User Story
As an adopter relying on apexyard's role activation rules, I want the framework to mechanically detect when a role trigger fires AND remind the main agent to read the role file, so that role adoption isn't dependent on the agent remembering — it's enforced by the framework like every other governance rule.
Driver
Today's role activation is prose-only discipline. The trigger table in `.claude/rules/role-triggers.md` says "when a PR touches `**/auth/**`, Security Auditor activates" — but if the main agent doesn't remember to read `roles/security/security-auditor.md` before responding, the activation never actually happens. Silent rule-skip.
This is the same failure mode the framework already mechanically fixes for OTHER governance rules:
- Active-ticket requirement → `require-active-ticket.sh` hook
- Merge gate → `block-unreviewed-merge.sh` hook
- Migration ticket → `require-migration-ticket.sh` hook
- AgDR for arch changes → `require-agdr-for-arch-pr.sh` hook
Role activation should follow the same shape: detect the trigger condition mechanically, inject the role file as required context so the main agent can't avoid reading it.
Scope
A new hook (or extension of an existing one) that:
- Detects role-trigger conditions per `.claude/rules/role-triggers.md`:
  - Ticket label changed → relevant role's trigger (e.g. `qa` label → QA Engineer)
  - PR diff touches a path pattern → relevant role's trigger (e.g. `**/auth/**` → Security Auditor)
  - Production-incident-mentioned in user prompt → SRE
  - New PRD drafted → Product Manager
- When triggered, injects a system-reminder-style line into the assistant's context:

  ```
  ROLE TRIGGER: Security Auditor activates per .claude/rules/role-triggers.md
  (PR diff touches **/auth/**). Read roles/security/security-auditor.md
  and adopt the role before continuing.
  ```

- The main agent reads the file (Read tool — visible in tool-call log) and then proceeds with the role identity adopted.
Mechanism options
| Mechanism | Pros | Cons |
|---|---|---|
| UserPromptSubmit hook scans for trigger phrases | Catches prompted activation ("act as the QA Engineer") | Doesn't catch auto-triggers (label changes, diff content) |
| PreToolUse hook on Edit/Write scans changed file paths | Catches diff-driven triggers (PR touches auth) | Doesn't catch trigger-by-label or trigger-by-conversation |
| Combined: PreToolUse + UserPromptSubmit | Covers both modes | Two hooks to maintain |
| PostToolUse on `gh issue edit` (label change) | Catches label-based triggers | One more event surface |
Pick the simplest combination that covers the documented trigger table.
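A sketch of the detection core for the two modes the "Combined" row covers (diff-driven and prompted), added here as an example and not taken from apexyard's code. The function names, the `ROLE|REASON|ROLE_FILE` record format and `ROLE_FILE_PLACEHOLDER` are assumptions; only the Security Auditor role-file path comes from this ticket, and wiring the functions to the hook events is left out.

```shell
#!/bin/sh
# Added example, not apexyard's hook. Records are "ROLE|REASON|ROLE_FILE".
# ROLE_FILE_PLACEHOLDER stands in for a path the ticket does not give.

# match_path PATH: record for a diff-driven trigger, or status 1 on no match.
match_path() {
  case "${1#./}" in
    auth/*|*/auth/*)   # the ticket's **/auth/** pattern
      printf '%s\n' "Security Auditor|PR diff touches **/auth/**|roles/security/security-auditor.md" ;;
    *) return 1 ;;
  esac
}

# match_prompt TEXT: record for prompted activation ("act as the X").
match_prompt() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    *"act as the security auditor"*)
      printf '%s\n' "Security Auditor|user prompt requests the role|roles/security/security-auditor.md" ;;
    *"act as the qa engineer"*)
      printf '%s\n' "QA Engineer|user prompt requests the role|ROLE_FILE_PLACEHOLDER" ;;
    *) return 1 ;;
  esac
}

# format_reminder RECORD: the reminder text in the ticket's wording.
format_reminder() {
  role=${1%%|*}; rest=${1#*|}
  printf 'ROLE TRIGGER: %s activates per .claude/rules/role-triggers.md\n' "$role"
  printf '(%s). Read %s\nand adopt the role before continuing.\n' "${rest%%|*}" "${rest#*|}"
}

# scan_paths: changed paths on stdin, one reminder per role; status 1 if none fired.
scan_paths() {
  fired=""
  while IFS= read -r p; do
    rec=$(match_path "$p") || continue
    case "$fired" in *"|${rec%%|*}|"*) continue ;; esac
    fired="$fired|${rec%%|*}|"
    format_reminder "$rec"
  done
  [ -n "$fired" ]
}

# Constructed sample diff: two auth files and one unrelated file.
printf '%s\n' src/auth/login.ts README.md services/api/auth/token.go | scan_paths
```

The pattern matches a path component named exactly `auth`, so `src/authz.ts` does not fire, while any file under an `auth/` directory does, including documentation, which is the over-triggering this ticket accepts.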
Out of scope of v1
- Enforcing that the role file is actually read after the reminder (would require monitoring Read tool calls — out of scope).
- Enforcing role boundaries (CAN / CANNOT) — separate concern, more complex.
Risks / Dependencies
- False positives — a PR that touches `**/auth/**` for trivial reasons (docs about auth, not auth code) would trigger Security Auditor. Acceptable: better to over-trigger than miss real cases; the security auditor can no-op cheaply.
- Couples with role-naming ticket — reminder line reads better with a persona name; ship independently though.
- Couples with role-activation-visibility ticket — the reminder line is the input; the activation marker the agent prints is the output. Both required for the loop to be visible.
Refs
- Sibling: role-naming consistency ticket
- Sibling: role-activation visibility ticket (the user-visible side of this loop)
- Pattern precedent: `require-active-ticket.sh`, `block-unreviewed-merge.sh`, `require-agdr-for-arch-pr.sh` — same "convert prose rule to mechanical enforcement" shape
- Related: `.claude/rules/role-triggers.md` § "Aspirational → Real"
Acceptance Criteria
- […] `**/auth/**`), and prompted (user says "act as the X").
- `.claude/rules/role-triggers.md` § "Aspirational → Real" updated — this ticket closes the "real" gap.