docs(governance): ratify organization policy and patterns#433
Merged
Flip the four PROPOSED foundational ADRs (meta-repo pattern, zi as canonical plugin manager, Conventional Commits, wiki content-root boundaries) to ACCEPTED, since all are de-facto enforced across the workspace. Record ss-o as decider and add a Decision Authority section to the ADR runbook clarifying who may accept an ADR.
…Rs plus runbooks and instructions Add ADR-0008 (branching model derived from ADR-0007 repo classes, resolving the repos.yml branch-model drift at its source), ADR-0009 (testing/CI scope by repo class), and ADR-0010 (security incident response: SLA, severity targets, escalation, post-incident review). Add paired runbooks (security-incident-response, onboarding, deprecation) and scoped instructions (testing, documentation) operationalizing the new decisions.
…cking Public repos have no private issues; replace the "private issue or maintainer channel" intake step with GitHub repository Security Advisories (draft GHSA), which provides private collaboration, a private fork, and CVE issuance. Also generalize the incident-owner reference from a hardcoded handle to "security contact (currently ss-o)".
ADR-0008: replace per-repo "use judgment" discretion with a canonical per-repo branch-model table that repos.yml derives from, so drift is structurally prevented; record updating CLAUDE.md as a post-acceptance action. ADR-0009: label Conventional-Commits/trailer enforcement as target-state (no live org-wide CI control exists yet), reference rather than restate workflow conventions, and add dependency-scanning (ADR-0004) plus SAST for compiled class-2 tools (ADR-0010). ADR-0010: name GitHub Security Advisories as the private intake/tracking channel, generalize the hardcoded owner to "security contact (currently ss-o)", and keep the severity table canonical here (runbook now references it instead of dupe).
…t determinant Re-verified every repo's branch model via git ls-remote: next exists only on src, wiki, zi, zsh-lint, zsh-eza; all others are main-only. The prior table wrongly listed zd (class 1) as next->main. zd deploys directly from main. This also disproves "branch model follows the class": class 1 and class 2 are each split across next and trunk, so the per-repo table is authoritative and the ADR-0007 class is only an input (it sets the publication boundary and a default).
- Symlink AI instructions to central AGENTS.md to prevent fragmentation
- Apply IDE-agnostic terminology across instructions
- Ratify governance ADRs and align agent personas

Part of Epic ZSH-16.
Summary
Validation
git diff --check