New project — TODO: replace with <Project Name>
Skeleton directory for a new project under this framework. Do not edit the template in place; copy it to projects/<name>/ and fill in every TODO placeholder:
```bash
# From the repo root:
cp -R projects/_template projects/<name>
$EDITOR projects/<name>/project.md
grep -rn TODO projects/<name>   # work through the remaining TODOs
```
The leading underscore in _template keeps this directory out of the way of the active-project resolver: the skills load only projects/<active>/, and a directory whose name starts with _ is never accidentally picked up as the active project.
What each file is for
Once you have copied the template into <project-config>/ in your tracker repo, update this README.md to be your project's file index. Delete the sections your project does not need and fill in the rest.
Authoritative manifest (fill this in first)
| File | Purpose |
|---|---|
| project.md | Project manifest: identity, repositories, mailing lists, tools enabled, CVE tooling, GitHub project-board and issue-template field declarations. The single file every skill reads to resolve project-scoped references. |
Release state
| File | Purpose |
|---|---|
| release-trains.md | Active release branches, release-manager attribution per cut, rotation rosters, security-team roster. |
| milestones.md | Milestone naming conventions + create-and-assign recipe. |
Scope + product mapping
| File | Purpose |
|---|---|
| scope-labels.md | Scope label → CVE product / packageName / collection-URL mapping. Exactly one scope label per tracker. |
Security-model references
| File | Purpose |
|---|---|
| security-model.md | Authoritative URL for the project's Security Model + known-useful anchors + drafting rule. |
CVE-allocation mechanics
| File | Purpose |
|---|---|
| title-normalization.md | Regex cascade the allocate-cve skill applies to tracker titles before pasting them into the CVE-tool allocation form. |
Remediation workflow
| File | Purpose |
|---|---|
| fix-workflow.md | Fork / clone / toolchain specifics, backport-label policy, commit-trailer wording, PR scrubbing, private-PR fallback. |
Editorial + reporter-facing
| File | Purpose |
|---|---|
| canned-responses.md | Reporter-facing response templates, including the “Confirmation of receiving the report” template that the import-security-issue skill sends verbatim. |
Checklist after copying
- [ ] `cp -R projects/_template projects/<name>` done.
- [ ] Every TODO in project.md resolved (check with `grep -n TODO projects/<name>/project.md`).
- [ ] scope-labels.md lists at least one scope label (exactly-one-of rule).
- [ ] security-model.md points at the project's authoritative Security-Model URL.
- [ ] release-trains.md has at least one current release branch + its RM.
- [ ] canned-responses.md has at least the “Confirmation of receiving the report” template filled in (the import-security-issue skill sends this verbatim).
- [ ] config/active-project.md updated to the new directory name if this working tree should target the new project.
- [ ] Root README.md “Current projects” table updated with a row for the new project + a link to this README.md.
- [ ] `prek run --all-files` passes.
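The mechanical items on this checklist (files present and non-empty, no TODO left in project.md, the receipt-confirmation template present, directory name not starting with _) can be checked in one pass before the first `prek` run. The script below is an added example, not part of the framework and not something the skills invoke; it assumes every checklist file sits at the top level of projects/<name>/ and that an unresolved placeholder is any line still containing the literal word TODO. The `make_fixture` helper only builds constructed directories so the check can be exercised offline; it does not model the real file formats.

```bash
#!/usr/bin/env sh
# Added example: pre-flight check for a freshly copied project directory.
# Not part of the framework; it only mechanises the checklist above.
# Assumptions (not stated by the README): checklist files live at the top
# level of <dir>/, and an unresolved placeholder is any line containing TODO.

# check_project <dir>
# Prints one line per failed check; returns the number of failures (0 = pass).
check_project() {
  dir=$1
  fails=0

  # Files the skills need before they can resolve references to the project.
  for f in project.md scope-labels.md security-model.md release-trains.md canned-responses.md; do
    if [ ! -s "$dir/$f" ]; then
      echo "MISSING or empty: $dir/$f"
      fails=$((fails + 1))
    fi
  done

  # project.md is read first by every skill, so no TODO may survive in it.
  if [ -f "$dir/project.md" ] && grep -q TODO "$dir/project.md"; then
    echo "project.md still has TODO placeholders:"
    grep -n TODO "$dir/project.md"
    fails=$((fails + 1))
  fi

  # The receipt confirmation is sent verbatim, so the template must be present.
  if [ -f "$dir/canned-responses.md" ] && \
     ! grep -q "Confirmation of receiving the report" "$dir/canned-responses.md"; then
    echo "canned-responses.md lacks the 'Confirmation of receiving the report' template"
    fails=$((fails + 1))
  fi

  # A copy that kept the _ prefix is invisible to the active-project resolver.
  case $(basename "$dir") in
    _*) echo "directory name starts with _; the active-project resolver will skip it"
        fails=$((fails + 1)) ;;
  esac

  return "$fails"
}

# make_fixture <dir> [broken]
# Constructed fixture (not a real project): writes a minimal project directory.
# With "broken", project.md keeps a TODO and canned-responses.md is left empty.
make_fixture() {
  d=$1
  mkdir -p "$d"
  for f in scope-labels.md security-model.md release-trains.md; do
    printf '# %s\nfilled in (constructed)\n' "$f" > "$d/$f"
  done
  if [ "${2:-}" = broken ]; then
    printf 'name: TODO\n' > "$d/project.md"
    : > "$d/canned-responses.md"
  else
    printf 'name: demo-project\n' > "$d/project.md"
    printf '# Confirmation of receiving the report\nThanks, we have received your report.\n' \
      > "$d/canned-responses.md"
  fi
}

# Stand-alone usage against two constructed directories.
tmp=$(mktemp -d)
make_fixture "$tmp/projects/demo"
make_fixture "$tmp/projects/demo-broken" broken
check_project "$tmp/projects/demo" && echo "demo: OK"
check_project "$tmp/projects/demo-broken" || echo "demo-broken: $? problem(s)"
rm -rf "$tmp"
```

Run it as `sh check.sh` from the repo root after copying the template, or source it and call `check_project projects/<name>` directly; a non-zero return is the count of checklist items still open. It deliberately does not try to validate the contents of scope-labels.md or release-trains.md, since the README does not define those formats; those two items remain a manual check.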
Cross-references
- ../README.md — framework-level “Adopting the framework” view + bootstrap walk-through.
- ../../AGENTS.md — the placeholder convention that lets skills resolve <project-config>/ to the adopter's path at agent runtime.