Manage Env Module Slices
Purpose
Enforce module-level env boundaries (owns/requires) without modifying the env contract, and generate per-module env slices for LLM context.
The manage-env-module-slices workflow does not change env/contract.yaml. It only validates and syncs module slices.
Required Inputs
- •Module manifests:
modules/<module_id>/MANIFEST.yaml - •Env contract:
env/contract.yaml
Outputs
- •
modules/<module_id>/interact/env-slice.json(default output) - •Updated module registry:
modules/<module_id>/interact/registry.json
Procedure
Phase 0 — Contract readiness (mandatory)
- •Confirm
env/contract.yamlexists and defines the required variables. - •If the contract is missing, initialize the repo-level env contract SSOT (then resume):
- •Check
docs/project/env-ssot.jsonisrepo-env-contract - •If first-time setup, scaffold a minimal safe contract (no secrets):
python3 -B -S .ai/skills/features/environment/env-contractctl/scripts/env_contractctl.py init --root . --out .ai/.tmp/env-contract/bootstrap.md
- •Check
- •If new keys are needed, update
env/contract.yamlvia theenv-contractctlworkflow (and regenerate artifacts), then resume this skill.
Phase 1 — Declare module boundaries
- •In
modules/<module_id>/MANIFEST.yaml, add or update:
yaml
env:
owns:
- key: SERVICE_API_KEY
requires:
- LOG_LEVEL
Rules:
- •Use exact keys from
env/contract.yaml. - •Only one module may own a given key.
Phase 2 — Preflight validation (mandatory)
- •Run strict validation:
- •
node .ai/scripts/modules/env-contractctl-module.mjs verify - •Optional:
node .ai/scripts/modules/env-contractctl-module.mjs verify --strict
- •
- •Check ownership conflicts:
- •
node .ai/scripts/modules/env-contractctl-module.mjs conflicts
- •
- •If any errors or conflicts are reported, STOP and resolve:
- •Fix missing or invalid keys.
- •Resolve ownership conflicts (one owner per key).
Phase 3 — Preview slice (recommended)
- •Export a preview slice for review:
- •
node .ai/scripts/modules/env-contractctl-module.mjs export-slice --module-id <module_id>
- •
- •Ask for confirmation before writing slices, especially if updating multiple modules.
Checkpoint: request explicit approval before writing slices.
code
[APPROVAL REQUIRED] I am ready to generate and write module slices. - Command: sync-slices - Scope: all modules (or a single module if --module-id is used) Type "approve slices" to proceed.
Phase 4 — Sync module slices (writes)
- •Generate slices for all modules (requires explicit approval):
- •
node .ai/scripts/modules/env-contractctl-module.mjs sync-slices
- •
- •Or target a single module:
- •
node .ai/scripts/modules/env-contractctl-module.mjs sync-slices --module-id <module_id>
- •
- •To avoid registry updates, add
--no-registry.
Verification
- •
verifypasses with no errors - •
conflictsreports no ownership collisions - •
modules/<module_id>/interact/env-slice.jsonexists and matches declared owns/requires - • Module registry updated with
env-sliceartifact (unless--no-registry)
Boundaries
- •MUST NOT modify
env/contract.yamlin the manage-env-module-slices workflow. - •MUST NOT store secrets in repo artifacts.
- •MUST NOT treat module slices as SSOT.
- •MUST resolve ownership conflicts before syncing slices.
- •MUST obtain explicit approval before running
sync-slicesfor all modules.