Ekklesia CMS

Appearance

AI Skill Operations Plan

This document defines how AI skills are integrated into Ekklesia to improve product quality, design quality, and platform security without weakening tenant isolation.

Goals

  • Keep all AI-assisted development decisions auditable and human-approved.
  • Enforce tenant isolation and security controls at PR time and pre-release time.
  • Raise UI quality to a consistent, modern, clean standard across Filament surfaces.
  • Reduce regressions by requiring test and contract coverage for risky changes.

Enforcement Model

  • PR checks (blocking): must pass before merge.
  • Scheduled checks (non-blocking alert): nightly and weekly drift/security detection.
  • Release checks (blocking): run on release branch/tag.
  • Human approval: no AI action can merge code, apply labels, or publish comments automatically.

Skill Matrix

SkillTriggerScopePass/Fail RuleOutput Artifact
Tenant Isolation Auditorpull_request, push to mainModels, queries, jobs, exports, AI context buildersFail if unscoped DB access or cross-tenant context risk is detectedartifacts/tenant-audit.md
Laravel Security Reviewerpull_requestValidation, authorization, uploads, auth/token flowsFail on High/Critical findings; Medium opens warning commentartifacts/security-review.md
Prompt Safety Guardpull_request, nightlyAssistant prompts, context serialization, redaction logicFail if prompt-injection protections or redaction checks regressartifacts/prompt-safety.md
API Contract Guardianpull_requestControllers, requests, resources, Scramble docsFail if endpoint/request/response contracts drift without docs/test updatesartifacts/api-contract.md
PR Risk & Regression Reviewerpull_requestChanged code paths and impact mapFail if risk score >= 8 and no matching tests addedartifacts/pr-risk.md
Pest Coverage Gap Finderpull_requestDiff coverage + critical path coverageFail if changed lines coverage < 85% for critical modulesartifacts/test-gaps.md
Filament UX Consistency Criticpull_request label ui or changed app/Filament/**Forms, tables, states, responsive behavior, a11y basicsFail if required UX checklist items are missingartifacts/ux-review.md
Dependency Supply Chain Watcherweekly schedule + Dependabot PRComposer/npm dependency deltasFail on known exploitable CVEs; otherwise warningartifacts/dependency-watch.md
Docs/Changelog Sync Agentpull_requestDocs for architecture/behavior changesFail if behavior changed and changelog/docs not updatedartifacts/docs-sync.md
Policy Validation Gatepull_request, pushAI gate allowlist policy fileFail if policy schema/rules are invalid or too broadartifacts/policy-validation.md
Drift Reportweekly scheduleWhole-repo tenant/security finding drift snapshotInformational report for trend reviewartifacts/drift-report.md

PR Quality Gates (Required Status Checks)

Required checks on main branch protection:

  1. ci/tests (existing CI workflow)
  2. ai/policy-validation
  3. ai/tenant-isolation-audit
  4. ai/security-review
  5. ai/prompt-safety
  6. ai/api-contract-guardian
  7. ai/pr-risk-and-tests
  8. ai/test-gaps
  9. ai/ux-consistency (conditional; required when UI files change)
  10. ai/docs-sync

Merge rule:

  • Block merge on any failed required check.
  • Block merge if any required check is skipped unexpectedly.
  • Allow merge with warnings only when all required checks pass.
  • ai/pr-summary-comment should remain informational (not required), since it runs with if: always().

Implementation Phases

Phase 1 (Week 1): Security Baseline

Implement first:

  1. Tenant Isolation Auditor
  2. Laravel Security Reviewer
  3. Prompt Safety Guard
  4. Dependency Supply Chain Watcher

Definition of done:

  • Blocking checks wired in GitHub Actions.
  • Findings written as artifacts and PR summary comments.
  • At least one regression test added per blocked class of issue.

Phase 2 (Week 2): Engineering Quality Baseline

Implement:

  1. PR Risk & Regression Reviewer
  2. Pest Coverage Gap Finder
  3. API Contract Guardian

Definition of done:

  • Risk scoring appears on all PRs.
  • Diff coverage threshold enforced for critical modules (app/, routes/api.php, tests/Feature/Api/**).
  • Contract drift failures include exact endpoint and schema deltas.

Phase 3 (Week 3): Product and Design Baseline

Implement:

  1. Filament UX Consistency Critic
  2. Docs/Changelog Sync Agent

Definition of done:

  • UI PRs include checklist validation (states, spacing, responsive behavior, basic a11y).
  • Architecture-affecting PRs require docs updates in docs/architecture/** and changelog entry.

Governance Rules

  • AI outputs are advisory plus gate signals, never auto-merge actions.
  • High/Critical security findings require explicit maintainer resolution note before merge.
  • Any tenant-isolation finding is treated as a release blocker.
  • AI reviewer prompts and policies are versioned in repository and reviewed like code.

KPI Targets

  • Production incident rate from auth/tenant leaks: 0
  • PRs with required test coverage on changed critical paths: >= 95%
  • Escaped regressions from modified API endpoints: < 2% per month
  • UI review rework after merge: < 10% of UI PRs
  • Mean time to triage AI security findings: < 24h

Minimum Workflow Skeleton

Add a dedicated workflow file (example name: .github/workflows/ai-quality-security.yml) with these jobs:

  1. tenant_isolation_audit
  2. security_review
  3. prompt_safety
  4. api_contract_guardian
  5. pr_risk_and_tests
  6. ux_consistency
  7. docs_sync

Each job must:

  • check out code,
  • install dependencies,
  • run one deterministic analyzer command/script,
  • upload an artifact report,
  • fail with non-zero exit code on policy violations.

Local Developer Workflow

Before opening a PR:

  1. composer check-all
  2. run tenant isolation tests for touched modules
  3. run security-focused feature tests for touched auth/upload/AI paths
  4. update docs/guide/changelog.md for behavior changes

This keeps local and CI quality gates aligned and avoids late-stage failures.

Current Repository Wiring

The baseline gate wiring currently lives at:

  • .github/workflows/ai-quality-security.yml
  • scripts/ai-gates/*.sh
  • scripts/ai-gates/analyzers/*.php
  • scripts/ai-gates/policy.json
  • scripts/ai-gates/policy.template.json
  • scripts/ai-gates/baseline.json

Each gate script writes a markdown artifact under artifacts/*.md and exits non-zero on policy violation. Tenant and security gates also emit inline GitHub annotations (::error / ::warning) for unsuppressed findings. Tenant and security gates also export SARIF (artifacts/*.sarif) for GitHub code scanning visibility. PR runs publish one sticky summary comment with all gate statuses. Policy thresholds drive fail behavior for tenant/security severity and diff-coverage minimum. Baseline snapshot mode suppresses known finding fingerprints via scripts/ai-gates/baseline.json.

Released under the MIT License.

Ekklesia CMS — Built for the African Church