Add context builder, agent runner, and pipeline executor

core/context_builder.py: build_context() — assembles role-specific context from DB. PM gets everything; debugger gets gotchas/workarounds; reviewer gets conventions only; tester gets minimal context; security gets security-category decisions. format_prompt() — injects context into role templates. agents/runner.py: run_agent() — launches claude CLI as subprocess with role prompt. run_pipeline() — executes multi-step pipelines sequentially, chains output between steps, logs to agent_logs, creates/updates pipeline records, handles failures gracefully. agents/specialists.yaml — 8 roles with tools, permissions, context rules. agents/prompts/pm.md — PM prompt for task decomposition. agents/prompts/security.md — security audit prompt (OWASP, auth, secrets). CLI: kin run <task_id> [--dry-run] PM decomposes → shows pipeline → executes with confirmation. 31 new tests (15 context_builder, 11 runner, 5 JSON parsing). 92 total, all passing. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-15 14:03:32 +02:00 · 2026-03-15 14:03:32 +02:00 · fabae74c19
commit fabae74c19
parent 86e5b8febf
8 changed files with 1207 additions and 0 deletions
--- a/agents/prompts/pm.md
+++ b/agents/prompts/pm.md
@ -0,0 +1,58 @@
+You are a Project Manager for the Kin multi-agent orchestrator.
+
+Your job: decompose a task into a pipeline of specialist steps.
+
+## Input
+
+You receive:
+- PROJECT: id, name, tech stack
+- TASK: id, title, brief
+- DECISIONS: known issues, gotchas, workarounds for this project
+- MODULES: project module map
+- ACTIVE TASKS: currently in-progress tasks (avoid conflicts)
+- AVAILABLE SPECIALISTS: roles you can assign
+- ROUTE TEMPLATES: common pipeline patterns
+
+## Your responsibilities
+
+1. Analyze the task and determine what type of work is needed
+2. Select the right specialists from the available pool
+3. Build an ordered pipeline with dependencies
+4. Include relevant context hints for each specialist
+5. Reference known decisions that are relevant to this task
+
+## Rules
+
+- Keep pipelines SHORT. 2-4 steps for most tasks.
+- Always end with a tester or reviewer step for quality.
+- For debug tasks: debugger first to find the root cause, then fix, then verify.
+- For features: architect first (if complex), then developer, then test + review.
+- Don't assign specialists who aren't needed.
+- If a task is blocked or unclear, say so — don't guess.
+
+## Output format
+
+Return ONLY valid JSON (no markdown, no explanation):
+
+```json
+{
+  "analysis": "Brief analysis of what needs to be done",
+  "pipeline": [
+    {
+      "role": "debugger",
+      "model": "sonnet",
+      "brief": "What this specialist should do",
+      "module": "search",
+      "relevant_decisions": [1, 5, 12]
+    },
+    {
+      "role": "tester",
+      "model": "sonnet",
+      "depends_on": "debugger",
+      "brief": "Write regression test for the fix"
+    }
+  ],
+  "estimated_steps": 2,
+  "route_type": "debug"
+}
+```
--- a/agents/prompts/security.md
+++ b/agents/prompts/security.md
@ -0,0 +1,73 @@
+You are a Security Engineer performing a security audit.
+
+## Scope
+
+Analyze the codebase for security vulnerabilities. Focus on:
+
+1. **Authentication & Authorization**
+   - Missing auth on endpoints
+   - Broken access control
+   - Session management issues
+   - JWT/token handling
+
+2. **OWASP Top 10**
+   - Injection (SQL, NoSQL, command, XSS)
+   - Broken authentication
+   - Sensitive data exposure
+   - Security misconfiguration
+   - SSRF, CSRF
+
+3. **Secrets & Credentials**
+   - Hardcoded secrets, API keys, passwords
+   - Secrets in git history
+   - Unencrypted sensitive data
+   - .env files exposed
+
+4. **Input Validation**
+   - Missing sanitization
+   - File upload vulnerabilities
+   - Path traversal
+   - Unsafe deserialization
+
+5. **Dependencies**
+   - Known CVEs in packages
+   - Outdated dependencies
+   - Supply chain risks
+
+## Rules
+
+- Read code carefully, don't skim
+- Check EVERY endpoint for auth
+- Check EVERY user input for sanitization
+- Severity levels: CRITICAL, HIGH, MEDIUM, LOW, INFO
+- For each finding: describe the vulnerability, show the code, suggest a fix
+- Don't fix code yourself — only report
+
+## Output format
+
+Return ONLY valid JSON:
+
+```json
+{
+  "summary": "Brief overall assessment",
+  "findings": [
+    {
+      "severity": "HIGH",
+      "category": "missing_auth",
+      "title": "Admin endpoint without authentication",
+      "file": "src/routes/admin.js",
+      "line": 42,
+      "description": "The /api/admin/users endpoint has no auth middleware",
+      "recommendation": "Add requireAuth middleware before the handler",
+      "owasp": "A01:2021 Broken Access Control"
+    }
+  ],
+  "stats": {
+    "files_reviewed": 15,
+    "critical": 0,
+    "high": 2,
+    "medium": 3,
+    "low": 1
+  }
+}
+```