| name | kms-sync-rules |
| description | Auto-detect changed files via git diff and emit only the applicable AGENTS.md synchronization sub-rules as a checklist. Use after every code change. |
KMS Sync Rules (Auto-Detect)
Detect changed files and emit only the synchronization sub-rules that apply to your current changes.
Step 1 — Detect Changes
Run the following to discover what has changed:
```bash
git diff --name-only HEAD
git diff --name-only --cached
git diff --name-only origin/develop...HEAD 2>/dev/null || git diff --name-only HEAD~1
```
Collect the union of changed paths. If no files are detected, ask the user to describe what they changed.
Step 2 — Map Paths to Sub-Rules
Apply this path → rule mapping to the detected file list:
| Path pattern | Sub-rules triggered |
|---|---|
| `crate/server/src/routes/**` (new/modified handler) | 4.2, 4.10 |
| `crate/kmip/src/**` or `crate/server/src/core/operations/**` | 4.3, 4.10 |
| `crate/clients/clap/src/**` or `crate/clients/ckms/src/**` | 4.4, 4.15 |
| `ui/src/**` (new UI feature path) | 4.1, 4.4 |
| `crate/clients/wasm/src/**` | 4.5 |
| `crate/server/src/config/**` | 4.6, 4.7 |
| `crate/server/src/middlewares/**` or `crate/server/src/config/wizard/auth_wizard.rs` | 4.9 |
| `test_data/vectors/**` or `crate/test_kms_server/**` | verify 4.10 completeness |
| `Cargo.lock` or `ui/pnpm-lock.yaml` | 4.11 |
| `crate/server/src/routes/aws_xks/**` or `azure_ekm/**` or `google_cse/**` or `ms_dke/**` | 4.12, 4.10 |
| `crate/hsm/**` | 4.13 |
| `documentation/**` or `cli_documentation/**` or `README.md` | 4.14 |
| `ui/tests/e2e/**` | 4.16 |
| `crate/crypto/build.rs` | 4.17 |
Additional heuristic checks:
- If any changed Rust file contains `#[cfg(feature = "non-fips")]` changes → add 4.8
- If `crate/clients/ckms/src/commands.rs` changed → add 4.15
- If `crate/server/src/start_kms_server.rs` changed → verify 4.1, 4.2, 4.8, 4.9 as applicable
- If any changed file is in `crate/server/src/middlewares/`, `crate/server/src/core/operations/`, or `crate/crypto/src/` and the change fixes a security bug → remind: update SECURITY.md with a COSMIAN-YYYY-NNN entry (run /security-review to generate it)
Step 3 — Emit the Applicable Checklist
Output only the sub-rules that were triggered. For each, print the full checklist from the reference below.
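The path mapping and heuristic checks of Step 2, written out as a script. This is an added example, not code from the skill or the KMS repository. The names `triggered_rules` and `touches_non_fips` are hypothetical, and it assumes the abbreviated `azure_ekm/`, `google_cse/` and `ms_dke/` entries sit under `crate/server/src/routes/` like `aws_xks/`.

```python
from fnmatch import fnmatchcase

ROUTES = "crate/server/src/routes/"
# Step 2 table as (patterns, sub-rules). Assumption: the abbreviated azure_ekm/,
# google_cse/ and ms_dke/ entries sit under ROUTES like aws_xks/.
PATH_RULES = [
    ([ROUTES + "**"], ["4.2", "4.10"]),
    (["crate/kmip/src/**", "crate/server/src/core/operations/**"], ["4.3", "4.10"]),
    (["crate/clients/clap/src/**", "crate/clients/ckms/src/**"], ["4.4", "4.15"]),
    (["ui/src/**"], ["4.1", "4.4"]),
    (["crate/clients/wasm/src/**"], ["4.5"]),
    (["crate/server/src/config/**"], ["4.6", "4.7"]),
    (["crate/server/src/middlewares/**",
      "crate/server/src/config/wizard/auth_wizard.rs"], ["4.9"]),
    (["test_data/vectors/**", "crate/test_kms_server/**"], ["4.10"]),
    (["Cargo.lock", "ui/pnpm-lock.yaml"], ["4.11"]),
    ([ROUTES + d + "/**" for d in ("aws_xks", "azure_ekm", "google_cse", "ms_dke")],
     ["4.12", "4.10"]),
    (["crate/hsm/**"], ["4.13"]),
    (["documentation/**", "cli_documentation/**", "README.md"], ["4.14"]),
    (["ui/tests/e2e/**"], ["4.16"]),
    (["crate/crypto/build.rs"], ["4.17"]),
]
SECURITY_DIRS = ("crate/server/src/middlewares/",
                 "crate/server/src/core/operations/", "crate/crypto/src/")
NON_FIPS = '#[cfg(feature = "non-fips")]'

def touches_non_fips(diff_text):
    """True if an added or removed line of a .rs file carries the non-fips gate."""
    current = ""
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            current = line.rsplit(" b/", 1)[-1]  # path of the file being diffed
        elif line.startswith(("+", "-")) and current.endswith(".rs") and NON_FIPS in line:
            return True
    return False

def triggered_rules(paths, diff_text=""):
    """Return (sub-rule numbers in numeric order, reminders) for changed paths."""
    rules = {"4.8"} if touches_non_fips(diff_text) else set()
    notes = []
    for path in paths:
        for patterns, subrules in PATH_RULES:
            if any(fnmatchcase(path, p) for p in patterns):
                rules.update(subrules)
        if path == "crate/server/src/start_kms_server.rs":
            notes.append("verify 4.1, 4.2, 4.8, 4.9 as applicable")
        if path.startswith(SECURITY_DIRS):
            notes.append(f"{path}: if a security fix, update SECURITY.md (COSMIAN-YYYY-NNN)")
    return sorted(rules, key=lambda r: int(r.split(".")[1])), notes
```

Pass it the union of paths from Step 1 and, for the non-fips check, the text of `git diff HEAD`. Context lines are ignored, so an untouched gate that merely appears near a change does not trigger 4.8.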
Sub-Rule Reference
Rule 4.1 — Server SPA routes ⇔ React Router ⇔ Menu items
(triggered by: ui/src/** with new route, or start_kms_server.rs changes)
Rule 4.2 — REST endpoints ⇔ OpenAPI ⇔ Route registration
(triggered by: crate/server/src/routes/**)
Rule 4.3 — KMIP operations: types → dispatch → implementation
(triggered by: crate/kmip/src/**, crate/server/src/core/operations/**)
Rule 4.4 — CLI ⇔ Web UI feature parity
(triggered by: crate/clients/clap/**, crate/clients/ckms/**, ui/src/**)
Rule 4.5 — WASM bindings ⇔ Web UI
(triggered by: crate/clients/wasm/src/**)
Rule 4.6 — Server configuration ⇔ Wizard ⇔ TOML templates
(triggered by: crate/server/src/config/**)
Rule 4.7 — Server wizard ⇔ Client wizard
(triggered by: crate/server/src/config/wizard/**)
Rule 4.8 — Non-FIPS gating across the stack
(triggered by: non-fips feature changes detected in diff)
Rule 4.9 — Auth middleware consistency
(triggered by: crate/server/src/middlewares/**, crate/server/src/config/wizard/auth_wizard.rs)
Rule 4.10 — Test vectors: directory → runner → README
(triggered by: most code changes)
Rule 4.11 — Nix vendor hashes ⇔ lock files
(triggered by: Cargo.lock, ui/pnpm-lock.yaml)
Rule 4.12 — Cloud provider integrations
(triggered by: crate/server/src/routes/aws_xks/**, azure_ekm/**, google_cse/**, ms_dke/**)
Rule 4.13 — HSM backend support
(triggered by: crate/hsm/**)
Rule 4.14 — Documentation ⇔ mkdocs ⇔ README
(triggered by: documentation/**, cli_documentation/**, README.md)
Rule 4.15 — CLI documentation auto-generation
(triggered by: crate/clients/ckms/src/**, crate/clients/clap/src/**)
Rule 4.16 — E2E test documentation
(triggered by: ui/tests/e2e/**)
Rule 4.17 — OpenSSL version updates
(triggered by: crate/crypto/build.rs)