chore: prepare for OSS release (CONTRIBUTING, SECURITY, COC, templates)#2
Merged
Conversation
This is the housekeeping pass before going public. A separate audit (stored privately at ~/.roundhouse/workspace/loki-permissions-private/OSS_PREP_FINDINGS.md) found no PII, no AWS-internal references, no private URLs, no proprietary terms in the repo — only documented placeholder account IDs (123456789012) and placeholder ARNs.

Adds standard public-repo conventions:

- CONTRIBUTING.md — contribution guide framed around the repo's opinionated threat model
- SECURITY.md — private vuln disclosure (security@inceptionstack.dev), scoped to what counts as a real bypass vs noise
- CODE_OF_CONDUCT.md — Contributor Covenant 2.1
- .github/ISSUE_TEMPLATE/bug_report.yml — deployment-path-aware bug form
- .github/ISSUE_TEMPLATE/feature_request.yml — with threat-model fit gate
- .github/PULL_REQUEST_TEMPLATE.md — with JSON↔Terraform parity checklist

No code or policy changes — docs and templates only. Per Roy's instruction: this PR is for review, not merge.
Pre-public-release housekeeping. Do not merge until you've reviewed the audit summary and confirmed the policy on emails/contact addresses.
Audit summary
A separate audit (kept private at ~/.roundhouse/workspace/loki-permissions-private/OSS_PREP_FINDINGS.md, deliberately NOT in this repo) scanned for: @amazon.com, @amzn.com, Isengard, Midway, Conduit, Brazil, paste/sim/tt/wiki.amazon

Result: Repo is clean. No PII, no AWS-internal references, no private URLs, no proprietary terms. All AWS placeholders use the documented example account ID 123456789012. Only public refs in README are openclaw/openclaw (public OSS) and self-reference inceptionstack/loki-permissions.

What this PR adds

Standard public-repo conventions only — no policy or code changes:

- CONTRIBUTING.md — contribution guide framed around the threat model; explicitly calls out the JSON↔Terraform dual-update rule and scripts/check_parity.py lint flow; service list (cloudtrail/config/guardduty/securityhub/s3/kms) for new deny additions
- SECURITY.md — private vuln disclosure (security@inceptionstack.dev); scoped to what counts as a real bypass (e.g., DenySelfEscalation bypass, scope widening, JSON↔TF drift) vs noise
- CODE_OF_CONDUCT.md — Contributor Covenant 2.1 (conduct@inceptionstack.dev)
- .github/ISSUE_TEMPLATE/bug_report.yml — deployment-path-aware (CLI vs Terraform)
- .github/ISSUE_TEMPLATE/feature_request.yml — with explicit threat-model fit checkbox
- .github/PULL_REQUEST_TEMPLATE.md — with parity-check + dual-update reminder

Action items before going public

- security@inceptionstack.dev and conduct@inceptionstack.dev are routable inboxes (DNS / forwarding set up)
- OSS_PREP_FINDINGS.md in private workspace or delete it (audit log; useful as decision record)

Per Roy's instruction
This PR is for review only — do not merge. Once you've signed off on the contact addresses and any wording changes, you can merge it manually.
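The JSON↔Terraform parity check that the PR description treats as a security control (drift between the two is listed as a real finding in SECURITY.md) is illustrated below as an added example. This is not the project's `scripts/check_parity.py` and makes no claim about how that script works. It assumes both sides are available as IAM policy JSON: the committed JSON file and the Terraform-rendered document (for instance the output of `jsonencode()` captured from a plan). Terraform rendering legitimately changes key order, turns single strings into one-element lists and reorders list members, so the checker canonicalizes those before comparing and reports only what is left as drift. The sample policies, Sids, actions and the account ID are constructed for the example.

```python
"""Hypothetical JSON<->Terraform IAM policy parity check (added example).

Not the project's scripts/check_parity.py. Assumes the hand-written JSON
policy and the Terraform-rendered policy are both plain IAM policy documents.
"""
import json
import sys
from typing import Any

# Constructed sample: the JSON policy as committed to the repo.
JSON_POLICY = r'''{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySelfEscalation",
      "Effect": "Deny",
      "Action": ["iam:AttachRolePolicy", "iam:PutRolePolicy"],
      "Resource": "arn:aws:iam::123456789012:role/loki-*"
    },
    {
      "Sid": "DenyCloudTrailTamper",
      "Effect": "Deny",
      "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
      "Resource": "*"
    }
  ]
}'''

# Constructed sample: the "same" policy as rendered by Terraform's jsonencode().
# Keys are reordered, Resource became a one-element list and Actions are sorted;
# none of that is drift. But iam:AttachRolePolicy has been dropped from the
# self-escalation deny, which silently widens what the policy permits.
TF_POLICY = r'''{"Statement":[{"Action":["cloudtrail:DeleteTrail","cloudtrail:StopLogging"],"Effect":"Deny","Resource":"*","Sid":"DenyCloudTrailTamper"},{"Action":["iam:PutRolePolicy"],"Effect":"Deny","Resource":["arn:aws:iam::123456789012:role/loki-*"],"Sid":"DenySelfEscalation"}],"Version":"2012-10-17"}'''

# IAM fields that may be either a single string or a list of strings.
LIST_FIELDS = ("Action", "NotAction", "Resource", "NotResource")


def _as_sorted_list(value: Any) -> list:
    """Canonical form for string-or-list fields: always a sorted list."""
    if isinstance(value, str):
        return [value]
    return sorted(value)


def normalize(doc: dict) -> dict:
    """Map Sid -> canonical statement, so statement order does not matter.

    Statements without a Sid get a positional placeholder key; Condition blocks
    are left as dicts, which compare equal regardless of key order.
    """
    statements = doc["Statement"]
    if isinstance(statements, dict):  # IAM allows a bare statement object
        statements = [statements]
    out = {}
    for idx, stmt in enumerate(statements):
        norm = {k: (_as_sorted_list(v) if k in LIST_FIELDS else v) for k, v in stmt.items()}
        out[norm.get("Sid", f"<no-sid-{idx}>")] = norm
    return out


def find_drift(json_text: str, tf_text: str) -> list:
    """Return human-readable drift findings; an empty list means parity holds."""
    a = normalize(json.loads(json_text))
    b = normalize(json.loads(tf_text))
    findings = []
    for sid in sorted(a.keys() - b.keys()):
        findings.append(f"{sid}: present in JSON, missing from Terraform")
    for sid in sorted(b.keys() - a.keys()):
        findings.append(f"{sid}: present in Terraform, missing from JSON")
    for sid in sorted(a.keys() & b.keys()):
        for field in sorted(a[sid].keys() | b[sid].keys()):
            if a[sid].get(field) != b[sid].get(field):
                findings.append(
                    f"{sid}.{field}: JSON={a[sid].get(field)!r} TF={b[sid].get(field)!r}"
                )
    return findings


if __name__ == "__main__":
    drift = find_drift(JSON_POLICY, TF_POLICY)
    for line in drift:
        print("DRIFT:", line)
    sys.exit(1 if drift else 0)
```

Run stand-alone it exits non-zero with a single finding on `DenySelfEscalation.Action`, which is exactly the class of silent scope widening the SECURITY.md scope is meant to catch; the cosmetic rendering differences produce no output. Wiring a check like this into the PR template's parity step turns the dual-update rule from a reminder into a gate.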