Merge pull request #6 from brickhouse-tech/feat/inheritance

nmccready · web-flow · commit 9b57dc2c5b71 · 2026-03-27T16:03:24.000-04:00
feat: add inheritance convention support
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -9,17 +9,13 @@ on:
       - '.github/workflows/**'
 jobs:
   test:
-    strategy:
-      matrix:
-        node-version: ['20.x', '22.x', '24.x']
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Use Node.js ${{ matrix.node-version }}
+      - name: Use Node.js 22.x
         uses: actions/setup-node@v4
         with:
-          node-version: ${{ matrix.node-version }}
-          # cache: "npm" # needs lockfile if enabled
+          node-version: '22.x'
 
       - run: npm install
       - run: npm run lint
diff --git a/README.md b/README.md
@@ -63,6 +63,9 @@ AGENTS.md is also symlinked to CLAUDE.md so that Claude reads the index natively
 | `watch` | Watch `.agents/` for changes and auto-regenerate `AGENTS.md` |
 | `import <url>` | Import a rule/skill/workflow from a URL |
 | `hook` | Install a pre-commit git hook for auto-sync |
+| `inherit <label> <path>` | Add an inheritance link to AGENTS.md |
+| `inherit --list` | List current inheritance links |
+| `inherit --remove <label>` | Remove an inheritance link by label |
 | `status` | Show the current sync status of all targets and symlinks |
 | `add <type> <name>` | Add a new rule, skill, or workflow from a template (type is `rule`, `skill`, or `workflow`) |
 | `index` | Regenerate `AGENTS.md` by scanning the contents of `.agents/` |
@@ -79,6 +82,150 @@ AGENTS.md is also symlinked to CLAUDE.md so that Claude reads the index natively
 | `--dry-run` | Show what would be done without making changes |
 | `--force` | Overwrite existing files and symlinks |
 
+## Inheritance
+
+Projects can inherit agent rules from parent directories (org, team, global) using a convention-based approach. This enables hierarchical rule sharing without duplicating files.
+
+### How It Works
+
+Add an `## Inherits` section to your project's `AGENTS.md` that links to parent-level agent configs:
+
+```markdown
+## Inherits
+- [global](../../AGENTS.md)
+- [team](../AGENTS.md)
+```
+
+AI agents (Claude, Codex, etc.) follow markdown links natively — when they read your project's `AGENTS.md`, they'll traverse the inheritance chain and apply rules from all levels.
+
+### Hierarchy Example
+
+```
+~/code/                     # Global: security norms, universal rules
+  ├── .agents/
+  ├── AGENTS.md
+  └── org/                  # Org-level: coding standards, shared workflows
+      ├── .agents/
+      ├── AGENTS.md
+      └── team/             # Team-level: language-specific rules
+          ├── .agents/
+          ├── AGENTS.md
+          └── project/      # Project: project-specific rules + inherits
+              ├── .agents/
+              └── AGENTS.md  → ## Inherits links to team, org, global
+```
+
+**Inheritance is upward-only.** A project declares what it inherits from. Parent directories don't need to know about their children — when an agent works at the org level, it already has access to org-level rules.
+
+### Managing Inheritance
+
+```bash
+# Add an inheritance link
+sync-agents inherit global ../../AGENTS.md
+sync-agents inherit team ../AGENTS.md
+
+# List current inheritance links
+sync-agents inherit --list
+
+# Remove an inheritance link
+sync-agents inherit --remove global
+```
+
+The `## Inherits` section is preserved across `sync-agents index` regenerations.
+
+### Full Example
+
+Set up a three-level hierarchy: global rules → org standards → project config.
+
+```bash
+# 1. Create global rules (e.g. ~/code/.agents/)
+cd ~/code
+sync-agents init
+sync-agents add rule security
+cat > .agents/rules/security.md << 'EOF'
+---
+trigger: always_on
+---
+# Security
+- Never commit secrets or API keys
+- Validate all external input
+- Use parameterized queries for database access
+EOF
+
+# 2. Create org-level rules (e.g. ~/code/myorg/.agents/)
+cd ~/code/myorg
+sync-agents init
+sync-agents add rule go-standards
+cat > .agents/rules/go-standards.md << 'EOF'
+---
+trigger: always_on
+---
+# Go Standards
+- Use `gofmt` and `golangci-lint` on all Go files
+- Prefer table-driven tests
+- Export only what consumers need
+EOF
+
+# 3. Create project with inheritance
+cd ~/code/myorg/api-service
+sync-agents init
+sync-agents add rule api-conventions
+
+# Link to parent levels
+sync-agents inherit org ../AGENTS.md
+sync-agents inherit global ../../AGENTS.md
+
+# Sync to agent directories
+sync-agents sync
+```
+
+The project's `AGENTS.md` now looks like:
+
+```markdown
+## Inherits
+- [org](../AGENTS.md)
+- [global](../../AGENTS.md)
+
+## Rules
+- [api-conventions](.agents/rules/api-conventions.md)
+
+## Skills
+_No skills defined yet._
+
+## Workflows
+_No workflows defined yet._
+```
+
+When an AI agent reads this file, it follows the `## Inherits` links and applies rules from all three levels — project-specific API conventions, org-wide Go standards, and global security rules.
+
+### Verifying Inheritance
+
+```bash
+# Check what's inherited
+sync-agents inherit --list
+# Output:
+# - [org](../AGENTS.md)
+# - [global](../../AGENTS.md)
+
+# Remove a link if no longer needed
+sync-agents inherit --remove global
+
+# Re-add with a different path
+sync-agents inherit global ../../AGENTS.md
+```
+
+## Examples
+
+The [`examples/`](examples/) directory contains ready-to-use rules, skills, and workflows. Import them directly:
+
+```bash
+sync-agents import https://raw.githubusercontent.com/brickhouse-tech/sync-agents/main/examples/rules/no-secrets.md
+sync-agents import https://raw.githubusercontent.com/brickhouse-tech/sync-agents/main/examples/skills/code-review.md
+sync-agents import https://raw.githubusercontent.com/brickhouse-tech/sync-agents/main/examples/workflows/pr-checklist.md
+```
+
+See [examples/README.md](examples/README.md) for the full list.
+
 ## Usage
 
 ```bash
diff --git a/examples/README.md b/examples/README.md
@@ -0,0 +1,36 @@
+# Examples
+
+Ready-to-use rules, skills, and workflows for `sync-agents`.
+
+## Quick Import
+
+```bash
+# Import directly from GitHub
+sync-agents import https://raw.githubusercontent.com/brickhouse-tech/sync-agents/main/examples/rules/no-secrets.md
+sync-agents import https://raw.githubusercontent.com/brickhouse-tech/sync-agents/main/examples/skills/code-review.md
+sync-agents import https://raw.githubusercontent.com/brickhouse-tech/sync-agents/main/examples/workflows/pr-checklist.md
+```
+
+## Contents
+
+### Rules
+| File | Description |
+|---|---|
+| [no-secrets](rules/no-secrets.md) | Prevent committing API keys, tokens, and credentials |
+| [commit-conventions](rules/commit-conventions.md) | Enforce Conventional Commits format |
+| [no-force-push](rules/no-force-push.md) | Protect shared branches from history rewrites |
+
+### Skills
+| File | Description |
+|---|---|
+| [code-review](skills/code-review.md) | Systematic PR review process |
+| [debugging](skills/debugging.md) | Structured approach to diagnosing issues |
+
+### Workflows
+| File | Description |
+|---|---|
+| [pr-checklist](workflows/pr-checklist.md) | Pre-flight checklist before opening a PR |
+
+## Contributing
+
+Add your own examples via PR! Follow the templates in `src/md/` for consistent formatting.
diff --git a/examples/rules/commit-conventions.md b/examples/rules/commit-conventions.md
@@ -0,0 +1,40 @@
+---
+trigger: always_on
+---
+
+# Commit Conventions
+
+All commits must follow [Conventional Commits](https://www.conventionalcommits.org/).
+
+## Format
+
+```
+<type>(<scope>): <description>
+
+[optional body]
+
+[optional footer(s)]
+```
+
+## Types
+
+| Type | When to use |
+|---|---|
+| `feat` | New feature or capability |
+| `fix` | Bug fix |
+| `docs` | Documentation only |
+| `style` | Formatting, whitespace (no logic change) |
+| `refactor` | Code restructuring (no feature or fix) |
+| `perf` | Performance improvement |
+| `test` | Adding or updating tests |
+| `build` | Build system or dependencies |
+| `ci` | CI/CD configuration |
+| `chore` | Maintenance tasks |
+
+## Rules
+
+- Subject line: imperative mood, lowercase, no period, max 72 characters
+- Body: wrap at 72 characters, explain *what* and *why* (not *how*)
+- Breaking changes: add `BREAKING CHANGE:` in footer or `!` after type
+- Reference issues: `Fixes #123` or `Closes #456` in footer
+- One logical change per commit — don't mix features with refactors
diff --git a/examples/rules/no-force-push.md b/examples/rules/no-force-push.md
@@ -0,0 +1,15 @@
+---
+trigger: always_on
+---
+
+# No Force Push
+
+Protect shared branches from history rewrites.
+
+## Rules
+
+- Never `git push --force` to `main`, `master`, `develop`, or any release branch
+- Use `--force-with-lease` on feature branches only, and only when you own the branch
+- If a rebase is needed on a shared branch, coordinate with the team first
+- Prefer merge commits or squash merges over rebasing shared history
+- If you accidentally force-pushed a shared branch, notify the team immediately and restore from reflog
diff --git a/examples/rules/no-secrets.md b/examples/rules/no-secrets.md
@@ -0,0 +1,23 @@
+---
+trigger: always_on
+---
+
+# No Secrets
+
+Never commit secrets, credentials, or sensitive values to the repository.
+
+## Rules
+
+- Do not hardcode API keys, tokens, passwords, or connection strings in source code
+- Do not commit `.env`, `.envrc`, or any file containing secrets
+- Use environment variables or a secrets manager (1Password, Vault, AWS Secrets Manager) for all credentials
+- If a secret is accidentally committed, rotate it immediately — git history is permanent
+- Use placeholder values in examples and documentation (e.g. `YOUR_API_KEY_HERE`)
+- Ensure `.gitignore` includes: `.env`, `.env.*`, `*.pem`, `*.key`, `credentials.json`
+
+## Detection
+
+Flag any of these patterns in code review:
+- Strings matching `sk-`, `ghp_`, `gho_`, `AKIA`, `xox`, `Bearer ` followed by a long alphanumeric string
+- Base64-encoded blobs assigned to variables named `key`, `secret`, `token`, `password`, `credential`
+- Hardcoded URLs containing `@` (embedded credentials)
diff --git a/examples/skills/code-review.md b/examples/skills/code-review.md
@@ -0,0 +1,32 @@
+---
+trigger: always_on
+---
+
+# Code Review
+
+Systematic approach to reviewing pull requests.
+
+## Process
+
+1. **Understand context** — Read the PR description, linked issues, and related docs before looking at code
+2. **Check scope** — Does the PR do one thing? Flag scope creep early
+3. **Read tests first** — Tests reveal intent; if there are no tests, that's the first comment
+4. **Review logic** — Walk through the code path as if you're the runtime
+5. **Check edge cases** — Empty inputs, nulls, large datasets, concurrent access, error paths
+6. **Verify naming** — Variables, functions, and files should be self-documenting
+7. **Security scan** — Look for injection, auth bypass, data exposure, unsafe deserialization
+8. **Performance** — N+1 queries, unbounded loops, missing pagination, large allocations
+
+## Comment Style
+
+- **Blocking:** Prefix with `[blocking]` — must fix before merge
+- **Suggestion:** Prefix with `[nit]` or `[suggestion]` — take it or leave it
+- **Question:** Prefix with `[question]` — clarify intent, not a change request
+- Be specific: link to the line, show the fix, explain why
+
+## Approve When
+
+- All blocking comments are resolved
+- Tests pass and cover the change
+- No security concerns
+- Code is readable by someone who didn't write it
diff --git a/examples/skills/debugging.md b/examples/skills/debugging.md
@@ -0,0 +1,33 @@
+---
+trigger: always_on
+---
+
+# Debugging
+
+Structured approach to diagnosing and resolving issues.
+
+## Process
+
+1. **Reproduce** — Can you trigger the bug reliably? Define exact steps, inputs, and environment
+2. **Isolate** — Narrow the scope. Binary search: comment out half the code, which half breaks?
+3. **Read the error** — Stack traces, logs, error codes. The answer is often in the message
+4. **Check recent changes** — `git log --oneline -20` and `git diff` against last known working state
+5. **Form a hypothesis** — State what you think is wrong *before* changing code
+6. **Test the hypothesis** — One change at a time. If it didn't fix it, revert before trying the next thing
+7. **Verify the fix** — Reproduce the original steps. Confirm the bug is gone. Check for regressions
+8. **Document** — Add a test that would have caught it. Update comments if the code was misleading
+
+## Anti-Patterns
+
+- Shotgun debugging: changing multiple things at once
+- Print-statement overload without a hypothesis
+- Fixing symptoms instead of root causes
+- "It works on my machine" without checking environment differences
+- Ignoring warnings and deprecation notices
+
+## Tools
+
+- **Logs:** Check application logs, system logs, browser console
+- **Debugger:** Step through with breakpoints rather than guessing
+- **Git bisect:** `git bisect start` → `git bisect bad` → `git bisect good <sha>` to find the breaking commit
+- **Minimal reproduction:** Strip the problem to the smallest possible case
diff --git a/examples/workflows/pr-checklist.md b/examples/workflows/pr-checklist.md
diff --git a/src/sh/sync-agents.sh b/src/sh/sync-agents.sh
diff --git a/test/sync-agents.bats b/test/sync-agents.bats
