fix(aios-master): flip default to delegation-first, remove "No restrictions" label #542

Open
vxavierr wants to merge 1 commit into SynkraAI:main from vxavierr:fix/aios-master-delegation-enforcement

@vxavierr vxavierr commented Mar 2, 2026

@nikolasdehor thank you for the analysis. You identified something I had missed: the contradiction was not only in agent-authority.md, it was three overlapping layers contradicting each other.

This PR implements PR 1 of the incremental approach you suggested: the two files, the most critical fixes. PR 2, with the 4 complete protocols, will follow.

What was done

Point 1: agent-authority.md, replacing the No restrictions line

The row `| Execute ANY task directly | No restrictions |` was replaced with a precise table that separates:

  • What @aios-master executes directly (framework ops, orchestration, meta-ops)
  • What it delegates by default (tasks with a mapped exclusive agent), with --force-execute as an explicit escape hatch
  • What is BLOCKED without exception (git push / gh pr)

I also added the per-task delegation table, which makes the expected behavior unambiguous for the LLM.

Point 2: aios-master.md, identity + core_principles[0]

You pointed out that core_principles[0] is the first behavioral instruction the LLM reads, so it is what defines the default, regardless of what comes after. I replaced it with MANDATORY PRE-EXECUTION CHECK as the first entry, ensuring that the delegation check happens before any execution.

The identity was updated to reflect the role of orchestrator, not universal executor.

Point 3: create-next-story removed from commands

I agree with the analysis: even with a [DELEGATE to @sm] note, the presence of the command in the listing can be read as authorization. I removed it completely and replaced it with a comment pointing to @sm *draft {epic-path}.

What is left for PR 2

The rename of handoff-protocol.md → delegation-protocol.md (or authority-enforcement.md) goes in PR 2, together with the 4 complete protocols. It makes more sense to rename when the file is introduced, not before.

Tested in production

This implementation has been running on our HUB for a few weeks. Reference: vxavierr/aios-hub@4084ec1

Closes #527

…tions label

Resolves the behavioral contradiction identified in issue SynkraAI#527.

Three conflicting instructions told @aios-master to execute directly:
1. agent-authority.md: 'Execute ANY task directly | No restrictions'
2. aios-master.md identity: 'Universal executor... executes any task directly'
3. core_principles[0]: 'Execute any resource directly without persona transformation'

The first core_principle is the first behavioral instruction the LLM reads —
it overrides any delegation rules that appear later in the file.

Changes:
- agent-authority.md: replace 'No restrictions' row with precise capability
  table. Separates what @aios-master executes directly (framework ops,
  orchestration, meta-ops) from what it delegates by default (tasks with a
  mapped exclusive agent). Adds explicit delegation table with --force-execute
  escape hatch. Adds hard BLOCK for git push / gh pr.
- aios-master.md: update identity to reflect orchestrator (not executor) role.
  Replace core_principles[0] with MANDATORY PRE-EXECUTION CHECK as the first
  behavioral instruction — ensuring delegation is always checked before any
  execution. Remove create-next-story from commands listing (it belongs
  exclusively to @sm; its presence, even with a note, can be read as
  authorization to execute).

Preserves --force-execute for workflow-engine mode and framework debugging.

Closes SynkraAI#527
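
The decision order the commit message describes (hard block first, delegation by default, `--force-execute` as the only override) can also be expressed as a deterministic check outside the prompt. The Python below is an added example, not code from aios-core or from the PR author; the function and variable names are hypothetical, and the task map contains only the delegated-task entries quoted elsewhere in this thread.

```python
# Added illustration, not aios-core code. Function and variable names are
# hypothetical; task files, agents and the flag are the ones quoted on this page.
import shlex
from dataclasses import dataclass
from typing import Optional

# Task -> exclusive agent, from the delegated-task entries quoted in this
# thread (the project's own table in agent-authority.md is not reproduced here).
EXCLUSIVE_OWNER = {
    "create-next-story.md": "@sm",
    "brownfield-create-epic.md": "@pm",
    "brownfield-create-story.md": "@pm",
    "facilitate-brainstorming-session.md": "@analyst",
    "generate-ai-frontend-prompt.md": "@architect",
    "create-suite.md": "@qa",
}
# Operations the PR blocks for @aios-master without exception.
HARD_BLOCKED = (("git", "push"), ("gh", "pr"))


@dataclass(frozen=True)
class Decision:
    action: str             # "execute", "delegate" or "block"
    target: Optional[str]   # agent to route to when action == "delegate"
    reason: str


def is_hard_blocked(shell_command: str) -> bool:
    # Leading-token match only; a real gate would sit at the tool-call layer.
    words = tuple(shlex.split(shell_command))
    return any(words[:len(prefix)] == prefix for prefix in HARD_BLOCKED)


def pre_execution_check(task: Optional[str], shell_command: str = "",
                        force_execute: bool = False) -> Decision:
    # 1. Hard block first, so --force-execute can never reach it.
    if shell_command and is_hard_blocked(shell_command):
        return Decision("block", None, "blocked operation, no override")
    owner = EXCLUSIVE_OWNER.get(task) if task else None
    # 2. Delegation is the default for any task with a mapped exclusive agent.
    if owner and not force_execute:
        return Decision("delegate", owner, f"{task} belongs to {owner}")
    # 3. Explicit override: allowed, but recorded as such for audit.
    if owner and force_execute:
        return Decision("execute", None, f"--force-execute override of {owner}")
    # 4. No exclusive owner mapped: framework op, run directly.
    return Decision("execute", None, "no exclusive agent mapped")
```

Evaluating the hard block before the override flag is what keeps `--force-execute` from widening into a general bypass.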

vercel bot commented Mar 2, 2026

@vxavierr is attempting to deploy a commit to the Pedro Valério Lopez's projects Team on Vercel.

A member of the Team first needs to authorize it.


coderabbitai bot commented Mar 2, 2026

Walkthrough

The pull request restructures @aios-master's authority model from universal direct execution to delegation-first orchestration. It removes the "No restrictions" capability statement, introduces mandatory pre-execution checks to verify exclusive agent authority before task execution, and narrows direct execution scope to framework operations only, delegating all other tasks to specialized agents.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Agent Identity & Core Governance: .aios-core/development/agents/aios-master.md | Updated identity statement to clarify master acts as orchestrator routing to specialized agents, not universal executor. Replaced core principles with mandatory pre-execution authority check and explicit delegation-first rule. Removed create-next-story command entry; added delegation notes redirecting to @sm and @pm. |
| Authority Rules & Delegation Mapping: .claude/rules/agent-authority.md | Replaced permissive "No restrictions" capability block with precise delegation table. Introduces delegation-by-default model with optional --force-execute override. Adds mapping table of tasks and their delegated assignees. Blocks critical operations (git push, PR actions) unconditionally. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • PR #29: Modifies the same @aios-master command surface file (.aios-core/development/agents/aios-master.md), restructuring command entries and formatting alongside these semantic changes.

Suggested labels

core, agents, documentation, workflows

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main change: flipping @aios-master's default behavior from direct execution to delegation-first, and removing the 'No restrictions' label that enabled unrestricted execution. |
| Linked Issues check | ✅ Passed | The PR implements the core requirements from #527: removing 'No restrictions' label, establishing a delegation-first default, implementing pre-execution checks, and preserving --force-execute override capability. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to addressing #527: updates to agent identity/principles, delegation rules, and command surface removal are all necessary to enforce the delegation-first model. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |


Contributor

@github-actions github-actions bot left a comment


Welcome to aios-core! Thanks for your first pull request.

What happens next?

  1. Automated checks will run on your PR
  2. A maintainer will review your changes
  3. Once approved, we'll merge your contribution!

PR Checklist:

Thanks for contributing!


@coderabbitai coderabbitai bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.aios-core/development/agents/aios-master.md (2)

399-401: ⚠️ Potential issue | 🔴 Critical

Critical contradiction undermines delegation-first model.

Line 399 states "All agents - Can execute any task from any agent directly," which directly contradicts the delegation-first behavior established in the identity (line 103: "Does NOT execute specialized agent tasks") and core principles (line 106: "DELEGATION IS THE DEFAULT"). This statement gives the model permission to bypass the mandatory pre-execution check and execute specialized tasks directly, defeating the entire PR objective.

🔧 Proposed fix to align with delegation-first model
 **I orchestrate:**
 
-- **All agents** - Can execute any task from any agent directly
+- **Framework operations** - Executes agents, tasks, workflows, IDS, and meta-operations directly
+- **Specialized tasks** - Routes to exclusive agents per agent-authority.md (override with --force-execute if needed)
 - **Framework development** - Creates and modifies agents, tasks, workflows (via `*create {type}`, `*modify {type}`)
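
Review bot: the added "Specialized tasks" bullet offers "override with --force-execute if needed" without saying that the operations this PR blocks unconditionally (git push / gh pr) are not overridable, so the section can be read as if the flag lifted every restriction; suggest adding that blocked operations have no override. The added "Framework operations" bullet also opens with "Executes agents, tasks, workflows", which keeps broad "executes ... tasks" wording in the same spot as the removed line; scoping it explicitly to framework-level tasks would avoid reintroducing the reading the PR is trying to remove.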
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.aios-core/development/agents/aios-master.md around lines 399 - 401, The
bullet "All agents - Can execute any task from any agent directly" contradicts
the delegation-first model; update that bullet so it explicitly forbids direct
execution of specialized agent tasks and requires delegation and the
pre-execution check instead. Replace or reword the "All agents" line to state
agents must delegate specialized tasks to the appropriate specialized agent and
follow the existing identity rule "Does NOT execute specialized agent tasks" and
the core principle "DELEGATION IS THE DEFAULT" (retain the "Framework
development" line as-is if still accurate). Ensure the new text enforces the
mandatory pre-execution check and does not grant blanket execution permissions.

302-308: ⚠️ Potential issue | 🟡 Minor

Add create-next-story.md to delegated tasks comment for consistency.

The delegated tasks comment lists tasks that are delegated but omits create-next-story.md, which is in the delegation table (agent-authority.md line 84) as delegating to @sm. For consistency and clarity, it should be included in this comment.

📝 Proposed fix to include missing delegated task
   # Delegated tasks (Story 6.1.2.3):
+  #   create-next-story.md → `@sm`
   #   brownfield-create-epic.md → `@pm`
   #   brownfield-create-story.md → `@pm`
   #   facilitate-brainstorming-session.md → `@analyst`
   #   generate-ai-frontend-prompt.md → `@architect`
   #   create-suite.md → `@qa`
   #   learn-patterns.md → merged into analyze-framework.md
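
Review bot: the added `create-next-story.md → @sm` line makes this comment a second hand-maintained copy of the delegation table in agent-authority.md, and the finding itself exists because the two copies drifted apart. Suggest adding a pointer in the comment header to agent-authority.md as the authoritative mapping, so a future table change does not leave this list stale again.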
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.aios-core/development/agents/aios-master.md around lines 302 - 308, The
"Delegated tasks (Story 6.1.2.3)" comment in aios-master.md is missing the
delegated task create-next-story.md; update that comment list to include the
entry "create-next-story.md → `@sm`" so it matches the delegation table (the
create-next-story.md delegation to `@sm`) and ensure formatting/ordering is
consistent with the existing entries like brownfield-create-epic.md → `@pm` and
facilitate-brainstorming-session.md → `@analyst`.

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 41aa9a9 and 3d3e792.

📒 Files selected for processing (2)
  • .aios-core/development/agents/aios-master.md
  • .claude/rules/agent-authority.md

Author

vxavierr commented Mar 2, 2026

Closing for internal review before resubmitting.

@vxavierr vxavierr closed this Mar 2, 2026
@vxavierr vxavierr reopened this Mar 2, 2026
Contributor

@nikolasdehor nikolasdehor left a comment


Review — PR #542: flip default to delegation-first

@vxavierr, excellent implementation. This PR surgically resolves the 3 points I identified in issue #527, and does so in the cleanest way possible for an incremental PR 1.

What is correct

1. agent-authority.md: replacing the "No restrictions" table

The new capabilities table is precise and unambiguous. The separation into 3 categories (executes directly / delegates by default / blocked) is exactly what an LLM needs to make the right decision. The --force-execute as an explicit escape hatch preserves @aios-master's capability without leaving room for ambiguous interpretation.

The per-task delegation table (9 entries) eliminates any ambiguity: the LLM does not need to infer who the correct agent is, it is mapped explicitly.

2. aios-master.md: identity + core_principles[0]

Exactly the right fix. core_principles[0] as "MANDATORY PRE-EXECUTION CHECK" ensures that the first behavioral instruction the LLM reads is "check before executing", not "execute directly". The identity updated to "Master orchestrator who routes..." reinforces the correct frame from the first read.

3. Removal of create-next-story from commands

I agree 100%. Replacing it with a comment # NOTE: Story creation is @sm's exclusive domain is the right approach: it removes the ambiguity without losing the documentation.

Point of attention (outside the diff, for PR 2)

CodeRabbit identified that at line ~399 of aios-master.md, the "I orchestrate" section still contains:

- **All agents** - Can execute any task from any agent directly

This contradicts the delegation-first model established in this PR. I understand it is outside the scope of this diff (minimal PR 1), but it is important that PR 2 fixes this line; otherwise the LLM keeps receiving a conflicting instruction in the orchestration section.

Also, the delegated tasks comment (lines ~302-308) should include create-next-story.md → @sm for consistency with the agent-authority.md table. Lower priority, but good to align in PR 2.

Verdict

The PR is correct, well scoped, and resolves the most critical problem in issue #527. The incremental approach (minimal PR 1 + full-protocol PR 2) is the right one. LGTM.

APPROVE

@Pedrovaleriolopez
Contributor

DevOps Review — @devops (Gage)

Verdict: APPROVED. Ready to merge when reopened

Point for PR 2: Line ~399 "All agents - Can execute any task directly" contradicts delegation-first.
Blocker: The author commented "Closing for internal review"; awaiting resubmission.

Gage — Repository Guardian


Development

Successfully merging this pull request may close these issues.

@aios-master executes exclusive tasks directly instead of delegating — "No restrictions" label causes enforcement gap

3 participants