@bluefly/openstandardagents 0.3.1 → 0.3.2

package/dist/spec/v0.3.2/examples/access-tiers/deployment-operator.ossa.yaml

@@ -0,0 +1,201 @@
+# =============================================================================
+# OSSA v0.3.2 - Tier 3 (Write Elevated) Example: Deployment Operator
+# =============================================================================
+# Demonstrates separation of duties for elevated-access operator agents
+# Can modify production systems but requires approval chains
+# =============================================================================
+
+apiVersion: ossa/v0.3.2
+kind: Agent
+
+metadata:
+  name: deployment-operator
+  version: 1.0.0
+  description: Deployment operator agent with elevated write access
+  labels:
+    team: platform
+    access_tier: tier_3_write_elevated
+    domain: infrastructure
+
+spec:
+  type: operator
+
+  role: |
+    You are a deployment operator that manages CI/CD pipelines, deployments,
+    and infrastructure changes. You have elevated access to production systems
+    but all changes require approval through the defined approval chain.
+
+    CRITICAL: Never bypass approval processes. Never delete production data.
+    Always ensure rollback plans exist before deployment.
+
+  llm:
+    provider: anthropic
+    model: claude-sonnet-4-20250514
+    temperature: 0.1
+    profile: safe
+
+  # Taxonomy Classification (v0.3.2+)
+  taxonomy:
+    domain: infrastructure
+    subdomain: deployment
+    capability: execute_deployments
+    concerns:
+      - reliability
+      - observability
+      - performance
+
+  # Access Tier Configuration (v0.3.2+)
+  access:
+    tier: tier_3_write_elevated
+    permissions:
+      - read_code
+      - read_configs
+      - read_metrics
+      - read_logs
+      - execute_deployments
+      - modify_pipelines
+      - merge_mrs
+      - modify_configs
+      - execute_commands
+    prohibited:
+      - delete_production
+      - modify_secrets_direct
+      - bypass_approvals
+      - force_push
+    audit_level: detailed
+    requires_approval: true
+    approval_chain: elevated
+
+  # Separation of Duties (v0.3.2+)
+  separation:
+    role: deployer
+    conflicts_with:
+      - governor
+      - policy_definer
+      - critic
+    can_delegate_to:
+      - worker
+      - analyzer
+
+  # Delegation Configuration (v0.3.2+)
+  delegation:
+    enabled: true
+    allowed_tiers:
+      - tier_1_read
+      - tier_2_write_limited
+    allowed_operations:
+      - gather_information
+      - run_analysis
+      - generate_reports
+      - write_docs
+    requires:
+      - task_specification
+      - audit_trail
+
+  tools:
+    - name: kubernetes
+      type: kubernetes
+      config:
+        namespace: production
+        rbac_required: true
+    - name: gitlab-ci
+      type: api
+      config:
+        endpoint: https://gitlab.com/api/v4
+        scopes:
+          - api
+          - write_repository
+    - name: deployment-monitor
+      type: mcp
+      config:
+        server: monitoring-mcp-server
+
+  autonomy:
+    level: supervised
+    approval_required:
+      - deploy_to_production
+      - modify_infrastructure
+      - delete_resources
+    allowed_actions:
+      - deploy_to_staging
+      - run_tests
+      - view_metrics
+    escalation_policy:
+      triggers:
+        - deployment_failure
+        - rollback_required
+        - security_alert
+      notify:
+        - slack:#platform-alerts
+        - gitlab:@platform-team
+
+  safety:
+    guardrails:
+      enabled: true
+      max_tool_calls: 50
+      max_execution_time_seconds: 1800
+      policies:
+        - require_rollback_plan
+        - no_production_deletes
+        - approval_chain_required
+    human_in_loop:
+      enabled: true
+      triggers:
+        - production_deployment
+        - infrastructure_change
+        - security_modification
+
+  identity:
+    provider: gitlab
+    service_account:
+      username: bot-deployer
+      email: bot-deployer@bluefly.io
+    token_source:
+      env_var: GITLAB_BOT_DEPLOYER_TOKEN
+      file_path: ~/.tokens/bot-deployer
+    authentication:
+      method: project_access_token
+      scopes:
+        - api
+        - write_repository
+        - read_registry
+
+  observability:
+    tracing:
+      enabled: true
+      exporter: otlp
+    metrics:
+      enabled: true
+      customMetrics:
+        - name: deployments_total
+          type: counter
+          description: Total deployments executed
+        - name: deployment_duration_seconds
+          type: histogram
+          description: Time to complete deployment
+        - name: rollbacks_total
+          type: counter
+          description: Total rollbacks performed
+    slo:
+      availability: 99.9
+      latency_p95_ms: 30000
+      error_budget: 0.1
+
+  messaging:
+    subscribes:
+      - channel: ci.pipeline_complete
+        description: Listen for pipeline completion to trigger deployments
+        handler: onPipelineComplete
+    publishes:
+      - channel: deployments.status
+        description: Deployment status updates
+        schema:
+          type: object
+          properties:
+            environment:
+              type: string
+            status:
+              type: string
+              enum: [started, success, failed, rolled_back]
+            version:
+              type: string

package/dist/spec/v0.3.2/examples/access-tiers/doc-generator.ossa.yaml

@@ -0,0 +1,117 @@
+# =============================================================================
+# OSSA v0.3.2 - Tier 2 (Write Limited) Example: Documentation Generator
+# =============================================================================
+# Demonstrates separation of duties for limited-write worker agents
+# Can write docs, tests, scaffolds - but not production code
+# =============================================================================
+
+apiVersion: ossa/v0.3.2
+kind: Agent
+
+metadata:
+  name: doc-generator
+  version: 1.0.0
+  description: Documentation generator agent with sandboxed write access
+  labels:
+    team: platform
+    access_tier: tier_2_write_limited
+    domain: documentation
+
+spec:
+  type: worker
+
+  role: |
+    You are a documentation generator that creates and updates documentation
+    based on code analysis. You can write to documentation files, create
+    test files, and scaffold new structures.
+
+    IMPORTANT: You cannot modify production code or merge changes. All changes
+    must go through review by a human or supervisor agent.
+
+  llm:
+    provider: anthropic
+    model: claude-sonnet-4-20250514
+    temperature: 0.3
+
+  # Taxonomy Classification (v0.3.2+)
+  taxonomy:
+    domain: documentation
+    subdomain: api-docs
+    capability: generate_documentation
+    concerns:
+      - quality
+      - architecture
+
+  # Access Tier Configuration (v0.3.2+)
+  access:
+    tier: tier_2_write_limited
+    permissions:
+      - read_code
+      - read_configs
+      - write_docs
+      - write_tests
+      - create_issues
+      - create_mrs_draft
+      - execute_sandboxed
+    prohibited:
+      - write_production_code
+      - merge_mrs
+      - delete_branches
+      - modify_infrastructure
+    audit_level: standard
+    requires_approval: false
+
+  # Separation of Duties (v0.3.2+)
+  separation:
+    role: documenter
+    conflicts_with:
+      - executor
+      - deployer
+    can_delegate_to:
+      - analyzer
+
+  # Delegation Configuration (v0.3.2+)
+  delegation:
+    enabled: true
+    allowed_tiers:
+      - tier_1_read
+    allowed_operations:
+      - analyze_code
+      - scan_dependencies
+    requires:
+      - task_specification
+
+  tools:
+    - name: filesystem
+      type: mcp
+      config:
+        server: filesystem-mcp-server
+        paths:
+          - docs/**
+          - tests/**
+          - README.md
+    - name: code-reader
+      type: mcp
+      config:
+        server: filesystem-mcp-server
+        read_only: true
+
+  autonomy:
+    level: assisted
+    allowed_actions:
+      - read_code
+      - write_documentation
+      - create_draft_mr
+    blocked_actions:
+      - modify_production_code
+      - merge_changes
+      - deploy
+
+  identity:
+    provider: gitlab
+    service_account:
+      username: bot-docs
+      email: bot-docs@bluefly.io
+    token_source:
+      env_var: GITLAB_BOT_DOCS_TOKEN
+      file_path: ~/.tokens/bot-docs

package/dist/spec/v0.3.2/examples/access-tiers/security-scanner.ossa.yaml

@@ -0,0 +1,133 @@
+# =============================================================================
+# OSSA v0.3.2 - Tier 1 (Read Only) Example: Security Scanner
+# =============================================================================
+# Demonstrates separation of duties for read-only analyzer agents
+# Cannot modify code, only scan and report - critics cannot execute
+# =============================================================================
+
+apiVersion: ossa/v0.3.2
+kind: Agent
+
+metadata:
+  name: security-scanner
+  version: 1.0.0
+  description: Security vulnerability scanner - read-only analysis agent
+  labels:
+    team: security
+    access_tier: tier_1_read
+    domain: security
+
+spec:
+  type: analyzer
+
+  role: |
+    You are a security vulnerability scanner that analyzes code for potential
+    security issues. You can read code, scan dependencies, and report findings.
+
+    IMPORTANT: You cannot modify code, approve changes, or execute remediations.
+    You must report findings to a tier_3 remediator agent for action.
+
+  llm:
+    provider: anthropic
+    model: claude-sonnet-4-20250514
+    temperature: 0.1
+
+  # Taxonomy Classification (v0.3.2+)
+  taxonomy:
+    domain: security
+    subdomain: vulnerability
+    capability: scan_vulnerabilities
+    concerns:
+      - quality
+      - governance
+    recommended_tier: tier_1_read
+
+  # Access Tier Configuration (v0.3.2+)
+  access:
+    tier: tier_1_read
+    permissions:
+      - read_code
+      - read_configs
+      - read_logs
+      - execute_queries
+    prohibited:
+      - write_*
+      - delete_*
+      - execute_commands
+      - modify_infrastructure
+    audit_level: standard
+    requires_approval: false
+
+  # Separation of Duties (v0.3.2+)
+  separation:
+    role: scanner
+    conflicts_with:
+      - remediator
+      - executor
+      - approver
+    prohibited_actions:
+      - execute
+      - merge
+      - approve
+
+  tools:
+    - name: code-reader
+      type: mcp
+      config:
+        server: filesystem-mcp-server
+        read_only: true
+    - name: dependency-scanner
+      type: api
+      config:
+        endpoint: https://api.security.local/scan
+        method: GET
+
+  autonomy:
+    level: semi_autonomous
+    allowed_actions:
+      - scan_code
+      - generate_report
+      - create_issue
+    blocked_actions:
+      - modify_code
+      - execute_fix
+      - approve_mr
+
+  safety:
+    content_filtering:
+      enabled: true
+      categories:
+        - credentials
+        - pii
+      action: redact
+    rate_limiting:
+      enabled: true
+      requests_per_minute: 60
+
+  observability:
+    metrics:
+      enabled: true
+      customMetrics:
+        - name: vulnerabilities_found
+          type: counter
+          description: Total vulnerabilities detected
+        - name: scan_duration_seconds
+          type: histogram
+          description: Time to complete security scan
+
+  messaging:
+    publishes:
+      - channel: security.vulnerabilities
+        description: Vulnerability findings for remediation
+        schema:
+          type: object
+          properties:
+            severity:
+              type: string
+              enum: [critical, high, medium, low]
+            cve:
+              type: string
+            affected_file:
+              type: string
+            remediation_required:
+              type: boolean

package/dist/spec/v0.3.2/examples/agent-with-identity.ossa.yaml

@@ -0,0 +1,68 @@
+# OSSA v0.3.1 Agent with Identity Configuration
+# Demonstrates service account integration for automated git operations
+apiVersion: ossa/v0.3.2
+kind: Agent
+metadata:
+  name: typescript-worker
+  version: 1.0.0
+  description: TypeScript development agent with GitLab service account identity
+  labels:
+    team: platform
+    tier: development
+spec:
+  role: |
+    You are a TypeScript development assistant that manages code changes
+    for the agent-buildkit and related TypeScript projects.
+
+  llm:
+    provider: anthropic
+    model: claude-sonnet-4-20250514
+    temperature: 0.2
+
+  # Agent Identity Configuration (v0.3.1+)
+  identity:
+    provider: gitlab
+    service_account:
+      id: 31840529
+      username: bot-ts-local
+      email: bot-ts-local@bluefly.io
+    token_source:
+      env_var: GITLAB_BOT_TS_TOKEN
+      file_path: ~/.tokens/bot-ts-local
+    patterns:
+      - "*/common_npm/*"
+      - "*/agent-buildkit"
+      - "*/agent-studio"
+    dora_tracking:
+      enabled: true
+      metrics:
+        - deployment_frequency
+        - lead_time
+        - change_failure_rate
+        - mttr
+    observability:
+      service_name: typescript-worker
+      service_namespace: development
+      service_version: "1.0.0"
+
+  tools:
+    - name: git
+      type: mcp
+      config:
+        server: git-mcp-server
+    - name: file-operations
+      type: mcp
+      config:
+        server: filesystem-mcp-server
+
+  autonomy:
+    level: supervised
+    require_approval:
+      - push_to_protected_branch
+      - delete_branch
+      - force_push
+
+  safety:
+    max_tokens_per_turn: 8000
+    rate_limits:
+      requests_per_minute: 30

package/dist/spec/v0.3.2/examples/drupal-content-writer.ossa.yaml

@@ -0,0 +1,110 @@
+apiVersion: ossa/v0.3.2
+kind: Agent
+metadata:
+  name: drupal-content-writer
+  version: 1.0.0
+  description: Autonomous content generation agent for Drupal with background processing
+
+spec:
+  capabilities:
+    - name: content.create
+      description: "Create Drupal content entities (nodes, taxonomy terms)"
+    - name: seo.optimize
+      description: "Optimize content for SEO (meta tags, keywords, structure)"
+    - name: media.select
+      description: "Select relevant media from media library"
+
+  role: |
+    You are an autonomous content writer for a Drupal website. You generate high-quality articles
+    based on content briefs, optimize them for SEO, and select appropriate media assets.
+
+    Process:
+    1. Analyze content brief and target audience
+    2. Research topic using available tools
+    3. Generate article with proper structure (H1, H2, paragraphs)
+    4. Optimize for SEO (meta description, keywords, readability)
+    5. Select relevant images from media library
+    6. Create content entity in Drupal
+
+  llm:
+    provider: ${OSSA_LLM_PROVIDER:-anthropic}
+    model: ${OSSA_LLM_MODEL:-claude-sonnet-4}
+    temperature: ${OSSA_LLM_TEMPERATURE:-0.7}
+    maxTokens: ${OSSA_LLM_MAX_TOKENS:-8192}
+
+  tools:
+    - name: drupal.node.create
+      description: "Create a new Drupal node (article, page, etc.)"
+      handler:
+        runtime: drupal
+        capability: node.create
+
+    - name: drupal.taxonomy.search
+      description: "Search taxonomy terms for tagging"
+      handler:
+        runtime: drupal
+        capability: taxonomy.search
+
+    - name: drupal.media.search
+      description: "Search media library for images"
+      handler:
+        runtime: drupal
+        capability: media.search
+
+extensions:
+  drupal:
+    # Module providing this agent
+    module: ai_agents_ossa
+
+    # Store as exportable config entity
+    config_entity: true
+
+    # Permissions for autonomous execution
+    permissions:
+      # Core Drupal entity permissions
+      entity_permissions:
+        - "create article content"
+        - "create page content"
+        - "edit own article content"
+        - "view media"
+        - "view taxonomy term"
+
+      # Custom permissions for agent execution
+      custom_permissions:
+        - "execute content writer agent"
+        - "generate ai content"
+
+      # Run as admin service account for autonomous operation
+      execution_user: "1"
+
+      # Agent runs with its own permissions (no user context)
+      permission_mode: agent_only
+
+    # Async processing via Symfony Messenger
+    messenger:
+      # Use Redis for high-performance message queue
+      transport: redis
+
+      # Dedicated queue for content generation
+      queue: content_generation
+
+      # Retry strategy for failed executions
+      retry_strategy:
+        max_retries: 3
+        delay: 2000
+        multiplier: 2
+        max_delay: 30000
+
+    # ECA workflow integration
+    workflow_engine: eca
+
+    # Discovery paths for manifest loading
+    discovery_paths:
+      - "config/agents/*.ossa.yaml"
+      - "modules/custom/ai_agents_ossa/agents/*.ossa.yaml"
+
+    # Drupal hooks for integration
+    hooks:
+      before_execute: ai_agents_ossa_content_writer_before
+      after_execute: ai_agents_ossa_content_writer_after
+      on_error: ai_agents_ossa_content_writer_error