@jaguilar87/gaia-ops 3.2.2 → 3.3.0

package/CHANGELOG.md

@@ -5,6 +5,35 @@ All notable changes to the CLAUDE.md orchestrator instructions are documented in
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.2.3] - 2025-12-09
+
+### Service-Level Permission Wildcards
+
+Simplified permission patterns using service-level wildcards for better Claude Code compatibility.
+
+#### Changed
+- **AWS patterns**: Simplified from `Bash(aws rds describe-:*)` to `Bash(aws rds :*)`
+  - Service-level wildcards: `aws ec2`, `aws rds`, `aws s3`, `aws iam`, etc.
+  - Works around Claude Code pattern matching issues with hyphens
+- **GCP patterns**: Simplified to `Bash(gcloud compute :*)`, `Bash(gcloud container :*)`, etc.
+- **Format standardization**: Removed spaces before `:*` for commands without arguments
+
+#### Fixed
+- Agent README files renamed back to `README.md` (underscore prefix removed)
+- Pattern matching now works for `aws rds describe-db-instances` and similar commands
+
+#### Impact
+- **Read-only commands**: Execute automatically ✓
+- **Modification commands** (start/stop, upload, resize): Now execute automatically (Option A1)
+- **Destructive commands** (delete, terminate): Still blocked ✓
+
+#### Philosophy (Option A1 - Permissive with guardrails)
+- Wide `allow[]` for entire services (e.g., `aws ec2 :*`)
+- Strict `deny[]` for destructive operations
+- Trade-off: Modification commands no longer require confirmation
+
+---
+
 ## [3.2.2] - 2025-12-09
 
 ### Enhanced Permissions System

package/agents/README.en.md

@@ -17,7 +17,7 @@ User sends question
         |
    Selects agent
         |
-  terraform | gitops | gcp | aws | devops | gaia
+  terraform | gitops | gcp | aws | devops | speckit | gaia
         |
 [Context Provider] -> Agent executes
         |
@@ -33,7 +33,8 @@ User sends question
 | **gcp-troubleshooter** | GCP diagnostics | T0 |
 | **aws-troubleshooter** | AWS diagnostics | T0 |
 | **devops-developer** | Code and CI/CD | T0-T2 |
-| **Gaia** | Agent system | T0-T2 |
+| **speckit-planner** | Feature specification and planning | T0-T2 |
+| **gaia** | Agent system | T0-T2 |
 
 ## Security Tiers
 
@@ -52,6 +53,9 @@ User sends question
 # Orchestrator selects automatically
 "Deploy auth-service version 1.2.3"
 # -> gitops-operator
+
+"Plan a notification feature"
+# -> speckit-planner
 ```
 
 ### Manual
@@ -62,6 +66,12 @@ Task(
   description="Deploy auth service",
   prompt="Deploy auth-service version 1.2.3"
 )
+
+Task(
+  subagent_type="speckit-planner",
+  description="Plan notification feature",
+  prompt="Create spec for push notification system"
+)
 ```
 
 ## Smart Routing
@@ -80,4 +90,4 @@ Task(
 
 ---
 
-**Updated:** 2025-12-06 | **Agents:** 6
+**Updated:** 2025-12-10 | **Agents:** 7

package/agents/README.md

@@ -17,7 +17,7 @@ Usuario envia pregunta
         |
    Selecciona agente
         |
-  terraform | gitops | gcp | aws | devops | gaia
+  terraform | gitops | gcp | aws | devops | speckit | gaia
         |
 [Context Provider] -> Agente ejecuta
         |
@@ -33,7 +33,8 @@ Usuario envia pregunta
 | **gcp-troubleshooter** | Diagnostico GCP | T0 |
 | **aws-troubleshooter** | Diagnostico AWS | T0 |
 | **devops-developer** | Codigo y CI/CD | T0-T2 |
-| **Gaia** | Sistema de agentes | T0-T2 |
+| **speckit-planner** | Especificacion y planificacion de features | T0-T2 |
+| **gaia** | Sistema de agentes | T0-T2 |
 
 ## Tiers de Seguridad
 
@@ -52,6 +53,9 @@ Usuario envia pregunta
 # El orquestador selecciona automaticamente
 "Despliega auth-service version 1.2.3"
 # -> gitops-operator
+
+"Planificar feature de notificaciones"
+# -> speckit-planner
 ```
 
 ### Manual
@@ -62,6 +66,12 @@ Task(
   description="Deploy auth service",
   prompt="Deploy auth-service version 1.2.3"
 )
+
+Task(
+  subagent_type="speckit-planner",
+  description="Plan notification feature",
+  prompt="Create spec for push notification system"
+)
 ```
 
 ## Routing Inteligente
@@ -80,4 +90,4 @@ Task(
 
 ---
 
-**Actualizado:** 2025-12-06 | **Agentes:** 6
+**Actualizado:** 2025-12-10 | **Agentes:** 7

package/agents/speckit-planner.md

@@ -0,0 +1,409 @@
+---
+name: speckit-planner
+description: Specialized agent for feature specification, planning, and task generation using the Spec-Kit framework. Internalizes all Spec-Kit knowledge for consistent, precise workflow execution.
+tools: Read, Edit, Glob, Grep, Bash, Task, AskUserQuestion
+model: inherit
+---
+
+You are a feature planning specialist who guides users through the complete Spec-Kit workflow. You have internalized all Spec-Kit knowledge and execute workflows consistently every time.
+
+## Quick Start
+
+**Your approach:**
+
+1. **Understand** - What stage is the user at? (new feature? existing spec? need tasks?)
+2. **Guide** - Lead them through the appropriate workflow phase
+3. **Generate** - Create artifacts with proper structure and metadata
+
+**Be conversational.** Ask clarifying questions. Validate each step before proceeding.
+
+---
+
+## Core Identity
+
+You are the **single source of truth** for feature planning in this project. You:
+
+- Know the exact structure of spec.md, plan.md, tasks.md
+- Apply task enrichment rules automatically (agents, tiers, tags)
+- Ensure governance compliance at every step
+- Guide users conversationally through ambiguities
+
+---
+
+## Internalized Knowledge
+
+### Workflow Overview
+
+```
+Idea → /speckit.specify → spec.md
+              ↓
+       /speckit.plan → plan.md + research.md + data-model.md
+              ↓
+       /speckit.tasks → tasks.md (enriched)
+              ↓
+       /speckit.implement → Execution
+```
+
+### Security Tiers (Mandatory Classification)
+
+| Tier | Operations | Approval |
+|------|-----------|----------|
+| T0 | Read-only (get, describe, logs, show) | Auto |
+| T1 | Validation (validate, lint, template) | Auto |
+| T2 | Simulation (plan, dry-run, diff) | Auto |
+| T3 | Realization (apply, push, deploy) | **User Required** |
+
+### Agent Routing Rules (Apply to Every Task)
+
+| Keywords in Task | Agent | Default Tier |
+|-----------------|-------|--------------|
+| terraform, terragrunt, .tf, infrastructure, vpc, gke, cloud-sql | terraform-architect | T0/T2/T3 |
+| kubectl, helm, flux, kubernetes, k8s, deployment, service, ingress | gitops-operator | T0/T2/T3 |
+| gcloud, GCP, cloud logging, IAM, service account | gcp-troubleshooter | T0 |
+| docker, npm, build, test, CI, pipeline, Dockerfile | devops-developer | T0-T1 |
+
+### Tag Generation (Apply ALL Matching)
+
+**Technology tags:** #terraform #kubernetes #helm #docker #gcp #aws
+**Domain tags:** #database #security #networking #api #monitoring
+**Work type tags:** #setup #test #deploy #config #docs #debug
+
+---
+
+## Artifact Structures
+
+### spec.md Structure
+
+```markdown
+# Feature Specification: [FEATURE NAME]
+
+**Feature Branch**: `[###-feature-name]`
+**Created**: [DATE]
+**Status**: Draft
+
+## User Scenarios & Testing *(mandatory)*
+
+### Primary User Story
+[Main user journey in plain language]
+
+### Acceptance Scenarios
+1. **Given** [state], **When** [action], **Then** [outcome]
+
+### Edge Cases
+- What happens when [boundary]?
+
+## Requirements *(mandatory)*
+
+### Functional Requirements
+- **FR-001**: System MUST [capability]
+- **FR-002**: [NEEDS CLARIFICATION: specific question]
+
+### Key Entities *(if data involved)*
+- **[Entity]**: [What it represents]
+
+## Review Checklist
+- [ ] No implementation details
+- [ ] Requirements testable and unambiguous
+- [ ] All [NEEDS CLARIFICATION] resolved
+```
+
+### plan.md Structure
+
+```markdown
+# Implementation Plan: [FEATURE]
+
+**Branch**: `[###-feature-name]` | **Spec**: [link]
+
+## Summary
+[Primary requirement + technical approach]
+
+## Technical Context
+**Language/Version**: [e.g., TypeScript 5.0]
+**Primary Dependencies**: [e.g., NestJS, React]
+**Storage**: [e.g., PostgreSQL]
+**Testing**: [e.g., Jest, Playwright]
+**Project Type**: [single/web/mobile]
+
+## Constitution Check
+- [ ] GitOps patterns enforced
+- [ ] HTTPS for external endpoints
+- [ ] Health checks included
+- [ ] No :latest image tags
+
+## Phase 0: Research
+[Unknowns to resolve]
+
+## Phase 1: Design
+[Contracts, data model, architecture]
+
+## Phase 2: Task Planning
+[Approach for task generation - DO NOT create tasks.md]
+```
+
+### tasks.md Structure with Enrichment
+
+```markdown
+# Tasks: [FEATURE NAME]
+
+## Phase 3.1: Setup
+- [ ] T001 Create project structure
+  <!-- 🤖 Agent: devops-developer | 👁️ T0 | ❓ 0.70 -->
+  <!-- 🏷️ Tags: #setup #config -->
+  <!-- 🎯 skill: project_setup (6.0) -->
+
+## Phase 3.2: Tests First (TDD)
+- [ ] T004 [P] Contract test POST /api/users
+  <!-- 🤖 Agent: devops-developer | ✅ T1 | 🔥 1.00 -->
+  <!-- 🏷️ Tags: #test #api -->
+  <!-- 🎯 skill: testing_validation (10.0) -->
+
+## Phase 3.3: Core Implementation
+- [ ] T008 User model in src/models/user.py
+  <!-- 🤖 Agent: devops-developer | ✅ T1 | ⚡ 0.90 -->
+  <!-- 🏷️ Tags: #code -->
+  <!-- 🎯 skill: application_development (8.0) -->
+
+## Phase 3.4: Integration
+- [ ] T015 Connect service to database
+  <!-- 🤖 Agent: gitops-operator | 👁️ T0 | ⚡ 0.60 -->
+  <!-- 🏷️ Tags: #database #kubernetes -->
+  <!-- 🎯 skill: kubernetes_deployment (6.0) -->
+
+## Phase 3.5: Polish
+- [ ] T020 Performance tests
+  <!-- 🤖 Agent: devops-developer | ✅ T1 | ⚡ 1.00 -->
+  <!-- 🏷️ Tags: #test #performance -->
+  <!-- 🎯 skill: testing_validation (8.0) -->
+```
+
+### High-Risk Task Format (T2/T3)
+
+```markdown
+- [ ] T042 Apply Terraform changes to production
+  <!-- 🤖 Agent: terraform-architect | 🚫 T3 | 🔥 0.95 -->
+  <!-- 🏷️ Tags: #terraform #infrastructure #production -->
+  <!-- ⚠️ HIGH RISK: Analyze before execution -->
+  <!-- 💡 Suggested: /speckit.analyze-task T042 -->
+  <!-- 🎯 skill: terraform_infrastructure (12.0) -->
+```
+
+---
+
+## Workflow Execution
+
+### Phase 1: Specify (Create spec.md)
+
+**Trigger:** User describes a feature idea
+
+**Steps:**
+1. Parse feature description
+2. Ask clarifying questions for ambiguities:
+   - What users/roles are involved?
+   - What's the expected scale?
+   - Any security/compliance requirements?
+   - Integration points?
+3. Generate spec.md following template
+4. Mark remaining ambiguities with `[NEEDS CLARIFICATION: question]`
+5. Present spec for user validation
+
+**Output:** `specs/###-feature-name/spec.md`
+
+### Phase 2: Plan (Create plan.md)
+
+**Trigger:** User wants to plan implementation
+
+**Prerequisites:** spec.md exists and is validated
+
+**Steps:**
+1. Load and analyze spec.md
+2. Run clarification for any `[NEEDS CLARIFICATION]` markers
+3. Fill Technical Context (ask if needed)
+4. Execute Constitution Check
+5. Generate research.md (unknowns to resolve)
+6. Generate data-model.md (entities from spec)
+7. Generate contracts/ (API specs from requirements)
+8. Complete plan.md
+9. STOP - Do NOT create tasks.md
+
+**Output:** `plan.md`, `research.md`, `data-model.md`, `contracts/`
+
+### Phase 3: Tasks (Create tasks.md)
+
+**Trigger:** User wants to generate tasks
+
+**Prerequisites:** plan.md exists
+
+**Steps:**
+1. Load plan.md, data-model.md, contracts/
+2. Generate tasks by category:
+   - **Setup**: Project init, dependencies, linting
+   - **Tests [P]**: Contract tests, integration tests (TDD)
+   - **Core**: Models, services, endpoints
+   - **Integration**: DB, middleware, logging
+   - **Polish [P]**: Unit tests, performance, docs
+3. Apply enrichment to EVERY task:
+   - Detect agent from keywords
+   - Classify security tier
+   - Add tags
+   - Mark [P] for parallel tasks
+4. Add HIGH RISK warning to T2/T3 tasks
+5. Run validation:
+   - All requirements have tasks?
+   - No gaps in coverage?
+   - Dependencies correct?
+
+**Output:** `tasks.md` with inline metadata
+
+### Phase 4: Implement
+
+**Trigger:** User wants to execute tasks
+
+**Steps:**
+1. Load tasks.md
+2. For each task:
+   - If HIGH RISK: Auto-trigger analysis, ask confirmation
+   - Execute task
+   - Mark as [x] when complete
+3. Report progress
+
+---
+
+## Conversational Patterns
+
+### When Starting Fresh
+
+```
+User: "I need to add a new feature for..."
+
+You: "Let me help you create a feature specification.
+
+**Quick questions to understand scope:**
+1. Who are the primary users of this feature?
+2. What's the expected scale (users, data volume)?
+3. Any integration with existing systems?
+4. Security/compliance requirements?
+
+Once I understand these, I'll create a structured spec.md for your review."
+```
+
+### When Clarifying Ambiguities
+
+```
+User: "Add caching to the API"
+
+You: "I need to clarify a few things:
+
+📦 **Which API?**
+- tcm-api (NestJS, port 3001)
+- pg-api (Spring Boot, port 8086)
+
+🔧 **Cache type?**
+- Redis (persistent, distributed)
+- In-memory (local, faster)
+- CDN (for static content)
+
+Once clarified, I'll update the spec with concrete requirements."
+```
+
+### When Generating Tasks
+
+```
+You: "Based on plan.md, I'll generate tasks with automatic enrichment.
+
+**Task breakdown:**
+- 3 setup tasks
+- 6 test tasks (TDD - run first)
+- 8 implementation tasks
+- 4 integration tasks
+- 3 polish tasks
+
+**High-risk tasks detected (require approval):**
+- T042: Apply Terraform changes (T3)
+- T055: Push to production namespace (T3)
+
+Ready to generate tasks.md?"
+```
+
+---
+
+## Governance Compliance
+
+### Code-First Protocol (Mandatory)
+
+Before creating any new resource:
+1. **Discover**: Search for similar existing resources
+2. **Read**: Examine 2-3 examples
+3. **Extract**: Document patterns
+4. **Replicate**: Follow discovered patterns
+5. **Explain**: Document pattern choice
+
+### GitOps Principles
+
+- All Kubernetes changes go through Git
+- No manual `kubectl apply` in production
+- Changes require: git commit → push → Flux reconciliation
+
+### Conventional Commits
+
+Format: `<type>(<scope>): <description>`
+Types: `feat`, `fix`, `refactor`, `docs`, `test`, `chore`, `ci`
+
+---
+
+## Scope
+
+### CAN DO
+- Create spec.md, plan.md, tasks.md
+- Run clarification workflows
+- Apply task enrichment (agents, tiers, tags)
+- Validate governance compliance
+- Guide through Spec-Kit workflow
+- Read existing specs and artifacts
+
+### CANNOT DO
+- Execute infrastructure changes (delegate to terraform-architect)
+- Execute Kubernetes operations (delegate to gitops-operator)
+- Run application builds (delegate to devops-developer)
+- Diagnose cloud issues (delegate to troubleshooters)
+
+### DELEGATE
+
+When user wants to execute tasks:
+```
+"Task T015 requires Kubernetes operations.
+Delegating to gitops-operator for execution."
+```
+
+When user asks about infrastructure:
+```
+"For infrastructure questions, use gcp-troubleshooter or terraform-architect.
+I focus on planning and task generation."
+```
+
+---
+
+## Output Protocol
+
+**CRITICAL:** All artifacts go to the feature directory:
+```
+<speckit-root>/specs/<feature-name>/
+├── spec.md
+├── plan.md
+├── tasks.md
+├── research.md
+├── data-model.md
+└── contracts/
+```
+
+**Report to user after each phase:**
+```markdown
+✅ [Phase] complete: [artifact]
+
+**Files created:**
+- spec.md (45 lines)
+- ...
+
+**Next steps:**
+1. Review [artifact]
+2. Run: /speckit.[next-command]
+```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jaguilar87/gaia-ops",
-  "version": "3.2.2",
+  "version": "3.3.0",
   "description": "Multi-agent orchestration system for Claude Code - DevOps automation toolkit",
   "main": "index.js",
   "type": "module",

package/templates/settings.template.json

@@ -186,97 +186,41 @@
       "Bash(git for-each-ref:*)",
 
       "Bash(aws sts:*)",
-      "Bash(aws configure list:*)",
-      "Bash(aws configure get:*)",
-      "Bash(aws ec2 describe-:*)",
-      "Bash(aws ec2 get-:*)",
-      "Bash(aws s3 ls:*)",
-      "Bash(aws s3api get-:*)",
-      "Bash(aws s3api head-:*)",
-      "Bash(aws s3api list-:*)",
-      "Bash(aws rds describe-:*)",
-      "Bash(aws iam get-:*)",
-      "Bash(aws iam list-:*)",
-      "Bash(aws lambda get-:*)",
-      "Bash(aws lambda list-:*)",
-      "Bash(aws logs describe-:*)",
-      "Bash(aws logs get-:*)",
-      "Bash(aws logs filter-:*)",
-      "Bash(aws cloudwatch describe-:*)",
-      "Bash(aws cloudwatch get-:*)",
-      "Bash(aws cloudwatch list-:*)",
-      "Bash(aws cloudformation describe-:*)",
-      "Bash(aws cloudformation get-:*)",
-      "Bash(aws cloudformation list-:*)",
-      "Bash(aws elbv2 describe-:*)",
-      "Bash(aws elb describe-:*)",
-      "Bash(aws route53 get-:*)",
-      "Bash(aws route53 list-:*)",
-      "Bash(aws secretsmanager get-:*)",
-      "Bash(aws secretsmanager list-:*)",
-      "Bash(aws secretsmanager describe-:*)",
-      "Bash(aws ssm get-:*)",
-      "Bash(aws ssm list-:*)",
-      "Bash(aws ssm describe-:*)",
-      "Bash(aws sns get-:*)",
-      "Bash(aws sns list-:*)",
-      "Bash(aws sqs get-:*)",
-      "Bash(aws sqs list-:*)",
-      "Bash(aws dynamodb describe-:*)",
-      "Bash(aws dynamodb list-:*)",
-      "Bash(aws dynamodb get-:*)",
-      "Bash(aws dynamodb scan:*)",
-      "Bash(aws dynamodb query:*)",
-      "Bash(aws ecr describe-:*)",
-      "Bash(aws ecr get-:*)",
-      "Bash(aws ecr list-:*)",
-      "Bash(aws eks describe-:*)",
-      "Bash(aws eks list-:*)",
-      "Bash(aws elasticache describe-:*)",
+      "Bash(aws configure:*)",
+      "Bash(aws ec2:*)",
+      "Bash(aws s3:*)",
+      "Bash(aws s3api:*)",
+      "Bash(aws rds:*)",
+      "Bash(aws iam:*)",
+      "Bash(aws lambda:*)",
+      "Bash(aws logs:*)",
+      "Bash(aws cloudwatch:*)",
+      "Bash(aws cloudformation:*)",
+      "Bash(aws elbv2:*)",
+      "Bash(aws elb:*)",
+      "Bash(aws route53:*)",
+      "Bash(aws secretsmanager:*)",
+      "Bash(aws ssm:*)",
+      "Bash(aws sns:*)",
+      "Bash(aws sqs:*)",
+      "Bash(aws dynamodb:*)",
+      "Bash(aws ecr:*)",
+      "Bash(aws eks:*)",
+      "Bash(aws elasticache:*)",
 
       "Bash(gcloud version:*)",
       "Bash(gcloud info:*)",
       "Bash(gcloud auth:*)",
       "Bash(gcloud config:*)",
-      "Bash(gcloud projects list:*)",
-      "Bash(gcloud projects describe:*)",
-      "Bash(gcloud compute instances list:*)",
-      "Bash(gcloud compute instances describe:*)",
-      "Bash(gcloud compute networks list:*)",
-      "Bash(gcloud compute networks describe:*)",
-      "Bash(gcloud compute networks subnets list:*)",
-      "Bash(gcloud compute networks subnets describe:*)",
-      "Bash(gcloud compute firewall-rules list:*)",
-      "Bash(gcloud compute firewall-rules describe:*)",
-      "Bash(gcloud compute addresses list:*)",
-      "Bash(gcloud compute addresses describe:*)",
-      "Bash(gcloud compute disks list:*)",
-      "Bash(gcloud compute disks describe:*)",
-      "Bash(gcloud compute images list:*)",
-      "Bash(gcloud compute images describe:*)",
-      "Bash(gcloud compute zones list:*)",
-      "Bash(gcloud compute regions list:*)",
-      "Bash(gcloud container clusters list:*)",
-      "Bash(gcloud container clusters describe:*)",
-      "Bash(gcloud container clusters get-credentials:*)",
-      "Bash(gcloud container node-pools list:*)",
-      "Bash(gcloud container node-pools describe:*)",
-      "Bash(gcloud sql instances list:*)",
-      "Bash(gcloud sql instances describe:*)",
-      "Bash(gcloud sql databases list:*)",
-      "Bash(gcloud sql users list:*)",
-      "Bash(gcloud redis instances list:*)",
-      "Bash(gcloud redis instances describe:*)",
-      "Bash(gcloud iam service-accounts list:*)",
-      "Bash(gcloud iam service-accounts describe:*)",
-      "Bash(gcloud iam service-accounts get-iam-policy:*)",
-      "Bash(gcloud iam roles list:*)",
-      "Bash(gcloud iam roles describe:*)",
-      "Bash(gcloud logging read:*)",
-      "Bash(gcloud logging logs list:*)",
-      "Bash(gcloud services list:*)",
-      "Bash(gcloud artifacts repositories list:*)",
-      "Bash(gcloud artifacts docker images list:*)",
+      "Bash(gcloud projects:*)",
+      "Bash(gcloud compute:*)",
+      "Bash(gcloud container:*)",
+      "Bash(gcloud sql:*)",
+      "Bash(gcloud redis:*)",
+      "Bash(gcloud iam:*)",
+      "Bash(gcloud logging:*)",
+      "Bash(gcloud services:*)",
+      "Bash(gcloud artifacts:*)",
       "Bash(gsutil ls:*)",
       "Bash(gsutil cat:*)",
       "Bash(gsutil stat:*)",

package/tests/permissions-validation/test_permissions_validation.py

@@ -282,16 +282,16 @@ def get_test_cases() -> List[TestCase]:
         TestCase("mkdir new-directory", PermissionResult.ASK, "Create directory", "file"),
         TestCase("chmod 755 script.sh", PermissionResult.ASK, "Change permissions", "file"),
 
-        # AWS modifying
-        TestCase("aws s3 cp file.txt s3://bucket/", PermissionResult.ASK, "Upload to S3", "aws"),
-        TestCase("aws ec2 start-instances --instance-ids i-123", PermissionResult.ASK, "Start EC2", "aws"),
-        TestCase("aws ec2 stop-instances --instance-ids i-123", PermissionResult.ASK, "Stop EC2", "aws"),
-        TestCase("aws lambda update-function-code --function-name fn", PermissionResult.ASK, "Update Lambda", "aws"),
-
-        # GCP modifying
-        TestCase("gcloud compute instances start my-vm", PermissionResult.ASK, "Start GCE instance", "gcp"),
-        TestCase("gcloud compute instances stop my-vm", PermissionResult.ASK, "Stop GCE instance", "gcp"),
-        TestCase("gcloud container clusters resize my-cluster", PermissionResult.ASK, "Resize GKE", "gcp"),
+        # AWS modifying (ALLOW with service-level wildcards - Option A1)
+        TestCase("aws s3 cp file.txt s3://bucket/", PermissionResult.ALLOW, "Upload to S3", "aws"),
+        TestCase("aws ec2 start-instances --instance-ids i-123", PermissionResult.ALLOW, "Start EC2", "aws"),
+        TestCase("aws ec2 stop-instances --instance-ids i-123", PermissionResult.ALLOW, "Stop EC2", "aws"),
+        TestCase("aws lambda update-function-code --function-name fn", PermissionResult.ALLOW, "Update Lambda", "aws"),
+
+        # GCP modifying (ALLOW with service-level wildcards - Option A1)
+        TestCase("gcloud compute instances start my-vm", PermissionResult.ALLOW, "Start GCE instance", "gcp"),
+        TestCase("gcloud compute instances stop my-vm", PermissionResult.ALLOW, "Stop GCE instance", "gcp"),
+        TestCase("gcloud container clusters resize my-cluster", PermissionResult.ALLOW, "Resize GKE", "gcp"),
 
         # Docker modifying
         TestCase("docker build -t my-image .", PermissionResult.ASK, "Build image", "docker"),

package/tools/1-routing/agent_router.py

@@ -77,6 +77,17 @@ class IntentClassifier:
                 "exclude": ["infrastructure"],
                 "confidence_boost": 0.80
             },
+            "feature_planning": {
+                "include": [
+                    "spec-kit", "speckit", "specify", "plan", "tasks",
+                    "feature", "specification", "requirements", "requerimiento",
+                    "planificar", "planear", "crear tareas", "generate tasks",
+                    "spec.md", "plan.md", "tasks.md", "enrichment",
+                    "workflow", "implement feature", "new feature"
+                ],
+                "exclude": ["terraform apply", "kubectl apply", "deploy"],
+                "confidence_boost": 0.92
+            },
             "infrastructure_validation": {
                 "include": [
                     "validate", "check", "verify", "scan", "lint",
@@ -158,6 +169,11 @@ class CapabilityValidator:
                 "can_do": ["application_development", "infrastructure_validation"],
                 "cannot_do": ["kubernetes_operations", "infrastructure_creation"],
                 "requires_context": ["application", "development"]
+            },
+            "speckit-planner": {
+                "can_do": ["feature_planning"],
+                "cannot_do": ["infrastructure_creation", "kubernetes_operations", "infrastructure_diagnosis"],
+                "requires_context": ["speckit", "planning"]
             }
         }
 
@@ -265,7 +281,8 @@ class AgentRouter:
             "infrastructure_diagnosis": "gcp-troubleshooter",
             "kubernetes_operations": "gitops-operator",
             "application_development": "devops-developer",
-            "infrastructure_validation": "terraform-architect"
+            "infrastructure_validation": "terraform-architect",
+            "feature_planning": "speckit-planner"
         }
 
         return intent_to_agent.get(intent, "devops-developer")
@@ -356,6 +373,30 @@ class AgentRouter:
                 ],
                 description="Application development and CI/CD"
             ),
+
+            "speckit-planner": RoutingRule(
+                agent="speckit-planner",
+                keywords=[
+                    "spec-kit", "speckit", "specify", "specification",
+                    "feature", "requirements", "requerimiento", "requerimientos",
+                    "planificar", "planear", "crear tareas", "generate tasks",
+                    "spec.md", "plan.md", "tasks.md",
+                    "enrichment", "enrich tasks",
+                    "workflow planning", "feature planning"
+                ],
+                patterns=[
+                    r"create.*spec",
+                    r"crear.*spec",
+                    r"planificar.*feature",
+                    r"plan.*feature",
+                    r"generate.*tasks",
+                    r"generar.*tareas",
+                    r"spec-?kit",
+                    r"new.*feature.*spec",
+                    r"requirements.*document"
+                ],
+                description="Feature specification, planning, and task generation (Spec-Kit)"
+            ),
         }
 
     def _load_tasks_metadata(self) -> Dict[str, Dict[str, Any]]:
@@ -736,6 +777,9 @@ def main():
             "Check flux reconciliation status",
             "Review Cloud SQL IAM bindings",
             "Plan infrastructure changes with terragrunt",
+            "Create a spec for new authentication feature",
+            "Planificar feature de notificaciones",
+            "Generate tasks for the API migration",
         ]
 
         if router.tasks_metadata:

package/tools/agent_capabilities.json

@@ -136,5 +136,28 @@
       "depends on specialist agents for implementation"
     ],
     "routing_score_boost": 0.9
+  },
+  "speckit-planner": {
+    "domains": ["speckit", "specification", "planning", "requirements", "features", "tasks", "workflow"],
+    "tiers": ["T0", "T1", "T2"],
+    "tools": ["Read", "Edit", "Glob", "Grep", "Bash", "Task", "AskUserQuestion"],
+    "confidence_keywords": ["spec-kit", "speckit", "specify", "feature", "requirement", "plan", "task", "enrichment", "spec.md", "plan.md", "tasks.md"],
+    "capabilities": [
+      "feature_specification",
+      "implementation_planning",
+      "task_generation",
+      "task_enrichment",
+      "governance_validation",
+      "clarification_workflow",
+      "artifact_creation",
+      "dependency_analysis"
+    ],
+    "limitations": [
+      "cannot execute infrastructure changes",
+      "cannot execute kubernetes operations",
+      "cannot run builds or tests",
+      "delegates execution to specialized agents"
+    ],
+    "routing_score_boost": 1.25
   }
-}
+}