{"id":47928841,"url":"https://github.com/kosli-dev/agentic-sdlc-demo","last_synced_at":"2026-04-04T07:09:03.284Z","repository":{"id":346881128,"uuid":"1190952513","full_name":"kosli-dev/agentic-sdlc-demo","owner":"kosli-dev","description":"Reference implementation of an agentic SDLC with AI-driven controls for regulated financial services. Demonstrates the control points needed when AI writes production code.","archived":false,"fork":false,"pushed_at":"2026-03-26T18:55:19.000Z","size":528,"stargazers_count":0,"open_issues_count":13,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-26T20:07:03.992Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kosli-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-24T19:26:45.000Z","updated_at":"2026-03-26T18:11:46.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/kosli-dev/agentic-sdlc-demo","commit_stats":null,"previous_names":["kosli-dev/agentic-sdlc-demo"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/kosli-dev/agentic-sdlc-demo","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kosli-dev%2Fagentic-sdlc-demo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kosli-dev%2Fagentic-sdlc-demo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kosli-dev%2Fagentic-sdlc-demo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kosli-dev%2Fagentic-sdlc-demo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kosli-dev","download_url":"https://codeload.github.com/kosli-dev/agentic-sdlc-demo/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kosli-dev%2Fagentic-sdlc-demo/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31390816,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-04T04:26:24.776Z","status":"ssl_error","status_checked_at":"2026-04-04T04:23:34.147Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-04T07:09:02.554Z","updated_at":"2026-04-04T07:09:03.275Z","avatar_url":"https://github.com/kosli-dev.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Agentic SDLC Demo\n\nA reference implementation of an **agentic SDLC** — what happens when AI agents\nwrite production code and you need to prove that proper controls were in place.\n\nThe application (a payment processing service) exists to give the agents\nsomething realistic to work on. The interesting part is the workflow: how\nchanges flow from ticket to production, what evidence is collected at each\nstep, and how that evidence is evaluated.\n\nAll control evidence is attested to [Kosli](https://www.kosli.com) for\ngovernance, audit, and compliance.\n\n## How It Works\n\nA change flows through two Kosli flows:\n\n```\nGitHub Issue\n │\n ▼\n┌─────────────────────────────────────────────────────┐\n│ Code Review Flow (per issue, multiple trails) │\n│ │\n│ Loop 1 ──▶ Loop 2 ──▶ ... ──▶ Final │\n│ │\n│ Each loop: │\n│ 1. Pre-review CI gate (lint, tests, Docker) │\n│ 2. Ticket integrity check (locked, untampered) │\n│ 3. Injection scan (regex, before AI sees diff) │\n│ 4. Change classification + persona selection │\n│ 5. 10 AI review agents (5 personas × 2 models) │\n│ 6. Finding dedup + cross-model severity │\n│ 7. Moderator debate + resolution │\n│ 8. Resolver: triage findings, commit fixes │\n│ 9. Cost tracking │\n│ │\n│ 97 attestations per trail │\n└─────────────────────────────────────────────────────┘\n │\n │ PR merged\n ▼\n┌─────────────────────────────────────────────────────┐\n│ Build Flow (per issue, one trail per PR) │\n│ │\n│ 1. Source directory fingerprinted (artifact) │\n│ 2. Docker build + health check │\n│ 3. 10 Rego policy control gates │\n│ (evaluate evidence from Code Review flow) │\n│ │\n│ All controls must pass for trail to be COMPLIANT │\n└─────────────────────────────────────────────────────┘\n```\n\n## Build Flow Controls\n\nThese are the control gates that run at build time. Each one uses\n`kosli evaluate trails` with a Rego policy to check evidence that was\ncollected during the code review flow. The Rego policy source, evaluation\nresult, and violations are embedded in each attestation's `user_data` for\nfull auditability.\n\n| Control | What It Checks | Why It Matters |\n|---|---|---|\n| **code-review-control** | All review trails compliant, Final trail exists | Proves a substantive multi-model review happened |\n| **ticket-integrity-control** | `ticket-integrity` attestation exists and compliant in every loop | Proves the ticket was locked and untampered throughout |\n| **lint-control** | `pre-review-lint` passed every loop | Proves code met style/quality standards before review |\n| **unit-test-control** | `pre-review-unit-tests` passed every loop | Proves unit tests passed before review |\n| **integration-test-control** | `pre-review-integration-tests` passed every loop | Proves integration tests passed before review |\n| **cost-control** | `loop-cost` within budget in every loop | Proves AI compute stayed within budget |\n| **artifact-integrity-control** | Source dir SHA256 from review matches CI build | Proves \"code reviewed = code built\" |\n| **injection-scan-control** | `diff-injection-scan` ran, 0 candidates, 0 payloads | Proves diff was scanned for prompt injection before AI agents saw it |\n| **resolver-completeness-control** | `resolver-threads-resolved` shows all findings accounted for, 0 open threads | Proves the resolver didn't drop or fabricate findings |\n| **review-quality-control** | All 5 orchestration slots present and compliant (classification, severity, dedup, debate, resolution) | Proves the review process was substantive, not a rubber stamp |\n\n### How controls are evaluated\n\nEach control follows the same pattern:\n\n1. `kosli evaluate trails` runs the Rego policy against all trails in the code review flow\n2. The policy returns `allow: true/false` and a list of `violations` (human-readable strings)\n3. The result is attested via `kosli attest generic --compliant=$ALLOWED` with the Rego source, evaluation result, and violations as `--user-data`\n4. If any control is non-compliant, the build trail is non-compliant\n\nRego policies live in `kosli/policies/`. Every policy has a corresponding\n`_test.rego` file with OPA test cases.\n\n### Strengths\n\n- **Separation of evidence and evaluation** — the code review flow produces\n evidence (attestations with structured payloads). The build flow evaluates\n that evidence with Rego policies. The two concerns are decoupled.\n- **Policy-as-code** — controls are Rego files in version control, not\n configuration in a UI. They're testable, reviewable, and auditable.\n- **Evidence embedded in attestations** — each control attestation includes\n the Rego policy source, the evaluation result, and the violations. An auditor\n can see exactly what was checked and why it passed or failed.\n- **Deterministic artifact identity** — source directory fingerprinting\n (`--artifact-type dir`) produces the same SHA256 regardless of which machine\n computes it. This lets us prove \"code reviewed = code built\".\n- **No silent passes** — controls use `kosli attest generic` with an explicit\n `--compliant` flag. There's no path where a control silently passes because\n a jq rule is missing.\n\n### Known Limitations\n\n- **`kosli-dev/setup-cli-action@v2`** is still on Node.js 20 (no v3 release).\n The deprecation warning will persist until Kosli ships a Node 24 build.\n- **Rego policy source in `user_data`** renders as raw JSON with `\\n` and `\\t`\n escape characters in the Kosli UI. The data is correct but hard to read\n inline. This is a Kosli UI limitation — multiline strings aren't rendered\n as formatted text. Attachments via `--attachments` are an alternative\n (stored in Evidence Vault, downloadable) but not visible inline.\n- **No external configuration for Rego policies** — `kosli evaluate` doesn't\n support `--data` for external values. Budget limits and expected counts are\n hardcoded in the Rego files.\n- **`kosli evaluate` output returns `violations: null`** instead of\n `violations: []` when there are no violations. Handled with `// []` in jq.\n- **Custom attestation types can't be used for control gates** —\n `kosli attest custom` has no `--compliant` flag, and custom types without\n jq evaluator rules are silently always compliant. This means control gates\n must use `generic` type, which has less structured rendering in the UI.\n\n## Code Review Flow Evidence\n\nEach review loop trail contains 97 attestation slots:\n\n| Category | Slots | Count |\n|---|---|---|\n| Pre-review CI | lint, unit tests, integration tests, Docker build | 4 |\n| Ticket integrity | locked, snapshot, verified | 1 |\n| Injection scan | regex-based, pre-review | 1 |\n| Orchestration | classification, prior context, dedup, severity, debate, resolution | 6 |\n| Agent reviews | 8 steps × 5 personas × 2 models (bound to source artifact) | 80 |\n| Resolver | threads fetched, triaged, fixes committed, threads resolved | 4 |\n| Cost tracking | per-loop AI compute budget | 1 |\n\n### Review personas (5)\n- **Security \u0026 Compliance** — financial logic, decimal precision, PII, audit trails\n- **Architecture \u0026 Patterns** — layer violations, dependency direction, `.standards/` compliance\n- **Reliability \u0026 Infrastructure** — Docker, CI, health checks, deployment config\n- **Test Quality** — assertion quality, edge cases, coverage theatre\n- **API Surface** — breaking changes, validation, error consistency\n\n### Review models (2)\n- **Claude** (Anthropic)\n- **Google Gemini** (gemini-3-flash-preview)\n\nEach persona runs on both models independently. Cross-model consensus identifies\nhigh-confidence findings (both models agree) and model-specific findings.\n\n## Security\n\nSee [SECURITY.md](SECURITY.md) for the full security architecture, contributor\nguidelines, and vulnerability reporting process.\n\n## The Application\n\nA **Payment Transaction Processing Service** built with FastAPI. Accounts,\ntransactions, fraud detection, fee calculation — representative of regulated\nfinancial services.\n\n```bash\n# Run tests\nPYTHONPATH=src pytest tests/unit -m unit -v\nPYTHONPATH=src pytest tests/integration -m integration -v\n\n# Run locally\nPYTHONPATH=src uvicorn payments.app:app --reload --port 8080\n\n# Docker\ndocker compose up --build\n```\n\n## Project Layout\n\n```\n.github/workflows/\n├── agentic-code.yml # Coding agent → review → merge\n├── ci.yml # Build flow: Docker + 10 Rego control gates\n├── pipeline-tests.yml # Test suite for pipeline infrastructure + security lint\n├── pr-loop.yml # Review loop orchestration\n├── pr-resolve.yml # Finding resolver\n├── pr-review.yml # Review agent dispatch\n├── kosli-setup-flows.yml # Flow template management\n└── kosli-setup-types.yml # Attestation type management\n\nkosli/\n├── flows/\n│ ├── build-template.yml # Build flow: 1 trail + 11 artifact attestations\n│ └── code-review-template.yml # Review flow: 97 attestations per trail\n├── policies/ # Rego policies + OPA test files\n│ ├── code-review-control.rego\n│ ├── ticket-integrity-control.rego\n│ ├── lint-control.rego\n│ ├── unit-test-control.rego\n│ ├── integration-test-control.rego\n│ ├── cost-control.rego\n│ ├── artifact-integrity-control.rego\n│ ├── injection-scan-control.rego\n│ ├── resolver-completeness-control.rego\n│ └── review-quality-control.rego\n└── attestation-types/ # Custom type schemas + jq evaluator rules\n\nscripts/\n├── coding/ # Coding agent infrastructure\n├── review/ # Review pipeline (orchestrator, agents, resolver)\n└── ci/ # Build pipeline scripts\n\nsrc/payments/ # The application\ntests/ # Unit + integration tests\n.standards/ # Architecture, Python, Docker, testing, CI standards\n```\n\n## Links\n\n- [Kosli](https://www.kosli.com) — change management and compliance platform\n- [SECURITY.md](SECURITY.md) — security architecture, contributor guidelines, vulnerability reporting\n- [The controls that nobody wrote down...](https://www.linkedin.com/pulse/controls-nobody-wrote-down-alex-kantor-o2zte/) — the article that started this\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkosli-dev%2Fagentic-sdlc-demo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkosli-dev%2Fagentic-sdlc-demo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkosli-dev%2Fagentic-sdlc-demo/lists"}