diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md new file mode 100644 index 0000000..7c972f2 --- /dev/null +++ b/.claude/CLAUDE.md @@ -0,0 +1,63 @@ + +# Claude Code repository contract + +## Scope + +- GDS repository ID: `repo_01KX8PR71HN6XNJ3VN5SQCB0TF`. +- Roles: `module`. +- Canonical repository facts: `.gds/repository.yaml`. +- Applied policy bundle: `.gds/bundle.lock.yaml` (`0.1.0-dev`). +- This is a first-class Claude Code projection compiled from the same typed + inputs as `AGENTS.md`; neither projection is a manual policy source. + +## Repository boundaries + +- Treat this Git repository as one independent mutation boundary. +- Preserve unrelated dirty changes, branches, worktrees, and submodules. +- Run `gds context --json` before work crosses repository boundaries. +- Do not edit generated projections; change the declared canonical input and + regenerate. + +## Safety + +- External writes require explicit approval: `true`. +- Generated projection edits: `forbidden`. +- Private parent context persistence: `forbidden`. +- Visibility: `public`; data: `public`. + +## Verification commands + +- No repository-owned verification command is declared; report it as + `NOT_PROVEN`. + +## Claude workflow routing + +- Active skill profiles: `core, module`. +- Load procedural detail from the applicable installed GDS skill projection or + plugin only when the task matches it. +- Destructive workflows remain explicit-only and still require their concrete + plan and approval gates. +- Treat documentation and Serena memories as derived evidence, never mutation + authority. + +## Done + +- Required checks pass or are explicitly reported `NOT_PROVEN`. +- Every affected Git boundary and remote result is classified. +- No secret, private-context leak, unrelated change, or unapproved projection + drift is introduced. diff --git a/.gds/bundle.lock.yaml b/.gds/bundle.lock.yaml new file mode 100644 index 0000000..5b22b19 --- /dev/null +++ b/.gds/bundle.lock.yaml @@ -0,0 +1,20 @@ +# GENERATED FILE - DO NOT EDIT DIRECTLY +schema_version: 1 + +bundle: + version: "0.1.0-dev" + release_sequence: 0 + channel: "development" + source_commit: "06dd4355b03d600bbf40eee21e86fb9e424d42c5" + digest: "sha256:82c50767f8891f2235905270a8f3f98fa10f56a2d5aac1db768f3f8b522606b7" + +projection: + input_digest: "sha256:229eda43354f1690ccec8d8070eb8392b3072c1ab9ff80b451ce500a5d8867cb" + output_digest: "sha256:701ff062593f8e74e75e290c12ab20bee00aed5cf63195d5df7f783b8194d000" + files: + - path: ".claude/CLAUDE.md" + digest: "sha256:b62ac7223e22c7618e349f85c069993e529796af30b925182c04d25e7aaecc30" + - path: ".gds/compiled-policy.json" + digest: "sha256:226b256afbe7b17f854ee3260e5d7a858cbb67f478c94525ceb7a656fa473f08" + - path: "AGENTS.md" + digest: "sha256:24a10b8af5fc20a4e5209b768c6c78dfd07c96b3a6028e2aff159abf18ed32ea" diff --git a/.gds/compiled-policy.json b/.gds/compiled-policy.json new file mode 100644 index 0000000..4a457de --- /dev/null +++ b/.gds/compiled-policy.json @@ -0,0 +1,468 @@ +{ + "schema_version": 1, + "compiled_policy": { + "repository_id": "repo_01KX8PR71HN6XNJ3VN5SQCB0TF", + "bundle_version": "0.1.0-dev", + "digest": "sha256:5fca177339e8c6da97053eda3688758a6d039a08d03a93f56a1c97ee47abe6e1" + }, + "sources": [ + { + "id": "repository-default", + "tier": "base", + "priority": 100, + "distribution": "public", + "path": "policies/base/repository-default.yaml", + "digest": "sha256:90d112ae49f4c44ebce3b749d543660548214061128926d3d6d11ba02827a414" + }, + { + "id": "organization-default", + "tier": "owner", + "priority": 100, + "distribution": "public", + "path": "policies/owners/organization-default.yaml", + "digest": "sha256:fe271769a3e50404a5073ca6d045ad19f784069e7d6fdceab80254c06781ed55" + }, + { + "id": "public-module", + "tier": "role", + "priority": 100, + "distribution": "public", + "path": "policies/roles/public-module.yaml", + "digest": "sha256:ece6164691eda262e2692f97bd70262ea98c268084900b3f285f3d50f3767200" + } + ], + "effective": { + "agent": { + "generated_projection_edit": "forbidden", + "profiles": [ + "core", + "module" + ] + }, + "context": { + "private_parent_persistence": "forbidden" + }, + "git": { + "branch_cleanup": "merged-only", + "default_branch": "main", + "integration": "pull-request" + }, + "github": { + "actions": { + "allowed_actions": { + "management": "managed", + "value": "selected" + }, + "enabled": { + "management": "managed", + "value": true + }, + "selected_actions": { + "management": "managed", + "value": { + "github_owned_allowed": true, + "patterns_allowed": [ + "NDDev-it-com/nddev-ci-workflows/.github/workflows/*@*" + ], + "verified_allowed": false + } + }, + "sha_pinning_required": { + "management": "managed", + "value": true + } + }, + "merge": { + "allow_auto_merge": { + "management": "managed", + "value": false + }, + "allow_merge_commit": { + "management": "managed", + "value": false + }, + "allow_rebase_merge": { + "management": "managed", + "value": false + }, + "allow_squash_merge": { + "management": "managed", + "value": true + }, + "allow_update_branch": { + "management": "managed", + "value": true + }, + "delete_branch_on_merge": { + "management": "managed", + "value": true + }, + "merge_commit_message": { + "management": "observed" + }, + "merge_commit_title": { + "management": "observed" + }, + "squash_merge_commit_message": { + "management": "managed", + "value": "PR_BODY" + }, + "squash_merge_commit_title": { + "management": "managed", + "value": "PR_TITLE" + } + }, + "rulesets": { + "management": "observed" + }, + "security": { + "management": "observed" + }, + "workflow": { + "can_approve_pull_request_reviews": { + "management": "managed", + "value": false + }, + "default_workflow_permissions": { + "management": "managed", + "value": "read" + } + } + }, + "release": { + "compatibility_contract_required": true + }, + "rollout": { + "mode": "pull-request" + }, + "security": { + "external_write_requires_approval": true, + "public_projection_scan": "required", + "secrets_in_repository": "forbidden" + } + }, + "provenance": { + "/effective/agent/generated_projection_edit": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/agent/profiles/0": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "append" + }, + "/effective/agent/profiles/1": { + "source": "public-module", + "tier": "role", + "priority": 100, + "file": "policies/roles/public-module.yaml", + "operation": "append" + }, + "/effective/context/private_parent_persistence": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/git/branch_cleanup": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/git/default_branch": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/git/integration": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/actions/allowed_actions/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/actions/allowed_actions/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/actions/enabled/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/actions/enabled/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/actions/selected_actions/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/actions/selected_actions/value/github_owned_allowed": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/actions/selected_actions/value/patterns_allowed/0": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/actions/selected_actions/value/verified_allowed": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/actions/sha_pinning_required/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/actions/sha_pinning_required/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/allow_auto_merge/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/allow_auto_merge/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/allow_merge_commit/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/allow_merge_commit/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/allow_rebase_merge/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/allow_rebase_merge/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/allow_squash_merge/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/allow_squash_merge/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/allow_update_branch/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/allow_update_branch/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/delete_branch_on_merge/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/delete_branch_on_merge/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/merge_commit_message/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/merge_commit_title/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/squash_merge_commit_message/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/squash_merge_commit_message/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/squash_merge_commit_title/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/squash_merge_commit_title/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/rulesets/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/security/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/workflow/can_approve_pull_request_reviews/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/workflow/can_approve_pull_request_reviews/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/workflow/default_workflow_permissions/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/workflow/default_workflow_permissions/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/release/compatibility_contract_required": { + "source": "public-module", + "tier": "role", + "priority": 100, + "file": "policies/roles/public-module.yaml", + "operation": "set" + }, + "/effective/rollout/mode": { + "source": "organization-default", + "tier": "owner", + "priority": 100, + "file": "policies/owners/organization-default.yaml", + "operation": "set" + }, + "/effective/security/external_write_requires_approval": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/security/public_projection_scan": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/security/secrets_in_repository": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + } + } +} diff --git a/.gds/repository.yaml b/.gds/repository.yaml new file mode 100644 index 0000000..9dffcd8 --- /dev/null +++ b/.gds/repository.yaml @@ -0,0 +1,56 @@ +schema_version: 1 + +repository: + id: "repo_01KX8PR71HN6XNJ3VN5SQCB0TF" + display_name: "nddev-zcode-app" + roles: + - "module" + lifecycle: "active" + +provider: + type: "github" + installation: "installation:github-organization" + repository_id: 1294157382 + owner: "NDDev-it-com" + name: "nddev-zcode-app" + +classification: + portfolios: + - "portfolio:organization-projects" + - "portfolio:public-modules" + visibility_contract: "public" + data_classification: "public" + +policy: + profiles: + - "repository-default" + - "organization-default" + - "public-module" + rollout_ring: "canary-modules" + +git: + default_branch: "main" + integration: "pull-request" + branch_model: "task-branches" + handoff_pr: "preferred" + cleanup: "merged-only" + +agent: + context_profile: "public-module" + generated_agents: true + serena: + enabled: false + provenance_required: false + +module: + contract: "public" + consumption: + - "git-submodule" + compatibility: "semver" + pin_policy: "default-branch-commit" + publication: + registry: "none" + github_release: "required" + +release: + mode: "github-release" diff --git a/AGENTS.md b/AGENTS.md new file mode 100644 index 0000000..ca0f2c1 --- /dev/null +++ b/AGENTS.md @@ -0,0 +1,55 @@ + +# GDS repository contract + +## Scope + +- Repository ID: `repo_01KX8PR71HN6XNJ3VN5SQCB0TF`. +- Roles: `module`. +- Canonical repository facts: `.gds/repository.yaml`. +- Applied bundle: `.gds/bundle.lock.yaml` (`0.1.0-dev`). +- Compiled policy: `.gds/compiled-policy.json`. + +## Boundaries + +- This Git repository is one independent mutation boundary. +- Preserve unrelated branches, worktrees, submodules, and dirty changes. +- Resolve cross-repository work with `gds context --json` before acting. +- Generated files are projections; change their canonical inputs and regenerate. + +## Safety + +- External writes require explicit approval: `true`. +- Generated projection edits: `forbidden`. +- Private parent context persistence: `forbidden`. +- Visibility contract: `public`; data classification: `public`. + +## Development + +- No repository-owned verification command is declared; report it as `NOT_PROVEN`. + +## Agent routing + +- Active skill profiles: `core, module`. +- Use on-demand skills for procedures; do not duplicate them here. +- Treat docs and memories as derived evidence, not mutation authority. + +## Done + +- Required verification is complete or explicitly `NOT_PROVEN`. +- Git state and every affected repository boundary are classified. +- No private data, secret, or unapproved generated drift is introduced.