PowerShellOrg
diff --git a/‎docs/adoption-criteria.md‎
Lines changed: 116 additions & 0 deletions b/‎docs/adoption-criteria.md‎
Lines changed: 116 additions & 0 deletions
diff --git a/‎docs/maintainer-onboarding.md‎
Lines changed: 137 additions & 0 deletions b/‎docs/maintainer-onboarding.md‎
Lines changed: 137 additions & 0 deletions
@@ -0,0 +1,116 @@
+# Adoption Criteria
+
+This document describes how PowerShellOrg evaluates tools for adoption, what we commit to when we adopt something, and what the submitter commits to.
+
+Read this before submitting a [Tool Adoption Request](https://github.com/PowerShellOrg/.github/issues/new?template=tool_adoption_request.yml).
+
+---
+
+## Must-be-true criteria
+
+All six of the following must be true before we will adopt a tool. These are not negotiable.
+
+### 1. Open-source license
+
+The tool must have an OSI-approved open-source license in place before or at the time of transfer. We strongly prefer MIT or Apache 2.0, which are compatible with the rest of the org's tooling and license stack.
+
+Tools with no license, or with proprietary or source-available licenses, are ineligible. If the original author is willing to relicense to MIT, that resolves the issue — we can help coordinate.
+
+### 2. Author consent or demonstrated abandonment
+
+We do not take over maintained projects without permission.
+
+- **If the original author is reachable and active:** We require explicit written consent (a GitHub comment, email, or issue) from the author or all current maintainers. This protects them and protects us.
+- **If the project appears abandoned:** We require documented evidence that we made a reasonable good-faith effort to reach the author (GitHub @-mention, issue opened, email to the address in the git log or package metadata) and received no response after at least 30 days.
+
+When in doubt, we wait. Burning bridges with the original author is not worth any single tool.
+
+### 3. Real user base
+
+The tool must have evidence of real-world use: PSGallery downloads, GitHub stars/forks, dependent projects, forum mentions, or other signals that someone besides the submitter relies on it.
+
+We will not adopt a tool that has no users outside its author, because there would be no one to maintain it for.
+
+### 4. Manageable scope
+
+The tool's maintenance burden must be sustainable given the org's current maintainer pool. We consider:
+
+- Lines of code and architectural complexity
+- Test coverage and CI state (a tool with no tests requires significant upfront investment)
+- Open issue and PR backlog
+- Dependency footprint
+
+We will not adopt a tool if doing so would overextend our maintainers. We would rather maintain a smaller number of tools well than a large number poorly.
+
+### 5. No unaddressed security issues
+
+We will not inherit a tool with known, unaddressed security vulnerabilities. Before adoption, the submitter must either:
+
+- Confirm there are no known security issues, or
+- Document all known issues and commit to addressing them in the first release cycle
+
+This is not about perfection — it is about not knowingly shipping something unsafe to our users.
+
+### 6. No legal encumbrance
+
+The tool must not carry legal risks that would expose PowerShellOrg or its maintainers. Examples of disqualifying encumbrances:
+
+- Copyright claims from a third party
+- Code copied from a non-compatible license without attribution
+- Trademark issues
+- Export control restrictions
+
+---
+
+## What PowerShellOrg commits to
+
+When we adopt a tool, we commit to:
+
+1. **Maintaining it actively** — responding to issues within our SLA, reviewing PRs, and cutting releases when there are meaningful changes
+2. **Not abandoning it silently** — if we decide we cannot maintain a tool, we will announce it publicly and give the community 90 days to find alternative stewardship before archiving
+3. **Keeping it open source** — the tool will remain under its existing OSI license (or a compatible one with explicit permission)
+4. **Not breaking the API or CLI interface without a major version bump** — we respect existing users' scripts and pipelines
+5. **Giving credit** — the original author's contributions remain in git history and are acknowledged in the CHANGELOG and package metadata
+6. **Handling security responsibly** — following our published security policy for vulnerability disclosure and response
+
+---
+
+## What the submitter commits to
+
+Adoption requests that do not include a maintainer commitment are evaluated more skeptically. A tool with no one willing to maintain it is a higher-risk adoption.
+
+If you are submitting a request and are willing to maintain the tool:
+
+1. **Minimum 6 months of active maintenance** — you will triage issues, review PRs, and be reachable for at least 6 months after adoption
+2. **On-boarding and knowledge transfer** — you will work with the PowerShellOrg maintainer team to document the tool's internals, known issues, and quirks before stepping back
+3. **Good-faith participation** — you will engage with the community, respond to review comments, and follow PowerShellOrg's contribution norms
+4. **Transparency about limitations** — if you know the tool has problems, you will document them upfront rather than letting us discover them post-adoption
+
+We understand life happens. If you need to step back before the 6 months are up, tell us early — we will work with you.
+
+---
+
+## The adoption workflow
+
+| Step | Owner | Timeline |
+|---|---|---|
+| Submitter files a Tool Adoption Request | Submitter | — |
+| Steward acknowledges the request and assigns it to the Council | Steward | 7 days |
+| Council members review and comment | Council | 30 days |
+| Steward makes a decision (adopt / decline / defer) | Steward | 30 days from submission |
+| If adopted: repo transfer initiated, onboarding begins | Steward + submitter | Week of decision |
+| Repo moves to `status-incoming`, Revival Playbook begins | Lead maintainer | Immediately after transfer |
+
+### What "declined" means
+
+A declined adoption request is not a judgment on the tool's quality or the submitter's intentions. Common reasons for declining:
+
+- The tool does not meet one of the must-be-true criteria
+- Our current maintainer pool cannot take it on right now
+- A better maintainer or org has already stepped up
+
+We will always explain the reason. Declined requests may be resubmitted when circumstances change.
+
+### What "deferred" means
+
+A deferred request means we are interested but there is a blocker we need to resolve first — usually the license, the author consent, or maintainer capacity. We will set a follow-up date and reopen the discussion then.
@@ -0,0 +1,137 @@
+# Maintainer Onboarding
+
+Welcome to PowerShellOrg. This checklist walks you through everything you need to be fully operational on day one and productive in the first week.
+
+---
+
+## Day 1: Access and accounts
+
+### GitHub org access
+
+- [ ] Accept the org invite from the Steward (check your GitHub notifications and email)
+- [ ] Verify you have **Write** access to your assigned repo(s) — navigate to the repo → **Settings** → **Collaborators and teams**
+- [ ] Enable **two-factor authentication** on your GitHub account if not already enabled — this is a hard requirement for org membership ([docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication))
+
+### Council channel
+
+- [ ] Introduce yourself in the Council channel: `<FILL IN: channel URL or invite link>`
+- [ ] Note your timezone and typical availability (helps set realistic review expectations)
+
+### PSGallery account
+
+- [ ] Confirm you have a [PowerShell Gallery](https://www.powershellgallery.com/) account
+- [ ] Share your PSGallery username with the Steward — you will need it for the API key issuance step below
+
+---
+
+## Day 1: Repo familiarization
+
+- [ ] Clone the repo locally
+- [ ] Read the repo's `README.md` and any existing `CONTRIBUTING.md`
+- [ ] Read `CHANGELOG.md` to understand recent history
+- [ ] Read open issues and PRs — look for anything labeled `needs-triage` or with recent activity
+
+---
+
+## Day 1: Branch protection verification
+
+Verify the repo's default branch has the following protections enabled. Navigate to the repo → **Settings** → **Branches** → branch protection rule for `main`.
+
+- [ ] **Require a pull request before merging** — enabled
+- [ ] **Require approvals** — at least 1 required reviewer
+- [ ] **Dismiss stale pull request approvals when new commits are pushed** — enabled
+- [ ] **Require status checks to pass before merging** — enabled; the CI workflow must be listed
+- [ ] **Require branches to be up to date before merging** — enabled
+- [ ] **Require linear history** — enabled
+- [ ] **Do not allow force pushes** — enabled
+- [ ] **Do not allow deletions** — enabled
+
+If any of these are missing, notify the Steward before merging anything.
+
+---
+
+## Day 1: PSGallery API key
+
+PowerShellOrg uses **per-repo scoped API keys** for PSGallery. You do not get an org-wide key.
+
+### Key issuance process (Steward action)
+
+The Steward creates the key with these parameters:
+
+| Parameter | Value |
+|---|---|
+| Key name | `PowerShellOrg-<RepoName>-<YYYY-MM>` (e.g., `PowerShellOrg-PSDepend-2025-11`) |
+| Glob pattern | The module name exactly (e.g., `PSDepend`) |
+| Expiration | 365 days (the PSGallery maximum) |
+
+The Steward then:
+1. Creates or updates the `PSGALLERY_API_KEY` Actions secret in the repo
+2. Adds a rotation reminder to the private key tracking issue (pinned to this repo)
+3. Notifies the maintainer that the key is in place
+
+### Maintainer steps
+
+- [ ] Confirm with the Steward that `PSGALLERY_API_KEY` is set in the repo's Actions secrets (**Settings** → **Secrets and variables** → **Actions**)
+- [ ] Note the key expiration month — the Steward will initiate rotation, but you may be asked to trigger it
+
+### Key rotation
+
+Keys expire after 365 days. The Steward tracks rotation in a private pinned issue. When rotation is due:
+1. Steward creates a new key on PSGallery with the same glob, new `YYYY-MM` suffix in the name
+2. Steward updates the `PSGALLERY_API_KEY` secret in the repo
+3. Old key is deleted from PSGallery
+4. Tracking issue is updated
+
+---
+
+## Day 1: CI bootstrap
+
+- [ ] Install the standard build stack locally:
+
+  ```powershell
+  Install-Module psake            -Scope CurrentUser -Force
+  Install-Module PowerShellBuild  -Scope CurrentUser -Force
+  Install-Module PSScriptAnalyzer -Scope CurrentUser -Force
+  Install-Module Pester           -Scope CurrentUser -Force -MinimumVersion '5.0' -MaximumVersion '5.99'
+  ```
+
+- [ ] Run `Invoke-psake ?` in the repo root — confirm the standard tasks are listed (Init, Clean, Build, Test, Analyze, Publish)
+- [ ] Run `Invoke-psake Test` — confirm all tests pass
+- [ ] Run `Invoke-psake Analyze` — confirm no PSScriptAnalyzer warnings
+- [ ] Navigate to the repo's **Actions** tab and confirm the CI workflow is running and green on `main`
+
+If the CI workflow is not present or not green, see the [Revival Playbook](revival-playbook.md) Phase 3 for modernization steps.
+
+---
+
+## First week: Communication norms
+
+### Issue and PR triage
+
+| Repo status | First-response target |
+|---|---|
+| `status-active` | 7 days |
+| `status-stable` | 30 days |
+
+First response means: a label applied, a comment acknowledging the issue, or a review comment on the PR — not necessarily a resolution.
+
+Set up GitHub notifications for your repo: **Watch** → **All activity**, or at minimum **Issues** and **Pull requests**.
+
+### Code review
+
+- Aim to complete (not just start) reviews within 30 days of assignment
+- Use GitHub's "Request changes" only when a change is genuinely blocking — a comment thread is sufficient for most feedback
+- When merging, prefer **Squash and merge** for single-commit PRs and **Merge commit** for multi-commit work where history is meaningful. Avoid **Rebase and merge** unless the branch is perfectly clean — it rewrites history and removes the merge traceability.
+
+### Releases
+
+- Announce releases in the Council channel when they go out
+- Tag the release commit with `vX.Y.Z` — this triggers the release workflow
+- The GitHub Release notes are auto-generated; add a brief human summary at the top if the automated notes are too sparse
+
+### Escalation
+
+- Blocked by a technical question? Post in the Council channel — another maintainer may know the answer.
+- Blocked by a process question? Ask the Steward.
+- Seeing behavior that might violate the Code of Conduct? Report to `conduct@powershellorg.example` or message the Steward directly.
+- Need to step down or take a break? Tell the Steward as early as possible — we would rather hand off gracefully than have a repo go dark unexpectedly.