Problem statement
The public Flow repository does not currently publish a repository license, security reporting policy, or code of conduct. This leaves legal reuse unclear and gives security reporters no repository-local channel despite Flow defining vulnerability response targets.
Desired outcome
Complete the public repository stewardship surface through the governed Bootstrap migration, with an explicit license decision and actionable security reporting instructions.
Scope
- Select and add the approved repository license.
- Add
SECURITY.md with supported versions, private reporting route, acknowledgment/triage expectations, and disclosure policy.
- Add a code of conduct and enforcement/contact route.
- Ensure generated ownership records declare which stewardship files Bootstrap manages.
- Confirm GitHub recognizes the resulting community-health files.
Non-goals
- Publishing private contact details or credentials.
- Changing Flow's security response clocks without a versioned policy change.
- Applying stewardship changes fleet-wide before Flow dogfooding succeeds.
Acceptance criteria
Test expectations
- Run Bootstrap plan/golden tests and repository conformance checks.
- Verify GitHub community-profile metadata after merge.
Security implications
The reporting route must not require public disclosure of vulnerabilities or embed a machine credential. Contact and escalation handling must be maintainable.
Documentation implications
Add links from README or CONTRIBUTING where appropriate and keep response targets sourced from the released policy.
Dependencies
Human decision points
- License selection or change
- Public security contact and code-of-conduct enforcement authority
Problem statement
The public Flow repository does not currently publish a repository license, security reporting policy, or code of conduct. This leaves legal reuse unclear and gives security reporters no repository-local channel despite Flow defining vulnerability response targets.
Desired outcome
Complete the public repository stewardship surface through the governed Bootstrap migration, with an explicit license decision and actionable security reporting instructions.
Scope
SECURITY.mdwith supported versions, private reporting route, acknowledgment/triage expectations, and disclosure policy.Non-goals
Acceptance criteria
LICENSEis present and detected by GitHub.SECURITY.mdprovides a private reporting route without exposing secrets.CODE_OF_CONDUCT.mdand its enforcement/contact route are present.Test expectations
Security implications
The reporting route must not require public disclosure of vulnerabilities or embed a machine credential. Contact and escalation handling must be maintainable.
Documentation implications
Add links from README or CONTRIBUTING where appropriate and keep response targets sourced from the released policy.
Dependencies
Human decision points