From 93e465525f781a875923002d9528cf658c54edfd Mon Sep 17 00:00:00 2001 From: tegwick Date: Mon, 22 Jun 2026 23:16:27 +0200 Subject: [PATCH] Normalize agent instructions and workplan frontmatter (STATE-WP-0067) - Align agent files with on-disk workplan prefixes (infer from workplan ids) - Set workplan domain to registered domain_slug; add topic_slug where applicable - Repair frontmatter delimiter formatting; migrate legacy task status literals - Regenerate AGENTS.md, CLAUDE.md, and .claude/rules from State Hub templates --- .claude/rules/first-session.md | 14 +++++------ .claude/rules/repo-identity.md | 4 +-- .claude/rules/session-protocol.md | 13 +++++----- .claude/rules/workplan-convention.md | 18 ++++++++++--- AGENTS.md | 25 +++++++++++-------- ...-security-readiness-for-user-onboarding.md | 2 +- ...-adjacent-user-lifecycle-dry-run-polish.md | 5 ++-- ...enbao-unseal-custody-and-ssh-automation.md | 2 +- workplans/NK-WP-0001-sso-mfa-platform.md | 16 ++++++------ workplans/NK-WP-0002-local-identity.md | 2 +- ...platform-identity-security-architecture.md | 2 +- ...7-object-storage-sts-credential-vending.md | 2 +- ...ecurity-architecture-patterns-infospace.md | 5 ++-- ...9-netkingdom-security-pattern-tutorials.md | 2 +- ...010-genesis-security-pattern-completion.md | 2 +- .../NK-WP-0011-enterprise-federation-saml.md | 5 ++-- .../NK-WP-0012-iam-profile-specification.md | 5 ++-- ...NK-WP-0013-playbook-capability-contract.md | 2 +- ...r-engine-preparation-boundary-contracts.md | 2 +- 19 files changed, 70 insertions(+), 58 deletions(-) diff --git a/.claude/rules/first-session.md b/.claude/rules/first-session.md index 7f6c552..d11964d 100644 --- a/.claude/rules/first-session.md +++ b/.claude/rules/first-session.md 
@@ -1,11 +1,11 @@ ## First Session Protocol -Triggered when `get_domain_summary("netkingdom")` shows **no workstreams**. +Triggered when `get_domain_summary("infotech")` shows **no workstreams**. The project is registered but work has not yet been structured. **Step 1 — Read, don't write** -- `~/the-custodian/canon/projects/netkingdom/project_charter_v0.1.md` — purpose, scope -- `~/the-custodian/canon/projects/netkingdom/roadmap_v0.1.md` — planned phases +- `~/the-custodian/canon/projects/infotech/project_charter_v0.1.md` — purpose, scope +- `~/the-custodian/canon/projects/infotech/roadmap_v0.1.md` — planned phases - Scan repo root: README, directory structure, existing code or docs **Step 2 — Survey in-progress work** @@ -17,20 +17,20 @@ roadmap phase. **Wait for approval before creating.** **Step 4 — Create workplan file first, then DB record (ADR-001)** ``` -workplans/net-kingdom-WP-NNNN-.md ← write this first +workplans/NK-WP-NNNN-.md ← write this first ``` Then register in the hub: ``` -create_workstream(topic_id="a6c6e745-bf54-4465-9340-1534a2be493e", title="...", owner="...", description="...") +create_workstream(topic_id="cee7bedf-2b48-46ef-8601-006474f2ad7a", title="...", owner="...", description="...") create_task(workstream_id="", title="...", priority="high|medium|low") ``` **Step 5 — Record the setup** ``` add_progress_event( - summary="First session: structured netkingdom into N workstreams, M tasks", + summary="First session: structured infotech into N workstreams, M tasks", event_type="milestone", - topic_id="a6c6e745-bf54-4465-9340-1534a2be493e", + topic_id="cee7bedf-2b48-46ef-8601-006474f2ad7a", detail={"workstreams": [...], "tasks_created": M} ) ``` diff --git a/.claude/rules/repo-identity.md b/.claude/rules/repo-identity.md index e10dc9a..007c5bf 100644 --- a/.claude/rules/repo-identity.md +++ b/.claude/rules/repo-identity.md 
@@ -1,5 +1,5 @@ **Purpose:** NetKingdom infrastructure and IAM platform — orchestrates SSO/MFA, multi-user onboarding, and the Keycape/Keycloak IAM profile across the NetKingdom environment. -**Domain:** netkingdom +**Domain:** infotech **Repo slug:** net-kingdom -**Topic ID:** a6c6e745-bf54-4465-9340-1534a2be493e +**Topic ID:** cee7bedf-2b48-46ef-8601-006474f2ad7a diff --git a/.claude/rules/session-protocol.md b/.claude/rules/session-protocol.md index 1e2821f..5529e4f 100644 --- a/.claude/rules/session-protocol.md +++ b/.claude/rules/session-protocol.md @@ -1,6 +1,7 @@ ## Session Protocol -State Hub: http://127.0.0.1:8000 +Dev Hub (State Hub API): http://127.0.0.1:8000 +MCP server name in `~/.claude.json`: `dev-hub` **Step 1 — Orient** @@ -10,7 +11,7 @@ cat .custodian-brief.md ``` Then call the MCP tool for richer cross-domain context when MCP tools are exposed: ``` -get_domain_summary("netkingdom") +get_domain_summary("infotech") ``` If MCP tools are unavailable in the current agent session, use the REST API: ```bash @@ -39,11 +40,11 @@ curl -s -X PATCH "http://127.0.0.1:8000/messages//read" \ ls workplans/ ``` For each file with `status: ready`, `active`, or `blocked`, note pending -`todo`/`in_progress` tasks. +`wait`/`todo`/`progress` tasks. **Step 4 — Present brief** -1. **Active workstreams** for `netkingdom` — title, task counts, blocking decisions +1. **Active workstreams** for `infotech` — title, task counts, blocking decisions 2. **Pending tasks** from `workplans/` + any `[repo:net-kingdom]` hub tasks 3. **Goal guidance** — if `goal_guidance` in summary: - `needs_workplan`: surface as top action — *"Repo goal '{title}' has no workplan yet"* 
@@ -61,13 +62,13 @@ If no workstreams: follow First Session Protocol (`first-session.md`). **Session close:** With MCP tools: ``` -add_progress_event(summary="...", topic_id="a6c6e745-bf54-4465-9340-1534a2be493e", workstream_id="") +add_progress_event(summary="...", topic_id="cee7bedf-2b48-46ef-8601-006474f2ad7a", workstream_id="") ``` Without MCP tools: ```bash curl -s -X POST http://127.0.0.1:8000/progress/ \ -H "Content-Type: application/json" \ - -d '{"topic_id":"a6c6e745-bf54-4465-9340-1534a2be493e","workstream_id":"","event_type":"note","summary":"what changed","author":"codex"}' + -d '{"topic_id":"cee7bedf-2b48-46ef-8601-006474f2ad7a","workstream_id":"","event_type":"note","summary":"what changed","author":"codex"}' ``` If workplan files were modified, ensure the local copy is up to date first: ```bash diff --git a/.claude/rules/workplan-convention.md b/.claude/rules/workplan-convention.md index 8a96828..1ce4319 100644 --- a/.claude/rules/workplan-convention.md +++ b/.claude/rules/workplan-convention.md @@ -1,7 +1,7 @@ ## Workplan Convention (ADR-001) -File location: `workplans/net-kingdom-WP-NNNN-.md` -ID prefix: `NET-WP` +File location: `workplans/NK-WP-NNNN-.md` +ID prefix: `NK-WP-` Work items originate as files in this repo **before** being registered in the hub. @@ -12,7 +12,7 @@ repo state, and `finished` when implementation is complete. `stalled` and `needs_review` are derived health labels, not stored statuses. Closed workplans may be moved to `workplans/archived/` with a completion-date -prefix: `YYMMDD-net-kingdom-WP-NNNN-.md`. The frontmatter id remains +prefix: `YYMMDD-NK-WP-NNNN-.md`. The frontmatter id remains unchanged; the prefix is only for quick visual reference. Small opportunistic tasks discovered during another session use **Ad Hoc Tasks**: 
@@ -25,4 +25,16 @@ Ecosystem todos from other agents arrive as `[repo:net-kingdom]` hub tasks — visible at session start. Pick one up by creating the workplan file, then registering the workstream. +Task blocks use this shape: + +```task +id: NK-WP-NNNN-T01 +status: wait | todo | progress | done | cancel +priority: high | medium | low +state_hub_task_id: "" # written by fix-consistency — do not edit +``` + +Status progression is `todo` → `progress` → `done`; use `wait` for waiting or +blocked work and `cancel` for stopped work. + diff --git a/AGENTS.md b/AGENTS.md index 37ec454..857f935 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -4,10 +4,10 @@ **Purpose:** NetKingdom infrastructure and IAM platform — orchestrates SSO/MFA, multi-user onboarding, and the Keycape/Keycloak IAM profile across the NetKingdom environment. -**Domain:** netkingdom +**Domain:** infotech **Repo slug:** net-kingdom -**Topic ID:** `a6c6e745-bf54-4465-9340-1534a2be493e` -**Workplan prefix:** `NET-WP-` +**Topic ID:** `cee7bedf-2b48-46ef-8601-006474f2ad7a` +**Workplan prefix:** `NK-WP-` --- @@ -28,7 +28,7 @@ there is no MCP server for Codex agents. cat .custodian-brief.md # Active workstreams for this domain -curl -s "http://127.0.0.1:8000/workstreams/?topic_id=a6c6e745-bf54-4465-9340-1534a2be493e&status=active" \ +curl -s "http://127.0.0.1:8000/workstreams/?topic_id=cee7bedf-2b48-46ef-8601-006474f2ad7a&status=active" \ | python3 -m json.tool # Check inbox @@ -63,8 +63,8 @@ Omit `workstream_id` / `task_id` when not applicable. ```bash curl -s -X PATCH "http://127.0.0.1:8000/tasks/" \ -H "Content-Type: application/json" \ - -d '{"status": "in_progress"}' -# values: todo | in_progress | done | blocked + -d '{"status": "progress"}' +# values: wait | todo | progress | done | cancel ``` ### Flag a task for human review 
@@ -83,7 +83,7 @@ curl -s -X PATCH "http://127.0.0.1:8000/tasks/" \ 1. `cat .custodian-brief.md` — domain goal and open workstreams (offline-safe) 2. Check inbox: `GET /messages/?to_agent=net-kingdom&unread_only=true`; mark read 3. Scan workplans: `ls workplans/` — note `status: ready`, `active`, or `blocked` files and open tasks -4. Check blocked tasks: `GET /tasks/?needs_human=true` +4. Check human-needed tasks: `GET /tasks/?needs_human=true` **During work:** - Update task statuses in workplan files as tasks progress @@ -151,6 +151,11 @@ every repo's agent instructions because it is high-frequency, high-risk, and eas get wrong. **Canon:** `~/ops-warden/wiki/CredentialRouting.md` · catalog `~/ops-warden/registry/routing/catalog.yaml` + + + + --- ## Workplan Convention (ADR-001) @@ -176,7 +181,7 @@ anything needing analysis, design, approval, dependencies, or multiple phases. id: NET-WP-NNNN type: workplan title: "..." -domain: netkingdom +domain: infotech repo: net-kingdom status: proposed | ready | active | blocked | backlog | finished | archived owner: codex @@ -198,7 +203,7 @@ derived health labels, not frontmatter statuses. ` ` `task id: NET-WP-NNNN-T01 -status: todo | in_progress | done | blocked +status: wait | todo | progress | done | cancel priority: high | medium | low state_hub_task_id: "" # written by fix-consistency — do not edit ` ` ` @@ -206,7 +211,7 @@ state_hub_task_id: "" # written by fix-consistency — do not edit Task description text. ``` -Status progression: `todo` → `in_progress` → `done` (or `blocked`) +Status progression: `todo` → `progress` → `done`; use `wait` for waiting/blocked work and `cancel` for stopped work. To create a new workplan: 1. Write the file following the format above diff --git a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md index 12aa0c3..f36661b 100644 --- a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md 
+++ b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md @@ -2,7 +2,7 @@ id: NET-WP-0017 type: workplan title: "IT Security Readiness For User Onboarding" -domain: netkingdom +domain: infotech repo: net-kingdom status: finished owner: codex diff --git a/workplans/NET-WP-0019-t06-adjacent-user-lifecycle-dry-run-polish.md b/workplans/NET-WP-0019-t06-adjacent-user-lifecycle-dry-run-polish.md index 5e7bd27..0acbc54 100644 --- a/workplans/NET-WP-0019-t06-adjacent-user-lifecycle-dry-run-polish.md +++ b/workplans/NET-WP-0019-t06-adjacent-user-lifecycle-dry-run-polish.md @@ -2,7 +2,7 @@ id: NET-WP-0019 type: workplan title: "T06-adjacent Polish: Non-Root User Lifecycle Dry-Run Automation And Control Surface Improvements" -domain: netkingdom +domain: infotech repo: net-kingdom status: finished owner: codex @@ -14,8 +14,7 @@ depends_on: - NET-WP-0018 state_hub_workstream_id: "75d388b6-7ec1-4e1b-8c87-6ff44f953210" related: - - docs/user-engine-netkingdom-integration-assessment.md (broader user-engine vs net-kingdom fit, gaps, and recommendations) ---- + - docs/user-engine-netkingdom-integration-assessment.md (broader user-engine vs net-kingdom fit, gaps, and recommendations)--- # NET-WP-0019 - T06-adjacent Polish: Non-Root User Lifecycle Dry-Run Automation And Control Surface Improvements diff --git a/workplans/NET-WP-0020-openbao-unseal-custody-and-ssh-automation.md b/workplans/NET-WP-0020-openbao-unseal-custody-and-ssh-automation.md index 4156dae..5c23090 100644 --- a/workplans/NET-WP-0020-openbao-unseal-custody-and-ssh-automation.md +++ b/workplans/NET-WP-0020-openbao-unseal-custody-and-ssh-automation.md @@ -2,7 +2,7 @@ id: NET-WP-0020 type: workplan title: "OpenBao Unseal Custody Models and SSH Automation Path" -domain: net-kingdom +domain: infotech repo: net-kingdom status: active owner: codex diff --git a/workplans/NK-WP-0001-sso-mfa-platform.md b/workplans/NK-WP-0001-sso-mfa-platform.md index 26a5a3b..a3aa6eb 100644 
--- a/workplans/NK-WP-0001-sso-mfa-platform.md +++ b/workplans/NK-WP-0001-sso-mfa-platform.md @@ -2,15 +2,14 @@ id: NK-WP-0001 type: workplan title: "SSO & MFA Platform — Keycloak + privacyIDEA on Kubernetes" -domain: netkingdom +domain: infotech status: archived owner: worsch topic_slug: netkingdom state_hub_workstream_id: 39263c4b-ef70-4053-b782-350834b7e1be created: "2026-02-28" updated: "2026-03-21" -superseded_by: NK-WP-0003 ---- +superseded_by: NK-WP-0003--- # SSO & MFA Platform — Keycloak + privacyIDEA on Kubernetes @@ -148,7 +147,6 @@ systems that do not connect to the cluster Vault. deployed in-cluster, secrets migrated, ESO operational and injecting secrets into at least one test workload (0b). Encrypted ops bundle exported and stored offsite. - --- ### T02 — Phase 1: K8s foundations (namespaces, NetworkPolicies, cert-manager) @@ -214,7 +212,7 @@ restore drill passed. ```task id: NK-WP-0001-T04 state_hub_task_id: 6ad1296a-a488-4031-b665-f77030e971ed -status: cancelled +status: cancel priority: high note: Cancelled 2026-05-20. privacyIDEA deployment superseded by NK-WP-0003-T04 (privacyIDEA now runs in the live KeyCape stack on RAILIANCE01). This Keycloak-path variant is no longer pursued. ``` @@ -262,7 +260,7 @@ pi-admin enrolled with MFA, trigger-admin created, rate-limiting active. ```task id: NK-WP-0001-T05 state_hub_task_id: b9f73aa6-9035-4643-9905-64e73a29b298 -status: cancelled +status: cancel priority: high note: Migrated to NK-WP-0011 (enterprise federation / SAML). Refined there against the deployed KeyCape stack and the OpenBao/flex-auth architecture. ``` @@ -296,7 +294,7 @@ custom image with privacyIDEA JAR deployed and verified. ```task id: NK-WP-0001-T06 state_hub_task_id: 3b6379a4-a27b-4d25-82be-bc600879f036 -status: cancelled +status: cancel priority: medium note: Migrated to NK-WP-0011 (enterprise federation / SAML). ``` 
@@ -330,7 +328,7 @@ modes handled gracefully. ```task id: NK-WP-0001-T07 state_hub_task_id: c7cf902a-b480-4545-a536-293070945206 -status: cancelled +status: cancel priority: medium note: Migrated to NK-WP-0011 (enterprise federation / SAML). ``` @@ -373,7 +371,7 @@ audit logs flowing, Keycloak resolver configured. ```task id: NK-WP-0001-T08 state_hub_task_id: 9cbd1d89-b5bf-491e-9d16-b1c7d57076fb -status: cancelled +status: cancel priority: medium note: Migrated to NK-WP-0011 (enterprise federation / SAML). ``` diff --git a/workplans/NK-WP-0002-local-identity.md b/workplans/NK-WP-0002-local-identity.md index 1b33fb5..ad97d03 100644 --- a/workplans/NK-WP-0002-local-identity.md +++ b/workplans/NK-WP-0002-local-identity.md @@ -2,7 +2,7 @@ id: NK-WP-0002 type: workplan title: "Local Identity — Bootstrap User Store & Minimal OIDC" -domain: netkingdom +domain: infotech status: completed owner: worsch topic_slug: netkingdom diff --git a/workplans/NK-WP-0006-recursive-platform-identity-security-architecture.md b/workplans/NK-WP-0006-recursive-platform-identity-security-architecture.md index 5b5c1c2..a9e5d59 100644 --- a/workplans/NK-WP-0006-recursive-platform-identity-security-architecture.md +++ b/workplans/NK-WP-0006-recursive-platform-identity-security-architecture.md @@ -2,7 +2,7 @@ id: NK-WP-0006 type: workplan title: Recursive platform identity and security architecture -domain: netkingdom +domain: infotech repo: net-kingdom status: done owner: Bernd Worsch diff --git a/workplans/NK-WP-0007-object-storage-sts-credential-vending.md b/workplans/NK-WP-0007-object-storage-sts-credential-vending.md index 6c3b98b..7c0aa98 100644 --- a/workplans/NK-WP-0007-object-storage-sts-credential-vending.md +++ b/workplans/NK-WP-0007-object-storage-sts-credential-vending.md @@ -2,7 +2,7 @@ id: NK-WP-0007 type: workplan title: Object Storage STS Credential Vending -domain: netkingdom +domain: infotech repo: net-kingdom status: done owner: codex 
diff --git a/workplans/NK-WP-0008-it-security-architecture-patterns-infospace.md b/workplans/NK-WP-0008-it-security-architecture-patterns-infospace.md index 3cdf277..33f2876 100644 --- a/workplans/NK-WP-0008-it-security-architecture-patterns-infospace.md +++ b/workplans/NK-WP-0008-it-security-architecture-patterns-infospace.md @@ -2,7 +2,7 @@ id: NK-WP-0008 type: workplan title: IT Security Architecture Patterns Infospace -domain: netkingdom +domain: infotech repo: net-kingdom status: done owner: codex @@ -15,8 +15,7 @@ depends_on: - NK-WP-0006 state_hub_workstream_id: "053c6d96-9396-40c9-a2e5-c36531e7810d" execution_repo: infospace-bench -infospace_path: infospaces/patterns-of-it-securita-architecture ---- +infospace_path: infospaces/patterns-of-it-securita-architecture--- # NK-WP-0008 - IT Security Architecture Patterns Infospace diff --git a/workplans/NK-WP-0009-netkingdom-security-pattern-tutorials.md b/workplans/NK-WP-0009-netkingdom-security-pattern-tutorials.md index 9fe60a8..197c0f4 100644 --- a/workplans/NK-WP-0009-netkingdom-security-pattern-tutorials.md +++ b/workplans/NK-WP-0009-netkingdom-security-pattern-tutorials.md @@ -2,7 +2,7 @@ id: NK-WP-0009 type: workplan title: NetKingdom Security Pattern Tutorials -domain: netkingdom +domain: infotech repo: net-kingdom status: proposed owner: codex diff --git a/workplans/NK-WP-0010-genesis-security-pattern-completion.md b/workplans/NK-WP-0010-genesis-security-pattern-completion.md index b706430..951c2e6 100644 --- a/workplans/NK-WP-0010-genesis-security-pattern-completion.md +++ b/workplans/NK-WP-0010-genesis-security-pattern-completion.md @@ -2,7 +2,7 @@ id: NK-WP-0010 type: workplan title: Genesis Security Pattern Completion -domain: netkingdom +domain: infotech repo: net-kingdom status: done owner: codex diff --git a/workplans/NK-WP-0011-enterprise-federation-saml.md b/workplans/NK-WP-0011-enterprise-federation-saml.md index 5c35204..6df4836 100644 --- a/workplans/NK-WP-0011-enterprise-federation-saml.md 
+++ b/workplans/NK-WP-0011-enterprise-federation-saml.md @@ -2,7 +2,7 @@ id: NK-WP-0011 type: workplan title: "Enterprise Federation & SAML — Expanded-Mode Keycloak Identity Broker" -domain: netkingdom +domain: infotech repo: net-kingdom status: proposed owner: worsch @@ -18,8 +18,7 @@ supersedes_tasks: - NK-WP-0001-T05 - NK-WP-0001-T06 - NK-WP-0001-T07 - - NK-WP-0001-T08 ---- + - NK-WP-0001-T08--- # NK-WP-0011 — Enterprise Federation & SAML (Expanded-Mode Keycloak) diff --git a/workplans/NK-WP-0012-iam-profile-specification.md b/workplans/NK-WP-0012-iam-profile-specification.md index b2fbaf0..0898038 100644 --- a/workplans/NK-WP-0012-iam-profile-specification.md +++ b/workplans/NK-WP-0012-iam-profile-specification.md @@ -2,7 +2,7 @@ id: NK-WP-0012 type: workplan title: "NetKingdom IAM Profile Specification" -domain: netkingdom +domain: infotech repo: net-kingdom status: finished owner: worsch @@ -15,8 +15,7 @@ depends_on: - NK-WP-0006 state_hub_workstream_id: 9b8e4afc-eb71-47d9-8750-799a082b320a enables: - - NK-WP-0011 ---- + - NK-WP-0011--- # NK-WP-0012 — NetKingdom IAM Profile Specification diff --git a/workplans/NK-WP-0013-playbook-capability-contract.md b/workplans/NK-WP-0013-playbook-capability-contract.md index 29a7cb9..848a594 100644 --- a/workplans/NK-WP-0013-playbook-capability-contract.md +++ b/workplans/NK-WP-0013-playbook-capability-contract.md @@ -2,7 +2,7 @@ id: NK-WP-0013 type: workplan title: "Playbook Capability Contract" -domain: netkingdom +domain: infotech repo: net-kingdom status: finished owner: worsch diff --git a/workplans/NK-WP-0014-user-engine-preparation-boundary-contracts.md b/workplans/NK-WP-0014-user-engine-preparation-boundary-contracts.md index 32c7074..8a3f153 100644 --- a/workplans/NK-WP-0014-user-engine-preparation-boundary-contracts.md +++ b/workplans/NK-WP-0014-user-engine-preparation-boundary-contracts.md 
@@ -2,7 +2,7 @@ id: NK-WP-0014 type: workplan title: "User Engine Preparation And Boundary Contracts" -domain: netkingdom +domain: infotech repo: net-kingdom status: finished owner: codex
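Review bot: The closing frontmatter delimiter is fused onto the last YAML line in five workplans: NET-WP-0019 (`...gaps, and recommendations)---`), NK-WP-0001 (`superseded_by: NK-WP-0003---`), NK-WP-0008 (`infospace_path: infospaces/patterns-of-it-securita-architecture---`), NK-WP-0011 (`- NK-WP-0001-T08---`) and NK-WP-0012 (`- NK-WP-0011---`). Each of those hunks removes the standalone `---` line, so the frontmatter block is no longer terminated and the last value now ends in `---`, which is the opposite of the "Repair frontmatter delimiter formatting" item in the commit message. Restore `---` on its own line in all five files, and have the normalizer refuse to write a file whose frontmatter does not have exactly two delimiter lines.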
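Review bot: In workplans/NK-WP-0001-sso-mfa-platform.md, hunk `@@ -148,7 +147,6 @@` drops the blank line between the paragraph ending "Encrypted ops bundle exported and stored offsite." and the `---` rule that precedes "### T02". A `---` line directly under paragraph text is a setext heading underline in Markdown, so that paragraph will render as a level-2 heading instead of being followed by a horizontal rule. Keep the blank line before the rule.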
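Review bot: AGENTS.md now declares the workplan prefix as `NK-WP-`, but the frontmatter template and the task block further down the same file still read `id: NET-WP-NNNN` and `id: NET-WP-NNNN-T01` in the unchanged context of hunks `@@ -176,7 +181,7 @@` and `@@ -198,7 +203,7 @@`, while .claude/rules/workplan-convention.md uses `id: NK-WP-NNNN-T01`. NET-WP-0017, NET-WP-0019 and NET-WP-0020 also keep their `NET-WP` ids and filenames. Update the AGENTS.md templates to `NK-WP-NNNN`, and either rename the three NET-WP files in this change or state in the convention that they are kept under the old prefix, so an agent reading AGENTS.md does not create new ids with it.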
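Review bot: The status migration covers task blocks only and leaves workplan-level statuses outside the documented set: the context lines show `status: completed` in NK-WP-0002 and `status: done` in NK-WP-0006, NK-WP-0007, NK-WP-0008 and NK-WP-0010, whereas AGENTS.md lists `proposed | ready | active | blocked | backlog | finished | archived`. Since these frontmatter blocks are already being touched for the `domain` change, map both literals to `finished` in the same pass, or document them as accepted values if the hub treats them as valid.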
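Review bot: In .claude/rules/first-session.md the domain rename also rewrites the canon paths to `~/the-custodian/canon/projects/infotech/...`, and every topic id becomes `cee7bedf-2b48-46ef-8601-006474f2ad7a`, while the workplans keep `topic_slug: netkingdom` and their existing `state_hub_workstream_id` values. Confirm that the charter and roadmap are stored under `projects/infotech/` rather than under the topic slug, and that the existing workstreams are attached to the new topic id. If either is not the case, Step 1 points at files that do not exist and the `GET /workstreams/?topic_id=...&status=active` call in AGENTS.md returns nothing for this repo.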