Root Allowlist Governance
This document is the normative policy for repo-root governance. The live inventory is generated, not maintained here. Use these surfaces together:- Canonical contract:
operations/governance/config/root-governance.json - Generated root projection:
.allowlist - Generated live map:
docs-guide/repo-ops/config/root-governance-map.mdx - Generated sync reports:
workspace/reports/repo-ops/ROOT_GOVERNANCE_SYNC_LATEST.{json,md}
Policy
.allowlist is machine-readable input to the root-structure gate in .githooks/pre-commit.
It must never be used as:
- a notes file
- a migration plan
- a report sink
- a place to pre-allow future paths
operations/governance/config/root-governance.json. .allowlist is a generated projection.
Root Admission Rules
An entry may remain at repo root only when at least one of these is true:- the platform discovers it by fixed root path
- the repo uses it as a root entrypoint or contract
- the published URL contract depends on the root path
- the repo has explicitly approved it as a root subsystem
docs-guide/**for policy and maintainer docsoperations/**andtools/**for scripts and runtime logicworkspace/**for plans, audits, reports, and local scratch outputs
Generated Governance Model
The root-governance generator must deterministically write:.allowlistdocs-guide/repo-ops/config/root-governance-map.mdxworkspace/reports/repo-ops/ROOT_GOVERNANCE_SYNC_LATEST.jsonworkspace/reports/repo-ops/ROOT_GOVERNANCE_SYNC_LATEST.md
operations/scripts/validators/governance/compliance/check-root-governance-sync.js must fail when those outputs drift from operations/governance/config/root-governance.json.
Root Hygiene Rules
.allowlist may contain only:
- root-level entries
- blank lines
#comment lines
- nested paths
- HTML comments
- prose paragraphs
- report output
- retired entries
.DS_Store.cache/.playwright-cli/- backup files
- debug logs
workspace/reports/_local/playwright/**.
Local .env compatibility is allowed only as an untracked root file. It is not part of the governed root set.
Approved Root Decisions In This Model
The following decisions are locked into the current governance contract:ai-tools/is an approved root subsystem and must not be treated as accidental root drift in this pass.docs-index.json,llms.txt, andsitemap-ai.xmlare ratified AI-first public root artifacts.llms-full.txtis retired and must not be regenerated or documented as active..cursorrulesis retired and must not be recreated as a governed root surface.
Change Process
When root governance changes:- Edit
operations/governance/config/root-governance.json. - Regenerate root-governance outputs.
- Update manual policy docs that describe the rules, not the live inventory.
- Run the root-governance validator and affected generated-artifact checks.
.allowlist as the primary source of truth.
Related
docs-guide/repo-ops/config/root-governance-map.mdxdocs-guide/repo-ops/config/repo-config-map.mdxdocs-guide/policies/agent-governance-framework.mdxoperations/scripts/generators/content/catalogs/generate-docs-index.jsoperations/scripts/generators/ai/llm/generate-llms-files.jsoperations/scripts/generators/content/seo/generate-ai-sitemap.jstools/lib/docs/docs-index-utils.jsoperations/scripts/automations/content/language-translation/translate-docs.jsdocs-guide/contributing/contributing.mdxdocs-guide/contributing/git-hooks.mdxdocs-guide/contributing/agent-instructions.mdx
api/ Governance
api/ is a schema-only directory. It contains OpenAPI specification files referenced by the docs platform for API reference rendering.
Rules:
- Spec files only —
api/must contain only OpenAPI/JSON schema files (.yaml,.json). No.mdxpage content, no.backupfiles, no partial mirrors. - No backup files —
openapi.yaml.backupand similar were removed as part of Phase 0 cleanup (2026-03-21). Future backups belong in_workspace/archive/if they exist at all. - No duplicate subdirs —
api/worker/was removed (2026-03-21) as it was an exact mirror ofapi/root files. If worker-specific specs diverge in the future, they get their own named spec file inapi/, not a subdirectory mirror. - Size — specs are schema-only; they should remain small. If a spec exceeds 500 KB, review for consolidation.
| File | Purpose |
|---|---|
api/gateway.openapi.yaml | Gateway API spec |
api/openapi.yaml | Primary public API spec |
api/openapi.json | JSON mirror of openapi.yaml |
api/ai-worker.yaml | AI Worker API spec |
api/cli-http.yaml | CLI HTTP API spec |
api/studio.yaml | Studio API spec |
_workspace/ Standard for Root Folders
Every named root folder (excluding dot-dirs, v1/, and v2/) may contain a _workspace/ subdirectory for maintainer-only scratch, planning, and archive material.
Folders with _workspace/ (created 2026-03-21):
| Folder | _workspace/ subdirs |
|---|---|
ai-tools/ | skill-research/, rule-drafts/, archive/ |
api/ | (root — use for spec-related scratch only) |
docs-guide/ | archive/, drafts/ |
snippets/ | (root — use for component/asset scratch) |
tools/ | (root — use for tooling scratch) |
workspace/ | N/A — the folder is itself the workspace |
_workspace/under a root folder must not appear indocs.jsonnavigation.- All root-folder
_workspace/dirs are covered by.mintignorepatterns (/ai-tools/_workspace/**,/api/_workspace/**,/snippets/_workspace/**,/tools/_workspace/**). - The approved subdir names match the
v2/section_workspace/contract:notes/,plans/,research/,reviews/,drafts/,handoff/,archive/,deprecated/,context-data/,staging/. - Root-folder
_workspace/content follows the same TTL rules asdocs-guide/_workspace/: 30-day TTL for scratch (notes, drafts, research, reviews), 90-day TTL for archive.