# [RFC] TealTiger v1.3 — Governance Workflows & Policy Packs (TealFlow, OWASP Packs, Operating Model) #36
nagasatish007
started this conversation in
General
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
[RFC] TealTiger v1.3 — Governance Workflows & Policy Packs (TealFlow, OWASP Packs, Operating Model)
Summary
Governance shouldn't require writing code. v1.3 introduces declarative YAML workflows (TealFlow), pre-built policy packs mapped to standards, and a complete enterprise operating model with personas, lifecycle processes, and adoption guides. The goal: governance teams can author, review, and deploy policies without touching application code.
Proposed Capabilities
Secure Change Governance (Req 3)
CODE_CHANGEaction class with attributes: target paths, branch, change type, diff hashOWASP Agentic Top 10 Policy Pack (Req 6)
policy-packs/owasp-agentic-top10/TealFlow — Declarative Governance Workflows (Req 8)
agent_action,schedule(cron),workflow_dispatch(manual),policy_violationneedsdependencies between jobsifconditionals evaluating action attributes, risk scores, env vars, agent identityusessyntax for reusable governance actions (local or remote registry)Enterprise Operating Model (Req 16)
Questions for the Community
TealFlow syntax — The workflow YAML is inspired by GitHub Actions syntax. Is that familiar enough, or would you prefer something closer to OPA/Rego, Kubernetes manifests, or something else?
Org-level inheritance — "Team workflows cannot weaken org controls" — is this the right default? Are there cases where a team legitimately needs to relax an org-level control (with approval)?
Policy packs — Beyond OWASP Agentic Top 10, what standards would you want pre-built packs for? (SOC2, PCI-DSS, HIPAA, ISO 27001, EU AI Act, internal company standards?)
Code change governance — If you're using AI code agents (Copilot, Cursor, Devin, etc.), what governance controls would you want? Path restrictions? Branch restrictions? Mandatory review? Something else?
Adoption model — Would your organization start with Governance-First (central team defines policies, developers consume read-only) or Developer-First (developers integrate SDK, governance added later)?
Operating model — Are the 6 personas sufficient? Is there a role in your org that doesn't map to these?
How to Give Feedback
Full Spec Reference
See Requirements 3, 6, 8, and 16 in the complete specification
Beta Was this translation helpful? Give feedback.
All reactions