Table of Contents generated with DocToc

TODO: <Project Name> — project manifest

This is the project configuration for TODO: <project-name>. Every skill under ../../.claude/skills/ reads the project name from ../../config/active-project.md and then loads this manifest to resolve project-specific identity, repositories, mailing lists, and references to the other files in this directory.

Grep for TODO to see every field you still need to fill in:

grep -n TODO projects/<name>/project.md

Identity

KeyValue
project_nameTODO: e.g. Apache Foo
vendorTODO: e.g. Apache Software Foundation
short_nameTODO: e.g. Foo
product_family_urlTODO: e.g. https://foo.apache.org/

The vendor / project_name pair is what lands in the vendor and product fields of the CVE 5.x record the CVE-JSON generator produces.

Repositories

KeyValuePurpose
tracker_repoTODO: e.g. foo-s/foo-sPrivate security tracker (this repo)
tracker_repo_urlTODO
tracker_default_branchTODO: e.g. mainDefault PR target for the tracker repo
tracker_project_board_urlTODO: URL of the GitHub Project V2 board, if anySecurity board
upstream_repoTODO: e.g. apache/fooPublic codebase where fixes land
upstream_repo_urlTODO
upstream_agents_md_urlTODO: https://github.com/<upstream>/blob/main/AGENTS.mdConventions this repo mirrors
upstream_contributing_docs_urlTODO
upstream_genai_disclosure_anchorTODO: URL + anchor for the project's Gen-AI disclosure guideline
upstream_security_policy_urlTODO: https://github.com/<upstream>/security/policy

Mailing lists

KeyValueNotes
security_listTODO: e.g. security@foo.apache.orgInbound reports; not publicly archived
private_listTODO: e.g. private@foo.apache.orgPMC escalation; not publicly archived
users_listTODO: e.g. users@foo.apache.orgPublic advisories end up here; publicly archived
dev_listTODO: e.g. dev@foo.apache.orgRelease [RESULT][VOTE] threads; publicly archived
announce_listTODO: e.g. announce@apache.orgCross-project announcement list; publicly archived
commits_listTODO: e.g. commits@foo.apache.orgPublicly archived
asf_security_listsecurity@apache.orgASF-wide security team; relays some inbound reports

Public archives typically live at https://lists.apache.org/list.html?<list>. Private lists on lists.apache.org/thread/<id> 404 for non-members. Only URLs on publicly archived lists may appear in CVE references[] as vendor-advisory; see ../../AGENTS.md and security-model.md.

Tools enabled

CapabilityToolAdapter directoryConfig knobs declared here
Issue tracking + source control + project boardgithub../../tools/github/tracker_repo, upstream_repo, github_project_board_*, issue_template_fields
Inbound email / draftsgmail../../tools/gmail/security_list subscription; PonyMail archive URL templates below
CVE allocation + record mgmtvulnogram../../tools/vulnogram/see CVE tooling below
Release voting / announceTODO: ASF mailing lists — or replace with the project's release-comms backendvia dev_list / announce_list / users_list

To replace a tool (e.g. swap GitHub issues for JIRA), declare an alternate tool in the table above, add a tools/<name>/ adapter directory, and make sure the values the generic skills need are still reachable from this manifest.

CVE tooling

TODO: describe which CNA tool the project uses. For ASF projects the default is ASF's Vulnogram; other CNAs will substitute their own equivalents. The Vulnogram-side mechanics live under ../../tools/vulnogram/; the per-project values below are what the generic recipes substitute in.

KeyValue
cve_toolTODO: e.g. vulnogram (ASF-hosted)
cve_tool_allocate_urlTODO: e.g. https://cveprocess.apache.org/allocatecve
cve_tool_record_url_templateTODO: e.g. https://cveprocess.apache.org/cve5/<CVE-ID>
cve_tool_source_tab_url_templateTODO
cve_allocation_gated_byTODO: e.g. Foo PMC membership (ASF OAuth)
asf_org_idTODO: project's CNA org UUID (for ASF projects: f0158376-9dc2-43b6-827c-5f631a4d8d09)
cna_private_ownerTODO: e.g. foo (CNA_private.owner — identifies the project slug inside the ASF CNA queue)
cna_private_projecturlTODO: e.g. https://foo.apache.org/
cna_private_userslistTODO: e.g. users@foo.apache.org

GitHub project board

If the project uses a Projects V2 board for its security-issue view, declare the node IDs below. Fetch with the introspection query in ../../tools/github/project-board.md. If the project does not run a board, leave the table blank — skills treat missing board config as “no board reconciliation”.

KeyValue
project_board_urlTODO
project_board_numberTODO
project_board_node_idTODO
status_field_node_idTODO

Status column → option-ID mapping (re-fetch if any write returns not found):

ColumnOption ID
Needs triageTODO
AssessedTODO
CVE allocatedTODO
PR createdTODO
PR mergedTODO
Fix releasedTODO
AnnouncedTODO

Gmail and PonyMail

Gmail-side mechanics (MCP call shapes, threading rule, search-query patterns, archive URL construction) live under ../../tools/gmail/; the concrete per-project values below are what the generic recipes substitute in.

KeyValue
security_list_domainTODO: e.g. security.foo.apache.org — Gmail list: operator uses the domain form
ponymail_private_search_url_templateTODO
ponymail_public_search_url_templateTODO
ponymail_api_url_templateTODO
ponymail_thread_url_templatehttps://lists.apache.org/thread/<hash>?<list>

Issue-template fields

The skills' body-field roles map to the following concrete ### headings in the project‘s issue template at ../../.github/ISSUE_TEMPLATE/issue_report.yml (or the project’s equivalent). The generic role → GitHub-field contract lives in ../../tools/github/issue-template.md; the concrete names below are what skills read and write for this project.

Role (generic)Field nameTemplate typeRequired?
issue-descriptionTODOtextareaTODO
public-summaryTODOtextareaTODO
affected-versionsTODOinputTODO
security-threadTODOinputTODO
public-advisory-urlTODOinputTODO
reporter-creditTODOinputTODO
pr-with-fixTODOinputTODO
cweTODOinputTODO
severityTODOdropdownTODO
cve-tool-linkTODOinputTODO

Pointers to sibling files