# Governance Overview

This is the entrypoint for engineering governance.

## Priority Order (highest to lowest)
1. `governance/agent_policy.yaml` (machine-enforced policy baseline)
2. `governance/reviewguard_policy_draft.yaml` (PR governance enforcement)
3. API contracts:
   - `api/openapi.draft.yaml`
   - `api/asyncapi.draft.yaml`
4. `governance/openapi.spectral.yaml` (OpenAPI lint policy)
5. `governance/Contract_Invariant_Gates.md` (non-negotiable contract checks)
6. `governance/production_enforcement_policy.yaml` (machine-readable production controls)
7. `governance/Contract_Versioning_Policy.md` (contract evolution rules)
8. `governance/CI_Enforcement_Checklist.md` (pipeline gate requirements)
9. `governance/Agent_Enforcement.md` (agent behavior rules)
10. `governance/Coding_Standards.md` (code quality/security style rules)
11. `governance/Testing_Standards.md` (test and acceptance requirements)
12. Security governance:
   - `governance/Security_Threat_Model.md`
   - `governance/Security_Control_Verification.md`
13. `governance/Assumptions_Register.md` (explicit MVP assumptions and re-validation triggers)
14. `operations/Production_Platform_Baseline.md` (required production platform controls and deferred infra decisions)

## Policy Scope
- Contract-first/API-first
- Security and secret handling
- Data integrity and idempotency
- Compatibility/versioning
- Testing and CI gates
- Agent-generated PR requirements

## Change Control
- Governance changes require architecture/security owner review.
- Breaking policy changes must include a rollout note.
- Machine-readable policies should be updated before prose docs.
- Assumptions that affect architecture/contracts/security must be tracked in `governance/Assumptions_Register.md`.
