Table of Contents generated with DocToc
The ASF organization: the default governance vocabulary, backend selections, and infrastructure values shared by every Apache project that adopts Magpie. A project under the ASF sets organization: ASF in <project-config>/project.md and inherits everything below; it overrides a key only where it genuinely differs (and supplies its own per-project values — security list address, scope labels, product name, roster — which are not org-level and stay in project.md).
Resolution: project.md → this file → framework default. See organizations/README.md and AGENTS.md.
The adapter contracts these blocks bind to live under tools/cve-tool/, tools/mail-archive/, tools/forwarder-relay/, and tools/mail-source/; the shipping ASF backends are tools/cve-tool-vulnogram/, tools/ponymail/, tools/apache-projects/, and the ASF-security forwarder shape in tools/gmail/asf-relay.md.
Brand / display metadata, surfaced by the website (and any skill that shows which organization a project belongs to). logo is the asset the site renders for projects under this organization.
organization_identity: id: ASF # matches the organizations/<id>/ dir name name: "Apache Software Foundation" # full name, longer than the id; shown on the website url: https://www.apache.org/ logo: https://www.apache.org/foundation/press/kit/asf_logo.svg
How the ASF names the roles and rules the skills speak about abstractly. These resolve the <governance-body> / <project-stage> placeholders and the contributor-intake mechanism flag.
governance_vocabulary: governance_body: "PMC" # <governance-body> — Project Management Committee governance_body_full: "Project Management Committee" member_role: "PMC member" committer_role: "committer" contributor_intake: icla # ICLA on file before first commit (vs dco / none) project_stage_vocab: [incubating, top-level] # <project-stage> — podling vs TLP private_governance_list: "private@<project>.apache.org"
cve_authority: tool: vulnogram # adapter under tools/cve-tool/ → tools/cve-tool-vulnogram/ allocate_url: https://cveprocess.apache.org/allocatecve record_url_template: https://cveprocess.apache.org/cve5/<CVE-ID> source_tab_url_template: https://cveprocess.apache.org/cve5/<CVE-ID>?tab=source email_preview_url_template: https://cveprocess.apache.org/cve5/<CVE-ID>?tab=email states: [allocated, review-ready, publish-ready, public] # Vulnogram DRAFT/REVIEW/READY/PUBLIC publication_propagation: poll # Vulnogram has no webhook emits_allocation_email: true # Vulnogram auto-emails the assigner list reviewer_channel: mailing-list # PMC reviews on the private list # Resolves the <cve-tool-url> placeholder used in agnostic skills: cve_tool_url: https://cveprocess.apache.org
governance: cve_allocation_gate: pmc-member # ASF PMC membership via OAuth into Vulnogram gate_label: "PMC" release_vote_gating: true # ASF release process gates on outstanding security work roster_url: https://projects.apache.org/committee.html?<project>
security_inbox: kind: mailing-list foundation_security_address: security@apache.org # ASF security team forwards reports here has_forwarder_relay: true list_filter_query: "list:<security-list-domain>"
forwarders: enabled: [asf-security] # ASF security team relays reports onto project lists asf-security: contact_handle: security@apache.org preamble_match: "^Dear PMC,\\s+The security vulnerability report" credit_extraction_rule: "first-line-matching:^Reported by:\\s+(.+)$"
mail_provider: primary: gmail-mcp # triager Gmail account via tools/gmail/ fallback: ponymail # read-only ASF archive backstop
archive_system: kind: ponymail # lists.apache.org list_domain: <project>.apache.org search_url_template: "https://lists.apache.org/list?{list}:{year}-{month}:{query}" api_query_url_template: "https://lists.apache.org/api/thread.lua?list={list}&domain={list_domain}&id={thread_id}" advisory_publication_signal_url: "https://lists.apache.org/list.html?<users-list>" # Resolves the <mail-archive-url> placeholder used in agnostic skills: mail_archive_url: https://lists.apache.org
project_metadata: kind: apache-projects-mcp # comdev MCP wrapping projects.apache.org/json mandatory: true # for ASF projects the MCP is a pre-flight prerequisite install_source: "apache/comdev @ main (mcp/apache-projects-mcp)"
release_process: release_manager_lookup_cascade: - kind: roster_file path: "release-trains.md" - kind: wiki_url url: "https://cwiki.apache.org/confluence/display/<PROJECT>/Release+Managers" - kind: mailing_list_vote_thread list: "<dev-list>" artifact_registries: [pypi, artifacthub] # Resolves agnostic-skill placeholders: release_dist: https://dist.apache.org/repos/dist # <release-dist> project_wiki: https://cwiki.apache.org/confluence/display/<PROJECT> # <project-wiki> announce_list: announce@apache.org # <announce-list>
roster: source: roster-file:release-trains.md # canonical security-team / RM source for ASF projects
tracker: visibility: private # ASF security tracker existence is itself confidential board: github-projects-v2