tree: bdfeea26065e37056a4dc07902e38bb6e0d6c3a0
  1. canned-responses.md
  2. fix-workflow.md
  3. milestones.md
  4. naming-conventions.md
  5. pr-management-code-review-criteria.md
  6. pr-management-config.md
  7. pr-management-triage-ci-check-map.md
  8. pr-management-triage-comment-templates.md
  9. privacy-llm.md
  10. project.md
  11. README.md
  12. release-trains.md
  13. scope-labels.md
  14. security-model.md
  15. title-normalization.md
projects/_template/README.md

Table of Contents generated with DocToc

New project — TODO: replace with <Project Name>

Skeleton directory for a new project under this framework. Do not edit the template in place; copy it to projects/<name>/ and fill in every TODO placeholder:

# From the repo root:
cp -R projects/_template projects/<name>
$EDITOR projects/<name>/project.md
grep -rn TODO projects/<name>     # work through the remaining TODOs

The _template prefix keeps this directory out of the way of the active-project resolver (the skills only load projects/<active>/, so a directory that starts with _ is never accidentally picked up).

What each file is for

Once you have copied the template into <project-config>/ in your tracker repo, update this README.md to be your project's file index. Delete the sections your project does not need and fill in the rest.

Authoritative manifest (fill this in first)

FilePurpose
project.mdProject manifest. Identity, repositories, mailing lists, tools enabled, CVE tooling, GitHub project-board + issue-template field declarations. The single file every skill reads to resolve project-scoped references.

Release state

FilePurpose
release-trains.mdActive release branches, release-manager attribution per cut, rotation rosters, security-team roster.
milestones.mdMilestone naming conventions + create-and-assign recipe.

Scope + product mapping

FilePurpose
scope-labels.mdScope label → CVE product / packageName / collection-URL mapping. Exactly one scope label per tracker.

Security-model references

FilePurpose
security-model.mdAuthoritative URL for the project's Security Model + known-useful anchors + drafting rule.

CVE-allocation mechanics

FilePurpose
title-normalization.mdRegex cascade the security-cve-allocate skill applies to tracker titles before pasting them into the CVE-tool allocation form.

Remediation workflow

FilePurpose
fix-workflow.mdFork / clone / toolchain specifics, backport-label policy, commit-trailer wording, PR scrubbing, private-PR fallback.

Editorial + reporter-facing

FilePurpose
naming-conventions.mdProject-specific editorial rules. Keep only the ones that differ from the generic rules in ../../AGENTS.md.
canned-responses.mdReusable reporter-facing reply templates.

PR triage and review

These files configure the pr-management-triage, pr-management-stats, and pr-management-code-review skills. Adopters who only use the security skills can delete these four files; adopters running maintainer-side PR-queue management fill them in.

FilePurpose
pr-management-config.mdCommitters team handle, area-label prefix, project-specific labels (ready for maintainer review, etc.), grace windows. Used by pr-management-triage and pr-management-stats.
pr-management-triage-comment-templates.mdComment-body URLs (PR quality criteria, two-stage triage rationale), AI-attribution footer wording, project display name. Used by pr-management-triage.
pr-management-triage-ci-check-map.mdCI-check name pattern → category name + doc-URL mapping for the violations comment. Used by pr-management-triage.
pr-management-code-review-criteria.mdList of project's review-criteria source files (repo-wide AGENTS.md, code-review docs, per-area AGENTS.md), security-model calibration doc, backport-branch pattern, section-anchor URLs. Used by pr-management-code-review.

Each PR-skill reads its project-specific content exclusively from the files listed below. No defaults are baked into the framework — every adopter provides their own values in <project-config>/. See projects/_template/pr-management-*.md for concrete examples (filled in with the Apache Airflow project's values, which new adopters can use as a reference when drafting their own configuration).

Checklist after copying

  • [ ] cp -R projects/_template projects/<name> done.
  • [ ] Every TODO in project.md resolved (grep: grep -n TODO projects/<name>/project.md).

Security workflow (delete this group if not using the security skills):

  • [ ] scope-labels.md lists at least one scope label (exactly-one-of rule).
  • [ ] security-model.md points at the project's authoritative Security-Model URL.
  • [ ] release-trains.md has at least one current release branch + its RM.
  • [ ] canned-responses.md has at least the “Confirmation of receiving the report” template filled in (the security-issue-import skill sends this verbatim).

PR triage and review (delete this group if not using the pr-* skills):

  • [ ] pr-management-config.md — committers team handle and area-label prefix filled in.
  • [ ] pr-management-triage-comment-templates.md<quality_criteria_url>, <two_stage_triage_rationale_url>, and <project_display_name> filled in.
  • [ ] pr-management-triage-ci-check-map.md — at least one CI-check pattern row filled in (or the catch-all row pointing at the project's static-checks doc).
  • [ ] pr-management-code-review-criteria.md — at least one repo-wide review-criteria source file declared.

Common finishers:

  • [ ] config/active-project.md updated to the new directory name if this working tree should target the new project.
  • [ ] Root README.md “Current projects” table updated with a row for the new project + a link to this README.md.
  • [ ] prek run --all-files passes.

Cross-references

  • ../../README.md — framework-level “Adopting the framework” view + bootstrap walk-through.
  • ../../AGENTS.md — the placeholder convention that lets skills resolve <project-config>/ to the adopter's path at agent runtime.