Shared rules for human and agent contributions

Define what humans and agents may do with deterministic policy, strict evidence requirements, and machine-verifiable outcomes.


Core Principles

Interaction Matrix

This matrix summarizes Covenant's canonical actions across actor kinds.

| Interaction | Human | Agent | Manager | Typical Controls |
| --- | --- | --- | --- | --- |
| issue.open | allow/warn/deny | allow/warn/deny | allow | templates, labels, attestation |
| issue.comment | allow/warn/deny | allow/warn/deny | allow | thread mode control |
| issue.label | allow/warn/deny | allow/warn/deny | allow | auto-label policy |
| issue.solve | allow/warn/deny | allow/warn/deny | allow | evidence policy |
| pull_request.open | allow/warn/deny | allow/warn/deny | allow | provenance and tests |
| pull_request.update | allow/warn/deny | allow/warn/deny | allow | re-attestation |
| pull_request.review.submit | allow/warn/deny | allow/warn/deny | allow | reviewer policy |
| pull_request.review.approve | allow/warn/deny | allow/warn/deny | allow | human-only gates |
| pull_request.merge | allow/warn/deny | allow/warn/deny | allow | branch and ruleset checks |
| conversation.intervene_human_thread | allow/warn/deny | allow/warn/deny | allow | human thread protection |
| conversation.intervene_agent_thread | allow/warn/deny | allow/warn/deny | allow | agent thread policy |
| maintenance.cleanup | allow/warn/deny | allow/warn/deny | allow | close PR, delete branch |
| routing.to_develop_bot | allow/warn/deny | allow/warn/deny | allow | reroute to develop-bot branch |

Policy Playground

Paste covenant.yml and a canonical event JSON payload. The playground validates policy shape and simulates deterministic evaluation.


Browser playground validates structure and rule matching. Cryptographic attestation must be verified in CI/CLI.

CI-Verified Badge Set

Every Covenant-enabled repository exposes five governance badges. This section renders every possible state, stacked by category, so maintainers can compare policy posture at a glance and avoid ambiguous badge usage.

Help text below focuses on the four policy-decision badges; covenant-enabled is always enabled when Covenant is active.

agent-pr-policy

Shows the strictest policy outcome for agent-authored pull requests.

Practical example: a human asks an agent to open a PR; allow means it can proceed, warn means it opens with policy warnings, and deny means the PR is blocked.

provenance-policy

Shows whether a default provenance profile enforces evidence fields.

Practical example: an agent opens a PR; with required it must include evidence like model and provider, while none means those fields are not enforced.

attestation-required

Indicates whether cryptographic attestation signatures are required.

Practical example: when an agent submits a PR, required or agents means it must attach a valid signed attestation payload or policy checks fail.

thread-intervention-policy

Shows whether intervention in human threads is restricted.

Practical example: in a human-only incident thread, controlled means an agent comment is warned or denied unless explicitly allowed.

Badge states by category:

  - covenant: enabled
  - agent-pr-policy: allow, warn, deny, none
  - provenance-policy: required, configured, none
  - attestation-required: required, agents, none
  - thread-intervention-policy: controlled, open

Embed these directly from GitHub raw URLs in READMEs, docs, and dashboards. See docs/BADGES.md for copy/paste snippets.

For Agent Operators

  1. Fetch and parse /covenant.yml before any action.
  2. Normalize planned action to Covenant canonical action names.
  3. Check effective rule outcome and requirements.
  4. If attestation is required, sign covenant.attestation.v1 payload.
  5. Attach evidence fields and attestation to contribution metadata.
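
A pre-flight gate that follows the five steps above, as an added sketch that is not Covenant's own code. The policy layout, the ALIASES map, the attestation payload fields and the deny-on-no-match default are assumptions, and HMAC-SHA256 stands in for the signature scheme, which this page does not specify.

```python
import hashlib
import hmac
import json

# Constructed policy, as it might look after parsing /covenant.yml (step 1).
# The layout is an assumption for this sketch, not Covenant's schema.
POLICY = {
    "rules": [
        {"action": "pull_request.open", "actor": "agent", "outcome": "warn",
         "requires": {"evidence": ["model", "provider"], "attestation": True}},
        {"action": "pull_request.merge", "actor": "agent", "outcome": "deny"},
    ]
}
# Hypothetical mapping from an agent's own verbs to canonical action names (step 2).
ALIASES = {"create_pr": "pull_request.open", "merge_pr": "pull_request.merge"}
SEVERITY = {"allow": 0, "warn": 1, "deny": 2}


def preflight(planned, actor, evidence, signing_key):
    """Return (outcome, metadata); metadata is None unless the action may proceed."""
    action = ALIASES.get(planned, planned)                      # step 2
    rules = [r for r in POLICY["rules"]
             if r["action"] == action and r["actor"] == actor]
    if not rules:
        return "deny", None           # fail closed: no matching rule, no action
    rule = max(rules, key=lambda r: SEVERITY[r["outcome"]])     # step 3: strictest wins
    if rule["outcome"] == "deny":
        return "deny", None
    requires = rule.get("requires", {})
    missing = [f for f in requires.get("evidence", []) if not evidence.get(f)]
    if missing:
        return "deny", None           # required evidence absent: do not submit
    metadata = {"action": action, "evidence": dict(evidence)}
    if requires.get("attestation"):                             # step 4
        payload = {"type": "covenant.attestation.v1", "action": action,
                   "actor": actor, "evidence": evidence}
        # Canonical serialization so signer and verifier hash identical bytes.
        blob = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        # HMAC-SHA256 is a stand-in; the real signature scheme is not given here.
        sig = hmac.new(signing_key, blob, hashlib.sha256).hexdigest()
        metadata["attestation"] = {"payload": payload, "signature": sig}  # step 5
    return rule["outcome"], metadata
```

The gate returns no metadata on any deny path, so a caller cannot accidentally submit a contribution that lacks required evidence or a signature.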