potiuk opened a new pull request, #387: URL: https://github.com/apache/airflow-steward/pull/387
## Summary

Third of 5 PRs converting the security skill family from Airflow/ASF-coupled to a generic framework with ASF as the default-configured option. PR1 ([#381](https://github.com/apache/airflow-steward/pull/381)) landed the adapter contracts. PR2 ([#386](https://github.com/apache/airflow-steward/pull/386)) lifted 6 config-driven skills.

**This PR extracts the ASF-Security forwarder + PonyMail archive specifics out of the generic skill bodies** into:

- a new optional sub-skill that the generic intake / invalidate / sync skills invoke when `forwarders.enabled` is non-empty
- explicit cross-references from the adapter-contract READMEs to their default-ASF implementations

**Byte-equivalent for the airflow-s adopter.** Every behaviour the ASF-relay row + Step 5d + Step 2b previously produced is now reachable via the sub-skill, which the airflow-s adopter installs by default (`forwarders.enabled: [asf-security]`).

## New optional sub-skill

`.claude/skills/security-issue-import-via-forwarder/SKILL.md` (+620 lines). Adapter-agnostic body — no `asf-security` / `huntr-relay` / `hackerone-relay` string in control flow. The body reads enabled adapters from `forwarders.enabled` in `project.md` and dispatches via `detect()` / `extract_credit()` / `reporter_addressing_block()` from [`tools/forwarder-relay/README.md`](https://github.com/apache/airflow-steward/blob/main/tools/forwarder-relay/README.md).

| Step | What it does |
|---|---|
| Step 0 — Pre-flight check | `forwarders.enabled` non-empty? |
| Step 1 — Detect adapter match | Run each registered forwarder's `preamble_match` regex |
| Step 2 — Extract reporter credit | Per adapter's `credit_extraction_rule` (bot/AI policy applied to the extracted string) |
| Step 3 — Route reporter-facing drafts | Use adapter's `contact_handle` + `reporter_addressing_block` |
| Step 4 — Hand back to parent skill | With extracted credit + routing decision |

Frontmatter: `capability: capability:intake`.
## Skill lifts (existing bodies)

| Skill | Lines | What was lifted |
|---|---|---|
| `security-issue-import` | -60/+54 (net -6) | Step 3 classification table: dropped the **ASF-security relay** row; added a pre-classification paragraph pointing at the sub-skill when `forwarders.enabled` is non-empty. Step 7 receipt-of-confirmation routing generalized. Golden-rule prose, Step 4 field-extraction header, Step 5 proposal grouping, Step 6 default-disposition, rollup provenance template, Hard Rules — all `Report` / `ASF-security relay` pairings collapsed to a single generalized treatment with the ASF case as a named example. |
| `security-issue-invalidate` | -49/+93 (+44) | Step 5d ASF-relay inline logic replaced with adapter-aware routing through the sub-skill. Four touch-points lifted: GHSA-relay-no-write-access bullet, Step 5d.1 via-forwarder recipients, Step 5d.2 reporter-addressing-block, the worked example. ASF retained as a named example in the worked-example sections. |
| `security-issue-sync` | -20/+20 (±0) | **Scoped Step 2b lift only.** The big Vulnogram-state-machine rewrite at Steps 5b/5c (~600 lines) stays for PR4. Draft routing in Step 2b now reads adapter metadata from the sub-skill's hand-back; no inline `Dear PMC` preamble match. |

## Adapter-contract README cross-references

| File | Change |
|---|---|
| `tools/forwarder-relay/README.md` | +24 — explicit *"Implementation: tools/gmail/asf-relay.md"* pointer for the asf-security adapter + sub-skill consumer link |
| `tools/mail-archive/README.md` | +19 — explicit *"Implementation: tools/ponymail/"* pointer + the skills that consume PonyMail today (intake / sync / invalidate) |

## Doc table

`docs/labels-and-capabilities.md` gets a new row for `security-issue-import-via-forwarder` → `capability:intake` (satisfies the capability-sync check landed in #340).

## Aggregate

7 files changed, **+795 / -116 lines**.
## What is *not* in this PR

- **`tools/vulnogram/`, `tools/gmail/asf-relay.md` bodies are not modified.** Only cross-references TO them are updated. The CVE-authority sub-tool extract is PR4.
- **`tools/ponymail/` body is not modified.** Same reasoning.
- **`security-issue-sync` Steps 5b/5c** — the ~600-line CVE state-machine section — is PR4.
- **`security-cve-allocate`** Vulnogram-specific body is PR4.
- **`docs/security/process.md`, `forwarder-routing-policy.md`, `roles.md`, `threat-model.md`** are PR5.

## Test plan

- [x] `uv run --project tools/skill-and-tool-validator skill-and-tool-validate` clean (5 soft advisory warnings, none hard).
- [x] `pytest` clean for the validator (218 tests).
- [x] All pre-commit hooks pass.
- [ ] Spot-read the new sub-skill on GitHub to confirm the adapter-agnostic body reads correctly and the Step 1-4 hand-back contract is unambiguous.
- [ ] Confirm the airflow-s adopter, with `forwarders.enabled: [asf-security]`, still gets the same behaviour as today (byte-equivalence invariant).

--
This is an automated message from the Apache Git Service.
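The Step 0-4 dispatch contract the PR description lays out (pre-flight on `forwarders.enabled`, `preamble_match` detection per registered adapter, `credit_extraction_rule` with a bot/AI policy applied, routing via `contact_handle` + `reporter_addressing_block`, hand-back to the parent skill) is easier to reason about as executable code. The block below is an added illustration written for this page, not code from the airflow-steward repository, and it is not the real `asf-security` adapter: the `Dear PMC` / `Reporter:` regexes, the `AUTOMATED_MARKERS` list standing in for the bot/AI policy, the `contact_handle` value and the sample relay message are all constructed assumptions. It also adds one check a practitioner would want that the description does not mention explicitly: an adapter name in `forwarders.enabled` that is not in the registry fails closed instead of silently skipping relay handling.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical bot/AI policy (assumption): credit strings that name automated
# tooling are dropped rather than carried into the advisory credit line.
AUTOMATED_MARKERS = ("bot", "scanner", "automated", "ai-generated", "llm")


def apply_bot_policy(credit: str) -> Optional[str]:
    """Return the credit string, or None if it looks like automated tooling."""
    lowered = credit.lower()
    if any(marker in lowered for marker in AUTOMATED_MARKERS):
        return None
    return credit


@dataclass(frozen=True)
class ForwarderAdapter:
    """Per-forwarder metadata, mirroring the four contract fields named in the PR."""
    name: str
    preamble_match: re.Pattern          # identifies the forwarder from the preamble
    credit_extraction_rule: re.Pattern  # must expose a named group 'credit'
    contact_handle: str                 # where reporter-facing drafts are routed
    addressing_template: str            # uses a '{credit}' placeholder

    def detect(self, body: str) -> bool:
        return self.preamble_match.search(body) is not None

    def extract_credit(self, body: str) -> Optional[str]:
        m = self.credit_extraction_rule.search(body)
        if m is None:
            return None
        return apply_bot_policy(m.group("credit").strip())

    def reporter_addressing_block(self, credit: Optional[str]) -> str:
        return self.addressing_template.format(credit=credit or "the reporter")


# Hypothetical default adapter. Regexes and handle are constructed for this
# example; they are not the project's real asf-security adapter definition.
ASF_SECURITY = ForwarderAdapter(
    name="asf-security",
    preamble_match=re.compile(r"^Dear PMC,", re.MULTILINE),
    credit_extraction_rule=re.compile(
        r"^Reporter:\s*(?P<credit>[^<\n]+?)\s*(?:<[^>]+>)?\s*$", re.MULTILINE
    ),
    contact_handle="security-relay@example.invalid",
    addressing_template="Hi {credit},\n\nThis reply is relayed via the security team.",
)

REGISTRY = {ASF_SECURITY.name: ASF_SECURITY}


def dispatch(project_config: dict, registry: dict, body: str) -> dict:
    """Steps 0-4: pre-flight, detect, extract credit, route, hand back."""
    enabled = project_config.get("forwarders", {}).get("enabled") or []
    if not enabled:  # Step 0: sub-skill is simply not invoked
        return {"matched": None, "reason": "forwarders.enabled is empty"}
    unknown = [n for n in enabled if n not in registry]
    if unknown:
        # Fail closed: a typo in project.md must not silently disable relay handling.
        raise ValueError(f"forwarders.enabled names unregistered adapters: {unknown}")
    for name in enabled:  # Step 1: first adapter whose preamble matches wins
        adapter = registry[name]
        if not adapter.detect(body):
            continue
        credit = adapter.extract_credit(body)  # Step 2
        return {  # Steps 3-4: routing decision handed back to the parent skill
            "matched": name,
            "credit": credit,
            "route_to": adapter.contact_handle,
            "addressing_block": adapter.reporter_addressing_block(credit),
        }
    return {"matched": None, "reason": "no enabled forwarder preamble matched"}


# Constructed sample relay message (not a real ASF-Security e-mail).
SAMPLE_RELAY = """Dear PMC,

The report below was forwarded by the security team.

Reporter: Jane Doe <jane@example.invalid>
Summary: path traversal in an example endpoint
"""
SAMPLE_BOT_RELAY = SAMPLE_RELAY.replace("Jane Doe <jane@example.invalid>", "Acme Scanner Bot")

ADOPTER_CONFIG = {"forwarders": {"enabled": ["asf-security"]}}
NO_FORWARDER_CONFIG = {"forwarders": {"enabled": []}}

if __name__ == "__main__":
    print(dispatch(ADOPTER_CONFIG, REGISTRY, SAMPLE_RELAY))
    print(dispatch(ADOPTER_CONFIG, REGISTRY, SAMPLE_BOT_RELAY))
    print(dispatch(NO_FORWARDER_CONFIG, REGISTRY, SAMPLE_RELAY))
```

With the adopter config the sample relay dispatches to `asf-security` with credit `Jane Doe`; the bot variant still matches the adapter but hands back `credit=None`, so the addressing block falls back to a neutral salutation; an empty `forwarders.enabled` returns without invoking any adapter, which is the byte-equivalence case for adopters that have no forwarder configured.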
