
Governance Rules

29 anti-patterns tracked | 6-layer enforcement | Content classification matrix

This page documents the governance rules that the ADLC framework enforces across all agent interactions. Rules are derived from adlc-governance.md (source of truth) and implemented through hooks, permissions, and behavioral constraints.


Anti-Pattern Registry

The ADLC framework tracks 29 anti-patterns discovered through production incidents. Each pattern has a root cause analysis, prevention mechanism, and detection hook.

Coordination Anti-Patterns

| # | Pattern | Description | Prevention |
|---|---------|-------------|------------|
| 1 | STANDALONE_EXECUTION | Specialist work without PO+CA approval | remind-coordination.sh (exit 1) |
| 2 | RUBBER_STAMP_COORDINATION | Running PO+CA in background then proceeding immediately | FOREGROUND-only rule |
| 3 | COORDINATION_WITHOUT_DELEGATION | PO+CA ran but Claude used raw Edit/Write instead of specialist Task | enforce-specialist-delegation.sh (exit 2) |
| 4 | PLAN_MODE_COORDINATION_BYPASS | Plan mode framing overrides coordination-first requirement | Rules-layer + invocation verb patterns |
| 5 | SCOPE_DRIFT_BYPASS | Logs from prior scope treated as valid for new question | Rules-layer: self-check log scope |
| 6 | HITL_REPORT_SCOPE_DRIFT | Implementation logs used to authorize HITL report deliverable | remind-coordination.sh v4.3.0 scope detection |
| 7 | EXPLORE_AGENT_BYPASS | invoke.*agent regex matched non-coordination agents (Explore, Plan), so the coordination check was falsely satisfied | remind-coordination.sh: tighten COORDINATION_PATTERNS to explicit product.owner\|cloud-architect names only |
| 8 | RAW_TOOL_OVER_SKILL | Using raw Edit/Bash instead of task commands or ADLC skills | CLAUDE.md "Use This / NOT This" table |

Evidence Anti-Patterns

| # | Pattern | Description | Prevention |
|---|---------|-------------|------------|
| 9 | NATO_VIOLATION | Completion claims without evidence paths | detect-nato-violation.sh (exit 2) |
| 10 | SKIP_EVIDENCE | Completion without artifacts in tmp/ | detect-nato-violation.sh + evidence gate |
| 11 | TEXT_OUTPUT_BYPASS | Implementation content in text without PO+CA coordination | Rules-layer (unhookable surface) |
| 12 | KISS_MISINTERPRETATION | KISS principle misread as "shorten output" -- strips evidence | Rules-layer: KISS governs code, not evidence |
| 13 | JSON_ONLY_NATO | Updating JSON evidence files without updating the corresponding HITL-consumable deliverable (executive report, stakeholder summary) | Rules-layer: when evidence JSON changes materially, update the HITL deliverable in the SAME session |

Security Anti-Patterns

| # | Pattern | Description | Prevention |
|---|---------|-------------|------------|
| 14 | GITHUB_API_TREE_CORRUPTION | Git tree via API without base_tree deletes all other files | validate-bash.sh v2.1.0 blocks gh api git endpoints |
| 15 | HOOK_BYPASS_VIA_API | Using an alternative API to circumvent a hook-blocked action | Rules-layer: hooks are governance, not obstacles |
| 16 | BARE_METAL_TOOLS | Running terraform/tflint/checkov on host instead of container | enforce-container-first.sh (exit 2) |

Infrastructure Anti-Patterns

| # | Pattern | Description | Prevention |
|---|---------|-------------|------------|
| 17 | CI_CONTAINER_EACCES | Container job without options: --user 0 | Mandatory CI pattern |
| 18 | SUBMODULE_PAT_MISSING | Checkout with submodules using default GITHUB_TOKEN | token: ${{ secrets.SUBMODULE_PAT }} |
| 19 | CHECKOUT_BARE_TAG_NAME | actions/checkout with bare tag name fails on dispatch | Normalize to refs/tags/ prefix |
| 20 | MONOLITHIC_CI | Cost/security jobs in ci.yml instead of separate workflows | Single-responsibility workflows |
| 21 | BLIND_PLAN_EXECUTION | Plan items executed without verifying prerequisites | Gate-check each plan item |
| 22 | FALSE_AS_IS_STATE | Explore agent returned "not found" for staged content | Cross-validate with git status |

Resource Discovery Anti-Patterns

| # | Pattern | Description | Prevention |
|---|---------|-------------|------------|
| 23 | NARROW_SEARCH_SCOPE | Searching a subset of accounts manually when org-wide discovery tools exist; per-account search past 3 accounts signals that org-wide tools should be used | Rules-layer: attempt org-wide tools FIRST (Config Aggregator, Resource Explorer AGGREGATOR, Cost Explorer). Per-account is P2 fallback only |
| 24 | SINGLE_ACCOUNT_ASSUMPTION | Trusting the task-provided account ID without verifying the resource actually exists there | Rules-layer: Phase 0 MUST verify the resource's actual account via org-wide discovery BEFORE deep-diving the provided account |
| 25 | DELAYED_ORG_WIDE_ESCALATION | Continuing per-account manual search instead of escalating to org-wide discovery after repeated NOT_FOUND | Rules-layer: after N=3 NOT_FOUND (configurable via ADLC_ORG_SEARCH_THRESHOLD), MANDATORY switch to org-wide discovery |

Version Anti-Patterns

| # | Pattern | Description | Prevention |
|---|---------|-------------|------------|
| 26 | FOCUS_VERSION_HALLUCINATION | Assuming FOCUS 1.3 when spec says 1.2+ | Grep-verify before writing |
| 27 | MANUAL_VERSION_BUMP | Editing VERSION/CHANGELOG when release-please exists | Detect release-please presence |
| 28 | RELEASE_PLEASE_DOUBLE_RELEASE | Manual git tag after release-please adoption | Mode-detection block |
| 29 | VERSION_DRIFT_SILENT_FAIL | release-please string-replace skips stale VERSION | 4-file consistency check |

Content Classification

Defines what requires PO+CA coordination versus what agents can answer directly.

Requires Coordination (BLOCKING)

All of the following require current, in-scope coordination logs:

  • Architecture decisions (choosing between design patterns, module structures)
  • Design comparisons ("why not X vs Y", "should we use A or B")
  • Technology selection rationale (which tool, library, framework)
  • Business value analysis (cost/benefit, trade-off assessments)
  • Implementation recommendations (how to build or change something)
  • Infrastructure strategy (deployment targets, scaling approaches)
  • Security posture decisions (sandboxing strategy, access control design)
  • HITL deliverables (manager reports, executive summaries, decision matrices)

Exempt from Coordination

The following can be answered directly without coordination logs:

  • Factual lookups ("What does this Terraform resource do?")
  • CLI/tool output interpretation (explaining error messages)
  • Reading and summarising existing files without recommending changes
  • Status checks ("Does this file exist?", "What is in this directory?")
  • Simple Q&A about existing code ("What does this variable do?")
  • Error debugging of existing code (identifying bugs, not redesigning)

Boundary Cases

| Question Type | Classification | Rationale |
|---------------|----------------|-----------|
| "What does this pattern do?" | Exempt | Factual description |
| "Is this pattern correct?" | Requires | Implies design judgement |
| "Should we use X or Y?" | Requires | Comparative design decision |
| "How do I fix this syntax error?" | Exempt | Mechanical correction |
| "How should we restructure this?" | Requires | Architectural recommendation |
| "Generate a HITL report" | Requires | Distinct deliverable scope |

CI Container Pattern (Mandatory)

All GitHub Actions jobs that use the container: directive must include options: --user 0:

```yaml
container:
  image: nnthanh101/terraform:2.6.0@sha256:<pinned-sha>
  options: --user 0 # Prevents EACCES on /__w/_temp/
```

All checkout steps with submodules: recursive must include token:

```yaml
- uses: actions/checkout@v4
  with:
    submodules: recursive
    token: ${{ secrets.SUBMODULE_PAT }}
```

PAT scoping: Fine-grained PAT, single-repo (submodule repo only), Contents: Read-only, 90-day expiry.
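As an added check for the two mandatory CI patterns above (example code written for this page, not a script from the ADLC project): a shell function that scans a workflow file and reports container: blocks that lack options: --user 0 (CI_CONTAINER_EACCES) and with: blocks that set submodules: recursive without a token: (SUBMODULE_PAT_MISSING). It assumes space-indented YAML (no tabs); the two sample workflow files it writes are constructed for illustration, and the image reference reuses the page's own <pinned-sha> placeholder.

```shell
#!/usr/bin/env bash
# Added example, not the ADLC project's own tooling: lint GitHub Actions
# workflow files for CI_CONTAINER_EACCES (container: without options: --user 0)
# and SUBMODULE_PAT_MISSING (submodules: recursive without token:).
# Assumes space-indented YAML (no tabs).

# Usage: lint_workflow path/to/workflow.yml
# Prints one finding per line; returns 0 when clean, 1 when any finding.
lint_workflow() {
  awk '
    BEGIN { bad = 0 }
    function indent(s) { match(s, /^ */); return RLENGTH }
    function flush_container() {
      if (in_container && !has_user0) {
        print FILENAME ":" cstart ": container block without options: --user 0 (CI_CONTAINER_EACCES)"
        bad = 1
      }
      in_container = 0
    }
    function flush_with() {
      if (in_with && has_submodules && !has_token) {
        print FILENAME ":" wstart ": submodules: recursive without token: (SUBMODULE_PAT_MISSING)"
        bad = 1
      }
      in_with = 0
    }
    {
      ind = indent($0)
      blank = ($0 ~ /^ *$/)
      # A non-blank line at or left of the block indent closes the block.
      if (in_container && !blank && ind <= cind) flush_container()
      if (in_with && !blank && ind <= wind) flush_with()

      if ($0 ~ /^ *container:/) { in_container = 1; cind = ind; cstart = NR; has_user0 = 0 }
      else if (in_container && $0 ~ /options:.*--user 0/) has_user0 = 1

      if ($0 ~ /^ *with: *$/) { in_with = 1; wind = ind; wstart = NR; has_submodules = 0; has_token = 0 }
      else if (in_with && $0 ~ /submodules: *recursive/) has_submodules = 1
      else if (in_with && $0 ~ /^ *token:/) has_token = 1
    }
    END { flush_container(); flush_with(); exit bad }
  ' "$1"
}

# Constructed sample workflows (written to a temp dir): one violating both
# rules, one compliant. Prints the directory path.
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/bad.yml" <<'EOF'
name: ci
on: [push]
jobs:
  terraform:
    runs-on: ubuntu-latest
    container:
      image: nnthanh101/terraform:2.6.0@sha256:<pinned-sha>
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - run: terraform validate
EOF
  cat > "$dir/good.yml" <<'EOF'
name: ci
on: [push]
jobs:
  terraform:
    runs-on: ubuntu-latest
    container:
      image: nnthanh101/terraform:2.6.0@sha256:<pinned-sha>
      options: --user 0
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
          token: ${{ secrets.SUBMODULE_PAT }}
      - run: terraform validate
EOF
  printf '%s\n' "$dir"
}

# Stand-alone demo: lint both samples; bad.yml yields two findings.
demo() {
  samples=$(make_samples)
  for f in "$samples/bad.yml" "$samples/good.yml"; do
    if lint_workflow "$f"; then echo "$f: clean"; fi
  done
}

demo
```

The linter is deliberately indentation-based rather than a full YAML parser: a container: or with: block ends at the first non-blank line indented at or above its own key, which is enough to catch the inline `container: image` shorthand (no room for options:) as well as a missing key. Point it at .github/workflows/*.yml in CI to enforce the pattern before a job ever hits EACCES.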


Hook Coverage Limitation

Claude's text response stream is the one ungated surface -- no hook event fires on text output.

| Hook Event | Fires On | Can Block |
|------------|----------|-----------|
| UserPromptSubmit | User's incoming prompt | Yes |
| PreToolUse | Edit/Write/Task/Bash tool calls | Yes |
| PostToolUse | Tool completion | No (audit only) |
| Text response | Not hookable | No |

Mitigation: Rules-layer prohibition in CLAUDE.md and adlc-governance.md. Claude must not produce implementation content in text output unless coordination logs exist and are scoped to the current question.
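PreToolUse is the surface on which the blocking scripts in the Security anti-patterns table (validate-bash.sh for GITHUB_API_TREE_CORRUPTION, enforce-container-first.sh for BARE_METAL_TOOLS) act. The following is an added example of such a PreToolUse hook, written for this page; it is not the ADLC project's validate-bash.sh or enforce-container-first.sh. It assumes the hook receives the tool call as JSON on stdin with a tool_name field and a tool_input.command field, and follows the convention the page's hooks use: exit 2 blocks the tool call, with the reason on stderr. The payloads in the comments and test are constructed.

```shell
#!/usr/bin/env bash
# Added example: a minimal PreToolUse hook for Bash tool calls.
# Not the ADLC project's validate-bash.sh / enforce-container-first.sh.
# Assumptions: the hook receives a JSON payload on stdin shaped like
#   {"tool_name":"Bash","tool_input":{"command":"..."}}   (constructed shape)
# and exit code 2 blocks the tool call (stderr is the reason shown to the model).

# Pull tool_input.command out of the payload. Prefers jq; the sed fallback
# only handles commands without embedded double quotes.
extract_command() {
  if command -v jq >/dev/null 2>&1; then
    printf '%s' "$1" | jq -r '.tool_input.command // empty'
  else
    printf '%s' "$1" | sed -n 's/.*"command"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
  fi
}

# Decide on one shell command. Returns 0 to allow, 2 to block.
check_command() {
  cmd="$1"

  # Anti-pattern 14 (GITHUB_API_TREE_CORRUPTION): block gh api calls to the
  # low-level /git/ data endpoints outright. A tree created without base_tree
  # drops every file not listed in it, so the plain git CLI is required instead.
  if printf '%s' "$cmd" | grep -Eq 'gh[[:space:]]+api[[:space:]].*/git/'; then
    echo "BLOCKED (GITHUB_API_TREE_CORRUPTION): gh api git endpoints are not allowed; use the git CLI" >&2
    return 2
  fi

  # Anti-pattern 16 (BARE_METAL_TOOLS): terraform/tflint/checkov must run in the
  # toolchain container. Only a tool in command position (start of line or right
  # after ; & |) is flagged, so "docker run ... terraform plan" passes because
  # terraform is an argument to docker there.
  if printf '%s' "$cmd" | grep -Eq '(^|[;&|][[:space:]]*)(terraform|tflint|checkov)([[:space:]]|$)'; then
    echo "BLOCKED (BARE_METAL_TOOLS): run terraform/tflint/checkov inside the container image" >&2
    return 2
  fi

  return 0
}

# Hook entry point: register as "this-script.sh --hook" so that sourcing or
# running the file without the flag does not wait on stdin.
run_hook() {
  payload=$(cat)
  cmd=$(extract_command "$payload")
  [ -n "$cmd" ] || exit 0          # no Bash command in the payload: allow
  check_command "$cmd"
  exit $?
}

if [ "${1:-}" = "--hook" ]; then
  run_hook
fi
```

Because the hook keys on command position, a wrapper such as env or a shell function in front of terraform is a known false negative; the page's own mitigation for that gap is the HOOK_BYPASS_VIA_API rule, which treats routing around a hook as a governance violation rather than something the hook alone must catch. Nothing here touches the text response stream, which the table above marks as not hookable.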


Evidence Requirements

| Type | Path Pattern | Format |
|------|--------------|--------|
| Coordination logs | tmp/<project>/coordination-logs/*.json | JSON with ISO8601 timestamps |
| Test results | tmp/<project>/test-results/*.json | JSON with pass/fail counts |
| Evidence packages | tmp/<project>/evidence/*.md | Markdown with verification details |
| Audit trail | tmp/<project>/security/*.jsonl | JSON Lines (append-only) |
| PDCA state | tmp/<project>/pdca-cycles/*.json | JSON with cycle counts |