Use when you have a written implementation plan to execute in a separate session with review checkpoints
wolf-governance
2
0
# Install this skill:
npx skills add Nice-Wolf-Studio/wolf-skills-marketplace --skill "wolf-governance"
Install specific skill from multi-skill repository
# Description
Wolf's governance framework, compliance rules, quality gates, and process standards
# SKILL.md
name: wolf-governance
description: Wolf's governance framework, compliance rules, quality gates, and process standards
version: 1.2.0
triggers:
- "governance"
- "compliance"
- "quality gates"
- "process rules"
- "approval requirements"
Wolf Governance Skill
This skill provides access to Wolf's governance framework, including compliance requirements, quality gates, approval hierarchies, and process standards refined over 50+ phases of development.
When to Use This Skill
- REQUIRED before making architectural or process changes
- When checking compliance requirements for work
- For understanding approval and review requirements
- When determining quality gates that must pass
- For escalation and authority questions
Core Governance Framework
The Four Pillars (Canon Charter)
All governance decisions are evaluated against these foundational principles:
- Portability π
- Cross-environment compatibility
- System adaptability
- Platform independence
-
Provider agnosticism
-
Reproducibility π
- Consistent outcomes
- Predictable behavior
- Deterministic processes
-
Verifiable results
-
Safety π‘οΈ
- Risk mitigation
- Secure operations
- Fail-safe mechanisms
-
Progressive validation
-
Research Value π¬
- Scientific methodology
- Knowledge advancement
- Evidence-based decisions
- Learning capture
Authority Structure
Decision Authority Hierarchy
Code Reviewers:
- Final merge authority
- Architectural decisions
- Technical standards
- Pattern enforcement
PM Agents:
- Requirements authority
- Prioritization decisions
- Workflow coordination
- Release sign-off
Specialist Roles:
- Domain expertise
- Comment-only reviews
- Advisory input
- Escalation triggers
Implementers:
- Cannot merge own PRs
- Cannot bypass gates
- Cannot grant exceptions
- Must follow process
Separation of Concerns
MANDATORY: No agent can approve their own work
- Implementers β Reviewers
- Reviewers β Different reviewer for meta-reviews
- PM defines requirements β Cannot implement
- Security can block any change
Quality Gates
Definition of Done (DoD)
MUST have (blocking):
- β
All tests passing
- β
Code review approved
- β
Documentation updated
- β
Journal entry created
- β
CI/CD checks green
- β
Proper Git/GitHub workflow followed
- Feature branch used (never main/master/develop)
- Draft PR created at task start (not task end)
- No direct commits to default branches
- Project conventions respected (templates, naming)
- Prefer gh CLI over git commands where available
- β
PR is appropriately sized (incremental PR strategy)
- <500 lines of actual code (excluding tests/docs)
- <30 files changed
- Provides stand-alone value (can merge without breaking main)
- Can be explained in 2 sentences (clear, focused scope)
- Can be reviewed in <1 hour
- If multi-PR feature: Sequence documented in first PR
- Reference: wolf-workflows/incremental-pr-strategy.md
SHOULD have (strong recommendation):
- π Performance benchmarks met
- π Security scan clean
- βΏ Accessibility validated
- π Metrics improved
MAY have (optional):
- π¨ UI/UX review
- π Internationalization
- π± Mobile testing
Two-Tier Test Pipeline
Fast-Lane (5-10 minutes)
Purpose: Rapid iteration and basic validation
Requirements:
- Linting: Max 5 errors allowed
- Unit tests: 60% coverage minimum
- Critical integration tests pass
- Security: 0 critical, β€5 high vulnerabilities
- Smoke tests: Core services start
Full-Suite (30-60 minutes)
Purpose: Production readiness validation
Requirements:
- E2E tests: 90% success rate
- Performance: Score β₯70/100
- Security: Score β₯80/100
- Cross-platform: Node 18/20/21 compatible
- Migration: Rollback procedures tested
Good/Bad Examples: Definition of Done
Example 1: Feature Pull Request
PR #456: Add user authentication
β
All MUST-have items complete:
- Tests: 47 tests passing (unit + integration + E2E)
- Fast-Lane: β
8min, 0 linting errors, 85% coverage
- Full-Suite: β
45min, 95% E2E success, perf 75/100, security 85/100
- Review: Approved by @code-reviewer-agent (not self-approved)
- Documentation:
- README.md updated with auth setup instructions
- API.md documents new endpoints
- CHANGELOG.md entry added
- Journal: 2025-11-14-user-authentication.md created
- Problems: OAuth token refresh edge case
- Decisions: Chose JWT over sessions for scalability
- Learnings: Auth middleware testing patterns
- CI: All checks green β
β
SHOULD-have items addressed:
- Performance: Login latency <200ms (target: <300ms) β
- Security: OAuth2 threat model documented, scan clean β
- Metrics: Login success rate tracking added β
Assessment: Meets Definition of Done. β
Ready to merge.
PR #457: Fix login bug
β Missing MUST-have items:
- Tests: "Tests pass on my machine" (no CI evidence)
- Fast-Lane: Not run
- Full-Suite: Skipped "to save time"
- Review: Self-approved "since it's urgent"
- Documentation: "Will update later"
- Journal: No entry created
- CI: Checks failing (linting errors, 2 test failures)
β Governance violations:
- Merged own PR (violates separation of concerns)
- Skipped quality gates "because it's a hotfix"
- No root cause analysis (reliability-fixer archetype requirement)
- No regression test added
Assessment: Does NOT meet Definition of Done. β Should be reverted and reworked.
Why this is wrong:
- Hotfixes still require governance (use expedited review, not no review)
- Self-approval violates authority structure
- Skipping tests means bug might not actually be fixed
- No journal = no learning capture = problem will recur
Example 2: Security Change
PR #789: Implement rate limiting
β
Security-hardener archetype requirements:
- Threat Model: docs/security/rate-limiting-threats.md
- Attack vectors documented
- Mitigation strategies defined
- Residual risks assessed
- Security Scan: β
0 critical, 2 high (false positives documented)
- Penetration Test: Manual testing results in journal
- Defense-in-Depth: Multiple layers (IP-based, user-based, endpoint-based)
β
Standard DoD:
- Tests: Rate limit scenarios covered (100% of rate limit logic)
- Review: Approved by @security-agent + @code-reviewer-agent
- Documentation: Rate limit policies documented
- Journal: 2025-11-14-rate-limiting-implementation.md
- CI: All gates green including security gates
β
ADR created:
- ADR-042-rate-limiting-strategy.md documents algorithm choice
Assessment: Exemplary security change. β
All gates passed.
PR #790: Add encryption
β Security-hardener failures:
- Threat Model: "Encryption is obviously good" (no actual model)
- Security Scan: Skipped "because I used a well-known library"
- Penetration Test: None performed
- Defense-in-Depth: Single layer only
β Code quality issues:
- Using deprecated crypto algorithm (MD5 for hashing)
- Hardcoded encryption keys in code
- No key rotation mechanism
- Error messages leak sensitive info
β Missing standard DoD:
- Tests: Only happy path tested
- Review: Only one approval (needs security-agent review)
- Documentation: No encryption policy documented
- Journal: No entry
- ADR: No architecture decision documented
Assessment: Critical security issues. β Must be blocked and reworked.
Why this is dangerous:
- Wrong crypto creates false sense of security
- Hardcoded keys = security theater
- No threat model = don't understand what we're protecting against
- Missing security-agent review = no domain expert validation
Example 3: Refactoring
PR #234: Refactor auth middleware
β
Maintainability-refactorer archetype requirements:
- Complexity Reduction: Cyclomatic complexity 15 β 6 (documented)
- Test Coverage: Maintained at 85% (no regression)
- Behavior Unchanged: All tests still pass (no behavior changes)
β
Evidence-based changes:
- Before metrics: 150 LOC, complexity 15, 4 code smells
- After metrics: 95 LOC, complexity 6, 0 code smells
- Performance: No degradation (latency unchanged)
β
Standard DoD:
- Tests: All existing tests pass + new tests for extracted functions
- Review: Approved by @code-reviewer-agent
- Documentation: Code comments improved, architecture notes updated
- Journal: 2025-11-14-auth-middleware-refactor.md
- Decisions: Extracted 3 functions for clarity
- Learnings: Middleware composition patterns
- CI: All gates green
Assessment: Clean refactoring. β
Improves maintainability without risk.
PR #235: Clean up code
β Refactoring violations:
- Behavior Changed: Added "small feature" during refactor
- Test Coverage: Dropped from 85% β 60%
- No Metrics: Can't prove complexity improved
β Mixed concerns:
- Refactoring + feature + bug fix in one PR
- 847 lines changed across 23 files
- No clear focus or archetype
β Missing DoD:
- Tests: 12 tests now failing "will fix in follow-up"
- Review: "Just cleanup, no review needed"
- Documentation: Not updated to reflect changes
- Journal: No entry
Assessment: Dangerous refactoring. β Reject and split into focused PRs.
Why this fails:
- Mixed refactor + feature = impossible to review safely
- Dropping coverage during refactor = introducing bugs
- Behavior change during refactor = violates maintainability-refactorer archetype
- No metrics = can't prove improvement
Process Requirements
Phase Lifecycle (Canonical)
Every phase MUST follow:
- Seed Brief π
- Problem statement
- Success criteria
- Risk assessment
-
Resource allocation
-
Pre-Phase Sweeps π
- Dependency check
- Conflict resolution
- Environment preparation
-
Baseline metrics
-
Shard Work β‘
- Incremental delivery
- Continuous validation
- Journal updates
-
Progress tracking
-
Close-Out Sweeps β
- Consolidation
- Verification
- Documentation
- Learning capture
Journal Requirements
MANDATORY for all work:
## Problems
- Issues encountered
- Blockers identified
- Unexpected behaviors
## Decisions
- Choices made
- Trade-offs accepted
- Rationale documented
## Learnings
- Patterns discovered
- Improvements identified
- Knowledge gained
Format: YYYY-MM-DD-<kebab-slug>.md
ADR (Architecture Decision Record)
Required for:
- Architectural changes
- Process modifications
- Tool selections
- Major refactoring
Format:
# ADR-XXX: Title
## Status
[Proposed | Accepted | Deprecated | Superseded]
## Context
[Problem description]
## Decision
[What was decided]
## Consequences
[Trade-offs and impacts]
Compliance Matrix
By Change Type
| Change Type | Required Approvals | Evidence | Gates |
|---|---|---|---|
| Bug Fix | Code Review | Tests, Root Cause | CI Pass |
| Feature | PM + Code Review | AC Met, Tests | DoD Complete |
| Security | Security + Code Review | Threat Model, Scan | Security Gates |
| Architecture | Architect + Code Review | ADR, Impact Analysis | Full Suite |
| Process | PM + Architect | ADR, Stakeholder Review | Governance Check |
By Risk Level
| Risk | Additional Requirements |
|---|---|
| Low | Standard gates |
| Medium | +1 reviewer, extended tests |
| High | Security review, rollback plan |
| Critical | Executive approval, staged rollout |
Governance Enforcement
Automated Checks
Pre-commit:
- Linting
- Format validation
- Secrets scanning
CI Pipeline:
- Test execution
- Coverage validation
- Security scanning
- Performance checks
Pre-merge:
- Review approval
- Gate validation
- Documentation check
- Journal verification
Manual Reviews
Required human validation:
- Architecture alignment
- Business logic correctness
- Security implications
- UX impact
Change Management
Canon Charter Changes
HIGHEST GOVERNANCE LEVEL
- Research analysis required
- ADR documentation mandatory
- Multi-stakeholder review
- 30-day comment period
Lifecycle Changes
- ADR required
- Architect approval
- Code Reviewer approval
- Backward compatibility analysis
Policy Updates
- Impact assessment
- Migration plan if breaking
- Communication plan
- Grace period for adoption
Escalation Paths
Technical Escalation
Developer β Code Reviewer β Architect β CTO
Process Escalation
Agent β PM β Orchestrator β Product Owner
Security Escalation
ANY β Security Agent β CISO β Executive
Emergency Override
Only for production incidents:
1. Document override reason
2. Apply temporary fix
3. Create follow-up ticket
4. Conduct post-mortem
Anti-Patterns (Forbidden)
β Process Violations
- Skipping quality gates
- Merging own PRs
- Bypassing security scans
- Ignoring test failures
β Authority Violations
- Exceeding role boundaries
- Granting unauthorized exceptions
- Overriding specialist objections
- Ignoring escalation requirements
β Documentation Violations
- Missing journal entries
- No ADR for architecture changes
- Outdated documentation
- No evidence for decisions
Governance Metrics
Compliance Indicators
- Gate pass rate: >95%
- Review turnaround: <4 hours
- Journal compliance: 100%
- ADR coverage: All major changes
Health Metrics
- CI reliability: >99%
- Test stability: >95%
- Security score: >80/100
- Documentation currency: <7 days
Scripts Available
check.js- Validate compliance for current workgates.js- List applicable quality gatesescalate.js- Determine escalation path
Integration with Other Skills
- wolf-principles: Governance implements principles
- wolf-archetypes: Archetypes follow governance rules
- wolf-roles: Roles have governance boundaries
Red Flags - STOP
If you catch yourself thinking:
- β "Skipping quality gates to save time" - STOP. Gates exist because skipping them costs MORE time in rework and incidents.
- β "This change is too small for governance" - Wrong. Small changes compound. All work follows governance.
- β "I'll create the journal entry later" - NO. Journal entry is part of Definition of Done. Create it NOW.
- β "Tests are passing locally, CI doesn't matter" - CI is the source of truth. Local != production.
- β "I'm just fixing a typo, no review needed" - ALL changes need review. Separation of concerns is non-negotiable.
- β "We can make an exception this time" - Exceptions become habits. Follow Advisory-First Enforcement (Principle 4).
- β "Documentation can wait until after merge" - NO. Documentation is part of DoD. Must be complete BEFORE merge.
- β "Merging my own PR is faster" - FORBIDDEN. You cannot approve your own work (Authority Structure).
STOP. Use Skill tool to load wolf-governance to check compliance requirements BEFORE proceeding.
After Using This Skill
REQUIRED NEXT STEPS:
Sequential skill chain - DO NOT skip steps
- REQUIRED NEXT SKILL: Use wolf-roles to understand role-specific compliance requirements
- Why: Governance defines WHAT must be done. Roles define WHO does it and HOW.
- Gate: Cannot execute governance without understanding role boundaries
- Tool: Use Skill tool to load wolf-roles
-
Example:
pm-agentvalidates acceptance criteria,coder-agentimplements,code-reviewerapproves -
REQUIRED NEXT SKILL: Use wolf-verification to set up verification checkpoints
- Why: Governance gates require verification. Verification skill provides three-layer validation (CoVe, HSP, RAG).
- Gate: Cannot claim compliance without verification evidence
- When: Always - verification is mandatory for all governance gates
-
Example: Security gate requires threat model verification + scan validation
-
REQUIRED BEFORE COMPLETION: Create compliance artifacts
- Journal Entry:
YYYY-MM-DD-<kebab-slug>.mddocumenting problems, decisions, learnings - ADR (if applicable): For architectural/process changes
- Evidence: Test results, security scans, performance benchmarks
- Gate: Cannot merge without complete artifact set
DO NOT PROCEED to merge without completing steps 1-3.
Verification Checklist
Before claiming governance compliance:
- [ ] Archetype selected (from wolf-archetypes)
- [ ] Quality gates identified for this work type
- [ ] Definition of Done requirements understood
- [ ] Role boundaries confirmed (from wolf-roles)
- [ ] All MUST-have DoD items completed (tests, review, docs, journal, CI)
- [ ] SHOULD-have items evaluated (performance, security, a11y, metrics)
- [ ] Approval from authorized reviewer (not self-approval)
- [ ] CI/CD checks green (not just local)
Can't check all boxes? Governance compliance incomplete. Return to this skill.
Governance Examples by Change Type
Example 1: Bug Fix (reliability-fixer archetype)
DoD Requirements:
β
Root cause documented in journal
β
Regression test added
β
All tests passing (Fast-Lane + Full-Suite)
β
Code review approved
β
CI checks green
Gates:
- Fast-Lane: <10 min, linting β€5 errors, 60% coverage
- Full-Suite: 90% E2E success, rollback tested
- Review: Code reviewer approval (not self)
Example 2: Feature (product-implementer archetype)
DoD Requirements:
β
Acceptance criteria met (PM validation)
β
Tests pass (unit + integration + E2E)
β
Documentation updated (README, API docs)
β
Journal entry created
β
Performance benchmarks met
Gates:
- PM: Acceptance criteria validation
- Code Review: Technical quality + tests
- Security: Scan clean (if data handling involved)
- CI: Fast-Lane + Full-Suite green
Example 3: Security Change (security-hardener archetype)
DoD Requirements:
β
Threat model documented
β
Security scan clean
β
Penetration test passed
β
Defense-in-depth applied
β
Monitoring/alerting added
Gates:
- Security Review: Threat model approved
- Security Scan: 0 critical, β€5 high vulns
- Code Review: Implementation quality
- CI: Security gates + standard gates
- ADR: If architectural security decision
Emergency Override Procedure
ONLY for production incidents:
1. Document override reason immediately
2. Apply minimum necessary temporary fix
3. Create follow-up ticket for proper fix
4. Conduct post-mortem within 48 hours
5. Update governance if process failed
Override does NOT mean skip governance. It means parallel governance with expedited review.
Source: docs/governance/, Canon Charter, ADRs
Last Updated: 2025-11-14
Phase: Superpowers Skill-Chaining Enhancement v2.0.0*
# Related Skills
Use when starting any conversation - establishes how to find and use skills, requiring Skill...
|
|
# Supported AI Coding Agents
This skill is compatible with the SKILL.md standard and works with all major AI coding agents:
Amp
Antigravity
Claude Code
Clawdbot
Codex
Cursor
Droid
Gemini CLI
GitHub Copilot
Goose
Kilo Code
Kiro CLI
OpenCode
Roo Code
Trae
Windsurf
Learn more about the SKILL.md standard and how to use these skills with your preferred AI coding agent.