@bookedsolid/reagent 0.3.0 → 0.4.0

package/README.md

@@ -4,19 +4,21 @@ Zero-trust MCP gateway and agentic infrastructure for AI-assisted development.
 
 Reagent is two things:
 
-1. **MCP Gateway** (`reagent serve`) — a proxy server that sits between your AI assistant (Claude Code, Cursor, etc.) and downstream MCP tool servers. Every tool call flows through a zero-trust middleware chain: policy enforcement, tier classification, secret redaction, and hash-chained audit logging.
+1. **MCP Gateway** (`reagent serve`) -- a proxy server that sits between your AI assistant (Claude Code, Cursor, etc.) and downstream MCP tool servers. Every tool call flows through a zero-trust middleware chain: policy enforcement, tier classification, blocked path enforcement, secret redaction, and hash-chained audit logging.
 
-2. **Config Scaffolder** (`reagent init`) — installs safety hooks, behavioral policies, and developer tooling into any project.
+2. **Config Scaffolder** (`reagent init`) -- installs safety hooks, behavioral policies, and developer tooling into any project.
 
 ## Why Reagent?
 
 AI coding assistants are powerful but unconstrained. Reagent adds the missing governance layer:
 
-- **Policy enforcement** — graduated autonomy levels (L0 read-only → L3 full access) control which tiers of tools an agent can invoke
-- **Kill switch** — `reagent freeze` immediately blocks all tool calls across every connected MCP server
-- **Secret redaction** — tool outputs are scanned for AWS keys, GitHub tokens, API keys, PEM private keys, Discord tokens, and more — redacted before they reach the AI
-- **Audit trail** — every tool invocation is logged as hash-chained JSONL, providing tamper-evident compliance records
-- **Tool blocking** — individual tools can be permanently blocked regardless of autonomy level
+- **Policy enforcement** -- graduated autonomy levels (L0 read-only through L3 full access) control which tiers of tools an agent can invoke
+- **Kill switch** -- `reagent freeze` immediately blocks all tool calls across every connected MCP server
+- **Blocked path enforcement** -- tool arguments referencing protected paths (including `.reagent/` itself) are denied before execution
+- **Secret redaction** -- tool arguments and outputs are scanned for AWS keys, GitHub tokens, API keys, PEM private keys, Discord tokens, and more -- redacted before they reach the AI or the downstream tool
+- **Audit trail** -- every tool invocation is logged as hash-chained JSONL with serialized writes for chain integrity
+- **Tool blocking** -- individual tools can be permanently blocked regardless of autonomy level
+- **Tier downgrade protection** -- `tool_overrides` cannot lower a tool's tier below its static or convention-based classification
 
 ## Quick Start
 
@@ -68,37 +70,51 @@ npx @bookedsolid/reagent init --dry-run
 | `reagent serve`                 | Start the MCP gateway server (stdio transport)    |
 | `reagent init`                  | Install reagent config into the current directory |
 | `reagent check`                 | Verify what reagent components are installed      |
-| `reagent freeze --reason "..."` | Create `.reagent/HALT` — suspends all tool calls  |
-| `reagent unfreeze`              | Remove `.reagent/HALT` — resumes tool calls       |
+| `reagent freeze --reason "..."` | Create `.reagent/HALT` -- suspends all tool calls |
+| `reagent unfreeze`              | Remove `.reagent/HALT` -- resumes tool calls      |
 | `reagent help`                  | Show usage help                                   |
 
+### `reagent init` Options
+
+| Flag               | Description                                    | Default             |
+| ------------------ | ---------------------------------------------- | ------------------- |
+| `--profile <name>` | Profile to install                             | `client-engagement` |
+| `--dry-run`        | Preview what would be installed without writes | --                  |
+
+### `reagent freeze` Options
+
+| Flag              | Description                        | Default         |
+| ----------------- | ---------------------------------- | --------------- |
+| `--reason <text>` | Reason for freeze (stored in HALT) | `Manual freeze` |
+
 ## MCP Gateway
 
 ### How It Works
 
 ```
 AI Assistant (Claude Code, Cursor, etc.)
-    │
-    │  stdio (MCP protocol)
-    ▼
-┌─────────────────────────────┐
-│       Reagent Gateway       │
-│                             │
-│  ┌───────────────────────┐  │
-│  │   Middleware Chain     │  │
-│  │                       │  │
-│  │  1. Audit (outermost) │  │
-│  │  2. Session context   │  │
-│  │  3. Kill switch       │  │
-│  │  4. Tier classify     │  │
-│  │  5. Policy enforce    │  │
-│  │  6. Secret redaction  │  │
-│  │  7. [Execute]         │  │
-│  └───────────────────────┘  │
-│                             │
-└──────────┬──────────────────┘
-           │  stdio (MCP protocol)
-           ▼
+    |
+    |  stdio (MCP protocol)
+    v
++-----------------------------+
+|       Reagent Gateway       |
+|                             |
+|  +------------------------+ |
+|  |   Middleware Chain      | |
+|  |                        | |
+|  |  1. Audit (outermost)  | |
+|  |  2. Session context    | |
+|  |  3. Kill switch        | |
+|  |  4. Tier classify      | |
+|  |  5. Policy enforce     | |
+|  |  6. Blocked paths      | |
+|  |  7. Secret redaction   | |
+|  |  8. [Execute]          | |
+|  +------------------------+ |
+|                             |
++----------+------------------+
+           |  stdio (MCP protocol)
+           v
     Downstream MCP Servers
     (discord-ops, filesystem, etc.)
 ```
@@ -136,9 +152,9 @@ servers:
         blocked: true
 ```
 
-**Environment variable resolution:** Use `${VAR_NAME}` syntax in env values — Reagent resolves them from `process.env` at startup.
+**Environment variable resolution:** Use `${VAR_NAME}` syntax in env values -- Reagent resolves them from `process.env` at startup. Missing env vars produce a warning and resolve to empty string.
 
-**Tool overrides:** Each downstream tool can be assigned a tier (`read`, `write`, `destructive`) and optionally blocked entirely.
+**Tool overrides:** Each downstream tool can be assigned a tier (`read`, `write`, `destructive`) and optionally blocked entirely. Overrides cannot lower a tool's tier below its static or convention-based classification (the override is ignored with a warning if attempted).
 
 ### Tool Namespacing
 
@@ -177,7 +193,7 @@ Every tool call passes through the middleware chain in onion (Koa-style) order.
 
 ### 1. Audit (outermost)
 
-Records every invocation — including denials — as a hash-chained JSONL entry. Written to `.reagent/audit/YYYY-MM-DD.jsonl`. Each record contains:
+Records every invocation -- including denials and errors -- as a hash-chained JSONL entry. Written to `.reagent/audit/YYYY-MM-DD.jsonl`. Each record contains:
 
 ```json
 {
@@ -194,18 +210,18 @@ Records every invocation — including denials — as a hash-chained JSONL entry
 }
 ```
 
-The `prev_hash` field chains records together — tamper with one record and every subsequent hash becomes invalid.
+The `prev_hash` field chains records together -- tamper with one record and every subsequent hash becomes invalid. Audit writes are serialized via a queue to maintain hash chain linearity under concurrent invocations. The `autonomy_level` is sourced from the loaded policy object, not from mutable invocation context.
 
 ### 2. Session Context
 
-Attaches a unique session ID (UUID) to every invocation. Each gateway instance generates one session ID at startup.
+Attaches a unique session ID (UUID via `crypto.randomUUID()`) to every invocation. Each gateway instance generates one session ID at startup.
 
 ### 3. Kill Switch
 
-Checks for `.reagent/HALT` file. If present, the invocation is immediately denied. The HALT file contents become the denial reason.
+Checks for `.reagent/HALT` file. If present, the invocation is immediately denied. The HALT file contents become the denial reason. Reads are capped at 1024 bytes. The file is validated as a regular file (symlinks outside `.reagent/` are rejected).
 
 ```bash
-# Emergency stop — all tool calls blocked immediately
+# Emergency stop -- all tool calls blocked immediately
 reagent freeze --reason "security incident at 2026-04-09T12:00:00Z"
 
 # Resume
@@ -214,7 +230,23 @@ reagent unfreeze
 
 ### 4. Tier Classification
 
-Classifies the tool into one of three tiers:
+Classifies the tool into one of three tiers using a layered approach:
+
+| Source           | Priority | Description                                |
+| ---------------- | -------- | ------------------------------------------ |
+| Static map       | 1st      | Known tools with explicit tier assignments |
+| Convention-based | 2nd      | Prefix patterns for unknown tools          |
+| Default          | 3rd      | Falls back to `write`                      |
+
+**Convention-based classification** allows non-Discord downstream servers to get sensible defaults:
+
+| Prefix pattern                                                                                               | Tier          |
+| ------------------------------------------------------------------------------------------------------------ | ------------- |
+| `get_`, `list_`, `search_`, `query_`, `read_`, `fetch_`, `check_`, `health_`, `describe_`, `show_`, `count_` | `read`        |
+| `delete_`, `drop_`, `purge_`, `remove_`, `destroy_`, `ban_`, `kick_`, `revoke_`, `truncate_`                 | `destructive` |
+| Everything else                                                                                              | `write`       |
+
+**Tier tiers:**
 
 | Tier          | Description                     | Examples                                         |
 | ------------- | ------------------------------- | ------------------------------------------------ |
@@ -222,43 +254,47 @@ Classifies the tool into one of three tiers:
 | `write`       | Modifies state                  | `send_message`, `create_channel`, `edit_message` |
 | `destructive` | Irreversible state changes      | `delete_channel`, `purge_messages`, `ban_member` |
 
-Tiers are assigned via `tool_overrides` in gateway config. Unknown tools default to `write`.
-
 ### 5. Policy Enforcement
 
-Checks the tool's tier against the project's autonomy level:
+Checks the tool's tier against the project's autonomy level. The policy middleware re-derives the tier from the tool name independently -- it never trusts `ctx.tier` from prior middleware.
 
 | Autonomy Level     | Allowed Tiers                    |
 | ------------------ | -------------------------------- |
-| `L0` (read-only)   | `read` only                      |
+| `L0` (read-only)   | `read`                           |
 | `L1` (standard)    | `read` + `write`                 |
-| `L2` (elevated)    | `read` + `write` + `destructive` |
-| `L3` (full access) | All tiers                        |
+| `L2` (elevated)    | `read` + `write`                 |
+| `L3` (full access) | `read` + `write` + `destructive` |
+
+Also checks for explicitly blocked tools -- a tool marked `blocked: true` in gateway config is denied regardless of autonomy level.
 
-Also checks for explicitly blocked tools — a tool marked `blocked: true` in gateway config is denied regardless of autonomy level.
+### 6. Blocked Paths
 
-### 6. Secret Redaction
+Scans all string-valued tool arguments for references to paths listed in the policy's `blocked_paths`. The `.reagent/` directory is always protected regardless of policy configuration. Matching uses normalized path containment (backslashes converted to forward slashes, relative path variants checked).
 
-Post-execution: scans tool output for sensitive patterns and replaces them with `[REDACTED]`:
+### 7. Secret Redaction
+
+Operates both **pre-execution** (scanning tool arguments before they reach the downstream tool) and **post-execution** (scanning tool output before it reaches the AI). Detected patterns are replaced with `[REDACTED]`:
 
 - AWS Access Keys (`AKIA...`)
 - AWS Secret Keys
 - GitHub Tokens (`ghp_...`, `gho_...`, `ghs_...`, `ghu_...`, `ghr_...`)
 - Generic API Keys
 - Bearer Tokens
-- PEM Private Keys
+- PEM Private Keys (RSA, EC, DSA)
 - Discord Bot Tokens
 - Base64-encoded AWS Keys
 
-Redaction operates on individual string values within structured results — it never corrupts JSON structure.
+Redaction uses `redactDeep` to walk object structures in-place with a circular reference guard (WeakSet). Input is sanitized (null bytes and control characters stripped) before pattern matching.
 
 ### Security Invariants
 
-- **Denial is permanent** — once any middleware denies an invocation, no subsequent middleware can revert it
-- **Audit records everything** — audit is outermost, so even kill-switch denials are recorded
-- **Policy re-derives tier** — never trusts mutable context; always re-classifies from tool name
-- **Fail-closed** — errors in kill-switch or policy checks result in denial, not passthrough
-- **All logging to stderr** — stdout is reserved for the MCP stdio transport
+- **Denial is permanent** -- once any middleware denies an invocation, no subsequent middleware can revert it (enforced by `executeChain`)
+- **Audit records everything** -- audit is outermost, so even kill-switch denials are recorded
+- **Policy re-derives tier** -- never trusts mutable context; always re-classifies from tool name
+- **Fail-closed** -- errors in kill-switch or policy checks result in denial, not passthrough
+- **All logging to stderr** -- stdout is reserved for the MCP stdio transport
+- **Per-tool timeout** -- each downstream tool call has a 30-second timeout with timer cleanup to prevent leaks
+- **Graceful shutdown** -- `process.exitCode = 0` (not `process.exit(0)`) to allow event loop drain
 
 ## Policy File
 
@@ -267,35 +303,46 @@ Redaction operates on individual string values within structured results — it
 ```yaml
 version: '1'
 profile: bst-internal
-installed_by: 'reagent init'
+installed_by: 'reagent@0.3.0'
 installed_at: '2026-04-09T00:00:00.000Z'
 autonomy_level: L1
-max_autonomy_level: L3
+max_autonomy_level: L2
 promotion_requires_human_approval: true
+block_ai_attribution: true
 blocked_paths:
-  - .github/workflows/
-  - .env
-notification_channel: '#reagent-alerts'
+  - '.reagent/'
+  - '.env'
+  - '.env.*'
+notification_channel: ''
 ```
 
-| Field                               | Description                                                   |
-| ----------------------------------- | ------------------------------------------------------------- |
-| `autonomy_level`                    | Current level (L0-L3) — controls which tool tiers are allowed |
-| `max_autonomy_level`                | Ceiling — agents cannot request escalation beyond this        |
-| `promotion_requires_human_approval` | Whether level changes need human sign-off                     |
-| `blocked_paths`                     | Directories the agent must never modify                       |
+| Field                               | Type       | Description                                                    |
+| ----------------------------------- | ---------- | -------------------------------------------------------------- |
+| `version`                           | `string`   | Schema version (currently `"1"`)                               |
+| `profile`                           | `string`   | Profile name used during init                                  |
+| `installed_by`                      | `string`   | Tool and version that generated this file                      |
+| `installed_at`                      | `string`   | ISO 8601 timestamp of installation                             |
+| `autonomy_level`                    | `enum`     | Current level (L0-L3) -- controls which tool tiers are allowed |
+| `max_autonomy_level`                | `enum`     | Ceiling -- `autonomy_level` is clamped to this on load         |
+| `promotion_requires_human_approval` | `boolean`  | Whether level changes need human sign-off                      |
+| `block_ai_attribution`              | `boolean`  | When true, commit-msg hook rejects AI attribution markers      |
+| `blocked_paths`                     | `string[]` | Paths the agent must never modify (`.reagent/` always added)   |
+| `notification_channel`              | `string`   | Optional notification channel identifier                       |
+
+The `max_autonomy_level` field is enforced at config load time: if `autonomy_level` exceeds `max_autonomy_level`, it is clamped down with a warning.
 
 ## Config Scaffolder
 
 `reagent init` configures your repository with:
 
-- **Git hooks** — commit-msg validation (Co-Authored-By attribution, secret detection) and pre-push quality gates
-- **Cursor rules** — AI behavioral constraints for Cursor IDE
-- **Claude hooks** — dangerous command interception, env file protection, secret scanning
-- **Claude settings** — permission boundaries for Claude Code
-- **Policy file** — `.reagent/policy.yaml` with graduated autonomy levels
-- **CLAUDE.md** — project-level AI agent instructions
-- **Commands** — `/restart` (session handoff) and `/rea` (AI team orchestration)
+- **Git hooks** -- commit-msg validation, pre-commit checks, and pre-push quality gates (via Husky)
+- **Cursor rules** -- AI behavioral constraints for Cursor IDE (no-hallucination, verify-before-act, attribution)
+- **Claude hooks** -- dangerous command interception, env file protection, secret scanning, attribution advisory
+- **Claude settings** -- permission boundaries for Claude Code (`.claude/settings.json`)
+- **Policy file** -- `.reagent/policy.yaml` with graduated autonomy levels
+- **CLAUDE.md** -- project-level AI agent instructions (managed block with markers)
+- **Agent definitions** -- AI agent team definitions (`.claude/agents/`)
+- **Commands** -- `/restart` (session handoff) and `/rea` (AI team orchestration)
 
 ### What Gets Installed
 
@@ -306,21 +353,26 @@ notification_channel: '#reagent-alerts'
 | `.reagent/audit/`       | No (gitignored) | Hash-chained JSONL audit logs        |
 | `.cursor/rules/`        | Yes             | Cursor IDE behavioral rules          |
 | `.husky/commit-msg`     | Yes             | Git commit message validation        |
+| `.husky/pre-commit`     | Yes             | Pre-commit checks                    |
+| `.husky/pre-push`       | Yes             | Pre-push quality gates               |
 | `.claude/hooks/`        | No (gitignored) | Claude Code safety hooks             |
 | `.claude/settings.json` | No (gitignored) | Claude Code permissions              |
+| `.claude/agents/`       | No (gitignored) | Agent team definitions               |
 | `.claude/commands/`     | Yes             | Slash commands (restart, rea)        |
 | `CLAUDE.md`             | Yes             | AI agent project instructions        |
 
 ### Profiles
 
-| Profile             | Use Case                   | Hooks                             |
-| ------------------- | -------------------------- | --------------------------------- |
-| `bst-internal`      | BST's own repositories     | Full hook suite + Claude commands |
-| `client-engagement` | Client consulting projects | Full hook suite + Claude commands |
+| Profile             | Use Case                   | Default Autonomy | Blocked Paths                                       |
+| ------------------- | -------------------------- | ---------------- | --------------------------------------------------- |
+| `client-engagement` | Client consulting projects | L1 / max L2      | `.reagent/`, `.github/workflows/`, `.env`, `.env.*` |
+| `bst-internal`      | BST's own repositories     | L1 / max L2      | `.reagent/`, `.env`                                 |
+
+Both profiles install the full hook suite (dangerous-bash-interceptor, env-file-protection, secret-scanner, attribution-advisory), Cursor rules, and Claude commands.
 
 ### Idempotent
 
-Run `reagent init` as many times as you want. It skips files that are already up-to-date and only updates what has changed.
+Run `reagent init` as many times as you want. It skips files that are already up-to-date and only updates what has changed. Policy files are never overwritten if they already exist.
 
 ### Verify Installation
 
@@ -355,7 +407,7 @@ rm -f .husky/commit-msg .husky/pre-commit .husky/pre-push
 │   ├── config/                 # Configuration loaders
 │   │   ├── policy-loader.ts    # Zod-validated policy.yaml parser
 │   │   ├── gateway-config.ts   # Zod-validated gateway.yaml parser
-│   │   └── tier-map.ts         # Tool tier classification
+│   │   └── tier-map.ts         # Tool tier classification (static + convention)
 │   ├── gateway/                # MCP gateway core
 │   │   ├── server.ts           # Gateway orchestrator (startup, shutdown)
 │   │   ├── client-manager.ts   # Downstream MCP server connections
@@ -366,20 +418,49 @@ rm -f .husky/commit-msg .husky/pre-commit .husky/pre-push
 │   │       ├── kill-switch.ts  # HALT file check
 │   │       ├── tier.ts         # Tier classification
 │   │       ├── policy.ts       # Autonomy level enforcement
-│   │       ├── redact.ts       # Secret pattern redaction
+│   │       ├── blocked-paths.ts # Blocked path enforcement
+│   │       ├── redact.ts       # Secret pattern redaction (pre + post)
 │   │       └── audit.ts        # Hash-chained JSONL logging
 │   └── types/                  # TypeScript type definitions
 ├── profiles/                   # Init profiles (bst-internal, client-engagement)
 ├── templates/                  # Template files for scaffolding
-├── hooks/                      # Git hook scripts
+├── hooks/                      # Shell hook scripts
+├── husky/                      # Husky git hook scripts
 ├── cursor/                     # Cursor IDE rules
-└── agents/                     # Agent definitions
+├── agents/                     # Agent definitions
+└── commands/                   # Claude slash commands (restart, rea)
+```
+
+## Package Exports
+
+```json
+{
+  ".": "types/index.js",
+  "./config": "config/policy-loader.js",
+  "./middleware": "gateway/middleware/chain.js"
+}
 ```
 
 ## Requirements
 
 - Node.js >= 22
-- Git repository
+- Git repository (for hooks and init)
+
+## Dependencies
+
+3 runtime dependencies:
+
+- `@modelcontextprotocol/sdk` -- MCP client/server protocol
+- `yaml` -- YAML parsing for policy and gateway config
+- `zod` -- Schema validation for all configuration files
+
+## Testing
+
+```bash
+npm test
+```
+
+153 tests across 20 test files covering CLI commands, middleware chain, tier classification, policy enforcement, blocked paths, secret redaction, audit logging, and end-to-end gateway smoke tests.
 
 ## Scope
 

package/agents/ai-platforms/ai-anthropic-specialist.md

@@ -58,7 +58,7 @@ You are the Anthropic/Claude platform specialist for this project.
 2. **Never trust LLM memory** — Always verify via tools, code, or documentation. Programmatic project memory (`.claude/MEMORY.md`, `.reagent/`) is OK
 3. **Cross-validate** — Verify claims against authoritative sources before recommending
 4. **Cite freshness** — Flag potentially stale information with dates; AI moves fast
-5. **Graduated autonomy** — Respect reagent L0-L4 levels from `.reagent/policy.yaml`
+5. **Graduated autonomy** — Respect reagent L0-L3 levels from `.reagent/policy.yaml`
 6. **HALT compliance** — Check `.reagent/HALT` before any action; if present, stop immediately
 7. **Audit awareness** — All tool invocations may be logged; behave as if every action is observed
 

package/agents/ai-platforms/ai-fine-tuning-specialist.md

@@ -69,7 +69,7 @@ You are the fine-tuning specialist for this project.
 2. **Never trust LLM memory** — Always verify via tools, code, or documentation. Programmatic project memory (`.claude/MEMORY.md`, `.reagent/`) is OK
 3. **Cross-validate** — Verify claims against authoritative sources before recommending
 4. **Cite freshness** — Flag potentially stale information with dates; AI moves fast
-5. **Graduated autonomy** — Respect reagent L0-L4 levels from `.reagent/policy.yaml`
+5. **Graduated autonomy** — Respect reagent L0-L3 levels from `.reagent/policy.yaml`
 6. **HALT compliance** — Check `.reagent/HALT` before any action; if present, stop immediately
 7. **Audit awareness** — All tool invocations may be logged; behave as if every action is observed
 

package/agents/ai-platforms/ai-gemini-specialist.md

@@ -61,7 +61,7 @@ You are the Google Gemini platform specialist for this project.
 2. **Never trust LLM memory** — Always verify via tools, code, or documentation. Programmatic project memory (`.claude/MEMORY.md`, `.reagent/`) is OK
 3. **Cross-validate** — Verify claims against authoritative sources before recommending
 4. **Cite freshness** — Flag potentially stale information with dates; AI moves fast
-5. **Graduated autonomy** — Respect reagent L0-L4 levels from `.reagent/policy.yaml`
+5. **Graduated autonomy** — Respect reagent L0-L3 levels from `.reagent/policy.yaml`
 6. **HALT compliance** — Check `.reagent/HALT` before any action; if present, stop immediately
 7. **Audit awareness** — All tool invocations may be logged; behave as if every action is observed
 

package/agents/ai-platforms/ai-mcp-developer.md

@@ -81,7 +81,7 @@ await server.connect(transport);
 2. **Never trust LLM memory** — Always verify via tools, code, or documentation. Programmatic project memory (`.claude/MEMORY.md`, `.reagent/`) is OK
 3. **Cross-validate** — Verify claims against authoritative sources before recommending
 4. **Cite freshness** — Flag potentially stale information with dates; AI moves fast
-5. **Graduated autonomy** — Respect reagent L0-L4 levels from `.reagent/policy.yaml`
+5. **Graduated autonomy** — Respect reagent L0-L3 levels from `.reagent/policy.yaml`
 6. **HALT compliance** — Check `.reagent/HALT` before any action; if present, stop immediately
 7. **Audit awareness** — All tool invocations may be logged; behave as if every action is observed
 

package/agents/ai-platforms/ai-multi-modal-specialist.md

@@ -159,7 +159,7 @@ You are the multi-modal AI specialist for this project.
 2. **Never trust LLM memory** — Always verify via tools, code, or documentation. Programmatic project memory (`.claude/MEMORY.md`, `.reagent/`) is OK
 3. **Cross-validate** — Verify claims against authoritative sources before recommending
 4. **Cite freshness** — Flag potentially stale information with dates; AI moves fast
-5. **Graduated autonomy** — Respect reagent L0-L4 levels from `.reagent/policy.yaml`
+5. **Graduated autonomy** — Respect reagent L0-L3 levels from `.reagent/policy.yaml`
 6. **HALT compliance** — Check `.reagent/HALT` before any action; if present, stop immediately
 7. **Audit awareness** — All tool invocations may be logged; behave as if every action is observed
 

package/agents/ai-platforms/ai-open-source-models-specialist.md

@@ -102,7 +102,7 @@ You are the open-source and self-hosted AI specialist for this project, the expe
 2. **Never trust LLM memory** — Always verify via tools, code, or documentation. Programmatic project memory (`.claude/MEMORY.md`, `.reagent/`) is OK
 3. **Cross-validate** — Verify claims against authoritative sources before recommending
 4. **Cite freshness** — Flag potentially stale information with dates; AI moves fast
-5. **Graduated autonomy** — Respect reagent L0-L4 levels from `.reagent/policy.yaml`
+5. **Graduated autonomy** — Respect reagent L0-L3 levels from `.reagent/policy.yaml`
 6. **HALT compliance** — Check `.reagent/HALT` before any action; if present, stop immediately
 7. **Audit awareness** — All tool invocations may be logged; behave as if every action is observed
 

package/agents/ai-platforms/ai-openai-specialist.md

@@ -65,7 +65,7 @@ You are the OpenAI platform specialist for this project.
 2. **Never trust LLM memory** — Always verify via tools, code, or documentation. Programmatic project memory (`.claude/MEMORY.md`, `.reagent/`) is OK
 3. **Cross-validate** — Verify claims against authoritative sources before recommending
 4. **Cite freshness** — Flag potentially stale information with dates; AI moves fast
-5. **Graduated autonomy** — Respect reagent L0-L4 levels from `.reagent/policy.yaml`
+5. **Graduated autonomy** — Respect reagent L0-L3 levels from `.reagent/policy.yaml`
 6. **HALT compliance** — Check `.reagent/HALT` before any action; if present, stop immediately
 7. **Audit awareness** — All tool invocations may be logged; behave as if every action is observed
 

package/agents/ai-platforms/ai-platform-strategist.md

@@ -74,7 +74,7 @@ When recommending platforms:
 2. **Never trust LLM memory** — Always verify via tools, code, or documentation. Programmatic project memory (`.claude/MEMORY.md`, `.reagent/`) is OK
 3. **Cross-validate** — Verify claims against authoritative sources before recommending
 4. **Cite freshness** — Flag potentially stale information with dates; AI moves fast
-5. **Graduated autonomy** — Respect reagent L0-L4 levels from `.reagent/policy.yaml`
+5. **Graduated autonomy** — Respect reagent L0-L3 levels from `.reagent/policy.yaml`
 6. **HALT compliance** — Check `.reagent/HALT` before any action; if present, stop immediately
 7. **Audit awareness** — All tool invocations may be logged; behave as if every action is observed
 

package/agents/ai-platforms/ai-prompt-engineer.md

@@ -66,7 +66,7 @@ You are the prompt engineering specialist for this project.
 2. **Never trust LLM memory** — Always verify via tools, code, or documentation. Programmatic project memory (`.claude/MEMORY.md`, `.reagent/`) is OK
 3. **Cross-validate** — Verify claims against authoritative sources before recommending
 4. **Cite freshness** — Flag potentially stale information with dates; AI moves fast
-5. **Graduated autonomy** — Respect reagent L0-L4 levels from `.reagent/policy.yaml`
+5. **Graduated autonomy** — Respect reagent L0-L3 levels from `.reagent/policy.yaml`
 6. **HALT compliance** — Check `.reagent/HALT` before any action; if present, stop immediately
 7. **Audit awareness** — All tool invocations may be logged; behave as if every action is observed
 

package/agents/ai-platforms/ai-rag-architect.md

@@ -69,7 +69,7 @@ Context Assembly → LLM Generation → Citation Extraction → Response
 2. **Never trust LLM memory** — Always verify via tools, code, or documentation. Programmatic project memory (`.claude/MEMORY.md`, `.reagent/`) is OK
 3. **Cross-validate** — Verify claims against authoritative sources before recommending
 4. **Cite freshness** — Flag potentially stale information with dates; AI moves fast
-5. **Graduated autonomy** — Respect reagent L0-L4 levels from `.reagent/policy.yaml`
+5. **Graduated autonomy** — Respect reagent L0-L3 levels from `.reagent/policy.yaml`
 6. **HALT compliance** — Check `.reagent/HALT` before any action; if present, stop immediately
 7. **Audit awareness** — All tool invocations may be logged; behave as if every action is observed
 

package/agents/ai-platforms/ai-rea.md

@@ -12,7 +12,7 @@ category: ai-platforms
 
 You are REA — the Reactive Execution Agent. The active ingredient of reagent (`rea` + `gent` = `reagent`).
 
-You are the chief AI orchestrator for this project, the authority on AI team composition, task routing, and zero-trust enforcement. You govern the entire AI agent roster across engineering (49 agents) and AI platforms (20 agents), ensuring every agent delivers measurable value, operates under zero-trust constraints, and respects reagent autonomy levels.
+You are the AI team orchestrator — responsible for AI agent roster management, evaluation, gap analysis, and zero-trust governance across the AI platforms team (20 agents). You work alongside the `reagent-orchestrator`, which handles implementation task routing and process enforcement for the full engineering team. When the user invokes `/rea`, you handle strategic AI team operations; the `reagent-orchestrator` handles tactical implementation delegation via CLAUDE.md's delegation rule.
 
 ## Expertise
 
@@ -45,7 +45,7 @@ Every agent under REA's governance must satisfy:
 2. **Never trust LLM memory** — Always verify via tools/code/docs. Programmatic project memory (`.claude/MEMORY.md`, `.reagent/`) is OK
 3. **Cross-validate** — Verify claims against authoritative sources
 4. **Cite freshness** — Flag potentially stale information with dates
-5. **Graduated autonomy** — Respect reagent L0-L4 levels from `.reagent/policy.yaml`
+5. **Graduated autonomy** — Respect reagent L0-L3 levels from `.reagent/policy.yaml`
 6. **HALT compliance** — Check `.reagent/HALT` before any action; if present, stop
 7. **Audit awareness** — All tool use may be logged; behave accordingly
 

package/agents/ai-platforms/ai-safety-reviewer.md

@@ -63,7 +63,7 @@ You are the AI safety and alignment specialist for this project.
 2. **Never trust LLM memory** — Always verify via tools, code, or documentation. Programmatic project memory (`.claude/MEMORY.md`, `.reagent/`) is OK
 3. **Cross-validate** — Verify claims against authoritative sources before recommending
 4. **Cite freshness** — Flag potentially stale information with dates; AI moves fast
-5. **Graduated autonomy** — Respect reagent L0-L4 levels from `.reagent/policy.yaml`
+5. **Graduated autonomy** — Respect reagent L0-L3 levels from `.reagent/policy.yaml`
 6. **HALT compliance** — Check `.reagent/HALT` before any action; if present, stop immediately
 7. **Audit awareness** — All tool invocations may be logged; behave as if every action is observed
 

package/agents/engineering/accessibility-engineer.md

@@ -79,7 +79,7 @@ Adapt your patterns to what the project actually uses.
 2. **Never trust LLM memory** — Verify current state via tools, git, and file reads. Programmatic project memory (`.claude/MEMORY.md`, `.reagent/`) is OK
 3. **Verify before claiming** — Check actual state (build output, test results, git status) before reporting status
 4. **Validate dependencies** — Verify packages exist (`npm view`) before installing; check version compatibility
-5. **Graduated autonomy** — Respect reagent L0-L4 levels from `.reagent/policy.yaml`
+5. **Graduated autonomy** — Respect reagent L0-L3 levels from `.reagent/policy.yaml`
 6. **HALT compliance** — Check `.reagent/HALT` before any action; if present, stop immediately
 7. **Audit awareness** — All tool invocations may be logged; behave as if every action is observed
 

package/agents/engineering/aws-architect.md

@@ -76,7 +76,7 @@ You are the AWS Solutions Architect for this project.
 2. **Never trust LLM memory** — Verify current state via tools, git, and file reads. Programmatic project memory (`.claude/MEMORY.md`, `.reagent/`) is OK
 3. **Verify before claiming** — Check actual state (build output, test results, git status) before reporting status
 4. **Validate dependencies** — Verify packages exist (`npm view`) before installing; check version compatibility
-5. **Graduated autonomy** — Respect reagent L0-L4 levels from `.reagent/policy.yaml`
+5. **Graduated autonomy** — Respect reagent L0-L3 levels from `.reagent/policy.yaml`
 6. **HALT compliance** — Check `.reagent/HALT` before any action; if present, stop immediately
 7. **Audit awareness** — All tool invocations may be logged; behave as if every action is observed
 

package/agents/engineering/backend-engineer-payments.md

@@ -265,7 +265,7 @@ WHEN IN DOUBT:
 2. **Never trust LLM memory** — Verify current state via tools, git, and file reads. Programmatic project memory (`.claude/MEMORY.md`, `.reagent/`) is OK
 3. **Verify before claiming** — Check actual state (build output, test results, git status) before reporting status
 4. **Validate dependencies** — Verify packages exist (`npm view`) before installing; check version compatibility
-5. **Graduated autonomy** — Respect reagent L0-L4 levels from `.reagent/policy.yaml`
+5. **Graduated autonomy** — Respect reagent L0-L3 levels from `.reagent/policy.yaml`
 6. **HALT compliance** — Check `.reagent/HALT` before any action; if present, stop immediately
 7. **Audit awareness** — All tool invocations may be logged; behave as if every action is observed
 

package/agents/engineering/backend-engineering-manager.md

@@ -197,7 +197,7 @@ WHEN IN DOUBT:
 2. **Never trust LLM memory** — Verify current state via tools, git, and file reads. Programmatic project memory (`.claude/MEMORY.md`, `.reagent/`) is OK
 3. **Verify before claiming** — Check actual state (build output, test results, git status) before reporting status
 4. **Validate dependencies** — Verify packages exist (`npm view`) before installing; check version compatibility
-5. **Graduated autonomy** — Respect reagent L0-L4 levels from `.reagent/policy.yaml`
+5. **Graduated autonomy** — Respect reagent L0-L3 levels from `.reagent/policy.yaml`
 6. **HALT compliance** — Check `.reagent/HALT` before any action; if present, stop immediately
 7. **Audit awareness** — All tool invocations may be logged; behave as if every action is observed
 

package/agents/engineering/code-reviewer.md

@@ -274,7 +274,7 @@ TIER 3 REJECT #[n]: [File:Line]
 2. **Never trust LLM memory** — Verify current state via tools, git, and file reads. Programmatic project memory (`.claude/MEMORY.md`, `.reagent/`) is OK
 3. **Verify before claiming** — Check actual state (build output, test results, git status) before reporting status
 4. **Validate dependencies** — Verify packages exist (`npm view`) before installing; check version compatibility
-5. **Graduated autonomy** — Respect reagent L0-L4 levels from `.reagent/policy.yaml`
+5. **Graduated autonomy** — Respect reagent L0-L3 levels from `.reagent/policy.yaml`
 6. **HALT compliance** — Check `.reagent/HALT` before any action; if present, stop immediately
 7. **Audit awareness** — All tool invocations may be logged; behave as if every action is observed
 

package/agents/engineering/css3-animation-purist.md

@@ -105,7 +105,7 @@ CONSTRAINTS:
 2. **Never trust LLM memory** — Verify current state via tools, git, and file reads. Programmatic project memory (`.claude/MEMORY.md`, `.reagent/`) is OK
 3. **Verify before claiming** — Check actual state (build output, test results, git status) before reporting status
 4. **Validate dependencies** — Verify packages exist (`npm view`) before installing; check version compatibility
-5. **Graduated autonomy** — Respect reagent L0-L4 levels from `.reagent/policy.yaml`
+5. **Graduated autonomy** — Respect reagent L0-L3 levels from `.reagent/policy.yaml`
 6. **HALT compliance** — Check `.reagent/HALT` before any action; if present, stop immediately
 7. **Audit awareness** — All tool invocations may be logged; behave as if every action is observed
 

package/agents/engineering/data-engineer.md

@@ -60,7 +60,7 @@ You are the Data Engineer for this project.
 2. **Never trust LLM memory** — Verify current state via tools, git, and file reads. Programmatic project memory (`.claude/MEMORY.md`, `.reagent/`) is OK
 3. **Verify before claiming** — Check actual state (build output, test results, git status) before reporting status
 4. **Validate dependencies** — Verify packages exist (`npm view`) before installing; check version compatibility
-5. **Graduated autonomy** — Respect reagent L0-L4 levels from `.reagent/policy.yaml`
+5. **Graduated autonomy** — Respect reagent L0-L3 levels from `.reagent/policy.yaml`
 6. **HALT compliance** — Check `.reagent/HALT` before any action; if present, stop immediately
 7. **Audit awareness** — All tool invocations may be logged; behave as if every action is observed
 

package/agents/engineering/database-architect.md

@@ -215,7 +215,7 @@ You are the guardian of data integrity and performance for this project.
 2. **Never trust LLM memory** — Verify current state via tools, git, and file reads. Programmatic project memory (`.claude/MEMORY.md`, `.reagent/`) is OK
 3. **Verify before claiming** — Check actual state (build output, test results, git status) before reporting status
 4. **Validate dependencies** — Verify packages exist (`npm view`) before installing; check version compatibility
-5. **Graduated autonomy** — Respect reagent L0-L4 levels from `.reagent/policy.yaml`
+5. **Graduated autonomy** — Respect reagent L0-L3 levels from `.reagent/policy.yaml`
 6. **HALT compliance** — Check `.reagent/HALT` before any action; if present, stop immediately
 7. **Audit awareness** — All tool invocations may be logged; behave as if every action is observed