CivicTechWR · BreakableHoodie · Jun 4, 2026 · Jun 4, 2026
@@ -16,90 +16,126 @@
 
 ## Critical
 
-- [ ] **1. Enable 2FA requirement** — Settings → Authentication security → "Require two-factor authentication"
-  - _Prerequisite: post Slack announcement and give 1–2 weeks notice before enabling_
-  - _Impact: members without 2FA are auto-removed from org on enforcement date_
+- ⏳ **1. Enable 2FA requirement** — Settings → Authentication security → "Require two-factor authentication"
+  - _Post Slack announcement first; give 1–2 weeks notice before enabling_
+  - _Table for Saturday org meeting_
 
 ---
 
 ## High
 
 - [ ] **2. Revoke Travis CI GitHub App** — Settings → GitHub Apps → Travis CI → Revoke
-  - _Zero repos use it. No breakage risk. Can be done immediately._
+  - _Zero repos use it. No breakage risk. Do before Saturday._
 
-- [ ] **3. Scope Slack app permissions** — Settings → GitHub Apps → Slack → Configure
+- [ ] **3. Scope Slack app permissions** — Must be done via UI
   - _Currently: `repository_selection: all` with `contents: write` + `workflows: write`_
-  - _Target: restrict to specific repos it posts from, OR replace with official GitHub-for-Slack integration_
-  - _Needs coordination: confirm which repos/channels are actively using the integration_
-
-- [ ] **4. Restrict GitHub Actions to trusted sources** — Settings → Actions → General → "Allow select actions"
-  - _Currently: `allowed_actions: "all"`_
-  - _Target settings:_
-    - ✅ Allow actions created by GitHub
-    - ✅ Allow Marketplace-verified creators
-    - Patterns: `peaceiris/*`, `ruby/*`
-  - _Used non-GitHub actions: `peaceiris/actions-gh-pages` (2 repos), `ruby/setup-ruby` (1 repo)_
-
-- [ ] **5. Enable secret scanning + push protection org-wide** — Settings → Code security and analysis
-  - _Currently enabled on only 6 of 35 repos_
-  - _Target: "Enable all" for both secret scanning and push protection_
+  - _Go to: github.com/organizations/CivicTechWR/settings/installations → Slack → Configure_
+  - _Change to "Only select repositories" — run `/github subscriptions` in Slack to see what's active_
+  - _Table for Saturday (needs coordination)_
+
+- [ ] **4. Restrict GitHub Actions to trusted sources** — Settings → Actions → General
+  - _Target: GitHub-owned + Marketplace-verified + `peaceiris/*`, `ruby/*`_
+  - _Can do before Saturday — no breakage_
+
+- [ ] **5. Enable secret scanning + push protection org-wide** — Settings → Code security and analysis → "Enable all"
   - _Include in Slack announcement_
 
-- [ ] **6. Enable Dependabot alerts org-wide** — Settings → Code security and analysis
-  - _Currently enabled on only 4 repos_
-  - _Target: "Enable all"_
+- [ ] **6. Enable Dependabot alerts org-wide** — Settings → Code security and analysis → "Enable all"
   - _Include in Slack announcement_
 
 ---
 
-## Medium (requires human judgment)
+## Medium
 
 - [x] **7. Stale membership audit — first pass (2026-06-04)**
   - _Removed from org:_ `jeffwoods`, `KristinaTaylor`, `ToddTurnbull`
-  - _Demoted from Organizers team (still org members):_ `hjroaf`, `middlekidd`, `coleWesterveld`
-  - _~50 inactive low-risk members remain — batch removal pending 2FA notice window (item 1)_
+  - _Demoted from Organizers team:_ `hjroaf`, `middlekidd`, `coleWesterveld`
+  - _Cleaned up:_ `BreakableHoodie` removed from project teams they didn't contribute to
+  - _~50 inactive low-risk members remain — batch removal after 2FA notice window_
   - _TODO: document offboarding cadence in `CTWR-Organization-Documentation`_
 
 - [x] **8. Outside collaborator review (2026-06-04)**
-  - _Removed:_ `aulakhznavreen`, `gohbi`, `JohnBuni`, `Kyle-Hawkins`, `msmel01`, `sarayyjaan`, `keriwarr`, `lcik`
-  - _Converted:_ `aleeeeeeeena` — admin access on `project-union-coop` revoked; invited to `project-union-coop` team (push). **Invite pending acceptance.**
-  - _Kept:_ `sae-br` — only remaining outside collab; active on `accessible-housing-portal`. Invite to org and add to team. **Tabled for Saturday.**
-
-- [x] **9. Assign project teams to repos + RBAC cleanup (2026-06-04)**
-  - _Added_ `wrvotes(push)` → `WRVotesMunicipal2022`, `WRVotesProv2025`, `WRVotesFed2025`, `WRvotesMunicipal2018`
-  - _Added_ `project-union-coop(push)` → `project-union-coop`
-  - _Added_ `website(push)` → `blog`, `ctwr-web`
-  - _Created_ `accessible-housing-portal` team (push) with `adinschmidt`, `jliu1016`, `ehharvey`
-  - _Renamed_ `project-lomo-admins` → `project-lomo-leads`; permission Admin → Maintain
-  - _Renamed_ `project-ploughshares-leads` permission Admin → Maintain
-  - _Removed_ 29 redundant direct user-to-repo assignments
-  - _Removed_ `BreakableHoodie` from `project-lomo-leads` (not a project contributor)
-  - _No team yet:_ `project-pech`, `epwr_case_management` — tabled for Saturday
+  - _Removed (8):_ `aulakhznavreen`, `gohbi`, `JohnBuni`, `Kyle-Hawkins`, `msmel01`, `sarayyjaan`, `keriwarr`, `lcik`
+  - _Converted:_ `aleeeeeeeena` — admin revoked; invited to `project-union-coop` team (push). **Invite pending.**
+  - _Invited to org:_ `sae-br` — active contributor on `accessible-housing-portal`; added to team. **Invite pending.**
+  - _Remaining outside collabs:_ `sae-br` (will resolve on invite acceptance)
+
+- [x] **9. RBAC model + team restructure (2026-06-04)**
+
+  **Permission fixes:**
+  - `project-lomo-admins` renamed → `project-lomo-leads`, Admin → Maintain
+  - `project-ploughshares-leads` Admin → Maintain
+  - `midtown-radio-app` Maintain → Write (push)
+  - `go-train-pass-project-team` Maintain → Write (push)
+
+  **Leads teams created (Maintain):**
+  | Team | Repo(s) | Lead(s) |
+  |------|---------|---------|
+  | `wrvotes-leads` | All 7 WRvotes repos | acant, pnijjar |
+  | `go-train-leads` | `go-train-group-pass` | jliu1016 |
+  | `project-union-coop-leads` | `project-union-coop` | jliu1016 |
+  | `accessible-housing-portal-leads` | `accessible-housing-portal` | jliu1016 |
+  | `epwr-case-management-leads` | `epwr_case_management` | jliu1016, indyng (pending) |
+  | `project-pech-leads` | `project-pech` | indyng (pending) |
+
+  **New contributor teams created (Write):**
+  - `accessible-housing-portal` — adinschmidt, jliu1016, ehharvey
+  - `project-pech` — j2fyi, writingindy, NipunGrover
+  - `epwr-case-management` — jliu1016
+
+  **Team-to-repo assignments added:**
+  - `wrvotes(push)` → WRVotesMunicipal2022, WRVotesProv2025, WRVotesFed2025, WRvotesMunicipal2018
+  - `project-union-coop(push)` → project-union-coop
+  - `website(push)` → blog, ctwr-web
+
+  **Direct assignments cleaned up:** 29+ redundant direct user-to-repo grants removed
+
+  **Pending invites:**
+  - `aleeeeeeeena` — project-union-coop team
+  - `sae-br` — accessible-housing-portal team
+  - `indyng` — project-pech-leads + epwr-case-management-leads
 
 - [ ] **10. Open issue: branch protection coverage**
-  - _Active repos with no branch protection:_
-    - `WRvotes`, `CTWR-Organization-Documentation`, `WRVotesMunicipal2022`, `ctwr-member-directory`
-    - `MidtownRadioApp`, `WRVotesFed2025`, `WRVotesProv2025`, `project-pech`, `blog`
-    - `go-train-group-pass`, `project-union-coop`, `WRVotesPlaceholder`, `WRvotesMunicipal2018`
-    - `CTWR-Template`, `accessible-housing-portal` (partial — 1 review required, no enforce_admins)
-  - _Open a tracking issue linking to `docs/governance/codeowners-branch-protection.md`_
+  - _Most active repos still have no branch protection_
+  - _Open tracking issue linking to `docs/governance/codeowners-branch-protection.md`_
   - _Invite opt-in; revisit enforcement next quarter_
 
 - [ ] **11. Review ChatGPT Codex Connector scope** — Settings → GitHub Apps → Codex Connector
-  - _Currently `repository_selection: all`_
-  - _Identify repos actively used with Codex and restrict to those_
+  - _Currently `repository_selection: all` — acting as PR reviewer org-wide_
+  - _Table for Saturday: confirm which projects want automated Codex reviews_
+
+---
+
+## Still Needs Leads Teams
+
+These projects have contributor teams but no leads team yet. Identify leads and create:
+
+| Project | Contributor team | Leads team needed |
+|---------|-----------------|-------------------|
+| Midtown Radio | `midtown-radio-app` | `midtown-radio-leads` |
+| Connected KW | `connected-kw` | `connected-kw-leads` |
+| Website | `website` | `website-leads` (team depleted — review membership first) |
+| ZoneChanges | `zonechanges` | `zonechanges-leads` (small team, low priority) |
 
 ---
 
 ## Low / Optional
 
 - [ ] **12. Enable `delete_branch_on_merge` org-wide** _(optional)_
-  - _Not a security risk — cleanliness only. Merged branches accumulate in the branch list._
-  - _Can enable in repo settings or org default_
 
-- ❌ **13. Rename `master` → `main`** — Deferred. New repos already use `main`. Legacy repos not worth the disruption.
+- ❌ **13. Rename `master` → `main`** — Deferred.
 
-- ❌ **14. Restrict `members_can_create_teams`** — Left as-is. Risk is low (teams need admin to get repo access). Restricting would prevent organizers from creating teams.
+- ❌ **14. Restrict `members_can_create_teams`** — Left as-is.
+
+---
+
+## Pending Invites (as of 2026-06-04)
+
+| User | Invited by | Queued teams |
+|------|-----------|--------------|
+| `aleeeeeeeena` | BreakableHoodie | `project-union-coop` (push) |
+| `sae-br` | BreakableHoodie | `accessible-housing-portal` (push) |
+| `indyng` | BreakableHoodie | `project-pech-leads` (maintain), `epwr-case-management-leads` (maintain) |
 
 ---
 
@@ -112,17 +148,11 @@ Draft at `/tmp/ctwr-slack-announcement.md`. Post to `#general` before enabling 2
 ## Verification Commands
 
 ```bash
-# Check 2FA status
 gh api orgs/CivicTechWR --jq '.two_factor_requirement_enabled'
-
-# Confirm Travis CI is gone
 gh api orgs/CivicTechWR/installations --jq '[.installations[].app_slug]'
-
-# Check Actions policy
-gh api orgs/CivicTechWR/actions/permissions --jq '.'
-
-# List remaining outside collaborators
+gh api orgs/CivicTechWR/actions/permissions --jq '.allowed_actions'
 gh api orgs/CivicTechWR/outside_collaborators --paginate --jq '.[].login'
+gh api orgs/CivicTechWR/invitations --paginate --jq '.[].login'
 ```
 
 ---