---
title: "Understand Governance"
url: "https://docs.caracal.run/contributing/governance/"
markdown_url: "https://docs.caracal.run/markdown/contributing/governance.md"
description: "Maintainer ownership, contribution process, security process, and community expectations."
page_type: "reference"
concepts: []
requires: []
---

# Understand Governance


Caracal is maintained by Garudex Labs. Maintainers listed in `.github/MAINTAINERS` are the primary decision-makers for project areas, reviews, triage, standards, and releases.

## Contribution Scale

| Change size | Expected process |
| --- | --- |
| Small focused fix | Pull request with clear validation. |
| Medium bug or feature | GitHub issue with context and expected outcome before implementation. |
| Large or cross-cutting change | Proposal with problem statement, alternatives, trade-offs, open questions, and smaller sub-issues. |
| Security-sensitive change | Private security process and maintainer coordination. |

## Maintainer Responsibilities

- Review changes in owned areas.
- Enforce repository standards and product boundaries.
- Keep security reports private.
- Approve releases and release workflow changes.
- Preserve open-source and enterprise product isolation.

## Code Review Requirements

Every change is proposed as a pull request and reviewed before merge or release.

| Requirement | Expectation |
| --- | --- |
| Independent review | At least one maintainer other than the author approves each pull request; authors do not approve or merge their own changes. |
| Area ownership | `.github/CODEOWNERS` owners are requested automatically for their paths. |
| What reviewers check | Correctness and edge cases, focused scope, Testing Policy compliance with passing CI, the `pnpm run style` gate, input validation and trust boundaries, secret hygiene, OSS/enterprise isolation, and updated docs. |
| Acceptance bar | One approving non-author review, all required CI checks green, resolved comments, and a judgment that the change is worthwhile and free of known disqualifying defects. |
| Release approval | Stable releases require `release-approval` from a maintainer other than the release preparer. |

The full contributor-facing policy lives in [`./CONTRIBUTING.md`](https://github.com/Garudex-Labs/caracal/blob/main/CONTRIBUTING.md#code-review).

## Community Standards

The project follows the repository [Code of Conduct](https://github.com/Garudex-Labs/caracal/blob/main/.github/CODE_OF_CONDUCT.md). Harassment, private-information disclosure, and disruptive behavior are not acceptable.

## Security Governance

Security concerns must be reported through [Report a Vulnerability](/security/disclosure/). Public issues are not appropriate for vulnerabilities, credential exposure, unsafe execution, or exploitable operational failures.

## Next Step

Maintainers preparing a cut should use [Release Caracal](/contributing/release/).

## Related Pages

- [Make a Change](/contributing/workflow/)
- [Review the Threat Model](/security/threat-model/)
- [Respond to Incidents](/operations/incident-response/)
