Normalize agent instructions and workplan frontmatter (STATE-WP-0067)

- Align agent files with on-disk workplan prefixes (infer from workplan ids)
- Set workplan domain to registered domain_slug; add topic_slug where applicable
- Repair frontmatter delimiter formatting; migrate legacy task status literals
- Regenerate AGENTS.md, CLAUDE.md, and .claude/rules from State Hub templates
2026-06-22 23:16:27 +02:00
parent 30c647ff5b
commit 93e465525f
19 changed files with 70 additions and 58 deletions

@@ -1,11 +1,11 @@
## First Session Protocol
Triggered when `get_domain_summary("netkingdom")` shows **no workstreams**.
Triggered when `get_domain_summary("infotech")` shows **no workstreams**.
The project is registered but work has not yet been structured.
**Step 1 — Read, don't write**
- `~/the-custodian/canon/projects/netkingdom/project_charter_v0.1.md` — purpose, scope
- `~/the-custodian/canon/projects/netkingdom/roadmap_v0.1.md` — planned phases
- `~/the-custodian/canon/projects/infotech/project_charter_v0.1.md` — purpose, scope
- `~/the-custodian/canon/projects/infotech/roadmap_v0.1.md` — planned phases
- Scan repo root: README, directory structure, existing code or docs
**Step 2 — Survey in-progress work**
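Review bot: The two Step 1 canon paths were rewritten from `canon/projects/netkingdom/` to `canon/projects/infotech/` together with the domain slug, but they live under `~/the-custodian/`, outside this repo, so this commit cannot show that the directory was renamed. The charter and roadmap describe the project rather than the domain; confirm both files exist at the new path or keep the project directory name here, otherwise Step 1 points agents at files that are not there.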
@@ -17,20 +17,20 @@ roadmap phase. **Wait for approval before creating.**
**Step 4 — Create workplan file first, then DB record (ADR-001)**
```
workplans/net-kingdom-WP-NNNN-<slug>.md ← write this first
workplans/NK-WP-NNNN-<slug>.md ← write this first
```
Then register in the hub:
```
create_workstream(topic_id="a6c6e745-bf54-4465-9340-1534a2be493e", title="...", owner="...", description="...")
create_workstream(topic_id="cee7bedf-2b48-46ef-8601-006474f2ad7a", title="...", owner="...", description="...")
create_task(workstream_id="<id>", title="...", priority="high|medium|low")
```
**Step 5 — Record the setup**
```
add_progress_event(
summary="First session: structured netkingdom into N workstreams, M tasks",
summary="First session: structured infotech into N workstreams, M tasks",
event_type="milestone",
topic_id="a6c6e745-bf54-4465-9340-1534a2be493e",
topic_id="cee7bedf-2b48-46ef-8601-006474f2ad7a",
detail={"workstreams": [...], "tasks_created": M}
)
```

@@ -1,5 +1,5 @@
**Purpose:** NetKingdom infrastructure and IAM platform — orchestrates SSO/MFA, multi-user onboarding, and the Keycape/Keycloak IAM profile across the NetKingdom environment.
**Domain:** netkingdom
**Domain:** infotech
**Repo slug:** net-kingdom
**Topic ID:** a6c6e745-bf54-4465-9340-1534a2be493e
**Topic ID:** cee7bedf-2b48-46ef-8601-006474f2ad7a

@@ -1,6 +1,7 @@
## Session Protocol
State Hub: http://127.0.0.1:8000
Dev Hub (State Hub API): http://127.0.0.1:8000
MCP server name in `~/.claude.json`: `dev-hub`
**Step 1 — Orient**
@@ -10,7 +11,7 @@ cat .custodian-brief.md
```
Then call the MCP tool for richer cross-domain context when MCP tools are exposed:
```
get_domain_summary("netkingdom")
get_domain_summary("infotech")
```
If MCP tools are unavailable in the current agent session, use the REST API:
```bash
@@ -39,11 +40,11 @@ curl -s -X PATCH "http://127.0.0.1:8000/messages/<id>/read" \
ls workplans/
```
For each file with `status: ready`, `active`, or `blocked`, note pending
`todo`/`in_progress` tasks.
`wait`/`todo`/`progress` tasks.
**Step 4 — Present brief**
1. **Active workstreams** for `netkingdom` — title, task counts, blocking decisions
1. **Active workstreams** for `infotech` — title, task counts, blocking decisions
2. **Pending tasks** from `workplans/` + any `[repo:net-kingdom]` hub tasks
3. **Goal guidance** — if `goal_guidance` in summary:
- `needs_workplan`: surface as top action — *"Repo goal '{title}' has no workplan yet"*
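Review bot: Step 4 item 1 now lists active workstreams for `infotech`, while item 2 still filters by `[repo:net-kingdom]`. Frontmatter elsewhere in this commit carries `domain: infotech` together with `topic_slug: netkingdom`, so the domain is a wider scope than this repo's topic; state whether the brief should narrow to the topic or is meant to cover the whole domain.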
@@ -61,13 +62,13 @@ If no workstreams: follow First Session Protocol (`first-session.md`).
**Session close:**
With MCP tools:
```
add_progress_event(summary="...", topic_id="a6c6e745-bf54-4465-9340-1534a2be493e", workstream_id="<uuid>")
add_progress_event(summary="...", topic_id="cee7bedf-2b48-46ef-8601-006474f2ad7a", workstream_id="<uuid>")
```
Without MCP tools:
```bash
curl -s -X POST http://127.0.0.1:8000/progress/ \
-H "Content-Type: application/json" \
-d '{"topic_id":"a6c6e745-bf54-4465-9340-1534a2be493e","workstream_id":"<uuid>","event_type":"note","summary":"what changed","author":"codex"}'
-d '{"topic_id":"cee7bedf-2b48-46ef-8601-006474f2ad7a","workstream_id":"<uuid>","event_type":"note","summary":"what changed","author":"codex"}'
```
If workplan files were modified, ensure the local copy is up to date first:
```bash

@@ -1,7 +1,7 @@
## Workplan Convention (ADR-001)
File location: `workplans/net-kingdom-WP-NNNN-<slug>.md`
ID prefix: `NET-WP`
File location: `workplans/NK-WP-NNNN-<slug>.md`
ID prefix: `NK-WP-`
Work items originate as files in this repo **before** being registered in the hub.
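Review bot: `ID prefix: NK-WP-` leaves the existing `NET-WP-0017`, `NET-WP-0019` and `NET-WP-0020` workplans, which this commit edits without renaming, outside the documented convention. Add a sentence saying that `NET-WP-` ids are legacy and remain valid, or rename them in a follow-up.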
@@ -12,7 +12,7 @@ repo state, and `finished` when implementation is complete. `stalled` and
`needs_review` are derived health labels, not stored statuses.
Closed workplans may be moved to `workplans/archived/` with a completion-date
prefix: `YYMMDD-net-kingdom-WP-NNNN-<slug>.md`. The frontmatter id remains
prefix: `YYMMDD-NK-WP-NNNN-<slug>.md`. The frontmatter id remains
unchanged; the prefix is only for quick visual reference.
Small opportunistic tasks discovered during another session use **Ad Hoc Tasks**:
@@ -25,4 +25,16 @@ Ecosystem todos from other agents arrive as `[repo:net-kingdom]` hub tasks —
visible at session start. Pick one up by creating the workplan file, then registering
the workstream.
Task blocks use this shape:
```task
id: NK-WP-NNNN-T01
status: wait | todo | progress | done | cancel
priority: high | medium | low
state_hub_task_id: "<uuid>" # written by fix-consistency — do not edit
```
Status progression is `todo``progress``done`; use `wait` for waiting or
blocked work and `cancel` for stopped work.
<!-- Ralph Loop rules and HEUREKA sequence: ~/.claude/CLAUDE.md — do not duplicate here -->
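Review bot: In the added sentence beginning `Status progression is`, the three status code spans are written back to back with nothing between them, so the progression reads as one run of text. The same sentence later in this commit uses `todo` → `progress` → `done`; add the arrows here as well.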

@@ -4,10 +4,10 @@
**Purpose:** NetKingdom infrastructure and IAM platform — orchestrates SSO/MFA, multi-user onboarding, and the Keycape/Keycloak IAM profile across the NetKingdom environment.
**Domain:** netkingdom
**Domain:** infotech
**Repo slug:** net-kingdom
**Topic ID:** `a6c6e745-bf54-4465-9340-1534a2be493e`
**Workplan prefix:** `NET-WP-`
**Topic ID:** `cee7bedf-2b48-46ef-8601-006474f2ad7a`
**Workplan prefix:** `NK-WP-`
---
@@ -28,7 +28,7 @@ there is no MCP server for Codex agents.
cat .custodian-brief.md
# Active workstreams for this domain
curl -s "http://127.0.0.1:8000/workstreams/?topic_id=a6c6e745-bf54-4465-9340-1534a2be493e&status=active" \
curl -s "http://127.0.0.1:8000/workstreams/?topic_id=cee7bedf-2b48-46ef-8601-006474f2ad7a&status=active" \
| python3 -m json.tool
# Check inbox
@@ -63,8 +63,8 @@ Omit `workstream_id` / `task_id` when not applicable.
```bash
curl -s -X PATCH "http://127.0.0.1:8000/tasks/<task_id>" \
-H "Content-Type: application/json" \
-d '{"status": "in_progress"}'
# values: todo | in_progress | done | blocked
-d '{"status": "progress"}'
# values: wait | todo | progress | done | cancel
```
### Flag a task for human review
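Review bot: The example PATCH body changes to `{"status": "progress"}` and the values comment drops `in_progress` and `blocked`, which changes what clients send to `/tasks/<task_id>`, not only how it is documented. Say here or in the commit message that the hub already accepts the new literals and whether the old ones are still accepted during the migration.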
@@ -83,7 +83,7 @@ curl -s -X PATCH "http://127.0.0.1:8000/tasks/<task_id>" \
1. `cat .custodian-brief.md` — domain goal and open workstreams (offline-safe)
2. Check inbox: `GET /messages/?to_agent=net-kingdom&unread_only=true`; mark read
3. Scan workplans: `ls workplans/` — note `status: ready`, `active`, or `blocked` files and open tasks
4. Check blocked tasks: `GET /tasks/?needs_human=true`
4. Check human-needed tasks: `GET /tasks/?needs_human=true`
**During work:**
- Update task statuses in workplan files as tasks progress
@@ -151,6 +151,11 @@ every repo's agent instructions because it is high-frequency, high-risk, and eas
get wrong.
**Canon:** `~/ops-warden/wiki/CredentialRouting.md` · catalog `~/ops-warden/registry/routing/catalog.yaml`
<!-- REPO-AGENTS-EXTENSIONS -->
<!-- Append repo-specific agent instructions below this marker.
The state-hub template sync preserves content after this line. -->
---
## Workplan Convention (ADR-001)
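Review bot: The `REPO-AGENTS-EXTENSIONS` marker is inserted directly above `## Workplan Convention (ADR-001)`, so that section now sits in the region the comment says template sync preserves. The section reads as template content rather than a repo-specific extension; either place the marker after it or confirm the section is meant to be maintained by hand from now on.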
@@ -176,7 +181,7 @@ anything needing analysis, design, approval, dependencies, or multiple phases.
id: NET-WP-NNNN
type: workplan
title: "..."
domain: netkingdom
domain: infotech
repo: net-kingdom
status: proposed | ready | active | blocked | backlog | finished | archived
owner: codex
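Review bot: The frontmatter template still opens with `id: NET-WP-NNNN` although the header of this file now gives the workplan prefix as `NK-WP-`, and the task template in the next hunk keeps `id: NET-WP-NNNN-T01`. Update both so a workplan written from this template matches the stated convention.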
@@ -198,7 +203,7 @@ derived health labels, not frontmatter statuses.
` ` `task
id: NET-WP-NNNN-T01
status: todo | in_progress | done | blocked
status: wait | todo | progress | done | cancel
priority: high | medium | low
state_hub_task_id: "<uuid>" # written by fix-consistency — do not edit
` ` `
@@ -206,7 +211,7 @@ state_hub_task_id: "<uuid>" # written by fix-consistency — do not edit
Task description text.
```
Status progression: `todo` → `in_progress` → `done` (or `blocked`)
Status progression: `todo` → `progress` → `done`; use `wait` for waiting/blocked work and `cancel` for stopped work.
To create a new workplan:
1. Write the file following the format above

@@ -2,7 +2,7 @@
id: NET-WP-0017
type: workplan
title: "IT Security Readiness For User Onboarding"
domain: netkingdom
domain: infotech
repo: net-kingdom
status: finished
owner: codex

@@ -2,7 +2,7 @@
id: NET-WP-0019
type: workplan
title: "T06-adjacent Polish: Non-Root User Lifecycle Dry-Run Automation And Control Surface Improvements"
domain: netkingdom
domain: infotech
repo: net-kingdom
status: finished
owner: codex
@@ -14,8 +14,7 @@ depends_on:
- NET-WP-0018
state_hub_workstream_id: "75d388b6-7ec1-4e1b-8c87-6ff44f953210"
related:
- docs/user-engine-netkingdom-integration-assessment.md (broader user-engine vs net-kingdom fit, gaps, and recommendations)
---
- docs/user-engine-netkingdom-integration-assessment.md (broader user-engine vs net-kingdom fit, gaps, and recommendations)---
# NET-WP-0019 - T06-adjacent Polish: Non-Root User Lifecycle Dry-Run Automation And Control Surface Improvements
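Review bot: The closing frontmatter delimiter is lost in this hunk: the standalone `---` line is removed and `---` is appended to the last `related` entry, so the frontmatter no longer has a terminator on its own line and the entry text now ends in `)---`. The commit message says delimiter formatting is repaired, so this looks like a normalizer bug (a dropped newline before the closing `---`); restore the delimiter on its own line and rerun the check over every workplan touched.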

@@ -2,7 +2,7 @@
id: NET-WP-0020
type: workplan
title: "OpenBao Unseal Custody Models and SSH Automation Path"
domain: net-kingdom
domain: infotech
repo: net-kingdom
status: active
owner: codex

@@ -2,15 +2,14 @@
id: NK-WP-0001
type: workplan
title: "SSO & MFA Platform — Keycloak + privacyIDEA on Kubernetes"
domain: netkingdom
domain: infotech
status: archived
owner: worsch
topic_slug: netkingdom
state_hub_workstream_id: 39263c4b-ef70-4053-b782-350834b7e1be
created: "2026-02-28"
updated: "2026-03-21"
superseded_by: NK-WP-0003
---
superseded_by: NK-WP-0003---
# SSO & MFA Platform — Keycloak + privacyIDEA on Kubernetes
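Review bot: `superseded_by: NK-WP-0003---` fuses the closing frontmatter delimiter into the value, so the reference no longer matches the id `NK-WP-0003` and the frontmatter has no closing `---` line. Put the delimiter back on its own line.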
@@ -148,7 +147,6 @@ systems that do not connect to the cluster Vault.
deployed in-cluster, secrets migrated, ESO operational and injecting secrets
into at least one test workload (0b). Encrypted ops bundle exported and
stored offsite.
---
### T02 — Phase 1: K8s foundations (namespaces, NetworkPolicies, cert-manager)
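Review bot: The hunk header goes from 7 lines to 6, and the line dropped appears to be the standalone `---` between `stored offsite.` and `### T02`. That is a Markdown horizontal rule in the body, not a frontmatter delimiter, so the delimiter repair should be limited to the frontmatter block at the top of the file; check the other workplans for body rules removed the same way.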
@@ -214,7 +212,7 @@ restore drill passed.
```task
id: NK-WP-0001-T04
state_hub_task_id: 6ad1296a-a488-4031-b665-f77030e971ed
status: cancelled
status: cancel
priority: high
note: Cancelled 2026-05-20. privacyIDEA deployment superseded by NK-WP-0003-T04 (privacyIDEA now runs in the live KeyCape stack on RAILIANCE01). This Keycloak-path variant is no longer pursued.
```
@@ -262,7 +260,7 @@ pi-admin enrolled with MFA, trigger-admin created, rate-limiting active.
```task
id: NK-WP-0001-T05
state_hub_task_id: b9f73aa6-9035-4643-9905-64e73a29b298
status: cancelled
status: cancel
priority: high
note: Migrated to NK-WP-0011 (enterprise federation / SAML). Refined there against the deployed KeyCape stack and the OpenBao/flex-auth architecture.
```
@@ -296,7 +294,7 @@ custom image with privacyIDEA JAR deployed and verified.
```task
id: NK-WP-0001-T06
state_hub_task_id: 3b6379a4-a27b-4d25-82be-bc600879f036
status: cancelled
status: cancel
priority: medium
note: Migrated to NK-WP-0011 (enterprise federation / SAML).
```
@@ -330,7 +328,7 @@ modes handled gracefully.
```task
id: NK-WP-0001-T07
state_hub_task_id: c7cf902a-b480-4545-a536-293070945206
status: cancelled
status: cancel
priority: medium
note: Migrated to NK-WP-0011 (enterprise federation / SAML).
```
@@ -373,7 +371,7 @@ audit logs flowing, Keycloak resolver configured.
```task
id: NK-WP-0001-T08
state_hub_task_id: 9cbd1d89-b5bf-491e-9d16-b1c7d57076fb
status: cancelled
status: cancel
priority: medium
note: Migrated to NK-WP-0011 (enterprise federation / SAML).
```

@@ -2,7 +2,7 @@
id: NK-WP-0002
type: workplan
title: "Local Identity — Bootstrap User Store & Minimal OIDC"
domain: netkingdom
domain: infotech
status: completed
owner: worsch
topic_slug: netkingdom
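Review bot: `status: completed` is left untouched here, and `status: done` stays in NK-WP-0006, NK-WP-0007, NK-WP-0008 and NK-WP-0010, although the workplan statuses listed in the agent instructions are `proposed | ready | active | blocked | backlog | finished | archived`. The commit migrates legacy task status literals only; either migrate these workplan-level values too or note why they are excluded.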

@@ -2,7 +2,7 @@
id: NK-WP-0006
type: workplan
title: Recursive platform identity and security architecture
domain: netkingdom
domain: infotech
repo: net-kingdom
status: done
owner: Bernd Worsch

@@ -2,7 +2,7 @@
id: NK-WP-0007
type: workplan
title: Object Storage STS Credential Vending
domain: netkingdom
domain: infotech
repo: net-kingdom
status: done
owner: codex

@@ -2,7 +2,7 @@
id: NK-WP-0008
type: workplan
title: IT Security Architecture Patterns Infospace
domain: netkingdom
domain: infotech
repo: net-kingdom
status: done
owner: codex
@@ -15,8 +15,7 @@ depends_on:
- NK-WP-0006
state_hub_workstream_id: "053c6d96-9396-40c9-a2e5-c36531e7810d"
execution_repo: infospace-bench
infospace_path: infospaces/patterns-of-it-securita-architecture
---
infospace_path: infospaces/patterns-of-it-securita-architecture---
# NK-WP-0008 - IT Security Architecture Patterns Infospace
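Review bot: `infospace_path` now ends in `---` because the closing frontmatter delimiter was joined onto it, so the path value is wrong for anything that resolves it and the frontmatter is left unterminated. Restore `---` on its own line after the `infospace_path` entry.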

@@ -2,7 +2,7 @@
id: NK-WP-0009
type: workplan
title: NetKingdom Security Pattern Tutorials
domain: netkingdom
domain: infotech
repo: net-kingdom
status: proposed
owner: codex

@@ -2,7 +2,7 @@
id: NK-WP-0010
type: workplan
title: Genesis Security Pattern Completion
domain: netkingdom
domain: infotech
repo: net-kingdom
status: done
owner: codex

@@ -2,7 +2,7 @@
id: NK-WP-0011
type: workplan
title: "Enterprise Federation & SAML — Expanded-Mode Keycloak Identity Broker"
domain: netkingdom
domain: infotech
repo: net-kingdom
status: proposed
owner: worsch
@@ -18,8 +18,7 @@ supersedes_tasks:
- NK-WP-0001-T05
- NK-WP-0001-T06
- NK-WP-0001-T07
- NK-WP-0001-T08
---
- NK-WP-0001-T08---
# NK-WP-0011 — Enterprise Federation & SAML (Expanded-Mode Keycloak)
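Review bot: The last `supersedes_tasks` entry becomes `NK-WP-0001-T08---`, which no longer matches the task id `NK-WP-0001-T08` whose note points to this workplan, and the frontmatter loses its closing delimiter. Move `---` back to its own line.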

@@ -2,7 +2,7 @@
id: NK-WP-0012
type: workplan
title: "NetKingdom IAM Profile Specification"
domain: netkingdom
domain: infotech
repo: net-kingdom
status: finished
owner: worsch
@@ -15,8 +15,7 @@ depends_on:
- NK-WP-0006
state_hub_workstream_id: 9b8e4afc-eb71-47d9-8750-799a082b320a
enables:
- NK-WP-0011
---
- NK-WP-0011---
# NK-WP-0012 — NetKingdom IAM Profile Specification
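Review bot: The `enables` entry is rewritten to `NK-WP-0011---`, so the dependency id is wrong and the frontmatter is unterminated. Keep `- NK-WP-0011` and the closing `---` on separate lines.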

@@ -2,7 +2,7 @@
id: NK-WP-0013
type: workplan
title: "Playbook Capability Contract"
domain: netkingdom
domain: infotech
repo: net-kingdom
status: finished
owner: worsch

@@ -2,7 +2,7 @@
id: NK-WP-0014
type: workplan
title: "User Engine Preparation And Boundary Contracts"
domain: netkingdom
domain: infotech
repo: net-kingdom
status: finished
owner: codex