@deftai/directive-content 0.55.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.agents/skills/deft/SKILL.md +6 -0
- package/.agents/skills/deft-directive-article-review/SKILL.md +11 -0
- package/.agents/skills/deft-directive-build/SKILL.md +10 -0
- package/.agents/skills/deft-directive-cost/SKILL.md +12 -0
- package/.agents/skills/deft-directive-debug/SKILL.md +13 -0
- package/.agents/skills/deft-directive-gh-arch/SKILL.md +11 -0
- package/.agents/skills/deft-directive-gh-slice/SKILL.md +10 -0
- package/.agents/skills/deft-directive-glossary/SKILL.md +10 -0
- package/.agents/skills/deft-directive-interview/SKILL.md +9 -0
- package/.agents/skills/deft-directive-pre-pr/SKILL.md +9 -0
- package/.agents/skills/deft-directive-refinement/SKILL.md +10 -0
- package/.agents/skills/deft-directive-release/SKILL.md +12 -0
- package/.agents/skills/deft-directive-review-cycle/SKILL.md +10 -0
- package/.agents/skills/deft-directive-setup/SKILL.md +10 -0
- package/.agents/skills/deft-directive-swarm/SKILL.md +10 -0
- package/.agents/skills/deft-directive-sync/SKILL.md +9 -0
- package/.agents/skills/deft-directive-triage/SKILL.md +9 -0
- package/.agents/skills/deft-directive-write-skill/SKILL.md +9 -0
- package/LICENSE.md +22 -0
- package/QUICK-START.md +167 -0
- package/UPGRADING.md +517 -0
- package/coding/build-output.md +28 -0
- package/coding/coding.md +235 -0
- package/coding/debugging.md +110 -0
- package/coding/holzmann.md +96 -0
- package/coding/hygiene.md +127 -0
- package/coding/security.md +158 -0
- package/coding/testing.md +162 -0
- package/coding/toolchain.md +44 -0
- package/commands.md +300 -0
- package/context/context.md +57 -0
- package/context/deterministic-split.md +67 -0
- package/context/examples.md +26 -0
- package/context/fractal-summaries.md +69 -0
- package/context/long-horizon.md +46 -0
- package/context/spec-deltas.md +177 -0
- package/context/tool-design.md +34 -0
- package/context/working-memory.md +62 -0
- package/contracts/boundary-maps.md +65 -0
- package/contracts/deterministic-questions.md +59 -0
- package/contracts/hierarchy.md +77 -0
- package/conventions/content-manifest.json +399 -0
- package/conventions/machine-generated-banner.md +130 -0
- package/conventions/references.md +120 -0
- package/conventions/rule-ownership.json +382 -0
- package/conventions/task-caching.md +43 -0
- package/conventions/vbrief-filenames.md +70 -0
- package/deployments/README.md +37 -0
- package/deployments/agentuity/README.md +138 -0
- package/deployments/agentuity/via-cli.md +380 -0
- package/deployments/agentuity/via-cloud.md +425 -0
- package/deployments/agentuity/via-github-actions.md +664 -0
- package/deployments/agentuity/via-gravity-network.md +606 -0
- package/deployments/agentuity/via-vpc.md +607 -0
- package/deployments/aws/README.md +38 -0
- package/deployments/aws/via-app-runner.md +612 -0
- package/deployments/aws/via-ecs-fargate.md +561 -0
- package/deployments/aws/via-elastic-beanstalk.md +628 -0
- package/deployments/aws/via-lambda.md +649 -0
- package/deployments/azure/README.md +37 -0
- package/deployments/azure/via-aks.md +390 -0
- package/deployments/azure/via-app-service.md +564 -0
- package/deployments/azure/via-container-apps.md +599 -0
- package/deployments/azure/via-functions.md +552 -0
- package/deployments/cloud-gov/README.md +63 -0
- package/deployments/cloud-gov/agents/compliance-docs.md +154 -0
- package/deployments/cloud-gov/agents.md +39 -0
- package/deployments/cloud-gov/cicd.md +64 -0
- package/deployments/cloud-gov/deployment.md +150 -0
- package/deployments/cloud-gov/logging.md +43 -0
- package/deployments/cloud-gov/manifest.md +121 -0
- package/deployments/cloud-gov/overview.md +58 -0
- package/deployments/cloud-gov/security.md +46 -0
- package/deployments/cloud-gov/services.md +72 -0
- package/deployments/cloud-gov/upstream/README.md +18 -0
- package/deployments/cloudflare/README.md +33 -0
- package/deployments/cloudflare/via-dashboard.md +83 -0
- package/deployments/cloudflare/via-git.md +90 -0
- package/deployments/cloudflare/via-github-actions.md +185 -0
- package/deployments/cloudflare/via-terraform.md +157 -0
- package/deployments/cloudflare/via-wrangler.md +165 -0
- package/deployments/fly-io/README.md +37 -0
- package/deployments/fly-io/via-dockerfile.md +648 -0
- package/deployments/fly-io/via-flyctl.md +653 -0
- package/deployments/fly-io/via-github-actions.md +695 -0
- package/deployments/fly-io/via-multi-region.md +598 -0
- package/deployments/google/README.md +34 -0
- package/deployments/google/via-app-engine.md +42 -0
- package/deployments/google/via-cloud-functions.md +23 -0
- package/deployments/google/via-cloud-run.md +330 -0
- package/deployments/google/via-gke.md +23 -0
- package/deployments/netlify/README.md +99 -0
- package/deployments/netlify/via-cli.md +17 -0
- package/deployments/netlify/via-functions.md +19 -0
- package/deployments/netlify/via-git.md +25 -0
- package/deployments/vercel/README.md +90 -0
- package/deployments/vercel/via-api.md +16 -0
- package/deployments/vercel/via-cli.md +17 -0
- package/deployments/vercel/via-git.md +24 -0
- package/docs/BROWNFIELD.md +179 -0
- package/docs/getting-started.md +137 -0
- package/docs/good-agents-md.md +137 -0
- package/events/README.md +89 -0
- package/events/event-record.schema.json +26 -0
- package/events/registry.json +166 -0
- package/events/registry.schema.json +71 -0
- package/glossary.md +145 -0
- package/incidents/README.md +81 -0
- package/incidents/_template.md +38 -0
- package/interfaces/cli.md +104 -0
- package/interfaces/rest.md +212 -0
- package/interfaces/tui.md +242 -0
- package/interfaces/web.md +123 -0
- package/languages/6502-DASM.md +132 -0
- package/languages/c.md +235 -0
- package/languages/commands.md +23 -0
- package/languages/cpp.md +132 -0
- package/languages/csharp.md +259 -0
- package/languages/dart.md +183 -0
- package/languages/delphi.md +218 -0
- package/languages/elixir.md +208 -0
- package/languages/go.md +78 -0
- package/languages/java.md +278 -0
- package/languages/javascript.md +163 -0
- package/languages/julia.md +175 -0
- package/languages/kotlin.md +193 -0
- package/languages/markdown.md +168 -0
- package/languages/mermaid.md +146 -0
- package/languages/officejs.md +392 -0
- package/languages/python.md +209 -0
- package/languages/r.md +163 -0
- package/languages/rust.md +216 -0
- package/languages/sql.md +216 -0
- package/languages/swift.md +153 -0
- package/languages/typescript.md +132 -0
- package/languages/vba.md +279 -0
- package/languages/vhdl.md +180 -0
- package/languages/visual-basic.md +151 -0
- package/languages/zig.md +196 -0
- package/meta/SOUL.md +27 -0
- package/meta/code-field.md +44 -0
- package/meta/morals.md +40 -0
- package/meta/philosophy.md +39 -0
- package/meta/project.md +49 -0
- package/meta/ralph.md +223 -0
- package/meta/security.md +80 -0
- package/meta/versioning.md +326 -0
- package/package.json +22 -0
- package/packs/lessons/lessons-pack-0.1.json +553 -0
- package/packs/patterns/patterns-pack-0.1.json +57 -0
- package/packs/rules/rules-pack-0.1.json +4767 -0
- package/packs/skills/skills-pack-0.1.json +262 -0
- package/packs/strategies/strategies-pack-0.1.json +167 -0
- package/packs/swarm-spec/swarm-spec-pack-0.1.json +17 -0
- package/patterns/executor-layer-credentials.md +227 -0
- package/patterns/llm-app.md +156 -0
- package/patterns/multi-agent.md +278 -0
- package/patterns/prompt-assembly-layer-ordering.md +154 -0
- package/patterns/role-as-overlay.md +179 -0
- package/platforms/2600.md +137 -0
- package/platforms/unity.md +329 -0
- package/references/composer-skill-porting.md +152 -0
- package/references/cost-models.md +163 -0
- package/references/ip-risk.md +246 -0
- package/references/plain-english-ux.md +275 -0
- package/resilience/context-pruning.md +67 -0
- package/resilience/continue-here.md +62 -0
- package/scm/changelog.md +276 -0
- package/scm/git.md +139 -0
- package/scm/github.md +265 -0
- package/secrets/.gitkeep +0 -0
- package/skills/deft-build/SKILL.md +20 -0
- package/skills/deft-directive-article-review/SKILL.md +156 -0
- package/skills/deft-directive-build/SKILL.md +302 -0
- package/skills/deft-directive-cost/SKILL.md +201 -0
- package/skills/deft-directive-debug/SKILL.md +140 -0
- package/skills/deft-directive-decompose/SKILL.md +96 -0
- package/skills/deft-directive-gh-arch/SKILL.md +160 -0
- package/skills/deft-directive-gh-slice/SKILL.md +199 -0
- package/skills/deft-directive-glossary/SKILL.md +118 -0
- package/skills/deft-directive-interview/SKILL.md +528 -0
- package/skills/deft-directive-pre-pr/SKILL.md +131 -0
- package/skills/deft-directive-probe/SKILL.md +127 -0
- package/skills/deft-directive-refinement/SKILL.md +403 -0
- package/skills/deft-directive-release/SKILL.md +266 -0
- package/skills/deft-directive-review-cycle/SKILL.md +401 -0
- package/skills/deft-directive-setup/SKILL.md +717 -0
- package/skills/deft-directive-swarm/SKILL.md +989 -0
- package/skills/deft-directive-sync/SKILL.md +288 -0
- package/skills/deft-directive-triage/SKILL.md +137 -0
- package/skills/deft-directive-write-skill/SKILL.md +169 -0
- package/skills/deft-interview/SKILL.md +16 -0
- package/skills/deft-pre-pr/SKILL.md +16 -0
- package/skills/deft-review-cycle/SKILL.md +16 -0
- package/skills/deft-roadmap-refresh/SKILL.md +16 -0
- package/skills/deft-setup/SKILL.md +20 -0
- package/skills/deft-swarm/SKILL.md +16 -0
- package/skills/deft-sync/SKILL.md +16 -0
- package/strategies/README.md +83 -0
- package/strategies/artifact-guards.md +85 -0
- package/strategies/bdd.md +115 -0
- package/strategies/brownfield.md +7 -0
- package/strategies/discuss.md +129 -0
- package/strategies/emit-hints.md +69 -0
- package/strategies/enterprise.md +193 -0
- package/strategies/interview.md +551 -0
- package/strategies/map.md +179 -0
- package/strategies/probe.md +151 -0
- package/strategies/rapid.md +155 -0
- package/strategies/research.md +155 -0
- package/strategies/roadmap.md +9 -0
- package/strategies/speckit.md +437 -0
- package/strategies/v0-20-contract.md +134 -0
- package/strategies/yolo.md +169 -0
- package/swarm/swarm.md +300 -0
- package/templates/COST-ESTIMATE.md +114 -0
- package/templates/PULL_REQUEST_TEMPLATE.md +35 -0
- package/templates/agent-prompt-preamble.md +409 -0
- package/templates/agents-entry.md +211 -0
- package/templates/agents-entry.placeholders.md +75 -0
- package/templates/embed.go +20 -0
- package/templates/embed_test.go +36 -0
- package/templates/make-spec-example.md +9 -0
- package/templates/make-spec.md +246 -0
- package/templates/project.md.template +52 -0
- package/templates/specification.md +1 -0
- package/templates/swarm-greptile-poller-prompt.md +556 -0
- package/templates/user.md.template +31 -0
- package/tools/RWLDL.md +80 -0
- package/tools/greptile.md +141 -0
- package/tools/installer.md +23 -0
- package/tools/taskfile-migration.md +32 -0
- package/tools/taskfile.md +185 -0
- package/tools/telemetry.md +285 -0
- package/vbrief/schemas/cache-meta.schema.json +137 -0
- package/vbrief/schemas/candidates.schema.json +130 -0
- package/vbrief/schemas/codebase-map.schema.json +213 -0
- package/vbrief/schemas/lessons-pack.schema.json +134 -0
- package/vbrief/schemas/patterns-pack.schema.json +84 -0
- package/vbrief/schemas/rules-pack.schema.json +105 -0
- package/vbrief/schemas/skills-pack.schema.json +94 -0
- package/vbrief/schemas/slices.schema.json +87 -0
- package/vbrief/schemas/strategies-pack.schema.json +89 -0
- package/vbrief/schemas/swarm-spec-pack.schema.json +84 -0
- package/vbrief/schemas/vbrief-core.schema.json +1022 -0
- package/vbrief/vbrief.md +684 -0
- package/verification/integration.md +76 -0
- package/verification/plan-checking.md +85 -0
- package/verification/uat.md +60 -0
- package/verification/verification.md +117 -0
|
@@ -0,0 +1,158 @@
|
|
|
1
|
+
<!-- AUTO-GENERATED by task packs:render -- DO NOT EDIT MANUALLY -->
|
|
2
|
+
<!-- Purpose: rendered coding rules -->
|
|
3
|
+
<!-- Source of truth: packs/rules/rules-pack-0.1.json -->
|
|
4
|
+
<!-- Regenerate with: task packs:render -->
|
|
5
|
+
<!-- Edit the source, not this file. Slice instead of loading every coding doc: task packs:slice rules by-tier --tier <TIER> (or by-domain, list) -->
|
|
6
|
+
|
|
7
|
+
# Security Standards
|
|
8
|
+
|
|
9
|
+
Baseline security requirements that apply to every project Deft creates or maintains. This is a baseline standards file, not a comprehensive security audit guide — see project-specific threat models for deeper coverage.
|
|
10
|
+
|
|
11
|
+
Legend (from RFC2119): !=MUST, ~=SHOULD, ≉=SHOULD NOT, ⊗=MUST NOT, ?=MAY.
|
|
12
|
+
|
|
13
|
+
## Universal Requirements
|
|
14
|
+
|
|
15
|
+
- ! Validate all inputs at trust boundaries; reject malformed input, do not silently sanitize
|
|
16
|
+
- ! Treat all data from outside the trust boundary (users, network, files, agents, tools) as adversarial until validated
|
|
17
|
+
- ! Run dependency vulnerability scans on introduction AND on a recurring cadence (weekly minimum)
|
|
18
|
+
- ! Keep secrets out of source, logs, error messages, and build artifacts (see [coding.md `Secrets`](coding.md#code-organization))
|
|
19
|
+
- ⊗ Roll custom cryptography, authentication, or session handling — use vetted libraries
|
|
20
|
+
- ⊗ Disable security checks "temporarily" without an issue tracking re-enablement
|
|
21
|
+
|
|
22
|
+
## Input Validation & Injection Prevention
|
|
23
|
+
|
|
24
|
+
- ! Validate type, length, range, and format at every API boundary
|
|
25
|
+
- ! Use parameterized queries / prepared statements for ALL database access
|
|
26
|
+
- ! Apply context-appropriate output encoding (HTML, URL, JSON, shell, SQL) at the point of use, not at storage
|
|
27
|
+
- ! Reject untrusted input outright when it fails validation; do not coerce or "fix" it
|
|
28
|
+
- ! Use safe deserialization (JSON over pickle/yaml-load; allow-lists for polymorphic types)
|
|
29
|
+
- ⊗ String interpolation in SQL, shell, or command construction
|
|
30
|
+
- ⊗ `eval`, `exec`, `subprocess(shell=True)`, or equivalent on untrusted input
|
|
31
|
+
- ⊗ Trust client-side validation as the sole defence — re-validate server-side
|
|
32
|
+
|
|
33
|
+
## Authentication & Authorization
|
|
34
|
+
|
|
35
|
+
- ! Use established auth libraries / identity providers (OAuth2/OIDC, Passport, Authlib, etc.)
|
|
36
|
+
- ! Enforce authorization at the API / service layer, never only in the UI
|
|
37
|
+
- ! Use short-lived access tokens; rotate refresh tokens; revoke server-side on logout / compromise
|
|
38
|
+
- ! Hash passwords with a memory-hard algorithm (argon2id, bcrypt, scrypt) — never plain SHA / MD5
|
|
39
|
+
- ! Enforce MFA for administrative / production access paths
|
|
40
|
+
- ⊗ Roll custom session, password, or token handling
|
|
41
|
+
- ⊗ Hard-code credentials, API keys, or tokens in source — see Secrets Management below
|
|
42
|
+
- ⊗ Log credentials, full tokens, or session cookies
|
|
43
|
+
|
|
44
|
+
## Secrets Management
|
|
45
|
+
|
|
46
|
+
Extends and reinforces [coding.md Secrets rule](coding.md#code-organization). Projects that include any AI agent process MUST also apply the tightened `## No-Read-Secret Rule for Agent Systems (#587)` section below -- the `.env`-files-as-default pattern that is compliant for traditional services is NOT compliant when an agent can read the filesystem.
|
|
47
|
+
|
|
48
|
+
- ! Store ALL secrets in `secrets/` as `.env` files (or a dedicated secret manager), gitignored
|
|
49
|
+
- ! Read secrets via environment variables / vault clients at runtime
|
|
50
|
+
- ! Rotate secrets on a documented cadence and on any suspected compromise
|
|
51
|
+
- ! Redact tokens, passwords, and PII before logging or surfacing in error messages
|
|
52
|
+
- ⊗ Secrets in code, config committed to VCS, CI logs, or chat transcripts
|
|
53
|
+
- ⊗ Print, `echo`, or interpolate secrets into shell strings; pass via env or `--*-file` flags instead
|
|
54
|
+
- ⊗ Log full credentials, refresh tokens, or PII
|
|
55
|
+
|
|
56
|
+
## Dependency Security
|
|
57
|
+
|
|
58
|
+
- ! Pin direct dependency versions in lock files (`uv.lock`, `package-lock.json`, `go.sum`, `Cargo.lock`)
|
|
59
|
+
- ! Audit dependencies on introduction with the language-native scanner:
|
|
60
|
+
- Python: `pip-audit` (or `uv pip audit`)
|
|
61
|
+
- Node: `npm audit` / `pnpm audit`
|
|
62
|
+
- Go: `govulncheck`
|
|
63
|
+
- Rust: `cargo audit`
|
|
64
|
+
- ! Enable Dependabot (or equivalent) for weekly version + security PRs
|
|
65
|
+
- ! Resolve CRITICAL / HIGH advisories before merge; document deferral with a tracked issue
|
|
66
|
+
- ~ Run `osv-scanner scan source --recursive .` periodically across mixed-language repos
|
|
67
|
+
- ⊗ Disable lockfile checks to "speed up" CI
|
|
68
|
+
- ⊗ Pin to floating refs (`main`, `latest`, `@v1`) for third-party GitHub Actions — pin to a full SHA
|
|
69
|
+
|
|
70
|
+
## Agent-Specific Threats
|
|
71
|
+
|
|
72
|
+
Directive builds AI agent frameworks; agents introduce a distinct threat surface beyond classic web security.
|
|
73
|
+
|
|
74
|
+
- ! Treat ALL user-provided content (chat, files, tool outputs, web fetches) as potentially adversarial — assume prompt injection
|
|
75
|
+
- ! Isolate tool outputs from the trust boundary: never expose raw internal file contents, environment variables, or system prompts to untrusted input channels
|
|
76
|
+
- ! Gate destructive tool calls (file deletion, repo deletion, force-push, admin merge, billing changes) behind explicit user consent OR a deterministic preflight check
|
|
77
|
+
- ! Bound agent autonomy: declare per-tool allow / deny lists; do not grant blanket shell or network access by default
|
|
78
|
+
- ! Log every tool invocation with arguments redacted for secrets so post-incident review is possible
|
|
79
|
+
- ⊗ Reflect retrieved web content, repo issue bodies, or third-party comments directly back into a privileged tool-call argument without sanitization
|
|
80
|
+
- ⊗ Expose internal system prompts, hidden tool definitions, or other agents' messages to an untrusted input surface
|
|
81
|
+
- ⊗ Run model-suggested shell commands without a deterministic safety classifier (see `scripts/preflight_gh.py` for the canonical pattern)
|
|
82
|
+
|
|
83
|
+
## Tooling
|
|
84
|
+
|
|
85
|
+
- ~ Static analysis: language-native linter with security rules enabled (ruff S-rules, golangci-lint gosec, eslint security plugin)
|
|
86
|
+
- ~ Secret scanners: `gitleaks` on pre-commit and CI
|
|
87
|
+
- ~ SAST: CodeQL default setup for hosted repos
|
|
88
|
+
- ~ Container scanning: `trivy fs` or `trivy image` for any Dockerfile / OCI artifact
|
|
89
|
+
- ~ Dependency review: GitHub Dependency Review action on PRs
|
|
90
|
+
|
|
91
|
+
## Reporting Vulnerabilities
|
|
92
|
+
|
|
93
|
+
- ! Every project MUST document a vulnerability reporting path (GitHub Security Advisories, `SECURITY.md`, or equivalent)
|
|
94
|
+
- ! Acknowledge reports within a documented SLA; never silently close
|
|
95
|
+
- ⊗ Discuss unfixed vulnerabilities in public issues / PRs
|
|
96
|
+
|
|
97
|
+
## No-Read-Secret Rule for Agent Systems (#587)
|
|
98
|
+
|
|
99
|
+
When AI agents are part of the system, every filesystem-accessible secret is one a prompt-injection attack could exfiltrate to an external inference server. The `.env`-on-disk pattern that is fine for traditional services becomes a structural security hole the moment a non-deterministic reader is in the loop -- the standard `dotenv` flow makes secrets part of the agent's context by construction.
|
|
100
|
+
|
|
101
|
+
- ! When the project includes any AI agent process, store secrets in a dedicated secret manager (cloud KMS / Vault / 1Password / Infisical Agent Vault) -- not in `.env` files on disk
|
|
102
|
+
- ! Inject secrets at process start into the agent's environment (or, preferred, deliver them via a credential proxy so the agent never reads the underlying value); fetch from the secret store at runtime, do not bake into images
|
|
103
|
+
- ! Scope each credential to the agent identity that uses it -- one scoped credential per agent or per deployment, auditable separately
|
|
104
|
+
- ~ For production agent systems, prefer the agent credential proxy pattern: a TLS-intercepting forward proxy (or sidecar) attaches credentials to outbound requests so the agent completes its work without ever reading the plaintext secret
|
|
105
|
+
- ⊗ Commit `.env` files in projects where any agent process can read the filesystem -- the agent's context (and any external inference server it calls) inherits everything the agent can read
|
|
106
|
+
- ⊗ Share one API key across multiple agents -- per-identity scoping is what makes the audit log usable when a key is compromised
|
|
107
|
+
|
|
108
|
+
Cross-references: [coding.md `Secrets`](coding.md#code-organization) (this rule extends the existing Secrets rule for agent contexts) | `Secrets Management` section above | the in-flight `patterns/executor-layer-credentials.md` credential-proxy pattern (Wave 2, tracked at [#806](https://github.com/deftai/directive/issues/806); not yet on master) | Infisical Agent Vault <https://github.com/Infisical/agent-vault> (reference implementation).
|
|
109
|
+
|
|
110
|
+
## Tool-Call Safety Is Independent of Text-Level Safety (#686)
|
|
111
|
+
|
|
112
|
+
Text-level safety alignment does not transfer to the tool-call boundary. An agent whose text outputs satisfy safety constraints can still execute harmful tool calls -- empirically demonstrated in the Agent Behavioral Contracts literature (Cartagena & Teixeira 2026). A safety-aligned model is NOT safe at the tool boundary unless the tool boundary enforces it separately.
|
|
113
|
+
|
|
114
|
+
- ! Enforce hard constraints on high-impact tools at the call site -- middleware, gateway, or contract layer -- separate from the model's text-level safety training
|
|
115
|
+
- ! Declare an explicit constraint tier for every tool in the tool registry: `read-only`, `reversible`, `irreversible`, or `destructive`. Tools without a declared tier MUST be treated as `destructive` by default
|
|
116
|
+
- ! Audit-log every tool invocation at the tool-call layer (tool name, arguments redacted for secrets, caller identity, outcome). Text-level logs of the model's reasoning are insufficient for post-incident review
|
|
117
|
+
- ! For `irreversible` / `destructive` tools, gate execution with a deterministic preflight (allow-list, environment check, ack token) outside the model -- never let the model decide on its own that an operation is safe
|
|
118
|
+
- ⊗ Rely on model-level safety training as the only barrier between an agent and a destructive tool call -- text alignment provides no guarantee at the tool boundary
|
|
119
|
+
- ⊗ Ship a tool registry where any tool is missing a constraint-tier declaration -- the default-to-`destructive` fallback exists for staging, not production
|
|
120
|
+
|
|
121
|
+
Cross-references: `Agent-Specific Threats` section above | the in-flight `patterns/executor-layer-credentials.md` tool-call gateway pattern (Wave 2, tracked at [#806](https://github.com/deftai/directive/issues/806); not yet on master) | [`scripts/preflight_gh.py`](../../scripts/preflight_gh.py) (#1019 reference implementation of a per-tool deterministic safety classifier) | Cartagena & Teixeira 2026 <https://arxiv.org/abs/2602.22302>.
|
|
122
|
+
|
|
123
|
+
## Destructive-Op Guardrails -- Environment Isolation + Irreversibility (#708)
|
|
124
|
+
|
|
125
|
+
The April 2026 PocketOS / Railway incident -- a Cursor/Claude agent deleted a production database AND its backups in roughly nine seconds after being told to "clean up the staging DB" -- is the canonical recurrence record for two distinct gaps: acting on a prompt-claimed environment instead of a verified one, and treating "destructive" as excluding backups. The two gates below close those gaps; the incident is documented at [`incidents/2026-04-pocketos-railway-prod-db-wipe.md`](../../incidents/2026-04-pocketos-railway-prod-db-wipe.md).
|
|
126
|
+
|
|
127
|
+
### Environment Isolation Gate
|
|
128
|
+
|
|
129
|
+
- ! Before any write or destructive operation, the agent MUST positively identify the target environment (prod / staging / dev) from a TRUSTED, NON-PROMPT signal -- env var (e.g. `APP_ENV`), config file, or connection-string introspection. The user's wording is NOT a trusted signal
|
|
130
|
+
- ! Enumerate the prod-detection heuristics explicitly in the project's runbook: hostname or connection-string contains `prod` / `production`, matches the documented prod hostname(s), or resolves into a documented prod-VPC CIDR. A trusted signal that disagrees with the prompt always wins
|
|
131
|
+
- ! If the environment cannot be verified from a trusted signal, the agent MUST refuse the operation and escalate to a human. "Probably staging" is a refusal, not an approval
|
|
132
|
+
- ⊗ Trust the user's wording (e.g. "clean up the staging DB") as environment authorisation -- the prompt is the untrusted input, the env var / connection string is the trusted signal
|
|
133
|
+
- ⊗ Heuristically downgrade an unverified environment to "non-prod" so the operation can proceed -- the gate fails closed
|
|
134
|
+
|
|
135
|
+
### Irreversibility Gate
|
|
136
|
+
|
|
137
|
+
- ! Destructive operations -- DB `DROP` / `TRUNCATE` / `DELETE` without `WHERE`, `rm -rf`, force-push to a shared branch, table rename over an existing target, AND any mutation of a backup -- require BOTH a tested rollback path AND an explicit in-session human ack token before execution
|
|
138
|
+
- ! Backups are first-class state. Deleting, overwriting, truncating, or "rotating" a backup is itself a destructive operation and MUST go through this gate
|
|
139
|
+
- ! A verified non-prod environment (Environment Isolation Gate passed with `env != prod`) MAY relax the human-ack requirement but does NOT remove the rollback-path requirement -- a dev DB without a rollback is still a footgun
|
|
140
|
+
- ~ Declare the irreversibility-tier classification for the project's destructive verbs in the in-flight `conventions/verb-classification.json` (tracked at [#1095](https://github.com/deftai/directive/issues/1095) closed-verb scope-expansion gate; not yet on master). Inline declaration in the operation's runbook is acceptable until that file lands
|
|
141
|
+
- ⊗ Execute a destructive operation in a verified prod environment without an in-session human ack token -- "the user authorised the project" is not session-scoped consent
|
|
142
|
+
- ⊗ Treat a backup as out-of-scope for the irreversibility gate -- the PocketOS incident is the recurrence record; backups were destroyed in the same nine-second window as the live database
|
|
143
|
+
|
|
144
|
+
Cross-references: [`incidents/README.md`](../incidents/README.md) (incidents library format) | [`incidents/2026-04-pocketos-railway-prod-db-wipe.md`](../../incidents/2026-04-pocketos-railway-prod-db-wipe.md) (seed entry) | `Agent-Specific Threats` section above (this section extends it) | [`scripts/preflight_gh.py`](../../scripts/preflight_gh.py) (#1019 deterministic-classifier reference) | #1095 closed-verb scope-expansion gate (consumes the irreversibility-tier classification).
|
|
145
|
+
|
|
146
|
+
## Anti-Patterns
|
|
147
|
+
|
|
148
|
+
- ⊗ "We'll add security later" — baseline standards apply from day one
|
|
149
|
+
- ⊗ Silent sanitization that masks malformed input rather than rejecting it
|
|
150
|
+
- ⊗ Disabling lockfile / signature / scanner checks to ship faster
|
|
151
|
+
- ⊗ Trusting agent / model output as if it were validated user input
|
|
152
|
+
- ⊗ Logging entire request bodies or environment dumps in production
|
|
153
|
+
- ⊗ Granting agents blanket network or shell access without per-tool allow-lists
|
|
154
|
+
- ⊗ Reflecting third-party content (issue bodies, web pages, tool outputs) into privileged tool calls unsanitized
|
|
155
|
+
|
|
156
|
+
---
|
|
157
|
+
|
|
158
|
+
**See also**: [coding.md](coding.md) (general coding standards, Secrets rule) | [testing.md](testing.md) (Security Tests section) | [hygiene.md](hygiene.md) (error-hiding anti-patterns) | [../scm/github.md](../scm/github.md) (destructive `gh` verbs preflight gate #1019) | [../incidents/README.md](../incidents/README.md) (incidents library, #708)
|
|
@@ -0,0 +1,162 @@
|
|
|
1
|
+
<!-- AUTO-GENERATED by task packs:render -- DO NOT EDIT MANUALLY -->
|
|
2
|
+
<!-- Purpose: rendered coding rules -->
|
|
3
|
+
<!-- Source of truth: packs/rules/rules-pack-0.1.json -->
|
|
4
|
+
<!-- Regenerate with: task packs:render -->
|
|
5
|
+
<!-- Edit the source, not this file. Slice instead of loading every coding doc: task packs:slice rules by-tier --tier <TIER> (or by-domain, list) -->
|
|
6
|
+
|
|
7
|
+
# Testing Standards
|
|
8
|
+
|
|
9
|
+
Universal testing requirements across all languages and interfaces.
|
|
10
|
+
|
|
11
|
+
Legend (from RFC2119): !=MUST, ~=SHOULD, ≉=SHOULD NOT, ⊗=MUST NOT, ?=MAY.
|
|
12
|
+
|
|
13
|
+
## Universal Requirements
|
|
14
|
+
|
|
15
|
+
- ! Achieve ≥85% coverage (overall + per-module/package/file)
|
|
16
|
+
- ! Include ≥50 fuzzing tests per input point
|
|
17
|
+
- ~ Have integration tests for critical paths/workflows
|
|
18
|
+
- ! Exclude entry points and main functions from coverage
|
|
19
|
+
- ! Test all code paths: normal, edge cases, error conditions
|
|
20
|
+
- ! Run `task check` (or equivalent) before commit
|
|
21
|
+
- ⊗ say a (todo-list|plan|phase|project) is done if relevant tests have not been written, run, and PASSED.
|
|
22
|
+
- ⊗ assume its ok for a test to fail in any situation
|
|
23
|
+
|
|
24
|
+
## Test-First Development
|
|
25
|
+
|
|
26
|
+
- ! Implementation is INCOMPLETE until tests written AND `task test:coverage` passes
|
|
27
|
+
- ! New functions/classes MUST have corresponding tests in same commit
|
|
28
|
+
- ! Modified functions MUST update existing tests to maintain coverage
|
|
29
|
+
- ! Run `task test:coverage` after ANY code change to verify ≥85% maintained
|
|
30
|
+
- ! If coverage drops below threshold, implementation is INCOMPLETE
|
|
31
|
+
- ~ Write tests for edge cases, not just happy paths
|
|
32
|
+
- ⊗ Skip test updates when modifying existing functions
|
|
33
|
+
- ⊗ Implement code without tests
|
|
34
|
+
- ⊗ Claim "done" before running test:coverage
|
|
35
|
+
|
|
36
|
+
## Coverage
|
|
37
|
+
|
|
38
|
+
**What to count:**
|
|
39
|
+
|
|
40
|
+
- ! All source code in src/, internal/, pkg/, lib/
|
|
41
|
+
|
|
42
|
+
**What to exclude:**
|
|
43
|
+
|
|
44
|
+
- ! Entry points: main(), **main**, index.ts (if trivial)
|
|
45
|
+
- ! Generated code
|
|
46
|
+
- ! Third-party code
|
|
47
|
+
- ! Test files themselves
|
|
48
|
+
|
|
49
|
+
**Thresholds:**
|
|
50
|
+
|
|
51
|
+
- ! ≥85% lines
|
|
52
|
+
- ! ≥85% functions/methods
|
|
53
|
+
- ! ≥85% branches
|
|
54
|
+
- ! ≥85% statements
|
|
55
|
+
|
|
56
|
+
## Test Types
|
|
57
|
+
|
|
58
|
+
### Unit Tests
|
|
59
|
+
|
|
60
|
+
- ! Individual functions/methods/components
|
|
61
|
+
- ! Normal cases + edge cases + error conditions
|
|
62
|
+
- ! Fast execution (milliseconds)
|
|
63
|
+
- ! No external dependencies (use mocks/stubs)
|
|
64
|
+
|
|
65
|
+
### Integration Tests
|
|
66
|
+
|
|
67
|
+
- ~ Full workflows with real dependencies
|
|
68
|
+
- ~ Realistic scenarios
|
|
69
|
+
- ~ Database, API, file system interactions
|
|
70
|
+
- ~ Slower execution acceptable
|
|
71
|
+
|
|
72
|
+
### Fuzzing Tests
|
|
73
|
+
|
|
74
|
+
- ! ≥50 fuzzing tests per input point
|
|
75
|
+
- ! Random/malformed inputs
|
|
76
|
+
- ! Catch unexpected crashes, hangs, exceptions
|
|
77
|
+
|
|
78
|
+
### Load/Performance Tests
|
|
79
|
+
|
|
80
|
+
- ~ For performance-critical code
|
|
81
|
+
- ~ Measure response times under load
|
|
82
|
+
- Tools: JMeter, Gatling, k6, Apache Bench
|
|
83
|
+
|
|
84
|
+
### Security Tests
|
|
85
|
+
|
|
86
|
+
- ! For code handling untrusted input
|
|
87
|
+
- ! SQL injection, XSS, auth bypass, path traversal
|
|
88
|
+
- Tools: OWASP ZAP, Burp Suite, SQLMap
|
|
89
|
+
|
|
90
|
+
### Snapshot Tests
|
|
91
|
+
|
|
92
|
+
- ~ For CLI output, rendered UI, generated files
|
|
93
|
+
- ~ Detect unintended output changes
|
|
94
|
+
|
|
95
|
+
### Build Output Tests
|
|
96
|
+
|
|
97
|
+
- ~ Build scripts that produce `dist/` artifacts have a smoke test verifying expected output files exist and contain expected content
|
|
98
|
+
- ! Non-compiled assets (manifests, configs, extension metadata) that bundlers don't track are explicitly verified post-build
|
|
99
|
+
- ~ Verify file presence, non-empty size, and structural validity (e.g. required JSON keys present)
|
|
100
|
+
- ! A build that exits 0 but produces stale or incomplete artifacts is a silent failure — treat it as a build failure (#105)
|
|
101
|
+
|
|
102
|
+
## Language-Specific Details
|
|
103
|
+
|
|
104
|
+
**Python**: [../languages/python.md](../languages/python.md#testing) - pytest, pytest-cov, pytest-mock
|
|
105
|
+
**Go**: [../languages/go.md](../languages/go.md#testing) - Testify, table-driven tests
|
|
106
|
+
**C++**: [../languages/cpp.md](../languages/cpp.md#testing) - Catch2/GoogleTest, GoogleMock
|
|
107
|
+
**TypeScript**: [../languages/typescript.md](../languages/typescript.md#testing) - Vitest/Jest, React Testing Library
|
|
108
|
+
**CLI**: [../interfaces/cli.md](../interfaces/cli.md#testing) - CliRunner, format validation
|
|
109
|
+
**REST APIs**: [../interfaces/rest.md](../interfaces/rest.md#testing) - endpoint testing, security testing
|
|
110
|
+
|
|
111
|
+
## Test Organization
|
|
112
|
+
|
|
113
|
+
**File naming:**
|
|
114
|
+
|
|
115
|
+
- Python: `test_*.py` or `*_test.py`
|
|
116
|
+
- Go: `*_test.go`
|
|
117
|
+
- C++: `test_*.cpp` or `*_test.cpp`
|
|
118
|
+
- TypeScript: `*.spec.ts` or `*.test.ts`
|
|
119
|
+
|
|
120
|
+
**Directory structure:**
|
|
121
|
+
|
|
122
|
+
```
|
|
123
|
+
project/
|
|
124
|
+
├── src/ # Source code
|
|
125
|
+
├── tests/ # Test files
|
|
126
|
+
│ ├── unit/ # Unit tests
|
|
127
|
+
│ └── integration/ # Integration tests (optional separation)
|
|
128
|
+
```
|
|
129
|
+
|
|
130
|
+
## Best Practices
|
|
131
|
+
|
|
132
|
+
- ! Write tests before or alongside code (TDD encouraged)
|
|
133
|
+
- ! One assertion per test (or logically grouped assertions)
|
|
134
|
+
- ~ Use descriptive test names: `test_user_login_with_invalid_password`
|
|
135
|
+
- ! Arrange-Act-Assert (AAA) pattern
|
|
136
|
+
- ! Test behavior, not implementation
|
|
137
|
+
- ≉ Rely on test execution order
|
|
138
|
+
- ! Clean up resources (files, DB, connections) in teardown
|
|
139
|
+
|
|
140
|
+
## Anti-patterns
|
|
141
|
+
|
|
142
|
+
- ⊗ Skip tests to meet deadlines
|
|
143
|
+
- ⊗ Test only happy paths (edge cases critical)
|
|
144
|
+
- ⊗ Mock everything (integration tests needed too)
|
|
145
|
+
- ⊗ Ignore flaky tests (fix or remove them)
|
|
146
|
+
- ⊗ Commit failing tests
|
|
147
|
+
- ⊗ Write tests that depend on external state
|
|
148
|
+
- ⊗ Hard-code dates, times, random values
|
|
149
|
+
- ⊗ Implementing code without tests
|
|
150
|
+
- ⊗ Claiming "done" before running test:coverage
|
|
151
|
+
- ⊗ Ignoring coverage drops
|
|
152
|
+
|
|
153
|
+
## CI/CD Integration
|
|
154
|
+
|
|
155
|
+
- ! Tests run automatically on every commit/PR
|
|
156
|
+
- ! Block merges if tests fail
|
|
157
|
+
- ! Block merges if coverage drops below threshold
|
|
158
|
+
- ~ Test in multiple environments (OS, versions)
|
|
159
|
+
|
|
160
|
+
---
|
|
161
|
+
|
|
162
|
+
**See also**: [main.md](../../main.md) | Language-specific testing in python.md, go.md, cpp.md, typescript.md
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
<!-- AUTO-GENERATED by task packs:render -- DO NOT EDIT MANUALLY -->
|
|
2
|
+
<!-- Purpose: rendered coding rules -->
|
|
3
|
+
<!-- Source of truth: packs/rules/rules-pack-0.1.json -->
|
|
4
|
+
<!-- Regenerate with: task packs:render -->
|
|
5
|
+
<!-- Edit the source, not this file. Slice instead of loading every coding doc: task packs:slice rules by-tier --tier <TIER> (or by-domain, list) -->
|
|
6
|
+
|
|
7
|
+
# Toolchain Validation
|
|
8
|
+
|
|
9
|
+
Rules for verifying that required tools are installed and functional before beginning implementation.
|
|
10
|
+
|
|
11
|
+
Legend (from RFC2119): !=MUST, ~=SHOULD, ≉=SHOULD NOT, ⊗=MUST NOT, ?=MAY.
|
|
12
|
+
|
|
13
|
+
**⚠️ See also**:
|
|
14
|
+
- [coding.md](coding.md) — Build Automation section
|
|
15
|
+
- [build-output.md](build-output.md) — post-build artifact validation
|
|
16
|
+
|
|
17
|
+
## Pre-Implementation Gate
|
|
18
|
+
|
|
19
|
+
- ! Before beginning implementation, verify all required toolchain components are installed and functional
|
|
20
|
+
- ! Required components vary by project — at minimum verify: task runner, language compiler/runtime, and platform SDK if applicable
|
|
21
|
+
- ! If any required tool is missing or non-functional, stop and report — do not proceed with implementation
|
|
22
|
+
- ⊗ Assume a tool is available because it was present in a previous session or referenced in the spec
|
|
23
|
+
- ⊗ Proceed with implementation when the build or test toolchain is unavailable
|
|
24
|
+
|
|
25
|
+
## What to Verify
|
|
26
|
+
|
|
27
|
+
- ! Task runner: `task --version` (required for quality gates)
|
|
28
|
+
- ! Language runtime/compiler: e.g. `go version`, `python --version`, `node --version`, `swift --version`
|
|
29
|
+
- ! Platform SDK (if applicable): e.g. `xcode-select -p` for iOS/macOS, Android SDK path for Android
|
|
30
|
+
- ! Project-specific tools listed in PROJECT.md or SPECIFICATION.md
|
|
31
|
+
|
|
32
|
+
## On Missing Tools
|
|
33
|
+
|
|
34
|
+
- ! Report exactly which tools are missing and provide install guidance
|
|
35
|
+
- ! Do not partially implement using available tools while skipping quality gates
|
|
36
|
+
- ~ Offer to help install missing tools if the user consents
|
|
37
|
+
## uv Project Pinning (#1011)
|
|
38
|
+
**Why this rule exists:** without an explicit pin, `uv run` walks upward from cwd looking for the nearest `pyproject.toml` and binds to whatever it finds first. When a deft consumer's repo root has no `pyproject.toml` of its own (the common case for non-Python projects), uv escapes the framework directory and resolves to an ancestor workspace `pyproject.toml`. That ancestor's build backend (frequently unresolvable in the consumer environment) crashes during environment resolution before any framework task body runs. The root-cause analysis lives in `vbrief/active/2026-05-11-1011-*.vbrief.json`.
|
|
39
|
+
The project's two-layer mitigation:
|
|
40
|
+
- ! **Layer 1 (env)** -- the root `Taskfile.yml` `env:` block sets `UV_PROJECT: '{{.TASKFILE_DIR}}'`. This is the safety net for any task that forgets the CLI flag in a future edit.
|
|
41
|
+
- ! **Layer 2 (CLI)** -- every `uv run` invocation in `tasks/*.yml` and the root `Taskfile.yml` uses the explicit `uv --project "<pin>" run ...` form. Subfiles pin against `{{.DEFT_ROOT}}` (defined via `{{joinPath .TASKFILE_DIR ".."}}`); the root `Taskfile.yml` pins against `{{.TASKFILE_DIR}}` directly. CLI beats env beats walk, so the flag is the contract; the env var is defense-in-depth.
|
|
42
|
+
- ⊗ Add a plain `uv run` line to any framework task -- the content guard in `tests/content/test_taskfile_uv_project_pin.py` will fail closed and the consumer-side breakage class returns immediately.
|
|
43
|
+
- ⊗ Rely on cwd or a caller-exported `UV_PROJECT` to pin the project root. Task's `env:` does not override an already-exported `UV_PROJECT` from the caller's shell, and propagation through included subfiles depends on inclusion semantics. The CLI flag is unconditional.
|
|
44
|
+
Cross-references: `Taskfile.yml` (Layer 1 env block), `tasks/*.yml` (Layer 2 call sites), `tests/content/test_taskfile_uv_project_pin.py` (deterministic content + slow behaviour regression).
|