Add BAD_EXAMPLES.md for common pitfalls

Document common mistakes to avoid for humans and AI agents.

governance/BAD_EXAMPLES.md

@@ -0,0 +1,57 @@
+# Bad Examples (What Not to Do)
+
+This document exists to prevent common mistakes by humans and AI agents.
+If something resembles an example below, it is likely wrong.
+
+---
+
+## Bad Example: Duplicate Concepts
+
+❌ Defining a new "Issue", "Signal", or "Event" object inside an app  
+✅ Use Finding or Alert as defined in goose-core
+
+---
+
+## Bad Example: Hidden Alerts
+
+❌ Treating high-severity findings as implicit alerts  
+❌ Triggering actions without explicit alert creation  
+✅ Alerts are explicit and traceable
+
+---
+
+## Bad Example: Analysis in GooseStrike
+
+❌ Adding detection or correlation logic to GooseStrike  
+✅ GooseStrike consumes analysis, it does not perform it
+
+---
+
+## Bad Example: Execution in ThreatHunt
+
+❌ Triggering tools, scripts, or remediation from ThreatHunt  
+✅ ThreatHunt analyzes and explains only
+
+---
+
+## Bad Example: UI Drift
+
+❌ Different severity colors per application  
+❌ Different table behavior per application  
+✅ Shared UX patterns apply everywhere
+
+---
+
+## Bad Example: Over-Automation
+
+❌ Autonomous action without review  
+❌ Long-running background agents acting independently  
+✅ Human intent and approval are always present
+
+---
+
+## Bad Example: Breaking Contracts
+
+❌ Adding fields to Findings without updating goose-core  
+❌ Ignoring shared terminology  
+✅ Shared contracts are authoritative