|
| 1 | +# Maintainers |
| 2 | + |
| 3 | +This document separates advisory review responsibility from binding merge |
| 4 | +authority. |
| 5 | + |
| 6 | +codebase-memory-mcp is currently a user-owned repository. Because GitHub teams |
| 7 | +are not available here, all delegated ownership is expressed with individual |
| 8 | +GitHub handles. |
| 9 | + |
| 10 | +## Authority Model |
| 11 | + |
| 12 | +| Role | Scope | Authority | |
| 13 | +| --- | --- | --- | |
| 14 | +| Project owner | Entire repository | Final roadmap, security, release, workflow, and merge authority. | |
| 15 | +| Release operator | Dry-run and release preparation | May prepare release notes, run checklists, and request dry runs when explicitly delegated. May not publish without owner approval. | |
| 16 | +| Area reviewer | One technical area | May review, test, reproduce, and recommend merge for that area. Approval is advisory until the project owner approves. | |
| 17 | +| Triage collaborator | Issues and discussions | May label, deduplicate, reproduce, and request information. No merge or release authority. | |
| 18 | + |
| 19 | +The binding rule is intentionally simple: all pull requests require |
| 20 | +`@DeusData` approval before merge. `MAINTAINERS.md` routes review; it does not |
| 21 | +override `.github/CODEOWNERS`. |
| 22 | + |
| 23 | +## Project Owner |
| 24 | + |
| 25 | +| Handle | Responsibilities | |
| 26 | +| --- | --- | |
| 27 | +| `@DeusData` | Final authority for merge decisions, releases, security handling, CI policy, repository settings, and maintainer promotion. | |
| 28 | + |
| 29 | +## Area Review Map |
| 30 | + |
| 31 | +Use this map to request informed review. Entries marked `TBD` are open slots |
| 32 | +for future co-maintainers. |
| 33 | + |
| 34 | +| Area | Paths | Advisory reviewers | Owner gate | |
| 35 | +| --- | --- | --- | --- | |
| 36 | +| MCP protocol and tool surface | `src/mcp/`, `tests/test_mcp.c` | TBD | `@DeusData` | |
| 37 | +| CLI, install, update, editor integration | `src/cli/`, `src/git/`, `install.sh`, `install.ps1`, `tests/test_cli.c` | TBD | `@DeusData` | |
| 38 | +| Indexing pipeline and graph construction | `src/pipeline/`, `src/discover/`, `src/watcher/`, `tests/test_pipeline.c`, `tests/test_incremental.c` | TBD | `@DeusData` | |
| 39 | +| Language extraction and LSP resolution | `internal/cbm/`, `tools/`, `tests/test_*_lsp.c`, `tests/test_extraction.c`, `tests/test_grammar_*.c` | TBD | `@DeusData` | |
| 40 | +| Store, query, and graph buffers | `src/store/`, `src/cypher/`, `src/graph_buffer/`, `src/simhash/`, `src/semantic/`, `tests/test_store_*.c`, `tests/test_cypher.c` | TBD | `@DeusData` | |
| 41 | +| Foundation/runtime portability | `src/foundation/`, `vendored/`, `tests/test_*` foundation coverage | TBD | `@DeusData` | |
| 42 | +| Graph UI backend and frontend | `src/ui/`, `graph-ui/`, `tests/test_ui.c`, `tests/test_httpd.c` | TBD | `@DeusData` | |
| 43 | +| Tests, repro, smoke, and soak infrastructure | `tests/`, `tests/repro/`, `test-infrastructure/`, `scripts/test.sh`, `scripts/smoke-test.sh`, `scripts/soak-test.sh` | TBD | `@DeusData` | |
| 44 | +| Packaging and distribution | `pkg/`, `install.sh`, `install.ps1`, `server.json`, `glama.json`, `flake.nix`, `flake.lock`, `THIRD_PARTY.md`, `scripts/gen-third-party-notices.sh`, `scripts/gen-ui-licenses.py`, release archive contents | TBD | `@DeusData` | |
| 45 | +| Security and supply chain | `SECURITY.md`, `docs/SECURITY-DISCLOSURE.md`, `scripts/security-*`, `scripts/*license*`, `scripts/*allowlist*`, `.github/workflows/codeql.yml`, `.github/workflows/scorecard.yml` | `@DeusData` only initially | `@DeusData` | |
| 46 | +| CI and release operations | `.github/workflows/`, `scripts/ci/`, `Makefile.cbm` | `@DeusData` only initially | `@DeusData` | |
| 47 | +| Governance and contribution policy | `.github/CODEOWNERS`, `MAINTAINERS.md`, `CONTRIBUTING.md`, `CODE_OF_CONDUCT.md`, `DCO`, `LICENSE`, `.github/pull_request_template.md`, issue templates | `@DeusData` only initially | `@DeusData` | |
| 48 | + |
| 49 | +## Operational Authority |
| 50 | + |
| 51 | +Operational authority is stricter than code review authority. |
| 52 | + |
| 53 | +| Operation | Current authority | Delegation rule | |
| 54 | +| --- | --- | --- | |
| 55 | +| PR validation (`pr.yml`, DCO, CodeQL) | Automatic | Anyone may trigger it by opening or updating a PR. Required checks must pass. | |
| 56 | +| Dry run (`dry-run.yml`) | `@DeusData` | May be delegated to release operators after trust is established. Dry-run delegation does not imply release authority. | |
| 57 | +| Smoke/soak/repro manual runs | `@DeusData` | May be delegated to area reviewers for diagnosis, but results are advisory. | |
| 58 | +| Release workflow (`release.yml`) | `@DeusData` only | Owner-only until a release operator is explicitly promoted. Publishing, replacing releases, and tag movement remain owner-gated. | |
| 59 | +| Package registry publishing | `@DeusData` only | Owner-only initially because registry credentials and public packages are irreversible operational surfaces. | |
| 60 | +| Security advisory handling | `@DeusData` only | Do not delegate across advisories. Keep private reports isolated. | |
| 61 | +| Workflow, ruleset, CODEOWNERS, and branch protection changes | `@DeusData` only | Owner-only because these define authority itself. | |
| 62 | + |
| 63 | +Before granting a collaborator `Write` access, verify that they should be able |
| 64 | +to run manual GitHub Actions workflows in this user-owned repository. Prefer |
| 65 | +`Triage` for issue-only delegation. If `Write` becomes necessary, use protected |
| 66 | +branches, required code-owner review, and protected release environments where |
| 67 | +available so release jobs still require `@DeusData` approval. |
| 68 | + |
| 69 | +## Promotion Path |
| 70 | + |
| 71 | +Promotion is gradual and reversible. |
| 72 | + |
| 73 | +| Stage | Requirements | Capabilities | |
| 74 | +| --- | --- | --- | |
| 75 | +| Trusted contributor | Focused PRs, clean DCO, responsive review cycles. | No elevated access. | |
| 76 | +| Triage collaborator | Consistent issue reproduction and respectful scope control. | Issue triage and review requests. | |
| 77 | +| Area reviewer | Sustained, technically accurate reviews in one area. | Advisory review listing in this file. | |
| 78 | +| Release operator | Proven reliability on dry runs, packaging, and release checklists. | May run delegated dry runs and prepare releases. | |
| 79 | +| Full maintainer | Long-term trust across code, security, release, and governance. | Only after explicit owner decision and updated policy. | |
| 80 | + |
| 81 | +## High-Risk Change Rules |
| 82 | + |
| 83 | +These changes always require project-owner review, even if an area reviewer |
| 84 | +approves: |
| 85 | + |
| 86 | +- MCP tool behavior, tool outputs, or protocol capabilities. |
| 87 | +- New process execution, shell invocation, network access, or file access. |
| 88 | +- CI, release, package publishing, installer, or updater changes. |
| 89 | +- Vendored dependency changes, generated grammar changes, or license policy. |
| 90 | +- Security disclosure process, advisories, allowlists, and audit scripts. |
| 91 | +- Repository governance, branch protection, CODEOWNERS, or maintainer roles. |
| 92 | + |
| 93 | +## Review Expectations |
| 94 | + |
| 95 | +- Keep PRs scoped to one issue or one logical change. |
| 96 | +- Reproduce bugs with a failing test before fixing. |
| 97 | +- Treat area-reviewer approval as a technical recommendation, not final merge |
| 98 | + authority. |
| 99 | +- Do not self-approve high-risk changes. |
| 100 | +- Resolve conflicts of interest by asking another reviewer and the owner. |
0 commit comments