# Copilot Instructions — CoM Virtual Enterprise

## Project Context

This is the `.claude/` admin node configuration for **CoM Solutions**, a cybersecurity startup building Syn_OS (sovereign AI-assisted Cognitive Hyper-OS).
This repo configures a 20-agent AI orchestration system across 6 pods, managed by Claude Code (Opus 4.6) as CADevO (Chief Agent Development Officer).

**Owner:** Ty CoM — Founder, SNHU cybersecurity student, SBIR defense track.

## Architecture

- **4 AI tools orchestrated:** Claude Code (architect), Kilo Code (bulk tasks), GitHub Copilot (inline completions), Gemini (knowledge curation)
- **20 agents** in 6 pods: Dev-Security, Publishing, Game Design, Admin, Advisory, Command
- **52 slash-command skills** spanning dev, security, publishing, ops, game design
- **13 MCP servers** for external tool integration
- **Constitutional governance** with Busytown/Rapture alignment axis

## Coding Standards

- **Shell scripts:** POSIX-compatible Bash. Use `set -euo pipefail`. Quote all variables. Use shellcheck-clean patterns.
- **Python:** Type hints on all functions. Use pathlib over os.path. Prefer dataclasses or Pydantic models.
- **Rust (Syn_OS):** Follow Rust 2021 edition. Use `clippy::pedantic`. No `unsafe` without documented justification and Aegis audit.
- **JSON configs:** Use 2-space indentation. Include `$schema` references where applicable.
- **Markdown:** ATX headings, one sentence per line for diffs, reference links at bottom.

## Security Requirements

- **Never commit secrets.** All tokens, API keys, credentials go in `.env` files or environment variables, never in tracked files.
- **Pre-commit validation:** All Bash commands are pattern-matched against destructive operations (rm -rf /, format, registry deletion, pipe-to-shell).
- **4-layer defense:** Permission deny list → PreToolUse hook → Haiku prompt guard → PostToolUse scan.
- **Destructive operations always require confirmation.** No force-push, no --no-verify, no chmod 777.
- **Supply chain:** All dependencies must be audited. Use `cargo deny` for Rust, `pip-audit` for Python, `npm audit` for Node.

## File Organization

```
.claude/
├── CLAUDE.md        # Master config (loaded every session)
├── HEARTBEAT.md     # Scheduled tasks and n8n workflows
├── settings.json    # MCP servers, permissions, hooks
├── a2a/             # Agent-to-Agent governance
├── agents/          # 20 agent personality files
├── skills/          # 52 slash-command skills
├── hooks/           # 3 execution safety hook scripts
├── rules/           # Context-sensitive governance rules
├── scripts/         # Automation templates
└── projects/        # Per-project memory and context
```

## Commit Conventions

- Use Conventional Commits: `type(scope): description`
- Types: `feat`, `fix`, `security`, `docs`, `refactor`, `test`, `ci`, `chore`
- Scopes: `agents`, `skills`, `hooks`, `rules`, `a2a`, `mcp`, `workflows`
- Always run secret scanning before commit (part of `/save` skill)
- Sign commits with GPG when available

## Testing

- Shell hooks: Test with mock inputs before deploying to production hooks
- Agent configs: Validate JSON schema compliance
- Skills: Each skill must have a README.md with usage examples
- Security hooks: Must pass all patterns in the deny list without false positives

## PR Workflow

- All PRs require the security checklist in the PR template
- Destructive changes (hooks, rules, settings.json) require manual review
- Agent personality changes should note shadow integration implications
- Dependency updates must include audit results

## Key Conventions

- Hardware constraint: node (/) — max 3 concurrent agents
- Prefer `cargo check` over `cargo build` to conserve resources
- CLI-first: Never suggest GUI steps. Use Parrot WSL for system tasks.
- Direct action over explanation. Run it, then report.
- Short responses. Outcome + next steps only.
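
The Bash pattern matching listed under Security Requirements, together with the mock-input and false-positive checks listed under Testing, shown as an added example that is not this repository's hook script.
The rule names, the regexes and the sample commands are assumptions, and only some of the listed operations are covered.

```shell
#!/usr/bin/env bash
# Added example, not this repository's hook script; rules and samples are assumptions.
set -eu
if (set -o pipefail) 2>/dev/null; then set -o pipefail; fi  # where the shell supports it

# check NAME REGEX COMMAND: print NAME and succeed when COMMAND matches REGEX.
check() {
  if printf '%s\n' "$3" | grep -Eq -- "$2"; then
    printf '%s\n' "$1"
    return 0
  fi
  return 1
}

# Print the first deny rule matching the command in $1; return 1 when none match.
match_deny_rule() {
  check rm-root '(^|[;&|[:space:]])rm[[:space:]]+-[[:alpha:]]*[rR][[:alpha:]]*[[:space:]]+/([[:space:]]|$)' "$1" && return 0
  check pipe-to-shell '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh([[:space:]]|$)' "$1" && return 0
  check force-push 'git[[:space:]]+push([[:space:]].*)?[[:space:]](--force|-f)([[:space:]]|$)' "$1" && return 0
  check no-verify '(^|[[:space:]])--no-verify([[:space:]]|$)' "$1" && return 0
  check chmod-777 'chmod[[:space:]]+(-[[:alpha:]]+[[:space:]]+)*0?777([[:space:]]|$)' "$1" && return 0
  return 1
}

# expect WANT COMMAND: WANT is a rule name or "allow"; returns 1 on mismatch.
expect() {
  got=$(match_deny_rule "$2") || got=allow
  [ "$got" = "$1" ] && return 0
  printf 'MISMATCH want=%s got=%s cmd=%s\n' "$1" "$got" "$2" >&2
  return 1
}

# Constructed mock inputs: each rule once, plus look-alikes that must stay allowed.
run_mock_suite() {
  failures=0
  expect rm-root       'rm -rf /'                                                || failures=$((failures + 1))
  expect allow         'rm -rf ./target'                                         || failures=$((failures + 1))
  expect pipe-to-shell 'curl -fsSL https://example.invalid/install.sh | bash'    || failures=$((failures + 1))
  expect allow         'curl -fsSL https://example.invalid/pkg.tgz | sha256sum'  || failures=$((failures + 1))
  expect force-push    'git push --force origin main'                            || failures=$((failures + 1))
  expect allow         'git push origin docs/force-push-policy'                  || failures=$((failures + 1))
  expect no-verify     'git commit --no-verify -m wip'                           || failures=$((failures + 1))
  expect chmod-777     'chmod -R 777 /srv/app'                                   || failures=$((failures + 1))
  expect allow         'chmod 755 deploy.sh'                                     || failures=$((failures + 1))
  return "$failures"
}

run_mock_suite && printf 'all mock inputs classified as expected\n'
```

Each blocked sample is paired with a near miss, so a regex change that starts flagging ordinary commands fails the suite before it reaches a production hook.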