feat: introduce ai-rel tag grammar for richer agent relationships

[maximelb]

Summary

• Introduces a new canonical tag vocabulary on every ai_agent / dr-general hive record: ai-rel:<scope>:<verb>:<kind>:<id>.
• All 79 existing hive yaml files in ai-teams/ and ai-agents/ are migrated to carry the canonical equivalents of their current ai-team: / ai-agent: tags. Legacy tags remain in place so older consumers (e.g. the main webapp graph) continue to work.
• Documents the new grammar in marketplace/plugins/lc-advanced-skills/skills/lc-deployer/SKILL.md (full verb reference, worked example, legacy → canonical mapping, authoring guidance, reconstruction recipe). Multi-SOC merge/strip procedures updated to scope by both tag families.
• Adds a header comment block to ai_catalogue.yaml pointing readers at the grammar reference.

Why

ai-team:… could express agent membership and agent-to-agent hand-off. That's it. There was no way to say "this agent reads from output X" or "this agent depends on secret Y" or "this agent triggers on case tag Z" in a structured, machine-readable form — so anything beyond the hand-off graph was invisible to any consumer that reads tags off live records.

ai-rel: generalizes the scheme so any relationship an agent has with any other entity in the org can be declared as a single tag. The grammar is:

ai-rel:<scope>:<verb>:<kind>:<id>

Segment	Values
<scope>	team name (tiered-soc, intel-team, …), standalone for ungrouped agents, global for cross-scope refs (secrets, extensions)
<verb>	role, sends-to, reads-from, writes-to, triggers-on, depends-on, enriches
<kind>	agent, sensor, adapter, output, rule, hive, secret, case-tag, extension, team
<id>	entity-specific — role name for agents, secret name for secrets, case tag string for case-tags, etc. Sensors accept selector form (plat:windows) or literal SIDs.

Worked example — tiered-soc/l2-analyst:

- ai-rel:tiered-soc:role:agent:l2-analyst
- ai-rel:tiered-soc:sends-to:agent:containment
- ai-rel:tiered-soc:sends-to:agent:threat-hunter
- ai-rel:tiered-soc:sends-to:agent:malware-analyst
- ai-rel:global:depends-on:secret:soc-l2-analyst

Migration approach

• Mechanical: for each hive yaml, append the canonical equivalent of every legacy tag already present, in place. Idempotent. No existing tags are removed.
• No deployer/sync code exists today (tags are hand-authored in yaml and pushed via limacharlie sync push), so the only thing to update is the yaml + the authoring documentation.
• Older consumers that still read ai-team: / ai-agent: keep working because those tags are untouched. New consumers should read ai-rel: and fall back only when none are present.

Test plan

• Read through the updated SKILL.md "Tag Convention" section; verify the grammar, verb table, and mapping are internally consistent.
• Spot-check a few hive yaml files to confirm old + new tag sets both present and indent is preserved: git show HEAD -- ai-teams/tiered-soc/l2-analyst/hives/ai_agent.yaml, ai-agents/analyst/general-analyst/hives/ai_agent.yaml, ai-teams/bas-team/bas-executor/hives/ai_agent.yaml.
• Push a representative SOC to a test org with limacharlie sync push --hive-ai-agent --hive-dr-general and confirm the pushed records carry both tag families.
• Build a throwaway consumer that parses ai-rel: tags and rebuilds the hand-off graph; confirm it matches the graph reconstructed from legacy ai-team:sends-to: tags.

🤖 Generated with Claude Code