Understand Governance
Caracal is maintained by Garudex Labs. Maintainers listed in .github/MAINTAINERS are the primary decision-makers for project areas, reviews, triage, standards, and releases.
Contribution Scale
| Change size | Expected process |
|---|---|
| Small focused fix | Pull request with clear validation. |
| Medium bug or feature | GitHub issue with context and expected outcome before implementation. |
| Large or cross-cutting change | Proposal with problem statement, alternatives, trade-offs, open questions, and smaller sub-issues. |
| Security-sensitive change | Private security process and maintainer coordination. |
Maintainer Responsibilities
- Review changes in owned areas.
- Enforce repository standards and product boundaries.
- Keep security reports private.
- Approve releases and release workflow changes.
- Preserve open-source and enterprise product isolation.
Code Review Requirements
Every change is proposed as a pull request and reviewed before merge or release.
| Requirement | Expectation |
|---|---|
| Independent review | At least one maintainer other than the author approves each pull request; authors do not approve or merge their own changes. |
| Area ownership | .github/CODEOWNERS owners are requested automatically for their paths. |
| What reviewers check | Correctness and edge cases, focused scope, Testing Policy compliance with passing CI, the pnpm run style gate, input validation and trust boundaries, secret hygiene, OSS/enterprise isolation, and updated docs. |
| Acceptance bar | One approving non-author review, all required CI checks green, resolved comments, and a judgment that the change is worthwhile and free of known disqualifying defects. |
| Release approval | Stable releases require release-approval from a maintainer other than the release preparer. |
The full contributor-facing policy lives in ./CONTRIBUTING.md.
Community Standards
The project follows the repository Code of Conduct. Harassment, private-information disclosure, and disruptive behavior are not acceptable.
Security Governance
Security concerns must be reported through Report a Vulnerability. Public issues are not appropriate for vulnerabilities, credential exposure, unsafe execution, or exploitable operational failures.
Next Step
Maintainers preparing a cut should use Release Caracal.

