icdev 0.0.3__py3-none-any.whl

context/agent/response_schemas/task_decomposition.json

@@ -0,0 +1,82 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "TaskDecomposition",
+  "description": "Schema for ICDEV multi-agent task decomposition DAG. Defines a workflow composed of subtasks assigned to specialized agents with explicit dependency edges for parallel execution.",
+  "type": "object",
+  "required": ["workflow_name", "subtasks"],
+  "additionalProperties": false,
+  "properties": {
+    "workflow_name": {
+      "type": "string",
+      "description": "Short kebab-case name for the workflow",
+      "pattern": "^[a-z0-9][a-z0-9-]*[a-z0-9]$",
+      "minLength": 3,
+      "maxLength": 64,
+      "examples": ["build-auth-module", "deploy-inventory-service", "modernize-payroll-app"]
+    },
+    "subtasks": {
+      "type": "array",
+      "description": "Ordered list of subtasks forming a DAG. Dependencies define execution order; independent subtasks execute in parallel.",
+      "minItems": 2,
+      "maxItems": 10,
+      "items": {
+        "type": "object",
+        "required": ["id", "agent_id", "skill_id", "description"],
+        "additionalProperties": false,
+        "properties": {
+          "id": {
+            "type": "string",
+            "description": "Unique kebab-case identifier for this subtask. Must be descriptive of the work performed.",
+            "pattern": "^[a-z0-9][a-z0-9-]*[a-z0-9]$",
+            "minLength": 3,
+            "maxLength": 48,
+            "examples": ["design-api", "implement-auth", "security-scan", "generate-ssp"]
+          },
+          "agent_id": {
+            "type": "string",
+            "description": "The agent responsible for executing this subtask.",
+            "enum": [
+              "orchestrator-agent",
+              "architect-agent",
+              "builder-agent",
+              "compliance-agent",
+              "security-agent",
+              "infra-agent",
+              "knowledge-agent",
+              "monitor-agent",
+              "mbse-agent",
+              "modernization-agent",
+              "requirements-analyst-agent",
+              "supply-chain-agent",
+              "simulation-agent"
+            ]
+          },
+          "skill_id": {
+            "type": "string",
+            "description": "The specific skill the agent should invoke for this subtask.",
+            "pattern": "^[a-z0-9][a-z0-9-]*[a-z0-9]$",
+            "minLength": 2,
+            "maxLength": 48,
+            "examples": ["api-design", "code-generation", "sast-scan", "ssp-generation", "aggregation"]
+          },
+          "description": {
+            "type": "string",
+            "description": "Clear description of what this subtask accomplishes, including expected inputs and outputs.",
+            "minLength": 10,
+            "maxLength": 500
+          },
+          "depends_on": {
+            "type": "array",
+            "description": "List of subtask IDs that must complete before this subtask can start. Empty array means no dependencies (can start immediately).",
+            "items": {
+              "type": "string",
+              "pattern": "^[a-z0-9][a-z0-9-]*[a-z0-9]$"
+            },
+            "uniqueItems": true,
+            "default": []
+          }
+        }
+      }
+    }
+  }
+}

context/agent/response_schemas/veto_decision.json

@@ -0,0 +1,40 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "VetoDecision",
+  "description": "Schema for domain authority veto check output. Defines whether a domain authority agent vetoes an output, the type of veto, evidence, and remediation recommendations.",
+  "type": "object",
+  "required": ["veto"],
+  "additionalProperties": false,
+  "properties": {
+    "veto": {
+      "type": "boolean",
+      "description": "Whether the authority agent vetoes the output"
+    },
+    "veto_type": {
+      "type": ["string", "null"],
+      "enum": ["hard", "soft", null],
+      "description": "Type of veto: hard (blocks, requires human override) or soft (warns, orchestrator can override)"
+    },
+    "reason": {
+      "type": ["string", "null"],
+      "description": "Specific reason for the veto, or null if no veto"
+    },
+    "evidence": {
+      "type": ["string", "null"],
+      "description": "Concrete evidence of the violation, or null if no veto"
+    },
+    "recommendations": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      },
+      "description": "List of specific fixes to resolve the issues found",
+      "default": []
+    },
+    "classification": {
+      "type": "string",
+      "default": "CUI",
+      "description": "Classification marking for this veto decision"
+    }
+  }
+}

context/agentic/__init__.py

@@ -0,0 +1,6 @@
+# CUI // SP-CTI
+# Controlled by: Department of Defense
+# CUI Category: CTI
+# Distribution: D
+# POC: ICDEV System Administrator
+# Package marker for PyPI distribution

context/agentic/architecture_patterns.md

@@ -0,0 +1,269 @@
+# [TEMPLATE: CUI // SP-CTI]
+
+# Architecture Patterns for Agentic Applications
+
+## Overview
+
+This document describes the architecture patterns used when ICDEV generates agentic child applications. These patterns ensure consistency, security, and compliance across all generated applications. Every pattern is enforced by the blueprint engine and verified during post-generation checks.
+
+Child applications are self-contained agentic systems with their own agents, memory, goals, and tools. They operate independently but can communicate back to the parent ICDEV instance via A2A protocol when a callback URL is configured.
+
+---
+
+## Pattern 1: GOTCHA Framework
+
+Every child application uses the 6-layer GOTCHA framework. This is non-negotiable — it is the structural foundation that separates probabilistic AI orchestration from deterministic tool execution.
+
+| Layer | Directory | Role in Child App |
+|-------|-----------|-------------------|
+| **Goals** | `goals/` | Process definitions — what to achieve, tool sequences, edge cases |
+| **Orchestration** | *(the AI)* | Read goal, select tools, apply args, reference context, handle errors |
+| **Tools** | `tools/` | Python scripts copied from ICDEV with path/port/db adaptations |
+| **Context** | `context/` | Static reference material: compliance catalogs, language profiles, tone |
+| **Hard Prompts** | `hardprompts/` | Reusable LLM instruction templates for common tasks |
+| **Args** | `args/` | YAML/JSON behavior settings that change behavior without editing code |
+
+**Rationale:** LLMs are probabilistic. Business logic must be deterministic. 90% accuracy per step compounds to ~59% over 5 steps. GOTCHA enforces separation of concerns so the AI orchestrates while tools execute reliably.
+
+**Enforcement:** The scaffolder generates all 6 directories. Post-generation verification checks that each contains at least one file. CLAUDE.md documents the framework for the child's AI orchestrator.
+
+---
+
+## Pattern 2: Agent Tiers
+
+Agents are organized into 3 tiers based on their role and criticality:
+
+### Tier 1: Core (Always Present)
+| Agent | Port Offset | Role |
+|-------|-------------|------|
+| Orchestrator | +0 | Task routing, workflow management, result aggregation |
+| Architect | +1 | ATLAS/M-ATLAS A/T phases, system design, technology selection |
+| Builder | +2 | TDD code generation (RED-GREEN-REFACTOR), scaffolding, lint, format |
+
+### Tier 2: Domain (Conditional — Based on Fitness Score)
+| Agent | Port Offset | Condition |
+|-------|-------------|-----------|
+| Compliance | +3 | `compliance_sensitivity >= 5` or ATO required |
+| Security | +4 | Always if compliance present; otherwise `integration_density >= 5` |
+| MBSE | +8 | `mbse_enabled = true` in user decisions |
+| Modernization | +9 | `modernization_enabled = true` (rare for new apps) |
+
+### Tier 3: Support (Always Present)
+| Agent | Port Offset | Role |
+|-------|-------------|------|
+| Knowledge | +6 | Self-healing patterns, failure analysis, recommendations |
+| Monitor | +7 | Log analysis, health checks, metrics, alerts |
+
+**Port calculation:** `child_port = icdev_base_port + port_offset + user_port_offset`
+
+Example: ICDEV Orchestrator is 8443. User offset is 1000. Child Orchestrator is 8443 + 0 + 1000 = 9443.
+
+**Agent cards:** Each agent publishes an Agent Card at `/.well-known/agent.json` describing its capabilities, skills, and A2A endpoint. Cards are generated during scaffolding and stored in `tools/agent/cards/<agent-name>.json`.
+
+---
+
+## Pattern 3: A2A Protocol
+
+Agent-to-agent communication uses JSON-RPC 2.0 over mutual TLS within a Kubernetes cluster.
+
+**Message format:**
+```json
+{
+  "jsonrpc": "2.0",
+  "method": "skill.execute",
+  "params": {
+    "skill_id": "code-generation",
+    "input": { "test_file": "/path/to/test.py" },
+    "context": { "project_id": "proj-123", "impact_level": "IL4" }
+  },
+  "id": "task-abc-123"
+}
+```
+
+**Security requirements:**
+- Mutual TLS with X.509 certificates (issued by cluster CA)
+- All capabilities dropped in container security context
+- Network policies restrict agent-to-agent traffic within namespace
+- Audit logging on every A2A message (NIST AU-2)
+
+**Parent callback:** If `parent_callback_url` is configured, the child Orchestrator can send status updates and request assistance from the parent ICDEV instance using the same A2A protocol.
+
+---
+
+## Pattern 4: Blueprint-Driven Generation
+
+A single blueprint JSON drives all generators. No hardcoded decisions exist in the generation code.
+
+**Blueprint structure:**
+```
+blueprint.json
+  ├── capability_map        # What to include
+  ├── agent_roster          # Which agents and their configs
+  ├── file_manifest         # What to copy and how to adapt
+  ├── csp_mcp_servers       # Cloud provider MCP servers
+  ├── db_schema             # Core + capability tables
+  ├── memory_config         # Memory system settings
+  ├── cicd_config           # Pipeline template and stages
+  ├── atlas_config          # ATLAS or M-ATLAS workflow
+  ├── gotcha_dirs           # Directory structure specification
+  ├── agent_ports           # Port assignments
+  └── classification        # CUI markings and encryption
+```
+
+**Rationale:** Centralized configuration prevents drift between generators. Every generator reads the blueprint, never makes assumptions. Changes to child app structure require only blueprint changes, not code changes.
+
+**Verification:** Post-generation, the blueprint hash is stored in `data/generation_summary.json`. Governance review validates the hash matches the generated output.
+
+---
+
+## Pattern 5: Copy-and-Adapt
+
+Tools are copied from ICDEV with text adaptations applied during scaffolding. ICDEV's own tools are the single source of truth — there is no separate template library.
+
+**Adaptations applied during copy:**
+- Port numbers remapped (ICDEV base -> child base + offset)
+- Database name/path updated (`data/icdev.db` -> `data/<name>.db`)
+- Import paths adjusted for child directory structure
+- CUI markings verified/applied
+- ICDEV-specific references stripped (generation tools, parent paths)
+
+**What is NOT copied:**
+- `tools/builder/agentic_fitness.py` (generation tool — grandchild prevention)
+- `tools/builder/app_blueprint.py` (generation tool — grandchild prevention)
+- Parent ICDEV configuration files
+- `.env` files (secrets are never copied)
+
+**Rationale:** Templates drift from reality. By copying actual working tools, child apps inherit battle-tested code. Adaptations are minimal and deterministic (string replacements, not logic changes).
+
+---
+
+## Pattern 6: Grandchild Prevention
+
+Child applications CANNOT generate their own child applications. This is enforced at three independent levels:
+
+**Level 1: Configuration Flag**
+The child app's `args/project_defaults.yaml` contains `agentic_generation: false`. The scaffolder checks this flag and refuses to run with `--agentic` if it is false.
+
+**Level 2: Scaffolder Stripping**
+Generation tools (`agentic_fitness.py`, `app_blueprint.py`) are excluded from the file manifest. The `--agentic` flag is not available in the child's scaffolder.
+
+**Level 3: CLAUDE.md Documentation**
+The child's CLAUDE.md explicitly states: "This application CANNOT generate child applications. Agentic generation is only available in the parent ICDEV system."
+
+**Rationale:** Uncontrolled proliferation of agentic systems creates security, compliance, and operational risks. Each generation layer adds configuration drift risk. Three independent enforcement levels ensure no single bypass can enable generation.
+
+---
+
+## Pattern 7: Minimal DB + Migration
+
+Child applications start with a minimal core database schema and expand via `migrate_add_capability()`.
+
+**Core tables (always present):**
+- `projects` — Project metadata
+- `agents` — Agent registry
+- `tasks` — Task tracking
+- `audit_trail` — Append-only audit log (immutable)
+
+**Capability tables (added per blueprint):**
+- Compliance: `nist_controls`, `compliance_assessments`, `poam_entries`
+- Security: `security_findings`, `vulnerability_scans`
+- MBSE: `sysml_elements`, `sysml_relationships`, `digital_thread_links`
+- Memory: `memory_entries`, `daily_logs`
+- Knowledge: `patterns`, `self_heal_history`
+
+**Rationale:** A child app that doesn't need MBSE shouldn't have 10 empty MBSE tables. Minimal core + capability migration keeps the database clean and schema understandable.
+
+---
+
+## Pattern 8: Dynamic CLAUDE.md
+
+The child application's CLAUDE.md is generated from a Jinja2 template that only includes documentation for capabilities present in the blueprint.
+
+**Template variables:**
+- `{{ agents }}` — List of agents with ports and roles
+- `{{ capabilities }}` — Enabled capabilities (compliance, mbse, etc.)
+- `{{ commands }}` — Available tool commands
+- `{{ databases }}` — Database tables with descriptions
+- `{{ classification }}` — Impact level and CUI marking rules
+- `{{ grandchild_prevention }}` — Always included
+
+**Rationale:** A child app's CLAUDE.md should be accurate and focused. Documenting tools that don't exist confuses the AI orchestrator and wastes context window tokens.
+
+---
+
+## Pattern 9: CSP MCP Integration
+
+Cloud Service Provider MCP servers are selected based on the child app's capabilities and cloud provider choice.
+
+**Selection logic:**
+```
+IF provider == "aws-govcloud":
+    INCLUDE aws-bedrock-mcp (LLM inference)
+    INCLUDE aws-s3-mcp (object storage)
+    IF compliance_enabled:
+        INCLUDE aws-securityhub-mcp
+    IF monitoring_enabled:
+        INCLUDE aws-cloudwatch-mcp
+
+IF provider == "azure":
+    INCLUDE azure-openai-mcp
+    INCLUDE azure-blob-mcp
+    ...
+```
+
+**Registry:** `context/agentic/csp_mcp_registry.yaml` contains the full mapping of capabilities to MCP servers per provider.
+
+**Rationale:** MCP servers are the child app's connection to cloud services. The blueprint selects only what's needed, avoiding unnecessary dependencies and reducing the attack surface.
+
+---
+
+## Pattern 10: Port Offset
+
+Child agents use ICDEV base ports + a configurable offset (default: 1000).
+
+**Default port assignments (with offset 1000):**
+
+| Agent | ICDEV Port | Child Port (offset 1000) |
+|-------|------------|--------------------------|
+| Orchestrator | 8443 | 9443 |
+| Architect | 8444 | 9444 |
+| Builder | 8445 | 9445 |
+| Compliance | 8446 | 9446 |
+| Security | 8447 | 9447 |
+| Infrastructure | 8448 | 9448 |
+| Knowledge | 8449 | 9449 |
+| Monitor | 8450 | 9450 |
+| MBSE | 8451 | 9451 |
+| Modernization | 8452 | 9452 |
+
+**Multiple children:** When generating multiple child apps from the same ICDEV instance, each should use a different offset (1000, 2000, 3000, etc.) to avoid port conflicts.
+
+**Rationale:** Port offsets allow ICDEV and child apps to coexist on the same host during development and testing without conflicts. In production K8s, each app has its own namespace and ports are internal.
+
+---
+
+## Pattern Summary
+
+| # | Pattern | Key Principle |
+|---|---------|---------------|
+| 1 | GOTCHA Framework | Separate AI orchestration from deterministic execution |
+| 2 | Agent Tiers | Core always present; domain conditional; support always present |
+| 3 | A2A Protocol | JSON-RPC 2.0 over mTLS for agent communication |
+| 4 | Blueprint-Driven | Single JSON drives all generation; no hardcoded decisions |
+| 5 | Copy-and-Adapt | ICDEV tools are the source of truth; adapt during copy |
+| 6 | Grandchild Prevention | 3-layer enforcement: config flag, scaffolder strip, CLAUDE.md |
+| 7 | Minimal DB | Core tables first; capabilities expand via migration |
+| 8 | Dynamic CLAUDE.md | Jinja2 template renders only present capabilities |
+| 9 | CSP MCP Integration | Cloud provider MCP servers selected per blueprint |
+| 10 | Port Offset | Child ports = ICDEV base + offset (default 1000) |
+
+---
+
+## Related Files
+
+- **Goal:** `goals/agentic_generation.md` — Workflow that uses these patterns
+- **Context:** `context/agentic/fitness_rubric.md` — Scoring rubric for fitness assessment
+- **Context:** `context/agentic/governance_baseline.md` — Governance requirements for child apps
+- **Context:** `context/agentic/capability_registry.yaml` — Capability definitions and dependencies
+- **Context:** `context/agentic/csp_mcp_registry.yaml` — Cloud provider MCP server mappings
+- **Tools:** `tools/builder/agentic_fitness.py`, `tools/builder/app_blueprint.py`, `tools/builder/scaffolder.py`

context/agentic/capability_registry.yaml

@@ -0,0 +1,223 @@
+# [TEMPLATE: CUI // SP-CTI]
+# Capability Registry - maps fitness scorecard dimensions to child app capabilities
+# Used by: tools/builder/app_blueprint.py
+capabilities:
+  core:
+    always_on: true
+    description: "Agent infrastructure, A2A protocol, audit trail"
+    source_dirs: ["tools/agent", "tools/a2a", "tools/audit"]
+    includes: ["tools/agent/*.py", "tools/a2a/*.py", "tools/audit/*.py", "args/agent_config.yaml", "args/cui_markings.yaml"]
+  compliance:
+    always_on: false
+    trigger: { dimension: "compliance_sensitivity", threshold: 6, or_flag: "ato_required" }
+    description: "Full 9-framework ATO compliance (NIST, FedRAMP, CMMC, CSSP, SbD, IV&V, OSCAL, eMASS, cATO)"
+    source_dirs: ["tools/compliance"]
+    includes:
+      - "tools/compliance/*.py"
+      - "tools/compliance/xacta/*.py"
+      - "tools/compliance/emass/*.py"
+      - "context/compliance/*.json"
+      - "context/compliance/*.md"
+      - "hardprompts/compliance/*.md"
+      - "args/security_gates.yaml"
+    db_tables:
+      - "compliance_controls"
+      - "project_controls"
+      - "ssp_documents"
+      - "poam_items"
+      - "stig_findings"
+      - "sbom_records"
+      - "fedramp_assessments"
+      - "cmmc_assessments"
+      - "oscal_artifacts"
+      - "cato_evidence"
+      - "cssp_assessments"
+      - "ivv_assessments"
+      - "sbd_assessments"
+  security:
+    always_on: false
+    trigger: { overall_score_minimum: 5, or_flag: "security_required" }
+    description: "SAST, dependency audit, secret detection, container scanning"
+    source_dirs: ["tools/security"]
+    includes: ["tools/security/*.py"]
+  mbse:
+    always_on: false
+    trigger: { flag: "mbse_enabled" }
+    description: "SysML parsing, DOORS NG, digital thread, model-code sync, DES compliance"
+    source_dirs: ["tools/mbse"]
+    includes: ["tools/mbse/*.py", "context/mbse/*.md"]
+    db_tables:
+      - "sysml_elements"
+      - "sysml_relationships"
+      - "doors_requirements"
+      - "digital_thread_links"
+      - "model_imports"
+      - "model_snapshots"
+      - "model_code_mappings"
+      - "des_compliance"
+  cicd:
+    always_on: true
+    description: "GitHub + GitLab CI/CD integration with webhooks and polling"
+    source_dirs: ["tools/ci"]
+    includes: ["tools/ci/**/*.py", ".claude/commands/*.md"]
+  testing:
+    always_on: true
+    description: "7-step test pipeline (py_compile, ruff, pytest, behave, bandit, playwright, gates)"
+    source_dirs: ["tools/testing"]
+    includes: ["tools/testing/*.py"]
+  dashboard:
+    always_on: false
+    trigger: { dimension: "user_interaction", threshold: 4 }
+    description: "Flask web dashboard for project status and monitoring"
+    source_dirs: ["tools/dashboard"]
+    includes: ["tools/dashboard/*.py", "tools/dashboard/templates/*.html", "tools/dashboard/static/**"]
+  knowledge:
+    always_on: true
+    description: "Pattern detection, self-healing, recommendations, monitoring"
+    source_dirs: ["tools/knowledge", "tools/monitor"]
+    includes: ["tools/knowledge/*.py", "tools/monitor/*.py"]
+  memory:
+    always_on: true
+    description: "Full memory system (MEMORY.md, logs, SQLite, semantic search, embeddings)"
+    source_dirs: ["tools/memory"]
+    includes: ["tools/memory/*.py", "memory/MEMORY.md"]
+    db_tables: ["memory_entries", "daily_logs", "memory_access_log"]
+  infrastructure:
+    always_on: true
+    description: "Terraform, Ansible, K8s, pipeline generation"
+    source_dirs: ["tools/infra"]
+    includes: ["tools/infra/*.py", "k8s/*.yaml", "docker/Dockerfile.*"]
+  maintenance:
+    always_on: true
+    description: "Dependency scanning, vulnerability checking, auto-remediation"
+    source_dirs: ["tools/maintenance"]
+    includes: ["tools/maintenance/*.py"]
+  modernization:
+    always_on: false
+    trigger: { never: true }
+    description: "Excluded from child apps — legacy modernization stays in parent ICDEV"
+    source_dirs: []
+    note: "Child apps do not include modernization. Use A2A callback to parent ICDEV."
+  # D-CHILD-1: Enterprise capabilities added in Phase 62
+  ricoas:
+    always_on: false
+    trigger: { dimension: "compliance_sensitivity", threshold: 7, or_flag: "ricoas_enabled" }
+    description: "Requirements intake, gap detection, SAFe decomposition, readiness scoring"
+    source_dirs: ["tools/requirements"]
+    includes: ["tools/requirements/*.py", "args/ricoas_config.yaml"]
+  supply_chain:
+    always_on: false
+    trigger: { follows: "ricoas" }
+    description: "Dependency graph, SBOM aggregation, ISA lifecycle, CVE triage, SCRM"
+    source_dirs: ["tools/supply_chain"]
+    includes: ["tools/supply_chain/*.py"]
+  simulation:
+    always_on: false
+    trigger: { follows: "ricoas" }
+    description: "Digital Program Twin, 6-dimension what-if simulation, Monte Carlo, COA generation"
+    source_dirs: ["tools/simulation"]
+    includes: ["tools/simulation/*.py"]
+  devsecops_zta:
+    always_on: false
+    trigger: { dimension: "compliance_sensitivity", threshold: 6, or_flag: "devsecops_enabled" }
+    description: "DevSecOps pipeline security, Zero Trust (NIST 800-207), policy-as-code, ZTA maturity"
+    source_dirs: ["tools/devsecops"]
+    includes: ["tools/devsecops/*.py", "args/devsecops_config.yaml", "args/zta_config.yaml"]
+  ai_security:
+    always_on: false
+    trigger: { overall_score_minimum: 5, or_flag: "ai_security_required" }
+    description: "Prompt injection detection, AI telemetry, ATLAS red teaming, AI BOM, OWASP LLM"
+    source_dirs: ["tools/security"]
+    includes: ["tools/security/prompt_injection_detector.py", "tools/security/ai_telemetry_logger.py", "tools/security/atlas_red_team.py", "tools/security/ai_bom_generator.py"]
+  ai_governance:
+    always_on: false
+    trigger: { flag: "ai_governance_enabled" }
+    description: "AI oversight plans, CAIO registry, appeals, incidents, ethics reviews, reassessment"
+    source_dirs: []
+    includes: ["tools/compliance/accountability_manager.py", "tools/compliance/ai_impact_assessor.py", "args/ai_governance_config.yaml"]
+  observability:
+    always_on: false
+    trigger: { overall_score_minimum: 4 }
+    description: "Distributed tracing (OTel+SQLite), W3C PROV-AGENT provenance, AgentSHAP, XAI"
+    source_dirs: ["tools/observability"]
+    includes: ["tools/observability/**/*.py", "args/observability_tracing_config.yaml"]
+  code_intelligence:
+    always_on: false
+    trigger: { overall_score_minimum: 5, or_flag: "code_intelligence_enabled" }
+    description: "AST code quality metrics, smell detection, maintainability scoring, runtime feedback"
+    source_dirs: ["tools/analysis"]
+    includes: ["tools/analysis/*.py", "args/code_quality_config.yaml"]
+  rag:
+    always_on: false
+    trigger: { flag: "rag_enabled" }
+    description: "Universal RAG: vector store ABC (SQLite/ChromaDB/FAISS), adaptive chunking, two-stage retrieval, auto-inject into two-tier LLM"
+    source_dirs: ["tools/rag"]
+    includes: ["tools/rag/*.py", "args/rag_config.yaml", "context/rag/*.json", "hardprompts/rag_rerank.md"]
+    db_tables: ["rag_chunks", "rag_ingestion_log", "rag_retrieval_log", "rag_parent_cache"]
+  fine_tuning:
+    always_on: false
+    trigger: { flag: "fine_tuning_enabled" }
+    follows: "rag"
+    description: "QLoRA fine-tuning: dataset management, labeling, training (Unsloth/OpenAI/Bedrock/Azure), GGUF export, BLEU/ROUGE-L/perplexity evaluation, auto-promotion, LLM router override (D-FT-1 through D-FT-22)"
+    source_dirs: ["tools/finetune"]
+    includes: ["tools/finetune/*.py", "args/finetune_config.yaml"]
+    db_tables: ["ft_datasets", "ft_dataset_examples", "ft_training_jobs", "ft_training_job_events", "ft_model_versions", "ft_active_models", "ft_evaluations", "ft_promotion_log", "ft_hyperparam_results"]
+  orchestration:
+    always_on: true
+    description: "Prompt chains, dispatcher mode, session purpose, ATLAS adversarial critique"
+    source_dirs: []
+    includes: ["tools/agent/prompt_chain_executor.py", "tools/agent/dispatcher_mode.py", "tools/agent/session_purpose.py", "tools/agent/atlas_critique.py", "args/prompt_chains.yaml", "args/atlas_critique_config.yaml"]
+    db_tables: ["atlas_critique_sessions", "atlas_critique_findings", "prompt_chain_executions", "dispatcher_mode_overrides", "session_purposes"]
+  govcon:
+    always_on: false
+    trigger: { never: true }
+    description: "Parent-only — GovProposal/CPMP/GovCon (D-CHILD-3)"
+    source_dirs: []
+    note: "Never included in child apps. GovCon is a parent-only capability."
+
+# Agent definitions — core agents always included, conditional depend on capabilities
+agents:
+  core:
+    - { name: orchestrator, base_port: 8443, role: "Task routing, workflow management" }
+    - { name: architect, base_port: 8444, role: "ATLAS A/T phases, system design" }
+    - { name: builder, base_port: 8445, role: "TDD code gen (RED->GREEN->REFACTOR)" }
+    - { name: knowledge, base_port: 8449, role: "Self-healing patterns, recommendations" }
+    - { name: monitor, base_port: 8450, role: "Log analysis, metrics, alerts, health checks" }
+  conditional:
+    - { name: compliance, base_port: 8446, role: "ATO artifacts, 9-framework compliance", requires_capability: "compliance" }
+    - { name: security, base_port: 8447, role: "SAST, dep audit, secret detection", requires_capability: "security" }
+    - { name: requirements_analyst, base_port: 8453, role: "Conversational intake, gap detection, SAFe decomposition", requires_capability: "ricoas" }
+    - { name: supply_chain, base_port: 8454, role: "Dependency graph, SBOM aggregation, CVE triage", requires_capability: "supply_chain" }
+    - { name: simulation, base_port: 8455, role: "Digital Program Twin, Monte Carlo, COA generation", requires_capability: "simulation" }
+    - { name: devsecops_zta, base_port: 8457, role: "DevSecOps pipeline security, Zero Trust, policy-as-code", requires_capability: "devsecops_zta" }
+
+# Essential goals — always copied to child apps regardless of scorecard
+essential_goals:
+  - build_app
+  - tdd_workflow
+  - compliance_workflow
+  - security_scan
+  - deploy_workflow
+  - monitoring
+  - self_healing
+  - agent_management
+  - integration_testing
+  - maintenance_audit
+  - requirements_intake
+  - boundary_supply_chain
+  - simulation_engine
+  - devsecops_workflow
+  - zero_trust_architecture
+  - mosa_workflow
+  - observability_traceability_xai
+  - ai_transparency
+  - ai_accountability
+  - owasp_agentic_security
+  - code_intelligence
+
+# Grandchild prevention (D28) — 3-layer mechanism to block recursive self-replication
+grandchild_prevention:
+  config_flag: true
+  scaffolder_strip: true
+  claude_md_doc: true
+  note: "3-layer prevention: config flag + scaffolder stripping + CLAUDE.md documentation"

context/agentic/csp_integration.md

@@ -0,0 +1,30 @@
+# CSP Integration — sparkpilot
+
+## Cloud Provider: AWS
+- **Region:** us-gov-west-1
+- **GovCloud:** No
+
+## Available MCP Servers
+
+| Server | Category | Description |
+|--------|----------|-------------|
+| @aws/core-mcp-server | core | Core AWS service operations |
+| @aws/aws-api-mcp-server | core | AWS API operations |
+| @aws/cdk-mcp-server | iac | AWS CDK infrastructure as code |
+| @aws/terraform-mcp-server | iac | Terraform for AWS |
+| @aws/cloudformation-mcp-server | iac | CloudFormation stack management |
+| @aws/iam-mcp-server | security | IAM policy and role management |
+| @aws/well-architected-security-mcp-server | security | Well-Architected security review |
+| @aws/cloudwatch-mcp-server | monitoring | CloudWatch metrics and logs |
+| @aws/cloudtrail-mcp-server | monitoring | CloudTrail audit logging |
+| @aws/cost-explorer-mcp-server | monitoring | Cost analysis and optimization |
+| @aws/aws-documentation-mcp-server | docs | AWS documentation search |
+| @aws/aws-knowledge-mcp-server | docs | AWS knowledge base queries |
+
+## Usage
+
+These MCP servers are configured in `.mcp.json` and available to Claude Code.
+Use them for cloud-native operations specific to the target deployment environment.
+
+For capabilities not available via AWS MCP servers, use the A2A
+callback to parent ICDEV.