@r3dlex/ai-catapult 0.1.0
- package/LICENSE +21 -0
- package/README.md +139 -0
- package/bin/ai-catapult.js +229 -0
- package/dist/claude-plugin/.claude-plugin/marketplace.json +28 -0
- package/dist/claude-plugin/.claude-plugin/plugin.json +21 -0
- package/dist/claude-plugin/skills/ai-catapult-init/REFERENCE.md +1284 -0
- package/dist/claude-plugin/skills/ai-catapult-init/SKILL.md +79 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/README.md +48 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/archgate.md +42 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/brd-prd-traceability.md +64 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/cascade.md +110 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/ci-policy.md +107 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/documentation-blueprint.md +185 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/evals.md +93 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/foundation.md +19 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/host-policy-automation.md +151 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/language-packs.md +63 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/mcp-a2a.md +63 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/memory.md +102 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/migration.md +107 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/phases/01-discover-decide.md +33 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/phases/README.md +33 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/readme-documentation.md +120 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/release-versioning.md +188 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/skill-modernization.md +72 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/sync.md +111 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/topology.md +102 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/traceability.md +136 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/tracker-adapters.md +51 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/validation.md +276 -0
- package/dist/claude-plugin/skills/ai-catapult-init/modules/workflow.md +45 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/AGENTS.md +69 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/CLAUDE.md +3 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/GEMINI.md +3 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/boundary-manifest.json +247 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/drift/backups/.gitkeep +0 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/drift/last-drift.json +7 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/evals/.gitkeep +0 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/evals/coverage-exceptions.json +1 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/handoff/.gitkeep +0 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/matrix.json +19 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/mcp/a2a-handoff.md +51 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/mcp/registry.json +27 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/observability/audit-checklist.md +32 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/observability/conventions.md +35 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/phases/01-discover-decide/status.json +16 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/phases/02-govern-plan/status.json +15 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/phases/03-configure-generate/status.json +22 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/phases/04-validate-handoff/status.json +18 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/policies/model-routing.json +29 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/reviews/ai-failure-modes.md +42 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/rules/security.md +38 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/rules/technical-bounds.md +38 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/skills/git-ops.json +6 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/skills/workspace-sync.json +6 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/system-prompts/architect.md +31 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/system-prompts/developer.md +31 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/system-prompts/qa-engineer.md +31 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/traceability/.gitkeep +0 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/workflows/repo-workflow.json +42 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/workflows/repo-workflow.md +52 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-github/workflows/ci-prek.yml +21 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-rules.ts +178 -0
- package/dist/claude-plugin/skills/ai-catapult-init/templates/prek.toml +13 -0
- package/dist/codex-plugin/.codex-plugin/plugin.json +11 -0
- package/dist/codex-plugin/skills/ai-catapult-init/REFERENCE.md +1284 -0
- package/dist/codex-plugin/skills/ai-catapult-init/SKILL.md +79 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/README.md +48 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/archgate.md +42 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/brd-prd-traceability.md +64 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/cascade.md +110 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/ci-policy.md +107 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/documentation-blueprint.md +185 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/evals.md +93 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/foundation.md +19 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/host-policy-automation.md +151 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/language-packs.md +63 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/mcp-a2a.md +63 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/memory.md +102 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/migration.md +107 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/phases/01-discover-decide.md +33 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/phases/README.md +33 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/readme-documentation.md +120 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/release-versioning.md +188 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/skill-modernization.md +72 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/sync.md +111 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/topology.md +102 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/traceability.md +136 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/tracker-adapters.md +51 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/validation.md +276 -0
- package/dist/codex-plugin/skills/ai-catapult-init/modules/workflow.md +45 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/AGENTS.md +69 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/CLAUDE.md +3 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/GEMINI.md +3 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/boundary-manifest.json +247 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/drift/backups/.gitkeep +0 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/drift/last-drift.json +7 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/evals/.gitkeep +0 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/evals/coverage-exceptions.json +1 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/handoff/.gitkeep +0 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/matrix.json +19 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/mcp/a2a-handoff.md +51 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/mcp/registry.json +27 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/observability/audit-checklist.md +32 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/observability/conventions.md +35 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/phases/01-discover-decide/status.json +16 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/phases/02-govern-plan/status.json +15 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/phases/03-configure-generate/status.json +22 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/phases/04-validate-handoff/status.json +18 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/policies/model-routing.json +29 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/reviews/ai-failure-modes.md +42 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/rules/security.md +38 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/rules/technical-bounds.md +38 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/skills/git-ops.json +6 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/skills/workspace-sync.json +6 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/system-prompts/architect.md +31 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/system-prompts/developer.md +31 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/system-prompts/qa-engineer.md +31 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/traceability/.gitkeep +0 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/workflows/repo-workflow.json +42 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/workflows/repo-workflow.md +52 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-github/workflows/ci-prek.yml +21 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-rules.ts +178 -0
- package/dist/codex-plugin/skills/ai-catapult-init/templates/prek.toml +13 -0
- package/package.json +51 -0
- package/scripts/build-claude-plugin.sh +179 -0
- package/scripts/build-codex-plugin.sh +104 -0
- package/scripts/snapshot-dist.sh +26 -0
- package/setup.sh +63 -0
- package/skills.lock.json +6 -0
- package/src/install.js +380 -0
- package/src/scaffold.js +220 -0
|
@@ -0,0 +1,72 @@
|
|
|
1
|
+
# Skill Modernization Module
|
|
2
|
+
|
|
3
|
+
Read when auditing or updating a skill catalog for compact metadata, progressive disclosure, trigger clarity, runnable validation, cross-skill workflow links, and AI-SDLC compatibility.
|
|
4
|
+
|
|
5
|
+
## Generated outputs
|
|
6
|
+
|
|
7
|
+
| Output | Purpose |
|
|
8
|
+
| --- | --- |
|
|
9
|
+
| `.ai/skills/catalog-audit.json` | Machine-readable audit of every first-class skill description, body length, trigger boundary, and compatibility status. |
|
|
10
|
+
| `.ai/skills/description-exceptions.json` | Explicit exceptions for descriptions that exceed the hard budget; default is no exceptions. |
|
|
11
|
+
| `.ai/skills/modernization-report.md` | Human report summarizing fixes, warnings, and remaining follow-up. |
|
|
12
|
+
|
|
13
|
+
## Budget policy
|
|
14
|
+
|
|
15
|
+
- Target description length: `<= 180` characters.
|
|
16
|
+
- Hard-fail description length: `> 280` characters unless listed in `.ai/skills/description-exceptions.json` with owner, reason, and expiry.
|
|
17
|
+
- `SKILL.md` body stays under 100 lines.
|
|
18
|
+
- Descriptions state capability plus concrete trigger conditions; move examples, background, and variants to modules or references.
|
|
19
|
+
|
|
20
|
+
## Required checks
|
|
21
|
+
|
|
22
|
+
1. Audit only first-class catalog skill directories plus the `ai-sdlc-init` compatibility shim; exclude `.agents/`, hidden/runtime directories, reference fixtures, and golden outputs.
|
|
23
|
+
2. Verify every first-class skill has `name` and `description` frontmatter.
|
|
24
|
+
3. Warn when a description exceeds the 180-character target; fail when it exceeds 280 without an audited exception.
|
|
25
|
+
4. Verify body line limits and progressive-disclosure anti-patterns through `tests/test-skills.sh`.
|
|
26
|
+
5. Verify trigger/non-trigger/fallback boundaries are present in each first-class description (see "Trigger boundaries").
|
|
27
|
+
6. Validate referenced surfaces: no broken relative links, aliases resolve to a real canonical skill, every referenced file exists, and every bundled script passes `bash -n` (see "Link, alias, referenced-file, and script validation").
|
|
28
|
+
7. Verify generated workflow links remain discoverable for skills that create PRDs, issues, releases, traces, or AI-SDLC artifacts.
|
|
29
|
+
8. Emit a stable catalog audit artifact and keep exceptions explicit, reviewed, and time-bounded.
|
|
30
|
+
|
|
31
|
+
## Trigger boundaries
|
|
32
|
+
|
|
33
|
+
Every audited skill description must make three boundaries explicit so an agent can route correctly without loading the body:
|
|
34
|
+
|
|
35
|
+
- **Trigger** — the concrete conditions under which the skill should run (verbs, artifacts, keywords).
|
|
36
|
+
- **Non-trigger** — adjacent situations the skill must *not* claim, to prevent over-eager invocation (e.g. "use X instead for live-app runs"). Audit warns when a skill's description overlaps another skill's trigger without a non-trigger carve-out.
|
|
37
|
+
- **Fallback** — what happens when a precondition is missing or an optional tool/host is unavailable (graceful degradation, plain-markdown path, or "defer to <other skill>"). A skill with optional host/tool dependencies must name its fallback.
|
|
38
|
+
|
|
39
|
+
## Link, alias, referenced-file, and script validation
|
|
40
|
+
|
|
41
|
+
The audit statically validates a skill's referenced surfaces — offline, no network:
|
|
42
|
+
|
|
43
|
+
- **Broken link check** — every relative Markdown link and `modules/*`/`reference/*` pointer in `SKILL.md` and its modules resolves to a tracked file.
|
|
44
|
+
- **Alias check** — declared aliases/shims (e.g. the `ai-sdlc-init` → `ai-catapult-init` and `init-ai-repo` → `ai-catapult-init` compatibility aliases) point to a real canonical skill and do not collide with another first-class name.
|
|
45
|
+
- **Referenced-file check** — every file a skill names (templates, fixtures, ADRs, golden outputs) exists at the cited path; cite by content where line numbers would drift.
|
|
46
|
+
- **Script check** — every bundled `scripts/*` a skill invokes exists and passes `bash -n`; the audit does not execute network- or credential-dependent scripts.
|
|
47
|
+
|
|
48
|
+
## Cross-skill workflow links
|
|
49
|
+
|
|
50
|
+
- `ai-catapult-init` owns generated workflow, traceability, cascade, and catalog audit artifacts.
|
|
51
|
+
- `setup-skills` owns tracker/domain-doc configuration that downstream issue and PRD skills consume.
|
|
52
|
+
- `to-prd`, `to-issues`, and `triage` must preserve traceability IDs and tracker backlinks.
|
|
53
|
+
- `publish-semver` must link release evidence to specs, PRs, and tests.
|
|
54
|
+
- `write-a-skill` and `write-agent-docs` own authoring guidance for future catalog changes.
|
|
55
|
+
|
|
56
|
+
## Codex parity verification (P2)
|
|
57
|
+
|
|
58
|
+
The mechanical Codex-parity bar (no Claude/OMC-only hard dependencies) is
|
|
59
|
+
enforced offline by `scripts/check-codex-parity.sh`. The **verified** bar — a
|
|
60
|
+
human actually running representative skills under Codex — is recorded
|
|
61
|
+
out-of-band, never in CI. Follow `docs/learning/codex-verification.md` to run a
|
|
62
|
+
skill under Codex via `scripts/install-codex.sh`, what to record, and the pass
|
|
63
|
+
criteria; recorded transcript evidence lives under
|
|
64
|
+
`reference/fixtures/v3/standalone/.ai/evals/codex-verification/` and carries the
|
|
65
|
+
"recorded out-of-band verification, not a CI gate" disclaimer (validation check
|
|
66
|
+
#20, ADR-0004).
|
|
67
|
+
|
|
68
|
+
## Safety rules
|
|
69
|
+
|
|
70
|
+
- Do not weaken validators to make existing skills pass; fix the skill or add a reviewed exception.
|
|
71
|
+
- Do not add new runtime dependencies for catalog validation.
|
|
72
|
+
- Do not rewrite skill workflows for style only; preserve behavior unless a validation gate proves a problem.
|
|
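Review bot: Required check 4 and the "Codex parity verification (P2)" section point at `tests/test-skills.sh`, `scripts/check-codex-parity.sh`, `scripts/install-codex.sh`, `docs/learning/codex-verification.md` and `reference/fixtures/v3/standalone/.ai/evals/codex-verification/`, none of which appear in the package file list above (the shipped `package/scripts/` holds only `build-claude-plugin.sh`, `build-codex-plugin.sh` and `snapshot-dist.sh`), so this module would fail its own referenced-file check when read from the installed plugin. Either ship those files or mark the paths as living in the source repository only. Separately, the budget policy requires an expiry on each entry in `.ai/skills/description-exceptions.json`, but no required check says what the audit does once that expiry has passed; check 3 should state that an expired exception fails the same way a missing one does.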
@@ -0,0 +1,111 @@
|
|
|
1
|
+
# Sync Module
|
|
2
|
+
|
|
3
|
+
Read when propagating inherited assets from an umbrella repo to its managed sub-repos, when generating drift reports, or when backing up the v3 scaffold. Physical-copy is the canonical sync strategy. Symlinks and git submodules are explicitly rejected as canonical.
|
|
4
|
+
|
|
5
|
+
## Sync strategy
|
|
6
|
+
|
|
7
|
+
`sync_strategy: physical-copy` is the only canonical value in `.ai/matrix.json`. The sync lifecycle is:
|
|
8
|
+
|
|
9
|
+
1. **Resolve** — read `.ai/matrix.json` and compute the set of inherited assets and the set of managed repos.
|
|
10
|
+
2. **Backup** — write a snapshot of every destination file that will be overwritten under `.ai/drift/backups/<timestamp>/`. Skip files that are unchanged.
|
|
11
|
+
3. **Copy** — overwrite the destination with the source file. Use ordinary file copies, not symlinks and not git submodule references.
|
|
12
|
+
4. **Verify** — compute a SHA-256 of source and destination and assert equality. On mismatch, mark the asset as `failed` in the drift report and roll back from the backup.
|
|
13
|
+
5. **Audit** — append a sync record to `.ai/drift/last-sync.json` with timestamp, per-asset status, and SHA-256 values.
|
|
14
|
+
6. **Drift report** — write `.ai/drift/last-drift.json` listing per-asset `unchanged`, `updated`, `added`, or `failed` status.
|
|
15
|
+
|
|
16
|
+
## What sync is allowed to write
|
|
17
|
+
|
|
18
|
+
Sync is allowed to write only paths that appear in `.ai/matrix.json#inherited_assets`. Any other write is rejected. In particular:
|
|
19
|
+
|
|
20
|
+
- `.memory/human-override/` is never in the inherited-assets list and never written by sync.
|
|
21
|
+
- `.memory/self-learned/` is per-repo only and never written by sync.
|
|
22
|
+
- The umbrella root's own `AGENTS.md`, `CLAUDE.md`, `CONTRIBUTING.md`, and `README.md` are not written by sync unless they are explicitly listed in `inherited_assets`.
|
|
23
|
+
|
|
24
|
+
## Depth rule
|
|
25
|
+
|
|
26
|
+
Sync is allowed to run only when `current_depth <= max_allowed_depth`. For `umbrella` topologies, `max_allowed_depth` is fixed at `3`. The validator must:
|
|
27
|
+
|
|
28
|
+
1. Walk the tree rooted at the umbrella repo and compute the maximum path depth of any managed repo.
|
|
29
|
+
2. Treat any path whose depth exceeds 3 as a violation.
|
|
30
|
+
3. Refuse to run the sync when the violation persists.
|
|
31
|
+
|
|
32
|
+
## Drift detection
|
|
33
|
+
|
|
34
|
+
Drift is detected by comparing the SHA-256 of each source asset against the SHA-256 of the destination asset. Drift is reported per asset:
|
|
35
|
+
|
|
36
|
+
| Status | Meaning |
|
|
37
|
+
| --- | --- |
|
|
38
|
+
| `unchanged` | Source and destination SHA-256 match. |
|
|
39
|
+
| `updated` | Source and destination SHA-256 differ; destination was overwritten and a backup was written. |
|
|
40
|
+
| `added` | Destination did not exist; new file written. |
|
|
41
|
+
| `failed` | Sync attempted but SHA-256 mismatch persisted, or write was rejected by safety policy. The destination was rolled back from the backup. |
|
|
42
|
+
| `skipped` | Asset was intentionally skipped (e.g., excluded by `.ai/matrix.json#exclusions` or by `.memory/human-override/` membership). |
|
|
43
|
+
|
|
44
|
+
The drift report is written to `.ai/drift/last-drift.json` and has this shape:
|
|
45
|
+
|
|
46
|
+
```json
|
|
47
|
+
{
|
|
48
|
+
"schema_version": "1.0",
|
|
49
|
+
"generated_at": "2026-06-07T00:00:00Z",
|
|
50
|
+
"umbrella_root": ".",
|
|
51
|
+
"managed_repos": 3,
|
|
52
|
+
"assets": [
|
|
53
|
+
{
|
|
54
|
+
"path": "AGENTS.md",
|
|
55
|
+
"source": ".",
|
|
56
|
+
"mode": "physical-copy",
|
|
57
|
+
"status": "unchanged",
|
|
58
|
+
"source_sha256": "...",
|
|
59
|
+
"destination_sha256": "..."
|
|
60
|
+
}
|
|
61
|
+
],
|
|
62
|
+
"summary": {
|
|
63
|
+
"unchanged": 12,
|
|
64
|
+
"updated": 1,
|
|
65
|
+
"added": 0,
|
|
66
|
+
"failed": 0,
|
|
67
|
+
"skipped": 2
|
|
68
|
+
}
|
|
69
|
+
}
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
## Audit log
|
|
73
|
+
|
|
74
|
+
Every sync run appends an entry to `.ai/drift/sync-audit.jsonl` with one JSON object per line. Each entry has:
|
|
75
|
+
|
|
76
|
+
- `ts` — ISO-8601 timestamp.
|
|
77
|
+
- `umbrella_root` — repo path.
|
|
78
|
+
- `actor` — `ai-sdlc-init` or specific agent role.
|
|
79
|
+
- `mode` — `apply` or `dry-run`.
|
|
80
|
+
- `assets_changed` — count of `updated` and `added` assets.
|
|
81
|
+
- `assets_failed` — count of `failed` assets.
|
|
82
|
+
- `confirmation_token` — only present when `mode: apply`; references the explicit user confirmation that authorized the run.
|
|
83
|
+
|
|
84
|
+
Dry-run is the default. The first `apply` for a given run requires a fresh confirmation token. A confirmation token is valid only for the run that produced it; subsequent retries of the same plan require a fresh confirmation. See `modules/host-policy-automation.md` for the canonical confirmation-token rule.
|
|
85
|
+
|
|
86
|
+
## Local overrides
|
|
87
|
+
|
|
88
|
+
A managed sub-repo may declare a local override file at `.ai/local-overrides.json`. The file lists paths that the sub-repo does not want to inherit from the umbrella. Each entry has:
|
|
89
|
+
|
|
90
|
+
- `path` — the inherited-asset path being overridden.
|
|
91
|
+
- `reason` — short human-readable reason.
|
|
92
|
+
- `expires_at` — optional ISO-8601 timestamp after which the override should be re-evaluated.
|
|
93
|
+
|
|
94
|
+
Overrides are honored by sync; the asset status becomes `skipped` with reason `local-override`. Override expiry is enforced during drift review: an expired override is reported in the drift report under `expiring_overrides`.
|
|
95
|
+
|
|
96
|
+
## Safety rules
|
|
97
|
+
|
|
98
|
+
- Sync never deletes files outside the inherited-assets list.
|
|
99
|
+
- Destructive operations (deleting a destination, removing a backup) require explicit confirmation and emit an audit entry.
|
|
100
|
+
- Backups older than the retention window are pruned only with explicit confirmation. Default retention is 30 days; the value lives in `.ai/matrix.json#sync_status.retention_days` when present.
|
|
101
|
+
- Sync does not call hosted APIs to apply branch or policy changes. Hosted mutations are scoped to `modules/host-policy-automation.md`.
|
|
102
|
+
|
|
103
|
+
## Failure modes
|
|
104
|
+
|
|
105
|
+
| Failure | Behavior |
|
|
106
|
+
| --- | --- |
|
|
107
|
+
| `current_depth > max_allowed_depth` | Sync refuses to start. Error names the offending repo path and depth. |
|
|
108
|
+
| Destination write fails | Sync rolls back from the backup, marks the asset `failed`, and continues with the next asset. |
|
|
109
|
+
| Source file missing | Sync marks the asset `failed` and emits a `source-missing` audit entry. |
|
|
110
|
+
| Backups directory unwritable | Sync refuses to start. |
|
|
111
|
+
| `.ai/matrix.json` invalid | Sync refuses to start. The validator reports the schema violation. |
|
|
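Review bot: Lifecycle step 5 appends the sync record to `.ai/drift/last-sync.json`, while the "Audit log" section says every run appends to `.ai/drift/sync-audit.jsonl`; name one file, or explain how the two differ, so anything that reads the audit trail knows where to look. Step 6 lists only `unchanged`, `updated`, `added`, or `failed`, yet the status table also defines `skipped`, and the sample report has no `expiring_overrides` key even though "Local overrides" says expired overrides are reported there. In "What sync is allowed to write", the allowlist is described as a match against `inherited_assets` with no word on path normalization; the section should say that entries containing `..`, absolute paths, and destinations that already exist as symlinks are rejected before the copy step.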
@@ -0,0 +1,102 @@
|
|
|
1
|
+
# Topology Module
|
|
2
|
+
|
|
3
|
+
Read when the target repo is a standalone repository or an umbrella repository that needs canonical topology, max-depth, and sync metadata. The matrix is generated under `.ai/matrix.json` and is the single source of truth for repo layout, sync strategy, and inherited assets.
|
|
4
|
+
|
|
5
|
+
## Topology types
|
|
6
|
+
|
|
7
|
+
| Type | When to use | Required fields in `.ai/matrix.json` |
|
|
8
|
+
| --- | --- | --- |
|
|
9
|
+
| `standalone` | A single repository with one top-level tree, no nested managed repos. | `topology_type`, `max_allowed_depth: 0`, `current_depth: 0`, `sync_strategy: physical-copy`, `upstream_authority`, `inherited_assets`, `sync_status`. |
|
|
10
|
+
| `umbrella` | A repository that owns managed sub-repositories and propagates inherited assets to them. | All standalone fields plus `managed_repositories`, `max_allowed_depth: 3`, and a per-repo `depth` value. |
|
|
11
|
+
|
|
12
|
+
`max_allowed_depth` is fixed at `3` for `umbrella` topologies. `current_depth` is the maximum path depth observed across managed repositories. When `current_depth > max_allowed_depth`, validation must fail or block the apply path; the error must identify the offending repo path and the offending depth.
|
|
13
|
+
|
|
14
|
+
## `.ai/matrix.json` schema (v1.0)
|
|
15
|
+
|
|
16
|
+
```json
|
|
17
|
+
{
|
|
18
|
+
"schema_version": "1.0",
|
|
19
|
+
"topology_type": "umbrella",
|
|
20
|
+
"max_allowed_depth": 3,
|
|
21
|
+
"current_depth": 2,
|
|
22
|
+
"sync_strategy": "physical-copy",
|
|
23
|
+
"upstream_authority": {
|
|
24
|
+
"type": "git",
|
|
25
|
+
"url": "https://github.com/example/upstream.git",
|
|
26
|
+
"ref": "main"
|
|
27
|
+
},
|
|
28
|
+
"managed_repositories": [
|
|
29
|
+
{
|
|
30
|
+
"path": "services/auth",
|
|
31
|
+
"depth": 2,
|
|
32
|
+
"inherits_assets_from": "."
|
|
33
|
+
}
|
|
34
|
+
],
|
|
35
|
+
"inherited_assets": [
|
|
36
|
+
{
|
|
37
|
+
"path": "AGENTS.md",
|
|
38
|
+
"source": ".",
|
|
39
|
+
"mode": "physical-copy"
|
|
40
|
+
},
|
|
41
|
+
{
|
|
42
|
+
"path": ".ai/matrix.json",
|
|
43
|
+
"source": ".",
|
|
44
|
+
"mode": "physical-copy"
|
|
45
|
+
}
|
|
46
|
+
],
|
|
47
|
+
"sync_status": {
|
|
48
|
+
"last_synced_at": "2026-06-07T00:00:00Z",
|
|
49
|
+
"drift_detected": false,
|
|
50
|
+
"last_drift_report": ".ai/drift/last-drift.json"
|
|
51
|
+
}
|
|
52
|
+
}
|
|
53
|
+
```
|
|
54
|
+
|
|
55
|
+
### Required fields and types
|
|
56
|
+
|
|
57
|
+
- `schema_version` (string) — fixed at `"1.0"` until v2 is introduced.
|
|
58
|
+
- `topology_type` (string enum) — `standalone` or `umbrella`.
|
|
59
|
+
- `max_allowed_depth` (integer) — `0` for standalone, `3` for umbrella. Other values are rejected.
|
|
60
|
+
- `current_depth` (integer) — `0` for standalone, computed for umbrella.
|
|
61
|
+
- `sync_strategy` (string enum) — `physical-copy` only. `symlink` and `git-submodule` are explicitly rejected as canonical.
|
|
62
|
+
- `upstream_authority` (object) — non-null when sync reads from an upstream source. `type` is `git` or `local`. `url` and `ref` describe the source.
|
|
63
|
+
- `managed_repositories` (array) — required when `topology_type` is `umbrella`. Each entry has `path`, `depth`, and `inherits_assets_from`.
|
|
64
|
+
- `inherited_assets` (array) — list of file or directory paths propagated to managed repos. Each entry has `path`, `source`, and `mode: physical-copy`.
|
|
65
|
+
- `sync_status` (object) — `last_synced_at`, `drift_detected`, and an optional `last_drift_report` path.
|
|
66
|
+
|
|
67
|
+
### Optional fields
|
|
68
|
+
|
|
69
|
+
- `migration` (object) — references the legacy-to-v3 migration manifest; see `modules/migration.md` for the migration manifest format.
|
|
70
|
+
- `exclusions` (array of strings) — managed repos or paths that opt out of inheritance. Exclusions must be explicit and listed in the matrix, not inferred from `.gitignore`.
|
|
71
|
+
|
|
72
|
+
## Umbrella depth rule
|
|
73
|
+
|
|
74
|
+
`max_allowed_depth: 3` is a hard limit. The validator must:
|
|
75
|
+
|
|
76
|
+
1. Walk the tree rooted at the umbrella repo and compute the maximum path depth of any managed repo relative to the umbrella root.
|
|
77
|
+
2. Treat any path whose depth exceeds 3 as a violation.
|
|
78
|
+
3. Emit a blocking error that names the offending repo path and its depth.
|
|
79
|
+
4. Refuse to start the sync or apply path while the violation persists.
|
|
80
|
+
|
|
81
|
+
Depth is the number of path segments from the umbrella root to the managed repo, not the Git history depth.
|
|
82
|
+
|
|
83
|
+
## Sync-strategy rule
|
|
84
|
+
|
|
85
|
+
`sync_strategy: physical-copy` is the canonical strategy. Concretely:
|
|
86
|
+
|
|
87
|
+
- Inherited assets are propagated as ordinary file copies at sync time.
|
|
88
|
+
- The sync path writes a backup under `.ai/drift/backups/<timestamp>/` before overwriting any inherited asset.
|
|
89
|
+
- The sync path emits a drift report that lists per-asset `unchanged`, `updated`, or `added` status.
|
|
90
|
+
- Symlinks and git submodules are not the canonical strategy and must not appear as `mode` values.
|
|
91
|
+
|
|
92
|
+
See `modules/sync.md` for the full sync lifecycle, drift detection, and audit log format.
|
|
93
|
+
|
|
94
|
+
## Standalone-only files
|
|
95
|
+
|
|
96
|
+
A standalone repo does not need `managed_repositories`. A standalone repo must still set `max_allowed_depth: 0`, `current_depth: 0`, and `sync_strategy: physical-copy` so the schema is uniform.
|
|
97
|
+
|
|
98
|
+
## Safety rules
|
|
99
|
+
|
|
100
|
+
- Matrix generation never deletes files outside the inherited-assets list.
|
|
101
|
+
- Destructive migration of legacy matrix fields requires explicit confirmation; see `modules/migration.md` for the migration audit manifest format.
|
|
102
|
+
- `.memory/human-override/` is terminal priority and is never listed in `inherited_assets` because it is per-repo, not propagated.
|
|
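Review bot: The example `inherited_assets` array lists `.ai/matrix.json` itself, so a sync would overwrite each managed repo's matrix with the umbrella's copy (`topology_type: umbrella`, `managed_repositories`, `current_depth: 2`), and the sync module uses that same file as its write allowlist. If this is intended, document how a managed repo's own topology is expressed after the copy; otherwise drop the entry from the example. The "Sync-strategy rule" bullet lists only `unchanged`, `updated`, or `added`, which disagrees with the five statuses defined in `modules/sync.md`. The example `upstream_authority` uses `"ref": "main"`, a branch name; since the sync verify step only compares source and destination hashes, the field description should say whether `ref` may or must be a commit.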
@@ -0,0 +1,136 @@
|
|
|
1
|
+
# Traceability Graph Module
|
|
2
|
+
|
|
3
|
+
Read when generating or validating requirement/work-artifact traceability for an `ai-catapult-init` target repository. This module owns stable IDs, node/edge schema, backlink validation, graph fixtures, and cross-skill contracts.
|
|
4
|
+
|
|
5
|
+
## Generated outputs
|
|
6
|
+
|
|
7
|
+
| Output | Purpose |
|
|
8
|
+
| --- | --- |
|
|
9
|
+
| `.ai/traceability/graph.json` | Machine-readable node/edge graph for requirements, work items, reviews, tests, and handoffs. |
|
|
10
|
+
| `.ai/traceability/index.md` | Human index of graph nodes, backlinks, and uncovered artifacts. |
|
|
11
|
+
| `.ai/traceability/validation-report.md` | Validation result proving no dangling edges and required artifact coverage. |
|
|
12
|
+
|
|
13
|
+
Generated workflow and handoff surfaces should link to the traceability index once this phase is active.
|
|
14
|
+
|
|
15
|
+
## Stable ID policy
|
|
16
|
+
|
|
17
|
+
- IDs are deterministic strings: `<type>:<repo-id>:<slug>`.
|
|
18
|
+
- `type` is one of `brd`, `prd`, `adr`, `plan`, `issue`, `pr`, `test`, `handoff`, `workflow`, or `validation`. Schema `1.1` additively adds `eval-result` and `trajectory-trace` (see below).
|
|
19
|
+
- `repo-id` comes from `.ai/matrix.json` when present; otherwise use `root` for the local repo fixture.
|
|
20
|
+
- `slug` is lower-kebab-case from the artifact title or host key.
|
|
21
|
+
- IDs never include credentials, access tokens, or mutable host session IDs.
|
|
22
|
+
|
|
23
|
+
## Graph schema v1.0
|
|
24
|
+
|
|
25
|
+
```json
|
|
26
|
+
{
|
|
27
|
+
"schema_version": "1.0",
|
|
28
|
+
"root_repo_id": "root",
|
|
29
|
+
"generated_at": "2026-06-27T00:00:00Z",
|
|
30
|
+
"nodes": [
|
|
31
|
+
{
|
|
32
|
+
"id": "prd:root:init-ai-repo-workflow-surfaces",
|
|
33
|
+
"type": "prd",
|
|
34
|
+
"title": "init-ai-repo workflow surfaces",
|
|
35
|
+
"status": "active",
|
|
36
|
+
"repo_id": "root",
|
|
37
|
+
"path": "docs/specifications/ACTIVE/init-ai-repo-workflow-surfaces.md",
|
|
38
|
+
"backlinks": ["plan:root:init-ai-repo-pr-stack"]
|
|
39
|
+
}
|
|
40
|
+
],
|
|
41
|
+
"edges": [
|
|
42
|
+
{
|
|
43
|
+
"source": "plan:root:init-ai-repo-pr-stack",
|
|
44
|
+
"target": "prd:root:init-ai-repo-workflow-surfaces",
|
|
45
|
+
"relation": "decomposes-to",
|
|
46
|
+
"created_by": "init-ai-repo",
|
|
47
|
+
"evidence_path": ".ai/traceability/index.md"
|
|
48
|
+
}
|
|
49
|
+
]
|
|
50
|
+
}
|
|
51
|
+
```
|
|
52
|
+
|
|
53
|
+
## Graph schema v1.1 (additive)
|
|
54
|
+
|
|
55
|
+
Schema `1.1` is a strictly additive bump over `1.0`. No `1.0` field is removed or renamed, so existing `1.0` graphs and fixtures stay valid unchanged.
|
|
56
|
+
|
|
57
|
+
- `schema_version` is `"1.1"`.
|
|
58
|
+
- The `type` enum gains two node types: `eval-result` (a recorded LM-judge/eval outcome for a skill or PR) and `trajectory-trace` (a recorded agent trajectory captured during an eval run).
|
|
59
|
+
- New relations are permitted for the new types, e.g. `evaluated-by` (work item → `eval-result`) and `traced-by` (`eval-result` → `trajectory-trace`).
|
|
60
|
+
- All other node/edge field rules from `1.0` apply unchanged to the new types: each node still carries `id`, `type`, `title`, `status`, `repo_id`, and either `path` or `host_url`; backlinks and edges must resolve.
|
|
61
|
+
|
|
62
|
+
```json
|
|
63
|
+
{
|
|
64
|
+
"schema_version": "1.1",
|
|
65
|
+
"root_repo_id": "umbrella-root",
|
|
66
|
+
"nodes": [
|
|
67
|
+
{
|
|
68
|
+
"id": "eval-result:umbrella-root:example-output-eval",
|
|
69
|
+
"type": "eval-result",
|
|
70
|
+
"title": "example-output-eval LM-judge result",
|
|
71
|
+
"status": "active",
|
|
72
|
+
"repo_id": "umbrella-root",
|
|
73
|
+
"path": ".ai/evals/example-output-eval/evalset.json",
|
|
74
|
+
"backlinks": ["pr:umbrella-root:workflow-surfaces"]
|
|
75
|
+
},
|
|
76
|
+
{
|
|
77
|
+
"id": "trajectory-trace:umbrella-root:example-output-eval",
|
|
78
|
+
"type": "trajectory-trace",
|
|
79
|
+
"title": "example-output-eval trajectory trace",
|
|
80
|
+
"status": "active",
|
|
81
|
+
"repo_id": "umbrella-root",
|
|
82
|
+
"path": ".ai/evals/example-output-eval/rubric.md",
|
|
83
|
+
"backlinks": ["eval-result:umbrella-root:example-output-eval"]
|
|
84
|
+
}
|
|
85
|
+
],
|
|
86
|
+
"edges": [
|
|
87
|
+
{
|
|
88
|
+
"source": "pr:umbrella-root:workflow-surfaces",
|
|
89
|
+
"target": "eval-result:umbrella-root:example-output-eval",
|
|
90
|
+
"relation": "evaluated-by",
|
|
91
|
+
"created_by": "init-ai-repo",
|
|
92
|
+
"evidence_path": ".ai/traceability/index.md"
|
|
93
|
+
}
|
|
94
|
+
]
|
|
95
|
+
}
|
|
96
|
+
```
|
|
97
|
+
|
|
98
|
+
### Wiring eval evidence (eval-result / trajectory-trace)
|
|
99
|
+
|
|
100
|
+
When eval evidence exists, wire it into the graph so it is reachable from the work item it grades:
|
|
101
|
+
|
|
102
|
+
- Link the evaluated work item (a `skill`, `pr`, `test`, `issue`, or `plan` node) to its `eval-result` node with an `evaluated-by` edge (`source` = work item, `target` = `eval-result`).
|
|
103
|
+
- Link the `eval-result` node to its `trajectory-trace` node with a `traced-by` edge (`source` = `eval-result`, `target` = `trajectory-trace`).
|
|
104
|
+
- Each `eval-result` and `trajectory-trace` node's `path` MUST point at a real eval artifact under `.ai/evals/<set-id>/` that exists on disk (e.g. the recorded `judgment-demo.json` for a result, the `evalset.json` trajectory or `rubric.md` for a trace). Do not invent paths; reference the committed eval fixtures/outputs.
|
|
105
|
+
- The `evidence_path` on `evaluated-by` / `traced-by` edges should point at the same real eval artifact rather than a generic index, so the edge itself carries provenance.
|
|
106
|
+
|
|
107
|
+
Both topologies ship a fixture demonstrating this: `reference/fixtures/v3/standalone/.ai/traceability/graph-1.1.json` and `reference/fixtures/v3/umbrella/.ai/traceability/graph-1.1.json`. Each wires a `pr` node → `eval-result` (`evaluated-by`) → `trajectory-trace` (`traced-by`) against the `.ai/evals/example-output-eval/` fixtures.
|
|
108
|
+
|
|
109
|
+
### Version acceptance and migration
|
|
110
|
+
|
|
111
|
+
- The validator accepts any graph whose `schema_version` is `>= 1.1` and treats `eval-result`/`trajectory-trace` as known types; it also still accepts `1.0` graphs (back-compat). A node `type` outside the known enum still fails validation at any version.
|
|
112
|
+
- Migration is a no-op for `1.0` consumers: a `1.0` graph is a valid `1.1` graph minus the two new node types. To migrate, bump `schema_version` to `"1.1"` and add `eval-result`/`trajectory-trace` nodes as eval evidence becomes available.
|
|
113
|
+
|
|
114
|
+
## Required validation
|
|
115
|
+
|
|
116
|
+
1. Every edge `source` and `target` exists in `nodes`.
|
|
117
|
+
2. Every node has `id`, `type`, `title`, `status`, `repo_id`, and either `path` or `host_url`. Every `type` is in the known enum for the declared schema version (`1.1` adds `eval-result` and `trajectory-trace`); an unknown type fails.
|
|
118
|
+
3. Every node backlink references another existing node ID.
|
|
119
|
+
4. The graph covers BRD/PRD/ADR/plan/issue/PR/test/handoff/workflow/validation artifacts when those artifacts exist.
|
|
120
|
+
5. The human index links every node ID back to its file path or host URL.
|
|
121
|
+
6. The validation report records `status: pass` only when the graph has no dangling edges or backlinks.
|
|
122
|
+
|
|
123
|
+
## Cross-skill contracts
|
|
124
|
+
|
|
125
|
+
- `to-prd` must emit or update `prd:*` nodes for generated PRDs/specs.
|
|
126
|
+
- `to-issues` must emit or update `issue:*` nodes and `implements` / `tracked-by` edges.
|
|
127
|
+
- `triage` must preserve issue node status and host URLs when state changes.
|
|
128
|
+
- `setup-skills` must record tracker adapter source metadata for hosted issue nodes.
|
|
129
|
+
- `publish-semver` must link release/versioning evidence to PRD/spec and PR/test nodes.
|
|
130
|
+
- `ai-catapult-init` owns validation and handoff nodes for generated scaffold evidence.
|
|
131
|
+
|
|
132
|
+
## Safety rules
|
|
133
|
+
|
|
134
|
+
- Do not infer hosted links from prose when a host adapter readback is available; use the readback URL/ID.
|
|
135
|
+
- Do not drop local fallback nodes during hosted reconciliation; mark them `superseded` and link to the hosted node.
|
|
136
|
+
- Do not store credentials or private tokens in graph nodes, edges, evidence paths, or validation reports.
|
|
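Review bot: Line 102 names `skill` as a work-item node type that can carry an `evaluated-by` edge, but `skill` is not in the `type` enum on lines 18 and 58, and line 117 says an unknown type fails validation; either add `skill` to the enum or drop it from line 102. The v1.1 example also disagrees with the rules that follow it: its `evaluated-by` edge uses `"evidence_path": ".ai/traceability/index.md"`, the generic index that line 105 says to avoid, it has no `traced-by` edge although line 103 calls for one, and `pr:umbrella-root:workflow-surfaces` appears as an edge source and a backlink without a node, which rules 1 and 3 on lines 116 and 118 would reject. If the example is meant as a fragment, say so next to it. Lines 21 and 136 forbid credentials in IDs, nodes, edges, and evidence paths, yet none of the six Required validation steps checks for them; consider adding a step that fails the report when a `host_url`, `path`, or `evidence_path` carries a token or embedded userinfo.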
@@ -0,0 +1,51 @@
|
|
|
1
|
+
# Tracker Adapters Module
|
|
2
|
+
|
|
3
|
+
Read when choosing where BRDs, PRDs, tickets, and comments live. The adapter is selected at scaffold time and referenced by `ai-catapult-init`; full operation semantics live in `setup-skills`. v3 adds an optional Jira adapter and explicit confirmation boundaries for any host adapter that mutates externally visible state.
|
|
4
|
+
|
|
5
|
+
## Adapter rule
|
|
6
|
+
|
|
7
|
+
`ai-catapult-init` selects and references setup-skills tracker adapters; it does not duplicate their full operation semantics.
|
|
8
|
+
|
|
9
|
+
| Host | Adapter | Confirmation-gated operations |
|
|
10
|
+
| --- | --- | --- |
|
|
11
|
+
| GitHub Issues | `setup-skills/issue-tracker-github.md` | create / update / close / re-open / label / assign / project move |
|
|
12
|
+
| Azure DevOps Boards | `setup-skills/issue-tracker-ado.md` | create / update / close / re-open / tag / assign / state transition |
|
|
13
|
+
| GitLab Issues | `setup-skills/issue-tracker-gitlab.md` | create / update / close / re-open / label / assign |
|
|
14
|
+
| Jira (Cloud) | `setup-skills/issue-tracker-jira.md` (v3) | create / update / transition / close / re-open / assign / project / workflow mutation |
|
|
15
|
+
| Local Markdown | `setup-skills/issue-tracker-local.md` | none (local file writes) |
|
|
16
|
+
|
|
17
|
+
## Required operation shape
|
|
18
|
+
|
|
19
|
+
Every adapter must document equivalents for:
|
|
20
|
+
|
|
21
|
+
- create ticket/work item
|
|
22
|
+
- read ticket/work item with comments
|
|
23
|
+
- list/query by state and label/tag
|
|
24
|
+
- comment
|
|
25
|
+
- update state
|
|
26
|
+
- apply/remove label or tag
|
|
27
|
+
- preserve BRD/PRD/parent backlinks
|
|
28
|
+
|
|
29
|
+
## Jira adapter (v3)
|
|
30
|
+
|
|
31
|
+
The Jira adapter is optional and confirmation-gated. Use it only when the target repo already uses Jira for issue tracking or the user explicitly opts in. The adapter must document:
|
|
32
|
+
|
|
33
|
+
- **Project bootstrap** — read existing project metadata and emit a discovery report before any mutation.
|
|
34
|
+
- **Issue creation** — create issues with `summary`, `description`, `issuetype`, `labels`, `assignee`, and BRD/PRD/parent backlinks. Capture the issue key on success.
|
|
35
|
+
- **Workflow transitions** — list the available transitions for a given issue and apply one with explicit confirmation. Non-admin auto-approval of workflow transitions is disallowed.
|
|
36
|
+
- **Comments** — append a comment and capture the comment id. Comments must preserve BRD/PRD/parent backlinks.
|
|
37
|
+
- **Search** — use JQL (`project = FOO AND type = Bug AND status != Done`) for state and label/tag queries.
|
|
38
|
+
- **Webhook ingestion** — optional; if enabled, the adapter reads webhook events and routes them to the local memory layer (`.memory/self-learned/event-patterns.json`). Webhook ingestion does not require confirmation because it is read-only.
|
|
39
|
+
|
|
40
|
+
### Confirmation boundaries for Jira
|
|
41
|
+
|
|
42
|
+
- Project creation, project metadata changes, and workflow scheme mutations are externally visible. The adapter must capture an explicit confirmation token before calling the mutation API.
|
|
43
|
+
- Issue creation, update, transition, close, and re-open are externally visible. Each apply call must capture a confirmation token.
|
|
44
|
+
- Comments and read operations do not require a confirmation token.
|
|
45
|
+
- The adapter never fabricates an approval on behalf of a non-admin actor. When the actor is not an admin and the host does not support a non-admin bypass, the apply path is rejected and the dry-run plan is returned for explicit human follow-up.
|
|
46
|
+
- The adapter never stores or generates credentials. Credentials are passed via environment variables or the host CLI's secret store.
|
|
47
|
+
- The adapter writes an audit entry to `.ai/host-policy/jira/audit.jsonl` (per-host, consistent with `modules/host-policy-automation.md`), mirroring the format in `modules/host-policy-automation.md`.
|
|
48
|
+
|
|
49
|
+
## Hosted apply path
|
|
50
|
+
|
|
51
|
+
Tracker adapter mutations are routed through the host-policy-automation apply path when they are externally visible. See `modules/host-policy-automation.md` for the discovery / dry-run / confirmation / apply / readback / audit lifecycle.
|
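Review bot: Line 38 exempts webhook ingestion from confirmation as "read-only", but the same bullet has it writing to `.memory/self-learned/event-patterns.json`, so content from an external sender lands in the agent's memory layer with no stated check. Suggest requiring that the adapter authenticate the webhook sender and treat event fields as untrusted data before persisting them, and rewording "read-only" to "does not mutate host state". Line 44 also exempts comments from the confirmation token, although a comment changes externally visible state, which line 3 gives as the trigger for a confirmation boundary; either gate comments or state why they are excepted. The "confirmation token" on lines 42 and 43 is not defined: say what it is bound to (actor, operation, target issue) and whether it is single-use. Line 47 cites `modules/host-policy-automation.md` twice in one sentence; one reference is enough.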