M.
Control Define Verify Build Access GitHub
WHAT MUST BE TRUE

Define.

Define the work, the boundaries, and the measure for success.

Request access Verify
need
without definition, anything can happen.
solution
workflows with defined outcomes make your work verifiable.
outcome
your work scales across boundaries.
WHY DEFINE

Without definition.
Anything can happen.

Work drifts. Scope creeps. Requirements shift mid-flight. Execution without boundaries is a liability.

You need everyone aligned before you start. Not after. You need the rules locked before anyone begins. No moving the goalposts.

why this matters

I need everyone aligned before we start. Not after.

I need the rules locked before anyone begins.

scope
what paths can change, what files are in bounds
checks
what must pass before work is accepted
evidence
what artifacts must exist as proof
ownership
who decides acceptance, who can release
THE CONTRACT

With definition.
Success is clear at the start.

The workflow makes work repeatable. Same inputs, same checks, same pattern. Work can run with people, automation, or agents. The pattern stays constant.

The contract locks scope, required checks, and ownership before work begins. Pinned before execution. Cannot be modified by what it governs.

The contract is the source of truth. Local acceptance is authoritative.

why this matters

I need the work done whether it's me, my team, or a script running at 3am.

Repeatable, verifiable work. No moving the goalposts.

# work-contract.yaml
scope:
  paths: ["src/**", "tests/**"]

checks:
  - name: tests-pass
    run: pytest
  - name: lint-clean
    run: ruff check .

evidence:
  - coverage.xml
  - test-report.json

ownership:
  approver: @platform-team

The contract is pinned at workflow start. Execution cannot modify the rules it's judged by.

AGENTS AND SYSTEMS

The workflow is the guardrail.
Agents execute within it.

Give Claude Code or Codex access to your repos. The workflow defines what they can do. Scope constrains paths. Checks enforce requirements. Deviation fails closed.

The agent doesn't interpret policy. It operates within the contract. You define the guardrails. Agents follow them. No drift. No surprises.

Chain workflows into systems. One workflow triggers the next. A build runs for hours, then hands off to release management, then to production deployment. Each step verified. Each handoff receipted.

why this matters

I want to give agents access without worrying they'll break things.

The workflow is the policy. Agents can't deviate from what they're governed by.

constrained
agents operate within defined scope
fail closed
deviation fails the check
chained
workflows trigger workflows
unattended
runs for hours without intervention
NEXT

How do you know it was done right?

Verify shows how checks run at acceptance and receipts record what passed.

Verify Build