Feat: Implement governance approval workflow (#15)

Author: rian-be

.github/workflows/publish-attested.yml

@@ -2,6 +2,11 @@ name: Publish Attested
 
 on:
   workflow_dispatch:
+    inputs:
+      version:
+        description: Release version without the leading "v"
+        required: false
+        type: string
 
 permissions:
   contents: write
@@ -12,6 +17,8 @@ permissions:
 jobs:
   publish:
     uses: ./.github/workflows/publish-artifacts.yml
+    with:
+      package_version: ${{ inputs.version }}
 
   release:
     name: Upload artifacts to draft release

.github/workflows/release-drafter.yml

@@ -37,6 +37,8 @@ jobs:
   publish:
     needs: update-release-draft
     uses: ./.github/workflows/publish-artifacts.yml
+    with:
+      package_version: ${{ needs.update-release-draft.outputs.tag_name }}
 
   upload-release-assets:
     name: Upload artifacts to release draft

Docs/Decision/Adr/ADR_025_Governance_Approval_Workflow.md

@@ -4,7 +4,7 @@
 #adr_025
 
 ## Status
-Proposed
+Accepted
 
 ## Date
 2026-06-22

Examples/Governance/ApprovalWorkflow/ApprovalWorkflow.csproj

@@ -0,0 +1,14 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <OutputType>Exe</OutputType>
+        <TargetFramework>net10.0</TargetFramework>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <Nullable>enable</Nullable>
+    </PropertyGroup>
+
+    <ItemGroup>
+      <ProjectReference Include="..\..\..\src\ModularityKit.Mutator.Governance.csproj" />
+    </ItemGroup>
+
+</Project>

Examples/Governance/ApprovalWorkflow/Program.cs

@@ -0,0 +1,3 @@
+using ApprovalWorkflow.Scenarios;
+
+await GovernanceApprovalWorkflowScenario.Run();

Examples/Governance/ApprovalWorkflow/README.md

@@ -0,0 +1,23 @@
+# Governance ApprovalWorkflow
+
+This example shows the governance approval workflow built on top of `MutationRequest.PendingApproval(...)` and `MutationRequestApprovalWorkflowManager`.
+
+It demonstrates:
+
+- mapping `PolicyRequirement` into request-level approval requirements
+- multi-actor approvals in the same step
+- ordered approval steps
+- transition from `Pending` to `Approved` after the final approval
+
+## Key files
+
+- [`Program.cs`](Program.cs)
+- [`Scenarios/GovernanceApprovalWorkflowScenario.cs`](Scenarios/GovernanceApprovalWorkflowScenario.cs)
+- [`src/Governance/Runtime/Approval/MutationRequestApprovalWorkflowManager.cs`](../../../src/Governance/Runtime/Approval/MutationRequestApprovalWorkflowManager.cs)
+- [`src/Governance/Abstractions/Approval/MutationApprovalRequirement.cs`](../../../src/Governance/Abstractions/Approval/MutationApprovalRequirement.cs)
+
+## Run
+
+```bash
+dotnet run --project Examples/Governance/ApprovalWorkflow/ApprovalWorkflow.csproj
+```

Examples/Governance/ApprovalWorkflow/Scenarios/GovernanceApprovalWorkflowScenario.cs

@@ -0,0 +1,111 @@
+using ModularityKit.Mutator.Abstractions.Context;
+using ModularityKit.Mutator.Abstractions.Intent;
+using ModularityKit.Mutator.Abstractions.Policies;
+using ModularityKit.Mutator.Governance.Abstractions.Requests.Model;
+using ModularityKit.Mutator.Governance.Runtime.Approval.Execution;
+using ModularityKit.Mutator.Governance.Runtime.Storage;
+
+namespace ApprovalWorkflow.Scenarios;
+
+internal static class GovernanceApprovalWorkflowScenario
+{
+    public static async Task Run()
+    {
+        var store = new InMemoryMutationRequestStore();
+        var manager = new MutationRequestApprovalWorkflowManager(store);
+
+        PrintSection("Submit Pending Approval Request");
+        var request = await store.Create(CreateApprovalRequest());
+        PrintRequest(request);
+
+        PrintSection("Approve Step 1");
+        var aliceApproval = request.ApprovalRequirements.Single(requirement => requirement.ApproverId == "alice");
+        var afterAlice = await manager.ApproveRequirement(
+            request.RequestId,
+            aliceApproval.ApprovalId,
+            MutationContext.User("alice", "Alice", "Manager approved"));
+        PrintRequest(afterAlice);
+
+        PrintSection("Approve Step 1 - Second Actor");
+        var bobApproval = afterAlice.ApprovalRequirements.Single(requirement => requirement.ApproverId == "bob");
+        var afterBob = await manager.ApproveRequirement(
+            request.RequestId,
+            bobApproval.ApprovalId,
+            MutationContext.User("bob", "Bob", "Security approved"));
+        PrintRequest(afterBob);
+
+        PrintSection("Approve Step 2");
+        var carolApproval = afterBob.ApprovalRequirements.Single(requirement => requirement.ApproverId == "carol");
+        var afterCarol = await manager.ApproveRequirement(
+            request.RequestId,
+            carolApproval.ApprovalId,
+            MutationContext.User("carol", "Carol", "Finance approved"));
+        PrintRequest(afterCarol);
+    }
+
+    private static MutationRequest CreateApprovalRequest()
+    {
+        return MutationRequest.PendingApproval(
+            stateId: "tenant-42:roles",
+            stateType: "IamRoleState",
+            mutationType: "GrantRoleMutation",
+            intent: new MutationIntent
+            {
+                OperationName = "GrantRole",
+                Category = "Security",
+                Description = "Grant elevated role to tenant operator"
+            },
+            context: MutationContext.User("requester", "Requester", "Need elevated access for incident"),
+            requirements:
+            [
+                PolicyRequirement.Approval("alice", "Manager approval"),
+                new PolicyRequirement
+                {
+                    Type = "Approval",
+                    Description = "Security review",
+                    Data = new
+                    {
+                        Approver = "bob",
+                        StepOrder = 1,
+                        Reason = "Security sign-off"
+                    }
+                },
+                new PolicyRequirement
+                {
+                    Type = "Approval",
+                    Description = "Finance review",
+                    Data = new
+                    {
+                        Approver = "carol",
+                        StepOrder = 2,
+                        Reason = "Budget sign-off"
+                    }
+                }
+            ],
+            expectedStateVersion: "v10");
+    }
+
+    private static void PrintSection(string title)
+    {
+        Console.WriteLine();
+        Console.WriteLine($"=== {title} ===");
+    }
+
+    private static void PrintRequest(MutationRequest request)
+    {
+        Console.WriteLine($"Request status: {request.Status}");
+        Console.WriteLine($"Pending reason: {request.PendingReason?.ToString() ?? "-"}");
+        Console.WriteLine($"Revision: {request.Revision}");
+        Console.WriteLine("Approval requirements:");
+
+        foreach (var requirement in request.ApprovalRequirements.OrderBy(requirement => requirement.StepOrder).ThenBy(requirement => requirement.ApproverId))
+        {
+            Console.WriteLine(
+                $"  - Step {requirement.StepOrder}: {requirement.ApproverId} => {requirement.Status}");
+        }
+
+        var lastDecision = request.Decisions[^1];
+        Console.WriteLine($"Last decision: {lastDecision.Type} by {lastDecision.Context.ActorId ?? "system"}");
+        Console.WriteLine($"Reason: {lastDecision.Reason ?? "-"}");
+    }
+}

Examples/Governance/DecisionTaxonomy/DecisionTaxonomy.csproj

@@ -0,0 +1,14 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <OutputType>Exe</OutputType>
+        <TargetFramework>net10.0</TargetFramework>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <Nullable>enable</Nullable>
+    </PropertyGroup>
+
+    <ItemGroup>
+      <ProjectReference Include="..\..\..\src\ModularityKit.Mutator.Governance.csproj" />
+    </ItemGroup>
+
+</Project>

Examples/Governance/DecisionTaxonomy/Program.cs

@@ -0,0 +1,3 @@
+using DecisionTaxonomy.Scenarios;
+
+GovernanceDecisionTaxonomyScenario.Run();

Examples/Governance/DecisionTaxonomy/README.md

@@ -0,0 +1,29 @@
+# Governance DecisionTaxonomy
+
+This example shows why governance request decisions are split into separate categories instead of being kept in one flat enum.
+
+It demonstrates:
+
+- lifecycle decisions such as `Submitted` and `Approved`
+- approval decisions such as `Requested`, `Granted`, and `Rejected`
+- version-resolution decisions such as `Validated` and `RejectedAsStale`
+- the shared `MutationRequestDecisionType` wrapper with:
+  - `Category`
+  - `Code`
+  - `ToString()`
+
+## Key files
+
+- [`Program.cs`](Program.cs)
+- [`Scenarios/GovernanceDecisionTaxonomyScenario.cs`](Scenarios/GovernanceDecisionTaxonomyScenario.cs)
+- [`src/Governance/Abstractions/Requests/Decisions/MutationRequestDecisionType.cs`](../../../src/Governance/Abstractions/Requests/Decisions/MutationRequestDecisionType.cs)
+- [`src/Governance/Abstractions/Requests/Decisions/MutationRequestDecisionCategory.cs`](../../../src/Governance/Abstractions/Requests/Decisions/MutationRequestDecisionCategory.cs)
+- [`src/Governance/Abstractions/Requests/Decisions/MutationRequestLifecycleDecisionType.cs`](../../../src/Governance/Abstractions/Requests/Decisions/MutationRequestLifecycleDecisionType.cs)
+- [`src/Governance/Abstractions/Requests/Decisions/MutationRequestApprovalDecisionType.cs`](../../../src/Governance/Abstractions/Requests/Decisions/MutationRequestApprovalDecisionType.cs)
+- [`src/Governance/Abstractions/Requests/Decisions/MutationRequestVersionResolutionDecisionType.cs`](../../../src/Governance/Abstractions/Requests/Decisions/MutationRequestVersionResolutionDecisionType.cs)
+
+## Run
+
+```bash
+dotnet run --project Examples/Governance/DecisionTaxonomy/DecisionTaxonomy.csproj
+```