lukaszlenart opened a new pull request, #1722: URL: https://github.com/apache/struts/pull/1722
## Summary

Adds a new agent skill — `.claude/skills/triaging-security-reports/SKILL.md` — that guides triage of privately disclosed security reports. It fits alongside the existing `.claude/agents` and `.claude/commands` tooling and complements the process defined in [`SECURITY.md`](../blob/main/SECURITY.md).

The skill enforces **unbiased, source-grounded** triage:

- **Treat the report as a claim to test, not a finding to confirm or rebut.** Re-derive every assertion (line numbers, severity, "no mitigation exists", call paths) from current source.
- **Iron rule:** no statement in a security response without a `file:line` read this session — applies to the reporter's claims *and the maintainer's own*.
- **Effective-default trap:** verify runtime defaults through the full chain (field initializer → `@Inject` setter → `default.properties` → struts.xml), not a single source.
- **Vulnerability vs. operator responsibility** framing instead of the "in the default configuration" crutch.
- Rationalization table + red-flags list drawn from real failure modes.

## How it was developed (test-first, per `superpowers:writing-skills`)

- **RED:** baseline agents triaging a deliberately false report produced **contradictory, unverified claims** about a default (`requireAnnotations`) and were ready to send them to a reporter.
- **GREEN:** with the skill, the agent stated the *effective* default correctly (`default.properties` overrides the field initializer), cited `file:line` per claim, and added no unverified facts.
- **REFACTOR:** verified the skill does **not** over-correct — given a report whose code facts were *true*, the agent confirmed them and conceded valid points rather than reflexively rejecting.

## Notes

- No JIRA ticket — agent tooling/docs, so a ticketless conventional commit is used per the project commit guideline.
- No framework code changes; nothing security-sensitive is disclosed.
🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
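The "effective-default trap" the PR describes (field initializer → `@Inject` setter → `default.properties` → struts.xml) is easy to fall into because each file on its own looks authoritative. The following is an added example, not code from this PR, from the skill, or from the Struts code base, showing what a triager's check of that chain looks like in practice: walk every source in precedence order, keep a `file:line` citation for each hit, and report the last one as the effective value. It assumes the precedence the PR states, that `default.properties` overrides the field initializer and a `struts.xml` `<constant>` overrides both; the sample files, paths, class name and the key `example.requireAnnotations` are constructed placeholders, not real Struts identifiers.

```python
"""Resolve a setting's effective value by walking every source in precedence
order and recording file:line provenance for each hit.

Added example, not code from the Struts project or from the skill in this PR.
Assumed precedence (lowest to highest), as the PR description states it:
    Java field initializer  <  default.properties  <  struts.xml <constant>
The sample files, paths, class and the key "example.requireAnnotations" are
constructed placeholders, not real Struts identifiers.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Evidence:
    value: str
    path: str
    line: int  # 1-based, so it can be cited as path:line in a response


@dataclass
class Resolution:
    effective: Optional[Evidence]
    chain: list  # every source that set the value, lowest precedence first


def _java_initializer(java_field):
    # matches "<type> name = <initializer>;" and captures the initializer
    return re.compile(rf"\b{re.escape(java_field)}\s*=\s*([^;]+);")


def _properties_key(key):
    return re.compile(rf"^\s*{re.escape(key)}\s*=\s*(.*?)\s*$")


def _xml_constant(key):
    return re.compile(rf'<constant\s+name="{re.escape(key)}"\s+value="([^"]*)"')


def _first_match(pattern, path, text):
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = pattern.search(line)
        if m:
            return Evidence(m.group(1).strip(), path, lineno)
    return None


def resolve(java_field, key, sources):
    """sources: list of (kind, path, text) in ascending precedence;
    kind is 'java', 'properties' or 'xml'. Every source that sets the
    value is kept in the chain; the last one is the effective value."""
    patterns = {
        "java": _java_initializer(java_field),
        "properties": _properties_key(key),
        "xml": _xml_constant(key),
    }
    chain = []
    for kind, path, text in sources:
        hit = _first_match(patterns[kind], path, text)
        if hit:
            chain.append(hit)
    return Resolution(chain[-1] if chain else None, chain)


def citation(res):
    """One 'path:line -> value' per source, ready to paste into a response,
    plus a note when the field initializer alone would have misled."""
    lines = [f"{e.path}:{e.line} -> {e.value}" for e in res.chain]
    if len(res.chain) > 1 and res.chain[0].value != res.effective.value:
        lines.append("NOTE: field initializer is overridden; do not cite it as the default")
    return lines


# --- constructed sample sources (placeholders, not real Struts files) ---
JAVA_SRC = """package example;
public class ExampleConfig {
    // the initializer is only the fallback when nothing injects a value
    private boolean requireAnnotations = false;
    @Inject(value = "example.requireAnnotations", required = false)
    public void setRequireAnnotations(String v) { requireAnnotations = Boolean.parseBoolean(v); }
}
"""
DEFAULT_PROPS = """# constructed sample default.properties
example.requireAnnotations=true
"""
STRUTS_XML_NO_OVERRIDE = """<struts>
    <!-- the application does not touch example.requireAnnotations -->
</struts>
"""
STRUTS_XML_OVERRIDE = """<struts>
    <constant name="example.requireAnnotations" value="false" />
</struts>
"""


def _sources(struts_xml):
    return [
        ("java", "src/main/java/example/ExampleConfig.java", JAVA_SRC),
        ("properties", "src/main/resources/default.properties", DEFAULT_PROPS),
        ("xml", "src/main/resources/struts.xml", struts_xml),
    ]


def resolve_shipped_default():
    # reading only the Java file gives "false"; the framework runs with "true"
    return resolve("requireAnnotations", "example.requireAnnotations", _sources(STRUTS_XML_NO_OVERRIDE))


def resolve_operator_override():
    # an operator's struts.xml constant sits above both and wins
    return resolve("requireAnnotations", "example.requireAnnotations", _sources(STRUTS_XML_OVERRIDE))


if __name__ == "__main__":
    for res in (resolve_shipped_default(), resolve_operator_override()):
        print("\n".join(citation(res)), end="\n\n")
```

The point of keeping the whole chain rather than only the winner is the PR's "iron rule": the response can cite a `file:line` for the initializer, for `default.properties` and for any operator override, and the note makes explicit which of those is the vulnerability question (what ships) and which is operator responsibility (what a deployment changed).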
