chore(governance): sync bootstrap registry#6
Conversation
Adds the chittyseed-fractal template as the starter default for every new repo in CHITTYFOUNDATION (and by reference, the same applies to CHITTYOS and chittyapps). Documents the fractal trinity layout (identity / authority / connectivity) as a standards-level requirement alongside the existing P/L/T/E/A ontology and compliance triad. Refs: - https://github.com/chittyfoundation/chittyseed-fractal (the template) - chittycanon://core/services/chittyschema#meta/fractal-layout - chittycanon://core/services/chittyschema#meta/repo-scope Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
📝 WalkthroughWalkthroughThis pull request expands the governance infrastructure by introducing explicit, structured governance policies across multiple files. Changes include defining principal grant structures, refining protected path protections, replacing wildcard repository requirements with per-repository specifications, expanding the rules schema with comprehensive policy controls, and updating documentation with governance standards and templates. Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c0bccac95e
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| "ty": ["chittyos-runtime"], | ||
| "vy": ["cloudflare-workers"], | ||
| "ry": ["service-ops"] |
There was a problem hiding this comment.
repo_requirements.json now mandates TY/RY terms like chittyos-runtime, service-ops, app, and product-delivery for CHITTYOS/* and CHITTYAPPS/*, but no principal in governance/owners.json currently has those grants. Because this file explicitly states CODEOWNERS eligibility depends on satisfying these requirements, these org patterns can end up with zero eligible approvers, making protected PRs effectively unmergeable until matching grants are added or requirements are relaxed.
Useful? React with 👍 / 👎.
|
|
||
| # GitHub workflow protection | ||
| \.github/workflows/pr-governance\.yml$ | ||
| \.github/workflows/governance |
There was a problem hiding this comment.
The protected-path list now only targets pr-governance.yml and workflow names containing governance, while rules.json still declares a blanket workflow restriction (cannot_modify_workflow_files and .github/workflows/**). This mismatch means non-governance workflow files can bypass hook-based protected-path enforcement even though policy says they should be blocked.
Useful? React with 👍 / 👎.
| governance/protected-paths\.txt$ | ||
|
|
||
| # Any file in governance directory | ||
| /governance/[^/]+$ |
There was a problem hiding this comment.
The regex /governance/[^/]+$ does not match common repo-relative paths like governance/new-rule.json (no leading slash) and only matches a single path segment, despite the comment saying it should cover any file in the governance directory. This can leave newly added governance files unprotected unless they are manually listed.
Useful? React with 👍 / 👎.
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 6
🧹 Nitpick comments (1)
governance/schema.json (1)
83-96: Consider adding explicit schema constraints for the unsigned bootstrap state.The schema allows
signed_atandsignatureto benull, which is intentional for the bootstrap "unsigned" state. However, withenforcement.mode === "strict"in production (per governance/rules.json), downstream verifiers should distinguish "unsigned bootstrap" from "signed-and-valid." JSON Schema Draft-07 supportsif/thenconditions; consider adding:"if": { "properties": { "enforcement": { "properties": { "mode": { "const": "strict" } } } } }, "then": { "properties": { "signature": { "type": "string" }, "signed_at": { "type": "string" } } }Alternatively, document the bootstrap waiver explicitly so verifiers don't accidentally accept unsigned rulesets under strict mode.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@governance/schema.json` around lines 83 - 96, The signature object currently allows "signed_at" and "signature" to be null which permits an unsigned bootstrap state; update the JSON Schema (the "signature" definition) to add a Draft-07 conditional that requires non-null string values for "signature" and "signed_at" when enforcement.mode is "strict" (use an "if" that checks properties.enforcement.properties.mode.const === "strict" and a corresponding "then" that sets "signature" and "signed_at" to type "string" and non-null), and ensure this logic ties to the existing enforcement field referenced in governance/rules.json so verifiers can distinguish unsigned bootstrap vs signed-and-valid states.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@governance/owners.json`:
- Around line 189-206: The two `@CHITTYOS` principals ("@CHITTYOS/cicd-admins" and
"@CHITTYOS/developers") have empty ty/vy/ry claims (and chittyid set to
"PENDING-MINT"), causing eligibility gaps for CHITTYOS/* and CHITTYAPPS/* repos
and a SPOF on chittyid for "@nickbianchi"; either (A) immediately populate the
ty/vy/ry arrays for "@CHITTYOS/cicd-admins" and/or "@CHITTYOS/developers" to
include the required terms (e.g., add "chittyos-runtime" to ty,
"cloudflare-workers" to vy, and "service-ops" to ry) and mint the chittyid
(replace "PENDING-MINT" with the real id) or (B) narrow the enforcement scope
(the rule "codeowners_required.enforcement" and/or the org list in repo
requirements) to exclude CHITTYOS/CHITTYAPPS until those grants are populated;
also remove the single-approver SPOF by granting "@chitcommit" (or another
principal) the missing identity/crypto/mint/sign/audit terms so chittyid repos
no longer rely solely on "@nickbianchi".
In `@governance/protected-paths.txt`:
- Around line 33-34: The glob/regex pattern string `\.claude/settings.*\.json$`
overmatches because the dot before the variant is unescaped and `.*` allows
slashes; update the pattern so the dot is literal and the variant is restricted
to a filename segment (e.g. replace `\.claude/settings.*\.json$` with a pattern
that uses `\.` and a non-slash class like `\.[^/]+\.json$`) to match only files
like `.claude/settings.local.json` and not nested paths or concatenated names.
- Around line 20-21: The pattern "/governance/[^/]+$" is unmatchable against
relative paths; replace it with "governance/[^/]+$" (no leading slash) so git
diff --name-only results like "governance/new-file.json" will match; update the
entry in the protected-paths list to match the style of the other entries (e.g.,
governance/sign-rules\.sh$) to ensure the broad catch-all for top-level files
under governance is enforced.
In `@governance/repo_requirements.json`:
- Around line 5-43: The JSON lacks a fallback, a tier-1 definition, and a
documented glob precedence: add either a catch-all entry (repo "*/*") with
explicit default "requires" to define fail-open vs fail-closed behavior or add a
clear "notes" section that documents the fallback behavior; add an explicit tier
1 entry (or a "notes" line explaining why tier 1 is intentionally reserved) so
tiers are contiguous or purposely gapped; and add a glob precedence rule in the
schema/notes (e.g., "most-specific wins" or "first-match wins" and whether
explicit repo entries override wildcards) so resolution between entries like
"CHITTYOS/critical-service" and "CHITTYOS/*" is deterministic.
In `@governance/rules.json`:
- Around line 89-90: The rule uses "required_reviewers":
["@CHITTYOS/governance"] but that team/principal is not declared in
governance/owners.json, which will block PRs touching protected paths due to
protected_files with enforcement.mode: "strict" and allow_admin_bypass: false;
either add an entry for the principal "@CHITTYOS/governance" in
governance/owners.json (and ensure the corresponding GitHub team exists) or
change required_reviewers in governance/rules.json to an existing principal
(e.g., "@chitcommit" or "@nickbianchi") so the required reviewer is valid;
update the required_reviewers array in governance/rules.json or add the
principal object in governance/owners.json accordingly.
In `@profile/README.md`:
- Around line 38-52: Update the README to make the "fractal trinity layout"
description consistent by listing exactly three pillars (identity / authority /
connectivity) wherever "Fractal trinity layout" appears; remove "scopes" from
the trinity bullet and instead reference scope.json as the separate manifest
(keep mention of scope.json and the starter template chittyseed-fractal, and
ensure the validation contract
chittycanon://core/services/chittyschema#meta/fractal-layout and package.json
scripts validate:fractal and certify remain accurate).
---
Nitpick comments:
In `@governance/schema.json`:
- Around line 83-96: The signature object currently allows "signed_at" and
"signature" to be null which permits an unsigned bootstrap state; update the
JSON Schema (the "signature" definition) to add a Draft-07 conditional that
requires non-null string values for "signature" and "signed_at" when
enforcement.mode is "strict" (use an "if" that checks
properties.enforcement.properties.mode.const === "strict" and a corresponding
"then" that sets "signature" and "signed_at" to type "string" and non-null), and
ensure this logic ties to the existing enforcement field referenced in
governance/rules.json so verifiers can distinguish unsigned bootstrap vs
signed-and-valid states.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 3f1ce361-9948-4374-8d74-d1c7404e70f2
📒 Files selected for processing (6)
governance/owners.jsongovernance/protected-paths.txtgovernance/repo_requirements.jsongovernance/rules.jsongovernance/schema.jsonprofile/README.md
| { | ||
| "github": "@CHITTYOS/cicd-admins", | ||
| "chittyid": "PENDING-MINT", | ||
| "entity_type": "A", | ||
| "roles": ["cicd-admins", "workflow-owners"], | ||
| "ty": { "given": [], "earned": [] }, | ||
| "vy": { "given": [], "earned": [] }, | ||
| "ry": { "given": [], "earned": [] } | ||
| }, | ||
| { | ||
| "github": "@CHITTYOS/developers", | ||
| "chittyid": "PENDING-MINT", | ||
| "entity_type": "A", | ||
| "roles": ["default-owners"], | ||
| "ty": { "given": [], "earned": [] }, | ||
| "vy": { "given": [], "earned": [] }, | ||
| "ry": { "given": [], "earned": [] } | ||
| } |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Confirm whether anything else (e.g., a tools/script) populates team grants at runtime
# or whether owners.json is the sole source of truth for eligibility.
rg -nP -C3 'cicd-admins|chittyos-runtime|service-ops|product-delivery'
fd -t f 'owners.json|repo_requirements.json'Repository: chittyfoundation/.github
Length of output: 1617
🏁 Script executed:
cat -n governance/owners.json | sed -n '197,210p'Repository: chittyfoundation/.github
Length of output: 439
🏁 Script executed:
cat -n governance/rules.json | head -50Repository: chittyfoundation/.github
Length of output: 1891
🏁 Script executed:
rg -l 'grant|owner|chittyid' --type py --type js --type ts | head -20Repository: chittyfoundation/.github
Length of output: 216
🏁 Script executed:
rg -i 'populate|bootstrap|grant|eligible' --type-list | head -5
fd -t f '\.(sh|py|js|ts|yaml|yml|json)$' | xargs rg -l 'populate.*grant|grant.*populate|bootstrap' 2>/dev/null | head -10Repository: chittyfoundation/.github
Length of output: 457
🏁 Script executed:
cat -n governance/rules.json | sed -n '40,100p'Repository: chittyfoundation/.github
Length of output: 2310
🏁 Script executed:
rg -i 'bootstrap|pending|mint|rollout|phase' governance/ --type json | head -20Repository: chittyfoundation/.github
Length of output: 420
🏁 Script executed:
fd . -type f \( -name '*.sh' -o -name '*.py' -o -name '*.js' -o -name '*.ts' \) | head -20Repository: chittyfoundation/.github
Length of output: 238
🏁 Script executed:
rg 'populate|grant|eligible|bootstrap' --type json governance/ -A2 -B2Repository: chittyfoundation/.github
Length of output: 7599
🏁 Script executed:
cat governance/owners.json | jq '.principals[] | select(.github == "@nickbianchi" or .github == "@chitcommit") | {github, ty, vy, ry}' 2>/dev/nullRepository: chittyfoundation/.github
Length of output: 5598
Eligibility gaps deadlock PRs in CHITTYOS/ and CHITTYAPPS/ repos; SPOF risk on @nickbianchi for chittyid.**
Cross-checking against governance/repo_requirements.json:
| Repo pattern | Requires (ty / vy / ry) | Eligible principal? |
|---|---|---|
CHITTYFOUNDATION/chittycanon |
canon, ontology, governance / cloudflare-workers, github-actions / trust-anchor, portfolio-policy |
✅ @chitcommit, @nickbianchi |
CHITTYFOUNDATION/chittyid |
identity, crypto, governance / cloudflare-workers / mint, sign, audit |
@nickbianchi (SPOF) |
CHITTYOS/* |
chittyos-runtime / cloudflare-workers / service-ops |
❌ None — both team entries have empty ty/vy/ry |
CHITTYAPPS/* |
app / cloudflare-workers / product-delivery |
❌ None |
With governance/rules.json set to codeowners_required.enforcement: "block" and require_code_owner_reviews: true across all scoped organizations (including CHITTYOS and CHITTYAPPS), no PR can merge in CHITTYOS/CHITTYAPPS repos: no CODEOWNER principal satisfies the eligibility requirements, so the block cannot be cleared.
Option 1 (immediate fix): Populate @CHITTYOS/cicd-admins and @CHITTYOS/developers grants with the required chittyos-runtime / cloudflare-workers / service-ops terms.
Option 2 (intentional bootstrap scope): Narrow governance/rules.json scope.organizations and/or governance/repo_requirements.json to CHITTYFOUNDATION only for now, with documented rollout sequence for tier 2/3 repos.
Also address the chittyid SPOF: @nickbianchi is the sole eligible approver. Grant @chitcommit (or another principal) the identity, crypto, mint, sign, audit terms to avoid approval bottleneck.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@governance/owners.json` around lines 189 - 206, The two `@CHITTYOS` principals
("@CHITTYOS/cicd-admins" and "@CHITTYOS/developers") have empty ty/vy/ry claims
(and chittyid set to "PENDING-MINT"), causing eligibility gaps for CHITTYOS/*
and CHITTYAPPS/* repos and a SPOF on chittyid for "@nickbianchi"; either (A)
immediately populate the ty/vy/ry arrays for "@CHITTYOS/cicd-admins" and/or
"@CHITTYOS/developers" to include the required terms (e.g., add
"chittyos-runtime" to ty, "cloudflare-workers" to vy, and "service-ops" to ry)
and mint the chittyid (replace "PENDING-MINT" with the real id) or (B) narrow
the enforcement scope (the rule "codeowners_required.enforcement" and/or the org
list in repo requirements) to exclude CHITTYOS/CHITTYAPPS until those grants are
populated; also remove the single-approver SPOF by granting "@chitcommit" (or
another principal) the missing identity/crypto/mint/sign/audit terms so chittyid
repos no longer rely solely on "@nickbianchi".
| # Any file in governance directory | ||
| /governance/[^/]+$ |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Confirm how protected-paths.txt is consumed and what string the regex is matched against
# (path is typically a relative repo path with no leading slash).
rg -nP -C3 'protected[-_]paths' --type=py --type=ts --type=js --type=sh
rg -nP -C3 -g 'block-governance-edits.*' '.'Repository: chittyfoundation/.github
Length of output: 365
🏁 Script executed:
#!/bin/bash
# First, let's see the actual file and its structure
echo "=== Content of protected-paths.txt ==="
find . -name "protected-paths.txt" -type fRepository: chittyfoundation/.github
Length of output: 139
🏁 Script executed:
#!/bin/bash
# Search for all references to 'protected-paths' or 'block-governance' without file type restrictions
echo "=== Searching for protected-paths references ==="
rg -i 'protected.?paths' -l
echo ""
echo "=== Searching for block-governance references ==="
rg -i 'block.?governance' -lRepository: chittyfoundation/.github
Length of output: 229
🏁 Script executed:
#!/bin/bash
# Look for any files in governance directory and GitHub workflows that might reference protected paths
echo "=== Files in governance and .github directories ==="
find . -path "./governance/*" -type f | head -20
find . -path "./.github/*" -type f | head -20Repository: chittyfoundation/.github
Length of output: 511
🏁 Script executed:
#!/bin/bash
# Read the protected-paths.txt file with line numbers to see lines 20-21
echo "=== governance/protected-paths.txt ==="
cat -n ./governance/protected-paths.txtRepository: chittyfoundation/.github
Length of output: 1239
🏁 Script executed:
#!/bin/bash
# Read the pr-governance.yml workflow which likely uses this file
echo "=== .github/workflows/pr-governance.yml ==="
cat ./.github/workflows/pr-governance.ymlRepository: chittyfoundation/.github
Length of output: 5759
Leading slash makes the "any file in governance directory" pattern unmatchable.
Every other entry in this file is written relative to the repository root without a leading slash (e.g., governance/sign-rules\.sh$, \.claude/hooks/). This entry uses /governance/[^/]+$, which against a relative path like governance/new-file.json will never match (no / precedes governance). The result is that the broad "catch any new top-level file under governance/" protection silently does nothing — only the explicitly enumerated files on Lines 9–18 are covered, leaving any newly added governance file unprotected until someone updates this list.
The workflow uses git diff --name-only to generate relative paths, then matches them with grep -qE against these patterns. The leading slash in the pattern prevents it from ever matching.
🛡️ Proposed fix
-# Any file in governance directory
-/governance/[^/]+$
+# Any file in governance directory
+governance/[^/]+$📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # Any file in governance directory | |
| /governance/[^/]+$ | |
| # Any file in governance directory | |
| governance/[^/]+$ |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@governance/protected-paths.txt` around lines 20 - 21, The pattern
"/governance/[^/]+$" is unmatchable against relative paths; replace it with
"governance/[^/]+$" (no leading slash) so git diff --name-only results like
"governance/new-file.json" will match; update the entry in the protected-paths
list to match the style of the other entries (e.g., governance/sign-rules\.sh$)
to ensure the broad catch-all for top-level files under governance is enforced.
| # Settings protection (prevents disabling hooks) | ||
| \.claude/settings.*\.json$ |
There was a problem hiding this comment.
Unescaped . in settings glob can over-match.
\.claude/settings.*\.json$ leaves the . between settings and * unescaped, so the literal-looking settings.*.json actually matches paths such as .claude/settingsXYZanything.json and even nested paths like .claude/settings/foo/bar.json (because . matches /). The intent appears to be “files like .claude/settings.local.json, .claude/settings.ci.json, etc.” — anchor the variant explicitly.
♻️ Proposed fix
-\.claude/settings.*\.json$
+\.claude/settings(\.[^/]+)?\.json$📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # Settings protection (prevents disabling hooks) | |
| \.claude/settings.*\.json$ | |
| # Settings protection (prevents disabling hooks) | |
| \.claude/settings(\.[^/]+)?\.json$ |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@governance/protected-paths.txt` around lines 33 - 34, The glob/regex pattern
string `\.claude/settings.*\.json$` overmatches because the dot before the
variant is unescaped and `.*` allows slashes; update the pattern so the dot is
literal and the variant is restricted to a filename segment (e.g. replace
`\.claude/settings.*\.json$` with a pattern that uses `\.` and a non-slash class
like `\.[^/]+\.json$`) to match only files like `.claude/settings.local.json`
and not nested paths or concatenated names.
| "repos": [ | ||
| { | ||
| "repo": "*/*", | ||
| "repo": "CHITTYFOUNDATION/chittycanon", | ||
| "tier": 0, | ||
| "requires": { | ||
| "ty": ["canon", "ontology", "governance"], | ||
| "vy": ["cloudflare-workers", "github-actions"], | ||
| "ry": ["trust-anchor", "portfolio-policy"] | ||
| } | ||
| }, | ||
| { | ||
| "repo": "CHITTYFOUNDATION/chittyid", | ||
| "tier": 0, | ||
| "requires": { | ||
| "ty": ["identity", "crypto", "governance"], | ||
| "vy": ["cloudflare-workers"], | ||
| "ry": ["mint", "sign", "audit"] | ||
| } | ||
| }, | ||
| { | ||
| "repo": "CHITTYOS/*", | ||
| "tier": 2, | ||
| "requires": { | ||
| "ty": ["chittyos-runtime"], | ||
| "vy": ["cloudflare-workers"], | ||
| "ry": ["service-ops"] | ||
| } | ||
| }, | ||
| { | ||
| "repo": "CHITTYAPPS/*", | ||
| "tier": 3, | ||
| "requires": { "ty": [], "vy": ["cloudflare-workers"], "ry": [] } | ||
| "requires": { | ||
| "ty": ["app"], | ||
| "vy": ["cloudflare-workers"], | ||
| "ry": ["product-delivery"] | ||
| } | ||
| } | ||
| ] | ||
| } |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Inspect the consumer that resolves repo -> requires to learn its non-match behavior
# and precedence handling.
rg -nP -C3 'repo_requirements|requires\.(ty|vy|ry)' --type=py --type=ts --type=js --type=shRepository: chittyfoundation/.github
Length of output: 216
🏁 Script executed:
# Search for files mentioning repo_requirements without restrictive type filters
rg -l 'repo_requirements' --max-count=20Repository: chittyfoundation/.github
Length of output: 50
🏁 Script executed:
# Explore governance directory structure
ls -la governance/ 2>/dev/null || echo "governance dir not found"Repository: chittyfoundation/.github
Length of output: 502
🏁 Script executed:
# Find all code files that might consume config files
fd -e ts -e js -e py -e sh . --max-depth=3 | head -20Repository: chittyfoundation/.github
Length of output: 50
🏁 Script executed:
# Check rules.json to validate organization scope mentioned in review
cat governance/rules.json 2>/dev/null | head -100Repository: chittyfoundation/.github
Length of output: 2986
🏁 Script executed:
# Read the complete repo_requirements.json file
cat governance/repo_requirements.jsonRepository: chittyfoundation/.github
Length of output: 1164
🏁 Script executed:
# Read the schema.json to understand tier definitions and resolver semantics
cat governance/schema.jsonRepository: chittyfoundation/.github
Length of output: 2961
🏁 Script executed:
# Search for any code that might parse/consume repo_requirements (broader search)
rg 'repo_requirements|tier.*requires|requires.*tier' -i --max-count=30Repository: chittyfoundation/.github
Length of output: 50
Unmatched repos and tier 1 have no defined behavior; precedence for glob patterns is undocumented.
Three issues to address before merging:
-
Unmatched repo fallback is unspecified. When a repository doesn't match any of the four entries (
CHITTYFOUNDATION/chittycanon,CHITTYFOUNDATION/chittyid,CHITTYOS/*,CHITTYAPPS/*), the file provides norequiresand the notes don't specify what happens next. This leaves the resolver in ambiguity: fail-open (any CODEOWNER passes, weakening governance) or fail-closed (no one eligible, deadlocking PRs). Either restore a*/*catch-all with explicit defaults, or update notes to document the fallback behavior. -
Tier 1 is missing. Tiers jump 0 → 2 → 3; tier 1 is never defined. If this gap is intentional, add a
notes:clarification. If it's an oversight, add a tier 1 entry or document why it's reserved. -
No documented precedence for glob patterns. Once a more-specific entry like
CHITTYOS/critical-servicecoexists withCHITTYOS/*, the resolver must know whether most-specific wins or first-match wins. Add a precedence rule to the schema ornotes:.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@governance/repo_requirements.json` around lines 5 - 43, The JSON lacks a
fallback, a tier-1 definition, and a documented glob precedence: add either a
catch-all entry (repo "*/*") with explicit default "requires" to define
fail-open vs fail-closed behavior or add a clear "notes" section that documents
the fallback behavior; add an explicit tier 1 entry (or a "notes" line
explaining why tier 1 is intentionally reserved) so tiers are contiguous or
purposely gapped; and add a glob precedence rule in the schema/notes (e.g.,
"most-specific wins" or "first-match wins" and whether explicit repo entries
override wildcards) so resolution between entries like
"CHITTYOS/critical-service" and "CHITTYOS/*" is deterministic.
| "required_reviewers": ["@CHITTYOS/governance"], | ||
| "minimum_approvals": 2 |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Confirm the team is not declared anywhere else in the repo.
rg -nP -C2 '@?CHITTYOS/governance\b'
fd -t f 'CODEOWNERS'Repository: chittyfoundation/.github
Length of output: 323
🏁 Script executed:
cat governance/owners.jsonRepository: chittyfoundation/.github
Length of output: 7266
🏁 Script executed:
cat governance/rules.json | head -40Repository: chittyfoundation/.github
Length of output: 1177
🏁 Script executed:
sed -n '50,100p' governance/rules.jsonRepository: chittyfoundation/.github
Length of output: 1545
🏁 Script executed:
head -30 governance/rules.jsonRepository: chittyfoundation/.github
Length of output: 783
🏁 Script executed:
rg -n 'enforcement\.mode|allow_admin_bypass' governance/rules.jsonRepository: chittyfoundation/.github
Length of output: 104
🏁 Script executed:
sed -n '110,125p' governance/rules.jsonRepository: chittyfoundation/.github
Length of output: 365
required_reviewers references a team not declared in governance/owners.json.
"required_reviewers": ["@CHITTYOS/governance"] requires review by a non-existent principal. The protected_files rule applies to governance/**, .github/workflows/**, *.config.{js,ts}, lockfiles, .env*, secrets/**, and migrations/**. With enforcement.mode: "strict" and allow_admin_bypass: false, any PR touching these paths (including this one, which modifies governance/**) will be blocked unless the team exists and approves.
Either:
- add
@CHITTYOS/governanceas a principal ingovernance/owners.jsonand ensure the GitHub team exists, or - replace it with an existing principal (e.g.,
@chitcommit,@nickbianchi).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@governance/rules.json` around lines 89 - 90, The rule uses
"required_reviewers": ["@CHITTYOS/governance"] but that team/principal is not
declared in governance/owners.json, which will block PRs touching protected
paths due to protected_files with enforcement.mode: "strict" and
allow_admin_bypass: false; either add an entry for the principal
"@CHITTYOS/governance" in governance/owners.json (and ensure the corresponding
GitHub team exists) or change required_reviewers in governance/rules.json to an
existing principal (e.g., "@chitcommit" or "@nickbianchi") so the required
reviewer is valid; update the required_reviewers array in governance/rules.json
or add the principal object in governance/owners.json accordingly.
| - Fractal trinity layout: identity / authority / connectivity / scopes (see template below) | ||
| - Reusable CI via [centralized workflows](.github/workflows/) | ||
| - Claude-powered code review + governance checks | ||
|
|
||
| ## Starter Template (BINDING for new repos) | ||
|
|
||
| **[chittyseed-fractal](https://github.com/chittyfoundation/chittyseed-fractal)** — every new ChittyOS repo MUST start from this template. Click "Use this template" on the GitHub repo page, or run: | ||
|
|
||
| ```bash | ||
| gh repo create CHITTYFOUNDATION/<your-service> --template chittyfoundation/chittyseed-fractal --public | ||
| ``` | ||
|
|
||
| The template encodes the fractal trinity layout (identity / authority / connectivity), provides the standard `scope.json` manifest, CHARTER/CHITTY/CLAUDE templates, package.json with `validate:fractal` + `certify` scripts, and a CI workflow that gates merges on fractal-layout compliance. | ||
|
|
||
| Validation contract: `chittycanon://core/services/chittyschema#meta/fractal-layout` |
There was a problem hiding this comment.
Inconsistent description of the “fractal trinity layout.”
Line 38 describes the trinity as four elements: identity / authority / connectivity / scopes, while the new starter-template section on Line 50 describes it as three: identity / authority / connectivity. Since “trinity” explicitly means three, and scope.json is called out separately as the manifest, the bullet on Line 38 reads as if scopes is a fourth pillar of the trinity. Recommend reconciling so both spots state the same canonical decomposition.
📝 Suggested wording change
-- Fractal trinity layout: identity / authority / connectivity / scopes (see template below)
+- Fractal trinity layout: identity / authority / connectivity, declared via `scope.json` (see template below)🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@profile/README.md` around lines 38 - 52, Update the README to make the
"fractal trinity layout" description consistent by listing exactly three pillars
(identity / authority / connectivity) wherever "Fractal trinity layout" appears;
remove "scopes" from the trinity bullet and instead reference scope.json as the
separate manifest (keep mention of scope.json and the starter template
chittyseed-fractal, and ensure the validation contract
chittycanon://core/services/chittyschema#meta/fractal-layout and package.json
scripts validate:fractal and certify remain accurate).
1 participant
Sync governance registry + repo requirements for bootstrap tiered enforcement.\n\n- Publishes updated owners/repo_requirements (given TY/VY/RY grants)\n- Updates rules/schema/protected paths for Governance workflow consumers\n- Note: rules.json remains unsigned; Tier 0/1 will still require signing.
Summary by CodeRabbit
Release Notes
New Features
Chores