aiwg

Deployment tool and support utility for AI context. Copies agents, skills, commands, rules, and behaviors into the paths each AI platform reads (Claude Code, Codex, Copilot, Cursor, Warp, OpenClaw, and 6 more) so one source of truth works across 10 platfo

---
namespace: aiwg
name: security-gate
platforms: [all]
description: Enforce minimum security criteria before iteration close or release
commandHint:
  argumentHint: <docs/sdlc/artifacts/project> [--interactive] [--guidance "text"]
  allowedTools: Read, Write, Glob, Grep
  model: sonnet
  category: security-quality
---

# Security Gate (SDLC)

## Criteria

- Approved threat model with mitigations or accepted risks
- Zero open critical vulnerabilities; highs triaged with owners/dates
- SBOM generated and reviewed (if applicable)
- Secrets policy verified; no hardcoded secrets

## Output

- `security-gate-report.md` with pass/fail and remediation tasks (structured artifact for downstream agents)
- **Append** a gate decision block to `.aiwg/security/audit.md` (the human-readable rolling audit log; see schema below)

## Rolling audit log

`.aiwg/security/audit.md` is the single append-only rollup of security activity in this project. Humans read it first; downstream agents continue to consume the structured per-area artifacts. Both views are maintained.

After running the gate, append a block in this exact format (create `.aiwg/security/audit.md` if it does not exist; create the `.aiwg/security/` directory if missing):

```markdown
---

## [YYYY-MM-DD HH:MM] security-gate — <gate name or scope>

**Source:** security-gate
**Scope:** <artifact path or release identifier under review>
**Verdict:** <pass | fail | conditional>

### Findings rolled up

- **[severity] location** description. Confirmation quote: `<source snippet>`. Remediation: <action>.
- ...

### References

- Structured artifact: `security-gate-report.md`
- Related: <issue or commit reference if applicable>
```

The same schema is used by `security-auditor` for its findings. Do not rewrite or truncate prior entries; append only.

After appending, log an `audit` entry to `.aiwg/activity.log` per the `activity-log` rule.

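The append step described above, as an added Python example that is not part of the aiwg package. The function names, the finding dictionary keys and the sample finding are assumptions made for illustration; the block layout, the three verdicts and the refusal to record `pass` with an open critical follow the schema and criteria on this page.

```python
from datetime import datetime
from pathlib import Path

VERDICTS = {"pass", "fail", "conditional"}  # the three verdicts named in the schema

def render_block(gate, scope, verdict, findings, when):
    """Render one gate decision block in the audit.md schema (hypothetical helper)."""
    if verdict not in VERDICTS:
        raise ValueError(f"unknown verdict: {verdict}")
    # Gate criterion from the page: zero open critical vulnerabilities.
    if verdict == "pass" and any(f["severity"] == "critical" for f in findings):
        raise ValueError("cannot pass the gate with an open critical finding")
    lines = ["---", "", f"## [{when:%Y-%m-%d %H:%M}] security-gate — {gate}", "",
             "**Source:** security-gate", f"**Scope:** {scope}",
             f"**Verdict:** {verdict}", "", "### Findings rolled up", ""]
    for f in findings:
        lines.append(f"- **[{f['severity']}] {f['location']}** {f['description']}. "
                     f"Confirmation quote: `{f['quote']}`. Remediation: {f['remediation']}.")
    lines += ["", "### References", "",
              "- Structured artifact: `security-gate-report.md`", ""]
    return "\n".join(lines) + "\n"

def append_block(project_root, block):
    """Append to .aiwg/security/audit.md, creating the directory and file if missing."""
    path = Path(project_root) / ".aiwg" / "security" / "audit.md"
    path.parent.mkdir(parents=True, exist_ok=True)
    before = path.read_text(encoding="utf-8") if path.exists() else ""
    with path.open("a", encoding="utf-8") as fh:  # mode "a" never rewrites prior entries
        fh.write(block)
    after = path.read_text(encoding="utf-8")
    # Append-only check: the old content must be an exact prefix of the new content.
    if not after.startswith(before):
        raise RuntimeError("audit log changed outside of an append")
    return path

if __name__ == "__main__":
    import tempfile
    # Constructed sample finding; every value here is illustrative.
    finding = {"severity": "critical", "location": "config/settings.py:12",
               "description": "Hardcoded API token", "quote": "TOKEN = \"<redacted>\"",
               "remediation": "move the token to the secrets store and rotate it"}
    block = render_block("release candidate", "docs/sdlc/artifacts/project",
                         "fail", [finding], datetime(2025, 1, 2, 3, 4))
    with tempfile.TemporaryDirectory() as tmp:
        print(append_block(tmp, block).read_text(encoding="utf-8"))
```
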
## References

- @$AIWG_ROOT/agentic/code/addons/aiwg-utils/rules/vague-discretion.md: Gate criteria must be concrete and verifiable (zero open criticals, SBOM present); never "acceptable risk" without documentation
- @$AIWG_ROOT/agentic/code/addons/aiwg-utils/rules/human-authorization.md: Fail the gate and escalate to human; do not autonomously accept or close security findings
- @$AIWG_ROOT/agentic/code/frameworks/sdlc-complete/rules/token-security.md: Token security policy this gate verifies (no hardcoded secrets)
- @$AIWG_ROOT/agentic/code/frameworks/sdlc-complete/skills/security-audit/SKILL.md: Upstream audit skill whose findings feed into this gate's pass/fail evaluation
- @$AIWG_ROOT/agentic/code/frameworks/sdlc-complete/skills/check-traceability/SKILL.md: Traceability verification that may be required as a security gate prerequisite
- @$AIWG_ROOT/agentic/code/addons/aiwg-utils/rules/activity-log.md: Append-only artifact discipline used by `.aiwg/security/audit.md`
- @$AIWG_ROOT/agentic/code/frameworks/sdlc-complete/agents/security-auditor.md: Companion writer of the rolling audit log (same schema)