Policy Review Checklist¶
Use this checklist before opening or approving an AI-generated policy change.
Repository facts¶
- [ ] Every layer maps to an existing namespace prefix or documented runtime namespace.
- [ ] Every
external_dependenciesgroup maps to a real vendor/framework namespace or type prefix. - [ ] Every target assembly name is real for the repository being validated.
- [ ]
assembly_search_pathspoint to real build output directories when needed. - [ ]
source_rootsare included when method-body source scanning needs non-default roots.
Contract safety¶
- [ ] Strict contracts pass today or intentionally enforce an accepted no-new-debt gate.
- [ ] Future-state or discovery rules are in audit groups, not strict groups.
- [ ] Allow-only rules are used for pure layers where every first-party dependency should be explicit.
- [ ] Vendor/framework leakage rules use
strict_external/audit_externalinstead of pseudo-layers unless there is a deliberate compatibility reason. - [ ] Ordered layer contracts do not mix broad aggregate layers with overlapping child layers.
- [ ] Module independence rules reflect real module boundaries, not idealized names.
Ignores and debt¶
- [ ] Every
ignored_violationsentry is narrow enough to freeze known debt only. - [ ] Every ignore has a reason with a migration note or issue reference.
- [ ] No ignore uses broad patterns unless a human explicitly accepted that baseline.
- [ ] New violations are not hidden by expanding an unrelated ignore.
- [ ] Generated baselines are reviewed before being committed.
Schema and capability fit¶
- [ ] The policy uses only fields supported by
schema/dependencies.arch.schema.json. - [ ] The policy uses only contract families listed in
archlinternet.capabilities.jsonand public docs. - [ ] No unsupported fields such as
regex,severity,from,to,owner, custom groups, or unsupported namespace pattern syntax were invented. - [ ] Any layer
namespaceusing*uses it as a full segment and still maps to real repeated namespaces in the repository. - [ ] Documentation and sample policy snippets match executable YAML.
Public documentation boundary¶
- [ ] Product usage docs are in the MkDocs public documentation tree.
- [ ] Internal backlog governance, OpenSpec archives, and repository-agent instructions are not linked as product docs.
- [ ] NuGet-facing links point to the public product docs and GitHub repository, not internal Markdown files.
Local validation¶
- [ ] The policy validates against the JSON Schema when a schema validator is available.
- [ ] Strict validation was run locally.
- [ ] Audit validation was run locally if audit rules changed.
- [ ] Any failures are explained in the PR instead of hidden by broad ignores.