ariffazil/PR Review Governance
skills/pr-review-governance/SKILL.md
High-level governance layer for pull request review across the federation. Ensures separation of duties, required signers, and constitutional compliance before merge.
development
Updated May 27, 2026
$ install --global
skillsauthnpx skillsauth add ariffazil/openclaw-workspace PR Review GovernanceInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 27, 2026, 3:14 AM151.9s1 file scanned
SKILL.md
- id:
- pr-review-governance
- name:
- PR Review Governance
- version:
- 1.0.0
- description:
- High-level governance layer for pull request review across the federation. Ensures separation of duties, required signers, and constitutional compliance before merge.
- owner:
- AAA
- risk_tier:
- high
- physics:
- false
- math:
- false
- language:
- true
- schema_version:
- 1
- artifact_hash:
- pending
PR Review Governance
Overview
Not all PRs are equal. This skill applies governance rules based on risk tier:
| Risk Tier | Required Reviewers | Judge Required? | |-----------|-------------------|-----------------| | low | 1 peer | No | | medium | 1 peer + 1 architect | No | | high | 2 peers + 1 auditor | Yes (888_JUDGE) | | critical | All of above + Arif | Yes |
When to Use
- Any PR marked
highorcriticalrisk - Any PR touching constitutional files
- Any PR with >100 changed files
- Any PR deleting files
Procedure
Step 1: Risk Classification
Classify PR risk based on:
- Files touched
- Lines changed
- Repos affected
- Authority boundaries crossed
Step 2: Assign Reviewers
Per risk tier, assign required reviewer roles:
- peer (same domain)
- architect (cross-domain)
- auditor (compliance)
- judge (888_JUDGE for high/critical)
Step 3: Verify Separation of Duties
- Author ≠ approver
- Engineer cannot self-seal
- Proposer ≠ final approver for high-risk
Step 4: Block or Approve
| Condition | Action | |-----------|--------| | All required reviewers approved | Merge allowed | | Missing required reviewer | Block with comment | | Self-approval detected | Block + escalate | | Constitutional file changed | Block + 888_JUDGE |
Escalation Path
| Condition | Escalate To | |-----------|-------------| | Self-approval on high-risk PR | arifOS 888_JUDGE | | Constitutional file changed | arifOS 888_JUDGE | | Author disputes risk tier | Arif |
Skill version 1.0.0 — AAA Skill Library
Related Skills
ariffazil/skill-trigger-linter
development
VerifiedTrustedCommunity
Check every skill’s “use when” and “do not use when” clauses for collisions, missing negatives, and vague verbs like “help,” “assist,” or “improve.” Load when linting, reviewing, or validating trigger boundaries.
SKILL.mdUpdated May 27, 2026
ariffazil/skill-creator
development
VerifiedTrustedCommunity
Bootstrap, design, and package new skills. Load when capturing user intent for a new skill or drafting its initial instruction framework.
SKILL.mdUpdated May 27, 2026
ariffazil/Federation Service Health Triage
content-media
VerifiedTrustedCommunity
Diagnose which federation services are up, down, or drifting. Produce a prioritized remediation plan.
SKILL.mdUpdated May 27, 2026
ariffazil/Secret Safety Scan
business
VerifiedTrustedCommunity
Scan a repo or workspace for exposed secrets, tokens, keys, and credentials. Produce a findings report with remediation steps.
SKILL.mdUpdated May 27, 2026