Table of Contents generated with DocToc

Velox Stream — project manifest (non-ASF fixture)

This is a fictional, non-ASF project used as a test fixture to verify that the framework‘s skills work without any ASF-specific configuration. See README.md for the fixture’s purpose.

Identity

KeyValue
organizationindependent (organizations/independent/) — the no-formal-governing-body baseline.
project_nameVelox Stream
vendorVelox Community
short_namevelox-stream
product_family_urlhttps://velox-stream.example.io/

This fixture shows the minimal per-project configuration a real independent adopter would declare — only values that override or extend the organizations/independent/ defaults. Org-level values (cve_authority, forwarders, mail_provider, project_metadata, and most of archive_system and release_process) are inherited from that manifest and not repeated here. See projects/_template/project.md for the full schema and field descriptions.

Repositories

KeyValuePurpose
tracker_repovelox-community/velox-stream-securityPrivate security tracker
tracker_repo_urlhttps://github.com/velox-community/velox-stream-security
tracker_default_branchmainDefault PR target
tracker_project_board_url(none — no project board)
upstream_repovelox-community/velox-streamPublic codebase
upstream_repo_urlhttps://github.com/velox-community/velox-stream
upstream_default_branchmain
upstream_contributing_docs_urlhttps://github.com/velox-community/velox-stream/blob/main/CONTRIBUTING.md
upstream_security_policy_urlhttps://github.com/velox-community/velox-stream/security/policy

Mailing lists

None. This project uses GitHub Discussions for community communication and has no public mailing lists.

KeyValueNotes
security_list(none — uses GHSA intake)Security reports via GitHub Security Advisories
dev_list(none — uses GitHub Discussions)
announce_list(none — uses GitHub Releases)

Tools enabled

CapabilityToolNotes
Issue tracking + source controlgithubvelox-community/velox-stream
Security advisory intakeghsaGitHub Security Advisories (no mail backend)
CVE allocation + record mgmtmitre-formDirect MITRE submission form
Distributiongithub-releasesNo dist.apache.org or closer.lua

Security workflow configuration

The blocks below declare only per-project values — overrides and extensions of what organizations/independent/organization.md already provides. Inherited keys (forwarders, mail_provider, project_metadata, and the base CVE/governance/inbox defaults) are omitted; the framework resolves them from the organization manifest automatically.

CVE authority

cve_authority:
  # Override the independent-org 2-stop state machine: Velox uses MITRE's
  # extended 4-stop sequence and polls for publication rather than waiting
  # for manual notification.
  states: [allocated, review-ready, publish-ready, public]
  publication_propagation: poll

Governance

governance:
  # Per-project: escalation handle and public roster URL.
  escalation_contact: "@velox-lead"
  roster_url: https://github.com/orgs/velox-community/people

Security inbox

security_inbox:
  # Per-project: the concrete GHSA inbox URL for this repo.
  address: https://github.com/velox-community/velox-stream/security/advisories

Archive system

archive_system:
  # Per-project: where public advisories and release notes surface.
  advisory_publication_signal_url: https://github.com/velox-community/velox-stream/releases

Tracker

tracker:
  platform: github
  board: none
  visibility: private
  reporter_has_access: false
  project_board_enabled: false
  skill_url_template: "https://github.com/velox-community/velox-stream-security/blob/main/.claude/skills/<skill>/SKILL.md"

  body_fields:
    cve_link: "CVE link"
    mailing_thread: "Security advisory URL"
    affected_versions: "Affected versions"

  labels:
    security_marker: "security"
    needs_triage: "needs triage"
    pr_open: "pr created"
    pr_merged: "pr merged"
    cve_allocated: "cve allocated"
    not_cve_worthy: "not cve worthy"
    rejections_ledger: "rejections-ledger"

Scope detection

scope_detection:
  # Single-artifact project; no scope sub-products.
  enabled: false
  labels: {}

Release process

release_process:
  # Override: PyPI only (independent-org default is []).
  artifact_registries: [pypi]

  # Per-project: this project has no overdue milestones to track.
  stale_milestones: []

  # Per-project: newsfragments tool.
  newsfragments:
    enabled: true
    tool: towncrier

Roster

roster:
  # Per-project: name → handle map and release-manager list.
  # roster.source is inherited from organizations/independent (roster-file).
  bare_name_handles:
    "Alex": "@alex-velox"
    "Robin": "@robin-velox"

  release_managers:
    - "@alex-velox"

Product

product:
  name: velox-stream
  package_name: velox-stream
  code_pointer_path_prefix: "^src/"
  subject_prefix_strip:
    - "[SECURITY]"
    - "[Security Report]"
    - "Re:"
    - "Fwd:"
    - "velox-stream:"
  affected_version_extract_prefix: "velox-stream"

Pointers to sibling files