Skip to content

Governance Model

江河 edited this page Jul 1, 2026 · 1 revision

Governance Model

mqgov uses the fail-closed mqclass classifier. Broker differences are reported through capabilities and unsupported operations return NOT_IMPLEMENTED rather than a fake success.

Tier Meaning Required Authorization
R0 Reads and previews: topic describe, group lag, message peek/tail, DLQ peek, ACL list, schema list/describe/check, fleet reads, dry-run None, but audited
R1 Ordinary writes such as topic create, message produce, schema register for a new subject --yes or interactive confirmation
R2 Elevated mutations such as topic alter, ACL grant, schema register for existing subject --yes and non-empty --ticket
R3 Destructive/irreversible operations such as offset reset, topic purge/delete, schema delete, DLQ redrive/purge, broad ACL change, internal produce R2 authorization plus the exact --allow-* flag

R3 Allow Flags

--allow-offset-reset, --allow-topic-purge, --allow-topic-delete, --allow-destructive-acl, --allow-internal-produce, --allow-schema-delete.

Protected contexts, protected topics, and internal/system topics raise the tier by one.

AI Agent Rules

  1. Run mqgov capabilities -o json first because broker support differs.
  2. Use -o json everywhere for integration paths.
  3. Use --dry-run or --plan as the source of blast radius.
  4. Stop and ask a human when a command requires ticket, allow flag, or high-risk confirmation.

Clone this wiki locally