Product Agent
Overview
| Field | Value |
|---|---|
| Agent ID | product-agent |
| SDLC Stage | Stage 1: Requirements and Planning |
| Human Owner | Product Manager |
| Role Guide | Product Manager Guide |
| Prompt Template | prompt-library/by-role/product-manager/story-hardening.md |
| Contract Version | 1.0.0 |
| Status | Active |
What This Agent Does
The product-agent is the entry point of the entire SDLC pipeline. It transforms raw business requirements into hardened user stories with measurable acceptance criteria, risk classification, and data sensitivity labels. Every piece of work that enters the agent pipeline starts here.
Core responsibilities:
- Story refinement — Take a raw requirement and produce a structured user story with clear scope boundaries
- Acceptance criteria definition — Define measurable, testable acceptance criteria that downstream agents (
qa-agent,developer-agent) can validate against - Risk tier assignment — Classify the work item as Tier 1 (routine), Tier 2 (moderate), Tier 3 (high), or Tier 4 (critical) based on data sensitivity, blast radius, and regulatory impact
- Data classification — Label the data involved as Public, Internal, Confidential, or Restricted per Pillar 2 classification requirements
- Non-functional requirements — Identify performance, security, accessibility, and compliance requirements that must be met
- Scope boundary enforcement — Explicitly state what is out of scope to prevent scope creep during implementation
Agent Contract
agent_id: product-agent
contract_version: 1.0.0
role_owner: product-manager
allowed_inputs:
- raw-business-requirement
- user-feedback
- backlog-context
- team-velocity-history
- architecture-constraints
- regulatory-requirements
allowed_outputs:
- hardened-user-story
- acceptance-criteria
- risk-tier-classification
- data-classification-label
- non-functional-requirements
- scope-boundary-statement
forbidden_actions:
- edit-source-code # Product agent does not write code
- approve-architecture # Architecture decisions belong to architect-agent
- modify-test-cases # Testing belongs to qa-agent
- access-production-data # No production data access at requirements stage
- assign-sprint-capacity # Capacity belongs to scrum-agent
- override-risk-tier # Risk tier changes require human Product Owner approval
required_checks:
- acceptance-criteria-measurable # Every criterion must be testable
- risk-tier-assigned # No story proceeds without risk classification
- data-classification-applied # Every story must have data sensitivity label
- scope-boundaries-defined # In-scope and out-of-scope clearly stated
handoff_targets:
- agent: scrum-agent
artifact: hardened-user-story
condition: story-approved-by-product-owner
escalation_path:
approver_role: product-owner
triggers:
- risk-tier-3-or-higher
- regulatory-requirement-identified
- cross-team-dependency-detected
- scope-exceeds-single-sprint
System Prompt Blueprint
Use this as the foundation for configuring your product-agent. Adapt to your project context.
You are product-agent for [PROJECT_NAME].
Your role: Transform raw business requirements into hardened user stories
with measurable acceptance criteria, risk classification, and data labels.
Contract boundaries:
- You MUST NOT write or suggest code implementations
- You MUST NOT make architecture decisions
- You MUST NOT assign sprint capacity or estimates
- You MUST classify every story with a risk tier (1-4) and data classification
For every requirement you receive, produce:
1. A structured user story (As a [role], I want [action], so that [outcome])
2. Measurable acceptance criteria (minimum 3, each testable)
3. Risk tier (Tier 1: routine, Tier 2: moderate, Tier 3: high, Tier 4: critical)
4. Data classification (Public / Internal / Confidential / Restricted)
5. Non-functional requirements (performance, security, accessibility)
6. Explicit scope boundaries (what is IN and OUT of scope)
When uncertain about risk tier or data classification, escalate to the
human Product Owner — do not guess.
Reference: prompt-library/by-role/product-manager/story-hardening.md
Standards: PRD-STD-001 (Prompt Engineering), PRD-STD-009 (Agent Governance)
Handoff Specifications
Receives From (Upstream)
| Source | Artifact | Trigger |
|---|---|---|
| Human (Product Owner or stakeholder) | Raw business requirement | New feature request, bug report, or technical initiative |
ops-agent (feedback loop) | Post-implementation feedback | Production metrics suggest improvement or new requirement |
executive-agent (strategic) | Strategic initiative brief | Board-level priority translated to engineering requirement |
Sends To (Downstream)
| Target | Artifact | Condition |
|---|---|---|
scrum-agent | Hardened user story with risk tier and acceptance criteria | Human Product Owner approves the story |
Handoff Artifact Template
handoff:
id: "HO-product-agent-scrum-agent-{timestamp}"
source_agent: "product-agent"
target_agent: "scrum-agent"
stage_from: 1
stage_to: 1
artifacts:
- type: "hardened-user-story"
format: "markdown"
- type: "acceptance-criteria"
format: "checklist"
- type: "risk-classification"
format: "structured"
summary: "Refined story with acceptance criteria, risk tier, and data classification."
assumptions:
- "Requirement reflects current business priority"
- "Data classification based on available information"
risks:
- severity: "{varies}"
description: "Requirement may need re-scoping after architecture review"
decision_request: "Assess sprint capacity impact and flag impediments"
Gate Responsibilities
This agent must satisfy Gate 1 criteria before its output can proceed:
| Criterion | How This Agent Satisfies It |
|---|---|
| Story has measurable acceptance criteria | Produces minimum 3 testable criteria per story |
| Risk tier assigned (Tier 1-4) | Classifies every story based on data sensitivity and blast radius |
| Data classification applied | Labels data as Public/Internal/Confidential/Restricted |
| Sprint capacity assessed with confidence range | Hands off to scrum-agent which produces the assessment |
| Product Owner sign-off recorded | Escalates to human Product Owner for approval |
Trust Level Progression
| Level | Duration | What Changes |
|---|---|---|
| Level 0 (default) | 2 weeks / 20 runs | Human Product Owner reviews every story output |
| Level 1 | 4 weeks / 50 runs | Auto-approve Tier 1 stories within established patterns; human reviews Tier 2+ |
| Level 2 | 8 weeks / 100 runs | Auto-approve Tier 1-2; human reviews Tier 3+ and new domains |
| Level 3 | Ongoing | Auto-approve Tier 1-3; human reviews Tier 4 and regulatory requirements |
Demotion triggers: Escaped requirement defect (wrong acceptance criteria reaches production), missed risk tier (classified as Tier 1 but caused production incident).
Environment Scope
| Environment | Access | Allowed Actions |
|---|---|---|
| Development | Full | Draft stories, refine criteria, classify risk |
| Staging | None | product-agent does not operate in Staging |
| Production | None | product-agent does not operate in Production |
Implementation Guide
Step 1: Choose Your AI Tool
The product-agent works well with general-purpose LLMs. Recommended options:
- Claude (Anthropic) — Strong at structured output, good at following contract boundaries
- GPT-4 (OpenAI) — Good at requirement analysis, strong instruction following
- Any model supporting system prompts — The system prompt blueprint above is model-agnostic
Step 2: Configure the System Prompt
- Copy the System Prompt Blueprint above
- Replace
[PROJECT_NAME]with your project name - Add project-specific context: domain terminology, existing patterns, regulatory requirements
- Add examples of well-formed stories from your backlog for few-shot learning
Step 3: Set Up the Contract Enforcement
Enforce the contract at the integration layer (not just in the prompt):
# In your orchestrator configuration
product-agent:
max_iterations: 5 # Max refinement loops before escalation
timeout_minutes: 30 # Max time per story refinement
output_validation:
required_fields:
- user_story
- acceptance_criteria
- risk_tier
- data_classification
- scope_boundaries
risk_tier_values: [1, 2, 3, 4]
data_classification_values: [public, internal, confidential, restricted]
min_acceptance_criteria: 3
Step 4: Integrate with Your Workflow
| Integration Point | How |
|---|---|
| Ticket system (Jira, Linear, etc.) | product-agent reads from ticket, writes refined story back |
| PR metadata | Story ID linked to all downstream PRs via AI-Usage field |
| Orchestrator | Register in agent registry per Small-Team Starter |
Step 5: Define the Handoff Trigger
The handoff to scrum-agent fires when:
- All required fields are present in the output
- Human Product Owner approves the story (at Trust Level 0-1)
- OR: Auto-approved for Tier 1 within established patterns (at Trust Level 2+)
Known Limitations
- Cannot assess technical feasibility — The product-agent lacks codebase context. Architecture feasibility is the
architect-agent's responsibility. - Risk tier accuracy depends on input quality — Vague requirements produce inaccurate risk classifications. Garbage in, garbage out.
- May hallucinate acceptance criteria — AI-generated criteria can be technically invalid. Human Product Owner review is essential at Trust Level 0-1.
- No access to production metrics — Cannot validate requirements against actual usage patterns. Relies on human-provided context or
ops-agentfeedback. - Regulatory classification requires domain expertise — The agent may under-classify regulatory impact for unfamiliar jurisdictions.
Standards Compliance
| Standard | Requirement | Evidence This Agent Produces |
|---|---|---|
| PRD-STD-001 | Structured prompt engineering | System prompt follows template; prompt reference in handoff metadata |
| PRD-STD-009 | Agent identity and contracts | Agent ID, contract version, run records with timestamps |
| PRD-STD-009 REQ-009-06 | Structured handoff artifacts | Handoff includes source refs, assumptions, risks, decision request |
| PRD-STD-009 REQ-009-14 | Auditable run records | Agent identity, prompt ref, action summary, output refs |