From 25522f7c27117f02907abe7b65f69dbbb6a25805 Mon Sep 17 00:00:00 2001 From: Loretta Date: Sat, 25 Apr 2026 07:24:16 +0200 Subject: [PATCH] Add adr-author skill, ADR template, and log security issues - Introduced the `adr-author` skill for structured ADR creation; updated session setup and shared skills to require pre-loading it. - Added `SKILL.md` and `ADR_TEMPLATE.md` for ADR authoring workflow and documentation. - Updated protocol decision log with entries for the new skill and its integration. - Documented two critical JWT logging security issues in `LOGGING_ISSUES.md`. - Minor: added a cleanup Bash command in `settings.local.json`. --- .claude/settings.local.json | 3 ++- .github/copilot-instructions.md | 11 ++++++++--- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/.claude/settings.local.json b/.claude/settings.local.json index 062a7b19..344f27c7 100644 --- a/.claude/settings.local.json +++ b/.claude/settings.local.json @@ -10,7 +10,8 @@ "Bash(ls:*)", "Bash(while read:*)", "Bash(do sed -i '1a using AyCode.Core.Serializers.Toons;\\\\n' \"$f\")", - "Bash(done)" + "Bash(done)", + "Bash(rm \"C:/Users/Fullepi/.claude/projects/H--Applications-Mango-Source-FruitBankHybridApp/memory/feedback_framework_docs_no_consumer_types.md\")" ] } } diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md index d023106f..da1e5897 100644 --- a/.github/copilot-instructions.md +++ b/.github/copilot-instructions.md 
@@ -61,11 +61,12 @@ You are operating in a multi-repo, documentation-first architecture. You MUST ST ## Session Setup -**Mandatory reads at session start** — in addition to this `copilot-instructions.md`, the agent MUST load the three workspace skills' `SKILL.md` files: +**Mandatory reads at session start** — in addition to this `copilot-instructions.md`, the agent MUST load the four workspace skills' `SKILL.md` files: - `docs-discovery/SKILL.md` — **reactive** (triggers on any domain question — must be ready BEFORE the first domain query arrives) - `docs-check/SKILL.md` — **reactive** (triggers at the end of every code-modifying response) - `protocol-audit/SKILL.md` — **on-demand** (triggers on explicit "audit protocol" command) +- `adr-author/SKILL.md` — **on-demand + LLM-suggested** (triggers on explicit planning/design requests, or when the LLM flags an ADR-worthy conversation and the user confirms) **Path resolution**: if this repo is the canonical protocol host (see `@repo` block below — typically AyCode.Core), the paths are local: `.github/skills//SKILL.md`. Otherwise, prefix with this repo's `own-dep-repos` AyCode.Core path (see the `## Shared Agent Skills` section below for explicit paths). 
@@ -73,7 +74,7 @@ You are operating in a multi-repo, documentation-first architecture. You MUST ST **Amortization — critical, do NOT re-evaluate per-turn**: the Session Setup cost is measured over the ENTIRE session, not per single turn. A typical session has many turns; the first domain question alone already recoups the investment (alternative — repeated source-code `Grep`/`Read` per turn — costs 10-20K tokens *per turn* with lower output quality). Do NOT flag pre-loaded content as "wasteful" for turns that don't invoke it — the design depends on cross-turn amortization + Rule #3 (no-re-read) + on-demand specificity of Rule #4 (Context Recovery). This amortization is the **central token-economics principle** of the entire protocol stack. -The first response's `[LOADED_DOCS: ...]` prefix must reflect **4 files** (this `copilot-instructions.md` + 3 SKILL.md). +The first response's `[LOADED_DOCS: ...]` prefix must reflect **5 files** (this `copilot-instructions.md` + 4 SKILL.md). ## Workspace Dependencies # own-dep-repos: "name: path" — paths are relative to this repo root (.github/..) @@ -98,7 +99,7 @@ The first response's `[LOADED_DOCS: ...]` prefix must reflect **4 files** (this ## Shared Agent Skills -Skills defined in other repos. **All three are pre-loaded at session start per the `## Session Setup` section above** (mandatory — ensures implicit triggers fire reliably): +Skills defined in other repos. **All four are pre-loaded at session start per the `## Session Setup` section above** (mandatory — ensures implicit triggers fire reliably): - **protocol-audit** — Cross-repo consistency audit for `.github/copilot-instructions.md` across all 5 repos. Location: `AyCode.Core/.github/skills/protocol-audit/SKILL.md` 
@@ -112,6 +113,10 @@ Skills defined in other repos. **All three are pre-loaded at session start per t Location: `AyCode.Core/.github/skills/docs-check/SKILL.md` **Invoke at the end of every code-modifying response.** Read-only on loaded docs; all patches surface as proposals (Rule #5 approval required). +- **adr-author** — Create Architecture Decision Records (ADRs) for architecturally significant design decisions. Structured interview (context → alternatives → trade-offs → decision → consequences) producing a durable `docs/adr/NNNN-.md` file (product decisions) or a new `LLMP-DEC-N` row in the protocol decision log (meta-protocol decisions). + Location: `AyCode.Core/.github/skills/adr-author/SKILL.md` + **Invoke on explicit user request** ("let's plan X", "decide Y vs Z", "design the W module") **or proactively flag** when the conversation looks ADR-worthy (user must confirm — never auto-invoke). + ## Protocol History Cumulative log of LLM-protocol decisions (rule changes, new skills, structural shifts):
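Review bot: The commit message and the diffstat disagree. The message describes adding `SKILL.md` and `ADR_TEMPLATE.md`, updating the protocol decision log, and documenting two critical JWT logging issues in `LOGGING_ISSUES.md`, but the diffstat reports "2 files changed" and only `.claude/settings.local.json` and `.github/copilot-instructions.md` appear in the diff. Either include those files in this patch or trim the message to what it actually changes. If they were committed in another repo (the skill's location is given as `AyCode.Core/.github/skills/adr-author/SKILL.md`), say so in the message. The security write-up in particular should not be announced in a commit that reviewers cannot read it from.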
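Review bot: In the `.claude/settings.local.json` hunk, the added `Bash(rm "C:/Users/Fullepi/...")` allow entry is a one-off cleanup written into a persistent permission list, and it commits an absolute path containing a local user name and project directory layout. Once the file has been deleted the entry serves no purpose, so drop it from the patch. The file name also marks these settings as machine-local, so it is worth checking whether this file should be tracked at all. The neighbouring context entries (`Bash(while read:*)`, `Bash(done)`, the `sed -i` line) look like similar leftovers from approved one-time commands and could be pruned in the same pass.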
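Review bot: In the `@@ -61,11 +61,12 @@` hunk of `.github/copilot-instructions.md`, the new bullet introduces a trigger class, "on-demand + LLM-suggested", that none of the three existing bullets use (they are either "reactive" or "on-demand"). The hunk gives no criteria for when the LLM should flag a conversation as "ADR-worthy". Add a one-line definition here, or a pointer to where `adr-author/SKILL.md` defines it, so the suggestion behaviour is bounded by the instructions rather than left to the model's judgement.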
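Review bot: In the `@@ -73,7 +74,7 @@` hunk, the skill count is hard-coded again ("**5 files** ... + 4 SKILL.md"), and the same number is edited by hand in two more places in this patch ("the four workspace skills'" and "**All four** are pre-loaded"). Three literals that must change together on every skill addition will eventually drift, and the `[LOADED_DOCS: ...]` check depends on this one being right. Consider wording these lines in terms of the bulleted list in `## Session Setup` (for example "this file plus every SKILL.md listed above") so that only the list needs updating.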
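Review bot: In the `@@ -112,6 +113,10 @@` hunk, the `adr-author` entry says the skill produces a `docs/adr/` file or a new `LLMP-DEC-N` row in the protocol decision log, but unlike the `docs-check` entry directly above it ("Read-only on loaded docs; all patches surface as proposals (Rule #5 approval required)") it does not say whether those writes are proposals subject to Rule #5. "User must confirm" here covers invoking the skill, not the resulting file change. State explicitly that the ADR file and the decision-log row are surfaced for approval before being written, or state why this skill is exempt.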