blob: 50f37fd4a7a0926e4b77d3a3d4e6a1083f49e613 [file] [view]
<!-- SPDX-License-Identifier: Apache-2.0
https://www.apache.org/licenses/LICENSE-2.0 -->
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
**Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)*
- [Velox Stream — project manifest (non-ASF fixture)](#velox-stream--project-manifest-non-asf-fixture)
- [Identity](#identity)
- [Repositories](#repositories)
- [Mailing lists](#mailing-lists)
- [Tools enabled](#tools-enabled)
- [Security workflow configuration](#security-workflow-configuration)
- [CVE authority](#cve-authority)
- [Governance](#governance)
- [Security inbox](#security-inbox)
- [Archive system](#archive-system)
- [Tracker](#tracker)
- [Scope detection](#scope-detection)
- [Release process](#release-process)
- [Roster](#roster)
- [Product](#product)
- [Pointers to sibling files](#pointers-to-sibling-files)
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
<!-- SPDX-License-Identifier: Apache-2.0
https://www.apache.org/licenses/LICENSE-2.0 -->
# Velox Stream — project manifest (non-ASF fixture)
This is a **fictional, non-ASF project** used as a test fixture to verify
that the framework's skills work without any ASF-specific configuration.
See [`README.md`](README.md) for the fixture's purpose.
## Identity
| Key | Value |
|---|---|
| `organization` | `independent` ([`organizations/independent/`](../../organizations/independent/)) — the no-formal-governing-body baseline. |
| `project_name` | Velox Stream |
| `vendor` | Velox Community |
| `short_name` | velox-stream |
| `product_family_url` | https://velox-stream.example.io/ |
This fixture shows the **minimal per-project configuration** a real
independent adopter would declare — only values that override or extend the
[`organizations/independent/`](../../organizations/independent/) defaults.
Org-level values (`cve_authority`, `forwarders`, `mail_provider`,
`project_metadata`, and most of `archive_system` and `release_process`) are
inherited from that manifest and not repeated here. See
[`projects/_template/project.md`](../_template/project.md) for the full
schema and field descriptions.
## Repositories
| Key | Value | Purpose |
|---|---|---|
| `tracker_repo` | velox-community/velox-stream-security | Private security tracker |
| `tracker_repo_url` | https://github.com/velox-community/velox-stream-security | |
| `tracker_default_branch` | main | Default PR target |
| `tracker_project_board_url` | (none — no project board) | |
| `upstream_repo` | velox-community/velox-stream | Public codebase |
| `upstream_repo_url` | https://github.com/velox-community/velox-stream | |
| `upstream_default_branch` | main | |
| `upstream_contributing_docs_url` | https://github.com/velox-community/velox-stream/blob/main/CONTRIBUTING.md | |
| `upstream_security_policy_url` | https://github.com/velox-community/velox-stream/security/policy | |
## Mailing lists
None. This project uses GitHub Discussions for community communication
and has no public mailing lists.
| Key | Value | Notes |
|---|---|---|
| `security_list` | (none — uses GHSA intake) | Security reports via GitHub Security Advisories |
| `dev_list` | (none — uses GitHub Discussions) | |
| `announce_list` | (none — uses GitHub Releases) | |
## Tools enabled
| Capability | Tool | Notes |
|---|---|---|
| Issue tracking + source control | `github` | `velox-community/velox-stream` |
| Security advisory intake | `ghsa` | GitHub Security Advisories (no mail backend) |
| CVE allocation + record mgmt | `mitre-form` | Direct MITRE submission form |
| Distribution | `github-releases` | No `dist.apache.org` or `closer.lua` |
## Security workflow configuration
The blocks below declare only **per-project values** — overrides and
extensions of what `organizations/independent/organization.md` already
provides. Inherited keys (`forwarders`, `mail_provider`, `project_metadata`,
and the base CVE/governance/inbox defaults) are omitted; the framework
resolves them from the organization manifest automatically.
### CVE authority
```yaml
cve_authority:
# Override the independent-org 2-stop state machine: Velox uses MITRE's
# extended 4-stop sequence and polls for publication rather than waiting
# for manual notification.
states: [allocated, review-ready, publish-ready, public]
publication_propagation: poll
```
### Governance
```yaml
governance:
# Per-project: escalation handle and public roster URL.
escalation_contact: "@velox-lead"
roster_url: https://github.com/orgs/velox-community/people
```
### Security inbox
```yaml
security_inbox:
# Per-project: the concrete GHSA inbox URL for this repo.
address: https://github.com/velox-community/velox-stream/security/advisories
```
### Archive system
```yaml
archive_system:
# Per-project: where public advisories and release notes surface.
advisory_publication_signal_url: https://github.com/velox-community/velox-stream/releases
```
### Tracker
```yaml
tracker:
platform: github
board: none
visibility: private
reporter_has_access: false
project_board_enabled: false
skill_url_template: "https://github.com/velox-community/velox-stream-security/blob/main/.claude/skills/<skill>/SKILL.md"
body_fields:
cve_link: "CVE link"
mailing_thread: "Security advisory URL"
affected_versions: "Affected versions"
labels:
security_marker: "security"
needs_triage: "needs triage"
pr_open: "pr created"
pr_merged: "pr merged"
cve_allocated: "cve allocated"
not_cve_worthy: "not cve worthy"
rejections_ledger: "rejections-ledger"
```
### Scope detection
```yaml
scope_detection:
# Single-artifact project; no scope sub-products.
enabled: false
labels: {}
```
### Release process
```yaml
release_process:
# Override: PyPI only (independent-org default is []).
artifact_registries: [pypi]
# Per-project: this project has no overdue milestones to track.
stale_milestones: []
# Per-project: newsfragments tool.
newsfragments:
enabled: true
tool: towncrier
```
### Roster
```yaml
roster:
# Per-project: name → handle map and release-manager list.
# roster.source is inherited from organizations/independent (roster-file).
bare_name_handles:
"Alex": "@alex-velox"
"Robin": "@robin-velox"
release_managers:
- "@alex-velox"
```
### Product
```yaml
product:
name: velox-stream
package_name: velox-stream
code_pointer_path_prefix: "^src/"
subject_prefix_strip:
- "[SECURITY]"
- "[Security Report]"
- "Re:"
- "Fwd:"
- "velox-stream:"
affected_version_extract_prefix: "velox-stream"
```
## Pointers to sibling files
- [`issue-tracker-config.md`](issue-tracker-config.md) — general-issue tracker.
- [`stale-sweep-config.md`](stale-sweep-config.md) — stale-sweep thresholds.