npm - @bluefly/openstandardagents - Versions diffs - 0.3.0 → 0.3.2 - Mend

@bluefly/openstandardagents 0.3.0 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (406) hide show

package/spec/v0.3.2/agent-test.schema.json ADDED Viewed

@@ -0,0 +1,75 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://openstandardagents.org/schemas/v0.3.1/agent-test.json",
+  "title": "OSSA AgentTest Resource",
+  "description": "Test definition for OSSA agents - declarative testing framework for agent behavior, performance, and compliance validation",
+  "type": "object",
+  "required": [
+    "apiVersion",
+    "kind",
+    "metadata",
+    "spec"
+  ],
+  "properties": {
+    "apiVersion": {
+      "type": "string",
+      "const": "ossa/v0.3.1",
+      "description": "OSSA API version for AgentTest resources"
+    },
+    "kind": {
+      "type": "string",
+      "const": "AgentTest",
+      "description": "Resource type identifier"
+    },
+    "metadata": {
+      "$ref": "#/definitions/Metadata",
+      "description": "Test resource metadata including name, version, and labels"
+    },
+    "spec": {
+      "$ref": "#/definitions/TestSpec",
+      "description": "Test specification including target, scenarios, and configuration"
+    }
+  },
+  "definitions": {
+    "Metadata": {
+      "type": "object",
+      "required": [
+        "name"
+      ],
+      "properties": {
+        "name": {
+          "type": "string",
+          "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$",
+          "maxLength": 253,
+          "description": "Test suite identifier (DNS-1123 subdomain format)"
+        },
+        "version": {
+          "type": "string",
+          "pattern": "^(0|[1-9]\\\\d*)\\\\.(0|[1-9]\\\\d*)\\\\.(0|[1-9]\\\\d*)(?:-((?:0|[1-9]\\\\d*|\\\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\\\.(?:0|[1-9]\\\\d*|\\\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\\\+([0-9a-zA-Z-]+(?:\\\\.[0-9a-zA-Z-]+)*))?$",
+          "description": "Test suite version (semver 2.0.0)"
+        },
+        "description": {
+          "type": "string",
+          "maxLength": 2000,
+          "description": "Human-readable test suite description"
+        },
+        "labels": {
+          "type": "object",
+          "additionalProperties": {
+            "type": "string",
+            "maxLength": 63
+          },
+          "description": "Labels for test categorization (e.g., team, compliance-level, test-type)"
+        },
+        "annotations": {
+          "type": "object",
+          "additionalProperties": {
+            "type": "string"
+          },
+          "description": "Arbitrary metadata for tooling integration"
+        }
+      },
+      "additionalProperties": false
+    }
+  }
+}

package/spec/v0.3.2/examples/access-tiers/README.md ADDED Viewed

@@ -0,0 +1,106 @@
+# OSSA v0.3.2 Access Tiers Examples
+This directory contains example agent manifests demonstrating the **Access Tiers** and **Separation of Duties** features introduced in OSSA v0.3.2.
+## Access Tier Hierarchy
+| Tier | Name | Description | Example Agents |
+|------|------|-------------|----------------|
+| `tier_1_read` | Read Only (Analyzers) | Cannot modify state | Scanners, Reviewers, Monitors |
+| `tier_2_write_limited` | Write Limited (Workers) | Sandboxed writes only | Doc generators, Test writers |
+| `tier_3_write_elevated` | Write Elevated (Operators) | Production access with approval | Deployers, Infrastructure operators |
+| `tier_4_policy` | Policy (Governors) | Defines policies, CANNOT execute | Compliance governors |
+## Examples
+### Tier 1: Read Only
+- **[security-scanner.ossa.yaml](./security-scanner.ossa.yaml)** - Vulnerability scanner that cannot remediate
+- **[code-critic.ossa.yaml](./code-critic.ossa.yaml)** - Code reviewer that cannot approve
+### Tier 2: Write Limited
+- **[doc-generator.ossa.yaml](./doc-generator.ossa.yaml)** - Documentation generator with sandboxed access
+### Tier 3: Write Elevated
+- **[deployment-operator.ossa.yaml](./deployment-operator.ossa.yaml)** - Deployment agent with approval chains
+### Tier 4: Policy
+- **[compliance-governor.ossa.yaml](./compliance-governor.ossa.yaml)** - Policy definer that cannot execute
+## Key Separation Rules
+### Critic-Executor Separation
+Agents that review/critique **cannot** also approve/execute:
+- Reviewers cannot approve MRs
+- Auditors cannot remediate findings
+- Critics cannot merge changes
+### Governor-Executor Separation
+Policy-defining agents **cannot** execute policies:
+- Governors define rules, operators enforce them
+- Policy definers cannot modify infrastructure
+- Compliance agents cannot remediate directly
+### Read-Write Separation (Sensitive Domains)
+In security/compliance domains, readers should not write:
+- Scanners cannot remediate
+- Auditors cannot fix violations
+- Monitors cannot modify configurations
+## Usage in Agent Manifests
+```yaml
+apiVersion: ossa/v0.3.2
+kind: Agent
+metadata:
+  name: my-agent
+  labels:
+    access_tier: tier_1_read  # Label for filtering
+spec:
+  type: analyzer  # Agent type aligned with tiers
+  # Taxonomy classification
+  taxonomy:
+    domain: security
+    subdomain: vulnerability
+    capability: scan_code
+    concerns:
+      - quality
+      - governance
+  # Access tier configuration
+  access:
+    tier: tier_1_read
+    permissions:
+      - read_code
+      - read_configs
+    prohibited:
+      - write_*
+    audit_level: standard
+  # Role separation
+  separation:
+    role: scanner
+    conflicts_with:
+      - remediator
+      - executor
+    prohibited_actions:
+      - execute
+      - merge
+```
+## Validation
+Use the OSSA CLI to validate access tier compliance:
+```bash
+ossa validate manifest.yaml --check-separation
+ossa audit --tier-violations
+```
+## Related Specifications
+- [access_tiers.yaml](../../access_tiers.yaml) - Full access tier definitions
+- [taxonomy.yaml](../../taxonomy.yaml) - Domain taxonomy with tier mappings
+- [ossa-0.3.2.schema.json](../../ossa-0.3.2.schema.json) - JSON Schema with tier validation

package/spec/v0.3.2/examples/access-tiers/code-critic.ossa.yaml ADDED Viewed

@@ -0,0 +1,119 @@
+# =============================================================================
+# OSSA v0.3.2 - Critic Example: Code Reviewer (Cannot Approve)
+# =============================================================================
+# Demonstrates critic-executor separation rule
+# Critics can review and provide feedback but CANNOT approve or merge
+# =============================================================================
+apiVersion: ossa/v0.3.2
+kind: Agent
+metadata:
+  name: code-critic
+  version: 1.0.0
+  description: Code review critic - provides feedback, cannot approve
+  labels:
+    team: platform
+    access_tier: tier_1_read
+    domain: development
+spec:
+  type: critic
+  role: |
+    You are a code review critic that analyzes merge requests and provides
+    detailed feedback on code quality, architecture, and best practices.
+    CRITICAL SEPARATION RULE:
+    - You CANNOT approve merge requests
+    - You CANNOT merge changes
+    - You CANNOT execute code modifications
+    - You can ONLY provide feedback and recommendations
+    Your role is to critique, not to approve. Approvals must come from
+    human reviewers or designated approver agents (which you cannot be).
+  llm:
+    provider: anthropic
+    model: claude-sonnet-4-20250514
+    temperature: 0.2
+  # Taxonomy Classification (v0.3.2+)
+  taxonomy:
+    domain: development
+    subdomain: code-review
+    capability: review_code
+    concerns:
+      - quality
+      - architecture
+  # Access Tier Configuration (v0.3.2+)
+  access:
+    tier: tier_1_read
+    permissions:
+      - read_code
+      - read_configs
+      - read_mrs
+      - read_issues
+      - execute_queries
+    prohibited:
+      - write_*
+      - merge_mrs
+      - approve
+    audit_level: standard
+    requires_approval: false
+  # Separation of Duties (v0.3.2+)
+  separation:
+    role: critic
+    conflicts_with:
+      - approver
+      - executor
+      - merger
+    prohibited_actions:
+      - approve
+      - merge
+      - execute
+  tools:
+    - name: gitlab-mr-reader
+      type: api
+      config:
+        endpoint: https://gitlab.com/api/v4
+        methods:
+          - GET
+        scopes:
+          - read_api
+    - name: code-analyzer
+      type: mcp
+      config:
+        server: code-analysis-mcp-server
+  autonomy:
+    level: semi_autonomous
+    allowed_actions:
+      - read_code
+      - analyze_mr
+      - post_comment
+      - request_changes
+    blocked_actions:
+      - approve_mr
+      - merge_mr
+      - execute_code
+  messaging:
+    publishes:
+      - channel: reviews.feedback
+        description: Code review feedback for merge requests
+        schema:
+          type: object
+          properties:
+            mr_id:
+              type: integer
+            feedback_type:
+              type: string
+              enum: [comment, request_changes, praise]
+            issues_found:
+              type: array
+            recommendations:
+              type: array

package/spec/v0.3.2/examples/access-tiers/compliance-governor.ossa.yaml ADDED Viewed

@@ -0,0 +1,234 @@
+# =============================================================================
+# OSSA v0.3.2 - Tier 4 (Policy) Example: Compliance Governor
+# =============================================================================
+# Demonstrates separation of duties for policy-defining governor agents
+# ISOLATED: Can define policies but CANNOT execute - must delegate to Tier 3
+# =============================================================================
+apiVersion: ossa/v0.3.2
+kind: Agent
+metadata:
+  name: compliance-governor
+  version: 1.0.0
+  description: Compliance policy governor - defines policies, cannot execute
+  labels:
+    team: security
+    access_tier: tier_4_policy
+    domain: security
+spec:
+  type: governor
+  role: |
+    You are a compliance governance agent responsible for defining and
+    publishing security and compliance policies. You monitor policy adherence
+    and report violations.
+    CRITICAL ISOLATION RULES:
+    - You CANNOT execute remediation actions directly
+    - You CANNOT modify code or infrastructure
+    - You MUST delegate execution to tier_3_write_elevated operators
+    - You define WHAT should happen, not HOW to do it
+    Your role is legislative, not executive. You define the rules;
+    operators enforce them.
+  llm:
+    provider: anthropic
+    model: claude-sonnet-4-20250514
+    temperature: 0.0
+    profile: safe
+  # Taxonomy Classification (v0.3.2+)
+  taxonomy:
+    domain: security
+    subdomain: compliance
+    capability: define_policies
+    concerns:
+      - governance
+      - quality
+      - reliability
+  # Access Tier Configuration (v0.3.2+)
+  access:
+    tier: tier_4_policy
+    permissions:
+      - read_code
+      - read_configs
+      - read_metrics
+      - read_logs
+      - read_issues
+      - read_mrs
+      - define_policies
+      - publish_policies
+      - audit_compliance
+      - report_violations
+    prohibited:
+      - execute_*
+      - write_code
+      - modify_infrastructure
+      - remediate_direct
+      - deploy
+      - merge_mrs
+    audit_level: comprehensive
+    requires_approval: false
+    isolation: strict
+  # Separation of Duties (v0.3.2+)
+  separation:
+    role: governor
+    conflicts_with:
+      - operator
+      - executor
+      - deployer
+      - remediator
+      - enforcer
+    can_delegate_to:
+      - operator
+    prohibited_actions:
+      - execute
+      - deploy
+      - merge
+      - modify_production
+  # Delegation Configuration (v0.3.2+)
+  delegation:
+    enabled: true
+    allowed_tiers:
+      - tier_3_write_elevated
+    allowed_operations:
+      - remediate_violations
+      - apply_policies
+      - execute_fixes
+    requires:
+      - delegation_token
+      - audit_trail
+      - violation_report
+      - approval
+  tools:
+    - name: policy-reader
+      type: mcp
+      config:
+        server: policy-mcp-server
+        read_only: true
+    - name: compliance-api
+      type: api
+      config:
+        endpoint: https://api.compliance.local
+        methods:
+          - GET
+          - POST  # For publishing policies only
+    - name: audit-logger
+      type: mcp
+      config:
+        server: audit-mcp-server
+  autonomy:
+    level: autonomous
+    allowed_actions:
+      - define_policy
+      - publish_policy
+      - audit_compliance
+      - generate_violation_report
+      - delegate_remediation
+    blocked_actions:
+      - execute_any_modification
+      - deploy
+      - merge
+      - modify_infrastructure
+      - remediate_directly
+  compliance:
+    frameworks:
+      - SOC2
+      - ISO27001
+      - GDPR
+    audit_logging: required
+    pii_handling: redact
+  safety:
+    guardrails:
+      enabled: true
+      max_tool_calls: 20
+      max_execution_time_seconds: 600
+      policies:
+        - no_execution
+        - delegation_only
+        - audit_all_actions
+  observability:
+    tracing:
+      enabled: true
+      exporter: otlp
+    metrics:
+      enabled: true
+      customMetrics:
+        - name: policies_defined
+          type: counter
+          description: Total policies defined
+        - name: violations_detected
+          type: counter
+          description: Compliance violations detected
+        - name: delegations_issued
+          type: counter
+          description: Remediation delegations to operators
+    logging:
+      level: info
+      format: json
+  messaging:
+    publishes:
+      - channel: governance.policies
+        description: Published compliance policies
+        schema:
+          type: object
+          properties:
+            policy_id:
+              type: string
+            version:
+              type: string
+            effective_date:
+              type: string
+              format: date
+      - channel: governance.violations
+        description: Detected policy violations for remediation
+        schema:
+          type: object
+          properties:
+            violation_id:
+              type: string
+            policy_id:
+              type: string
+            severity:
+              type: string
+              enum: [critical, high, medium, low]
+            remediation_required:
+              type: boolean
+            delegate_to:
+              type: string
+              description: Target operator agent for remediation
+    commands:
+      - name: audit_project
+        description: Run compliance audit on a project
+        inputSchema:
+          type: object
+          properties:
+            project_id:
+              type: string
+            frameworks:
+              type: array
+              items:
+                type: string
+          required:
+            - project_id
+        outputSchema:
+          type: object
+          properties:
+            compliant:
+              type: boolean
+            violations:
+              type: array
+            recommendations:
+              type: array