feat(validator): add branch-name confidentiality check #692
Merged
potiuk merged 3 commits on Jul 3, 2026
Conversation
…FT advisory) Adds check apache#17 to skill-and-tool-validator: scans git checkout -b and git switch -c examples inside fenced code blocks (across skills/ and docs/) and flags any concrete branch name that contains an embargo-breaking term — CVE IDs (CVE-YYYY-NNNNN), security, vulnerability/vuln, or advisory. Pre-disclosure public branch names must not reveal embargo context; neutral descriptive slugs are the safe alternative. Lines explicitly marked as bad examples (**bad**, bad:) are exempt, and placeholder branch names (<fix-slug>, $VAR) are silently skipped. The check is SOFT-advisory only (never blocks the run). 14 unit tests cover CVE IDs, security framing, vuln/advisory terms, placeholder exemptions, neutral names, and bad-example exemptions. The full codebase currently produces zero new violations. Generated-by: Claude (Opus 4.7)
potiuk approved these changes, Jul 3, 2026
potiuk pushed a commit to potiuk/magpie that referenced this pull request, Jul 3, 2026
collect_tool_dirs (added in apache#692) filters the tools/ scan through git so gitignored artifact directories are not treated as tools, but the tracked-only `git ls-files` filter silently drops a freshly-authored tool directory that has not been `git add`ed yet — exactly when a new tool most needs validating. Switch to `git ls-files --cached --others --exclude-standard` so untracked-but-not-ignored dirs are still checked; gitignored artifact directories remain excluded. Add a regression test.
potiuk added a commit that referenced this pull request, Jul 3, 2026
…704) collect_tool_dirs (added in #692) filters the tools/ scan through git so gitignored artifact directories are not treated as tools, but the tracked-only `git ls-files` filter silently drops a freshly-authored tool directory that has not been `git add`ed yet — exactly when a new tool most needs validating. Switch to `git ls-files --cached --others --exclude-standard` so untracked-but-not-ignored dirs are still checked; gitignored artifact directories remain excluded. Add a regression test. Co-authored-by: Tester <t@example.com>
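The filter change described in the commit message above, as an added example written for this page rather than magpie's own collect_tool_dirs: it puts the tracked-only invocation (which misses a tool directory that has not been `git add`ed yet) beside `git ls-files --cached --others --exclude-standard`, which also lists untracked files while still honouring .gitignore, and reduces the listing to the directories directly under tools/. The two listings are constructed stand-ins for git's output; function names are this example's own.

```python
"""Tool-directory discovery that honours .gitignore without dropping new work.

Added example, not magpie's collect_tool_dirs. It contrasts the two git
invocations from the commit message: listing only the index (which silently
drops a tool directory that has not been `git add`ed) versus
`git ls-files --cached --others --exclude-standard`, which also lists
untracked files while still excluding gitignored artifacts. The listings
below are constructed, and all names are this example's own.
"""
from __future__ import annotations

import subprocess
from pathlib import Path


def ls_files_args(tracked_only: bool) -> list[str]:
    """Arguments for git. `tracked_only=True` is the original, buggy form."""
    args = ["git", "ls-files", "-z"]  # -z: NUL-separated, safe for odd names
    if not tracked_only:
        # --cached: index entries; --others: untracked files;
        # --exclude-standard: apply .gitignore, .git/info/exclude, core.excludesFile
        args += ["--cached", "--others", "--exclude-standard"]
    return args + ["--", "tools/"]


def tool_dirs_from_paths(paths: list[str]) -> set[str]:
    """Reduce listed file paths to the directories directly under tools/."""
    dirs: set[str] = set()
    for path in paths:
        parts = path.split("/")
        if len(parts) >= 3 and parts[0] == "tools":  # tools/<tool>/<file>
            dirs.add(parts[1])
    return dirs


def collect_tool_dirs(repo: Path, tracked_only: bool = False) -> set[str]:
    """Run git in `repo` and return the set of tool directory names."""
    out = subprocess.run(
        ls_files_args(tracked_only), cwd=repo, check=True, capture_output=True
    ).stdout
    return tool_dirs_from_paths([p.decode() for p in out.split(b"\0") if p])


# Constructed listings standing in for git's output on a checkout where
# tools/new-tool/ was just written but never `git add`ed, and where
# tools/old-tool/.venv/ is gitignored (so it appears in neither listing).
TRACKED_ONLY_LISTING = [
    "tools/old-tool/pyproject.toml",
    "tools/old-tool/src/old_tool/__init__.py",
]
FIXED_LISTING = TRACKED_ONLY_LISTING + [
    "tools/new-tool/pyproject.toml",
    "tools/new-tool/README.md",
]


def dropped_by_tracked_only(tracked: list[str], full: list[str]) -> set[str]:
    """Tool directories the tracked-only filter would silently skip."""
    return tool_dirs_from_paths(full) - tool_dirs_from_paths(tracked)


if __name__ == "__main__":
    print("missed:", dropped_by_tracked_only(TRACKED_ONLY_LISTING, FIXED_LISTING))
    try:
        print("live:", sorted(collect_tool_dirs(Path.cwd())))
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("not a git checkout:", exc)
```

The `--others --exclude-standard` pair is what makes the difference: `--others` alone would also surface the gitignored `.venv` artifacts the original filter was introduced to keep out.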
Summary
Adds check #17 to skill-and-tool-validator: scans git checkout -b and
git switch -c examples inside fenced code blocks (across skills/ and docs/)
and flags any concrete branch name that contains an embargo-breaking term
— CVE IDs (CVE-YYYY-NNNNN), security, vulnerability/vuln, or advisory.
Pre-disclosure public branch names must not reveal embargo context;
neutral descriptive slugs are the safe alternative. Lines explicitly
marked as bad examples (**bad**, bad:) are exempt, and placeholder
branch names (<fix-slug>, $VAR) are silently skipped.
The check is SOFT-advisory only (never blocks the run). 14 unit tests
cover CVE IDs, security framing, vuln/advisory terms, placeholder
exemptions, neutral names, and bad-example exemptions. The full
codebase currently produces zero new violations.
Generated-by: Claude (Opus 4.7)
Type of change
- .claude/skills/<name>/ — eval fixtures updated below
- tools/<system>/*.md
- tools/*/ with pyproject.toml
- docs/, README.md, CONTRIBUTING.md
- projects/_template/
- prek, workflows, validators
Test plan
- prek run --all-files passes
- uv run pytest / ruff check / mypy passes
- PYTHONPATH=tools/skill-evals/src python3 -m skill_evals.runner tools/skill-evals/evals/<skill>/
- a regression test for the bug fixed / the behaviour added — see CONTRIBUTING.md
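One way to implement the check the Summary describes, as an added example written for this page rather than the validator's own code: it walks fenced code blocks, finds `git checkout -b` and `git switch -c` invocations, flags concrete branch names carrying a CVE ID, security, vulnerability/vuln or advisory, exempts lines that label themselves as the bad example, skips placeholders such as <fix-slug> and $VAR, and reports findings as SOFT advisories that never fail the run. The sample Markdown is constructed (its tilde fences are used only so it can sit inside this listing; the code accepts three-backtick fences too), and the function and class names are this example's own.

```python
"""Branch-name confidentiality check over Markdown fenced code blocks.

Added example, not the validator's own code. It implements the rule the
PR summary describes: inside fenced code blocks, find `git checkout -b`
and `git switch -c` invocations, flag concrete branch names containing a
CVE ID, "security", "vulnerability"/"vuln" or "advisory", exempt lines
marked as bad examples and skip placeholder names. Names are this
example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A CVE ID is CVE-<year>-<4 or more digits>; matched case-insensitively so
# a lower-case "cve-2024-1234" in a slug is caught too.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
# Longest alternative first so "vulnerability" is reported in full.
TERM_RE = re.compile(r"vulnerability|vuln|security|advisory", re.IGNORECASE)
# `git checkout -b NAME` / `git switch -c NAME`; NAME is the next token.
BRANCH_CMD_RE = re.compile(r"\bgit\s+(?:checkout\s+-b|switch\s+-c)\s+(\S+)")
# Placeholders such as <fix-slug>, $VAR or ${VAR} are not concrete names.
PLACEHOLDER_RE = re.compile(r"^(?:<[^>]*>|\$\{?\w+\}?)$")
# A line that explicitly labels itself as the bad example is exempt.
BAD_MARK_RE = re.compile(r"\*\*bad\*\*|\bbad:", re.IGNORECASE)
# Fence delimiters (three backticks or three tildes) toggle "inside code".
FENCE_RE = re.compile(r"^\s{0,3}(?:`{3}|~{3})")


@dataclass(frozen=True)
class Violation:
    line_no: int  # 1-based line number within the document
    branch: str
    term: str


def embargo_term(branch: str) -> str | None:
    """Return the embargo-breaking term found in a branch name, or None."""
    m = CVE_RE.search(branch) or TERM_RE.search(branch)
    return m.group(0) if m else None


def check_branch_names(markdown: str) -> list[Violation]:
    """Scan fenced code blocks only; prose mentions are not flagged."""
    found: list[Violation] = []
    in_fence = False
    for line_no, line in enumerate(markdown.splitlines(), start=1):
        if FENCE_RE.match(line):
            in_fence = not in_fence
            continue
        if not in_fence or BAD_MARK_RE.search(line):
            continue
        for m in BRANCH_CMD_RE.finditer(line):
            branch = m.group(1).strip("\"'")
            if PLACEHOLDER_RE.match(branch):
                continue
            term = embargo_term(branch)
            if term is not None:
                found.append(Violation(line_no, branch, term))
    return found


def advisories(markdown: str) -> list[str]:
    """Human-readable, non-blocking findings (SOFT severity)."""
    return [
        f"SOFT: line {v.line_no}: public branch name {v.branch!r} reveals "
        f"embargo context via {v.term!r}; use a neutral descriptive slug"
        for v in check_branch_names(markdown)
    ]


# Constructed sample document (not from the project); ~~~ fences are used
# here only so the sample can sit inside a backtick-fenced listing.
SAMPLE_DOC = """\
# Fixing a reported issue (constructed sample)

Create a working branch:

~~~bash
git checkout -b fix-CVE-2024-12345
git switch -c security-patch-jwt
git checkout -b vulnerability-in-parser
git checkout -b <fix-slug>
git switch -c $BRANCH
git checkout -b tighten-jwt-audience-check
# bad: git checkout -b advisory-embargo-fix
~~~

Prose outside a fence: git checkout -b advisory-branch is not scanned.
"""

if __name__ == "__main__":
    for msg in advisories(SAMPLE_DOC):
        print(msg)
```

On the sample, lines 6 to 8 are reported, line 12 is exempt because of its bad: marker, lines 9 and 10 are placeholders, line 11 is a neutral slug, and the prose mention on line 15 is outside any fence. Because the check is advisory, a caller treats a non-empty result as output to print, not as a reason to exit non-zero.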