From cc3bbd255a91193d5fa564544f246293937bd1d8 Mon Sep 17 00:00:00 2001 From: Danil Silantyev Date: Sat, 11 Jul 2026 21:05:46 +0700 Subject: [PATCH 1/5] chore(gds): add repository anchor --- .gds/repository.yaml | 56 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 .gds/repository.yaml diff --git a/.gds/repository.yaml b/.gds/repository.yaml new file mode 100644 index 0000000..9dffcd8 --- /dev/null +++ b/.gds/repository.yaml @@ -0,0 +1,56 @@ +schema_version: 1 + +repository: + id: "repo_01KX8PR71HN6XNJ3VN5SQCB0TF" + display_name: "nddev-zcode-app" + roles: + - "module" + lifecycle: "active" + +provider: + type: "github" + installation: "installation:github-organization" + repository_id: 1294157382 + owner: "NDDev-it-com" + name: "nddev-zcode-app" + +classification: + portfolios: + - "portfolio:organization-projects" + - "portfolio:public-modules" + visibility_contract: "public" + data_classification: "public" + +policy: + profiles: + - "repository-default" + - "organization-default" + - "public-module" + rollout_ring: "canary-modules" + +git: + default_branch: "main" + integration: "pull-request" + branch_model: "task-branches" + handoff_pr: "preferred" + cleanup: "merged-only" + +agent: + context_profile: "public-module" + generated_agents: true + serena: + enabled: false + provenance_required: false + +module: + contract: "public" + consumption: + - "git-submodule" + compatibility: "semver" + pin_policy: "default-branch-commit" + publication: + registry: "none" + github_release: "required" + +release: + mode: "github-release" From b1ad408aea11eb5e94ec5e5f845ab00c0fabee73 Mon Sep 17 00:00:00 2001 From: Danil Silantyev Date: Sat, 11 Jul 2026 21:11:02 +0700 Subject: [PATCH 2/5] chore(gds): materialize repository projections --- .claude/CLAUDE.md | 63 +++++ .gds/bundle.lock.yaml | 20 ++ .gds/compiled-policy.json | 468 ++++++++++++++++++++++++++++++++++++++ AGENTS.md | 55 +++++ 4 files changed, 606 insertions(+) create mode 100644 .claude/CLAUDE.md create mode 100644 .gds/bundle.lock.yaml create mode 100644 .gds/compiled-policy.json create mode 100644 AGENTS.md diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md new file mode 100644 index 0000000..6cbfaa5 --- /dev/null +++ b/.claude/CLAUDE.md @@ -0,0 +1,63 @@ + +# Claude Code repository contract + +## Scope + +- GDS repository ID: `repo_01KX8PR71HN6XNJ3VN5SQCB0TF`. +- Roles: `module`. +- Canonical repository facts: `.gds/repository.yaml`. +- Applied policy bundle: `.gds/bundle.lock.yaml` (`0.1.0-dev`). +- This is a first-class Claude Code projection compiled from the same typed + inputs as `AGENTS.md`; neither projection is a manual policy source. + +## Repository boundaries + +- Treat this Git repository as one independent mutation boundary. +- Preserve unrelated dirty changes, branches, worktrees, and submodules. +- Run `gds context --json` before work crosses repository boundaries. +- Do not edit generated projections; change the declared canonical input and + regenerate. + +## Safety + +- External writes require explicit approval: `true`. +- Generated projection edits: `forbidden`. +- Private parent context persistence: `forbidden`. +- Visibility: `public`; data: `public`. + +## Verification commands + +- No repository-owned verification command is declared; report it as + `NOT_PROVEN`. + +## Claude workflow routing + +- Active skill profiles: `core, module`. +- Load procedural detail from the applicable installed GDS skill projection or + plugin only when the task matches it. +- Destructive workflows remain explicit-only and still require their concrete + plan and approval gates. +- Treat documentation and Serena memories as derived evidence, never mutation + authority. + +## Done + +- Required checks pass or are explicitly reported `NOT_PROVEN`. +- Every affected Git boundary and remote result is classified. +- No secret, private-context leak, unrelated change, or unapproved projection + drift is introduced. diff --git a/.gds/bundle.lock.yaml b/.gds/bundle.lock.yaml new file mode 100644 index 0000000..3199377 --- /dev/null +++ b/.gds/bundle.lock.yaml @@ -0,0 +1,20 @@ +# GENERATED FILE — DO NOT EDIT DIRECTLY +schema_version: 1 + +bundle: + version: "0.1.0-dev" + release_sequence: 0 + channel: "development" + source_commit: "96c240d6750a912a1c7b516fd474c051d247e8c3" + digest: "sha256:4a574a3fb2cad11d55bc66ee9f464dbc1e5515f0ef4884339f9bffea4fbeda21" + +projection: + input_digest: "sha256:099b39efd569b460205abe215a45e70c45be9fafe86b3df19821ca1a7732f797" + output_digest: "sha256:8f0e7ba95ab4462ae27a890091a2f82ff8d0b905572f511653a733e69d89a40b" + files: + - path: ".claude/CLAUDE.md" + digest: "sha256:216ed3e1df48a9b233129a11136898c3df0d6d9511bbce1893c13e64ac01dd2b" + - path: ".gds/compiled-policy.json" + digest: "sha256:226b256afbe7b17f854ee3260e5d7a858cbb67f478c94525ceb7a656fa473f08" + - path: "AGENTS.md" + digest: "sha256:c8fe1e551452fd07dfbb9f8e4cefc16711ee25999d2cd1d79e9362f9bcfe298d" diff --git a/.gds/compiled-policy.json b/.gds/compiled-policy.json new file mode 100644 index 0000000..4a457de --- /dev/null +++ b/.gds/compiled-policy.json @@ -0,0 +1,468 @@ +{ + "schema_version": 1, + "compiled_policy": { + "repository_id": "repo_01KX8PR71HN6XNJ3VN5SQCB0TF", + "bundle_version": "0.1.0-dev", + "digest": "sha256:5fca177339e8c6da97053eda3688758a6d039a08d03a93f56a1c97ee47abe6e1" + }, + "sources": [ + { + "id": "repository-default", + "tier": "base", + "priority": 100, + "distribution": "public", + "path": "policies/base/repository-default.yaml", + "digest": "sha256:90d112ae49f4c44ebce3b749d543660548214061128926d3d6d11ba02827a414" + }, + { + "id": "organization-default", + "tier": "owner", + "priority": 100, + "distribution": "public", + "path": "policies/owners/organization-default.yaml", + "digest": "sha256:fe271769a3e50404a5073ca6d045ad19f784069e7d6fdceab80254c06781ed55" + }, + { + "id": "public-module", + "tier": "role", + "priority": 100, + "distribution": "public", + "path": "policies/roles/public-module.yaml", + "digest": "sha256:ece6164691eda262e2692f97bd70262ea98c268084900b3f285f3d50f3767200" + } + ], + "effective": { + "agent": { + "generated_projection_edit": "forbidden", + "profiles": [ + "core", + "module" + ] + }, + "context": { + "private_parent_persistence": "forbidden" + }, + "git": { + "branch_cleanup": "merged-only", + "default_branch": "main", + "integration": "pull-request" + }, + "github": { + "actions": { + "allowed_actions": { + "management": "managed", + "value": "selected" + }, + "enabled": { + "management": "managed", + "value": true + }, + "selected_actions": { + "management": "managed", + "value": { + "github_owned_allowed": true, + "patterns_allowed": [ + "NDDev-it-com/nddev-ci-workflows/.github/workflows/*@*" + ], + "verified_allowed": false + } + }, + "sha_pinning_required": { + "management": "managed", + "value": true + } + }, + "merge": { + "allow_auto_merge": { + "management": "managed", + "value": false + }, + "allow_merge_commit": { + "management": "managed", + "value": false + }, + "allow_rebase_merge": { + "management": "managed", + "value": false + }, + "allow_squash_merge": { + "management": "managed", + "value": true + }, + "allow_update_branch": { + "management": "managed", + "value": true + }, + "delete_branch_on_merge": { + "management": "managed", + "value": true + }, + "merge_commit_message": { + "management": "observed" + }, + "merge_commit_title": { + "management": "observed" + }, + "squash_merge_commit_message": { + "management": "managed", + "value": "PR_BODY" + }, + "squash_merge_commit_title": { + "management": "managed", + "value": "PR_TITLE" + } + }, + "rulesets": { + "management": "observed" + }, + "security": { + "management": "observed" + }, + "workflow": { + "can_approve_pull_request_reviews": { + "management": "managed", + "value": false + }, + "default_workflow_permissions": { + "management": "managed", + "value": "read" + } + } + }, + "release": { + "compatibility_contract_required": true + }, + "rollout": { + "mode": "pull-request" + }, + "security": { + "external_write_requires_approval": true, + "public_projection_scan": "required", + "secrets_in_repository": "forbidden" + } + }, + "provenance": { + "/effective/agent/generated_projection_edit": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/agent/profiles/0": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "append" + }, + "/effective/agent/profiles/1": { + "source": "public-module", + "tier": "role", + "priority": 100, + "file": "policies/roles/public-module.yaml", + "operation": "append" + }, + "/effective/context/private_parent_persistence": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/git/branch_cleanup": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/git/default_branch": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/git/integration": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/actions/allowed_actions/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/actions/allowed_actions/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/actions/enabled/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/actions/enabled/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/actions/selected_actions/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/actions/selected_actions/value/github_owned_allowed": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/actions/selected_actions/value/patterns_allowed/0": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/actions/selected_actions/value/verified_allowed": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/actions/sha_pinning_required/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/actions/sha_pinning_required/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/allow_auto_merge/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/allow_auto_merge/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/allow_merge_commit/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/allow_merge_commit/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/allow_rebase_merge/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/allow_rebase_merge/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/allow_squash_merge/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/allow_squash_merge/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/allow_update_branch/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/allow_update_branch/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/delete_branch_on_merge/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/delete_branch_on_merge/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/merge_commit_message/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/merge_commit_title/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/squash_merge_commit_message/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/squash_merge_commit_message/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/squash_merge_commit_title/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/merge/squash_merge_commit_title/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/rulesets/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/security/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/workflow/can_approve_pull_request_reviews/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/workflow/can_approve_pull_request_reviews/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/workflow/default_workflow_permissions/management": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/github/workflow/default_workflow_permissions/value": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/release/compatibility_contract_required": { + "source": "public-module", + "tier": "role", + "priority": 100, + "file": "policies/roles/public-module.yaml", + "operation": "set" + }, + "/effective/rollout/mode": { + "source": "organization-default", + "tier": "owner", + "priority": 100, + "file": "policies/owners/organization-default.yaml", + "operation": "set" + }, + "/effective/security/external_write_requires_approval": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/security/public_projection_scan": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + }, + "/effective/security/secrets_in_repository": { + "source": "repository-default", + "tier": "base", + "priority": 100, + "file": "policies/base/repository-default.yaml", + "operation": "set" + } + } +} diff --git a/AGENTS.md b/AGENTS.md new file mode 100644 index 0000000..6c2159d --- /dev/null +++ b/AGENTS.md @@ -0,0 +1,55 @@ + +# GDS repository contract + +## Scope + +- Repository ID: `repo_01KX8PR71HN6XNJ3VN5SQCB0TF`. +- Roles: `module`. +- Canonical repository facts: `.gds/repository.yaml`. +- Applied bundle: `.gds/bundle.lock.yaml` (`0.1.0-dev`). +- Compiled policy: `.gds/compiled-policy.json`. + +## Boundaries + +- This Git repository is one independent mutation boundary. +- Preserve unrelated branches, worktrees, submodules, and dirty changes. +- Resolve cross-repository work with `gds context --json` before acting. +- Generated files are projections; change their canonical inputs and regenerate. + +## Safety + +- External writes require explicit approval: `true`. +- Generated projection edits: `forbidden`. +- Private parent context persistence: `forbidden`. +- Visibility contract: `public`; data classification: `public`. + +## Development + +- No repository-owned verification command is declared; report it as `NOT_PROVEN`. + +## Agent routing + +- Active skill profiles: `core, module`. +- Use on-demand skills for procedures; do not duplicate them here. +- Treat docs and memories as derived evidence, not mutation authority. + +## Done + +- Required verification is complete or explicitly `NOT_PROVEN`. +- Git state and every affected repository boundary are classified. +- No private data, secret, or unapproved generated drift is introduced. From 0f21daed86bd2b31a8b971858fd97aaf6b951b34 Mon Sep 17 00:00:00 2001 From: Danil Silantyev Date: Sun, 12 Jul 2026 07:51:26 +0700 Subject: [PATCH 3/5] chore(gds): refresh projection provenance --- .claude/CLAUDE.md | 6 +++--- .gds/bundle.lock.yaml | 14 +++++++------- AGENTS.md | 6 +++--- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md index 6cbfaa5..9e1d7cb 100644 --- a/.claude/CLAUDE.md +++ b/.claude/CLAUDE.md @@ -1,9 +1,9 @@