guardian-framework 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (216) hide show
  1. package/LICENSE +21 -0
  2. package/README.md +463 -0
  3. package/dist/cli.js +12958 -0
  4. package/dist/exports.js +12765 -0
  5. package/package.json +61 -0
  6. package/templates/languages/go-patterns.md +411 -0
  7. package/templates/languages/java-patterns.md +545 -0
  8. package/templates/languages/python-patterns.md +312 -0
  9. package/templates/languages/rust-patterns.md +232 -0
  10. package/templates/languages/typescript-patterns.md +313 -0
  11. package/templates/pi/INDEX.md +437 -0
  12. package/templates/pi/agent/AGENTS.md +166 -0
  13. package/templates/pi/agents/architecture-coordinator.md +40 -0
  14. package/templates/pi/agents/architecture-validator.md +36 -0
  15. package/templates/pi/agents/bootstrap-implementer.md +37 -0
  16. package/templates/pi/agents/issue-factory.md +31 -0
  17. package/templates/pi/agents/operations-validator.md +32 -0
  18. package/templates/pi/agents/security-validator.md +33 -0
  19. package/templates/pi/architecture/CHANGELOG.md +78 -0
  20. package/templates/pi/architecture/decisions/ADR-template.md +76 -0
  21. package/templates/pi/architecture/diagrams/system-overview.md +159 -0
  22. package/templates/pi/architecture/modules/module-template.md +152 -0
  23. package/templates/pi/context/checklists.md +91 -0
  24. package/templates/pi/context/domain-workflow.md +180 -0
  25. package/templates/pi/context/output-formats.md +135 -0
  26. package/templates/pi/context/patterns-base.md +47 -0
  27. package/templates/pi/context/patterns.md +38 -0
  28. package/templates/pi/context/project.md +88 -0
  29. package/templates/pi/domain/exploration.md +93 -0
  30. package/templates/pi/domain/ubiquitous-language.md +24 -0
  31. package/templates/pi/extensions/architect-lib/generators.ts +528 -0
  32. package/templates/pi/extensions/architect-lib/helpers.ts +344 -0
  33. package/templates/pi/extensions/architect-lib/types.ts +117 -0
  34. package/templates/pi/extensions/architect.ts +1425 -0
  35. package/templates/pi/extensions/ask-user-question.ts +579 -0
  36. package/templates/pi/extensions/bash-guard.ts +556 -0
  37. package/templates/pi/extensions/config-reload.ts +115 -0
  38. package/templates/pi/extensions/coordinator.ts +304 -0
  39. package/templates/pi/extensions/curator.ts +543 -0
  40. package/templates/pi/extensions/domain-explorer.ts +990 -0
  41. package/templates/pi/extensions/filechanges.ts +656 -0
  42. package/templates/pi/extensions/goal-loop.ts +717 -0
  43. package/templates/pi/extensions/hooks.ts +452 -0
  44. package/templates/pi/extensions/kanban.ts +547 -0
  45. package/templates/pi/extensions/pipeline.ts +1246 -0
  46. package/templates/pi/extensions/plan-mode.ts +209 -0
  47. package/templates/pi/extensions/project-scaffolder.ts +284 -0
  48. package/templates/pi/extensions/read-only-mode.ts +192 -0
  49. package/templates/pi/extensions/redaction.ts +128 -0
  50. package/templates/pi/extensions/session-persistence.ts +174 -0
  51. package/templates/pi/extensions/slash-commands.ts +229 -0
  52. package/templates/pi/extensions/snippets.ts +201 -0
  53. package/templates/pi/extensions/validation-runner.ts +100 -0
  54. package/templates/pi/github/agents/architecture-coordinator.agent.md +27 -0
  55. package/templates/pi/github/agents/architecture-validator.agent.md +20 -0
  56. package/templates/pi/github/agents/bootstrap-implementer.agent.md +20 -0
  57. package/templates/pi/github/agents/epic-planner.agent.md +70 -0
  58. package/templates/pi/github/agents/issue-factory.agent.md +20 -0
  59. package/templates/pi/github/agents/operations-validator.agent.md +20 -0
  60. package/templates/pi/github/agents/security-validator.agent.md +20 -0
  61. package/templates/pi/github/copilot/settings.json +16 -0
  62. package/templates/pi/github/copilot-instructions.md +155 -0
  63. package/templates/pi/github/instructions/architecture.instructions.md +71 -0
  64. package/templates/pi/github/instructions/validation.instructions.md +69 -0
  65. package/templates/pi/github/workflows/01-planning-workflow.md +75 -0
  66. package/templates/pi/github/workflows/02-issue-generation-workflow.md +69 -0
  67. package/templates/pi/github/workflows/03-implementation-workflow.md +80 -0
  68. package/templates/pi/github/workflows/04-validation-workflow.md +68 -0
  69. package/templates/pi/preflight_report.json +99 -0
  70. package/templates/pi/prompts/blueprint-update.md +262 -0
  71. package/templates/pi/prompts/blueprint-validate.md +218 -0
  72. package/templates/pi/prompts/bug-fix.md +50 -0
  73. package/templates/pi/prompts/ci-blueprint.md +131 -0
  74. package/templates/pi/prompts/context-refresh.md +258 -0
  75. package/templates/pi/prompts/epic-plan.md +356 -0
  76. package/templates/pi/prompts/epic-template.md +186 -0
  77. package/templates/pi/prompts/feature-development.md +131 -0
  78. package/templates/pi/prompts/git-issues.md +243 -0
  79. package/templates/pi/prompts/hotfix.md +71 -0
  80. package/templates/pi/prompts/issue-closeout.md +342 -0
  81. package/templates/pi/prompts/issue-draft.md +218 -0
  82. package/templates/pi/prompts/issue-implementation-series.md +173 -0
  83. package/templates/pi/prompts/issue-merge.md +372 -0
  84. package/templates/pi/prompts/issue-template-set.md +392 -0
  85. package/templates/pi/prompts/issue-template.md +207 -0
  86. package/templates/pi/prompts/pattern-extract.md +269 -0
  87. package/templates/pi/prompts/plan-to-issues.md +430 -0
  88. package/templates/pi/prompts/refactoring.md +82 -0
  89. package/templates/pi/prompts/scope-analyzer.md +254 -0
  90. package/templates/pi/prompts/sync-check.md +230 -0
  91. package/templates/pi/scripts/categorize-issues.sh +171 -0
  92. package/templates/pi/scripts/ci/check_architecture_conformance.sh +748 -0
  93. package/templates/pi/scripts/ci/check_planning_packet.py +228 -0
  94. package/templates/pi/scripts/ci/run_hardening_stages.sh +264 -0
  95. package/templates/pi/scripts/ci/run_preflight.sh +649 -0
  96. package/templates/pi/scripts/ci/run_stage.sh +193 -0
  97. package/templates/pi/scripts/ci/stage_docs_policy.sh +82 -0
  98. package/templates/pi/scripts/ci/stage_integration.sh +3 -0
  99. package/templates/pi/scripts/ci/stage_lint.sh +130 -0
  100. package/templates/pi/scripts/ci/stage_migration_verify.sh +3 -0
  101. package/templates/pi/scripts/ci/stage_package_build.sh +3 -0
  102. package/templates/pi/scripts/ci/stage_release_readiness.sh +3 -0
  103. package/templates/pi/scripts/ci/stage_remaining.sh +242 -0
  104. package/templates/pi/scripts/ci/stage_security.sh +3 -0
  105. package/templates/pi/scripts/ci/stage_static_analysis.sh +114 -0
  106. package/templates/pi/scripts/ci/stage_unit.sh +119 -0
  107. package/templates/pi/scripts/ci/validate_agent_output.py +181 -0
  108. package/templates/pi/scripts/ci/validate_agent_output.sh +243 -0
  109. package/templates/pi/scripts/create-feature-branch.sh +136 -0
  110. package/templates/pi/scripts/create-mr.sh +117 -0
  111. package/templates/pi/scripts/fetch-issues.sh +131 -0
  112. package/templates/pi/scripts/generate-architecture.sh +161 -0
  113. package/templates/pi/scripts/git/close-epic.sh +69 -0
  114. package/templates/pi/scripts/git/close-issue.sh +35 -0
  115. package/templates/pi/scripts/git/create-tracking-issue.sh +174 -0
  116. package/templates/pi/scripts/git/link-issue-to-epic.sh +51 -0
  117. package/templates/pi/scripts/git/update-tracking-issue.sh +66 -0
  118. package/templates/pi/scripts/languages/go/validate-architecture.sh +139 -0
  119. package/templates/pi/scripts/languages/go/validate-canonical.sh +129 -0
  120. package/templates/pi/scripts/languages/go/validate-ci.sh +132 -0
  121. package/templates/pi/scripts/languages/go/validate-integration.sh +156 -0
  122. package/templates/pi/scripts/languages/go/validate-operations.sh +146 -0
  123. package/templates/pi/scripts/languages/go/validate-security.sh +135 -0
  124. package/templates/pi/scripts/languages/go/validate-tests.sh +125 -0
  125. package/templates/pi/scripts/languages/java/validate-annotations.sh +185 -0
  126. package/templates/pi/scripts/languages/java/validate-architecture.sh +159 -0
  127. package/templates/pi/scripts/languages/java/validate-canonical.sh +114 -0
  128. package/templates/pi/scripts/languages/java/validate-ci.sh +269 -0
  129. package/templates/pi/scripts/languages/java/validate-integration.sh +149 -0
  130. package/templates/pi/scripts/languages/java/validate-operations.sh +142 -0
  131. package/templates/pi/scripts/languages/java/validate-security.sh +174 -0
  132. package/templates/pi/scripts/languages/java/validate-spring-architecture.sh +227 -0
  133. package/templates/pi/scripts/languages/java/validate-tests.sh +159 -0
  134. package/templates/pi/scripts/languages/python/validate-architecture.sh +99 -0
  135. package/templates/pi/scripts/languages/python/validate-canonical.sh +124 -0
  136. package/templates/pi/scripts/languages/python/validate-ci.sh +130 -0
  137. package/templates/pi/scripts/languages/python/validate-integration.sh +119 -0
  138. package/templates/pi/scripts/languages/python/validate-operations.sh +107 -0
  139. package/templates/pi/scripts/languages/python/validate-security.sh +68 -0
  140. package/templates/pi/scripts/languages/python/validate-tests.sh +102 -0
  141. package/templates/pi/scripts/languages/rust/validate-architecture.sh +188 -0
  142. package/templates/pi/scripts/languages/rust/validate-canonical.sh +146 -0
  143. package/templates/pi/scripts/languages/rust/validate-ci.sh +147 -0
  144. package/templates/pi/scripts/languages/rust/validate-integration.sh +149 -0
  145. package/templates/pi/scripts/languages/rust/validate-operations.sh +154 -0
  146. package/templates/pi/scripts/languages/rust/validate-security.sh +153 -0
  147. package/templates/pi/scripts/languages/rust/validate-tests.sh +150 -0
  148. package/templates/pi/scripts/languages/typescript/validate-architecture.sh +157 -0
  149. package/templates/pi/scripts/languages/typescript/validate-canonical.sh +135 -0
  150. package/templates/pi/scripts/languages/typescript/validate-ci.sh +244 -0
  151. package/templates/pi/scripts/languages/typescript/validate-integration.sh +166 -0
  152. package/templates/pi/scripts/languages/typescript/validate-operations.sh +162 -0
  153. package/templates/pi/scripts/languages/typescript/validate-security.sh +169 -0
  154. package/templates/pi/scripts/languages/typescript/validate-tests.sh +158 -0
  155. package/templates/pi/scripts/merge-mr.sh +95 -0
  156. package/templates/pi/scripts/mr-validation.sh +228 -0
  157. package/templates/pi/scripts/validate-architecture-readiness.sh +153 -0
  158. package/templates/pi/scripts/validate-architecture.sh +22 -0
  159. package/templates/pi/scripts/validate-canonical.sh +22 -0
  160. package/templates/pi/scripts/validate-ci.sh +37 -0
  161. package/templates/pi/scripts/validate-integration.sh +22 -0
  162. package/templates/pi/scripts/validate-operations.sh +22 -0
  163. package/templates/pi/scripts/validate-security.sh +22 -0
  164. package/templates/pi/scripts/validate-tests.sh +22 -0
  165. package/templates/pi/scripts/validate-ubiquitous-language.sh +291 -0
  166. package/templates/pi/scripts/validation-cache.sh +139 -0
  167. package/templates/pi/skills/agents/architecture-coordinator.md +178 -0
  168. package/templates/pi/skills/agents/architecture-generator.md +79 -0
  169. package/templates/pi/skills/agents/architecture-validator.md +74 -0
  170. package/templates/pi/skills/agents/ci-mr-validator.md +46 -0
  171. package/templates/pi/skills/agents/code-developer.md +76 -0
  172. package/templates/pi/skills/agents/commit.md +46 -0
  173. package/templates/pi/skills/agents/curator.md +71 -0
  174. package/templates/pi/skills/agents/debug.md +59 -0
  175. package/templates/pi/skills/agents/documentation-maintainer.md +36 -0
  176. package/templates/pi/skills/agents/goal-loop.md +125 -0
  177. package/templates/pi/skills/agents/hooks.md +122 -0
  178. package/templates/pi/skills/agents/integration-validator.md +35 -0
  179. package/templates/pi/skills/agents/issue-creator.md +75 -0
  180. package/templates/pi/skills/agents/issue-factory.md +143 -0
  181. package/templates/pi/skills/agents/kanban.md +85 -0
  182. package/templates/pi/skills/agents/land.md +59 -0
  183. package/templates/pi/skills/agents/operations-validator.md +43 -0
  184. package/templates/pi/skills/agents/pipeline.md +113 -0
  185. package/templates/pi/skills/agents/plan-mode.md +77 -0
  186. package/templates/pi/skills/agents/pull.md +40 -0
  187. package/templates/pi/skills/agents/push.md +41 -0
  188. package/templates/pi/skills/agents/security-validator.md +85 -0
  189. package/templates/pi/skills/agents/session-persistence.md +119 -0
  190. package/templates/pi/skills/agents/slash-commands.md +117 -0
  191. package/templates/pi/skills/agents/snippets.md +99 -0
  192. package/templates/pi/skills/agents/subagent-registry.md +78 -0
  193. package/templates/pi/skills/agents/test-validator.md +42 -0
  194. package/templates/pi/skills/validators/architecture-validator.md +43 -0
  195. package/templates/pi/skills/validators/ci-validator.md +27 -0
  196. package/templates/pi/skills/validators/context-compaction.md +73 -0
  197. package/templates/pi/skills/validators/integration-validator.md +38 -0
  198. package/templates/pi/skills/validators/model-registry.md +96 -0
  199. package/templates/pi/skills/validators/operations-validator.md +34 -0
  200. package/templates/pi/skills/validators/security-guards.md +72 -0
  201. package/templates/pi/skills/validators/security-validator.md +41 -0
  202. package/templates/pi/skills/validators/system-prompt-tiers.md +69 -0
  203. package/templates/pi/skills/validators/test-validator.md +33 -0
  204. package/templates/pi/types.ts +62 -0
  205. package/templates/pi/validators/README.md +93 -0
  206. package/templates/pi/validators/default.toml +209 -0
  207. package/templates/pi/validators/spring.toml +142 -0
  208. package/templates/pi/workpad.md +53 -0
  209. package/templates/project/java/Dockerfile +14 -0
  210. package/templates/project/java/README.md +40 -0
  211. package/templates/project/java/pom.xml +132 -0
  212. package/templates/project/typescript/Dockerfile +15 -0
  213. package/templates/project/typescript/README.md +29 -0
  214. package/templates/project/typescript/package.json +23 -0
  215. package/templates/project/typescript/tsconfig.json +21 -0
  216. package/templates/workflow.md +123 -0
@@ -0,0 +1,392 @@
1
+ # Guardian Issue Template Set
2
+
3
+ > **Use these templates to generate architecture-aware, independently reviewable issues.**
4
+ > Every issue generated by the Issue Factory follows these templates. Each issue is the smallest independently reviewable unit with complete session context.
5
+
6
+ ## General Rules
7
+
8
+ Every issue must contain:
9
+
10
+ - **Why** — Business or platform reason
11
+ - **Scope** — Exact change
12
+ - **In scope** — Bullet list of what's included
13
+ - **Out of scope** — Bullet list of what's explicitly excluded
14
+ - **Dependencies** — blocked by / blocks relationships
15
+ - **Acceptance criteria** — Tied to specific Guardian validators
16
+ - **Verification requirements** — Unit/integration/conformance tests
17
+ - **Canonical references** — Architecture module + ADR paths
18
+ - **Files/layers affected** — domain, application, infrastructure, api
19
+ - **Rollout or operational notes** — When relevant
20
+
21
+ ---
22
+
23
+ ## 1. Contract Issue Template
24
+
25
+ Use for: Domain contracts, API contracts, event contracts, compatibility rules.
26
+
27
+ ### Title
28
+
29
+ `contract: <concrete contract change>`
30
+
31
+ ### Why
32
+
33
+ Why this contract must be defined before implementation.
34
+
35
+ ### Scope
36
+
37
+ Define the architecture contract precisely.
38
+
39
+ ### In scope
40
+
41
+ - aggregate or state-machine rule changes
42
+ - API contract changes
43
+ - event contract changes
44
+ - compatibility rules
45
+
46
+ ### Out of scope
47
+
48
+ - repository implementation
49
+ - worker implementation
50
+ - dashboards/runbooks
51
+
52
+ ### Dependencies
53
+
54
+ - blocked by: epic approval
55
+ - blocks: schema, repository, handler, runtime issues
56
+
57
+ ### Acceptance criteria
58
+
59
+ - [ ] Domain/application/runtime contract is explicit
60
+ - [ ] compatibility and versioning rules are explicit
61
+ - [ ] forbidden changes are listed
62
+ - [ ] impacted layers are listed
63
+
64
+ ### Verification
65
+
66
+ - architecture review
67
+ - contract review
68
+
69
+ ### Canonical references
70
+
71
+ - `.pi/architecture/modules/<module>.md`
72
+ - relevant ADRs
73
+
74
+ ---
75
+
76
+ ## 2. Schema / Index / Config Issue Template
77
+
78
+ Use for: Migrations, indexes, RLS policies, queue/Redis/blob/config changes.
79
+
80
+ ### Title
81
+
82
+ `infrastructure: <schema/index/config action>`
83
+
84
+ ### Why
85
+
86
+ Why persistence or runtime configuration must change.
87
+
88
+ ### Scope
89
+
90
+ Describe exact schema/index/config changes.
91
+
92
+ ### In scope
93
+
94
+ - migrations
95
+ - indexes
96
+ - RLS policies
97
+ - queue/Redis/blob/config changes
98
+
99
+ ### Out of scope
100
+
101
+ - handler or API behavior beyond what config enables
102
+ - rollout communications unless required for safety
103
+
104
+ ### Dependencies
105
+
106
+ - blocked by: contract issue
107
+ - blocks: repository/service and runtime issues
108
+
109
+ ### Acceptance criteria
110
+
111
+ - [ ] migration or config change is explicit
112
+ - [ ] required indexes/policies are present
113
+ - [ ] tenant isolation impact is reviewed
114
+ - [ ] rollback path is documented
115
+
116
+ ### Verification
117
+
118
+ - migration verification
119
+ - integration tests
120
+ - conformance tests when applicable
121
+
122
+ ### Canonical references
123
+
124
+ - `.pi/architecture/modules/<module>.md`
125
+ - `.pi/architecture/decisions/ADR-*.md`
126
+
127
+ ---
128
+
129
+ ## 3. Repository / Service Issue Template
130
+
131
+ Use for: Repository logic, storage adapters, Redis/queue/blob/AI service integration.
132
+
133
+ ### Title
134
+
135
+ `infrastructure: <repository or service change>`
136
+
137
+ ### Why
138
+
139
+ Why adapters or persistence services must change.
140
+
141
+ ### Scope
142
+
143
+ List repositories, service adapters, or infrastructure modules touched.
144
+
145
+ ### In scope
146
+
147
+ - repository logic
148
+ - storage adapters
149
+ - Redis/queue/blob/AI service integration changes
150
+ - timeout/retry/circuit-breaker changes
151
+
152
+ ### Out of scope
153
+
154
+ - API contract redesign
155
+ - broad runtime orchestration refactors not required for this issue
156
+
157
+ ### Dependencies
158
+
159
+ - blocked by: contract issue, schema/index/config issue
160
+ - blocks: handler/runtime issues
161
+
162
+ ### Acceptance criteria
163
+
164
+ - [ ] tenant guarantees remain intact
165
+ - [ ] idempotency behavior remains intact
166
+ - [ ] timeout/retry behavior is explicit
167
+ - [ ] required observability is added
168
+
169
+ ### Verification
170
+
171
+ - integration tests
172
+ - infrastructure-focused conformance tests
173
+
174
+ ### Canonical references
175
+
176
+ - `.pi/architecture/modules/<module>.md`
177
+ - `.pi/architecture/decisions/ADR-*.md`
178
+
179
+ ---
180
+
181
+ ## 4. Handler / Runtime Issue Template
182
+
183
+ Use for: Command/query handlers, UoW/outbox behavior, worker logic, LangGraph flow changes.
184
+
185
+ ### Title
186
+
187
+ `application-runtime: <handler or worker action>`
188
+
189
+ ### Why
190
+
191
+ Why application flow or worker behavior must change.
192
+
193
+ ### Scope
194
+
195
+ Describe the exact command/query/handler/runtime behavior to implement.
196
+
197
+ ### In scope
198
+
199
+ - command or query handlers
200
+ - UoW/outbox behavior
201
+ - worker logic
202
+ - LangGraph flow changes
203
+ - retry/resume/checkpoint logic
204
+
205
+ ### Out of scope
206
+
207
+ - unrelated schema redesign
208
+ - unrelated frontend/BFF changes
209
+
210
+ ### Dependencies
211
+
212
+ - blocked by: contract issue, repository/service issue
213
+ - blocks: verification and rollout issues
214
+
215
+ ### Acceptance criteria
216
+
217
+ - [ ] transaction boundary is explicit
218
+ - [ ] state transitions are valid
219
+ - [ ] idempotency behavior is explicit
220
+ - [ ] replay/resume safety is preserved
221
+ - [ ] errors and observability are updated
222
+
223
+ ### Verification
224
+
225
+ - unit tests
226
+ - integration tests
227
+ - runtime conformance tests
228
+
229
+ ### Canonical references
230
+
231
+ - `.pi/architecture/modules/<module>.md`
232
+ - `.pi/architecture/decisions/ADR-*.md`
233
+
234
+ ---
235
+
236
+ ## 5. Verification / Conformance Issue Template
237
+
238
+ Use for: Architecture conformance tests, integration regression tests, contract validation, CI enforcement.
239
+
240
+ ### Title
241
+
242
+ `verification: <conformance area>`
243
+
244
+ ### Why
245
+
246
+ Why the architecture needs executable verification for this area.
247
+
248
+ ### Scope
249
+
250
+ Describe exact checks or tests to add.
251
+
252
+ ### In scope
253
+
254
+ - architecture conformance tests
255
+ - integration regression tests
256
+ - contract validation tests
257
+ - CI enforcement additions
258
+
259
+ ### Out of scope
260
+
261
+ - feature implementation unrelated to verification
262
+
263
+ ### Dependencies
264
+
265
+ - blocked by: contract and implementation issues
266
+ - blocks: release readiness for the epic
267
+
268
+ ### Acceptance criteria
269
+
270
+ - [ ] failing behavior is detectable automatically
271
+ - [ ] tests run in Guardian CI pipeline
272
+ - [ ] required fixtures/services are defined
273
+ - [ ] documentation explains what is enforced
274
+
275
+ ### Verification
276
+
277
+ - CI execution proof
278
+ - failing test demonstration where appropriate
279
+
280
+ ### Canonical references
281
+
282
+ - `.pi/architecture/modules/<module>.md`
283
+ - `.pi/architecture/decisions/ADR-*.md`
284
+
285
+ ---
286
+
287
+ ## 6. Rollout / Runbook / Ops Issue Template
288
+
289
+ Use for: Dashboards, alerts, runbooks, SLO updates, rollout sequencing, rollback steps.
290
+
291
+ ### Title
292
+
293
+ `operations: <rollout or runbook change>`
294
+
295
+ ### Why
296
+
297
+ Why production readiness requires this operational work.
298
+
299
+ ### Scope
300
+
301
+ Describe exact rollout, monitoring, alerting, or runbook output.
302
+
303
+ ### In scope
304
+
305
+ - dashboards
306
+ - alerts
307
+ - runbooks
308
+ - SLO updates
309
+ - rollout sequencing
310
+ - rollback steps
311
+
312
+ ### Out of scope
313
+
314
+ - primary code implementation unless minimal for observability hooks
315
+
316
+ ### Dependencies
317
+
318
+ - blocked by: implementation and verification issues
319
+
320
+ ### Acceptance criteria
321
+
322
+ - [ ] operational visibility exists
323
+ - [ ] alerting or dashboard updates are defined
324
+ - [ ] rollback steps exist
325
+ - [ ] release checklist impact is documented
326
+
327
+ ### Verification
328
+
329
+ - runbook review
330
+ - dashboard/alert validation
331
+ - rollout rehearsal or dry run where necessary
332
+
333
+ ### Canonical references
334
+
335
+ - `.pi/architecture/modules/<module>.md`
336
+ - `.pi/architecture/decisions/ADR-*.md`
337
+
338
+ ---
339
+
340
+ ## 7. High-Risk Issue Addendum
341
+
342
+ Use this addendum for issues labeled `risk::high`.
343
+
344
+ ### Additional Required Fields
345
+
346
+ - Failure mode analysis
347
+ - Data integrity risk
348
+ - Multi-tenant isolation risk
349
+ - Security review notes
350
+ - Rollback plan
351
+ - Feature flag or staged rollout decision
352
+
353
+ ### Additional Approvals
354
+
355
+ - Architecture Validator Agent
356
+ - Security Agent or security reviewer
357
+ - Operations Agent or release reviewer
358
+
359
+ ---
360
+
361
+ ## Recommended Labels
362
+
363
+ | Label | Meaning |
364
+ |-------|---------|
365
+ | `layer::domain` | Domain model, entities, value objects |
366
+ | `layer::application` | Use cases, services, handlers |
367
+ | `layer::infrastructure` | Databases, queues, external APIs |
368
+ | `layer::api` | REST/gRPC endpoints, middleware |
369
+ | `layer::security` | Auth, encryption, secrets |
370
+ | `layer::operations` | Observability, runbooks, DR |
371
+ | `type::feature` | New functionality |
372
+ | `type::hardening` | Security/performance improvement |
373
+ | `type::migration` | Schema or config migration |
374
+ | `type::test` | Test-only work |
375
+ | `risk::high` | Breaks existing behavior |
376
+ | `risk::medium` | Changes internal behavior |
377
+ | `risk::low` | Additive, no breaking changes |
378
+
379
+ ---
380
+
381
+ ## Dependency Ordering
382
+
383
+ 1. **contract issue** — Domain contracts, API contracts
384
+ 2. **schema/index issue** — Migrations, indexes, config
385
+ 3. **repository/service issue** — Data access, adapters
386
+ 4. **handler/runtime issue** — Business logic, workers
387
+ 5. **verification issue** — Tests, conformance
388
+ 6. **rollout/runbook issue** — Ops, monitoring
389
+
390
+ ---
391
+
392
+ *Use the smallest template that matches the actual unit of work.*
@@ -0,0 +1,207 @@
1
+ # Guardian Issue Contract
2
+
3
+ > **Professional issue template with complete context for a fresh session agent to implement correctly.**
4
+ > Every issue generated by `/architect` follows this contract. The YAML front matter is parsed by Guardian; the body is the agent's complete session context.
5
+
6
+ ---
7
+
8
+ ## Template
9
+
10
+ ```markdown
11
+ ---
12
+ guardian_issue:
13
+ id: ISSUE-001
14
+ title: "JWT Token Validation"
15
+ epic: "Auth Module v1"
16
+ epic_id: EPIC-001
17
+ tracking_issue: 100
18
+ status: planned
19
+ priority: high
20
+ created_at: "2026-05-17T00:00:00Z"
21
+ updated_at: "2026-05-17T00:00:00Z"
22
+
23
+ intent: |
24
+ Implement JWT token validation for the auth system. Validate tokens from
25
+ request headers, check expiry, verify signature with RS256, and enforce
26
+ required claims (sub, iss, exp, iat).
27
+
28
+ dependencies:
29
+ - name: none
30
+ type: external
31
+ note: "No internal dependencies. This is a root component."
32
+
33
+ in_scope:
34
+ - JWT token parsing and validation
35
+ - RS256 signature verification with JWK rotation
36
+ - Expiry and claim validation
37
+ - Error handling for invalid/expired tokens
38
+ - Unit tests for all validation paths
39
+ - Integration tests with mock JWT provider
40
+
41
+ out_of_scope:
42
+ - Token generation (handled by upstream auth provider)
43
+ - OAuth2 flow (handled by OAuth2 Provider Integration component)
44
+ - Session storage (handled by Session Management component)
45
+ - UI/login pages
46
+
47
+ affected_layers:
48
+ domain:
49
+ - "New: JwtToken entity"
50
+ - "New: TokenValidator interface"
51
+ - "New: ValidationError domain errors"
52
+ application:
53
+ - "New: ValidateToken use case"
54
+ - "New: TokenValidationService"
55
+ infrastructure:
56
+ - "New: JwkClient for fetching public keys"
57
+ - "New: Redis cache for JWK rotation"
58
+ api:
59
+ - "New: Auth middleware for token validation"
60
+ - "Modified: Error response format for 401/403"
61
+
62
+ canonical_references:
63
+ - module: ".pi/architecture/modules/auth-system.md#jwt-token-validation"
64
+ - adr:
65
+ - ".pi/architecture/decisions/ADR-001-auth-pattern.md"
66
+ - ".pi/architecture/decisions/ADR-003-jwt-algorithm.md"
67
+ - last_sync: "2026-05-17"
68
+
69
+ acceptance_criteria:
70
+ - "CI pipeline passes (validate-ci.sh)"
71
+ - "All unit tests pass with ≥ 90% coverage"
72
+ - "Integration tests pass against mock JWT provider"
73
+ - "validate-security.sh passes (no hardcoded secrets, proper key handling)"
74
+ - "validate-architecture.sh passes (layer boundaries respected)"
75
+ - "validate-canonical.sh passes (implementation references architecture)"
76
+
77
+ validators:
78
+ - ci
79
+ - tests
80
+ - security
81
+ - architecture
82
+ - canonical
83
+
84
+ implementation_notes: |
85
+ - Use PyJWT library for Python / jsonwebtoken for TypeScript
86
+ - JWK cache TTL: 1 hour, refresh on signature failure
87
+ - Required claims: sub, iss, exp, iat, aud
88
+ - Reject tokens with exp < now() - 30s (clock skew tolerance)
89
+ - Log validation failures at WARN level with token ID (not full token)
90
+ - Do NOT log token contents or secrets
91
+
92
+ file_changes:
93
+ - "create: src/auth/jwt_validator.py"
94
+ - "create: src/auth/token_validator.py"
95
+ - "create: src/auth/errors.py"
96
+ - "create: tests/unit/auth/test_jwt_validator.py"
97
+ - "create: tests/integration/auth/test_token_validation.py"
98
+ - "modify: src/middleware/auth_middleware.py"
99
+
100
+ pipeline_steps:
101
+ - implement
102
+ - validate
103
+ - create-mr
104
+ - merge
105
+ ---
106
+
107
+ # ISSUE-001: JWT Token Validation
108
+
109
+ ## Intent
110
+
111
+ Implement JWT token validation for the auth system. Validate tokens from
112
+ request headers, check expiry, verify signature with RS256, and enforce
113
+ required claims (sub, iss, exp, iat).
114
+
115
+ ## Dependencies
116
+
117
+ ```
118
+ ┌─────────────────────────────────┐
119
+ │ JWT Token Validation │ ← THIS ISSUE
120
+ │ (root component, no deps) │
121
+ └──────────────┬──────────────────┘
122
+
123
+
124
+ ┌─────────────────────────────────┐
125
+ │ OAuth2 Provider Integration │ ← ISSUE-002 (depends on this)
126
+ └─────────────────────────────────┘
127
+ ```
128
+
129
+ No internal dependencies. This is a root component.
130
+
131
+ ## In Scope
132
+
133
+ - JWT token parsing and validation
134
+ - RS256 signature verification with JWK rotation
135
+ - Expiry and claim validation
136
+ - Error handling for invalid/expired tokens
137
+ - Unit tests for all validation paths
138
+ - Integration tests with mock JWT provider
139
+
140
+ ## Out of Scope
141
+
142
+ - Token generation (handled by upstream auth provider)
143
+ - OAuth2 flow (handled by OAuth2 Provider Integration component)
144
+ - Session storage (handled by Session Management component)
145
+ - UI/login pages
146
+
147
+ ## Affected Layers
148
+
149
+ ### Domain
150
+ - New: `JwtToken` entity
151
+ - New: `TokenValidator` interface
152
+ - New: `ValidationError` domain errors
153
+
154
+ ### Application
155
+ - New: `ValidateToken` use case
156
+ - New: `TokenValidationService`
157
+
158
+ ### Infrastructure
159
+ - New: `JwkClient` for fetching public keys
160
+ - New: Redis cache for JWK rotation
161
+
162
+ ### API
163
+ - New: Auth middleware for token validation
164
+ - Modified: Error response format for 401/403
165
+
166
+ ## Canonical References
167
+
168
+ - **Module:** `.pi/architecture/modules/auth-system.md#jwt-token-validation`
169
+ - **ADR-001:** `.pi/architecture/decisions/ADR-001-auth-pattern.md`
170
+ - **ADR-003:** `.pi/architecture/decisions/ADR-003-jwt-algorithm.md`
171
+
172
+ ## Acceptance Criteria
173
+
174
+ | # | Criterion | Validator |
175
+ |---|-----------|-----------|
176
+ | 1 | CI pipeline passes | `validate-ci.sh` |
177
+ | 2 | All unit tests pass with ≥ 90% coverage | `validate-tests.sh` |
178
+ | 3 | Integration tests pass against mock JWT provider | `validate-integration.sh` |
179
+ | 4 | No hardcoded secrets, proper key handling | `validate-security.sh` |
180
+ | 5 | Layer boundaries respected | `validate-architecture.sh` |
181
+ | 6 | Implementation references architecture | `validate-canonical.sh` |
182
+
183
+ ## Implementation
184
+
185
+ > **Agent:** Load this file as your complete session context. All information you need is above.
186
+ > Start by reading the canonical reference files, then implement following the layer structure.
187
+
188
+ ### Steps
189
+
190
+ 1. Read canonical architecture references
191
+ 2. Create domain entities and interfaces
192
+ 3. Implement validation logic
193
+ 4. Add JWK client with caching
194
+ 5. Create auth middleware
195
+ 6. Write unit tests (≥ 90% coverage)
196
+ 7. Write integration tests
197
+ 8. Run all validators
198
+ 9. Create MR
199
+
200
+ ## Notes
201
+
202
+ - Use PyJWT library for Python / jsonwebtoken for TypeScript
203
+ - JWK cache TTL: 1 hour, refresh on signature failure
204
+ - Required claims: sub, iss, exp, iat, aud
205
+ - Reject tokens with exp < now() - 30s (clock skew tolerance)
206
+ - Log validation failures at WARN level with token ID (not full token)
207
+ - **Do NOT log token contents or secrets**