ASF Policy MCP
MCP server for answering questions about Apache Software Foundation policies.
Covers the full set of policies listed at https://www.apache.org/board/policies — releases, licensing, branding, security, infrastructure, incubator, and more.
Policy pages are cached locally for 30 days. Use force_refresh=true on read tools to bypass the cache for a single call.
Install
python3 -m venv .venv
. .venv/bin/activate
pip install -e .
Run
asf-policy-mcp
For local development:
python -m asf_policy_mcp.server
Test
pip install -e ".[dev]"
make check
Configure with Claude Desktop or Codex
{
"mcpServers": {
"asf-policy": {
"command": "<path to PolicyMCP>/.venv/bin/python",
"args": ["-m", "asf_policy_mcp.server"]
}
}
}
Tools
list_policies— list all available policy documents organised by section, with cache status.get_policy— retrieve the full text of a policy document by key (e.g.release_policy,branding,incubator).search_policies— keyword search across all policy documents, returning ranked excerpts with context.refresh_cache— force re-fetch of one or all policy documents from the ASF website.
Example questions
Releases
- What files must be included in a release artifact for it to be valid?
- Can we ship a release with only one +1 vote from the PMC?
- Where must release artifacts be published — can we use GitHub Releases as the primary download?
Incubator
- What does a podling need to do before it can graduate?
- Can a podling cut a release before graduating, and what extra requirements apply?
- Who can vote on a podling release, and whose votes are binding?
Licensing
- Is the MIT licence compatible with Apache 2.0 for bundling in a release?
- Can we include a library licensed under LGPL 2.1?
- What is a Category X licence and why does it matter?
- Do we need a CLA from every contributor, or only committers?
- What licence headers are required in source files?
Security
- If someone reports a vulnerability privately, how long before we must disclose?
- Should security issues be discussed on the public dev list?
Branding
- Can a company call its commercial product "Apache Foo Enterprise Edition"?
- Can a third party use "Apache Foo" in the name of their commercial product?
- What must appear on a project website for trademark compliance?
Infrastructure, press, privacy, and reporting
- Can a project use an external Git host like GitLab as its primary code repository?
- Can a project host its website on GitHub Pages?
- Can a company issue a press release announcing new features they've added support for in an Apache project?
- Are Apache mailing list archives public, and what does that mean for personal data posted to them?
- If a PMC discovers a company misusing their project's trademark, who handles it and what should they do first?
- Can a project list corporate affiliations next to committer names on a "Who We Are" page?
- What fields are required in every PMC board report?
Apache Foo scenarios
- Apache Foo wants to publish container images, nightly builds, and release candidates from the same Docker Hub namespace. Which parts are allowed, and what labels or warnings are needed?
- ExampleCo donated most of Apache Foo's original code and still employs most committers. What website, branding, and project independence issues should the PMC watch for?
- A security researcher privately reports a vulnerability in Apache Foo, but a downstream vendor wants to publish a fix immediately. How should the PMC coordinate disclosure, release voting, and public communication?
- Apache Foo wants to accept a large generated code contribution produced with AI tooling and containing third-party snippets. Which licensing, provenance, and source-header checks apply?
- The Apache Foo PMC wants to run an in-person "FooCon" with paid sponsors, project swag, and talks by vendors. Which event branding, merchandise, press, and conduct policies apply?
- A former Apache Foo committer asks for their name and email to be removed from old mailing list archives and Git commits. What do the privacy, public archive, and repository policies imply?
- Apache Foo has not released in two years, has no recent PMC additions, and depends on infrastructure that Infra wants to retire. What should the next board report include?
Policy documents
| Key | Title | Section |
|---|---|---|
pmc |
PMC Guide | Community And Project Oversight |
code_of_conduct |
Code of Conduct | Community And Project Oversight |
anti_harassment |
Anti-Harassment Policy | Community And Project Oversight |
public_archives |
Public Forum Archive Policy | Community And Project Oversight |
project_independence |
Project Independence | Independence |
board_reporting |
Board Reporting Requirements | Reporting |
release_policy |
Release Policy | Release |
voting |
Apache Voting Process | Release |
release_distribution |
Release Distribution Policy | Release |
docker_hub |
Docker Hub Policy | Release |
release_download_pages |
Release Download Pages Policy | Release |
nightlies |
Project Use of nightlies.apache.org | Release |
security |
Security Team Guidance | Security |
security_committers |
Vulnerability Handling for Committers | Security |
licenses |
Contributor License Agreements | Licensing |
apply_license |
Applying the Apache License, Version 2.0 | Licensing |
cla_faq |
CLA FAQ | Licensing |
source_headers |
Apache Source Headers | Licensing |
resolved_licenses |
Approved/Resolved Third-Party Licenses | Licensing |
crypto_policy |
Handling Cryptography within an ASF Release | Licensing |
generative_tooling |
Generative Tooling Guidance | Licensing |
branding |
Project Branding Requirements | Branding |
trademark_maintenance |
Trademark Maintenance Responsibilities | Branding |
website_linking |
Website Linking Policy | Branding |
event_branding |
Third-Party Event Branding Policy | Branding |
merchandise_branding |
Non-Software Merchandise Branding Policy | Branding |
domain_name_branding |
Domain Name Branding Policy | Branding |
downstream_distribution |
Apache Software Downstream Distribution Policy | Branding |
podling_branding |
Incubator Podling Branding Guide | Branding |
event_code_of_conduct |
Event Code of Conduct | Events |
trademark_policy |
ASF Trademark Policy | Branding |
repo_policy |
Repository Policy | Infrastructure |
infra_site_ban |
Site-Wide Ban | Infrastructure |
committer_outreach |
Outreach to Committers | Infrastructure |
content_moderation |
Content Moderation | Infrastructure |
mail_rejection |
Mail Rejection Policy | Infrastructure |
spam_reporting |
Dealing with Spam in Your ASF Email Account | Infrastructure |
password_policy |
Password Requirements | Infrastructure |
third_party_services |
Policy on Issues in Third-Party Services | Infrastructure |
slack_policy |
Policy for Using ASF Slack | Infrastructure |
sensitive_information |
Policy on Sharing Sensitive Information with Infra | Infrastructure |
github_actions |
GitHub Actions | Infrastructure |
website_policy |
Website Policy | Infrastructure |
content_security_policy |
Content Security Policy | Infrastructure |
app_upgrade_policy |
Application Upgrades | Infrastructure |
backup_policy |
Backups | Infrastructure |
os_upgrade_policy |
Operating System Upgrades | Infrastructure |
vm_policy |
Virtual Machines for Projects | Infrastructure |
jira_account_approval |
Approving Jira Account Requests | Infrastructure |
jira_account_retention |
Jira Account Retention Policy | Infrastructure |
press |
Press & Marketing Policy | Press |
sponsorship |
Sponsorship Requirements | Fundraising |
privacy |
Privacy Policy | Privacy |
privacy_contributors |
Privacy Policy for Contributors | Privacy |
privacy_committers |
Privacy Policy for Committers | Privacy |
privacy_project_websites |
Privacy Policy for Project Websites | Privacy |
privacy_downloadable_products_high |
Privacy Policy for ASF Downloadable Applications (High Privacy Standards) | Privacy |
privacy_downloadable_products_medium |
Privacy Policy for Products with Medium Privacy Standards | Privacy |
privacy_mailing_lists |
Mailing List Policy | Privacy |
incubator |
Incubator Podling Policies | Incubator |
incubator_ip_clearance |
Incubator IP Clearance | Incubator |
