
ReviewGuard Adoption Plan

1. Why Use It Here

  • You already have policy-driven engineering goals.
  • Agent-led development benefits from deterministic PR gating.
  • ReviewGuard helps enforce contract/security/governance checks early.

2. Rollout Strategy

  1. Week 1: run all rules in warn mode.
  2. Week 2: promote high-signal rules to error:
     • contract-first
     • hardcoded-secret block
     • mutation-tests-required
  3. Week 3+: tune and promote remaining rules.

3. Source Documents for Policy Mapping

  • agent_policy.yaml
  • Agent_Enforcement.md
  • CI_Enforcement_Checklist.md
  • openapi.spectral.yaml

4. Minimum Blocking Rules (Day 1)

  • Contract updates required when API behavior changes.
  • Hardcoded secret patterns blocked.
  • Backend mutation changes require tests.
  • API spec changes require compatibility note.
  • ADR reference checks (architectural changes must cite an ADR).
  • Broad authz heuristics (can be noisy until tuned; expect to keep these in warn mode longer than the rest).

5. Integration Notes

  • Keep ReviewGuard as the PR governance layer.
  • Keep CI for deep validation:
     • OpenAPI lint/breaking checks
     • SAST/DAST/dependency scans
     • integration/E2E tests

6. Success Criteria

  • Fewer policy violations merged to main.
  • Lower review burden for repeated rule classes.
  • Stable false-positive rate after tuning.