Skip to content

Commit 6ccf81d

Browse files
committed
docs: add maintainer ownership policy
Signed-off-by: Martin Vogel <[email protected]>
1 parent acee801 commit 6ccf81d

2 files changed

Lines changed: 161 additions & 0 deletions

File tree

.github/CODEOWNERS

Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,61 @@
1+
# Binding ownership policy for codebase-memory-mcp.
2+
#
3+
# This repository is user-owned, so ownership is expressed with individual
4+
# GitHub handles rather than organization teams.
5+
#
6+
# IMPORTANT: CODEOWNERS is a merge gate, not a reviewer directory. Do not add
7+
# delegated reviewers here unless they are allowed to satisfy the binding
8+
# code-owner approval requirement. Add advisory area reviewers to
9+
# MAINTAINERS.md first.
10+
11+
# Default owner gate: every pull request must cross the project owner's desk.
12+
* @DeusData
13+
14+
# Security-sensitive and authority-sensitive surfaces.
15+
/.github/ @DeusData
16+
/scripts/ @DeusData
17+
/Makefile.cbm @DeusData
18+
/SECURITY.md @DeusData
19+
/docs/SECURITY-DISCLOSURE.md @DeusData
20+
/CONTRIBUTING.md @DeusData
21+
/CODE_OF_CONDUCT.md @DeusData
22+
/DCO @DeusData
23+
/LICENSE @DeusData
24+
/MAINTAINERS.md @DeusData
25+
26+
# Release and distribution surfaces.
27+
/pkg/ @DeusData
28+
/install.sh @DeusData
29+
/install.ps1 @DeusData
30+
/server.json @DeusData
31+
/glama.json @DeusData
32+
/flake.nix @DeusData
33+
/flake.lock @DeusData
34+
/THIRD_PARTY.md @DeusData
35+
/vendored/ @DeusData
36+
/internal/cbm/vendored/ @DeusData
37+
38+
# Core product surfaces.
39+
/src/foundation/ @DeusData
40+
/src/store/ @DeusData
41+
/src/cypher/ @DeusData
42+
/src/graph_buffer/ @DeusData
43+
/src/mcp/ @DeusData
44+
/src/cli/ @DeusData
45+
/src/discover/ @DeusData
46+
/src/watcher/ @DeusData
47+
/src/pipeline/ @DeusData
48+
/src/git/ @DeusData
49+
/src/semantic/ @DeusData
50+
/src/simhash/ @DeusData
51+
/src/traces/ @DeusData
52+
/src/ui/ @DeusData
53+
54+
# Extraction, language support, and graph UI.
55+
/internal/cbm/ @DeusData
56+
/tools/ @DeusData
57+
/graph-ui/ @DeusData
58+
59+
# Test and reproduction infrastructure.
60+
/tests/ @DeusData
61+
/test-infrastructure/ @DeusData

MAINTAINERS.md

Lines changed: 100 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,100 @@
1+
# Maintainers
2+
3+
This document separates advisory review responsibility from binding merge
4+
authority.
5+
6+
codebase-memory-mcp is currently a user-owned repository. Because GitHub teams
7+
are not available here, all delegated ownership is expressed with individual
8+
GitHub handles.
9+
10+
## Authority Model
11+
12+
| Role | Scope | Authority |
13+
| --- | --- | --- |
14+
| Project owner | Entire repository | Final roadmap, security, release, workflow, and merge authority. |
15+
| Release operator | Dry-run and release preparation | May prepare release notes, run checklists, and request dry runs when explicitly delegated. May not publish without owner approval. |
16+
| Area reviewer | One technical area | May review, test, reproduce, and recommend merge for that area. Approval is advisory until the project owner approves. |
17+
| Triage collaborator | Issues and discussions | May label, deduplicate, reproduce, and request information. No merge or release authority. |
18+
19+
The binding rule is intentionally simple: all pull requests require
20+
`@DeusData` approval before merge. `MAINTAINERS.md` routes review; it does not
21+
override `.github/CODEOWNERS`.
22+
23+
## Project Owner
24+
25+
| Handle | Responsibilities |
26+
| --- | --- |
27+
| `@DeusData` | Final authority for merge decisions, releases, security handling, CI policy, repository settings, and maintainer promotion. |
28+
29+
## Area Review Map
30+
31+
Use this map to request informed review. Entries marked `TBD` are open slots
32+
for future co-maintainers.
33+
34+
| Area | Paths | Advisory reviewers | Owner gate |
35+
| --- | --- | --- | --- |
36+
| MCP protocol and tool surface | `src/mcp/`, `tests/test_mcp.c` | TBD | `@DeusData` |
37+
| CLI, install, update, editor integration | `src/cli/`, `src/git/`, `install.sh`, `install.ps1`, `tests/test_cli.c` | TBD | `@DeusData` |
38+
| Indexing pipeline and graph construction | `src/pipeline/`, `src/discover/`, `src/watcher/`, `tests/test_pipeline.c`, `tests/test_incremental.c` | TBD | `@DeusData` |
39+
| Language extraction and LSP resolution | `internal/cbm/`, `tools/`, `tests/test_*_lsp.c`, `tests/test_extraction.c`, `tests/test_grammar_*.c` | TBD | `@DeusData` |
40+
| Store, query, and graph buffers | `src/store/`, `src/cypher/`, `src/graph_buffer/`, `src/simhash/`, `src/semantic/`, `tests/test_store_*.c`, `tests/test_cypher.c` | TBD | `@DeusData` |
41+
| Foundation/runtime portability | `src/foundation/`, `vendored/`, `tests/test_*` foundation coverage | TBD | `@DeusData` |
42+
| Graph UI backend and frontend | `src/ui/`, `graph-ui/`, `tests/test_ui.c`, `tests/test_httpd.c` | TBD | `@DeusData` |
43+
| Tests, repro, smoke, and soak infrastructure | `tests/`, `tests/repro/`, `test-infrastructure/`, `scripts/test.sh`, `scripts/smoke-test.sh`, `scripts/soak-test.sh` | TBD | `@DeusData` |
44+
| Packaging and distribution | `pkg/`, `install.sh`, `install.ps1`, `server.json`, `glama.json`, `flake.nix`, `flake.lock`, `THIRD_PARTY.md`, `scripts/gen-third-party-notices.sh`, `scripts/gen-ui-licenses.py`, release archive contents | TBD | `@DeusData` |
45+
| Security and supply chain | `SECURITY.md`, `docs/SECURITY-DISCLOSURE.md`, `scripts/security-*`, `scripts/*license*`, `scripts/*allowlist*`, `.github/workflows/codeql.yml`, `.github/workflows/scorecard.yml` | `@DeusData` only initially | `@DeusData` |
46+
| CI and release operations | `.github/workflows/`, `scripts/ci/`, `Makefile.cbm` | `@DeusData` only initially | `@DeusData` |
47+
| Governance and contribution policy | `.github/CODEOWNERS`, `MAINTAINERS.md`, `CONTRIBUTING.md`, `CODE_OF_CONDUCT.md`, `DCO`, `LICENSE`, `.github/pull_request_template.md`, issue templates | `@DeusData` only initially | `@DeusData` |
48+
49+
## Operational Authority
50+
51+
Operational authority is stricter than code review authority.
52+
53+
| Operation | Current authority | Delegation rule |
54+
| --- | --- | --- |
55+
| PR validation (`pr.yml`, DCO, CodeQL) | Automatic | Anyone may trigger it by opening or updating a PR. Required checks must pass. |
56+
| Dry run (`dry-run.yml`) | `@DeusData` | May be delegated to release operators after trust is established. Dry-run delegation does not imply release authority. |
57+
| Smoke/soak/repro manual runs | `@DeusData` | May be delegated to area reviewers for diagnosis, but results are advisory. |
58+
| Release workflow (`release.yml`) | `@DeusData` only | Owner-only until a release operator is explicitly promoted. Publishing, replacing releases, and tag movement remain owner-gated. |
59+
| Package registry publishing | `@DeusData` only | Owner-only initially because registry credentials and public packages are irreversible operational surfaces. |
60+
| Security advisory handling | `@DeusData` only | Do not delegate across advisories. Keep private reports isolated. |
61+
| Workflow, ruleset, CODEOWNERS, and branch protection changes | `@DeusData` only | Owner-only because these define authority itself. |
62+
63+
Before granting a collaborator `Write` access, verify that they should be able
64+
to run manual GitHub Actions workflows in this user-owned repository. Prefer
65+
`Triage` for issue-only delegation. If `Write` becomes necessary, use protected
66+
branches, required code-owner review, and protected release environments where
67+
available so release jobs still require `@DeusData` approval.
68+
69+
## Promotion Path
70+
71+
Promotion is gradual and reversible.
72+
73+
| Stage | Requirements | Capabilities |
74+
| --- | --- | --- |
75+
| Trusted contributor | Focused PRs, clean DCO, responsive review cycles. | No elevated access. |
76+
| Triage collaborator | Consistent issue reproduction and respectful scope control. | Issue triage and review requests. |
77+
| Area reviewer | Sustained, technically accurate reviews in one area. | Advisory review listing in this file. |
78+
| Release operator | Proven reliability on dry runs, packaging, and release checklists. | May run delegated dry runs and prepare releases. |
79+
| Full maintainer | Long-term trust across code, security, release, and governance. | Only after explicit owner decision and updated policy. |
80+
81+
## High-Risk Change Rules
82+
83+
These changes always require project-owner review, even if an area reviewer
84+
approves:
85+
86+
- MCP tool behavior, tool outputs, or protocol capabilities.
87+
- New process execution, shell invocation, network access, or file access.
88+
- CI, release, package publishing, installer, or updater changes.
89+
- Vendored dependency changes, generated grammar changes, or license policy.
90+
- Security disclosure process, advisories, allowlists, and audit scripts.
91+
- Repository governance, branch protection, CODEOWNERS, or maintainer roles.
92+
93+
## Review Expectations
94+
95+
- Keep PRs scoped to one issue or one logical change.
96+
- Reproduce bugs with a failing test before fixing.
97+
- Treat area-reviewer approval as a technical recommendation, not final merge
98+
authority.
99+
- Do not self-approve high-risk changes.
100+
- Resolve conflicts of interest by asking another reviewer and the owner.

0 commit comments

Comments
 (0)