# coding-ethos - Doramagic AI Context Pack

> Purpose: pre-work context for the user's host AI. This pack does not prove that the project has been installed, run, or validated.

## Project

- canonical_name: `paudley/coding-ethos`
- capability: Policy-as-code enforcement for AI agents: MCP server, CEL policies, git hooks, SARIF, and static analysis guardrails.
- expected_user_outcome: Policy-as-code enforcement for AI agents: MCP server, CEL policies, git hooks, SARIF, and static analysis guardrails.

## Operating Boundaries

- Do not claim that the project has been installed, run, called through an API, or used on local files unless separate evidence proves it.
- Project facts must come from repo evidence, Claim Graph, or explicit source references.
- When a capability is not verified, mark it as unverified instead of completing it as fact.
- publish_status: `publishable`
- blocking_gaps: none

---

## Doramagic Context Augmentation

The following sections strengthen the repository context for a host AI. Human Manual data is a reading route, and pitfall notes become operating constraints.

## Human Manual Outline

Usage rule: this is only a reading route and salience signal, not factual authority. Concrete claims must still return to repo evidence or Claim Graph.

Host AI hard rules:
- Do not treat page titles, section order, summaries, or importance values as factual project evidence.
- When explaining the Human Manual outline, state that it is only a reading route or salience signal.
- Capability, installation, compatibility, runtime state, and risk claims must cite repo evidence, source paths, or Claim Graph.

- **Project Overview & Architecture**: importance `high`
  - source_paths: README.md, coding_ethos.yml, coding_ethos/CODING_ETHOS.md, ETHOS.md, AGENTS.md
- **Policy Enforcement, MCP & Agent Hooks**: importance `high`
  - source_paths: go/internal/policy/compiler.go, go/internal/mcp/server.go, go/internal/hooks/runner.go, go/internal/agentproxy/intercept.go, go/internal/agentmsg/remediation.go
- **Code Intelligence & Telemetry Storage**: importance `high`
  - source_paths: go/internal/codeintel/duckdb_store.go, go/internal/codeintel/event_log.go, go/internal/codeintel/sarif.go, go/internal/codeintel/decisions.go, go/internal/codeintel/repo_map.go
- **Runtime Sandboxing, Managed Tools & Security**: importance `medium`
  - source_paths: go/internal/sandbox/sandbox.go, go/internal/sandbox/cgroup_linux.go, go/internal/managedcapture/managed_capture.go, go/internal/managedcapture/agent_shell_sandbox.go, go/internal/toolchaincli/managed_toolchain.go

## Repo Inspection Evidence

- repo_clone_verified: true
- repo_inspection_verified: true
- repo_commit: `b46c1f85d4d984f4565fd4796bffc1f0bee93796`
- inspected_files: `README.md`, `pyproject.toml`, `uv.lock`, `docs/AGENT_PROXY.md`, `docs/AGENT_REMEDIATION.md`, `docs/AST_CEL_SARIF_ARCHITECTURE.md`, `docs/BUILD_REPRODUCIBILITY.md`, `docs/CI_CD_SARIF.md`, `docs/CODE_INTEL.md`, `docs/CODE_INTEL_STORAGE.md`, `docs/COMPARISON.md`, `docs/DEMO.md`, `docs/DISCUSSIONS.md`, `docs/GOLD_SECURITY_POSTURE.md`, `docs/HOOK_RUNTIME_BOOTSTRAP.md`, `docs/INTEGRATIONS.md`, `docs/LINT_CAPTURE_GO_FLOW.md`, `docs/MCP_SERVER.md`, `docs/OPENSSF_GOLD_CHECKLIST.md`, `docs/POLICY_LANGUAGE_STRATEGY.md`

Host AI hard rules:
- Without repo_clone_verified=true, do not claim that the source code has been read.
- Without repo_inspection_verified=true, do not write README, docs, or package-file conclusions as facts.
- Without quick_start_verified=true, do not claim that the Quick Start path has run successfully.

## Doramagic Pitfall Constraints

These rules come from Doramagic discovery, validation, or compilation findings. The host AI must treat them as operating constraints, not background notes.

### Constraint 1: Security or permission risk requires verification

- Trigger: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/paudley/coding-ethos/issues/224
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 2: Installation risk requires verification

- Trigger: Project evidence flags a installation risk. Review the linked source before relying on this workflow.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/paudley/coding-ethos/issues/238
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 3: Installation risk requires verification

- Trigger: Project evidence flags a installation risk. Review the linked source before relying on this workflow.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/paudley/coding-ethos/issues/240
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 4: Configuration risk requires verification

- Trigger: Project evidence flags a configuration risk. Review the linked source before relying on this workflow.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: capability.host_targets | https://github.com/paudley/coding-ethos
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 5: Capability evidence risk requires verification

- Trigger: README/documentation is current enough for a first validation pass.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: capability.assumptions | https://github.com/paudley/coding-ethos
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 6: Maintenance risk requires verification

- Trigger: Project evidence flags a maintenance risk. Review the linked source before relying on this workflow.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/paudley/coding-ethos/issues/241
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 7: Maintenance risk requires verification

- Trigger: Project evidence flags a maintenance risk. Review the linked source before relying on this workflow.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: evidence.maintainer_signals | https://github.com/paudley/coding-ethos
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 8: Security or permission risk requires verification

- Trigger: no_demo
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: downstream_validation.risk_items | https://github.com/paudley/coding-ethos
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 9: Security or permission risk requires verification

- Trigger: no_demo
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: risks.scoring_risks | https://github.com/paudley/coding-ethos
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 10: Security or permission risk requires verification

- Trigger: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/paudley/coding-ethos/issues/190
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.