# arkon - Doramagic AI Context Pack

> Positioning: a pre-install experience and judgment asset. It helps the host AI get off to a good start, but it does not mean the project has already been installed, run, or validated.

## Sufficiency Principle

- **Sufficiency over compression**: The AI Context Pack should be sufficient for the host AI to understand the project's value, capability boundaries, entrypoints, risks, and evidence sources before starting work; it may be layered, but it does not aim for the shortest possible summary.
- **Compression policy**: Compress only noise and duplication, never context that affects judgment or the quality of the work.

## How the Host AI Should Use This

You are reading the AI Context Pack that Doramagic compiled for arkon. Treat it as pre-work context: help the user understand who it fits, what it can do, how to start, what must be verified after install, and where the risks are. Do not claim that you have already installed, run, or executed the target project.

## Claim Consumption Rules

- **Fact source**: Repo Evidence + Claim/Evidence Graph; the Human Wiki only supplies salience, terminology, and narrative structure.
- **Minimum status for a fact**: `supported`
- `supported`: May be used as a project fact, but the answer must cite the claim_id and evidence path.
- `weak`: Usable only as a low-confidence lead; the user must be asked to keep verifying.
- `inferred`: Usable only for risk notes or open questions; must not be packaged as a project fact.
- `unverified`: Must not be used as fact; state clearly that evidence is insufficient.
- `contradicted`: Must show the conflicting sources and must not force a single version on the user's behalf.

## Who It Fits Best

- **Developers already using host AIs such as Claude/Codex/Cursor/Gemini**: The README or plugin config mentions multiple host AIs. Evidence: `README.md` Claim: `clm_0003` supported 0.86
- **Users who want to bring professional workflows into a host AI**: The repo contains Skill documents. Evidence: `skills/arkon-edit/SKILL.md`, `skills/arkon-query/SKILL.md`, `skills/arkon-review/SKILL.md` Claim: `clm_0004` supported 0.86

## What It Can Do

- **AI Skill / Agent Instruction Asset Library** (Previewable before install): The project contains Skill or Agent instruction files that a host AI can read, useful for bringing professional workflows into hosts like Claude, Codex, or Cursor. Evidence: `skills/arkon-edit/SKILL.md`, `skills/arkon-query/SKILL.md`, `skills/arkon-review/SKILL.md` Claim: `clm_0001` supported 0.86
- **Command-Line Startup or Install Flow** (Verify after install): The project documentation contains runnable commands; real use requires running them in a local or host environment. Evidence: `README.md` Claim: `clm_0002` supported 0.86

## How to Start

- `git clone https://github.com/nduckmink/arkon.git` Evidence: `README.md` Claim: `clm_0005` supported 0.86

## Continue-or-Stop Decision Card

- **Current recommendation**: Needs admin / security approval
- **Why**: Continuing may involve secrets, accounts, external services, or sensitive context; get admin or security approval first.

### 30-Second Read

- **What to do now**: Needs admin / security approval
- **Minimum safe next step**: Run Prompt Preview first; if credentials or an enterprise environment are involved, get approval before trialing
- **Do not trust yet**: Tool permission boundaries cannot be trusted before install.
- **Continuing will touch**: Command execution, Host AI configuration, Local environment or project files

### What You Can Trust Now

- **Target-audience signal: Developers already using host AIs such as Claude/Codex/Cursor/Gemini** (supported): Backed by a supported claim or project evidence, but that still is not the same as real install results. Evidence: `README.md` Claim: `clm_0003` supported 0.86
- **Target-audience signal: Users who want to bring professional workflows into a host AI** (supported): Backed by a supported claim or project evidence, but that still is not the same as real install results. Evidence: `skills/arkon-edit/SKILL.md`, `skills/arkon-query/SKILL.md`, `skills/arkon-review/SKILL.md` Claim: `clm_0004` supported 0.86
- **Capability exists: AI Skill / Agent Instruction Asset Library** (supported): You can trust that the project contains signals of this capability; whether it fits your specific task still needs trial or after-install verification. Evidence: `skills/arkon-edit/SKILL.md`, `skills/arkon-query/SKILL.md`, `skills/arkon-review/SKILL.md` Claim: `clm_0001` supported 0.86
- **Capability exists: Command-Line Startup or Install Flow** (supported): You can trust that the project contains signals of this capability; whether it fits your specific task still needs trial or after-install verification. Evidence: `README.md` Claim: `clm_0002` supported 0.86
- **There are Quick Start / install-command signals** (supported): You can trust that the docs mention a startup or install entrypoint; do not run it directly in your primary environment because of that. Evidence: `README.md` Claim: `clm_0005` supported 0.86

### What You Cannot Trust Yet

- **Tool permission boundaries cannot be trusted before install.** (unverified): MCP/tool projects usually touch files, the network, the browser, or external APIs, so permissions and logs must be checked for real.
- **Real output quality cannot be trusted before install.** (unverified): Prompt Preview can only show how it guides you; it cannot prove result quality in the real project.
- **Host AI version compatibility cannot be trusted before install.** (unverified): Host loading rules and version differences across Claude, Cursor, Codex, Gemini, and others must be verified in a real environment.
- **That it will not pollute your existing host AI's behavior cannot be trusted directly.** (inferred): Skill, plugin, and AGENTS/CLAUDE/GEMINI instructions may change the host AI's default behavior. Evidence: `CLAUDE.md`, `skills/arkon-edit/SKILL.md`, `skills/arkon-query/SKILL.md`, `skills/arkon-review/SKILL.md`
- **Safe rollback cannot be assumed by default.** (unverified): Unless the project clearly provides uninstall and recovery instructions, verify in an isolated environment first.
- **After a real install, is it compatible with the user's current host AI version?** (unverified): Compatibility can only be verified in the actual host environment.
- **Does the project's output quality meet the user's specific task?** (unverified): The pre-install preview can only show flow and boundaries; it cannot replace real evaluation.
- **Do the install commands require network access, permissions, or global writes?** (unverified): This affects install risk in both enterprise and personal environments. Evidence: `README.md`

### What Continuing Will Touch

- **Command execution**: Package managers, network downloads, the local plugin directory, project config, or the user's home directory. Why: Running the very first command can already change your environment; decide whether it is worth running first. Evidence: `README.md`
- **Host AI configuration**: The plugin, Skill, or rule-loading config of hosts like Claude/Codex/Cursor/Gemini/OpenCode. Why: Host configuration changes how the AI works afterward and may conflict with the user's existing rules. Evidence: `CLAUDE.md`, `skills/arkon-edit/SKILL.md`, `skills/arkon-query/SKILL.md`, `skills/arkon-review/SKILL.md`
- **Local environment or project files**: Install results, plugin caches, project config, or local dependency directories. Why: The write scope and rollback path cannot be proven before install and need isolated verification. Evidence: `README.md`
- **Environment variables / API keys**: Project entry docs explicitly showing API key, token, secret, or account credential configuration. Why: If a real install needs credentials, use test credentials first and go through a permission/compliance review. Evidence: `README.md`, `docs/HOW_TO_RUN.md`, `docs/SETUP.md`
- **Host AI context**: The AI Context Pack, Prompt Preview, Skill routing, risk rules, and project facts. Why: Importing context affects the host AI's later judgment, so avoid packaging unverified items as facts.

### Minimum Safe Next Steps

- **Run Prompt Preview first**: Use a pre-install interactive trial to judge whether the way of working fits; it needs no authorization or environment change. (applies when: Applies to any project, especially when output quality is unknown.)
- **Trial-install only in an isolated directory or a test account**: Avoid letting install commands pollute your primary host AI, real projects, or home directory. (applies when: When there are signals of command execution, plugin config, or local writes.)
- **Back up your host AI configuration first**: Skill, plugin, and rule files may change the default behavior of Claude/Cursor/Codex. (applies when: When there is a plugin manifest, a Skill, or a host rule entrypoint.)
- **Do not use real production credentials**: Once an environment variable / API key enters the host or toolchain, it can create account and compliance risk. (applies when: When environment signals like API, TOKEN, KEY, or SECRET appear.)
- **After install, verify just one minimal task**: Verify loading, compatibility, output quality, and rollback first, then decide whether to use it deeply. (applies when: When moving from a trial into a real workflow.)

### Exit Plan

- **Preserve the pre-install state**: Record the original host config and project state so you can later judge whether it is recoverable.
- **Be ready to remove the host plugin / Skill / rule entrypoint**: If behavior is off after the trial install, you can restore the host AI to its pre-trial state.
- **Record the install commands and written paths**: Without clear uninstall instructions, you at least need to know which directories or configs to clean up manually.
- **Be ready to revoke test API keys or tokens**: If test credentials leak or are misused, you can cut losses quickly.
- **If there is no rollback path, do not enter your primary environment**: No rollback is a blocker before continuing; do not proceed on trust or luck.

## What Can Only Be Previewed

- Explain who the project fits and what it can do
- Demonstrate a typical conversation flow based on project docs
- Help the user decide whether it is worth installing or researching further

## What Must Be Verified After Install

- Actually installing the Skill, plugin, or CLI
- Running scripts, modifying local files, or accessing external services
- Verifying real output quality, performance, and compatibility

## Boundary & Risk Decision Card

- **Mistaking the pre-install preview for a real run**: The user may overestimate how much configuration, permission, and compatibility verification the project has already done. Mitigation: Clearly separate prompt_preview_can_do from runtime_required. Claim: `clm_0006` inferred 0.45
- **Command execution will modify the local environment**: Install commands may write to the user's home directory, the host plugin directory, or project configuration. Mitigation: Run in an isolated environment or a test account first. Evidence: `README.md` Claim: `clm_0007` supported 0.86
- **To confirm**: After a real install, is it compatible with the user's current host AI version?. Why: Compatibility can only be verified in the actual host environment.
- **To confirm**: Does the project's output quality meet the user's specific task?. Why: The pre-install preview can only show flow and boundaries; it cannot replace real evaluation.
- **To confirm**: Do the install commands require network access, permissions, or global writes?. Why: This affects install risk in both enterprise and personal environments.

## Pre-Work Working Context

### Loading Order

- First read how_to_use.host_ai_instruction to establish the boundaries of this pre-install judgment asset.
- Read claim_graph_summary to confirm facts come from the Claim/Evidence Graph, not the Human Wiki narrative.
- Then read intended_users, capabilities, and quick_start_candidates to judge whether the user is a match.
- When you need to carry out a concrete task, check role_skill_index first, then evidence_index.
- For real install, file modification, network access, performance, or compatibility questions, turn to risk_card and boundaries.runtime_required.

### Task Routes

- **AI Skill / Agent Instruction Asset Library**: Use role_skill_index / evidence_index to help the user pick a usable role, Skill, or workflow first. Boundary: Can be experienced via a pre-install Prompt. Evidence: `skills/arkon-edit/SKILL.md`, `skills/arkon-query/SKILL.md`, `skills/arkon-review/SKILL.md` Claim: `clm_0001` supported 0.86
- **Command-Line Startup or Install Flow**: State that this is an after-install capability first, then give a pre-install checklist. Boundary: Must be verified after a real install or run. Evidence: `README.md` Claim: `clm_0002` supported 0.86

### Context Scale

- Total files: 281
- Important-file coverage: 40/281
- Evidence index entries: 79
- Role / Skill entries: 3

### Handling Insufficient Evidence

- **missing_evidence**: State that evidence is insufficient and ask the user for the target file, a README section, or after-install verification records; do not fill in facts.
- **out_of_scope_request**: State that the task is beyond the current AI Context Pack's evidence scope and suggest the user check the Human Manual or verify after a real install.
- **runtime_request**: Provide a pre-install checklist and command sources, but do not run commands for the user or claim they have been run.
- **source_conflict**: Show the conflicting sources side by side, mark them as unverified, and do not force a single version.

## Prompt Recipes

### Fit assessment

- Goal: Judge whether this project fits the user's current task.
- Expected output: A fit conclusion, key reasons, evidence citations, what can be previewed before install, what must be verified after install, and a next-step recommendation.

```text
Based on the AI Context Pack for arkon, ask me 3 necessary questions first, then judge whether it fits my task. The answer must cover: who it fits, what it can do, what it cannot do, whether it is worth installing, and where the evidence comes from. Every project fact must cite evidence_refs, source_paths, or a claim_id.
```

### Pre-install experience

- Goal: Let the user feel the core workflow before installing, while avoiding packaging the preview as real capability or a marketing promise.
- Expected output: An experience script with boundary labels, an after-install verification checklist, and a cautious recommendation; with no real-run promises or strong marketing language.

```text
Treat arkon as a pre-install experience asset, not an already-installed tool or a real runtime environment.

Output exactly four parts:
1. Ask me 3 necessary questions first.
2. Give an "experience script": use the three labels [Previewable before install], [Must verify after install], and [Insufficient evidence] to show how it might guide the workflow.
3. Give an after-install verification checklist: list which capabilities can only be confirmed after a real install, real host loading, and a real project run.
4. Give a cautious recommendation: only "worth researching/trialing further", "add information before deciding", or "not recommended to continue"; do not endorse the project.

Hard boundaries:
- Do not claim you have installed, run, executed tests, modified files, or produced real results.
- Do not write promise-like phrasing such as "auto-adapts", "guarantees passing", "perfect fit", or "strongly recommend installing".
- If you describe how it works after install, you must use a conditional such as "if installed successfully and the host loads the Skill correctly, it might...".
- The experience script may only be written as "example lines / hypothetical flow": use "might ask / might suggest / might show", not "has written, has generated, has passed, is running, is generating".
- Prompt Preview does not hand out install commands; if the user is ready to trial, only prompt them to read Quick Start and the Risk Card first and to verify in an isolated environment.
- Every project fact must come from a supported claim, evidence_refs, or source_paths; inferred/unverified items can only be risks or open questions.

```

### Role / Skill selection

- Goal: Pick the best-matching asset from the project's roles or Skills.
- Expected output: A list of candidate roles or Skills, each with an applicable scenario, evidence paths, risk boundary, and whether after-install verification is needed.

```text
Read role_skill_index and recommend 3-5 of the most relevant roles or Skills for my target task. For each recommendation, state the applicable scenario, likely output, risk boundary, and evidence_refs.
```

### Risk pre-check

- Goal: Identify environment, permission, rule-conflict, and quality risks before installing or adopting.
- Expected output: A checklist of environment, permission, dependency, license, host-conflict, quality risk, and unknown items.

```text
Based on risk_card, boundaries, and quick_start_candidates, give me a pre-install risk pre-check list. Do not run commands for me; only explain what I should check, why, and what impact a failure would have.
```

### Host AI kickoff instruction

- Goal: Turn the project context into a host AI instruction for the start of a conversation.
- Expected output: A pre-work instruction with clear boundaries and clear evidence citations, suitable to copy to a host AI.

```text
Based on the AI Context Pack for arkon, generate a pre-work instruction I can paste to my host AI. This instruction must obey not_runtime=true and must not claim the project has been installed, run, or produced real results.
```

## Role / Skill Index

- Indexed 3 role / Skill / project-doc entries.

- **arkon-edit** (skill): Propose or directly apply edits to Arkon wiki pages, including proposing brand new pages. Contributors create drafts for review; editors/admins can edit/create directly. Triggers on: update wiki, fix this page, propose edit, edit wiki page, correct the KB, improve wiki, resubmit my draft, withdraw my draft, create new wiki page, propose new page. Activation hint: When the user's task is highly relevant to the workflow described by “arkon-edit”, use it for a pre-install experience first, then decide whether to install. Evidence: `skills/arkon-edit/SKILL.md`
- **arkon-query** (skill): Answer questions using the Arkon knowledge base. Searches wiki first, drills into raw sources only when needed. Supports quick, standard, and deep modes. Triggers on: what do we know about, find in KB, look up, query:, arkon query, search the wiki, tell me about, based on the KB. Activation hint: When the user's task is highly relevant to the workflow described by “arkon-query”, use it for a pre-install experience first, then decide whether to install. Evidence: `skills/arkon-query/SKILL.md`
- **arkon-review** (skill): Review, approve, request changes on, or reject pending wiki edit drafts in Arkon. Requires editor or admin role. Triggers on: review drafts, pending reviews, check draft queue, approve draft, reject draft, request changes, send draft back, review wiki changes. Activation hint: When the user's task is highly relevant to the workflow described by “arkon-review”, use it for a pre-install experience first, then decide whether to install. Evidence: `skills/arkon-review/SKILL.md`

## Evidence Index

- Indexed 79 evidence entries.

- **Arkon - The Open-Source Enterprise AI Knowledge Hub & MCP Server** (documentation): Arkon - The Open-Source Enterprise AI Knowledge Hub & MCP Server Evidence: `README.md`
- **Getting Started** (documentation): This is a Next.js https://nextjs.org project bootstrapped with create-next-app https://nextjs.org/docs/app/api-reference/cli/create-next-app . Evidence: `frontend/README.md`
- **arkon-edit: Edit the Knowledge Base** (skill_instruction): arkon-edit: Edit the Knowledge Base Evidence: `skills/arkon-edit/SKILL.md`
- **arkon-query: Query the Knowledge Base** (skill_instruction): arkon-query: Query the Knowledge Base Evidence: `skills/arkon-query/SKILL.md`
- **arkon-review: Review Wiki Drafts** (skill_instruction): Editor/admin only. If list pending drafts returns a permission error, you don't have the required role. Evidence: `skills/arkon-review/SKILL.md`
- **RTK Rust Token Killer - Token-Optimized Commands** (documentation): RTK Rust Token Killer - Token-Optimized Commands Evidence: `CLAUDE.md`
- **Architecture** (documentation): Admin Portal frontend/ Next.js application. Provides the UI for: - Knowledge base and document management - Wiki browser three-panel: page tree, content, backlinks/outlinks - Workspace management and member roles - RBAC configuration departments, roles, permissions - Employee accounts and MCP token management - AI Skills library - Audit log Evidence: `docs/ARCHITECTURE.md`
- **Setup Guide** (documentation): Two ways to run Arkon: Docker recommended for production or Development for local development and contributing . Evidence: `docs/SETUP.md`
- **AI Skills** (documentation): AI Skills are versioned agent packages that employees can access through Claude via MCP. Upload a skill package, assign it to departments or workspaces, and it becomes available in Claude's tool context for employees with the right permissions. Evidence: `docs/SKILLS.md`
- **This is NOT the Next.js you know** (documentation): This version has breaking changes — APIs, conventions, and file structure may all differ from your training data. Read the relevant guide in node modules/next/dist/docs/ before writing any code. Heed deprecation notices. Evidence: `frontend/AGENTS.md`
- **Claude** (documentation): @AGENTS.md Evidence: `frontend/CLAUDE.md`
- **Package** (package_manifest): { "name": "frontend", "version": "0.1.0", "private": true, "scripts": { "dev": "next dev", "build": "next build", "start": "next start", "lint": "eslint" }, "dependencies": { "@base-ui/react": "^1.4.1", "@types/diff": "^7.0.2", "class-variance-authority": "^0.7.1", "clsx": "^2.1.1", "d3-drag": "^3.0.0", "d3-force": "^3.0.0", "diff": "^9.0.0", "lucide-react": "^1.14.0", "next": "16.2.4", "react": "19.2.4", "react-dom": "19.2.4", "react-force-graph-2d": "^1.29.1", "react-markdown": "^10.1.0", "remark-frontmatter": "^5.0.0", "remark-gfm": "^4.0.1", "shadcn": "^4.6.0", "tailwind-merge": "^3.5.0", "tw-animate-css": "^1.4.0" }, "devDependencies": { "@tailwindcss/postcss": "^4", "@types/d3-drag":… Evidence: `frontend/package.json`
- **Contributing to Arkon** (documentation): First off, thank you for considering contributing to Arkon! Every contribution — bug reports, feature requests, code, documentation — is valuable and appreciated. Evidence: `CONTRIBUTING.md`
- **PolyForm Internal Use License 1.0.0** (source_file): PolyForm Internal Use License 1.0.0 Evidence: `LICENSE`
- **Changelog** (documentation): All notable changes to Arkon are documented here. Format follows Keep a Changelog https://keepachangelog.com/en/1.1.0/ . Evidence: `CHANGELOG.md`
- **Sahara — Warm Minimalism** (documentation): North Star: "Sun-Baked Simplicity" Luxurious warmth meets disciplined minimalism. Golden tones, editorial serif headings, and abundant whitespace. Evidence: `DESIGN.md`
- **Access Control** (documentation): Arkon has a dual-realm permission system: Evidence: `docs/ACCESS-CONTROL.md`
- **Arkon — How to Run Development** (documentation): Tool Version Purpose --- --- --- Python 3.11 — 3.14 Backend runtime Node.js 20+ Frontend Next.js PostgreSQL 15+ Main database with pgvector extension Redis 7+ Background job queue MinIO Latest S3-compatible file storage Evidence: `docs/HOW_TO_RUN.md`
- **MCP & Claude Integration** (documentation): Arkon exposes a Model Context Protocol MCP server at /mcp . Employees connect Claude Desktop — or any MCP-compatible client — and Claude gets access to the compiled wiki, raw source documents, and AI skills, all filtered to the employee's permission scope. Evidence: `docs/MCP.md`
- **Wiki System** (documentation): The Arkon wiki is the primary knowledge surface. Instead of storing raw document chunks, Arkon compiles documents into structured, interlinked wiki pages — written by an LLM agent, enriched by every new document you add. Evidence: `docs/WIKI.md`
- **============================================================** (source_file): ============================================================ Arkon — Docker Compose environment cp .env.docker.example .env.docker ============================================================ Evidence: `.env.docker.example`
- **============================================================** (source_file): ============================================================ Arkon — Local development environment cp .env.local.example .env.local Requires: PostgreSQL, Redis, MinIO running on localhost ============================================================ Evidence: `.env.local.example`
- **Alembic configuration** (source_file): Alembic configuration alembic script location = alembic sqlalchemy.url = postgresql+asyncpg://arkon:arkon secret@localhost:5432/arkon Evidence: `alembic.ini`
- **Env** (source_file): config = context.config ⋮---- target metadata = Base.metadata ⋮---- def run migrations offline - None ⋮---- url = config.get main option "sqlalchemy.url" ⋮---- def do run migrations connection ⋮---- async def run async migrations - None ⋮---- connectable = async engine from config ⋮---- def run migrations online - None Evidence: `alembic/env.py`
- **Ensure MinIO bucket exists** (source_file): mcp server = create mcp server mcp http app = mcp server.http app path="/", stateless http=True ⋮---- async def seed default admin ⋮---- stmt = select Employee .where Employee.role == "admin" .limit 1 result = await session.execute stmt ⋮---- dept = Department name="Administration", description="System administrators" ⋮---- admin = Employee ⋮---- @asynccontextmanager async def lifespan app: FastAPI ⋮---- """Startup & shutdown logic composed with FastMCP lifespan .""" ⋮---- Ensure MinIO bucket exists ⋮---- Seed default admin if no admin exists yet ⋮---- Seed built-in skills idempotent — no-op if already up to date ⋮---- Warn if sensitive defaults are unchanged ⋮---- app = FastAPI ⋮---- --- M… Evidence: `app/main.py`
- **Security File count check** (source_file): def get redis settings - RedisSettings ⋮---- arq pool: Optional ArqRedis = None ⋮---- async def get arq pool - ArqRedis ⋮---- arq pool = await create pool get redis settings ⋮---- async def enqueue post extraction pipeline source id: str, has images: bool - Optional str ⋮---- pool = await get arq pool task name = "caption images task" if has images else "ingest map reduce task" job = await pool.enqueue job task name, source id ⋮---- async def finalize verbatim source session, source, tracker - dict ⋮---- n chunks = await index verbatim source session, source ⋮---- async def ingest file task ctx: dict, source id: str ⋮---- sid = uuid.UUID source id tracker = ProgressTracker sid ⋮---- source… Evidence: `app/worker.py`
- **Docker Compose** (source_file): x-backend: &backend build: context: . dockerfile: Dockerfile image: arkon-backend:latest env file: .env.docker restart: always depends on: postgres: condition: service healthy redis: condition: service healthy minio: condition: service healthy volumes: - ./temp uploads:/app/temp uploads services: postgres: image: pgvector/pgvector:pg16 container name: arkon postgres restart: always environment: POSTGRES USER: ${POSTGRES USER:-arkon} POSTGRES PASSWORD: ${POSTGRES PASSWORD:-arkon secret} POSTGRES DB: ${POSTGRES DB:-arkon} volumes: - postgres data:/var/lib/postgresql/data healthcheck: test: "CMD-SHELL", "pg isready -U ${POSTGRES USER:-arkon} -d ${POSTGRES DB:-arkon}" interval: 5s timeout: 5s r… Evidence: `docker-compose.yml`
- **Entrypoint** (source_file): set -e echo "Running database migrations..." alembic upgrade head echo "Migrations complete." echo "Seeding built-in skills..." python -m app.scripts.seed skills echo "Skills seeding complete." exec "$@" Evidence: `entrypoint.sh`
- **Web framework** (source_file): project name = "arkon" version = "0.1.0" description = "Enterprise AI Control Center — Knowledge Base & Skill Management for Claude" authors = {name = "Arkon Team"} readme = "README.md" requires-python = " =3.11, =0.104.0", "uvicorn =0.24.0", "python-multipart =0.0.9", Database "sqlalchemy asyncio =2.0", "asyncpg =0.30", "alembic =1.14", "pgvector =0.3", AI / LLM provider-agnostic — user picks at runtime "google-genai =1.0.0", "openai =1.30.0", "anthropic =0.30.0", MCP Server "fastmcp =2.0.0", Auth "bcrypt =4.0.0", "pyjwt =2.8.0", Content processing "content-core =1.14.1, =1.25.0", "python-docx =1.1.0", Storage "minio =7.2.0", Utilities "pydantic =2.9.2", "pydantic-settings =2.5.0", "loguru… Evidence: `pyproject.toml`
- **002 Rbac** (source_file): revision = '002 rbac' down revision = '002' branch labels = None depends on = None ⋮---- def upgrade - None ⋮---- def downgrade - None Evidence: `alembic/versions/002_rbac.py`
- **007 Scope Rbac** (source_file): revision = "007" down revision = "006" branch labels = None depends on = None ⋮---- def upgrade - None ⋮---- def downgrade - None Evidence: `alembic/versions/007_scope_rbac.py`
- **017 Add Skill Contributions** (source_file): revision: str = '017' down revision: Union str, None = '016' branch labels: Union str, Sequence str , None = None depends on: Union str, Sequence str , None = None ⋮---- def upgrade - None ⋮---- def downgrade - None Evidence: `alembic/versions/017_add_skill_contributions.py`
- **020 Mrp Pipeline** (source_file): revision: str = '020' down revision: Union str, None = '019' branch labels: Union str, Sequence str , None = None depends on: Union str, Sequence str , None = None ⋮---- def upgrade - None ⋮---- def downgrade - None Evidence: `alembic/versions/020_mrp_pipeline.py`
- **033 Add Wiki Branches** (source_file): revision: str = '033 add wiki branches' down revision: Union str, None = '032 cleanup legacy source pages' branch labels: Union str, Sequence str , None = None depends on: Union str, Sequence str , None = None ⋮---- def upgrade - None ⋮---- def downgrade - None Evidence: `alembic/versions/033_add_wiki_branches.py`
- **Prepend overlap prefix from previous chunk** (source_file): CHUNK TARGET CHARS = 20 000 OVERLAP CHARS = 1 000 MAX MAP CONCURRENCY = 6 EXTRACT TIMEOUT = 120 OVERLAP SEPARATOR = " …context from previous section… \n" ⋮---- @dataclass class DocumentChunk ⋮---- index: int start char: int end char: int section path: str text: str overlap prefix len: int = field default=0 ⋮---- def classify strategy full text: str, outline json: Optional list - str ⋮---- n = len full text ⋮---- def flatten outline nodes: list, depth: int = 0 - list dict ⋮---- result = ⋮---- def build chunks full text: str, outline json: Optional list , strategy: str - list DocumentChunk ⋮---- flat = flatten outline outline json or top nodes = n for n in flat if n.get "level", 99 DocumentCh… Evidence: `app/ai/mrp/mapper.py`
- **Sanity check: merged body must not be too short** (source_file): BODY SHRINK THRESHOLD = 0.7 ⋮---- MERGE TIMEOUT = 120 ⋮---- MERGE SYSTEM = """\ ⋮---- prompt = ⋮---- raw = await asyncio.wait for merged = raw.strip ⋮---- Sanity check: merged body must not be too short max input len = max len existing content , len new content min acceptable = int max input len BODY SHRINK THRESHOLD Evidence: `app/ai/mrp/merger.py`
- **Acquire advisory lock per slug, scope to prevent race conditions** (source_file): async def resolve wiki scopes session: AsyncSession, source - list tuple str, Optional uuid.UUID ⋮---- row = await session.execute ⋮---- rows = await session.execute dept ids = r 0 for r in rows ⋮---- wiki scopes = await resolve wiki scopes session, source ⋮---- total created = 0 total updated = 0 ⋮---- merge llm = None ⋮---- merge registry = ProviderRegistry session merge llm = await merge registry.get llm ⋮---- pages created = 0 pages updated = 0 ⋮---- Acquire advisory lock per slug, scope to prevent race conditions ⋮---- lock key = func.hashtext f"{pr.slug}:{scope type}:{scope id}" ⋮---- Reset action per scope — each scope processes independently action = pr.action page = None ⋮---- exis… Evidence: `app/ai/mrp/pipeline.py`
- **---------------------------------------------------------------------------** (source_file): MERGE THRESHOLD = 0.90 AMBIGUOUS LOW = 0.75 KB UPDATE THRESHOLD = 0.85 KB MAYBE THRESHOLD = 0.60 ⋮---- PUNCT TABLE = str.maketrans "", "", string.punctuation ⋮---- def normalize name: str - str ⋮---- def cosine a: list float , b: list float - float ⋮---- dot = sum x y for x, y in zip a, b na = sum x x for x in a 0.5 nb = sum x x for x in b 0.5 ⋮---- --------------------------------------------------------------------------- Step 2.1 — Collect entities and concepts from chunk extracts ⋮---- def collect raw items chunk extracts - tuple list dict , list dict , list dict ⋮---- """ Flatten entities, concepts, and claims from all SourceChunkExtract rows. Returns entities, concepts, claims where e… Evidence: `app/ai/mrp/reducer.py`
- **Collect all topic names covered by page results** (source_file): CONFLICT SIM THRESHOLD = 0.80 ⋮---- mention counts: dict str, int = {} ⋮---- name = e.get "term", "" .lower ⋮---- Collect all topic names covered by page results covered: set str = set ⋮---- uncovered = ⋮---- --------------------------------------------------------------------------- 4.2 Conflict check & Contradiction Callout ⋮---- """ For each new/updated page, find KB neighbors with high similarity and check for factual contradictions via LLM. If a contradiction is detected, prepends a standardized Obsidian Callout to pr.content md. Non-blocking: conflicts are logged and returned but don't fail the pipeline. """ ⋮---- scope type = source.scope type or "global" scope id = source.scope id c… Evidence: `app/ai/mrp/verifier.py`
- **Exact match after normalization — the strongest signal.** (source_file): MAX WRITER CONCURRENCY = 4 WRITER COMPLEX THRESHOLD EVIDENCE = 8 WRITER COMPLEX THRESHOLD EXISTING CHARS = 3 000 WRITER AGENT MAX STEPS = 10 WRITER AGENT TIMEOUT = 300 ⋮---- EXTEND SHRINK THRESHOLD = 0.9 POLISH MIN BATCHES = 3 BUDGET RESERVE RATIO = 0.7 PASS BUDGET RATIO = 0.5 MAX EXTEND RETRIES = 2 TIER B PROXIMITY CHARS = 5 000 ⋮---- @dataclass class PageWriteResult ⋮---- slug: str title: str page type: str action: str content md: str summary: str citations: list dict = field default factory=list ⋮---- entity names: list str = field default factory=list related kb pages: list str = field default factory=list ⋮---- def to dict self - dict ⋮---- @classmethod def from dict cls, d: dict - "Pa… Evidence: `app/ai/mrp/writer.py`
- **---------------------------------------------------------------------------** (source_file): IMAGE MARKER RE = re.compile r"!\ ^\ \ \ image:// 0-9a-fA-F- {36} \ " ⋮---- async def load allowed image ids session: AsyncSession, source id: uuid.UUID - set str ⋮---- result = await session.execute ⋮---- def strip invalid image markers content: str, allowed ids: set str - str ⋮---- """Remove image:// markers whose UUID isn't in allowed ids.""" ⋮---- --------------------------------------------------------------------------- JSON Schema definitions OpenAI function-calling format ⋮---- TOOL SCHEMAS = ⋮---- class AgentState ⋮---- def init self, source: Source, full text: str ⋮---- def record self, call name: str - None ⋮---- def mark done self, report: str - None ⋮---- def summary self - dic… Evidence: `app/ai/wiki_agent_tools.py`
- **--- Scope: global or project workspace ---** (source_file): class ScopeType str, PyEnum ⋮---- GLOBAL = "global" DEPARTMENT = "department" ⋮---- class SkillContributionStatus str, PyEnum ⋮---- DRAFT = "draft" PENDING = "pending" NEEDS REVISION = "needs revision" WITHDRAWN = "withdrawn" APPROVED = "approved" REJECTED = "rejected" ⋮---- WIKI DRAFT STATUSES: tuple str, ... = ⋮---- class Base DeclarativeBase ⋮---- class Source Base ⋮---- tablename = "sources" ⋮---- id: Mapped uuid.UUID = mapped column title: Mapped Optional str = mapped column String 500 full text: Mapped Optional str = mapped column Text source type: Mapped Optional str = mapped column String 50 ⋮---- scope type: Mapped str = mapped column scope id: Mapped Optional uuid.UUID = mapped co… Evidence: `app/database/models.py`
- **Oauth Models** (source_file): class OAuthClient Base ⋮---- tablename = "oauth clients" ⋮---- id: Mapped uuid.UUID = mapped column client id: Mapped str = mapped column String 64 , unique=True, index=True name: Mapped str = mapped column String 200 redirect uris: Mapped list str = mapped column ARRAY Text , default=list created at: Mapped datetime = mapped column ⋮---- @classmethod def generate client id cls - str ⋮---- class OAuthAuthCode Base ⋮---- """A short-lived authorization code issued during the OAuth flow.""" tablename = "oauth auth codes" ⋮---- code: Mapped str = mapped column String 64 , unique=True, index=True client id: Mapped str = mapped column employee id: Mapped uuid.UUID = mapped column redirect uri: Ma… Evidence: `app/database/oauth_models.py`
- **Middleware** (source_file): AUTH HINT = ⋮---- def hint description tool: Tool - Tool ⋮---- base = tool.description or "" new description = AUTH HINT + base if base else AUTH HINT.rstrip ⋮---- class ScopedToolsMiddleware Middleware ⋮---- async def on list tools self, context, call next - Sequence Tool ⋮---- tools = await call next context Evidence: `app/mcp/middleware.py`
- **Permissions** (source_file): REQUIRES ATTR = " arkon requires " ⋮---- @dataclass frozen=True class ToolRequirement ⋮---- predicate: Callable ResolvedIdentity , bool label: str ⋮---- def allows self, identity: ResolvedIdentity - bool ⋮---- ANY AUTHENTICATED = ToolRequirement ⋮---- def can contribute identity: ResolvedIdentity - bool ⋮---- def can review identity: ResolvedIdentity - bool ⋮---- CAN CONTRIBUTE WIKI = ToolRequirement ⋮---- CAN REVIEW WIKI = ToolRequirement ⋮---- CAN CREATE WIKI DIRECT = CAN REVIEW WIKI ⋮---- def kb tool mcp, , requires: ToolRequirement = ANY AUTHENTICATED, fastmcp kwargs ⋮---- def decorator fn ⋮---- def requirement for fn - ToolRequirement Evidence: `app/mcp/permissions.py`
- **Resources** (source_file): def register resources mcp: FastMCP ⋮---- @mcp.resource "arkon://about" async def about arkon - str ⋮---- @mcp.resource "arkon://wiki-index" async def wiki index resource - str ⋮---- page = await wiki service.get page by slug session, wiki service.INDEX SLUG Evidence: `app/mcp/resources.py`
- **Server** (source_file): def create mcp server - FastMCP ⋮---- mcp = FastMCP Evidence: `app/mcp/server.py`
- **Group by scope type, scope id → count.** (source_file): async def get identity ⋮---- request = get http request auth header = request.headers.get "authorization", "" token = auth header.removeprefix "Bearer " .strip ⋮---- auth svc = MCPAuthService session identity = await auth svc.verify token token ⋮---- async def get allowed source ids identity, session: Optional AsyncSession = None - Optional set str ⋮---- async def query s: AsyncSession - set str ⋮---- stmt = select Source.id .where Source.status == "ready" stmt = apply scope filter stmt, identity result = await s.execute stmt ⋮---- async def can review page session: AsyncSession, employee, page - bool ⋮---- role = await get workspace role session, employee, page.scope id ⋮---- perms = get u… Evidence: `app/mcp/tools.py`
- **Admin Models** (source_file): router = APIRouter ⋮---- class LLMSpecOut BaseModel ⋮---- id: str provider: str model id: str context window tokens: int max output tokens: int supports tools: bool supports vision: bool label: str cost per 1m input tokens: Optional float cost per 1m output tokens: Optional float notes: Optional str api key configured: bool ⋮---- class LLMCatalogOut BaseModel ⋮---- active spec id: Optional str specs: list LLMSpecOut ⋮---- class VisionSpecOut BaseModel ⋮---- max image size mb: int ⋮---- cost per image: Optional float ⋮---- class VisionCatalogOut BaseModel ⋮---- specs: list VisionSpecOut ⋮---- class SwitchBody BaseModel ⋮---- model spec id: str ⋮---- registry = ProviderRegistry db active = aw… Evidence: `app/routers/admin_models.py`
- **Audit** (source_file): router = APIRouter prefix="/audit", tags= "audit" ⋮---- class AuditEntryOut BaseModel ⋮---- id: str timestamp: str principal id: str principal type: str principal name: Optional str = None principal email: Optional str = None action: str resource type: str resource id: str decision: str reason: Optional str = None ⋮---- class AuditListResponse BaseModel ⋮---- items: list AuditEntryOut total: int page: int page size: int ⋮---- stmt = select AuditLog ⋮---- stmt = stmt.where AuditLog.principal id == uuid.UUID principal id ⋮---- stmt = stmt.where AuditLog.action == action ⋮---- stmt = stmt.where AuditLog.decision == decision ⋮---- stmt = stmt.where AuditLog.resource type == resource type ⋮----… Evidence: `app/routers/audit.py`
- **---------------------------------------------------------------------------** (source_file): wellknown router = APIRouter router = APIRouter ⋮---- @wellknown router.get "/.well-known/oauth-authorization-server" async def oauth metadata request: Request ⋮---- base = str request.base url .rstrip "/" ⋮---- @wellknown router.get "/.well-known/oauth-protected-resource" async def oauth protected resource metadata request: Request ⋮---- @wellknown router.get "/.well-known/oauth-protected-resource/mcp" async def oauth protected resource metadata path suffix request: Request ⋮---- body = await request.json name = body.get "client name", "Claude Desktop" redirect uris = body.get "redirect uris", ⋮---- svc = OAuthService db client = await svc.register client name, redirect uris ⋮---- --------… Evidence: `app/routers/oauth.py`
- **Total count** (source_file): router = APIRouter ⋮---- class DepartmentCreate BaseModel ⋮---- name: str description: Optional str = None ⋮---- class DepartmentOut BaseModel ⋮---- id: str ⋮---- description: Optional str employee count: int = 0 ⋮---- class Config ⋮---- from attributes = True ⋮---- class EmployeeCreate BaseModel ⋮---- email: str password: Optional str = None role: str = "employee" global role: str = "viewer" ⋮---- department ids: list str = ⋮---- class EmployeeOut BaseModel ⋮---- role: str global role: str ⋮---- department names: list str = is active: bool has token: bool last connected: Optional str = None ⋮---- class TokenResponse BaseModel ⋮---- token: str employee name: str instructions: str ⋮---- stmt… Evidence: `app/routers/rbac.py`
- **---------------------------------------------------------------------------** (source_file): router = APIRouter tags= "scopes" ⋮---- class ScopeMemberOut BaseModel ⋮---- id: str employee id: str employee name: str employee email: str scope type: str scope id: Optional str = None role: str granted by name: Optional str = None created at: str ⋮---- class AddMemberBody BaseModel ⋮---- role: str = "reader" ⋮---- class UpdateRoleBody BaseModel ⋮---- class MyScopeOut BaseModel ⋮---- scope name: Optional str = None ⋮---- def validate scope type scope type: str - ScopeType ⋮---- def validate role role: str - ScopeRole ⋮---- def parse scope id scope type: ScopeType, scope id str: str - Optional uuid.UUID ⋮---- """Parse scope id. 'global' scope uses ' ' or 'global' as placeholder.""" ⋮---- -… Evidence: `app/routers/scopes.py`
- **Take the first segment of the first file as the root** (source_file): router = APIRouter ⋮---- EDITABLE STATUSES = ⋮---- def assert editable contribution: SkillContribution - None ⋮---- class SkillContributionCreate BaseModel ⋮---- skill id: Optional uuid.UUID = None base version: Optional int = None title: str scope type: str = "global" scope ids: Optional List uuid.UUID = None ⋮---- class SkillContributionResponse BaseModel ⋮---- id: uuid.UUID skill id: Optional uuid.UUID contributor id: uuid.UUID base version: Optional int status: str ⋮---- storage path: Optional str scope type: str scope ids: Optional List uuid.UUID contributor name: Optional str = None created at: datetime updated at: datetime ⋮---- model config = {"from attributes": True} ⋮---- class Pu… Evidence: `app/routers/skill_contributions.py`
- **Skip corrupted skill record instead of crashing the whole request** (source_file): router = APIRouter ⋮---- def assert not system skill: Skill - None ⋮---- class SkillResponse BaseModel ⋮---- id: uuid.UUID name: str slug: str department ids: List uuid.UUID = department names: List str = current version: int version hash: Optional str status: str scope type: str = "global" scope id: Optional uuid.UUID = None is system: bool = False created at: datetime updated at: datetime ⋮---- model config = {"from attributes": True} ⋮---- class SkillVersionResponse BaseModel ⋮---- version number: int ⋮---- storage path: Optional str changelog: Optional str ⋮---- class SkillListResponse BaseModel ⋮---- items: List SkillResponse total: int ⋮---- class SkillDeleteRequest BaseModel ⋮---- id… Evidence: `app/routers/skills.py`
- **Check scope access** (source_file): router = APIRouter ⋮---- class WikiPageSummary BaseModel ⋮---- slug: str title: str page type: str status: str = "seed" summary: str knowledge type slugs: list str source ids: list uuid.UUID scope type: str = "global" scope id: Optional uuid.UUID = None scope name: Optional str = None version: int updated at: str ⋮---- class WikiScope BaseModel ⋮---- scope type: str ⋮---- name: str ⋮---- class WikiPageDetail WikiPageSummary ⋮---- content md: str backlinks: list str outlinks: list str orphaned: bool = False ⋮---- class WikiDirectEditRequest BaseModel ⋮---- change note: Optional str = None ⋮---- @field validator "content md" @classmethod def not empty cls, v: str - str ⋮---- class WikiDirectC… Evidence: `app/routers/wiki.py`
- **Verify branch is not empty** (source_file): router = APIRouter ⋮---- class BranchCreate BaseModel ⋮---- name: str description: Optional str = None scope type: str = "global" scope id: Optional uuid.UUID = None ⋮---- @field validator "name" @classmethod def name not empty cls, v: str - str ⋮---- v = v.strip ⋮---- @field validator "scope type" @classmethod def scope known cls, v: str - str ⋮---- class BranchResponse BaseModel ⋮---- id: uuid.UUID ⋮---- author id: uuid.UUID author name: Optional str = None status: str has conflict: bool = False reviewer id: Optional uuid.UUID = None reviewer name: Optional str = None reviewed at: Optional str = None reviewer note: Optional str = None created at: str updated at: str draft count: int = 0 ⋮… Evidence: `app/routers/wiki_branches.py`
- **Author-only mode: restrict to drafts this user authored. No 403 here** (source_file): router = APIRouter ⋮---- class ProposeDraftRequest BaseModel ⋮---- content md: str note: Optional str = None base version: Optional int = None scope type: Optional str = None scope id: Optional uuid.UUID = None branch id: Optional uuid.UUID = None ⋮---- @field validator "content md" @classmethod def not empty cls, v: str - str ⋮---- class ProposeCreateRequest BaseModel ⋮---- slug: str title: str page type: str = "concept" knowledge type slugs: list str = scope type: str = "global" ⋮---- summary: str = "" ⋮---- @field validator "content md" @classmethod def content not empty cls, v: str - str ⋮---- @field validator "slug" @classmethod def slug format cls, v: str - str ⋮---- v = v.strip ⋮----… Evidence: `app/routers/wiki_drafts.py`
- **Dedupe** (source_file): router = APIRouter ⋮---- MAX IDS PER REQUEST = 100 PRESIGN EXPIRY HOURS = 1 ⋮---- class ResolveRequest BaseModel ⋮---- ids: list uuid.UUID = Field default factory=list ⋮---- class ResolveResponse BaseModel ⋮---- resolved: dict str, str denied: list str ⋮---- Dedupe unique ids = list {i for i in body.ids} ⋮---- rows = await db.execute ⋮---- resolved: dict str, str = {} denied: list str = ⋮---- Cache per-source access decisions one image often shares a source with others . access cache: dict uuid.UUID, bool = {} ⋮---- source = img.source ⋮---- url = storage service.get presigned url img.minio key, expiry hours=PRESIGN EXPIRY HOURS Evidence: `app/routers/wiki_images.py`
- **Content changed → new version** (source_file): def build zip skill dir: Path - bytes ⋮---- buf = io.BytesIO ⋮---- arcname = f"{skill dir.name}/{f.relative to skill dir .as posix }" ⋮---- def upload to minio zip bytes: bytes, skill id: str, version num: int - None ⋮---- content = f.read object name = f"skills/{skill id}/versions/{version num}/content/{member.filename}" content type = mimetypes.guess type member.filename 0 or "application/octet-stream" ⋮---- async def seed one skill dir: Path - None ⋮---- slug = skill dir.name zip bytes = build zip skill dir content hash = SkillService. calculate zip content hash zip bytes ⋮---- result = await session.execute select Skill .where Skill.slug == slug skill = result.scalar one or none ⋮---- C… Evidence: `app/scripts/seed_skills.py`
- The remaining 19 evidence entries are in `AI_CONTEXT_PACK.json` or `EVIDENCE_INDEX.json`.

## Rules the Host AI Must Follow

- **Treat this asset as pre-work context, not a runtime environment.**: The AI Context Pack contains only an evidence-backed understanding of the project, not the project's executable state. Evidence: `README.md`, `frontend/README.md`, `skills/arkon-edit/SKILL.md`
- **When answering the user, distinguish what can be previewed from what can only be verified after install.**: The consumer value of the pre-install experience comes from reducing bad installs and misjudgments, not from pretending to be a real run. Evidence: `README.md`, `frontend/README.md`, `skills/arkon-edit/SKILL.md`

## Questions the User Should Answer First

- Which host AI or local environment do you plan to use it in?
- Do you just want to experience the workflow first, or are you ready to actually install?
- What matters most to you: install cost, output quality, or conflicts with your existing rules?

## Acceptance Checks

- Every capability claim can be traced back to a file path in evidence_refs.
- AI_CONTEXT_PACK.md does not package previews as a real run.
- The user can understand who it fits, what it can do, how to start, and the risk boundaries within 3 minutes.

---

## Doramagic Context Augmentation

The following sections strengthen the repository context for a host AI. Human Manual data is a reading route, and pitfall notes become operating constraints.

## Human Manual Outline

Usage rule: this is only a reading route and salience signal, not factual authority. Concrete claims must still return to repo evidence or Claim Graph.

Host AI hard rules:
- Do not treat page titles, section order, summaries, or importance values as factual project evidence.
- When explaining the Human Manual outline, state that it is only a reading route or salience signal.
- Capability, installation, compatibility, runtime state, and risk claims must cite repo evidence, source paths, or Claim Graph.

- **Introduction & Key Features**: importance `high`
  - source_paths: README.md, DESIGN.md, CHANGELOG.md
- **System Architecture & Tech Stack**: importance `high`
  - source_paths: app/main.py, app/worker.py, docker-compose.yml, docs/ARCHITECTURE.md, alembic/env.py
- **MRP Pipeline: Document Ingestion & Wiki Compilation**: importance `high`
  - source_paths: app/ai/mrp/pipeline.py, app/ai/mrp/mapper.py, app/ai/mrp/reducer.py, app/ai/mrp/merger.py, app/ai/mrp/verifier.py
- **Wiki Browser, Drafts & Branches**: importance `high`
  - source_paths: app/routers/wiki.py, app/routers/wiki_drafts.py, app/routers/wiki_branches.py, app/routers/wiki_images.py, app/services/wiki_service.py
- **Department Scopes, RBAC & Audit**: importance `high`
  - source_paths: app/routers/scopes.py, app/routers/rbac.py, app/routers/audit.py, app/services/permission_engine.py, app/services/policy_engine.py
- **MCP Server & AI Provider Catalog**: importance `high`
  - source_paths: app/mcp/server.py, app/mcp/tools.py, app/mcp/resources.py, app/mcp/permissions.py, app/mcp/middleware.py
- **AI Skills: Distribution & Contribution Workflow**: importance `medium`
  - source_paths: app/services/skill_service.py, app/routers/skills.py, app/routers/skill_contributions.py, app/scripts/seed_skills.py, docs/SKILLS.md
- **Deployment, Configuration & Troubleshooting**: importance `high`
  - source_paths: Dockerfile, docker-compose.yml, .env.docker.example, .env.local.example, entrypoint.sh

## Repo Inspection Evidence

- repo_clone_verified: true
- repo_inspection_verified: true
- repo_commit: `5e4069df67b80b3ebcea1a4e841196b6f263d28e`
- inspected_files: `Dockerfile`, `README.md`, `docker-compose.yml`, `pyproject.toml`, `docs/ACCESS-CONTROL.md`, `docs/ARCHITECTURE.md`, `docs/HOW_TO_RUN.md`, `docs/MCP.md`, `docs/SETUP.md`, `docs/SKILLS.md`, `docs/WIKI.md`

Host AI hard rules:
- Without repo_clone_verified=true, do not claim that the source code has been read.
- Without repo_inspection_verified=true, do not write README, docs, or package-file conclusions as facts.
- Without quick_start_verified=true, do not claim that the Quick Start path has run successfully.

## Doramagic Pitfall Constraints

These rules come from Doramagic discovery, validation, or compilation findings. The host AI must treat them as operating constraints, not background notes.

### Constraint 1: Capability evidence risk requires verification

- Trigger: README/documentation is current enough for a first validation pass.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: capability.assumptions | https://github.com/nduckmink/arkon
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 2: Security or permission risk requires verification

- Trigger: no_demo
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: downstream_validation.risk_items | https://github.com/nduckmink/arkon
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 3: Security or permission risk requires verification

- Trigger: no_demo
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: risks.scoring_risks | https://github.com/nduckmink/arkon
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.
