This file is automatically managed by StrayMark CLI. Read and follow these rules when working on this project. For complete rules:
.straymark/00-governance/AGENT-RULES.md
StrayMark externalizes the cognitive discipline of senior software engineering — explicit scope, declared decisions, named risks, recorded alternatives, audited trails — into versioned files that live alongside the code. The intent is to constrain the agent's decision space so AI-assisted work stays coherent across many turns instead of drifting into hidden technical debt.
As a side effect of doing the engineering work this way, the artifacts produced map cleanly onto the major AI governance frameworks. The rules are written for the engineering work first; the compliance evidence is what falls out when the work is done with discipline.
Frameworks the resulting evidence aligns with:
- ISO/IEC 42001:2023 (AI Management System) — vertebral standard for governance structure
- EU AI Act (Regulation 2024/1689) — risk classification, transparency, incident reporting
- NIST AI RMF 1.0 + 600-1 — risk management functions and generative AI risk profiles
- GDPR — data protection impact assessments and privacy safeguards
Optional regional scope — when .straymark/config.yml declares regional_scope: china, the framework additionally produces evidence for:
- TC260 AI Safety Governance Framework v2.0 — risk grading (TC260RA)
- PIPL (Personal Information Protection Law) — PIPIA, retention ≥ 3 years
- GB 45438-2025 (mandatory) — AI-generated content labeling (AILABEL)
- CAC Algorithm Filing — algorithm registration (CACFILE)
- GB/T 45652-2025 — pre-training & fine-tuning data security
- CSL 2026 — cybersecurity incident reporting (1h / 4h+72h+30d windows)
See
AI-GOVERNANCE-POLICY.mdfor the ISO 42001 Annex A control mapping andCHINA-REGULATORY-FRAMEWORK.mdfor the China coverage matrix. The product-level rationale lives inPropuesta/straymark-design-principles.md.
"No significant change without a documented trace — and a constrained decision space for the agent."
Check .straymark/config.yml for the project's language setting:
language: en # Options: en, es, zh-CN (default: en)Template paths based on language:
| Language | Template Path |
|---|---|
en (default) |
.straymark/templates/TEMPLATE-*.md |
es |
.straymark/templates/i18n/es/TEMPLATE-*.md |
zh-CN |
.straymark/templates/i18n/zh-CN/TEMPLATE-*.md |
If the config file doesn't exist or language is not set, use English (en) as default.
At the end of each task, you MUST report your StrayMark documentation status:
If you created documentation:
StrayMark: Created AILOG-2025-01-27-001-implement-auth.md
If documentation was not needed:
StrayMark: No documentation required (minor change / below complexity threshold)
If you should have documented but didn't:
StrayMark: Documentation pending - review required
This transparency helps users verify compliance with StrayMark rules.
When working on this project:
- Identify yourself with your platform and version (e.g.,
claude-code-v1.0,gemini-cli-v1.0,copilot-cli-v1.0) - Declare your confidence level in decisions:
high | medium | low - Record your identification in the
agent:field of the metadata
CRITICAL: Never commit directly to
mainbranch.
All changes must go through feature/fix branches and Pull Requests.
| Prefix | Purpose |
|---|---|
feature/ or feat/ |
New features |
fix/ |
Bug fixes |
hotfix/ |
Urgent production fixes |
docs/ |
Documentation only |
refactor/ |
Code refactoring |
test/ |
Test changes |
| Prefix | Use Case |
|---|---|
feat: |
New feature |
fix: |
Bug fix |
docs: |
Documentation only |
refactor: |
No behavior change |
chore: |
Maintenance |
git checkout main && git pull origin main
git checkout -b fix/descriptive-name
# ... make changes and commits ...
git push -u origin fix/descriptive-name
gh pr create --title "fix: description" --body "..."Full details:
.straymark/00-governance/GIT-BRANCHING-STRATEGY.md
| Situation | Action |
|---|---|
| Code complexity above threshold | Create AILOG — run straymark analyze <files> --output json; fallback: >20 lines |
| Decision between technical alternatives | Create AIDEC |
| Changes in auth/authorization/PII | Create AILOG (risk_level: high) + ETH draft |
| Changes in public API or DB schema | Create AILOG + consider ADR |
| Changes in ML models or AI prompts | Create AILOG + human review |
| Security-critical dependency changes | Create AILOG + human review |
| OTel instrumentation changes | Create AILOG + tag observabilidad |
| Multi-session implementation block (>1 day, >5 tasks across phases) | Declare a Charter — straymark charter new. See section 15. |
| Transversal technical debt — heritage from prior Charter, applies to multiple modules, or requires dedicated Charter to remediate | Create TDE — distinct from per-Charter R<N>. See .straymark/00-governance/AGENT-RULES.md §3 for TDE vs R<N> disambiguation. |
- Trivial changes (whitespace, typos, formatting)
- Sensitive information (credentials, tokens, API keys)
[TYPE]-[YYYY-MM-DD]-[NNN]-[description].md
Example: AILOG-2025-01-27-001-implement-oauth.md
---
id: AILOG-2026-03-25-001
title: Brief description
status: accepted
created: 2026-03-25
agent: your-agent-id-v1.0
confidence: high | medium | low
review_required: true | false
risk_level: low | medium | high | critical
tags: [oauth, authentication, api]
related:
- ADR-2026-01-20-001-use-jwt-tokens.md
# Optional regulatory fields (activate by context):
# eu_ai_act_risk: not_applicable
# nist_genai_risks: []
# iso_42001_clause: []
# observability_scope: none
---- Use kebab-case keywords:
sqlite,api-design,gnome-integration - 3 to 8 tags per document — describe topic, technology, or component
- Tags enable search and categorization in
straymark explore
- Reference other StrayMark documents by filename (with
.md):AILOG-2025-01-27-001-implement-oauth.md - For documents in subdirectories, include path from
.straymark/:07-ai-audit/agent-logs/daemon/AILOG-2026-02-03-001-file.md - For documents in the same directory, filename alone is sufficient
- Do not use task IDs, issue numbers, or URLs — those go in the document body
| Type | Agent can do | Requires human |
|---|---|---|
| AILOG | Create freely | — |
| AIDEC | Create freely | — |
| SBOM | Create freely | — |
| ETH | Create draft | Approval |
| ADR | Create draft | Review |
| SEC | Create draft | Approval (always) |
| MCARD | Create draft | Approval (always) |
| DPIA | Create draft | Approval (always) |
| REQ | Propose | Validation |
| TES | Propose | Validation |
| INC | Contribute analysis | Conclusions |
| TDE | Identify | Prioritize |
| PIPIA (china) | Create draft | Approval (always) |
| CACFILE (china) | Create draft | Approval (always — counsel + compliance officer before submission) |
| TC260RA (china) | Create draft | Approval (always) |
| AILABEL (china) | Create draft | Approval (always — before deployment) |
| Charter | Scaffold via charter new; fill scope, files, risks, tasks |
Operator owns the trigger and lifecycle transitions (declared → in-progress → closed). See section 15. |
IMPORTANT: This is the complete project structure. Not everything is loaded in this session, but any document can be accessed when needed.
.straymark/
├── 00-governance/ ← POLICIES AND RULES
│ ├── PRINCIPLES.md # Project guiding principles
│ ├── DOCUMENTATION-POLICY.md # Complete documentation policy
│ ├── AGENT-RULES.md # Detailed rules for AI agents
│ └── exceptions/ # Documented exceptions
│
├── 01-requirements/ ← REQUIREMENTS (REQ)
│ └── [REQ-*.md] # System requirements
│
├── 02-design/ ← DESIGN
│ └── decisions/ # ADRs (Architecture Decision Records)
│ └── [ADR-*.md]
│
├── 03-implementation/ ← IMPLEMENTATION GUIDES
│ └── [technical guides]
│
├── 04-testing/ ← TESTING (TES)
│ └── [TES-*.md] # Test strategies and plans
│
├── 05-operations/ ← OPERATIONS
│ ├── [runbooks]
│ └── incidents/ # Post-mortems (INC)
│ └── [INC-*.md]
│
├── 06-evolution/ ← EVOLUTION
│ └── technical-debt/ # Technical debt (TDE)
│ └── [TDE-*.md]
│
├── 07-ai-audit/ ← AI AGENT AUDIT
│ ├── agent-logs/ # Action logs (AILOG)
│ │ └── [AILOG-*.md]
│ ├── decisions/ # Agent decisions (AIDEC)
│ │ └── [AIDEC-*.md]
│ ├── ethical-reviews/ # Ethical reviews (ETH, DPIA, PIPIA*)
│ │ └── [ETH-*.md]
│ ├── regulatory-filings/ # CAC algorithm filings (CACFILE*)
│ │ └── [CACFILE-*.md]
│ └── risk-assessments/ # TC260 risk assessments (TC260RA*)
│ └── [TC260RA-*.md]
│
├── 08-security/ ← SECURITY ASSESSMENTS (SEC)
│ └── [SEC-*.md]
│
├── 09-ai-models/ ← AI MODEL CARDS (MCARD)
│ ├── [MCARD-*.md]
│ └── labeling/ # GB 45438 content labeling plans (AILABEL*)
│ └── [AILABEL-*.md]
│
├── charters/ ← CHARTERS — BOUNDED UNITS OF WORK
│ ├── [NN-slug.md] # Declarative ex-ante scope (filename: NN-slug.md, NOT TYPE-YYYY-...)
│ └── [NN-slug.telemetry.yaml] # Post-close telemetry (created by `straymark charter close`)
│
├── templates/ ← TEMPLATES (12 base + 4 China* + Charter)
* Only created when regional_scope: china is enabled in .straymark/config.yml.
│
└── QUICK-REFERENCE.md ← 1-page quick reference
| Situation | Document to load |
|---|---|
| Going to create an AILOG | .straymark/templates/TEMPLATE-AILOG.md |
| Going to create an AIDEC | .straymark/templates/TEMPLATE-AIDEC.md |
| Going to create an ADR | .straymark/templates/TEMPLATE-ADR.md |
| Going to create a REQ | .straymark/templates/TEMPLATE-REQ.md |
| Questions about naming or metadata | .straymark/00-governance/DOCUMENTATION-POLICY.md |
| Questions about autonomy limits | .straymark/00-governance/AGENT-RULES.md |
| Need to see existing requirements | List .straymark/01-requirements/ |
| Need to see existing ADRs | List .straymark/02-design/decisions/ |
| Need to see technical debt | List .straymark/06-evolution/technical-debt/ |
| Going to declare a Charter | .straymark/templates/charter/charter-template.md (or straymark charter new) |
| Need to see existing Charters | straymark charter list (or list .straymark/charters/) |
| SpecKit user — when does a feature yield a Charter? | .straymark/00-governance/SPECKIT-CHARTER-BRIDGE.md |
| Wondering why agents surface things you didn't ask | .straymark/00-governance/EMERGENT-OBSERVATION-DESIGN.md |
1. EVALUATE if the change requires documentation (see section 6)
|
v
2. LOAD the corresponding template (see section 11)
|
v
3. CREATE the document with correct naming
[TYPE]-[YYYY-MM-DD]-[NNN]-[description].md
|
v
4. If risk_level: high/critical or confidence: low
-> Mark review_required: true
| Prefix | Name | Location |
|---|---|---|
AILOG |
AI Action Log | .straymark/07-ai-audit/agent-logs/ |
AIDEC |
AI Decision | .straymark/07-ai-audit/decisions/ |
ETH |
Ethical Review | .straymark/07-ai-audit/ethical-reviews/ |
ADR |
Architecture Decision Record | .straymark/02-design/decisions/ |
REQ |
Requirement | .straymark/01-requirements/ |
TES |
Test Plan | .straymark/04-testing/ |
INC |
Incident Post-mortem | .straymark/05-operations/incidents/ |
TDE |
Technical Debt | .straymark/06-evolution/technical-debt/ |
SEC |
Security Assessment | .straymark/08-security/ |
MCARD |
Model/System Card | .straymark/09-ai-models/ |
SBOM |
Software Bill of Materials | .straymark/07-ai-audit/ |
DPIA |
Data Protection Impact Assessment | .straymark/07-ai-audit/ethical-reviews/ |
Charter |
Bounded unit of work (filename NN-slug.md, not TYPE-YYYY-…) |
.straymark/charters/ |
StrayMark is aligned with the following standards and regulations:
| Standard | Role in StrayMark | Key Documents |
|---|---|---|
| ISO/IEC 42001:2023 | Vertebral standard — AI Management System | AI-GOVERNANCE-POLICY.md |
| EU AI Act | Risk classification, incident reporting, transparency | ETH, INC, AILOG regulatory fields |
| NIST AI RMF / 600-1 | Risk management, 12 GenAI risk categories | ETH, AILOG |
| ISO/IEC 25010:2023 | Software quality model (9 characteristics) | REQ, ADR |
| ISO/IEC/IEEE 29148:2018 | Requirements engineering | REQ |
| ISO/IEC/IEEE 29119-3:2021 | Software testing documentation | TES |
| GDPR | Data protection and privacy | ETH (Data Privacy) |
| OpenTelemetry | Observability (optional, complementary) | Tag observabilidad |
| C4 Model | Architecture visualization in ADR documents | ADR (Mermaid diagrams) |
Reference: See
AI-GOVERNANCE-POLICY.mdfor the full ISO 42001 Annex A mapping to StrayMark documents.
A Charter is StrayMark's artifact for an implementation block that is too big to track as a single AILOG and too small to deserve its own product spec. It pairs declarative ex-ante scope (files to modify, risks, tasks, effort estimate) with ex-post telemetry (drift detection, external audit, lessons learned). Concretely: the kind of work that takes >1 day, spans >5 tasks, or crosses multiple sessions where an agent might lose the thread.
Charters are conceptually distinct from the 12+4 document types listed in section 13:
- They live at
.straymark/charters/NN-slug.md(sequential prefix, not date-prefix). - Their lifecycle is
declared→in-progress→closed, persisted in frontmatter as the source of truth. - Telemetry sits beside them as
NN-slug.telemetry.yaml, written bystraymark charter close. - External audits resolve to
.straymark/audits/CHARTER-NN/and merge back into telemetry.
Trigger row in section 6 names the heuristic; expanded:
- The work spans more than one working session and you need a stable scope contract you can drift-check at close.
- The work has 5+ named tasks with a topological order (e.g., a SpecKit
tasks.md). - The work warrants external audit at completion (cross-model review, cross-team review).
- You want measurable telemetry: time-to-close, drift count, lessons that feed forward.
| Stage | What happens | CLI |
|---|---|---|
| Declared | Operator scaffolds Charter, fills scope/files/risks/tasks. Status declared. |
straymark charter new |
| In progress | Operator flips status to in-progress when execution starts. Day-to-day work continues to produce AILOGs. |
(manual frontmatter edit) |
| Batch update (multi-batch only, fw-4.14.0+) | For Charters spanning 3+ batches or >1 day, the AILOG carries a ## Batch Ledger with one ### Batch N entry per batch starting as (pending). After each batch commit lands, fill the entry before pushing so the AILOG update and the work ride the same push. Single-batch Charters skip this step entirely. |
straymark charter batch-complete CHARTER-NN <N> |
| Drift check | Before closing, verify declared files vs. actual git diff. AILOG-suppressed paths are noise-filtered; pending ### Batch N entries cause a hard fail (--no-batch-ledger-check bypasses). |
straymark charter drift |
| External audit (optional) | Generate prompt → run N auditor CLIs → consolidate → merge into telemetry. | straymark charter audit + /straymark-audit-prompt + /straymark-audit-execute + /straymark-audit-review |
| Closed | Telemetry yaml emitted; status flips to closed; charter is now an audit artifact. |
straymark charter close |
- A Charter does not replace AILOGs. AILOGs document individual blocks of code work; the Charter wraps them as a unit.
originating_ailogs:in the Charter frontmatter declares which AILOGs the Charter contains. - A Charter does not replace ADRs. ADRs document architectural decisions; a Charter may reference them in
originating_specor in body sections. - A Charter bridges SpecKit features (
specs/NNN-feature/spec.md) and execution. See.straymark/00-governance/SPECKIT-CHARTER-BRIDGE.mdfor granularity heuristics and creation timing.
straymark charter new # scaffold a Charter (interactive)
straymark charter list # enumerate Charters with status/effort/origin
straymark charter status CHARTER-NN # detailed view of one Charter
straymark charter drift CHARTER-NN # file-vs-commit drift, AILOG-aware + Batch Ledger gate
straymark charter batch-complete CHARTER-NN <N> # fill AILOG `## Batch Ledger` Batch <N> (multi-batch only)
straymark charter audit CHARTER-NN # multi-model external audit (orchestration only)
straymark charter close CHARTER-NN # record telemetry; flip status to `closed`
straymark charter refresh-suggest <module> # SpecKit refresh recommendation (chain-level, fw-4.16.0+) — see §15.A
straymark charter amend CHARTER-NN # scaffold post-close Batch N.4 amendment (fw-4.16.0+) — see §15.BSchema:
.straymark/schemas/charter.schema.v0.json(declarative) and.straymark/schemas/charter-telemetry.schema.v0.json(telemetry). Both are experimental v0 — patterns crystallize after validation against a second domain (Principle #12).
Multi-Charter modules accumulate spec drift over time. After 3+ Charters in a chain, SpecKit artifacts (plan.md, data-model.md, contracts/*, quickstart.md, research.md) authored at chain start tend to lag behind the implementation. The fix is a dedicated refresh PR between Charter-N close and Charter-(N+1) declare that integrates accumulated learnings into research.md (categorized buckets: reusable patterns, code gaps, discipline patterns, empirical corrections) and ratifies operator decisions. The next Charter's ## Context cites each learning by id.
Trigger heuristic — adopt when (a) chain length ≥ 3 closed Charters in the module AND (b) rolling mean of agent_quality.r_n_plus_one_emergent_count across last 3 > 6 AND (c) no refresh PR landed since the chain's branch point. Run:
straymark charter refresh-suggest <module> # read-only — prints recommendationTelemetry — charter_telemetry.pre_declare_refresh: (optional, opt-in). See .straymark/00-governance/CHARTER-CHAIN-EVOLUTION.md Pattern 1 for full mechanics.
External audit cycles run post-close. When Critical or High findings arrive after a Charter has been marked status: closed, the bounded remediation pattern is a Batch N.4 amendment that rides on the same execute branch: a new AILOG documents the amendment, the original AILOG receives a ## Historical correction subsection pointing forward, and the telemetry gains a post_close_amendment: block. Apply only when (a) findings are Critical/High, (b) the Charter's closure criterion is materially unmet, AND (c) the fix surface fits in one cohesive PR (~< 25 files, no architectural reopen). Larger or architectural fixes warrant a new Charter.
straymark charter amend CHARTER-NN \ # scaffolds the new AILOG, edits the original, prints YAML
--trigger external_audit \
--findings-closed 5 \
--ailog-title "post-close remediation — DI wiring + retry"The command does not touch git — the operator decides when to commit. The straymark charter audit <id> --merge-reports --merge-into <telemetry-yaml> path tolerates external_audit: [] placeholders in v0.2+ schema so the round-trip with post_close_amendment is smooth. See .straymark/00-governance/CHARTER-CHAIN-EVOLUTION.md Pattern 2 for full mechanics.
StrayMark uses HTML comment markers to manage injected content in agent configuration files (AGENTS.md, CLAUDE.md, GEMINI.md, .github/copilot-instructions.md, .cursorrules, .cursor/rules/straymark.md):
<!-- straymark:begin -->
... managed content ...
<!-- straymark:end -->- Content between these markers is managed by
straymark init,update, andrepair - Do not remove or modify these markers manually — they are required for safe updates
- If markers are missing from a target file, StrayMark appends the content block at the end
- Missing-target behavior (refined in fw-4.16.2 / cli-3.14.1):
straymark init,straymark update-framework, andstraymark repairall walkdist-manifest.yml::injections:and create any missing target file (with the marker block) per individual target — a single deleted directive file likeAGENTS.mdis restored without needing to re-run init or remove anything else. There is no opt-out per target short of editing the manifest. (Historical note: throughcli-3.14.0/fw-4.16.1,straymark repairwas gated onSTRAYMARK.mdbeing absent and would silently skip a per-target restore; that gate was removed incli-3.14.1.) AGENTS.mdis the open standard donated to the Agentic AI Foundation (Linux Foundation, 2025) and is read by Claude Code, OpenAI Codex CLI, Cursor, Aider, Devin, Sourcegraph Amp, Google Jules, Zed AI, Continue, Roo Code, Factory Droids, GitHub Copilot, Gemini CLI, Windsurf, Amazon Q and others. CLI-specific files (CLAUDE.md,GEMINI.md, etc.) coexist withAGENTS.mdand provide platform-specific identity strings.
StrayMark | GitHub Strange Days Tech — Because every change tells a story.