Skip to content

Commit d200ed8

Browse files
frankbriaTest User
andauthored
docs: launch-prep — SECURITY.md, licensing clarity, beta issue templates (#622)
Adds the public-beta launch docs and routes support/feature traffic: - SECURITY.md: private vulnerability reporting path + response expectations (3-day ack / 7-day assessment), beta supported-versions, scope. - LICENSING.md: plain-language AGPL-3.0 for individuals, internal company use, and embedding; commercial/hosted path with a contact route. - .github/ISSUE_TEMPLATE/: bug_report.yml (version/OS/engine/repro/logs) + config.yml routing feature ideas → Discussions/Ideas, Q&A, Show & Tell, Coming from ralph, and security → private advisories. - CONTRIBUTING.md: beta expectations (what's stable vs in flux, propose via Discussions). - README.md: "Security, licensing & support" section linking all of the above. Repo settings applied out of band: private vulnerability reporting enabled, Discussions enabled. Manual follow-ups (no clean API) tracked in the PR: create the "Coming from ralph" category and pin the early-access Discussion. Closes #617 Closes #618 Co-authored-by: Test User <test@example.com>
1 parent 670c910 commit d200ed8

6 files changed

Lines changed: 289 additions & 2 deletions

File tree

Lines changed: 76 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,76 @@
1+
name: Bug report
2+
description: Report something that is broken or behaving incorrectly in CodeFRAME.
3+
title: "[Bug]: "
4+
labels: ["bug"]
5+
body:
6+
- type: markdown
7+
attributes:
8+
value: |
9+
Thanks for taking the time to file a bug report. Please fill in the
10+
details below so we can reproduce and fix it quickly.
11+
12+
**Security issue?** Do not file it here — use [private vulnerability
13+
reporting](https://github.com/frankbria/codeframe/security) instead. See
14+
[SECURITY.md](https://github.com/frankbria/codeframe/blob/main/SECURITY.md).
15+
- type: textarea
16+
id: what-happened
17+
attributes:
18+
label: What happened?
19+
description: A clear description of the bug, including what you expected to happen instead.
20+
placeholder: "Running `cf work start` exits with ... but I expected ..."
21+
validations:
22+
required: true
23+
- type: input
24+
id: version
25+
attributes:
26+
label: CodeFRAME version
27+
description: "Output of `cf --version` (or the commit hash if running from source)."
28+
placeholder: "e.g. 0.x.y or commit 670c910"
29+
validations:
30+
required: true
31+
- type: dropdown
32+
id: os
33+
attributes:
34+
label: Operating system
35+
options:
36+
- Linux
37+
- macOS
38+
- Windows (WSL)
39+
- Windows (native)
40+
- Other
41+
validations:
42+
required: true
43+
- type: dropdown
44+
id: engine
45+
attributes:
46+
label: Execution engine
47+
description: Which agent engine were you using when the bug occurred?
48+
options:
49+
- built-in (ReAct)
50+
- claude-code
51+
- codex
52+
- opencode
53+
- kilocode
54+
- "N/A — not running an agent"
55+
validations:
56+
required: true
57+
- type: textarea
58+
id: repro
59+
attributes:
60+
label: Steps to reproduce
61+
description: The exact commands or actions, in order, that trigger the bug.
62+
placeholder: |
63+
1. cf init ...
64+
2. cf tasks generate
65+
3. cf work start <id> --execute
66+
4. See error
67+
validations:
68+
required: true
69+
- type: textarea
70+
id: logs
71+
attributes:
72+
label: Relevant logs or output
73+
description: Paste any error output or stack traces. This is automatically formatted as code, so no backticks needed. Do not paste API keys or secrets.
74+
render: shell
75+
validations:
76+
required: false

.github/ISSUE_TEMPLATE/config.yml

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,17 @@
1+
blank_issues_enabled: false
2+
contact_links:
3+
- name: 💡 Feature request or idea
4+
url: https://github.com/frankbria/codeframe/discussions/categories/ideas
5+
about: During the beta, feature requests live in Discussions → Ideas so we can shape them together before they become issues.
6+
- name: 🙋 Questions & help
7+
url: https://github.com/frankbria/codeframe/discussions/categories/q-a
8+
about: Ask how to do something, share setup problems, or get unstuck in Discussions → Q&A.
9+
- name: 🛠️ Show & Tell
10+
url: https://github.com/frankbria/codeframe/discussions/categories/show-and-tell
11+
about: Show what you built with CodeFRAME.
12+
- name: 👋 Coming from ralph?
13+
url: https://github.com/frankbria/codeframe/discussions/categories/coming-from-ralph
14+
about: Migrating from ralph-claude-code? Start here for migration help and feature conversations.
15+
- name: 🔒 Report a security vulnerability
16+
url: https://github.com/frankbria/codeframe/security/advisories/new
17+
about: Privately report a security issue. Please do not open a public issue.

CONTRIBUTING.md

Lines changed: 36 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,40 @@
22

33
Thank you for your interest in contributing to CodeFRAME!
44

5+
## Beta expectations
6+
7+
CodeFRAME is in **public beta**. The product vision — Think → Build → Prove →
8+
Ship — is stable, but the surface area is still moving. Knowing what's settled
9+
and what isn't will save you time before you open a PR.
10+
11+
**Stable enough to build on:**
12+
13+
- The **Golden Path CLI** (`cf init/prd/tasks/work/proof/pr`) and its core
14+
modules in `codeframe/core/`.
15+
- The **v2 REST API** and its authentication model.
16+
- The PROOF9 quality system and the agent/LLM adapter interfaces.
17+
18+
**Still in flux (expect change):**
19+
20+
- **Web UI** surfaces and components — pages are actively being added and
21+
reworked; coordinate before large UI changes.
22+
- Anything behind a phase that is "in progress" in
23+
[`docs/PRODUCT_ROADMAP.md`](docs/PRODUCT_ROADMAP.md).
24+
- Database schemas and on-disk `.codeframe/` formats may change between betas.
25+
26+
**How to propose a change:** open a thread in
27+
[**Discussions → Ideas**](https://github.com/frankbria/codeframe/discussions/categories/ideas)
28+
*before* writing code for anything non-trivial. During the beta, feature
29+
requests are routed to Discussions (not the issue tracker) so we can shape them
30+
together; the issue tracker is reserved for confirmed bugs and accepted work.
31+
Bug reports go through the [bug report
32+
template](https://github.com/frankbria/codeframe/issues/new/choose). Security
33+
issues follow [SECURITY.md](SECURITY.md) — never a public issue or PR.
34+
35+
Every change must support the Think → Build → Prove → Ship pipeline. If it
36+
doesn't, it likely won't be merged regardless of quality — see
37+
[`CLAUDE.md`](CLAUDE.md) and [`docs/VISION.md`](docs/VISION.md).
38+
539
## Development Setup
640

741
```bash
@@ -134,4 +168,5 @@ See `codeframe/tasks/test_runner.py` for test runner configuration.
134168

135169
## Questions?
136170

137-
Open an issue or start a discussion on GitHub.
171+
Ask in [Discussions → Q&A](https://github.com/frankbria/codeframe/discussions/categories/q-a).
172+
For licensing or commercial questions, see [LICENSING.md](LICENSING.md).

LICENSING.md

Lines changed: 78 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,78 @@
1+
# Licensing
2+
3+
CodeFRAME is released under the [GNU Affero General Public License v3.0
4+
(AGPL-3.0)](LICENSE). This page explains, in plain language, what that means for
5+
you — and what to do if the AGPL doesn't fit your situation.
6+
7+
> This is a practical summary, not legal advice. The [LICENSE](LICENSE) file is
8+
> the binding text. When in doubt, consult a lawyer.
9+
10+
## Why AGPL-3.0
11+
12+
CodeFRAME is **open core**: the project is fully open source, and we intend to
13+
keep the core that way. The AGPL is a deliberate choice. It guarantees that
14+
CodeFRAME — and improvements to it — stay open, including when the software is
15+
offered to others as a network service. This protects the community from a
16+
closed fork being run as a competing hosted product without giving anything
17+
back.
18+
19+
## What it means for you
20+
21+
### Individuals and teams using CodeFRAME
22+
23+
You can **use, run, modify, and self-host** CodeFRAME for any purpose, including
24+
commercial work, at no cost. If you run it for yourself or your team and don't
25+
distribute it or offer it to outside users as a service, the AGPL asks nothing
26+
further of you. Use it freely.
27+
28+
### Companies using it internally
29+
30+
The same applies to internal company use. Running CodeFRAME on your own
31+
infrastructure to deliver software for your own organization is fine and creates
32+
no source-disclosure obligation, even if you modify it — as long as those
33+
modified versions are not conveyed to outside parties or exposed to outside
34+
users over a network.
35+
36+
### Companies offering it to others (the AGPL trigger)
37+
38+
The AGPL's defining clause is **Section 13**: if you run a modified version of
39+
CodeFRAME and let users interact with it **over a network** (for example, a
40+
hosted SaaS built on or embedding CodeFRAME), you must offer those users the
41+
**complete corresponding source code** of your modified version, under the
42+
AGPL. The same applies if you distribute CodeFRAME or a derivative work: the
43+
recipient gets the source under the AGPL.
44+
45+
In short:
46+
47+
| Your situation | AGPL obligation |
48+
| ----------------------------------------------------------- | ------------------------------------------------ |
49+
| Run it for yourself / your team, unmodified or modified | None beyond keeping the notices |
50+
| Internal company use, not exposed to outside users | None beyond keeping the notices |
51+
| Offer it (or a derivative) to outside users over a network | Publish your complete source under AGPL-3.0 |
52+
| Distribute it or embed it in software you ship | Recipients get source under AGPL-3.0 |
53+
54+
## Commercial licensing and hosted offering (planned)
55+
56+
If the AGPL's network-source-disclosure requirement doesn't work for your
57+
business — for example, you want to **embed CodeFRAME in a closed-source
58+
product** or offer a hosted service **without** publishing your modifications —
59+
we plan to offer:
60+
61+
- **Commercial / OEM licenses** that release you from the AGPL's copyleft
62+
obligations for embedding and redistribution.
63+
- A **hosted CodeFRAME** offering for teams that would rather not self-host.
64+
65+
Pricing and terms are still being finalized, but the path exists. If you have a
66+
commercial need, **tell us now** — early conversations shape what we build.
67+
68+
## Get in touch
69+
70+
- **Commercial licensing / OEM / hosted interest:** start a thread in the
71+
[**Commercial & Licensing** discussion](https://github.com/frankbria/codeframe/discussions)
72+
(look for the pinned *Early access & commercial interest* post) so we can
73+
follow up. This is the capture point for launch — even before pricing is
74+
published.
75+
- **Design partners & early access:** the same pinned discussion is where we
76+
collect early-access signups. Reply there to be included.
77+
78+
We read every one.

README.md

Lines changed: 14 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -395,11 +395,24 @@ cd web-ui && npm run build # Production build verification
395395

396396
Code standards: PEP 8, `ruff` for linting, type hints required, 85%+ test coverage.
397397

398+
During the beta, feature ideas go to [Discussions -> Ideas](https://github.com/frankbria/codeframe/discussions/categories/ideas) before code. See [CONTRIBUTING.md](CONTRIBUTING.md) for what's stable, what isn't, and how to propose changes.
399+
400+
---
401+
402+
## Security, licensing & support
403+
404+
CodeFRAME is in **public beta**.
405+
406+
- **Security:** found a vulnerability? Report it privately via [GitHub private vulnerability reporting](https://github.com/frankbria/codeframe/security/advisories/new) -- never a public issue. See [SECURITY.md](SECURITY.md) for scope and response expectations.
407+
- **Licensing:** CodeFRAME is [AGPL-3.0](LICENSE), an open-core stance. [LICENSING.md](LICENSING.md) explains what that means for individuals, internal company use, and embedding -- and how to reach us about **commercial licensing or a hosted offering** (both planned).
408+
- **Early access / design partners:** we're capturing early-access interest in a pinned [Discussion](https://github.com/frankbria/codeframe/discussions). Reply there to be included.
409+
- **Help & community:** [Discussions -> Q&A](https://github.com/frankbria/codeframe/discussions/categories/q-a) for questions, [Ideas](https://github.com/frankbria/codeframe/discussions/categories/ideas) for feature requests, and [bug reports](https://github.com/frankbria/codeframe/issues/new/choose) for confirmed bugs.
410+
398411
---
399412

400413
## License
401414

402-
[AGPL-3.0](LICENSE) -- Free to use, modify, and distribute. Derivative works and network services must release source code under the same license.
415+
[AGPL-3.0](LICENSE) -- Free to use, modify, and distribute. Derivative works and network services must release source code under the same license. See [LICENSING.md](LICENSING.md) for a plain-language explanation and commercial options.
403416

404417
---
405418

SECURITY.md

Lines changed: 68 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,68 @@
1+
# Security Policy
2+
3+
CodeFRAME is in public beta. We take security seriously and appreciate reports
4+
that help us protect users before and during launch.
5+
6+
## Supported versions
7+
8+
During the beta, only the latest release on the `main` branch receives security
9+
fixes. Pin to a tagged release for stability, but report against the most recent
10+
version when you can — older betas are not patched individually.
11+
12+
| Version | Supported |
13+
| ------------------ | ------------------ |
14+
| `main` (latest) | :white_check_mark: |
15+
| Older beta builds | :x: |
16+
17+
## Reporting a vulnerability
18+
19+
**Do not open a public issue, discussion, or pull request for security
20+
problems.** Public disclosure before a fix is available puts every user at risk.
21+
22+
Report privately through GitHub's private vulnerability reporting:
23+
24+
1. Go to the [**Security** tab](https://github.com/frankbria/codeframe/security)
25+
of this repository.
26+
2. Click **Report a vulnerability**.
27+
3. Fill in the advisory form with as much detail as you can (see below).
28+
29+
This opens a private channel visible only to the maintainers. If you cannot use
30+
GitHub's private reporting for any reason, open a regular issue titled
31+
**"Security — request a private channel"** with **no technical details** and a
32+
maintainer will follow up privately.
33+
34+
### What to include
35+
36+
- A description of the vulnerability and its impact.
37+
- The CodeFRAME version or commit, your OS, and the execution engine in use
38+
(`claude-code`, `codex`, `opencode`, or the built-in ReAct agent).
39+
- Step-by-step reproduction, including any configuration, environment variables,
40+
or sample input required.
41+
- Proof-of-concept code or screenshots where applicable.
42+
43+
### Response expectations
44+
45+
- **Acknowledgement within 3 business days** of your report.
46+
- A first assessment (severity, whether we can reproduce it, and likely next
47+
steps) **within 7 business days**.
48+
- Regular updates at least every 7 days until the issue is resolved.
49+
- We will coordinate a disclosure timeline with you and credit you in the
50+
advisory unless you ask us not to.
51+
52+
## Scope
53+
54+
In scope: the CodeFRAME CLI, core orchestration, the FastAPI server, the web UI,
55+
and the LLM/agent adapters in this repository.
56+
57+
Out of scope: vulnerabilities in upstream coding agents (Claude Code, Codex,
58+
OpenCode, Kilocode) or third-party LLM providers — please report those to their
59+
respective maintainers. Issues that require a user to run an untrusted PRD,
60+
task, or repository are expected behavior for an agent that executes code on
61+
your behalf; sandbox-escape findings, however, are in scope.
62+
63+
## Handling secrets
64+
65+
Never include API keys, tokens, or other credentials in a report. CodeFRAME
66+
stores provider keys via the machine-wide credential manager and never returns
67+
them in API responses; if you believe a key is being leaked, say so without
68+
pasting the key itself.

0 commit comments

Comments
 (0)