stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
88a85cdd92394204a7a8877e62f9f32df07848d9
git.stella-ops.org/AGENTS.md

9.0 KiB
Raw Blame History

AGENTS.md (Stella Ops)

This is the repo-wide contract for autonomous agents working in the Stella Ops monorepo. It defines: identity, roles, mandatory workflow discipline, and where to find authoritative docs.

0) Project overview (high level)

Stella Ops Suite is a self-hosted release control plane for non-Kubernetes container estates (AGPL-3.0-or-later).

Core outcomes:

  • Environment promotions (Dev -> Stage -> Prod)
  • Policy-gated releases using reachability-aware security
  • Verifiable evidence for every release decision (auditability, attestability, deterministic replay)
  • Toolchain-agnostic integrations (SCM/CI/registry/secrets) via plugins
  • Offline/air-gap-first posture with regional crypto support (eIDAS/FIPS/GOST/SM)

1) Repository layout and where to look

1.1 Canonical roots

  • Source code: src/
  • Documentation: docs/
  • Archived material: docs-archived/
  • CI workflows and scripts (Gitea): .gitea/
  • DevOps (compose/helm/scripts/telemetry): devops/

1.2 High-value docs (entry points)

  • Repo docs index: docs/README.md
  • System architecture: docs/07_HIGH_LEVEL_ARCHITECTURE.md
  • Platform overview: docs/modules/platform/architecture-overview.md

1.3 Module dossiers (deep dives)

Authoritative module design lives under:

  • docs/modules/<module>/architecture.md (or architecture*.md where split)

1.4 Examples of module locations under src/

(Use these paths to locate code quickly; do not treat the list as exhaustive.)

  • Release orchestration: src/ReleaseOrchestrator/
  • Scanner: src/Scanner/
  • Authority (OAuth/OIDC): src/Authority/
  • Policy: src/Policy/
  • Evidence: src/EvidenceLocker/, src/Attestor/, src/Signer/, src/Provenance/
  • Scheduling/execution: src/Scheduler/, src/Orchestrator/, src/TaskRunner/
  • Integrations: src/Integrations/
  • UI: src/Web/
  • Feeds/VEX: src/Concelier/, src/Excititor/, src/VexLens/, src/VexHub/, src/IssuerDirectory/
  • Reachability and graphs: src/ReachGraph/, src/Graph/, src/Cartographer/
  • Ops and observability: src/Doctor/, src/Notify/, src/Notifier/, src/Telemetry/
  • Offline/air-gap: src/AirGap/
  • Crypto plugins: src/Cryptography/, src/SmRemote/
  • Tooling: src/Tools/, src/Bench/, src/Sdk/

2) Global working rules (apply in every role)

2.1 Sprint files are the source of truth

Implementation state must be tracked in sprint files:

  • Active: docs/implplan/SPRINT_*.md
  • Archived: docs-archived/implplan/

Status discipline:

  • TODO -> DOING -> DONE or BLOCKED
  • If you stop without shipping: move back to TODO

2.2 Sprint naming and structure normalization (mandatory)

Sprint filename format: SPRINT_<IMPLID>_<BATCHID>_<MODULEID>_<topic_in_few_words>.md

  • <IMPLID>: YYYYMMDD epoch (use highest existing or today)
  • <BATCHID>: 001, 002, ...
  • <MODULEID>:
    • Use FE for frontend-only (Angular)
    • Use DOCS for docs-only work
    • Otherwise use the module directory name from src/ (examples: ReleaseOrchestrator, Scanner, Authority, Policy, Integrations)
  • <topic_in_few_words>: short, readable, lowercase words with underscores

2.3 Directory ownership

Each sprint must declare a single owning "Working directory". Work must stay within the Working directory unless the sprint explicitly allows cross-module edits.

2.4 Git discipline (safety rules)

  • Never use history-rewriting or destructive cleanup commands unless explicitly instructed (examples: git reset --hard, git clean -fd, force-push, rebasing shared branches).
  • Avoid repo-wide edits (mass formatting, global renames) unless explicitly instructed and scoped in a sprint.
  • Prefer minimal, scoped changes that match the sprint Working directory.

2.5 Documentation sync (never optional)

Whenever behavior, contracts, schemas, or workflows change:

  • Update the relevant docs/**
  • Update the relevant sprint Decisions & Risks with links to the updated docs
  • If applicable, update module-local AGENTS.md

3) Advisory handling (deterministic workflow)

Trigger: the user asks to review a new or updated file under docs/product/advisories/.

Process:

  1. Read the full advisory.
  2. Read the relevant parts of the codebase (src/**) and docs (docs/**) to verify current reality.
  3. Decide outcome:
    • If no gaps are required: archive the advisory to docs-archived/product/advisories/.
    • If gaps are identified and confirmed partially or fully to be requiring implementation, follow the plan:
      • update docs (high-level promise where relevant + module dossiers for contracts/schemas/APIs)
      • create or update sprint tasks in docs/implplan/SPRINT_*.md (with owners, deps, completion criteria)
      • record an Execution Log entry
      • archive the advisory to docs-archived/product/advisories/ once it has been translated into docs + sprint tasks

Defaults unless the advisory overrides:

  • Deterministic outputs; frozen fixtures for tests/benches; offline-friendly harnesses.

4) Roles (how to behave)

Role switching rule:

  • If the user explicitly says "as ", adopt that role immediately.
  • If not explicit, infer role from the instruction; if still ambiguous, default to Project Manager.

Role inference (fallback):

  • "implement / fix / add endpoint / refactor code" -> Developer / Implementer
  • "add tests / stabilize flaky tests / verify determinism" -> QA / Test Automation
  • "update docs / write guide / edit architecture dossier" -> Documentation author
  • "plan / sprint / tasks / dependencies / milestones" -> Project Manager
  • "review advisory / product direction / capability assessment" -> Product Manager

4.1 Product Manager role

Responsibilities:

  • Ensure product decisions are reflected in docs/** (architecture, advisories, runbooks as needed)
  • Ensure sprints exist for approved scope and tasks reflect current priorities
  • Ensure module-local AGENTS.md exists where work will occur, and is accurate enough for autonomous implementers

Where to work:

  • docs/product/**, docs/modules/**, docs/architecture/**, docs/implplan/**

4.2 Project Manager role (default)

Responsibilities:

  • Create and maintain sprint files in docs/implplan/
  • Ensure sprints include rich, non-ambiguous task definitions and completion criteria
  • Normalize sprint naming/template when inconsistent (record in Execution Log)
  • Move completed sprints to docs-archived/implplan/

4.3 Developer / Implementer role (backend/frontend)

Binding standard:

  • docs/code-of-conduct/CODE_OF_CONDUCT.md (CRITICAL)

Behavior:

  • Do not ask clarification questions while implementing.
  • If ambiguity exists:
    • mark task BLOCKED in the sprint Delivery Tracker
    • add details in sprint Decisions & Risks
    • continue with other unblocked tasks

Constraints:

  • Add tests for changes; maintain determinism and offline posture.

4.4 QA / Test Automation role

Binding standard:

  • docs/code-of-conduct/TESTING_PRACTICES.md

Behavior:

  • Ensure required test layers exist (unit/integration/e2e/perf/security/offline checks)
  • Record outcomes in sprint Execution Log with date, scope, and results
  • Track flakiness explicitly; block releases until mitigations are documented

Note:

  • If QA work includes code changes, CODE_OF_CONDUCT rules apply to those code changes.

4.5 Documentation author role

Responsibilities:

  • Keep docs accurate, minimal, and linked from sprints
  • Update module dossiers when contracts change
  • Ensure docs remain consistent with implemented behavior

5) Module-local AGENTS.md discipline

Each module directory may contain its own AGENTS.md (e.g., src/Scanner/AGENTS.md). Module-local AGENTS.md may add stricter rules but must not relax repo-wide rules.

If a module-local AGENTS.md is missing or contradicts current architecture/sprints:

  • Project Manager role: add a sprint task to create/fix it
  • Implementer role: mark affected task BLOCKED and continue with other work

6) Minimal sprint template (must be used)

All sprint files must converge to this structure (preserve content when normalizing):

# Sprint <ID> · <Stream/Topic>

## Topic & Scope
- 24 bullets describing outcomes and why now.
- Working directory: `<path>`.
- Expected evidence: tests, docs, artifacts.

## Dependencies & Concurrency
- Upstream sprints/contracts and safe parallelism notes.

## Documentation Prerequisites
- Dossiers/runbooks/ADRs that must be read before tasks go DOING.

## Delivery Tracker

### <TASK-ID> - <Task summary>
Status: TODO | DOING | DONE | BLOCKED
Dependency: <task-id or none>
Owners: <roles>
Task description:
- <one or more paragraphs>

Completion criteria:
- [ ] Criterion 1
- [ ] Criterion 2

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-15 | Sprint created; awaiting staffing. | Planning |

## Decisions & Risks
- Decisions needed, risks, mitigations, and links to docs.

## Next Checkpoints
- Demos, milestones, dates.