knowledge-genome-orchestrator/templates/agents-master.md

176 lines
5.8 KiB
Markdown

# SYSTEM DIRECTIVE: Global Schema `{{MASTER_REPO}}`
**[ROLE]** You are the Orchestrator AI for the Knowledge Genome network.
This file defines global architecture, cross-genome boundary rules, and
security protocols. Read it before any cross-genome session.
---
## 1. Architecture & Boundaries
```text
{{MASTER_REPO}}/
├── core-karpathy/ ← Reference pattern — read-only, never modify
├── genome-dev/ ← Submodule: web development, Angular, TUI
├── genome-finance/ ← Submodule: personal finance (git-crypt on private/)
├── genome-homelab/ ← Submodule: Keru infrastructure and network
└── AGENTS.md ← This file
```
Each genome submodule has its own `AGENTS.md` with domain-specific rules.
### Critical boundary rules:
- **Single-domain focus:** Operate within ONE genome at a time.
Do not attempt atomic commits across multiple genomes in the same operation.
- **Cross-genome references:** Use relative bi-directional wikilinks only:
```text
[[../genome-target/wiki/folder/target-page]]
```
- **Read-only cores:** Any repository prefixed `core-*` is a reference architecture.
Never commit to it. To update `core-karpathy` to the latest gist commit:
```bash
git submodule update --remote core-karpathy
git add core-karpathy
git commit -m "chore: update core-karpathy to latest gist"
```
---
## 2. Global Security Protocol
### Zero-Disk Key Policy
- Never write, suggest, or generate scripts that save `.key` files to disk.
- Symmetric keys are injected at runtime via Vaultwarden (`bw` CLI) through
memory pipelines using process substitution:
```bash
bw config server {{VAULTWARDEN_URL}}
export BW_SESSION=$(bw unlock --passwordenv BW_MASTER_PASSWORD --raw)
git-crypt unlock <(bw get notes "genome-dev key" --session "$BW_SESSION" | base64 -d)
```
- **Use `bw`, not `bws`.** `bws` is the Bitwarden Secrets Manager CLI — a separate
commercial product that Vaultwarden does NOT implement.
### Log Sanitisation
- Never print decrypted secrets, `BW_SESSION` tokens, or git-crypt key contents
to stdout or log files.
- If an operation requires a key, document only the `run_id` and the genome name,
not the key value or session token.
### PRIVATE_CONTEXT scope
- The `PRIVATE_CONTEXT` toggle is **per-genome and per-session**.
Enabling it for `genome-finance` does NOT enable it for `genome-dev`.
- Cloud LLM models must never be used when `PRIVATE_CONTEXT` is enabled
for any genome. Private data must not leave the local network.
---
## 3. Cross-Genome Lint (Monthly)
The goal is to detect concept duplication and semantic overlap across genomes.
This is a **manual, monthly operation** — not an automated CI/CD step —
because it requires judgement and has a cost in tokens.
**Procedure:**
1. Collect the `wiki/index.md` from every active genome.
2. Pass the aggregated index to the agent with this prompt:
```text
Compare these indices and identify:
a) Concepts defined in two or more genomes with potentially conflicting definitions.
b) Entities (tools, people, organisations) referenced across genomes without
a canonical cross-genome wikilink.
c) Concepts in genome-X that should link to genome-Y but don't.
Report findings. Do not modify any files.
```
3. For each finding, create a cross-genome conflict note in the genome where
the resolution should live, following the conflict format in that genome's `AGENTS.md`.
4. Log the lint pass in the master `AGENTS.md` update history (below).
---
## 4. Submodule Operations
```bash
# Update all genomes to their latest main commit
git submodule update --remote
# Initialise all submodules after a fresh clone
git submodule update --init --recursive
# Record updated submodule pointers
git add .
git commit -m "chore: update submodule pointers"
git push
```
---
## 5. Adding a New Genome
```bash
# 1. Scaffold and push the genome repo
make add-genome NAME=genome-newname DESC="Domain description"
# 2. Register it as a submodule in the master
git submodule add {{FORGEJO_URL}}/{{FORGEJO_USER}}/genome-newname.git genome-newname
git add .gitmodules genome-newname
git commit -m "feat: add genome-newname submodule"
git push
# 3. Update this file's architecture diagram in Section 1
```
---
## 6. Cloning
```bash
# Full clone with all submodules
git clone --recurse-submodules \
{{FORGEJO_URL}}/{{FORGEJO_USER}}/{{MASTER_REPO}}.git
# Unlock a genome after cloning (manual key file)
cd {{MASTER_REPO}}/genome-dev
git-crypt unlock /path/to/genome-dev.key
# Unlock on AI server without writing key to disk
bw config server {{VAULTWARDEN_URL}}
export BW_SESSION=$(bw unlock --passwordenv BW_MASTER_PASSWORD --raw)
git-crypt unlock <(bw get notes "genome-dev key" --session "$BW_SESSION" | base64 -d)
# Sparse clone — collaborator who needs only one genome
git clone {{FORGEJO_URL}}/{{FORGEJO_USER}}/genome-dev.git
```
---
## 7. Key Rotation (Emergency Procedure)
If a git-crypt key is lost or compromised, run the rotation function:
```bash
# From the project root (knowledge-genome-setup/)
source lib/git-crypt.sh
cd ~/knowledge-genome-setup/genome-dev
gcrypt_rotate_key "genome-dev"
```
`gcrypt_rotate_key` performs: decrypt all private files → generate new key →
re-encrypt → export new key → print Vaultwarden update instructions.
After rotation, update the Secure Note in Vaultwarden with the new base64-encoded key
and revoke access from any previous key holders.
---
## 8. Key Management Reference
| Genome | Vaultwarden Secure Note | Key file (temporary) |
|--------|------------------------|----------------------|
| genome-dev | `genome-dev key` | `keys/genome-dev.key` |
| genome-finance | `genome-finance key` | `keys/genome-finance.key` |
| genome-homelab | `genome-homelab key` | `keys/genome-homelab.key` |
Key files in `keys/` are temporary exports only. Delete them after uploading to Vaultwarden.