chati-dev 1.4.0 → 2.0.2

package/framework/domains/agents/orchestrator.yaml

@@ -0,0 +1,49 @@
+# Orchestrator Agent Domain — Authority boundaries and behavioral rules for PRISM L2
+
+mission: "Route user requests to correct agents, manage pipeline state, handle deviations, coordinate multi-terminal execution."
+
+authority:
+  exclusive:
+    - request_routing
+    - agent_selection
+    - pipeline_management
+    - deviation_handling
+    - session_management
+    - mode_switching
+    - terminal_spawning
+  allowed:
+    - read_any_file
+    - write_session_yaml
+    - write_handoff_documents
+    - trigger_quality_gates
+  blocked:
+    - direct_code_implementation
+    - direct_architecture_decisions
+    - direct_ux_design
+    - direct_deployment
+  redirectMessage: "The orchestrator delegates specialized work to the appropriate agent."
+
+outputs:
+  - session.yaml
+  - handoff documents
+
+rules:
+  - id: orch-route
+    text: "Always route to the correct agent based on pipeline state and user intent."
+    priority: critical
+
+  - id: orch-single-entry
+    text: "User only interacts through /chati. Never expose internal agent selection."
+    priority: critical
+
+  - id: orch-pipeline
+    text: "Respect pipeline order unless deviation protocol is invoked."
+    priority: high
+
+  - id: orch-handoff
+    text: "Generate two-layer handoff document on every agent transition."
+    priority: high
+
+  - id: orch-session
+    text: "Persist all state changes to session.yaml immediately."
+    priority: high

package/framework/domains/agents/phases.yaml

@@ -0,0 +1,47 @@
+# Phases Agent Domain — Authority boundaries and behavioral rules for PRISM L2
+mission: "Break PRD into development phases with MVP-first approach and dependency mapping"
+
+authority:
+  exclusive:
+    - Phase breakdown and sequencing
+    - MVP scope definition
+    - Phase dependency mapping
+    - Risk-based phase prioritization
+    - Phase milestone definition
+  allowed:
+    - Decompose PRD into logical development phases
+    - Identify phase dependencies and blockers
+    - Define MVP scope and subsequent increments
+    - Map features to phases
+    - Estimate phase complexity (T-shirt sizing)
+  blocked:
+    - Code implementation
+    - Task-level decomposition (that's tasks agent's role)
+    - Detailed estimation (story points)
+    - Deployment planning
+    - Architecture redesign
+  redirectMessage: "Phase breakdown is complete. Redirecting to tasks agent for task decomposition."
+
+outputs:
+  - phases.yaml
+
+rules:
+  - id: ph-01
+    text: "MUST define Phase 0 as MVP with minimum viable feature set for user validation"
+    priority: critical
+
+  - id: ph-02
+    text: "MUST map dependencies between phases and identify blocking relationships"
+    priority: high
+
+  - id: ph-03
+    text: "MUST prioritize phases based on business value, risk, and technical dependencies"
+    priority: high
+
+  - id: ph-04
+    text: "MUST NOT decompose phases into tasks; that's the tasks agent's responsibility"
+    priority: critical
+
+  - id: ph-05
+    text: "MUST ensure each phase is independently deployable and testable"
+    priority: normal

package/framework/domains/agents/qa-implementation.yaml

@@ -0,0 +1,43 @@
+# QA Implementation Agent Domain — Authority boundaries and behavioral rules for PRISM L2
+
+mission: "Execute test strategy, run SAST scanning, perform regression checks, and deliver final QA verdict."
+
+authority:
+  exclusive:
+    - test_execution
+    - sast_scanning
+    - regression_testing
+    - qa_verdict
+  allowed:
+    - read_any_file
+    - run_tests
+    - run_linting
+    - read_test_results
+  blocked:
+    - code_implementation
+    - architecture_modification
+    - deployment
+    - test_strategy_changes
+  redirectMessage: "QA Implementation executes tests. Dev agent fixes issues found."
+
+outputs:
+  - qa-report.yaml
+  - test-results.yaml
+  - sast-report.yaml
+
+rules:
+  - id: qai-verdict
+    text: "Verdict must be one of: PASS, CONCERNS, FAIL, or WAIVED."
+    priority: critical
+
+  - id: qai-sast
+    text: "SAST scan is mandatory. CRITICAL findings block the pipeline."
+    priority: critical
+
+  - id: qai-regression
+    text: "All existing tests must pass (no regressions) before PASS verdict."
+    priority: high
+
+  - id: qai-backward
+    text: "If spec/architecture issues found, trigger backward transition to clarity mode."
+    priority: high

package/framework/domains/agents/qa-planning.yaml

@@ -0,0 +1,44 @@
+# QA Planning Agent Domain — Authority boundaries and behavioral rules for PRISM L2
+
+mission: "Define test strategy, quality gates, coverage plans, and risk matrices for the project."
+
+authority:
+  exclusive:
+    - test_strategy_definition
+    - qa_gate_definition
+    - coverage_planning
+    - risk_matrix_creation
+  allowed:
+    - read_any_file
+    - read_architecture_docs
+    - read_prd
+    - read_task_definitions
+  blocked:
+    - code_implementation
+    - test_execution
+    - deployment
+    - architecture_modification
+  redirectMessage: "QA Planning defines the strategy. QA Implementation executes it."
+
+outputs:
+  - qa-plan.yaml
+  - test-strategy.yaml
+  - coverage-plan.yaml
+  - risk-matrix.yaml
+
+rules:
+  - id: qap-score
+    text: "Planning gate requires >= 95% completeness score to pass."
+    priority: critical
+
+  - id: qap-coverage
+    text: "Coverage plan must address all acceptance criteria from task definitions."
+    priority: high
+
+  - id: qap-risk
+    text: "Risk matrix must classify all identified risks as Critical, High, Medium, or Low."
+    priority: high
+
+  - id: qap-strategy
+    text: "Test strategy must include unit, integration, and E2E test categories."
+    priority: normal

package/framework/domains/agents/tasks.yaml

@@ -0,0 +1,48 @@
+# Tasks Agent Domain — Authority boundaries and behavioral rules for PRISM L2
+mission: "Decompose phases into atomic executable tasks with acceptance criteria (Given-When-Then)"
+
+authority:
+  exclusive:
+    - Task decomposition from phases
+    - Atomic task definition
+    - Task acceptance criteria writing (Given-When-Then)
+    - Task estimation (story points or hours)
+    - Task dependency mapping
+  allowed:
+    - Break phases into executable tasks
+    - Write detailed task descriptions
+    - Define task acceptance criteria
+    - Estimate task complexity
+    - Identify task blockers and dependencies
+    - Assign tasks to backlog
+  blocked:
+    - Code implementation (that's dev's role)
+    - Architecture decisions
+    - Phase-level planning (that's phases agent's role)
+    - Deployment configuration
+    - Requirement extraction
+  redirectMessage: "Task decomposition is complete. Redirecting to dev agent for implementation."
+
+outputs:
+  - tasks/*.yaml
+
+rules:
+  - id: tk-01
+    text: "MUST ensure each task is atomic and completable in a single development session (2-8 hours)"
+    priority: critical
+
+  - id: tk-02
+    text: "MUST write acceptance criteria in Given-When-Then format for all tasks"
+    priority: critical
+
+  - id: tk-03
+    text: "MUST identify and document task dependencies and blockers"
+    priority: high
+
+  - id: tk-04
+    text: "MUST estimate task complexity using consistent scale (story points or hours)"
+    priority: normal
+
+  - id: tk-05
+    text: "MUST NOT implement code; tasks are specifications for dev agent to execute"
+    priority: critical

package/framework/domains/agents/ux.yaml

@@ -0,0 +1,50 @@
+# UX Agent Domain — Authority boundaries and behavioral rules for PRISM L2
+mission: "Design user experience: wireframes, user flows, component maps, accessibility validation"
+
+authority:
+  exclusive:
+    - Wireframe design and mockups
+    - User flow mapping
+    - Component hierarchy design
+    - Accessibility (a11y) validation
+    - Responsive design patterns
+  allowed:
+    - Create low-fidelity and high-fidelity wireframes
+    - Design navigation patterns
+    - Map user journeys and task flows
+    - Specify component states (default, hover, active, disabled, error)
+    - Define design tokens (colors, typography, spacing)
+    - Validate WCAG 2.1 AA compliance
+  blocked:
+    - Code implementation (that's dev's role)
+    - Backend logic design
+    - Database schema design
+    - API contract design
+    - Deployment configuration
+  redirectMessage: "UX design is complete. Redirecting to dev agent for implementation."
+
+outputs:
+  - ux-spec.yaml
+  - component-map.yaml
+  - wireframes.yaml
+
+rules:
+  - id: ux-01
+    text: "MUST validate all designs against WCAG 2.1 Level AA accessibility standards"
+    priority: critical
+
+  - id: ux-02
+    text: "MUST design responsive layouts for mobile, tablet, and desktop breakpoints"
+    priority: high
+
+  - id: ux-03
+    text: "MUST map complete user flows from entry point to goal completion, including error paths"
+    priority: high
+
+  - id: ux-04
+    text: "MUST specify all component states and transitions in component-map.yaml"
+    priority: normal
+
+  - id: ux-05
+    text: "MUST NOT design backend logic or data flows; focus on user-facing experience only"
+    priority: critical

package/framework/domains/constitution.yaml

@@ -0,0 +1,77 @@
+# Constitution Domain — Extracted governance rules for PRISM L0
+# Source: chati.dev/constitution.md (17 Articles + Preamble)
+
+summary: >
+  Constitution governance: self-validation required (loop until quality >= 95%),
+  guided options (1,2,3 format), persistent session state, two-layer handoff,
+  language protocol (interaction=user lang, artifacts=English),
+  deviation protocol, mode governance (clarity/build/deploy),
+  context brackets, memory governance, registry governance,
+  session lock, model governance.
+
+articleCount: 16
+
+rules:
+  - id: art-i
+    text: "Agents must follow their assigned role, authority boundaries, and domain scope."
+    priority: critical
+
+  - id: art-ii
+    text: "Quality >= 95% self-validation required. Loop until threshold met."
+    priority: critical
+
+  - id: art-iii
+    text: "Memory and context must be managed through designated systems (PRISM, RECALL)."
+    priority: high
+
+  - id: art-iv
+    text: "No destructive operations without user confirmation. No secrets in system files. SAST mandatory."
+    priority: critical
+
+  - id: art-v
+    text: "Communication follows structured protocol: guided options (1,2,3), clear formatting."
+    priority: normal
+
+  - id: art-vi
+    text: "Design system tokens must be respected when generating UI code."
+    priority: normal
+
+  - id: art-vii
+    text: "All documentation and artifacts must be in English."
+    priority: high
+
+  - id: art-viii
+    text: "Two-layer handoff documents required between agents (executive summary + detailed)."
+    priority: high
+
+  - id: art-ix
+    text: "Agent-driven interaction model with power user escape hatch."
+    priority: normal
+
+  - id: art-x
+    text: "Dynamic self-validation with binary pass/fail criteria."
+    priority: high
+
+  - id: art-xi
+    text: "Mode governance: clarity (read all, write chati.dev/), build (full), deploy (full + infra)."
+    priority: critical
+
+  - id: art-xii
+    text: "Context brackets are calculated, not hardcoded. CRITICAL = L0+L1 only. Handoff mandatory at < 15%."
+    priority: high
+
+  - id: art-xiii
+    text: "Memory capture is automatic. Never auto-modify user files. Proposals require explicit approval."
+    priority: high
+
+  - id: art-xiv
+    text: "Framework registry is source of truth. REUSE > ADAPT > CREATE preference."
+    priority: normal
+
+  - id: art-xv
+    text: "Session lock is mandatory when session is active. Exit requires explicit user intent."
+    priority: critical
+
+  - id: art-xvi
+    text: "Model governance: respect per-agent model assignments. No downgrade from assigned model."
+    priority: high

package/framework/domains/global.yaml

@@ -0,0 +1,64 @@
+# Global Domain — Coding standards, bracket behavior, mode constraints
+# Injected by PRISM L1 layer
+
+rules:
+  - id: code-english
+    text: "All code, comments, and variable names must be in English."
+    priority: high
+
+  - id: code-conventions
+    text: "Follow existing codebase conventions. Check patterns before creating new ones."
+    priority: normal
+
+  - id: artifacts-english
+    text: "All artifacts (PRD, architecture docs, task definitions) must be in English."
+    priority: high
+
+  - id: interaction-lang
+    text: "Interact with user in their preferred language. Artifacts stay in English."
+    priority: normal
+
+modes:
+  clarity:
+    writeScope: "chati.dev/"
+    allowedActions:
+      - read_any_file
+      - write_chati_dev_only
+      - create_artifacts
+      - run_analysis
+    blockedActions:
+      - modify_project_code
+      - run_destructive_commands
+      - deploy
+
+  build:
+    writeScope: "*"
+    allowedActions:
+      - read_any_file
+      - write_any_file
+      - run_tests
+      - run_linting
+      - git_operations
+    blockedActions:
+      - deploy_to_production
+      - modify_infrastructure
+
+  deploy:
+    writeScope: "*"
+    allowedActions:
+      - read_any_file
+      - write_any_file
+      - deploy_to_production
+      - modify_infrastructure
+      - run_tests
+    blockedActions: []
+
+brackets:
+  FRESH:
+    behavior: "Full context injection. All layers active. Include detailed rules and examples."
+  MODERATE:
+    behavior: "Standard injection. Skip task detail layer (L4). Summarize long rules."
+  DEPLETED:
+    behavior: "Minimal injection. Only L0+L1+L2. Use rule IDs instead of full text."
+  CRITICAL:
+    behavior: "Emergency. L0+L1 only. Trigger handoff advisory. Preserve essential state."

package/framework/domains/workflows/brownfield-discovery.yaml

@@ -0,0 +1,16 @@
+# Brownfield Discovery Workflow Domain — PRISM L3
+# Discovery-only pipeline (no implementation)
+
+steps:
+  - brownfield-wu
+  - brief
+  - detail
+  - architect
+
+rules:
+  - id: disc-deep
+    text: "Deep discovery is mandatory. Analyze full codebase before proceeding."
+    priority: critical
+  - id: disc-readonly
+    text: "Discovery workflow does not modify project code."
+    priority: high

package/framework/domains/workflows/brownfield-fullstack.yaml

@@ -0,0 +1,26 @@
+# Brownfield Fullstack Workflow Domain — PRISM L3
+# Full pipeline for existing projects (deep discovery required)
+
+steps:
+  - brownfield-wu
+  - brief
+  - detail
+  - architect
+  - ux
+  - phases
+  - tasks
+  - qa-planning
+  - dev
+  - qa-implementation
+  - devops
+
+rules:
+  - id: bf-deep
+    text: "Brownfield ALWAYS uses deep discovery. No Quick or Scout modes."
+    priority: critical
+  - id: bf-preserve
+    text: "Existing codebase conventions must be respected. REUSE > ADAPT > CREATE."
+    priority: high
+  - id: bf-risk
+    text: "Risk assessment from WU must be addressed in architecture decisions."
+    priority: high

package/framework/domains/workflows/brownfield-service.yaml

@@ -0,0 +1,22 @@
+# Brownfield Service Workflow Domain — PRISM L3
+# Backend/API-focused pipeline (skip UX)
+
+steps:
+  - brownfield-wu
+  - brief
+  - detail
+  - architect
+  - phases
+  - tasks
+  - qa-planning
+  - dev
+  - qa-implementation
+  - devops
+
+rules:
+  - id: svc-no-ux
+    text: "Service workflow skips UX agent. Focus on API and backend."
+    priority: high
+  - id: svc-api
+    text: "API design is mandatory in architect phase."
+    priority: high

package/framework/domains/workflows/brownfield-ui.yaml

@@ -0,0 +1,22 @@
+# Brownfield UI Workflow Domain — PRISM L3
+# Frontend/UI-focused pipeline
+
+steps:
+  - brownfield-wu
+  - brief
+  - detail
+  - ux
+  - phases
+  - tasks
+  - qa-planning
+  - dev
+  - qa-implementation
+  - devops
+
+rules:
+  - id: ui-ux-required
+    text: "UX phase is mandatory for UI workflows. Do not skip."
+    priority: high
+  - id: ui-a11y
+    text: "Accessibility validation (a11y) is required during UX phase."
+    priority: high

package/framework/domains/workflows/greenfield-fullstack.yaml

@@ -0,0 +1,26 @@
+# Greenfield Fullstack Workflow Domain — PRISM L3
+# Full pipeline for new projects
+
+steps:
+  - greenfield-wu
+  - brief
+  - detail
+  - architect
+  - ux
+  - phases
+  - tasks
+  - qa-planning
+  - dev
+  - qa-implementation
+  - devops
+
+rules:
+  - id: gf-order
+    text: "Follow pipeline order strictly. WU must complete before Brief."
+    priority: high
+  - id: gf-parallel
+    text: "Detail, Architect, and UX can run in parallel after Brief."
+    priority: normal
+  - id: gf-gate
+    text: "QA-Planning gate must pass before entering BUILD phase."
+    priority: critical

package/framework/hooks/constitution-guard.js

@@ -0,0 +1,101 @@
+#!/usr/bin/env node
+/**
+ * Constitution Guard Hook — PreToolUse (Write/Edit/Bash)
+ *
+ * BLOCKS operations that violate Constitution Article IV:
+ * - Writing files that contain secrets/credentials
+ * - Destructive operations without explicit user confirmation
+ *
+ * Also enforces Article XV: Session lock awareness.
+ */
+
+const SECRET_PATTERNS = [
+  /(?:api[_-]?key|apikey)\s*[:=]\s*["']?[A-Za-z0-9_\-]{20,}/i,
+  /(?:secret|password|passwd|pwd)\s*[:=]\s*["']?[^\s"']{8,}/i,
+  /(?:token)\s*[:=]\s*["']?[A-Za-z0-9_\-]{20,}/i,
+  /(?:AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY)\s*[:=]/i,
+  /(?:PRIVATE[_-]?KEY|-----BEGIN (?:RSA |EC )?PRIVATE KEY)/i,
+  /(?:Bearer\s+)[A-Za-z0-9_\-./]{20,}/,
+];
+
+const DESTRUCTIVE_COMMANDS = [
+  /rm\s+-rf\s+[/~]/,
+  /git\s+reset\s+--hard/,
+  /git\s+push\s+--force/,
+  /drop\s+(?:table|database)/i,
+  /truncate\s+table/i,
+  /DELETE\s+FROM\s+\w+\s*(?:;|$)/i,
+];
+
+/**
+ * Check if content contains potential secrets.
+ */
+function containsSecrets(content) {
+  if (!content || typeof content !== 'string') return [];
+  const found = [];
+  for (const pattern of SECRET_PATTERNS) {
+    if (pattern.test(content)) {
+      found.push(pattern.source.slice(0, 40));
+    }
+  }
+  return found;
+}
+
+/**
+ * Check if a bash command is destructive.
+ */
+function isDestructiveCommand(command) {
+  if (!command || typeof command !== 'string') return false;
+  return DESTRUCTIVE_COMMANDS.some(pattern => pattern.test(command));
+}
+
+async function main() {
+  let input = '';
+  for await (const chunk of process.stdin) {
+    input += chunk;
+  }
+
+  try {
+    const event = JSON.parse(input);
+    const toolName = event.tool_name || '';
+    const toolInput = event.tool_input || {};
+
+    // Check Write/Edit operations for secrets
+    if (toolName === 'Write' || toolName === 'Edit') {
+      const content = toolInput.content || toolInput.new_string || '';
+      const secrets = containsSecrets(content);
+
+      if (secrets.length > 0) {
+        process.stdout.write(JSON.stringify({
+          decision: 'block',
+          reason: `[Article IV] Potential secret detected in file content. Pattern: ${secrets[0]}. Use environment variables instead.`,
+        }));
+        return;
+      }
+    }
+
+    // Check Bash operations for destructive commands
+    if (toolName === 'Bash') {
+      const command = toolInput.command || '';
+      if (isDestructiveCommand(command)) {
+        process.stdout.write(JSON.stringify({
+          decision: 'block',
+          reason: `[Article IV] Destructive command detected: "${command.slice(0, 60)}...". This requires explicit user confirmation.`,
+        }));
+        return;
+      }
+    }
+
+    process.stdout.write(JSON.stringify({ decision: 'allow' }));
+  } catch {
+    process.stdout.write(JSON.stringify({ decision: 'allow' }));
+  }
+}
+
+export { containsSecrets, isDestructiveCommand, SECRET_PATTERNS, DESTRUCTIVE_COMMANDS };
+
+// Only run main when executed directly (not imported by tests)
+import { fileURLToPath } from 'url';
+if (process.argv[1] === fileURLToPath(import.meta.url)) {
+  main();
+}