[feature] Agent Proxy: Just-In-Time Semantic Policy Injection

[paudley]

Pre-flight

• I searched existing issues first.

Problem statement

Currently, loading all the SKILL.md and policy files into the system prompt incurs a heavy upfront token tax. The agent receives hundreds of rules for Python ASTs, Git workflows, and formatting, even if the current task only involves writing a simple Markdown file.

Proposed solution

Implement Semantic Policy Injection in the proxy. The system prompt should remain lean. The proxy should detect the agent's intent based on the tool calls it issues, and inject rules "Just-In-Time".

If a git commit tool is called -> Inject safe-git-workflow rules.

If a Python file is opened -> Inject Python AST policies.

Examples or prior art

OpenWolf utilizes a cerebrum.md approach to dynamically feed project-specific conventions to the agent only exactly when relevant.

Alternatives considered

Standard RAG systems querying a documentation vector database, but this risks injecting poorly aligned or hallucinated policy fragments compared to exact, rule-based trigger injection.

Additional context

This requires the proxy to have a robust pattern-matching or intent-detection mechanism on incoming AGENT_API tool requests.

[paudley]

Stage 1 plan for #56.

Issue summary:

• Implement the first just-in-time semantic policy injection slice for Agent Proxy/hook intent detection.
• Keep startup context lean by emitting compact, exact policy/skill pointers only when incoming tool calls show matching intent.

Workspace:

• Worktree: /home/paudley/Active/gmeow/coding-ethos/.worktrees/paudley-56-agent-proxy-jit-semantic-policy-injection
• Branch: paudley/56-agent-proxy-jit-semantic-policy-injection

Implementation scope:

• Add a PreToolUse semantic injection path in the hook runtime.
• Trigger safe-git-workflow guidance only for mutating Git intents such as policy-git commit, while keeping read-only Git inspection quiet.
• Trigger compact Python static-analysis guidance for file-target tool calls naming .py files.
• Render auditable TOON context with trigger, reason, skill id, policy scope, and next action.
• Document provider capability limits, especially providers that do not surface allowed PreToolUse context.

Validation gates:

• Focused Go tests for semantic policy injection and provider encoding.
• go test -buildvcs=false ./internal/hooks.
• make build because hook runtime behavior changes.
• make check and bin/coding-ethos-run policy-git diff --check before commit.

Commit/PR:

• Commit through bin/coding-ethos-run policy-git only.
• Push and open a plain project-scoped PR with Closes #56 if validation and policy hooks pass.

[paudley]

Stage 1 implementation is published.

PR: #261
Branch: paudley/56-agent-proxy-jit-semantic-policy-injection
Commit: c6db516 feat(proxy): add semantic policy injection

Implemented:

• deterministic PreToolUse semantic policy injection for mutating Git intents and Python file targets
• quiet read-only Git inspection behavior
• advisory hook-output composition so session-start context advice remains visible
• README.md and docs/AGENT_PROXY.md documentation for the JIT injection slice

Validation:

• go test -buildvcs=false ./go/internal/hooks -run 'TestRun(InjectsSemanticPolicyForGitMutation|SkipsSemanticPolicyForReadOnlyGitInspection|InjectsSemanticPolicyForPythonFileTarget)|TestEncodeGeminiSemanticPolicyInjection' -count=1 -v
• go test -buildvcs=false ./go/internal/hooks -run TestRunInjectsContextAdviceOnSessionStartWhenThresholdCrossed -count=1 -v
• bin/coding-ethos-run policy-tool golangci-lint ./go/internal/hooks/...
• make build
• make check (passed; existing non-blocking testing.go_coverage_goal warning remains)
• bin/coding-ethos-run policy-git diff --check

Next: wait five minutes, then run Stage 2 feedback/check analysis on PR #261.

[paudley]

Stage 2 remediation for PR #261 is pushed.

PR: #261
Commit: 4adf67b fix(proxy): handle semantic policy review feedback

Feedback addressed:

• Gemini/CodeRabbit global Git option detection: shellCommandMutatesGit now finds the Git subcommand after leading global options such as -C, -c, --git-dir, and --work-tree, with direct detector coverage for git, policy-git, and coding-ethos-git forms.
• Gemini allocation feedback: mergeAdvisoryHookOutputs now allocates the merged output directly instead of taking the address of a block-local copy.
• CodeRabbit JSON test feedback: TestEncodeGeminiSemanticPolicyInjection now decodes provider output as JSON and asserts structured fields before checking injected context.

Validation:

• go test -buildvcs=false ./go/internal/hooks -run "TestShellCommandMutatesGitSkipsGlobalOptions|TestRun(InjectsSemanticPolicyForGitMutation|InjectsSemanticPolicyForGitMutationWithGlobalOptions|SkipsSemanticPolicyForReadOnlyGitInspection|SkipsSemanticPolicyForReadOnlyGitInspectionWithGlobalOptions|InjectsSemanticPolicyForPythonFileTarget|InjectsContextAdviceOnSessionStartWhenThresholdCrossed)|TestEncodeGeminiSemanticPolicyInjection" -count=1 -v
• bin/coding-ethos-run policy-tool golangci-lint ./go/internal/hooks/...
• make build
• make check (passed; existing non-blocking testing.go_coverage_goal warning remains)
• bin/coding-ethos-run policy-git diff --check

Current status:

• The old review threads remain unresolved in GitHub until reviewer state refreshes.
• CodeRabbit reported a review rate limit on the new commit, so its prior CHANGES_REQUESTED review may remain sticky even though the requested changes are addressed.

[paudley]

Stage 2 final status for PR #261.

Pushed commits:

• c6db516 feat(proxy): add semantic policy injection
• 4adf67b fix(proxy): handle semantic policy review feedback

Validation and CI:

• Local make build passed.
• Local make check passed with the existing non-blocking testing.go_coverage_goal warning.
• Managed golangci for ./go/internal/hooks/... passed.
• GitHub checks are passing, including Unified lint, Go coverage, SARIF gate, Python 3.11/3.13, CodeQL, OSV, Scorecard, Zizmor, and CLA.
• CodeRabbit check is passing and reports review approved after the remediation commit.

Merge status:

• Direct squash merge was refused by base branch policy.
• Squash auto-merge is enabled for PR Add semantic policy injection #261.
• Remaining blocker is required review: GitHub reports reviewDecision: REVIEW_REQUIRED and mergeStateStatus: BLOCKED.

No admin override was used.