WoGu

Rules

How rules, categories, severities, and call-graph analysis fit together.

Rules, not validators

WoGu revolves around rules (WG001, WG002, ...), not validator implementations. A single validator commonly evaluates several rules in one pass over a project — sharing one parse of the source, one workflow scan, one call graph — because most of that setup is identical across rules for the same engine.

Each rule carries: an id, a title, a category, a severity, the engine it applies to, the version it shipped in, a documentation reference, and whether an automatic fix is available. Reports and future per-rule configuration key off this metadata, never off the validator implementation that happened to produce a result.

Categories and numbering

Every rule id is WG followed by three digits. Every category reserves a fixed numeric range, enforced at construction time — not just documented:

Range Category
WG001–WG099 Determinism
WG100–WG199 Activities
WG200–WG299 Versioning
WG300–WG349 Signals
WG350–WG399 Updates
WG400–WG499 Performance
WG500–WG599 Best Practices
WG600–WG699 Security
WG900–WG999 Organization Policies

Only the Determinism range is populated today — see the Roadmap for what's next.

Severity

Every rule shipped today reports at ERROR severity: a violation fails the build. WARNING and INFO are supported by the model for future rules that should surface in the report without failing the build.

Call graph analysis

WoGu doesn't just check a workflow class itself. Starting from a workflow's entry point — the implementation method matching an @WorkflowMethod-annotated interface method — it follows every method call it can resolve to source elsewhere in the project, however many hops deep, looking for the pattern each rule flags.

This traversal stops, without reporting anything past that point, at two kinds of boundary:

  • A call it cannot resolve to source it can see: a compiled dependency, or a call resolved only through reflection or dynamic dispatch.
  • A call that resolves into a Temporal Activity implementation. Activities are not replayed, so they're exempt from every determinism rule by design.

This means a rule can produce a false negative (a real violation hidden behind a call it can't see into) but is designed to avoid false positives — it only flags a call once it resolves to the exact method or constructor the rule is looking for.

Where rules are defined

Most rules are declarative: a YAML file naming the forbidden method calls and constructors to flag, executed by one generic rule type. See Custom Rules for how to add one, and the Rule Reference for the full, searchable list of what ships today.