UNPKG

aiwg

Version:

Cognitive architecture for AI-augmented software development with structured memory, ensemble validation, and closed-loop correction. FAIR-aligned artifacts, 84% cost reduction via human-in-the-loop, standards adopted by 100+ organizations.

aiwg.io

jmagly/aiwg

272 lines (187 loc) 8.98 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
# Agent Permission Tiers **Version**: 1.0.0 **Status**: Active **Platform**: Claude Code v2.1.33+ ## Overview This document defines a 3-tier permission model for AIWG agents that controls which sub-agents each agent can spawn. This leverages Claude Code's `Task(agent_type)` syntax introduced in v2.1.33 to enforce least-privilege access and prevent runaway agent spawning. ## Platform Compatibility | Platform | Support | Notes | |----------|---------|-------| | Claude Code | Full | Native `Task(agent_type)` support | | GitHub Copilot | Partial | Uses different delegation model | | Cursor | N/A | No sub-agent spawning | | Windsurf | N/A | Uses different agent model | | Cline | N/A | Single-agent model | This permission model is primarily for Claude Code. Other platforms handle agent restrictions through different mechanisms. ## Three-Tier Model ### Tier 1: Analyst (Read-Only) **Permission**: `Task(Explore)` only - can spawn Explore agents for information gathering **Philosophy**: Analysis and review agents should gather information and produce reports, not execute code or spawn implementation agents. **Tool Access**: Read, Grep, Glob (information gathering only) **Agents**: | Category | Agents | |----------|--------| | **Requirements** | requirements-analyst, requirements-reviewer, requirements-documenter | | **Domain Analysis** | domain-expert, business-process-analyst, system-analyst | | **Security Review** | security-auditor, security-architect, security-gatekeeper | | **Code Review** | code-reviewer, citation-verifier, quality-assessor | | **Governance** | legal-liaison, privacy-officer, raci-expert, decision-matrix-expert | | **Strategy** | metrics-analyst, product-strategist, product-designer, vision-owner | | **Documentation** | documentation-archivist, documentation-synthesizer | | **Writing** | technical-writer, test-documenter, architecture-documenter | **Rationale**: These agents analyze, review, and document. They should not execute code or spawn implementation agents. Limiting to `Task(Explore)` prevents escalation from analysis to implementation. ### Tier 2: Implementation (Execute + Explore) **Permission**: `Task(Explore)`, `Task(Bash)` - can spawn Explore and Bash agents **Philosophy**: Implementation agents need to run tests, build code, and validate their work. They can spawn exploratory agents for investigation and Bash agents for execution. **Tool Access**: Read, Write, Bash, Grep, Glob (full development toolset) **Agents**: | Category | Agents | |----------|--------| | **Development** | software-implementer, test-engineer, test-architect | | **Debugging** | debugger, database-optimizer, performance-engineer | | **DevOps** | devops-engineer, build-engineer, cloud-architect | | **Modernization** | legacy-modernizer, incident-responder, reliability-engineer | | **Integration** | integration-engineer, deployment-manager, environment-engineer | | **Accessibility** | accessibility-specialist, api-designer, api-documenter | | **Tooling** | toolsmith, mcpsmith, skillsmith, commandsmith, agentsmith | | **Research** | technical-researcher | **Rationale**: These agents produce working code and infrastructure. They need execution capability to test their work but should not have unrestricted agent spawning. ### Tier 3: Orchestrator (Unrestricted) **Permission**: Full `Task` - can spawn any agent type **Philosophy**: Orchestrators coordinate work across multiple specialists. They need unrestricted delegation to route tasks appropriately. **Tool Access**: Read, Write, Bash, Grep, Glob (full toolset) **Agents**: | Category | Agents | |----------|--------| | **Orchestration** | executive-orchestrator, architecture-designer | | **Intake** | intake-coordinator, project-manager | | **Management** | configuration-manager, traceability-manager | | **Context** | context-librarian, component-owner | **Rationale**: These agents manage workflows and delegate to specialists. They need full Task access to route work effectively. ## Permission Enforcement ### Claude Code Frontmatter For Claude Code agents, the `tools:` field in frontmatter should reflect tier: **Analyst Tier**: ```yaml --- name: Requirements Analyst tools: Read, Grep, Glob # No Task listed - cannot spawn sub-agents (or Task(Explore) if exploration needed) --- ``` **Implementation Tier**: ```yaml --- name: Software Implementer tools: Bash, Read, Write, Grep, Glob # Can spawn Explore and Bash agents --- ``` **Orchestrator Tier**: ```yaml --- name: Executive Orchestrator tools: Bash, Read, Write, Grep, Glob # Can spawn any agent (unrestricted Task) --- ``` ### Runtime Enforcement Claude Code enforces `Task(agent_type)` restrictions at runtime. Attempting to spawn an unauthorized agent type results in: ``` Error: Agent 'requirements-analyst' cannot spawn agent type 'Bash'. Permitted types: Explore ``` ## Escalation Paths When an agent needs capabilities beyond its tier: ### Analyst → Implementation **Scenario**: Security Auditor finds vulnerability requiring code fix **Solution**: Generate finding report, escalate to orchestrator to delegate to Software Implementer **Pattern**: ```markdown # Security Finding: SQL Injection in login.ts **Severity**: Critical **Location**: src/auth/login.ts:42 **Recommendation**: Parameterize query **Escalation**: Requires code change beyond auditor scope. Request delegation to Software Implementer. ``` ### Implementation → Orchestrator **Scenario**: Software Implementer encounters architectural decision **Solution**: Document decision point, escalate to Architecture Designer **Pattern**: ```markdown # Implementation Blocker: Database Schema Decision **Context**: Implementing user preferences storage **Options**: JSON column vs normalized tables **Impact**: Performance, maintainability, query complexity **Escalation**: Requires architectural decision. Request Architecture Designer evaluation. ``` ## Security Implications ### Least Privilege Restricting agent spawning follows the principle of least privilege: - Analyst agents cannot accidentally introduce code changes - Implementation agents cannot spawn unrestricted orchestrators - Only designated orchestrators have full delegation authority ### Attack Surface Reduction By limiting Task access: - Reduces risk of runaway agent spawning - Prevents privilege escalation through agent chaining - Creates clear audit trail of delegation decisions ### Monitoring Track agent spawning patterns: | Metric | Alert Threshold | |--------|----------------| | Analyst spawns Bash | Any occurrence (should be impossible) | | Implementation spawns Orchestrator | Any occurrence (escalation required) | | Orchestrator spawn depth | >3 levels (potential runaway) | ## Migration Notes ### Existing Agents Most existing agent definitions don't explicitly list `Task` in tools. This is correct - Task is a runtime capability, not a frontmatter declaration. ### Documentation Update This document serves as the canonical reference for permission tiers. Agent definitions should reference this document: ```markdown ## Permission Tier Tier: Analyst Permitted Task types: Explore See @agentic/code/frameworks/sdlc-complete/docs/agent-permission-tiers.md ``` ### Cross-Platform For platforms without `Task(agent_type)` support, this tier model serves as design guidance. Implement equivalent restrictions through platform-specific mechanisms. ## Examples ### Analyst Tier: Requirements Analyst **What they CAN do**: - Spawn `Task(Explore)` to research existing requirements - Read source code and documentation - Generate requirement specifications **What they CANNOT do**: - Spawn `Task(Bash)` to run tests - Spawn `Task(software-implementer)` to implement code - Execute arbitrary commands ### Implementation Tier: Software Implementer **What they CAN do**: - Spawn `Task(Explore)` to investigate code patterns - Spawn `Task(Bash)` to run tests - Read, write, and edit source files **What they CANNOT do**: - Spawn `Task(executive-orchestrator)` for workflow decisions - Spawn `Task(architecture-designer)` for design decisions - Delegate to agents outside Explore/Bash ### Orchestrator Tier: Executive Orchestrator **What they CAN do**: - Spawn any agent type via unrestricted `Task` - Coordinate multi-agent workflows - Make routing decisions **What they SHOULD avoid**: - Directly implementing code (delegate to Software Implementer) - Deep agent nesting (>3 levels) - Spawning agents without clear task definition ## References - Claude Code v2.1.33 Release Notes - Task(agent_type) introduction - @.claude/rules/agent-fallback.md - Agent fallback patterns - @agentic/code/frameworks/sdlc-complete/agents/agent-template.md - Agent definition template - @agentic/code/frameworks/sdlc-complete/schemas/flows/agent-capability-matrix.yaml - Capability matching --- **Maintained by**: Configuration Manager **Last Updated**: 2026-02-06 **Review Cycle**: Quarterly