Table of Contents generated with DocToc
<Project Name>Skeleton directory for a new project under this framework. Do not edit the template in place; copy it to projects/<name>/ and fill in every TODO placeholder:
# From the repo root: cp -R projects/_template projects/<name> $EDITOR projects/<name>/project.md grep -rn TODO projects/<name> # work through the remaining TODOs
The _template prefix keeps this directory out of the way of the active-project resolver (the skills only load projects/<active>/, so a directory that starts with _ is never accidentally picked up).
Once you have copied the template into <project-config>/ in your tracker repo, update this README.md to be your project's file index. Delete the sections your project does not need and fill in the rest.
| File | Purpose |
|---|---|
project.md | Project manifest. Identity, repositories, mailing lists, tools enabled, CVE tooling, GitHub project-board + issue-template field declarations. The single file every skill reads to resolve project-scoped references. |
| File | Purpose |
|---|---|
release-trains.md | Active release branches, release-manager attribution per cut, rotation rosters, security-team roster. |
milestones.md | Milestone naming conventions + create-and-assign recipe. |
| File | Purpose |
|---|---|
scope-labels.md | Scope label → CVE product / packageName / collection-URL mapping. Exactly one scope label per tracker. |
| File | Purpose |
|---|---|
security-model.md | Authoritative URL for the project's Security Model + known-useful anchors + drafting rule. |
| File | Purpose |
|---|---|
title-normalization.md | Regex cascade the security-cve-allocate skill applies to tracker titles before pasting them into the CVE-tool allocation form. |
| File | Purpose |
|---|---|
fix-workflow.md | Fork / clone / toolchain specifics, backport-label policy, commit-trailer wording, PR scrubbing, private-PR fallback. |
| File | Purpose |
|---|---|
naming-conventions.md | Project-specific editorial rules. Keep only the ones that differ from the generic rules in ../../AGENTS.md. |
canned-responses.md | Reusable reporter-facing reply templates. |
These files configure the pr-management-triage, pr-management-stats, and pr-management-code-review skills. Adopters who only use the security skills can delete these four files; adopters running maintainer-side PR-queue management fill them in.
| File | Purpose |
|---|---|
pr-management-config.md | Committers team handle, area-label prefix, project-specific labels (ready for maintainer review, etc.), grace windows. Used by pr-management-triage and pr-management-stats. |
pr-management-triage-comment-templates.md | Comment-body URLs (PR quality criteria, two-stage triage rationale), AI-attribution footer wording, project display name. Used by pr-management-triage. |
pr-management-triage-ci-check-map.md | CI-check name pattern → category name + doc-URL mapping for the violations comment. Used by pr-management-triage. |
pr-management-code-review-criteria.md | List of project's review-criteria source files (repo-wide AGENTS.md, code-review docs, per-area AGENTS.md), security-model calibration doc, backport-branch pattern, section-anchor URLs. Used by pr-management-code-review. |
Each PR-skill reads its project-specific content exclusively from the files listed below. No defaults are baked into the framework — every adopter provides their own values in
<project-config>/. Seeprojects/_template/pr-management-*.mdfor concrete examples (filled in with the Apache Airflow project's values, which new adopters can use as a reference when drafting their own configuration).
cp -R projects/_template projects/<name> done.TODO in project.md resolved (grep: grep -n TODO projects/<name>/project.md).Security workflow (delete this group if not using the security skills):
scope-labels.md lists at least one scope label (exactly-one-of rule).security-model.md points at the project's authoritative Security-Model URL.release-trains.md has at least one current release branch + its RM.canned-responses.md has at least the “Confirmation of receiving the report” template filled in (the security-issue-import skill sends this verbatim).PR triage and review (delete this group if not using the pr-* skills):
pr-management-config.md — committers team handle and area-label prefix filled in.pr-management-triage-comment-templates.md — <quality_criteria_url>, <two_stage_triage_rationale_url>, and <project_display_name> filled in.pr-management-triage-ci-check-map.md — at least one CI-check pattern row filled in (or the catch-all row pointing at the project's static-checks doc).pr-management-code-review-criteria.md — at least one repo-wide review-criteria source file declared.Common finishers:
config/active-project.md updated to the new directory name if this working tree should target the new project.README.md “Current projects” table updated with a row for the new project + a link to this README.md.prek run --all-files passes.../../README.md — framework-level “Adopting the framework” view + bootstrap walk-through.../../AGENTS.md — the placeholder convention that lets skills resolve <project-config>/ to the adopter's path at agent runtime.