From 1ad3dfac7719dc0de2a3d80d3a2a9d75d05b962e Mon Sep 17 00:00:00 2001
From: tegwick <bernd.worsch@gmail.com>
Date: Fri, 19 Jun 2026 21:13:25 +0200
Subject: [PATCH] Promote kaizen schedule to weekly cadence and add credential
 routing

- Switch coach and optimization agents from daily to weekly Monday crons
- Restore disabled tdd-workflow stanza; quote cron expressions
- Add credential routing guidance to AGENTS.md for Codex/Grok agents
- Wire credential-routing rule into CLAUDE.md for Claude Code sessions
- Scaffold kaizen agent memory files and record failed daily-triage run
---
 .kaizen/agents/coach/memory.md                | 24 +++++++++
 .kaizen/agents/optimization/memory.md         | 24 +++++++++
 .kaizen/schedule.yml                          | 17 +++---
 AGENTS.md                                     | 53 +++++++++++++++++++
 CLAUDE.md                                     |  1 +
 .../daily-triage-2026-06-18-96919365.md       | 29 ++++++++++
 6 files changed, 140 insertions(+), 8 deletions(-)
 create mode 100644 .kaizen/agents/coach/memory.md
 create mode 100644 .kaizen/agents/optimization/memory.md
 create mode 100644 memory/working/daily-triage-2026-06-18-96919365.md

diff --git a/.kaizen/agents/coach/memory.md b/.kaizen/agents/coach/memory.md
new file mode 100644
index 0000000..c0e95e1
--- /dev/null
+++ b/.kaizen/agents/coach/memory.md
@@ -0,0 +1,24 @@
+---
+agent: coach
+project: the-custodian
+last_updated: 2026-06-18
+session_count: 0
+---
+
+## Project Context
+<!-- What this agent knows about the project it works in -->
+
+## Accumulated Findings
+<!-- Patterns, recurring issues, key decisions encountered -->
+
+## What Worked
+<!-- Approaches that produced good results in this project -->
+
+## Watch Points
+<!-- Recurring risks, traps, or areas requiring extra care -->
+
+## Open Threads
+<!-- Things noticed but not yet acted on -->
+
+## Session Log
+<!-- One-line entry per session: date · summary · outcome -->
diff --git a/.kaizen/agents/optimization/memory.md b/.kaizen/agents/optimization/memory.md
new file mode 100644
index 0000000..eef8f1b
--- /dev/null
+++ b/.kaizen/agents/optimization/memory.md
@@ -0,0 +1,24 @@
+---
+agent: optimization
+project: the-custodian
+last_updated: 2026-06-18
+session_count: 0
+---
+
+## Project Context
+<!-- What this agent knows about the project it works in -->
+
+## Accumulated Findings
+<!-- Patterns, recurring issues, key decisions encountered -->
+
+## What Worked
+<!-- Approaches that produced good results in this project -->
+
+## Watch Points
+<!-- Recurring risks, traps, or areas requiring extra care -->
+
+## Open Threads
+<!-- Things noticed but not yet acted on -->
+
+## Session Log
+<!-- One-line entry per session: date · summary · outcome -->
diff --git a/.kaizen/schedule.yml b/.kaizen/schedule.yml
index f52562c..d1a2599 100644
--- a/.kaizen/schedule.yml
+++ b/.kaizen/schedule.yml
@@ -1,17 +1,18 @@
-# Kaizen scheduled agent execution (ADR-005)
-# Engagement: coulomb-loop — stabilize phase (daily crons per ADR-003)
-# Promoted 2026-06-18 after 3/3 bootstrap E2E cycles
+# Kaizen scheduled agent execution manifest (ADR-005)
+# Engagement: coulomb-loop — weekly operate cadence
+# Regulator promotes cadence per customer engagement policy (ADR-003).
+# Validate with: kaizen-agentic schedule validate
 version: '1'
 timezone: Europe/Berlin
 agents:
   coach:
-    cadence: daily
-    cron: "0 9 * * *"
+    cadence: weekly
+    cron: "0 9 * * 1"
     enabled: true
   optimization:
-    cadence: daily
-    cron: "0 10 * * *"
+    cadence: weekly
+    cron: "0 10 * * 1"
     enabled: true
   tdd-workflow:
     cadence: monthly
-    enabled: false
\ No newline at end of file
+    enabled: false
diff --git a/AGENTS.md b/AGENTS.md
index 2a3fa67..f93c3fb 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -101,6 +101,59 @@ curl -s -X PATCH "http://127.0.0.1:8000/tasks/<task_id>" \
 
 ---
 
+## Credential and access routing
+
+**Audience:** Codex, Claude Code, Grok, and custodian agents that call **llm-connect**
+for inference. Run this check **before** requesting secrets, API keys, SSH access,
+login tokens, or database passwords — in any repo, not only `ops-warden`.
+
+ops-warden **issues SSH certificates only** (`warden sign`, `cert_command`). Every
+other credential need belongs to another subsystem. **Do not** message
+`ops-warden` on State Hub expecting a secret value; the reply is a pointer, not a key.
+
+### Lookup (do this first)
+
+```bash
+warden route find "<describe your need>" --json
+warden route show <catalog-id> --json
+```
+
+Requires the `warden` CLI from `~/ops-warden` (`uv tool install .` or `uv run warden`).
+
+| Agent runtime | How to orient |
+| --- | --- |
+| **Codex / Grok** (shell, HTTP State Hub) | `warden route` commands above; inbox `to_agent=the-custodian` is for coordination, not secret vending |
+| **Claude Code** (MCP when available) | `get_domain_summary("custodian")` for workstreams; **still** use `warden route` for credential ownership |
+| **llm-connect** (inference service) | Never put secret retrieval in prompts; route custody to OpenBao/operator paths surfaced by `warden route` |
+
+### Quick routing table
+
+| I need… | Owner | ops-warden executes? |
+| --- | --- | --- |
+| SSH cert (`adm`/`agt`/`atm`) | ops-warden | **Yes** — `warden sign` |
+| API key, DB password, provider token | OpenBao (`railiance-platform`) | No — route only |
+| Login / OIDC / MFA | key-cape / Keycloak | No — route only |
+| Authorization decision | flex-auth | No — route only |
+| activity-core → issue-core emission | activity-core + issue-core | No — `warden route show activity-core-issue-sink` |
+| SSH tunnel | ops-bridge (+ `cert_command` from warden) | No — route only |
+
+### Anti-patterns (do not do these)
+
+- `POST /messages/` to `ops-warden` asking for `ISSUE_CORE_API_KEY`, `OPENROUTER_API_KEY`, etc.
+- Inventing `warden secret`, `warden login`, `warden bao`, `warden tunnel` — they do not exist
+- Pasting secrets into Git, State Hub, workplans, logs, or chat
+
+### Other capabilities (reuse-surface)
+
+Non-credential capabilities are usually discovered through **reuse-surface** federation
+(`reuse-surface` registry / `capability.*` indexes). Credential routing is inlined in
+every repo's agent instructions because it is high-frequency, high-risk, and easy to
+get wrong.
+
+**Canon:** `~/ops-warden/wiki/CredentialRouting.md` · catalog `~/ops-warden/registry/routing/catalog.yaml`
+
+---
+
 ## Workplan Convention (ADR-001)
 
 Work items originate as files in this repo — not in the hub. The hub is a
diff --git a/CLAUDE.md b/CLAUDE.md
index 1e568e8..f8c0694 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -8,4 +8,5 @@
 @.claude/rules/stack-and-commands.md
 @.claude/rules/architecture.md
 @.claude/rules/repo-boundary.md
+@.claude/rules/credential-routing.md
 @.claude/rules/agents.md
diff --git a/memory/working/daily-triage-2026-06-18-96919365.md b/memory/working/daily-triage-2026-06-18-96919365.md
new file mode 100644
index 0000000..0479494
--- /dev/null
+++ b/memory/working/daily-triage-2026-06-18-96919365.md
@@ -0,0 +1,29 @@
+---
+type: working-memory
+source: activity-core
+activity_id: 6fca51fa-387a-4fd0-bc4e-d62c29eb859a
+activity_core_run_id: 96919365-c608-55c1-8aeb-d165d71c342d
+instruction_id: daily-triage-report
+scheduled_for: None
+output_validated: false
+review_required: true
+model: custodian-triage-balanced
+prompt_hash: 
+created: 2026-06-18T06:07:49.563454+00:00
+---
+
+# Daily State Hub WSJF Triage - 2026-06-18
+
+Instruction daily-triage-report could not run; operator review is required.
+
+Validation error:
+
+`LLM_CONNECT_URL is not configured`
+
+```json
+{
+  "status": "execution_failed",
+  "summary": "Instruction daily-triage-report could not run; operator review is required.",
+  "validation_error": "LLM_CONNECT_URL is not configured"
+}
+```