Table of Contents generated with DocToc
<Project Name> — project manifestThis is the project configuration for TODO: <project-name>. Every skill under ../../.claude/skills/ reads the project name from ../../config/active-project.md and then loads this manifest to resolve project-specific identity, repositories, mailing lists, and references to the other files in this directory.
Grep for TODO to see every field you still need to fill in:
grep -n TODO projects/<name>/project.md
| Key | Value |
|---|---|
project_name | TODO: e.g. Apache Foo |
vendor | TODO: e.g. Apache Software Foundation |
short_name | TODO: e.g. Foo |
product_family_url | TODO: e.g. https://foo.apache.org/ |
The vendor / project_name pair is what lands in the vendor and product fields of the CVE 5.x record the CVE-JSON generator produces.
| Key | Value | Purpose |
|---|---|---|
tracker_repo | TODO: e.g. foo-s/foo-s | Private security tracker (this repo) |
tracker_repo_url | TODO | |
tracker_default_branch | TODO: e.g. main | Default PR target for the tracker repo |
tracker_project_board_url | TODO: URL of the GitHub Project V2 board, if any | Security board |
upstream_repo | TODO: e.g. apache/foo | Public codebase where fixes land |
upstream_repo_url | TODO | |
upstream_agents_md_url | TODO: https://github.com/<upstream>/blob/main/AGENTS.md | Conventions this repo mirrors |
upstream_contributing_docs_url | TODO | |
upstream_genai_disclosure_anchor | TODO: URL + anchor for the project's Gen-AI disclosure guideline | |
upstream_security_policy_url | TODO: https://github.com/<upstream>/security/policy |
| Key | Value | Notes |
|---|---|---|
security_list | TODO: e.g. security@foo.apache.org | Inbound reports; not publicly archived |
private_list | TODO: e.g. private@foo.apache.org | PMC escalation; not publicly archived |
users_list | TODO: e.g. users@foo.apache.org | Public advisories end up here; publicly archived |
dev_list | TODO: e.g. dev@foo.apache.org | Release [RESULT][VOTE] threads; publicly archived |
announce_list | TODO: e.g. announce@apache.org | Cross-project announcement list; publicly archived |
commits_list | TODO: e.g. commits@foo.apache.org | Publicly archived |
asf_security_list | security@apache.org | ASF-wide security team; relays some inbound reports |
Public archives typically live at https://lists.apache.org/list.html?<list>. Private lists on lists.apache.org/thread/<id> 404 for non-members. Only URLs on publicly archived lists may appear in CVE references[] as vendor-advisory; see ../../AGENTS.md and security-model.md.
| Capability | Tool | Adapter directory | Config knobs declared here |
|---|---|---|---|
| Issue tracking + source control + project board | github | ../../tools/github/ | tracker_repo, upstream_repo, github_project_board_*, issue_template_fields |
| Inbound email / drafts | gmail | ../../tools/gmail/ | security_list subscription; PonyMail archive URL templates below |
| CVE allocation + record mgmt | vulnogram | ../../tools/vulnogram/ | see CVE tooling below |
| Release voting / announce | TODO: ASF mailing lists — or replace with the project's release-comms backend | — | via dev_list / announce_list / users_list |
To replace a tool (e.g. swap GitHub issues for JIRA), declare an alternate tool in the table above, add a tools/<name>/ adapter directory, and make sure the values the generic skills need are still reachable from this manifest.
TODO: describe which CNA tool the project uses. For ASF projects the default is ASF's Vulnogram; other CNAs will substitute their own equivalents. The Vulnogram-side mechanics live under ../../tools/vulnogram/; the per-project values below are what the generic recipes substitute in.
| Key | Value |
|---|---|
cve_tool | TODO: e.g. vulnogram (ASF-hosted) |
cve_tool_allocate_url | TODO: e.g. https://cveprocess.apache.org/allocatecve |
cve_tool_record_url_template | TODO: e.g. https://cveprocess.apache.org/cve5/<CVE-ID> |
cve_tool_source_tab_url_template | TODO |
cve_allocation_gated_by | TODO: e.g. Foo PMC membership (ASF OAuth) |
asf_org_id | TODO: project's CNA org UUID (for ASF projects: f0158376-9dc2-43b6-827c-5f631a4d8d09) |
cna_private_owner | TODO: e.g. foo (CNA_private.owner — identifies the project slug inside the ASF CNA queue) |
cna_private_projecturl | TODO: e.g. https://foo.apache.org/ |
cna_private_userslist | TODO: e.g. users@foo.apache.org |
If the project uses a Projects V2 board for its security-issue view, declare the node IDs below. Fetch with the introspection query in ../../tools/github/project-board.md. If the project does not run a board, leave the table blank — skills treat missing board config as “no board reconciliation”.
| Key | Value |
|---|---|
project_board_url | TODO |
project_board_number | TODO |
project_board_node_id | TODO |
status_field_node_id | TODO |
Status column → option-ID mapping (re-fetch if any write returns not found):
| Column | Option ID |
|---|---|
Needs triage | TODO |
Assessed | TODO |
CVE allocated | TODO |
PR created | TODO |
PR merged | TODO |
Fix released | TODO |
Announced | TODO |
Gmail-side mechanics (MCP call shapes, threading rule, search-query patterns, archive URL construction) live under ../../tools/gmail/; the concrete per-project values below are what the generic recipes substitute in.
| Key | Value |
|---|---|
security_list_domain | TODO: e.g. security.foo.apache.org — Gmail list: operator uses the domain form |
ponymail_private_search_url_template | TODO |
ponymail_public_search_url_template | TODO |
ponymail_api_url_template | TODO |
ponymail_thread_url_template | https://lists.apache.org/thread/<hash>?<list> |
The skills' body-field roles map to the following concrete ### headings in the project‘s issue template at ../../.github/ISSUE_TEMPLATE/issue_report.yml (or the project’s equivalent). The generic role → GitHub-field contract lives in ../../tools/github/issue-template.md; the concrete names below are what skills read and write for this project.
| Role (generic) | Field name | Template type | Required? |
|---|---|---|---|
issue-description | TODO | textarea | TODO |
public-summary | TODO | textarea | TODO |
affected-versions | TODO | input | TODO |
security-thread | TODO | input | TODO |
public-advisory-url | TODO | input | TODO |
reporter-credit | TODO | input | TODO |
pr-with-fix | TODO | input | TODO |
cwe | TODO | input | TODO |
severity | TODO | dropdown | TODO |
cve-tool-link | TODO | input | TODO |
release-trains.md — fast-moving release state, release-manager attribution, security-team roster.milestones.md — milestone naming conventions.scope-labels.md — scope label → CVE product mapping.security-model.md — Security-Model URL + anchors.title-normalization.md — CVE title strip cascade.fix-workflow.md — fork / toolchain / commit-trailer specifics.naming-conventions.md — project-specific editorial rules.canned-responses.md — reporter-facing reply templates.README.md — project file index + onboarding checklist.