# SYSTEM DIRECTIVE — `{{MASTER_REPO}}`

## Identity

| Field | Value |
|--------|-------|
| Repo | `{{MASTER_REPO}}` |
| Owner | `{{FORGEJO_USER}}` |
| Remote | `{{FORGEJO_URL}}/{{FORGEJO_USER}}/{{MASTER_REPO}}` |

**Role:** Cross-genome coordinator for the Knowledge Genome network.

**Metrics:** no cross-genome boundary violations · submodule pointers current · cross-genome wikilinks valid · no private data outside local network.

---

## Architecture

```text
{{MASTER_REPO}}/
├── core-karpathy/     ← Reference pattern — read-only, never modify
├── genome-dev/        ← Submodule: web development, Angular, TUI
├── genome-finance/    ← Submodule: personal finance (git-crypt on private/)
├── genome-homelab/    ← Submodule: Keru infrastructure and network
└── AGENTS.md          ← This file (update diagram when adding a genome)
```

Each genome has its own `AGENTS.md` with domain-specific rules. Genome-level operations are governed by the genome's `AGENTS.md`, not this file.

---

## Global Security Rules

### PRIVATE_CONTEXT scope

- Toggle is **per-genome and per-session**. Enabling for `genome-finance` does NOT enable for `genome-dev`.
- Cloud LLM models: `PRIVATE_CONTEXT` must be `disabled` for all genomes. Private data never leaves the local network.

### Log sanitization

- Never print decrypted secrets, session tokens, or key contents to stdout or log files.
- Document only `run_id` and genome name — never the key value.

### Key management

- Key injection is the host's responsibility — executed before this session starts.
- Never write, suggest, or generate scripts that save `.key` files to disk.

---

## Immutable Rules

1. Operate within ONE genome at a time. No atomic commits across multiple genomes.
2. `core-karpathy` is read-only. Never commit to it.
3. Cross-genome references use relative wikilinks only: `[[../genome-target/wiki/folder/page]]`.
4. Never commit to `main` in any genome. PRs required; no self-merge.
5. Per-genome `AGENTS.md` governs all wiki operations within that genome.
   This file governs boundaries only.

### NEVER

- Load multiple `wiki/index.md` files simultaneously for cross-genome comparison — use qmd.
- Run `git-crypt`, `bw`, or Vaultwarden commands — host responsibility.
- Modify files in more than one genome in the same operation.
- Modify `core-karpathy` in any way.

### ASK FIRST

- Any operation that touches two or more genomes.
- Updating submodule pointers in master.
- Any key rotation procedure.
- Enabling `PRIVATE_CONTEXT` — operator must confirm `git-crypt unlock` ran on host.

---

## Session Start

1. Identify which genome(s) this session involves.
2. Read the relevant genome's `wiki/index.md` — not all genomes' indexes.
3. For cross-genome discovery: `qmd search ""` across the multi-genome index.
4. Operate on one genome at a time. Switch genome only when the previous operation is committed.

---

## Cross-Genome Lint

*Manual, monthly — requires operator initiation. Not automated.*

1. Use `qmd search ""` to find pages covering the same concept across genomes.
2. Identify:
   - Concepts defined in 2+ genomes with potentially conflicting definitions.
   - Entities referenced across genomes without a canonical cross-genome wikilink.
   - Concepts in genome-X that should link to genome-Y but don't.
3. Report findings. Do not modify any files.
4. For each finding: create a conflict note in the genome where resolution belongs, following that genome's §Conflict procedure.

---

## Reference Operations

### Add a genome

```bash
make add-genome NAME=genome-newname DESC="Domain description"
```

Then update the architecture diagram in this file.

### Sync submodules

```bash
make sync
```

### Update core-karpathy reference

```bash
git submodule update --remote core-karpathy
git add core-karpathy
git commit -m "chore: update core-karpathy to latest gist"
git push
```

### Clone (full)

```bash
git clone --recurse-submodules \
  {{FORGEJO_URL}}/{{FORGEJO_USER}}/{{MASTER_REPO}}.git
```

After cloning, unlock each genome on the host before starting an agent session.

### Key rotation (emergency)

If a key is compromised: `gcrypt_rotate_key ""` from project root.
Update the Vaultwarden Secure Note with the new base64-encoded key.
Revoke access from previous key holders.

### Key registry

| Genome | Vaultwarden Secure Note | Temp key file |
|--------|------------------------|---------------|
| genome-dev | `genome-dev key` | `keys/genome-dev.key` |
| genome-finance | `genome-finance key` | `keys/genome-finance.key` |
| genome-homelab | `genome-homelab key` | `keys/genome-homelab.key` |

Temp key files in `keys/` are post-export only. Delete after upload to Vaultwarden.
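
### Boundary check (added example)

Immutable Rules 1 and 2 and the key-management rules can be checked mechanically over a list of changed paths. This is an added example, not part of this directive or the project's tooling; the function name `check_boundaries`, its messages, the sample paths, and the input format (paths relative to the master repo root) are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not project tooling). check_boundaries and its messages are
# hypothetical. Input: changed paths relative to the master repo root, one per
# line on stdin. How that list is gathered is left to the caller.
# Returns 0 when the change set is clean, 1 on any violation.
check_boundaries() {
  local path top genomes="" count=0 rc=0
  while IFS= read -r path || [ -n "$path" ]; do
    case "$path" in
      core-karpathy/*)
        # Immutable Rule 2: the reference pattern is read-only.
        echo "VIOLATION core-karpathy is read-only: $path"; rc=1 ;;
      genome-*/*)
        # Immutable Rule 1: record each genome touched, once.
        top=${path%%/*}
        case " $genomes " in
          *" $top "*) ;;
          *) genomes="$genomes $top"; count=$((count + 1)) ;;
        esac ;;
    esac
    # Assumption drawn from the key-management rules: no .key file
    # belongs in a change set.
    case "$path" in
      *.key) echo "VIOLATION key file in change set: $path"; rc=1 ;;
    esac
  done
  if [ "$count" -gt 1 ]; then
    echo "VIOLATION change set spans $count genomes:$genomes"; rc=1
  fi
  return "$rc"
}

# Constructed sample: one operation touching two genomes, so it is rejected.
printf '%s\n' \
  'genome-dev/wiki/angular/signals.md' \
  'genome-finance/wiki/budget/summary.md' |
  check_boundaries || echo "change set rejected"
```

Bare submodule paths such as `core-karpathy` or `genome-dev` (pointer updates in master) are deliberately not flagged, since those fall under ASK FIRST rather than NEVER.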