coulomb/the-custodian
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Promote kaizen schedule to weekly cadence and add credential routing

Browse Source 
- Switch coach and optimization agents from daily to weekly Monday crons
- Restore disabled tdd-workflow stanza; quote cron expressions
- Add credential routing guidance to AGENTS.md for Codex/Grok agents
- Wire credential-routing rule into CLAUDE.md for Claude Code sessions
- Scaffold kaizen agent memory files and record failed daily-triage run
This commit is contained in:
Bernd Worsch
2026-06-19 21:13:25 +02:00
parent e14b0bf356
commit 1ad3dfac77
6 changed files with 140 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
.kaizen/agents/coach/memory.md Normal file
View File

@@ -0,0 +1,24 @@
---
agent: coach
project: the-custodian
last_updated: 2026-06-18
session_count: 0
---
## Project Context
<!-- What this agent knows about the project it works in -->
## Accumulated Findings
<!-- Patterns, recurring issues, key decisions encountered -->
## What Worked
<!-- Approaches that produced good results in this project -->
## Watch Points
<!-- Recurring risks, traps, or areas requiring extra care -->
## Open Threads
<!-- Things noticed but not yet acted on -->
## Session Log
<!-- One-line entry per session: date · summary · outcome -->

24
.kaizen/agents/optimization/memory.md Normal file
View File

@@ -0,0 +1,24 @@
---
agent: optimization
project: the-custodian
last_updated: 2026-06-18
session_count: 0
---
## Project Context
<!-- What this agent knows about the project it works in -->
## Accumulated Findings
<!-- Patterns, recurring issues, key decisions encountered -->
## What Worked
<!-- Approaches that produced good results in this project -->
## Watch Points
<!-- Recurring risks, traps, or areas requiring extra care -->
## Open Threads
<!-- Things noticed but not yet acted on -->
## Session Log
<!-- One-line entry per session: date · summary · outcome -->

17
.kaizen/schedule.yml
View File

@@ -1,17 +1,18 @@
# Kaizen scheduled agent execution (ADR-005)
# Engagement: coulomb-loop — stabilize phase (daily crons per ADR-003)
# Promoted 2026-06-18 after 3/3 bootstrap E2E cycles
# Kaizen scheduled agent execution manifest (ADR-005)
# Engagement: coulomb-loop — weekly operate cadence
# Regulator promotes cadence per customer engagement policy (ADR-003).
# Validate with: kaizen-agentic schedule validate
version: '1'
timezone: Europe/Berlin
agents:
coach:
cadence: daily
cron: "0 9 * * *"
cadence: weekly
cron: "0 9 * * 1"
enabled: true
optimization:
cadence: daily
cron: "0 10 * * *"
cadence: weekly
cron: "0 10 * * 1"
enabled: true
tdd-workflow:
cadence: monthly
enabled: false
enabled: false

53
AGENTS.md
View File

@@ -101,6 +101,59 @@ curl -s -X PATCH "http://127.0.0.1:8000/tasks/<task_id>" \
---
## Credential and access routing
**Audience:** Codex, Claude Code, Grok, and custodian agents that call **llm-connect**
for inference. Run this check **before** requesting secrets, API keys, SSH access,
login tokens, or database passwords — in any repo, not only `ops-warden`.
ops-warden **issues SSH certificates only** (`warden sign`, `cert_command`). Every
other credential need belongs to another subsystem. **Do not** message
`ops-warden` on State Hub expecting a secret value; the reply is a pointer, not a key.
### Lookup (do this first)
```bash
warden route find "<describe your need>" --json
warden route show <catalog-id> --json
```
Requires the `warden` CLI from `~/ops-warden` (`uv tool install .` or `uv run warden`).
| Agent runtime | How to orient |
| --- | --- |
| **Codex / Grok** (shell, HTTP State Hub) | `warden route` commands above; inbox `to_agent=the-custodian` is for coordination, not secret vending |
| **Claude Code** (MCP when available) | `get_domain_summary("custodian")` for workstreams; **still** use `warden route` for credential ownership |
| **llm-connect** (inference service) | Never put secret retrieval in prompts; route custody to OpenBao/operator paths surfaced by `warden route` |
### Quick routing table
| I need… | Owner | ops-warden executes? |
| --- | --- | --- |
| SSH cert (`adm`/`agt`/`atm`) | ops-warden | **Yes** — `warden sign` |
| API key, DB password, provider token | OpenBao (`railiance-platform`) | No — route only |
| Login / OIDC / MFA | key-cape / Keycloak | No — route only |
| Authorization decision | flex-auth | No — route only |
| activity-core → issue-core emission | activity-core + issue-core | No — `warden route show activity-core-issue-sink` |
| SSH tunnel | ops-bridge (+ `cert_command` from warden) | No — route only |
### Anti-patterns (do not do these)
- `POST /messages/` to `ops-warden` asking for `ISSUE_CORE_API_KEY`, `OPENROUTER_API_KEY`, etc.
- Inventing `warden secret`, `warden login`, `warden bao`, `warden tunnel` — they do not exist
- Pasting secrets into Git, State Hub, workplans, logs, or chat
### Other capabilities (reuse-surface)
Non-credential capabilities are usually discovered through **reuse-surface** federation
(`reuse-surface` registry / `capability.*` indexes). Credential routing is inlined in
every repo's agent instructions because it is high-frequency, high-risk, and easy to
get wrong.
**Canon:** `~/ops-warden/wiki/CredentialRouting.md` · catalog `~/ops-warden/registry/routing/catalog.yaml`
---
## Workplan Convention (ADR-001)
Work items originate as files in this repo — not in the hub. The hub is a

1
CLAUDE.md
View File

@@ -8,4 +8,5 @@
@.claude/rules/stack-and-commands.md
@.claude/rules/architecture.md
@.claude/rules/repo-boundary.md
@.claude/rules/credential-routing.md
@.claude/rules/agents.md

29
memory/working/daily-triage-2026-06-18-96919365.md Normal file
View File

@@ -0,0 +1,29 @@
---
type: working-memory
source: activity-core
activity_id: 6fca51fa-387a-4fd0-bc4e-d62c29eb859a
activity_core_run_id: 96919365-c608-55c1-8aeb-d165d71c342d
instruction_id: daily-triage-report
scheduled_for: None
output_validated: false
review_required: true
model: custodian-triage-balanced
prompt_hash:
created: 2026-06-18T06:07:49.563454+00:00
---
# Daily State Hub WSJF Triage - 2026-06-18
Instruction daily-triage-report could not run; operator review is required.
Validation error:
`LLM_CONNECT_URL is not configured`
```json
{
"status": "execution_failed",
"summary": "Instruction daily-triage-report could not run; operator review is required.",
"validation_error": "LLM_CONNECT_URL is not configured"
}
```