# Stella Ops Project Governance *Lazy Consensus • Maintainer Charter • Transparent Veto* > **Scope** – applies to **all** repositories under > `https://git.stella-ops.org/stella-ops/*` unless a sub‑project overrides it > with its own charter approved by the Core Maintainers. --- ## 1 · Decision‑making workflow 🗳️ | Stage | Default vote | Timer | |-------|--------------|-------| | **Docs / non‑code PR** | `+1` | **48 h** | | **Code / tests PR** | `+1` | **7 × 24 h** | | **Security‑sensitive / breaking API** | `+1` + explicit **`security‑LGTM`** | **7 × 24 h** | **Lazy‑consensus** – silence = approval once the timer elapses. * **Veto `‑1`** must include a concrete concern **and** a path to resolution. * After 3 unresolved vetoes the PR escalates to a **Maintainer Summit** call. --- ## 2 · Maintainer approval thresholds 👥 | Change class | Approvals required | Example | |--------------|-------------------|---------| | **Trivial** | 0 | Typos, comment fixes | | **Non‑trivial** | **2 Maintainers** | New API endpoint, feature flag | | **Security / breaking** | Lazy‑consensus **+ `security‑LGTM`** | JWT validation, crypto swap | Approval is recorded via Git forge review or a signed commit trailer `Signed-off-by: `. --- ## 3 · Becoming (and staying) a Maintainer 🌱 1. **3 + months** of consistent, high‑quality contributions. 2. **Nomination** by an existing Maintainer via issue. 3. **7‑day vote** – needs ≥ **⅔ majority** “`+1`”. 4. Sign `MAINTAINER_AGREEMENT.md` and enable **2FA**. 5. Inactivity > 6 months → automatic emeritus status (can be re‑activated). --- ## 4 · Release authority & provenance 🔏 * Every tag is **co‑signed by at least one Security Maintainer**. * CI emits a **signed SPDX SBOM** + **Cosign provenance**. * Release cadence is fixed – see [public Road‑map](../roadmap/README.md). * Security fixes may create out‑of‑band `x.y.z‑hotfix` tags. --- ## 5 · Escalation lanes 🚦 | Situation | Escalation | |-----------|------------| | Technical deadlock | **Maintainer Summit** (recorded & published) | | Security bug | Follow [Security Policy](../security/01_SECURITY_POLICY.md) | | Code of Conduct violation | See `12_CODE_OF_CONDUCT.md` escalation ladder | --- ## 6 · Contribution etiquette 🤝 * Draft PRs early – CI linting & tests help you iterate. * “There are no stupid questions” – ask in **Matrix #dev**. * Keep commit messages in **imperative mood** (`Fix typo`, `Add SBOM cache`). * Run the `pre‑commit` hook locally before pushing. --- ## 7 · Licence reminder 📜 Stella Ops is **AGPL‑3.0‑or‑later**. By contributing you agree that your patches are released under the same licence. --- ### Appendix A – Maintainer list 📇 *(Generated via `scripts/gen-maintainers.sh` – edit the YAML, **not** this section directly.)* | Handle | Area | Since | |--------|------|-------| | `@alice` | Core scanner • Security | 2025‑04 | | `@bob` | UI • Docs | 2025‑06 | ---