diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index 33a4ef6..f23dec3 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md 
@@ -1,87 +1,110 @@ - -# Code of Conduct -## 1. Purpose +## Code of Conduct -The purpose of this Code of Conduct is to ensure a safe, inclusive, and respectful environment for all contributors and participants in Moko Consulting projects. This applies to all interactions, whether in repositories, issue trackers, documentation, meetings, or community spaces. +This Code of Conduct establishes expectations for behavior within the Moko-Cassiopeia project community. The objective is to maintain a professional, inclusive, and respectful environment aligned with open source governance best practices. -## 2. Our Standards +## Scope -Participants are expected to uphold behaviors that strengthen our community, including: +This Code of Conduct applies to all project spaces, including: - Demonstrating empathy and respect toward others. - Being inclusive of diverse viewpoints and backgrounds. - Gracefully accepting constructive feedback. - Prioritizing collaboration over conflict. - Showing professionalism in all interactions. +* GitHub repositories, issues, pull requests, discussions, and security advisories. +* Project documentation, workflows, and release processes. +* Any communication channels officially associated with the project. -### Unacceptable behavior includes: +## Our Standards - Harassment, discrimination, or derogatory comments. - Threatening or violent language or actions. - Disruptive, aggressive, or intentionally harmful behavior. - Publishing others’ private information without permission. - Any behavior that violates applicable laws. +Participants are expected to: -## 3. Responsibilities of Maintainers +* Communicate professionally and respectfully. +* Provide constructive feedback focused on technical merit and project objectives. +* Respect differing viewpoints, experience levels, and backgrounds. +* Follow documented contribution, security, and governance policies. 
-Maintainers are responsible for: +Unacceptable behavior includes: - Clarifying acceptable behavior. - Taking appropriate corrective action when unacceptable behavior occurs. - Removing, editing, or rejecting contributions that violate this Code. - Temporarily or permanently banning contributors who engage in repeated or severe violations. +* Harassment, discrimination, or exclusionary conduct. +* Personal attacks, insults, or inflammatory comments. +* Publishing private information without consent. +* Disruptive behavior that materially interferes with project operations. -## 4. Scope +## Enforcement Responsibilities -This Code applies to: +Project maintainers are responsible for: - All Moko Consulting repositories. - All documentation and collaboration platforms. - Public and private communication related to project activities. - Any representation of Moko Consulting in online or offline spaces. +* Clarifying standards when questions arise. +* Taking appropriate and proportionate corrective action when violations occur. +* Maintaining confidentiality to the extent practical during investigations. -## 5. Enforcement +## Reporting -Instances of misconduct may be reported to: -**[hello@mokoconsulting.tech](mailto:hello@mokoconsulting.tech)** +Instances of abusive, harassing, or otherwise unacceptable behavior may be reported through: -All reports will be reviewed and investigated promptly and fairly. Maintainers are obligated to maintain confidentiality where possible. +* Email: `hello@mokoconsulting.tech` with subject `CODE OF CONDUCT: Moko-Cassiopeia`. -Consequences may include: +Reports should include relevant context, links, screenshots, or other supporting information. - A warning. - Required training or mediation. - Temporary or permanent bans. - Escalation to legal authorities when required. +## Enforcement Guidelines -## 6. 
Acknowledgements +Corrective actions may include, but are not limited to: -This Code of Conduct is inspired by widely adopted community guidelines, including the Contributor Covenant and major open-source collaboration standards. +* Private warning or request for corrective action. +* Temporary or permanent restriction from project participation. +* Removal of content that violates this Code of Conduct. -## 7. Related Documents +Decisions are made based on impact, severity, and pattern of behavior. - [Governance Guide](./docs-governance.md) - [Contributor Guide](./docs-contributing.md) - [Documentation Index](./docs-index.md) +## No Retaliation -This Code of Conduct is a living document and may be updated following the established Change Management process. +Retaliation against individuals who report concerns in good faith is not tolerated. Any retaliatory behavior will be treated as a separate violation. + +## Jurisdiction + +This project is managed from Tennessee, USA. This statement is informational and does not constitute legal advice. + +--- + +## Metadata + +* **Document:** CODE_OF_CONDUCT.md +* **Repository:** [https://github.com/mokoconsulting-tech/moko-cassiopeia](https://github.com/mokoconsulting-tech/moko-cassiopeia) +* **Path:** /CODE_OF_CONDUCT.md +* **Owner:** Moko Consulting +* **Version:** 03.05.00 +* **Status:** Active +* **Effective Date:** 2025-12-18 +* **Last Reviewed:** 2025-12-18 + +## Revision History + +| Date | Change Summary | Author | +| ---------- | ----------------------------------------------------------------------------- | --------------- | +| 2025-12-18 | Initial publication of contributor conduct standards and enforcement process. | Moko Consulting | diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d379419..281a25d 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -3,27 +3,138 @@ This file is part of a Moko Consulting project. - SPDX-LICENSE-IDENTIFIER: GPL-3.0-or-later + SPDX-License-Identifier: GPL-3.0-or-later - This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. - This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the IMPLIED WARRANTY of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. - You should have received a copy of the GNU General Public License (./LICENSE). + You should have received a copy of the GNU General Public License (./LICENSE.md). # FILE INFORMATION - DEFGROUP: Joomla.Template.Site - INGROUP: Moko-Cassiopeia.Documentation + DEFGROUP: Joomla.Template + INGROUP: Moko-Cassiopeia.Governance REPO: https://github.com/mokoconsulting-tech/moko-cassiopeia + FILE: CONTRIBUTING.md VERSION: 03.05.00 - PATH: ./CONTRIBUTING.md - BRIEF: How to contribute; commit, PR, testing and security policies - --> + BRIEF: Contribution guidelines for the Moko-Cassiopeia project. + PATH: /CONTRIBUTING.md + NOTE: This document defines contribution workflow, standards, and governance alignment. +--> -# Contributing +## Contributing -1. Fork and branch: feat/ or fix/* -2. Conventional Commits; sign off using DCO line -3. 
Open a PR with tests/docs and linked issues +This document defines how to contribute to the Moko-Cassiopeia project. The goal is to ensure changes are reviewable, auditable, and aligned with project governance and release processes. -**Types**: build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test +## Scope + +These guidelines apply to all contributions, including: + +* Source code changes +* Documentation updates +* Workflow and automation changes +* Bug reports and enhancement proposals + +## Prerequisites + +Contributors are expected to: + +* Have a working understanding of Joomla template structure. +* Be familiar with Git and GitHub pull request workflows. +* Review repository governance documents prior to submitting changes. + +## Contribution Workflow + +1. Fork the repository. +2. Create a branch from the active development branch. +3. Make focused, minimal changes that address a single concern. +4. Ensure changes pass existing CI checks. +5. Submit a pull request with a clear description of intent and impact. + +Direct commits to protected branches are not permitted. + +## Branching and Versioning + +* Development work occurs on designated development branches. +* Releases are produced from versioned branches following repository standards. +* Contributors should not bump version numbers unless explicitly requested. + +## Coding and Formatting Standards + +All contributions must: + +* Follow Joomla coding standards where applicable. +* Conform to Moko Consulting repository standards for headers, metadata, and file structure. +* Avoid introducing tabs, inconsistent path separators, or non portable assumptions. + +Automated checks may reject changes that do not meet these requirements. + +## Documentation Standards + +Documentation changes must: + +* Include required metadata and revision history sections. +* Avoid embedding version numbers in revision history tables. +* Preserve existing structure unless a structural change is explicitly proposed. 
+ +## Commit Messages + +Commit messages should: + +* Be concise and descriptive. +* Focus on what changed and why. +* Avoid referencing internal issue trackers unless required. + +## Reporting Issues + +Bug reports and enhancement requests should be filed as GitHub issues and include: + +* Clear reproduction steps or use cases. +* Expected versus actual behavior. +* Relevant environment details. + +Security related issues must follow the process defined in SECURITY.md and must not be reported publicly. + +## Review Process + +All pull requests are subject to review. Review criteria include: + +* Technical correctness +* Alignment with project goals +* Maintainability and clarity +* Risk introduced to release and update processes + +Maintainers may request changes prior to approval. + +## License + +By contributing, you agree that your contributions will be licensed under GPL-3.0-or-later, consistent with the rest of the project. + +## Code of Conduct + +Participation in this project is governed by the Code of Conduct. Unacceptable behavior may result in contribution restrictions. + +--- + +## Metadata + +* **Document:** CONTRIBUTING.md +* **Repository:** [https://github.com/mokoconsulting-tech/moko-cassiopeia](https://github.com/mokoconsulting-tech/moko-cassiopeia) +* **Path:** /CONTRIBUTING.md +* **Owner:** Moko Consulting +* **Version:** 03.05.00 +* **Status:** Active +* **Effective Date:** 2025-12-18 +* **Last Reviewed:** 2025-12-18 + +## Revision History + +| Date | Change Summary | Author | +| ---------- | ------------------------------------------------------------------------- | --------------- | +| 2025-12-18 | Initial publication of contribution guidelines and workflow expectations. | Moko Consulting | diff --git a/GOVERNANCE.md b/GOVERNANCE.md index e663810..b18f99d 100644 --- a/GOVERNANCE.md +++ b/GOVERNANCE.md 
@@ -15,236 +15,113 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - You should have received a copy of the GNU General Public License - along with this program. If not, see . + You should have received a copy of the GNU General Public License (./LICENSE.md). # FILE INFORMATION - DEFGROUP: Joomla.Template.Site - INGROUP: Moko-Cassiopeia.Documentation + DEFGROUP: Joomla.Template + INGROUP: Moko-Cassiopeia.Governance REPO: https://github.com/mokoconsulting-tech/moko-cassiopeia - FILE: ./GOVERNANCE.md + FILE: GOVERNANCE.md VERSION: 03.05.00 - BRIEF: Governance for Moko-Cassiopeia template + BRIEF: Project governance model, roles, and decision processes for Moko-Cassiopeia. + PATH: /GOVERNANCE.md + NOTE: This document defines authority, decision making, and escalation paths. --> +## Governance Overview -# Governance Document Set +This document defines the governance framework for the Moko-Cassiopeia project. The objective is to ensure clear ownership, predictable decision making, and accountable stewardship across development, releases, and community interaction. -This document contains the canonical governance markdown files required for enterprise-grade open source project management within the Moko ecosystem. Each section represents an individual file. +## Project Ownership ---- +Moko-Cassiopeia is owned and maintained by **Moko Consulting**. Final authority for project direction, releases, and policy enforcement resides with the project owner. -## FILE: GOVERNANCE.md +## Roles and Responsibilities -# Governance +### Maintainers -This document defines the governance framework for this repository. It establishes authority, decision-making processes, escalation paths, and accountability mechanisms. +Maintainers are responsible for: -### Governance Model +* Setting technical direction and release priorities. +* Reviewing and approving pull requests. +* Managing releases and distribution artifacts. 
+* Enforcing repository policies, including security and conduct requirements. -This repository operates under a maintainer-led governance model. +### Contributors -Final authority resides with the designated Maintainers, who are responsible for technical direction, compliance, and release approval. +Contributors may: -### Roles and Responsibilities +* Submit pull requests and issues. +* Propose enhancements and report defects. +* Participate in technical discussions. -**Maintainers** -- Approve releases and version tags -- Enforce coding, documentation, and licensing standards -- Resolve disputes and merge conflicts -- Ensure audit and compliance readiness +Contributors do not have merge authority unless explicitly granted. -**Contributors** -- Submit changes via pull requests -- Adhere to all defined standards and workflows -- Respond to review feedback in a timely manner +## Decision Making -### Decision Making +Decisions are made using a maintainers led model: -Decisions are made through documented pull requests and issues. -All material decisions must be traceable via Git history. +* Routine changes are approved through pull request review. +* Material changes affecting architecture, branding, licensing, or release processes require maintainer consensus. +* The project owner retains final decision authority if consensus cannot be reached. -### Amendments +## Change Management -Changes to governance require Maintainer approval and must be recorded in the CHANGELOG. +Significant changes should: ---- +* Be documented through issues or pull requests with clear rationale. +* Consider backward compatibility and upgrade impact. +* Include documentation updates when behavior or usage changes. -## FILE: CODE_OF_CONDUCT.md +## Release Authority -# Code of Conduct +Only maintainers may: -This project adheres to a professional, inclusive, and respectful code of conduct. +* Cut releases and publish artifacts. +* Update version numbers and manifests. 
+* Publish update metadata or advisories. -### Expected Behavior +Release processes follow documented workflows and automation standards. -- Professional and respectful communication -- Constructive feedback -- Focus on technical merit and documented standards +## Security Governance -### Unacceptable Behavior +Security issues are governed by the SECURITY.md policy. Maintainers are responsible for confidential handling, coordinated disclosure, and publication of advisories when appropriate. -- Harassment or discrimination -- Hostile or abusive language -- Disruptive behavior in issues or pull requests +## Conduct Enforcement -### Enforcement +Behavior within the project is governed by CODE_OF_CONDUCT.md. Maintainers are responsible for enforcement actions and escalation handling. -Maintainers are responsible for enforcement. -Violations may result in warnings, suspension, or removal. +## Conflict Resolution ---- +Conflicts are handled through: -## FILE: CONTRIBUTING.md +* Direct discussion between involved parties when appropriate. +* Maintainer mediation when necessary. +* Final determination by the project owner if required. -# Contributing +## External Dependencies -This document defines the contribution workflow and compliance requirements. +The project depends on Joomla core and other third party components. Governance of upstream projects remains outside the scope of this repository, but upstream changes may influence project decisions. -### Contribution Requirements +## Jurisdiction -- All changes must be submitted via pull request -- All CI checks must pass -- SPDX headers and FILE INFORMATION blocks are mandatory where applicable -- Documentation changes must include Metadata and Revision History sections - -### Commit Standards - -Commits must be atomic, descriptive, and traceable to an issue or change request. 
- -### Review Process - -- Maintainer review is required -- CI validation is mandatory -- Approval is required before merge - ---- - -## FILE: SECURITY.md - -# Security Policy - -This document defines the security posture and reporting process. - -### Supported Versions - -Only the latest released version and active development branches are supported. - -### Reporting Vulnerabilities - -Security issues must be reported privately to the Maintainers. -Public disclosure prior to resolution is prohibited. - -### Response Process - -- Acknowledge receipt within a reasonable timeframe -- Assess severity and impact -- Issue patches or mitigations as required - ---- - -## FILE: COMPLIANCE.md - -# Compliance - -This repository is designed to support audit and compliance requirements. - -### Licensing - -All code must comply with GPL-3.0-or-later licensing requirements. -SPDX identifiers are mandatory. - -### Documentation Compliance - -- Mandatory Metadata sections -- Mandatory Revision History sections -- Version traceability across manifests, changelogs, and releases - -### CI Enforcement - -Automated workflows enforce: -- Path consistency -- Formatting rules -- Manifest validation -- Changelog governance - ---- - -## FILE: RISK_REGISTER.md - -# Risk Register - -This document tracks identified risks and mitigation strategies. - -### Risk Categories - -- Technical debt -- Security vulnerabilities -- Compliance drift -- Dependency instability - -### Management - -Risks are reviewed during release cycles. -Mitigations must be documented and traceable. - ---- - -## FILE: CHANGE_MANAGEMENT.md - -# Change Management - -This document defines how changes are introduced, reviewed, and released. - -### Change Types - -- Patch -- Minor -- Major - -### Process - -- Documented pull request -- CI validation -- Version bump and changelog update -- Maintainer approval - -### Traceability - -All changes must be traceable through Git history and release artifacts. 
- ---- - -## FILE: GOVERNANCE_INDEX.md - -# Governance Index - -This file serves as the authoritative index of governance artifacts. - -### Governance Documents - -- GOVERNANCE.md -- CODE_OF_CONDUCT.md -- CONTRIBUTING.md -- SECURITY.md -- COMPLIANCE.md -- RISK_REGISTER.md -- CHANGE_MANAGEMENT.md +This project is managed from Tennessee, USA. This statement is informational and does not constitute legal advice. --- ## Metadata -- DEFGROUP: MokoStandards -- INGROUP: Governance -- REPO: https://github.com/mokoconsulting-tech -- JURISDICTION: Tennessee, United States -- LICENSE: GPL-3.0-or-later - ---- +* **Document:** GOVERNANCE.md +* **Repository:** [https://github.com/mokoconsulting-tech/moko-cassiopeia](https://github.com/mokoconsulting-tech/moko-cassiopeia) +* **Path:** /GOVERNANCE.md +* **Owner:** Moko Consulting +* **Version:** 03.05.00 +* **Status:** Active +* **Effective Date:** 2025-12-18 +* **Last Reviewed:** 2025-12-18 ## Revision History -| Version | Date | Description | -|--------:|------------|---------------------------------| -| 01.00.00 | 2025-12-18 | Initial governance document set | +| Date | Change Summary | Author | +| ---------- | ----------------------------------------------------------------------- | --------------- | +| 2025-12-18 | Initial publication of governance model, roles, and decision processes. | Moko Consulting | diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..74e69fb --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,177 @@ + + +## Security Policy + +This document defines how Moko-Cassiopeia handles vulnerability intake, triage, remediation, and disclosure. The objective is to reduce risk, protect downstream users, and preserve operational continuity with a verifiable audit trail. + +## Scope + +This policy applies to: + +* Repository source code, workflows, scripts, and build artifacts. +* Release packaging (ZIP outputs) generated from the repository. +* Configuration and metadata used for distribution (for example manifests and update metadata). + +Out of scope: + +* Vulnerabilities in upstream Joomla core, third party extensions, or external infrastructure not controlled by this repository. +* Issues that require physical access to a host, compromised administrator credentials, or a compromised hosting provider, unless the repository materially increases impact. + +## Supported Versions + +Security fixes are prioritized for: + +* The latest released version. +* The current development line when it is actively used for release engineering. + +Backports may be provided based on impact, deployment footprint, and engineering capacity. + +## Reporting a Vulnerability + +Use one of the following channels: + +* GitHub Security Advisories (preferred): use the repository security tab to submit a private report. +* Email: send details to `hello@mokoconsulting.tech` with subject `SECURITY: Moko-Cassiopeia vulnerability report`. + +Do not file a public GitHub issue for suspected security vulnerabilities. + +### What to include + +Provide enough detail to reproduce and triage: + +* A clear description of the vulnerability and expected impact. +* A minimal proof of concept or reproduction steps. +* Affected versions, configuration assumptions, and environment details. +* Any proposed mitigation or patch. +* Your preferred contact details for follow up. 
+ +## Triage and Response Targets + +The project operates with response targets aligned to practical delivery realities: + +* **Acknowledgement:** within 3 business days. +* **Initial triage:** within 10 business days. +* **Fix plan:** communicated once severity is confirmed. + +These targets are not guarantees. Complex issues, supply chain considerations, and coordination with upstream vendors may extend timelines. + +## Severity Assessment + +Issues are triaged based on business impact and technical exploitability, including: + +* Remote exploitability and required privileges. +* Data confidentiality, integrity, and availability impact. +* Likelihood of exploitation in typical Joomla deployments. +* Exposure surface (public endpoints, administrator area, installation flows, and update mechanisms). + +When appropriate, industry standard scoring such as CVSS may be used for internal prioritization. + +## Coordinated Disclosure + +The project follows coordinated vulnerability disclosure: + +* Reports are treated as confidential until remediation is available. +* A public advisory may be published once a fix is released. +* A reasonable embargo period is expected to enable patch distribution. + +If you believe disclosure is time sensitive due to active exploitation, include that assessment and any supporting indicators. + +## Security Updates and Advisories + +Security updates are distributed through: + +* GitHub releases for the repository. +* GitHub Security Advisories when applicable. + +Advisories may include: + +* Affected versions and fixed versions. +* Mitigations and workarounds when a fix is not immediately available. +* Upgrade guidance. + +## Dependencies and Supply Chain Controls + +The project aims to manage supply chain risk through: + +* Pinning and review of workflow dependencies where feasible. +* Minimizing privileged GitHub token permissions. +* Validating build inputs prior to packaging releases. 
+ +If you identify a supply chain issue (for example compromised action, dependency confusion, or malicious upstream artifact), report it as a vulnerability. + +## Secure Development and CI Expectations + +Security posture is reinforced through operational controls: + +* CI validation for packaging inputs and manifest integrity. +* Consistent path normalization and whitespace hygiene checks where required for release correctness. +* Least privilege for GitHub Actions permissions. + +This policy does not guarantee that all vulnerabilities will be prevented. It defines how risk is managed when issues are discovered. + +## Safe Harbor + +The project supports good faith security research. When you: + +* Avoid privacy violations, data destruction, and service disruption. +* Limit testing to systems you own or have explicit permission to test. +* Provide a reasonable window for coordinated disclosure. + +Then the project will treat your report as a constructive security contribution. + +Jurisdiction note: this repository is managed from Tennessee, USA. This note is informational only and does not constitute legal advice. + +## Public Communications + +Only maintainers will publish security advisories or public statements for confirmed vulnerabilities. Public communication will focus on actionable remediation and operational risk reduction. + +## Acknowledgements + +If you want credit, include the name or handle to list in an advisory. If you prefer anonymity, state that explicitly. 
+ +--- + +## Metadata + +* **Document:** SECURITY.md +* **Repository:** [https://github.com/mokoconsulting-tech/moko-cassiopeia](https://github.com/mokoconsulting-tech/moko-cassiopeia) +* **Path:** /SECURITY.md +* **Owner:** Moko Consulting +* **Version:** 03.05.00 +* **Status:** Active +* **Effective Date:** 2025-12-18 +* **Last Reviewed:** 2025-12-18 + +## Revision History + +| Date | Change Summary | Author | +| ---------- | ------------------------------------------------------------------------------------------------ | --------------- | +| 2025-12-18 | Initial publication of security policy, intake channels, triage targets, and disclosure process. | Moko Consulting |
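Review bot: In the CODE_OF_CONDUCT.md hunk, the rewrite drops the "Related Documents" links and the sentence tying updates to the established Change Management process, as well as the Contributor Covenant acknowledgement; the new "Enforcement" and "Reporting" sections still follow that structure, so keep a short acknowledgement line and cross-link GOVERNANCE.md and CONTRIBUTING.md so readers can find the policies the conduct rules refer to. The "Reporting" section also lists email as the only channel and gives no path for a report that concerns a maintainer; consider naming the project owner as the escalation contact for that case, mirroring the "Conflict Resolution" section in GOVERNANCE.md.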
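Review bot: In the CONTRIBUTING.md hunk, the DCO sign-off requirement and the Conventional Commits type list are removed and the new "Commit Messages" section puts nothing in their place, so the per-commit contributor attestation that backed the "reviewable, auditable" goal stated in the introduction is lost; add a bullet such as "Sign off each commit with a `Signed-off-by:` line (DCO)" and, if the type prefixes are still expected by CI or changelog tooling, keep the `build|chore|ci|docs|feat|fix|...` list. Also confirm the license path change from `./LICENSE` to `./LICENSE.md` matches a file actually present in the repository, since this patch does not show that rename, and hyphenate "non portable" in the formatting standards bullet.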
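Review bot: In the GOVERNANCE.md hunk, the deleted "Governance Document Set" carried the COMPLIANCE, RISK_REGISTER, CHANGE_MANAGEMENT and GOVERNANCE_INDEX sections, but no files with that content are added elsewhere in this patch, so the mandatory SPDX header rule, the CI enforcement list (path consistency, manifest validation, changelog governance) and the risk register no longer have a home; either add those documents in this change or state in the new "Change Management" section where they now live. Minor wording: "maintainers led model" should read "maintainer-led model".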
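Review bot: In the SECURITY.md hunk, the file as shown opens with blank lines and no SPDX / FILE INFORMATION header block, unlike CONTRIBUTING.md and GOVERNANCE.md in the same patch, which CONTRIBUTING.md now requires for repository files; confirm the header is present and add it if not. For the email intake channel, the policy promises confidential handling but offers no way to encrypt a report; publish a PGP key fingerprint alongside `hello@mokoconsulting.tech` or state that the GitHub private advisory form is the channel to use for sensitive details. The "Safe Harbor" passage is also a sentence fragment ("When you: ... Then the project will ..."); rewording it as "The project treats reports as constructive security contributions when the reporter ..." reads cleanly.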