From b5c469072106747afa9af2c6a550c0bc9032c9f2 Mon Sep 17 00:00:00 2001 From: fullsend-code <278716306+fullsend-ai-coder[bot]@users.noreply.github.com> Date: Wed, 24 Jun 2026 14:43:46 +0000 Subject: [PATCH] docs(#1760): add effective_on review checklist to AGENTS.md Add a "Review Checklist for New Policy Rules" section to AGENTS.md with two items: (1) new deny/warn rules must include an effective_on date in their rule data to provide a migration window before enforcement, and (2) new rules must be added to the appropriate collection(s). This ensures the review agent flags missing effective_on dates on future PRs, addressing the gap identified when PR #1736 was merged without one. Closes #1760 --- AGENTS.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/AGENTS.md b/AGENTS.md index a433b40d1..728309bce 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -59,6 +59,17 @@ These files have `effective_on` dates — rules with future dates are warnings, | Add a shared library function | `policy/lib/` (must have test coverage) | | Fetch and parse an OCI blob as JSON | Use `oci.parsed_blob(ref)` from `data.lib.oci`, not `json.unmarshal(ec.oci.blob(ref))` directly. A Regal lint rule (`prefer-parsed-blob`) enforces this. | +## Review Checklist for New Policy Rules + +- **`effective_on` date required:** New deny/warn rules MUST include an + `effective_on` date in their rule data entry (in `example/data/`) to + provide a migration window. Rules without `effective_on` enforce + immediately on deployment, which can break existing builds without + warning. Check that the corresponding rule data file has a future + `effective_on` date for every new rule being added. +- **Collection membership:** New rules must be added to the appropriate + collection(s) in `policy/*/collection/` or they won't be evaluated. + ## PR Conventions Conventional commits are encouraged. Run `make ci` before pushing. CI runs on every PR via
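Review bot: In the first bullet of the new "Review Checklist for New Policy Rules" section, "a future `effective_on` date" has no reference point: future relative to review, to merge, or to the deployment that the same bullet says triggers enforcement? A date one day ahead at review time satisfies the wording and can already have passed by the time the rule is deployed, which is the immediate-enforcement case the bullet warns about. Suggest stating the reference point and a minimum migration window (for example "at least N days after the expected release", with N chosen by the maintainers), and saying what the reviewer should do when the date is missing or too close. The bullet also covers "deny/warn rules", while the context line above the hunk says rules with future dates are warnings; a short clause on what `effective_on` changes for a rule that is already a warn rule would remove that ambiguity. The table row just above notes that a Regal lint rule enforces the `oci.parsed_blob` convention, so consider a follow-up that checks both checklist items (an `effective_on` entry in `example/data/` and membership in `policy/*/collection/`) as part of `make ci` rather than relying on review alone.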