HubPublic

Governance

Latest Promotion Governance

Use workspace approval before moving the latest pointer to a published rawctx package version.

Docs homeSearch packagesInstall CLI

Governance

Promote approved versions to latest without editing the artifact

Goal: let private workspaces publish immutable versions first, then move latest only after the team has reviewed and approved that pointer change.

A rawctx package version is a release artifact. Once published, consumers should treat it as immutable: published versions remain immutable even when governance is enabled. Governance does not approve publish and does not mutate the version. It only controls whether the mutable latest pointer can move to a published version.

When approval is disabled, maintainers can promote latest directly. When approval is enabled, publish still creates the version, but maintainers request latest promotion from the package version page and reviewers approve or reject the request in Hub.

rawctx
# publish creates an immutable version
rawctx publish ./my-package

# governance review happens in rawctx Hub
# Settings -> Latest promotion governance
# Package -> Versions -> Request latest promotion

# consumers can still pin the exact artifact
rawctx snapshot-download @scope/name@1.2.3

# or resolve the workspace-approved latest pointer
rawctx to-prompt @scope/name@latest --max-tokens 1200
Policy controls
  • Require approval before promoting a package version to latest.
  • Set the number of required reviewers.
  • Choose whether the requester can approve their own request.
  • Require semantic diff review, with prompt preview support shown when available.
Request lifecycle
  • The request snapshots the current latest version and target version at creation time.
  • Approvals are counted against the requirement captured on the request.
  • If latest changes before approval completes, the request becomes stale instead of moving the pointer.
  • Rejected, canceled, approved, and stale requests are final states.
Resolution contract
  • @scope/name@latest resolves to one concrete published version.
  • Metadata can expose the requested ref, resolved ref, and snapshot SHA-256 so audit and automation can record what was actually used.
  • Use exact version pins in CI when the job must be independent of future latest promotions.

Where to operate

Use Hub UI for request and approval, CLI/SDK for consumption

Governance actions live in the authenticated workspace UI. CLI and Python consumers resolve approved latest refs and can always use exact version pins.

Open Workspace settingsPublish guideDiff guide