Table of Contents generated with DocToc
This is a fictional, non-ASF project used as a test fixture to verify that the framework‘s skills work without any ASF-specific configuration. See README.md for the fixture’s purpose.
| Key | Value |
|---|---|
organization | independent (organizations/independent/) — the no-formal-governing-body baseline. |
project_name | Velox Stream |
vendor | Velox Community |
short_name | velox-stream |
product_family_url | https://velox-stream.example.io/ |
This fixture shows the minimal per-project configuration a real independent adopter would declare — only values that override or extend the organizations/independent/ defaults. Org-level values (cve_authority, forwarders, mail_provider, project_metadata, and most of archive_system and release_process) are inherited from that manifest and not repeated here. See projects/_template/project.md for the full schema and field descriptions.
| Key | Value | Purpose |
|---|---|---|
tracker_repo | velox-community/velox-stream-security | Private security tracker |
tracker_repo_url | https://github.com/velox-community/velox-stream-security | |
tracker_default_branch | main | Default PR target |
tracker_project_board_url | (none — no project board) | |
upstream_repo | velox-community/velox-stream | Public codebase |
upstream_repo_url | https://github.com/velox-community/velox-stream | |
upstream_default_branch | main | |
upstream_contributing_docs_url | https://github.com/velox-community/velox-stream/blob/main/CONTRIBUTING.md | |
upstream_security_policy_url | https://github.com/velox-community/velox-stream/security/policy |
None. This project uses GitHub Discussions for community communication and has no public mailing lists.
| Key | Value | Notes |
|---|---|---|
security_list | (none — uses GHSA intake) | Security reports via GitHub Security Advisories |
dev_list | (none — uses GitHub Discussions) | |
announce_list | (none — uses GitHub Releases) |
| Capability | Tool | Notes |
|---|---|---|
| Issue tracking + source control | github | velox-community/velox-stream |
| Security advisory intake | ghsa | GitHub Security Advisories (no mail backend) |
| CVE allocation + record mgmt | mitre-form | Direct MITRE submission form |
| Distribution | github-releases | No dist.apache.org or closer.lua |
The blocks below declare only per-project values — overrides and extensions of what organizations/independent/organization.md already provides. Inherited keys (forwarders, mail_provider, project_metadata, and the base CVE/governance/inbox defaults) are omitted; the framework resolves them from the organization manifest automatically.
cve_authority: # Override the independent-org 2-stop state machine: Velox uses MITRE's # extended 4-stop sequence and polls for publication rather than waiting # for manual notification. states: [allocated, review-ready, publish-ready, public] publication_propagation: poll
governance: # Per-project: escalation handle and public roster URL. escalation_contact: "@velox-lead" roster_url: https://github.com/orgs/velox-community/people
security_inbox: # Per-project: the concrete GHSA inbox URL for this repo. address: https://github.com/velox-community/velox-stream/security/advisories
archive_system: # Per-project: where public advisories and release notes surface. advisory_publication_signal_url: https://github.com/velox-community/velox-stream/releases
tracker: platform: github board: none visibility: private reporter_has_access: false project_board_enabled: false skill_url_template: "https://github.com/velox-community/velox-stream-security/blob/main/.claude/skills/<skill>/SKILL.md" body_fields: cve_link: "CVE link" mailing_thread: "Security advisory URL" affected_versions: "Affected versions" labels: security_marker: "security" needs_triage: "needs triage" pr_open: "pr created" pr_merged: "pr merged" cve_allocated: "cve allocated" not_cve_worthy: "not cve worthy" rejections_ledger: "rejections-ledger"
scope_detection: # Single-artifact project; no scope sub-products. enabled: false labels: {}
release_process: # Override: PyPI only (independent-org default is []). artifact_registries: [pypi] # Per-project: this project has no overdue milestones to track. stale_milestones: [] # Per-project: newsfragments tool. newsfragments: enabled: true tool: towncrier
roster: # Per-project: name → handle map and release-manager list. # roster.source is inherited from organizations/independent (roster-file). bare_name_handles: "Alex": "@alex-velox" "Robin": "@robin-velox" release_managers: - "@alex-velox"
product: name: velox-stream package_name: velox-stream code_pointer_path_prefix: "^src/" subject_prefix_strip: - "[SECURITY]" - "[Security Report]" - "Re:" - "Fwd:" - "velox-stream:" affected_version_extract_prefix: "velox-stream"
issue-tracker-config.md — general-issue tracker.stale-sweep-config.md — stale-sweep thresholds.