
feat(validator): add branch-name confidentiality check#692

Merged
potiuk merged 3 commits into
apache:mainfrom
justinmclean:branch-name-confidentiality-validation
Jul 3, 2026

Conversation

@justinmclean

Member

Summary

Adds check #17 to skill-and-tool-validator: scans git checkout -b and
git switch -c examples inside fenced code blocks (across skills/ and docs/)
and flags any concrete branch name that contains an embargo-breaking term
— CVE IDs (CVE-YYYY-NNNNN), security, vulnerability/vuln, or advisory.

Pre-disclosure public branch names must not reveal embargo context;
neutral descriptive slugs are the safe alternative. Lines explicitly
marked as bad examples (**bad**, bad:) are exempt, and placeholder
branch names (<fix-slug>, $VAR) are silently skipped.

The check is SOFT-advisory only (never blocks the run). 14 unit tests
cover CVE IDs, security framing, vuln/advisory terms, placeholder
exemptions, neutral names, and bad-example exemptions. The full
codebase currently produces zero new violations.

Generated-by: Claude (Opus 4.7)

Type of change

  • Skill change (.claude/skills/<name>/) — eval fixtures updated below
  • Tool / bridge contract (tools/<system>/*.md)
  • Python package (tools/*/ with pyproject.toml)
  • Groovy reference impl
  • Cross-cutting (RFC, AGENTS.md, sandbox, privacy-LLM)
  • Documentation (docs/, README.md, CONTRIBUTING.md)
  • Project template (projects/_template/)
  • CI / dev loop (prek, workflows, validators)
  • Other:

Test plan

  • prek run --all-files passes
  • For Python packages touched: uv run pytest / ruff check / mypy passes
  • For Groovy bridges touched: command-line invocation tested end-to-end
  • For skill changes: eval suite passes for the affected skill
    (PYTHONPATH=tools/skill-evals/src python3 -m skill_evals.runner tools/skill-evals/evals/<skill>/)
  • For skill behaviour changes: a new or updated eval fixture is included in this PR
    (a regression test for the bug fixed / the behaviour added — see CONTRIBUTING.md)
  • Other:
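The check described in the summary, written out as an added example; this is not the project's validator code, and the sample Markdown, the `Finding` record, the prefix rule for `vuln`, the assumption that the branch name is the token directly after `-b`/`-c`, and the fence handling (backtick or tilde fences toggled line by line) are all this example's own choices:

```python
"""Added example, not the project's own validator: a SOFT-advisory scan
for embargo-leaking branch names in `git checkout -b` / `git switch -c`
examples found inside fenced Markdown code blocks."""
import re
from dataclasses import dataclass
from typing import List, Optional

# CVE identifiers are flagged wherever they appear in the branch name.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
# Whole-token terms that reveal security context; "vuln" is matched as a
# prefix so "vuln", "vulns" and "vulnerability" all trip it (example's choice).
EXACT_TERMS = {"security", "advisory"}
PREFIX_TERMS = ("vuln",)
# Branch-creating commands; the name is the next whitespace-delimited token.
# (Assumption: no extra options sit between the flag and the name.)
BRANCH_CMD_RE = re.compile(r"\bgit\s+(?:checkout\s+-b|switch\s+-c)\s+(?P<name>\S+)")
# A line carrying an explicit bad-example marker is exempt.
BAD_MARK_RE = re.compile(r"\*\*bad\*\*|\bbad:", re.IGNORECASE)
# Backtick or tilde fence markers open and close code blocks.
FENCES = ("`" * 3, "~~~")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    branch: str
    reason: str


def is_placeholder(name: str) -> bool:
    """Placeholders such as <fix-slug> or $VAR are not concrete branch names."""
    return name.startswith("<") or "$" in name


def classify_branch(name: str) -> Optional[str]:
    """Return why a concrete branch name breaks the embargo, or None if neutral."""
    cve = CVE_RE.search(name)
    if cve:
        return f"contains CVE id {cve.group(0)}"
    for token in re.split(r"[-_/.]+", name.lower()):
        if token in EXACT_TERMS or token.startswith(PREFIX_TERMS):
            return f"contains term '{token}'"
    return None


def scan_markdown(text: str, path: str = "<inline>") -> List[Finding]:
    """Scan only the fenced code blocks of one Markdown document."""
    findings: List[Finding] = []
    in_fence = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(FENCES):
            in_fence = not in_fence        # opening or closing fence line
            continue
        if not in_fence or BAD_MARK_RE.search(line):
            continue                       # prose, or an explicit bad example
        for match in BRANCH_CMD_RE.finditer(line):
            name = match.group("name").strip("'\"")
            if is_placeholder(name):
                continue                   # silently skipped, per the check's rules
            reason = classify_branch(name)
            if reason is not None:
                findings.append(Finding(path, lineno, name, reason))
    return findings


def render_report(findings: List[Finding]) -> str:
    """SOFT advisory: text only, never a failing exit status."""
    if not findings:
        return "check 17 (branch-name confidentiality): no violations"
    lines = ["check 17 (branch-name confidentiality): SOFT advisory"]
    for f in findings:
        lines.append(f"  {f.path}:{f.line}: branch '{f.branch}' {f.reason}")
    lines.append("  Hint: use a neutral descriptive slug for pre-disclosure work.")
    return "\n".join(lines)


# Constructed sample input (not a real project document); tilde fences keep
# the sample itself free of backtick fences.
SAMPLE_DOC = """\
# Release process (constructed sample input, not a real project document)

Create a working branch:

~~~bash
git checkout -b fix-CVE-2024-12345        # leaks the CVE id
git switch -c security-patch-for-parser   # leaks security framing
git checkout -b <fix-slug>                # placeholder, skipped
git switch -c "$BRANCH"                   # placeholder, skipped
git checkout -b tighten-parser-limits     # neutral slug, fine
~~~

Counter-example, kept only to show what not to do:

~~~bash
git checkout -b vuln-advisory-fix         # bad: leaks embargo context
~~~

Prose mentions such as git checkout -b security-fix outside fences are ignored.
"""

if __name__ == "__main__":
    print(render_report(scan_markdown(SAMPLE_DOC, "docs/release.md")))
```

Running the block reports exactly two findings from the sample (the CVE-bearing name and the `security-` slug); the placeholders, the neutral slug, the line marked `bad:` and the mention outside a fence all stay quiet, which mirrors the exemptions the summary lists.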

…FT advisory)

Adds check apache#17 to skill-and-tool-validator: scans git checkout -b and
git switch -c examples inside fenced code blocks (across skills/ and docs/)
and flags any concrete branch name that contains an embargo-breaking term
— CVE IDs (CVE-YYYY-NNNNN), security, vulnerability/vuln, or advisory.

Pre-disclosure public branch names must not reveal embargo context;
neutral descriptive slugs are the safe alternative.  Lines explicitly
marked as bad examples (**bad**, bad:) are exempt, and placeholder
branch names (<fix-slug>, $VAR) are silently skipped.

The check is SOFT-advisory only (never blocks the run).  14 unit tests
cover CVE IDs, security framing, vuln/advisory terms, placeholder
exemptions, neutral names, and bad-example exemptions.  The full
codebase currently produces zero new violations.

Generated-by: Claude (Opus 4.7)
@justinmclean justinmclean self-assigned this Jul 3, 2026
@potiuk potiuk merged commit 100b85f into apache:main Jul 3, 2026
33 checks passed
potiuk pushed a commit to potiuk/magpie that referenced this pull request Jul 3, 2026
collect_tool_dirs (added in apache#692) filters the tools/ scan through git so
gitignored artifact directories are not treated as tools, but the
tracked-only `git ls-files` filter silently drops a freshly-authored
tool directory that has not been `git add`ed yet — exactly when a new
tool most needs validating. Switch to `git ls-files --cached --others
--exclude-standard` so untracked-but-not-ignored dirs are still checked;
gitignored artifact directories remain excluded. Add a regression test.
potiuk added a commit that referenced this pull request Jul 3, 2026
…704)

collect_tool_dirs (added in #692) filters the tools/ scan through git so
gitignored artifact directories are not treated as tools, but the
tracked-only `git ls-files` filter silently drops a freshly-authored
tool directory that has not been `git add`ed yet — exactly when a new
tool most needs validating. Switch to `git ls-files --cached --others
--exclude-standard` so untracked-but-not-ignored dirs are still checked;
gitignored artifact directories remain excluded. Add a regression test.

Co-authored-by: Tester <t@example.com>