This is an automated email from the ASF dual-hosted git repository.
orpiske pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-kafka-connector.git
The following commit(s) were added to refs/heads/main by this push:
new 01ca1e4c42 chore: add OSS Helper project rules for AI-assisted
contributions
01ca1e4c42 is described below
commit 01ca1e4c426f1246d14a8a6da80f4532807da9dd
Author: Otavio Rodolfo Piske <[email protected]>
AuthorDate: Fri Jun 26 10:35:05 2026 +0200
chore: add OSS Helper project rules for AI-assisted contributions
---
.oss-ai-helper-rules/project-guidelines.md | 19 ++++++++++++++++
.oss-ai-helper-rules/project-info.md | 14 ++++++++++++
.oss-ai-helper-rules/project-security.md | 36 ++++++++++++++++++++++++++++++
.oss-ai-helper-rules/project-standards.md | 17 ++++++++++++++
4 files changed, 86 insertions(+)
diff --git a/.oss-ai-helper-rules/project-guidelines.md
b/.oss-ai-helper-rules/project-guidelines.md
new file mode 100644
index 0000000000..761beb7f0c
--- /dev/null
+++ b/.oss-ai-helper-rules/project-guidelines.md
@@ -0,0 +1,19 @@
+# Project Guidelines
+
+This rule file contains branching, commit, PR, and task-finding conventions
for the project. Commands read this file to determine how to name branches,
format commits, and search for tasks.
+
+- **Fix branch:** `fix/<ISSUE_NUMBER>`
+- **Feature branch:** `feature/<ISSUE_NUMBER>-<short-slug>`
+- **Bugfix branch:** `bugfix/<ISSUE_NUMBER>`
+- **Quick-fix branch:** `quick-fix/<short-slug>`
+- **Commit format (fix):** `Fix #<ISSUE_NUMBER>: <brief description>`
+- **Commit format (quick-fix):** `chore: <brief description>`
+- **CI-issue branch:** `ci-issue/<short-slug>`
+- **Commit format (ci-issue):** `ci: <brief description>`
+- **PR creation:** always
+- **Find-task source:** GitHub labels
+- **Find-task beginner label:** `good first issue`
+- **Find-task experienced label:** `help wanted`
+- **Find-task intermediate:** _(none)_
+- **Scope-too-large redirect:** `/oss-create-issue`
+
diff --git a/.oss-ai-helper-rules/project-info.md
b/.oss-ai-helper-rules/project-info.md
new file mode 100644
index 0000000000..23f30ff609
--- /dev/null
+++ b/.oss-ai-helper-rules/project-info.md
@@ -0,0 +1,14 @@
+# Project Information
+
+This rule file contains project-specific metadata used by OSS Helper commands.
Commands detect the current project by matching `git remote get-url origin`
against the remote pattern below.
+
+- **Remote pattern:** `apache/camel-kafka-connector`
+- **GitHub repo:** `apache/camel-kafka-connector`
+- **Issue tracker:** GitHub
+- **Issue tracker URL:**
`https://github.com/apache/camel-kafka-connector/issues`
+- **Issue ID format:** numeric
+- **Documentation URL:** _(none)_
+- **Related repositories:**
+ - `apache/camel` - Apache Camel core
+- **Create-issue supported:** yes
+
diff --git a/.oss-ai-helper-rules/project-security.md
b/.oss-ai-helper-rules/project-security.md
new file mode 100644
index 0000000000..5e88ee24aa
--- /dev/null
+++ b/.oss-ai-helper-rules/project-security.md
@@ -0,0 +1,36 @@
+# Project Security
+
+This rule file contains the security and CVE-handling workflow for the project
— how a vulnerability is reported, triaged, fixed, assigned a CVE, and
published. Commands read this file to determine the private reporting channel,
the CVE Numbering Authority (CNA), the advisory format and publication
location, and the supported release lines a fix must be backported to.
+
+This file is **optional**. Commands that do not deal with security ignore it;
the security commands (`/oss-triage-security-report`,
`/oss-create-security-advisory`, `/oss-draft-cve`,
`/oss-analyze-third-party-cve`) read it when present and fall back to
interactive prompts when it is absent.
+
+Apache Camel Kafka Connector is part of the Apache Camel project and follows
the same PMC, CNA, and disclosure process as Camel core; the differences below
are the issue tracker (GitHub) and that releases track Camel core's version
numbers on their own, less frequent cadence.
+
+- **Private reporting channel:** `[email protected]` — the ASF Security
Team. Apache Camel does not operate a dedicated `[email protected]`
list, so reports go to the foundation address per
https://www.apache.org/security/. Never use Jira, GitHub issues/PRs, or any
public mailing list to report an undisclosed vulnerability.
+- **GitHub private vulnerability reporting:** not used.
`apache/camel-kafka-connector` is public, but coordination happens on
`[email protected]`, not GitHub Security Advisories.
`/oss-create-security-advisory` should direct reporters to
`[email protected]` rather than the GitHub `/reports` endpoint for this
project.
+- **CVE Numbering Authority (CNA):** The Apache Software Foundation Security
Team — the only body that can allocate CVE IDs for ASF projects. Reserve an ID
through the internal portal https://cveprocess.apache.org (or email
`[email protected]` with subject `CVE request for ...`). The portal also
generates draft announcement text and provides a REVIEW state for Security-Team
sign-off. The OSS Helper never reserves, requests, or generates CVE IDs; it
only drafts against an already-reserved ID.
+- **Severity:** the advisory's `Severity` field is a qualitative rating (Low /
Medium / High / Critical). Camel advisory pages do **not** publish a CVSS score
or vector string — only the qualitative rating. Compute a CVSS vector solely
for the CNA/NVD record if one is required there.
+- **Advisory source format:** a Hugo Markdown page named `CVE-YYYY-NNNNN.md`,
plus a PGP-clearsigned plaintext `CVE-YYYY-NNNNN.txt.asc` linked from the
advisory's `References` section. `/oss-draft-cve` should emit the `.md` page
and the matching `.txt` body; the maintainer signs the `.txt` into `.txt.asc`
after review.
+- **Advisory section structure (exact labels, in order):** `Severity`,
`Summary`, `Versions affected`, `Versions fixed`, `Description`, `Notes`,
`Mitigation`, `Credit`, `References`. Reproduce these labels exactly when
drafting.
+- **Advisory template (reference):**
https://camel.apache.org/security/CVE-2025-27636.html (rendered) or its source
https://github.com/apache/camel-website/blob/main/content/security/CVE-2025-27636.md.
The advisory format is shared across all Camel sub-projects. Pass either as
the `/oss-draft-cve template=` argument.
+- **Publication location:** advisories for all Camel sub-projects are
published centrally — commit to `apache/camel-website` under
`content/security/` (`CVE-YYYY-NNNNN.md` + `CVE-YYYY-NNNNN.txt.asc`); it
renders live at `https://camel.apache.org/security/CVE-YYYY-NNNNN.html`.
+- **Signing key:** the Camel release/PMC GPG key published in
https://downloads.apache.org/camel/KEYS. `gpg --clearsign CVE-YYYY-NNNNN.txt`
produces `CVE-YYYY-NNNNN.txt.asc`. The OSS Helper never runs `gpg` — the
maintainer signs after review.
+- **Supported release lines / backport branches:** Camel Kafka Connector
versions track Camel core, but it releases on its own (less frequent) cadence,
so its actively maintained lines may lag core. **Confirm the currently
maintained Camel Kafka Connector lines** via
https://camel.apache.org/categories/Roadmap/ and the project's GitHub releases
before choosing backport targets, then derive fixed versions with `git tag
--contains <fix-commit> | sort -V` in `apache/camel-kafka-connector`.
+- **Disclosure & announcement:** publish only after the fixed releases are
available. Announce to `[email protected]` and `[email protected]`,
notify the reporter, and post to `[email protected]`; the CVE is
pushed to MITRE/NVD through the ASF CNA. The post to `oss-security` is the
first public mention of the issue — never disclose specifics before the fix is
released.
+- **Third-party CVE notes ("not affected" rationale):** where
`/oss-analyze-third-party-cve` should record a verified exposure analysis.
(TODO: decide whether to track these in release notes, a dedicated security
page, or a private PMC tracking issue.)
+
+## CVE Handling Workflow
+
+End-to-end process. The OSS Helper command that assists each step is named in
brackets; steps marked *(manual)* are maintainer/PMC actions with no command.
+
+1. **Receipt & confidentiality** — a report arrives privately on
`[email protected]`. Treat all specifics as confidential and acknowledge
receipt to the reporter. *(manual)*
+2. **Triage** — verify each claim against the current code and git history;
assess scope and severity. Decide: valid / invalid / duplicate.
[`/oss-triage-security-report`]
+3. **Reserve a CVE** — if valid, the PMC reserves a CVE ID through the ASF
Security Team via https://cveprocess.apache.org. *(manual — the OSS Helper
never reserves IDs)*
+4. **Fix privately** — develop the fix without referencing the vulnerability
in public commits/PRs; backport to every supported line.
+5. **Release** — cut and vote the fixed releases through the normal ASF
release process so the patched versions are available before disclosure.
*(manual)*
+6. **Draft & sign the advisory** — draft `CVE-YYYY-NNNNN.md` and the matching
`.txt` body from the triage notes and fix PR, then GPG-clearsign the `.txt`
into `.txt.asc`. [`/oss-draft-cve` for the draft; signing is manual]
+7. **Publish** — commit the `.md` page and `.txt.asc` to
`apache/camel-website` under `content/security/` so the advisory appears at
`https://camel.apache.org/security/CVE-YYYY-NNNNN.html`. *(manual)*
+8. **Announce & register** — announce to `[email protected]`,
`[email protected]`, and `[email protected]`, and push the
CVE to MITRE/NVD via the ASF CNA. *(manual)*
+
+For a CVE in a third-party dependency (rather than in Camel Kafka Connector's
own code), use [`/oss-analyze-third-party-cve`] to decide exposure and whether
a dependency bump or a documented "not affected" note is the right outcome.
+
diff --git a/.oss-ai-helper-rules/project-standards.md
b/.oss-ai-helper-rules/project-standards.md
new file mode 100644
index 0000000000..70cd5af040
--- /dev/null
+++ b/.oss-ai-helper-rules/project-standards.md
@@ -0,0 +1,17 @@
+# Project Standards
+
+This rule file contains build tools, commands, and code style constraints for
the project. Commands read this file to determine how to build, test, and
format code.
+
+- **Build tool:** Maven
+- **Build command:** `mvn verify`
+- **Test command:** `mvn verify`
+- **Format command:** `cd <module> && mvn -DskipTests install`
+- **Module-specific build:** yes (always run `mvn` in the module directory
where changes occurred)
+- **Parallelized Maven:** no (resource intensive, do NOT parallelize Maven
jobs)
+- **Code style restrictions:**
+ - Do NOT use Lombok (unless already present in the file)
+ - Records are allowed for internal/non-API classes; do NOT convert existing
public API classes to Records
+ - Do NOT change public API signatures without justification
+ - Do NOT add new dependencies without justification
+ - Maintain backwards compatibility for public APIs
+