Final phase of agent substrate v1. 5 shipped agents now declare role at manifest level; assembler expands role's capability text fragments into the generated .md at a new `# AGENT SUBSTRATE — role <name>` section. Non-migrated agents byte-identical (golden snapshots green).

Migrated agents:
- kei-code-implementer → edit-local (8 caps: no-git-ops + scope/* + quality/* + safety::no-dep-bump + report-format)
- kei-critic → read-only (tools::read-only + output::report-format + output::severity-grade)
- kei-architect → read-only
- kei-security-auditor → read-only
- kei-validator → read-only

_assembler/ extensions:
- manifest.rs: substrate_role: Option<String>
- assembler.rs: write_substrate() before blocks (backward-compat; no role = no substrate section)
- substrate.rs (new, 102 LOC): loads _roles/<name>.toml, iterates capabilities.required, reads _capabilities/<cat>/<slug>/text.md, joins with \n\n---\n\n separator
- validator.rs: substrate role existence + cap-text presence check
- tests/substrate_role.rs (4 tests): happy path, unknown role, missing capability text, byte-parity on non-migrated
- tests/regenerate_migrated.rs (ignored by default): regeneration gate

_templates/task-examples/ — 5 example task.toml per migrated agent showing orchestrator the valid invocation shape.

docs/AGENT-SUBSTRATE-SCHEMA.md: Phase 5 row ticked ✓ + Migrated agents subsection listing 5 agents with roles + pointer to examples.

tests/substrate_integration.sh: +8 Phase-5 assertions
- All 5 migrated .md files contain "# AGENT SUBSTRATE — role"
- kei-code-implementer.md contains "MUST NOT invoke git" (policy::no-git-ops)
- Every _templates/task-examples/*.toml parses as valid TOML
- cargo check --workspace still passes post-migration
- kei-agent-runtime compose works on edit-local-forge.toml example

Tests: assembler 40/40 (was 30, +4 substrate_role + +1 ignored regen), kei-agent-runtime + kei-capability 37/37 preserved.

Deferred: remaining 7 non-core agents (cost-guardian, modal-runner, fal-ai-runner, infra/ml-implementer, ml-researcher, researcher) migrate in v0.24 wave.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
45 lines
1.1 KiB
TOML
# Example task.toml — read-only role for kei-security-auditor.
# Security sweep scoped to HIGH-risk surfaces (auth / crypto / network
# / deserialisation / FFI).
[task]
role = "read-only"
agent-id = "read-only-security-EXAMPLE"
parent-agent = ""
[scope]
files-whitelist = [
"_primitives/_rust/**/src/**/*.rs",
"hooks/**",
"install/**",
]
files-denylist = [
"**/target/**",
"**/tests/**",
]
[verification]
cargo-check-crates = []
cargo-test-crates = []
[output]
# Parameterises output::report-format + output::severity-grade.
report-fields-required = [
"risk-classification",
"mode",
"files-reviewed",
"new-dependencies",
"per-finding",
"supply-chain-verdict",
"9-point-coverage",
]
[body]
text = """
Security audit of the agent-substrate Rust workspace: classify each
touched crate HIGH / MEDIUM / LOW, run the 9-point differential
checklist on HIGH surfaces, perform variant analysis (exact → structural
→ semantic grep), and supply-chain-check every new dep via
OSV.dev / GitHub Advisories. Every finding gets [HIGH|MEDIUM|LOW] plus
a concrete reproduction path. No 'might' / 'probably' — prove or drop.
"""
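Review bot: the `[scope]` files-whitelist admits only `_primitives/_rust/**/src/**/*.rs`, `hooks/**` and `install/**`, yet `[output]` requires `new-dependencies` and `supply-chain-verdict` and the body asks for a supply-chain check of every new dep. If the whitelist bounds what a read-only agent may read, no `Cargo.toml` or `Cargo.lock` is in scope, so those report fields cannot be grounded in the manifests; the same glob also skips any `build.rs` that sits beside `src/`. Suggest adding the manifest, lockfile and build-script globs to the whitelist, or noting in the header comment where the dependency list is expected to come from. Separately, the header comment says the sweep is scoped to HIGH-risk surfaces while the body has the agent classify each touched crate HIGH / MEDIUM / LOW first; one sentence stating that the whitelist is the candidate set and classification narrows it would remove the ambiguity for anyone copying this example.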