This is an automated email from the ASF dual-hosted git repository.

orpiske pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-spring-boot.git

commit 1c268d382d83b524c47e0b82d88d165b53191efd
Author: Otavio Rodolfo Piske <[email protected]>
AuthorDate: Thu Jun 25 15:49:52 2026 +0200

    Add OSS Helper project rules for AI-assisted contributions
    
    Add .oss-ai-helper-rules/ directory with project-specific rules
    (project info, guidelines, standards, and security) for use with the
    OSS Helper toolset. These files provide AI coding assistants with
    project-specific context so that AI-assisted contributions follow the
    same standards as manual ones.
---
 .oss-ai-helper-rules/project-guidelines.md | 18 +++++++++++++++
 .oss-ai-helper-rules/project-info.md       | 15 +++++++++++++
 .oss-ai-helper-rules/project-security.md   | 35 ++++++++++++++++++++++++++++++
 .oss-ai-helper-rules/project-standards.md  | 16 ++++++++++++++
 4 files changed, 84 insertions(+)

diff --git a/.oss-ai-helper-rules/project-guidelines.md 
b/.oss-ai-helper-rules/project-guidelines.md
new file mode 100644
index 00000000000..6d57937e99f
--- /dev/null
+++ b/.oss-ai-helper-rules/project-guidelines.md
@@ -0,0 +1,18 @@
+# Project Guidelines
+
+This rule file contains branching, commit, PR, and task-finding conventions 
for the project. Commands read this file to determine how to name branches, 
format commits, and search for tasks.
+
+- **Fix branch:** `fix/<ISSUE_ID>`
+- **Feature branch:** `feature/<ISSUE_ID>-<short-slug>`
+- **Bugfix branch:** `bugfix/<ISSUE_ID>`
+- **Quick-fix branch:** `quick-fix/<short-slug>`
+- **Commit format (fix):** `<ISSUE_ID>: <brief description of fix>`
+- **Commit format (quick-fix):** `chore: <brief description>`
+- **CI-issue branch:** `ci-issue/<short-slug>`
+- **Commit format (ci-issue):** `ci: <brief description>`
+- **PR creation:** always
+- **Find-task source:** Jira
+- **Find-task beginner JQL:** `project = CAMEL AND status = Open AND labels = 
good-first-issue` (maxResults=10)
+- **Find-task intermediate:** Filter 12352792 (easy issues)
+- **Find-task experienced JQL:** `project = CAMEL AND status = Open AND labels 
= help-wanted` (maxResults=10)
+- **Scope-too-large redirect:** create a Jira issue directly
diff --git a/.oss-ai-helper-rules/project-info.md 
b/.oss-ai-helper-rules/project-info.md
new file mode 100644
index 00000000000..ba3b536fd63
--- /dev/null
+++ b/.oss-ai-helper-rules/project-info.md
@@ -0,0 +1,15 @@
+# Project Information
+
+This rule file contains project-specific metadata used by OSS Helper commands. 
Commands detect the current project by matching `git remote get-url origin` 
against the remote pattern below.
+
+- **Remote pattern:** `apache/camel-spring-boot`
+- **GitHub repo:** `apache/camel-spring-boot`
+- **Issue tracker:** Jira
+- **Issue tracker URL:** `https://issues.apache.org/jira/browse/`
+- **Issue ID format:** alphanumeric (e.g., `CAMEL-20410`)
+- **SonarCloud component key:** _(none)_
+- **Documentation URL:** _(none)_
+- **Related repositories:**
+  - `apache/camel` - Apache Camel core
+- **Jira project key:** `CAMEL`
+- **Create-issue supported:** yes
diff --git a/.oss-ai-helper-rules/project-security.md 
b/.oss-ai-helper-rules/project-security.md
new file mode 100644
index 00000000000..e724c3a5228
--- /dev/null
+++ b/.oss-ai-helper-rules/project-security.md
@@ -0,0 +1,35 @@
+# Project Security
+
+This rule file contains the security and CVE-handling workflow for the project 
— how a vulnerability is reported, triaged, fixed, assigned a CVE, and 
published. Commands read this file to determine the private reporting channel, 
the CVE Numbering Authority (CNA), the advisory format and publication 
location, and the supported release lines a fix must be backported to.
+
+This file is **optional**. Commands that do not deal with security ignore it; 
the security commands (`/oss-triage-security-report`, 
`/oss-create-security-advisory`, `/oss-draft-cve`, 
`/oss-analyze-third-party-cve`) read it when present and fall back to 
interactive prompts when it is absent.
+
+Apache Camel Spring Boot is part of the Apache Camel project and follows the 
same PMC, CNA, and disclosure process as Camel core; the differences below are 
the issue tracker (Jira) and that releases track Camel core's version numbers.
+
+- **Private reporting channel:** `[email protected]` — the ASF Security 
Team. Apache Camel does not operate a dedicated `[email protected]` 
list, so reports go to the foundation address per 
https://www.apache.org/security/. Never use Jira, GitHub issues/PRs, or any 
public mailing list to report an undisclosed vulnerability.
+- **GitHub private vulnerability reporting:** not used. Coordination happens 
on `[email protected]`, not GitHub Security Advisories. 
`/oss-create-security-advisory` should direct reporters to 
`[email protected]` rather than the GitHub `/reports` endpoint for this 
project.
+- **CVE Numbering Authority (CNA):** The Apache Software Foundation Security 
Team — the only body that can allocate CVE IDs for ASF projects. Reserve an ID 
through the internal portal https://cveprocess.apache.org (or email 
`[email protected]` with subject `CVE request for ...`). The portal also 
generates draft announcement text and provides a REVIEW state for Security-Team 
sign-off. The OSS Helper never reserves, requests, or generates CVE IDs; it 
only drafts against an already-reserved ID.
+- **Severity:** the advisory's `Severity` field is a qualitative rating (Low / 
Medium / High / Critical). Camel advisory pages do **not** publish a CVSS score 
or vector string — only the qualitative rating. Compute a CVSS vector solely 
for the CNA/NVD record if one is required there.
+- **Advisory source format:** a Hugo Markdown page named `CVE-YYYY-NNNNN.md`, 
plus a PGP-clearsigned plaintext `CVE-YYYY-NNNNN.txt.asc` linked from the 
advisory's `References` section. `/oss-draft-cve` should emit the `.md` page 
and the matching `.txt` body; the maintainer signs the `.txt` into `.txt.asc` 
after review.
+- **Advisory section structure (exact labels, in order):** `Severity`, 
`Summary`, `Versions affected`, `Versions fixed`, `Description`, `Notes`, 
`Mitigation`, `Credit`, `References`. Reproduce these labels exactly when 
drafting.
+- **Advisory template (reference):** 
https://camel.apache.org/security/CVE-2025-27636.html (rendered) or its source 
https://github.com/apache/camel-website/blob/main/content/security/CVE-2025-27636.md.
 The advisory format is shared across all Camel sub-projects. Pass either as 
the `/oss-draft-cve template=` argument.
+- **Publication location:** advisories for all Camel sub-projects are 
published centrally — commit to `apache/camel-website` under 
`content/security/` (`CVE-YYYY-NNNNN.md` + `CVE-YYYY-NNNNN.txt.asc`); it 
renders live at `https://camel.apache.org/security/CVE-YYYY-NNNNN.html`.
+- **Signing key:** the Camel release/PMC GPG key published in 
https://downloads.apache.org/camel/KEYS. `gpg --clearsign CVE-YYYY-NNNNN.txt` 
produces `CVE-YYYY-NNNNN.txt.asc`. The OSS Helper never runs `gpg` — the 
maintainer signs after review.
+- **Supported release lines / backport branches:** Camel Spring Boot is 
released in lockstep with Camel core and shares its version numbers, so its 
supported lines match core — **4.14.x** and **4.18.x** as of May 2026 (4.10.x 
and all 3.x releases are EOL). Backport the fix to every supported line in 
`apache/camel-spring-boot`, then derive fixed versions with `git tag --contains 
<fix-commit> | sort -V`. Confirm the current lines against 
https://camel.apache.org/categories/Roadmap/ before  [...]
+- **Disclosure & announcement:** publish only after the fixed releases are 
available. Announce to `[email protected]` and `[email protected]`, 
notify the reporter, and post to `[email protected]`; the CVE is 
pushed to MITRE/NVD through the ASF CNA. The post to `oss-security` is the 
first public mention of the issue — never disclose specifics before the fix is 
released.
+- **Third-party CVE notes ("not affected" rationale):** where 
`/oss-analyze-third-party-cve` should record a verified exposure analysis. 
(TODO: decide whether to track these in release notes, a dedicated security 
page, or a private PMC tracking issue.)
+
+## CVE Handling Workflow
+
+End-to-end process. The OSS Helper command that assists each step is named in 
brackets; steps marked *(manual)* are maintainer/PMC actions with no command.
+
+1. **Receipt & confidentiality** — a report arrives privately on 
`[email protected]`. Treat all specifics as confidential and acknowledge 
receipt to the reporter. *(manual)*
+2. **Triage** — verify each claim against the current code and git history; 
assess scope and severity. Decide: valid / invalid / duplicate. 
[`/oss-triage-security-report`]
+3. **Reserve a CVE** — if valid, the PMC reserves a CVE ID through the ASF 
Security Team via https://cveprocess.apache.org. *(manual — the OSS Helper 
never reserves IDs)*
+4. **Fix privately** — develop the fix without referencing the vulnerability 
in public commits/PRs; backport to every supported line.
+5. **Release** — cut and vote the fixed releases through the normal ASF 
release process so the patched versions are available before disclosure. 
*(manual)*
+6. **Draft & sign the advisory** — draft `CVE-YYYY-NNNNN.md` and the matching 
`.txt` body from the triage notes and fix PR, then GPG-clearsign the `.txt` 
into `.txt.asc`. [`/oss-draft-cve` for the draft; signing is manual]
+7. **Publish** — commit the `.md` page and `.txt.asc` to 
`apache/camel-website` under `content/security/` so the advisory appears at 
`https://camel.apache.org/security/CVE-YYYY-NNNNN.html`. *(manual)*
+8. **Announce & register** — announce to `[email protected]`, 
`[email protected]`, and `[email protected]`, and push the 
CVE to MITRE/NVD via the ASF CNA. *(manual)*
+
+For a CVE in a third-party dependency (rather than in Camel Spring Boot's own 
code), use [`/oss-analyze-third-party-cve`] to decide exposure and whether a 
dependency bump or a documented "not affected" note is the right outcome.
diff --git a/.oss-ai-helper-rules/project-standards.md 
b/.oss-ai-helper-rules/project-standards.md
new file mode 100644
index 00000000000..4e1d6a08242
--- /dev/null
+++ b/.oss-ai-helper-rules/project-standards.md
@@ -0,0 +1,16 @@
+# Project Standards
+
+This rule file contains build tools, commands, and code style constraints for 
the project. Commands read this file to determine how to build, test, and 
format code.
+
+- **Build tool:** Maven
+- **Build command:** `mvn verify`
+- **Test command:** `mvn verify`
+- **Format command:** `cd <module> && mvn -DskipTests install`
+- **Module-specific build:** yes (always run `mvn` in the module directory 
where changes occurred)
+- **Parallelized Maven:** no (resource intensive, do NOT parallelize Maven 
jobs)
+- **Code style restrictions:**
+  - Do NOT use Lombok (unless already present in the file)
+  - Records are allowed for internal/non-API classes; do NOT convert existing 
public API classes to Records
+  - Do NOT change public API signatures without justification
+  - Do NOT add new dependencies without justification
+  - Maintain backwards compatibility for public APIs

Reply via email to