
feat(security-issue-triage): fetch-all-upfront pattern (PR #346 analogue)#347

Merged
potiuk merged 1 commit into
apache:mainfrom
potiuk:feat-security-triage-full-queue-fetch
May 27, 2026

Conversation

@potiuk

@potiuk potiuk commented May 27, 2026

Member

Summary

  • Apply the flow discipline from "feat(pr-management-triage): fetch all PRs upfront, classify in batch" (#346, the pr-management-triage refactor) to security-issue-triage.
  • Add Golden rule 7: Steps 1–4 run uninterrupted, Step 5 is the single human checkpoint.
  • Bump `gh issue list` `--limit 100` → `--limit 1000` so Step 1 fetches the full needs-triage backlog in one call (security backlogs don't approach four-digit counts in practice).
  • Drop the "echo list and confirm before Step 2" prompt — it duplicated the Step 5 confirm screen.
  • Three narrow cases still stop and ask: empty result set, CVE selector matching multiple trackers, --retriage on 50+ trackers.

Why

The skill was already mostly batch-shaped (parallel enrichment, full-list Step 5 confirm), but the pre-Step-2 confirm interrupted the maintainer right when the long enrichment phase was about to start. Removing it lets the maintainer run the skill and walk away during the enrichment, mirroring the pattern from #346.

Test plan

  • skill-and-tool-validate exits 0 (verified locally; pre-existing soft warnings not introduced here).
  • Run /security-issue-triage on a small needs-triage queue (1–3 trackers) and confirm Steps 1–4 run without any prompt.
  • Run /security-issue-triage --retriage on a 50+ tracker selection and confirm the safety-stop fires.

…analogue)

Apply the same flow discipline `pr-management-triage` adopted in
PR apache#346 to the security tracker triage skill: fetch every
candidate up front, classify uninterrupted, then surface a
single batched confirm screen.

== What changes ==

Add Golden rule 7: Steps 1–4 run without a human checkpoint;
Step 5 is the single decision point. Explicit cross-reference
to `pr-management-triage`'s Golden rule 4.

Step 1: bump the `gh issue list` cap from `--limit 100` to
`--limit 1000` (security backlogs don't approach four-digit
needs-triage counts in practice, so one call is the full set).
A backlog that *does* exceed 1000 is the signal to escalate,
not silently page through. The list-echo becomes informational
only — the maintainer no longer has to answer a confirm prompt
before Step 2 fires. Three narrow cases still stop and ask
(empty result, CVE selector matching multiple trackers,
`--retriage` on 50+ trackers); outside those, proceed.

Step 2: framing now states "fires immediately after Step 1, no
human checkpoint in between."

Step 5: framing now states "the single human checkpoint" so
the maintainer knows Steps 6–7 will run sequentially without
re-prompting.

== Why ==

The security-issue-triage skill was already closer to the
batch pattern than pr-management-triage was (parallel
per-tracker enrichment via subagent fanout, full-list confirm
in Step 5), but it carried a redundant human checkpoint
between Step 1 and Step 2 — the "echo list and confirm before
gathering state" prompt. That checkpoint cost an attention
context-switch for a result that the Step 5 confirm screen
already covers. Removing it lets the maintainer run the skill
on a queue and walk away during the enrichment phase, same as
pr-management-triage.

== Verification ==

`skill-and-tool-validate` exits 0; pre-existing soft warnings
in unrelated rules (`gh-list-no-limit` on a `gh pr list` call
in this skill, plus three others) are not introduced here.

Generated-by: Claude Code (Opus 4.7)
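The Step 1 gate described in the commit message above, as an added example that is not the skill's or the project's own code (the skill itself is a Markdown instruction file). It assumes trackers are open `needs-triage` issues returned as JSON by `gh issue list`, that a CVE selector is matched against title and body, and that a full page at the `--limit 1000` cap is the escalation signal.

```python
"""Step 1 gate for the fetch-all-upfront triage flow (added example).

Assumptions, not from the skill: trackers are open `needs-triage` issues
returned as JSON by `gh issue list`; a CVE selector is matched against
title and body; a full page at the --limit cap is the escalation signal.
"""
import json
import re

FETCH_LIMIT = 1000   # Step 1 cap: one call is the full backlog
RETRIAGE_STOP = 50   # --retriage on this many trackers stops and asks
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def fetch_command(label="needs-triage", limit=FETCH_LIMIT):
    """The gh invocation Step 1 runs; --json keeps the output parsable."""
    return ["gh", "issue", "list", "--label", label, "--state", "open",
            "--limit", str(limit), "--json", "number,title,body"]


def select(issues, cve=None):
    """Narrow the queue to trackers mentioning the selected CVE id."""
    if cve is None:
        return list(issues)
    return [i for i in issues
            if cve in CVE_RE.findall(i["title"] + " " + (i.get("body") or ""))]


def gate(issues, cve=None, retriage=False, limit=FETCH_LIMIT):
    """Return (decision, reason); decision is proceed, stop or escalate."""
    if len(issues) >= limit:
        # Nothing past the cap is visible: a backlog this size is not paged silently.
        return "escalate", f"backlog reached the --limit {limit} cap"
    selected = select(issues, cve)
    if not selected:
        return "stop", "empty result set"
    if cve is not None and len(selected) > 1:
        return "stop", f"CVE selector {cve} matches {len(selected)} trackers"
    if retriage and len(selected) >= RETRIAGE_STOP:
        return "stop", f"--retriage on {len(selected)} trackers"
    return "proceed", f"{len(selected)} tracker(s); Steps 2-4 run uninterrupted"


# Constructed sample of the gh JSON output; issue numbers and CVE ids are made up.
SAMPLE = json.loads("""[
 {"number": 101, "title": "Tracker: CVE-2026-0001 in provider X", "body": ""},
 {"number": 102, "title": "Tracker: auth bypass report", "body": "dup of CVE-2026-0001"},
 {"number": 103, "title": "Tracker: CVE-2026-0002", "body": ""}
]""")

if __name__ == "__main__":
    print(" ".join(fetch_command()), gate(SAMPLE), gate(SAMPLE, cve="CVE-2026-0001"))
```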
@potiuk potiuk merged commit 5c211a4 into apache:main May 27, 2026
15 checks passed
potiuk added a commit to apache/airflow that referenced this pull request May 28, 2026
* Update apache-steward snapshot to 5c211a4

Bumps the local apache-steward snapshot from 339d3eb to 5c211a4 (22
upstream commits). The only committed change in this PR is a
1-line frontmatter addition (capability: capability:setup) to
.github/skills/setup-steward/SKILL.md, propagated from the new
framework version via /setup-steward upgrade. Everything else
lives in the gitignored .apache-steward/ snapshot.

Highlights from upstream (apache/airflow-steward):

- pr-management-triage: session-history gist persistence Step 6b
  (apache/magpie#343), four classifier heuristic fixes
  (apache/magpie#344), fetch-all-upfront pattern
  (apache/magpie#346)
- security-issue-triage: fetch-all-upfront analogue
  (apache/magpie#347)
- Framework labels + capability taxonomy (apache/magpie#340) —
  the source of the frontmatter line in this PR
- New skill pairing-self-review and tool spec-status-index
- claude-code pin 2.1.141 -> 2.1.150

/setup-steward upgrade ran cleanly locally: snapshot refreshed,
symlinks resolve, post-checkout hook in sync,
sandbox-add-project-root reconciled across 3 worktrees.
.apache-steward.local.lock updated to fetched_commit 5c211a4.
All .apache-steward-overrides/ files unchanged.

* Gitignore .apache-steward.session-state.json

Adds the per-machine session-state file to .gitignore. The file is
written by steward skills that maintain adopter-local persistence
anchors — currently pr-management-triage Step 6b's session-history
gist URL (apache/magpie#343), but the structure is
deliberately shared so other skills can add their own keys later.

The file is per-user, per-machine state; it should never be
committed even when a contributor stages everything with `git add -A`.
choo121600 pushed a commit to apache/airflow that referenced this pull request May 29, 2026
(cherry picked from commit c521078)

Co-authored-by: Jarek Potiuk <jarek@potiuk.com>
vatsrahul1001 pushed a commit to apache/airflow that referenced this pull request May 29, 2026
(cherry picked from commit c521078)

Co-authored-by: Jarek Potiuk <jarek@potiuk.com>
potiuk added a commit to potiuk/magpie that referenced this pull request Jun 1, 2026
…ity-suite refactor patterns

Adds `optimize-skill` (capability:setup) — the refactoring sibling of
`write-skill`. It takes an existing framework skill (or sweeps a set)
and applies the five restructuring patterns proven on the security
suite, as behavior-preserving proposals gated by the validator
(green-before / green-after):

- split — slim an oversized SKILL.md into linked siblings (the apache#410
  pattern; addresses the PRINCIPLES.md P14 cap)
- config-lift — move concrete values into <project-config> (apache#386/apache#387/apache#388)
- out-of-context — read/PATCH one field without loading the body
  (apache#412 github-body-field, apache#424 github-rollup)
- fetch-upfront — batch per-item round-trips (apache#347)
- preflight-classifier — skip obvious no-ops before LLM passes (apache#414/apache#416)

SKILL.md is 297 lines; the pass catalogue (smell / exemplar PR /
mechanics / behavior-preservation guarantee / validation) lives in
the patterns.md sibling. Reads only framework-internal files, so no
injection-guard / Privacy-LLM callouts.

Ships a step-diagnose eval (5 auto-comparable cases incl. an
injection-resistance case) so the skill is not released without an
eval (P8). Wires the skill into the capability->skill map and the
eval index.

Generated-by: Claude Code (Opus 4.8)
potiuk added a commit that referenced this pull request Jun 1, 2026
…ity-suite refactor patterns (#427)