guardian-framework 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +463 -0
- package/dist/cli.js +12958 -0
- package/dist/exports.js +12765 -0
- package/package.json +61 -0
- package/templates/languages/go-patterns.md +411 -0
- package/templates/languages/java-patterns.md +545 -0
- package/templates/languages/python-patterns.md +312 -0
- package/templates/languages/rust-patterns.md +232 -0
- package/templates/languages/typescript-patterns.md +313 -0
- package/templates/pi/INDEX.md +437 -0
- package/templates/pi/agent/AGENTS.md +166 -0
- package/templates/pi/agents/architecture-coordinator.md +40 -0
- package/templates/pi/agents/architecture-validator.md +36 -0
- package/templates/pi/agents/bootstrap-implementer.md +37 -0
- package/templates/pi/agents/issue-factory.md +31 -0
- package/templates/pi/agents/operations-validator.md +32 -0
- package/templates/pi/agents/security-validator.md +33 -0
- package/templates/pi/architecture/CHANGELOG.md +78 -0
- package/templates/pi/architecture/decisions/ADR-template.md +76 -0
- package/templates/pi/architecture/diagrams/system-overview.md +159 -0
- package/templates/pi/architecture/modules/module-template.md +152 -0
- package/templates/pi/context/checklists.md +91 -0
- package/templates/pi/context/domain-workflow.md +180 -0
- package/templates/pi/context/output-formats.md +135 -0
- package/templates/pi/context/patterns-base.md +47 -0
- package/templates/pi/context/patterns.md +38 -0
- package/templates/pi/context/project.md +88 -0
- package/templates/pi/domain/exploration.md +93 -0
- package/templates/pi/domain/ubiquitous-language.md +24 -0
- package/templates/pi/extensions/architect-lib/generators.ts +528 -0
- package/templates/pi/extensions/architect-lib/helpers.ts +344 -0
- package/templates/pi/extensions/architect-lib/types.ts +117 -0
- package/templates/pi/extensions/architect.ts +1425 -0
- package/templates/pi/extensions/ask-user-question.ts +579 -0
- package/templates/pi/extensions/bash-guard.ts +556 -0
- package/templates/pi/extensions/config-reload.ts +115 -0
- package/templates/pi/extensions/coordinator.ts +304 -0
- package/templates/pi/extensions/curator.ts +543 -0
- package/templates/pi/extensions/domain-explorer.ts +990 -0
- package/templates/pi/extensions/filechanges.ts +656 -0
- package/templates/pi/extensions/goal-loop.ts +717 -0
- package/templates/pi/extensions/hooks.ts +452 -0
- package/templates/pi/extensions/kanban.ts +547 -0
- package/templates/pi/extensions/pipeline.ts +1246 -0
- package/templates/pi/extensions/plan-mode.ts +209 -0
- package/templates/pi/extensions/project-scaffolder.ts +284 -0
- package/templates/pi/extensions/read-only-mode.ts +192 -0
- package/templates/pi/extensions/redaction.ts +128 -0
- package/templates/pi/extensions/session-persistence.ts +174 -0
- package/templates/pi/extensions/slash-commands.ts +229 -0
- package/templates/pi/extensions/snippets.ts +201 -0
- package/templates/pi/extensions/validation-runner.ts +100 -0
- package/templates/pi/github/agents/architecture-coordinator.agent.md +27 -0
- package/templates/pi/github/agents/architecture-validator.agent.md +20 -0
- package/templates/pi/github/agents/bootstrap-implementer.agent.md +20 -0
- package/templates/pi/github/agents/epic-planner.agent.md +70 -0
- package/templates/pi/github/agents/issue-factory.agent.md +20 -0
- package/templates/pi/github/agents/operations-validator.agent.md +20 -0
- package/templates/pi/github/agents/security-validator.agent.md +20 -0
- package/templates/pi/github/copilot/settings.json +16 -0
- package/templates/pi/github/copilot-instructions.md +155 -0
- package/templates/pi/github/instructions/architecture.instructions.md +71 -0
- package/templates/pi/github/instructions/validation.instructions.md +69 -0
- package/templates/pi/github/workflows/01-planning-workflow.md +75 -0
- package/templates/pi/github/workflows/02-issue-generation-workflow.md +69 -0
- package/templates/pi/github/workflows/03-implementation-workflow.md +80 -0
- package/templates/pi/github/workflows/04-validation-workflow.md +68 -0
- package/templates/pi/preflight_report.json +99 -0
- package/templates/pi/prompts/blueprint-update.md +262 -0
- package/templates/pi/prompts/blueprint-validate.md +218 -0
- package/templates/pi/prompts/bug-fix.md +50 -0
- package/templates/pi/prompts/ci-blueprint.md +131 -0
- package/templates/pi/prompts/context-refresh.md +258 -0
- package/templates/pi/prompts/epic-plan.md +356 -0
- package/templates/pi/prompts/epic-template.md +186 -0
- package/templates/pi/prompts/feature-development.md +131 -0
- package/templates/pi/prompts/git-issues.md +243 -0
- package/templates/pi/prompts/hotfix.md +71 -0
- package/templates/pi/prompts/issue-closeout.md +342 -0
- package/templates/pi/prompts/issue-draft.md +218 -0
- package/templates/pi/prompts/issue-implementation-series.md +173 -0
- package/templates/pi/prompts/issue-merge.md +372 -0
- package/templates/pi/prompts/issue-template-set.md +392 -0
- package/templates/pi/prompts/issue-template.md +207 -0
- package/templates/pi/prompts/pattern-extract.md +269 -0
- package/templates/pi/prompts/plan-to-issues.md +430 -0
- package/templates/pi/prompts/refactoring.md +82 -0
- package/templates/pi/prompts/scope-analyzer.md +254 -0
- package/templates/pi/prompts/sync-check.md +230 -0
- package/templates/pi/scripts/categorize-issues.sh +171 -0
- package/templates/pi/scripts/ci/check_architecture_conformance.sh +748 -0
- package/templates/pi/scripts/ci/check_planning_packet.py +228 -0
- package/templates/pi/scripts/ci/run_hardening_stages.sh +264 -0
- package/templates/pi/scripts/ci/run_preflight.sh +649 -0
- package/templates/pi/scripts/ci/run_stage.sh +193 -0
- package/templates/pi/scripts/ci/stage_docs_policy.sh +82 -0
- package/templates/pi/scripts/ci/stage_integration.sh +3 -0
- package/templates/pi/scripts/ci/stage_lint.sh +130 -0
- package/templates/pi/scripts/ci/stage_migration_verify.sh +3 -0
- package/templates/pi/scripts/ci/stage_package_build.sh +3 -0
- package/templates/pi/scripts/ci/stage_release_readiness.sh +3 -0
- package/templates/pi/scripts/ci/stage_remaining.sh +242 -0
- package/templates/pi/scripts/ci/stage_security.sh +3 -0
- package/templates/pi/scripts/ci/stage_static_analysis.sh +114 -0
- package/templates/pi/scripts/ci/stage_unit.sh +119 -0
- package/templates/pi/scripts/ci/validate_agent_output.py +181 -0
- package/templates/pi/scripts/ci/validate_agent_output.sh +243 -0
- package/templates/pi/scripts/create-feature-branch.sh +136 -0
- package/templates/pi/scripts/create-mr.sh +117 -0
- package/templates/pi/scripts/fetch-issues.sh +131 -0
- package/templates/pi/scripts/generate-architecture.sh +161 -0
- package/templates/pi/scripts/git/close-epic.sh +69 -0
- package/templates/pi/scripts/git/close-issue.sh +35 -0
- package/templates/pi/scripts/git/create-tracking-issue.sh +174 -0
- package/templates/pi/scripts/git/link-issue-to-epic.sh +51 -0
- package/templates/pi/scripts/git/update-tracking-issue.sh +66 -0
- package/templates/pi/scripts/languages/go/validate-architecture.sh +139 -0
- package/templates/pi/scripts/languages/go/validate-canonical.sh +129 -0
- package/templates/pi/scripts/languages/go/validate-ci.sh +132 -0
- package/templates/pi/scripts/languages/go/validate-integration.sh +156 -0
- package/templates/pi/scripts/languages/go/validate-operations.sh +146 -0
- package/templates/pi/scripts/languages/go/validate-security.sh +135 -0
- package/templates/pi/scripts/languages/go/validate-tests.sh +125 -0
- package/templates/pi/scripts/languages/java/validate-annotations.sh +185 -0
- package/templates/pi/scripts/languages/java/validate-architecture.sh +159 -0
- package/templates/pi/scripts/languages/java/validate-canonical.sh +114 -0
- package/templates/pi/scripts/languages/java/validate-ci.sh +269 -0
- package/templates/pi/scripts/languages/java/validate-integration.sh +149 -0
- package/templates/pi/scripts/languages/java/validate-operations.sh +142 -0
- package/templates/pi/scripts/languages/java/validate-security.sh +174 -0
- package/templates/pi/scripts/languages/java/validate-spring-architecture.sh +227 -0
- package/templates/pi/scripts/languages/java/validate-tests.sh +159 -0
- package/templates/pi/scripts/languages/python/validate-architecture.sh +99 -0
- package/templates/pi/scripts/languages/python/validate-canonical.sh +124 -0
- package/templates/pi/scripts/languages/python/validate-ci.sh +130 -0
- package/templates/pi/scripts/languages/python/validate-integration.sh +119 -0
- package/templates/pi/scripts/languages/python/validate-operations.sh +107 -0
- package/templates/pi/scripts/languages/python/validate-security.sh +68 -0
- package/templates/pi/scripts/languages/python/validate-tests.sh +102 -0
- package/templates/pi/scripts/languages/rust/validate-architecture.sh +188 -0
- package/templates/pi/scripts/languages/rust/validate-canonical.sh +146 -0
- package/templates/pi/scripts/languages/rust/validate-ci.sh +147 -0
- package/templates/pi/scripts/languages/rust/validate-integration.sh +149 -0
- package/templates/pi/scripts/languages/rust/validate-operations.sh +154 -0
- package/templates/pi/scripts/languages/rust/validate-security.sh +153 -0
- package/templates/pi/scripts/languages/rust/validate-tests.sh +150 -0
- package/templates/pi/scripts/languages/typescript/validate-architecture.sh +157 -0
- package/templates/pi/scripts/languages/typescript/validate-canonical.sh +135 -0
- package/templates/pi/scripts/languages/typescript/validate-ci.sh +244 -0
- package/templates/pi/scripts/languages/typescript/validate-integration.sh +166 -0
- package/templates/pi/scripts/languages/typescript/validate-operations.sh +162 -0
- package/templates/pi/scripts/languages/typescript/validate-security.sh +169 -0
- package/templates/pi/scripts/languages/typescript/validate-tests.sh +158 -0
- package/templates/pi/scripts/merge-mr.sh +95 -0
- package/templates/pi/scripts/mr-validation.sh +228 -0
- package/templates/pi/scripts/validate-architecture-readiness.sh +153 -0
- package/templates/pi/scripts/validate-architecture.sh +22 -0
- package/templates/pi/scripts/validate-canonical.sh +22 -0
- package/templates/pi/scripts/validate-ci.sh +37 -0
- package/templates/pi/scripts/validate-integration.sh +22 -0
- package/templates/pi/scripts/validate-operations.sh +22 -0
- package/templates/pi/scripts/validate-security.sh +22 -0
- package/templates/pi/scripts/validate-tests.sh +22 -0
- package/templates/pi/scripts/validate-ubiquitous-language.sh +291 -0
- package/templates/pi/scripts/validation-cache.sh +139 -0
- package/templates/pi/skills/agents/architecture-coordinator.md +178 -0
- package/templates/pi/skills/agents/architecture-generator.md +79 -0
- package/templates/pi/skills/agents/architecture-validator.md +74 -0
- package/templates/pi/skills/agents/ci-mr-validator.md +46 -0
- package/templates/pi/skills/agents/code-developer.md +76 -0
- package/templates/pi/skills/agents/commit.md +46 -0
- package/templates/pi/skills/agents/curator.md +71 -0
- package/templates/pi/skills/agents/debug.md +59 -0
- package/templates/pi/skills/agents/documentation-maintainer.md +36 -0
- package/templates/pi/skills/agents/goal-loop.md +125 -0
- package/templates/pi/skills/agents/hooks.md +122 -0
- package/templates/pi/skills/agents/integration-validator.md +35 -0
- package/templates/pi/skills/agents/issue-creator.md +75 -0
- package/templates/pi/skills/agents/issue-factory.md +143 -0
- package/templates/pi/skills/agents/kanban.md +85 -0
- package/templates/pi/skills/agents/land.md +59 -0
- package/templates/pi/skills/agents/operations-validator.md +43 -0
- package/templates/pi/skills/agents/pipeline.md +113 -0
- package/templates/pi/skills/agents/plan-mode.md +77 -0
- package/templates/pi/skills/agents/pull.md +40 -0
- package/templates/pi/skills/agents/push.md +41 -0
- package/templates/pi/skills/agents/security-validator.md +85 -0
- package/templates/pi/skills/agents/session-persistence.md +119 -0
- package/templates/pi/skills/agents/slash-commands.md +117 -0
- package/templates/pi/skills/agents/snippets.md +99 -0
- package/templates/pi/skills/agents/subagent-registry.md +78 -0
- package/templates/pi/skills/agents/test-validator.md +42 -0
- package/templates/pi/skills/validators/architecture-validator.md +43 -0
- package/templates/pi/skills/validators/ci-validator.md +27 -0
- package/templates/pi/skills/validators/context-compaction.md +73 -0
- package/templates/pi/skills/validators/integration-validator.md +38 -0
- package/templates/pi/skills/validators/model-registry.md +96 -0
- package/templates/pi/skills/validators/operations-validator.md +34 -0
- package/templates/pi/skills/validators/security-guards.md +72 -0
- package/templates/pi/skills/validators/security-validator.md +41 -0
- package/templates/pi/skills/validators/system-prompt-tiers.md +69 -0
- package/templates/pi/skills/validators/test-validator.md +33 -0
- package/templates/pi/types.ts +62 -0
- package/templates/pi/validators/README.md +93 -0
- package/templates/pi/validators/default.toml +209 -0
- package/templates/pi/validators/spring.toml +142 -0
- package/templates/pi/workpad.md +53 -0
- package/templates/project/java/Dockerfile +14 -0
- package/templates/project/java/README.md +40 -0
- package/templates/project/java/pom.xml +132 -0
- package/templates/project/typescript/Dockerfile +15 -0
- package/templates/project/typescript/README.md +29 -0
- package/templates/project/typescript/package.json +23 -0
- package/templates/project/typescript/tsconfig.json +21 -0
- package/templates/workflow.md +123 -0
|
@@ -0,0 +1,392 @@
|
|
|
1
|
+
# Guardian Issue Template Set
|
|
2
|
+
|
|
3
|
+
> **Use these templates to generate architecture-aware, independently reviewable issues.**
|
|
4
|
+
> Every issue generated by the Issue Factory follows these templates. Each issue is the smallest independently reviewable unit with complete session context.
|
|
5
|
+
|
|
6
|
+
## General Rules
|
|
7
|
+
|
|
8
|
+
Every issue must contain:
|
|
9
|
+
|
|
10
|
+
- **Why** — Business or platform reason
|
|
11
|
+
- **Scope** — Exact change
|
|
12
|
+
- **In scope** — Bullet list of what's included
|
|
13
|
+
- **Out of scope** — Bullet list of what's explicitly excluded
|
|
14
|
+
- **Dependencies** — blocked by / blocks relationships
|
|
15
|
+
- **Acceptance criteria** — Tied to specific Guardian validators
|
|
16
|
+
- **Verification requirements** — Unit/integration/conformance tests
|
|
17
|
+
- **Canonical references** — Architecture module + ADR paths
|
|
18
|
+
- **Files/layers affected** — domain, application, infrastructure, api
|
|
19
|
+
- **Rollout or operational notes** — When relevant
|
|
20
|
+
|
|
21
|
+
---
|
|
22
|
+
|
|
23
|
+
## 1. Contract Issue Template
|
|
24
|
+
|
|
25
|
+
Use for: Domain contracts, API contracts, event contracts, compatibility rules.
|
|
26
|
+
|
|
27
|
+
### Title
|
|
28
|
+
|
|
29
|
+
`contract: <concrete contract change>`
|
|
30
|
+
|
|
31
|
+
### Why
|
|
32
|
+
|
|
33
|
+
Why this contract must be defined before implementation.
|
|
34
|
+
|
|
35
|
+
### Scope
|
|
36
|
+
|
|
37
|
+
Define the architecture contract precisely.
|
|
38
|
+
|
|
39
|
+
### In scope
|
|
40
|
+
|
|
41
|
+
- aggregate or state-machine rule changes
|
|
42
|
+
- API contract changes
|
|
43
|
+
- event contract changes
|
|
44
|
+
- compatibility rules
|
|
45
|
+
|
|
46
|
+
### Out of scope
|
|
47
|
+
|
|
48
|
+
- repository implementation
|
|
49
|
+
- worker implementation
|
|
50
|
+
- dashboards/runbooks
|
|
51
|
+
|
|
52
|
+
### Dependencies
|
|
53
|
+
|
|
54
|
+
- blocked by: epic approval
|
|
55
|
+
- blocks: schema, repository, handler, runtime issues
|
|
56
|
+
|
|
57
|
+
### Acceptance criteria
|
|
58
|
+
|
|
59
|
+
- [ ] Domain/application/runtime contract is explicit
|
|
60
|
+
- [ ] compatibility and versioning rules are explicit
|
|
61
|
+
- [ ] forbidden changes are listed
|
|
62
|
+
- [ ] impacted layers are listed
|
|
63
|
+
|
|
64
|
+
### Verification
|
|
65
|
+
|
|
66
|
+
- architecture review
|
|
67
|
+
- contract review
|
|
68
|
+
|
|
69
|
+
### Canonical references
|
|
70
|
+
|
|
71
|
+
- `.pi/architecture/modules/<module>.md`
|
|
72
|
+
- relevant ADRs
|
|
73
|
+
|
|
74
|
+
---
|
|
75
|
+
|
|
76
|
+
## 2. Schema / Index / Config Issue Template
|
|
77
|
+
|
|
78
|
+
Use for: Migrations, indexes, RLS policies, queue/Redis/blob/config changes.
|
|
79
|
+
|
|
80
|
+
### Title
|
|
81
|
+
|
|
82
|
+
`infrastructure: <schema/index/config action>`
|
|
83
|
+
|
|
84
|
+
### Why
|
|
85
|
+
|
|
86
|
+
Why persistence or runtime configuration must change.
|
|
87
|
+
|
|
88
|
+
### Scope
|
|
89
|
+
|
|
90
|
+
Describe exact schema/index/config changes.
|
|
91
|
+
|
|
92
|
+
### In scope
|
|
93
|
+
|
|
94
|
+
- migrations
|
|
95
|
+
- indexes
|
|
96
|
+
- RLS policies
|
|
97
|
+
- queue/Redis/blob/config changes
|
|
98
|
+
|
|
99
|
+
### Out of scope
|
|
100
|
+
|
|
101
|
+
- handler or API behavior beyond what config enables
|
|
102
|
+
- rollout communications unless required for safety
|
|
103
|
+
|
|
104
|
+
### Dependencies
|
|
105
|
+
|
|
106
|
+
- blocked by: contract issue
|
|
107
|
+
- blocks: repository/service and runtime issues
|
|
108
|
+
|
|
109
|
+
### Acceptance criteria
|
|
110
|
+
|
|
111
|
+
- [ ] migration or config change is explicit
|
|
112
|
+
- [ ] required indexes/policies are present
|
|
113
|
+
- [ ] tenant isolation impact is reviewed
|
|
114
|
+
- [ ] rollback path is documented
|
|
115
|
+
|
|
116
|
+
### Verification
|
|
117
|
+
|
|
118
|
+
- migration verification
|
|
119
|
+
- integration tests
|
|
120
|
+
- conformance tests when applicable
|
|
121
|
+
|
|
122
|
+
### Canonical references
|
|
123
|
+
|
|
124
|
+
- `.pi/architecture/modules/<module>.md`
|
|
125
|
+
- `.pi/architecture/decisions/ADR-*.md`
|
|
126
|
+
|
|
127
|
+
---
|
|
128
|
+
|
|
129
|
+
## 3. Repository / Service Issue Template
|
|
130
|
+
|
|
131
|
+
Use for: Repository logic, storage adapters, Redis/queue/blob/AI service integration.
|
|
132
|
+
|
|
133
|
+
### Title
|
|
134
|
+
|
|
135
|
+
`infrastructure: <repository or service change>`
|
|
136
|
+
|
|
137
|
+
### Why
|
|
138
|
+
|
|
139
|
+
Why adapters or persistence services must change.
|
|
140
|
+
|
|
141
|
+
### Scope
|
|
142
|
+
|
|
143
|
+
List repositories, service adapters, or infrastructure modules touched.
|
|
144
|
+
|
|
145
|
+
### In scope
|
|
146
|
+
|
|
147
|
+
- repository logic
|
|
148
|
+
- storage adapters
|
|
149
|
+
- Redis/queue/blob/AI service integration changes
|
|
150
|
+
- timeout/retry/circuit-breaker changes
|
|
151
|
+
|
|
152
|
+
### Out of scope
|
|
153
|
+
|
|
154
|
+
- API contract redesign
|
|
155
|
+
- broad runtime orchestration refactors not required for this issue
|
|
156
|
+
|
|
157
|
+
### Dependencies
|
|
158
|
+
|
|
159
|
+
- blocked by: contract issue, schema/index/config issue
|
|
160
|
+
- blocks: handler/runtime issues
|
|
161
|
+
|
|
162
|
+
### Acceptance criteria
|
|
163
|
+
|
|
164
|
+
- [ ] tenant guarantees remain intact
|
|
165
|
+
- [ ] idempotency behavior remains intact
|
|
166
|
+
- [ ] timeout/retry behavior is explicit
|
|
167
|
+
- [ ] required observability is added
|
|
168
|
+
|
|
169
|
+
### Verification
|
|
170
|
+
|
|
171
|
+
- integration tests
|
|
172
|
+
- infrastructure-focused conformance tests
|
|
173
|
+
|
|
174
|
+
### Canonical references
|
|
175
|
+
|
|
176
|
+
- `.pi/architecture/modules/<module>.md`
|
|
177
|
+
- `.pi/architecture/decisions/ADR-*.md`
|
|
178
|
+
|
|
179
|
+
---
|
|
180
|
+
|
|
181
|
+
## 4. Handler / Runtime Issue Template
|
|
182
|
+
|
|
183
|
+
Use for: Command/query handlers, UoW/outbox behavior, worker logic, LangGraph flow changes.
|
|
184
|
+
|
|
185
|
+
### Title
|
|
186
|
+
|
|
187
|
+
`application-runtime: <handler or worker action>`
|
|
188
|
+
|
|
189
|
+
### Why
|
|
190
|
+
|
|
191
|
+
Why application flow or worker behavior must change.
|
|
192
|
+
|
|
193
|
+
### Scope
|
|
194
|
+
|
|
195
|
+
Describe the exact command/query/handler/runtime behavior to implement.
|
|
196
|
+
|
|
197
|
+
### In scope
|
|
198
|
+
|
|
199
|
+
- command or query handlers
|
|
200
|
+
- UoW/outbox behavior
|
|
201
|
+
- worker logic
|
|
202
|
+
- LangGraph flow changes
|
|
203
|
+
- retry/resume/checkpoint logic
|
|
204
|
+
|
|
205
|
+
### Out of scope
|
|
206
|
+
|
|
207
|
+
- unrelated schema redesign
|
|
208
|
+
- unrelated frontend/BFF changes
|
|
209
|
+
|
|
210
|
+
### Dependencies
|
|
211
|
+
|
|
212
|
+
- blocked by: contract issue, repository/service issue
|
|
213
|
+
- blocks: verification and rollout issues
|
|
214
|
+
|
|
215
|
+
### Acceptance criteria
|
|
216
|
+
|
|
217
|
+
- [ ] transaction boundary is explicit
|
|
218
|
+
- [ ] state transitions are valid
|
|
219
|
+
- [ ] idempotency behavior is explicit
|
|
220
|
+
- [ ] replay/resume safety is preserved
|
|
221
|
+
- [ ] errors and observability are updated
|
|
222
|
+
|
|
223
|
+
### Verification
|
|
224
|
+
|
|
225
|
+
- unit tests
|
|
226
|
+
- integration tests
|
|
227
|
+
- runtime conformance tests
|
|
228
|
+
|
|
229
|
+
### Canonical references
|
|
230
|
+
|
|
231
|
+
- `.pi/architecture/modules/<module>.md`
|
|
232
|
+
- `.pi/architecture/decisions/ADR-*.md`
|
|
233
|
+
|
|
234
|
+
---
|
|
235
|
+
|
|
236
|
+
## 5. Verification / Conformance Issue Template
|
|
237
|
+
|
|
238
|
+
Use for: Architecture conformance tests, integration regression tests, contract validation, CI enforcement.
|
|
239
|
+
|
|
240
|
+
### Title
|
|
241
|
+
|
|
242
|
+
`verification: <conformance area>`
|
|
243
|
+
|
|
244
|
+
### Why
|
|
245
|
+
|
|
246
|
+
Why the architecture needs executable verification for this area.
|
|
247
|
+
|
|
248
|
+
### Scope
|
|
249
|
+
|
|
250
|
+
Describe exact checks or tests to add.
|
|
251
|
+
|
|
252
|
+
### In scope
|
|
253
|
+
|
|
254
|
+
- architecture conformance tests
|
|
255
|
+
- integration regression tests
|
|
256
|
+
- contract validation tests
|
|
257
|
+
- CI enforcement additions
|
|
258
|
+
|
|
259
|
+
### Out of scope
|
|
260
|
+
|
|
261
|
+
- feature implementation unrelated to verification
|
|
262
|
+
|
|
263
|
+
### Dependencies
|
|
264
|
+
|
|
265
|
+
- blocked by: contract and implementation issues
|
|
266
|
+
- blocks: release readiness for the epic
|
|
267
|
+
|
|
268
|
+
### Acceptance criteria
|
|
269
|
+
|
|
270
|
+
- [ ] failing behavior is detectable automatically
|
|
271
|
+
- [ ] tests run in Guardian CI pipeline
|
|
272
|
+
- [ ] required fixtures/services are defined
|
|
273
|
+
- [ ] documentation explains what is enforced
|
|
274
|
+
|
|
275
|
+
### Verification
|
|
276
|
+
|
|
277
|
+
- CI execution proof
|
|
278
|
+
- failing test demonstration where appropriate
|
|
279
|
+
|
|
280
|
+
### Canonical references
|
|
281
|
+
|
|
282
|
+
- `.pi/architecture/modules/<module>.md`
|
|
283
|
+
- `.pi/architecture/decisions/ADR-*.md`
|
|
284
|
+
|
|
285
|
+
---
|
|
286
|
+
|
|
287
|
+
## 6. Rollout / Runbook / Ops Issue Template
|
|
288
|
+
|
|
289
|
+
Use for: Dashboards, alerts, runbooks, SLO updates, rollout sequencing, rollback steps.
|
|
290
|
+
|
|
291
|
+
### Title
|
|
292
|
+
|
|
293
|
+
`operations: <rollout or runbook change>`
|
|
294
|
+
|
|
295
|
+
### Why
|
|
296
|
+
|
|
297
|
+
Why production readiness requires this operational work.
|
|
298
|
+
|
|
299
|
+
### Scope
|
|
300
|
+
|
|
301
|
+
Describe exact rollout, monitoring, alerting, or runbook output.
|
|
302
|
+
|
|
303
|
+
### In scope
|
|
304
|
+
|
|
305
|
+
- dashboards
|
|
306
|
+
- alerts
|
|
307
|
+
- runbooks
|
|
308
|
+
- SLO updates
|
|
309
|
+
- rollout sequencing
|
|
310
|
+
- rollback steps
|
|
311
|
+
|
|
312
|
+
### Out of scope
|
|
313
|
+
|
|
314
|
+
- primary code implementation unless minimal for observability hooks
|
|
315
|
+
|
|
316
|
+
### Dependencies
|
|
317
|
+
|
|
318
|
+
- blocked by: implementation and verification issues
|
|
319
|
+
|
|
320
|
+
### Acceptance criteria
|
|
321
|
+
|
|
322
|
+
- [ ] operational visibility exists
|
|
323
|
+
- [ ] alerting or dashboard updates are defined
|
|
324
|
+
- [ ] rollback steps exist
|
|
325
|
+
- [ ] release checklist impact is documented
|
|
326
|
+
|
|
327
|
+
### Verification
|
|
328
|
+
|
|
329
|
+
- runbook review
|
|
330
|
+
- dashboard/alert validation
|
|
331
|
+
- rollout rehearsal or dry run where necessary
|
|
332
|
+
|
|
333
|
+
### Canonical references
|
|
334
|
+
|
|
335
|
+
- `.pi/architecture/modules/<module>.md`
|
|
336
|
+
- `.pi/architecture/decisions/ADR-*.md`
|
|
337
|
+
|
|
338
|
+
---
|
|
339
|
+
|
|
340
|
+
## 7. High-Risk Issue Addendum
|
|
341
|
+
|
|
342
|
+
Use this addendum for issues labeled `risk::high`.
|
|
343
|
+
|
|
344
|
+
### Additional Required Fields
|
|
345
|
+
|
|
346
|
+
- Failure mode analysis
|
|
347
|
+
- Data integrity risk
|
|
348
|
+
- Multi-tenant isolation risk
|
|
349
|
+
- Security review notes
|
|
350
|
+
- Rollback plan
|
|
351
|
+
- Feature flag or staged rollout decision
|
|
352
|
+
|
|
353
|
+
### Additional Approvals
|
|
354
|
+
|
|
355
|
+
- Architecture Validator Agent
|
|
356
|
+
- Security Agent or security reviewer
|
|
357
|
+
- Operations Agent or release reviewer
|
|
358
|
+
|
|
359
|
+
---
|
|
360
|
+
|
|
361
|
+
## Recommended Labels
|
|
362
|
+
|
|
363
|
+
| Label | Meaning |
|
|
364
|
+
|-------|---------|
|
|
365
|
+
| `layer::domain` | Domain model, entities, value objects |
|
|
366
|
+
| `layer::application` | Use cases, services, handlers |
|
|
367
|
+
| `layer::infrastructure` | Databases, queues, external APIs |
|
|
368
|
+
| `layer::api` | REST/gRPC endpoints, middleware |
|
|
369
|
+
| `layer::security` | Auth, encryption, secrets |
|
|
370
|
+
| `layer::operations` | Observability, runbooks, DR |
|
|
371
|
+
| `type::feature` | New functionality |
|
|
372
|
+
| `type::hardening` | Security/performance improvement |
|
|
373
|
+
| `type::migration` | Schema or config migration |
|
|
374
|
+
| `type::test` | Test-only work |
|
|
375
|
+
| `risk::high` | Breaks existing behavior |
|
|
376
|
+
| `risk::medium` | Changes internal behavior |
|
|
377
|
+
| `risk::low` | Additive, no breaking changes |
|
|
378
|
+
|
|
379
|
+
---
|
|
380
|
+
|
|
381
|
+
## Dependency Ordering
|
|
382
|
+
|
|
383
|
+
1. **contract issue** — Domain contracts, API contracts
|
|
384
|
+
2. **schema/index issue** — Migrations, indexes, config
|
|
385
|
+
3. **repository/service issue** — Data access, adapters
|
|
386
|
+
4. **handler/runtime issue** — Business logic, workers
|
|
387
|
+
5. **verification issue** — Tests, conformance
|
|
388
|
+
6. **rollout/runbook issue** — Ops, monitoring
|
|
389
|
+
|
|
390
|
+
---
|
|
391
|
+
|
|
392
|
+
*Use the smallest template that matches the actual unit of work.*
|
|
@@ -0,0 +1,207 @@
|
|
|
1
|
+
# Guardian Issue Contract
|
|
2
|
+
|
|
3
|
+
> **Professional issue template with complete context for a fresh session agent to implement correctly.**
|
|
4
|
+
> Every issue generated by `/architect` follows this contract. The YAML front matter is parsed by Guardian; the body is the agent's complete session context.
|
|
5
|
+
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Template
|
|
9
|
+
|
|
10
|
+
```markdown
|
|
11
|
+
---
|
|
12
|
+
guardian_issue:
|
|
13
|
+
id: ISSUE-001
|
|
14
|
+
title: "JWT Token Validation"
|
|
15
|
+
epic: "Auth Module v1"
|
|
16
|
+
epic_id: EPIC-001
|
|
17
|
+
tracking_issue: 100
|
|
18
|
+
status: planned
|
|
19
|
+
priority: high
|
|
20
|
+
created_at: "2026-05-17T00:00:00Z"
|
|
21
|
+
updated_at: "2026-05-17T00:00:00Z"
|
|
22
|
+
|
|
23
|
+
intent: |
|
|
24
|
+
Implement JWT token validation for the auth system. Validate tokens from
|
|
25
|
+
request headers, check expiry, verify signature with RS256, and enforce
|
|
26
|
+
required claims (sub, iss, exp, iat).
|
|
27
|
+
|
|
28
|
+
dependencies:
|
|
29
|
+
- name: none
|
|
30
|
+
type: external
|
|
31
|
+
note: "No internal dependencies. This is a root component."
|
|
32
|
+
|
|
33
|
+
in_scope:
|
|
34
|
+
- JWT token parsing and validation
|
|
35
|
+
- RS256 signature verification with JWK rotation
|
|
36
|
+
- Expiry and claim validation
|
|
37
|
+
- Error handling for invalid/expired tokens
|
|
38
|
+
- Unit tests for all validation paths
|
|
39
|
+
- Integration tests with mock JWT provider
|
|
40
|
+
|
|
41
|
+
out_of_scope:
|
|
42
|
+
- Token generation (handled by upstream auth provider)
|
|
43
|
+
- OAuth2 flow (handled by OAuth2 Provider Integration component)
|
|
44
|
+
- Session storage (handled by Session Management component)
|
|
45
|
+
- UI/login pages
|
|
46
|
+
|
|
47
|
+
affected_layers:
|
|
48
|
+
domain:
|
|
49
|
+
- "New: JwtToken entity"
|
|
50
|
+
- "New: TokenValidator interface"
|
|
51
|
+
- "New: ValidationError domain errors"
|
|
52
|
+
application:
|
|
53
|
+
- "New: ValidateToken use case"
|
|
54
|
+
- "New: TokenValidationService"
|
|
55
|
+
infrastructure:
|
|
56
|
+
- "New: JwkClient for fetching public keys"
|
|
57
|
+
- "New: Redis cache for JWK rotation"
|
|
58
|
+
api:
|
|
59
|
+
- "New: Auth middleware for token validation"
|
|
60
|
+
- "Modified: Error response format for 401/403"
|
|
61
|
+
|
|
62
|
+
canonical_references:
|
|
63
|
+
- module: ".pi/architecture/modules/auth-system.md#jwt-token-validation"
|
|
64
|
+
- adr:
|
|
65
|
+
- ".pi/architecture/decisions/ADR-001-auth-pattern.md"
|
|
66
|
+
- ".pi/architecture/decisions/ADR-003-jwt-algorithm.md"
|
|
67
|
+
- last_sync: "2026-05-17"
|
|
68
|
+
|
|
69
|
+
acceptance_criteria:
|
|
70
|
+
- "CI pipeline passes (validate-ci.sh)"
|
|
71
|
+
- "All unit tests pass with ≥ 90% coverage"
|
|
72
|
+
- "Integration tests pass against mock JWT provider"
|
|
73
|
+
- "validate-security.sh passes (no hardcoded secrets, proper key handling)"
|
|
74
|
+
- "validate-architecture.sh passes (layer boundaries respected)"
|
|
75
|
+
- "validate-canonical.sh passes (implementation references architecture)"
|
|
76
|
+
|
|
77
|
+
validators:
|
|
78
|
+
- ci
|
|
79
|
+
- tests
|
|
80
|
+
- security
|
|
81
|
+
- architecture
|
|
82
|
+
- canonical
|
|
83
|
+
|
|
84
|
+
implementation_notes: |
|
|
85
|
+
- Use PyJWT library for Python / jsonwebtoken for TypeScript
|
|
86
|
+
- JWK cache TTL: 1 hour, refresh on signature failure
|
|
87
|
+
- Required claims: sub, iss, exp, iat, aud
|
|
88
|
+
- Reject tokens with exp < now() - 30s (clock skew tolerance)
|
|
89
|
+
- Log validation failures at WARN level with token ID (not full token)
|
|
90
|
+
- Do NOT log token contents or secrets
|
|
91
|
+
|
|
92
|
+
file_changes:
|
|
93
|
+
- "create: src/auth/jwt_validator.py"
|
|
94
|
+
- "create: src/auth/token_validator.py"
|
|
95
|
+
- "create: src/auth/errors.py"
|
|
96
|
+
- "create: tests/unit/auth/test_jwt_validator.py"
|
|
97
|
+
- "create: tests/integration/auth/test_token_validation.py"
|
|
98
|
+
- "modify: src/middleware/auth_middleware.py"
|
|
99
|
+
|
|
100
|
+
pipeline_steps:
|
|
101
|
+
- implement
|
|
102
|
+
- validate
|
|
103
|
+
- create-mr
|
|
104
|
+
- merge
|
|
105
|
+
---
|
|
106
|
+
|
|
107
|
+
# ISSUE-001: JWT Token Validation
|
|
108
|
+
|
|
109
|
+
## Intent
|
|
110
|
+
|
|
111
|
+
Implement JWT token validation for the auth system. Validate tokens from
|
|
112
|
+
request headers, check expiry, verify signature with RS256, and enforce
|
|
113
|
+
required claims (sub, iss, exp, iat).
|
|
114
|
+
|
|
115
|
+
## Dependencies
|
|
116
|
+
|
|
117
|
+
```
|
|
118
|
+
┌─────────────────────────────────┐
|
|
119
|
+
│ JWT Token Validation │ ← THIS ISSUE
|
|
120
|
+
│ (root component, no deps) │
|
|
121
|
+
└──────────────┬──────────────────┘
|
|
122
|
+
│
|
|
123
|
+
▼
|
|
124
|
+
┌─────────────────────────────────┐
|
|
125
|
+
│ OAuth2 Provider Integration │ ← ISSUE-002 (depends on this)
|
|
126
|
+
└─────────────────────────────────┘
|
|
127
|
+
```
|
|
128
|
+
|
|
129
|
+
No internal dependencies. This is a root component.
|
|
130
|
+
|
|
131
|
+
## In Scope
|
|
132
|
+
|
|
133
|
+
- JWT token parsing and validation
|
|
134
|
+
- RS256 signature verification with JWK rotation
|
|
135
|
+
- Expiry and claim validation
|
|
136
|
+
- Error handling for invalid/expired tokens
|
|
137
|
+
- Unit tests for all validation paths
|
|
138
|
+
- Integration tests with mock JWT provider
|
|
139
|
+
|
|
140
|
+
## Out of Scope
|
|
141
|
+
|
|
142
|
+
- Token generation (handled by upstream auth provider)
|
|
143
|
+
- OAuth2 flow (handled by OAuth2 Provider Integration component)
|
|
144
|
+
- Session storage (handled by Session Management component)
|
|
145
|
+
- UI/login pages
|
|
146
|
+
|
|
147
|
+
## Affected Layers
|
|
148
|
+
|
|
149
|
+
### Domain
|
|
150
|
+
- New: `JwtToken` entity
|
|
151
|
+
- New: `TokenValidator` interface
|
|
152
|
+
- New: `ValidationError` domain errors
|
|
153
|
+
|
|
154
|
+
### Application
|
|
155
|
+
- New: `ValidateToken` use case
|
|
156
|
+
- New: `TokenValidationService`
|
|
157
|
+
|
|
158
|
+
### Infrastructure
|
|
159
|
+
- New: `JwkClient` for fetching public keys
|
|
160
|
+
- New: Redis cache for JWK rotation
|
|
161
|
+
|
|
162
|
+
### API
|
|
163
|
+
- New: Auth middleware for token validation
|
|
164
|
+
- Modified: Error response format for 401/403
|
|
165
|
+
|
|
166
|
+
## Canonical References
|
|
167
|
+
|
|
168
|
+
- **Module:** `.pi/architecture/modules/auth-system.md#jwt-token-validation`
|
|
169
|
+
- **ADR-001:** `.pi/architecture/decisions/ADR-001-auth-pattern.md`
|
|
170
|
+
- **ADR-003:** `.pi/architecture/decisions/ADR-003-jwt-algorithm.md`
|
|
171
|
+
|
|
172
|
+
## Acceptance Criteria
|
|
173
|
+
|
|
174
|
+
| # | Criterion | Validator |
|
|
175
|
+
|---|-----------|-----------|
|
|
176
|
+
| 1 | CI pipeline passes | `validate-ci.sh` |
|
|
177
|
+
| 2 | All unit tests pass with ≥ 90% coverage | `validate-tests.sh` |
|
|
178
|
+
| 3 | Integration tests pass against mock JWT provider | `validate-integration.sh` |
|
|
179
|
+
| 4 | No hardcoded secrets, proper key handling | `validate-security.sh` |
|
|
180
|
+
| 5 | Layer boundaries respected | `validate-architecture.sh` |
|
|
181
|
+
| 6 | Implementation references architecture | `validate-canonical.sh` |
|
|
182
|
+
|
|
183
|
+
## Implementation
|
|
184
|
+
|
|
185
|
+
> **Agent:** Load this file as your complete session context. All information you need is above.
|
|
186
|
+
> Start by reading the canonical reference files, then implement following the layer structure.
|
|
187
|
+
|
|
188
|
+
### Steps
|
|
189
|
+
|
|
190
|
+
1. Read canonical architecture references
|
|
191
|
+
2. Create domain entities and interfaces
|
|
192
|
+
3. Implement validation logic
|
|
193
|
+
4. Add JWK client with caching
|
|
194
|
+
5. Create auth middleware
|
|
195
|
+
6. Write unit tests (≥ 90% coverage)
|
|
196
|
+
7. Write integration tests
|
|
197
|
+
8. Run all validators
|
|
198
|
+
9. Create MR
|
|
199
|
+
|
|
200
|
+
## Notes
|
|
201
|
+
|
|
202
|
+
- Use PyJWT library for Python / jsonwebtoken for TypeScript
|
|
203
|
+
- JWK cache TTL: 1 hour, refresh on signature failure
|
|
204
|
+
- Required claims: sub, iss, exp, iat, aud
|
|
205
|
+
- Reject tokens with exp < now() - 30s (clock skew tolerance)
|
|
206
|
+
- Log validation failures at WARN level with token ID (not full token)
|
|
207
|
+
- **Do NOT log token contents or secrets**
|