diff --git a/.claude/skills/allocate-cve/SKILL.md b/.claude/skills/allocate-cve/SKILL.md index 98b1d18a..b6c6c6db 100644 --- a/.claude/skills/allocate-cve/SKILL.md +++ b/.claude/skills/allocate-cve/SKILL.md @@ -4,7 +4,7 @@ description: | Walk a security team member through allocating a CVE for an tracking issue. Prints the ASF Vulnogram allocation URL and a CVE-ready title (the issue title stripped of - redundant `Apache Airflow:`, `[ Security Report ]`, trailing + redundant `: :` (e.g. `Apache Airflow:`), `[ Security Report ]`, trailing version parens and similar noise), waits for the allocated CVE ID (allocation is PMC-gated — non-PMC triagers relay to a PMC member), and then updates the tracker in place: fills in the diff --git a/.claude/skills/import-security-issue-from-pr/SKILL.md b/.claude/skills/import-security-issue-from-pr/SKILL.md index a4f0197d..560e3f03 100644 --- a/.claude/skills/import-security-issue-from-pr/SKILL.md +++ b/.claude/skills/import-security-issue-from-pr/SKILL.md @@ -277,7 +277,7 @@ Start from `pr.title`. Strip: - `[skip ci]`, `[ci-skip]`, `[skip-ci]` markers. - Trailing `(#NNNN)` and `[#NNNN]`. -Do **not** add `Apache Airflow:` prefix — that lives in the CVE +Do **not** add `: :` (e.g. `Apache Airflow:`) prefix — that lives in the CVE title, not the tracker title (the [`allocate-cve`](../allocate-cve/SKILL.md) skill normalises for the CVE record). Tracker titles in `` are diff --git a/.claude/skills/import-security-issue/SKILL.md b/.claude/skills/import-security-issue/SKILL.md index ff90a833..5d04fca5 100644 --- a/.claude/skills/import-security-issue/SKILL.md +++ b/.claude/skills/import-security-issue/SKILL.md @@ -191,7 +191,7 @@ report: Use the canonical candidate-listing query template from [`tools/gmail/search-queries.md`](../../../tools/gmail/search-queries.md#import-security-issue--candidate-listing-query); substitute the adopting project's `` (Airflow: -`security.airflow.apache.org`) and the project's GitHub-notification +``) and the project's GitHub-notification exclusions — both declared in [`/project.md`](../../..//project.md#gmail-and-ponymail). @@ -427,7 +427,7 @@ fuzzy-match search against existing issues on three orthogonal keys: some other tracker already discusses the same code surface — often a partial overlap, possibly a duplicate. 3. **Subject root-cause keywords**: strip `[SECURITY]`, `[Security - Report]`, `Re:`, `Fwd:`, `FW:`, `Airflow:` / `Apache Airflow:` + Report]`, `Re:`, `Fwd:`, `FW:`, `Airflow:` / `: :` (e.g. `Apache Airflow:`) prefixes from the root message's subject, then take the remaining 3–5 noun-phrase tokens (for example `"RCE BaseSerialization.deserialize next_kwargs"`) and search: diff --git a/.claude/skills/invalidate-security-issue/SKILL.md b/.claude/skills/invalidate-security-issue/SKILL.md index 02c6b5f0..71e0d99d 100644 --- a/.claude/skills/invalidate-security-issue/SKILL.md +++ b/.claude/skills/invalidate-security-issue/SKILL.md @@ -197,7 +197,7 @@ Scan `tracker.comments[]` for posts that argue **why** the report is not a security issue. Strong signals: - Citations of the - [Apache Airflow Security Model](https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.html) + [Apache Airflow Security Model]() (full URL, anchor links, paraphrases). - Phrases like *"this is by design"*, *"out of scope"*, *"documented behavior"*, *"requires X privileges already"*, diff --git a/.claude/skills/sync-security-issue/SKILL.md b/.claude/skills/sync-security-issue/SKILL.md index 165253fe..b2e1cfb5 100644 --- a/.claude/skills/sync-security-issue/SKILL.md +++ b/.claude/skills/sync-security-issue/SKILL.md @@ -701,7 +701,7 @@ before the archive indexes it. **Search recipe.** Use the CVE-review-comment query templates in [`tools/gmail/search-queries.md`](../../../tools/gmail/search-queries.md#sync-security-issue--cve-review-comment-search); substitute the adopting project's `` (Airflow: -`security.airflow.apache.org`, declared in +``, declared in [`/project.md`](../../..//project.md#gmail-and-ponymail)) and run via `search_threads` per [`tools/gmail/operations.md`](../../../tools/gmail/operations.md#search-threads). @@ -1480,7 +1480,7 @@ the actual person, in this order: ``` mcp__ponymail__search_list( list: "dev", - domain: "airflow.apache.org", + domain: "", subject: "[RESULT][VOTE]", query: "", timespan: "lte=14d" @@ -1517,7 +1517,7 @@ line so the handoff is unambiguous: > Allocate a CVE via the [`allocate-cve`](../allocate-cve/SKILL.md) > skill. It opens the ASF Vulnogram form at > , pre-computes a CVE-ready -> title (stripped of `Apache Airflow:` / `[ Security Report ]` / version +> title (stripped of `: :` (e.g. `Apache Airflow:`) / `[ Security Report ]` / version > noise), and — once you paste back the allocated `CVE-YYYY-NNNNN` ID — > wires it into the tracker (body field, label, status comment, CVE > JSON embed). @@ -1849,7 +1849,7 @@ finalising the recap. [`AGENTS.md`](../../../AGENTS.md) for the full rationale. - **Never paraphrase the Security Model** in the draft email. Link to the relevant chapter on - `https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.html` + `` instead, following the editorial guidance in [`AGENTS.md`](../../../AGENTS.md). - **Never name or describe other ASF projects' vulnerabilities** in any tracker-destined surface — rollup entry bodies, status comments, issue diff --git a/README.md b/README.md index 5803334d..5b0ca103 100644 --- a/README.md +++ b/README.md @@ -1067,7 +1067,7 @@ for the `` placeholder used throughout the framework (see | Project | Directory | Index | Manifest | |---|---|---|---| -| [Apache Airflow](https://airflow.apache.org/) | [`projects/airflow/`](projects/airflow/) | [`/README.md`](/README.md) | [`/project.md`](/project.md) | +| [Apache Airflow](/) | [`projects/airflow/`](projects/airflow/) | [`/README.md`](/README.md) | [`/project.md`](/project.md) | Add a new project by copying [`projects/_template/`](projects/_template/) into diff --git a/tools/gmail/operations.md b/tools/gmail/operations.md index 4c7844da..288b1bd7 100644 --- a/tools/gmail/operations.md +++ b/tools/gmail/operations.md @@ -54,7 +54,7 @@ mcp__claude_ai_Gmail__search_threads( Substitute the `` with the domain suffix of the project manifest's `security_list` (for ``, the value is -`security.airflow.apache.org`). +``). A non-empty result means Gmail is connected and indexed; an empty result means either the account does not subscribe, or the MCP is diff --git a/tools/gmail/ponymail-archive.md b/tools/gmail/ponymail-archive.md index 77b8a213..8efaa259 100644 --- a/tools/gmail/ponymail-archive.md +++ b/tools/gmail/ponymail-archive.md @@ -44,7 +44,7 @@ Placeholder convention: *Mailing lists* section). - `` — the list's domain component (for ``, the value is - `security.airflow.apache.org`); used inside the URL's query + ``); used inside the URL's query string. ## URL shapes @@ -75,7 +75,7 @@ https://lists.apache.org/api/thread.lua?list=&domain=&q ``` Where `` is the portion before the `@` (e.g. `users`) -and `` is the portion after (e.g. `airflow.apache.org`). +and `` is the portion after (e.g. ``). Request via `gh api ` (authenticates as the user — helpful for private lists if they ever open up) or plain `curl -s ` for diff --git a/tools/gmail/search-queries.md b/tools/gmail/search-queries.md index 09ff13af..b777ea41 100644 --- a/tools/gmail/search-queries.md +++ b/tools/gmail/search-queries.md @@ -32,7 +32,7 @@ Placeholder convention: [`../..//project.md`](../..//project.md#mailing-lists)). - `` — the domain suffix of that list (for ``, the value is - `security.airflow.apache.org`). Gmail's `list:` operator uses the + ``). Gmail's `list:` operator uses the domain form, not the plain address. - `` — the project's public release-vote list (for Airflow, ``). @@ -41,7 +41,7 @@ Placeholder convention: | Operator | Purpose | |---|---| -| `list:` | Match messages sent to a mailing list. Domain form — `list:security.airflow.apache.org`, not `list:`. | +| `list:` | Match messages sent to a mailing list. Domain form — `list:`, not `list:`. | | `from:` / `-from:` | Match (or exclude) a sender. | | `to:` / `cc:` | Match a recipient / copy-recipient. | | `subject:""` | Match a substring in the subject line (quoted for multi-word). | diff --git a/tools/ponymail/operations.md b/tools/ponymail/operations.md index f80d3d7b..41002a3d 100644 --- a/tools/ponymail/operations.md +++ b/tools/ponymail/operations.md @@ -39,12 +39,12 @@ Placeholder convention used below: - `` — list prefix without the `@` (e.g. `security`, `dev`, `users`, `announce`, `private`). -- `` — list domain (e.g. `airflow.apache.org`, - `security.airflow.apache.org`). The PonyMail API treats +- `` — list domain (e.g. ``, + ``). The PonyMail API treats `` as `list: "security"` + `domain: - "airflow.apache.org"`; a few private lists use a dedicated - subdomain (`security.airflow.apache.org`), in which case `list: - "security"` + `domain: "security.airflow.apache.org"` is the + ""`; a few private lists use a dedicated + subdomain (``), in which case `list: + "security"` + `domain: ""` is the right split. - `` — opaque PonyMail thread identifier, returned by `search_list` and `get_email`. @@ -121,7 +121,7 @@ Returns the full `{ domain → { list → message_count } }` map the MCP can see with the current session. Use cases: - **Sanity-check** that the session sees the private lists the - project relies on (e.g. `security.airflow.apache.org` → + project relies on (e.g. `` → `security`). If an expected list is missing, the session's LDAP groups do not include membership for that list and downstream queries will return empty. diff --git a/tools/ponymail/tool.md b/tools/ponymail/tool.md index bf4bbe7b..0cec818c 100644 --- a/tools/ponymail/tool.md +++ b/tools/ponymail/tool.md @@ -183,7 +183,7 @@ mcp__ponymail__list_lists() The result is a `{ domain → { list → message_count } }` map. For an Airflow security-team triager, you should see -`security.airflow.apache.org` → `{ security: }` — proof that +`` → `{ security: }` — proof that the session has PMC-level LDAP access. If you only see public lists (`dev`, `users`, `announce`), the LDAP group membership is not being recognised; contact ASF Infra. diff --git a/tools/vulnogram/allocation.md b/tools/vulnogram/allocation.md index ae1e4e95..1df69ab2 100644 --- a/tools/vulnogram/allocation.md +++ b/tools/vulnogram/allocation.md @@ -68,7 +68,7 @@ source is the ASF project page, | Vulnogram form field | Source in the tracker | |---|---| -| **Title** | Tracker title, passed through the project's title-normalisation cascade (for Airflow, `/title-normalization.md`). The CNA container already scopes the title to the product, so any project prefix (`Apache Airflow:` etc.) must be stripped before pasting. | +| **Title** | Tracker title, passed through the project's title-normalisation cascade (for Airflow, `/title-normalization.md`). The CNA container already scopes the title to the product, so any project prefix (`: :` (e.g. `Apache Airflow:`) etc.) must be stripped before pasting. | | **Product** | Derived from the tracker's scope label via the per-project scope → product mapping (for Airflow, `/scope-labels.md`). | | **CWE** | Tracker body's *cwe* field (role-name — `/project.md` declares the concrete GitHub heading for this project). `_No response_` → the allocator fills it at form time. | | **Affected versions** | Tracker body's *affected-versions* field. | diff --git a/tools/vulnogram/generate-cve-json/SKILL.md b/tools/vulnogram/generate-cve-json/SKILL.md index 3de60777..18fb83eb 100644 --- a/tools/vulnogram/generate-cve-json/SKILL.md +++ b/tools/vulnogram/generate-cve-json/SKILL.md @@ -50,7 +50,7 @@ diff the two to see what the tool has added / what you changed by hand. `CVE tool link` field has not yet been filled in, or retarget the JSON to a different CVE ID. - `--title "Apache Airflow: …"` — override the CVE title. Default is - the GitHub issue title with an `Apache Airflow: ` prefix when it + the GitHub issue title with an `: :` (e.g. `Apache Airflow:`) prefix when it does not already start with that phrase. - `--version-start X.Y.Z` — override the start of the affected version range (the `affected[].versions[].version` field). Default is the