runs 4-8 parallel Claude Code terminals daily. Without
substrate, every session loses context, every parallel agent collides
on `main`, every "did we already solve this?" requires manual grep.
With substrate, identity carries — agents know what ran before,
results converge through the ledger, fork-as-triplet prevents
collisions, three-phase sleep produces overnight consolidation.
This is a tool first, not a product. If it solves your problem,
fork it.
## Quick start
```bash
# Claude Code (primary target — full hook + agent integration)
/plugin marketplace add KeiSei84/KeiSeiKit
/plugin install keisei@keisei-marketplace
# Any MCP-compatible client (Cursor / Continue / Zed / Aider / etc)
git clone https://github.com/KeiSei84/KeiSeiKit-1.0
cd KeiSeiKit-1.0
./install.sh --profile=minimal
```
37 agents + 67 skills + 35 hooks + nightly consolidation wired in
60 seconds. Eleven install profiles (`minimal` → `core``full` +
MCP-only / Cortex / Cursor / Continue / Zed / Aider / Docker / Nix)
documented in [`docs/INSTALL.md`](./docs/INSTALL.md).
## Self-maintaining
After install, the substrate maintains itself. Every edit cascades:
```
edit any rule .md → kei-decompose registers fragments
edit any manifest .toml → assembler regenerates one agent .md
edit any block .md → assembler regenerates ALL agents
edit any skill SKILL.md → kei-registry updates
edit any hook .sh → kei-registry updates
edit any primitive src/ → kei-import-project register updates
ANY substrate edit → DNA-INDEX.md auto-refreshes
ANY substrate edit → keimd graph auto-reindexes
nightly:
Phase A (incubation) → process queued tasks
Phase B (REM consolidation) → analyze last 30 sessions → morning report
Phase C (NREM, every 7d) → conflict scan + refactor proposals
```
**No automatic feedback loop into agent state.** All consolidation
outputs are human-readable markdown. You read, you decide what merges.
## Honest limits
- **Phase 5 executor (`kei-import-project`)** generates per-phase
agent prompts as JSON; the actual `Agent({...})` spawn happens
orchestrator-side (Claude Code Agent tool, MCP wrapper, or a thin
shell loop). A first-class JS/TS wrapper that auto-spawns + tracks
is future work.
- **Phase 9 Path A (model-router assembler-time rebake)**
37 agent manifests currently declare `model: opus` in frontmatter.
Bayesian posterior router activates per-task-class when ≥100
outcome rows accumulate (currently 3). Until then, routing happens
via orchestrator discipline plus advisor-hook stderr nudges.
- **Cortex stack** (`kei-cortex` / `kei-tty` / `kei-mcp`) ships as
**beta**. Local HTTP daemon + ratatui TUI + MCP stdio JSON-RPC
build clean. Browser app and VSCode-extension frontends are concept.
- **`@keisei/mcp-server` npm package** — local `dist/` builds work;
not yet published to npm registry.
- **Non-Claude clients** integrate via MCP + bridges, not native hooks.
PreToolUse / PostToolUse / UserPromptSubmit / Stop semantics are
Claude Code primitives. Other clients get capability exposure but
not the hook wire-up.
## What it's NOT
- **Not a Claude Code replacement** — runs alongside, not instead-of
- **Not a SaaS** — local-first by default; hosted offering under
consideration if community demand emerges (see [Roadmap](#roadmap))
- **Not enterprise** — solo-maintained, no SLA, no dedicated support
- **Not a framework** — substrate. You compose; it doesn't dictate
workflow
## Roadmap
The substrate is functionally complete for solo-developer use. What
*might* be valuable as a hosted service if there's demand:
- **Cross-machine memory sync** — DNA-indexed memory available across
laptop + desktop + cloud Claude session
- **Hosted Phase B/C nightly** — traces consolidated by a remote agent,
morning report delivered to inbox
- **Encyclopedia search-as-API** — query team substrate by DNA / role
/ capability across multiple agents
These are **considered, not committed**. Open an issue with your
use-case if any of these would solve real pain. Until then: fork,
run locally, file PRs.
## Hermes — proof of foreign-architecture ingest
Ten phases of [Nous Research's Hermes](https://github.com/NousResearch/hermes-agent)
(MIT, Python agent framework) ingested into KeiSeiKit substrate
through April 2026. Each Hermes concept lives as a KeiSeiKit primitive:
| Hermes phase | KeiSeiKit landing |
|---|---|
| ShareGPT trajectory export | `kei-export-trajectories` crate |
| OpenAI-compat HTTP server | `kei-llm-router` providers + chat handler |
| Daytona sandbox backend | `kei-backend-daytona` (with toolbox proxy URL split) |
| Injection-guard on memory writes | wired through `kei-memory::ingest` + `kei-pet::memory` |
| Memory-nudge invoker | `Invoker` trait + `MemoryStore` Arc plumbed |
| `SKILL.md` skill format | `kei-skills::SkillRegistry`, consumed by `kei-mcp` |
| Skill-invocation aggregation | `kei-ledger` schema v8 + `aggregate-skills` CLI |
| Multi-platform gateway | `kei-gateway` (Telegram / Discord / Slack / CLI) |
| Cron / scheduler | `kei-cron-scheduler` parser+job+runner |
The `kei-import` umbrella runs the same pipeline (decompose → match
→ extract-skills → plan → execute) on any Rust / TS / Python / Go
repo. Hermes was the validation case; the runtime works on others.
## Frontend design — anti-AI-slop philosophy
The `frontend-design` skill is a deliberate counter-position to the
same-shape output of v0 / Lovable / Bolt:
- **10 archetypes** — Editorial / Swiss / Brutalist / Minimal /
Maximalist / Retro-Futuristic / Organic / Industrial / Art Deco /
Lo-Fi. Each declares typography pairing + color palette + layout
language + motion style.
- **OKLCH color system** — one `--brand-hue` controls the full palette,
perceptually uniform.
- **Phase Gate (mandatory before any code):** purpose, archetype, the
one differentiator, three anti-references, design tokens. Skip the
gate = skip the skill.
- **Hard bans:** Inter / Roboto / Space Grotesk, purple gradients on
white, centered card grids as default, hero → cards → testimonials
template, `linear` easing on UI transitions.
- **Diverge-Kill-Mutate** loop when output feels generic.
- **The Blur Test:** at 20% visibility, layout silhouette must be
distinguishable from anti-references.
Orchestrator skill `landing-page` composes 11 skills across 6 recipes
(apple-product / saas / portfolio / ecommerce / agency / startup).
## Architecture
Stack: **Rust core** (102 crates, ≤2 MB each, 12-trait runtime + plugin
registry) + **TypeScript glue** (6 adapters: gmail / grok / recall /
telegram / youtube / mcp-server). Backend impls cover:
| Trait | Impls |
|---|---|
| ComputeProvider | bare-metal SSH, DigitalOcean, Linode, Vultr |
| GitProvider | Forgejo, Gitea, GitLab, Bitbucket |
| MemoryBackend | SQLite, Sled, Postgres, Redis |
| AuthProvider | Google OIDC, Apple Sign-In, WebAuthn passkeys, magic-link |
| NotifyChannel | Telegram, Discord, Slack, SMS (Twilio) |
| NetworkMode | WireGuard, OpenVPN, IPsec |
| LlmBackend | Anthropic, OpenAI, Kimi (Moonshot), MLX, llama.cpp, Ollama |
| ServiceManager | systemd |
Declare which impl to use in `~/.keisei/config.toml`; runtime resolves
at startup. See [`docs/ARCHITECTURE.md`](./docs/ARCHITECTURE.md),
[`docs/PHILOSOPHY.md`](./docs/PHILOSOPHY.md),
[`docs/SUBSTRATE-SCHEMA.md`](./docs/SUBSTRATE-SCHEMA.md),
[`docs/IMPORT-RUNTIME.md`](./docs/IMPORT-RUNTIME.md),
[`docs/PUBLISHING.md`](./docs/PUBLISHING.md),
[`docs/RULES-AS-BLOCKS.md`](./docs/RULES-AS-BLOCKS.md),
[`docs/DNA-INDEX.md`](./docs/DNA-INDEX.md).
## License
Apache 2.0. Use, fork, ship, modify. Explicit patent grant +
retaliation clause: contributors who sue any user over patents
covered by their contributions lose their license to the work.
Pre-2026-04-30 versions remain available under their original MIT
terms (irrevocable). See [LICENSE](./LICENSE) and [NOTICE](./NOTICE).
## Author & collaboration
Built by Denis Parfionovich (`info@greendragon.info`) running
48 parallel Claude Code terminals per day. Solo-maintained.
Apache 2.0 makes the bus factor manageable: any AI-assisted
developer (you, your Claude, your Cursor, your Aider) can read
this codebase and continue it.
**Forks welcome. PRs welcome. Issues welcome.**
**Open to collaboration.** If you have:
- a use-case this substrate would solve and you can't see how — open
a discussion
- ideas for the SaaS roadmap (cross-machine memory sync, hosted
nightly consolidation, encyclopedia-as-API) — email or open an issue
- a related project you're building (agent infra, MCP servers,
cross-tool bridges, prompt-engineering substrates) and want to
cross-pollinate — reach out
- want to integrate KeiSeiKit primitives into your product or
research — Apache 2.0 already permits it; happy to help you wire it
Email reaches the author directly. No marketing list, no funnel.

2
_assembler/.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
/target
/Cargo.lock

23
_assembler/Cargo.toml Normal file
View file

@ -0,0 +1,23 @@
[package]
name = "agent-assembler"
version = "0.1.0"
edition = "2024"
description = "Constructor-Pattern assembler for Claude agent .md files"
[[bin]]
name = "assemble"
path = "src/main.rs"
[dependencies]
serde = { version = "1", features = ["derive"] }
toml = "0.8"
rusqlite = { version = "0.31", features = ["bundled"] }
[dev-dependencies]
insta = "1"
tempfile = "3"
[profile.release]
opt-level = "z"
lto = true
strip = true

164
_assembler/src/assembler.rs Normal file
View file

@ -0,0 +1,164 @@
//! Agent assembler — composes markdown from manifest + blocks.
//! Output is deterministic: same manifest + blocks → byte-identical .md.
use crate::manifest::Manifest;
use crate::registry_client;
use crate::substrate;
use std::fs;
use std::path::Path;
pub fn assemble(m: &Manifest, blocks_dir: &Path) -> Result<String, String> {
// Substrate role expansion uses the kit root (parent of _blocks/).
let root = blocks_dir
.parent()
.ok_or_else(|| "blocks_dir has no parent (can't locate _roles/ and _capabilities/)".to_string())?;
let mut out = String::new();
write_frontmatter(m, &mut out);
write_role(m, &mut out);
write_substrate(m, root, &mut out)?;
write_rule_blocks(m, &mut out)?;
write_blocks(m, blocks_dir, &mut out)?;
write_domain_scope(m, &mut out);
write_handoffs(m, &mut out);
write_output_format(m, &mut out);
write_forbidden(m, &mut out);
write_references(m, &mut out);
Ok(out)
}
fn write_substrate(m: &Manifest, root: &Path, out: &mut String) -> Result<(), String> {
let Some(role) = &m.substrate_role else {
return Ok(());
};
let section = substrate::build_substrate_section(root, role)?;
out.push_str(&section);
Ok(())
}
fn write_frontmatter(m: &Manifest, out: &mut String) {
let desc = m.description.replace('\n', " ");
out.push_str("---\n");
out.push_str(&format!("name: {}\n", m.name));
out.push_str(&format!("description: {}\n", desc.trim()));
out.push_str(&format!("tools: {}\n", m.tools.join(", ")));
out.push_str(&format!("model: {}\n", m.model));
out.push_str("---\n\n");
out.push_str(&format!(
"<!-- GENERATED by _assembler (Rust) from _manifests/{}.toml — DO NOT EDIT. Edit the manifest. -->\n\n",
m.name
));
}
fn write_role(m: &Manifest, out: &mut String) {
out.push_str("# ROLE\n\n");
out.push_str(m.role.trim());
out.push_str("\n\n");
}
fn write_blocks(m: &Manifest, blocks_dir: &Path, out: &mut String) -> Result<(), String> {
for block in &m.blocks {
let path = blocks_dir.join(format!("{block}.md"));
let text = fs::read_to_string(&path)
.map_err(|e| format!("read {}: {e}", path.display()))?;
out.push_str(text.trim());
out.push_str("\n\n");
}
Ok(())
}
fn write_rule_blocks(m: &Manifest, out: &mut String) -> Result<(), String> {
if m.rule_blocks.is_empty() {
return Ok(());
}
let db_path = registry_client::default_db_path();
if !db_path.exists() {
eprintln!("warn [assembler]: registry not found at {} — skipping rule_blocks", db_path.display());
return Ok(());
}
let conn = registry_client::open_read_only(&db_path)?;
for name in &m.rule_blocks {
match registry_client::find_rule(&conn, name) {
Ok(Some(body)) => {
out.push_str(&format!("<!-- RULE: {name} -->\n"));
out.push_str(body.trim());
out.push_str("\n<!-- /RULE -->\n\n");
}
Ok(None) => {
return Err(format!(
"rule_block '{name}' not found in registry — \
run `kei-decompose decompose-rules` first or remove from manifest"
));
}
Err(e) => return Err(format!("registry lookup for '{name}': {e}")),
}
}
Ok(())
}
fn write_domain_scope(m: &Manifest, out: &mut String) {
out.push_str("# DOMAIN SCOPE\n\n**In:**\n");
for item in &m.domain_in {
out.push_str(&format!("- {item}\n"));
}
out.push_str("\n**Out (hand off):**\n");
for h in &m.handoff {
out.push_str(&format!("- `{}` — {}\n", h.target, h.trigger));
}
out.push('\n');
}
fn write_handoffs(m: &Manifest, out: &mut String) {
out.push_str("# HANDOFFS\n\n");
for h in &m.handoff {
out.push_str(&format!("- **{}** — {}\n", h.target, h.trigger));
}
out.push('\n');
}
fn write_output_format(m: &Manifest, out: &mut String) {
out.push_str("# OUTPUT FORMAT\n\n```\n");
out.push_str(&format!("=== {} REPORT ===\n", m.name.to_uppercase()));
out.push_str("Goal: <one-line>\n");
out.push_str("Scope: <in / out>\n");
out.push_str("Plan: <N steps>\n");
out.push_str("Executed: <files touched, LOC delta>\n");
out.push_str("Verify: <each criterion pass/fail>\n");
out.push_str("Evidence grades: <E1-E6 for each major claim>\n");
out.push_str("Handoffs made: <list>\n");
for extra in &m.output_extra_fields {
out.push_str(extra);
out.push('\n');
}
out.push_str("Blockers / next: <list>\n");
out.push_str("```\n\n");
}
fn write_forbidden(m: &Manifest, out: &mut String) {
out.push_str("# FORBIDDEN\n\n");
for item in &m.forbidden_domain {
out.push_str(&format!("- {item}\n"));
}
out.push('\n');
}
fn write_references(m: &Manifest, out: &mut String) {
out.push_str("# REFERENCES\n\n");
out.push_str("- `~/.claude/CLAUDE.md` — baseline umbrella\n");
out.push_str("- `~/.claude/memory/MEMORY.md` — memory index (adjust if your Claude Code user-slug path differs)\n");
if let Some(mp) = &m.memory_project {
out.push_str(&format!(
"- `~/.claude/memory/{mp}` — project memory (adjust path if needed)\n"
));
}
if let Some(pc) = &m.project_claudemd {
out.push_str(&format!("- `{pc}` — project CLAUDE.md\n"));
}
if let Some(refs) = &m.references {
for r in &refs.extra {
out.push_str(&format!("- `{r}`\n"));
}
}
}

117
_assembler/src/main.rs Normal file
View file

@ -0,0 +1,117 @@
//! CLI entry: build [--validate] [--in-place] [<manifest.toml> ...]
//!
//! Default: read all _manifests/*.toml, write to _generated/*.md.
//! --in-place: write to agents/<name>.md (replaces generated file).
//! --validate: parse + validate only, no output.
//! Positional args: specific manifest files to process.
mod assembler;
mod manifest;
mod placeholders;
mod registry_client;
mod schemas_export;
mod substrate;
mod validator;
use manifest::Manifest;
use std::path::{Path, PathBuf};
use std::process::ExitCode;
use std::{env, fs};
fn main() -> ExitCode {
let root = root_dir();
let blocks = root.join("_blocks");
let manifests = root.join("_manifests");
let generated = root.join("_generated");
let args: Vec<String> = env::args().skip(1).collect();
let validate_only = args.iter().any(|a| a == "--validate");
let in_place = args.iter().any(|a| a == "--in-place");
let targets: Vec<&String> = args.iter().filter(|a| !a.starts_with("--")).collect();
let paths: Vec<PathBuf> = if targets.is_empty() {
collect_manifests(&manifests)
} else {
targets.iter().map(|t| PathBuf::from(t)).collect()
};
if paths.is_empty() {
eprintln!("no manifests found in {}", manifests.display());
return ExitCode::from(1);
}
let mut errors = 0u32;
for path in &paths {
match process(path, &blocks, &generated, &root, validate_only, in_place) {
Ok(out_path) => {
let name = path.file_name().unwrap_or_default().to_string_lossy();
match out_path {
Some(p) => println!("OK {name}{}", relative_to(&p, root.parent().unwrap_or(root.as_path()))),
None => println!("OK {name}"),
}
}
Err(e) => {
eprintln!("FAIL {}: {e}", path.display());
errors += 1;
}
}
}
if errors > 0 { ExitCode::from(1) } else { ExitCode::SUCCESS }
}
fn process(
path: &Path,
blocks: &Path,
generated: &Path,
root: &Path,
validate_only: bool,
in_place: bool,
) -> Result<Option<PathBuf>, String> {
let text = fs::read_to_string(path).map_err(|e| format!("read: {e}"))?;
let m: Manifest = toml::from_str(&text).map_err(|e| format!("parse: {e}"))?;
validator::validate(&m, blocks)?;
if validate_only {
return Ok(None);
}
let content = assembler::assemble(&m, blocks)?;
let out_path = if in_place {
root.join(format!("{}.md", m.name))
} else {
fs::create_dir_all(generated).map_err(|e| format!("mkdir generated: {e}"))?;
generated.join(format!("{}.md", m.name))
};
fs::write(&out_path, content).map_err(|e| format!("write {}: {e}", out_path.display()))?;
Ok(Some(out_path))
}
fn root_dir() -> PathBuf {
// Priority: AGENT_ROOT env > HOME/.claude/agents default.
// (exe-relative would break when the binary is symlinked or copied.)
if let Ok(v) = env::var("AGENT_ROOT") {
return PathBuf::from(v);
}
PathBuf::from(env::var("HOME").unwrap_or_default()).join(".claude/agents")
}
fn collect_manifests(dir: &Path) -> Vec<PathBuf> {
let mut out = Vec::new();
if let Ok(rd) = fs::read_dir(dir) {
for entry in rd.flatten() {
let p = entry.path();
if p.extension().and_then(|e| e.to_str()) == Some("toml") {
out.push(p);
}
}
}
out.sort();
out
}
fn relative_to(path: &Path, base: &Path) -> String {
path.strip_prefix(base)
.map(|p| p.display().to_string())
.unwrap_or_else(|_| path.display().to_string())
}

56
_assembler/src/manifest.rs Normal file
View file

@ -0,0 +1,56 @@
//! Manifest struct — deserialized from _manifests/*.toml.
//! One manifest = one agent. Source of truth; the .md file is generated.
use serde::Deserialize;
#[derive(Deserialize)]
pub struct Manifest {
pub name: String,
pub description: String,
pub tools: Vec<String>,
pub model: String,
pub role: String,
pub blocks: Vec<String>,
/// v0.16 (phase 5): agent substrate role. When present, assembler loads
/// `_roles/<substrate_role>.toml` and emits each capability's `text.md`
/// fragment between the ROLE section and the existing blocks. Optional
/// for backward compatibility with pre-substrate manifests.
#[serde(default)]
pub substrate_role: Option<String>,
pub domain_in: Vec<String>,
pub forbidden_domain: Vec<String>,
pub handoff: Vec<Handoff>,
#[serde(default)]
pub output_extra_fields: Vec<String>,
pub memory_project: Option<String>,
pub project_claudemd: Option<String>,
pub references: Option<References>,
/// v0.15: optional typed-artifact schema this agent emits on completion.
/// Must be one of the names in `artifact_schemas::KNOWN`.
#[serde(default)]
pub produces_artifact: Option<String>,
/// v0.16 rule_blocks: registry fragment names to inject after blocks.
/// Format: `"<rule-slug>::<section-slug>"`, e.g.
/// `"karpathy-behavioral::1-think-before-coding"`.
/// Fragments are fetched from `~/.claude/registry.sqlite` at assemble time.
#[serde(default)]
pub rule_blocks: Vec<String>,
}
#[derive(Deserialize)]
pub struct Handoff {
pub target: String,
pub trigger: String,
/// v0.15: optional schema name the target consumes from this handoff.
#[serde(default)]
pub expects_artifact: Option<String>,
/// v0.15: optional schema name this agent produces for the target.
#[serde(default)]
pub produces_artifact: Option<String>,
}
#[derive(Deserialize)]
pub struct References {
#[serde(default)]
pub extra: Vec<String>,
}

129
_assembler/src/placeholders.rs Normal file
View file

@ -0,0 +1,129 @@
//! Placeholder check — reject unsubstituted `{{PLACEHOLDER}}` tokens.
//!
//! Constructor Pattern: one cube = one validation concern.
//! Extracted from `validator.rs` to keep that file under 200 LOC.
use crate::manifest::Manifest;
/// Reject manifests that still carry `{{PLACEHOLDER}}` tokens — the wizard
/// should have substituted them. Matches `{{...}}` conservatively (not
/// single braces).
pub fn check(m: &Manifest) -> Result<(), String> {
let check = |field: &str, value: &str| -> Result<(), String> {
if contains_placeholder(value) {
Err(format!(
"Unsubstituted template placeholder in field '{field}': {value}. Did the wizard skip a substitution?"
))
} else {
Ok(())
}
};
check("name", &m.name)?;
check("description", &m.description)?;
check("model", &m.model)?;
check("role", &m.role)?;
for (i, t) in m.tools.iter().enumerate() {
check(&format!("tools[{i}]"), t)?;
}
for (i, b) in m.blocks.iter().enumerate() {
check(&format!("blocks[{i}]"), b)?;
}
for (i, d) in m.domain_in.iter().enumerate() {
check(&format!("domain_in[{i}]"), d)?;
}
for (i, d) in m.forbidden_domain.iter().enumerate() {
check(&format!("forbidden_domain[{i}]"), d)?;
}
for (i, h) in m.handoff.iter().enumerate() {
check(&format!("handoff[{i}].target"), &h.target)?;
check(&format!("handoff[{i}].trigger"), &h.trigger)?;
}
for (i, o) in m.output_extra_fields.iter().enumerate() {
check(&format!("output_extra_fields[{i}]"), o)?;
}
if let Some(v) = &m.substrate_role {
check("substrate_role", v)?;
}
if let Some(v) = &m.memory_project {
check("memory_project", v)?;
}
if let Some(v) = &m.project_claudemd {
check("project_claudemd", v)?;
}
if let Some(r) = &m.references {
for (i, e) in r.extra.iter().enumerate() {
check(&format!("references.extra[{i}]"), e)?;
}
}
Ok(())
}
fn contains_placeholder(s: &str) -> bool {
if let Some(start) = s.find("{{") {
if s[start + 2..].contains("}}") {
return true;
}
}
false
}
#[cfg(test)]
mod tests {
use super::*;
use crate::manifest::{Handoff, Manifest};
fn base() -> Manifest {
Manifest {
name: "test".into(),
description: "d".into(),
tools: vec!["Read".into()],
model: "opus".into(),
role: "r".into(),
blocks: vec!["baseline".into(), "evidence-grading".into(), "memory-protocol".into()],
domain_in: vec!["x".into()],
forbidden_domain: vec!["y".into()],
handoff: vec![Handoff {
target: "a".into(),
trigger: "b".into(),
expects_artifact: None,
produces_artifact: None,
}],
output_extra_fields: vec![],
memory_project: None,
project_claudemd: None,
references: None,
produces_artifact: None,
substrate_role: None,
rule_blocks: vec![],
}
}
#[test]
fn rejects_placeholder_in_memory_project() {
let mut m = base();
m.memory_project = Some("{{MEMORY_PROJECT}}".into());
let err = check(&m).unwrap_err();
assert!(err.contains("memory_project"), "err = {err}");
assert!(err.contains("{{MEMORY_PROJECT}}"), "err = {err}");
}
#[test]
fn accepts_single_braces() {
let mut m = base();
m.description = "hello {world}".into();
assert!(check(&m).is_ok());
}
#[test]
fn accepts_empty_manifest() {
assert!(check(&base()).is_ok());
}
#[test]
fn rejects_placeholder_in_role() {
let mut m = base();
m.role = "do {{THING}}".into();
assert!(check(&m).is_err());
}
}

85
_assembler/src/registry_client.rs Normal file
View file

@ -0,0 +1,85 @@
//! Thin read-only client over `~/.claude/registry.sqlite`.
//!
//! Fetches rule-fragment content by logical name (`rule::section`).
//! The registry stores the real filesystem path; this module reads that path.
//!
//! Constructor Pattern: one responsibility — lookup + read fragment body.
//! No writes. No schema migration. Opens DB read-only.
use rusqlite::{Connection, OpenFlags};
use std::path::{Path, PathBuf};
/// Open the registry at `db_path` in read-only mode.
pub fn open_read_only(db_path: &Path) -> Result<Connection, String> {
Connection::open_with_flags(db_path, OpenFlags::SQLITE_OPEN_READ_ONLY)
.map_err(|e| format!("open registry {}: {e}", db_path.display()))
}
/// Default path: `$KEI_REGISTRY_DB` (if set) or `~/.claude/registry.sqlite`.
pub fn default_db_path() -> PathBuf {
if let Some(v) = std::env::var_os("KEI_REGISTRY_DB") {
return PathBuf::from(v);
}
let home = std::env::var_os("HOME").unwrap_or_default();
PathBuf::from(home).join(".claude/registry.sqlite")
}
/// Look up a rule fragment by `name` (e.g. `"karpathy-behavioral::1-think-before-coding"`).
///
/// Returns:
/// - `Ok(Some(body))` — fragment found and file readable.
/// - `Ok(None)` — name not in registry, or registry path does not exist on disk.
/// Caller should warn-and-skip.
/// - `Err(msg)` — DB query failure (not a missing-path issue). Propagate.
pub fn find_rule(conn: &Connection, name: &str) -> Result<Option<String>, String> {
let path = match query_path(conn, name)? {
Some(p) => p,
None => return Ok(None),
};
read_fragment_body(name, &path)
}
/// Query the `path` column for the active row with `name` and `block_type='rule'`.
fn query_path(conn: &Connection, name: &str) -> Result<Option<String>, String> {
let mut stmt = conn
.prepare(
"SELECT path FROM blocks \
WHERE name = ?1 AND block_type = 'rule' AND superseded_by IS NULL \
LIMIT 1",
)
.map_err(|e| format!("prepare query for {name}: {e}"))?;
let row: Option<String> = stmt
.query_row(rusqlite::params![name], |r| r.get(0))
.optional()
.map_err(|e| format!("query registry for {name}: {e}"))?;
Ok(row)
}
/// Read the fragment body from `path`. Returns `Ok(None)` when the file is absent.
fn read_fragment_body(name: &str, path: &str) -> Result<Option<String>, String> {
match std::fs::read_to_string(path) {
Ok(body) => Ok(Some(body)),
Err(e) if e.kind() == std::io::ErrorKind::NotFound => {
eprintln!(
"warn [assembler]: registry fragment for '{name}' has path '{path}' but file is missing — skipping. \
Run `kei-decompose decompose-rules --rebuild-fragments` to restore."
);
Ok(None)
}
Err(e) => Err(format!("read fragment for {name} at {path}: {e}")),
}
}
trait OptionalExt<T>: Sized {
fn optional(self) -> rusqlite::Result<Option<T>>;
}
impl<T> OptionalExt<T> for rusqlite::Result<T> {
fn optional(self) -> rusqlite::Result<Option<T>> {
match self {
Ok(v) => Ok(Some(v)),
Err(rusqlite::Error::QueryReturnedNoRows) => Ok(None),
Err(e) => Err(e),
}
}
}

37
_assembler/src/rule_blocks_check.rs Normal file
View file

@ -0,0 +1,37 @@
//! Rule-blocks validation — checks that each name in `manifest.rule_blocks`
//! exists in the kei-registry SQLite store.
//!
//! Constructor Pattern: one cube = one validation concern.
//! Extracted from `validator.rs` to keep all files under 200 LOC.
use crate::manifest::Manifest;
use crate::registry_client::RegistryClient;
/// Validate each name in `m.rule_blocks` exists in kei-registry.
///
/// When the registry DB is absent this is a soft warning only — the
/// assembler can still run on systems where kei-decompose hasn't
/// populated the registry yet (chicken-and-egg). A missing *DB* is
/// therefore not an error; a missing *fragment in an open DB* is.
pub fn check(m: &Manifest) -> Result<(), String> {
if m.rule_blocks.is_empty() {
return Ok(());
}
let Some(client) = RegistryClient::open() else {
// DB absent — warn already emitted by RegistryClient::open(); skip.
return Ok(());
};
for name in &m.rule_blocks {
match client.find_rule(name) {
Ok(Some(_)) => {}
Ok(None) => {
return Err(format!(
"rule_blocks: fragment '{name}' not found in kei-registry \
(run kei-registry scan to populate, or remove from manifest)"
));
}
Err(e) => return Err(format!("rule_blocks: {e}")),
}
}
Ok(())
}

136
_assembler/src/schemas_export.rs Normal file
View file

@ -0,0 +1,136 @@
//! Dynamic artifact-schema whitelist loader.
//!
//! v0.16: the assembler previously hardcoded the 5 builtin schema names.
//! That blocked any user who registered a custom schema via
//! `kei-artifact register-schema` — the assembler would reject manifests
//! referencing it. This cube loads the current registry from the export
//! file written by `kei-artifact export-schemas`.
//!
//! Priority (first hit wins):
//! 1. `$AGENT_ROOT/artifacts/schemas.json` (derived from `blocks_dir.parent()`)
//! 2. `~/.claude/agents/artifacts/schemas.json`
//! 3. Built-in fallback (5 names)
//!
//! Export file format: `{"schemas": ["spec", "plan", ...]}`. Builtins are
//! always unioned in, so a hand-crafted export cannot drop a core schema.
//!
//! Constructor Pattern: no dependency on serde_json — minimal hand-parser
//! keeps the assembler lean and free of transitive deps.
use std::collections::BTreeSet;
use std::path::{Path, PathBuf};
/// Canonical artifact schema names shipped by `kei-artifact`.
///
/// MIRROR OF `kei-artifact/src/schemas.rs::BUILTIN` (by design — assembler
/// crate must not link to the runtime primitive). Drift is detected by the
/// `builtin_schemas_do_not_drift` test in `validator.rs`.
pub const BUILTIN: &[&str] = &["spec", "plan", "patch", "review", "research"];
/// Union of builtins + any names found in an on-disk export, as a sorted set.
pub fn load(blocks_dir: &Path) -> BTreeSet<String> {
load_with_home(blocks_dir, std::env::var("HOME").ok().as_deref())
}
/// Test-friendly variant that accepts an explicit HOME override.
pub fn load_with_home(blocks_dir: &Path, home: Option<&str>) -> BTreeSet<String> {
let mut out: BTreeSet<String> = BUILTIN.iter().map(|s| (*s).to_string()).collect();
for path in candidate_paths(blocks_dir, home) {
if let Some(names) = read_export(&path) {
out.extend(names);
break;
}
}
out
}
fn candidate_paths(blocks_dir: &Path, home: Option<&str>) -> Vec<PathBuf> {
let mut v = Vec::new();
if let Some(root) = blocks_dir.parent() {
v.push(root.join("artifacts/schemas.json"));
}
if let Some(h) = home {
v.push(PathBuf::from(h).join(".claude/agents/artifacts/schemas.json"));
}
v
}
fn read_export(path: &Path) -> Option<Vec<String>> {
let text = std::fs::read_to_string(path).ok()?;
parse_export(&text)
}
/// Minimal parser for `{"schemas": ["a", "b"]}`. Tolerant of whitespace.
pub fn parse_export(text: &str) -> Option<Vec<String>> {
let body = text.trim();
let key = "\"schemas\"";
let i = body.find(key)?;
let rest = &body[i + key.len()..].trim_start_matches(|c: char| c == ':' || c.is_whitespace());
let open = rest.find('[')?;
let close = rest[open..].find(']')?;
let inner = &rest[open + 1..open + close];
let mut names = Vec::new();
for tok in inner.split(',') {
let t = tok.trim().trim_matches('"').trim();
if !t.is_empty() {
names.push(t.to_string());
}
}
Some(names)
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn parse_happy_path() {
let body = r#"{"schemas": ["spec", "plan", "custom-one"]}"#;
assert_eq!(parse_export(body).unwrap(), vec!["spec", "plan", "custom-one"]);
}
#[test]
fn parse_whitespace_and_newlines() {
let body = "{\n \"schemas\" : [\n \"a\",\n \"b\"\n ]\n}\n";
assert_eq!(parse_export(body).unwrap(), vec!["a", "b"]);
}
#[test]
fn parse_rejects_malformed() {
assert!(parse_export("{}").is_none());
assert!(parse_export(r#"{"schemas":"spec"}"#).is_none());
}
#[test]
fn load_falls_back_to_builtin_when_no_export() {
let tmp = tempfile::tempdir().unwrap();
let blocks_dir = tmp.path().join("_blocks");
std::fs::create_dir_all(&blocks_dir).unwrap();
// Isolated HOME (under tmp) — no real export file at that path.
let home = tmp.path().to_string_lossy().to_string();
let known = load_with_home(&blocks_dir, Some(&home));
for s in BUILTIN {
assert!(known.contains(*s));
}
assert_eq!(known.len(), BUILTIN.len());
}
#[test]
fn load_unions_with_custom_export() {
let tmp = tempfile::tempdir().unwrap();
let blocks_dir = tmp.path().join("_blocks");
std::fs::create_dir_all(&blocks_dir).unwrap();
let export = tmp.path().join("artifacts/schemas.json");
std::fs::create_dir_all(export.parent().unwrap()).unwrap();
std::fs::write(
&export,
r#"{"schemas": ["spec", "plan", "patch", "review", "research", "runbook"]}"#,
)
.unwrap();
let known = load_with_home(&blocks_dir, None);
assert!(known.contains("runbook"));
for s in BUILTIN {
assert!(known.contains(*s));
}
}
}

222
_assembler/src/substrate.rs Normal file
View file

@ -0,0 +1,222 @@
//! Substrate-role expansion — reads `_roles/<name>.toml` and pulls each
//! capability's `text.md` for injection into the generated agent prompt.
//!
//! Constructor Pattern: one cube = one concern. This module does ONLY
//! role → capability-fragments, nothing else. `assembler.rs` calls into
//! it when a manifest declares `substrate_role`.
use serde::Deserialize;
use std::collections::HashSet;
use std::path::Path;
#[derive(Deserialize)]
struct RoleFile {
#[serde(default)]
capabilities: RoleCapabilities,
}
#[derive(Default, Deserialize)]
struct RoleCapabilities {
/// Optional parent role — its `required` list is loaded recursively
/// and combined with this role's `required` (parent first, dedup, then
/// `relaxes` removed). Cycles are detected and rejected.
#[serde(default)]
extends: Option<String>,
#[serde(default)]
required: Vec<String>,
/// Capability names to drop from the parent's `required` list. Only
/// meaningful when `extends` is set.
#[serde(default)]
relaxes: Vec<String>,
}
/// Load `_roles/<role>.toml` and return the ordered capability names.
/// If the role declares `extends`, the parent's required list is loaded
/// recursively and merged (parent first, dedup, `relaxes` applied).
pub fn load_role_capabilities(root: &Path, role: &str) -> Result<Vec<String>, String> {
let mut visited: HashSet<String> = HashSet::new();
load_role_capabilities_inner(root, role, &mut visited)
}
fn load_role_capabilities_inner(
root: &Path,
role: &str,
visited: &mut HashSet<String>,
) -> Result<Vec<String>, String> {
if !visited.insert(role.to_string()) {
return Err(format!(
"role '{role}' has a cyclic `extends` chain: {visited:?}"
));
}
let path = root.join("_roles").join(format!("{role}.toml"));
let text = std::fs::read_to_string(&path)
.map_err(|e| format!("read role {}: {e}", path.display()))?;
let parsed: RoleFile = toml::from_str(&text)
.map_err(|e| format!("parse role {}: {e}", path.display()))?;
let caps = &parsed.capabilities;
let combined = match &caps.extends {
Some(parent) => merge_extends(root, parent, &caps.required, &caps.relaxes, visited)?,
None => caps.required.clone(),
};
if combined.is_empty() {
return Err(format!(
"role '{role}' at {} resolves to an empty capability list",
path.display()
));
}
Ok(combined)
}
/// Resolve `extends` inheritance: load parent's full list, append this
/// role's `required` (skipping duplicates), then remove anything in
/// `relaxes`. Order: parent fragments come first, child overrides come
/// after, child relaxations subtract from the union.
fn merge_extends(
root: &Path,
parent_role: &str,
own_required: &[String],
relaxes: &[String],
visited: &mut HashSet<String>,
) -> Result<Vec<String>, String> {
let parent_caps = load_role_capabilities_inner(root, parent_role, visited)?;
let mut seen: HashSet<&str> = HashSet::new();
let mut out: Vec<String> = Vec::with_capacity(parent_caps.len() + own_required.len());
for c in parent_caps.iter().chain(own_required.iter()) {
if seen.insert(c.as_str()) {
out.push(c.clone());
}
}
let drop: HashSet<&str> = relaxes.iter().map(String::as_str).collect();
out.retain(|c| !drop.contains(c.as_str()));
Ok(out)
}
/// Load a capability's `text.md` fragment.
///
/// `cap_name` is `<category>::<slug>` (e.g. `policy::no-git-ops`).
pub fn load_capability_text(root: &Path, cap_name: &str) -> Result<String, String> {
let (category, slug) = split_cap_name(cap_name)?;
let path = root
.join("_capabilities")
.join(category)
.join(slug)
.join("text.md");
std::fs::read_to_string(&path)
.map_err(|e| format!("read capability {cap_name} at {}: {e}", path.display()))
}
fn split_cap_name(cap: &str) -> Result<(&str, &str), String> {
match cap.split_once("::") {
Some((cat, slug)) if !cat.is_empty() && !slug.is_empty() => Ok((cat, slug)),
_ => Err(format!(
"malformed capability name '{cap}' — expected <cat>::<slug>"
)),
}
}
/// Build the full substrate block: `# AGENT SUBSTRATE` header + each
/// fragment joined with the canonical `\n\n---\n\n` separator used by
/// `kei-agent-runtime::compose`.
pub fn build_substrate_section(root: &Path, role: &str) -> Result<String, String> {
let caps = load_role_capabilities(root, role)?;
let mut fragments: Vec<String> = Vec::with_capacity(caps.len());
for cap in &caps {
let text = load_capability_text(root, cap)?;
fragments.push(text.trim().to_string());
}
let mut out = String::new();
out.push_str("# AGENT SUBSTRATE — role `");
out.push_str(role);
out.push_str("`\n\n");
out.push_str("> Enforced by `kei-capability` gates + verifies. The rules below are not advisory.\n\n");
out.push_str(&fragments.join("\n\n---\n\n"));
out.push_str("\n\n");
Ok(out)
}
#[cfg(test)]
mod tests {
use super::*;
use std::fs;
use std::path::PathBuf;
#[test]
fn split_cap_name_ok() {
assert_eq!(split_cap_name("policy::no-git-ops").unwrap(), ("policy", "no-git-ops"));
}
#[test]
fn split_cap_name_rejects_missing_sep() {
assert!(split_cap_name("policy-no-git-ops").is_err());
}
#[test]
fn split_cap_name_rejects_empty_side() {
assert!(split_cap_name("::slug").is_err());
assert!(split_cap_name("cat::").is_err());
}
fn tmp_kit(name: &str) -> PathBuf {
let dir = std::env::temp_dir().join(format!("substrate-test-{name}"));
let _ = fs::remove_dir_all(&dir);
fs::create_dir_all(dir.join("_roles")).unwrap();
dir
}
fn write_role(root: &Path, name: &str, body: &str) {
fs::write(root.join("_roles").join(format!("{name}.toml")), body).unwrap();
}
#[test]
fn extends_inherits_parent_required() {
let root = tmp_kit("inherit");
write_role(&root, "parent", "[capabilities]\nrequired = [\"a\", \"b\"]\n");
write_role(&root, "child", "[capabilities]\nextends = \"parent\"\nrequired = [\"c\"]\n");
let caps = load_role_capabilities(&root, "child").unwrap();
assert_eq!(caps, vec!["a", "b", "c"]);
}
#[test]
fn extends_with_relaxes_drops_parent_items() {
let root = tmp_kit("relax");
write_role(&root, "parent", "[capabilities]\nrequired = [\"a\", \"b\", \"c\"]\n");
write_role(
&root,
"child",
"[capabilities]\nextends = \"parent\"\nrequired = [\"d\"]\nrelaxes = [\"b\"]\n",
);
let caps = load_role_capabilities(&root, "child").unwrap();
assert_eq!(caps, vec!["a", "c", "d"]);
}
#[test]
fn extends_dedups_when_child_repeats_parent() {
let root = tmp_kit("dedup");
write_role(&root, "parent", "[capabilities]\nrequired = [\"a\", \"b\"]\n");
write_role(
&root,
"child",
"[capabilities]\nextends = \"parent\"\nrequired = [\"b\", \"c\"]\n",
);
let caps = load_role_capabilities(&root, "child").unwrap();
assert_eq!(caps, vec!["a", "b", "c"]);
}
#[test]
fn extends_cycle_rejected() {
let root = tmp_kit("cycle");
write_role(&root, "a", "[capabilities]\nextends = \"b\"\nrequired = [\"x\"]\n");
write_role(&root, "b", "[capabilities]\nextends = \"a\"\nrequired = [\"y\"]\n");
let err = load_role_capabilities(&root, "a").unwrap_err();
assert!(err.contains("cyclic"), "err: {err}");
}
#[test]
fn empty_required_no_extends_rejects() {
let root = tmp_kit("empty");
write_role(&root, "lonely", "[capabilities]\nrequired = []\n");
assert!(load_role_capabilities(&root, "lonely").is_err());
}
}

199
_assembler/src/validator.rs Normal file
View file

@ -0,0 +1,199 @@
//! Manifest validator. Enforces Constructor Pattern invariants.
//! Hard-fails on missing obligatory blocks, missing handoffs, unknown blocks.
//!
//! Detailed sub-checks live in their own cubes:
//! - `placeholders::check` — {{PLACEHOLDER}} substitution guard
//! - `schemas_export::load` — dynamic artifact-schema whitelist loader
//! - this file — structural checks + artifact-schema names
use crate::manifest::Manifest;
use crate::placeholders;
use crate::schemas_export;
use crate::substrate;
use std::collections::BTreeSet;
use std::path::Path;
pub const OBLIGATORY: &[&str] = &["baseline", "evidence-grading", "memory-protocol"];
/// Back-compat alias for external callers. The SSoT lives in
/// `schemas_export::BUILTIN`.
#[allow(dead_code)]
pub const KNOWN_ARTIFACT_SCHEMAS: &[&str] = schemas_export::BUILTIN;
pub fn validate(m: &Manifest, blocks_dir: &Path) -> Result<(), String> {
for required in OBLIGATORY {
if !m.blocks.iter().any(|b| b == required) {
return Err(format!("missing obligatory block: {required}"));
}
}
if m.handoff.is_empty() {
return Err("at least one handoff required".into());
}
for block in &m.blocks {
let path = blocks_dir.join(format!("{block}.md"));
if !path.exists() {
return Err(format!("block '{block}' not found at {}", path.display()));
}
}
if m.domain_in.is_empty() {
return Err("domain_in must have at least one entry".into());
}
if m.forbidden_domain.is_empty() {
return Err("forbidden_domain must have at least one entry".into());
}
if m.role.trim().is_empty() {
return Err("role must not be empty".into());
}
placeholders::check(m)?;
let known = schemas_export::load(blocks_dir);
check_artifact_schemas(m, &known)?;
check_substrate_role(m, blocks_dir)?;
Ok(())
}
/// If a manifest declares `substrate_role`, verify the role file exists
/// and every capability it references has a `text.md`. Keeping the check
/// here (not only at assemble time) turns mistakes into up-front failures.
fn check_substrate_role(m: &Manifest, blocks_dir: &Path) -> Result<(), String> {
let Some(role) = &m.substrate_role else { return Ok(()); };
let root = blocks_dir
.parent()
.ok_or_else(|| "blocks_dir has no parent (can't locate _roles/)".to_string())?;
let caps = substrate::load_role_capabilities(root, role)?;
for cap in &caps {
substrate::load_capability_text(root, cap)?;
}
Ok(())
}
/// v0.15: if a manifest references artifact schema names, they must be in the
/// known whitelist. Missing fields are allowed (non-breaking extension).
fn check_artifact_schemas(m: &Manifest, known: &BTreeSet<String>) -> Result<(), String> {
if let Some(name) = &m.produces_artifact {
check_known(name, "produces_artifact", known)?;
}
for (i, h) in m.handoff.iter().enumerate() {
if let Some(name) = &h.expects_artifact {
check_known(name, &format!("handoff[{i}].expects_artifact"), known)?;
}
if let Some(name) = &h.produces_artifact {
check_known(name, &format!("handoff[{i}].produces_artifact"), known)?;
}
}
Ok(())
}
fn check_known(name: &str, field: &str, known: &BTreeSet<String>) -> Result<(), String> {
if known.contains(name) {
return Ok(());
}
let list: Vec<&str> = known.iter().map(String::as_str).collect();
Err(format!(
"unknown artifact schema '{name}' in field '{field}' — must be one of {list:?}"
))
}
#[cfg(test)]
mod tests {
use super::*;
use crate::manifest::{Handoff, Manifest};
fn base() -> Manifest {
Manifest {
name: "test".into(),
description: "d".into(),
tools: vec!["Read".into()],
model: "opus".into(),
role: "r".into(),
blocks: vec!["baseline".into(), "evidence-grading".into(), "memory-protocol".into()],
domain_in: vec!["x".into()],
forbidden_domain: vec!["y".into()],
handoff: vec![Handoff {
target: "a".into(),
trigger: "b".into(),
expects_artifact: None,
produces_artifact: None,
}],
output_extra_fields: vec![],
memory_project: None,
project_claudemd: None,
references: None,
produces_artifact: None,
substrate_role: None,
rule_blocks: vec![],
}
}
fn builtin_set() -> BTreeSet<String> {
schemas_export::BUILTIN.iter().map(|s| (*s).to_string()).collect()
}
#[test]
fn artifact_schemas_absent_passes() {
let m = base();
assert!(check_artifact_schemas(&m, &builtin_set()).is_ok());
}
#[test]
fn artifact_schemas_known_names_pass() {
let mut m = base();
m.produces_artifact = Some("spec".into());
m.handoff[0].expects_artifact = Some("plan".into());
m.handoff[0].produces_artifact = Some("patch".into());
assert!(check_artifact_schemas(&m, &builtin_set()).is_ok());
}
#[test]
fn artifact_schemas_reject_unknown_produces() {
let mut m = base();
m.produces_artifact = Some("not-a-schema".into());
let err = check_artifact_schemas(&m, &builtin_set()).unwrap_err();
assert!(err.contains("not-a-schema"), "err: {err}");
assert!(err.contains("produces_artifact"), "err: {err}");
}
#[test]
fn artifact_schemas_reject_unknown_expects_in_handoff() {
let mut m = base();
m.handoff[0].expects_artifact = Some("zzz".into());
let err = check_artifact_schemas(&m, &builtin_set()).unwrap_err();
assert!(err.contains("zzz"), "err: {err}");
assert!(err.contains("handoff[0].expects_artifact"), "err: {err}");
}
#[test]
fn builtin_schemas_do_not_drift_from_kei_artifact() {
// Structural drift test (no runtime dep on kei-artifact): read the
// primitive's source and confirm its BUILTIN list matches ours.
let primitive = Path::new(env!("CARGO_MANIFEST_DIR"))
.join("..")
.join("_primitives/_rust/kei-artifact/src/schemas.rs");
if !primitive.exists() {
eprintln!("skip drift test: primitive not at {}", primitive.display());
return;
}
let src = std::fs::read_to_string(&primitive).unwrap();
let mut names: Vec<String> = Vec::new();
for line in src.lines() {
let t = line.trim();
if let Some(rest) = t.strip_prefix("(\"") {
if let Some(end) = rest.find("\",") {
names.push(rest[..end].to_string());
}
}
}
let mine: Vec<String> = schemas_export::BUILTIN
.iter()
.map(|s| (*s).to_string())
.collect();
assert_eq!(
names, mine,
"kei-artifact BUILTIN and schemas_export::BUILTIN drifted"
);
}
}

139
_assembler/tests/common/mod.rs Normal file
View file

@ -0,0 +1,139 @@
//! Shared helpers for assembler integration tests.
//!
//! Strategy: the `agent-assembler` crate is binary-only (no lib target),
//! so integration tests cannot call `assembler::assemble()` directly.
//! Instead we invoke the built `assemble` binary with a controlled
//! `AGENT_ROOT` pointing at a temp dir seeded from `tests/fixtures/`.
//!
//! This tests the FULL pipeline (main.rs I/O + manifest parse +
//! validator + assembler), which is exactly the contract we want locked.
#![allow(dead_code)] // helpers used across multiple test files
use std::fs;
use std::path::{Path, PathBuf};
use std::process::{Command, Output};
use tempfile::TempDir;
/// Path to the fixtures directory (checked into the repo, read-only at runtime).
pub fn fixtures_dir() -> PathBuf {
PathBuf::from(env!("CARGO_MANIFEST_DIR"))
.join("tests")
.join("fixtures")
}
/// Path to the `assemble` binary built by cargo for this test run.
/// `CARGO_BIN_EXE_<name>` is injected by cargo for integration tests.
pub fn assemble_bin() -> PathBuf {
PathBuf::from(env!("CARGO_BIN_EXE_assemble"))
}
/// Path to the kit root (parent of `_assembler/`). Used to source
/// `_roles/` and `_capabilities/` which are SSoT in the kit and not
/// duplicated as fixtures.
pub fn kit_root() -> PathBuf {
PathBuf::from(env!("CARGO_MANIFEST_DIR"))
.parent()
.unwrap()
.to_path_buf()
}
/// Seed a fresh temp dir with `_manifests/` + `_blocks/` from fixtures
/// AND `_roles/` + `_capabilities/` from the live kit root. Returns the
/// `TempDir` guard (keeps it alive) and the agent root path.
///
/// Substrate-aware manifests (those with `substrate_role`) need _roles/
/// and _capabilities/ to validate; we don't duplicate those into fixtures
/// because they're a single source of truth.
pub fn seed_tempdir() -> (TempDir, PathBuf) {
let tmp = TempDir::new().expect("mktempdir");
let root = tmp.path().to_path_buf();
let fx = fixtures_dir();
let kit = kit_root();
copy_dir(&fx.join("_manifests"), &root.join("_manifests"));
copy_dir(&fx.join("_blocks"), &root.join("_blocks"));
copy_dir(&kit.join("_roles"), &root.join("_roles"));
copy_caps(&kit.join("_capabilities"), &root.join("_capabilities"));
(tmp, root)
}
/// Recursive copy of a flat directory (no subdirs expected in fixtures).
pub fn copy_dir(from: &Path, to: &Path) {
fs::create_dir_all(to).expect("mkdir dst");
for entry in fs::read_dir(from).expect("read src dir").flatten() {
let src = entry.path();
if src.is_file() {
let dst = to.join(src.file_name().unwrap());
fs::copy(&src, &dst).expect("copy file");
}
}
}
/// Two-level recursive copy: `_capabilities/<cat>/<slug>/text.md`. Used
/// only for the capabilities tree which has a fixed two-level structure.
pub fn copy_caps(from: &Path, to: &Path) {
fs::create_dir_all(to).expect("mkdir caps root");
for cat in fs::read_dir(from).expect("read caps").flatten() {
let cat_path = cat.path();
if !cat_path.is_dir() {
continue;
}
let cat_dst = to.join(cat_path.file_name().unwrap());
fs::create_dir_all(&cat_dst).expect("mkdir cat");
for slug in fs::read_dir(&cat_path).expect("read cat").flatten() {
let slug_path = slug.path();
if !slug_path.is_dir() {
continue;
}
let slug_dst = cat_dst.join(slug_path.file_name().unwrap());
fs::create_dir_all(&slug_dst).expect("mkdir slug");
for file in fs::read_dir(&slug_path).expect("read slug").flatten() {
let fp = file.path();
if fp.is_file() {
fs::copy(&fp, slug_dst.join(fp.file_name().unwrap()))
.expect("copy cap");
}
}
}
}
}
/// Run `assemble` with `AGENT_ROOT=<root>` and the given extra args.
/// Returns the raw `Output` for the caller to inspect stdout/stderr/status.
pub fn run_assemble(root: &Path, args: &[&str]) -> Output {
Command::new(assemble_bin())
.env("AGENT_ROOT", root)
// Unset HOME-derived fallbacks so a stray HOME cannot leak into the
// test (binary prefers AGENT_ROOT, but defence-in-depth is cheap).
.env("HOME", root)
.args(args)
.output()
.expect("spawn assemble")
}
/// Run `assemble` with no positional args (process every manifest in
/// `<root>/_manifests/`) and return the output.
pub fn run_assemble_all(root: &Path) -> Output {
run_assemble(root, &[])
}
/// Read the generated `.md` for `<name>` under `<root>/_generated/`.
pub fn read_generated(root: &Path, name: &str) -> String {
let p = root.join("_generated").join(format!("{name}.md"));
fs::read_to_string(&p).unwrap_or_else(|e| panic!("read {}: {e}", p.display()))
}
/// Assemble a single manifest end-to-end and return its generated content.
/// Panics with stderr if the binary exits non-zero.
pub fn assemble_one(root: &Path, manifest_name: &str) -> String {
let manifest = root
.join("_manifests")
.join(format!("{manifest_name}.toml"));
let out = run_assemble(root, &[manifest.to_str().unwrap()]);
assert!(
out.status.success(),
"assemble {manifest_name} failed: stderr={}",
String::from_utf8_lossy(&out.stderr)
);
read_generated(root, manifest_name)
}

96
_assembler/tests/determinism.rs Normal file
View file

@ -0,0 +1,96 @@
//! Determinism + ordering tests for the assembler.
//!
//! The assembler module docstring promises:
//! > Output is deterministic: same manifest + blocks → byte-identical .md
//!
//! These tests actually verify that promise. Catches any accidental
//! `HashMap`-iteration leak, embedded timestamp, or non-stable sort.
mod common;
use common::{assemble_one, seed_tempdir};
use std::fs;
/// Same input, two runs, byte-identical output.
#[test]
fn determinism_same_input_byte_identical() {
let (_tmp1, root1) = seed_tempdir();
let first = assemble_one(&root1, "code-implementer");
let (_tmp2, root2) = seed_tempdir();
let second = assemble_one(&root2, "code-implementer");
assert_eq!(
first.as_bytes(),
second.as_bytes(),
"two independent runs produced different bytes"
);
}
/// Same input, ten runs, all byte-identical. Higher chance to catch
/// hash-map iteration nondeterminism that escapes a 2-run check.
#[test]
fn determinism_ten_runs_all_identical() {
let mut seen: Option<String> = None;
for i in 0..10 {
let (_tmp, root) = seed_tempdir();
let out = assemble_one(&root, "researcher");
match &seen {
None => seen = Some(out),
Some(prev) => assert_eq!(
prev.as_bytes(),
out.as_bytes(),
"run {i} diverged from run 0"
),
}
}
}
/// Block ordering: the order in `manifest.blocks` defines the order
/// in the output. Reorder the blocks list → output changes, and the
/// change is localized to the block region (not to frontmatter or
/// trailing sections).
#[test]
fn block_order_controls_output_order() {
let (_tmp, root) = seed_tempdir();
// Baseline: default kei-researcher (baseline, evidence-grading, memory-protocol).
let default_out = assemble_one(&root, "researcher");
// Swap two blocks — write a modified manifest into the same tempdir.
let manifest_src = fs::read_to_string(root.join("_manifests/researcher.toml")).unwrap();
let swapped = manifest_src.replace(
"blocks = [\n \"baseline\", # OBLIGATORY\n \"evidence-grading\", # OBLIGATORY\n \"memory-protocol\", # OBLIGATORY\n]",
"blocks = [\n \"baseline\",\n \"memory-protocol\",\n \"evidence-grading\",\n]",
);
assert_ne!(
manifest_src, swapped,
"blocks-list replacement did not match — test fixture drifted"
);
fs::write(root.join("_manifests/researcher.toml"), &swapped).unwrap();
let swapped_out = assemble_one(&root, "researcher");
// 1. Output is different.
assert_ne!(
default_out, swapped_out,
"swapping block order did not change output"
);
// 2. Frontmatter unchanged (first `---` through the trailing `---\n\n`
// ends identically — compare the first 500 bytes, which cover
// frontmatter for all our fixtures).
let prefix_len = default_out
.find("# BASELINE")
.expect("BASELINE marker missing in default output");
assert_eq!(
&default_out[..prefix_len],
&swapped_out[..prefix_len],
"frontmatter + role drifted when only blocks were reordered"
);
// 3. The "# DOMAIN SCOPE" marker appears in both (tail section unchanged
// by block reordering).
assert!(default_out.contains("# DOMAIN SCOPE"));
assert!(swapped_out.contains("# DOMAIN SCOPE"));
}

20
_assembler/tests/fixtures/_blocks/baseline.md vendored Normal file
View file

@ -0,0 +1,20 @@
# BASELINE — inherit from Main Claude (never violate)
You inherit from `~/.claude/CLAUDE.md`. Re-read it on ambiguity. Digest of load-bearing behavioral rules — NEVER violate:
- **NO DOWNGRADE** — when a problem is found, respond with 2+ concrete solution paths (with effort/risk estimates), NEVER "accept as limitation". Defeatism = epistemic cowardice.
- **NO HALLUCINATION** — any academic citation must be `[VERIFIED: url]` or `[UNVERIFIED]`. No fabricated authors/years/DOIs/numbers. Confidence mandatory: `[100% proven]` / `[80% likely]` / `[30% speculative]` / `[0% don't know]`.
- **PLAN MODE FIRST** — non-trivial (>1 file, >30 min, architectural, >50 LOC delete, new dependency) → written plan with per-step verify-criterion → user approval → THEN Edit/Write.
- **Constructor Pattern** — 1 file = 1 class = 1 responsibility. File >200 LOC → split. Function >30 LOC → split. No mixins, factories, DI containers.
- **Think Before Coding** — state assumptions; ASK on ambiguity; present tradeoffs; don't pick silently.
- **Surgical Changes** — every changed line must trace to the user's request. Don't "improve" adjacent code. Remove orphans YOUR changes created.
- **Goal-Driven** — convert every task to a verify-criterion before starting. "Fix bug" → "write a test that reproduces it, then pass".
Core discipline rules:
1. **No Patching / No Overlays** — fixes go INTO ROOT FORMULAS. File doubled from "fixes" = overlay.
2. **Root Cause** — always find the root, not the symptom.
3. **Don't Rewrite Working Code** — no rewrite without a reason.
4. **Full Observability** — log parameters; no data → no decisions.
5. **Single Source of Truth** — types, routes, enums in ONE place.
6. **3-Level Escalation** — 2 failed attempts → STOP + review; 3 → research + audit; stuck → escalate.

14
_assembler/tests/fixtures/_blocks/evidence-grading.md vendored Normal file
View file

@ -0,0 +1,14 @@
# EVIDENCE GRADING
Every major claim must carry a grade:
| Grade | Name | Criteria |
|-------|------|----------|
| **E1** | Fact | Confirmed in production OR primary source (official docs, API response, pricing page) |
| **E2** | Verified | Reproducible in tests/benchmarks. Multiple independent sources agree |
| **E3** | Synthetic | Results on synthetic/test data. Controlled benchmark |
| **E4** | Expert Assessment | Docs/code analysis without running. Extrapolation. Literature consensus |
| **E5** | Hypothesis | Theoretical assumption. Math model without implementation |
| **E6** | Speculation | Single unverified source. Outdated data (>6mo) |
Rules: architectural decision → E1-E2. Financial (compute) → ONLY E1. Data >6mo without re-verification → grade 1. Single source → max E4. Own benchmark without external confirm → max E3.

22
_assembler/tests/fixtures/_blocks/memory-protocol.md vendored Normal file
View file

@ -0,0 +1,22 @@
# MEMORY PROTOCOL
**At start:**
1. Read `~/.claude/memory/MEMORY.md` (or your index file) → find relevant project file
2. Read `memory/{project}.md` → constraints, stack, status, learnings
3. If ML / research work: also check your `wrong-paths.md` notes (dead ends worth avoiding)
**At end (if stage completed — feature/phase/milestone/audit/bug+fix/deploy/decision/blocker):**
1. Append to `memory/{project}.md` with format:
```
### Feature Name (YYYY-MM-DD) [E-grade]
- Result: specific metrics (numbers, not "works well")
- Decision: what was done
- Benchmark: numbers vs baseline
- Learnings: what was learned
- Next: what's next
```
2. If dead end / wrong path → append to your `wrong-paths.md`
3. If architectural decision → project's `DECISIONS.md`
4. Session chatlog (if significant): `memory/chatlogs/{ml|projects}/YYYY-MM-DD-{topic}.md`
**Forbidden:** transitioning without saving; writing "works" without metrics; leaving credentials only in conversation context.

8
_assembler/tests/fixtures/_blocks/rule-double-audit.md vendored Normal file
View file

@ -0,0 +1,8 @@
# DOUBLE AUDIT PROTOCOL (mandatory when 3+ files touched)
1. **Phase 1 — First Audit**: review `git diff`, checklist (broken imports, duplication, tests pass, no secret leaks, Constructor Pattern limits, no regression). Record findings. **NEVER FIX IMMEDIATELY.**
2. **Phase 2 — Second Audit** (immediately after): re-verify Phase 1 — actual problems or false positives? What else was missed? Side effects of planned fixes? Variant analysis. Prioritize.
3. **Phase 3 — Report to user**: both audit findings + recommended fixes by priority + risks.
4. **Phase 4 — Fix only after user approval**: each fix = separate `checkpoint:` commit.
**Forbidden:** automatic fixes without report; fixing after only first audit; skipping second audit.

9
_assembler/tests/fixtures/_blocks/rule-error-budget.md vendored Normal file
View file

@ -0,0 +1,9 @@
# ERROR BUDGET — 3-Level Escalation
Counter: each FAILED attempt on the SAME problem = +1. Success = reset.
- **Level 1 (attempt 2 failed)**: STOP. Rollback (`git stash`). Re-read plan. Formulate ALTERNATIVE. Explain to user before continuing.
- **Level 2 (attempt 3 failed)**: STOP. Approach exhausted. Run focused research. Audit affected module. Check `wrong-paths.md`. New plan with evidence grades → user approval → THEN code.
- **Level 3 (still stuck)**: ESCALATE. Tell user "more complex than initially thought". Suggest workaround / simplify scope / defer / redesign.
**Prohibited:** third attempt with same approach; skipping Level 1; silent research without notifying user.

7
_assembler/tests/fixtures/_blocks/rule-pre-dev-gate.md vendored Normal file
View file

@ -0,0 +1,7 @@
# PRE-DEV GATE (before writing any code)
1. **Analogues check** — does a solution already exist in the project or its dependencies? Use `Grep`/`Glob`
2. **Stack compatibility** — is any new dependency compatible with the current stack?
3. **Duplication check** — are you about to duplicate existing code?
If any check fails → STOP and reconsider.

12
_assembler/tests/fixtures/_blocks/rule-test-first.md vendored Normal file
View file

@ -0,0 +1,12 @@
# TEST-FIRST
- Critical paths: tests BEFORE code (TDD — RED → GREEN → REFACTOR)
- Everything else: tests WITH code in the same change
- NEVER "I'll write tests later"
**Goal-Driven variant:** convert any task to a verify-criterion BEFORE starting.
- "Add validation" → "Write tests for invalid inputs, then make them pass"
- "Fix the bug" → "Write a test that reproduces it, then make it pass"
- "Refactor X" → "Ensure tests pass before and after"
Strong success criteria let you loop independently. Weak criteria ("make it work") require constant clarification.

118
_assembler/tests/fixtures/_manifests/code-implementer.toml vendored Normal file
View file

@ -0,0 +1,118 @@
# Agent manifest — Constructor Pattern SSoT for code-implementer.
# The .md file is GENERATED from this manifest + _blocks/*.md by _assembler (Rust).
# Edit THIS file, not the generated .md.
name = "code-implementer"
description = "Generic implementation specialist for Rust/Swift/Python/Go/Flutter/TypeScript. Constructor Pattern enforced, Rust-first, Test-First, Plan Mode for non-trivial changes."
tools = ["Glob", "Grep", "Read", "Edit", "Write", "Bash", "NotebookEdit", "Agent"]
model = "opus"
substrate_role = "edit-local"
produces_artifact = "patch"
role = """
You are a senior implementation engineer. You write production code in Rust, Swift, Python, Go, \
Flutter, or TypeScript, enforcing the Constructor Pattern and the Rust-first default. You own \
the Pre-Dev Gate, API-Contract-First, Test-First, and Checkpoint-Commit discipline. You are NOT \
an ML trainer (hand off to `ml-implementer`), NOT an infra/deploy engineer (hand off to \
`infra-implementer`), NOT a theory/physics writer (hand off to `physics-deriver`). Your output \
is working code with tests, inside Constructor Pattern limits (file <200 LOC, function <30 LOC).
"""
# Order matters: baseline always first, then obligatory, then domain-specific
blocks = [
"baseline", # OBLIGATORY (validator enforces)
"evidence-grading", # OBLIGATORY
"memory-protocol", # OBLIGATORY
"rule-pre-dev-gate", # implementer-specific
"rule-test-first", # implementer-specific
"rule-error-budget", # implementer-specific
"rule-double-audit", # implementer-specific
]
domain_in = [
"Writing production code in Rust (default), Swift (macOS/iOS UI), Python (ML >10M / existing), Go (existing services), Flutter (existing apps), TypeScript (browser/DOM)",
"Pre-Dev Gate — analogues check, stack compatibility, duplication check BEFORE any code",
"API Contract First — types/interfaces/signatures locked before implementation",
"Test-First — TDD for critical paths, tests alongside code for the rest",
"Checkpoint commits before every major change (`checkpoint: before <description>`, rollback in 1 command)",
"Constructor Pattern enforcement — split file >200 LOC / function >30 LOC on the spot",
"Stage-specific git hygiene — named files only (no `git add -A`), no secrets, lock files in git per repo policy",
]
forbidden_domain = [
"Writing code BEFORE Plan Mode for non-trivial work (>1 file / >30 min / architectural / >50 LOC delete / new dep)",
"Picking a non-Rust language without citing RULE 0.2 exception number (1-7)",
"\"I'll write tests later\" — never; tests land with the change or before it",
"Mixins, DI containers, abstract factories, abstraction layers (Constructor Pattern ban)",
"Files >200 LOC or functions >30 LOC committed without splitting",
"`git reset --hard` / `push --force` without explicit user confirmation",
"`git add -A` — stage specific files only",
"Committing `.env`, credentials, API keys, or lock files outside repo policy",
"Skipping the Pre-Dev Gate on non-trivial work",
"Fixing immediately after Phase 1 of audit without running Phase 2",
"Third attempt with the same failed approach (escalate to Error Budget Level 2 instead)",
"Running `modal app stop` / `pkill` on a running paid job without explicit user confirmation (anti-stop guard applies)",
"Rewriting working code without a stated reason (Core Rule 3: Don't Rewrite Working Code)",
"Patching a broken formula with overlay logic instead of fixing it at the root (Core Rule 1: No Patching)",
]
output_extra_fields = [
"Language: <Rust | other + exception #N reason>",
"Plan-Mode used: <yes | no + trivial-edit exemption reason>",
"Pre-Dev Gate: <analogues | stack compat | duplication> — each pass/fail",
"Constructor Pattern compliance: largest file <N LOC / limit 200>, largest function <M LOC / limit 30>",
"Tests: <name> — <pass/fail> — <command to reproduce>",
"Checkpoints: <commit-sha or stash> — <description>",
]
# Handoffs MUST come after all top-level keys (TOML array-of-tables scope rule)
[[handoff]]
target = "ml-implementer"
trigger = "task involves ML training / inference / Modal / experiment runners / Math-First paradigm"
[[handoff]]
target = "infra-implementer"
trigger = "task involves deploy / CI/CD / secrets / IaC / credentials / public-surface hosting"
[[handoff]]
target = "physics-deriver"
trigger = "task requires math derivation / theorem writing / theorem .md derivation"
[[handoff]]
target = "critic"
trigger = "anti-pattern sweep / code smell review on large diff (>500 LOC) or long function chains"
[[handoff]]
target = "security-auditor"
trigger = "code touches auth, crypto, network protocol, deserialization, FFI, or any HIGH-risk surface (see debugging.md Security Review)"
[[handoff]]
target = "validator"
trigger = "pre-commit citation or RULE 0.4 check on docs written alongside code"
[[handoff]]
target = "architect"
trigger = "structural decision (new module graph, cross-cutting refactor, contract redesign)"
[references]
extra = [
"~/.claude/rules/code-style.md",
"~/.claude/rules/git-conventions.md",
"~/.claude/rules/dev-workflow.md",
"~/.claude/rules/debugging.md",
"~/.claude/rules/karpathy-behavioral.md",
"MEMORY.md → Architecture Overlay Incident (model_brain.py 227→354 LOC from \"fixes\" — never patch, fix root formulas)",
]
[taxonomy]
kingdom = "manifest"
mechanism = "compose"
domain = "agent"
layer = "agent-substrate"
stage = "design-time"
stability = "stable"
language = "toml"
[lineage]
creator = "ag-orchestrator-human"
created = "2026-04-23"

110
_assembler/tests/fixtures/_manifests/cost-guardian.toml vendored Normal file
View file

@ -0,0 +1,110 @@
# Agent manifest — Constructor Pattern SSoT for cost-guardian.
# The .md file is GENERATED from this manifest + _blocks/*.md by _assembler/build.py.
# Edit THIS file, not the generated .md.
name = "cost-guardian"
description = "api-cost-guard.md enforcement gate — pre-launch compute cost verification for Modal/AWS/GCP/fal.ai/Apify/ElevenLabs. Verifies pricing page, dashboard balance, running jobs, file-state, and head-room. Read-only — emits GO/NO-GO recommendation BEFORE money is spent."
tools = ["Glob", "Grep", "Read", "Bash", "WebFetch"]
model = "opus"
substrate_role = "read-only"
role = """
You are the cost guardian. Your job is to make sure no paid compute launches without a \
verified cost estimate, a checked dashboard, and a clean head-room calculation. You stop \
runaway spend before it starts. You are READ-ONLY: you emit a GO/NO-GO report card; you do \
NOT launch jobs yourself (hand back to user or `ml-implementer`). **The $98.78 Modal incident \
(2026-02-26)** is the cautionary tale: prices guessed not verified, silent retries \
re-billing, file changes never confirmed, dashboard never checked. Every protocol below \
exists because of that day never again.
"""
# Order matters: baseline always first, then obligatory, then domain-specific
blocks = [
"baseline", # OBLIGATORY
"evidence-grading", # OBLIGATORY
"memory-protocol", # OBLIGATORY
]
domain_in = [
"Step 1 — Identify provider: Modal | AWS | GCP | fal.ai | Apify | ElevenLabs (each has its own pricing page + dashboard CLI)",
"Step 2 — WebFetch the CURRENT pricing page this session. Never guess from memory. Pricing changes quarterly.",
"Step 3 — Dashboard / current balance via provider CLI (`modal app list`, `modal token current`, `aws ce get-cost-and-usage`, etc.) or user-pasted screenshot",
"Step 4 — Running-jobs check for collision/duplicate billing (`modal app list`, `aws ec2 describe-instances --filters running`)",
"Step 5 — File-state verify: `cat` the critical lines the user just edited (e.g. `epochs=10` confirmed in `train.py:42`) — ghost edits = repeat runs = double billing",
"Step 6 — Cost formula per provider: Modal GPU `N×hr×$/gpu/hr` (A10G≈$1.10, H100≈$4.50, B200≈$8, verify); fal.ai `N×$/call`; Apify `CU×$/CU + storage`; AWS EC2 `$/hr×hr + EBS + egress`",
"Step 7 — Head-room: `$20_daily_cap - session_spend - run_estimate`. Negative → NO-GO.",
"Step 8 — Autonomous thresholds: <$5 AUTO | $5-$20 WARN (within daily cap) | >$20 STOP (explicit confirmation required)",
"Step 9 — If GO, advise single-variant verification + first-2-min monitoring; if NO-GO, state one concrete mitigation",
"Evidence grade for pricing = E1 (primary source). Financial decisions allow ONLY E1.",
]
forbidden_domain = [
"Launching jobs yourself — only report. Hand off GO verdict to user or `ml-implementer`",
"Guessing prices from memory — always WebFetch the pricing page for this run, this session",
"Skipping the dashboard check — a run with unknown current balance is automatically NO-GO",
"Approving parallel variants without a verified single-variant smoke run",
"Approving anything > $20 without explicit user confirmation in chat",
"Approving anything that pushes session spend over the $20/day cap, even if individual runs are <$5",
"Trusting cached prices older than this session — pricing pages change",
"Approving a run whose script file-state has not been re-verified post-edit",
"Evidence grade below E1 for financial decisions (RULE from debugging.md)",
]
# Agent-specific output fields (appended to standard report shape)
output_extra_fields = [
"Provider: <Modal|AWS|GCP|fal.ai|Apify|ElevenLabs>",
"Operation: <one-line description>",
"Pricing source URL (E1): <fetched this session>",
"Rate + formula applied",
"Estimated cost: $<X.XX> | Confidence: <high|medium|low>",
"Provider balance / MTD: $<Y.YY> | Session spend: $<Z.ZZ> | Daily cap remaining: $<20-spend> | Head-room: $<h>",
"Running jobs: <list or none> | Collision risk: <yes|no>",
"File-state critical lines verified: <yes|no> with paste",
"Risk class: AUTO (<$5) | WARN ($5-20) | STOP (>$20) | OVER-CAP",
"VERDICT: GO | NO-GO with one-sentence reason",
"If GO: single-variant + 2-min monitor plan | If NO-GO: one mitigation suggestion",
]
# Handoffs MUST come after all top-level keys (TOML array-of-tables scope rule)
[[handoff]]
target = "ml-implementer"
trigger = "GO verdict — launch single variant, monitor 2 min, fan out after smoke test passes"
[[handoff]]
target = "validator"
trigger = "pricing claim needs cross-verification against a second source (RULE 0.4)"
[[handoff]]
target = "critic"
trigger = "NO-GO due to architectural waste (e.g. 10x over-provisioned) — code review needed"
[[handoff]]
target = "architect"
trigger = "repeated NO-GO on same operation — pipeline redesign needed (caching, batching, smaller model)"
# References (extra files beyond auto-included baseline/memory/project)
[references]
extra = [
"~/.claude/rules/api-cost-guard.md",
"~/.claude/rules/ml-protocol.md",
"~/.claude/rules/debugging.md",
"https://modal.com/pricing",
"https://fal.ai/pricing",
"https://apify.com/pricing",
"https://aws.amazon.com/ec2/pricing/on-demand/",
"https://cloud.google.com/compute/all-pricing",
"https://elevenlabs.io/pricing",
]
[taxonomy]
kingdom = "manifest"
mechanism = "compose"
domain = "agent"
layer = "agent-substrate"
stage = "design-time"
stability = "stable"
language = "toml"
[lineage]
creator = "ag-orchestrator-human"
created = "2026-04-23"

101
_assembler/tests/fixtures/_manifests/researcher.toml vendored Normal file
View file

@ -0,0 +1,101 @@
# Agent manifest — Constructor Pattern SSoT for researcher.
# The .md file is GENERATED from this manifest + _blocks/*.md by _assembler.
# Edit THIS file, not the generated .md.
name = "researcher"
description = "Generic web + codebase research with 3 modes (web / code / hybrid). Returns Evidence-Graded findings. Read-only. Use for fact-finding, library/API discovery, comparative analysis, and any claim that needs verification."
tools = ["Glob", "Grep", "Read", "WebFetch", "WebSearch", "Agent"]
model = "opus"
substrate_role = "read-only"
role = """
You are a generic research specialist. You own fact-gathering across web sources and \
local codebases, cross-referencing and grading every conclusion on the E1-E6 scale \
before returning. You are READ-ONLY: no Edit, no Write, no Bash. You never modify \
files your output is a graded findings report handed back to the caller. Speed is \
irrelevant accuracy, source-reliability, and honest gap-reporting are everything.
"""
# Order matters: baseline always first, then obligatory, then domain-specific
blocks = [
"baseline", # OBLIGATORY
"evidence-grading", # OBLIGATORY
"memory-protocol", # OBLIGATORY
]
domain_in = [
"Web research mode — external sources only (official docs, papers, GitHub, pricing pages, vendor APIs)",
"Code research mode — local repo only (Glob/Grep/Read), citing `path:line_number` for every claim",
"Hybrid mode — cross-check local usage against official docs / standards / pinned versions",
"Library / API / tool discovery and comparative analysis (A vs B feature matrices)",
"Version and date verification (publication date, pinned version, changelog check)",
"Returning evidence-graded findings report with `### Findings`, `### Cross-references`, `### Unverified / Gaps`, `### Sources Consulted`",
"Handing claims off to `validator` for hard verification when E1/E2 is required",
]
forbidden_domain = [
"Writing code, editing files, or running Bash (read-only agent)",
"Editing files that aren't research output — you don't produce files at all",
"Returning a claim without an [E1]-[E6] evidence grade (every line must trace to a graded finding)",
"Quoting Stack Overflow / Reddit / random blogs above E4 (they are E5-E6 sources)",
"Saying \"the latest version\" / \"recent release\" without naming the version and date",
"Speculating about features not present in the source — say \"not documented\" instead",
"Reading whole files when Grep + targeted Read suffices (context budget is finite)",
"Conflating two libraries with similar names (e.g. `requests` vs `httpx`, `lru-cache` vs `functools.lru_cache`)",
"Concluding from a single source on architectural / financial / security questions (single source → max E4)",
"Returning a report without a \"Gaps\" section — honest unknowns are mandatory",
"Defaulting to hybrid mode when web-only or code-only answers the question (wastes context)",
"Inventing URLs, file paths, function names, or version numbers — if you can't locate, say `UNVERIFIED` and grade E6",
"Financial / pricing claims from anything other than the vendor's own pricing page (only E1 acceptable)",
]
# Agent-specific output fields (appended to standard report shape)
output_extra_fields = [
"Mode: web | code | hybrid",
"Findings: N claims, each with [E-grade] + source URL or `path:line`",
"Cross-references: <which claims verified against a second source>",
"Unverified / Gaps: <things tried but not verified, with reason>",
"Sources consulted: <full URLs or paths + what each told you>",
]
# Handoffs MUST come after all top-level keys (TOML array-of-tables scope rule)
[[handoff]]
target = "validator"
trigger = "claim needs hard verification (citation sanity, reproduce-in-tests, RULE 0.4 gate before commit)"
[[handoff]]
target = "ml-researcher"
trigger = "question is ML/RL specialized-node (Math-First + tooling-reuse + synthetic-to-real discipline)"
[[handoff]]
target = "patent-researcher"
trigger = "question touches patent prior art, FTO, or novelty (IP-aware handling required)"
[[handoff]]
target = "architect"
trigger = "question is structural/architectural — dependency graph, pattern inventory, module boundaries"
[[handoff]]
target = "critic"
trigger = "findings suggest anti-pattern sweep or Constructor-Pattern violation review"
# References (extra files beyond auto-included baseline/memory/project)
[references]
extra = [
"~/.claude/rules/debugging.md",
"~/.claude/rules/no-downgrade-constructive.md",
"~/.claude/agents/validator.md",
]
[taxonomy]
kingdom = "manifest"
mechanism = "compose"
domain = "agent"
layer = "agent-substrate"
stage = "design-time"
stability = "stable"
language = "toml"
[lineage]
creator = "ag-orchestrator-human"
created = "2026-04-23"

48
_assembler/tests/golden.rs Normal file
View file

@ -0,0 +1,48 @@
//! Golden-file snapshot tests for the assembler.
//!
//! Contract under test: `same manifest + blocks → byte-identical .md`
//! (assembler.rs:2). This file locks the generated output for 3
//! representative manifests:
//!
//! - `kei-researcher` — minimal (only obligatory blocks)
//! - `kei-cost-guardian` — minimal + output_extra_fields
//! - `kei-code-implementer` — obligatory + 4 implementer blocks
//!
//! First run generates `tests/snapshots/*.snap.new`; approve with
//! `cargo insta review`. Subsequent runs assert byte-equality against
//! the approved snapshot. Any drift in assembler output will fail loudly.
mod common;
use common::{assemble_one, seed_tempdir};
/// Point insta at `tests/snapshots/` (not the default
/// `tests/snapshots/` inside each test binary) and use our own stable
/// snapshot naming scheme.
fn insta_settings() -> insta::Settings {
let mut s = insta::Settings::clone_current();
s.set_snapshot_path("snapshots");
s.set_prepend_module_to_snapshot(false);
s
}
#[test]
fn golden_researcher() {
let (_tmp, root) = seed_tempdir();
let out = assemble_one(&root, "researcher");
insta_settings().bind(|| insta::assert_snapshot!("researcher", out));
}
#[test]
fn golden_cost_guardian() {
let (_tmp, root) = seed_tempdir();
let out = assemble_one(&root, "cost-guardian");
insta_settings().bind(|| insta::assert_snapshot!("cost-guardian", out));
}
#[test]
fn golden_code_implementer() {
let (_tmp, root) = seed_tempdir();
let out = assemble_one(&root, "code-implementer");
insta_settings().bind(|| insta::assert_snapshot!("code-implementer", out));
}

78
_assembler/tests/mode_blocks.rs Normal file
View file

@ -0,0 +1,78 @@
//! Mode-picker integration test.
//!
//! The `skills/new-agent` wizard Phase 3.6 appends `mode-*` block names to
//! the `blocks` array. This test locks the contract that such a manifest
//! validates cleanly AND the expected mode files ship in `_blocks/` (either
//! in the fixture set or alongside the real kit).
//!
//! We use the real `_blocks/` so the test protects the kit's mode surface —
//! if anyone renames or deletes a mode block, the wizard's Phase 3.6
//! selection would silently break at runtime otherwise.
use std::path::PathBuf;
fn kit_root() -> PathBuf {
// `CARGO_MANIFEST_DIR` points at `_assembler/`; kit root is one up.
PathBuf::from(env!("CARGO_MANIFEST_DIR"))
.parent()
.unwrap()
.to_path_buf()
}
#[test]
fn all_five_mode_blocks_ship_in_kit() {
let blocks = kit_root().join("_blocks");
for mode in [
"mode-skeptic",
"mode-devils-advocate",
"mode-minimalist",
"mode-maximalist",
"mode-first-principles",
] {
let p = blocks.join(format!("{mode}.md"));
assert!(
p.exists(),
"mode block '{mode}' is missing from _blocks/ — Phase 3.6 of skills/new-agent would break"
);
}
}
#[test]
fn mode_matrix_doc_ships_in_kit() {
let p = kit_root().join("_blocks/mode-matrix.md");
assert!(
p.exists(),
"mode-matrix.md is missing from _blocks/ — SKILL.md Phase 3.6 references it"
);
let text = std::fs::read_to_string(&p).unwrap();
// The matrix must enumerate each mode by block basename.
for mode in [
"skeptic",
"devils-advocate",
"minimalist",
"maximalist",
"first-principles",
] {
assert!(
text.contains(mode),
"mode-matrix.md is missing row for '{mode}'"
);
}
}
#[test]
fn skill_md_phase_3_6_wiring_exists() {
// The wizard adds mode-* blocks only if Phase 3.6 is present.
let p = kit_root().join("skills/new-agent/SKILL.md");
assert!(p.exists(), "skills/new-agent/SKILL.md is missing");
let text = std::fs::read_to_string(&p).unwrap();
assert!(
text.contains("Phase 3.6"),
"SKILL.md is missing the Phase 3.6 mode picker"
);
assert!(
text.contains("mode-skeptic")
|| text.contains("skeptic — doubt-first"),
"SKILL.md Phase 3.6 does not reference the skeptic mode"
);
}

68
_assembler/tests/regenerate_migrated.rs Normal file
View file

@ -0,0 +1,68 @@
//! Regenerate the 5 phase-5-migrated agent .md files in-place against
//! the live kit root (parent of `_assembler/`).
//!
//! Run with:
//! cargo test -p agent-assembler --test regenerate_migrated -- --ignored
//!
//! Marked `#[ignore]` so the normal test suite does not write to the
//! committed tree — it only runs when an operator explicitly asks.
mod common;
use common::assemble_bin;
use std::path::PathBuf;
use std::process::Command;
fn kit_root() -> PathBuf {
PathBuf::from(env!("CARGO_MANIFEST_DIR"))
.parent()
.unwrap()
.to_path_buf()
}
#[test]
#[ignore]
fn regenerate_phase5_agents_in_place() {
let root = kit_root();
let manifests = [
"code-implementer",
"critic",
"architect",
"security-auditor",
"validator",
];
let args: Vec<String> = std::iter::once("--in-place".to_string())
.chain(manifests.iter().map(|n| {
root.join("_manifests")
.join(format!("{n}.toml"))
.to_string_lossy()
.into_owned()
}))
.collect();
let out = Command::new(assemble_bin())
.env("AGENT_ROOT", &root)
.env("HOME", &root)
.args(&args)
.output()
.expect("spawn assemble");
assert!(
out.status.success(),
"assemble failed:\n stdout: {}\n stderr: {}",
String::from_utf8_lossy(&out.stdout),
String::from_utf8_lossy(&out.stderr),
);
// Every migrated agent's root-level .md must now exist and contain
// the substrate section header.
for name in &manifests {
let md_path = root.join(format!("{name}.md"));
let content = std::fs::read_to_string(&md_path)
.unwrap_or_else(|e| panic!("read {}: {e}", md_path.display()));
assert!(
content.contains("# AGENT SUBSTRATE"),
"{name}.md lacks substrate section after regeneration"
);
}
}

95
_assembler/tests/root_fallback.rs Normal file
View file

@ -0,0 +1,95 @@
//! Regression test for `root.parent().unwrap_or(root.as_path())` in
//! main.rs: when AGENT_ROOT is a filesystem root (no parent), the
//! fallback should kick in and the binary must NOT panic.
//!
//! Fix reference: commit 30cd08b fixed the panic by replacing
//! `root.parent().unwrap()` with `.unwrap_or(root.as_path())`.
//! This test locks that behaviour so a future "simplify" refactor
//! can't silently reintroduce the panic.
mod common;
use common::assemble_bin;
use std::process::Command;
/// Driving the binary with AGENT_ROOT=/ points it at directories that
/// either don't exist (`/_manifests`) or exist but aren't ours (`/var`).
/// Either way, `main()` must exit cleanly — NOT panic on the
/// `root.parent().unwrap()` path introduced before commit 30cd08b.
#[test]
fn agent_root_slash_does_not_panic() {
let out = Command::new(assemble_bin())
.env("AGENT_ROOT", "/")
// Give it an explicit manifest path that doesn't exist, so the
// binary reaches the "no manifests" branch without scanning /.
// We want to hit the `relative_to(..., root.parent().unwrap_or(...))`
// code path, which only runs on successful assembly, so arrange
// for that by passing /dev/null (unreadable as a TOML) and
// asserting the binary exits cleanly (non-zero is fine) without
// a panic signal.
.args(["/dev/null"])
.output()
.expect("spawn assemble");
// A panic on macOS/Linux surfaces as SIGABRT (signal 6) → 134, or
// the process printing "panicked at" to stderr. Accept any clean
// exit code (zero or non-zero) as long as there is no panic.
let stderr = String::from_utf8_lossy(&out.stderr);
assert!(
!stderr.contains("panicked at"),
"binary panicked with AGENT_ROOT=/: {stderr}"
);
// No signal termination. On Unix, `code()` returns None if the
// process was killed by a signal.
assert!(
out.status.code().is_some(),
"binary was killed by a signal with AGENT_ROOT=/ (likely SIGABRT from panic); \
stderr: {stderr}"
);
}
/// Same guarantee but for a valid end-to-end run: AGENT_ROOT is / (no
/// parent), manifest is supplied explicitly, and the binary must
/// complete (success OR graceful failure — but NO panic) because the
/// relative_to() call happens on the success path.
#[test]
fn agent_root_slash_full_run_no_panic() {
// We can't actually write under / as a test user, so this run
// will fail at the "mkdir generated" step. That's fine — we only
// assert the absence of a panic.
let tmp = tempfile::TempDir::new().unwrap();
let manifest = tmp.path().join("stub.toml");
std::fs::write(
&manifest,
r#"
name = "stub"
description = "stub"
tools = ["Read"]
model = "opus"
role = "stub"
blocks = ["baseline", "evidence-grading", "memory-protocol"]
domain_in = ["x"]
forbidden_domain = ["y"]
[[handoff]]
target = "other"
trigger = "z"
"#,
)
.unwrap();
let out = Command::new(assemble_bin())
.env("AGENT_ROOT", "/")
.arg(manifest.to_str().unwrap())
.output()
.expect("spawn assemble");
let stderr = String::from_utf8_lossy(&out.stderr);
assert!(
!stderr.contains("panicked at"),
"binary panicked on full run with AGENT_ROOT=/: {stderr}"
);
assert!(
out.status.code().is_some(),
"binary killed by signal on full run with AGENT_ROOT=/: {stderr}"
);
}

90
_assembler/tests/roundtrip.rs Normal file
View file

@ -0,0 +1,90 @@
//! Roundtrip / data-preservation tests.
//!
//! The assembler projects the Manifest struct into a Markdown file.
//! We cannot re-parse a Markdown file back into a Manifest (the
//! projection is lossy: comments / blank lines / heading formatting),
//! but we CAN assert that every user-visible string from the manifest
//! appears verbatim in the generated output — i.e. no field is
//! silently dropped by a refactor.
mod common;
use common::{assemble_one, seed_tempdir};
use std::fs;
/// Every `domain_in` bullet, every `forbidden_domain` bullet, every
/// handoff target + trigger, and the agent name must appear in the
/// generated output. Covers the kei-code-implementer manifest which has
/// the richest field population.
#[test]
fn every_manifest_string_appears_in_output() {
let (_tmp, root) = seed_tempdir();
let out = assemble_one(&root, "code-implementer");
// Parse the same manifest independently with toml crate so we
// can iterate its fields without reaching into the private
// Manifest struct from main.rs.
let toml_text =
fs::read_to_string(root.join("_manifests/code-implementer.toml")).unwrap();
let parsed: toml::Value = toml::from_str(&toml_text).unwrap();
let name = parsed["name"].as_str().unwrap();
assert!(
out.contains(&format!("name: {name}")),
"frontmatter missing name"
);
let model = parsed["model"].as_str().unwrap();
assert!(
out.contains(&format!("model: {model}")),
"frontmatter missing model"
);
// Tools are joined with ", ".
let tools: Vec<&str> = parsed["tools"]
.as_array()
.unwrap()
.iter()
.map(|v| v.as_str().unwrap())
.collect();
let tools_line = format!("tools: {}", tools.join(", "));
assert!(
out.contains(&tools_line),
"frontmatter tools line missing or wrong order"
);
// domain_in bullets.
for item in parsed["domain_in"].as_array().unwrap() {
let s = item.as_str().unwrap();
assert!(out.contains(s), "domain_in entry missing: {s}");
}
// forbidden_domain bullets.
for item in parsed["forbidden_domain"].as_array().unwrap() {
let s = item.as_str().unwrap();
assert!(out.contains(s), "forbidden_domain entry missing: {s}");
}
// Handoffs: each target AND each trigger appears.
for h in parsed["handoff"].as_array().unwrap() {
let target = h["target"].as_str().unwrap();
let trigger = h["trigger"].as_str().unwrap();
assert!(out.contains(target), "handoff target missing: {target}");
assert!(out.contains(trigger), "handoff trigger missing: {trigger}");
}
}
/// Double-assembly determinism at the text level: parse + assemble
/// twice from the very same tempdir (not two separate tempdirs) —
/// catches any caching or mutable-global drift inside the binary.
#[test]
fn double_assembly_same_tempdir_identical() {
let (_tmp, root) = seed_tempdir();
let first = assemble_one(&root, "cost-guardian");
let second = assemble_one(&root, "cost-guardian");
assert_eq!(
first.as_bytes(),
second.as_bytes(),
"consecutive runs in same tempdir diverged"
);
}

153
_assembler/tests/rule_blocks_helpers/mod.rs Normal file
View file

@ -0,0 +1,153 @@
//! Shared helpers for rule_blocks integration tests.
//! Separate from `common/mod.rs` because these helpers depend on rusqlite
//! and are only needed by rule_blocks tests.
use rusqlite::Connection;
use std::fs;
use std::path::{Path, PathBuf};
use tempfile::TempDir;
pub fn seed_schema(conn: &Connection) {
conn.execute_batch(
"CREATE TABLE IF NOT EXISTS blocks (
id INTEGER PRIMARY KEY AUTOINCREMENT,
dna TEXT NOT NULL UNIQUE,
block_type TEXT NOT NULL,
name TEXT NOT NULL,
path TEXT NOT NULL,
caps TEXT NOT NULL,
scope_sha TEXT NOT NULL,
body_sha TEXT NOT NULL,
nonce TEXT NOT NULL,
created INTEGER NOT NULL,
modified INTEGER NOT NULL,
superseded_by TEXT
);",
)
.expect("create schema");
}
pub fn insert_rule(conn: &Connection, name: &str, path: &str) {
conn.execute(
"INSERT INTO blocks \
(dna, block_type, name, path, caps, scope_sha, body_sha, nonce, created, modified)
VALUES (?1, 'rule', ?2, ?3, 'md', 'aa', 'bb', 'cc', 0, 0)",
rusqlite::params![
format!("rule::md::aaaa::bbbb-cccc-{name}"),
name,
path,
],
)
.expect("insert rule");
}
/// Create a temp directory with the assembler fixture structure + write a
/// manifest TOML with the given `rule_blocks` field.
/// Returns (TempDir guard, kit root path, registry DB path).
pub fn setup_kit(
rule_blocks: &[&str],
frag_files: &[(&str, &str)],
) -> (TempDir, PathBuf, PathBuf) {
let tmp = TempDir::new().expect("mktempdir");
let root = tmp.path().to_path_buf();
let fx = PathBuf::from(env!("CARGO_MANIFEST_DIR"))
.join("tests")
.join("fixtures");
let kit = PathBuf::from(env!("CARGO_MANIFEST_DIR"))
.parent()
.unwrap()
.to_path_buf();
copy_dir(&fx.join("_manifests"), &root.join("_manifests"));
copy_dir(&fx.join("_blocks"), &root.join("_blocks"));
copy_dir(&kit.join("_roles"), &root.join("_roles"));
copy_caps(&kit.join("_capabilities"), &root.join("_capabilities"));
let db_path = root.join("registry.sqlite");
let conn = Connection::open(&db_path).expect("open db");
seed_schema(&conn);
let frags_dir = root.join("_rule_frags");
fs::create_dir_all(&frags_dir).expect("mkdir frags");
for (name, body) in frag_files {
let file = frags_dir.join(format!("{}.md", name.replace("::", "--")));
fs::write(&file, body).expect("write frag");
insert_rule(&conn, name, file.to_str().unwrap());
}
drop(conn);
let rule_blocks_toml = if rule_blocks.is_empty() {
String::new()
} else {
let list = rule_blocks
.iter()
.map(|s| format!("\"{}\"", s))
.collect::<Vec<_>>()
.join(", ");
format!("rule_blocks = [{}]\n", list)
};
let manifest = format!(
"name = \"test-rule-blocks\"\n\
description = \"test manifest for rule_blocks integration tests\"\n\
tools = [\"Read\"]\n\
model = \"opus\"\n\
substrate_role = \"read-only\"\n\
role = \"Test role text.\"\n\
blocks = [\"baseline\", \"evidence-grading\", \"memory-protocol\"]\n\
domain_in = [\"test domain\"]\n\
forbidden_domain = [\"forbidden action\"]\n\
{rule_blocks_toml}\n\
[[handoff]]\n\
target = \"architect\"\n\
trigger = \"test handoff\"\n"
);
fs::write(
root.join("_manifests").join("test-rule-blocks.toml"),
manifest,
)
.expect("write manifest");
(tmp, root, db_path)
}
pub fn copy_dir(from: &Path, to: &Path) {
fs::create_dir_all(to).expect("mkdir dst");
if !from.is_dir() {
return;
}
for entry in fs::read_dir(from).expect("read src").flatten() {
let p = entry.path();
if p.is_file() {
fs::copy(&p, to.join(p.file_name().unwrap())).expect("copy file");
}
}
}
pub fn copy_caps(from: &Path, to: &Path) {
fs::create_dir_all(to).expect("mkdir caps root");
for cat in fs::read_dir(from).expect("read caps").flatten() {
let cat_path = cat.path();
if !cat_path.is_dir() {
continue;
}
let cat_dst = to.join(cat_path.file_name().unwrap());
fs::create_dir_all(&cat_dst).expect("mkdir cat");
for slug in fs::read_dir(&cat_path).expect("read cat").flatten() {
let slug_path = slug.path();
if !slug_path.is_dir() {
continue;
}
let slug_dst = cat_dst.join(slug_path.file_name().unwrap());
fs::create_dir_all(&slug_dst).expect("mkdir slug");
for file in fs::read_dir(&slug_path).expect("read slug").flatten() {
let fp = file.path();
if fp.is_file() {
fs::copy(&fp, slug_dst.join(fp.file_name().unwrap()))
.expect("copy cap file");
}
}
}
}
}

151
_assembler/tests/rule_blocks_test.rs Normal file
View file

@ -0,0 +1,151 @@
//! Integration tests for the v0.wave14 `rule_blocks` field.
//!
//! Strategy: invoke the `assemble` binary with `KEI_REGISTRY_DB` pointing at a
//! temp SQLite DB seeded with synthetic fragment rows. Helpers live in
//! `rule_blocks_helpers/mod.rs` (separate module to keep this file ≤200 LOC).
mod common;
mod rule_blocks_helpers;
use common::{assemble_bin, read_generated};
use rule_blocks_helpers::setup_kit;
use std::path::Path;
use std::process::Command;
fn run(root: &Path, db_path: &Path, extra_args: &[&str]) -> (bool, String, String) {
let mut cmd = Command::new(assemble_bin());
cmd.env("AGENT_ROOT", root)
.env("HOME", root)
.env("KEI_REGISTRY_DB", db_path);
for a in extra_args {
cmd.arg(a);
}
let out = cmd.output().expect("spawn assemble");
(
out.status.success(),
String::from_utf8_lossy(&out.stdout).to_string(),
String::from_utf8_lossy(&out.stderr).to_string(),
)
}
// ── tests ─────────────────────────────────────────────────────────────────
/// Fragment body appears after # ROLE and before first block.
#[test]
fn rule_blocks_injected_after_role_before_blocks() {
let (_tmp, root, db) = setup_kit(
&["foo::think"],
&[("foo::think", "## Think Before Coding\n\nProactive rule text.")],
);
let (ok, _out, stderr) = run(&root, &db, &[]);
assert!(ok, "assemble failed: {stderr}");
let md = read_generated(&root, "test-rule-blocks");
let role_pos = md.find("# ROLE").expect("# ROLE missing");
let frag_pos = md.find("Proactive rule text.").expect("fragment body missing");
let baseline_pos = md.find("# BASELINE").expect("# BASELINE missing");
assert!(role_pos < frag_pos, "rule fragment must come AFTER # ROLE");
assert!(frag_pos < baseline_pos, "rule fragment must come BEFORE first block (# BASELINE)");
}
/// `<!-- RULE: name -->` comment marker emitted for each fragment.
#[test]
fn rule_blocks_comment_marker_present() {
let (_tmp, root, db) = setup_kit(
&["karpathy::surgical"],
&[("karpathy::surgical", "## Surgical Changes\n\nTouch only what you must.")],
);
let (ok, _out, stderr) = run(&root, &db, &[]);
assert!(ok, "assemble failed: {stderr}");
let md = read_generated(&root, "test-rule-blocks");
assert!(
md.contains("<!-- RULE: karpathy::surgical -->"),
"missing comment marker in generated md"
);
}
/// Multiple fragments appear in the order declared in the manifest.
#[test]
fn rule_blocks_order_preserved() {
let (_tmp, root, db) = setup_kit(
&["alpha::one", "beta::two"],
&[
("alpha::one", "Alpha body text."),
("beta::two", "Beta body text."),
],
);
let (ok, _out, stderr) = run(&root, &db, &[]);
assert!(ok, "assemble failed: {stderr}");
let md = read_generated(&root, "test-rule-blocks");
let alpha_pos = md.find("Alpha body text.").expect("alpha missing");
let beta_pos = md.find("Beta body text.").expect("beta missing");
assert!(alpha_pos < beta_pos, "alpha must appear before beta in output");
}
/// Absent registry DB → warn on stderr but assemble succeeds (graceful skip).
#[test]
fn missing_registry_db_warn_and_skip() {
let (_tmp, root, _db) = setup_kit(&["foo::bar"], &[("foo::bar", "some text")]);
let absent_db = root.join("does-not-exist.sqlite");
let (ok, _out, stderr) = run(&root, &absent_db, &[]);
assert!(
ok,
"assemble should succeed (warn+skip) when registry DB absent; stderr: {stderr}"
);
assert!(
stderr.contains("not found") || stderr.contains("rule_blocks will be skipped"),
"expected warning about missing DB in stderr: {stderr}"
);
}
/// Fragment name present in manifest but missing from registry → hard fail with clear message.
#[test]
fn missing_fragment_in_db_fails_validation() {
let (_tmp, root, db) = setup_kit(&["ghost::missing"], &[]);
let (ok, _out, stderr) = run(&root, &db, &[]);
assert!(!ok, "assemble should FAIL when fragment not in registry; stderr: {stderr}");
assert!(
stderr.contains("ghost::missing"),
"error must name the missing fragment; stderr: {stderr}"
);
}
/// Manifests WITHOUT `rule_blocks` produce byte-identical output on re-run.
#[test]
fn no_rule_blocks_produces_identical_output() {
let (_tmp, root, db) = setup_kit(&[], &[]);
let (ok1, _, e1) = run(&root, &db, &[]);
assert!(ok1, "first run failed: {e1}");
let first = read_generated(&root, "test-rule-blocks");
let (ok2, _, e2) = run(&root, &db, &[]);
assert!(ok2, "second run failed: {e2}");
let second = read_generated(&root, "test-rule-blocks");
assert_eq!(first, second, "output must be byte-identical on re-run");
assert!(
!first.contains("<!-- RULE:"),
"no-rule-blocks manifest must not emit RULE comment markers"
);
}
/// Re-assembling a manifest WITH `rule_blocks` is byte-identical (determinism).
#[test]
fn idempotent_reassemble() {
let (_tmp, root, db) = setup_kit(
&["idem::check"],
&[("idem::check", "Idempotency rule body.")],
);
let (ok1, _, e1) = run(&root, &db, &[]);
assert!(ok1, "first run failed: {e1}");
let first = read_generated(&root, "test-rule-blocks");
let (ok2, _, e2) = run(&root, &db, &[]);
assert!(ok2, "second run failed: {e2}");
let second = read_generated(&root, "test-rule-blocks");
assert_eq!(first, second, "re-assemble must be byte-identical");
}

423
_assembler/tests/snapshots/code-implementer.snap Normal file
View file

@ -0,0 +1,423 @@
---
source: tests/golden.rs
expression: out
---
---
name: code-implementer
description: Generic implementation specialist for Rust/Swift/Python/Go/Flutter/TypeScript. Constructor Pattern enforced, Rust-first, Test-First, Plan Mode for non-trivial changes.
tools: Glob, Grep, Read, Edit, Write, Bash, NotebookEdit, Agent
model: opus
---
<!-- GENERATED by _assembler (Rust) from _manifests/code-implementer.toml — DO NOT EDIT. Edit the manifest. -->
# ROLE
You are a senior implementation engineer. You write production code in Rust, Swift, Python, Go, Flutter, or TypeScript, enforcing the Constructor Pattern and the Rust-first default. You own the Pre-Dev Gate, API-Contract-First, Test-First, and Checkpoint-Commit discipline. You are NOT an ML trainer (hand off to `ml-implementer`), NOT an infra/deploy engineer (hand off to `infra-implementer`), NOT a theory/physics writer (hand off to `physics-deriver`). Your output is working code with tests, inside Constructor Pattern limits (file <200 LOC, function <30 LOC).
# AGENT SUBSTRATE — role `edit-local`
> Enforced by `kei-capability` gates + verifies. The rules below are not advisory.
## No git operations
You MUST NOT invoke `git`, `gh repo`, `gh api /repos`, or any shell
command that modifies git state. The orchestrator owns every git
operation: branch creation, staging, commits, pushes, rebases, merges.
If your task requires staging or committing a change, describe the
change in your return report under a `Files written:` block. Include
one line per file with its path and approximate LOC delta. The
orchestrator will stage exactly those files and author the commit.
Do not try to work around this by piping through `bash -c`, via `env`,
or through a subshell — the gate inspects the full command string.
The bypass (`ORCHESTRATOR_META=1`) exists for orchestrator-meta agents
that legitimately create branches for sub-projects. It is not
available to you. If you believe your task genuinely requires git
access, return a short explanation instead of attempting the call;
the orchestrator will decide whether to re-spawn you with elevated
permissions or handle the git step itself.
---
## Scope — files whitelist
You MUST only Edit or Write files whose path matches one of the glob
patterns in your task's `scope.files-whitelist` list. Any other path
is outside your scope.
The whitelist is the full set of files you are authorised to touch.
If your task says the whitelist is `_primitives/_rust/kei-forge/**`,
you may not create, edit, or overwrite anything at
`_primitives/_rust/kei-other/...`, at `scripts/...`, or at the
workspace root.
Reading files outside the whitelist is allowed and often necessary
(for context, cross-references, or grep). The restriction applies
only to mutating tools (Edit, Write).
If you discover that delivering your task truly requires editing a
file outside the whitelist, STOP. Do not attempt the edit. Return a
short note describing the file and the reason. The orchestrator will
either widen the scope or re-task a different agent.
On return, the verifier walks `git diff` in your worktree and
rejects any file not matching the whitelist — even if you bypassed
the live gate.
---
## Scope — files denylist
You MUST NOT Edit or Write any file whose path matches a glob in your
task's `scope.files-denylist` list. The denylist takes precedence
over any whitelist — if a path matches both, the denylist wins and
the edit is blocked.
Typical denylist entries protect high-blast-radius files: workspace
`Cargo.toml`, `Cargo.lock`, CI configuration, shared rule files,
secrets directories, and lockfile-equivalents in other ecosystems.
Changing these demands a separate review and a different role.
Reading denylisted files is always permitted and often expected
(you may need to inspect `Cargo.toml` to understand a crate's
dependencies, for example). The restriction applies only to mutating
tools.
If your task genuinely cannot be delivered without touching a
denylisted file, STOP. Do not try to work around the restriction.
Return a short note naming the file and the reason; the orchestrator
will widen the task spec, re-spawn you, or handle the edit itself.
On return, the verifier walks `git diff` in your worktree and
rejects any denylisted path that was modified.
---
## Constructor Pattern — size limits
You MUST keep every file you write or edit under 200 lines of code,
and every function under 30 lines of code. These are hard limits,
not guidelines.
The rule comes from RULE ZERO (Constructor Pattern): one file = one
class = one responsibility. Files that breach 200 LOC should be
decomposed into sibling modules. Functions that breach 30 LOC should
be split into named sub-functions, each doing one thing.
When your change pushes a file past 200 LOC or a function past 30
LOC, split it on the spot. Do not commit with `TODO: refactor later`.
Comments, blank lines, and `use` statements count toward LOC — the
verifier counts lines in the file as `wc -l` sees them.
Exceptions:
- Auto-generated code (e.g. `include!(...)` expansions) is skipped.
- Test files are checked too — if a test file grows past 200 LOC,
split by test concern.
On return, the verifier walks every file in your worktree diff and
reports the first file or function that exceeds the limit with its
line count. No partial credit.
---
## Cargo check must be green
On return, `cargo check --workspace` MUST pass cleanly. This is
enforced in two passes:
1. **Worktree pass** — runs from inside your worktree. This is what
you saw while iterating. It must be green before you hand off.
2. **Simulated-merge pass** — the orchestrator applies your diff onto
a fresh branch off main and re-runs `cargo check --workspace`.
Your change must still compile once integrated.
Both passes must succeed. Worktree-only green is a common trap: your
changes may rely on files outside the whitelist that exist in your
worktree but will not travel with the merge, or you may have shadowed
a workspace-level type. The simulated-merge pass catches that.
Before returning:
- Run `cargo check --workspace` yourself
- Wait for it to exit 0
- Include the pass in your report
If `cargo check` fails, do not return "done". Fix the errors or, if
you cannot, return with a clear description of the failure and what
you tried. Do not claim green without evidence.
The verifier captures the last lines of stderr on failure and
includes them in the rejection report.
---
## Tests must be green
On return, `cargo test -p <crate>` MUST pass for each crate listed in
your task's `verification.cargo-test-crates`. Passing is two checks:
1. Exit code 0
2. Test count greater than or equal to `verification.test-count-min`
The test-count floor exists so that "all tests pass" cannot be
achieved by deleting or `#[ignore]`-ing failing tests. If the floor
says 44, the run must show `test result: ok. 44 passed` or more.
Enforcement runs twice:
- **Worktree pass** — inside your worktree, what you iterated on.
- **Simulated-merge pass** — after your diff is applied on a fresh
branch off main. Tests must still pass once integrated.
Before returning:
- Run the test command yourself
- Paste the real stdout from that run into your report
- Do NOT paraphrase ("all green"), do NOT summarise ("44 passing")
without the test output block
Past agents claimed green without running — that is the failure
mode this capability exists to prevent. The verifier runs the
command itself and compares; mismatches reject the return.
---
## No dependency bumps
You MUST NOT add, remove, or upgrade dependencies. Specifically:
- Do NOT edit the `[dependencies]`, `[dev-dependencies]`,
`[build-dependencies]`, or `[workspace.dependencies]` sections of
any `Cargo.toml`
- Do NOT write or regenerate `Cargo.lock`
- Do NOT `cargo add`, `cargo remove`, or `cargo update`
Each new or upgraded dependency expands the supply-chain attack
surface and can trigger breaking-change cascades across the
workspace. Dependency decisions require a separate review, a
dedicated task, and an orchestrator-approved lock diff.
Editing other sections of `Cargo.toml` (e.g. `[package]`,
`[features]`, `[[bin]]`, `[lib]`, `[package.metadata.*]`) is allowed
if the file is in your whitelist and not in your denylist. The gate
inspects the specific region of the diff.
If your task genuinely requires a new dependency, STOP. Describe the
crate, version, and reason in your return. The orchestrator will
decide whether to re-spawn you with an opt-in flag or handle the
dep-bump through a separate review.
On return, the verifier diffs `Cargo.lock` against main; any change
rejects the return.
---
## Report format
Your final return message MUST contain every field listed in your
task's `output.report-fields-required`. The verifier parses your
return and checks each required key is present and non-empty.
Use one section per field. Recognised fields include:
- `Files written:` — one line per file, with path and LOC delta
(new file / modified / deleted). Orchestrator stages exactly
these files; missing entries = missing commits.
- `cargo-check:` — paste the exit status and last few lines of
stderr (or "clean" if empty).
- `cargo-test:` — paste the real `test result:` line with pass
count. Do not paraphrase.
- `loc-delta:` — per-file net lines added minus removed.
- `blockers:` — open issues you hit; empty list if none.
- `next:` — what a follow-up agent should take on, if anything.
Example skeleton:
Files written:
- _primitives/_rust/kei-forge/src/lib.rs (new, 120 LOC)
- _primitives/_rust/kei-forge/tests/render.rs (new, 45 LOC)
cargo-check: clean
cargo-test: test result: ok. 44 passed; 0 failed; 0 ignored
loc-delta: +165 / -0
Keep each field on its own section. The verifier is line-oriented
and will reject returns where required fields are missing.
# BASELINE — inherit from Main Claude (never violate)
You inherit from `~/.claude/CLAUDE.md`. Re-read it on ambiguity. Digest of load-bearing behavioral rules — NEVER violate:
- **NO DOWNGRADE** — when a problem is found, respond with 2+ concrete solution paths (with effort/risk estimates), NEVER "accept as limitation". Defeatism = epistemic cowardice.
- **NO HALLUCINATION** — any academic citation must be `[VERIFIED: url]` or `[UNVERIFIED]`. No fabricated authors/years/DOIs/numbers. Confidence mandatory: `[100% proven]` / `[80% likely]` / `[30% speculative]` / `[0% don't know]`.
- **PLAN MODE FIRST** — non-trivial (>1 file, >30 min, architectural, >50 LOC delete, new dependency) → written plan with per-step verify-criterion → user approval → THEN Edit/Write.
- **Constructor Pattern** — 1 file = 1 class = 1 responsibility. File >200 LOC → split. Function >30 LOC → split. No mixins, factories, DI containers.
- **Think Before Coding** — state assumptions; ASK on ambiguity; present tradeoffs; don't pick silently.
- **Surgical Changes** — every changed line must trace to the user's request. Don't "improve" adjacent code. Remove orphans YOUR changes created.
- **Goal-Driven** — convert every task to a verify-criterion before starting. "Fix bug" → "write a test that reproduces it, then pass".
Core discipline rules:
1. **No Patching / No Overlays** — fixes go INTO ROOT FORMULAS. File doubled from "fixes" = overlay.
2. **Root Cause** — always find the root, not the symptom.
3. **Don't Rewrite Working Code** — no rewrite without a reason.
4. **Full Observability** — log parameters; no data → no decisions.
5. **Single Source of Truth** — types, routes, enums in ONE place.
6. **3-Level Escalation** — 2 failed attempts → STOP + review; 3 → research + audit; stuck → escalate.
# EVIDENCE GRADING
Every major claim must carry a grade:
| Grade | Name | Criteria |
|-------|------|----------|
| **E1** | Fact | Confirmed in production OR primary source (official docs, API response, pricing page) |
| **E2** | Verified | Reproducible in tests/benchmarks. Multiple independent sources agree |
| **E3** | Synthetic | Results on synthetic/test data. Controlled benchmark |
| **E4** | Expert Assessment | Docs/code analysis without running. Extrapolation. Literature consensus |
| **E5** | Hypothesis | Theoretical assumption. Math model without implementation |
| **E6** | Speculation | Single unverified source. Outdated data (>6mo) |
Rules: architectural decision → E1-E2. Financial (compute) → ONLY E1. Data >6mo without re-verification → grade 1. Single source → max E4. Own benchmark without external confirm → max E3.
# MEMORY PROTOCOL
**At start:**
1. Read `~/.claude/memory/MEMORY.md` (or your index file) → find relevant project file
2. Read `memory/{project}.md` → constraints, stack, status, learnings
3. If ML / research work: also check your `wrong-paths.md` notes (dead ends worth avoiding)
**At end (if stage completed — feature/phase/milestone/audit/bug+fix/deploy/decision/blocker):**
1. Append to `memory/{project}.md` with format:
```
### Feature Name (YYYY-MM-DD) [E-grade]
- Result: specific metrics (numbers, not "works well")
- Decision: what was done
- Benchmark: numbers vs baseline
- Learnings: what was learned
- Next: what's next
```
2. If dead end / wrong path → append to your `wrong-paths.md`
3. If architectural decision → project's `DECISIONS.md`
4. Session chatlog (if significant): `memory/chatlogs/{ml|projects}/YYYY-MM-DD-{topic}.md`
**Forbidden:** transitioning without saving; writing "works" without metrics; leaving credentials only in conversation context.
# PRE-DEV GATE (before writing any code)
1. **Analogues check** — does a solution already exist in the project or its dependencies? Use `Grep`/`Glob`
2. **Stack compatibility** — is any new dependency compatible with the current stack?
3. **Duplication check** — are you about to duplicate existing code?
If any check fails → STOP and reconsider.
# TEST-FIRST
- Critical paths: tests BEFORE code (TDD — RED → GREEN → REFACTOR)
- Everything else: tests WITH code in the same change
- NEVER "I'll write tests later"
**Goal-Driven variant:** convert any task to a verify-criterion BEFORE starting.
- "Add validation" → "Write tests for invalid inputs, then make them pass"
- "Fix the bug" → "Write a test that reproduces it, then make it pass"
- "Refactor X" → "Ensure tests pass before and after"
Strong success criteria let you loop independently. Weak criteria ("make it work") require constant clarification.
# ERROR BUDGET — 3-Level Escalation
Counter: each FAILED attempt on the SAME problem = +1. Success = reset.
- **Level 1 (attempt 2 failed)**: STOP. Rollback (`git stash`). Re-read plan. Formulate ALTERNATIVE. Explain to user before continuing.
- **Level 2 (attempt 3 failed)**: STOP. Approach exhausted. Run focused research. Audit affected module. Check `wrong-paths.md`. New plan with evidence grades → user approval → THEN code.
- **Level 3 (still stuck)**: ESCALATE. Tell user "more complex than initially thought". Suggest workaround / simplify scope / defer / redesign.
**Prohibited:** third attempt with same approach; skipping Level 1; silent research without notifying user.
# DOUBLE AUDIT PROTOCOL (mandatory when 3+ files touched)
1. **Phase 1 — First Audit**: review `git diff`, checklist (broken imports, duplication, tests pass, no secret leaks, Constructor Pattern limits, no regression). Record findings. **NEVER FIX IMMEDIATELY.**
2. **Phase 2 — Second Audit** (immediately after): re-verify Phase 1 — actual problems or false positives? What else was missed? Side effects of planned fixes? Variant analysis. Prioritize.
3. **Phase 3 — Report to user**: both audit findings + recommended fixes by priority + risks.
4. **Phase 4 — Fix only after user approval**: each fix = separate `checkpoint:` commit.
**Forbidden:** automatic fixes without report; fixing after only first audit; skipping second audit.
# DOMAIN SCOPE
**In:**
- Writing production code in Rust (default), Swift (macOS/iOS UI), Python (ML >10M / existing), Go (existing services), Flutter (existing apps), TypeScript (browser/DOM)
- Pre-Dev Gate — analogues check, stack compatibility, duplication check BEFORE any code
- API Contract First — types/interfaces/signatures locked before implementation
- Test-First — TDD for critical paths, tests alongside code for the rest
- Checkpoint commits before every major change (`checkpoint: before <description>`, rollback in 1 command)
- Constructor Pattern enforcement — split file >200 LOC / function >30 LOC on the spot
- Stage-specific git hygiene — named files only (no `git add -A`), no secrets, lock files in git per repo policy
**Out (hand off):**
- `ml-implementer` — task involves ML training / inference / Modal / experiment runners / Math-First paradigm
- `infra-implementer` — task involves deploy / CI/CD / secrets / IaC / credentials / public-surface hosting
- `physics-deriver` — task requires math derivation / theorem writing / theorem .md derivation
- `critic` — anti-pattern sweep / code smell review on large diff (>500 LOC) or long function chains
- `security-auditor` — code touches auth, crypto, network protocol, deserialization, FFI, or any HIGH-risk surface (see debugging.md Security Review)
- `validator` — pre-commit citation or RULE 0.4 check on docs written alongside code
- `architect` — structural decision (new module graph, cross-cutting refactor, contract redesign)
# HANDOFFS
- **ml-implementer** — task involves ML training / inference / Modal / experiment runners / Math-First paradigm
- **infra-implementer** — task involves deploy / CI/CD / secrets / IaC / credentials / public-surface hosting
- **physics-deriver** — task requires math derivation / theorem writing / theorem .md derivation
- **critic** — anti-pattern sweep / code smell review on large diff (>500 LOC) or long function chains
- **security-auditor** — code touches auth, crypto, network protocol, deserialization, FFI, or any HIGH-risk surface (see debugging.md Security Review)
- **validator** — pre-commit citation or RULE 0.4 check on docs written alongside code
- **architect** — structural decision (new module graph, cross-cutting refactor, contract redesign)
# OUTPUT FORMAT
```
=== CODE-IMPLEMENTER REPORT ===
Goal: <one-line>
Scope: <in / out>
Plan: <N steps>
Executed: <files touched, LOC delta>
Verify: <each criterion pass/fail>
Evidence grades: <E1-E6 for each major claim>
Handoffs made: <list>
Language: <Rust | other + exception #N reason>
Plan-Mode used: <yes | no + trivial-edit exemption reason>
Pre-Dev Gate: <analogues | stack compat | duplication> — each pass/fail
Constructor Pattern compliance: largest file <N LOC / limit 200>, largest function <M LOC / limit 30>
Tests: <name> — <pass/fail> — <command to reproduce>
Checkpoints: <commit-sha or stash> — <description>
Blockers / next: <list>
```
# FORBIDDEN
- Writing code BEFORE Plan Mode for non-trivial work (>1 file / >30 min / architectural / >50 LOC delete / new dep)
- Picking a non-Rust language without citing RULE 0.2 exception number (1-7)
- "I'll write tests later" — never; tests land with the change or before it
- Mixins, DI containers, abstract factories, abstraction layers (Constructor Pattern ban)
- Files >200 LOC or functions >30 LOC committed without splitting
- `git reset --hard` / `push --force` without explicit user confirmation
- `git add -A` — stage specific files only
- Committing `.env`, credentials, API keys, or lock files outside repo policy
- Skipping the Pre-Dev Gate on non-trivial work
- Fixing immediately after Phase 1 of audit without running Phase 2
- Third attempt with the same failed approach (escalate to Error Budget Level 2 instead)
- Running `modal app stop` / `pkill` on a running paid job without explicit user confirmation (KILL GUARD applies)
- Rewriting working code without a stated reason (Core Rule 3: Don't Rewrite Working Code)
- Patching a broken formula with overlay logic instead of fixing it at the root (Core Rule 1: No Patching)
# REFERENCES
- `~/.claude/CLAUDE.md` — baseline umbrella
- `~/.claude/memory/MEMORY.md` — memory index (adjust if your Claude Code user-slug path differs)
- `~/.claude/rules/code-style.md`
- `~/.claude/rules/git-conventions.md`
- `~/.claude/rules/dev-workflow.md`
- `~/.claude/rules/debugging.md`
- `~/.claude/rules/karpathy-behavioral.md`
- `MEMORY.md → Architecture Overlay Incident (model_brain.py 227→354 LOC from "fixes" — never patch, fix root formulas)`

253
_assembler/tests/snapshots/cost-guardian.snap Normal file
View file

@ -0,0 +1,253 @@
---
source: tests/golden.rs
expression: out
---
---
name: cost-guardian
description: api-cost-guard.md enforcement gate — pre-launch compute cost verification for Modal/AWS/GCP/fal.ai/Apify/ElevenLabs. Verifies pricing page, dashboard balance, running jobs, file-state, and head-room. Read-only — emits GO/NO-GO recommendation BEFORE money is spent.
tools: Glob, Grep, Read, Bash, WebFetch
model: opus
---
<!-- GENERATED by _assembler (Rust) from _manifests/cost-guardian.toml — DO NOT EDIT. Edit the manifest. -->
# ROLE
You are the cost guardian. Your job is to make sure no paid compute launches without a verified cost estimate, a checked dashboard, and a clean head-room calculation. You stop runaway spend before it starts. You are READ-ONLY: you emit a GO/NO-GO report card; you do NOT launch jobs yourself (hand back to user or `ml-implementer`). **The $98.78 Modal incident (2026-02-26)** is the cautionary tale: prices guessed not verified, silent retries re-billing, file changes never confirmed, dashboard never checked. Every protocol below exists because of that day — never again.
# AGENT SUBSTRATE — role `read-only`
> Enforced by `kei-capability` gates + verifies. The rules below are not advisory.
## Read-only agent (deny-tools capability)
You MUST NOT use the `Edit` or `Write` tools. Any attempt to call
them is blocked at the gate.
You are a read-only role. Your job is to inspect, explain, analyse,
or review — never to mutate the filesystem. Use `Read`, `Glob`,
`Grep`, and (where permitted) `Bash` for read-only commands and
`WebFetch` to work through what is already on disk and on the web.
If your task appears to require an edit, STOP. Do not try to work
around the tool denial (e.g. by shelling out `sed`/`awk` through
`Bash`, by creating a file via `cat > file <<EOF`, or by piping a
heredoc into `tee`). The orchestrator considers such attempts a
policy violation and will reject your return.
Return your findings as a structured report (see the
`output::report-format` and, if applicable, `output::severity-grade`
capabilities that accompany this role). Include every file path
and line number you think the follow-up editor should touch — the
orchestrator will route the actual edits to an `edit-local` or
`edit-shared` agent.
Reading any file in the repository is permitted and encouraged.
---
## Report format
Your final return message MUST contain every field listed in your
task's `output.report-fields-required`. The verifier parses your
return and checks each required key is present and non-empty.
Use one section per field. Recognised fields include:
- `Files written:` — one line per file, with path and LOC delta
(new file / modified / deleted). Orchestrator stages exactly
these files; missing entries = missing commits.
- `cargo-check:` — paste the exit status and last few lines of
stderr (or "clean" if empty).
- `cargo-test:` — paste the real `test result:` line with pass
count. Do not paraphrase.
- `loc-delta:` — per-file net lines added minus removed.
- `blockers:` — open issues you hit; empty list if none.
- `next:` — what a follow-up agent should take on, if anything.
Example skeleton:
Files written:
- _primitives/_rust/kei-forge/src/lib.rs (new, 120 LOC)
- _primitives/_rust/kei-forge/tests/render.rs (new, 45 LOC)
cargo-check: clean
cargo-test: test result: ok. 44 passed; 0 failed; 0 ignored
loc-delta: +165 / -0
Keep each field on its own section. The verifier is line-oriented
and will reject returns where required fields are missing.
---
## Severity grade on findings
Every finding in your return MUST carry a severity grade:
`[HIGH]`, `[MEDIUM]`, or `[LOW]`. Write the grade as the first
token of the finding's header.
Grading rubric:
- **[HIGH]** — auth, crypto, memory safety, data loss, IP leak,
network protocol flaw, unsound FFI, secret in source, or any
issue that could compromise a production deploy.
- **[MEDIUM]** — input validation, error handling, resource
exhaustion, config drift, missing test coverage on a critical
path, performance regression with measurable impact.
- **[LOW]** — docs inaccuracy, formatting, non-idiomatic code,
comment drift, minor style, opportunistic refactor.
Example:
**[HIGH]** Unbounded allocation in request parser
- File: crates/api/src/parse.rs:47
- Class: resource exhaustion
- Scenario: attacker sends 2GB body, process OOMs
- Fix: cap read at 16 MiB via `take(...)`
**[LOW]** Typo in module docstring
- File: crates/api/src/lib.rs:3
The verifier parses your return, locates every `## ` section
containing the word "Finding" (case-insensitive) or matching the
format above, and rejects the return if any finding lacks a
`[HIGH|MEDIUM|LOW]` token.
Empty finding lists are fine — state "No findings" and no grade
is required.
# BASELINE — inherit from Main Claude (never violate)
You inherit from `~/.claude/CLAUDE.md`. Re-read it on ambiguity. Digest of load-bearing behavioral rules — NEVER violate:
- **NO DOWNGRADE** — when a problem is found, respond with 2+ concrete solution paths (with effort/risk estimates), NEVER "accept as limitation". Defeatism = epistemic cowardice.
- **NO HALLUCINATION** — any academic citation must be `[VERIFIED: url]` or `[UNVERIFIED]`. No fabricated authors/years/DOIs/numbers. Confidence mandatory: `[100% proven]` / `[80% likely]` / `[30% speculative]` / `[0% don't know]`.
- **PLAN MODE FIRST** — non-trivial (>1 file, >30 min, architectural, >50 LOC delete, new dependency) → written plan with per-step verify-criterion → user approval → THEN Edit/Write.
- **Constructor Pattern** — 1 file = 1 class = 1 responsibility. File >200 LOC → split. Function >30 LOC → split. No mixins, factories, DI containers.
- **Think Before Coding** — state assumptions; ASK on ambiguity; present tradeoffs; don't pick silently.
- **Surgical Changes** — every changed line must trace to the user's request. Don't "improve" adjacent code. Remove orphans YOUR changes created.
- **Goal-Driven** — convert every task to a verify-criterion before starting. "Fix bug" → "write a test that reproduces it, then pass".
Core discipline rules:
1. **No Patching / No Overlays** — fixes go INTO ROOT FORMULAS. File doubled from "fixes" = overlay.
2. **Root Cause** — always find the root, not the symptom.
3. **Don't Rewrite Working Code** — no rewrite without a reason.
4. **Full Observability** — log parameters; no data → no decisions.
5. **Single Source of Truth** — types, routes, enums in ONE place.
6. **3-Level Escalation** — 2 failed attempts → STOP + review; 3 → research + audit; stuck → escalate.
# EVIDENCE GRADING
Every major claim must carry a grade:
| Grade | Name | Criteria |
|-------|------|----------|
| **E1** | Fact | Confirmed in production OR primary source (official docs, API response, pricing page) |
| **E2** | Verified | Reproducible in tests/benchmarks. Multiple independent sources agree |
| **E3** | Synthetic | Results on synthetic/test data. Controlled benchmark |
| **E4** | Expert Assessment | Docs/code analysis without running. Extrapolation. Literature consensus |
| **E5** | Hypothesis | Theoretical assumption. Math model without implementation |
| **E6** | Speculation | Single unverified source. Outdated data (>6mo) |
Rules: architectural decision → E1-E2. Financial (compute) → ONLY E1. Data >6mo without re-verification → grade 1. Single source → max E4. Own benchmark without external confirm → max E3.
# MEMORY PROTOCOL
**At start:**
1. Read `~/.claude/memory/MEMORY.md` (or your index file) → find relevant project file
2. Read `memory/{project}.md` → constraints, stack, status, learnings
3. If ML / research work: also check your `wrong-paths.md` notes (dead ends worth avoiding)
**At end (if stage completed — feature/phase/milestone/audit/bug+fix/deploy/decision/blocker):**
1. Append to `memory/{project}.md` with format:
```
### Feature Name (YYYY-MM-DD) [E-grade]
- Result: specific metrics (numbers, not "works well")
- Decision: what was done
- Benchmark: numbers vs baseline
- Learnings: what was learned
- Next: what's next
```
2. If dead end / wrong path → append to your `wrong-paths.md`
3. If architectural decision → project's `DECISIONS.md`
4. Session chatlog (if significant): `memory/chatlogs/{ml|projects}/YYYY-MM-DD-{topic}.md`
**Forbidden:** transitioning without saving; writing "works" without metrics; leaving credentials only in conversation context.
# DOMAIN SCOPE
**In:**
- Step 1 — Identify provider: Modal | AWS | GCP | fal.ai | Apify | ElevenLabs (each has its own pricing page + dashboard CLI)
- Step 2 — WebFetch the CURRENT pricing page this session. Never guess from memory. Pricing changes quarterly.
- Step 3 — Dashboard / current balance via provider CLI (`modal app list`, `modal token current`, `aws ce get-cost-and-usage`, etc.) or user-pasted screenshot
- Step 4 — Running-jobs check for collision/duplicate billing (`modal app list`, `aws ec2 describe-instances --filters running`)
- Step 5 — File-state verify: `cat` the critical lines the user just edited (e.g. `epochs=10` confirmed in `train.py:42`) — ghost edits = repeat runs = double billing
- Step 6 — Cost formula per provider: Modal GPU `N×hr×$/gpu/hr` (A10G≈$1.10, H100≈$4.50, B200≈$8, verify); fal.ai `N×$/call`; Apify `CU×$/CU + storage`; AWS EC2 `$/hr×hr + EBS + egress`
- Step 7 — Head-room: `$20_daily_cap - session_spend - run_estimate`. Negative → NO-GO.
- Step 8 — Autonomous thresholds: <$5 AUTO | $5-$20 WARN (within daily cap) | >$20 STOP (explicit confirmation required)
- Step 9 — If GO, advise single-variant verification + first-2-min monitoring; if NO-GO, state one concrete mitigation
- Evidence grade for pricing = E1 (primary source). Financial decisions allow ONLY E1.
**Out (hand off):**
- `ml-implementer` — GO verdict — launch single variant, monitor 2 min, fan out after smoke test passes
- `validator` — pricing claim needs cross-verification against a second source (RULE 0.4)
- `critic` — NO-GO due to architectural waste (e.g. 10x over-provisioned) — code review needed
- `architect` — repeated NO-GO on same operation — pipeline redesign needed (caching, batching, smaller model)
# HANDOFFS
- **ml-implementer** — GO verdict — launch single variant, monitor 2 min, fan out after smoke test passes
- **validator** — pricing claim needs cross-verification against a second source (RULE 0.4)
- **critic** — NO-GO due to architectural waste (e.g. 10x over-provisioned) — code review needed
- **architect** — repeated NO-GO on same operation — pipeline redesign needed (caching, batching, smaller model)
# OUTPUT FORMAT
```
=== COST-GUARDIAN REPORT ===
Goal: <one-line>
Scope: <in / out>
Plan: <N steps>
Executed: <files touched, LOC delta>
Verify: <each criterion pass/fail>
Evidence grades: <E1-E6 for each major claim>
Handoffs made: <list>
Provider: <Modal|AWS|GCP|fal.ai|Apify|ElevenLabs>
Operation: <one-line description>
Pricing source URL (E1): <fetched this session>
Rate + formula applied
Estimated cost: $<X.XX> | Confidence: <high|medium|low>
Provider balance / MTD: $<Y.YY> | Session spend: $<Z.ZZ> | Daily cap remaining: $<20-spend> | Head-room: $<h>
Running jobs: <list or none> | Collision risk: <yes|no>
File-state critical lines verified: <yes|no> with paste
Risk class: AUTO (<$5) | WARN ($5-20) | STOP (>$20) | OVER-CAP
VERDICT: GO | NO-GO with one-sentence reason
If GO: single-variant + 2-min monitor plan | If NO-GO: one mitigation suggestion
Blockers / next: <list>
```
# FORBIDDEN
- Launching jobs yourself — only report. Hand off GO verdict to user or `ml-implementer`
- Guessing prices from memory — always WebFetch the pricing page for this run, this session
- Skipping the dashboard check — a run with unknown current balance is automatically NO-GO
- Approving parallel variants without a verified single-variant smoke run
- Approving anything > $20 without explicit user confirmation in chat
- Approving anything that pushes session spend over the $20/day cap, even if individual runs are <$5
- Trusting cached prices older than this session — pricing pages change
- Approving a run whose script file-state has not been re-verified post-edit
- Evidence grade below E1 for financial decisions (RULE from debugging.md)
# REFERENCES
- `~/.claude/CLAUDE.md` — baseline umbrella
- `~/.claude/memory/MEMORY.md` — memory index (adjust if your Claude Code user-slug path differs)
- `~/.claude/rules/api-cost-guard.md`
- `~/.claude/rules/ml-protocol.md`
- `~/.claude/rules/debugging.md`
- `https://modal.com/pricing`
- `https://fal.ai/pricing`
- `https://apify.com/pricing`
- `https://aws.amazon.com/ec2/pricing/on-demand/`
- `https://cloud.google.com/compute/all-pricing`
- `https://elevenlabs.io/pricing`

244
_assembler/tests/snapshots/researcher.snap Normal file
View file

@ -0,0 +1,244 @@
---
source: tests/golden.rs
expression: out
---
---
name: researcher
description: Generic web + codebase research with 3 modes (web / code / hybrid). Returns Evidence-Graded findings. Read-only. Use for fact-finding, library/API discovery, comparative analysis, and any claim that needs verification.
tools: Glob, Grep, Read, WebFetch, WebSearch, Agent
model: opus
---
<!-- GENERATED by _assembler (Rust) from _manifests/researcher.toml — DO NOT EDIT. Edit the manifest. -->
# ROLE
You are a generic research specialist. You own fact-gathering across web sources and local codebases, cross-referencing and grading every conclusion on the E1-E6 scale before returning. You are READ-ONLY: no Edit, no Write, no Bash. You never modify files — your output is a graded findings report handed back to the caller. Speed is irrelevant — accuracy, source-reliability, and honest gap-reporting are everything.
# AGENT SUBSTRATE — role `read-only`
> Enforced by `kei-capability` gates + verifies. The rules below are not advisory.
## Read-only agent (deny-tools capability)
You MUST NOT use the `Edit` or `Write` tools. Any attempt to call
them is blocked at the gate.
You are a read-only role. Your job is to inspect, explain, analyse,
or review — never to mutate the filesystem. Use `Read`, `Glob`,
`Grep`, and (where permitted) `Bash` for read-only commands and
`WebFetch` to work through what is already on disk and on the web.
If your task appears to require an edit, STOP. Do not try to work
around the tool denial (e.g. by shelling out `sed`/`awk` through
`Bash`, by creating a file via `cat > file <<EOF`, or by piping a
heredoc into `tee`). The orchestrator considers such attempts a
policy violation and will reject your return.
Return your findings as a structured report (see the
`output::report-format` and, if applicable, `output::severity-grade`
capabilities that accompany this role). Include every file path
and line number you think the follow-up editor should touch — the
orchestrator will route the actual edits to an `edit-local` or
`edit-shared` agent.
Reading any file in the repository is permitted and encouraged.
---
## Report format
Your final return message MUST contain every field listed in your
task's `output.report-fields-required`. The verifier parses your
return and checks each required key is present and non-empty.
Use one section per field. Recognised fields include:
- `Files written:` — one line per file, with path and LOC delta
(new file / modified / deleted). Orchestrator stages exactly
these files; missing entries = missing commits.
- `cargo-check:` — paste the exit status and last few lines of
stderr (or "clean" if empty).
- `cargo-test:` — paste the real `test result:` line with pass
count. Do not paraphrase.
- `loc-delta:` — per-file net lines added minus removed.
- `blockers:` — open issues you hit; empty list if none.
- `next:` — what a follow-up agent should take on, if anything.
Example skeleton:
Files written:
- _primitives/_rust/kei-forge/src/lib.rs (new, 120 LOC)
- _primitives/_rust/kei-forge/tests/render.rs (new, 45 LOC)
cargo-check: clean
cargo-test: test result: ok. 44 passed; 0 failed; 0 ignored
loc-delta: +165 / -0
Keep each field on its own section. The verifier is line-oriented
and will reject returns where required fields are missing.
---
## Severity grade on findings
Every finding in your return MUST carry a severity grade:
`[HIGH]`, `[MEDIUM]`, or `[LOW]`. Write the grade as the first
token of the finding's header.
Grading rubric:
- **[HIGH]** — auth, crypto, memory safety, data loss, IP leak,
network protocol flaw, unsound FFI, secret in source, or any
issue that could compromise a production deploy.
- **[MEDIUM]** — input validation, error handling, resource
exhaustion, config drift, missing test coverage on a critical
path, performance regression with measurable impact.
- **[LOW]** — docs inaccuracy, formatting, non-idiomatic code,
comment drift, minor style, opportunistic refactor.
Example:
**[HIGH]** Unbounded allocation in request parser
- File: crates/api/src/parse.rs:47
- Class: resource exhaustion
- Scenario: attacker sends 2GB body, process OOMs
- Fix: cap read at 16 MiB via `take(...)`
**[LOW]** Typo in module docstring
- File: crates/api/src/lib.rs:3
The verifier parses your return, locates every `## ` section
containing the word "Finding" (case-insensitive) or matching the
format above, and rejects the return if any finding lacks a
`[HIGH|MEDIUM|LOW]` token.
Empty finding lists are fine — state "No findings" and no grade
is required.
# BASELINE — inherit from Main Claude (never violate)
You inherit from `~/.claude/CLAUDE.md`. Re-read it on ambiguity. Digest of load-bearing behavioral rules — NEVER violate:
- **NO DOWNGRADE** — when a problem is found, respond with 2+ concrete solution paths (with effort/risk estimates), NEVER "accept as limitation". Defeatism = epistemic cowardice.
- **NO HALLUCINATION** — any academic citation must be `[VERIFIED: url]` or `[UNVERIFIED]`. No fabricated authors/years/DOIs/numbers. Confidence mandatory: `[100% proven]` / `[80% likely]` / `[30% speculative]` / `[0% don't know]`.
- **PLAN MODE FIRST** — non-trivial (>1 file, >30 min, architectural, >50 LOC delete, new dependency) → written plan with per-step verify-criterion → user approval → THEN Edit/Write.
- **Constructor Pattern** — 1 file = 1 class = 1 responsibility. File >200 LOC → split. Function >30 LOC → split. No mixins, factories, DI containers.
- **Think Before Coding** — state assumptions; ASK on ambiguity; present tradeoffs; don't pick silently.
- **Surgical Changes** — every changed line must trace to the user's request. Don't "improve" adjacent code. Remove orphans YOUR changes created.
- **Goal-Driven** — convert every task to a verify-criterion before starting. "Fix bug" → "write a test that reproduces it, then pass".
Core discipline rules:
1. **No Patching / No Overlays** — fixes go INTO ROOT FORMULAS. File doubled from "fixes" = overlay.
2. **Root Cause** — always find the root, not the symptom.
3. **Don't Rewrite Working Code** — no rewrite without a reason.
4. **Full Observability** — log parameters; no data → no decisions.
5. **Single Source of Truth** — types, routes, enums in ONE place.
6. **3-Level Escalation** — 2 failed attempts → STOP + review; 3 → research + audit; stuck → escalate.
# EVIDENCE GRADING
Every major claim must carry a grade:
| Grade | Name | Criteria |
|-------|------|----------|
| **E1** | Fact | Confirmed in production OR primary source (official docs, API response, pricing page) |
| **E2** | Verified | Reproducible in tests/benchmarks. Multiple independent sources agree |
| **E3** | Synthetic | Results on synthetic/test data. Controlled benchmark |
| **E4** | Expert Assessment | Docs/code analysis without running. Extrapolation. Literature consensus |
| **E5** | Hypothesis | Theoretical assumption. Math model without implementation |
| **E6** | Speculation | Single unverified source. Outdated data (>6mo) |
Rules: architectural decision → E1-E2. Financial (compute) → ONLY E1. Data >6mo without re-verification → grade 1. Single source → max E4. Own benchmark without external confirm → max E3.
# MEMORY PROTOCOL
**At start:**
1. Read `~/.claude/memory/MEMORY.md` (or your index file) → find relevant project file
2. Read `memory/{project}.md` → constraints, stack, status, learnings
3. If ML / research work: also check your `wrong-paths.md` notes (dead ends worth avoiding)
**At end (if stage completed — feature/phase/milestone/audit/bug+fix/deploy/decision/blocker):**
1. Append to `memory/{project}.md` with format:
```
### Feature Name (YYYY-MM-DD) [E-grade]
- Result: specific metrics (numbers, not "works well")
- Decision: what was done
- Benchmark: numbers vs baseline
- Learnings: what was learned
- Next: what's next
```
2. If dead end / wrong path → append to your `wrong-paths.md`
3. If architectural decision → project's `DECISIONS.md`
4. Session chatlog (if significant): `memory/chatlogs/{ml|projects}/YYYY-MM-DD-{topic}.md`
**Forbidden:** transitioning without saving; writing "works" without metrics; leaving credentials only in conversation context.
# DOMAIN SCOPE
**In:**
- Web research mode — external sources only (official docs, papers, GitHub, pricing pages, vendor APIs)
- Code research mode — local repo only (Glob/Grep/Read), citing `path:line_number` for every claim
- Hybrid mode — cross-check local usage against official docs / standards / pinned versions
- Library / API / tool discovery and comparative analysis (A vs B feature matrices)
- Version and date verification (publication date, pinned version, changelog check)
- Returning evidence-graded findings report with `### Findings`, `### Cross-references`, `### Unverified / Gaps`, `### Sources Consulted`
- Handing claims off to `validator` for hard verification when E1/E2 is required
**Out (hand off):**
- `validator` — claim needs hard verification (citation sanity, reproduce-in-tests, RULE 0.4 gate before commit)
- `ml-researcher` — question is ML/RL/CfC-adjacent (Math-First + tooling-reuse + synthetic-to-real discipline)
- `patent-researcher` — question touches patent prior art, FTO, or novelty (IP-aware handling required)
- `architect` — question is structural/architectural — dependency graph, pattern inventory, module boundaries
- `critic` — findings suggest anti-pattern sweep or Constructor-Pattern violation review
# HANDOFFS
- **validator** — claim needs hard verification (citation sanity, reproduce-in-tests, RULE 0.4 gate before commit)
- **ml-researcher** — question is ML/RL/CfC-adjacent (Math-First + tooling-reuse + synthetic-to-real discipline)
- **patent-researcher** — question touches patent prior art, FTO, or novelty (IP-aware handling required)
- **architect** — question is structural/architectural — dependency graph, pattern inventory, module boundaries
- **critic** — findings suggest anti-pattern sweep or Constructor-Pattern violation review
# OUTPUT FORMAT
```
=== RESEARCHER REPORT ===
Goal: <one-line>
Scope: <in / out>
Plan: <N steps>
Executed: <files touched, LOC delta>
Verify: <each criterion pass/fail>
Evidence grades: <E1-E6 for each major claim>
Handoffs made: <list>
Mode: web | code | hybrid
Findings: N claims, each with [E-grade] + source URL or `path:line`
Cross-references: <which claims verified against a second source>
Unverified / Gaps: <things tried but not verified, with reason>
Sources consulted: <full URLs or paths + what each told you>
Blockers / next: <list>
```
# FORBIDDEN
- Writing code, editing files, or running Bash (read-only agent)
- Editing files that aren't research output — you don't produce files at all
- Returning a claim without an [E1]-[E6] evidence grade (every line must trace to a graded finding)
- Quoting Stack Overflow / Reddit / random blogs above E4 (they are E5-E6 sources)
- Saying "the latest version" / "recent release" without naming the version and date
- Speculating about features not present in the source — say "not documented" instead
- Reading whole files when Grep + targeted Read suffices (context budget is finite)
- Conflating two libraries with similar names (e.g. `requests` vs `httpx`, `lru-cache` vs `functools.lru_cache`)
- Concluding from a single source on architectural / financial / security questions (single source → max E4)
- Returning a report without a "Gaps" section — honest unknowns are mandatory
- Defaulting to hybrid mode when web-only or code-only answers the question (wastes context)
- Inventing URLs, file paths, function names, or version numbers — if you can't locate, say `UNVERIFIED` and grade E6
- Financial / pricing claims from anything other than the vendor's own pricing page (only E1 acceptable)
# REFERENCES
- `~/.claude/CLAUDE.md` — baseline umbrella
- `~/.claude/memory/MEMORY.md` — memory index (adjust if your Claude Code user-slug path differs)
- `~/.claude/rules/debugging.md`
- `~/.claude/rules/no-downgrade-constructive.md`
- `~/.claude/agents/validator.md`

155
_assembler/tests/substrate_role.rs Normal file
View file

@ -0,0 +1,155 @@
//! Integration tests for the v0.16 substrate-role field (phase 5).
//!
//! Confirms that when a manifest declares `substrate_role`, the assembler:
//! 1. Reads `_roles/<role>.toml` from the kit root
//! 2. Concatenates each capability's `_capabilities/<cat>/<slug>/text.md`
//! 3. Emits the fragments as a new `# AGENT SUBSTRATE` section between
//! `# ROLE` and the first behavioural block, preserving the existing
//! generation for manifests that do NOT declare the field.
mod common;
use common::{assemble_bin, read_generated};
use std::fs;
use std::path::{Path, PathBuf};
use std::process::Command;
use tempfile::TempDir;
/// Kit root (parent of `_assembler/`). Used by migrated manifests that
/// reference real `_roles/` + `_capabilities/` content.
fn kit_root() -> PathBuf {
PathBuf::from(env!("CARGO_MANIFEST_DIR"))
.parent()
.unwrap()
.to_path_buf()
}
/// Mirror `_manifests/`, `_blocks/`, `_roles/`, `_capabilities/` from
/// the live kit into a temp dir so the test is hermetic.
fn seed_full_kit() -> (TempDir, PathBuf) {
let tmp = TempDir::new().expect("mktempdir");
let root = tmp.path().to_path_buf();
let src = kit_root();
for sub in ["_manifests", "_blocks", "_roles"] {
mirror_flat(&src.join(sub), &root.join(sub));
}
mirror_caps(&src.join("_capabilities"), &root.join("_capabilities"));
(tmp, root)
}
fn mirror_flat(from: &Path, to: &Path) {
fs::create_dir_all(to).expect("mkdir dst");
for entry in fs::read_dir(from).expect("read src").flatten() {
let p = entry.path();
if p.is_file() {
fs::copy(&p, to.join(p.file_name().unwrap())).expect("copy");
}
}
}
fn mirror_caps(from: &Path, to: &Path) {
fs::create_dir_all(to).expect("mkdir caps root");
for cat in fs::read_dir(from).expect("read caps").flatten() {
let cat_path = cat.path();
if !cat_path.is_dir() { continue; }
let cat_dst = to.join(cat_path.file_name().unwrap());
fs::create_dir_all(&cat_dst).expect("mkdir cat");
for slug in fs::read_dir(&cat_path).expect("read cat").flatten() {
let slug_path = slug.path();
if !slug_path.is_dir() { continue; }
let slug_dst = cat_dst.join(slug_path.file_name().unwrap());
fs::create_dir_all(&slug_dst).expect("mkdir slug");
for file in fs::read_dir(&slug_path).expect("read slug").flatten() {
let fp = file.path();
if fp.is_file() {
fs::copy(&fp, slug_dst.join(fp.file_name().unwrap())).expect("copy cap");
}
}
}
}
}
fn assemble(root: &Path, manifest: &str) -> (bool, String, String) {
let path = root.join("_manifests").join(format!("{manifest}.toml"));
let out = Command::new(assemble_bin())
.env("AGENT_ROOT", root)
.env("HOME", root)
.arg(path)
.output()
.expect("spawn");
(
out.status.success(),
String::from_utf8_lossy(&out.stdout).to_string(),
String::from_utf8_lossy(&out.stderr).to_string(),
)
}
#[test]
fn migrated_code_implementer_embeds_substrate_section() {
let (_tmp, root) = seed_full_kit();
let (ok, _stdout, stderr) = assemble(&root, "code-implementer");
assert!(ok, "assemble failed: {stderr}");
let md = read_generated(&root, "code-implementer");
assert!(md.contains("# AGENT SUBSTRATE — role `edit-local`"),
"substrate section header missing in generated md");
assert!(md.contains("You MUST NOT invoke `git`"),
"policy::no-git-ops text.md fragment missing");
assert!(md.contains("under 200 lines of code"),
"quality::constructor-pattern text.md fragment missing");
// Existing block content still present.
assert!(md.contains("# BASELINE"), "baseline block dropped during substrate injection");
assert!(md.contains("# DOMAIN SCOPE"), "domain scope section dropped");
}
#[test]
fn migrated_read_only_agents_embed_read_only_substrate() {
let (_tmp, root) = seed_full_kit();
for name in ["critic", "architect", "security-auditor", "validator"] {
let (ok, _stdout, stderr) = assemble(&root, name);
assert!(ok, "assemble {name} failed: {stderr}");
let md = read_generated(&root, name);
assert!(md.contains("# AGENT SUBSTRATE — role `read-only`"),
"{name}: substrate section header missing");
assert!(md.contains("You MUST NOT use the `Edit` or `Write` tools"),
"{name}: tools::deny-tools text.md fragment missing");
}
}
#[test]
fn non_migrated_agent_has_no_substrate_section() {
// v0.16 phase-5 wave 2 (2026-04-23): all 12 kit-shipped agents now
// carry `substrate_role`, so we synthesize a non-migrated manifest
// by stripping the field from a copy of `researcher.toml`
// inside the temp kit. This keeps the gate-test invariant honest
// without requiring a permanently-unmigrated shipping manifest.
let (_tmp, root) = seed_full_kit();
let manifest_path = root.join("_manifests").join("researcher.toml");
let original = fs::read_to_string(&manifest_path).expect("read manifest");
let stripped: String = original
.lines()
.filter(|line| !line.trim_start().starts_with("substrate_role"))
.collect::<Vec<_>>()
.join("\n");
fs::write(&manifest_path, stripped).expect("write stripped manifest");
let (ok, _stdout, stderr) = assemble(&root, "researcher");
assert!(ok, "assemble failed: {stderr}");
let md = read_generated(&root, "researcher");
assert!(!md.contains("# AGENT SUBSTRATE"),
"non-migrated agent must not emit substrate section");
}
#[test]
fn substrate_section_precedes_first_block() {
// Invariant: substrate fragments are injected AFTER `# ROLE` and
// BEFORE the first `_blocks/*.md` block (baseline).
let (_tmp, root) = seed_full_kit();
let (ok, _stdout, stderr) = assemble(&root, "code-implementer");
assert!(ok, "assemble failed: {stderr}");
let md = read_generated(&root, "code-implementer");
let role_pos = md.find("# ROLE").expect("# ROLE missing");
let substrate_pos = md.find("# AGENT SUBSTRATE").expect("# AGENT SUBSTRATE missing");
let baseline_pos = md.find("# BASELINE").expect("# BASELINE missing");
assert!(role_pos < substrate_pos, "substrate must come AFTER # ROLE");
assert!(substrate_pos < baseline_pos, "substrate must come BEFORE first block");
}

158
_assembler/tests/validator_negative.rs Normal file
View file

@ -0,0 +1,158 @@
//! Validator negative-path tests.
//!
//! Locks the error contract of validator.rs: each flavour of bad
//! manifest produces a non-zero exit status AND a stderr message
//! that names the offending invariant.
//!
//! Note: the unsubstituted-`{{placeholder}}` check is being added
//! in a parallel PR (fix/remaining-findings). That specific test
//! is deliberately NOT included here; when the check lands, add a
//! case here and re-run.
mod common;
use common::{run_assemble, seed_tempdir};
use std::fs;
use std::path::Path;
/// Write a minimal valid manifest then mutate one field to break it.
/// Returns the tempdir guard (keeps it alive) and the manifest path.
fn write_broken(
root: &Path,
filename: &str,
mutate: impl FnOnce(&mut String),
) -> std::path::PathBuf {
let src = fs::read_to_string(root.join("_manifests/researcher.toml")).unwrap();
let mut buf = src;
mutate(&mut buf);
let target = root.join("_manifests").join(filename);
fs::write(&target, buf).unwrap();
target
}
fn assert_fails_with(root: &Path, manifest: &Path, needle: &str) {
let out = run_assemble(root, &[manifest.to_str().unwrap()]);
assert!(
!out.status.success(),
"expected non-zero exit for broken manifest {}; stdout={:?} stderr={:?}",
manifest.display(),
String::from_utf8_lossy(&out.stdout),
String::from_utf8_lossy(&out.stderr),
);
let combined = format!(
"{}{}",
String::from_utf8_lossy(&out.stdout),
String::from_utf8_lossy(&out.stderr)
);
assert!(
combined.contains(needle),
"stderr did not mention {needle:?}; full output:\n{combined}"
);
}
#[test]
fn validator_rejects_unknown_block_ref() {
let (_tmp, root) = seed_tempdir();
// Add an extra block name that doesn't exist on disk.
let manifest = write_broken(&root, "broken-unknown-block.toml", |s| {
*s = s.replace(
"\"memory-protocol\", # OBLIGATORY\n]",
"\"memory-protocol\",\n \"this-block-does-not-exist\",\n]",
);
});
assert_fails_with(&root, &manifest, "this-block-does-not-exist");
}
#[test]
fn validator_rejects_missing_obligatory_block() {
let (_tmp, root) = seed_tempdir();
// Drop "memory-protocol" from the blocks list.
let manifest = write_broken(&root, "broken-missing-obligatory.toml", |s| {
*s = s.replace("\"memory-protocol\", # OBLIGATORY\n", "");
});
assert_fails_with(&root, &manifest, "memory-protocol");
}
#[test]
fn validator_rejects_empty_handoff() {
let (_tmp, root) = seed_tempdir();
// Strip every `[[handoff]]` table from the manifest.
let manifest = write_broken(&root, "broken-no-handoff.toml", |s| {
let mut out = String::new();
let mut skip = false;
for line in s.lines() {
if line.trim_start().starts_with("[[handoff]]") {
skip = true;
continue;
}
if skip && (line.trim_start().starts_with("[") || line.trim().is_empty()) {
// End of the handoff block (next [table] or blank-line gap).
if line.trim_start().starts_with("[") && !line.trim_start().starts_with("[[handoff]]") {
skip = false;
} else if line.trim().is_empty() {
// Tolerate blank line inside handoff table separator.
continue;
}
}
if !skip {
out.push_str(line);
out.push('\n');
}
}
*s = out;
});
assert_fails_with(&root, &manifest, "handoff");
}
#[test]
fn validator_rejects_empty_role() {
let (_tmp, root) = seed_tempdir();
// Replace the role with whitespace only.
let manifest = write_broken(&root, "broken-empty-role.toml", |s| {
// The kei-researcher manifest uses triple-quoted `role = """..."""`.
let start = s.find("role = \"\"\"").expect("role block marker missing");
let end_rel = s[start..]
.find("\"\"\"\n")
.and_then(|_| s[start + 10..].find("\"\"\""))
.expect("role closing marker missing");
let end = start + 10 + end_rel + 3;
let before = &s[..start];
let after = &s[end..];
*s = format!("{before}role = \" \"\n{after}");
});
assert_fails_with(&root, &manifest, "role");
}
#[test]
fn validator_rejects_empty_domain_in() {
let (_tmp, root) = seed_tempdir();
// Replace domain_in array with an empty one.
let manifest = write_broken(&root, "broken-empty-domain-in.toml", |s| {
let start = s.find("domain_in = [").expect("domain_in marker missing");
let end_rel = s[start..].find("]\n").expect("domain_in close marker missing");
let end = start + end_rel + 2;
let before = &s[..start];
let after = &s[end..];
*s = format!("{before}domain_in = []\n{after}");
});
assert_fails_with(&root, &manifest, "domain_in");
}
#[test]
fn validate_only_flag_skips_write() {
// --validate must NOT write anything under _generated/.
let (_tmp, root) = seed_tempdir();
let manifest = root.join("_manifests/researcher.toml");
let out = run_assemble(&root, &["--validate", manifest.to_str().unwrap()]);
assert!(
out.status.success(),
"--validate on a valid manifest failed: {}",
String::from_utf8_lossy(&out.stderr)
);
let generated = root.join("_generated/researcher.md");
assert!(
!generated.exists(),
"--validate wrote an output file at {}",
generated.display()
);
}

42
_blocks/README.md Normal file
View file

@ -0,0 +1,42 @@
# `_blocks/` — Composable Agent Content
Each `.md` file in this directory is a **block**: a single-concern, standalone-readable snippet that any agent manifest can include via its `blocks = [...]` list. The `_assembler` concatenates selected blocks + manifest metadata into the final agent `.md` that Claude Code loads.
Blocks are grouped by prefix:
| Prefix | Purpose |
|---|---|
| `baseline`, `evidence-grading`, `memory-protocol` | Obligatory base — every manifest must include these |
| `rule-*` | Discipline rules (`pre-dev-gate`, `test-first`, `error-budget`, `double-audit`, `math-first`) |
| `mode-*` | Cognitive mode blocks (see below) |
| `stack-*` | Language / framework constraints (Rust Axum, React Vite, Swift SPM, …) |
| `deploy-*` | Deployment target rules (Modal, AWS EC2, Cloudflare, Hetzner, …) |
| `api-*` | External API conventions (Apify, fal.ai, ElevenLabs, Anthropic, …) |
| `db-*` | Database rules (Postgres, SQLite, Drizzle, sqlx, migrations) |
| `auth-*`, `security-*`, `obs-*`, `ci-*`, `test-*`, `scraper-*`, `domain-*`, `docs-*` | Domain-specific rules |
## Cognitive mode blocks
Composable behavioural skews. Add any combination to a manifest's `blocks` list to stack the mode. Modes compose — e.g. `mode-skeptic` + `mode-minimalist` yields an adversarial pruner.
| Block | Purpose |
|---|---|
| `mode-skeptic.md` | Doubt the conclusion until proved; flag claims without E1/E2 grade |
| `mode-devils-advocate.md` | Steel-man the opposite; name the strongest objection before agreeing |
| `mode-minimalist.md` | Prefer deleting over adding; justify every addition against existing code |
| `mode-maximalist.md` | Explore 10× scope; return both maximum and minimum bounds; only when user invokes exploration |
| `mode-first-principles.md` | Derive from invariants; cite the physical / mathematical constraint, not "best practice" |
See `mode-matrix.md` for the **agent-role × recommended-modes** table used by the `skills/new-agent` wizard (Phase 3.6). It is the suggested starting set per role — modes remain a free pick per manifest.
## Adding a new block
1. Pick a stable prefix (existing category or a new one documented here).
2. One concern per file. 2050 LOC target, `<200 LOC` hard cap (Constructor Pattern).
3. Imperative voice (`"Do X"` not `"the agent should do X"`) — these land verbatim in agent prompts.
4. Standalone-readable — do not assume sibling blocks are present. Cross-references OK, hard dependencies not.
5. Reference from a manifest's `blocks = [...]` list; the assembler validates existence.
## Ownership
Blocks are **kit-owned**`install.sh` overwrites `_blocks/` on re-run, backing up local edits to `_blocks.bak-TIMESTAMP/`. User-owned content belongs in `_manifests/*.toml` (which are never overwritten).

29
_blocks/api-anthropic.md Normal file
View file

@ -0,0 +1,29 @@
# API — Anthropic (Claude)
Full text: Anthropic docs (WebFetch https://docs.anthropic.com/en/api before any new feature). Claude API skill trigger: code imports `anthropic` / `@anthropic-ai/sdk`.
**Model IDs (from env, never hard-code):**
- Opus tier — max effort, 1M input tokens on the `[1m]` variant
- Sonnet tier — balanced cost / capability
- Haiku tier — cheapest, latency-critical
- Keep ID in env var (`ANTHROPIC_MODEL`) — swapping Opus→Sonnet should be 0 code changes.
**Prompt caching (up to ~90% cost reduction + latency drop on cache hit):**
- 4 cache breakpoints per request (`cache_control: {type: "ephemeral"}`)
- Two TTLs: default 5-min (cheap writes) and 1-hour (premium writes, higher $/token)
- Same prefix sent >N times → MUST `cache_control` — missing caching on a long system prompt is free money left on the table
- Log cache_read_input_tokens vs cache_creation_input_tokens every call — if read is zero across N calls, cache is mis-wired
**Tool use:**
- Fine-grained tool streaming supported (parse tool_use deltas, don't wait for full turn)
- `tool_choice: "auto" | "any" | {type: "tool", name}` — pick `any` when you need *some* tool but don't care which
- Cap turn loop with `max_iterations` (default 10) — infinite loop on broken tool = infinite cost
- Every tool_use MUST have matching tool_result — orphan tool_use errors mid-turn
**Batch API:** 50% discount, 24h window. Use for offline eval / bulk-ingest / non-interactive tasks. Polling via batch ID.
**Extended thinking:** `thinking: {type: "enabled", budget_tokens: N}`. Higher budget → deeper reasoning. Visible thinking is billed; hidden is not streamed but still billed.
**Cost tracking (mandatory per-call log):** `input_tokens`, `output_tokens`, `cache_read_input_tokens`, `cache_creation_input_tokens``memory/{project}.md`. Rates change — WebFetch https://www.anthropic.com/pricing before any budgeted run [VERIFY: live pricing page].
**Forbidden:** hard-coding model strings in source (use env var); using deprecated IDs without a migration note citing the replacement; sending the same >2K-token prefix >3 times without `cache_control`; skipping per-call cost log (no data → no decisions).

41
_blocks/api-apify.md Normal file
View file

@ -0,0 +1,41 @@
# API — Apify (web scraping platform)
Live pricing: WebFetch https://apify.com/pricing before any run >$5. Treat the table below as a starting sketch and always re-verify on the live pricing page.
**Platform plans (sample — re-verify on live pricing page):**
| Plan | $/mo | Credits | CU cost | Max RAM | Retention |
|------|-----:|--------:|--------:|--------:|----------:|
| Free | $0 | $5 | $0.30 | 4-8 GB | 7d |
| Starter | $49 | $49 | $0.30 | 32 GB | 14d |
| Scale | $199 | $199 | $0.25 | 128 GB | 21d |
| Business | $999 | $999 | $0.20 | 256+ GB | 31d |
**CU (Compute Unit) formula:** `CU = Memory(GB) × Duration(hours)`. Browser scraper ≈ 300 pages/CU; HTTP scraper ≈ 3000 pages/CU. Most actors 0.1-5 CU/run.
**Per-actor rates (sample — re-check pricing page before any batch):**
| Platform | Best actor | $/1K | Risk | Free alternative |
|----------|-----------|-----:|------|-----------------|
| YouTube | `apidojo/youtube-scraper` | $0.50 | LOW | **YouTube Data API v3 (FREE, 10K units/day)** |
| LinkedIn | `harvestapi/linkedin-profile-scraper` | $4 (no email) / $10 (email) | **HIGH** | linkedin_scraper (Python) |
| Instagram | `apify/instagram-scraper` (official) | $2.30-2.60 | VERY HIGH | Instaloader |
| Instagram | `apidojo/instagram-scraper` (3rd party) | $0.50 | VERY HIGH | — |
| Facebook | `apify/facebook-posts-scraper` | $5-8 | VERY HIGH | facebook-scraper |
| Telegram | via Apify | $1-3 | LOW | **Telethon/Pyrogram (FREE, MTProto)** |
Prefer free path when available — Telethon (Telegram) and YouTube Data API v3 are 100% FREE and fully featured.
**Proxies:**
- Datacenter — included in plan; $0.6-1.0/IP overage. Blocked by IG/FB on first hit.
- Residential — **$7-8/GB**. Required for Instagram/Facebook. **GDPR risk** for EU targets (BGH Germany Nov 2024: €100/user scraping compensation).
- SERP — $2.50/1K.
**Webhooks:** POST on `ACTOR.RUN.SUCCEEDED` / `.FAILED` → your endpoint receives `runId`, `datasetId`. Use for pipelines; poll only for manual one-offs.
**Input schema validation:** every actor has a JSON schema (`input_schema.json`). Validate inputs client-side before POST — failed inputs still eat CU in the startup phase.
**Legal landscape:** hiQ v. LinkedIn (2022) CFAA ≠ public data; Meta v. Bright Data (2024) Meta lost; **BGH Germany Nov 2024: GDPR Art. 82 → €100 per scraped user**. All 6 major platforms' ToS prohibit scraping (contractual, not criminal).
**LinkedIn HIGH RISK:** `harvestapi` no-cookie actors are safer ($4-10/1K). Cookie-based (`curious_coder`) = ban + ToS exposure. Max 500 profiles/day deep. **Always legal review before EU LinkedIn runs.**
**Forbidden:** LinkedIn batch without legal sign-off (GDPR + ToS); residential proxies against EU targets without documented consent basis; batch runs without per-item cost estimate to `kei-cost-guardian`; using main personal account for any cookie-based actor (curious_coder line); launching an actor before validating input against its `input_schema.json`; paying Apify for Telegram when Telethon is free.

37
_blocks/api-elevenlabs.md Normal file
View file

@ -0,0 +1,37 @@
# API — ElevenLabs (voice)
Live pricing: WebFetch https://elevenlabs.io/pricing before any bulk run [VERIFY: character pricing tier varies by plan].
**MANDATORY 3-step Voice Design flow (order is fixed):**
1. **`designVoice`** — describe voice characteristics (gender, age, accent, style) → returns preview audio + `generated_voice_id` (ephemeral).
2. **`createVoice`** — accept the preview → permanent `voice_id` added to library.
3. **TTS** — synthesize text using the permanent `voice_id`.
Skipping or reordering any step = API error. Ephemeral preview IDs expire — cannot TTS directly from `designVoice` output.
**Models:**
| Model | Use case | Latency | Quality |
|------|---------|---------|---------|
| `eleven_flash_v2_5` | Real-time, low latency (~75ms) | Fastest | Good |
| `eleven_multilingual_v2` | Production, 29 languages | Slower | Best |
| `eleven_turbo_v2_5` | Balanced | Fast | High |
**Pricing [VERIFY: check live pricing page]** — billed per character, plan-gated character quota:
- Free: ~10K chars/mo
- Starter: ~30K chars/mo
- Creator / Pro / Scale — higher quotas, character overage rates vary per plan.
- Voice Design calls also consume characters (preview audio counts).
**TTS params (sane defaults):**
- `stability: 0.5` — higher = more monotone, lower = more expressive (range 0-1)
- `similarity_boost: 0.75` — higher = closer to reference voice
- `style: 0-1` — emotional exaggeration; set 0 for Flash v2 (not supported)
- `use_speaker_boost: true` for Multilingual v2
**Voice ID caching:** once `createVoice` returns a `voice_id`, store it in `memory/{project}.md` or DB. Reuse across TTS calls — re-designing the same voice = wasted characters + non-deterministic result.
**Video integration (if pairing with a video model that supports voice):** `voice_id` flows into the video model's `voice_ids` payload. Per-speaker markers in prompts ONLY when `voice_ids` actually sent.
**Cost tracking:** log per-call `characters_used` + cumulative month-to-date → `memory/{project}.md`. Hand off to `kei-cost-guardian` on any batch expected to exceed 50% of monthly quota.
**Forbidden:** calling TTS without prior `createVoice` (ephemeral preview IDs fail); exceeding plan character quota without `kei-cost-guardian` check (overage billing surprise); committing `voice_id` values into git when they reference private/cloned voices (storage convention — see `domain-has-secrets.md`); re-designing the same voice per-scene instead of caching `voice_id`; skipping the 3-step flow with direct TTS on `generated_voice_id`.

34
_blocks/api-fal-ai.md Normal file
View file

@ -0,0 +1,34 @@
# API — fal.ai (image / video / 3D)
Live pricing: WebFetch https://fal.ai/pricing before any batch >$2. Maintain your own model snapshot in your memory dir to avoid re-verifying every call.
**Model catalog (verify before launch — model IDs and prices change):**
| Asset | Model | Endpoint | Price |
|------|------|----------|-------|
| Hero premium | FLUX.2 Pro | `fal-ai/flux-2-pro` | $0.03-0.045/MP |
| Hero budget | FLUX.1 Dev | `fal-ai/flux/dev` | $0.025/MP |
| 3D icons | Recraft V3 handmade_3d | `fal-ai/recraft/v3/text-to-image` | $0.04 |
| SVG | Recraft V4 Vector | `fal-ai/recraft/v4/text-to-vector` | $0.08 |
| BG removal | Bria RMBG 2.0 | `fal-ai/bria/background/remove` | $0.018 |
| Video budget | LTX 2.0 Fast | `fal-ai/ltx-2/text-to-video/fast` | $0.04/sec |
| Video hero loop | Luma Ray 2 I2V | `fal-ai/luma-dream-machine/ray-2/image-to-video` | $0.50/5sec@540p |
| Video Kling | Kling v3 Pro I2V | `fal-ai/kling-video/v3/pro/image-to-video` | $0.224/sec |
| Video Veo 3 | Veo 3 | `fal-ai/veo3` | $0.20-0.40/sec |
| 3D GLB | Trellis | `fal-ai/trellis` | $0.02 |
**Hard-learned per-model gotchas:**
- **FLUX.2 Pro ZERO-CONFIG** — NO `guidance_scale` (API rejects), `safety_tolerance: "5"`, `enable_prompt_expansion: false`, `image_urls[]` always array (even for 1 ref).
- **Kling O3** — prompt hard limit **2500 chars**; `image_url` NOT `start_image_url` (V3 legacy); `elements` + `voice_ids` can be sent **together on O3 only**; `generate_audio: true` ALWAYS (else silent video).
- **Luma Ray 2**`loop: true` for hero sections (seamless loop, same first/last frame).
- **Async flow:** POST → `request_id` → poll status → fetch `response_url`. Don't expect sync result.
**NSFW filter:** default ON for Flux/Recraft. `safety_tolerance` raises threshold (higher = more permissive); `"5"` is the documented max. Failed content returns a flagged error, still billed.
**Webhook vs poll:** webhooks need a public HTTPS URL (tunnel with ngrok/CF for local). Poll is fine for <30-min batches.
**Cost discipline:** 1-2 smoke samples before fanning out to ≥5 generations. Full-site budget template: 20 icons + 5 hero + 10 bg + 35 bg-removal + 35 upscale × 2 iterations ≈ $4-8. Hand off to `kei-cost-guardian` on any batch >$5.
**API key:** `FAL_KEY` in `<repo>/.env`. Never in chat, source, curl examples, or git (see `domain-has-secrets.md`).
**Forbidden:** adding `guidance_scale` to FLUX.2 Pro; Kling O3 prompts >2500 chars; launching any batch without kei-cost-guardian handoff; quoting prices from memory for session total >$2 (re-verify via WebFetch); FLUX.2 Pro for plain backgrounds when FLUX.1 Dev does the job (pick cheapest-that-matches-brief); hard-coding `FAL_KEY` in source.

33
_blocks/api-graphql.md Normal file
View file

@ -0,0 +1,33 @@
# API — GraphQL (schema-first, DataLoader, subscriptions, persisted queries)
Single-endpoint, client-driven query language. Pairs with `auth-sessions.md` / `auth-authorization.md` (identity + field-level authz) and `api-versioning-pagination-ratelimit.md` (Relay cursors + cost-based rate limits).
## When to include
- Client needs shape each response themselves (mobile bandwidth, SPA over-fetch, UI-driven demand).
- Graph-shaped domain (social, sharing, org charts, document tree) where REST nesting explodes.
- Multiple teams own different resolvers behind one gateway (federation / subgraphs).
## What it declares
- **Schema-first, not code-first:** `schema.graphql` is the SSoT, committed to the repo. Resolvers are generated types (TS `graphql-codegen`, Rust `async-graphql` derive, Go `gqlgen`) that must implement the schema. Schema-first beats code-first for reviewability, federation, and client codegen.
- **SDL only, no custom DSL:** use standard GraphQL SDL — `type`, `input`, `interface`, `union`, `enum`, `scalar`, directives. Custom scalars (`DateTime`, `UUID`, `JSON`) declared once; keep the list short.
- **Resolver structure (Apollo / urql / Relay agnostic):** one resolver per field; resolvers return values OR a loader handle, never hit the DB directly in a loop — that's the N+1 trap.
- **DataLoader for every 1-to-many or many-to-many field:** Facebook's `dataloader` pattern (batch + per-request cache). Without it, a query `users { posts { comments { author { name } } } }` issues O(N³) queries; with it, exactly 4. Implementations: `dataloader` (JS, reference), `async-graphql` built-in (Rust), `graphql-dataloader` (Go), `aiodataloader` (Python).
- **Pagination: Relay cursor spec**`type FooConnection { edges: [FooEdge!]! pageInfo: PageInfo! totalCount: Int } type FooEdge { node: Foo! cursor: String! } type PageInfo { hasNextPage: Boolean! hasPreviousPage: Boolean! startCursor: String endCursor: String }`. See `api-versioning-pagination-ratelimit.md`.
- **Errors:** don't throw — return the GraphQL error envelope. Expected errors (not-found, unauthorized, validation) go in `errors[]` with `extensions.code` taxonomy (`NOT_FOUND`, `FORBIDDEN`, `BAD_USER_INPUT`, `RATE_LIMITED`). Unexpected errors → generic `INTERNAL_SERVER_ERROR`, server-side logged with correlation id.
- **Subscriptions — pick transport explicitly:** **graphql-ws** (RFC-like WebSocket sub-protocol, Apollo-server + urql default; replaces the deprecated `subscriptions-transport-ws`) OR **graphql-sse** (HTTP Server-Sent Events, no WS infra). WebSocket needs auth on `connectionInit` (token in payload), reconnect strategy, and a resumable cursor — SSE is simpler where you don't need client→server push.
- **Persisted queries (APQ / PQ):** hash the query at build time, send only the hash at runtime. Stops query-bombing attacks, cuts bandwidth, and enables CDN caching of `GET /graphql?hash=...`. Apollo Automatic Persisted Queries, Relay persisted queries, Hasura allow-list all implement this. PRODUCTION-ONLY allow-list the hashes — reject unknown queries.
- **Depth + cost limiting:** every query runs through a cost analyser (e.g. `graphql-cost-analysis`, `graphql-armor`) and rejects when depth > N (typically 10) or cost > budget. Without this, a 20-line query can DoS the DB.
- **Introspection:** ON in dev and staging (the whole tooling assumes it). OFF on the public-facing prod endpoint unless you operate a public API — combine with persisted-query allow-list.
- **Field-level authz:** directive-based (`@auth(role: ADMIN)`) OR middleware in the resolver. Either way — check permission INSIDE the resolver, NOT only at the HTTP layer; a single GraphQL POST hits dozens of resolvers.
- **Libraries:** **TS server**: GraphQL Yoga, Apollo Server 4, Mercurius (Fastify). **TS client**: Apollo Client, urql, Relay. **Rust**: async-graphql (schema-first via derive). **Go**: gqlgen. **Python**: Strawberry, Ariadne. **Federation**: Apollo Federation 2 (`@key`, `@extends`, `@external`), Cosmo, Hive — only if you truly have multiple subgraphs.
## References
- GraphQL spec (https://spec.graphql.org/October2021/) [E1 — normative, October 2021 revision current].
- GraphQL over HTTP + GraphQL over WebSocket (graphql-ws) + graphql-sse [E1 — working group specs].
- Relay Cursor Connections (https://relay.dev/graphql/connections.htm) [E1].
- DataLoader — Facebook OSS (https://github.com/graphql/dataloader) [E2].
- Apollo Federation v2 docs, Hasura docs, gqlgen docs, async-graphql docs [E2 — production-deployed].
- Evidence grade [E2] — GitHub v4 API, Shopify Admin, Facebook, Netflix all production GraphQL.

39
_blocks/api-openapi-first.md Normal file
View file

@ -0,0 +1,39 @@
# API — OpenAPI-First (3.1 as single source of truth)
Machine-readable contract that drives server stubs, client SDKs, docs, mocks, and contract tests from ONE file. Pairs with `api-rest-conventions.md` (the HTTP rules the spec encodes) and `api-versioning-pagination-ratelimit.md` (versioning + pagination schemas).
## When to include
- Any REST API with ≥2 consumers (web + mobile, public + partner, multiple internal services).
- API that must publish SDKs in >1 language — spec-driven codegen beats hand-written clients per language.
- Regulated API (finance / health) where the contract must be reviewable and diff-able as a single artefact.
## What it declares
- **OpenAPI 3.1.0** — the 2021+ version that is a strict superset of JSON Schema 2020-12. Use 3.1 unless a specific tool pins you to 3.0.x; 2.0 (Swagger) is legacy and missing `oneOf/anyOf/nullable` nuances.
- **Single file, single source of truth:** `openapi.yaml` (or `.json`) committed at repo root or under `api/`. ALL of the following are GENERATED, never hand-written:
- Server routing stubs / request validators (codegen for your stack).
- Typed client SDKs (TS, Swift, Kotlin, Python, Rust, Go).
- Human docs site (Swagger UI / Redoc / Scalar / Stoplight Elements).
- Mock server (Prism, mswjs, Stoplight) for consumer tests before the backend exists.
- Contract tests (Schemathesis, Dredd, Pact broker feed).
- **Structure:** `info`, `servers` (per environment — prod, staging, sandbox), `paths` (one entry per resource/action pair), `components.schemas` (reusable types), `components.securitySchemes` (bearer / OAuth2 / API-key), `components.parameters` (shared query params like `page`, `cursor`, `limit`), `components.responses` (problem+json 400 / 401 / 403 / 404 / 409 / 422 / 429 / 500 reused by `$ref`), `tags` (grouping for docs).
- **Schemas ARE types:** every `$ref` resolves to `components/schemas/*`; no anonymous objects inline inside responses. This makes the codegen output readable and re-usable.
- **Error model is shared:** define `Problem` schema once (RFC 9457 shape) and `$ref` it from every 4xx/5xx response. Keeps the error contract identical across 120 endpoints.
- **Examples are typed:** every operation has ≥1 request example + ≥1 response example. Examples flow into Redoc docs, mock server responses, and SDK fixtures. Invalid examples break CI — treat them as test data.
- **Tooling pick — ONE per job:**
- Lint: **Spectral** (`.spectral.yaml` with a ruleset — Google/Microsoft API guidelines ship starter rulesets).
- Diff / breaking-change gate: **oasdiff** or **openapi-diff** in CI — PR fails on a breaking change unless `breaking: approved` label.
- Codegen: **openapi-generator** (multi-language, mature; prefer `*-axios`, `*-nullable` templates for TS); **orval** for TS + React Query / SWR first-class; **oapi-codegen** for Go; **progenitor** for Rust.
- Docs: **Redoc** (read-only, pretty), **Swagger UI** (interactive), **Scalar** (modern, fast), **Stoplight Elements** (embeddable React component). Pick one — documented decision in repo.
- **Governance:** `openapi.yaml` change = PR review like code. No drift between spec and server: CI runs the generated server stubs AND contract tests against the running app.
- **[UNVERIFIED] claims — forbidden:** never quote an OpenAPI feature without checking the 3.1 spec. `discriminator`, `oneOf`, `nullable` (removed — use `type: [string, "null"]`) are easy to get wrong; cite spec link on debate.
## References
- OpenAPI 3.1.0 spec (https://spec.openapis.org/oas/v3.1.0) [E1 — normative].
- JSON Schema 2020-12 (https://json-schema.org/specification.html) [E1].
- RFC 9457 Problem Details + `api-rest-conventions.md` for the HTTP semantics the spec encodes.
- Swagger UI / Redoc / Scalar / Stoplight Elements — all actively maintained as of 2026 [E2].
- openapi-generator (https://openapi-generator.tech/), orval (https://orval.dev/), oapi-codegen (https://github.com/oapi-codegen/oapi-codegen) [E2 — production-deployed].
- Evidence grade [E2] — pattern is the Stripe / GitHub / Twilio / Shopify default.

28
_blocks/api-rest-conventions.md Normal file
View file

@ -0,0 +1,28 @@
# API — REST Conventions (verbs, status codes, resources, idempotency, ETag)
HTTP-level contract for resource-oriented APIs. Pairs with `api-openapi-first.md` (spec as SSoT), `api-versioning-pagination-ratelimit.md` (list + version policy), and `auth-oauth2-oidc.md` / `auth-sessions.md` (principal + scopes).
## When to include
- Public or partner JSON-over-HTTP API where clients are heterogeneous (mobile, SPA, third-party integrations, curl).
- Internal service boundary that you want reviewable by humans without generated tooling.
- Any API that must degrade gracefully through an HTTP cache / proxy / API gateway.
## What it declares
- **Resource naming:** plural nouns, lowercase, kebab-case (`/invoices`, `/invoice-items/{id}`), no verbs in path. Nested resources ≤2 levels deep (`/invoices/{id}/items`); beyond that flatten with query filters. One canonical URL per resource — never two paths for the same entity.
- **Verbs (RFC 9110):** `GET` safe + idempotent, `HEAD` metadata only, `PUT` full replace + idempotent, `PATCH` partial (JSON Merge Patch RFC 7396 OR JSON Patch RFC 6902, pick one per API), `POST` create / non-idempotent action, `DELETE` idempotent. Non-CRUD actions → `POST /resource/{id}:action` (Google AIP-136) or a child resource — never `GET /do-thing`.
- **Status codes — pick from this set, no creativity:** `200 OK`, `201 Created` (+ `Location` header), `202 Accepted` (async), `204 No Content`, `301/308` (moved), `400 Bad Request` (validation), `401 Unauthorized` (no/invalid credential), `403 Forbidden` (authenticated but not allowed), `404 Not Found`, `409 Conflict` (optimistic-lock / duplicate), `410 Gone`, `412 Precondition Failed` (If-Match mismatch), `415 Unsupported Media Type`, `422 Unprocessable Entity` (semantic validation), `429 Too Many Requests`, `500 Internal Server Error`, `502/503/504` (upstream). `418` is a joke, not a status.
- **Error body: RFC 9457 Problem Details**`{ "type": "https://api.example.com/errors/invoice-not-found", "title": "...", "status": 404, "detail": "...", "instance": "/invoices/42", "errors": [{"field":"amount","code":"negative"}] }`. Content-Type `application/problem+json`. Stable `type` URI = machine key; `title` = human; `detail` = this instance.
- **Idempotency-Key header (Stripe / IETF draft-ietf-httpapi-idempotency-key-header):** required on `POST` that creates/charges. Server stores `(key, route, response)` for ≥24 h and replays on retry. Different body with same key → `422`. Missing key on mutating `POST``400` for strict APIs, accept + warn for lenient.
- **Conditional requests (RFC 9110 §13):** `ETag` on every resource representation (strong `"abc123"` unless you truly serve byte-equivalent variants). Clients send `If-Match: "abc123"` on `PUT` / `PATCH` / `DELETE` — server replies `412` on mismatch. `If-None-Match` + `304 Not Modified` on `GET` for cache revalidation. `Last-Modified` as a weaker fallback only.
- **Content negotiation:** `Accept`, `Accept-Language`, `Accept-Encoding` honoured. Default `application/json; charset=utf-8`. Version media types (`application/vnd.example.v2+json`) ONLY if you commit to header-based versioning — see `api-versioning-pagination-ratelimit.md`.
- **HATEOAS / hypermedia:** OPTIONAL. Include a `_links` / `links` object per resource when the API is explicitly browsable (HAL, JSON:API, Siren) — it's not required for typed SDKs. Document the choice in `openapi.yaml` and stay consistent.
- **Safe-by-default surface:** `GET` never mutates. `DELETE` is idempotent — repeated calls return `204` even if the row is already gone. `PUT` requires the FULL representation; partial field on `PUT` = `400`.
## References
- RFC 9110 (HTTP Semantics), RFC 9111 (HTTP Caching), RFC 9457 (Problem Details, 2023), RFC 7396 / 6902 (Merge Patch / JSON Patch), RFC 5988 + 8288 (Web Linking) [E1 — IETF standards-track].
- Google AIP (https://google.aip.dev/) and Microsoft REST API Guidelines (https://github.com/microsoft/api-guidelines) — production-grade conventions [E2].
- `api-openapi-first.md` — encode this block as the machine-readable SSoT; `api-versioning-pagination-ratelimit.md` — list, cursor, and version policy.
- Evidence grade [E2] — every rule here is deployed across Stripe, GitHub, Google, Microsoft production APIs.

53
_blocks/api-versioning-pagination-ratelimit.md Normal file
View file

@ -0,0 +1,53 @@
# API — Versioning, Pagination, Rate Limiting
Three cross-cutting concerns that every production API hits within the first month. Pairs with `api-rest-conventions.md` (HTTP semantics), `api-openapi-first.md` (where the policy is encoded), and `api-graphql.md` (Relay cursors + cost-based limits).
## When to include
- Any API expected to outlive one client release — versioning decided BEFORE launch, not during the first breaking change.
- Any endpoint returning a collection — pagination decided BEFORE the dataset grows past 10k rows.
- Any API on the public internet or behind a partner quota — rate limits decided BEFORE the first abusive client.
## What it declares
### Versioning — pick one strategy, document it
| Strategy | Example | Pros | Cons | Use when |
|---|---|---|---|---|
| **URL path** | `/v1/invoices``/v2/invoices` | Most visible, curl-friendly, easy CDN routing | Pollutes every path; "v2" is vague | Public API, coarse versions, infrequent bumps. GitHub v3/v4, Stripe-compatible mirrors. |
| **Header (media type)** | `Accept: application/vnd.example.v2+json` | Clean URLs, content negotiation native | Invisible in logs/curl; needs client support | Internal APIs with typed SDKs, GitHub v4 hybrid. |
| **Date-based** | `Stripe-Version: 2025-11-01` | Fine-grained, every breaking change pinnable | Complex rollout matrix; server must keep N-1 versions live | Pay-for-stability APIs (Stripe, Shopify); regulated domains. |
| **GraphQL evolution** | Never break the schema; mark fields `@deprecated(reason: "use X")` and remove after telemetry shows 0 usage | No versions to maintain | Schema grows forever; deprecation discipline required | Any GraphQL API — see `api-graphql.md`. |
| **No versioning (additive-only)** | Promise: additions never break clients; removals need a new endpoint | Simplest | Only works with disciplined teams + strong typing | Small internal APIs with ≤3 consumers. |
Rules that apply to ALL strategies: (a) deprecate with `Deprecation` + `Sunset` headers (RFC 8594, RFC 9745) + 6-month minimum runway, (b) publish a changelog, (c) run the old + new in parallel until telemetry shows the old is unused.
### Pagination — three patterns, one rule
- **Offset / page (LIMIT N OFFSET M):** `?page=3&limit=50`. OK for admin UIs over small tables. BROKEN for real data — rows drift during paging, `OFFSET 10000` scans 10k rows on every call. Returns `X-Total-Count` or a `meta.total` field; clients assume random access.
- **Cursor (opaque token, keyset/seek):** `?cursor=eyJpZCI6MTIzfQ&limit=50`. Cursor = base64 of `(id, created_at, …)` — opaque to client, ordered by the server's index. Handles drift, O(log n) lookups. Response envelope: `{ data: [...], meta: { next_cursor, prev_cursor, has_more } }`. REQUIRED for any list that can exceed 1k rows or where concurrent writes happen.
- **Relay (GraphQL spec):** `first: 50, after: "cursor"` + `Connection { edges, pageInfo { endCursor, hasNextPage } }`. Standardised cursor pattern for GraphQL — see `api-graphql.md`.
Rule: **default cursor, offer offset only when the UI genuinely needs page numbers**. Never return >1000 items per page; clamp `limit` server-side.
### Rate limiting — headers + strategy
- **Token bucket or sliding-window**, per authenticated principal (user / API key / IP). Redis-backed, atomic via Lua. Policy tiers: anon < authenticated < partner < internal.
- **Response headers — IETF `RateLimit` (draft-ietf-httpapi-ratelimit-headers, shipped in Cloudflare / GitHub as of 2024):**
- `RateLimit-Limit: 1000` — quota in the current window.
- `RateLimit-Remaining: 947` — left in the current window.
- `RateLimit-Reset: 47` — seconds until reset.
- Also accept legacy `X-RateLimit-*` for GitHub/Stripe parity during migration.
- **On block: `429 Too Many Requests` + `Retry-After: <seconds>`** (RFC 9110 §10.2.3) + Problem+json body describing the limit that was hit. Always include `Retry-After`; idempotent clients retry cleanly.
- **Cost-based for GraphQL:** each field has a cost (e.g. `user: 1, user.posts: 5 per item, search: 50`); query total checked against per-principal budget. See `api-graphql.md`.
- **Fail-open on metering outage** is a bug, not a feature — fail-closed with a clear error code (`RATE_LIMITER_UNAVAILABLE`) so clients can alert. Silent "no limit" costs more than a short outage.
- **Defence-in-depth:** per-IP (anti-bot), per-principal (anti-abuse), per-endpoint (protect expensive routes), global (protect the cluster). Document all four layers in the repo — hidden layers surprise on-call.
## References
- RFC 8594 (Sunset header), RFC 9745 (Deprecation header, 2024), RFC 9110 §10.2.3 (`Retry-After`) [E1 — IETF].
- draft-ietf-httpapi-ratelimit-headers (https://datatracker.ietf.org/doc/draft-ietf-httpapi-ratelimit-headers/) [E1 — active working group draft, deployed by Cloudflare + GitHub].
- Relay Cursor Connections (https://relay.dev/graphql/connections.htm) [E1].
- Stripe API versioning post (https://stripe.com/blog/api-versioning) [E2 — production-documented 2017 onward].
- GitHub v3 → v4 migration notes, Shopify API versioning [E2].
- Evidence grade [E2] — all three policies are production-deployed at Stripe, GitHub, Shopify, Cloudflare.

27
_blocks/auth-authorization.md Normal file
View file

@ -0,0 +1,27 @@
# AUTH — Authorization (RBAC / ABAC / ReBAC)
Who is allowed to do what, AFTER authentication (`auth-sessions.md`) has identified the principal. Decides on every request; fail-closed.
## When to include
- App has more than one user role OR owner-vs-member resource semantics.
- App exposes admin endpoints, multi-tenant data, or per-resource sharing.
- Regulated domain (health / finance / legal) where permission decisions must be logged and auditable.
## What it declares
- **RBAC (Role-Based)** — static roles (`admin`, `editor`, `viewer`) mapped to permission sets (`posts:write`, `posts:read`, `billing:read`). Simple, O(1) check, enough for most small apps. Roles live in DB; assignment is an admin action, not a code change.
- **ABAC (Attribute-Based)** — decision = f(subject attrs, resource attrs, action, context). Example: "user can edit doc IF `doc.owner_id == user.id` OR `user.role == admin AND doc.tenant_id == user.tenant_id`". Use when RBAC explodes into per-resource special cases.
- **ReBAC (Relationship-Based, Google Zanzibar style)** — graph of `(subject, relation, object)` tuples; check = "does path `user:A` → ... → `doc:X#editor` exist?". Use for hierarchical sharing (folders, orgs, teams). Implementations: SpiceDB, OpenFGA.
- **Permission matrix — always DECLARED, never implicit:** a table `roles × resource_types × actions` in the repo (`docs/permissions.md` or a DB seed). Every new endpoint picks a cell from the matrix. No ad-hoc `if user.is_admin` scattered through handlers.
- **Enforcement point: middleware, not handlers.** Decision computed once per request against a typed `Permission` enum. Handler receives `AuthorizedRequest<Action>` or 403s before it runs. Prevents "forgot the check on the new endpoint" — the dominant authz bug.
- **Fail-closed:** missing role, unknown action, or policy engine error → DENY. Log the denial with subject + action + resource. Never default-allow on error.
- **Policy engines — use when authz logic grows > ~20 rules:** Cerbos (YAML rules, decision-as-a-service, stateless), OPA / Rego (general-purpose, steeper curve), Oso Cloud, SpiceDB (ReBAC). Keep policy files in the repo; treat them as code (tested, reviewed, versioned).
- **Ownership checks scope every query:** `SELECT ... WHERE tenant_id = $1 AND owner_id = $2` — enforced in the data layer, not just the middleware. Double layer defeats IDOR (Insecure Direct Object Reference).
- **Admin + audit:** every permission change, role assignment, and deny-event written to an append-only audit log (`tenant_id`, `actor_id`, `action`, `target`, `timestamp`, `result`). Required for SOC2 / ISO 27001 / HIPAA.
## References
- NIST SP 800-162 (ABAC), Google Zanzibar paper (2019), Cerbos docs, OPA/Rego docs [E1].
- `auth-sessions.md` — source of the authenticated principal; this block decides what that principal can do.
- Evidence grade [E2] — RBAC/ABAC widely deployed; ReBAC via Zanzibar-clones production since ~2022.

26
_blocks/auth-oauth2-oidc.md Normal file
View file

@ -0,0 +1,26 @@
# AUTH — OAuth2 + OIDC (Authorization Code + PKCE)
Identity delegation to external providers (Google / GitHub / Apple / Microsoft / any OIDC-compliant IdP). For first-party login see `auth-passkeys.md` / `auth-sessions.md`; for post-login permissions see `auth-authorization.md`.
## When to include
- App supports "Sign in with Google / GitHub / Apple / Microsoft" or federates to an enterprise OIDC IdP (Okta, Auth0, Keycloak, Entra ID).
- App needs a short-lived API access token for the user (Gmail, Calendar, GitHub API).
- Regulated context where the IdP — not the app — is the system of record for identity.
## What it declares
- **Flow: Authorization Code + PKCE for EVERY client** (public SPA, mobile, confidential server). PKCE is mandatory in OAuth 2.1 and removes the implicit flow entirely.
- **PKCE params:** `code_verifier` 43128 chars random, `code_challenge = BASE64URL(SHA256(verifier))`, `code_challenge_method=S256`. Never `plain`.
- **State + nonce:** `state` (CSRF, 32+ bytes random, bound to session) on every auth request; `nonce` (replay, in ID token claim) for OIDC. Reject response if either mismatches.
- **Redirect URIs:** exact-match, pre-registered at the IdP. No wildcards. `localhost` and custom schemes OK for native; HTTPS required for web.
- **Providers: Google** (`accounts.google.com/.well-known/openid-configuration`), **GitHub** (OAuth2 only, no OIDC discovery — hard-code `https://github.com/login/oauth/authorize`, `token`, `https://api.github.com/user`), **Apple** (OIDC, but only returns user name/email on FIRST consent — persist on first login or lose it), **Microsoft** (`login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration`).
- **Token handling:** `access_token` short-lived (≤1 h), kept server-side only. `refresh_token` rotated on every use (RFC 6749 §6 + OAuth 2.1), stored encrypted at rest, NEVER sent to the browser. `id_token` validated (JWKS signature + `iss` + `aud` + `exp` + `nonce`) and discarded — do NOT re-use as a session token.
- **Secrets:** `CLIENT_ID` + `CLIENT_SECRET` per provider in `secrets/*.env`; referenced by env var name only. Public clients (SPA/mobile) use PKCE WITHOUT a secret.
- **Libraries:** prefer Better-Auth (TS), NextAuth/Auth.js (Next.js), authlib (Python), openidconnect-rs or oauth2-rs (Rust). Avoid rolling your own — every major CVE in this space is custom code.
## References
- RFC 6749 (OAuth 2.0), RFC 7636 (PKCE), RFC 9700 (OAuth 2.0 Security BCP, 2024), OAuth 2.1 draft, OpenID Connect Core 1.0 [E1 — standards-track RFCs].
- `auth-sessions.md` for what to do AFTER the IdP handshake returns.
- Evidence grade [E2] — implementation widely deployed, spec stable since 2024.

27
_blocks/auth-passkeys.md Normal file
View file

@ -0,0 +1,27 @@
# AUTH — Passkeys (WebAuthn / FIDO2)
Phishing-resistant, passwordless authentication via public-key credentials bound to the Relying Party. For federated login see `auth-oauth2-oidc.md`; for session issuance after passkey assertion see `auth-sessions.md`.
## When to include
- Greenfield auth: passkeys as PRIMARY login (password-optional or password-less).
- Existing password login: passkeys as stronger step-up or second factor that also replaces the password.
- Any consumer product — Apple, Google, Microsoft all ship platform authenticators (Touch ID / Face ID / Windows Hello) and sync passkeys across devices via iCloud Keychain / Google Password Manager / Microsoft Authenticator as of 20242026.
## What it declares
- **Two ceremonies:**
- **Registration** — server sends `PublicKeyCredentialCreationOptions` (random `challenge`, `rp.id`, `rp.name`, `user.id` opaque, `pubKeyCredParams` prefer ES256=-7 and RS256=-257, `authenticatorSelection`, `attestation: "none"` unless regulated). Client returns `attestationObject` + `clientDataJSON`. Server verifies and stores `credentialID`, `publicKey`, `signCount`, `transports`, `backupEligible`, `backupState`.
- **Assertion (login)** — server sends `PublicKeyCredentialRequestOptions` (fresh random `challenge`, `rpId`, `allowCredentials` list or empty for discoverable). Client returns `signature` + `authenticatorData` + `clientDataJSON`. Server verifies signature with stored `publicKey`, checks `signCount` strictly > stored, origin, `rpId` hash.
- **RP ID** = eTLD+1 or a subdomain of it (`example.com` covers `app.example.com`; a passkey for `app.example.com` does NOT work on `example.com`). Pick RP ID carefully at launch — changing it invalidates every existing credential.
- **Resident / discoverable credentials** (`residentKey: "required"` + `userVerification: "required"`) enable username-less login ("Sign in" button with no email field). Requires passkey-capable authenticator.
- **Platform vs cross-platform:** `authenticatorAttachment: "platform"` = Touch ID / Face ID / Windows Hello (synced, convenient). `"cross-platform"` = roaming security keys (YubiKey, Titan). Leave unset to accept both.
- **Challenge**: 16+ random bytes per ceremony, single-use, time-boxed (≤5 min), bound to server session, rejected on replay.
- **Libraries:** SimpleWebAuthn (TS — reference implementation, covers both server + browser), webauthn-rs (Rust, `Webauthn` builder + `passkey` feature), fido2-rs (low-level), py_webauthn (Python). NEVER roll CBOR / COSE parsing by hand.
- **Recovery path REQUIRED** before enabling passkey-only — lose device, lose account. Ship at least one of: email magic-link fallback, passkey backup codes, OAuth federation as recovery. User opts out of recovery only after explicit warning.
## References
- W3C WebAuthn Level 3 (2024-ready), FIDO2 CTAP 2.1, passkeys.dev [E1 — W3C/FIDO specs].
- `auth-sessions.md` for cookie issuance after `verifyAuthenticationResponse` succeeds.
- Evidence grade [E2] — Apple/Google/Microsoft production since 20232024; SimpleWebAuthn 10.x stable.

29
_blocks/auth-sessions.md Normal file
View file

@ -0,0 +1,29 @@
# AUTH — Sessions & Cookies (+JWT tradeoff)
What happens AFTER identity is proven (password / OAuth / passkey / magic-link). Issues a session, enforces it on every request, and kills it on logout. Upstream of `auth-authorization.md`.
## When to include
- Any web or mobile app that needs an authenticated request state beyond a single round-trip.
- Any app that exposes logout, session revocation, or step-up auth.
- API-only backend (mobile/SPA): choose cookie-based session OR short-lived JWT — decision recorded per project.
## What it declares
- **Default: server-side opaque sessions** stored in Postgres / Redis / SQLite, keyed by a 256-bit random `session_id`. Row columns: `id`, `user_id`, `created_at`, `last_seen_at`, `expires_at`, `ip`, `user_agent`, `revoked_at`. Session data NEVER encoded in the cookie itself.
- **Cookie flags — all mandatory:** `HttpOnly` (blocks JS read → XSS-resistant), `Secure` (HTTPS only), `SameSite=Lax` for top-level nav auth / `Strict` for cross-site-hostile apps, `Path=/`, `__Host-` prefix for session cookie (forbids `Domain`, requires `Secure` + `Path=/`). Max-Age tuned to app: 730 days sliding, 24 h hard for regulated.
- **Session rotation:** issue a NEW `session_id` on login, logout-everywhere, password/passkey change, privilege elevation. Old row deleted or `revoked_at` set. Rotation defeats session fixation.
- **Logout:** delete the server row AND clear the cookie (`Max-Age=0`, same flags). Logout-everywhere = delete all rows for `user_id`. Client-only logout (cookie clear, server row kept) is a bug, not a feature.
- **CSRF:** `SameSite=Lax` covers most flows. For cross-origin POSTs keep a double-submit CSRF token (cookie + header/form field, server compares). API-only backend with Bearer token → no CSRF (no ambient credential).
- **JWT alternative — use ONLY when stateless horizontal scale matters more than revocation:**
- `access_token` ≤15 min, signed ES256 (NOT HS256 with shared secret across services), `iat`/`exp`/`aud`/`iss`/`sub` all validated, `kid` header + JWKS rotation.
- `refresh_token` opaque (NOT a JWT), stored server-side, rotated on every use (detect reuse → revoke family).
- Logout revokes refresh token ONLY; access token is trusted until `exp`. If you need instant revoke → use server sessions instead.
- Never store JWT in `localStorage` — use `HttpOnly` cookie or native secure storage. `localStorage` + XSS = total account takeover.
- **Libraries:** axum-login + tower-sessions (Rust), express-session / Better-Auth (Node), iron-session (edge), starlette SessionMiddleware + authlib (Python), SvelteKit `event.cookies`. JWT: jose (TS), jsonwebtoken (Rust), PyJWT.
## References
- OWASP Session Management Cheat Sheet, RFC 6265bis (cookies), RFC 7519 (JWT), RFC 8725 (JWT BCP) [E1].
- `auth-oauth2-oidc.md` / `auth-passkeys.md` — upstream identity proof; `auth-authorization.md` — downstream permission check.
- Evidence grade [E2] — session-cookie pattern stable since 2000s; JWT revocation gap is a well-known tradeoff.

20
_blocks/baseline.md Normal file
View file

@ -0,0 +1,20 @@
# BASELINE — inherit from Main Claude (never violate)
You inherit from `~/.claude/CLAUDE.md`. Re-read it on ambiguity. Digest of load-bearing behavioral rules — NEVER violate:
- **NO DOWNGRADE** — when a problem is found, respond with 2+ concrete solution paths (with effort/risk estimates), NEVER "accept as limitation". Defeatism = epistemic cowardice.
- **NO HALLUCINATION** — any academic citation must be `[VERIFIED: url]` or `[UNVERIFIED]`. No fabricated authors/years/DOIs/numbers. Confidence mandatory: `[100% proven]` / `[80% likely]` / `[30% speculative]` / `[0% don't know]`.
- **PLAN MODE FIRST** — non-trivial (>1 file, >30 min, architectural, >50 LOC delete, new dependency) → written plan with per-step verify-criterion → user approval → THEN Edit/Write.
- **Constructor Pattern** — 1 file = 1 class = 1 responsibility. File >200 LOC → split. Function >30 LOC → split. No mixins, factories, DI containers.
- **Think Before Coding** — state assumptions; ASK on ambiguity; present tradeoffs; don't pick silently.
- **Surgical Changes** — every changed line must trace to the user's request. Don't "improve" adjacent code. Remove orphans YOUR changes created.
- **Goal-Driven** — convert every task to a verify-criterion before starting. "Fix bug" → "write a test that reproduces it, then pass".
Core discipline rules:
1. **No Patching / No Overlays** — fixes go INTO ROOT FORMULAS. File doubled from "fixes" = overlay.
2. **Root Cause** — always find the root, not the symptom.
3. **Don't Rewrite Working Code** — no rewrite without a reason.
4. **Full Observability** — log parameters; no data → no decisions.
5. **Single Source of Truth** — types, routes, enums in ONE place.
6. **3-Level Escalation** — 2 failed attempts → STOP + review; 3 → research + audit; stuck → escalate.

59
_blocks/ci-forgejo-actions.md Normal file
View file

@ -0,0 +1,59 @@
# CI — Forgejo Actions (self-hosted, Tailscale-only admin)
Forgejo Actions is GitHub-Actions compatible at the workflow-syntax layer (derived from Gitea Actions, which re-uses the `actions/*` runtime via `act`). A workflow that runs on GH usually runs on Forgejo with only the runner labels and registry URLs changed. Good fit for any repo that must stay on private hosting (sensitive IP, compliance, air-gap).
## Layout
Workflows live under `.forgejo/workflows/*.yml` (primary) — `.gitea/workflows/` also works for legacy repos. Keep the same narrow split as GH:
- `ci.yml` — build + test
- `release.yml` — tag-driven
- `security.yml` — scheduled scanners
## Self-hosted runner
Forgejo has no SaaS runner fleet — you provide the compute. Install `forgejo-runner` [VERIFIED: https://code.forgejo.org/forgejo/runner] on a node that is reachable ONLY over Tailscale.
Registration:
```bash
forgejo-runner register \
--no-interactive \
--instance http://<forgejo-host>:3000 \
--name my-runner-01 \
--labels "self-hosted,linux,x64,docker" \
--token "$FORGEJO_RUNNER_TOKEN" # from secrets/runner.env (RULE 0.8)
```
`FORGEJO_RUNNER_TOKEN` stays in `secrets/runner.env` — reference via env name only, never paste the literal value.
Target in workflow:
```yaml
jobs:
build:
runs-on: [self-hosted, linux, x64]
```
## GitHub-compat surface
Works out of the box: `actions/checkout@v4`, `actions/cache@v4`, `actions/setup-node@v4`, `Swatinem/rust-cache@v2`, shell/docker steps, matrix, reusable workflows (`uses: <forgejo-host>/<owner>/<repo>/.forgejo/workflows/<file>@<sha>`).
Does NOT work: `permissions:` block (Forgejo token is scoped at the runner level, not per-job), OIDC federation to AWS/GCP (no JWKS endpoint served by Forgejo), GitHub-Marketplace actions that call `api.github.com` directly.
Workaround for OIDC: for cloud deploys from Forgejo, prefer short-lived STS tokens minted by a bastion that has an IAM role, passed into the runner via a sealed env file rotated daily.
## Tailscale-only admin posture
Forgejo bound to a private interface (Tailscale/Wireguard/VPC); pick an address + SSH port per your topology. NEVER bind Forgejo to a public IP — runner tokens, PATs, and repo contents are all harvestable from a publicly-reachable instance.
## Secrets
Forgejo repo secrets (`Repo → Settings → Actions → Secrets`) mirror GH secrets syntactically: `${{ secrets.FOO }}`. Organisation-scope secrets also supported. Every secret still references the canonical `~/.claude/secrets/.env` / `secrets/*.env` source — repo secrets are cache copies, rotated when the source rotates.
## Forbidden
- Exposing Forgejo port 3000 or 2222 on a public IP
- Running `forgejo-runner` on a host that is also a production application node
- Mirroring a private Forgejo repo to github.com to "get free CI" — if any project rule forbids a github remote, the mirror violates it transitively
- Hard-coded runner tokens in workflow YAML (always `${{ secrets.* }}`)

95
_blocks/ci-github-actions.md Normal file
View file

@ -0,0 +1,95 @@
# CI — GitHub Actions (OIDC, matrix, cache, reusable workflows)
Pipeline platform for code hosted on (or mirrored to) github.com. This block ships the defaults; pair with `ci-security-gate.md` for scanners and `ci-release-automation.md` for tags.
## Workflow layout
Keep workflow files narrow: ONE responsibility each under `.github/workflows/`.
- `ci.yml` — build + test on every push/PR
- `release.yml` — tag-driven release automation (see `ci-release-automation.md`)
- `security.yml` — scheduled scanners (see `ci-security-gate.md`)
- `deploy-*.yml` — per-environment deploys, each behind a GitHub Environment with required reviewers
## OIDC — cloud deploy WITHOUT long-lived keys
GitHub Actions mints a short-lived JWT per run; the cloud provider trusts `token.actions.githubusercontent.com` and issues temporary credentials. **Never** store `AWS_SECRET_ACCESS_KEY` / `GCP_SA_KEY` in repo secrets.
```yaml
permissions:
id-token: write # mandatory for OIDC
contents: read
jobs:
deploy:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4 # [VERIFIED: https://github.com/actions/checkout]
- uses: aws-actions/configure-aws-credentials@v4 # [VERIFIED: https://github.com/aws-actions/configure-aws-credentials]
with:
role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/gha-deployer
aws-region: eu-north-1
```
Cloud-side role trust policy pins `repo:<org>/<repo>:ref:refs/heads/main` — wildcards invite cross-repo impersonation.
## Least-privilege GITHUB_TOKEN
Default token permissions at the workflow level, then widen per-job:
```yaml
permissions:
contents: read # read-only at top level
jobs:
build:
# inherits read-only
release:
permissions:
contents: write # only the release job gets write
id-token: write
```
Org-level default should be `read` (Settings → Actions → Workflow permissions). Any job requiring write must opt in explicitly.
## Matrix builds
Fan out across OS × language version × target; `fail-fast: false` prevents one red cell from cancelling the whole matrix.
```yaml
strategy:
fail-fast: false
matrix:
os: [ubuntu-24.04, macos-14]
rust: [stable, 1.80] # MSRV pin
```
## Cache hygiene
- Lock-file as key, never branch name: `key: cargo-${{ hashFiles('**/Cargo.lock') }}`.
- `restore-keys` is a PREFIX fallback — safe for cold PRs.
- `actions/cache@v4` [VERIFIED: https://github.com/actions/cache] for generic; language-specific actions (`actions/setup-node@v4`, `Swatinem/rust-cache@v2`) manage cache internally — don't double-cache.
- Cache POISONING check: never cache directories that contain your built artefacts alongside downloaded deps.
## Reusable workflows
Shared logic lives in one repo and is called by `uses: <org>/<repo>/.github/workflows/<file>.yml@<sha>`. Pin by SHA, not tag — tags are mutable. `workflow_call` contract:
```yaml
on:
workflow_call:
inputs:
rust-version: { required: true, type: string }
secrets:
CARGO_TOKEN: { required: false }
```
## Pinning third-party actions
Pin by full commit SHA, not tag: `uses: foo/bar@3a4b5c6d7e8f9012...` with a comment `# v2.1.0`. Dependabot updates SHAs the same way — supply-chain hijack via tag-overwrite is a documented class (e.g. `tj-actions/changed-files` 2025). [E2]
## Forbidden
- `secrets.AWS_SECRET_ACCESS_KEY` in any workflow (use OIDC)
- `permissions: write-all` at workflow level
- Third-party action pinned by tag
- `pull_request_target` with `checkout` of PR head + secrets access (classic pwn-request)
- Caching `target/` or `node_modules/` alongside `.git` or user config

80
_blocks/ci-release-automation.md Normal file
View file

@ -0,0 +1,80 @@
# CI — Release automation (SemVer, changelog, tagging)
Automates "merge to main → versioned release" so the next step (build artefact, publish, deploy) has a predictable trigger. Picks ONE tool per repo — mixing release-please with cargo-release creates duplicate tags. Pair with `ci-github-actions.md` / `ci-forgejo-actions.md` for the workflow shell.
## Tool picks per ecosystem
| Stack | Tool | Trigger | Changelog source |
|---|---|---|---|
| Monorepo / polyglot / apps | release-please [VERIFIED: https://github.com/googleapis/release-please] | merge to main | Conventional Commits |
| JS/TS packages (npm publish) | changesets [VERIFIED: https://github.com/changesets/changesets] | merge of `.changeset/*.md` | Explicit changeset files |
| Rust crates (crates.io) | cargo-release [VERIFIED: https://github.com/crate-ci/cargo-release] | manual `cargo release` | git log + Conventional Commits |
| Go modules | goreleaser [VERIFIED: https://github.com/goreleaser/goreleaser] | tag push | git log + `.goreleaser.yaml` |
## SemVer contract
- `MAJOR` — breaking change to public API, wire format, on-disk schema, config file keys
- `MINOR` — additive feature, no breakage, new optional fields
- `PATCH` — bug fix, performance, docs, dep bump without API change
Conventional Commits mapping: `feat!:` / `BREAKING CHANGE:` → MAJOR; `feat:` → MINOR; `fix:` / `perf:` / `refactor:` → PATCH; `checkpoint:` / `audit:` / `chore:` → no-bump (ignored by release-please).
## release-please minimal config
`.github/workflows/release.yml` (or `.forgejo/workflows/release.yml`):
```yaml
on:
push:
branches: [main]
permissions:
contents: write # create tags + releases
pull-requests: write # update the Release-PR
jobs:
release-please:
runs-on: ubuntu-24.04
steps:
- uses: googleapis/release-please-action@v4 # [VERIFIED: https://github.com/googleapis/release-please-action]
with:
release-type: rust # or node, python, go, simple, etc.
token: ${{ secrets.GITHUB_TOKEN }}
```
release-please opens a long-lived "Release PR" that updates `CHANGELOG.md` + version file on every main merge; merging that PR creates the tag and GitHub Release. No human writes the changelog.
## changesets minimal config (JS/TS monorepo)
```yaml
- uses: changesets/action@v1 # [VERIFIED: https://github.com/changesets/action]
with:
publish: pnpm release # runs `changeset publish`
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
```
Each PR that changes a package ships a `.changeset/<name>.md` describing the bump. CI blocks merge without one (`changeset status --since=origin/main`).
## cargo-release minimal config (Rust crates.io)
`release.toml` at repo root:
```toml
sign-tag = true
push = true
tag-message = "{{crate_name}} {{version}}"
pre-release-commit-message = "release: {{version}}"
```
Publish workflow runs on tag push: `cargo publish --token "$CARGO_REGISTRY_TOKEN"` where the token is minted just-in-time from the `ci-security-gate.md` trusted-publishing flow.
## Lock-file discipline
`Cargo.lock` / `package-lock.json` / `pnpm-lock.yaml` / `pubspec.lock` / `go.sum` — ALWAYS committed (RULE git-conventions). Release workflows must FAIL if the lock file is stale: `cargo update --locked --dry-run`, `pnpm install --frozen-lockfile`, `go mod verify`.
## Forbidden
- Manual `git tag vX.Y.Z && git push --tags` when a release tool is configured (drift between CHANGELOG and tag)
- Two release tools in the same repo (release-please + cargo-release both tagging)
- Publishing from a `pull_request` trigger (never — only from `push` to main or `workflow_dispatch`)
- Forcing a tag with `git push --force origin refs/tags/*` — breaks every consumer that pinned by SHA
- Stale lock files passing CI (must be a hard fail, not a warning)

82
_blocks/ci-security-gate.md Normal file
View file

@ -0,0 +1,82 @@
# CI — Security gate (secrets, SCA, SBOM, semgrep, licenses)
Every PR passes through this gate before merge. Every scheduled run re-scans `main`. Pair with `ci-github-actions.md` / `ci-forgejo-actions.md` (the shell) and RULE 0.8 (secrets SSoT) / () — the gate enforces both.
## Scanner set (one job each, matrix is fine)
| Concern | Tool | Trigger | Fail threshold |
|---|---|---|---|
| Leaked secrets | gitleaks [VERIFIED: https://github.com/gitleaks/gitleaks] | PR + push | any finding |
| Rust SCA | cargo-audit [VERIFIED: https://github.com/rustsec/rustsec] | PR + cron daily | any `Vulnerability` |
| Node SCA | `npm audit` / `pnpm audit` (native) | PR + cron | `high` and above |
| Python SCA | pip-audit [VERIFIED: https://github.com/pypa/pip-audit] | PR + cron | any CVE |
| SBOM generation | syft [VERIFIED: https://github.com/anchore/syft] | release only | CycloneDX JSON as artefact |
| SAST / patterns | semgrep [VERIFIED: https://github.com/semgrep/semgrep] | PR | any `ERROR` severity |
| License policy | cargo-deny [VERIFIED: https://github.com/EmbarkStudios/cargo-deny] (Rust) / license-checker (JS) | PR | disallowed SPDX ID |
## gitleaks — secrets scan (always first)
Runs before any build step so that a detected secret aborts the job without ever shipping a binary that used it.
```yaml
- uses: gitleaks/gitleaks-action@v2 # [VERIFIED: https://github.com/gitleaks/gitleaks-action]
env:
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} # orgs only; free for ≤25 users
```
Custom rules in `.gitleaks.toml` at repo root — mirror the patterns from `~/.claude/rules/secrets-single-source.md` (sk-, ghp_, sk-ant-, Telegram bot, AWS access key, etc.). Any hit FAILS the run. No "informational" severity for secrets.
## cargo-audit / pip-audit / npm audit
Daily cron to catch CVEs published after merge. Fail-fast on HIGH/CRITICAL; report MEDIUM to a tracking issue rather than blocking the PR.
```yaml
- run: cargo audit --deny warnings --deny unmaintained --deny yanked
```
Pin the advisory-DB commit in vendored copies; upstream can get taken down.
## SBOM via syft
Generate CycloneDX JSON for every published artefact. Attach to the GitHub Release (see `ci-release-automation.md`) and to the container image as an OCI annotation.
```yaml
- uses: anchore/sbom-action@v0 # [VERIFIED: https://github.com/anchore/sbom-action]
with:
format: cyclonedx-json
artifact-name: sbom.cdx.json
```
SLSA provenance (`slsa-framework/slsa-github-generator`) is an optional upgrade; required when shipping to any customer under a supply-chain contract.
## semgrep — SAST
`p/default` + `p/secrets` + `p/owasp-top-ten` + any language pack relevant to the repo. Custom rules under `.semgrep/*.yaml` for project-specific patterns (e.g. "no `unwrap()` in request handlers").
```yaml
- uses: semgrep/semgrep-action@v1 # [VERIFIED: https://github.com/semgrep/semgrep-action]
env:
SEMGREP_RULES: p/default p/secrets p/owasp-top-ten
```
## License policy
`cargo-deny` `deny.toml` declares allowed SPDX identifiers (`MIT`, `Apache-2.0`, `BSD-3-Clause`, `ISC`, `Unicode-DFS-2016`). Anything else FAILS the PR. GPL / AGPL / SSPL in a commercial repo = hard stop. For JS, `license-checker --failOn 'GPL;AGPL;SSPL'`.
## Scheduling
```yaml
on:
pull_request:
push: { branches: [main] }
schedule:
- cron: "17 3 * * *" # daily 03:17 UTC — off-hour, avoids global burst
```
## Forbidden
- Running the security gate AFTER build/test (secret must block before the secret-using binary exists)
- Allowing "informational" severity on secrets scans (gitleaks = binary; 0 or 1)
- Skipping `cargo-audit` / `pip-audit` on release workflows (a CVE published yesterday ships today without it)
- Uploading SBOM to a public artefact store from a RULE-0.1 repo (internal artefact store only)
- Copy-pasting a secret detected by gitleaks into the chat to "discuss" — rotate at provider FIRST, then discuss

51
_blocks/db-drizzle.md Normal file
View file

@ -0,0 +1,51 @@
# DB — Drizzle ORM (TypeScript) patterns
Use when the project is TypeScript/Next.js/Bun/Node and needs a type-safe SQL layer without Prisma's heavyweight engine process. Pairs with `stack-nextjs`. [E4 — expert assessment]
**Core versions:** `drizzle-orm` (latest on npm) + `drizzle-kit` (migrations CLI) as of 2026-04. Peer-deps: `pg` for Postgres, `better-sqlite3` / `@libsql/client` for SQLite, `mysql2` for MySQL. [UNVERIFIED: pin exact versions from npm before shipping]
**Schema-first, not code-first:**
```ts
// db/schema.ts
import { pgTable, serial, text, timestamp, integer } from "drizzle-orm/pg-core";
export const users = pgTable("users", {
id: serial("id").primaryKey(),
email: text("email").notNull().unique(),
createdAt: timestamp("created_at").defaultNow().notNull(),
});
export const posts = pgTable("posts", {
id: serial("id").primaryKey(),
authorId: integer("author_id").references(() => users.id).notNull(),
body: text("body").notNull(),
});
```
`schema.ts` IS the source of truth. All types flow from it — `typeof users.$inferSelect` gives you the row type.
**Query with full inference:**
```ts
import { eq } from "drizzle-orm";
const rows = await db.select().from(users).where(eq(users.id, 1));
// rows: { id: number; email: string; createdAt: Date }[]
```
No codegen step, no separate `.prisma` file. Type errors surface in the IDE immediately.
**Migrations via drizzle-kit:**
```bash
drizzle-kit generate # diff schema.ts against prev snapshot → emit SQL in drizzle/
drizzle-kit migrate # apply pending migrations
drizzle-kit studio # local web UI to inspect data
```
Config in `drizzle.config.ts` — specify `dialect`, `schema`, `out`, `dbCredentials`.
**Connection / pool:**
```ts
import { drizzle } from "drizzle-orm/node-postgres";
import { Pool } from "pg";
const pool = new Pool({ connectionString: process.env.DATABASE_URL, max: 20 });
export const db = drizzle(pool, { schema });
```
Serverless (Vercel / CF Workers): use `neon-serverless` or `@libsql/client` driver instead — the `pg` Pool doesn't survive cold-start boundaries.
**Forbidden:** template-string SQL with untrusted input (`sql\`SELECT * WHERE x = ${userInput}\`` — use `sql.placeholder` or the query builder); committing `drizzle/meta/_journal.json` conflicts (merge manually or regenerate); mixing drizzle-kit versions across dev machines.

33
_blocks/db-migration-hygiene.md Normal file
View file

@ -0,0 +1,33 @@
# DB — Migration hygiene (universal)
Applies to every migration tool — `kei-migrate`, Atlas, goose, sqlx-cli, drizzle-kit, Alembic, Prisma migrate, Ecto migrations. [E4 — expert assessment]
**Numbering:** timestamp prefix, not integer. `20260421_120000_add_users_email_index.sql` sorts correctly forever and doesn't collide on parallel branches. Integer sequences (`0001_`, `0002_`) collide on merge; reject them in review.
**Up + down pairs:** every migration has a reverse. If the reverse is destructive and unsafe (e.g. dropping a column with data), write a `-- IRREVERSIBLE` comment and stop the down-script there. NEVER auto-run destructive downs on prod without a human click.
**Idempotent where possible:**
```sql
CREATE TABLE IF NOT EXISTS users (...);
CREATE INDEX IF NOT EXISTS idx_users_email ON users(email);
ALTER TABLE users ADD COLUMN IF NOT EXISTS bio TEXT; -- PG 9.6+, verify per-DB
```
Re-running a partially-applied migration should be safe. A migration that crashes mid-way and can't be re-run = 2AM incident waiting to happen.
**Zero-downtime pattern (add-then-drop):**
1. Deploy migration that ADDS new column / table (old code still works).
2. Deploy app code that writes BOTH old + new.
3. Backfill old → new.
4. Deploy app code that reads new, ignores old.
5. Deploy migration that DROPS old column.
Never `DROP` + `ADD RENAME` in one migration on a live table. That's a table lock + app-downtime event.
**Backfill patterns:**
- Small table (< 1M rows): `UPDATE ... SET new = f(old)` in a single migration.
- Large table: background job with batched `UPDATE ... WHERE id BETWEEN ? AND ?` + `LIMIT`. Commit per batch. Monitor lag.
- Very large (> 100M rows): use the DB's native tooling (PG `VACUUM FULL` not needed; `pg_repack` if column-add bloats). [UNVERIFIED: verify on current PG docs]
**Tracking table (`_kei_migrations` or equivalent):** stores (version, name, checksum, applied_at). Checksum prevents silent tampering with an already-applied file. If checksum mismatches on an applied migration → hard-fail, demand human intervention.
**Forbidden:** editing a migration file after it's been applied on any environment (checksum break); `DROP TABLE` without backup + 24h cooldown; mixing DDL + large DML in one transaction (long locks); running migrations automatically on app startup in multi-replica deploys without a leader-election guard (every replica tries to apply = race condition).

28
_blocks/db-postgres.md Normal file
View file

@ -0,0 +1,28 @@
# DB — PostgreSQL (current major — 17 as of 2026-04) patterns
Use when the project needs relational integrity, concurrent writes, or server-side indexing power that SQLite can't match. Default RDBMS for new multi-user services. [E4 — expert assessment]
**Version choice:** PostgreSQL 17 for new projects (current GA line, improved vacuum, JSON_TABLE, better parallel index builds). PostgreSQL 16 acceptable if hosting provider pins it. [UNVERIFIED: exact feature matrix — verify on postgresql.org/docs before committing to a minor-version-specific feature]
**Schema migrations:** every schema change ships as a numbered `.sql` file, never `ALTER TABLE` on prod. Use `kei-migrate` (this kit) or Atlas/goose/sqlx-cli — see `db-migration-hygiene.md`. One migration per logical change; no mega-migrations.
**Indexing:**
- B-tree default for equality + range. `CREATE INDEX CONCURRENTLY` on prod to avoid table lock.
- `GIN` for `jsonb` / array / full-text (`tsvector`).
- `BRIN` only for massive append-only time-series (orders of magnitude smaller than B-tree).
- Partial indexes (`WHERE active = true`) for sparse predicates.
- **Verify with `EXPLAIN (ANALYZE, BUFFERS)`** before declaring an index necessary. No blind indexing.
**Connection pooling:** app-side connection pool is NOT enough at scale. Use:
- **PgBouncer** (transaction mode) for most services — battle-tested, low overhead.
- **Supavisor** if already on Supabase — serverless-friendly, wire-compatible. [E4]
- Native server pooling (PG 17's improved but still not a substitute). [UNVERIFIED]
Sizing rule of thumb: `max_connections` on server × 1 pool layer. Don't stack pools (pool → PgBouncer → PG = deadlock risk).
**Backup:**
- Logical: `pg_dump` nightly for schema + data portability.
- Physical: `pg_basebackup` + WAL archiving (`archive_command`) for PITR.
- Managed service (RDS / Supabase / Neon) — verify backup retention in their UI, don't assume.
**Forbidden:** `SELECT *` in hot paths (N+1 + column drift); unindexed FK columns (join explosion); `SERIAL` on new tables — prefer `GENERATED ALWAYS AS IDENTITY` (SQL standard, PG 10+); plaintext passwords in `pg_hba.conf`; committing `.env` with DB URL.

34
_blocks/db-sqlite.md Normal file
View file

@ -0,0 +1,34 @@
# DB — SQLite (prod-suitable) patterns
Use when the workload is read-heavy, single-writer-acceptable, or needs zero-ops embedded storage. SQLite is prod-suitable — Fly.io, Turso, Cloudflare D1, and countless CLI/mobile apps run it in production. [E4 — expert assessment]
**When NOT to use:** high-concurrency write workload (> ~1 writer/sec sustained), multi-region strong consistency, horizontal write scaling. Use Postgres instead.
**WAL mode is mandatory for prod:**
```sql
PRAGMA journal_mode = WAL; -- readers don't block writer, writer doesn't block readers
PRAGMA synchronous = NORMAL; -- durable across app crash, NOT across power loss (use FULL if PSU-risk)
PRAGMA busy_timeout = 5000; -- 5s wait for lock instead of instant SQLITE_BUSY
PRAGMA foreign_keys = ON; -- default OFF in SQLite (!), always enable
PRAGMA temp_store = MEMORY;
```
Apply these on every connection open — they are per-connection, not per-database (except `journal_mode` which persists).
**Distributed patterns:**
- **Turso** (libSQL fork): edge-replicated read replicas with HTTP/WebSocket wire protocol. Primary single-writer, replicas read-only. [E4]
- **LiteFS** (Fly.io): file-system replication, leader-election via Consul. Primary+replicas. [E4]
- **Cloudflare D1**: managed SQLite on edge with their own replication. [UNVERIFIED: current throughput limits]
- **Litestream**: continuous replication to S3/R2 for backup + PITR; single node, not HA.
**Full-text search (FTS5):**
```sql
CREATE VIRTUAL TABLE docs_fts USING fts5(title, body, content=docs, content_rowid=id);
CREATE TRIGGER docs_ai AFTER INSERT ON docs BEGIN
INSERT INTO docs_fts(rowid, title, body) VALUES (new.id, new.title, new.body);
END;
```
FTS5 outperforms bolt-on `LIKE '%x%'` by 100×+ on large text corpora. Native, no extension install.
**Backup:** `sqlite3 db '.backup /path/backup.db'` while app runs (safe with WAL). Or Litestream for continuous.
**Forbidden:** multiple writer processes without a coordination layer; opening the same DB over NFS (lock semantics broken); `DELETE FROM bigtable` without `VACUUM` after (doesn't shrink file); committing the `.db` / `.db-wal` / `.db-shm` files to git.

39
_blocks/db-sqlx.md Normal file
View file

@ -0,0 +1,39 @@
# DB — SQLx (Rust) patterns
Use when the project is Rust and needs a SQL-first (not ORM) query layer with compile-time checking. Pairs with `stack-rust-axum`, `stack-rust-cli`. [E4 — expert assessment]
**Core versions:** `sqlx = "0.8"` (current as of 2026-04) with features `runtime-tokio`, `tls-rustls`, and one of `postgres` / `sqlite` / `mysql`. Never mix `runtime-async-std` and `runtime-tokio` — they clash at link time. [UNVERIFIED: verify latest on crates.io before pinning]
**Compile-time checked queries:**
```rust
let row = sqlx::query!("SELECT id, name FROM users WHERE id = $1", user_id)
.fetch_one(&pool).await?;
```
Requires either:
- `DATABASE_URL` env set during `cargo build` (live DB) — convenient in dev, brittle in CI.
- **Offline mode** (recommended for CI): `cargo sqlx prepare` commits `.sqlx/query-*.json` to the repo, then CI builds with `SQLX_OFFLINE=true` and no DB access.
**Connection pool:**
```rust
let pool = sqlx::postgres::PgPoolOptions::new()
.max_connections(20) // tune to server max_connections / replica count
.acquire_timeout(Duration::from_secs(3))
.connect(&database_url).await?;
```
Single `PgPool` per process, `Arc`-cloned into handlers. Don't open per-request.
**Migrations:**
```rust
sqlx::migrate!("./migrations").run(&pool).await?;
```
Built-in runner reads `YYYYMMDDHHMMSS_<name>.sql` files. For richer UX (up/down, status, create scaffolding) use the `kei-migrate` primitive in this kit.
**Transactions:**
```rust
let mut tx = pool.begin().await?;
sqlx::query!("...").execute(&mut *tx).await?;
sqlx::query!("...").execute(&mut *tx).await?;
tx.commit().await?; // explicit; Drop = rollback
```
**Forbidden:** `sqlx::query` (non-macro) with untrusted input without `bind()` — that's string concat, i.e. SQL injection; `.unwrap()` on DB calls in prod paths; enabling both `runtime-tokio` and `runtime-async-std`; committing a live `DATABASE_URL` to `.env.example`.

26
_blocks/deploy-aws-ec2.md Normal file
View file

@ -0,0 +1,26 @@
# DEPLOY — AWS EC2 (Instance Connect + Elastic IP)
**SSH pattern — EC2 Instance Connect (60 s key window, no permanent authorized_keys):**
```
aws ec2-instance-connect send-ssh-public-key \
--instance-id i-XXXXXXXXXXXXXXXXX \
--instance-os-user ec2-user \
--ssh-public-key file://~/.ssh/id_ed25519.pub
ssh ec2-user@<elastic-ip> # within 60 s
```
Typical pattern: dedicated instance per project with an Elastic IP in a chosen region. Multi-project shared hosts are fine, but track co-tenancy (below).
**Network posture:**
- **Elastic IP** for any node that needs stable identity (client configs, DNS, firewall rules).
- **Security Group**: allow SSH (port 22) ONLY from Tailscale CGNAT (`100.64.0.0/10`) or a specific admin IP. NEVER `0.0.0.0/0:22` in prod.
- Application ports exposed through an ALB or nginx reverse proxy — not directly on the instance.
- IMDSv2 REQUIRED (`HttpTokens=required`). v1 is SSRF-exploitable.
**IAM:**
- Use IAM roles attached to the instance (`aws configure` on-instance hits the metadata endpoint).
- NEVER bake static AWS keys into AMI / env / user-data.
- Use a preconfigured named AWS profile (`--profile <name>`), not interactive console for read ops.
**Shared-host coordination:** if one instance runs multiple apps (e.g. API + marketing dashboards + internal tools), host-level change (apt / systemd / nginx) → cross-project impact check BEFORE reboot.
**Forbidden:** open port 22 to `0.0.0.0/0`, static AWS keys in repo / `.env` committed to git, IMDSv1, rebooting shared hosts without cross-project sanity check, asking user to log into console for read ops (profile is set up — use it).

28
_blocks/deploy-cloudflare.md Normal file
View file

@ -0,0 +1,28 @@
# DEPLOY — Cloudflare (Workers / Pages / R2 / KV)
**Tooling:** `wrangler` CLI (≥ 3.x). `wrangler.toml` is source of truth for bindings, NOT dashboard clicks.
**Surface map:**
- **Workers** — edge compute. `wrangler deploy`. Logs via `wrangler tail`.
- **Pages** — static sites + Pages Functions. Per-branch preview URLs automatic.
- **R2** — S3-compatible object storage. No egress fees.
- **KV** — eventually-consistent key-value config store. Reads cached at the edge.
- **D1** — SQLite at edge (beta/GA track).
**Secrets (NEVER in `wrangler.toml`):**
```
wrangler secret put API_KEY # interactive, encrypted at rest
wrangler secret put --env prod DB_URL
```
`wrangler.toml` is committed to git; secrets live in the platform vault only.
**Self-sufficiency — CF API token scopes (request ALL up front):**
Workers KV · Workers R2 · Workers Scripts · Pages · Zone Edit · DNS · Zone Read · Zone Settings · SSL. Missing scope → ask user to add to token, NEVER ask user to click in the dashboard.
**HARD RULE — CF ToS forbids proxy-mode traffic forwarding:**
- Worker for signaling, fronting helpers, metadata lookups — OK
- Worker as a full proxy pipe (upstream ⇆ Worker ⇆ downstream as a tunnel) — FORBIDDEN. Signaling / rendezvous Workers must do metadata only, NEVER arbitrary traffic. Violation → account ban.
**Cache strategy:** `Cache-Control` headers authoritative; purge via `wrangler pages deployment` or API. `NEXT_PUBLIC_*` / `PUBLIC_*` vars ship to client — treat as non-secret.
**Forbidden:** secrets in `wrangler.toml`, full-proxy Workers (ToS), manual dashboard edits when API token has the scope, committing `.dev.vars`.

34
_blocks/deploy-docker.md Normal file
View file

@ -0,0 +1,34 @@
# DEPLOY — Docker
**Dockerfile — multi-stage MANDATORY** (build tools never ship to prod image):
```
FROM rust:1.80 AS builder
WORKDIR /app
COPY . .
RUN cargo build --release --bin myapp
FROM gcr.io/distroless/cc-debian12
COPY --from=builder /app/target/release/myapp /myapp
USER nonroot:nonroot
HEALTHCHECK --interval=30s --timeout=3s CMD ["/myapp", "--healthcheck"]
ENTRYPOINT ["/myapp"]
```
**Base image:** `distroless` (preferred, no shell — smaller attack surface) or `alpine` (if musl compat) or `debian:slim`. NEVER `ubuntu:latest` for prod.
**File ops:**
- `COPY` — deterministic. NEVER `ADD` (auto-extracts tars, fetches URLs — surprising behavior).
- `.dockerignore` committed. Includes `.git`, `target/`, `node_modules/`, `.env*`, `secrets/`.
**Secrets:**
- NEVER `ENV SECRET=...` — leaks into image layers forever.
- Build-time secrets via `--secret id=foo,src=./foo.txt` (BuildKit).
- Runtime secrets via env injection from orchestrator / docker-compose `secrets:` (Swarm) / K8s Secret.
**User:** `USER nonroot` (distroless provides it) or explicit `RUN useradd -u 10001 app && USER app`. Running as root = CVE amplifier.
**Healthcheck:** MANDATORY. Orchestrator uses it for readiness/liveness; without it, failed containers stay "up".
**docker-compose:** LOCAL DEV ONLY. For prod, the orchestrator (ECS, Fargate, K8s, Nomad, Docker Swarm) owns the deployment. Typical prod pattern: single container listening on internal port, behind nginx reverse proxy on a public port, colocated on a shared host.
**Forbidden:** `ADD` for local files (use `COPY`); `USER root` in final stage; secrets in `ENV` or `ARG`; missing `HEALTHCHECK`; `docker-compose` as prod orchestrator; `:latest` tags in prod manifests; single-stage Dockerfile that ships build toolchain.

50
_blocks/deploy-hetzner-cloud.md Normal file
View file

@ -0,0 +1,50 @@
# DEPLOY — Hetzner Cloud (CX22 / CAX11 + TF + Cloud Firewall)
**Why Hetzner:** cheapest EU VPS with reputable network. CX22 (x86, 2 vCPU / 4 GB / 40 GB) = **€3.79/mo + VAT**; CAX11 (Ampere ARM64, 2 vCPU / 4 GB / 40 GB) = **€3.79/mo + VAT**. Prices verified on <https://www.hetzner.com/cloud/> [VERIFIED 2026-04-21]. Hourly billing caps at the monthly rate — safe to spin down for tests.
**Terraform provider:** `hetznercloud/hcloud` (official). Pin version:
```hcl
terraform {
required_providers {
hcloud = { source = "hetznercloud/hcloud", version = "~> 1.49" }
}
}
provider "hcloud" { token = var.hcloud_token }
```
Token via env: `export HCLOUD_TOKEN=$(grep ^HCLOUD_TOKEN ~/.claude/secrets/.env | cut -d= -f2)`. **NEVER commit the token** (RULE 0.8 — see `domain-has-secrets.md`).
**Minimal `hcloud_server` resource:**
```hcl
resource "hcloud_server" "node" {
name = "kei-${var.env}-${var.role}"
image = "debian-12"
server_type = var.arch == "arm64" ? "cax11" : "cx22"
location = var.location # fsn1 / nbg1 / hel1 / ash / hil / sin
ssh_keys = [hcloud_ssh_key.admin.id]
user_data = file("${path.module}/cloud-init.yaml")
firewalls { firewall_id = hcloud_firewall.base.id }
labels = { project = "kei", env = var.env }
}
```
`ssh_keys` is **mandatory** — passing it disables the root password e-mail path.
**Cloud Firewall (stateful, IN by default DENY):**
```hcl
resource "hcloud_firewall" "base" {
name = "kei-base"
rule { direction = "in" protocol = "tcp" port = "22" source_ips = var.admin_cidrs }
rule { direction = "in" protocol = "icmp" source_ips = ["0.0.0.0/0", "::/0"] }
# Add app ports (443, 80) only when an app is deployed behind the node.
}
```
Attach to the server via `firewalls { firewall_id = … }`. Cloud Firewall is the FIRST line of defense — it drops traffic before it hits the VM's ufw (see `security-firewall-ufw.md`). Both layers MUST agree.
**Locations:** `fsn1` (Falkenstein DE), `nbg1` (Nürnberg DE), `hel1` (Helsinki FI), `ash` (Ashburn US), `hil` (Hillsboro US), `sin` (Singapore). Pick region closest to users; ARM64 `cax*` available in EU only [VERIFIED 2026-04-21].
**Snapshots + rescue:** `hcloud_snapshot` for golden images; `hcloud server enable-rescue` before SSH lockout recovery. Back up `user_data` and TF state (remote backend: S3-compatible such as R2).
**Primitives provided by KeiSeiKit:**
- `_primitives/provision-hetzner.sh` — wrapper around `hcloud` CLI, idempotent create/destroy, checks existing server by name first.
- Complement with `_primitives/harden-base.sh` run over SSH after first boot.
**Forbidden:** hcloud token in `.tf` or `.tfvars` committed to git; Cloud Firewall with port 22 open to `0.0.0.0/0`; creating servers with `keep_disk = false` then snapshotting (destroys data); using Hetzner Storage Boxes for anything needing low latency (they're SFTP-over-WAN).

27
_blocks/deploy-local-only.md Normal file
View file

@ -0,0 +1,27 @@
# DEPLOY — LOCAL ONLY (sensitive / pre-disclosure project)
Use this block for any project that CANNOT be publicly deployed — typical triggers: proprietary ML weights/architectures you don't want in public training corpora, security tooling that burns its own usefulness on exposure, kernel-level code, client-confidential codebases.
**Hard forbidden (no matter how small the change):**
- Public-URL share pages / static HTML dumps to public hosting
- Vercel / Netlify / GitHub Pages / Cloudflare Pages public deploy
- `gh repo create` public, `gh repo edit --visibility public`
- `git push` to a public remote (GitHub, public GitLab)
- Publishing architecture diagrams with node counts, param totals, or training configs
- Public benchmark tables naming this project
**Allowed:**
- Private remotes (self-hosted Forgejo/Gitea over SSH on a private network)
- Tailscale-only internal services
- Local-only `127.0.0.1` / LAN dev servers
- `.app` / `.dmg` distribution via private channels
**Double-confirmation override (both phrases required, in order, exact wording):**
1. "yes, deploy"
2. "I confirm publication"
No approximations. Informal variants do NOT count. If either phrase is absent, refuse.
**Example categories that typically require local-only:** censorship-circumvention tooling (public push burns exit-node IPs), ML ensembles with trained weights, control / guidance algorithms, offensive security research.
**Report field:** "Public-deploy surface touched: none | <explicit surface> — double-confirm obtained yes/no."

26
_blocks/deploy-modal.md Normal file
View file

@ -0,0 +1,26 @@
# DEPLOY — Modal (GPU compute)
A real cost-overrun incident (tens of dollars lost to unchecked runs) and a real KILL-GUARD incident (over an hour of training killed for a non-critical bug) shape every rule below.
**Pre-launch 10-step checklist (all ticks before `modal run`):**
1. `modal app list` — verify no collisions/duplicates
2. GPU compat: A10G torch ≥ 2.0 (~$1.10/hr), H100 torch ≥ 2.1 (~$4.50/hr), B200 torch ≥ 2.6 (~$8/hr)
3. `cat` the script — confirm file edits actually landed
4. Cost estimate in dollars, verified on live https://modal.com/pricing (NOT from memory)
5. Volume + `vol.commit()` after each write
6. Checkpoints every 500 steps saving `state_dict` (not just JSON metrics)
7. `retries=modal.Retries(max_retries=1)` minimum
8. `.spawn()` for batches — NEVER `.map()` (cascade-kill on single failure)
9. `flush=True` on every print; progress every 250 steps
10. Single-variant smoke run BEFORE fanning out to N variants
**Cost tiers:** AUTO < $5 · WARN $5-$20 (daily cap $20) · STOP > $20 (explicit user "yes, launch").
**anti-stop guard (no exception):**
- NEVER `modal app stop`, `modal app kill`, `kill <pid>`, `pkill -f modal` without literal user phrase "yes, stop it".
- Before any stop: `modal app list` → show user what is running, how long in, how much remaining, current checkpoint state.
- A bug in the launching script is NOT a reason to kill a running training run.
**Volume persistence:** results survive only inside `modal.Volume` with explicit `vol.commit()`. Stdout is ephemeral — checkpoints in volume, metrics in volume, logs to volume.
**Forbidden:** guessed prices from memory; `.map(return_exceptions=False)` for batches; `print()` without `flush=True`; launching N variants before one verified single-variant; restarting "for cleanliness" when checkpoints are flowing; stopping a run to fix the launching script.

79
_blocks/deploy-vps-generic.md Normal file
View file

@ -0,0 +1,79 @@
# DEPLOY — Generic VPS (provider-agnostic cloud-init + ssh-first-contact)
**Target providers:** DigitalOcean Droplets, Vultr, UpCloud, Linode/Akamai. Each has slightly different Terraform providers + CLIs, but the Day-0 contract is identical: **boot a Debian/Ubuntu image with a cloud-init user-data blob; add one admin SSH key; nothing else.**
**Day-0 cloud-init blob (`cloud-init.yaml`) — universal:**
```yaml
#cloud-config
hostname: kei-${env}-${role}
timezone: UTC
package_update: true
package_upgrade: true
packages:
- ufw
- fail2ban
- unattended-upgrades
- auditd
- needrestart
- curl
- jq
users:
- name: keiadmin
groups: sudo
shell: /bin/bash
sudo: ALL=(ALL) NOPASSWD:ALL
ssh_authorized_keys:
- ${ADMIN_PUBKEY}
ssh_pwauth: false
disable_root: true
write_files:
- path: /etc/ssh/sshd_config.d/99-kei.conf
permissions: '0644'
content: |
PasswordAuthentication no
PermitRootLogin no
MaxAuthTries 3
AllowUsers keiadmin
ClientAliveInterval 120
ClientAliveCountMax 2
runcmd:
- [ systemctl, restart, ssh ]
- [ ufw, default, deny, incoming ]
- [ ufw, default, allow, outgoing ]
- [ ufw, allow, 22/tcp ]
- [ ufw, --force, enable ]
```
The blob is intentionally provider-neutral. Provider-specific bits (private-network bring-up, metadata service quirks) go in a short appendix the provisioner appends. See `_primitives/harden-base.sh` for post-boot hardening re-runs.
**SSH-first-contact (`ssh-first-contact.sh` pattern):**
```bash
# Wait for cloud-init to finish AND sshd to be ready on the new IP.
for i in $(seq 1 60); do
ssh -o ConnectTimeout=3 -o StrictHostKeyChecking=accept-new \
"keiadmin@$IP" "cloud-init status --wait" && break
sleep 5
done
ssh "keiadmin@$IP" "sudo test -f /var/lib/cloud/instance/boot-finished"
```
`StrictHostKeyChecking=accept-new` is OK only for the FIRST contact (TOFU). Store the fingerprint to `~/.ssh/known_hosts`; subsequent connects use default strict mode. Never use `StrictHostKeyChecking=no` — accepts MitM silently.
**Terraform skeleton (provider-agnostic via vars):**
```hcl
variable "provider_kind" {} # "digitalocean" | "vultr" | "upcloud" | "linode"
variable "region" {}
variable "size_slug" {} # provider-specific size id
variable "admin_pubkey" {} # raw ssh-ed25519 …
locals {
user_data = templatefile("${path.module}/cloud-init.yaml", { ADMIN_PUBKEY = var.admin_pubkey })
}
# ... then a module-per-provider resource that all read `local.user_data`
```
Keep TF state **local per-env-per-dev by default**; upgrade to remote backend (R2, S3, Terraform Cloud) only when ≥ 2 humans share state.
**Per-provider gotchas (verified 2026-04-21):**
- **DigitalOcean:** Marketplace "Docker" images skip unattended-upgrades — start from plain Debian 12 instead. IPv6 requires `ipv6 = true` on the droplet.
- **Vultr:** `vultr-cli` needs `VULTR_API_KEY`; default firewall is OPEN — attach a firewall group or rely solely on ufw.
- **UpCloud:** IPs rotate on full stop+start unless you request `floating_ip`. Consider Finnish ASN if Hetzner is blocked or rate-limited for your geo.
- **Linode:** cloud-init runs before disk resize on some plans → `growpart` may need a rerun on first `ssh`.
**Forbidden:** baking the admin private key into an AMI/snapshot; reusing one SSH keypair across envs; letting cloud-init pull scripts from a mutable URL (`curl … | bash` in `runcmd:` — pin to a hash); running `apt-get dist-upgrade -y` in `runcmd` without `needrestart` to surface pending reboots.

86
_blocks/docs-architecture-diagrams.md Normal file
View file

@ -0,0 +1,86 @@
# DOCS — Architecture diagrams (Mermaid)
Diagrams live beside the prose they describe. Mermaid renders natively on
GitHub / Forgejo / Gitea / Obsidian — no extra tooling needed to view.
## When to include
- Any agent/skill that scaffolds documentation for a multi-component system
- Any repo with ≥ 3 services / layers / subsystems
## Four diagram patterns (use the right one)
### 1. System context (C4 level 1) — `flowchart LR`
```mermaid
flowchart LR
U[User] -->|HTTP| API[API Gateway]
API -->|gRPC| SVC[Service]
SVC -->|SQL| DB[(PostgreSQL)]
SVC -->|publish| Q[[Queue]]
```
Use for: one-page overview, onboarding, README architecture section.
### 2. Sequence — `sequenceDiagram`
```mermaid
sequenceDiagram
Client->>API: POST /orders
API->>DB: INSERT
DB-->>API: id
API-->>Client: 201 Created
```
Use for: request flow, auth handshake, error recovery sequence.
### 3. State machine — `stateDiagram-v2`
```mermaid
stateDiagram-v2
[*] --> Pending
Pending --> Running: start
Running --> Done: success
Running --> Failed: error
Failed --> Pending: retry
```
Use for: job lifecycle, FSM-driven features, connection state.
### 4. ER / data model — `erDiagram`
```mermaid
erDiagram
USER ||--o{ ORDER : places
ORDER ||--|{ LINE_ITEM : contains
```
Use for: DB schema summary. Keep ≤ 10 entities per diagram.
## Rules
- **Diagram-as-code, no binary exports.** `.mmd` or fenced block, never `.png`
- **≤ 15 nodes / 20 edges per diagram.** Over that → split
- **Labels are nouns.** Edges are verbs. No prose inside nodes
- **One diagram = one concern.** Don't mix system context + sequence in one chart
- **Preview locally** with `mmdc` before commit: `mmdc -i diagram.mmd -o /tmp/preview.svg`
- **Link to source in caption** — "See `docs/diagrams/orders.mmd` for source"
## Forbidden
- ASCII art for multi-node graphs (use Mermaid — renders everywhere)
- Diagrams that contradict the code (stale → delete or fix)
- Secrets / real hostnames / IPs in diagrams (use placeholders)
## Install `mmdc` (preview tool)
```
npm install -g @mermaid-js/mermaid-cli # one-time
mmdc -i docs/diagrams/context.mmd -o /tmp/preview.svg
```
## References
- Mermaid syntax — https://mermaid.js.org/intro/ [VERIFIED: https://mermaid.js.org/intro/]
- C4 model — https://c4model.com/ [VERIFIED: https://c4model.com/]
- `~/.claude/rules/doc-conventions.md`

25
_blocks/docs-claude-md.md Normal file
View file

@ -0,0 +1,25 @@
# DOCS — `CLAUDE.md` (project bootstrap template)
A per-project `CLAUDE.md` answers one question: *what does a Claude agent need to know in the first 30 seconds on this repo?* It is read before any code work. Keep it under ~150 lines.
**Canonical sections (in this order):**
1. **Project one-liner** — name, domain, status (`active | maintenance | archived`), primary stack, public-surface flag.
2. **Architecture** — 2-5 bullets + optional Mermaid block. Layer names match the code tree. If a layer diagram helps, `_blocks/docs-architecture-diagrams.md` has the patterns.
3. **Stack / dependencies** — language(s), major frameworks, DB, queue, deploy target. One line per item.
4. **Constraints** — API rate limits, licensing, cost tiers, platform quirks (e.g. "Flux 2 Pro zero-config", "SPM needs `-Xlinker`").
5. **Known issues** — bugs that aren't fixable now, workarounds, tickets. Keep dated.
6. **Test invariants** — how tests are run (`cargo test --release`, `pytest`, `flutter test`), coverage floor, which tests are load-bearing.
7. **Commands cheatsheet** — 5-8 commands the agent will type most: build, test, lint, deploy, format.
8. **Secrets / credentials** — env var NAMES only (RULE 0.8). Never literal tokens. Path: `secrets/*.env`.
9. **Related files**`DECISIONS.md`, `HOTPATHS.md`, `TODO.md`, runbooks.
**Placeholders used by `kei-docs-scaffold.sh`:**
`{{PROJECT_NAME}}`, `{{STACK}}`, `{{DEPLOY}}`, `{{PRIMARY_LANGUAGE}}`, `{{TEST_CMD}}`.
**Forbidden:**
- Copying the umbrella `~/.claude/CLAUDE.md` here — link to it, do not duplicate.
- Storing API tokens / private URLs (use `secrets/*.env`).
- Marketing prose. Every line must be actionable by the agent.
**Source:** Anthropic Claude Code docs — `claude.ai/code` project-memory convention (E4). Karpathy viral CLAUDE.md (forrestchang/andrej-karpathy-skills, 15K+ stars) [E4].

59
_blocks/docs-decisions-adr.md Normal file
View file

@ -0,0 +1,59 @@
# DOCS — `DECISIONS.md` / ADR template (MADR 4.0)
Architecture Decision Records capture *why* a non-trivial choice was made, so future maintainers (including agents) don't re-litigate. Format: **MADR 4.0** (Markdown Any Decision Records, 2024). Nygard originated the practice in 2011.
**One ADR per non-trivial decision.** File path convention:
- Single-file log: append to `DECISIONS.md` (top-of-file = newest).
- Per-decision files: `docs/adr/NNNN-kebab-case-title.md` (NNNN = zero-padded int).
**MADR 4.0 template (copy as-is):**
```markdown
# ADR-NNNN: <short imperative title>
- **Status:** Proposed | Accepted | Rejected | Superseded-by-ADR-NNNN | Deprecated
- **Date:** YYYY-MM-DD
- **Deciders:** @handle, @handle
- **Evidence grade:** E1-E6 (see `_blocks/evidence-grading.md`)
## Context and Problem Statement
<1-3 sentences: what forces us to decide? What breaks if we don't?>
## Decision Drivers
- Driver 1 (e.g. cost < $X/mo)
- Driver 2 (e.g. must run offline)
- Driver 3 (e.g. team knows language Y)
## Considered Options
1. **Option A** — one-line summary
2. **Option B** — one-line summary
3. **Option C** — one-line summary
## Decision Outcome
Chosen: **Option <letter>**, because <1-2 sentences tying back to drivers>.
### Consequences
- Positive: <what improves>
- Negative: <what we give up, tech debt incurred>
- Neutral: <noteworthy but not directional>
## Pros and Cons of the Options
### Option A
- Pro: ...
- Con: ...
### Option B
- Pro: ...
- Con: ...
## Links
- Supersedes: ADR-NNNN
- Related: `HOTPATHS.md#section`, external URL
- Evidence source: [VERIFIED: url] or [UNVERIFIED]
```
**Rules:**
- Status `Accepted` = implemented or actively being implemented. `Proposed` = under review. `Rejected` stays as an ADR (the record of why we said no).
- Never delete a past ADR. Supersede with a new ADR that references the old number.
- Evidence grade mandatory (RULE 0.4). No grade → the ADR is unreviewable.
**Source:** MADR 4.0 spec — [adr/madr](https://adr.github.io/madr/) [E4]. Nygard 2011 original post `cognitect.com/blog/2011/11/15/documenting-architecture-decisions` [E4].

75
_blocks/docs-readme-template.md Normal file
View file

@ -0,0 +1,75 @@
# DOCS — Public `README.md` scaffold
`README.md` is the first file a new reader (human OR agent) opens. One file, nine sections, in this order. Keep ≤ 300 lines; longer material lives in `docs/`.
**Nine-section template:**
```markdown
# {{PROJECT_NAME}}
> One-line pitch (what + why, ≤ 100 chars).
[![CI](badge)](link) [![License](badge)](link) [![Version](badge)](link)
## What
2-3 sentences: what it does, who it's for. No marketing adjectives.
## Why
2-3 sentences: problem this solves, alternatives considered, why this one.
Link to the relevant ADR: [DECISIONS.md](DECISIONS.md#adr-nnnn).
## Install
```bash
# Primary path — the 90% case
<one command>
```
**Prerequisites:** <language X >= vN, OS constraints, system deps>.
<If needed: alternative install methods in `docs/install.md`.>
## Usage
Smallest working example. Copy-pasteable.
```bash
<command producing visible output>
```
Link to a richer quickstart in `docs/quickstart.md` if >20 lines.
## Development
```bash
git clone <repo>
cd <repo>
<bootstrap command, e.g. cargo build>
<test command>
```
Project layout:
- `src/` — implementation
- `tests/` — integration tests
- `docs/` — long-form docs
- `{{STACK}}-specific notes → link>
## Deploy
Target: **{{DEPLOY}}**. One-liner: `<deploy command>`.
Full runbook: `docs/runbooks/deploy.md`.
## Architecture
One paragraph + one Mermaid diagram (see `_blocks/docs-architecture-diagrams.md`). Detail in `docs/architecture.md`.
## Contributing
- Issue tracker: <url>
- Commit convention: Conventional Commits (see `_blocks/git-conventions` in kit)
- PR checklist: `docs/CONTRIBUTING.md`
## License
<SPDX id> — see [LICENSE](LICENSE).
```
**Rules:**
- No secrets (RULE 0.8). No literal tokens.
- Install command must be ONE command for the happy path.
- Every "see docs/X" link must resolve — scaffolder verifies or creates the target.
- If the project is private / not publicly deployable (banned list per `rules/security.md`), mark the repo header with `<!-- PRIVATE — do not publish -->` and omit public badges.
**Source:** standard-readme spec (RichardLitt/standard-readme) [E4]; GitHub "About READMEs" [E4].

66
_blocks/docs-runbook.md Normal file
View file

@ -0,0 +1,66 @@
# DOCS — Operational runbook template
A runbook tells on-call (or a future agent) exactly what to do when an alert fires. Every production system needs one per failure class. Format: *symptoms → checks → fixes → escalation*.
**File path:** `docs/runbooks/<component>-<alert-name>.md`. Index in `docs/runbooks/README.md` (or link from `HOTPATHS.md`).
**Template (copy as-is):**
```markdown
# Runbook — <component>: <alert or symptom name>
## Metadata
- **Severity:** SEV1 (page now) | SEV2 (work hours) | SEV3 (next day)
- **On-call rotation:** <team / pagerduty schedule / single handle>
- **Last rehearsed:** YYYY-MM-DD (stale > 90d → re-rehearse)
- **Linked ADRs:** ADR-NNNN
## Symptoms
- Observable signal: <metric name> > <threshold> for <duration>
- User impact: <what breaks for end users>
- Typical dashboards: <URLs>
## Diagnostic checks (in order)
1. Check dashboard X — if metric Y is flat, skip to step 4
2. Tail logs: `<exact command>`
3. Inspect dependency Z status page: <URL>
4. Reproduce locally if unclear: `<command>`
## Fixes (try in order; STOP at first that works)
### Fix A — restart (lowest risk)
```bash
<exact command>
```
Verify: <metric returns to <threshold> within <time>>
### Fix B — rollback
```bash
<exact command>
```
Verify: <...>
### Fix C — scale up (if load-related)
```bash
<exact command>
```
## Escalation
- 15 min without recovery → page <secondary on-call>
- Data loss suspected → page <eng-lead> AND <security>
- Customer-visible > 30 min → post to <status-page-url>
## Post-incident
- File incident report at `docs/incidents/YYYY-MM-DD-<slug>.md`
- If root cause new → new ADR in `DECISIONS.md`
- If runbook step failed → update this file (date the edit)
## Known non-issues
- Symptom X that looks scary but is benign (e.g. queue lag < 5s during deploy)
```
**Rules:**
- One alert = one runbook. Do not bundle.
- Every command is copy-pasteable. No placeholders `<...>` in the live fixes section.
- Rehearse quarterly. Mark the date.
**Source:** Google SRE Book Ch. 11 "Being On-Call" and Ch. 14 "Managing Incidents" [E4]; PagerDuty Incident Response Documentation [E4].

29
_blocks/domain-has-secrets.md Normal file
View file

@ -0,0 +1,29 @@
# DOMAIN — Secrets handling
Project stores credentials / API keys / private keys / tunnel keys. Treat every leaked byte as irrecoverable.
**Storage convention:**
- Path: `<repo>/secrets/*.env` — NEVER checked in.
- `.gitignore` has `secrets/` **before any secret is written into the tree**. Verify with `git check-ignore secrets/foo.env` (should print the path).
- File permissions `chmod 600` on every secret file.
**Reference by path only in reports / logs / chats:**
> "Using keys from `secrets/nodes.env`" — GOOD.
> "Using key `abc123xyz...`" — FORBIDDEN.
Never echo secret values in:
- Agent output / tool reports
- Chat messages back to user
- Stdout / stderr of running processes
- Commit messages, PR descriptions
- Error messages (log the CODE path, not the token)
**Loading at runtime:**
- Rust: `dotenvy` or plain `std::env::var` after `direnv allow`.
- Python: `python-dotenv` at startup, NEVER inline literals.
- Node/Next: `.env.local` (`.gitignore`), platform vars in prod.
- Shell: `source secrets/foo.env``export` inside, never commit the export line.
**Rotation:** when a secret is suspected leaked — rotate at provider → update `secrets/*.env` → restart services → verify old key rejected. Do not "wait and see".
**Forbidden:** committing `.env` / `secrets/` (even once — git history persists); echoing values in reports; literal API keys in `lib/` / `src/` / `Cargo.toml` / `package.json`; `git add -A` in a repo that has secrets (use explicit file paths); copying secret values into chat to "show" user what's there.

26
_blocks/domain-ml-training.md Normal file
View file

@ -0,0 +1,26 @@
# DOMAIN — ML Training
Math-First block (`rule-math-first.md`) MUST be included alongside this one.
**Pre-Experiment Check — blocking checklist (answer all before launch — each GPU run costs real money):**
1. **TOKENIZATION** — BPE / character / byte / morphological? Different tokenizations produce different units and are NOT directly comparable.
2. **ARCHITECTURE** — exact class / file / commit. No ambiguity.
3. **INIT / MATRICES** — random / structured / pretrained? Note initialization distribution and rank if relevant.
4. **TRAINING DIRECTION** — forward / reverse / mixed? State it; some models are only tested one way.
5. **METRIC** — what EXACT metric and on what EXACT data split. State units (PPL on which tokenizer, accuracy on which set).
6. **RESEARCH QUESTION** — "This run tests hypothesis: ___". Cannot formulate → DO NOT LAUNCH.
7. **PRIOR RESULTS** — check your `memory/{project}.md` + any `wrong-paths*.md` notes. Don't repeat failed configs.
8. **KNOWN BUGS** — list the known-broken configurations for the current architecture. Don't re-hit them.
**Results logging — IMMEDIATELY after every run (success / timeout / failed / NaN):**
Record in `memory/{project}.md` BEFORE analysis. Mandatory fields: Model name, Architecture, Dimensions, Key config, Params **EXACT** (never "~7M"), Data + count, Steps/Epochs, Batch/Seq, Seed, Metric, Best, Time, Hardware, Status, Cost actual, Notes.
**Multi-seed rigor (for any claim going into DECISIONS.md, a paper, or a public result):**
- Minimum **≥ 5 seeds** (3 for smoke tests). Default `[42, 137, 256, ...]`.
- Report cross-validation mean ± std, NOT single-fold cherry-pick. Single-fold cherry-picking can inflate published numbers by double-digit percentage points.
- Cache ablation table (full / zero / random / shuffled) on zero-model AND one-trained-model.
**Baseline-first discipline:** before running ANY exploration-heavy training (hill-climb, ES, PPO, RL) on a task, SEARCH for an existing published baseline (env source tree, paper README, leaderboards). If one exists — run it locally, extract trajectories, distill your model via supervised loss, THEN fine-tune. Pure exploration from scratch when a baseline exists is wasted compute.
**Forbidden:** launching without the checklist; "~N M" params; analyzing before logging; single-seed claims for anything public; class weighting when val matches train prior; cosine LR on < 50 epochs; tuning before ablating what's unnecessary.

29
_blocks/domain-paid-apis.md Normal file
View file

@ -0,0 +1,29 @@
# DOMAIN — Paid APIs (Anthropic / OpenAI / fal.ai / Apify / Modal / AWS / GCP / ElevenLabs)
A real cost-overrun incident (a job estimated in tens of dollars that actually ran into triple digits on a GPU provider) motivates every rule below.
**MANDATORY pre-launch handoff to `kei-cost-guardian` before ANY paid run:**
1. Dashboard balance — state the current number, not "I think it's roughly".
2. Pricing page — fetch LIVE (WebFetch), not from memory. Rates change.
3. Running jobs — `modal app list` / provider dashboard → show user what's already billing.
4. Cost estimate — formula AND dollars. Example: `N_gpus × hours × $1.10/hr (A10G, verified <today>)`.
5. Single-variant verify — one run succeeds before fanning out to N variants (failed config × N = N billings).
6. Tell user the exact dollar cost BEFORE launch. Explicit GO required for anything > $5.
7. Monitor first 2 minutes of stdout — health check before fan-out.
**Cost tiers:**
- < $5 — AUTO (cost line in report, no confirmation needed)
- $5-$20 — WARN + daily-cap check ($20/day session cap)
- > $20 — STOP, explicit user "yes, launch" with the dollar number echoed back
**Batch ops (Apify, OpenAI batch, ElevenLabs bulk TTS):**
- Estimate whole-batch cost BEFORE first call
- Run 1-2 items to verify shape + per-item cost matches estimate
- THEN fan out; log per-call cost to `memory/{project}.md`
**Known rate ballparks (ALWAYS verify on the live pricing page before launch — rates change):**
- Apify YouTube ~$0.50/1K items · LinkedIn harvest ~$0.50-2/search · Instagram ~$2-3/1K · Telegram FREE via Telethon (direct API)
- Fal.ai Flux / Kling / others — per image or per video, varies by model
- Modal A10G ~$1.10/hr · H100 ~$4.50/hr · B200 ~$8/hr
**Forbidden:** launching without dashboard check; guessing prices; parallel variants without single-variant verify; skipping kei-cost-guardian handoff; running paid compute without logging actuals to `memory/{project}.md` after.

14
_blocks/evidence-grading.md Normal file
View file

@ -0,0 +1,14 @@
# EVIDENCE GRADING
Every major claim must carry a grade:
| Grade | Name | Criteria |
|-------|------|----------|
| **E1** | Fact | Confirmed in production OR primary source (official docs, API response, pricing page) |
| **E2** | Verified | Reproducible in tests/benchmarks. Multiple independent sources agree |
| **E3** | Synthetic | Results on synthetic/test data. Controlled benchmark |
| **E4** | Expert Assessment | Docs/code analysis without running. Extrapolation. Literature consensus |
| **E5** | Hypothesis | Theoretical assumption. Math model without implementation |
| **E6** | Speculation | Single unverified source. Outdated data (>6mo) |
Rules: architectural decision → E1-E2. Financial (compute) → ONLY E1. Data >6mo without re-verification → grade 1. Single source → max E4. Own benchmark without external confirm → max E3.

22
_blocks/memory-protocol.md Normal file
View file

@ -0,0 +1,22 @@
# MEMORY PROTOCOL
**At start:**
1. Read `~/.claude/memory/MEMORY.md` (or your index file) → find relevant project file
2. Read `memory/{project}.md` → constraints, stack, status, learnings
3. If ML / research work: also check your `wrong-paths.md` notes (dead ends worth avoiding)
**At end (if stage completed — feature/phase/milestone/audit/bug+fix/deploy/decision/blocker):**
1. Append to `memory/{project}.md` with format:
```
### Feature Name (YYYY-MM-DD) [E-grade]
- Result: specific metrics (numbers, not "works well")
- Decision: what was done
- Benchmark: numbers vs baseline
- Learnings: what was learned
- Next: what's next
```
2. If dead end / wrong path → append to your `wrong-paths.md`
3. If architectural decision → project's `DECISIONS.md`
4. Session chatlog (if significant): `memory/chatlogs/{ml|projects}/YYYY-MM-DD-{topic}.md`
**Forbidden:** transitioning without saving; writing "works" without metrics; leaving credentials only in conversation context.

16
_blocks/mode-devils-advocate.md Normal file
View file

@ -0,0 +1,16 @@
# MODE — Devil's Advocate
Your job is to steel-man the opposite of whatever seems right.
Before agreeing with any plan, articulate the strongest argument AGAINST it:
- What is the hidden cost the user missed?
- Who or what suffers when this ships? (downstream consumers, on-call, future maintainers, the user in 6 months)
- Under what realistic condition does this silently degrade instead of fail loud?
- What is the reversal cost if we are wrong?
Do not be contrarian for its own sake. Find the REAL failure mode and name it. A fabricated objection wastes the user's attention and dulls the tool.
If the opposition genuinely has no merit after honest steel-manning, say so explicitly — `"considered the strongest objection X; does not apply because Y"`. That closes the loop; unspoken "I couldn't think of anything" leaves the user guessing.
**Operational test:** state the single strongest objection in one sentence. If you cannot, you have not steel-manned — keep looking.

21
_blocks/mode-first-principles.md Normal file
View file

@ -0,0 +1,21 @@
# MODE — First Principles
Before reasoning by analogy or consensus, derive from invariants.
For every design decision, ask:
- What is the physical / mathematical / informational constraint that forces this?
- Why does it have to work this way, not another?
- What would change if the constraint were relaxed or removed?
Arguments from `"industry standard"`, `"best practice"`, `"everyone does it this way"` are weak evidence. Either rediscover WHY the practice works (and cite the constraint) or challenge it. Accepting a pattern because it is common is not reasoning — it is mimicry.
Cite the constraint explicitly in the report:
- `"Latency floor: single-RTT = 2·(d/c) ≈ 80 ms over 12 000 km — no software fix."`
- `"Memory-hierarchy: L1 = 32 KB, working set exceeds → cache miss unavoidable."`
- `"CAP: partition + consistency → availability must yield."`
Not `"it is usually done this way"`. That is not a constraint, that is a habit.
**Operational test:** for every non-trivial decision, write one line naming the invariant. If you cannot name it, the decision is either free (pick cheapest) or inherited (say from where).

24
_blocks/mode-matrix.md Normal file
View file

@ -0,0 +1,24 @@
# MODE — Agent × Cognitive-Mode Matrix
Composable cognitive-mode blocks live in `_blocks/mode-*.md`. Any agent manifest can append them to its `blocks = [...]` list to stack the behavioural skew; modes compose (e.g. `mode-skeptic` + `mode-minimalist` = adversarial pruner).
This table is the suggested starting set per agent role. It is a **guide, not a rule** — pick what fits the agent's actual job.
| Agent role | Recommended modes | Reason |
|---|---|---|
| critic | `skeptic` · `devils-advocate` | Doubt-first review; name the strongest objection before agreeing |
| validator | `skeptic` | Every claim needs an E1/E2 grade — no plausibility shortcuts |
| security-auditor | `devils-advocate` · `skeptic` | Steel-man the attacker; threat-model the worst case |
| researcher | `skeptic` | Cross-check every source; honest gaps over confident guesses |
| ml-researcher | `skeptic` · `first-principles` | Observable classification + invariant-derived priors |
| architect | `first-principles` · `minimalist` | Derive from constraints, prefer subtraction over addition |
| code-implementer | `minimalist` | Surgical edits; remove before adding |
| refactor specialist | `minimalist` | Delete dead code; prove every kept line |
| ml-implementer | `minimalist` · `first-principles` | Math-First — count params before code, derive over tune |
| brainstorm / concept-explorer | `maximalist` | Return 10× version + minimum bounds; user invokes exploration |
| physics-deriver | `first-principles` | Cite the invariant; no arguments from "best practice" |
Intentionally **unbiased** roles (pick 0 modes by default):
- `infra-implementer`, `modal-runner`, `fal-ai-runner`, `cost-guardian`, most `kei-<project>-specialist` agents.
Modes are not free — each one lands verbatim in the prompt and consumes context. Stack only what you need.

19
_blocks/mode-maximalist.md Normal file
View file

@ -0,0 +1,19 @@
# MODE — Maximalist
Dual of `mode-minimalist`. For when scope is genuinely broad and the user wants exploration, not pruning.
Think bigger than the user asked:
- What are adjacent concerns this could also address?
- What is the 10× version — if compute, time, and API surface were free, what would the design look like?
- What neighbouring problems share 70% of the solution and could be bundled cheaply?
Only applicable when the user EXPLICITLY invokes exploration — brainstorming, greenfield design, concept work, portfolio expansion. Default to `mode-minimalist` unless maximalist is requested.
Output discipline: return BOTH bounds.
- `"Here is the biggest coherent scope"` — full exploration, labelled as such.
- `"Here is the minimum within it"` — the smallest slice that still creates value.
- `"User picks"` — do not pre-collapse the choice for them.
**Operational test:** if your proposal has only one size option, you have not been maximalist — you have been opinionated. Widen the range before reporting.

18
_blocks/mode-minimalist.md Normal file
View file

@ -0,0 +1,18 @@
# MODE — Minimalist
Every addition must justify its existence.
Start from `"what is already here"` and ask `"what is unnecessary?"` — the math-first rule applied socially. Before adding a new file, flag, config key, abstraction, doc section, or dependency, check whether existing code already does it.
Preferences (in order):
- Prefer deleting over adding.
- Prefer fewer files over more.
- Prefer fewer abstractions over "cleaner" ones.
- Prefer inlining a 5-line helper over extracting a module for it.
A feature that saves 3 minutes of user effort but costs 30 minutes of documentation, onboarding, and future-maintenance is a net loss. Count both sides of the ledger before proposing.
Ship less. Check which less matters. Then ship less of that too.
**Operational test:** for every addition in your plan, answer: `"what would break if I removed this?"` If the answer is `"nothing important"`, remove it.

17
_blocks/mode-skeptic.md Normal file
View file

@ -0,0 +1,17 @@
# MODE — Skeptic
Default stance: doubt the conclusion until it is proved.
For every claim — in the input OR in your own output — ask:
- What evidence supports this?
- What would falsify it?
- Has the reasoning been reproduced, or is it plausible-sounding inference?
Any claim without an `E1` or `E2` evidence grade must be flagged as speculation in the report. Do not let an unsupported premise slip through because it "sounds right".
Prefer `"I don't know"` over a plausible-sounding guess. An honest gap is cheaper than a confident error.
Push back on assumptions in the problem statement BEFORE implementing. If the user's framing embeds an unverified premise, name it and ask to verify before you spend effort on the wrong target.
**Operational test:** if you just agreed with something, state the strongest piece of evidence for the claim and the strongest piece against it. If you can't name either, you agreed too fast.

48
_blocks/obs-metrics.md Normal file
View file

@ -0,0 +1,48 @@
# OBSERVABILITY — Metrics (Prometheus + OTel + RED/USE)
Metrics are numeric time series scraped or pushed on a fixed cadence (10-60 s). Two signal families to cover:
**RED (request-driven services — APIs, workers):**
- **R**ate — requests per second
- **E**rrors — error rate (5xx / failed jobs)
- **D**uration — latency distribution (p50 / p95 / p99)
**USE (resources — CPU, memory, disk, network):**
- **U**tilization — % busy
- **S**aturation — queue depth / wait time
- **E**rrors — hardware / syscall errors
Source: Google SRE Book "Four Golden Signals" [VERIFIED: sre.google/sre-book/monitoring-distributed-systems/] + Brendan Gregg USE [VERIFIED: brendangregg.com/usemethod.html] + Tom Wilkie RED [VERIFIED: thenewstack.io/monitoring-microservices-red-method/].
**Metric types (Prometheus model, inherited by OTel):**
| Type | Use for | Example |
|---|---|---|
| Counter | Monotonic cumulative count | `http_requests_total{route, status}` |
| Gauge | Instantaneous value (up/down) | `queue_depth`, `memory_bytes` |
| Histogram | Latency / size distribution with buckets | `http_request_duration_seconds_bucket` |
| Summary | Client-side quantiles (prefer histogram — can aggregate) | — avoid unless Prom-server-side quantile is impossible |
**Naming convention (Prometheus exposition, OTel convention 1.27+):**
- Suffix units: `_seconds`, `_bytes`, `_total` for counters [VERIFIED: prometheus.io/docs/practices/naming/]
- Lowercase snake_case, dots forbidden in Prom names (OTel dots become underscores on export)
- Cardinality budget: < 10 labels per metric, < 100 values per label runaway cardinality kills Prometheus [VERIFIED: prometheus.io/docs/practices/naming/#labels]
**Stack (self-host, single-host or small cluster):**
- `node_exporter` on every host (port 9100) — USE metrics for CPU/mem/disk/net [VERIFIED: github.com/prometheus/node_exporter]
- App exposes `/metrics` on app port (Prom client library per language)
- Prometheus scrapes every 15 s, retention 15 d local (longer → remote_write to Mimir / Thanos / vendor)
- Grafana dashboards connect to Prometheus datasource
**OpenTelemetry path (vendor-agnostic, OTLP collector in front):**
- App uses OTel SDK → OTLP/gRPC (port 4317) or OTLP/HTTP (port 4318) [VERIFIED: opentelemetry.io/docs/specs/otlp/]
- OTel Collector receives OTLP, exports to Prometheus remote_write / vendor (Honeycomb, Datadog, Grafana Cloud)
- Same collector handles logs + traces (see `obs-traces`) → single deploy unit
**Language bindings:**
- Rust: `metrics` + `metrics-exporter-prometheus` OR `opentelemetry-rust` [VERIFIED: docs.rs/opentelemetry]
- Go: `prometheus/client_golang` (native Prom) OR `go.opentelemetry.io/otel/metric`
- Python: `prometheus-client` OR `opentelemetry-sdk` with `opentelemetry-exporter-otlp`
- Node/TS: `prom-client` OR `@opentelemetry/sdk-metrics`
**Forbidden:** high-cardinality labels (`user_id`, `trace_id`, `timestamp` — never a label); per-request gauges (use histograms); Summary where Histogram works (Summaries don't aggregate across instances); pushing metrics from a long-running service (use `/metrics` scrape; Pushgateway is for short-lived jobs ONLY per Prom docs); renaming metrics without a deprecation window (breaks dashboards silently).

38
_blocks/obs-structured-logs.md Normal file
View file

@ -0,0 +1,38 @@
# OBSERVABILITY — Structured logs (JSON-lines)
Structured logging is the cheapest leg of the observability triad. One JSON object per line, stable field names, machine-parseable by any log shipper (Loki, Vector, Fluent Bit, Datadog Agent, CloudWatch). Unstructured `printf` / `logger.info("user %s did %s", u, a)` wastes the capability.
**Field taxonomy (stable across services — single source of truth):**
| Field | Type | Meaning |
|---|---|---|
| `ts` | RFC3339 string | Timestamp with timezone (`2026-04-21T12:00:00.123Z`) |
| `level` | enum | `debug` / `info` / `warn` / `error` / `fatal` |
| `msg` | string | Short human-readable summary (no interpolated values — they go in their own fields) |
| `service` | string | Emitting service name (e.g. `api-gateway`) |
| `env` | enum | `local` / `dev` / `staging` / `prod` |
| `trace_id` | hex32 | W3C traceparent trace-id (links log to trace — see `obs-traces`) |
| `span_id` | hex16 | W3C span-id of the current span |
| `request_id` | string | Per-request correlation ID (propagate via `X-Request-ID`) |
| `user_id` | string | Actor (redact PII — hash or internal ID, never email) |
| `err` | object | `{type, message, stack}` when `level >= error` |
**Emission rules:**
- Always write to **stdout** (one JSON per line). Let the container runtime / systemd capture it. Never open a log file from the app — shippers have file-locking races.
- NEVER mix plain text and JSON on stdout (breaks parsers). Config libraries must emit JSON in all environments, local included.
- `msg` stays constant per log site (e.g. `"db query failed"`). Dynamic values (query, duration_ms, table) go in their own fields. This is what makes logs queryable.
- On exception: capture `err.stack` as a single string with `\n` separators (don't split across lines).
**Language bindings (pick ONE per service, never two):**
- Rust: `tracing` + `tracing-subscriber` with `.json()` formatter [VERIFIED: docs.rs/tracing-subscriber]
- Go: `log/slog` stdlib with `slog.NewJSONHandler` (Go 1.21+) [VERIFIED: pkg.go.dev/log/slog]
- Python: `structlog` with `JSONRenderer` [VERIFIED: www.structlog.org]
- Node/TS: `pino` (`pino({ level, formatters })`) [VERIFIED: getpino.io]
- Swift/iOS: server-side only — `swift-log` with `swift-log-formatter-json` backend
**Shipping:**
- Container / k8s: stdout → Fluent Bit / Vector → Loki or vendor.
- Bare metal: systemd journald → `journalctl -o json` → Vector.
- Dev: stdout is enough; no shipper.
**Forbidden:** string interpolation in `msg` (`f"user {id}"` — id goes in its own field); writing secrets to logs (token/password/cookie values); `print()` debug leftovers in committed code; changing `level` semantics per service (keep the 5 levels stable kit-wide); logging full request/response bodies without redaction.

Some files were not shown because too many files have changed in this diff Show more