Feat: Implement governance approval workflow

Author: rian-be

Docs/Decision/Adr/ADR_025_Governance_Approval_Workflow.md

@@ -4,7 +4,7 @@
 #adr_025
 
 ## Status
-Proposed
+Accepted
 
 ## Date
 2026-06-22

Examples/Governance/ApprovalWorkflow/ApprovalWorkflow.csproj

@@ -0,0 +1,14 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <OutputType>Exe</OutputType>
+        <TargetFramework>net10.0</TargetFramework>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <Nullable>enable</Nullable>
+    </PropertyGroup>
+
+    <ItemGroup>
+      <ProjectReference Include="..\..\..\src\ModularityKit.Mutator.Governance.csproj" />
+    </ItemGroup>
+
+</Project>

Examples/Governance/ApprovalWorkflow/Program.cs

@@ -0,0 +1,3 @@
+using ApprovalWorkflow.Scenarios;
+
+await GovernanceApprovalWorkflowScenario.Run();

Examples/Governance/ApprovalWorkflow/README.md

@@ -0,0 +1,23 @@
+# Governance ApprovalWorkflow
+
+This example shows the governance approval workflow built on top of `MutationRequest.PendingApproval(...)` and `MutationRequestApprovalWorkflowManager`.
+
+It demonstrates:
+
+- mapping `PolicyRequirement` into request-level approval requirements
+- multi-actor approvals in the same step
+- ordered approval steps
+- transition from `Pending` to `Approved` after the final approval
+
+## Key files
+
+- [`Program.cs`](Program.cs)
+- [`Scenarios/GovernanceApprovalWorkflowScenario.cs`](Scenarios/GovernanceApprovalWorkflowScenario.cs)
+- [`src/Governance/Runtime/Approval/MutationRequestApprovalWorkflowManager.cs`](../../../src/Governance/Runtime/Approval/MutationRequestApprovalWorkflowManager.cs)
+- [`src/Governance/Abstractions/Approval/MutationApprovalRequirement.cs`](../../../src/Governance/Abstractions/Approval/MutationApprovalRequirement.cs)
+
+## Run
+
+```bash
+dotnet run --project Examples/Governance/ApprovalWorkflow/ApprovalWorkflow.csproj
+```

Examples/Governance/ApprovalWorkflow/Scenarios/GovernanceApprovalWorkflowScenario.cs

@@ -0,0 +1,111 @@
+using ModularityKit.Mutator.Abstractions.Context;
+using ModularityKit.Mutator.Abstractions.Intent;
+using ModularityKit.Mutator.Abstractions.Policies;
+using ModularityKit.Mutator.Governance.Abstractions.Requests.Model;
+using ModularityKit.Mutator.Governance.Runtime.Approval.Execution;
+using ModularityKit.Mutator.Governance.Runtime.Storage;
+
+namespace ApprovalWorkflow.Scenarios;
+
+internal static class GovernanceApprovalWorkflowScenario
+{
+    public static async Task Run()
+    {
+        var store = new InMemoryMutationRequestStore();
+        var manager = new MutationRequestApprovalWorkflowManager(store);
+
+        PrintSection("Submit Pending Approval Request");
+        var request = await store.Create(CreateApprovalRequest());
+        PrintRequest(request);
+
+        PrintSection("Approve Step 1");
+        var aliceApproval = request.ApprovalRequirements.Single(requirement => requirement.ApproverId == "alice");
+        var afterAlice = await manager.ApproveRequirement(
+            request.RequestId,
+            aliceApproval.ApprovalId,
+            MutationContext.User("alice", "Alice", "Manager approved"));
+        PrintRequest(afterAlice);
+
+        PrintSection("Approve Step 1 - Second Actor");
+        var bobApproval = afterAlice.ApprovalRequirements.Single(requirement => requirement.ApproverId == "bob");
+        var afterBob = await manager.ApproveRequirement(
+            request.RequestId,
+            bobApproval.ApprovalId,
+            MutationContext.User("bob", "Bob", "Security approved"));
+        PrintRequest(afterBob);
+
+        PrintSection("Approve Step 2");
+        var carolApproval = afterBob.ApprovalRequirements.Single(requirement => requirement.ApproverId == "carol");
+        var afterCarol = await manager.ApproveRequirement(
+            request.RequestId,
+            carolApproval.ApprovalId,
+            MutationContext.User("carol", "Carol", "Finance approved"));
+        PrintRequest(afterCarol);
+    }
+
+    private static MutationRequest CreateApprovalRequest()
+    {
+        return MutationRequest.PendingApproval(
+            stateId: "tenant-42:roles",
+            stateType: "IamRoleState",
+            mutationType: "GrantRoleMutation",
+            intent: new MutationIntent
+            {
+                OperationName = "GrantRole",
+                Category = "Security",
+                Description = "Grant elevated role to tenant operator"
+            },
+            context: MutationContext.User("requester", "Requester", "Need elevated access for incident"),
+            requirements:
+            [
+                PolicyRequirement.Approval("alice", "Manager approval"),
+                new PolicyRequirement
+                {
+                    Type = "Approval",
+                    Description = "Security review",
+                    Data = new
+                    {
+                        Approver = "bob",
+                        StepOrder = 1,
+                        Reason = "Security sign-off"
+                    }
+                },
+                new PolicyRequirement
+                {
+                    Type = "Approval",
+                    Description = "Finance review",
+                    Data = new
+                    {
+                        Approver = "carol",
+                        StepOrder = 2,
+                        Reason = "Budget sign-off"
+                    }
+                }
+            ],
+            expectedStateVersion: "v10");
+    }
+
+    private static void PrintSection(string title)
+    {
+        Console.WriteLine();
+        Console.WriteLine($"=== {title} ===");
+    }
+
+    private static void PrintRequest(MutationRequest request)
+    {
+        Console.WriteLine($"Request status: {request.Status}");
+        Console.WriteLine($"Pending reason: {request.PendingReason?.ToString() ?? "-"}");
+        Console.WriteLine($"Revision: {request.Revision}");
+        Console.WriteLine("Approval requirements:");
+
+        foreach (var requirement in request.ApprovalRequirements.OrderBy(requirement => requirement.StepOrder).ThenBy(requirement => requirement.ApproverId))
+        {
+            Console.WriteLine(
+                $"  - Step {requirement.StepOrder}: {requirement.ApproverId} => {requirement.Status}");
+        }
+
+        var lastDecision = request.Decisions[^1];
+        Console.WriteLine($"Last decision: {lastDecision.Type} by {lastDecision.Context.ActorId ?? "system"}");
+        Console.WriteLine($"Reason: {lastDecision.Reason ?? "-"}");
+    }
+}

Examples/Governance/RequestLifecycle/Scenarios/GovernanceRequestLifecycleScenario.cs

@@ -1,9 +1,9 @@
 using ModularityKit.Mutator.Abstractions.Context;
 using ModularityKit.Mutator.Abstractions.Intent;
 using ModularityKit.Mutator.Abstractions.Policies;
-using ModularityKit.Mutator.Governance.Abstractions.Lifecycle;
-using ModularityKit.Mutator.Governance.Abstractions.Requests;
-using ModularityKit.Mutator.Governance.Runtime.Lifecycle;
+using ModularityKit.Mutator.Governance.Abstractions.Lifecycle.Model;
+using ModularityKit.Mutator.Governance.Abstractions.Requests.Model;
+using ModularityKit.Mutator.Governance.Runtime.Lifecycle.Execution;
 using ModularityKit.Mutator.Governance.Runtime.Storage;
 
 namespace RequestLifecycle.Scenarios;

Examples/Governance/VersionedResolution/Scenarios/GovernanceVersionedResolutionScenario.cs

@@ -1,8 +1,9 @@
 using ModularityKit.Mutator.Abstractions.Context;
 using ModularityKit.Mutator.Abstractions.Intent;
-using ModularityKit.Mutator.Governance.Abstractions.Requests;
-using ModularityKit.Mutator.Governance.Abstractions.Resolution;
-using ModularityKit.Mutator.Governance.Runtime.Resolution;
+using ModularityKit.Mutator.Governance.Abstractions.Requests.Model;
+using ModularityKit.Mutator.Governance.Abstractions.Resolution.Model;
+using ModularityKit.Mutator.Governance.Abstractions.Resolution.Strategies;
+using ModularityKit.Mutator.Governance.Runtime.Resolution.Execution;
 using ModularityKit.Mutator.Governance.Runtime.Storage;
 
 namespace VersionedResolution.Scenarios;

Tests/ModularityKit.Mutator.Governance.Tests/Approval/MutationRequestApprovalWorkflowTests.cs

@@ -0,0 +1,188 @@
+using ModularityKit.Mutator.Abstractions.Context;
+using ModularityKit.Mutator.Abstractions.Intent;
+using ModularityKit.Mutator.Abstractions.Policies;
+using ModularityKit.Mutator.Governance.Abstractions.Approval.Model;
+using ModularityKit.Mutator.Governance.Abstractions.Exceptions.Approval;
+using ModularityKit.Mutator.Governance.Abstractions.Lifecycle.Model;
+using ModularityKit.Mutator.Governance.Abstractions.Requests.Decisions;
+using ModularityKit.Mutator.Governance.Abstractions.Requests.Model;
+using ModularityKit.Mutator.Governance.Runtime.Approval.Execution;
+using ModularityKit.Mutator.Governance.Runtime.Storage;
+using Xunit;
+
+namespace ModularityKit.Mutator.Governance.Tests.Approval;
+
+public sealed class MutationRequestApprovalWorkflowTests
+{
+    [Fact]
+    public void PendingApproval_maps_policy_requirements_into_visible_request_approval_requirements()
+    {
+        var request = MutationRequest.PendingApproval(
+            stateId: "tenant-42:roles",
+            stateType: "IamRoleState",
+            mutationType: "GrantRoleMutation",
+            intent: CreateIntent(),
+            context: MutationContext.User("requester", "Requester", "Needs privileged access"),
+            requirements:
+            [
+                PolicyRequirement.Approval("alice", "Manager approval"),
+                new PolicyRequirement
+                {
+                    Type = "Approval",
+                    Description = "Security and finance approval",
+                    Data = new
+                    {
+                        Approvers = new[] { "bob", "carol" },
+                        StepOrder = 2,
+                        Reason = "Cross-functional sign-off"
+                    }
+                }
+            ],
+            expectedStateVersion: "v10");
+
+        Assert.Equal(MutationRequestStatus.Pending, request.Status);
+        Assert.Equal(PendingMutationReason.Approval, request.PendingReason);
+        Assert.Equal(3, request.ApprovalRequirements.Count);
+        Assert.Collection(
+            request.ApprovalRequirements.OrderBy(requirement => requirement.StepOrder).ThenBy(requirement => requirement.ApproverId),
+            first =>
+            {
+                Assert.Equal("alice", first.ApproverId);
+                Assert.Equal(1, first.StepOrder);
+                Assert.Equal(MutationApprovalRequirementStatus.Pending, first.Status);
+            },
+            second =>
+            {
+                Assert.Equal("bob", second.ApproverId);
+                Assert.Equal(2, second.StepOrder);
+            },
+            third =>
+            {
+                Assert.Equal("carol", third.ApproverId);
+                Assert.Equal(2, third.StepOrder);
+            });
+    }
+
+    [Fact]
+    public async Task ApproveRequirement_enforces_step_order_and_marks_request_approved_after_final_approval()
+    {
+        var store = new InMemoryMutationRequestStore();
+        var manager = new MutationRequestApprovalWorkflowManager(store);
+        var request = await store.Create(CreateMultiStepApprovalRequest());
+
+        var stepTwoApproval = request.ApprovalRequirements.Single(requirement => requirement.ApproverId == "carol");
+        var invalidStep = await Assert.ThrowsAsync<InvalidMutationApprovalActionException>(() =>
+            manager.ApproveRequirement(
+                request.RequestId,
+                stepTwoApproval.ApprovalId,
+                MutationContext.User("carol", "Carol", "Approve too early")));
+
+        Assert.Equal(stepTwoApproval.ApprovalId, invalidStep.ApprovalId);
+
+        var aliceApproval = request.ApprovalRequirements.Single(requirement => requirement.ApproverId == "alice");
+        var afterAlice = await manager.ApproveRequirement(
+            request.RequestId,
+            aliceApproval.ApprovalId,
+            MutationContext.User("alice", "Alice", "Manager approved"));
+
+        Assert.Equal(MutationRequestStatus.Pending, afterAlice.Status);
+        Assert.Equal(MutationApprovalRequirementStatus.Approved, afterAlice.ApprovalRequirements.Single(requirement => requirement.ApproverId == "alice").Status);
+
+        var bobApproval = afterAlice.ApprovalRequirements.Single(requirement => requirement.ApproverId == "bob");
+        var afterBob = await manager.ApproveRequirement(
+            request.RequestId,
+            bobApproval.ApprovalId,
+            MutationContext.User("bob", "Bob", "Security approved"));
+
+        Assert.Equal(MutationRequestStatus.Pending, afterBob.Status);
+
+        var finalCarolApproval = afterBob.ApprovalRequirements.Single(requirement => requirement.ApproverId == "carol");
+        var afterCarol = await manager.ApproveRequirement(
+            request.RequestId,
+            finalCarolApproval.ApprovalId,
+            MutationContext.User("carol", "Carol", "Finance approved"));
+
+        Assert.Equal(MutationRequestStatus.Approved, afterCarol.Status);
+        Assert.Null(afterCarol.PendingReason);
+        Assert.All(afterCarol.ApprovalRequirements, requirement => Assert.Equal(MutationApprovalRequirementStatus.Approved, requirement.Status));
+        Assert.Equal(
+            MutationRequestDecisionType.Lifecycle(MutationRequestLifecycleDecisionType.Approved),
+            afterCarol.Decisions[^1].Type);
+        Assert.Contains(
+            afterCarol.Decisions,
+            decision => decision.Type == MutationRequestDecisionType.Approval(MutationRequestApprovalDecisionType.Granted));
+    }
+
+    [Fact]
+    public async Task RejectRequirement_marks_request_rejected_and_records_explicit_history()
+    {
+        var store = new InMemoryMutationRequestStore();
+        var manager = new MutationRequestApprovalWorkflowManager(store);
+        var request = await store.Create(CreateMultiStepApprovalRequest());
+        var aliceApproval = request.ApprovalRequirements.Single(requirement => requirement.ApproverId == "alice");
+
+        var rejected = await manager.RejectRequirement(
+            request.RequestId,
+            aliceApproval.ApprovalId,
+            MutationContext.User("alice", "Alice", "Manager rejected"),
+            reason: "Insufficient justification");
+
+        Assert.Equal(MutationRequestStatus.Rejected, rejected.Status);
+        Assert.Null(rejected.PendingReason);
+        Assert.Equal(MutationApprovalRequirementStatus.Rejected, rejected.ApprovalRequirements.Single(requirement => requirement.ApprovalId == aliceApproval.ApprovalId).Status);
+        Assert.Equal(
+            MutationRequestDecisionType.Lifecycle(MutationRequestLifecycleDecisionType.Rejected),
+            rejected.Decisions[^1].Type);
+        Assert.Contains(
+            rejected.Decisions,
+            decision => decision.Type == MutationRequestDecisionType.Approval(MutationRequestApprovalDecisionType.Rejected));
+        Assert.Contains(rejected.Decisions, decision => decision.Reason == "Insufficient justification");
+    }
+
+    private static MutationRequest CreateMultiStepApprovalRequest()
+    {
+        return MutationRequest.PendingApproval(
+            stateId: "tenant-42:roles",
+            stateType: "IamRoleState",
+            mutationType: "GrantRoleMutation",
+            intent: CreateIntent(),
+            context: MutationContext.User("requester", "Requester", "Needs privileged access"),
+            requirements:
+            [
+                PolicyRequirement.Approval("alice", "Manager approval"),
+                new PolicyRequirement
+                {
+                    Type = "Approval",
+                    Description = "Security review",
+                    Data = new
+                    {
+                        Approver = "bob",
+                        StepOrder = 1,
+                        Reason = "Security sign-off"
+                    }
+                },
+                new PolicyRequirement
+                {
+                    Type = "Approval",
+                    Description = "Finance review",
+                    Data = new
+                    {
+                        Approver = "carol",
+                        StepOrder = 2,
+                        Reason = "Budget sign-off"
+                    }
+                }
+            ],
+            expectedStateVersion: "v10");
+    }
+
+    private static MutationIntent CreateIntent()
+    {
+        return new MutationIntent
+        {
+            OperationName = "GrantRole",
+            Category = "Security",
+            Description = "Grant elevated role to tenant operator"
+        };
+    }
+}

Tests/ModularityKit.Mutator.Governance.Tests/Lifecycle/MutationRequestLifecycleAtomicityTests.cs

@@ -1,7 +1,7 @@
 using ModularityKit.Mutator.Abstractions.Context;
-using ModularityKit.Mutator.Governance.Abstractions.Exceptions;
-using ModularityKit.Mutator.Governance.Abstractions.Lifecycle;
-using ModularityKit.Mutator.Governance.Runtime.Lifecycle;
+using ModularityKit.Mutator.Governance.Abstractions.Exceptions.Storage;
+using ModularityKit.Mutator.Governance.Abstractions.Lifecycle.Model;
+using ModularityKit.Mutator.Governance.Runtime.Lifecycle.Execution;
 using ModularityKit.Mutator.Governance.Tests.TestSupport;
 using Xunit;