chore: bootstrap agnostic agent harness framework

rikrdo
2026-05-03 17:46:19 +02:00
commit 622e5df382
23 changed files with 809 additions and 0 deletions

harness/agents.matrix.yml Normal file

@@ -0,0 +1,63 @@
version: 1
roles:
leader:
can_edit: ["work/", "backlog/", "spec/", "harness/"]
cannot_edit: ["src/", "tests/"]
responsibilities:
- plan
- orchestrate
- enforce_gates
- close_feature
architect:
can_edit: ["spec/", "harness/contracts/", "docs/"]
cannot_edit: ["src/", "tests/", "backlog/features.json:status"]
responsibilities:
- design
- update_contracts
implementer:
can_edit: ["src/", "tests/", "work/artifacts/"]
cannot_edit:
- "backlog/features.json:done"
- "work/history.md"
- "work/artifacts/*/reviewer.json"
- "work/artifacts/*/security.json"
- "work/artifacts/*/qa.json"
- "work/artifacts/*/leader-close.json"
responsibilities:
- implement_feature
- write_tests
- produce_implementer_evidence
reviewer:
can_edit: ["work/artifacts/"]
cannot_edit: ["src/", "tests/", "backlog/"]
responsibilities:
- technical_review
- emit_reviewer_verdict
security:
can_edit: ["work/artifacts/"]
cannot_edit: ["src/", "tests/", "backlog/"]
responsibilities:
- sast
- dependency_review
- secret_scan
- emit_security_verdict
qa:
can_edit: ["work/artifacts/"]
cannot_edit: ["src/", "tests/", "backlog/"]
responsibilities:
- acceptance_traceability
- integration_e2e_checks
- regression_checks
- emit_qa_verdict
anti_cheat:
- "Implementer cannot promote feature to done"
- "Done requires reviewer/security/qa approved artifacts"
- "Leader close requires verify.sh success"
- "Evidence must be on disk; chat-only claims are invalid"
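Review bot: The reviewer, security and qa roles all get `can_edit: ["work/artifacts/"]` with no per-file `cannot_edit`, so any one of them can write the other two verdict files and `leader-close.json`, which undercuts the separation that the `anti_cheat` rules ("Done requires reviewer/security/qa approved artifacts") depend on; the implementer entry already shows the pattern, e.g. for reviewer `cannot_edit: ["src/", "tests/", "backlog/", "work/artifacts/*/security.json", "work/artifacts/*/qa.json", "work/artifacts/*/leader-close.json"]`, with the mirror-image lists for security and qa. Because `leader` may edit `harness/`, it can also rewrite this matrix itself; if that is intended, a comment saying so, or adding `harness/agents.matrix.yml` to its `cannot_edit`, would make the choice explicit. The field-level selectors `backlog/features.json:status` and `backlog/features.json:done` use two different suffixes for what reads as the same restriction, and the precedence between an allow prefix and a deny glob is never stated; a header comment such as `# cannot_edit wins over can_edit; "path:field" restricts a single JSON field` would pin both for whatever enforces this file, which is not shown on this page. The rendering has dropped the file's indentation and 7 of its 63 lines, so the nesting described above is inferred.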


@@ -0,0 +1,19 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://arnes.local/evidence.schema.json",
"title": "Gate Evidence",
"type": "object",
"required": ["feature_id", "agent", "verdict", "summary", "evidence", "timestamp"],
"properties": {
"feature_id": { "type": "string", "minLength": 1 },
"agent": { "type": "string", "enum": ["reviewer", "security", "qa", "leader"] },
"verdict": { "type": "string", "enum": ["APPROVED", "CHANGES_REQUESTED"] },
"summary": { "type": "string", "minLength": 1 },
"evidence": {
"type": "array",
"items": { "type": "string", "minLength": 1 }
},
"timestamp": { "type": "string", "format": "date-time" }
},
"additionalProperties": true
}
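Review bot: The `evidence` array has no `minItems`, so an artifact with `"evidence": []` and `"verdict": "APPROVED"` validates, which contradicts the harness rule that chat-only claims are invalid; add `"minItems": 1` beside `"items"` in the `evidence` definition. Under draft 2020-12 `"format": "date-time"` is an annotation unless the validator runs with format assertion enabled, so `timestamp` is effectively unchecked; either document that requirement for whatever validates these files or add a `pattern` for the accepted ISO 8601 shape. `"additionalProperties": true` is reasonable for forward compatibility, but it also means a misspelled optional key goes unnoticed; if that matters, list the known optional keys in `properties`. The file's path is not shown on this page, so its location is inferred from `$id`.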


@@ -0,0 +1,21 @@
# Handoff Contract
## Regla anti teléfono-descompuesto
Los agentes **no** devuelven código en chat. Deben escribir a disco y responder solo:
- `done -> <ruta>`
- `blocked -> <ruta>`
## Rutas estándar por feature
- `work/artifacts/<feature_id>/implementer.md`
- `work/artifacts/<feature_id>/reviewer.json`
- `work/artifacts/<feature_id>/security.json`
- `work/artifacts/<feature_id>/qa.json`
- `work/artifacts/<feature_id>/leader-close.json`
## Campos mínimos de artefactos JSON de gate
- `feature_id` (string)
- `agent` (reviewer|security|qa|leader)
- `verdict` (APPROVED|CHANGES_REQUESTED)
- `summary` (string)
- `evidence` (array de comandos/salidas/rutas)
- `timestamp` (ISO 8601)


@@ -0,0 +1,16 @@
# Governance Policy
## Reglas
- Una sola feature activa (`in_progress`) a la vez.
- El pipeline es secuencial con gates obligatorios.
- `done` solo por `leader` y solo con evidencia completa.
## Separación de funciones
- Implementer construye.
- Reviewer/Security/QA validan.
- Leader decide cierre.
## Prohibiciones
- Saltar gates.
- Aprobar con evidencia incompleta.
- Cerrar con `verify.sh` en rojo.


@@ -0,0 +1,12 @@
# Quality Policy
## Gate QA (obligatorio)
Cada feature debe tener `work/artifacts/<feature_id>/qa.json` con:
- `verdict`: APPROVED | CHANGES_REQUESTED
- trazabilidad criterio de aceptación -> test
- resultado de pruebas integración/E2E relevantes
## Reglas
- No hay `done` sin cobertura mínima de acceptance.
- No hay `done` con regresiones abiertas.
- Claims sin evidencia ejecutable no son válidos.


@@ -0,0 +1,12 @@
# Security Policy
## Gate de seguridad (obligatorio)
Cada feature debe tener `work/artifacts/<feature_id>/security.json` con:
- `verdict`: APPROVED | CHANGES_REQUESTED
- `checks`: secretos, dependencias, SAST básico, validación de inputs
- `findings`: lista de hallazgos con severidad
## Reglas
- Si hay hallazgos críticos/altos sin mitigación: `CHANGES_REQUESTED`.
- No se permite exponer credenciales ni secretos en repo/chat.
- Dependencias nuevas requieren justificación en `spec/tech.md`.


@@ -0,0 +1,55 @@
version: 1
feature_states:
allowed: [pending, in_progress, blocked, done]
stages:
- name: intake
owner: leader
input:
- backlog/features.json
- work/current.md
output:
- work/current.md
- name: design
owner: architect
optional: true
output:
- work/artifacts/<feature_id>/architect.md
- name: build
owner: implementer
output:
- work/artifacts/<feature_id>/implementer.md
- name: review_gate
owner: reviewer
required: true
output:
- work/artifacts/<feature_id>/reviewer.json
- name: security_gate
owner: security
required: true
output:
- work/artifacts/<feature_id>/security.json
- name: qa_gate
owner: qa
required: true
output:
- work/artifacts/<feature_id>/qa.json
- name: close
owner: leader
required: true
output:
- work/artifacts/<feature_id>/leader-close.json
- work/history.md
close_requirements:
- reviewer.json.verdict == "APPROVED"
- security.json.verdict == "APPROVED"
- qa.json.verdict == "APPROVED"
- scripts/verify.sh exit_code == 0
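Review bot: `close_requirements` checks only the three verdict values and the verify.sh exit code, not that those artifacts belong to the feature being closed or post-date the implementer's latest output, so an APPROVED `reviewer.json` left on disk from an earlier iteration of the same feature would still satisfy the gate after the code changed again; a requirement along the lines of `- reviewer.json.feature_id == current.feature_id` for each gate file plus a freshness rule relative to `implementer.md` would close that gap. The stages mark `design` with `optional: true` but the gates with `required: true` and say nothing on `intake` and `build`, so the default for an unmarked stage is undefined; pick one key and state the default in a comment, e.g. `# stages are required unless optional: true`. The `<feature_id>` placeholders and the `==` expressions are free-form strings interpreted by whatever runs this pipeline, which is not on this page, so their exact semantics are inferred. The section header reports 55 lines and fewer are visible here, so the file may continue past this point.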