1.3 KiB
Bad Examples (What Not to Do)
This document exists to prevent common mistakes by humans and AI agents. If something resembles an example below, it is likely wrong.
Bad Example: Duplicate Concepts
❌ Defining a new "Issue", "Signal", or "Event" object inside an app
✅ Use Finding or Alert as defined in goose-core
Bad Example: Hidden Alerts
❌ Treating high-severity findings as implicit alerts
❌ Triggering actions without explicit alert creation
✅ Alerts are explicit and traceable
Bad Example: Analysis in GooseStrike
❌ Adding detection or correlation logic to GooseStrike
✅ GooseStrike consumes analysis, it does not perform it
Bad Example: Execution in ThreatHunt
❌ Triggering tools, scripts, or remediation from ThreatHunt
✅ ThreatHunt analyzes and explains only
Bad Example: UI Drift
❌ Different severity colors per application
❌ Different table behavior per application
✅ Shared UX patterns apply everywhere
Bad Example: Over-Automation
❌ Autonomous action without review
❌ Long-running background agents acting independently
✅ Human intent and approval are always present
Bad Example: Breaking Contracts
❌ Adding fields to Findings without updating goose-core
❌ Ignoring shared terminology
✅ Shared contracts are authoritative