Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
79 changes: 79 additions & 0 deletions .github/workflows/governance.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
name: Governance

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: Add an explicit AgilePlus spec reference (for example, spec ID in a comment or workflow metadata) to tie this newly introduced governance automation to an approved spec before implementation. [custom_rule]

Severity Level: Minor ⚠️

Why it matters? 🤔

This is a newly introduced workflow file that adds governance automation, and the file contains no AgilePlus spec reference in metadata or comments. The custom rule requires new work to be tied to an approved spec before implementation, so this is a real violation.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖
This is a comment left during a code review.

**Path:** .github/workflows/governance.yml
**Line:** 1:1
**Comment:**
	*Custom Rule: Add an explicit AgilePlus spec reference (for example, spec ID in a comment or workflow metadata) to tie this newly introduced governance automation to an approved spec before implementation.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
👍 | 👎


on:
push:
branches: [main, master]
pull_request:
branches: [main, master]
schedule:
- cron: "0 6 * * 1"

permissions: read-all

Check warning on line 11 in .github/workflows/governance.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Replace "read-all" with specific permissions (e.g., "contents: read").

See more on https://sonarcloud.io/project/issues?id=KooshaPari_phenoAI&issues=AZ6-miPpA5hZo2luC9FC&open=AZ6-miPpA5hZo2luC9FC&pullRequest=63

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
required-files:
name: Required governance files
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4
- name: Verify required files
run: |
set -e
required=(
"SECURITY.md"
".github/dependabot.yml"
".github/workflows/scorecard.yml"
".editorconfig"
"cliff.toml"
"SSOT.md"
)
missing=0
for f in "${required[@]}"; do
if [ ! -e "$f" ]; then
echo "::error file=$f::Missing required governance file: $f"
missing=1
else
echo "OK: $f"
fi
done
if [ "$missing" -eq 1 ]; then
echo "::error::One or more required governance files are missing."
exit 1
fi

commit-policy:
name: Conventional commit lint
runs-on: ubuntu-latest
continue-on-error: true
steps:
- name: Checkout (shallow)
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4
with:
fetch-depth: 50
- name: Conventional commit check
if: hashFiles('.commitlintrc.json') != ''
uses: wagoid/commitlint-github-action@5a18711fb4551c356c12597d399a82599b8e2a39 # v5
with:
configFile: .commitlintrc.json

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shallow fetch breaks commitlint

Medium Severity

The commit-policy job checks out only fetch-depth: 50 before wagoid/commitlint-github-action, which needs full history to resolve revision ranges; once .commitlintrc.json exists, lint can error or skip commits on larger PRs.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 05b11da. Configure here.

- name: Skip notice
if: hashFiles('.commitlintrc.json') == ''
run: echo "No .commitlintrc.json present; skipping conventional commit lint."

branch-policy:
name: Branch policy
runs-on: ubuntu-latest
steps:
- name: Verify default branch naming
run: |
default=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name 2>/dev/null || echo "main")
case "$default" in
main|master) echo "OK: default branch '$default' is governance-approved" ;;
*) echo "::error::Default branch '$default' is not in the approved set (main, master)"; exit 1 ;;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

API failure bypasses branch check

Medium Severity

In branch-policy, when gh repo view fails, stderr is discarded and the script substitutes main, so the approved-branch check can pass even when the repository default branch is not main or master.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 05b11da. Configure here.

Comment on lines +72 to +76

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Architect Review — HIGH

The branch-policy check treats any gh repo view failure as defaulting to "main" and therefore passes, so branch governance is not actually enforced when the CLI/API/auth lookup fails, creating false-positive compliance instead of a real policy gate.

Suggestion: Fail closed for lookup errors: make branch detection deterministic from repository metadata and only pass when the real default branch is verified as main/master. Keep error and policy-failure paths distinct so transient lookup failures cannot be interpreted as compliant state.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** .github/workflows/governance.yml
**Line:** 72:76
**Comment:**
	*HIGH: The branch-policy check treats any `gh repo view` failure as defaulting to `"main"` and therefore passes, so branch governance is not actually enforced when the CLI/API/auth lookup fails, creating false-positive compliance instead of a real policy gate.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

esac
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
44 changes: 44 additions & 0 deletions ARCHITECTURE.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
# Architecture

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: Move this new Markdown document from the repository root into an approved documentation subdirectory (for example under docs/reference/) because only README.md, CLAUDE.md, and AGENTS.md are allowed as root-level Markdown files. [custom_rule]

Severity Level: Minor ⚠️

Why it matters? 🤔

This file is a new Markdown document created at the repository root. The rule explicitly allows only README.md, CLAUDE.md, and AGENTS.md at the root, so adding ARCHITECTURE.md here violates the repository documentation layout rule.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖
This is a comment left during a code review.

**Path:** ARCHITECTURE.md
**Line:** 1:1
**Comment:**
	*Custom Rule: Move this new Markdown document from the repository root into an approved documentation subdirectory (for example under `docs/reference/`) because only `README.md`, `CLAUDE.md`, and `AGENTS.md` are allowed as root-level Markdown files.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
👍 | 👎


## Overview
- phenoAI is a Rust workspace in the Phenotype ecosystem focused on AI-agent capabilities.
- Stack: Rust (Cargo workspace), Python bindings, with shared Phenotype crates.
- This document is a skeleton; expand with crate-level ownership and boundaries as the workspace evolves.

## Components
## crates/*
- Rust crates implementing the AI agent domain logic, model integrations, and shared utilities.

## python/
- Python bindings and helper modules that wrap the Rust crates for ecosystem consumers.

## ports/
- External port surfaces (CLI, MCP, library) that expose the workspace to other Phenotype projects.

## docs/
- Project documentation: guides, reports, research, reference, checklists (per `AGENTS.md` layout).

## Data flow
```text
external caller (CLI / MCP / Python)
-> ports/ entrypoint
-> crates/* domain logic
-> python/ bindings (optional)
-> external model / storage providers
```

## Key invariants
- Treat crate boundaries as explicit contracts; respect `deny.toml` and `lefthook.yml` quality gates.
- Mirror the Phenotype org scripting policy (Rust default; no new shell scripts).
- Functional requirements in `FUNCTIONAL_REQUIREMENTS.md` MUST be traceable to at least one test.
- Cross-project reuse: prefer extraction into existing shared modules (see `AGENTS.md`).

## Cross-cutting concerns (config, telemetry, errors)
- Config: load via Phenotype shared config patterns.
- Telemetry: propagate structured logs and traces across the workspace.
- Errors: normalize failure handling so port surfaces can report actionable messages.

## Future considerations
- Replace this skeleton with per-crate ownership and a concrete call-graph diagram.
- Capture release and integration assumptions as the workspace evolves (see `PLAN.md`).
- Add startup diagrams for CLI, MCP, and Python-binding paths.
33 changes: 33 additions & 0 deletions SSOT.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
# SSOT — Single Source of Truth (phenoAI)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: Move this new governance document under the approved docs directory structure (for example under docs/) instead of creating it at repository root, since only README.md, CLAUDE.md, and AGENTS.md are allowed as new root Markdown files. [custom_rule]

Severity Level: Minor ⚠️

Why it matters? 🤔

The file is a new Markdown document created at the repository root, and the rule only allows new root Markdown files named README.md, CLAUDE.md, or AGENTS.md. Since this file is SSOT.md, the suggestion correctly identifies a real violation.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖
This is a comment left during a code review.

**Path:** SSOT.md
**Line:** 1:1
**Comment:**
	*Custom Rule: Move this new governance document under the approved docs directory structure (for example under `docs/`) instead of creating it at repository root, since only `README.md`, `CLAUDE.md`, and `AGENTS.md` are allowed as new root Markdown files.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
👍 | 👎


This document records the canonical authority for cross-cutting facts in the
phenoAI repository. When a fact conflicts across docs, the source listed
here wins.

## Scope

| Domain | Authoritative source |
| --- | --- |
| Build & test commands | `justfile` (root) and per-crate `Cargo.toml` |
| Release & versioning | `cliff.toml` + `CHANGELOG.md` (git-cliff generated) |
| Security disclosure process | `SECURITY.md` |
| Dependency updates | `.github/dependabot.yml` |
| Branch & commit policy | `.github/workflows/governance.yml` |
| Repository health score | `.github/workflows/scorecard.yml` (OpenSSF) |
| Editor / formatting baseline | `.editorconfig` |
| Workspace architecture | `PLAN.md` + per-crate `Cargo.toml` |
| Agent operating model | `AGENTS.md` |
| Functional requirements | `FUNCTIONAL_REQUIREMENTS.md` |

## Precedence order

1. Executable config (workflows, `justfile`, `Cargo.toml`, `deny.toml`, `lefthook.yml`) — observed behavior.
2. `*.md` governance files in this SSOT table.
3. `PLAN.md` milestone-level contracts.
4. Anything else.

## Updating this file

- Keep the table narrow and unambiguous.
- Cite the canonical file by path; do not duplicate content.
- Update via a `chore(governance):` commit referencing the change.
Loading