
fix(pr-management-triage): generalise security-list coupling and anonymise historical dev-list reference #696

Merged
potiuk merged 2 commits into apache:main from justinmclean:generalize-pr-triage-asf-references
Jul 3, 2026

@justinmclean

Member

Summary

  • comment-templates.md: replace hardcoded security@apache.org with <security-list> placeholder; remove ASF-specific URL from security vulnerability-handling prose; remove internal "dev@ thread with Elad" cross-reference
  • rationale.md: anonymise motivating-problem paragraph — project-specific mailing list name and individual names replaced with generic phrasing
  • SKILL.md: remove "dev@ thread with Elad" reference from triage_feedback_channel description
  • specs/project-agnosticism.md: extend Known Gaps entry to document the specific fixes made in this pass

The validator already produces 0 asf-coupling warnings (org-scoped skills are suppressed by the organization: ASF frontmatter added in 0073ae8). The real coupling was in sub-documents not checked by the validator — comment-templates.md is posted verbatim to GitHub PRs, so a hardcoded security@apache.org was a genuine blocker for non-ASF adopters. <security-list> resolves from <project-config>/project.md → mailing_lists.security at run time.

Generated-by: Claude (Opus 4.7)

Type of change

  • Skill change (.claude/skills/<name>/) — eval fixtures updated below
  • Tool / bridge contract (tools/<system>/*.md)
  • Python package (tools/*/ with pyproject.toml)
  • Groovy reference impl
  • Cross-cutting (RFC, AGENTS.md, sandbox, privacy-LLM)
  • Documentation (docs/, README.md, CONTRIBUTING.md)
  • Project template (projects/_template/)
  • CI / dev loop (prek, workflows, validators)
  • Other:

Test plan

  • prek run --all-files passes
  • For Python packages touched: uv run pytest / ruff check / mypy passes
  • For Groovy bridges touched: command-line invocation tested end-to-end
  • For skill changes: eval suite passes for the affected skill
    (PYTHONPATH=tools/skill-evals/src python3 -m skill_evals.runner tools/skill-evals/evals/<skill>/)
  • For skill behaviour changes: a new or updated eval fixture is included in this PR
    (a regression test for the bug fixed / the behaviour added — see CONTRIBUTING.md)
  • Other:

…ymise historical dev-list reference

Low-confidence asf-coupling pass (spec-loop work item apache#4).

- comment-templates.md: replace hardcoded `security@apache.org` with
  `<security-list>` placeholder; remove ASF-specific URL from security
  vulnerability-handling prose; remove internal "dev@ thread with Elad"
  cross-reference
- rationale.md: anonymise motivating-problem paragraph — project-specific
  mailing list name and individual names replaced with generic phrasing
- SKILL.md: remove "dev@ thread with Elad" reference from triage_feedback_channel description
- specs/project-agnosticism.md: extend Known Gaps entry to document
  the specific fixes made in this pass

The validator already produces 0 asf-coupling warnings (org-scoped
skills are suppressed by the `organization: ASF` frontmatter added in
0073ae8). The real coupling was in sub-documents not checked by the
validator — `comment-templates.md` is posted verbatim to GitHub PRs, so
a hardcoded `security@apache.org` was a genuine blocker for non-ASF
adopters. `<security-list>` resolves from `<project-config>/project.md`
→ `mailing_lists.security` at run time.

Generated-by: Claude (Opus 4.7)

@justinmclean self-assigned this Jul 3, 2026
@potiuk merged commit 232949f into apache:main Jul 3, 2026
33 checks passed
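
The two checks this change implies, as an added sketch that is not code from this PR or the repository: flag organisation-specific addresses in any template that is posted verbatim, and refuse to render a template whose `<security-list>` placeholder has no valid value in the project config. The function names, the sample templates and the assumption that `project.md` has already been parsed into a dict are hypothetical; only `<security-list>`, `mailing_lists.security` and `security@apache.org` come from the PR text.

```python
import re

# Placeholder -> path into the parsed project config. Only <security-list>
# and mailing_lists.security come from the PR; the dict form is an assumption.
PLACEHOLDERS = {"security-list": ("mailing_lists", "security")}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def find_hardcoded_addresses(text, org_domains):
    """Return (line_number, address) for addresses under an org-specific domain."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in EMAIL_RE.finditer(line):
            domain = match.group(1).lower()
            if any(domain == d or domain.endswith("." + d) for d in org_domains):
                hits.append((number, match.group(0)))
    return hits


def render_template(text, config):
    """Substitute known placeholders; raise rather than post an unresolved one."""
    def resolve(match):
        node = config
        for key in PLACEHOLDERS[match.group(1)]:
            if not isinstance(node, dict) or key not in node:
                raise KeyError(f"no config value for <{match.group(1)}>")
            node = node[key]
        # The value ends up in a public PR comment, so accept only an address.
        if not isinstance(node, str) or not EMAIL_RE.fullmatch(node.strip()):
            raise ValueError(f"<{match.group(1)}> is not an email address: {node!r}")
        return node.strip()

    names = "|".join(re.escape(name) for name in PLACEHOLDERS)
    return re.sub(rf"<({names})>", resolve, text)


# Constructed sample inputs (not taken from the repository).
OLD_TEMPLATE = "Thanks for the PR.\nPlease report vulnerabilities to security@apache.org instead.\n"
NEW_TEMPLATE = "Thanks for the PR.\nPlease report vulnerabilities to <security-list> instead.\n"
CONFIG = {"mailing_lists": {"security": "security@example.org"}}

if __name__ == "__main__":
    print(find_hardcoded_addresses(OLD_TEMPLATE, ["apache.org"]))
    print(render_template(NEW_TEMPLATE, CONFIG))
```

Failing closed in `render_template` matters because an unresolved or malformed placeholder in a vulnerability-handling comment would leave a reporter with no private channel to use.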