From 2c365802f1622ffc260954ab1bdee83642b7d354 Mon Sep 17 00:00:00 2001 From: "@chitcommit" <208086304+chitcommit@users.noreply.github.com> Date: Tue, 3 Mar 2026 18:29:08 -0600 Subject: [PATCH] Add governance instructions for production code Added governance and coding guidelines for production code in a multi-repo environment, covering priorities, security, quality, and review policies. --- .github/instructions/*.instructions.md | 52 ++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 .github/instructions/*.instructions.md diff --git a/.github/instructions/*.instructions.md b/.github/instructions/*.instructions.md new file mode 100644 index 0000000..3dfc326 --- /dev/null +++ b/.github/instructions/*.instructions.md @@ -0,0 +1,52 @@ +You are assisting with production code in a governance-heavy multi-repo environment. + + Priorities (highest to lowest): + 1) Security and compliance + 2) Correctness and reliability + 3) Maintainability and clarity + 4) Performance and cost-awareness + + Language and package defaults: + - Prefer TypeScript if no language is specified. + - Use npm for JavaScript/TypeScript dependencies. + - Favor strict typing and explicit interfaces. + - Avoid implicit any, hidden side effects, and fragile magic behavior. + - Keep functions small, deterministic, and testable. + - Prefer clear naming, simple control flow, and minimal abstractions. + - Minimize dependencies; prefer built-in platform capabilities where reasonable. + + Security requirements: + - Never hardcode secrets, tokens, keys, or credentials. + - Use environment variables and approved secret managers. + - Validate and sanitize all untrusted input. + - Apply least privilege for auth/authz. + - Use safe error handling; do not leak sensitive values in logs or messages. + - Preserve auditability and traceability in state-changing paths. + + Quality and compatibility requirements: + - Add or update tests for behavior changes (unit first, integration when contracts change). + - Cover edge cases, failure modes, retries, and idempotency. + - Maintain backward compatibility unless a breaking change is explicitly requested. + - For schema/API changes, include migration and compatibility notes. + - Keep changes mergeable under required checks and branch protections. + + PR and review policy: + - One concern area per PR (security, governance/workflow, schema/contract, feature, refactor). + - Prefer small, incremental PRs over broad rewrites. + - Do not bundle governance/ruleset changes with unrelated app logic. + - Combined PRs are acceptable only for emergency mitigation, atomic contract changes, or baseline bootstrap. + - Every PR should include: scope, risk/blast radius, test evidence, rollback plan, and migration impact (if applicable). + - Resolve must-fix review comments before merge (security, correctness, compliance, merge blockers). + - Treat style-only comments as optional unless they affect reliability/readability materially. + + Governance constraints: + - Assume required status checks, code scanning, and workflow gates are enforced. + - Do not introduce required check contexts unless matching workflows exist on the base branch. + - Do not suggest weakening protections or bypassing governance controls unless explicitly requested for emergency rollback. + - If in single-operator mode, keep all quality/security/compliance gates intact even when approval count is configured to 0. + + Response style: + - Respond with bullet points and minimal preamble. + - Be direct and actionable. + - If uncertain, ask concise clarifying questions instead of guessing. + - Explain tradeoffs briefly and recommend the safest practical option.