
Commit 53d8dc7

committed
saving decisions on auto-labeling
1 parent 81675e9 commit 53d8dc7

1 file changed: 36 additions & 0 deletions

File: .squad/decisions/decisions.md

(Gutter columns below: original file line number | diff line number | diff line change)
@@ -4,6 +4,42 @@ All architectural and implementation decisions for apiops-cli.
44

55
---
66

7+
### 2026-05-15: Two-Tier Auto-Labeling Policy
8+
**Decided by:** Elizabeth Maher (maintainer)
9+
**Proposed by:** SecurityExpert
10+
**Status:** Approved
11+
**Scope:** Branch maintenance plan, workflow automation policy
12+
13+
**Summary:** Replace blanket "no auto-labeling" ban with two-tier auto-labeling policy:
14+
15+
**Tier 1 (Informational labels) — MAY be auto-applied:**
16+
- `question`, `bug`, `feature-request`, `documentation`, `duplicate`
17+
18+
**Tier 2 (Policy labels) — MUST remain human-only:**
19+
- `squad:*` (agent routing), `go:*` (action states), `priority:*` (severity/urgency), `override:*` (governance overrides), `needs-human-review` (escalation), `external-contribution` (provenance tracking)
20+
21+
**Why:** Tier-1 labels are purely informational, content-based only, cannot trigger workflows. Tier-2 labels control routing, priority, and governance — require strict human control. Required guardrails for Tier-1: content-only triggers, no workflow triggers, dedicated bot permissions, circuit breaker, human override, audit logging.
22+
23+
**Implementation:** Updated `cli-investigations/branch-maintenance-plan.adoc` (6 sections: auto-labeling policy, guardrails, decision authority table split, human-only actions list, safety gates, appendix C).
24+
25+
---
26+
27+
### 2026-05-15: Maintainer-Only Access to `.squad/` Files
28+
**Proposed by:** SecurityExpert
29+
**Status:** Approved
30+
**Scope:** Squad governance protection
31+
32+
**Summary:** ONLY repository owners and maintainers may modify ANY files under `.squad/`. Applies to external contributors, internal collaborators, bots, and AI agents.
33+
34+
**Why:** `.squad/` directory contains sensitive configuration controlling agent routing, team structure, constitution, decisions, and ceremonies. Compromise could allow rerouting security-sensitive work, weakening code review, deleting decision history, or modifying agent charters. Defense against insider threats — common attack vector in open source.
35+
36+
**Implementation:**
37+
- Add `/.squad/ @Azure/apiops-maintainers` to CODEOWNERS
38+
- Require 2 maintainer approvals for ANY `.squad/` change in branch ruleset
39+
- No bypass allowed (even for admins)
40+
41+
---
42+
743
### 2026-04-29: CLI version uses package.json as single source of truth via ESM import attributes
844
**By:** NodeJsDev
945
**Status:** Implemented
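Review bot: the CODEOWNERS line and the two-approval ruleset in the "Maintainer-Only Access to `.squad/` Files" entry (`Add /.squad/ @Azure/apiops-maintainers to CODEOWNERS`, `Require 2 maintainer approvals for ANY .squad/ change in branch ruleset`, `No bypass allowed (even for admins)`) only enforce anything if the ruleset also requires review from code owners, sets the approval count, and denies bypass for apps and bots as well as admins; the entry does not say whether that ruleset exists yet, and this very commit changes `.squad/decisions/decisions.md` under whatever rules were in place before, so the Implementation list should state when the ruleset takes effect and that the decision is not self-enforcing until then. Two smaller points: the Tier-1 rationale states those labels "cannot trigger workflows", but a label is inert only if no workflow listens on the `labeled` activity type without filtering on the label name, so the "no workflow triggers" guardrail should be written as something enforced (a label-name filter in every `issues`/`pull_request` workflow that reacts to `labeled`) rather than as an inherent property of `question`/`bug`/`feature-request`/`documentation`/`duplicate`; and the second entry lacks the `**Decided by:**` field the first entry carries, while the existing 2026-04-29 entry uses `**By:**`, so pick one field set for all three entries.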
