docs: add agent workflow enforcement

Author: vparla

.codex/workflows/agent-skill-gate.md

@@ -0,0 +1,20 @@
+<!--
+==========================================================================================================
+SPDX-License-Identifier: MIT
+Copyright (c) 2025 Vinny Parla
+File: .codex/workflows/agent-skill-gate.md
+Purpose: Codex workflow bridge for enforcing mcp-cpp agent and skill guardrails
+==========================================================================================================
+-->
+
+# Codex Agent And Skill Gate
+
+Codex should treat `agents.md` and `SKILLS.MD` as the canonical repo contract.
+
+1. Read `agents.md`.
+2. Read `SKILLS.MD`.
+3. Use `.vscode/tasks.json` for repeatable editor-run Docker flows when working in VS Code.
+4. Use Docker-only execution, WSL on Windows, and `bash` on Linux or macOS.
+5. Do not use bind mounts, named volumes, `docker cp`, `-o type=local`, or any Docker pattern that writes
+   back to the host.
+6. If any failure appears, even if it looks unrelated, stop and fix it before continuing.

.cursor/rules/00-agent-skill-enforcement.mdc

@@ -0,0 +1,26 @@
+---
+description: >-
+  Enforce agents.md and SKILLS.MD, docker-first no-host-write execution,
+  and fail-stop remediation for every mcp-cpp task.
+alwaysApply: true
+---
+
+<!--
+==========================================================================================================
+SPDX-License-Identifier: MIT
+Copyright (c) 2025 Vinny Parla
+File: .cursor/rules/00-agent-skill-enforcement.mdc
+Purpose: Cursor rule that enforces mcp-cpp agent and skill guardrails
+==========================================================================================================
+-->
+
+# mcp-cpp Agent And Skill Enforcement
+
+- Read `agents.md` and `SKILLS.MD` at session start and before each materially new task.
+- Select every matching skill from `SKILLS.MD` before proposing or running commands.
+- Use Docker only. Windows commands go through `wsl -d Ubuntu -- bash -lc "..."`.
+- Do not use bind mounts, named volumes, `docker cp`, `-o type=local`, or any Docker pattern that writes back to
+  the host.
+- Treat every failure as blocking, even if it looks unrelated to the active request. Fix it immediately, rerun the
+  failed gate, and only then continue.
+- If a task truly requires host writes, host IPC, or host network access, stop and ask the human first.

.github/copilot-instructions.md

@@ -0,0 +1,20 @@
+<!--
+==========================================================================================================
+SPDX-License-Identifier: MIT
+Copyright (c) 2025 Vinny Parla
+File: .github/copilot-instructions.md
+Purpose: VS Code Copilot instructions for enforcing mcp-cpp agent and skill rules
+==========================================================================================================
+-->
+
+# mcp-cpp Copilot Instructions
+
+Start every task by reading `agents.md` and `SKILLS.MD`.
+
+- Use the matching skill sections from `SKILLS.MD` before proposing commands or edits.
+- Run architecture checks before broader validation.
+- Use `.vscode/tasks.json` for repeatable editor-run Docker workflows.
+- Use Docker-first execution only. Windows commands go through WSL; Linux and macOS use `bash`.
+- Do not use bind mounts, named volumes, `docker cp`, or any Docker export that writes back to the host.
+- Treat every failure as blocking, even if it is not directly tied to the active request. Fix it immediately before
+  continuing.

.gitignore

@@ -79,6 +79,9 @@ Thumbs.db
 # IDE/editor metadata
 # -------------------
 .vscode/
+!.vscode/
+.vscode/*
+!.vscode/tasks.json
 .idea/
 *.user
 *.vcxproj.user

.vscode/tasks.json

@@ -0,0 +1,103 @@
+{
+  "version": "2.0.0",
+  "tasks": [
+    {
+      "label": "docker: build test image",
+      "type": "shell",
+      "command": "docker",
+      "args": [
+        "buildx",
+        "build",
+        "-f",
+        "Dockerfile.demo",
+        "--target",
+        "test",
+        "--progress=plain",
+        "--pull",
+        "--load",
+        "-t",
+        "mcp-cpp-test",
+        "."
+      ],
+      "options": {
+        "cwd": "${workspaceFolder}"
+      },
+      "windows": {
+        "command": "wsl",
+        "args": [
+          "-d",
+          "Ubuntu",
+          "--",
+          "bash",
+          "-lc",
+          "cd \"$(wslpath '${workspaceFolder}')\" && docker buildx build -f Dockerfile.demo --target test --progress=plain --pull --load -t mcp-cpp-test ."
+        ]
+      },
+      "problemMatcher": []
+    },
+    {
+      "label": "docker: run architecture gate",
+      "type": "shell",
+      "command": "docker",
+      "args": [
+        "run",
+        "--rm",
+        "--network",
+        "none",
+        "--read-only",
+        "--tmpfs",
+        "/tmp:rw,noexec,nosuid,size=1g",
+        "--entrypoint",
+        "bash",
+        "mcp-cpp-test",
+        "-lc",
+        "cp -a /src/build /tmp/build && ctest --test-dir /tmp/build -R '^Architecture' -VV --output-on-failure"
+      ],
+      "dependsOn": "docker: build test image",
+      "windows": {
+        "command": "wsl",
+        "args": [
+          "-d",
+          "Ubuntu",
+          "--",
+          "bash",
+          "-lc",
+          "docker run --rm --network none --read-only --tmpfs /tmp:rw,noexec,nosuid,size=1g --entrypoint bash mcp-cpp-test -lc 'cp -a /src/build /tmp/build && ctest --test-dir /tmp/build -R \"^Architecture\" -VV --output-on-failure'"
+        ]
+      },
+      "problemMatcher": []
+    },
+    {
+      "label": "docker: run full ctest gate",
+      "type": "shell",
+      "command": "docker",
+      "args": [
+        "run",
+        "--rm",
+        "--network",
+        "none",
+        "--read-only",
+        "--tmpfs",
+        "/tmp:rw,noexec,nosuid,size=1g",
+        "--entrypoint",
+        "bash",
+        "mcp-cpp-test",
+        "-lc",
+        "cp -a /src/build /tmp/build && ctest --test-dir /tmp/build -VV --output-on-failure"
+      ],
+      "dependsOn": "docker: build test image",
+      "windows": {
+        "command": "wsl",
+        "args": [
+          "-d",
+          "Ubuntu",
+          "--",
+          "bash",
+          "-lc",
+          "docker run --rm --network none --read-only --tmpfs /tmp:rw,noexec,nosuid,size=1g --entrypoint bash mcp-cpp-test -lc 'cp -a /src/build /tmp/build && ctest --test-dir /tmp/build -VV --output-on-failure'"
+        ]
+      },
+      "problemMatcher": []
+    }
+  ]
+}

.windsurf/skills/repo-guardrails/SKILL.md

@@ -0,0 +1,26 @@
+<!--
+==========================================================================================================
+SPDX-License-Identifier: MIT
+Copyright (c) 2025 Vinny Parla
+File: .windsurf/skills/repo-guardrails/SKILL.md
+Purpose: Windsurf skill for enforcing mcp-cpp repo guardrails
+==========================================================================================================
+-->
+
+---
+name: repo-guardrails
+description: >-
+  Apply mcp-cpp agent rules and repo skills to every task. Use Docker-first
+  execution, WSL on Windows, bash on macOS/Linux, block all host-write Docker
+  patterns, and stop immediately on any failure.
+---
+
+# Repo Guardrails
+
+Read `agents.md` first, then `SKILLS.MD`.
+
+- Use the matching skill sections in `SKILLS.MD` before running commands or proposing edits.
+- Keep all build, test, and debug work inside Docker images built from repo context.
+- Do not mount the repo into containers and do not write artifacts back to the host.
+- If any failure appears, fix it immediately before continuing, even when it looks tangential.
+- Use `bash` on Linux and macOS, and `wsl -d Ubuntu -- bash -lc "..."` on Windows.

.windsurf/workflows/agent-skill-gate.md

@@ -0,0 +1,23 @@
+---
+description: >-
+  Open agents.md and SKILLS.MD first, then use the repo's docker-first
+  fail-stop workflow before any other work.
+---
+
+<!--
+==========================================================================================================
+SPDX-License-Identifier: MIT
+Copyright (c) 2025 Vinny Parla
+File: .windsurf/workflows/agent-skill-gate.md
+Purpose: Windsurf workflow for enforcing mcp-cpp agent and skill guardrails
+==========================================================================================================
+-->
+
+# Agent And Skill Gate
+
+1. Open `agents.md`.
+2. Open `SKILLS.MD`.
+3. Select the matching skills.
+4. Use only the Docker command templates from `SKILLS.MD`.
+5. If any failure, denial, failing test, or unrelated regression appears, stop and fix it before doing anything else.
+6. If the only path needs host writes, host IPC, or host network access, escalate to the human first.

CLAUDE.md

@@ -0,0 +1,19 @@
+<!--
+==========================================================================================================
+SPDX-License-Identifier: MIT
+Copyright (c) 2025 Vinny Parla
+File: CLAUDE.md
+Purpose: Claude Code entrypoint for mcp-cpp repo rules and skills
+==========================================================================================================
+-->
+
+# Claude Code Instructions
+
+Load `@agents.md` and `@SKILLS.MD` before planning, editing, or running commands.
+
+- Treat `agents.md` as the canonical policy file and `SKILLS.MD` as the execution workflow.
+- Use Docker-first execution only. Windows uses `wsl -d Ubuntu -- bash -lc "..."`; Linux and macOS use `bash`.
+- No Docker host writes: no bind mounts, named volumes, `docker cp`, or `-o type=local`.
+- Any failure is blocking, even if it looks unrelated to the active task. Fix it immediately, rerun the failed gate,
+  and only then continue.
+- If the only path forward needs host writes, host IPC, or host network access, stop and ask the human first.

SKILLS.MD

@@ -0,0 +1,86 @@
+<!--
+==========================================================================================================
+SPDX-License-Identifier: MIT
+Copyright (c) 2025 Vinny Parla
+File: SKILLS.MD
+Purpose: Repo-local skill map for agentic tools working in mcp-cpp
+==========================================================================================================
+-->
+
+# MCP C++ SDK Skills
+
+`agents.md` is the canonical policy file. This file turns those rules into repeatable execution skills for
+Codex, Windsurf, Cursor, VS Code, and Claude Code.
+
+## Load Order
+
+1. Read `agents.md`.
+2. Read `SKILLS.MD`.
+3. Select every matching skill before acting.
+4. If any command, test, build, access check, lint, doc check, or unrelated validation fails, stop and fix it
+   immediately before continuing.
+
+## Skill: repo-governance
+
+Use for every task.
+
+- Reuse `include/mcp/` interfaces and shared transport/auth abstractions before adding parallel code paths.
+- Run architecture checks first. If architecture enforcement fails, all other work is blocked.
+- Keep SPDX headers, repository-relative `File:` paths, tests, and docs aligned with the change.
+- Never run builds, tests, or debug commands on the host.
+
+## Skill: docker-first-no-host-write
+
+Use for build, test, debug, inspection, or automation work that executes code.
+
+- Linux and macOS commands use `bash`.
+- Windows commands use `wsl -d Ubuntu -- bash -lc "..."`
+- Build from repo context, then run from image-embedded source. Do not mount the repo into containers.
+- Do not use bind mounts, named volumes, `docker cp`, `-o type=local`, or any Docker pattern that writes back to
+  the host.
+- Prefer `--network none`. If network or IPC is required, stop and get explicit human approval first.
+
+```bash
+# Linux/macOS
+docker buildx build -f Dockerfile.demo --target test --progress=plain --pull --load -t mcp-cpp-test .
+docker run --rm --network none --read-only \
+  --tmpfs /tmp:rw,noexec,nosuid,size=1g \
+  --entrypoint bash mcp-cpp-test \
+  -lc "cp -a /src/build /tmp/build && ctest --test-dir /tmp/build -R '^Architecture' -VV --output-on-failure"
+docker run --rm --network none --read-only \
+  --tmpfs /tmp:rw,noexec,nosuid,size=1g \
+  --entrypoint bash mcp-cpp-test \
+  -lc "cp -a /src/build /tmp/build && ctest --test-dir /tmp/build -VV --output-on-failure"
+
+# Windows (PowerShell via WSL)
+wsl -d Ubuntu -- bash -lc "cd /mnt/<drive>/<path-to-repo>/mcp-cpp && \
+docker buildx build -f Dockerfile.demo --target test --progress=plain --pull --load -t mcp-cpp-test ."
+wsl -d Ubuntu -- bash -lc "docker run --rm --network none --read-only \
+  --tmpfs /tmp:rw,noexec,nosuid,size=1g \
+  --entrypoint bash mcp-cpp-test \
+  -lc 'cp -a /src/build /tmp/build && ctest --test-dir /tmp/build -R \"^Architecture\" -VV --output-on-failure'"
+wsl -d Ubuntu -- bash -lc "docker run --rm --network none --read-only \
+  --tmpfs /tmp:rw,noexec,nosuid,size=1g \
+  --entrypoint bash mcp-cpp-test \
+  -lc 'cp -a /src/build /tmp/build && ctest --test-dir /tmp/build -VV --output-on-failure'"
+```
+
+Emit results to stdout or stderr only. Do not export artifacts back to the host.
+
+## Skill: failure-first-remediation
+
+Use whenever anything fails, including failures that look unrelated to the active task.
+
+- Treat access-denied errors, safe-directory errors, failing unrelated tests, header drift, doc drift, lint issues,
+  and Docker misconfiguration as blocking failures.
+- Fix the failure immediately, rerun the failed gate, then rerun the next broader gate that depends on it.
+- Do not scope a failure away as "out of band" or "not part of this task."
+
+## Skill: review-and-delivery
+
+Use when reviewing or finalizing work.
+
+- Findings come first in reviews, with file and line references.
+- For implementation work, verify the architecture gate before broader test suites.
+- If repository rules and tool rules conflict, obey the stricter rule and update the enforcement docs in the same
+  change.