Files
wehub-resource-sync 41cb1c0170
OpenSSF Scorecard / scorecard (push) Failing after 0s
DCO / dco (push) Failing after 0s
CodeQL SAST / analyze (push) Failing after 1s
Deploy Pages / deploy (push) Failing after 1s
chore: import upstream snapshot with attribution
2026-07-13 12:28:05 +08:00

149 lines
8.8 KiB
Markdown

# Maintainers
This document defines how maintainer responsibility, review routing, and
operational authority work in this project.
codebase-memory-mcp is currently a user-owned repository. Because GitHub teams
are not available here, all delegated ownership is expressed with individual
GitHub handles.
## Authority Model
| Role | Scope | Authority in this project |
| --- | --- | --- |
| Project owner | Entire repository | Final roadmap, security, release, workflow, and merge authority. |
| Release operator | Dry-run and release preparation | Prepares release notes, runs checklists, and operates delegated dry runs. Release publication remains owner-gated. |
| Area reviewer | One technical area | Reviews, tests, reproduces, and recommends merge for that area. Approval is advisory until the project owner approves. |
| Triage collaborator | Issues and discussions | Labels, deduplicates, reproduces, and requests information. This role has no merge or release authority. |
The binding rule is intentionally simple: all pull requests require
`@DeusData` approval before merge. `MAINTAINERS.md` routes review; it does not
override `.github/CODEOWNERS`.
## Project Owner
| Handle | Responsibilities |
| --- | --- |
| `@DeusData` | Final authority for merge decisions, releases, security handling, CI policy, repository settings, and maintainer promotion. |
## Area Review Map
Review requests follow this map. Entries marked `TBD` are currently unassigned
review areas for future co-maintainers.
| Area | Paths | Advisory reviewers | Owner gate |
| --- | --- | --- | --- |
| MCP protocol and tool surface | `src/mcp/`, `tests/test_mcp.c` | TBD | `@DeusData` |
| CLI, install, update, editor integration | `src/cli/`, `src/git/`, `install.sh`, `install.ps1`, `tests/test_cli.c` | TBD | `@DeusData` |
| Indexing pipeline and graph construction | `src/pipeline/`, `src/discover/`, `src/watcher/`, `tests/test_pipeline.c`, `tests/test_incremental.c` | TBD | `@DeusData` |
| Language extraction and LSP resolution | `internal/cbm/`, `tools/`, `tests/test_*_lsp.c`, `tests/test_extraction.c`, `tests/test_grammar_*.c` | TBD | `@DeusData` |
| Store, query, and graph buffers | `src/store/`, `src/cypher/`, `src/graph_buffer/`, `src/simhash/`, `src/semantic/`, `tests/test_store_*.c`, `tests/test_cypher.c` | TBD | `@DeusData` |
| Foundation/runtime portability | `src/foundation/`, `vendored/`, `tests/test_*` foundation coverage | TBD | `@DeusData` |
| Graph UI backend and frontend | `src/ui/`, `graph-ui/`, `tests/test_ui.c`, `tests/test_httpd.c` | TBD | `@DeusData` |
| Tests, repro, smoke, and soak infrastructure | `tests/`, `tests/repro/`, `test-infrastructure/`, `scripts/test.sh`, `scripts/smoke-test.sh`, `scripts/soak-test.sh` | TBD | `@DeusData` |
| Packaging and distribution | `pkg/`, `install.sh`, `install.ps1`, `server.json`, `glama.json`, `flake.nix`, `flake.lock`, `THIRD_PARTY.md`, `scripts/gen-third-party-notices.sh`, `scripts/gen-ui-licenses.py`, release archive contents | TBD | `@DeusData` |
| Security and supply chain | `SECURITY.md`, `docs/SECURITY-DISCLOSURE.md`, `scripts/security-*`, `scripts/*license*`, `scripts/*allowlist*`, `.github/workflows/codeql.yml`, `.github/workflows/scorecard.yml` | `@DeusData` only initially | `@DeusData` |
| CI and release operations | `.github/workflows/`, `scripts/ci/`, `Makefile.cbm` | `@DeusData` only initially | `@DeusData` |
| Governance and contribution policy | `.github/CODEOWNERS`, `MAINTAINERS.md`, `CONTRIBUTING.md`, `CODE_OF_CONDUCT.md`, `DCO`, `LICENSE`, `.github/pull_request_template.md`, issue templates | `@DeusData` only initially | `@DeusData` |
## Operational Authority
Operational authority is stricter than code review authority.
| Operation | Current authority | Project rule |
| --- | --- | --- |
| PR validation (`pr.yml`, DCO, CodeQL) | Automatic | Anyone may trigger it by opening or updating a PR. Required checks must pass. |
| Dry run (`dry-run.yml`) | `@DeusData` | Delegated release operators may run dry runs after promotion. Dry-run delegation does not imply release authority. |
| Smoke/soak/repro manual runs | `@DeusData` | Area reviewers may operate these runs when delegated for diagnosis. Results are advisory. |
| Release workflow (`release.yml`) | `@DeusData` only | Owner-only until a release operator is explicitly promoted. Publishing, replacing releases, and tag movement remain owner-gated. |
| Package registry publishing | `@DeusData` only | Owner-only initially because registry credentials and public packages are irreversible operational surfaces. |
| Security advisory handling | `@DeusData` only | Do not delegate across advisories. Keep private reports isolated. |
| Workflow, ruleset, CODEOWNERS, and branch protection changes | `@DeusData` only | Owner-only because these define authority itself. |
## Release Preparation Checklist
Release preparation is a checklist-driven operation. A release is not ready
until each required gate is green or explicitly waived by the project owner in
the release notes.
- `dry-run.yml` completes successfully with the release candidate commit.
- Local performance benchmarks are run on the release operator's machine using
the release candidate binary and CLI indexing, not test-only shortcuts.
- `scripts/benchmark-index.sh` records results for the Linux kernel and for at
least one large open-source project per supported Hybrid LSP family.
- Benchmark results are compared against the previous release's benchmark logs
using the same machine class, same repository revisions, same indexing mode,
and same benchmark script when available.
- Indexing time must not materially regress compared with the previous release.
An unexplained slowdown greater than 15% on the same benchmark input is a
release blocker until investigated or explicitly owner-waived.
- Node and edge counts must not materially diverge from the previous release
unless the release intentionally changes extraction behavior. Unexpected
graph-size shifts require investigation before publishing.
- Benchmark logs, repository revisions, binary version, machine details, and
release decision are retained with the release preparation notes.
The current Hybrid LSP release benchmark matrix is:
| LSP family | Required large OSS benchmark |
| --- | --- |
| C / C++ | Linux kernel |
| Go | Kubernetes |
| Python | CPython or Django |
| TypeScript / JavaScript / JSX / TSX | TypeScript or VS Code |
| PHP | Laravel framework |
| C# | Roslyn |
| Java | Spring Framework or Elasticsearch |
| Kotlin | Kotlin compiler or Ktor |
| Rust | Rust compiler |
The matrix may be updated by PR as the project evolves, but every supported
Hybrid LSP family keeps at least one large OSS indexing benchmark before a
release is published.
Repository access follows the same authority model:
- `Triage` is the default collaborator role for issue-only delegation.
- `Write` access is reserved for collaborators whose operational access has
been approved by `@DeusData`.
- Release authority is separate from code review authority.
- Protected branches, required code-owner review, required status checks, and
protected release environments are part of the project control model where
GitHub supports them.
## Promotion Path
Promotion is gradual, explicit, and reversible.
| Stage | Requirements | Capabilities |
| --- | --- | --- |
| Trusted contributor | Focused PRs, clean DCO, responsive review cycles. | No elevated access. |
| Triage collaborator | Consistent issue reproduction and respectful scope control. | Issue triage and review requests. |
| Area reviewer | Sustained, technically accurate reviews in one area. | Advisory review listing in this file. |
| Release operator | Proven reliability on dry runs, packaging, and release checklists. | May run delegated dry runs and prepare releases. |
| Full maintainer | Long-term trust across code, security, release, and governance. | Only after explicit owner decision and updated policy. |
Maintainer promotions are recorded in this file. Binding authority changes are
recorded in `.github/CODEOWNERS` and repository settings.
## High-Risk Change Rules
These changes always require project-owner review, even if an area reviewer
approves:
- MCP tool behavior, tool outputs, or protocol capabilities.
- New process execution, shell invocation, network access, or file access.
- CI, release, package publishing, installer, or updater changes.
- Vendored dependency changes, generated grammar changes, or license policy.
- Security disclosure process, advisories, allowlists, and audit scripts.
- Repository governance, branch protection, CODEOWNERS, or maintainer roles.
## Review Expectations
- Keep PRs scoped to one issue or one logical change.
- Reproduce bugs with a failing test before fixing.
- Treat area-reviewer approval as a technical recommendation, not final merge
authority.
- Do not self-approve high-risk changes.
- Resolve conflicts of interest by asking another reviewer and the owner.