From 465a778c1fbe22b9ba1684389a1973504874ee3a Mon Sep 17 00:00:00 2001 From: tegwick Date: Mon, 18 May 2026 16:55:43 +0200 Subject: [PATCH] Refresh agent instruction files --- .claude/rules/agents.md | 20 ++++ .claude/rules/architecture.md | 8 ++ .claude/rules/first-session.md | 38 +++++++ .claude/rules/repo-boundary.md | 8 ++ .claude/rules/repo-identity.md | 5 + .claude/rules/session-protocol.md | 84 ++++++++++++++ .claude/rules/stack-and-commands.md | 19 ++++ .claude/rules/workplan-convention.md | 28 +++++ AGENTS.md | 162 +++++++++++++++++++++++++++ CLAUDE.md | 147 ++---------------------- 10 files changed, 381 insertions(+), 138 deletions(-) create mode 100644 .claude/rules/agents.md create mode 100644 .claude/rules/architecture.md create mode 100644 .claude/rules/first-session.md create mode 100644 .claude/rules/repo-boundary.md create mode 100644 .claude/rules/repo-identity.md create mode 100644 .claude/rules/session-protocol.md create mode 100644 .claude/rules/stack-and-commands.md create mode 100644 .claude/rules/workplan-convention.md create mode 100644 AGENTS.md diff --git a/.claude/rules/agents.md b/.claude/rules/agents.md new file mode 100644 index 0000000..0e8a5d9 --- /dev/null +++ b/.claude/rules/agents.md @@ -0,0 +1,20 @@ +## Kaizen Agents + +Specialized agent personas available on demand via the state-hub MCP. + +**Discover:** `list_kaizen_agents()` — returns all agents with name, description, category +**Load:** `get_kaizen_agent("tdd-workflow")` — returns full instructions; read and follow them + +Common agents: + +| Agent | Category | When to use | +|-------|----------|-------------| +| `tdd-workflow` | testing | Step-by-step TDD8 workflow for any feature | +| `code-refactoring` | quality | Code quality analysis and safe refactoring | +| `test-maintenance` | testing | Diagnose and fix failing tests | +| `requirements-engineering` | process | Prevent interface/mock mismatches upfront | +| `keepaTodofile` | process | Maintain TODO.md during work | +| `project-management` | process | Track status, determine next steps | +| `datamodel-optimization` | quality | Optimize dataclasses and data structures | + +All 17 agents: call `list_kaizen_agents()` for the full list. diff --git a/.claude/rules/architecture.md b/.claude/rules/architecture.md new file mode 100644 index 0000000..7c2a645 --- /dev/null +++ b/.claude/rules/architecture.md @@ -0,0 +1,8 @@ +## Architecture + + + +## Quick Reference + +`~/state-hub/mcp_server/TOOLS.md` — MCP tool reference diff --git a/.claude/rules/first-session.md b/.claude/rules/first-session.md new file mode 100644 index 0000000..58f2cc7 --- /dev/null +++ b/.claude/rules/first-session.md @@ -0,0 +1,38 @@ +## First Session Protocol + +Triggered when `get_domain_summary("netkingdom")` shows **no workstreams**. +The project is registered but work has not yet been structured. + +**Step 1 — Read, don't write** +- `~/the-custodian/canon/projects/netkingdom/project_charter_v0.1.md` — purpose, scope +- `~/the-custodian/canon/projects/netkingdom/roadmap_v0.1.md` — planned phases +- Scan repo root: README, directory structure, existing code or docs + +**Step 2 — Survey in-progress work** +Look for TODOs, open branches, half-finished files. Note done vs. started but incomplete. + +**Step 3 — Propose workstreams to Bernd** +Propose 1–3 workstreams — each a coherent strand, weeks to months, anchored to a +roadmap phase. **Wait for approval before creating.** + +**Step 4 — Create workplan file first, then DB record (ADR-001)** +``` +workplans/key-cape-WP-NNNN-.md ← write this first +``` +Then register in the hub: +``` +create_workstream(topic_id="a6c6e745-bf54-4465-9340-1534a2be493e", title="...", owner="...", description="...") +create_task(workstream_id="", title="...", priority="high|medium|low") +``` + +**Step 5 — Record the setup** +``` +add_progress_event( + summary="First session: structured netkingdom into N workstreams, M tasks", + event_type="milestone", + topic_id="a6c6e745-bf54-4465-9340-1534a2be493e", + detail={"workstreams": [...], "tasks_created": M} +) +``` + + diff --git a/.claude/rules/repo-boundary.md b/.claude/rules/repo-boundary.md new file mode 100644 index 0000000..b74d916 --- /dev/null +++ b/.claude/rules/repo-boundary.md @@ -0,0 +1,8 @@ +## Repo boundary + +This repo owns **KeyCape** only. It does not own: + + diff --git a/.claude/rules/repo-identity.md b/.claude/rules/repo-identity.md new file mode 100644 index 0000000..55343f4 --- /dev/null +++ b/.claude/rules/repo-identity.md @@ -0,0 +1,5 @@ +**Purpose:** Lightweight IAM profile implementation for NetKingdom — "prepare for Keycloak without Keycloak". Implements the NetKingdom IAM Profile (OIDC/PKCE) via Authelia + LLDAP + privacyIDEA, with migration path to Keycloak in expanded mode. + +**Domain:** netkingdom +**Repo slug:** key-cape +**Topic ID:** a6c6e745-bf54-4465-9340-1534a2be493e diff --git a/.claude/rules/session-protocol.md b/.claude/rules/session-protocol.md new file mode 100644 index 0000000..c80ea41 --- /dev/null +++ b/.claude/rules/session-protocol.md @@ -0,0 +1,84 @@ +## Session Protocol + +State Hub: http://127.0.0.1:8000 + +**Step 1 — Orient** + +Read the offline-safe brief first — it works without a live hub connection: +```bash +cat .custodian-brief.md +``` +Then call the MCP tool for richer cross-domain context when MCP tools are exposed: +``` +get_domain_summary("netkingdom") +``` +If MCP tools are unavailable in the current agent session, use the REST API: +```bash +curl -s "http://127.0.0.1:8000/state/summary" | python3 -m json.tool +``` +If the hub is offline: `cd ~/state-hub && make api` + +**Step 2 — Check inbox** +With MCP tools: +``` +get_messages(to_agent="key-cape", unread_only=True) +``` +Mark read with `mark_message_read(message_id)`. Reply or act on coordination +requests before proceeding. + +Without MCP tools: +```bash +curl -s "http://127.0.0.1:8000/messages/?to_agent=key-cape&unread_only=true" \ + | python3 -m json.tool +curl -s -X PATCH "http://127.0.0.1:8000/messages//read" \ + -H "Content-Type: application/json" -d '{}' +``` + +**Step 3 — Scan workplans** +```bash +ls workplans/ +``` +For each file with `status: ready`, `active`, or `blocked`, note pending +`todo`/`in_progress` tasks. + +**Step 4 — Present brief** + +1. **Active workstreams** for `netkingdom` — title, task counts, blocking decisions +2. **Pending tasks** from `workplans/` + any `[repo:key-cape]` hub tasks +3. **Goal guidance** — if `goal_guidance` in summary: + - `needs_workplan`: surface as top action — *"Repo goal '{title}' has no workplan yet"* + - `alignment_warnings`: flag if active work is not aligned with current goal +4. **Suggested next action** — highest-priority open item +5. **SBOM status** — flag if `last_sbom_at` is unset for this repo + +If no workstreams: follow First Session Protocol (`first-session.md`). + +**During work:** `record_decision()` · `add_progress_event()` · `resolve_decision()` + +> State Hub is a *read model*. Bootstrap tools (`create_workstream`, `create_task`) +> are First Session Protocol only. Work structure belongs in repo files (ADR-001). + +**Session close:** +With MCP tools: +``` +add_progress_event(summary="...", topic_id="a6c6e745-bf54-4465-9340-1534a2be493e", workstream_id="") +``` +Without MCP tools: +```bash +curl -s -X POST http://127.0.0.1:8000/progress/ \ + -H "Content-Type: application/json" \ + -d '{"topic_id":"a6c6e745-bf54-4465-9340-1534a2be493e","workstream_id":"","event_type":"note","summary":"what changed","author":"codex"}' +``` +If workplan files were modified, ensure the local copy is up to date first: +```bash +git -C pull --ff-only +cd ~/state-hub && make fix-consistency REPO=key-cape +``` +For repos where implementation runs on a remote machine (e.g. CoulombCore), +use the combined target which pulls before fixing: +```bash +cd ~/state-hub && make fix-consistency-remote REPO=key-cape +``` +**C-15** (DB task ahead of file) is normal in multi-machine workflows — writeback +will sync the file to match DB. **C-16** (repo behind remote) blocks all writes +until you pull — intentional to prevent clobbering remote progress. diff --git a/.claude/rules/stack-and-commands.md b/.claude/rules/stack-and-commands.md new file mode 100644 index 0000000..dc53ac6 --- /dev/null +++ b/.claude/rules/stack-and-commands.md @@ -0,0 +1,19 @@ +## Stack + + +- **Language:** +- **Key deps:** + +## Dev Commands + +```bash +# TODO: Fill in the standard commands for this repo + +# Install dependencies + +# Run tests + +# Lint / type check + +# Build / package (if applicable) +``` diff --git a/.claude/rules/workplan-convention.md b/.claude/rules/workplan-convention.md new file mode 100644 index 0000000..9e3608c --- /dev/null +++ b/.claude/rules/workplan-convention.md @@ -0,0 +1,28 @@ +## Workplan Convention (ADR-001) + +File location: `workplans/key-cape-WP-NNNN-.md` +ID prefix: `KEY-WP` + +Work items originate as files in this repo **before** being registered in the hub. + +Canonical workplan/workstream frontmatter statuses are: +`proposed`, `ready`, `active`, `blocked`, `backlog`, `finished`, `archived`. +Use `proposed` for a newly drafted plan, `ready` after review against current +repo state, and `finished` when implementation is complete. `stalled` and +`needs_review` are derived health labels, not stored statuses. + +Closed workplans may be moved to `workplans/archived/` with a completion-date +prefix: `YYMMDD-key-cape-WP-NNNN-.md`. The frontmatter id remains +unchanged; the prefix is only for quick visual reference. + +Small opportunistic tasks discovered during another session use **Ad Hoc Tasks**: +`workplans/ADHOC-YYYY-MM-DD.md`, workstream slug `adhoc-YYYY-MM-DD`, and task ids +`ADHOC-YYYY-MM-DD-T01`, `T02`, etc. Use adhocs only for low-risk work completed +directly. Promote anything requiring analysis, design, approval, dependencies, or +multiple planned phases into a normal workplan. + +Ecosystem todos from other agents arrive as `[repo:key-cape]` hub tasks — +visible at session start. Pick one up by creating the workplan file, then registering +the workstream. + + diff --git a/AGENTS.md b/AGENTS.md new file mode 100644 index 0000000..cb416cc --- /dev/null +++ b/AGENTS.md @@ -0,0 +1,162 @@ +# KeyCape — Agent Instructions + +## Repo Identity + +**Purpose:** Lightweight IAM profile implementation for NetKingdom — "prepare for Keycloak without Keycloak". Implements the NetKingdom IAM Profile (OIDC/PKCE) via Authelia + LLDAP + privacyIDEA, with migration path to Keycloak in expanded mode. + +**Domain:** netkingdom +**Repo slug:** key-cape +**Topic ID:** `a6c6e745-bf54-4465-9340-1534a2be493e` +**Workplan prefix:** `KEY-WP-` + +--- + +## State Hub Integration + +The Custodian State Hub tracks work across all domains. Interact via HTTP REST — +there is no MCP server for Codex agents. + +| Context | URL | +|---------|-----| +| Local workstation | `http://127.0.0.1:8000` | +| Remote via tunnel | `http://127.0.0.1:18000` | + +### Orient at session start + +```bash +# Offline brief — works without hub connection +cat .custodian-brief.md + +# Active workstreams for this domain +curl -s "http://127.0.0.1:8000/workstreams/?topic_id=a6c6e745-bf54-4465-9340-1534a2be493e&status=active" \ + | python3 -m json.tool + +# Check inbox +curl -s "http://127.0.0.1:8000/messages/?to_agent=key-cape&unread_only=true" \ + | python3 -m json.tool +``` + +Mark a message read: +```bash +curl -s -X PATCH "http://127.0.0.1:8000/messages//read" \ + -H "Content-Type: application/json" -d '{}' +``` + +### Log progress (required at session close) + +```bash +curl -s -X POST http://127.0.0.1:8000/progress/ \ + -H "Content-Type: application/json" \ + -d '{ + "summary": "what was done", + "event_type": "note", + "author": "codex", + "workstream_id": "", + "task_id": "" + }' +``` + +Omit `workstream_id` / `task_id` when not applicable. + +### Update task status + +```bash +curl -s -X PATCH "http://127.0.0.1:8000/tasks/" \ + -H "Content-Type: application/json" \ + -d '{"status": "in_progress"}' +# values: todo | in_progress | done | blocked +``` + +### Flag a task for human review + +```bash +curl -s -X PATCH "http://127.0.0.1:8000/tasks/" \ + -H "Content-Type: application/json" \ + -d '{"needs_human": true, "intervention_note": "reason"}' +``` + +--- + +## Session Protocol + +**Start:** +1. `cat .custodian-brief.md` — domain goal and open workstreams (offline-safe) +2. Check inbox: `GET /messages/?to_agent=key-cape&unread_only=true`; mark read +3. Scan workplans: `ls workplans/` — note `status: ready`, `active`, or `blocked` files and open tasks +4. Check blocked tasks: `GET /tasks/?needs_human=true` + +**During work:** +- Update task statuses in workplan files as tasks progress +- Record significant decisions via `POST /decisions/` + +**Close:** +1. Update workplan file task statuses to reflect progress +2. Log: `POST /progress/` with a summary of what changed +3. Note for the custodian operator: after workplan file changes, run from + `~/state-hub`: + ```bash + make fix-consistency REPO=key-cape + ``` + This syncs task status from files into the hub DB. + +--- + +## Workplan Convention (ADR-001) + +Work items originate as files in this repo — not in the hub. The hub is a +read/cache/index layer that rebuilds from files. + +**File location:** `workplans/KEY-WP-NNNN-.md` + +**Archived location:** finished workplans may move to +`workplans/archived/YYMMDD-KEY-WP-NNNN-.md`. The `YYMMDD` prefix is +the completion/archive date; the frontmatter `id` does not change. + +**Ad Hoc Tasks:** small opportunistic fixes discovered during a session use +`workplans/ADHOC-YYYY-MM-DD.md` with task ids `ADHOC-YYYY-MM-DD-T01`, etc. Use +this only for low-risk work completed directly; create a normal workplan for +anything needing analysis, design, approval, dependencies, or multiple phases. + +**Frontmatter:** + +```yaml +--- +id: KEY-WP-NNNN +type: workplan +title: "..." +domain: netkingdom +repo: key-cape +status: proposed | ready | active | blocked | backlog | finished | archived +owner: codex +topic_slug: ... +created: "YYYY-MM-DD" +updated: "YYYY-MM-DD" +state_hub_workstream_id: "" # written by fix-consistency — do not edit +--- +``` + +Use `proposed` for a new draft, `ready` after review against current repo +state, and `finished` after implementation. `stalled` and `needs_review` are +derived health labels, not frontmatter statuses. + +**Task block format** (one per `##` section): + +``` +## Task Title + +` ` `task +id: KEY-WP-NNNN-T01 +status: todo | in_progress | done | blocked +priority: high | medium | low +state_hub_task_id: "" # written by fix-consistency — do not edit +` ` ` + +Task description text. +``` + +Status progression: `todo` → `in_progress` → `done` (or `blocked`) + +To create a new workplan: +1. Write the file following the format above +2. Notify the custodian operator to run `make fix-consistency REPO=key-cape` + (or send a message to the hub agent via `POST /messages/`) diff --git a/CLAUDE.md b/CLAUDE.md index f11069c..759e715 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -1,140 +1,11 @@ -# CLAUDE.md - -This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. - # KeyCape — Claude Code Instructions -## What This Repo Is - -**KeyCape** is the lightweight IAM component of NetKingdom. - -> *"Prepare for Keycloak without Keycloak"* - -KeyCape implements the **NetKingdom IAM Profile** — a versioned OIDC/PKCE contract -that NetKingdom applications integrate against. It orchestrates: - -| Component | Role | -|--------------|-------------------------------| -| Authelia | OIDC provider / session / tokens | -| LLDAP | Lightweight identity directory | -| privacyIDEA | MFA authority | - -Keycape is intentionally replaceable by **Keycloak** in expanded mode. All apps -must target the profile, not Keycape or Keycloak incidentals. - -## Custodian State Hub Integration - -- **Domain:** `netkingdom` -- **Repo ID:** `8a99bb74-1ec0-4478-ac70-35a7cddb0e3c` -- **State Hub API:** `http://127.0.0.1:8000` (run `cd ~/the-custodian/state-hub && make api` if offline) - -### Session Protocol - -**Start of every session:** -```bash -cat .custodian-brief.md # offline-safe orientation, always read first -``` -Then call for richer context (skip if MCP unreachable): -``` -get_domain_summary("netkingdom") -``` -This gives the full picture of active workstreams, blocking decisions, and recent -progress for the NetKingdom domain at ~10% of the cost of `get_state_summary()`. - -**During work:** -- `record_decision()` for any architectural choice (profile extensions, backend selection, etc.) -- `add_progress_event()` for milestones, blockers, discoveries -- `resolve_decision()` once a decision is closed - -**End of every session:** -``` -add_progress_event(summary="...", event_type="...", workstream_id="") -``` - -After modifying workplan files, run: -``` -cd ~/the-custodian/state-hub && make fix-consistency REPO=key-cape -``` - -## Key Documents - -| Document | Path | Purpose | -|---|---|---| -| Keycape Specification v0.1 | `wiki/KeyCapeSpecification_v0.1.md` | Architecture, design intent, objectives | -| Normative Specification Pack v0.1 | `wiki/KeyCapeSpecificationPack_v0.1.md` | Normative spec for implementation agents: identity model, LDAP schema, error taxonomy, telemetry, migration contract, acceptance test matrix | - -## Architecture - -``` -key-cape/ - wiki/ # Specifications (read before implementing) - workplans/ # Implementation workplans (ADR-001 convention) - src/ # Implementation (to be created) - tests/ # Test suite (to be created) -``` - -### Lightweight mode stack - -``` -Application ──→ NetKingdom IAM Profile - │ - KeyCape ←── config translation, claim normalization - / | \ - Authelia LLDAP privacyIDEA -``` - -### Expanded mode stack (Keycape → Keycloak) - -``` -Application ──→ NetKingdom IAM Profile - │ - Keycloak (same profile, different runtime) - / \ - LDAP privacyIDEA -``` - -## Implementation Priorities (from spec) - -1. **Profile endpoints** — OIDC discovery, authorization, token, JWKS, userinfo -2. **Canonical identity model** — product-neutral user/group/client schema -3. **Claim normalization** — stable claim set regardless of backend quirks -4. **Unsupported-feature enforcement** — structured errors, never silent emulation -5. **Telemetry** — demand visibility for unsupported features and auth events -6. **Migration tooling** — export/validate for LLDAP → Keycloak path - -## Normative Constraints (from spec — binding on implementation) - -**Never silently emulate unsupported features.** Any request outside the profile MUST fail with a structured error from this taxonomy: -- `feature_not_supported_by_profile` — outside the NetKingdom IAM Profile entirely -- `available_in_keycloak_mode_only` — exists in expanded mode, absent here by design -- `rejected_for_profile_safety` — would weaken profile guarantees or security discipline -- `invalid_profile_usage` — supported endpoint/feature used incorrectly - -**Security hard rules:** No handwritten cryptography. No handwritten password hashing. Use established protocol and crypto libraries. Strict redirect URI validation. Strict issuer consistency. - -**Canonical identity model** is the source of truth for test fixtures, provisioning, migration, and validation — not any backend's native schema. - -**Spec Pack structure** (`wiki/KeyCapeSpecificationPack_v0.1.md`) contains 7 normative components agents must read before implementing: -1. Normative Specification — OIDC/PKCE contract, endpoints, scopes, claims, client model, MFA -2. Canonical Identity Schema — User, Group, Membership, Client, Role, MFAEnrollmentReference, etc. -3. Canonical LDAP Schema + Validator Rules — restricted LDAP expression of identity model -4. Error Taxonomy — machine-readable/human-readable/loggable structured errors -5. Telemetry Schema — event types, required fields (timestamp, env, client_id, endpoint, feature_category, correlation_id, …) -6. Migration Contract — LLDAP → full LDAP, KeyCape → Keycloak migration paths -7. Acceptance Test Matrix — lightweight baseline, IAM replacement, full expansion, negative profile tests - -## Workplan Convention (ADR-001) - -Workplans live in `workplans/-.md` with YAML frontmatter: -```yaml -id: KEY-WP-0001 -type: workplan -title: "..." -domain: netkingdom -repo: key-cape -status: todo|active|done -owner: Bernd -topic_slug: netkingdom -``` - -Tasks are embedded as `## Task Title\n```task\nid: ...\nstatus: todo\n```\n` blocks. +@SCOPE.md +@.claude/rules/repo-identity.md +@.claude/rules/session-protocol.md +@.claude/rules/first-session.md +@.claude/rules/workplan-convention.md +@.claude/rules/stack-and-commands.md +@.claude/rules/architecture.md +@.claude/rules/repo-boundary.md +@.claude/rules/agents.md