@dragonflymcp/plugin 1.0.0

package/templates/synchronizations/archive/security-flow.yaml.template

@@ -0,0 +1,477 @@
+# Security Flow Synchronizations
+# Continuous security assurance throughout the workflow
+#
+# WYSIWID Principle: This YAML IS the security workflow logic
+# Read this file to understand exactly when security checks run
+
+version: "1.0.0"
+description: |
+  Implements security-by-design with checks at every workflow phase:
+  - Threat modeling after story capture
+  - Architecture validation for security patterns
+  - Implementation scanning for vulnerabilities
+  - Pre-commit verification as final gate
+
+configuration:
+  # Severity thresholds for blocking
+  block_on:
+    - critical  # Always block on critical
+    - high      # Block on high by default
+
+  # Allow override with user approval
+  allow_override:
+    high: true       # User can approve high-severity with justification
+    critical: false  # Never allow override for critical
+
+  # Parallel execution settings
+  parallel:
+    threat_model: true      # Run parallel with code-analysis
+    scan_implementation: true  # Run parallel with quality.review
+
+synchronizations:
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # Phase 1: Story → Threat Model
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  #
+  # Generates threat model immediately after story capture.
+  # Runs in parallel with code-analysis.
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  - id: "story-to-threat-model"
+    description: "Generate threat model when story is ready"
+    when:
+      concept: "story"
+      action: "create"
+      status: "completed"
+    where:
+      query: "story.status == 'ready'"
+    then:
+      - concept: "security"
+        action: "threat_model"
+        model: "sonnet"
+        parallel: true  # Runs in parallel with code-analysis
+        inputs:
+          story_id: "${story.id}"
+          title: "${story.title}"
+          description: "${story.description}"
+          acceptance_criteria: "${story.acceptance_criteria}"
+
+    slo_expectations:
+      expected_duration_ms: 3000
+      max_duration_ms: 15000
+      expected_cost_usd: 0.002
+      max_cost_usd: 0.005
+      success_rate_target: 0.95
+
+      on_timeout:
+        action: "warn"  # Don't block workflow, but log warning
+        continue: true
+
+    provenance:
+      flow_id: "${flow.id}"
+      reason: "Story ready - generating threat model"
+      security_phase: "threat_modeling"
+
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # Phase 2: Architecture → Security Validation
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  #
+  # Validates architecture design against threat model and
+  # OWASP security patterns. Can block if critical gaps found.
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  - id: "arch-to-security-validation"
+    description: "Validate architecture against security requirements"
+    when:
+      concept: "architecture"
+      action: "design"
+      status: "completed"
+    where:
+      query: "architecture.status == 'completed'"
+    then:
+      - concept: "security"
+        action: "validate_architecture"
+        model: "sonnet"
+        inputs:
+          arch_id: "${architecture.id}"
+          story_id: "${story.id}"
+          threat_model_id: "${security.threat_model.id}"
+          decisions: "${architecture.decisions}"
+          patterns: "${architecture.patterns}"
+
+    slo_expectations:
+      expected_duration_ms: 4000
+      max_duration_ms: 20000
+      expected_cost_usd: 0.002
+      max_cost_usd: 0.005
+      success_rate_target: 0.95
+
+      on_timeout:
+        action: "retry"
+        max_retries: 1
+        backoff_ms: 2000
+
+    provenance:
+      flow_id: "${flow.id}"
+      reason: "Architecture complete - validating security patterns"
+      security_phase: "architecture_validation"
+
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # Architecture Security Blocked
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  #
+  # When architecture fails security validation, return to
+  # architecture for revision.
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  - id: "security-arch-blocked"
+    description: "When architecture fails security validation"
+    when:
+      concept: "security"
+      action: "validate_architecture"
+      status: "completed"
+    where:
+      query: "security.decision == 'block'"
+    then:
+      - action: "ask_user"
+        questions:
+          - question: "Architecture failed security validation. Issues: ${security.issues}. How to proceed?"
+            header: "Security Block"
+            multiSelect: false
+            options:
+              - label: "Revise architecture"
+                description: "Return to architecture to address security gaps"
+              - label: "Override with justification"
+                description: "Proceed anyway (requires documented justification)"
+              - label: "Cancel feature"
+                description: "Stop the workflow"
+
+        on_answer:
+          "Revise architecture":
+            - concept: "architecture"
+              action: "revise"
+              model: "opus"
+              inputs:
+                original_architecture_id: "${architecture.id}"
+                security_issues: "${security.issues}"
+                constraint: "Address security requirements: ${security.requirements}"
+
+          "Override with justification":
+            - action: "ask_user"
+              questions:
+                - question: "Enter security justification for override:"
+                  header: "Justification"
+                  multiSelect: false
+                  options:
+                    - label: "Risk accepted for MVP"
+                      description: "Will address before production"
+                    - label: "Mitigated by other controls"
+                      description: "External controls reduce risk"
+                    - label: "False positive"
+                      description: "Analysis incorrect"
+            - action: "set_flag"
+              flag: "security.override"
+              value: true
+            - action: "log"
+              level: "warn"
+              message: "Security override: ${answer.justification} for ${security.issues}"
+
+          "Cancel feature":
+            - action: "cancel_workflow"
+              reason: "Security validation failed - user cancelled"
+
+    provenance:
+      flow_id: "${flow.id}"
+      reason: "Architecture security blocked - user decision required"
+      decision_point: true
+      security_phase: "architecture_validation"
+
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # Phase 3: Implementation → Vulnerability Scan
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  #
+  # Scans implementation code for vulnerabilities.
+  # Runs in parallel with quality.review.
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  - id: "impl-to-security-scan"
+    description: "Scan implementation for vulnerabilities"
+    when:
+      concept: "implementation"
+      action: "generate"
+      status: "completed"
+    where:
+      query: "implementation.status == 'completed'"
+    then:
+      - concept: "security"
+        action: "scan_implementation"
+        model: "sonnet"
+        parallel: true  # Runs in parallel with quality.review
+        inputs:
+          impl_id: "${implementation.id}"
+          arch_id: "${architecture.id}"
+          files_created: "${implementation.files_created}"
+          files_modified: "${implementation.files_modified}"
+          threat_model_id: "${security.threat_model.id}"
+
+    slo_expectations:
+      expected_duration_ms: 4000
+      max_duration_ms: 20000
+      expected_cost_usd: 0.002
+      max_cost_usd: 0.005
+      success_rate_target: 0.95
+
+      on_timeout:
+        action: "warn"
+        continue: true
+        message: "Security scan timed out - manual review recommended"
+
+    provenance:
+      flow_id: "${flow.id}"
+      reason: "Implementation complete - scanning for vulnerabilities"
+      security_phase: "vulnerability_scanning"
+
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # Security Scan Found Critical Issues
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  - id: "security-scan-critical"
+    description: "When scan finds critical vulnerabilities"
+    when:
+      concept: "security"
+      action: "scan_implementation"
+      status: "completed"
+    where:
+      query: "security.vulnerabilities.critical > 0"
+    then:
+      - action: "notify"
+        level: "error"
+        message: |
+          CRITICAL SECURITY VULNERABILITIES FOUND
+
+          ${security.vulnerabilities.critical} critical issues must be fixed:
+          ${security.critical_issues}
+
+          Workflow blocked until resolved.
+
+      - concept: "implementation"
+        action: "fix_security"
+        model: "sonnet"
+        inputs:
+          impl_id: "${implementation.id}"
+          vulnerabilities: "${security.critical_issues}"
+          recommendations: "${security.recommendations}"
+
+    provenance:
+      flow_id: "${flow.id}"
+      reason: "Critical security vulnerabilities - automatic fix triggered"
+      security_phase: "vulnerability_remediation"
+      severity: "critical"
+
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # Security Scan Found High Issues (User Decision)
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  - id: "security-scan-high"
+    description: "When scan finds high-severity vulnerabilities"
+    when:
+      concept: "security"
+      action: "scan_implementation"
+      status: "completed"
+    where:
+      query: "security.vulnerabilities.critical == 0 AND security.vulnerabilities.high > 0"
+    then:
+      - action: "ask_user"
+        questions:
+          - question: "${security.vulnerabilities.high} high-severity issues found. How to proceed?"
+            header: "Security Issues"
+            multiSelect: false
+            options:
+              - label: "Fix issues (Recommended)"
+                description: "Fix high-severity vulnerabilities before commit"
+              - label: "Proceed with warning"
+                description: "Accept risk and continue (requires justification)"
+              - label: "Cancel"
+                description: "Stop and review issues"
+
+        on_answer:
+          "Fix issues (Recommended)":
+            - concept: "implementation"
+              action: "fix_security"
+              model: "sonnet"
+              inputs:
+                impl_id: "${implementation.id}"
+                vulnerabilities: "${security.high_issues}"
+
+          "Proceed with warning":
+            - action: "set_flag"
+              flag: "security.high_accepted"
+              value: true
+            - action: "log"
+              level: "warn"
+              message: "High-severity issues accepted: ${security.high_issues}"
+
+          "Cancel":
+            - action: "notify"
+              message: "Review security issues in koan/security/scan-${implementation.id}.yaml"
+
+    provenance:
+      flow_id: "${flow.id}"
+      reason: "High-severity security issues - user decision required"
+      decision_point: true
+      security_phase: "vulnerability_remediation"
+
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # Phase 4: Pre-Commit → Security Verification
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  #
+  # Final security gate before version.commit.
+  # Verifies all issues resolved and generates attestation.
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  - id: "pre-commit-security-verify"
+    description: "Final security verification before commit"
+    when:
+      concept: "quality"
+      action: "review"
+      status: "completed"
+    where:
+      query: "review.status == 'approved'"
+
+    # Wait for security scan to complete
+    depends_on:
+      required:
+        - id: "impl-to-security-scan"
+          status: "completed"
+          timeout_ms: 20000
+
+    then:
+      - concept: "security"
+        action: "verify_commit"
+        model: "sonnet"
+        inputs:
+          impl_id: "${implementation.id}"
+          scan_id: "${security.scan.id}"
+          files_to_commit: "${implementation.files_changed}"
+
+    slo_expectations:
+      expected_duration_ms: 3000
+      max_duration_ms: 15000
+      expected_cost_usd: 0.002
+      max_cost_usd: 0.005
+      success_rate_target: 0.99
+
+    provenance:
+      flow_id: "${flow.id}"
+      reason: "Quality approved - final security verification"
+      security_phase: "commit_verification"
+
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # Security Verified → Proceed to Commit
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  - id: "security-verified-to-commit"
+    description: "When security verification passes, allow commit"
+    when:
+      concept: "security"
+      action: "verify_commit"
+      status: "completed"
+    where:
+      query: "security.decision == 'approve'"
+    then:
+      - concept: "version"
+        action: "commit"
+        model: "sonnet"
+        inputs:
+          implementation_id: "${implementation.id}"
+          story_id: "${story.id}"
+          flow_id: "${flow.id}"
+          security_attestation: "${security.attestation.id}"
+
+    provenance:
+      flow_id: "${flow.id}"
+      reason: "Security verified - proceeding to commit"
+      security_attestation: "${security.attestation.id}"
+
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # Secrets Detected → Block Commit
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  - id: "secrets-detected-block"
+    description: "Block commit when secrets detected in files"
+    when:
+      concept: "security"
+      action: "verify_commit"
+      status: "completed"
+    where:
+      query: "security.secrets_detected == true"
+    then:
+      - action: "notify"
+        level: "error"
+        message: |
+          SECRETS DETECTED IN STAGED FILES
+
+          Files with secrets:
+          ${security.secrets_files}
+
+          Commit blocked. Remove secrets before proceeding.
+
+      - action: "set_flag"
+        flag: "version.blocked"
+        value: true
+        reason: "Secrets detected in staged files"
+
+    provenance:
+      flow_id: "${flow.id}"
+      reason: "Secrets detected - commit blocked"
+      security_phase: "commit_verification"
+      severity: "critical"
+
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+# Security Flow Summary
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+#
+# Complete security flow:
+#
+#   Story ─────────────────┬──> Threat Model (parallel)
+#                          │
+#   Architecture ──────────┴──> Security Validation
+#                               │
+#                     ┌─────────┴─────────┐
+#                     │                   │
+#               [approved]            [blocked]
+#                     │                   │
+#                     v                   v
+#   Implementation ───┴──> Security Scan (parallel with quality)
+#                               │
+#                     ┌─────────┴─────────┐
+#                     │                   │
+#               [clean/low]         [critical/high]
+#                     │                   │
+#                     v                   v
+#   Quality ─────────────> Security Verify │
+#                               │         │
+#                     ┌─────────┴─────────┤
+#                     │                   │
+#               [approved]            [blocked]
+#                     │                   │
+#                     v                   v
+#                 Commit              Fix Issues
+#
+# Security Phases:
+#   1. Threat Modeling - Identify assets, threats, requirements
+#   2. Architecture Validation - Check design against OWASP
+#   3. Vulnerability Scanning - Detect issues in code
+#   4. Commit Verification - Final gate with attestation
+#
+# Cost per Feature:
+#   - Threat model:      $0.002
+#   - Arch validation:   $0.002
+#   - Impl scan:         $0.002
+#   - Commit verify:     $0.002
+#   - Total:             ~$0.008
+#
+# Blocking Behavior:
+#   - Critical vulnerabilities: Always block
+#   - High vulnerabilities: Block by default, user override allowed
+#   - Secrets detected: Always block, no override

package/templates/synchronizations/archive/slo-monitoring.yaml.template

@@ -0,0 +1,209 @@
+# SLO Monitoring Synchronizations
+# Automatic post-action SLO validation for all concepts
+#
+# WYSIWID Principle: This YAML defines when SLO monitoring happens
+
+synchronizations:
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # Universal SLO Monitoring
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # Triggered after ANY concept action completes
+  # Only runs if the triggering sync rule has slo_expectations defined
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  - id: "post-action-slo-monitor"
+    description: "After any action completes, validate against SLO expectations"
+    when:
+      concept: "*"           # Any concept
+      action: "*"            # Any action
+      status: "completed"    # Only successful completions
+    where:
+      # Only monitor if the sync rule that triggered this action has SLOs defined
+      query: "sync_rule.slo_expectations != null"
+    then:
+      - concept: "slo"
+        action: "monitor"
+        model: "sonnet"       # Fast numeric analysis, <500ms overhead
+        inputs:
+          action_id: "${action.id}"
+          concept: "${action.concept}"
+          sync_id: "${sync.id}"
+          slo_config: "${sync_rule.slo_expectations}"
+    provenance:
+      flow_id: "${flow.id}"
+      reason: "Post-action SLO validation"
+      slo_monitoring: true
+
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # SLO Violation Handlers
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  # These rules handle specific violation types
+  # Triggered by slo.monitor when violations detected
+  # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  - id: "slo-timeout-retry"
+    description: "Retry action when timeout occurs and retries available"
+    when:
+      concept: "slo"
+      action: "monitor"
+      status: "completed"
+    where:
+      query: "violations.any(v => v.type == 'timeout') AND handler.action == 'retry' AND handler.retries_remaining > 0"
+    then:
+      # Retry the original action that timed out
+      - concept: "${violation.concept}"
+        action: "${violation.action}"
+        model: "${violation.model}"
+        inputs: "${violation.original_inputs}"
+        retry: true
+        retry_count: "${handler.retry_count + 1}"
+        backoff_ms: "${handler.backoff_ms}"
+    provenance:
+      flow_id: "${flow.id}"
+      reason: "SLO timeout violation - retry attempt ${handler.retry_count + 1}"
+      triggered_by_violation: "${violation.id}"
+
+  - id: "slo-timeout-escalate"
+    description: "Escalate to human when retries exhausted"
+    when:
+      concept: "slo"
+      action: "monitor"
+      status: "completed"
+    where:
+      query: "violations.any(v => v.type == 'timeout') AND handler.action == 'retry' AND handler.retries_remaining == 0"
+    then:
+      - action: "ask_user"
+        questions:
+          - question: "Action '${violation.concept}.${violation.action}' exceeded timeout (${violation.actual}ms > ${violation.threshold}ms). Retries exhausted. How to proceed?"
+            header: "SLO Timeout Escalation"
+            multiSelect: false
+            options:
+              - label: "Continue anyway"
+                description: "Accept the timeout and continue workflow"
+              - label: "Increase timeout"
+                description: "Increase max_duration_ms and retry"
+              - label: "Cancel workflow"
+                description: "Stop this workflow due to performance issue"
+        on_answer:
+          "Continue anyway":
+            - concept: "slo"
+              action: "alert"
+              model: "sonnet"
+              inputs:
+                violation: "${violation}"
+                user_decision: "accepted"
+
+          "Increase timeout":
+            - concept: "slo"
+              action: "update_threshold"
+              model: "sonnet"
+              inputs:
+                sync_id: "${violation.sync_id}"
+                threshold: "max_duration_ms"
+                new_value: "${violation.threshold * 1.5}"
+            - concept: "${violation.concept}"
+              action: "${violation.action}"
+              model: "${violation.model}"
+              inputs: "${violation.original_inputs}"
+              retry: true
+
+          "Cancel workflow":
+            - concept: "story"
+              action: "cancel"
+              model: "sonnet"
+              inputs:
+                story_id: "${story.id}"
+                reason: "User cancelled due to timeout violations"
+    provenance:
+      flow_id: "${flow.id}"
+      reason: "SLO timeout escalated - retries exhausted"
+      decision_point: true
+      user_interaction: "ask_user_question"
+
+  - id: "slo-cost-exceeded-alert"
+    description: "Alert when cost threshold exceeded"
+    when:
+      concept: "slo"
+      action: "monitor"
+      status: "completed"
+    where:
+      query: "violations.any(v => v.type == 'cost_exceeded')"
+    then:
+      - concept: "slo"
+        action: "alert"
+        model: "sonnet"
+        inputs:
+          violation: "${violations.find(v => v.type == 'cost_exceeded')}"
+          handler_config: "${sync_rule.slo_expectations.on_cost_exceeded}"
+    provenance:
+      flow_id: "${flow.id}"
+      reason: "SLO cost violation - sending alert"
+
+  - id: "slo-context-exceeded-investigate"
+    description: "Create investigation task when context limit exceeded"
+    when:
+      concept: "slo"
+      action: "monitor"
+      status: "completed"
+    where:
+      query: "violations.any(v => v.type == 'context_exceeded') AND handler.investigate == true"
+    then:
+      - concept: "slo"
+        action: "alert"
+        model: "sonnet"
+        inputs:
+          violation: "${violations.find(v => v.type == 'context_exceeded')}"
+          handler_config: "${sync_rule.slo_expectations.on_context_exceeded}"
+          create_task: true
+          task_description: "Investigate context token violation: ${violation.actual} tokens > ${violation.threshold} tokens. Check Phase 2 optimizations."
+    provenance:
+      flow_id: "${flow.id}"
+      reason: "SLO context violation - investigation task created"
+      investigation: true
+
+  - id: "slo-quality-escalate"
+    description: "Escalate when quality falls below target"
+    when:
+      concept: "slo"
+      action: "monitor"
+      status: "completed"
+    where:
+      query: "violations.any(v => v.type == 'quality_below_target')"
+    then:
+      - concept: "slo"
+        action: "alert"
+        model: "sonnet"
+        inputs:
+          violation: "${violations.find(v => v.type == 'quality_below_target')}"
+          handler_config: "${sync_rule.slo_expectations.on_quality_below_target}"
+          escalate: true
+    provenance:
+      flow_id: "${flow.id}"
+      reason: "SLO quality violation - escalating"
+
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+# SLO Monitoring Summary
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+#
+# Flow:
+#   1. Any concept action completes
+#   2. post-action-slo-monitor triggers (if rule has SLOs)
+#   3. slo.monitor compares actual vs expected
+#   4. If violations:
+#      - timeout → retry (if retries available) → escalate (if exhausted)
+#      - cost_exceeded → alert
+#      - context_exceeded → alert + investigate
+#      - quality_below_target → escalate
+#   5. Update monthly metrics
+#   6. Record violations
+#
+# Performance:
+#   - SLO monitoring adds <500ms per action (Sonnet)
+#   - Only runs when slo_expectations defined
+#   - No monitoring = no overhead
+#
+# Integration:
+#   - Works with all concepts (story, architecture, implementation, etc.)
+#   - Reads from provenance (no data duplication)
+#   - Writes to koan/slo/ (monthly aggregation)
+#