From a22d523087b0624bd525f4a9d9398a62119ed91f Mon Sep 17 00:00:00 2001 From: mblanke Date: Wed, 24 Dec 2025 13:19:52 -0500 Subject: [PATCH] Add BAD_EXAMPLES.md for common pitfalls Document common mistakes to avoid for humans and AI agents. --- governance/BAD_EXAMPLES.md | 57 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 governance/BAD_EXAMPLES.md diff --git a/governance/BAD_EXAMPLES.md b/governance/BAD_EXAMPLES.md new file mode 100644 index 0000000..2221407 --- /dev/null +++ b/governance/BAD_EXAMPLES.md @@ -0,0 +1,57 @@ +# Bad Examples (What Not to Do) + +This document exists to prevent common mistakes by humans and AI agents. +If something resembles an example below, it is likely wrong. + +--- + +## Bad Example: Duplicate Concepts + +❌ Defining a new "Issue", "Signal", or "Event" object inside an app +✅ Use Finding or Alert as defined in goose-core + +--- + +## Bad Example: Hidden Alerts + +❌ Treating high-severity findings as implicit alerts +❌ Triggering actions without explicit alert creation +✅ Alerts are explicit and traceable + +--- + +## Bad Example: Analysis in GooseStrike + +❌ Adding detection or correlation logic to GooseStrike +✅ GooseStrike consumes analysis, it does not perform it + +--- + +## Bad Example: Execution in ThreatHunt + +❌ Triggering tools, scripts, or remediation from ThreatHunt +✅ ThreatHunt analyzes and explains only + +--- + +## Bad Example: UI Drift + +❌ Different severity colors per application +❌ Different table behavior per application +✅ Shared UX patterns apply everywhere + +--- + +## Bad Example: Over-Automation + +❌ Autonomous action without review +❌ Long-running background agents acting independently +✅ Human intent and approval are always present + +--- + +## Bad Example: Breaking Contracts + +❌ Adding fields to Findings without updating goose-core +❌ Ignoring shared terminology +✅ Shared contracts are authoritative
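Review bot: The rules in this file leave alert creation unassigned and give the reader nothing to verify against, which matters because the document is explicitly aimed at AI agents that will apply it literally. "Hidden Alerts" requires "Alerts are explicit and traceable", "Analysis in GooseStrike" says "GooseStrike consumes analysis, it does not perform it", and "Execution in ThreatHunt" says "ThreatHunt analyzes and explains only"; taken together, neither named application is permitted to both decide that a Finding warrants an Alert and create one, so please add a line stating which component owns the Finding-to-Alert decision. Separately, every ✅ line appeals to an authority ("as defined in goose-core", "Shared UX patterns apply everywhere", "Shared contracts are authoritative") without pointing at it; each should cite the file or document in goose-core that defines Finding, Alert, the severity colors and the shared terminology, otherwise "Adding fields to Findings without updating goose-core" cannot be checked in review. Finally, "Human intent and approval are always present" under "Over-Automation" is not testable as written; say what counts as approval (who grants it and where it is recorded) so the rule can be enforced rather than asserted.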