```
---ci---
project: ci
phase: 3
milestone: v0.8
status: complete
decisions:
  - id: D-029
    decision: Full STRIDE 7-category coverage with CWE mapping
    rationale: Industry standard threat classification with actionable CWE remediation
    confidence: 0.88
  - id: D-030
    decision: Reduce exec/eval false positives via string interpolation detection
    rationale: execSync("ls") is safe; execSync(`rm ${x}`) is not
    confidence: 0.85
requirements:
  covered: [SEC-01, SEC-02, SEC-03, SEC-04, SEC-05, SEC-06]
---/ci---
```
- SEC-01: Fixed STRIDE category misassignments. A hardcoded password is information_disclosure (CWE-259), not spoofing; exec with interpolation is elevation_of_privilege (CWE-78), not tampering. All 17 patterns are now correctly categorized.
- SEC-02: Added missing STRIDE categories: repudiation (empty catch blocks, CWE-778) and spoofing (`jwt.decode` without verify, CWE-287). Also added denial_of_service (JSON body parser without size limit, CWE-400), prototype pollution (CWE-1321), weak crypto (CWE-328), unsafe deserialization (CWE-502) and path traversal (CWE-22).
- SEC-03: Reduced false positives: exec/eval patterns now require string interpolation (template literal or dynamic concatenation) rather than matching every exec/eval call.
- SEC-04: Every `SECURITY_PATTERNS` entry has a `cwe` field with a valid CWE ID.
- SEC-05: Confidence-based auto-disposition: each pattern has a confidence score. High-confidence findings are flagged, medium-confidence findings require verification, low-confidence findings are suppressed. The threshold is configurable via the constructor.
- SEC-06: Security `passed=false` when any high-severity finding exists (already enforced by the `hasHighFail` check, now more explicit).
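As an added illustration, not the project's own `SECURITY_PATTERNS` or scanner code, here is a cut-down JavaScript version of the checks SEC-01 through SEC-06 describe; the regexes, thresholds, identifier names and sample source are constructed for this example.

```javascript
// Added example, not CIAgent's own SECURITY_PATTERNS: a cut-down regex scanner
// showing the SEC-03 interpolation check, the SEC-01/SEC-02 STRIDE+CWE mapping and
// the SEC-05 confidence disposition. Patterns, thresholds and sample are constructed.
const DEMO_PATTERNS = [
  { // exec/eval whose argument is a template literal with ${} or a string concatenation
    id: 'exec-interpolation', stride: 'elevation_of_privilege', cwe: 'CWE-78',
    severity: 'high', confidence: 0.9,
    regex: /\b(?:execSync|exec|eval)\s*\(\s*(?:`[^`]*\$\{[^}]+\}[^`]*`|["'][^"']*["']\s*\+\s*\w+)/,
  },
  { id: 'hardcoded-password', stride: 'information_disclosure', cwe: 'CWE-259',
    severity: 'high', confidence: 0.7, regex: /\bpassword\s*[:=]\s*["'][^"']{4,}["']/i },
  { id: 'empty-catch', stride: 'repudiation', cwe: 'CWE-778',
    severity: 'low', confidence: 0.5, regex: /\bcatch\b[^{]*\{\s*\}/ },
];

// SEC-05: high confidence is flagged, medium needs verification, low is suppressed.
function disposition(confidence, { high = 0.85, medium = 0.6 } = {}) {
  if (confidence >= high) return 'flagged';
  return confidence >= medium ? 'needs_verification' : 'suppressed';
}

function scanSource(source, thresholds) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const p of DEMO_PATTERNS) {
      if (!p.regex.test(text)) continue;
      findings.push({ line: i + 1, id: p.id, stride: p.stride, cwe: p.cwe,
        severity: p.severity, disposition: disposition(p.confidence, thresholds) });
    }
  });
  // SEC-06: the security layer fails whenever any high-severity finding exists.
  return { findings, passed: !findings.some((f) => f.severity === 'high') };
}

// Constructed sample: the two cases from D-030 plus one hit for each other pattern.
const SAMPLE_SOURCE = [
  'execSync("ls")',                         // literal argument: not reported
  'execSync(`rm ${x}`)',                    // interpolated argument: CWE-78
  'const password = "hunter22";',           // CWE-259
  'try { fs.unlinkSync(p); } catch (e) {}', // CWE-778, empty catch
].join('\n');
```

`scanSource(SAMPLE_SOURCE)` reports three findings (the literal `execSync("ls")` is skipped) and `passed: false` because two of them are high severity.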
# CIAgent — Continuous Intelligence

Fully autonomous, git-native AI-driven software engineering harness.

## Overview

CIAgent (Continuous Intelligence) is an autonomous-first software engineering harness that eliminates human-in-the-loop overhead while preserving the rigor of guided development. It receives a specification, resolves ambiguities through a single Clarify phase, then executes the full pipeline — research, plan, execute, verify — autonomously.

The git log IS the project memory. Every decision, escalation, lesson learned, and verification result is encoded in commit messages using structured `---ci---` YAML blocks. An agent's first impulse to gather context is `git log`, not file reads. Another agent with access to only commit messages (no code, no diffs) can reconstruct the project state completely.
## Installation

From source (package not yet published to npm):

```bash
# The repository is named ci; clone it into a ciagent directory so the cd below matches
git clone https://git.cloudinit.dev/continuous-intelligence/ci.git ciagent
cd ciagent
npm install
npm run build
npm link
```
## Quick Start

```bash
# Initialize from inline specification
ciagent init "Build a REST API for task management"

# Initialize from a specification file
ciagent init --spec ./specs/my-project.md

# Run the full autonomous pipeline
ciagent run --all

# Run a specific phase
ciagent run research
ciagent run plan
ciagent run execute
ciagent run verify

# Execute an ad-hoc task
ciagent quick "Add authentication middleware"

# Check project status (reads from git log + branches)
ciagent status

# Review autonomous decisions (extracted from git log ---ci--- blocks)
ciagent audit
ciagent audit --verbose

# Debug an issue
ciagent debug "Tests failing on CI"

# Rollback a phase
ciagent rollback 1

# Ship a phase (verify, security, commit, tag)
ciagent ship 1
```
## Git-Native Architecture (v0.2.0)

### The Commit Schema

Every CIAgent-generated commit contains a `---ci---` YAML block with structured metadata:

```
feat(P01-01-02): create user registration endpoint

---ci---
phase: 1
milestone: v1.0
plan: 01-01
task: 01-01-02
status: execute
decisions:
  - id: D-003
    decision: Use bcrypt with 12 rounds for password hashing
    rationale: Industry standard; argon2 not available in target env
    confidence: 0.88
    alternatives: [argon2, scrypt]
requirements:
  covered: [AUTH-01]
---/ci---

- POST /auth/register validates email and password
- Checks for duplicate users
- Returns JWT token on success
```
### What Lives Where

| Where | What | Why |
|---|---|---|
| `.ciagent/config.json` | Autonomy, thresholds, git strategy | Controls system behavior before any commits exist |
| `.ciagent/PROJECT.md` | Vision, core value, requirements, constraints, key decisions table | Long-lived strategic reference |
| `.ciagent/ARCHITECTURE.md` | System architecture, component boundaries, data flow | Long-lived technical reference |
| `.ciagent/ROADMAP.md` | Phase breakdown, milestone mapping, success criteria | Long-lived planning reference |
| `.ciagent/REQUIREMENTS.md` | v1/v2 requirements with REQ-IDs and traceability | Long-lived requirements reference |
| Git commit bodies | Decisions, escalations, lessons, compounds, verification results | Dynamic event stream — the audit trail |
| Git branches | Phase/milestone status | `phase/NN-slug` and `milestone/vX.X-slug` encode project structure |
### Branch Strategy

```
main
└── milestone/v1.0-mvp
    ├── phase/01-authentication        # in progress if not merged
    ├── phase/02-task-management
    └── phase/03-realtime-notifications
```

- Branch exists + not merged = phase in progress
- Branch merged to milestone = phase complete
- Milestone branch merged to main = milestone complete
### Context Reconstruction Protocol

An agent starting a session gathers context in this order:

1. `git log --oneline -20` — recent activity
2. `git branch -a` — phase/milestone structure
3. `git log -1 --format="%b"` — latest `---ci---` block
4. `.ciagent/config.json` — autonomy + thresholds
5. `.ciagent/PROJECT.md` — vision + constraints (when needed)
6. `.ciagent/ROADMAP.md` — phase plan + success criteria (when needed)
7. `.ciagent/REQUIREMENTS.md` — REQ-IDs + traceability (when planning)
8. `.ciagent/ARCHITECTURE.md` — system structure (when researching)

Steps 1-3 take under 1 second and provide 80% of the context needed.
### The Reconstruction Test

An agent with access to only commit messages (no code, no diffs, no `.ciagent/` files) can reconstruct:

| Reconstructable | How |
|---|---|
| Project specification | Init commit body |
| Current phase | `---ci---.phase` field + branch status |
| Current milestone | Branch names + `---ci---.milestone` field |
| All decisions with rationale | `git log --grep="decisions:" --format="%b"` |
| Decision confidence | Each decision has `confidence: 0.XX` |
| Alternatives considered | Each decision has `alternatives: [...]` |
| Requirements coverage | `git log --grep="requirements:" --format="%b"` |
| Lessons learned | `git log --grep="lessons:" --format="%b"` |
| Compounded solutions | `git log --grep="compound:" --format="%b"` |
| Escalation history | `git log --grep="escalation:" --format="%b"` |
### Commit Types

In addition to conventional commit types, CIAgent uses:

| Type | When Used |
|---|---|
| `decision` | Autonomous decision logged (no code change) |
| `compound` | Compounded solution captured |
| `escalation` | Escalation raised or resolved |
| `verify` | Verification pass/fail |
| `wip` | Work-in-progress checkpoint |
## Autonomy Levels

| Level | Behavior |
|---|---|
| `full` | No human interaction after Clarify. Escalate only irreversible decisions. |
| `supervised` | Escalate on every Escalation Gate plus verification failures. |
| `guided` | Escalate on every Decision Gate. |
## Configuration

CIAgent uses `.ciagent/config.json` for project configuration:

```json
{
  "autonomy": {
    "level": "full",
    "escalation_hooks": ["deploy", "delete_data", "merge_to_main"],
    "clarify_budget": 10,
    "decision_confidence_threshold": 0.6,
    "max_revision_iterations": 3,
    "max_verification_retries": 2,
    "escalation_timeout_ms": 300000
  },
  "model_profile": "quality",
  "parallelization": {
    "enabled": true,
    "max_concurrent_agents": 5,
    "min_plans_for_parallel": 2
  },
  "verification": {
    "automated_only": true,
    "escalate_visual": true,
    "escalate_external_integration": true,
    "test_first": false
  },
  "security": {
    "auto_accept_low_severity": true,
    "auto_mitigate_medium_severity": true,
    "escalate_high_severity": true
  },
  "git": {
    "branching_strategy": "phase",
    "auto_commit": true,
    "auto_push": false
  }
}
```
## Architecture

### Pipeline

```
SPECIFY → CLARIFY → RESEARCH → PLAN → EXECUTE → TEST → VERIFY → COMPLETE
             ↕          ↕         ↕        ↕         ↕         ↕
        (questions) (auto-decide)      (auto-run) (auto-test) (auto-verify)
```
### Git-Native Core Modules

| Module | Purpose |
|---|---|
| `commit-parser` | `---ci---` YAML block extraction and parsing from commit messages |
| `commit-builder` | Structured commit message generation for all commit types |
| `git-context` | Project state reconstruction from `git log` + `git branch` |
| `git-branch` | Phase/milestone branch lifecycle management |
| `ciagent-files` | `.ciagent/` long-lived reference file management with update discipline |
### Decision Engine

Every autonomous decision is classified by confidence:

- High (>0.85): Auto-decide, commit as `---ci---` block
- Medium (0.60-0.85): Auto-decide with assumption logging, flag for review
- Low (<0.60): Escalate to human

Decisions are committed to git as `decision` type commits. The audit trail is `git log --grep="decisions:"`.
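An added example, not CIAgent's own `commit-parser` module, that ties together the commit schema above, the `git log --grep` reconstruction table and the confidence bands just described: it parses the `---ci---` block out of a commit message and bands each decision. The parser covers only the YAML subset the schema shows; `parseCiBlock`, `classifyDecision` and the extra D-004 decision in the sample are constructed for this example.

```javascript
// Added example, not CIAgent's own commit-parser: pull the ---ci--- block out of
// a commit message, read the schema fields shown above (scalars, the decisions
// list, requirements.covered) and band each decision as the Decision Engine does.
const flowList = (v) => v.replace(/^\s*\[|\]\s*$/g, '').split(',').map((s) => s.trim()).filter(Boolean);
function parseCiBlock(message) {
  const m = message.match(/^---ci---\n([\s\S]*?)\n---\/ci---/m);
  if (!m) return null; // not a CIAgent commit
  const result = { decisions: [], requirementsCovered: [] };
  let current = null; // the decision mapping currently being filled
  for (const raw of m[1].split('\n')) {
    const line = raw.trim(); // indentation is ignored, so unindented blocks parse too
    const item = line.match(/^-\s*id:\s*(\S+)/);
    if (item) { current = { id: item[1] }; result.decisions.push(current); continue; }
    const kv = line.match(/^(\w+):\s*(.*)$/);
    if (!kv) continue;
    const [, key, value] = kv;
    if (key === 'decisions' || key === 'requirements') { current = null; continue; }
    if (key === 'covered') { result.requirementsCovered = flowList(value); continue; }
    if (current) {
      current[key] = key === 'confidence' ? Number(value) : key === 'alternatives' ? flowList(value) : value;
    } else {
      result[key] = /^\d+$/.test(value) ? Number(value) : value;
    }
  }
  return result;
}
// Decision Engine bands: >0.85 high (auto-decide), threshold..0.85 medium (flag for
// review), below threshold low (escalate). Default threshold matches config.json above.
function classifyDecision(confidence, threshold = 0.6) {
  if (confidence > 0.85) return 'high';
  return confidence >= threshold ? 'medium' : 'low';
}
// Constructed sample: the commit from the schema section plus one extra low-confidence decision.
const SAMPLE_COMMIT = `feat(P01-01-02): create user registration endpoint
---ci---
phase: 1
milestone: v1.0
status: execute
decisions:
  - id: D-003
    decision: Use bcrypt with 12 rounds for password hashing
    confidence: 0.88
    alternatives: [argon2, scrypt]
  - id: D-004
    decision: Store refresh tokens in Redis
    confidence: 0.55
requirements:
  covered: [AUTH-01]
---/ci---`;
```

Filtering `parseCiBlock(SAMPLE_COMMIT).decisions` by `classifyDecision(d.confidence) === 'low'` yields the decisions an audit would surface as escalation candidates (here only D-004).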
### 19 Agents

| Agent | Role | CIAgent Modification |
|---|---|---|
| orchestrator | Pipeline controller | Git-first context loading, `---ci---` commit generation |
| planner | Plan creation | Never sets autonomous: false |
| executor | Task execution | Never pauses for checkpoints |
| verifier | Output verification | Generates automated tests, not human UAT |
| researcher | Domain research | Logs assumptions, never flags for human |
| tester | Integration/e2e tests | Detects and runs existing test files, never writes tests |
| challenger | Plan stress-testing | Binding verdicts, only escalates <0.60 |
| security-auditor | Security audit | Auto-dispositions threats |
| debugger | Bug fixing | Auto-fixes when confidence > threshold |
| Others | Various | Delegates to active intelligence backend |
### Verification Layers

- Structural: File existence, import/export wiring, no stubs
- Behavioral: Test infrastructure and requirement traceability (partially implemented — static analysis, no test generation yet)
- Security: Regex-based threat pattern scanning with auto-disposition (partially implemented — no STRIDE analysis yet)
- Code Quality: Regex-based code quality checks (partially implemented — no multi-persona review yet)
## Specification Format

```markdown
# Project: My Project

## Objective
Build a REST API for task management.

## Requirements
- User authentication (JWT-based)
- CRUD operations for tasks
- Real-time notifications

## Constraints
- Must use Node.js
- Must be production-ready

## Out of Scope
- Admin dashboard
- Mobile apps
```
## Escalation Protocol

When CIAgent cannot proceed autonomously:

- Irreversible Action: Deploy, delete, merge to protected branch
- Verification Failure: Tests pass but functional verification fails
- Low Confidence Decision: Critical decision below threshold
- Security Escalation: High-severity threat detected
- Specification Ambiguity: Multiple valid interpretations

Each escalation is committed as an `escalation` type commit. Resolved escalations produce a follow-up commit with the resolution. The full escalation history is available via `git log --grep="escalation:"`.
## Current Limitations

- Agent implementations: 5 core agents have intrinsic logic (planner, executor, verifier, researcher, tester); 13 agents delegate to backends. Full LLM-powered agent behavior requires an intelligence backend.
- Package not published to npm: Install from source only until a publishing pipeline is configured.
- Behavioral/Security/Quality verification layers: Partially implemented — structural verification is complete; behavioral does static analysis; security does regex-based threat scanning; quality does regex-based code quality checks.
## Differences from Learnship

| Dimension | Learnship | CIAgent |
|---|---|---|
| Project memory | `.planning/` directory files (legacy) | Git log + `---ci---` commit blocks |
| Audit trail | `.ciagent/audit/*.json` files (legacy) | `git log --grep="decisions:"` |
| State management | `STATE.md` + `STATE.md.json` (legacy) | Reconstructed from git on demand |
| Phase discovery | Read `.planning/phases/` directory (legacy) | `git branch -a \| grep phase/` |
| Human Interactions | 19+/lifecycle | 1-2/lifecycle |
| Decision Making | Human decides, agent implements | Agent decides, human reviews post-hoc |
| Verification | Human UAT | Automated tests + escalation |
| Specification | Multi-round conversation | Single spec file |
## Repository

git.cloudinit.dev/continuous-intelligence/ci

## License

MIT