coulomb/adaptive-pricing
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Complete ADAPTIVE-WP-0001 State Hub bootstrap

Browse Source 
Set bootstrap workplan active and finish all tasks: refine SCOPE.md and
README.md, add Dev Workflow and credential routing to AGENTS.md, propagate
.claude/rules/credential-routing.md, and document early-phase verification
commands (fix-consistency, registry sanity check).
This commit is contained in:
Bernd Worsch
2026-06-22 01:20:07 +02:00
parent 3af0c8b7f7
commit 3feba6eebc
5 changed files with 179 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

76
AGENTS.md
View File

@@ -11,6 +11,29 @@
---
## Dev Workflow
The repository is in an **early framework phase**: Markdown documentation, research
notes, and capability registry YAML. No application runtime, package manifest, or
automated test suite exists yet. Executable implementation begins under
`workplans/ADAPTIVE-WP-0002-economic-observatory-mvp.md`.
| Need | Command |
|------|---------|
| Install | none — no runtime dependencies |
| Test | none configured yet |
| Lint / format | none configured — match surrounding Markdown style |
| Build | none — documentation-only repo |
| Run | none |
| Workplan / hub sync | `cd ~/state-hub && make fix-consistency REPO=adaptive-pricing REPO_PATH=~/adaptive-pricing` |
| Registry sanity | `grep -q '^version:' registry/indexes/capabilities.yaml && echo OK` |
**Verify a change before declaring it done:** run `make fix-consistency` (expect
PASS), and confirm edited docs stay aligned with `INTENT.md` and
`docs/ProductRequirementsDocument.md`.
---
## State Hub Integration
The Custodian State Hub tracks work across all domains. Interact via HTTP REST —
@@ -101,7 +124,58 @@ curl -s -X PATCH "http://127.0.0.1:8000/tasks/<task_id>" \
---
{CREDENTIAL_ROUTING}
## Credential and access routing
**Audience:** Codex, Claude Code, Grok, and custodian agents that call **llm-connect**
for inference. Run this check **before** requesting secrets, API keys, SSH access,
login tokens, or database passwords — in any repo, not only `ops-warden`.
ops-warden **issues SSH certificates only** (`warden sign`, `cert_command`). Every
other credential need belongs to another subsystem. **Do not** message
`ops-warden` on State Hub expecting a secret value; the reply is a pointer, not a key.
### Lookup (do this first)
```bash
warden route find "<describe your need>" --json
warden route show <catalog-id> --json
```
Requires the `warden` CLI from `~/ops-warden` (`uv tool install .` or `uv run warden`).
| Agent runtime | How to orient |
| --- | --- |
| **Codex / Grok** (shell, HTTP State Hub) | `warden route` commands above; inbox `to_agent=adaptive-pricing` is for coordination, not secret vending |
| **Claude Code** (MCP when available) | `get_domain_summary("custodian")` for workstreams; **still** use `warden route` for credential ownership |
| **llm-connect** (inference service) | Never put secret retrieval in prompts; route custody to OpenBao/operator paths surfaced by `warden route` |
### Quick routing table
| I need… | Owner | ops-warden executes? |
| --- | --- | --- |
| SSH cert (`adm`/`agt`/`atm`) | ops-warden | **Yes** — `warden sign` |
| API key, DB password, provider token | OpenBao (`railiance-platform`) | No — route only |
| Login / OIDC / MFA | key-cape / Keycloak | No — route only |
| Authorization decision | flex-auth | No — route only |
| activity-core → issue-core emission | activity-core + issue-core | No — `warden route show activity-core-issue-sink` |
| SSH tunnel | ops-bridge (+ `cert_command` from warden) | No — route only |
### Anti-patterns (do not do these)
- `POST /messages/` to `ops-warden` asking for `ISSUE_CORE_API_KEY`, `OPENROUTER_API_KEY`, etc.
- Inventing `warden secret`, `warden login`, `warden bao`, `warden tunnel` — they do not exist
- Pasting secrets into Git, State Hub, workplans, logs, or chat
### Other capabilities (reuse-surface)
Non-credential capabilities are usually discovered through **reuse-surface** federation
(`reuse-surface` registry / `capability.*` indexes). Credential routing is inlined in
every repo's agent instructions because it is high-frequency, high-risk, and easy to
get wrong.
**Canon:** `~/ops-warden/wiki/CredentialRouting.md` · catalog `~/ops-warden/registry/routing/catalog.yaml`
---
<!-- REPO-AGENTS-EXTENSIONS -->
<!-- Append repo-specific agent instructions below this marker.