feat(security): docs lift + final scrub (PR5/5) #399
Merged
potiuk merged 1 commit, May 30, 2026
Conversation
Fifth and final PR of the security genericization series. Lifts the remaining 4 docs in docs/security/ to read config knobs from projects/_template/project.md and the contract docs from PR1-PR4 (cve_authority.*, governance.*, security_inbox.*, forwarders.*, archive_system.*, scope_detection.*). Plus a final scrub of 4 skills for leftover ASF/Vulnogram literals.

Byte-equivalent for the airflow-s adopter: every ASF/Airflow/Vulnogram-specific value either resolves through a config knob whose ASF default matches today's behaviour, OR stays as one named-example aside in generic prose.

Per-target lifts:

- docs/security/threat-model.md (+107/-77) — Purpose/Scope/Assumptions reframed from "ASF"/"PMC" to governance-knob terms. STRIDE matrix rows A.6/A.7/C.1-C.4/E.1-E.2 lifted: Vulnogram -> <cve-tool>; security@apache.org -> <security-list>; DRAFT/REVIEW/READY/PUBLIC -> cve_authority.states sequence (allocated -> review-ready -> publish-ready -> public). Mitigations M.10/M.16/M.18/M.19/M.27 + residual risks #3/#8/#10/#11 + re-audit cadence ownership generalised.
- docs/security/forwarder-routing-policy.md (+42/-27) — references the optional security-issue-import-via-forwarder sub-skill from PR3 (apache#387) and the tools/forwarder-relay/README.md contract. Replaces "ASF-security relay" / "security@apache.org" with forwarders.enabled / <security-list> / foundation_security_address. ASF-Airflow shown as a named-example aside per concept.
- docs/security/how-to-fix-a-security-issue.md (+20/-8) — "governance-authorised member of the adopting project (per governance.cve_allocation_gate)" replaces "PMC member of apache/airflow"; <cve-tool> + cve_authority.* replaces Vulnogram-specific URLs and state names; archive_system.advisory_publication_signal_url replaces the lists.apache.org users-list URL.
- docs/security/new-members-onboarding.md (+26/-13) — onboarding-style register preserved. "PMC members and committers" reframed as "governance body that satisfies governance.cve_allocation_gate"; per-user-config "PMC status" steps reference the governance knob; Vulnogram steps reference <cve-tool> via cve_authority.record_url_template.
- Final scrub of 4 skills (+17/-15 net): security-issue-import, security-issue-import-via-forwarder, security-issue-invalidate, security-issue-fix — leftover literal references caught and lifted to roster.bare_name_handles / governance.escalation_contact / forwarders.<adapter>.contact_handle.

Aggregate: 8 files, +240/-156 lines.

That closes the series. Five PRs (apache#381, apache#386, apache#387, apache#388, this) transitioned the security skill family from Airflow/ASF-coupled to a generic framework with ASF as the default-configured option. The airflow-s adopter, with the ASF defaults baked into project.md, sees byte-equivalent behaviour throughout. Non-ASF adopters override specific dimensions (CVE authority, mail provider, archive system, governance gate, scope axis) by changing only their <project-config>/ files.

Generated-by: Claude Code (Opus 4.7)
Summary

Fifth and final PR of the security genericization series. Lifts the remaining 4 docs in docs/security/ to read config knobs from projects/_template/project.md and the contract docs from PR1-PR4 (cve_authority.*, governance.*, security_inbox.*, forwarders.*, archive_system.*, scope_detection.*). Plus a final scrub of 4 skills for leftover ASF/Vulnogram literals that survived earlier passes.

Byte-equivalent for the airflow-s adopter. Every ASF/Airflow/Vulnogram-specific value either resolves through a config knob whose ASF default matches today's behaviour, OR stays as one named-example aside in generic prose.

Per-target lifts

- docs/security/threat-model.md: STRIDE rows lifted (Vulnogram → <cve-tool>; security@apache.org → <security-list>; DRAFT/REVIEW/READY/PUBLIC → cve_authority.states sequence); mitigations M.10/M.16/M.18/M.19/M.27 + residual risks #3/#8/#10/#11 + re-audit cadence ownership generalised.
- docs/security/forwarder-routing-policy.md: references the security-issue-import-via-forwarder sub-skill (PR3 #387) and the tools/forwarder-relay/README.md contract. forwarders.enabled / forwarders.<adapter>.contact_handle / foundation_security_address replace the inlined ASF-Security relay shape.
- docs/security/how-to-fix-a-security-issue.md: "governance-authorised member of the adopting project (per governance.cve_allocation_gate)" replaces "PMC member of apache/airflow"; <cve-tool> + cve_authority.* replaces Vulnogram-specific URLs and state names.
- docs/security/new-members-onboarding.md: "PMC members and committers" reframed as "governance body that satisfies governance.cve_allocation_gate"; per-user-config "PMC status" steps reference the governance knob.
- security-issue-import, -via-forwarder, -invalidate, -fix (scrub): leftover literals lifted to roster.bare_name_handles / governance.escalation_contact / forwarders.<adapter>.contact_handle.

Aggregate: 8 files, +240 / -156 lines.
The series, end-to-end

After this PR merges, the security skill family is generic by default:

- For ASF projects (like airflow-s, the reference adopter): the ASF defaults in projects/_template/project.md resolve every knob to today's behaviour. Vulnogram URLs, PMC-only allocation, security@apache.org inbox, PonyMail archive, ASF-Security forwarder, airflow | providers | chart scope cascade — all unchanged at runtime.
- For non-ASF adopters: override specific dimensions in <project-config>/project.md to plug in alternative CVE authorities (CVE.org direct submission, MITRE form, GHSA-only), mail providers (IMAP, Outlook, Discourse), archive systems (Hyperkitty, Discourse, Google Groups, GitHub Discussions), governance gates, scope axes, and roster sources. Adapter contracts in tools/cve-tool/README.md, tools/mail-archive/README.md, and tools/forwarder-relay/README.md describe the interface.

Test plan

- uv run --project tools/skill-and-tool-validator skill-and-tool-validate clean (5 advisory soft warnings, none hard, all on files outside PR5 scope).
- pytest clean for the validator (218 tests).
- airflow-s named-example asides land where they should and the generic prose reads cleanly.
- unchanged, still gets the same security-flow behaviour as before (byte-equivalence invariant — the closing test for the series).
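As an added illustration, not code from this PR or the project, the following Python models the knob resolution and the byte-equivalence invariant the series relies on: docs reference knobs, the template supplies ASF defaults, and an adopter overrides only the dimensions it needs. Only the knob names come from the PR text; the placeholder syntax, the default values and the override-validation rule are assumptions made for the example.

```python
"""Hypothetical model of knob-driven docs (not the project's own format).
Knob names mirror the PR description; values and syntax are constructed."""
import re
from typing import Any

# Constructed stand-in for the ASF defaults in projects/_template/project.md.
TEMPLATE_DEFAULTS: dict[str, Any] = {
    "cve_authority.states": "allocated -> review-ready -> publish-ready -> public",
    "foundation_security_address": "security@apache.org",
    "forwarders.enabled": "true",
    "governance.cve_allocation_gate": "pmc-member",  # assumed default label
}

# Placeholder syntax assumed for this example: <knob.name> inside the doc text.
PLACEHOLDER = re.compile(r"<([a-z_]+(?:\.[a-z_]+)*)>")


def resolve_knobs(template: dict[str, Any], overrides: dict[str, Any]) -> dict[str, Any]:
    """Overlay an adopter's overrides on the template defaults.

    A key the template does not define is rejected: a misspelled override
    would otherwise leave the ASF default silently in force, a failure the
    byte-equivalence check below cannot see on its own.
    """
    unknown = sorted(set(overrides) - set(template))
    if unknown:
        raise KeyError(f"unknown knob(s): {unknown}")
    return {**template, **overrides}


def render(doc: str, knobs: dict[str, Any]) -> str:
    """Substitute every <knob> placeholder; an unresolved knob is an error."""
    def sub(match):
        key = match.group(1)
        if key not in knobs:
            raise KeyError(f"doc references undefined knob {key!r}")
        return str(knobs[key])
    return PLACEHOLDER.sub(sub, doc)


def byte_equivalent(doc: str, overrides: dict[str, Any]) -> bool:
    """True when an adopter config renders the doc identically to the defaults."""
    merged = resolve_knobs(TEMPLATE_DEFAULTS, overrides)
    return render(doc, TEMPLATE_DEFAULTS) == render(doc, merged)


# Constructed doc fragment written in the lifted, knob-driven style.
DOC = ("Report to <foundation_security_address>. Records move through "
       "<cve_authority.states>; allocation requires <governance.cve_allocation_gate>.")
```

An adopter that restates the ASF defaults explicitly is byte-equivalent; one that swaps the CVE state sequence is not, and a misspelled knob is rejected rather than ignored.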