# AetherSDR CODEOWNERS
#
# Three tiers, last-matching-pattern wins. Numbered by exclusivity, not by
# file position — Tier 1 is the smallest, most-exclusive owner set; Tier 3
# is the broadest. The file is laid out broad → specific so the more
# restrictive tiers override the broader defaults via CODEOWNERS'
# last-match-wins semantics:
#
#   Tier 3 (source code, broad default)       — top of file (the `*` line)
#   Tier 2 (project infrastructure)           — middle (specific paths)
#   Tier 1 (governance, security, bot policy) — bottom (most specific paths)
#
# Tier 1 — @aethersdr/maintainers (currently: @ten9876).
#         Project governance and direction (CONSTITUTION, GOVERNANCE,
#         CONTRIBUTING, CODE_OF_CONDUCT, LICENSE, ROADMAP), security
#         controls (SECURITY*, signing keys, CODEOWNERS itself, CodeQL
#         configs, CI workflow definitions), legal/compliance
#         (THIRD_PARTY_LICENSES), and bot/agent instruction
#         (AGENTS.md, CLAUDE.md, GEMINI.md, .claude/commands/).
# Tier 2 — @aethersdr/infrastructure (currently: @ten9876, @jensenpat).
#         Project infrastructure: CI/CD configuration not in T1
#         (dependabot, docker, issue templates), documentation
#         (docs/, *.md catchall, including README/CHANGELOG/SUPPORT
#         which fall through here from the *.md glob), tests, and
#         build configuration (CMakeLists.txt). Narrower owner set
#         than Tier 3 because infrastructure changes need deeper
#         repo context than routine source review.
# Tier 3 — @aethersdr/reviewers (currently: @ten9876, @jensenpat, @NF0T, @rfoust, @chibondking).
#         AetherSDR source code and anything else not enumerated
#         above (src/, third_party/, plugins/, hal-plugin/,
#         resources/, packaging/, scripts/). Broadest collaborator
#         roster because routine source review benefits from more
#         eyes.
#
# Team rosters are managed in the GitHub org settings:
#   https://github.com/orgs/aethersdr/teams
# Adding or removing a code owner is a single team-membership change
# rather than an edit to this file. The roster lists above are
# documentation only — the live source of truth is the org team.
#
# All approvals are human-only. @AetherClaude (the project's machine
# user) is intentionally NOT a member of any team — bot-generated PRs
# still need a human reviewer regardless of which paths they touch.
#
# CODEOWNERS has no permission hierarchy. A path may match several
# patterns, but only the last matching line applies, and that line's
# owners completely replace those of any earlier match. The numbering
# above is documentary; the operative semantics come from the file's
# pattern order plus last-match-wins, so a pattern added below the
# Tier 1 block overrides Tier 1 for every path it matches.
#
# Self-approval is hard-blocked by GitHub regardless of CODEOWNERS
# membership, so a contributor cannot approve their own PR even on
# paths they own.

# ── Tier 3: source code, broad default — catches anything not enumerated ───
*                            @aethersdr/reviewers

# ── Tier 2: project infrastructure — narrower owner set than Tier 3 ────────
# CI/CD configuration not in Tier 1, documentation, tests, build config.

# Documentation & tests
tests/                       @aethersdr/infrastructure
docs/                        @aethersdr/infrastructure
*.md                         @aethersdr/infrastructure

# GitHub-specific tooling
.github/dependabot.yml       @aethersdr/infrastructure
.github/docker/              @aethersdr/infrastructure
.github/ISSUE_TEMPLATE/      @aethersdr/infrastructure

# Build configuration
CMakeLists.txt               @aethersdr/infrastructure

# ── Tier 1: governance, security, bot policy — maintainer-only ────────────
# Project governance & direction
AGENTS.md                    @aethersdr/maintainers
CLAUDE.md                    @aethersdr/maintainers
CODE_OF_CONDUCT.md           @aethersdr/maintainers
CONSTITUTION.md              @aethersdr/maintainers
CONTRIBUTING.md              @aethersdr/maintainers
GEMINI.md                    @aethersdr/maintainers
GOVERNANCE.md                @aethersdr/maintainers
LICENSE                      @aethersdr/maintainers
ROADMAP.md                   @aethersdr/maintainers

# Security & compliance
SECURITY.md                  @aethersdr/maintainers
SECURITY-AUDIT.md            @aethersdr/maintainers
THIRD_PARTY_LICENSES         @aethersdr/maintainers
.github/CODEOWNERS           @aethersdr/maintainers
.github/codeql/              @aethersdr/maintainers
docs/RELEASE-SIGNING-KEY.pub.asc  @aethersdr/maintainers

# CI runtime — release artifacts, registry pushes, GITHUB_TOKEN scopes.
# Kept at Tier 1 despite the framework's CI/CD-in-T2 default because a
# malicious workflow change can exfiltrate secrets or publish unsigned
# releases. Workflow-config sensitivity outweighs the categorical match.
.github/workflows/           @aethersdr/maintainers

# Bot / agent instruction (source of truth for AI tool behaviour)
.claude/commands/            @aethersdr/maintainers
