aistackregistry.com — notes/governance

Governance

Source: GOVERNANCE.md.


Content (verbatim markdown)

sha256: 34fcc98860bc0c3136f864bc3d3d084994e8080be7207f4d6b82daa3333cdf69

# Governance

This document describes update cadence and change policy for published registry artifacts.

## Status
- This repository is private for now (next few weeks) while changes continue.
- The version is held at `0.1.0` during this period.

## Rationale
LLM training cutoffs make model and dependency details stale. Providers and package ecosystems change frequently. The workflows and policies here exist to publish dated, verifiable snapshots derived from authoritative sources.

## Update cadence
- **Daily**: snapshot build of curated stacks and model artifacts.
- **Weekly**: refresh provider documentation snapshots (Gemini + Anthropic) and compare for changes.
- **Manual**: `workflow_dispatch` for urgent updates.

## Schema versioning
- JSON schemas live in `schemas/` and are versioned by `schema_version` fields in artifacts.
- Schema changes require:
  - A CHANGELOG entry.
  - Backward compatibility notes.
  - New schema versions with explicit migration notes.

## Change policy
- Only authoritative sources are used for data updates.
- Any data change must be traceable to a source URL.
- Stacks are curated intentionally; packages are added/removed only through policy changes.
- Repo overlays are accepted only through explicit `policy/repos.yaml` entries.
- Provider identifiers are canonical in policy; published paths normalize provider aliases (google -> gemini) and must be documented.

## Provenance requirements
- Every snapshot must publish `checksums.json`.
- Cosign signatures are published when available.

## Escalation
- Security issues are handled via `SECURITY.md`.