ADLC Governance Framework for xOps
The ADLC framework provides constitutional governance for the xOps project. 1 human-in-the-loop (HITL) manager oversees 9 AI agents through a 6-phase lifecycle.
Framework Components
| Component | Count | Purpose |
|---|---|---|
| Constitutional Agents | 9 | AI coordination — PO, CA, MEE, IE, QAE, SCE, OE, FDE, KE |
| Core Commands | 62 | Slash command automation across 15 categories |
| Core Skills | 20 | Domain knowledge capability packages |
| Governance Hooks | 12 | Deterministic tool-call gates |
| Memory Sources | 3 | CLAUDE.md + MEMORY.md + constitution.md |
| MCP Integrations | 58 | External system connections |
6-Phase Lifecycle
PLAN — Autonomous
HITL Role: Provide strategic direction
Agents: PO (Requirements + WSJF), CA (Architecture ADR)
Commands: /speckit.specify, /speckit.plan, /speckit.clarify
Skills: validation/invest-quality-gates, architecture/kiss-5s-audit
Hooks: remind-coordination, detect-nato-violation
MCP Servers: github, atlassian, filesystem
Output: ADRs + INVEST stories + gap analysis
Business Value: HITL gives strategic direction. PO decomposes into user stories. CA designs architecture. Zero HITL time on implementation details.
BUILD — Autonomous
HITL Role: Review code output
Agents: IE (IaC + modules), FDE (UI + docs), MEE (MCP + skills), KE (K3S + GitOps Stream 2)
Commands: /terraform:synth, /cdk:synth, /documentation:diagrams
Skills: terraform/terraform-patterns, cdk/building-cdk-stacks, development/local-first-docker
Hooks: enforce-specialist-delegation, enforce-container-first
MCP Servers: github, filesystem, terraform
Output: Working code + IaC modules + tests
Business Value: Specialists execute in parallel. Hooks enforce quality. HITL reviews output, not process.
TEST — HITL Approval Required
HITL Role: Approve evidence package
Agents: QAE (3-tier testing), SCE (SAST + compliance)
Commands: /terraform:test, /security:sast, /documentation:validate
Skills: testing/e2e-testing, testing/functional-testing, security/devsecops-scanning
Hooks: detect-nato-violation, block-sensitive-files
Output: Test reports + security scans in tmp/
Business Value: QA runs 3-tier tests (static → unit → E2E). Security scans for OWASP. Evidence-based — screenshots, not claims.
DEPLOY — HITL Approval Required (SNS Gate)
HITL Role: SNS Approve (1 approval per stack)
Agents: IE (terraform apply), CA (Well-Architected review)
Commands: /terraform:cost, /terraform:serverless, /screenshot
Skills: terraform/aws-sandbox-testing, architecture/provider-abstraction
Hooks: validate-bash, enforce-container-first
MCP Servers: aws, github, terraform
Output: terraform apply + health checks
Business Value: 1 SNS approval for the entire stack. checkov, trivy and infracost run as automatic gates. HITL approves once; agents execute.
MONITOR — HITL Approval Required
HITL Role: Review SLO compliance
Agents: OE (MELT telemetry), CA (SLO review)
Commands: /dashboards:validate, /finops:metrics, /finops:analyze
Skills: observability/agentops, dashboards/dashboard-observability, finops/quality-gates
Output: SLO dashboards + MELT telemetry
Business Value: Observability agent establishes baselines. FinOps tracks cost. HITL reviews SLO compliance — no manual monitoring.
OPERATE — HITL Escalation Only
HITL Role: Escalation only (not routine operations)
Agents: PO (Retrospective), CA (Architecture review), IE (Runbook execution)
Commands: /finops:report, /speckit.retrospective, /finops:aws-monthly
Skills: finops/executive-reporting, finops/cross-cloud-analysis, operational-excellence
Output: FinOps chargeback + runbooks + retrospectives
Business Value: Steady-state — agents handle routine ops. HITL intervenes on escalation only. Retrospectives feed continuous improvement.
Governance Rules
22 Deterministic Hooks
Hooks enforce governance at the tool-call level — no agent can bypass them:
| Hook | Blocks |
|---|---|
| enforce-coordination.sh | Specialist work without PO+CA approval |
| validate-bash.sh | Git mutations, GitHub API tree operations |
| detect-nato-violation.sh | Claims without evidence paths |
| enforce-specialist-delegation.sh | Raw Edit/Write without specialist Task |
| enforce-container-first.sh | tflint/checkov/terraform on host instead of container |
| detect-hardcoded-env-data.sh | Account IDs, org IDs in product docs |
| validate-docs-sync.sh | Overwriting hand-curated doc content |
| validate-rescore-freshness.sh | Re-scoring unchanged artifacts |
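As an added illustration of a deterministic tool-call gate (example code written for this page, not the project's own validate-bash.sh): a POSIX shell hook that classifies a proposed Bash command and blocks the two categories the table lists for validate-bash.sh, git mutations and GitHub API tree/ref operations. It assumes the Claude Code hook convention that the page does not spell out (the tool call arrives as JSON on stdin with `tool_name` and `tool_input.command`, and exit status 2 blocks the call with stderr returned to the agent) and that `jq` is available in the hook container; the classifier functions need only sh and awk. The file name `validate-bash-example.sh`, the subcommand lists and the sample commands are the example's own choices.

```shell
#!/bin/sh
# validate-bash-example.sh -- added example of a deterministic tool-call gate.
# Assumption (not from the page): invoked as a Claude Code PreToolUse hook with
# {"tool_name":"Bash","tool_input":{"command":"..."}} on stdin; exit 2 blocks.

# Classify ONE shell segment (no &&, ||, ; or | inside it).
# Prints "BLOCK <reason>" or "ALLOW"; always returns 0.
classify_segment() {
  set -f                      # no globbing while the segment is word-split
  set -- $1
  set +f
  # skip leading VAR=value prefixes, e.g. GIT_TRACE=1 git push
  while [ $# -gt 0 ]; do
    case $1 in *=*) shift ;; *) break ;; esac
  done
  [ $# -eq 0 ] && { echo ALLOW; return 0; }
  case $1 in
    git)
      shift
      # skip git global options; -C and -c consume a following argument
      while [ $# -gt 0 ]; do
        case $1 in
          -C|-c) shift; [ $# -gt 0 ] && shift ;;
          -*) shift ;;
          *) break ;;
        esac
      done
      sub=${1:-}
      [ $# -gt 0 ] && shift
      case $sub in
        push|commit|rebase|reset|merge|checkout|switch|cherry-pick|revert|\
        rm|mv|am|apply|clean|filter-branch|pull|restore)
          echo "BLOCK git $sub mutates repository state"; return 0 ;;
        branch|tag|stash)
          # list/show forms are read-only; anything else creates or deletes
          case ${1:-} in
            ""|-l|--list|-a|-r|-v|-vv|--show-current|list|show) echo ALLOW ;;
            *) echo "BLOCK git $sub $1 creates or deletes refs or stashes" ;;
          esac
          return 0 ;;
        *) echo ALLOW; return 0 ;;
      esac ;;
    gh)
      # GitHub CLI: block tree/ref/commit endpoints and any non-GET method
      [ "${2:-}" = api ] || { echo ALLOW; return 0; }
      shift 2
      while [ $# -gt 0 ]; do
        case $1 in
          */git/trees*|*/git/refs*|*/git/commits*)
            echo "BLOCK gh api on $1 (tree/ref write surface)"; return 0 ;;
          -X|--method)
            case ${2:-GET} in
              GET|get) ;;
              *) echo "BLOCK gh api ${2} is a mutating method"; return 0 ;;
            esac
            shift ;;
        esac
        shift
      done
      echo ALLOW; return 0 ;;
    *) echo ALLOW; return 0 ;;
  esac
}

# Classify a whole command line: split on && || ; and |, check every
# segment, print the first BLOCK verdict or ALLOW; always returns 0.
classify_command() {
  verdict=$(printf '%s\n' "$1" | awk '{ gsub(/&&|\|\||;|\|/, "\n"); print }' |
    while IFS= read -r seg; do
      v=$(classify_segment "$seg")
      case $v in BLOCK*) echo "$v"; break ;; esac
    done)
  echo "${verdict:-ALLOW}"
}

# Hook entrypoint: read the tool-call JSON from stdin and gate it.
# jq is assumed to be present in the hook container.
hook_main() {
  input=$(cat)
  tool=$(printf '%s' "$input" | jq -r '.tool_name // empty')
  [ "$tool" = Bash ] || exit 0           # only Bash tool calls are gated here
  cmd=$(printf '%s' "$input" | jq -r '.tool_input.command // empty')
  verdict=$(classify_command "$cmd")
  case $verdict in
    BLOCK*) echo "validate-bash: blocked: ${verdict#BLOCK }" >&2; exit 2 ;;
  esac
  exit 0
}

# Run the gate only when executed under the hook's own file name, so the
# classifier functions can be sourced or loaded by a test without reading stdin.
case ${0##*/} in validate-bash-example.sh) hook_main ;; esac
```

Every segment of a chained command is checked, so `git status && git push` is blocked even though it opens with a read-only call, and `GIT_TRACE=1 git -C /srv/repo push` is still recognised as a push because environment prefixes and git's global options are skipped before the subcommand is read. The verdict comes from a fixed list rather than from the agent's stated intent, which is what makes the gate deterministic.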
65 Anti-Patterns
Tracked and enforced via the rules layer. Key patterns for xOps:
- NATO_VIOLATION — claims without evidence paths
- READONLY_HITL_HANDOFF — handing READONLY queries to HITL instead of executing
- STANDALONE_EXECUTION — specialist work without PO+CA coordination
- TESTING_THEATER — tests that don't validate real behavior
See .claude/rules/anti-patterns-catalog.md for the full catalog.
7 Constitutional Principles
| # | Principle | xOps Application |
|---|---|---|
| I | Acceptable Agency | Agents prepare; HITL approves SNS gate before terraform apply |
| II | Interoperability & Security | nnthanh101/* Docker images; docker-first enforcement |
| III | Evaluation-First | 4-way cross-validation, ≥99.5% accuracy before completion claims |
| IV | Hybrid Deployment | LOCAL ($0) → ECS Fargate ($180/mo) → K3S hybrid (BC2+) |
| V | Observability | MELT telemetry, App Signals, DORA metrics, PDCA evidence |
| VI | Governance | 22 hooks, 65 anti-patterns, 17 rules files |
| VII | Agent Engineering | INVEST stories, 4-agent consensus, evidence-based completion |