Understand Governance

Caracal is maintained by Garudex Labs. Maintainers listed in .github/MAINTAINERS are the primary decision-makers for project areas, reviews, triage, standards, and releases.

| Change size | Expected process |
| --- | --- |
| Small focused fix | Pull request with clear validation. |
| Medium bug or feature | GitHub issue with context and expected outcome before implementation. |
| Large or cross-cutting change | Proposal with problem statement, alternatives, trade-offs, open questions, and smaller sub-issues. |
| Security-sensitive change | Private security process and maintainer coordination. |

  • Review changes in owned areas.
  • Enforce repository standards and product boundaries.
  • Keep security reports private.
  • Approve releases and release workflow changes.
  • Preserve open-source and enterprise product isolation.

Every change is proposed as a pull request and reviewed before merge or release.

| Requirement | Expectation |
| --- | --- |
| Independent review | At least one maintainer other than the author approves each pull request; authors do not approve or merge their own changes. |
| Area ownership | .github/CODEOWNERS owners are requested automatically for their paths. |
| What reviewers check | Correctness and edge cases, focused scope, Testing Policy compliance with passing CI, the pnpm run style gate, input validation and trust boundaries, secret hygiene, OSS/enterprise isolation, and updated docs. |
| Acceptance bar | One approving non-author review, all required CI checks green, resolved comments, and a judgment that the change is worthwhile and free of known disqualifying defects. |
| Release approval | Stable releases require release-approval from a maintainer other than the release preparer. |

The full contributor-facing policy lives in ./CONTRIBUTING.md.

The project follows the repository Code of Conduct. Harassment, private-information disclosure, and disruptive behavior are not acceptable.

Security concerns must be reported through Report a Vulnerability. Public issues are not appropriate for vulnerabilities, credential exposure, unsafe execution, or exploitable operational failures.

Maintainers preparing a cut should use Release Caracal.