docs: add <framework> placeholder; update Python invocations to use it#3
Merged
Conversation
After PR 2 ported the generate-cve-json Python implementation into
the framework, skill files invoke it from the path
`tools/vulnogram/generate-cve-json` — which resolves correctly in
framework standalone (where `cwd` is the repo root) but not in
adopting projects (where the framework is at the
`.apache-steward/apache-steward/` submodule path and `tools/` is
nowhere near `cwd`).
This commit introduces a `<framework>` placeholder that resolves
to:
- `.apache-steward/apache-steward/` in adopting projects (the
submodule path);
- `.` (the repo root) in framework standalone.
Skills now reference `uv run --project <framework>/tools/vulnogram/
generate-cve-json …`, which works in both contexts after the
agent's standard placeholder substitution.
Files updated:
- AGENTS.md — added a new row to the placeholder convention table
for `<framework>`.
- .claude/skills/{sync-security-issue,allocate-cve,deduplicate-
security-issue}/SKILL.md — 6 invocation sites updated.
- tools/vulnogram/generate-cve-json/SKILL.md — 3 invocation sites
updated; preamble note already in place from PR 2 calling out the
config-driven design.
- tools/vulnogram/generate-cve-json/README.md — documented the
dual-context invocation pattern with the placeholder.
Markdown LINKS to SKILL.md (e.g. `[generate-cve-json](../../../tools/
vulnogram/generate-cve-json/SKILL.md)`) are deliberately not
rewritten — those work via the .claude/skills/ symlink in adopters
because the kernel follows the symlink to the actual file location
and resolves the relative path from there.
Test plan:
- Pre-commit (`prek run --all-files`) passes after the changes.
- All 100 tests in the generate-cve-json package pass against the
test fixture config.
This is the framework-side counterpart to airflow-s PR 3
(delete-local-cve-json-after-port). After this lands and gets
merged, the airflow-s PR 3 needs a final commit to bump the
submodule pointer to this commit's SHA so adopting projects pick up
both PR 2 (the Python implementation) and this PR's skill text.
Generated-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
6 tasks
This was referenced May 29, 2026
potiuk
added a commit
that referenced
this pull request
May 30, 2026
Fifth and final PR of the security genericization series. Lifts the remaining 4 docs in docs/security/ to read config knobs from projects/_template/project.md and the contract docs from PR1-PR4 (cve_authority.*, governance.*, security_inbox.*, forwarders.*, archive_system.*, scope_detection.*). Plus a final scrub of 4 skills for leftover ASF/Vulnogram literals. Byte-equivalent for the airflow-s adopter: every ASF/Airflow/ Vulnogram-specific value either resolves through a config knob whose ASF default matches today's behaviour, OR stays as one named-example aside in generic prose. Per-target lifts: - docs/security/threat-model.md (+107/-77) — Purpose/Scope/ Assumptions reframed from "ASF"/"PMC" to governance-knob terms. STRIDE matrix rows A.6/A.7/C.1-C.4/E.1-E.2 lifted: Vulnogram -> <cve-tool>; security@apache.org -> <security-list>; DRAFT/REVIEW/READY/PUBLIC -> cve_authority.states sequence (allocated -> review-ready -> publish-ready -> public). Mitigations M.10/M.16/M.18/M.19/M.27 + residual risks #3/#8/#10/#11 + re-audit cadence ownership generalised. - docs/security/forwarder-routing-policy.md (+42/-27) — references the optional security-issue-import-via-forwarder sub-skill from PR3 (#387) and the tools/forwarder-relay/README.md contract. Replaces "ASF-security relay" / "security@apache.org" with forwarders.enabled / <security-list> / foundation_security_address. ASF-Airflow shown as a named-example aside per concept. - docs/security/how-to-fix-a-security-issue.md (+20/-8) — "governance-authorised member of the adopting project (per governance.cve_allocation_gate)" replaces "PMC member of apache/airflow"; <cve-tool> + cve_authority.* replaces Vulnogram- specific URLs and state names; archive_system.advisory_publication_signal_url replaces the lists.apache.org users-list URL. - docs/security/new-members-onboarding.md (+26/-13) — onboarding- style register preserved. "PMC members and committers" reframed as "governance body that satisfies governance.cve_allocation_gate"; per-user-config "PMC status" steps reference the governance knob; Vulnogram steps reference <cve-tool> via cve_authority.record_url_template. - Final scrub of 4 skills (+17/-15 net): security-issue-import, security-issue-import-via-forwarder, security-issue-invalidate, security-issue-fix — leftover literal references caught and lifted to roster.bare_name_handles / governance.escalation_contact / forwarders.<adapter>.contact_handle. Aggregate: 8 files, +240/-156 lines. That closes the series. Five PRs (#381, #386, #387, #388, this) transitioned the security skill family from Airflow/ASF-coupled to a generic framework with ASF as the default-configured option. The airflow-s adopter, with the ASF defaults baked into project.md, sees byte-equivalent behaviour throughout. Non-ASF adopters override specific dimensions (CVE authority, mail provider, archive system, governance gate, scope axis) by changing only their <project-config>/ files. Generated-by: Claude Code (Opus 4.7)
Merged
2 tasks
potiuk
added a commit
that referenced
this pull request
May 30, 2026
…erns from session manual cleanups (#402) Per direct observations from the airflow-s 2026-05-29/30 bulk sync — two recurring title-noise patterns were cleaned manually that the existing cascade did not catch: 1. Trailing prior-CVE-relationship parentheticals — the cross-CVE relationship is structurally captured by the Gate #3 cross-CVE clause in the public summary; embedding the relationship in the title is noise to downstream advisory consumers. Catches every shape observed in this session: - `(CVE-YYYY-NNNNN)` - `(possible CVE-YYYY-NNNNN variant)` — from #345 - `(incomplete fix for CVE-YYYY-NNNNN)` — from #351 - `(fix-bypass of CVE-YYYY-NNNNN)` — from #352 - and any other `(... CVE-YYYY-NNNNN ...)` shape 2. Trailing reporter-name attribution parentheticals — reporter attribution lives in the credits field, never in the public title. Pattern matches `(<name> follow-up)` where `<name>` matches name-like tokens (word chars, dots, hyphens, single inline spaces) to avoid over-stripping substantive technical content. Catches: - `(Evan Ricafort follow-up)` — from #346 Substantive technical parentheticals stay intact — e.g. the operator- name list `(GCSToSFTPOperator + GCSTimeSpanFileTransformOperator)` on the GCS path-traversal tracker is NOT stripped (it lacks a CVE ID and doesn't end in `follow-up`). The matching Step 1d signal row in security-issue-sync now enumerates the two new patterns so the proposal-time detector and the pre-push Gate #4 stay in lock-step with the cascade. Validated against 9 cases: 4 session-derived fixes (all pass), 3 synthetic CVE-relationship variants (all pass), 1 substantive technical parenthetical (preserved correctly), 1 "<word> follow-up" edge case (stripped as designed — narrow scope acceptable since "follow-up" titles in airflow-s are exclusively reporter-attribution). Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
PR 2 ported the
generate-cve-jsonPython implementation into the framework. Skills currently invoke it viauv run --project tools/vulnogram/generate-cve-json …— works in framework standalone (cwd=repo root), but not in adopting projects, where the framework lives at the.apache-steward/apache-steward/submodule path.This PR introduces a
<framework>placeholder. Adopting projects substitute it to.apache-steward/apache-steward/; framework-standalone substitutes to.. Skills now reference<framework>/tools/vulnogram/generate-cve-jsoneverywhere they invoke the tool, and the path resolves in either context after the agent's standard placeholder substitution.Files updated
<framework>.Files NOT changed
Markdown links to SKILL.md (e.g.
[generate-cve-json](../../../tools/vulnogram/generate-cve-json/SKILL.md)) — those work via the.claude/skills/symlink in adopters because the kernel follows the symlink to the file's actual location and resolves the relative path from there.Test plan
Coordination
This is the framework-side counterpart to airflow-s/airflow-s#363 (
delete-local-cve-json-after-port). After this PR lands, airflow-s PR 3 needs one more commit to bump the submodule pointer to this PR's merge SHA — only then do skills work end-to-end on airflow-s.🤖 Generated with Claude Code