From 7c0e4382ae70c393b1055c5ae0a7eb719e78ca2a Mon Sep 17 00:00:00 2001
From: Scott McCarty
Date: Sun, 15 Mar 2026 17:43:01 -0400
Subject: [PATCH 1/2] Add Gemini Code Assist styleguide from constitution

---
 .gemini/styleguide.md | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 .gemini/styleguide.md

diff --git a/.gemini/styleguide.md b/.gemini/styleguide.md
new file mode 100644
index 0000000..4607e08
--- /dev/null
+++ b/.gemini/styleguide.md
@@ -0,0 +1,28 @@
+# CrunchTools Autonomous Agent Code Review Standards
+
+## Trust Boundary
+- P-Agent (privileged) and Q-Agent (quarantined) MUST be separated
+- P-Agent MUST NOT process raw untrusted content directly
+- Q-Agent MUST NOT hold credentials or make tool calls
+- Trust boundary enforced by deterministic software, NEVER by another LLM
+
+## MCP Server Governance
+- Only allowlisted MCP servers — no runtime discovery
+- Every server scored on the 8-dimension scorecard (minimum B/15 for production)
+- All tools classified by risk tier: read-only, write, system, network
+
+## Runtime Security
+- Circuit breakers required: max tool calls, token budget, repeated invocations, conversation depth
+- Rate limiting per-tool, per-server, and global
+- Audit logging as structured JSON — no credentials in logs
+- Dead man's switch: pause if no human input within configured window
+
+## Container Security
+- Rootless execution, read-only root filesystem
+- SELinux enforcing (`:Z` mounts)
+- No host network, dropped capabilities
+- All dependencies pinned to exact versions
+
+## Versioning
+- Semantic Versioning 2.0.0
+- AI-assisted commits MUST include `Co-Authored-By` trailer

From 6e48ea921174996914a1d1cb402c6a2b56a6ac56 Mon Sep 17 00:00:00 2001
From: Scott McCarty
Date: Sun, 15 Mar 2026 17:43:02 -0400
Subject: [PATCH 2/2] Add Gemini Code Assist config

---
 .gemini/config.yaml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .gemini/config.yaml
diff --git a/.gemini/config.yaml b/.gemini/config.yaml
new file mode 100644
index 0000000..bc55c07
--- /dev/null
+++ b/.gemini/config.yaml
@@ -0,0 +1,5 @@
+ignore_patterns:
+ - "vendor/**"
+ - "*.min.js"
+ - ".gourmand-cache/**"
+ - "*.lock"
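Review bot: Listing `*.lock` and `vendor/**` under `ignore_patterns` takes out of review exactly the files where the styleguide's "All dependencies pinned to exact versions" rule from PATCH 1/2 is observable, so a lockfile or vendored-package change would never be checked against it. If the goal is only to cut noise from generated content, consider keeping lockfiles in scope, or record the trade-off in the file so the gap is deliberate, e.g. `# *.lock and vendor/** are excluded from LLM review; dependency pinning must be verified by a deterministic CI check`. I cannot tell from this hunk whether patterns are matched against the full path or only the basename, so whether `*.min.js` covers nested minified files is worth confirming against the Gemini Code Assist documentation.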