AI compliance baseline and governance structure

[phillipc]

Add AI compliance baseline and governance structure to enhance AI-assisted workflows

• Introduced AI_COMPLIANCE.md as a mandatory policy baseline for AI-assisted work.
• Updated AGENTS.md with a clear governance section outlining compliance and operational controls.

Summary by CodeRabbit

• Documentation
  • Added a mandatory AI governance & compliance baseline, agent boot/read order, verified-behaviors guidance, repo-level AI glossary, risk tiers, approval gates, exception process, incident escalation runbook, and standardized plan/validation evidence requirements; prohibits placing restricted data into unmanaged external AI tools and treats AI-generated/external content as untrusted.
• Chores
  • Switched release flow to tag-triggered publishing, added an on‑demand skills area and plan templates, and added new build/verification targets and package layout conventions.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds repository AI governance: introduces normative AI_COMPLIANCE.md, updates AGENTS.md with a mandatory AI Governance section and enforced boot/read order, requires plans/ entries with risk classification and evidence, adds AI_GLOSSARY.md, references per-package verified-behaviors.json, switches releases to tag-triggered workflow, and appends AI Evidence to multiple plans. Documentation-only changes.

Changes

Cohort / File(s)	Summary
Governance & Policy AGENTS.md, AI_COMPLIANCE.md	AGENTS.md now contains a mandatory “AI Governance (Mandatory)” section, enforced boot/read order (AGENTS.md → AI_COMPLIANCE.md), planning requirements, verified-behaviors guidance, and updated maintainer release steps. New AI_COMPLIANCE.md (v1.2) defines normative language, precedence, roles/decision rights, risk model, data categories, approval gates, exception process, verification expectations, and an incident escalation runbook.
Plans & Rollouts plans/... plans/ai-compliance-governance-rollout.md, plans/ai-governance-structure-optimization.md, plans/agent-verified-behaviors.md, plans/jsx-playground.md, plans/trusted-publishing.md, plans/tsx-doc-examples-rollout.md	Adds new plan files and updates existing plans to include explicit Risk class labels and appended “AI Evidence” sections with risk, tools/commands, validation checks, and follow-up owners; rollout and verification steps recorded.
Skills / Templates skills/plan-creation/SKILL.md, skills/plan-creation/assets/plan-template.md	New plan-creation skill and a plan template added documenting how to scaffold and author plans, required fields, risk classification guidance, and completion checklist.
Glossary / Docs AI_GLOSSARY.md	New comprehensive monorepo glossary covering reactive primitives, binding system, component/JSX terminology, lifecycle/disposal, scheduler, DOM utilities, build/distribution terms, and internal conventions.
Verified Behaviors packages/*/verified-behaviors.json, AGENTS.md	Guidance added referencing per-package verified-behaviors.json as package-level, unit-tested behavior contracts and integration points.
CI / Release Docs .github/workflows/release.yml, AGENTS.md	Changed release trigger from pushes to main to tag pushes matching v*; maintainer release flow revised to merge a version PR, tag v<version> and rely on tag-triggered release workflow.
Build / Tooling references Makefile, AGENTS.md, docs	Documented make knip command and added convention for a types/ directory under packages; referenced in package-layout docs.
Minor plan edits plans/* (multiple files)	Consistent, small additions across plan documents: AI Evidence sections, risk labels, validation checklists, and owner assignment notes.

Sequence Diagram(s)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• release: automate GitHub releases #278: Related to switching release automation to tag-triggered releases and updating release workflow/docs.
• Add build and release certainty automation #238: Overlaps edits to AGENTS.md and release/workflow behavior; connected to release trigger and governance changes.
• Add JSX playground at /playground #254: Adds/extends plan requirements in AGENTS.md (plans/ precondition), directly related to the new planning enforcement.

Poem

🐇 I hopped through docs and tucked a careful line,

Read Agents first, then Compliance — by design.
Plans pinned with risk and evidence in view,
Tags wake the releases — neat and true,
A rabbit’s wink: tidy governance, too.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately captures the main change: introducing AI compliance baseline and governance structure across multiple new documentation files (AI_COMPLIANCE.md, updated AGENTS.md, plan documents, AI_GLOSSARY.md, and skills).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch pc/ai_governance

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (5)

AI_COMPLIANCE.md (1)

48-50: Optional: Vary sentence structure for readability.

Three consecutive sentences begin with "MUST" (lines 48-50). While technically correct for normative requirements, slightly varying the structure could improve readability without weakening the requirements.

✍️ Optional rewording to reduce repetition

 ### 4.2 AI Agents
 
-- MUST operate as assistants, never as autonomous approvers.
-- MUST treat generated code and generated commands as untrusted by default.
-- MUST stop and escalate when requested actions exceed authority or risk gates.
+- MUST operate as assistants, never as autonomous approvers.
+- Generated code and commands MUST be treated as untrusted by default.
+- When requested actions exceed authority or risk gates, MUST stop and escalate.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@AI_COMPLIANCE.md` around lines 48 - 50, Reword the three consecutive
normative sentences that all start with "MUST"—specifically the lines containing
"MUST operate as assistants, never as autonomous approvers.", "MUST treat
generated code and generated commands as untrusted by default.", and "MUST stop
and escalate when requested actions exceed authority or risk gates."—to vary
sentence openings for readability while preserving their normative force; for
example, convert one or two into constructions like "Assistants must...", "Treat
generated code and commands as untrusted by default.", or "When requested
actions exceed authority or risk gates, stop and escalate." Ensure the
requirement keywords remain clear and the obligations are unchanged.

AGENTS.md (1)

16-20: Consider adding explicit boot sequence guidance.

While the precedence model is clearly documented, AI_COMPLIANCE.md section 12 specifies a required boot sequence (read AGENTS.md first, then AI_COMPLIANCE.md). Adding this to the governance section could help agents understand the intended reading order.

📖 Optional enhancement to clarify boot sequence

 Source of truth and precedence:
 
+- At session start, read this file (`AGENTS.md`) first, then `AI_COMPLIANCE.md`.
 - `AI_COMPLIANCE.md` is the normative policy baseline for AI-assisted work.
 - `AGENTS.md` provides operational context and repository-specific workflows.
 - When guidance conflicts, follow the precedence model defined in `AI_COMPLIANCE.md`.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@AGENTS.md` around lines 16 - 20, Add an explicit boot sequence note to the
governance/precedence section in AGENTS.md stating the required reading order:
read AGENTS.md first for operational context, then AI_COMPLIANCE.md for the
normative policy baseline (so the precedence model still applies), and reference
AI_COMPLIANCE.md section 12 as the source of this boot-sequence requirement;
update the paragraph around the existing "Source of truth and precedence" text
to include this single-line instruction so agents know to load AGENTS.md before
AI_COMPLIANCE.md.

plans/ai-governance-structure-optimization.md (2)

1-39: Enhance plan structure to include required traceability elements.

Similar to the rollout plan, this plan is missing traceability elements defined in AI_COMPLIANCE.md section 9. The plan should include risk class, tooling used, validation outcomes, and follow-up owner.

📋 Suggested enhancement to add missing traceability elements

 # AI Governance Structure Optimization
 
 ## Summary
 Review and tighten TKO's AI governance structure so decisions are easier to
 apply under delivery pressure and evidence is consistent across contributors
 and agents.
 
+## Risk Class
+`HIGH` — Changes to governance documents themselves are classified as HIGH risk per AI_COMPLIANCE.md section 6.3 and require explicit maintainer approval.
+
 ## Goals
 - Restructure `AI_COMPLIANCE.md` into clearer policy sections with explicit
   decision rights and approval gates.
 - Add a practical risk-to-evidence matrix tied to current TKO workflows.
 - Add explicit exception and incident handling rules with ownership and expiry.
 - Align `AGENTS.md` with the compliance baseline to reduce duplicated or
   drifting guidance.
 
 ## Non-Goals
 - No automation or CI enforcement changes in this iteration.
 - No changes to release mechanics, build tooling behavior, or package runtime.
 - No policy expansion outside repository governance and engineering controls.
 
 ## Implementation
 1. Normalize policy language (`MUST` / `SHOULD` / `MAY`) and clarify precedence.
 2. Define role accountability and approval authority for `HIGH` risk changes.
 3. Add risk model with explicit TKO high-risk path mapping.
 4. Add control gates and evidence requirements per risk class.
 5. Add exception workflow (owner, expiry, compensating controls).
 6. Add incident runbook for leakage/prompt-injection/supply-chain events.
 7. Update `AGENTS.md` governance section to point to the stricter baseline.
 
 ## Verification
 - Manual consistency check between `AI_COMPLIANCE.md` and `AGENTS.md`.
 - Confirm references map to real TKO paths and commands.
 - Confirm plan/evidence expectations remain compatible with existing `plans/`
   workflow.
 
 ## Deliverables
 - Updated `AI_COMPLIANCE.md`
 - Updated `AGENTS.md` governance section
 - This plan entry in `plans/`
+
+## AI Evidence
+- Risk class: `HIGH` (governance document changes)
+- Files changed: `AI_COMPLIANCE.md` (new), `AGENTS.md` (governance section added), `plans/ai-compliance-governance-rollout.md`, `plans/ai-governance-structure-optimization.md`
+- Tools/commands: Manual authoring; cross-document consistency verification
+- Validation: Markdown validated; precedence model verified; boot sequence confirmed; risk paths mapped to real TKO directories
+- Result: Comprehensive governance baseline with clear roles, risk tiers, and operational controls
+- Follow-up owner: TKO maintainers (quarterly review cycle per AI_COMPLIANCE.md section 13)

Based on learnings, plans for substantial AI-assisted changes should include objective, risk class, files changed, tooling used, validation evidence, and follow-up owner.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plans/ai-governance-structure-optimization.md` around lines 1 - 39, Update
this plan to include the traceability fields required by AI_COMPLIANCE.md
section 9: add a "Risk class" (e.g., LOW/MEDIUM/HIGH), "Files changed" listing
affected docs (referencing AI_COMPLIANCE.md and AGENTS.md), "Tooling used"
(tools/versions used for edits/validation), "Validation outcomes" (summary of
checks performed and their results), and a "Follow-up owner" with a clear
expiry/next-review date; ensure the AGENTS.md governance section reference is
updated to point to the new baseline and include these traceability items in the
plan header and Implementation steps (items 1–7) so reviewers can verify
compliance.

---

22-26: Optional: Reduce repetitive sentence beginnings for better readability.

Lines 22-26 begin four consecutive sentences with "Add" or "Define". Consider varying the sentence structure slightly.

✍️ Optional rewording to reduce repetition

 ## Implementation
 1. Normalize policy language (`MUST` / `SHOULD` / `MAY`) and clarify precedence.
 2. Define role accountability and approval authority for `HIGH` risk changes.
-3. Add risk model with explicit TKO high-risk path mapping.
-4. Add control gates and evidence requirements per risk class.
-5. Add exception workflow (owner, expiry, compensating controls).
-6. Add incident runbook for leakage/prompt-injection/supply-chain events.
+3. Create risk model with explicit TKO high-risk path mapping.
+4. Establish control gates and evidence requirements per risk class.
+5. Document exception workflow (owner, expiry, compensating controls).
+6. Provide incident runbook for leakage/prompt-injection/supply-chain events.
 7. Update `AGENTS.md` governance section to point to the stricter baseline.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plans/ai-governance-structure-optimization.md` around lines 22 - 26, The list
items 1–5 repeat sentence starts ("Normalize", "Define", "Add") which reduces
readability; reword those bullets to vary sentence openings and flow while
preserving meaning—for example, change item 2 to "Establish role accountability
and approval authority for `HIGH` risk changes", item 3 to "Introduce a risk
model that maps explicit TKO high‑risk paths", item 4 to "Specify control gates
and required evidence per risk class", and item 5 to "Create an exception
workflow (owner, expiry, compensating controls)"; apply similar small tweaks to
other bullets so each begins with a different verb or phrase.

plans/ai-compliance-governance-rollout.md (1)

1-23: Enhance plan structure to include required traceability elements.

The plan is missing several elements that are recommended for substantial AI-assisted changes. According to the governance baseline being introduced in this PR (AI_COMPLIANCE.md section 9), plans should include:

• Risk class (HIGH/MEDIUM/LOW)
• Tooling/commands used
• Validation outcomes and results
• Follow-up owner

📋 Suggested enhancement to add missing traceability elements

 # AI Compliance Governance Rollout
 
 ## Summary
 Introduce a repository-specific AI compliance baseline for TKO and wire it into `AGENTS.md` so all agents and contributors follow consistent governance controls.
 
+## Risk Class
+`LOW` — Documentation-only change with no runtime, build, or CI behavior modifications.
+
 ## Goals
 - Add a `AI_COMPLIANCE.md` in project root
 - Update `AGENTS.md` with a clear mandatory governance section.
 - Keep guidance practical for current TKO workflows (`make`, Karma, changesets, release CI).
 
 ## Non-Goals
 - No runtime code or build-system behavior changes.
 - No CI policy automation in this step.
 
 ## Implementation
 1. Define compliance baseline with scope, precedence, risk tiers, controls, and incident handling.
 2. Add mandatory boot/read order and operational controls to `AGENTS.md`.
 3. Ensure high-risk TKO areas are explicitly mapped to approval requirements.
 
 ## Verification
 - Confirm both files are valid markdown and present at repository root.
 - Check AGENTS content references `AI_COMPLIANCE.md` and governance state files.
 - Validate guidance matches existing TKO constraints (zero runtime deps, release workflow, docs verification flow).
+
+## AI Evidence
+- Risk class: `LOW`
+- Files changed: `AI_COMPLIANCE.md` (new), `AGENTS.md` (updated), `plans/ai-compliance-governance-rollout.md`, `plans/ai-governance-structure-optimization.md`
+- Tools/commands: Manual authoring and review; markdown validation
+- Validation: Markdown syntax verified; cross-references between documents checked for consistency
+- Result: Governance baseline established with clear precedence, boot sequence, and operational controls
+- Follow-up owner: TKO maintainers (quarterly review per AI_COMPLIANCE.md section 13)

Based on learnings, plans for substantial AI-assisted changes should include objective, risk class, files changed, tooling used, validation evidence, and follow-up owner.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plans/ai-compliance-governance-rollout.md` around lines 1 - 23, The plan is
missing required traceability elements (risk class, tooling, validation, owner)
per the new governance baseline §9; update the AI Compliance Rollout plan to add
a "Risk Class" (HIGH/MEDIUM/LOW), a "Tooling/Commands" list (e.g., make, Karma,
changesets, release CI commands), a "Validation & Results" section that records
concrete verification outcomes (e.g., markdown presence checks, AGENTS.md
references, CI/documentation checks) and their pass/fail details, and a
"Follow-up Owner" with an assignee and cadence; ensure these are included
alongside existing sections (Summary, Goals, Implementation, Verification) and
reference AI_COMPLIANCE.md and AGENTS.md where appropriate.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@AGENTS.md`:
- Around line 16-20: Add an explicit boot sequence note to the
governance/precedence section in AGENTS.md stating the required reading order:
read AGENTS.md first for operational context, then AI_COMPLIANCE.md for the
normative policy baseline (so the precedence model still applies), and reference
AI_COMPLIANCE.md section 12 as the source of this boot-sequence requirement;
update the paragraph around the existing "Source of truth and precedence" text
to include this single-line instruction so agents know to load AGENTS.md before
AI_COMPLIANCE.md.

In `@AI_COMPLIANCE.md`:
- Around line 48-50: Reword the three consecutive normative sentences that all
start with "MUST"—specifically the lines containing "MUST operate as assistants,
never as autonomous approvers.", "MUST treat generated code and generated
commands as untrusted by default.", and "MUST stop and escalate when requested
actions exceed authority or risk gates."—to vary sentence openings for
readability while preserving their normative force; for example, convert one or
two into constructions like "Assistants must...", "Treat generated code and
commands as untrusted by default.", or "When requested actions exceed authority
or risk gates, stop and escalate." Ensure the requirement keywords remain clear
and the obligations are unchanged.

In `@plans/ai-compliance-governance-rollout.md`:
- Around line 1-23: The plan is missing required traceability elements (risk
class, tooling, validation, owner) per the new governance baseline §9; update
the AI Compliance Rollout plan to add a "Risk Class" (HIGH/MEDIUM/LOW), a
"Tooling/Commands" list (e.g., make, Karma, changesets, release CI commands), a
"Validation & Results" section that records concrete verification outcomes
(e.g., markdown presence checks, AGENTS.md references, CI/documentation checks)
and their pass/fail details, and a "Follow-up Owner" with an assignee and
cadence; ensure these are included alongside existing sections (Summary, Goals,
Implementation, Verification) and reference AI_COMPLIANCE.md and AGENTS.md where
appropriate.

In `@plans/ai-governance-structure-optimization.md`:
- Around line 1-39: Update this plan to include the traceability fields required
by AI_COMPLIANCE.md section 9: add a "Risk class" (e.g., LOW/MEDIUM/HIGH),
"Files changed" listing affected docs (referencing AI_COMPLIANCE.md and
AGENTS.md), "Tooling used" (tools/versions used for edits/validation),
"Validation outcomes" (summary of checks performed and their results), and a
"Follow-up owner" with a clear expiry/next-review date; ensure the AGENTS.md
governance section reference is updated to point to the new baseline and include
these traceability items in the plan header and Implementation steps (items 1–7)
so reviewers can verify compliance.
- Around line 22-26: The list items 1–5 repeat sentence starts ("Normalize",
"Define", "Add") which reduces readability; reword those bullets to vary
sentence openings and flow while preserving meaning—for example, change item 2
to "Establish role accountability and approval authority for `HIGH` risk
changes", item 3 to "Introduce a risk model that maps explicit TKO high‑risk
paths", item 4 to "Specify control gates and required evidence per risk class",
and item 5 to "Create an exception workflow (owner, expiry, compensating
controls)"; apply similar small tweaks to other bullets so each begins with a
different verb or phrase.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 70e760a7-75c5-4fab-ba77-2982d84e290d

📥 Commits

Reviewing files that changed from the base of the PR and between 0068527 and 3e7e993.

📒 Files selected for processing (4)

• AGENTS.md
• AI_COMPLIANCE.md
• plans/ai-compliance-governance-rollout.md
• plans/ai-governance-structure-optimization.md

[coderabbitai]

♻️ Duplicate comments (1)

AI_COMPLIANCE.md (1)

51-52: ⚠️ Potential issue | 🔴 Critical

Critical: Incomplete sentence and missing line break.

Line 51 ends with an incomplete directive: "MUST consider code quality, human readability and interface compatibility " without finishing the thought or adding proper punctuation. Additionally, section 4.3 starts immediately at line 52 without a blank line separator.

🔧 Suggested fix

Complete the sentence and add proper spacing:

-- MUST consider code quality, human readability and interface compatibility 
-### 4.3 Security and Quality Owners
+- MUST consider code quality, human readability, and interface compatibility when generating changes.
+
+### 4.3 Security and Quality Owners

Alternatively, if this bullet point should be removed (as suggested in past review comments), then:

-- MUST consider code quality, human readability and interface compatibility 
+
 ### 4.3 Security and Quality Owners

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@AI_COMPLIANCE.md` around lines 51 - 52, Finish the incomplete directive that
starts with "MUST consider code quality, human readability and interface
compatibility" by completing the sentence with clear guidance (e.g., "MUST
consider code quality, human readability, and interface compatibility when
making changes to APIs and libraries.") and add a blank line before the "### 4.3
Security and Quality Owners" heading to separate sections; alternatively, if
this bullet is intended to be removed per prior reviews, delete the entire line
containing that directive instead.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@AI_COMPLIANCE.md`:
- Around line 51-52: Finish the incomplete directive that starts with "MUST
consider code quality, human readability and interface compatibility" by
completing the sentence with clear guidance (e.g., "MUST consider code quality,
human readability, and interface compatibility when making changes to APIs and
libraries.") and add a blank line before the "### 4.3 Security and Quality
Owners" heading to separate sections; alternatively, if this bullet is intended
to be removed per prior reviews, delete the entire line containing that
directive instead.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f38dafbe-1d33-490b-9b9b-a456d6204970

📥 Commits

Reviewing files that changed from the base of the PR and between 3e7e993 and 01d92d2.

📒 Files selected for processing (1)

• AI_COMPLIANCE.md

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

AI_COMPLIANCE.md (1)

51-51: ⚠️ Potential issue | 🔴 Critical

Complete the normative statement.

Line 51 is grammatically incomplete: "MUST consider code quality, human readability and interface compatibility" lacks a completing action. For a MUST statement to be enforceable in a normative baseline, it needs to specify what AI agents must do with these considerations (e.g., "MUST consider code quality, human readability, and interface compatibility when generating or proposing changes" or "MUST prioritize...").

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@AI_COMPLIANCE.md` at line 51, The normative statement "MUST consider code
quality, human readability and interface compatibility" is incomplete; edit that
sentence so it specifies the required action (e.g., "MUST consider code quality,
human readability, and interface compatibility when generating or proposing
changes to code or interfaces") to make the requirement enforceable and clear.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@AI_COMPLIANCE.md`:
- Line 71: Fix the grammar in the guideline sentence "AI tooling SHOULD verified
before use" by inserting the missing verb "be" so it reads "AI tooling SHOULD be
verified before use"; locate the exact sentence in AI_COMPLIANCE.md (the line
containing "AI tooling SHOULD verified before use") and update it accordingly,
preserving casing and the "SHOULD" RFC-style keyword.
- Around line 202-203: Replace the ambiguous instruction "If required governance
files are missing, initialize minimal valid state files before proceeding with
implementation work." with a clear escalation rule: instruct agents to stop work
and escalate to maintainers when required governance files are missing, and
explicitly reference Section 4.2 ("MUST operate as assistants, never as
autonomous approvers") to forbid agents from generating or auto-initializing
normative governance documents; update the sentence to read something like "If
required governance files are missing, stop work and escalate to
maintainers—agents must not create or modify governance documents autonomously
(see Section 4.2)."

---

Duplicate comments:
In `@AI_COMPLIANCE.md`:
- Line 51: The normative statement "MUST consider code quality, human
readability and interface compatibility" is incomplete; edit that sentence so it
specifies the required action (e.g., "MUST consider code quality, human
readability, and interface compatibility when generating or proposing changes to
code or interfaces") to make the requirement enforceable and clear.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 03522006-8446-4849-9dcc-c2237edf647f

📥 Commits

Reviewing files that changed from the base of the PR and between 01d92d2 and 6d6807f.

📒 Files selected for processing (1)

• AI_COMPLIANCE.md

[coderabbitai]

🧹 Nitpick comments (1)

AI_COMPLIANCE.md (1)

30-36: Clarify precedence wording to avoid governance ambiguity.

Current order puts AGENTS.md above AI_COMPLIANCE.md, while this file is described as the normative baseline. Consider explicitly stating that compliance/security controls in AI_COMPLIANCE.md override AGENTS.md in conflicts (or invert those two entries) to prevent interpretation drift.

Suggested wording tweak

-3. `AGENTS.md`
-4. This file (`AI_COMPLIANCE.md`)
+3. This file (`AI_COMPLIANCE.md`) for compliance/security controls
+4. `AGENTS.md` for operational workflow context

Based on learnings: Follow AI governance documents: `AI_COMPLIANCE.md` is the normative policy baseline, `AGENTS.md` provides operational context, and conflicts are resolved per the precedence model in `AI_COMPLIANCE.md`.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@AI_COMPLIANCE.md` around lines 30 - 36, Update the precedence wording so
there is no ambiguity: explicitly state in AI_COMPLIANCE.md that its
compliance/security controls are the normative baseline and override any
conflicting guidance in AGENTS.md (or invert the list order so AI_COMPLIANCE.md
appears before AGENTS.md); reference the files by name (AI_COMPLIANCE.md,
AGENTS.md) and add a single authoritative sentence such as “In case of conflict,
the rules in AI_COMPLIANCE.md take precedence over AGENTS.md” so governance
resolution is unambiguous.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@AI_COMPLIANCE.md`:
- Around line 30-36: Update the precedence wording so there is no ambiguity:
explicitly state in AI_COMPLIANCE.md that its compliance/security controls are
the normative baseline and override any conflicting guidance in AGENTS.md (or
invert the list order so AI_COMPLIANCE.md appears before AGENTS.md); reference
the files by name (AI_COMPLIANCE.md, AGENTS.md) and add a single authoritative
sentence such as “In case of conflict, the rules in AI_COMPLIANCE.md take
precedence over AGENTS.md” so governance resolution is unambiguous.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f8672551-9067-4011-8e80-8b232be94924

📥 Commits

Reviewing files that changed from the base of the PR and between 7d9d254 and 31e909a.

📒 Files selected for processing (4)

• AGENTS.md
• AI_COMPLIANCE.md
• plans/ai-compliance-governance-rollout.md
• plans/ai-governance-structure-optimization.md

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@AGENTS.md`:
- Line 125: Update the documentation line that currently reads "types/         #
Typescript typings" to correct the language name: change "Typescript" to
"TypeScript" so the comment becomes "types/         # TypeScript typings";
locate the line containing the "types/" entry or the phrase "Typescript typings"
in the AGENTS.md content and apply this single-word capitalization fix.
- Around line 17-21: The current paragraph in AGENTS.md incorrectly implies
AI_COMPLIANCE.md is the top precedence; update the wording to match the
precedence model in AI_COMPLIANCE.md Section 3 by stating that contributors
should follow the precedence model defined in AI_COMPLIANCE.md (which may place
AGENTS.md above other docs) when guidance conflicts, and remove or rephrase the
line that asserts AI_COMPLIANCE.md is the normative top source so the two
documents are consistent (reference AGENTS.md and AI_COMPLIANCE.md in the
updated sentence).

In `@AI_GLOSSARY.md`:
- Line 37: The TOC entry "Governance & Process Terms" points to a non-existent
anchor `#governance--process-terms`; fix it by either adding a matching section
heading exactly "Governance & Process Terms" (so the generated anchor becomes
governance--process-terms) or by updating the TOC link to match the actual
heading used in the document; locate the TOC line "20. [Governance & Process
Terms](`#governance--process-terms`)" and reconcile it with the corresponding
section title (or create that section) so the anchor resolves.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bdb85391-bdb7-4cf2-9fb6-3e63adff7703

📥 Commits

Reviewing files that changed from the base of the PR and between 7d9d254 and 4a6e8ed.

📒 Files selected for processing (9)

• AGENTS.md
• AI_COMPLIANCE.md
• AI_GLOSSARY.md
• plans/agent-verified-behaviors.md
• plans/ai-compliance-governance-rollout.md
• plans/ai-governance-structure-optimization.md
• plans/jsx-playground.md
• plans/trusted-publishing.md
• plans/tsx-doc-examples-rollout.md

✅ Files skipped from review due to trivial changes (4)

• plans/trusted-publishing.md
• plans/jsx-playground.md
• plans/tsx-doc-examples-rollout.md
• plans/agent-verified-behaviors.md

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

AGENTS.md (1)

25-26: Clarify accepted risk-class values in AGENTS.md for consistent plans.

risk class is required, but the allowed values are not stated here. Adding HIGH / MEDIUM / LOW inline will reduce reviewer interpretation variance.

✏️ Suggested wording

-- Add or update a plan in `plans/` with objective, risk class, planned changes and steps,
+- Add or update a plan in `plans/` with objective, risk class (`HIGH` / `MEDIUM` / `LOW`), planned changes and steps,
   tooling used, validation evidence, and any follow-up owner.

Also applies to: 182-183

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@AGENTS.md` around lines 25 - 26, Update the AGENTS.md line that instructs
adding "risk class" to plans so it explicitly lists the accepted values (e.g.,
"risk class: HIGH / MEDIUM / LOW") to ensure consistency; modify the sentence
mentioning "risk class" (the instruction that currently reads about objective,
risk class, planned changes and steps) and the duplicate occurrence around lines
182-183 to include the allowed enums "HIGH / MEDIUM / LOW" inline.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@AGENTS.md`:
- Around line 181-183: Replace the ambiguous "should" in the sentence
"Significant changes should have a plan file in `plans/`" with explicit
mandatory language for AI-assisted work and add a concrete requirement: for
substantial AI-assisted changes, require adding/updating a plan in `plans/` that
documents objective, risk class, planned changes, step-by-step implementation
and verification steps, tooling used, validation evidence, and a named follow-up
owner; ensure this new wording aligns with the existing section that treats
substantial AI-assisted changes as mandatory so there is no ambiguity.

---

Nitpick comments:
In `@AGENTS.md`:
- Around line 25-26: Update the AGENTS.md line that instructs adding "risk
class" to plans so it explicitly lists the accepted values (e.g., "risk class:
HIGH / MEDIUM / LOW") to ensure consistency; modify the sentence mentioning
"risk class" (the instruction that currently reads about objective, risk class,
planned changes and steps) and the duplicate occurrence around lines 182-183 to
include the allowed enums "HIGH / MEDIUM / LOW" inline.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1587720d-1014-4347-89e7-f3c71267bf60

📥 Commits

Reviewing files that changed from the base of the PR and between 88b9780 and e34ba3f.

📒 Files selected for processing (1)

• AGENTS.md

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Strengthen plan requirement language to avoid policy ambiguity.

Line 181 says significant changes “should” have a plan, while Line 23-Line 26 frames substantial AI-assisted changes as mandatory. Consider making this section explicitly mandatory for the AI-assisted scope to avoid interpretation drift.

✏️ Suggested wording

-Significant changes should have a plan file in `plans/` before implementation
-begins. Plans document the context, approach, risk class, and verification steps. Review
+For substantial AI-assisted changes, add or update a plan file in `plans/`
+before implementation begins. Plans document the context, approach, risk class,
+and verification steps. Review
 existing plans in that directory for format examples.

Based on learnings: For substantial AI-assisted changes, add or update a plan in plans/ documenting objective, risk class, planned changes, steps, tooling used, validation evidence, and follow-up owner.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@AGENTS.md` around lines 181 - 183, Replace the ambiguous "should" in the
sentence "Significant changes should have a plan file in `plans/`" with explicit
mandatory language for AI-assisted work and add a concrete requirement: for
substantial AI-assisted changes, require adding/updating a plan in `plans/` that
documents objective, risk class, planned changes, step-by-step implementation
and verification steps, tooling used, validation evidence, and a named follow-up
owner; ensure this new wording aligns with the existing section that treats
substantial AI-assisted changes as mandatory so there is no ambiguity.

[coderabbitai]

🧹 Nitpick comments (1)

skills/plan-creation/SKILL.md (1)

38-41: Use consistent risk adjective style in example bullets.

These lines use HIGH risk / LOW risk, while other sections use HIGH-risk / LOW-risk. Standardizing improves policy readability and searchability.

✏️ Suggested edit

-- `plans/trusted-publishing.md` — HIGH risk release and publishing changes
-- `plans/ai-governance-structure-optimization.md` — HIGH risk governance and approval model changes
+- `plans/trusted-publishing.md` — HIGH-risk release and publishing changes
+- `plans/ai-governance-structure-optimization.md` — HIGH-risk governance and approval model changes
 - `plans/agent-verified-behaviors.md` — LOW risk generated docs/reference work
-- `plans/tsx-doc-examples-rollout.md` — LOW risk docs convention rollout
+- `plans/tsx-doc-examples-rollout.md` — LOW-risk docs convention rollout

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@skills/plan-creation/SKILL.md` around lines 38 - 41, Update the risk
adjective styling in the example bullets so they match the rest of the document:
change occurrences of "HIGH risk" and "LOW risk" in the bullets referencing
plans/trusted-publishing.md, plans/ai-governance-structure-optimization.md,
plans/agent-verified-behaviors.md, and plans/tsx-doc-examples-rollout.md to
"HIGH-risk" and "LOW-risk" respectively to ensure consistent hyphenation.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@skills/plan-creation/SKILL.md`:
- Around line 38-41: Update the risk adjective styling in the example bullets so
they match the rest of the document: change occurrences of "HIGH risk" and "LOW
risk" in the bullets referencing plans/trusted-publishing.md,
plans/ai-governance-structure-optimization.md,
plans/agent-verified-behaviors.md, and plans/tsx-doc-examples-rollout.md to
"HIGH-risk" and "LOW-risk" respectively to ensure consistent hyphenation.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 88dd65d1-fca5-4a55-947f-48768c84a8df

📥 Commits

Reviewing files that changed from the base of the PR and between e34ba3f and f6e188b.

📒 Files selected for processing (3)

• AGENTS.md
• skills/plan-creation/SKILL.md
• skills/plan-creation/assets/plan-template.md

✅ Files skipped from review due to trivial changes (1)

• skills/plan-creation/assets/plan-template.md