This page is the source-of-truth contract between the FSI-AgentGov framework repository and the FSI-AgentGov-Solutions implementation catalog. It describes how the two repositories are coupled, which artifacts cross the boundary, and how each side should pin to the other to avoid silent breakage.
The framework repository (this one) owns the 78-control taxonomy, the
control manifest at assessment/manifest/controls.json, the assessment
engine, and the regulatory-mapping documentation. The Solutions repository
owns the 36 companion solution implementations (35 live + 1 preview) that map
back to those controls.
The Solutions repository validates each solution's manifest.yaml against
the framework's controls.json to ensure every claimed control mapping is
real. That validation creates a versioning dependency: if the framework
renames or removes a control on main, every Solutions PR that consumes
the framework from main will red-line at the same instant — even if the
Solutions change is unrelated.
To keep both repositories releasable, the Solutions repository must pin
to a framework release tag, not to main.
| Boundary artifact | Owner | Consumer | Contract |
|---|---|---|---|
assessment/manifest/controls.json |
Framework | Solutions (validation), assessment engine | SemVer; control IDs are stable within a major version |
| Control IDs and pillar numbers | Framework | Solutions, downstream docs | Removal or renumbering = major version bump |
Pass-condition strings (pass_condition) |
Framework | Assessment engine evaluators | Renaming = minor unless the evaluator is also updated atomically |
| Solution → control mappings | Solutions | Framework solutions-integration.md |
Solutions cite framework tag in manifest.yaml |
Generated solutions.json (counts + per-solution version/status/controls) |
Solutions | Framework assessment/data/solutions-lock.json, solutions-index.md, prose validators |
Solutions repo publishes per-tag artifacts; framework pins the JSON into solutions-lock.json for reproducible builds |
For any framework release vX.Y.Z:
- The 78 control IDs and their pillar assignments are stable within the same major version.
- The
pass_conditionstrings used by registered evaluators are stable within the same minor version. Adding a newpass_conditionis a minor change; renaming an existing one is a major change. - The shape of
controls.json(top-level array of control objects with the keys listed inassessment/manifest/README.md) is additive within a major version — fields may be added but not removed. - Bug fixes that change
evaluator_staterollups (e.g., wiring up a missing evaluator) are minor changes. The Assessment Engine Coverage matrix shows the current state.
The Solutions repository is expected to:
- Pin its framework consumption to a release tag (e.g.,
framework_version: v1.6.2in repo-level config), notmain. - Bump the pinned tag deliberately, as part of a release of its own.
- Treat a framework major bump as a planned migration, not an incidental dependency update.
- Re-run cross-repo validation against the new tag in CI before updating the pin.
There are two patterns the Solutions repository can use. Both are acceptable; the project should pick one and document it.
# In the Solutions repo, pin the framework as a submodule at a tag.
git submodule add -b v1.6.2 https://github.com/judeper/FSI-AgentGov.git \
.frameworkPros: cryptographically pinned, fully reproducible.
Cons: contributors must remember git submodule update --init.
In the Solutions repo's validation workflow:
- name: Fetch framework manifest at pinned tag
env:
FRAMEWORK_TAG: v1.6.2 # update deliberately
run: |
curl -fsSL \
"https://raw.githubusercontent.com/judeper/FSI-AgentGov/${FRAMEWORK_TAG}/assessment/manifest/controls.json" \
-o .framework/controls.jsonPros: zero submodule overhead.
Cons: relies on the consumer to bump FRAMEWORK_TAG deliberately.
The Solutions repository is responsible for publishing the matrix below (or its equivalent) so consumers know which framework tag a given Solutions release was built against. The framework repository keeps a mirror only as a courtesy; the authoritative copy lives with the producer.
| Solutions release | Framework tag | Notes |
|---|---|---|
| maintained in the Solutions repo | maintained in the Solutions repo | This table intentionally left as a pointer — see FSI-AgentGov-Solutions release notes |
- Framework PRs that touch
controls.jsonIDs, pillars, orpass_conditionstrings must include a one-line note in the PR description identifying the change as additive, minor, or breaking. - Framework releases that include any breaking change to this contract must bump the major version and call out the change in the release notes.
- The Solutions repository owns its own migration cadence. The framework will not delete deprecated control IDs without a deprecation release in the prior major version.
- Assessment Engine Coverage — current evaluator state across all 79 controls.
- Solutions Integration — high-level architecture of the two-repo system.
- Solutions Index — current solution catalog.