@launchsecure/launch-kit 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (64) hide show
  1. package/README.md +37 -0
  2. package/dist/client/assets/index-C8GAsRGO.css +32 -0
  3. package/dist/client/assets/index-CcHIoRl6.js +286 -0
  4. package/dist/client/index.html +22 -0
  5. package/dist/server/cli.js +8853 -0
  6. package/dist/server/fb-wizard.js +136 -0
  7. package/dist/server/graph-mcp-entry.js +1542 -0
  8. package/dist/server/public/app.js +1312 -0
  9. package/dist/server/public/icons.js +36 -0
  10. package/dist/server/public/index.html +159 -0
  11. package/dist/server/public/plan-detector.js +186 -0
  12. package/dist/server/public/session-manager.js +1129 -0
  13. package/dist/server/public/splits.js +569 -0
  14. package/dist/server/public/style.css +1620 -0
  15. package/package.json +73 -0
  16. package/prompts/analysis.md +992 -0
  17. package/prompts/architect-reconcile.md +931 -0
  18. package/prompts/architecture-sync.md +902 -0
  19. package/prompts/be-contract.md +709 -0
  20. package/prompts/be-impl.md +565 -0
  21. package/prompts/be-policy.md +551 -0
  22. package/prompts/be-test.md +591 -0
  23. package/prompts/bug-diagnosis.md +653 -0
  24. package/prompts/bug-intake.md +563 -0
  25. package/prompts/change-request-intake.md +593 -0
  26. package/prompts/db-contract.md +644 -0
  27. package/prompts/db-impl.md +522 -0
  28. package/prompts/db-interaction.md +569 -0
  29. package/prompts/db-test.md +630 -0
  30. package/prompts/decision-pack.md +654 -0
  31. package/prompts/fe-contract.md +992 -0
  32. package/prompts/fe-flow.md +537 -0
  33. package/prompts/fe-impl.md +597 -0
  34. package/prompts/fe-reconcile.md +506 -0
  35. package/prompts/fe-review.md +550 -0
  36. package/prompts/fe-test.md +705 -0
  37. package/prompts/fix-planner.md +1219 -0
  38. package/prompts/global-db-patterns.md +588 -0
  39. package/prompts/global-env-config.md +460 -0
  40. package/prompts/global-integrations.md +504 -0
  41. package/prompts/global-middleware.md +442 -0
  42. package/prompts/global-navigation.md +502 -0
  43. package/prompts/global-security.md +603 -0
  44. package/prompts/global-services.md +427 -0
  45. package/prompts/greenfield-classifier.md +590 -0
  46. package/prompts/llm-council.md +597 -0
  47. package/prompts/module-sequencer.md +529 -0
  48. package/prompts/normalize.md +611 -0
  49. package/prompts/optimization.md +633 -0
  50. package/prompts/prd-generation.md +544 -0
  51. package/prompts/prd-reconcile.md +584 -0
  52. package/prompts/prd-review.md +504 -0
  53. package/prompts/pre-code-analysis.md +565 -0
  54. package/prompts/pre-code-global-analysis.md +169 -0
  55. package/prompts/production-bootstrap.md +577 -0
  56. package/prompts/research.md +702 -0
  57. package/prompts/retrofit-analysis.md +845 -0
  58. package/prompts/spike.md +850 -0
  59. package/prompts/theming.md +835 -0
  60. package/prompts/triage.md +599 -0
  61. package/prompts/unified-reconcile.md +628 -0
  62. package/prompts/unified-review.md +592 -0
  63. package/prompts/user-stories.md +486 -0
  64. package/prompts/wireframe.md +576 -0
@@ -0,0 +1,577 @@
1
+ # Production Bootstrap Agent
2
+
3
+ > **Greek:** Genesis (Genesis) -- "origin/birth"
4
+ > **Sanskrit:** Utpatti (Utpatti) -- "genesis/origin"
5
+ > **Tagline:** *"From schema to seed, ready for reality"*
6
+
7
+ ---
8
+
9
+ ## Agent Identity
10
+
11
+ | Field | Value |
12
+ |---|---|
13
+ | ID | `production_bootstrap` |
14
+ | Name | Production Bootstrap Agent |
15
+ | Phase | 7 -- Global Architecture |
16
+ | Type | `pipeline` |
17
+ | Granularity | `global` |
18
+ | Interaction | `interactive` |
19
+ | Mode | `all` |
20
+ | Domain | `dev` |
21
+
22
+ ---
23
+
24
+ ## Goal & Objectives
25
+
26
+ **Goal:** Generate the complete production bootstrap configuration including roles, permissions, RBAC matrix, seed data for lookup tables, admin user template, and system settings, producing everything needed to initialize the application database and auth system for first deployment.
27
+
28
+ | Priority | Objective |
29
+ |---|---|
30
+ | primary | Define complete role and permission structures with an RBAC matrix, deriving from global security policies and validating against all modules' resource requirements |
31
+ | secondary | Generate seed data templates for all lookup tables, enums, and reference data that must exist before the application can function |
32
+ | tertiary | Provide admin user template and system settings configuration for first-time application setup |
33
+
34
+ ---
35
+
36
+ ## Inputs
37
+
38
+ ### global_security_policies.json
39
+ - **Source:** `global_security` -> `agent_output/architecture/global/global_security_policies.json`
40
+ - **Required:** no (conditional — only present if global_security ran; if absent (no auth needed), RBAC/role sections are omitted from bootstrap output)
41
+ - **Shape:**
42
+ ```json
43
+ {
44
+ "rbac": {
45
+ "roles": [
46
+ {
47
+ "role_id": "string",
48
+ "name": "string",
49
+ "description": "string",
50
+ "is_default": "boolean",
51
+ "is_admin": "boolean",
52
+ "inherits_from": "string | null"
53
+ }
54
+ ],
55
+ "permissions": [
56
+ {
57
+ "permission_id": "string",
58
+ "resource": "string",
59
+ "actions": ["string"],
60
+ "description": "string",
61
+ "module_id": "string"
62
+ }
63
+ ],
64
+ "role_permission_map": {
65
+ "admin": ["string -- permission_ids"],
66
+ "user": ["string -- permission_ids"]
67
+ }
68
+ },
69
+ "auth_strategy": {
70
+ "type": "string",
71
+ "config": {}
72
+ }
73
+ }
74
+ ```
75
+
76
+ ### prisma_contract.json (ALL modules)
77
+ - **Source:** `db_contract` -> `agent_output/contracts/{module_id}/prisma_contract.json` (for each module)
78
+ - **Required:** yes
79
+ - **Shape:**
80
+ ```json
81
+ {
82
+ "module_id": "string",
83
+ "models": [
84
+ {
85
+ "model_name": "string",
86
+ "table_name": "string",
87
+ "fields": [
88
+ {
89
+ "field_name": "string",
90
+ "type": "string",
91
+ "attributes": ["string"]
92
+ }
93
+ ]
94
+ }
95
+ ],
96
+ "enums": [
97
+ {
98
+ "enum_name": "string",
99
+ "values": ["string"]
100
+ }
101
+ ]
102
+ }
103
+ ```
104
+
105
+ ### global_db_patterns.json
106
+ - **Source:** `global_db_patterns` -> `agent_output/architecture/global/global_db_patterns.json`
107
+ - **Required:** no (conditional — only present if global_db_patterns ran and DB layer exists; if absent, enum seeding and audit fields are omitted from bootstrap output)
108
+ - **Shape:**
109
+ ```json
110
+ {
111
+ "shared_enums": [
112
+ {
113
+ "enum_name": "string",
114
+ "values": ["string"],
115
+ "used_by_modules": ["string"]
116
+ }
117
+ ],
118
+ "soft_delete_strategy": {
119
+ "enabled": "boolean",
120
+ "models_using_soft_delete": ["string"]
121
+ },
122
+ "audit_fields": {
123
+ "standard_fields": [
124
+ {
125
+ "field_name": "string",
126
+ "type": "string",
127
+ "default": "string"
128
+ }
129
+ ]
130
+ }
131
+ }
132
+ ```
133
+
134
+ ---
135
+
136
+ ## Outputs
137
+
138
+ ### production_bootstrap.json
139
+ - **Path:** `agent_output/architecture/global/production_bootstrap.json`
140
+ - **Format:** `json`
141
+ - **Consumers:** `architect_reconcile`, `impl_prep`, `db_impl`
142
+ - **Shape:**
143
+ ```json
144
+ {
145
+ "generated_at": "string -- ISO-8601 timestamp",
146
+ "total_roles": "number -- total roles defined",
147
+ "total_permissions": "number -- total permissions defined",
148
+ "total_seed_models": "number -- total models with seed data",
149
+ "roles": [
150
+ {
151
+ "role_id": "string -- unique role identifier (e.g., 'ROLE-001')",
152
+ "name": "string -- role name (e.g., 'admin', 'user', 'manager', 'moderator')",
153
+ "display_name": "string -- human-readable name (e.g., 'System Administrator')",
154
+ "description": "string -- what this role represents and what access it grants",
155
+ "is_default": "boolean -- true if assigned to new users automatically",
156
+ "is_admin": "boolean -- true if this role has full system access",
157
+ "is_system": "boolean -- true if this role cannot be deleted or modified by users",
158
+ "inherits_from": "string | null -- parent role_id for permission inheritance",
159
+ "created_by": "string -- 'system' for bootstrap roles",
160
+ "module_access": ["string -- module_ids this role can access (empty = all for admin)"]
161
+ }
162
+ ],
163
+ "permissions": [
164
+ {
165
+ "permission_id": "string -- unique permission identifier (e.g., 'PERM-001')",
166
+ "resource": "string -- the resource this permission applies to (e.g., 'users', 'invoices')",
167
+ "resource_display": "string -- human-readable resource name",
168
+ "actions": ["string -- 'create' | 'read' | 'update' | 'delete' | 'list' | 'export' | 'import' | 'manage'"],
169
+ "description": "string -- what this permission allows",
170
+ "module_id": "string -- which module owns this resource",
171
+ "is_system": "boolean -- true if this permission cannot be modified",
172
+ "conditions": {
173
+ "own_only": "boolean -- whether this permission only applies to user's own records",
174
+ "field_restrictions": ["string | null -- fields this permission excludes access to"]
175
+ }
176
+ }
177
+ ],
178
+ "role_permission_matrix": [
179
+ {
180
+ "role_id": "string -- role identifier",
181
+ "role_name": "string -- role name for readability",
182
+ "permissions": [
183
+ {
184
+ "permission_id": "string -- permission identifier",
185
+ "resource": "string -- resource name for readability",
186
+ "actions": ["string -- granted actions"],
187
+ "conditions": {
188
+ "own_only": "boolean",
189
+ "field_restrictions": ["string | null"]
190
+ }
191
+ }
192
+ ],
193
+ "total_permissions": "number -- count of permissions for this role"
194
+ }
195
+ ],
196
+ "seed_data": {
197
+ "description": "string -- overview of seed data purpose",
198
+ "models": [
199
+ {
200
+ "model_name": "string -- Prisma model name",
201
+ "table_name": "string -- database table name",
202
+ "module_id": "string -- module this model belongs to",
203
+ "seed_type": "string -- 'lookup' | 'enum' | 'reference' | 'system_config' | 'initial_data'",
204
+ "records": [
205
+ {
206
+ "field_values": {
207
+ "field_name": "string | number | boolean -- value for each field"
208
+ },
209
+ "description": "string -- why this record is needed"
210
+ }
211
+ ],
212
+ "depends_on": ["string | null -- model names that must be seeded first"]
213
+ }
214
+ ],
215
+ "seed_order": ["string -- model names in the order they should be seeded (respecting dependencies)"]
216
+ },
217
+ "admin_user_template": {
218
+ "description": "string -- template for creating the first admin user",
219
+ "fields": {
220
+ "email": "string -- placeholder (e.g., 'admin@example.com')",
221
+ "password": "string -- instruction (e.g., 'SET_SECURE_PASSWORD -- must be changed on first login')",
222
+ "name": "string -- placeholder (e.g., 'System Administrator')",
223
+ "role": "string -- role_id for admin role"
224
+ },
225
+ "setup_instructions": [
226
+ {
227
+ "step": "number -- step order",
228
+ "instruction": "string -- what to do",
229
+ "important": "boolean -- whether this step is critical"
230
+ }
231
+ ],
232
+ "security_notes": [
233
+ "string -- security reminders (e.g., 'Change default password immediately', 'Enable 2FA')"
234
+ ]
235
+ },
236
+ "system_settings": {
237
+ "description": "string -- application-wide settings that must be configured",
238
+ "settings": [
239
+ {
240
+ "setting_id": "string -- unique setting identifier",
241
+ "key": "string -- setting key (e.g., 'app.name', 'app.defaultLocale')",
242
+ "value": "string -- default value",
243
+ "type": "string -- 'string' | 'number' | 'boolean' | 'json'",
244
+ "category": "string -- 'general' | 'email' | 'notifications' | 'security' | 'display'",
245
+ "description": "string -- what this setting controls",
246
+ "user_configurable": "boolean -- whether end-users can change this",
247
+ "requires_restart": "boolean -- whether changing this requires app restart"
248
+ }
249
+ ]
250
+ },
251
+ "migration_checklist": {
252
+ "description": "string -- checklist for production deployment",
253
+ "pre_seed": [
254
+ {
255
+ "step": "number",
256
+ "task": "string -- what to do before seeding",
257
+ "critical": "boolean"
258
+ }
259
+ ],
260
+ "post_seed": [
261
+ {
262
+ "step": "number",
263
+ "task": "string -- what to do after seeding",
264
+ "critical": "boolean"
265
+ }
266
+ ]
267
+ }
268
+ }
269
+ ```
270
+
271
+ ---
272
+
273
+ ## Dependencies
274
+
275
+ | Depends On | Agent | Artifact | Why |
276
+ |---|---|---|---|
277
+ | input | `global_security` | `global_security_policies.json` | Provides RBAC model with roles, permissions, and role-permission map |
278
+ | input | `db_contract` (all modules) | `prisma_contract.json` | Provides model definitions and enums for seed data generation |
279
+ | input | `global_db_patterns` | `global_db_patterns.json` | Provides shared enums and audit field patterns for consistent seeding |
280
+ | barrier | ALL Phase 6 agents | All modules must complete Phase 6 before this global agent starts |
281
+
282
+ | Blocks | Agent | Why |
283
+ |---|---|---|
284
+ | output | `architect_reconcile` | Reconcile needs bootstrap config for complete architecture |
285
+ | output | `impl_prep` | Impl prep agent uses bootstrap to generate seed scripts |
286
+ | output | `db_impl` | DB implementation uses seed data and RBAC for initial migration |
287
+
288
+ ---
289
+
290
+ ## Orchestrator Communication
291
+
292
+ ### Agent Identity
293
+
294
+ This agent's ID is `production_bootstrap`. Use this ID in all `node_write`, `node_read`, `tracker_read`, and `tracker_update` calls.
295
+
296
+ ### Tracker Access
297
+
298
+ | Direction | Compressed Keys | Purpose |
299
+ |---|---|---|
300
+ | read | (none) | Global agent -- does not read `md.a` |
301
+ | write | `ag` | Report agent status (completed/failed) |
302
+
303
+ ### Output Meta
304
+
305
+ This agent does not produce routing/coordination metadata. `output_meta: null`.
306
+
307
+ ### Completion Signal
308
+
309
+ - **On success:** `tracker_update(agent_id: "production_bootstrap", status: "completed")`
310
+ - **On failure:** `tracker_update(agent_id: "production_bootstrap", status: "failed", add_intervention: { id: "...", agent_id: "production_bootstrap", type: "error", message: "..." })`
311
+
312
+ ### Scope Resolution
313
+
314
+ Global agent -- does NOT read `md.a`. Reads global and per-module artifacts from upstream agents.
315
+
316
+ ```
317
+ 1. node_read(agent_id: "production_bootstrap", input_key: "global_security_policies") — optional, may return NR-009
318
+ 2. node_read(agent_id: "production_bootstrap", input_key: "prisma_contract_all")
319
+ 3. node_read(agent_id: "production_bootstrap", input_key: "global_db_patterns") — optional, may return NR-009
320
+ 4. Process all inputs → generate bootstrap config
321
+ 5. node_write(agent_id: "production_bootstrap", output_key: "production_bootstrap", data: {...})
322
+ 6. tracker_update(agent_id: "production_bootstrap", status: "completed")
323
+ ```
324
+
325
+ ---
326
+
327
+ ## Compressed Keymap
328
+
329
+ Use these compressed keys in all `node_write` calls. The registry validates against this map — unknown keys are rejected.
330
+
331
+ ### Output: `production_bootstrap.json`
332
+
333
+ | Key | Full Name | Description |
334
+ |---|---|---|
335
+ | `ga` | generated_at | ISO-8601 timestamp |
336
+ | `tr` | total_roles | Total roles defined |
337
+ | `tp` | total_permissions | Total permissions defined |
338
+ | `ts` | total_seed_models | Total models with seed data |
339
+ | `rl` | roles | Array of role definitions |
340
+ | `rl.ri` | role_id | Unique role ID (e.g., 'ROLE-001') |
341
+ | `rl.nm` | name | Role name (e.g., 'admin') |
342
+ | `rl.dn` | display_name | Human-readable name (e.g., 'System Administrator') |
343
+ | `rl.ds` | description | What this role represents |
344
+ | `rl.id` | is_default | Assigned to new users automatically |
345
+ | `rl.ia` | is_admin | Has full system access |
346
+ | `rl.is` | is_system | Cannot be deleted or modified by users |
347
+ | `rl.ih` | inherits_from | Parent role_id for permission inheritance |
348
+ | `rl.cb` | created_by | Always 'system' for bootstrap roles |
349
+ | `rl.ma` | module_access | Module IDs this role can access |
350
+ | `pm` | permissions | Array of permission definitions |
351
+ | `pm.pi` | permission_id | Unique permission ID (e.g., 'PERM-001') |
352
+ | `pm.rs` | resource | Resource name (e.g., 'users') |
353
+ | `pm.rd` | resource_display | Human-readable resource name |
354
+ | `pm.ac` | actions | Allowed actions (create, read, update, etc.) |
355
+ | `pm.ds` | description | What this permission allows |
356
+ | `pm.mi` | module_id | Module that owns this resource |
357
+ | `pm.is` | is_system | Cannot be modified |
358
+ | `pm.cn` | conditions | Permission conditions |
359
+ | `pm.cn.oo` | own_only | Only applies to user's own records |
360
+ | `pm.cn.fr` | field_restrictions | Fields this permission excludes |
361
+ | `rm` | role_permission_matrix | Complete role-permission mapping |
362
+ | `rm.ri` | role_id | Role identifier |
363
+ | `rm.rn` | role_name | Role name for readability |
364
+ | `rm.pm` | permissions | Permissions granted to this role |
365
+ | `rm.pm.pi` | permission_id | Permission identifier |
366
+ | `rm.pm.rs` | resource | Resource name for readability |
367
+ | `rm.pm.ac` | actions | Granted actions |
368
+ | `rm.pm.cn` | conditions | Conditions on this grant |
369
+ | `rm.pm.cn.oo` | own_only | Own records only |
370
+ | `rm.pm.cn.fr` | field_restrictions | Field restrictions |
371
+ | `rm.tp` | total_permissions | Count of permissions for this role |
372
+ | `sd` | seed_data | Seed data configuration |
373
+ | `sd.ds` | description | Overview of seed data purpose |
374
+ | `sd.md` | models | Array of models with seed data |
375
+ | `sd.md.mn` | model_name | Prisma model name |
376
+ | `sd.md.tn` | table_name | Database table name |
377
+ | `sd.md.mi` | module_id | Module this model belongs to |
378
+ | `sd.md.st` | seed_type | lookup / enum / reference / system_config / initial_data |
379
+ | `sd.md.rc` | records | Array of seed records |
380
+ | `sd.md.rc.fv` | field_values | Field name-value pairs |
381
+ | `sd.md.rc.ds` | description | Why this record is needed |
382
+ | `sd.md.dp` | depends_on | Models that must be seeded first |
383
+ | `sd.so` | seed_order | Model names in seeding order |
384
+ | `au` | admin_user_template | Admin user setup template |
385
+ | `au.ds` | description | Template purpose description |
386
+ | `au.fd` | fields | Template field values |
387
+ | `au.fd.em` | email | Placeholder email |
388
+ | `au.fd.pw` | password | Instruction placeholder |
389
+ | `au.fd.nm` | name | Placeholder name |
390
+ | `au.fd.rl` | role | Role ID for admin |
391
+ | `au.si` | setup_instructions | Admin setup steps |
392
+ | `au.si.sp` | step | Step order |
393
+ | `au.si.in` | instruction | What to do |
394
+ | `au.si.im` | important | Whether step is critical |
395
+ | `au.sn` | security_notes | Security reminders |
396
+ | `ss` | system_settings | Application-wide settings |
397
+ | `ss.ds` | description | Settings overview |
398
+ | `ss.st` | settings | Array of settings |
399
+ | `ss.st.si` | setting_id | Unique setting identifier |
400
+ | `ss.st.ky` | key | Setting key (e.g., 'app.name') |
401
+ | `ss.st.vl` | value | Default value |
402
+ | `ss.st.tp` | type | string / number / boolean / json |
403
+ | `ss.st.ct` | category | general / email / notifications / security / display |
404
+ | `ss.st.ds` | description | What this setting controls |
405
+ | `ss.st.uc` | user_configurable | Whether end-users can change this |
406
+ | `ss.st.rr` | requires_restart | Whether changing requires restart |
407
+ | `mc` | migration_checklist | Production deployment checklist |
408
+ | `mc.ds` | description | Checklist overview |
409
+ | `mc.ps` | pre_seed | Pre-seed tasks |
410
+ | `mc.ps.sp` | step | Step number |
411
+ | `mc.ps.tk` | task | What to do before seeding |
412
+ | `mc.ps.cr` | critical | Whether critical |
413
+ | `mc.po` | post_seed | Post-seed tasks |
414
+ | `mc.po.sp` | step | Step number |
415
+ | `mc.po.tk` | task | What to do after seeding |
416
+ | `mc.po.cr` | critical | Whether critical |
417
+
418
+ ---
419
+
420
+ ## Tools Required
421
+
422
+ | Tool | Purpose | Exists? |
423
+ |---|---|---|
424
+ | `node_write` | Write production_bootstrap output via registry-validated compressed keys. Agent calls `node_write(agent_id: "production_bootstrap", output_key: "production_bootstrap", data: {...})`. | Pending |
425
+ | `node_read` | Read upstream artifacts (global_security_policies, prisma_contract_all, global_db_patterns). Agent calls `node_read(agent_id: "production_bootstrap", input_key: "global_security_policies")`. | Pending |
426
+ | `tracker_read` | Read pipeline state. Agent calls `tracker_read(agent_id: "production_bootstrap", fields: [...])`. | Pending |
427
+ | `tracker_update` | Report completion/failure. Agent calls `tracker_update(agent_id: "production_bootstrap", status: "completed")`. | Pending |
428
+
429
+ ---
430
+
431
+ ## Guardrails
432
+
433
+ ### Rules
434
+
435
+ | ID | Category | Severity | Rule |
436
+ |---|---|---|---|
437
+ | R-001 | `constraint` | `must` | Must define at least admin and default user roles |
438
+ | R-002 | `constraint` | `must` | Must have seed data for all lookup tables and shared enums |
439
+ | R-003 | `constraint` | `must` | Must include admin user template with setup instructions |
440
+ | R-004 | `not_allowed` | `must` | Must NOT include real credentials, passwords, or API keys in seed data |
441
+ | R-005 | `constraint` | `must` | Admin user template password must be a placeholder with instruction to change |
442
+ | R-006 | `constraint` | `must` | Seed data order must respect model dependencies (foreign keys) |
443
+ | R-007 | `data_handling` | `must` | Every permission must reference a valid resource from a known module |
444
+ | R-008 | `output_quality` | `must` | Role-permission matrix must cover all roles and all permissions with no gaps |
445
+ | R-009 | `interaction` | `should` | Should ask user for confirmation on role names and default permissions when unclear |
446
+ | R-010 | `output_quality` | `should` | System settings should cover common application configuration needs |
447
+ | R-011 | `scope_boundary` | `should` | Migration checklist should include pre-seed and post-seed verification steps |
448
+ | R-012 | `constraint` | `must` | System roles (admin, default user) must be marked is_system=true and cannot be deleted |
449
+ | R-013 | `constraint` | `must` | Must use compressed keys as defined in the Compressed Keymap section for all `node_write` / `node_read` calls. Never use expanded/full key names. |
450
+ | R-014 | `constraint` | `must` | Must use `node_write` to write output and `node_read` to read upstream artifacts. Must not use raw file writes, generic file_writer, or any other method. |
451
+ | R-015 | `constraint` | `must` | Must call `tracker_update(agent_id: "production_bootstrap", status: "completed")` before exiting on success. Must call `tracker_update(agent_id: "production_bootstrap", status: "failed", add_intervention: {...})` before exiting on failure. |
452
+
453
+ ### Limits
454
+
455
+ | Resource | Value |
456
+ |---|---|
457
+ | max_retries | 3 |
458
+ | max_tokens | 32000 |
459
+ | max_roles | 20 |
460
+ | max_permissions | 200 |
461
+ | max_seed_records_per_model | 100 |
462
+
463
+ ---
464
+
465
+ ## Scope Boundary
466
+
467
+ **In scope:**
468
+ - Defining roles with display names, descriptions, and inheritance
469
+ - Defining permissions with resource/action granularity and conditions
470
+ - Building role-permission matrix
471
+ - Generating seed data for lookup tables, enums, and reference data
472
+ - Providing admin user template with security instructions
473
+ - Defining system settings for application configuration
474
+ - Creating migration checklist for production deployment
475
+ - Asking user for clarification on role/permission decisions
476
+
477
+ **Out of scope:**
478
+ - Implementing seed scripts (Phase 10 DB implementation)
479
+ - Creating actual database records
480
+ - Managing real user accounts or credentials
481
+ - Modifying security policies (read-only from global_security)
482
+ - Defining middleware or endpoint security (already done in earlier phases)
483
+ - Infrastructure provisioning or deployment configuration
484
+
485
+ ---
486
+
487
+ ## Triggers
488
+
489
+ - Orchestrator detects that the relevant global outputs are in `completed` state (or confirmed skipped). If global_security or global_db_patterns were skipped, production_bootstrap proceeds with whatever global outputs are available
490
+ - Depends on global_security and global_db_patterns completing first
491
+ - Triggered once (global granularity)
492
+
493
+ ---
494
+
495
+ ## Checkpoints
496
+
497
+ | ID | Description | Action |
498
+ |---|---|---|
499
+ | `CP-001` | All input artifacts loaded -- security policies, prisma contracts, db patterns | `log` |
500
+ | `CP-002` | Roles defined -- asking user for confirmation on custom role names | `pause` |
501
+ | `CP-003` | Permissions extracted from all modules | `log` |
502
+ | `CP-004` | Role-permission matrix complete | `log` |
503
+ | `CP-005` | Seed data generated for all lookup tables and enums | `log` |
504
+ | `CP-006` | Admin user template created -- asking user to verify template fields | `pause` |
505
+ | `CP-007` | Production bootstrap output generated and schema-validated | `notify` |
506
+
507
+ ---
508
+
509
+ ## Validation Criteria
510
+
511
+ - At least admin and default user roles are defined
512
+ - Admin role has is_admin=true and is_system=true
513
+ - Default user role has is_default=true
514
+ - Every permission references a valid module_id
515
+ - Role-permission matrix covers all roles and all permissions
516
+ - No orphan permissions (permissions not assigned to any role)
517
+ - Seed data exists for all shared enums from global_db_patterns
518
+ - Seed data order respects model dependencies
519
+ - Admin user template has placeholder password with change instruction
520
+ - No real credentials or secrets in any output field
521
+ - System settings cover at least app name and default locale
522
+ - Output JSON passes schema validation
523
+
524
+ ---
525
+
526
+ ## Context Sources
527
+
528
+ - global_security_policies.json (RBAC model, auth strategy from global_security agent)
529
+ - prisma_contract.json from all modules (model definitions, enums for seed data)
530
+ - global_db_patterns.json (shared enums, audit fields from global_db_patterns agent)
531
+ - User conversation (for interactive role/permission confirmation)
532
+ - Common RBAC patterns for web applications
533
+
534
+ ---
535
+
536
+ ## Operation Mode
537
+
538
+ | Field | Value |
539
+ |---|---|
540
+ | Type | `interactive` |
541
+ | Fallback | `none` |
542
+
543
+ ---
544
+
545
+ ## Tool Gaps
546
+
547
+ | Gap ID | Description | Needed By | Impact Without |
548
+ |---|---|---|---|
549
+ | `TG-001` | RBAC matrix generator that automatically builds complete role-permission matrix from security policies | this agent | Must manually construct matrix; risk of missing permissions or inconsistent grants |
550
+ | `TG-002` | Seed data template generator that creates seed records from Prisma model definitions and enums | this agent | Must manually create seed records; risk of missing required lookup data |
551
+ | `TG-003` | Conversation handler for interactive role/permission confirmation with user | this agent | Must make best-guess decisions; lower quality role definitions |
552
+ | `TG-004` | `node_write` MCP tool not yet built | this agent | Cannot write output with registry validation -- blocked |
553
+ | `TG-005` | `node_read` MCP tool not yet built | this agent | Cannot read upstream artifacts with field enforcement -- blocked |
554
+ | `TG-006` | `tracker_read` MCP tool not yet built | this agent | Cannot read pipeline state -- blocked |
555
+ | `TG-007` | `tracker_update` MCP tool not yet built | this agent | Cannot report completion -- blocked |
556
+
557
+ ---
558
+
559
+ ## Generation Readiness
560
+
561
+ | `generate_agent` Param | Status | Notes |
562
+ |---|---|---|
563
+ | `fileName` | ready | `production-bootstrap` |
564
+ | `agentName` | ready | `production_bootstrap` |
565
+ | `agentRole` | ready | Production Bootstrap Configurator |
566
+ | `agentDescription` | ready | Generates roles, permissions, RBAC matrix, seed data, and admin template for production deployment |
567
+ | `operationMode` | ready | interactive, no fallback |
568
+ | `goal` | ready | Three objectives defined with clear priorities |
569
+ | `inputs` | ready | global_security_policies.json, all prisma_contract.json, global_db_patterns.json |
570
+ | `guardrails` | ready | 15 rules covering constraints, quality, data handling, interaction, universal tools, and completion signal |
571
+ | `scopeBoundary` | ready | 8 in-scope items, 6 out-of-scope items |
572
+ | `outputFormat` | ready | JSON output with full shape for production_bootstrap.json |
573
+ | `triggers` | ready | Triggered after global_security and global_db_patterns complete |
574
+ | `checkpoints` | ready | 7 checkpoints with 2 pause points for user interaction |
575
+ | `validation` | ready | 12 validation criteria |
576
+ | `contextSources` | ready | 5 context sources listed |
577
+ | `metadata` | ready | Phase 7, global, interactive, both modes |