From 3feba6eebc0efe2fb9dc1f8b83c9f7f56606e7e4 Mon Sep 17 00:00:00 2001
From: tegwick <bernd.worsch@gmail.com>
Date: Mon, 22 Jun 2026 01:20:07 +0200
Subject: [PATCH] Complete ADAPTIVE-WP-0001 State Hub bootstrap

Set bootstrap workplan active and finish all tasks: refine SCOPE.md and
README.md, add Dev Workflow and credential routing to AGENTS.md, propagate
.claude/rules/credential-routing.md, and document early-phase verification
commands (fix-consistency, registry sanity check).
---
 .claude/rules/credential-routing.md           | 50 ++++++++++++
 AGENTS.md                                     | 76 ++++++++++++++++++-
 README.md                                     | 24 +++++-
 SCOPE.md                                      | 35 +++++----
 .../ADAPTIVE-WP-0001-statehub-bootstrap.md    | 16 +++-
 5 files changed, 179 insertions(+), 22 deletions(-)
 create mode 100644 .claude/rules/credential-routing.md

diff --git a/.claude/rules/credential-routing.md b/.claude/rules/credential-routing.md
new file mode 100644
index 0000000..b534f31
--- /dev/null
+++ b/.claude/rules/credential-routing.md
@@ -0,0 +1,50 @@
+# Credential and access routing
+
+**Audience:** Codex, Claude Code, Grok, and custodian agents that call **llm-connect**
+for inference. Run this check **before** requesting secrets, API keys, SSH access,
+login tokens, or database passwords — in any repo, not only `ops-warden`.
+
+ops-warden **issues SSH certificates only** (`warden sign`, `cert_command`). Every
+other credential need belongs to another subsystem. **Do not** message
+`ops-warden` on State Hub expecting a secret value; the reply is a pointer, not a key.
+
+### Lookup (do this first)
+
+```bash
+warden route find "<describe your need>" --json
+warden route show <catalog-id> --json
+```
+
+Requires the `warden` CLI from `~/ops-warden` (`uv tool install .` or `uv run warden`).
+
+| Agent runtime | How to orient |
+| --- | --- |
+| **Codex / Grok** (shell, HTTP State Hub) | `warden route` commands above; inbox `to_agent=adaptive-pricing` is for coordination, not secret vending |
+| **Claude Code** (MCP when available) | `get_domain_summary("custodian")` for workstreams; **still** use `warden route` for credential ownership |
+| **llm-connect** (inference service) | Never put secret retrieval in prompts; route custody to OpenBao/operator paths surfaced by `warden route` |
+
+### Quick routing table
+
+| I need… | Owner | ops-warden executes? |
+| --- | --- | --- |
+| SSH cert (`adm`/`agt`/`atm`) | ops-warden | **Yes** — `warden sign` |
+| API key, DB password, provider token | OpenBao (`railiance-platform`) | No — route only |
+| Login / OIDC / MFA | key-cape / Keycloak | No — route only |
+| Authorization decision | flex-auth | No — route only |
+| activity-core → issue-core emission | activity-core + issue-core | No — `warden route show activity-core-issue-sink` |
+| SSH tunnel | ops-bridge (+ `cert_command` from warden) | No — route only |
+
+### Anti-patterns (do not do these)
+
+- `POST /messages/` to `ops-warden` asking for `ISSUE_CORE_API_KEY`, `OPENROUTER_API_KEY`, etc.
+- Inventing `warden secret`, `warden login`, `warden bao`, `warden tunnel` — they do not exist
+- Pasting secrets into Git, State Hub, workplans, logs, or chat
+
+### Other capabilities (reuse-surface)
+
+Non-credential capabilities are usually discovered through **reuse-surface** federation
+(`reuse-surface` registry / `capability.*` indexes). Credential routing is inlined in
+every repo's agent instructions because it is high-frequency, high-risk, and easy to
+get wrong.
+
+**Canon:** `~/ops-warden/wiki/CredentialRouting.md` · catalog `~/ops-warden/registry/routing/catalog.yaml`
\ No newline at end of file
diff --git a/AGENTS.md b/AGENTS.md
index a5aaf1b..3ef338b 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -11,6 +11,29 @@
 
 ---
 
+## Dev Workflow
+
+The repository is in an **early framework phase**: Markdown documentation, research
+notes, and capability registry YAML. No application runtime, package manifest, or
+automated test suite exists yet. Executable implementation begins under
+`workplans/ADAPTIVE-WP-0002-economic-observatory-mvp.md`.
+
+| Need | Command |
+|------|---------|
+| Install | none — no runtime dependencies |
+| Test | none configured yet |
+| Lint / format | none configured — match surrounding Markdown style |
+| Build | none — documentation-only repo |
+| Run | none |
+| Workplan / hub sync | `cd ~/state-hub && make fix-consistency REPO=adaptive-pricing REPO_PATH=~/adaptive-pricing` |
+| Registry sanity | `grep -q '^version:' registry/indexes/capabilities.yaml && echo OK` |
+
+**Verify a change before declaring it done:** run `make fix-consistency` (expect
+PASS), and confirm edited docs stay aligned with `INTENT.md` and
+`docs/ProductRequirementsDocument.md`.
+
+---
+
 ## State Hub Integration
 
 The Custodian State Hub tracks work across all domains. Interact via HTTP REST —
@@ -101,7 +124,58 @@ curl -s -X PATCH "http://127.0.0.1:8000/tasks/<task_id>" \
 
 ---
 
-{CREDENTIAL_ROUTING}
+## Credential and access routing
+
+**Audience:** Codex, Claude Code, Grok, and custodian agents that call **llm-connect**
+for inference. Run this check **before** requesting secrets, API keys, SSH access,
+login tokens, or database passwords — in any repo, not only `ops-warden`.
+
+ops-warden **issues SSH certificates only** (`warden sign`, `cert_command`). Every
+other credential need belongs to another subsystem. **Do not** message
+`ops-warden` on State Hub expecting a secret value; the reply is a pointer, not a key.
+
+### Lookup (do this first)
+
+```bash
+warden route find "<describe your need>" --json
+warden route show <catalog-id> --json
+```
+
+Requires the `warden` CLI from `~/ops-warden` (`uv tool install .` or `uv run warden`).
+
+| Agent runtime | How to orient |
+| --- | --- |
+| **Codex / Grok** (shell, HTTP State Hub) | `warden route` commands above; inbox `to_agent=adaptive-pricing` is for coordination, not secret vending |
+| **Claude Code** (MCP when available) | `get_domain_summary("custodian")` for workstreams; **still** use `warden route` for credential ownership |
+| **llm-connect** (inference service) | Never put secret retrieval in prompts; route custody to OpenBao/operator paths surfaced by `warden route` |
+
+### Quick routing table
+
+| I need… | Owner | ops-warden executes? |
+| --- | --- | --- |
+| SSH cert (`adm`/`agt`/`atm`) | ops-warden | **Yes** — `warden sign` |
+| API key, DB password, provider token | OpenBao (`railiance-platform`) | No — route only |
+| Login / OIDC / MFA | key-cape / Keycloak | No — route only |
+| Authorization decision | flex-auth | No — route only |
+| activity-core → issue-core emission | activity-core + issue-core | No — `warden route show activity-core-issue-sink` |
+| SSH tunnel | ops-bridge (+ `cert_command` from warden) | No — route only |
+
+### Anti-patterns (do not do these)
+
+- `POST /messages/` to `ops-warden` asking for `ISSUE_CORE_API_KEY`, `OPENROUTER_API_KEY`, etc.
+- Inventing `warden secret`, `warden login`, `warden bao`, `warden tunnel` — they do not exist
+- Pasting secrets into Git, State Hub, workplans, logs, or chat
+
+### Other capabilities (reuse-surface)
+
+Non-credential capabilities are usually discovered through **reuse-surface** federation
+(`reuse-surface` registry / `capability.*` indexes). Credential routing is inlined in
+every repo's agent instructions because it is high-frequency, high-risk, and easy to
+get wrong.
+
+**Canon:** `~/ops-warden/wiki/CredentialRouting.md` · catalog `~/ops-warden/registry/routing/catalog.yaml`
+
+---
 
 <!-- REPO-AGENTS-EXTENSIONS -->
 <!-- Append repo-specific agent instructions below this marker.
diff --git a/README.md b/README.md
index 604ed9c..145e9a5 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,23 @@
-Auto-regulating market value exploring price engine.
\ No newline at end of file
+# adaptive-pricing
+
+Auto-regulating market value exploring price engine.
+
+Framework for defining, evaluating, adapting, and implementing pricing models
+across the product lifecycle — from cost-floor analysis through customer-tunable
+pricing to payment-provider execution.
+
+## Orient
+
+| Doc | Purpose |
+|-----|---------|
+| [INTENT.md](INTENT.md) | Project purpose, problem space, lifecycle model |
+| [docs/ProductRequirementsDocument.md](docs/ProductRequirementsDocument.md) | Generic product requirements |
+| [AGENTS.md](AGENTS.md) | Agent instructions, dev workflow, State Hub integration |
+| [workplans/](workplans/) | Active workstreams and tasks |
+| [projects/coulomb-pricing/](projects/coulomb-pricing/) | Coulomb Social MVP deployment material |
+
+## Status
+
+Early framework phase (documentation and research). First implementation:
+[Economic Observatory MVP](workplans/ADAPTIVE-WP-0002-economic-observatory-mvp.md)
+for Coulomb Social.
\ No newline at end of file
diff --git a/SCOPE.md b/SCOPE.md
index 95f2005..d04fdf7 100644
--- a/SCOPE.md
+++ b/SCOPE.md
@@ -1,38 +1,41 @@
 # SCOPE
 
-> This file was generated by `statehub register`. Refine it as the repository
-> boundaries become clearer.
-
 ## One-liner
 
 Auto-regulating market value exploring price engine.
 
 ## Core Idea
 
-adaptive-pricing exists to provide the capability described in INTENT.md.
+`adaptive-pricing` provides a practical framework for defining, evaluating,
+adapting, and implementing pricing models across the product lifecycle. See
+`INTENT.md` for the full problem space, lifecycle model, and strategic direction.
 
 ## In Scope
 
-- Maintain the repository's primary implementation.
-- Keep docs, tests, and operational metadata current.
 - Generic framework documentation (`INTENT.md`, `docs/`, `research/`, `registry/`).
+- Pricing model vocabulary, lifecycle reasoning, and capability registry.
 - Project-specific deployments under `projects/<slug>/`.
+- State Hub workplans under `workplans/` (ADR-001).
 
 ## Out of Scope
 
-- Own unrelated adjacent systems.
-- Make irreversible operational decisions without human approval.
-- Project-specific MVP material in `specs/` or other generic doc paths (use
-  `projects/<slug>/` instead).
+- Owning unrelated adjacent systems (Bubble.io, Stripe, OpenRouter runtimes).
+- Making irreversible operational or pricing decisions without human approval.
+- Project-specific MVP material in generic doc paths (use `projects/<slug>/`).
 
 ## Current State
 
-- Status: active; implementation and stability should be verified by the repo agent.
+- **Phase:** early framework — documentation, research, and registry scaffolding.
+- **Runtime:** none in this repo yet; first implementation is the Coulomb Social
+  Economic Observatory MVP (`ADAPTIVE-WP-0002`).
+- **Bootstrap:** State Hub integration (`ADAPTIVE-WP-0001`) wires agent orientation,
+  workplan tracking, and custodian brief sync.
 
 ## Getting Oriented
 
-- Start with: INTENT.md
-- Product requirements (generic): docs/ProductRequirementsDocument.md
-- Agent instructions: AGENTS.md
-- Workplans: workplans/
-- Coulomb MVP artifacts: projects/coulomb-pricing/
+- Start with: `INTENT.md`
+- Product requirements (generic): `docs/ProductRequirementsDocument.md`
+- Agent instructions: `AGENTS.md`
+- Workplans: `workplans/`
+- Coulomb MVP artifacts: `projects/coulomb-pricing/`
+- Offline hub brief: `.custodian-brief.md`
\ No newline at end of file
diff --git a/workplans/ADAPTIVE-WP-0001-statehub-bootstrap.md b/workplans/ADAPTIVE-WP-0001-statehub-bootstrap.md
index 4885e32..69364b7 100644
--- a/workplans/ADAPTIVE-WP-0001-statehub-bootstrap.md
+++ b/workplans/ADAPTIVE-WP-0001-statehub-bootstrap.md
@@ -4,7 +4,7 @@ type: workplan
 title: "Bootstrap State Hub integration"
 domain: helix_forge
 repo: adaptive-pricing
-status: ready
+status: finished
 owner: codex
 topic_slug: helix-forge
 created: "2026-06-21"
@@ -20,7 +20,7 @@ Auto-regulating market value exploring price engine.
 
 ```task
 id: ADAPTIVE-WP-0001-T01
-status: todo
+status: done
 priority: high
 state_hub_task_id: "48d1c0ad-0710-44e1-a5b8-8ec775dd8b79"
 ```
@@ -28,11 +28,16 @@ state_hub_task_id: "48d1c0ad-0710-44e1-a5b8-8ec775dd8b79"
 Review `INTENT.md`, `SCOPE.md`, `AGENTS.md`, and `.custodian-brief.md`.
 Replace generated placeholders with repo-specific facts where needed.
 
+Done 2026-06-21: refined `SCOPE.md` and `README.md`, fixed `AGENTS.md` structure
+(credential routing, repository layout), propagated credential-routing rules.
+`INTENT.md` and `.custodian-brief.md` confirmed accurate (brief is fix-consistency
+generated).
+
 ## Verify Local Developer Workflow
 
 ```task
 id: ADAPTIVE-WP-0001-T02
-status: todo
+status: done
 priority: high
 state_hub_task_id: "94f16d97-3fe3-498f-8aa8-136649c106ad"
 ```
@@ -41,6 +46,9 @@ Identify the repo's install, test, lint, build, and run commands. Add or refine
 those commands in the agent instructions so future coding sessions can verify
 changes confidently.
 
+Done 2026-06-21: documented early-phase dev workflow in `AGENTS.md` (no runtime
+yet; `make fix-consistency` and registry sanity check as verification steps).
+
 ## Seed First Real Workplan
 
 ```task
@@ -57,4 +65,4 @@ legacy `AdaptivePricing-MVP-Workplan.md`. After workplan file updates, run from
 
 ```bash
 make fix-consistency REPO=adaptive-pricing
-```
+```
\ No newline at end of file