Skip to content

Commit 6e163c5

Browse files
dj4oCphil-davis
andauthored
docs(ospo): community health rollout v2 — README, agents.md, health files (#227)
* docs(ospo): community health rollout v2 — README, agents.md, health files Introduced by the Kiteworks Open Source Program Office (OSPO) on May 5, 2026. Changes: - README.md: rewritten with OSPO v2 template — license-specific migration guidance, Community & Support section, Contributing workflow, Security section pointing to security.owncloud.com + YesWeHack bug bounty - agents.md: AI agent context file with architecture, build commands, and OSPO Policy Constraints (GitHub Actions, Dependabot, Git Workflow) - CODE_OF_CONDUCT.md: redirect to https://owncloud.com/contribute/code-of-conduct/ - CONTRIBUTING.md: redirect to https://owncloud.com/contribute/ - SECURITY.md: redirect to https://security.owncloud.com + YesWeHack - SUPPORT.md: redirect to https://owncloud.com/contact-us/ + channels OSPO: https://kiteworks.com/opensource Signed-off-by: David Walter <david.walter@kiteworks.com> * docs: add acceptance tests to agent information Co-authored-by: Phil Davis <phil@jankaritech.com> --------- Signed-off-by: David Walter <david.walter@kiteworks.com> Co-authored-by: Phil Davis <phil@jankaritech.com>
1 parent e032011 commit 6e163c5

6 files changed

Lines changed: 226 additions & 7 deletions

File tree

CODE_OF_CONDUCT.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
# Code of Conduct
2+
3+
This project follows the ownCloud Code of Conduct.
4+
5+
Please read the full Code of Conduct at:
6+
**<https://owncloud.com/contribute/code-of-conduct/>**
7+
8+
By participating in this project, you agree to abide by its terms.

CONTRIBUTING.md

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
# Contributing
2+
3+
Thank you for your interest in contributing to this project!
4+
5+
Please read the full contributing guidelines at:
6+
**<https://owncloud.com/contribute/>**
7+
8+
For development setup, coding standards, and pull request process,
9+
see the README in this repository.

README.md

Lines changed: 100 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,100 @@
1-
# Brute Force Protection App
2-
[![Build Status](https://drone.owncloud.com/api/badges/owncloud/brute_force_protection/status.svg)](https://drone.owncloud.com/owncloud/brute_force_protection)
3-
[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=owncloud_brute_force_protection&metric=alert_status)](https://sonarcloud.io/dashboard?id=owncloud_brute_force_protection)
4-
[![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=owncloud_brute_force_protection&metric=security_rating)](https://sonarcloud.io/dashboard?id=owncloud_brute_force_protection)
5-
[![Coverage](https://sonarcloud.io/api/project_badges/measure?project=owncloud_brute_force_protection&metric=coverage)](https://sonarcloud.io/dashboard?id=owncloud_brute_force_protection)
6-
7-
The Brute Force Protection App temporarily blocks logins to user accounts, from the originating IP address, after a configurable number of failed login attempts have taken place. The time frame of the ban and the number of unsuccessful login attempts during a time period are all configurable by ownCloud administrators.
1+
# Brute Force Protection
2+
3+
<!-- OSPO-managed README | Generated: 2026-04-16 | v2 -->
4+
5+
[![License](https://img.shields.io/badge/License-GPL--2.0-blue.svg)](LICENSE) [![ownCloud OSPO](https://img.shields.io/badge/OSPO-ownCloud-blue)](https://kiteworks.com/opensource) [![Docker Hub](https://img.shields.io/docker/pulls/owncloud)](https://hub.docker.com/r/owncloud/server)
6+
7+
The Brute Force Protection app temporarily blocks login attempts to user accounts from the originating IP address after a configurable number of failed login attempts. Administrators can configure the ban duration and the threshold of unsuccessful login attempts within a given time period. This helps protect ownCloud instances against brute-force password attacks.
8+
9+
## Part of Classic (OC10)
10+
11+
Brute Force Protection is a security app for [ownCloud Server (Classic)](https://github.com/owncloud/core). It is available on [Docker Hub as part of the ownCloud Server image](https://hub.docker.com/r/owncloud/server).
12+
13+
## Getting Started
14+
15+
1. Clone this repository into the `apps/` directory of your ownCloud Server installation
16+
2. Run `make` to build the app
17+
3. Enable the app: `occ app:enable brute_force_protection`
18+
4. Configure the protection parameters in the ownCloud admin panel
19+
20+
## Documentation
21+
22+
- [ownCloud Server documentation](https://doc.owncloud.com)
23+
24+
## Community & Support
25+
26+
**[Star](https://github.com/owncloud/brute_force_protection)** this repo and **Watch** for release notifications!
27+
28+
- [ownCloud Website](https://owncloud.com)
29+
- [Community Discussions](https://github.com/orgs/owncloud/discussions)
30+
- [Matrix Chat](https://app.element.io/#/room/#owncloud:matrix.org)
31+
- [Documentation](https://doc.owncloud.com)
32+
- [Enterprise Support](https://owncloud.com/contact-us/)
33+
- [OSPO Home](https://kiteworks.com/opensource)
34+
35+
## Contributing
36+
37+
We welcome contributions! Please read the [Contributing Guidelines](CONTRIBUTING.md)
38+
and our [Code of Conduct](CODE_OF_CONDUCT.md) before getting started.
39+
40+
### Workflow
41+
42+
- **Rebase Early, Rebase Often!** We use a rebase workflow. Always rebase on the target branch before submitting a PR.
43+
- **Dependabot**: Automated dependency updates are managed via Dependabot. Review and merge dependency PRs promptly.
44+
- **Signed Commits**: All commits **must** be PGP/GPG signed. See [GitHub's signing guide](https://docs.github.com/en/authentication/managing-commit-signature-verification).
45+
- **DCO Sign-off**: Every commit must carry a `Signed-off-by` line:
46+
```
47+
git commit -s -S -m "your commit message"
48+
```
49+
- **GitHub Actions Policy**: Workflows may only use actions that are (a) owned by `owncloud`, (b) created by GitHub (`actions/*`), or (c) verified in the GitHub Marketplace.
50+
51+
## Translations
52+
53+
Help translate this project on Transifex:
54+
**<https://explore.transifex.com/owncloud-org/owncloud/>**
55+
56+
Please submit translations via Transifex -- do not open pull requests for translation changes.
57+
58+
## Security
59+
60+
**Do not open a public GitHub issue for security vulnerabilities.**
61+
62+
Report vulnerabilities at **<https://security.owncloud.com>** -- see [SECURITY.md](SECURITY.md).
63+
64+
Bug bounty: [YesWeHack ownCloud Program](https://yeswehack.com/programs/owncloud-bug-bounty-program)
65+
66+
## License
67+
68+
This project is licensed under the [GPL-2.0](LICENSE).
69+
70+
## About the ownCloud OSPO
71+
72+
The [Kiteworks Open Source Program Office](https://kiteworks.com/opensource), operating under
73+
the [ownCloud](https://owncloud.com) brand, launched on May 5, 2026, to steward the open source
74+
ecosystem around ownCloud's products. The OSPO ensures transparent governance, license compliance,
75+
community health, and sustainable collaboration between the open source community and
76+
[Kiteworks](https://www.kiteworks.com), which acquired ownCloud in 2023.
77+
78+
- **OSPO Home**: <https://kiteworks.com/opensource>
79+
- **GitHub**: <https://github.com/owncloud>
80+
- **ownCloud**: <https://owncloud.com>
81+
82+
For questions about the OSPO or licensing, contact ospo@kiteworks.com.
83+
84+
### License Migration to Apache 2.0
85+
86+
The OSPO is driving a strategic relicensing of ownCloud repositories toward the
87+
[Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0), following
88+
the [Apache Software Foundation's third-party license policy](https://www.apache.org/legal/resolved.html).
89+
90+
Individual repositories will migrate as their audit is completed. The LICENSE file
91+
in each repo reflects its **current** license status (not the target).
92+
93+
**Current license: GPL-2.0** (Category X per Apache policy -- cannot be included in Apache-2.0 works).
94+
95+
Migration prerequisites for this repository:
96+
97+
- **CLA/DCO coverage**: All past contributors must have signed agreements permitting relicensing
98+
- **Copyleft dependency audit**: All GPL dependencies must be replaced or isolated
99+
- **KDE heritage review**: Any code with KDE-era copyrights requires legal analysis
100+
- **Complete relicensing**: GPL-2.0 is a strong copyleft license; migration requires full relicensing of all files

SECURITY.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
# Security Policy
2+
3+
## Reporting a Vulnerability
4+
5+
**Do NOT open a public GitHub issue for security vulnerabilities.**
6+
7+
Please report security issues responsibly via:
8+
**<https://security.owncloud.com>**
9+
10+
You can also report vulnerabilities through our YesWeHack bug bounty program:
11+
**<https://yeswehack.com/programs/owncloud-bug-bounty-program>**

SUPPORT.md

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
# Support
2+
3+
For support with this project, please use the following channels:
4+
5+
- **Enterprise Support**: <https://owncloud.com/contact-us/>
6+
- **Community discussions**: https://github.com/orgs/owncloud/discussions
7+
- **Matrix Chat**: <https://app.element.io/#/room/#owncloud:matrix.org>
8+
- **Documentation**: <https://doc.owncloud.com>
9+
10+
Please do not use GitHub issues for general support questions.

agents.md

Lines changed: 88 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,88 @@
1+
# AI Agent Guidelines for Brute Force Protection
2+
3+
This file provides context for AI coding agents (Claude Code, GitHub Copilot, Cursor, etc.) working in this repository.
4+
5+
## Repository Overview
6+
- **Product family:** Classic (OC10)
7+
- **Primary language(s):** PHP, JavaScript
8+
- **Build system:** Composer, Make
9+
- **Test framework:** PHPUnit
10+
- **CI system:** GitHub Actions
11+
12+
## Architecture & Key Paths
13+
- `lib/` - PHP application logic
14+
- `appinfo/` - ownCloud app metadata and registration
15+
- `templates/` - Server-side templates
16+
- `js/` - Frontend JavaScript
17+
- `l10n/` - Translations
18+
- `img/` - App icons
19+
- `screenshots/` - App screenshots
20+
- `tests/` - PHPUnit and acceptance test suite
21+
- `Makefile` - Build and test automation
22+
- `composer.json` - PHP dependencies
23+
- `phpcs.xml` - PHP_CodeSniffer configuration
24+
- `phpstan.neon` - PHPStan configuration
25+
- `phpunit.xml` - PHPUnit configuration
26+
27+
## Development Conventions
28+
- **Branching:** master
29+
- **Commit messages:** DCO sign-off required (`git commit -s`)
30+
- **Code style:** PHP_CodeSniffer (phpcs.xml), ownCloud coding standard
31+
- **PR process:** Open a PR against master. All CI checks must pass.
32+
33+
## Build & Test Commands
34+
```bash
35+
# Build
36+
make
37+
38+
# Test (PHPunit)
39+
make test-php-unit
40+
41+
# Test (API acceptance)
42+
make test-acceptance-api
43+
44+
# Test (WebUI acceptance)
45+
make test-acceptance-webui
46+
47+
48+
# Lint
49+
make test-php-style
50+
51+
# Fix code style
52+
make test-php-style-fix
53+
54+
# Static analysis
55+
make test-php-phpstan
56+
```
57+
58+
## Important Constraints
59+
- All code contributions must be compatible with the **GPL-2.0** license
60+
- Do not introduce new **copyleft-licensed dependencies** (GPL, AGPL, LGPL, MPL) without explicit discussion in an issue first. This is especially important for repos migrating to Apache 2.0.
61+
- Do not introduce new dependencies without discussion in an issue first
62+
- This is a security-sensitive app - changes should be reviewed carefully
63+
64+
65+
## OSPO Policy Constraints
66+
67+
### GitHub Actions
68+
- **Only** use actions owned by `owncloud`, created by GitHub (`actions/*`), verified on the GitHub Marketplace, or verified by the ownCloud Maintainers.
69+
- Pin all actions to their full commit SHA (not tags): `uses: actions/checkout@<SHA> # vX.Y.Z`
70+
- Never introduce actions from unverified third parties.
71+
72+
### Dependency Management
73+
- Dependabot is configured for automated dependency updates.
74+
- Review and merge Dependabot PRs as part of regular maintenance.
75+
- Do not introduce new dependencies without discussion in an issue first.
76+
77+
### Git Workflow
78+
- **Rebase policy**: Always rebase; never create merge commits. Use `git pull --rebase` and `git rebase` before pushing.
79+
- **Signed commits**: All commits **must** be PGP/GPG signed (`git commit -S -s`).
80+
- **DCO sign-off**: Every commit needs a `Signed-off-by` line (`git commit -s`).
81+
- **Conventional Commits & Squash Merge**: Use the [Conventional Commits](https://www.conventionalcommits.org/) format where the repository enforces it. Many repos use squash merge, where the PR title becomes the commit message on the default branch — apply Conventional Commits format to PR titles as well. A reusable GitHub Actions workflow enforces this.
82+
83+
## Context for AI Agents
84+
- Match existing code style
85+
- Do not refactor unrelated code in the same PR
86+
- Write tests for new functionality
87+
- Keep PRs focused and atomic
88+
- Security-related code requires extra scrutiny

0 commit comments

Comments
 (0)