Specification | Covenant v1

1. Purpose

covenant.yml is a deterministic governance contract for repositories. It defines what human contributors, software agents, and manager actors may do across repository interaction surfaces.

The policy is machine-readable and schema-validated. No enforcement decision depends on natural language interpretation.

Read this page as an implementation guide: sections 2-5 define the contract and evaluation pipeline, sections 6-11 define behavior and interfaces, and sections 12-14 define compliance and shared terminology.

2. Canonical Location

The policy file must be placed at the repository root:

/covenant.yml

No alias locations are part of Covenant v1.

3. Decision Model

Covenant uses three outcomes:

allow: action is accepted
warn: action is accepted but flagged
deny: action is rejected

Strictness ordering: deny > warn > allow

In practice, this means any failing requirement can only keep or increase strictness. A decision never becomes less strict later in evaluation.

4. Top-Level Contract

Think of top-level keys as contract modules: each one controls a different stage of evaluation, verification, or enforcement.

Key	Purpose
`spec_version`	Pins behavior to a known spec contract.
`defaults`	Fallback decision behavior when no rule matches.
`actors`	Identity mapping for human, agent, and manager actor profiles.
`surfaces`	Optional surface-level configuration and constraints.
`rules`	Primary policy logic (actor + action + constraints -> outcome).
`requirements`	Evidence and provenance requirements applied after rule selection.
`attestation`	Cryptographic verification controls and failure handling.
`enforcement`	Action plan templates for `allow`/`warn`/`deny` decisions.
`routing`	Branch reroute behavior for selected denied operations.
`policies`	Pre-rule global gates (for example eligible-label checks).
`metadata`	Informational fields that do not change the decision model.

Unknown top-level keys are invalid.

4.1 Policies

The policies section defines cross-cutting constraints that are evaluated before rule matching.

agent_eligible_labels restricts agents to issues carrying at least one eligible label.

policies:
  agent_eligible_labels:
    labels: [agent-friendly, good-first-bot-issue]
    actions: [issue.solve, issue.comment]
    on_missing: deny

labels: at least one of these labels must be present on the issue.
actions: optional list limiting which canonical issue actions the gate applies to.
on_missing: decision used when labels are missing (allow, warn, or deny).

This gate only affects agents. Humans and managers are not subject to it.

5. Deterministic Resolution Algorithm

Input event envelope:

{
  "action": "pull_request.open",
  "actor": { "id": "ci-agent[bot]", "kind": "agent" },
  "repository": { "name": "acme/project", "visibility": "public" },
  "target": { "branch": "main", "thread_mode": "mixed", "labels": ["ai"] },
  "evidence": {
    "model": "gpt-5",
    "provider": "openai",
    "prompt_record": "prompt://123",
    "test_proof": "tests://ci/123"
  },
  "attestation": {}
}

Envelope Field	How to interpret it
`action`	Canonical operation being evaluated (for example `pull_request.open`).
`actor`	Who initiated the event; used for actor-kind resolution and profile matching.
`repository`	Repository context used by rules or conditions (name, visibility, and related metadata).
`target`	Action target context such as branch, labels, and thread mode.
`evidence`	Provenance fields evaluated by requirement profiles.
`attestation`	Signed proof block, required only where policy demands it.

Resolution steps:

Normalize incoming platform event into canonical action and envelope.
Apply policies gates (for example agent_eligible_labels) before rule matching.
Match candidate rules by actor, action, target, and conditions.
Compute specificity tuple: actor specificity, action specificity, target specificity, condition count.
Select highest tuple.
If tie: apply strictness tie-break (deny > warn > allow).
If no rule matches: use defaults.unmatched.
Apply requirements checks.
Apply attestation checks when required.
Compute final decision as the maximum strictness of rule outcome and requirement/attestation failures.
Compute reason codes and emit enforcement action plan.

Think of the algorithm as a fixed pipeline: normalize -> gate -> match -> escalate -> enforce. Because the order is fixed, identical inputs always produce identical outputs.

6. Interaction Matrix

The matrix below maps each canonical action to expected decision ranges per actor kind. Hover selected headers and action names for field-level guidance.

This is a capability map, not a direct allow-list. The final decision for a given event still depends on your concrete rules, policies gates, and requirement failures.

Interaction	Human	Agent	Manager	Typical Controls
`issue.open`	allow/warn/deny	allow/warn/deny	allow	templates, labels, attestation
`issue.comment`	allow/warn/deny	allow/warn/deny	allow	thread mode control
`issue.label`	allow/warn/deny	allow/warn/deny	allow	auto-label policy
`issue.solve`	allow/warn/deny	allow/warn/deny	allow	evidence policy
`pull_request.open`	allow/warn/deny	allow/warn/deny	allow	provenance and tests
`pull_request.update`	allow/warn/deny	allow/warn/deny	allow	re-attestation
`pull_request.review.submit`	allow/warn/deny	allow/warn/deny	allow	reviewer policy
`pull_request.review.approve`	allow/warn/deny	allow/warn/deny	allow	human-only gates
`pull_request.merge`	allow/warn/deny	allow/warn/deny	allow	branch and ruleset checks
`conversation.intervene_human_thread`	allow/warn/deny	allow/warn/deny	allow	human thread protection
`conversation.intervene_agent_thread`	allow/warn/deny	allow/warn/deny	allow	agent thread policy
`maintenance.cleanup`	allow/warn/deny	allow/warn/deny	allow	close PR, delete branch
`routing.to_develop_bot`	allow/warn/deny	allow/warn/deny	allow	reroute to develop-bot branch

Thread modes are explicit: human, agent, mixed.

7. Attestation Contract

Attestation version: covenant.attestation.v1

The signed payload binds identity, action, repository context, policy revision, and freshness controls into one verifiable artifact.

Field	Expected meaning
`version`	Contract version of the attestation payload.
`actor_id`	Exact actor identity that created the action.
`action`	Canonical action being attested.
`repository`	Repository identifier this attestation applies to.
`ref`	Git reference tied to the action context.
`policy_sha256`	Hash binding the signature to a specific policy revision.
`timestamp`	Creation time used for freshness checks.
`nonce`	Single-use token used for replay protection.

Verification key registry: actors.agents[].verification

Minimum controls:

Signature verification
Timestamp freshness (attestation.max_age_seconds)
Replay protection (attestation.nonce_ttl_seconds)
Policy hash equality

A valid signature is necessary but not sufficient: freshness, nonce reuse, and policy-hash checks must all pass.

8. Enforcement Operations

Enforcement operations are deterministic side effects. They explain, route, or block actions based on the final decision.

Operation	Typical use
`comment`	Communicate why a decision was produced.
`label`	Mark issues/PRs for workflow routing or review queues.
`close_pull_request`	Stop disallowed changes from remaining open.
`delete_branch`	Clean up denied or obsolete contribution branches.
`reroute_to_branch`	Retarget blocked PRs to a staging branch.
`fail_status`	Surface policy failures in CI checks.

Actions are planned deterministically from enforcement.<decision> and optional routing rules.

9. Canonical Actions

Canonical actions are normalized event names used by rules. Platform-specific event payloads should map to one of these before evaluation.

Action	When it is used
`issue.open`	Create a new issue.
`issue.comment`	Add a comment to an issue.
`issue.label`	Add or change issue labels.
`issue.solve`	Close or resolve an issue.
`pull_request.open`	Create a new pull request.
`pull_request.update`	Push updates to an existing pull request.
`pull_request.review.submit`	Submit a review on a pull request.
`pull_request.review.approve`	Set review state to approved.
`pull_request.merge`	Merge an approved pull request.
`conversation.intervene_human_thread`	Comment in a thread labeled as human-focused.
`conversation.intervene_agent_thread`	Comment in a thread labeled as agent-focused.
`maintenance.cleanup`	Perform maintenance actions like close/relabel/delete branch.
`routing.to_develop_bot`	Retarget denied pull requests to a configured staging branch.

Wildcards supported in rules: * and <surface>.* (e.g., pull_request.*)

Use exact actions when you need strict control, and surface wildcards when you want broader but still explicit policy coverage.

10. Resolution Flow

Incoming platform event
  -> Normalize to canonical action
  -> Apply policies gates
  -> Match candidate rules
  -> Compute specificity tuple
  -> Select rule or defaults.unmatched
  -> Apply provenance requirements
  -> Apply attestation checks
  -> Finalize decision and reason codes
  -> Plan enforcement operations
  -> Emit CI outputs and badges

This condensed flow mirrors the algorithm in section 5 and is useful as a debugging checklist when a decision looks unexpected.

11. Public Interfaces

These interfaces are the stable integration points for local tooling, CI workflows, and policy-aware automation.

CLI

covenant validate [policy-path]
covenant eval --event <json|path> [--policy <path>]
covenant badge --format json|shields [--policy <path>]

GitHub Action

Inputs: policy-path, event-json, mode

Outputs: decision, reason_codes, enforcement_actions

Schema

schema/covenant.schema.json

Integrators should treat CLI output and action outputs as machine contracts, and use the schema for validation before policy evaluation.

12. Conformance

A Covenant v1 implementation is conformant if:

Identical event + identical policy always produce identical output.
Unsupported keys are rejected.
No decision depends on free-text interpretation.
Decision and reason codes are emitted in machine-readable form.

Conformance is about behavior, not language. If two engines disagree on a decision for the same input, at least one is non-conformant.

13. Reason Codes

Conformant engines emit machine-readable reason codes with each decision.

Treat reason codes as your debugging API: they explain exactly which gate, rule, or verification check influenced the final outcome.

Rule Selection

Code	Meaning
`rule.selected.<id>`	Rule with the given ID was selected as the best match.
`defaults.unmatched`	No rule matched; `defaults.unmatched` was applied.

Policies Gate

Code	Meaning
`policies.agent_eligible_labels.missing`	Agent issue action had no eligible label.

Provenance / Evidence

Code	Meaning
`requirements.provenance_profile_missing`	Referenced provenance profile is not defined.
`requirements.provenance.missing.<field>`	Required evidence field is absent or empty.

Attestation

Code	Meaning
`attestation.missing`	No `attestation` block was provided.
`attestation.invalid_version`	Attestation version is not `covenant.attestation.v1`.
`attestation.actor_mismatch`	`attestation.actor_id` does not match `event.actor.id`.
`attestation.action_mismatch`	`attestation.action` does not match `event.action`.
`attestation.policy_hash_mismatch`	`attestation.policy_sha256` does not match evaluated policy.
`attestation.invalid_timestamp`	`attestation.timestamp` is not parseable.
`attestation.expired`	Attestation is older than `attestation.max_age_seconds`.
`attestation.invalid_nonce`	`attestation.nonce` is missing or invalid.
`attestation.replayed_nonce`	Nonce was already seen within `nonce_ttl_seconds`.
`attestation.verification_key_missing`	No verification key is registered for the actor profile.
`attestation.unsupported_verification_type`	Verification type is not supported.
`attestation.invalid_signature_encoding`	Public key or signature is not valid base64.
`attestation.invalid_signature`	Signature verification failed.
`attestation.signature_verification_error`	Internal error occurred during signature verification.

14. Glossary

Use this glossary as the canonical meaning of terms used across policy files, CLI output, and documentation.

Term	Definition
actor	Entity performing an action: `human`, `agent`, or `manager`.
agent	Software system acting autonomously on a repository.
action	Canonical interaction event, e.g. `pull_request.open`.
attestation	Signed payload asserting context for an agent action.
decision	Policy evaluation outcome: `allow`, `warn`, or `deny`.
evidence	Provenance fields in `event.evidence` (model, provider, prompt_record, test_proof).
manager	Trusted actor kind declared in policy for governance automation.
outcome	Rule-declared value (`allow`, `warn`, `deny`) before requirement escalation.
policy	Full contents of a `covenant.yml` file.
profile	Named actor entry under `actors.agents[]`, `actors.humans[]`, or `actors.managers[]`.
provenance	Origin/context metadata for an agent action.
rule	Policy entry mapping actor + action (+ optional target/conditions) to an outcome.
surface	Namespace grouping related actions, such as `issue` or `pull_request`.
thread mode	Conversation type: `human`, `agent`, or `mixed`.