chore(governance): add missing governance files#63
Conversation
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
CodeAnt AI is reviewing your PR. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
Warning Review limit reached
More reviews will be available in 49 minutes and 27 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more credits in the billing tab to continue. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
✨ Simplify code
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
codeant-ai
Bot
added
the
size:L
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is ON. A cloud agent has been kicked off to fix the reported issues.
Reviewed by Cursor Bugbot for commit 05b11da. Configure here.
| default=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name 2>/dev/null || echo "main") | ||
| case "$default" in | ||
| main|master) echo "OK: default branch '$default' is governance-approved" ;; | ||
| *) echo "::error::Default branch '$default' is not in the approved set (main, master)"; exit 1 ;; |
There was a problem hiding this comment.
API failure bypasses branch check
Medium Severity
In branch-policy, when gh repo view fails, stderr is discarded and the script substitutes main, so the approved-branch check can pass even when the repository default branch is not main or master.
Reviewed by Cursor Bugbot for commit 05b11da. Configure here.
| if: hashFiles('.commitlintrc.json') != '' | ||
| uses: wagoid/commitlint-github-action@5a18711fb4551c356c12597d399a82599b8e2a39 # v5 | ||
| with: | ||
| configFile: .commitlintrc.json |
There was a problem hiding this comment.
Shallow fetch breaks commitlint
Medium Severity
The commit-policy job checks out only fetch-depth: 50 before wagoid/commitlint-github-action, which needs full history to resolve revision ranges; once .commitlintrc.json exists, lint can error or skip commits on larger PRs.
Reviewed by Cursor Bugbot for commit 05b11da. Configure here.
![codeant-ai[bot]](https://avatars.githubusercontent.com/in/646884?s=60&v=4){kind=small}
| @@ -0,0 +1,79 @@ | |||
| name: Governance | |||
There was a problem hiding this comment.
Suggestion: Add an explicit AgilePlus spec reference (for example, spec ID in a comment or workflow metadata) to tie this newly introduced governance automation to an approved spec before implementation. [custom_rule]
Severity Level: Minor
Why it matters? 🤔
This is a newly introduced workflow file that adds governance automation, and the file contains no AgilePlus spec reference in metadata or comments. The custom rule requires new work to be tied to an approved spec before implementation, so this is a real violation.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is a comment left during a code review.
**Path:** .github/workflows/governance.yml
**Line:** 1:1
**Comment:**
*Custom Rule: Add an explicit AgilePlus spec reference (for example, spec ID in a comment or workflow metadata) to tie this newly introduced governance automation to an approved spec before implementation.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix| @@ -0,0 +1,44 @@ | |||
| # Architecture | |||
There was a problem hiding this comment.
Suggestion: Move this new Markdown document from the repository root into an approved documentation subdirectory (for example under docs/reference/) because only README.md, CLAUDE.md, and AGENTS.md are allowed as root-level Markdown files. [custom_rule]
Severity Level: Minor
Why it matters? 🤔
This file is a new Markdown document created at the repository root. The rule explicitly allows only README.md, CLAUDE.md, and AGENTS.md at the root, so adding ARCHITECTURE.md here violates the repository documentation layout rule.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is a comment left during a code review.
**Path:** ARCHITECTURE.md
**Line:** 1:1
**Comment:**
*Custom Rule: Move this new Markdown document from the repository root into an approved documentation subdirectory (for example under `docs/reference/`) because only `README.md`, `CLAUDE.md`, and `AGENTS.md` are allowed as root-level Markdown files.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix| @@ -0,0 +1,33 @@ | |||
| # SSOT — Single Source of Truth (phenoAI) | |||
There was a problem hiding this comment.
Suggestion: Move this new governance document under the approved docs directory structure (for example under docs/) instead of creating it at repository root, since only README.md, CLAUDE.md, and AGENTS.md are allowed as new root Markdown files. [custom_rule]
Severity Level: Minor
Why it matters? 🤔
The file is a new Markdown document created at the repository root, and the rule only allows new root Markdown files named README.md, CLAUDE.md, or AGENTS.md. Since this file is SSOT.md, the suggestion correctly identifies a real violation.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is a comment left during a code review.
**Path:** SSOT.md
**Line:** 1:1
**Comment:**
*Custom Rule: Move this new governance document under the approved docs directory structure (for example under `docs/`) instead of creating it at repository root, since only `README.md`, `CLAUDE.md`, and `AGENTS.md` are allowed as new root Markdown files.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
| run: | | ||
| default=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name 2>/dev/null || echo "main") | ||
| case "$default" in | ||
| main|master) echo "OK: default branch '$default' is governance-approved" ;; | ||
| *) echo "::error::Default branch '$default' is not in the approved set (main, master)"; exit 1 ;; |
There was a problem hiding this comment.
🟠 Architect Review — HIGH
The branch-policy check treats any gh repo view failure as defaulting to "main" and therefore passes, so branch governance is not actually enforced when the CLI/API/auth lookup fails, creating false-positive compliance instead of a real policy gate.
Suggestion: Fail closed for lookup errors: make branch detection deterministic from repository metadata and only pass when the real default branch is verified as main/master. Keep error and policy-failure paths distinct so transient lookup failures cannot be interpreted as compliant state.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/governance.yml
**Line:** 72:76
**Comment:**
*HIGH: The branch-policy check treats any `gh repo view` failure as defaulting to `"main"` and therefore passes, so branch governance is not actually enforced when the CLI/API/auth lookup fails, creating false-positive compliance instead of a real policy gate.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
|
CodeAnt AI finished reviewing your PR. |
1 participant
User description
L1.4 governance keystone per L1 audit 2026-06-12
Note
Low Risk
Documentation and CI policy only; no runtime, auth, or application code changes. Branch-policy job depends on
GITHUB_TOKENandghavailability on the runner.Overview
Adds L1.4 governance keystone artifacts: a new Governance GitHub Actions workflow, plus
SSOT.mdand a skeletonARCHITECTURE.md.The
.github/workflows/governance.ymlworkflow runs on push/PR tomain/masterand weekly (Mondays 06:00 UTC). It enforces three policies: a required-files job that fails CI if any ofSECURITY.md,.github/dependabot.yml,.github/workflows/scorecard.yml,.editorconfig,cliff.toml, orSSOT.mdis missing; conventional commit lint via commitlint when.commitlintrc.jsonexists (otherwise skipped, job non-blocking); and default branch must bemainormaster(viagh repo view).SSOT.mddefines canonical sources for build commands, releases, security, dependabot, branch policy (pointing at this workflow), scorecard, editorconfig, architecture, agents, and functional requirements, with a precedence order favoring executable config over markdown.ARCHITECTURE.mdis an initial workspace overview (crates, python, ports, docs) and data-flow sketch, explicitly marked as a placeholder for future detail.Reviewed by Cursor Bugbot for commit 05b11da. Bugbot is set up for automated code reviews on this repo. Configure here.
CodeAnt-AI Description
Add governance checks and repository source-of-truth docs
What Changed
mainormasteras the default branch.Impact
✅ Fewer missing governance files✅ Clearer branch and commit policy checks✅ Easier finding of repository authority sources💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.