Skip to content

Complete public repository stewardship and security reporting surfaces #26

Description

@jmcte

Problem statement

The public Flow repository does not currently publish a repository license, security reporting policy, or code of conduct. This leaves legal reuse unclear and gives security reporters no repository-local channel despite Flow defining vulnerability response targets.

Desired outcome

Complete the public repository stewardship surface through the governed Bootstrap migration, with an explicit license decision and actionable security reporting instructions.

Scope

  • Select and add the approved repository license.
  • Add SECURITY.md with supported versions, private reporting route, acknowledgment/triage expectations, and disclosure policy.
  • Add a code of conduct and enforcement/contact route.
  • Ensure generated ownership records declare which stewardship files Bootstrap manages.
  • Confirm GitHub recognizes the resulting community-health files.

Non-goals

  • Publishing private contact details or credentials.
  • Changing Flow's security response clocks without a versioned policy change.
  • Applying stewardship changes fleet-wide before Flow dogfooding succeeds.

Acceptance criteria

  • A maintainer-approved LICENSE is present and detected by GitHub.
  • SECURITY.md provides a private reporting route without exposing secrets.
  • Security response timing matches the versioned Flow policy.
  • CODE_OF_CONDUCT.md and its enforcement/contact route are present.
  • Generated-file ownership and Bootstrap conformance pass.
  • GitHub's community profile recognizes the new files.

Test expectations

  • Run Bootstrap plan/golden tests and repository conformance checks.
  • Verify GitHub community-profile metadata after merge.

Security implications

The reporting route must not require public disclosure of vulnerabilities or embed a machine credential. Contact and escalation handling must be maintainable.

Documentation implications

Add links from README or CONTRIBUTING where appropriate and keep response targets sourced from the released policy.

Dependencies

Human decision points

  • License selection or change
  • Public security contact and code-of-conduct enforcement authority

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:securitySecurity, auth, secret, permission, or policy surface.autonomy:review-gatedClass 2; autonomous work allowed, review/gate required.kind:governancePolicy, flow, bootstrap, or governance work.lane:pheidonOrchestration, gate, governance, and controller action.priority:P2Codex Connector P2; blocks execution until Athena validates.review:legalNeeds legal review.state:blocked-infraBlocked by tool, auth, runner, or infrastructure failure.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions