decisions(0019) + docs(specs): non-author reviewer mandatory v0 prebuild (#75) #369

Merged
pdurlej merged 1 commit from claude/fork-C3-governance-non-author-reviewer-mandatory into main 2026-05-23 09:20:05 +02:00

Summary

Fork-C3 prebuild per prompts/fork-dispatch-2026-05-18-retry-batch.md §2.7. Closes the convention→mechanism gap for self-approval surface exposed by PR #319 (2026-05-15) and codifies pyfallow Phase A close-out pattern (operator decision 2026-05-04/05).

Contents

  • decisions/0019-non-author-reviewer-mandatory.md — Proposed ADR (Nygard format, ~230 lines)
  • docs/specs/governance-non-author-reviewer-mandatory-v0/ (6 files, ~1100 lines total):
    • README.md — entry point + safety/production boundary
    • 00-constitution.md — 8 non-negotiable principles
    • 01-specify.md — 10-scenario behavior matrix + 5 acceptance criteria (A1-A5)
    • 02-plan.md — 7 design questions answered + alternatives + risks
    • 03-tasks.md — per-slice breakdown (a operator → b codex → c optional → d claude → e claude)
    • 04-implement-notes.md — Forgejo API patterns + version quirks + cousin email mapping + secret token decision
  • prompts/codex-governance-non-author-reviewer-mandatory.md — codex execution prompt for Slices (b)+(c) with Safety/production boundary, hard gates, stop conditions per ADR-0018

The rule (TL;DR)

Every PR on main requires ≥1 approval from a cousin different than the PR author. Universal floor regardless of size class.

  • Author identity = commit.author.email
  • Approver identity = email of Forgejo Pull Request Review approver
  • {author, approver} cardinality MUST be ≥ 2
  • ADR-0007 risk tiers compose (Trivial/Lite/Full); ADR-0019 sets floor, ADR-0007 sets ceiling
  • Operator is merger, NOT reviewer-of-record
  • Break-glass is operator-only ceremony (§ 7)

Enforcement

  1. Forgejo branch protection on main (≥1 approval, dismiss stale on push) — Slice (a) operator-action
  2. CI workflow non-author-review-check.yml (status check non-author-reviewer / guard) — Slice (b) codex Lite PR

Defense-in-depth pattern from ADR-0017.

Tier

Full per ADR-0007 (new governance ADR). Operator merge only.

Acceptance after rollout

  • 5+ subsequent PRs land with valid non-author approvals
  • state/break-glass-log.jsonl <2 entries per quarter
  • Cross-repo: pyfallow/hermes-agency/iskra-openclaw/kan-ductor configured per § P7
  • After 4 weeks healthy operation: ADR-0019 status moves to "Accepted"

Refs #75, #319 (live evidence), pyfallow Phase A close-out 2026-05-04/05, prompts/fork-dispatch-2026-05-18-retry-batch.md §2.7
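A sketch of the identity comparison the rule describes (commit author emails against review approver emails), added here as an illustration; it is not the project's `non-author-review-check.yml`. The review record fields (`email`, `state`, `stale`, `dismissed`, `submitted_at`), the treatment of every commit author as an author, and the sample addresses are assumptions.

```python
# Added illustration with constructed data. Field names are assumptions,
# not taken from the project's non-author-review-check.yml.

def norm(email):
    """Compare identities case-insensitively, ignoring stray whitespace."""
    return email.strip().lower()

def non_author_approvers(commit_author_emails, reviews):
    """Return approver emails that count toward the non-author floor."""
    authors = {norm(e) for e in commit_author_emails}
    latest = {}
    # Keep only each reviewer's most recent review, so a later
    # REQUEST_CHANGES replaces an earlier APPROVED from the same identity.
    for r in sorted(reviews, key=lambda r: r["submitted_at"]):
        latest[norm(r["email"])] = r
    return sorted(
        email for email, r in latest.items()
        if r["state"] == "APPROVED"
        and not r.get("stale")        # approval predates a later push
        and not r.get("dismissed")
        and email not in authors      # {author, approver} must be 2 identities
    )

def guard(commit_author_emails, reviews):
    """True when at least one valid approval comes from a non-author."""
    if not commit_author_emails:
        return False  # fail closed when authorship cannot be established
    return bool(non_author_approvers(commit_author_emails, reviews))

def review(email, state, at, **flags):
    """Build one constructed review record."""
    return {"email": email, "state": state, "submitted_at": at, **flags}

# Constructed sample input (example.invalid addresses, made-up timestamps).
AUTHORS = ["claude@example.invalid"]
SELF_APPROVAL = [review("Claude@example.invalid", "APPROVED", "2026-01-01T10:00:00Z")]
PEER_APPROVAL = SELF_APPROVAL + [
    review("codex@example.invalid", "APPROVED", "2026-01-01T11:00:00Z")]
STALE_PEER = [
    review("codex@example.invalid", "APPROVED", "2026-01-01T11:00:00Z", stale=True)]
WITHDRAWN = PEER_APPROVAL + [
    review("codex@example.invalid", "REQUEST_CHANGES", "2026-01-01T12:00:00Z")]

if __name__ == "__main__":
    for name, revs in [("self", SELF_APPROVAL), ("peer", PEER_APPROVAL),
                       ("stale", STALE_PEER), ("withdrawn", WITHDRAWN)]:
        print(name, guard(AUTHORS, revs))
```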

decisions(0019) + docs(specs): non-author reviewer mandatory v0 prebuild (#75)
All checks were successful
base-is-main / guard (pull_request) Successful in 1s
canary-required / collect-diff (pull_request) Successful in 4s
patchwarden-pr-sanity / collect-diff (pull_request) Successful in 3s
platformctl plan / auto-apply scope (pull_request) Successful in 21s
canary-required / canary (pull_request) Successful in 13s
patchwarden-pr-sanity / sanity (pull_request) Successful in 20s
1e95285e8e
Per fork-anchor 2026-05-18 retry-batch dispatch (PR #356 §2.7).
Authoring fork: C3 (worktree-isolated per v0.1 pattern).

## ADR-0019 (proposed)

Universal floor: every PR on pdurlej/platform (and downstream
microprojects inheriting platform governance) requires ≥1 approval
from a cousin different than the PR author. Branch protection rule
on main + CI workflow `non-author-review-check.yml` enforces
mechanically. Operator is the merger, not a reviewer-of-record.

Closes the convention→mechanism gap exposed by PR #319 (live
self-approval observed 2026-05-15) and pyfallow Phase A close-out
(operator decision 2026-05-04/05).

ADR-0007 risk tiers compose, not replace:
- Trivial: self-merge invalid; must have non-author approval first
- Lite: 3 reviewers, ≥1 non-author
- Full: full canary 3+3, ≥1 non-author

Break-glass procedure is operator-only ceremony per § 7. Cousins
never invoke break-glass.

## Spec Kit (6 files)

docs/specs/governance-non-author-reviewer-mandatory-v0/:
- README.md — entry point + safety/production boundary
- 00-constitution.md — 8 non-negotiable principles (P1-P8)
- 01-specify.md — acceptance criteria + behavior matrix (10 scenarios)
- 02-plan.md — design decisions (Q1-Q7) + risks + decision queue
- 03-tasks.md — per-slice breakdown (a operator → b codex → c
  optional → d claude → e claude)
- 04-implement-notes.md — Forgejo quirks + API patterns + cousin
  email mapping + secret token decision + validation checklist

## Codex execution prompt

prompts/codex-governance-non-author-reviewer-mandatory.md:
- Safety / production boundary (does NOT authorize branch protection
  changes, production runner, operator PAT usage)
- Pre-flight (worktree pattern per v0.1, identity check)
- Per-slice instructions (b is codex's; c optional; d/e are claude's)
- Hard gates (G-ADR-0018, G-ADR-0019-P3, G-ADR-0019-P6, G-Sacred,
  G-Production-Runner, G-OperatorPAT)
- Stop conditions per ADR-0018 (NO "accept workaround" outcomes)
- Reporting format

## Tier

Full per ADR-0007 (new governance ADR). Operator merge only.

## Constraints honored

- ADR-0017: no stacked PRs (this is a single PR from main)
- ADR-0018: governance philosophy explicitly cited; "accept
  workaround" outcomes rejected
- Sacred path: no modification of policies/sacred-paths.yaml or
  control-plane/platformctl/safety.py in this PR
- Identity isolation: claude author per ADR-0010

Refs #75, #319 (live evidence), pyfallow Phase A close-out
2026-05-04/05, fork-anchor dispatch §2.7
Reference
pdurlej/platform!369