This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-steward.git
The following commit(s) were added to refs/heads/main by this push:
new 8a1a481 update specs (#469)
8a1a481 is described below
commit 8a1a481df6121b155e72d89f2911841f69d07c11
Author: Justin Mclean <[email protected]>
AuthorDate: Mon Jun 8 16:30:46 2026 +1000
update specs (#469)
---
tools/spec-loop/.last-sync | 1 +
tools/spec-loop/specs/cve-tooling.md | 11 +++++++++++
tools/spec-loop/specs/overview.md | 8 ++++----
tools/spec-loop/specs/pairing-mode.md | 22 +++++++++++++---------
4 files changed, 29 insertions(+), 13 deletions(-)
diff --git a/tools/spec-loop/.last-sync b/tools/spec-loop/.last-sync
new file mode 100644
index 0000000..52b6b76
--- /dev/null
+++ b/tools/spec-loop/.last-sync
@@ -0,0 +1 @@
+043b48d5e56e30ab84f83da92c50566f471e18fe
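Review bot: `.last-sync` holds a bare commit hash with no note of which repository or branch it was synced from, so a reader of this spec directory cannot tell what `043b48d5…` refers to or how to refresh it. Add a line to the spec-loop documentation naming the upstream repository and the sync step that writes this file, and have whatever consumes it check that the content is a single 40-hex-character value before using it.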
diff --git a/tools/spec-loop/specs/cve-tooling.md
b/tools/spec-loop/specs/cve-tooling.md
index e578af0..83d05c6 100644
--- a/tools/spec-loop/specs/cve-tooling.md
+++ b/tools/spec-loop/specs/cve-tooling.md
@@ -34,6 +34,13 @@ reviewable.
issue's template fields (multiple credits, multiple reference URLs,
`>= X, < Y` version ranges) and emits `containers.cna` JSON matching
Vulnogram's export shape, plus the Vulnogram `#json` paste URL.
+- `tools/cve-tool-vulnogram/oauth-api/` — a `uv` project exposing three
+ console scripts (`vulnogram-api-setup`, `vulnogram-api-record-update`,
+ `vulnogram-api-check`) that POST CVE 5.x JSON to the Vulnogram HTTP
+ API via an ASF-OAuth session cookie, replacing the copy-paste-into-`#source`
+ flow. The skill detects session expiry via `vulnogram-api-check` and
+ falls back to the manual paste path when the session is not configured
+ or expired.
- `tools/cve-org/` — CVE.org / CVE-services helpers.
- Skill: `security-cve-allocate` — walks the (PMC-gated) allocation form,
then updates the tracker and regenerates the attached JSON via
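Review bot: the new `oauth-api` bullet says the three console scripts authenticate to the Vulnogram HTTP API via an ASF-OAuth session cookie, but it does not say where `vulnogram-api-setup` stores that cookie or how it is protected. Because this is a session cookie rather than a scoped token, the spec should name the storage location, require restrictive file permissions on it, and state that the cookie value is never echoed to logs or the console. It should also define what `vulnogram-api-check` treats as "expired" (a specific HTTP status or a redirect to login) so that the fallback to the manual `#source` paste path is deterministic rather than heuristic.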
@@ -66,9 +73,13 @@ reviewable.
```bash
uv run --project tools/cve-tool-vulnogram/generate-cve-json --group dev pytest
+uv run --project tools/cve-tool-vulnogram/oauth-api --group dev pytest
```
## Known gaps
- `stable`; drift appears if the CVE 5.x schema or Vulnogram export shape
changes upstream — caught by the tool's own tests.
+- The oauth-api's session-cookie approach is a workaround for the ASF
+ Vulnogram instance's lack of a Bearer-token API; if ASF Infra adds
+ a proper API token surface, the tool will migrate to it.
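Review bot: the new Known gaps entry frames the session-cookie approach only as a workaround for the missing Bearer-token API; it should spell out the consequences a user lives with in the meantime: the cookie carries the user's whole Vulnogram session, so it cannot be scoped to CVE record updates, its lifetime is set by the OAuth provider rather than the tool, and revoking it means ending that session. The added `uv run --project tools/cve-tool-vulnogram/oauth-api --group dev pytest` line implies a test suite; say whether it covers the expiry-detection fallback described in the previous hunk, since that is the path most likely to break when the upstream login flow changes.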
diff --git a/tools/spec-loop/specs/overview.md
b/tools/spec-loop/specs/overview.md
index 9d4881a..294b268 100644
--- a/tools/spec-loop/specs/overview.md
+++ b/tools/spec-loop/specs/overview.md
@@ -31,9 +31,9 @@ Each mode is an independently toggleable set of skills.
Maturity mirrors
| Mode | Spec | Maturity |
|---|---|---|
| Triage | [triage-mode.md](triage-mode.md) | stable (security) / experimental
(PR, issue, contributor-nomination) |
-| Mentoring | [mentoring-mode.md](mentoring-mode.md) | experimental (1 skill) |
-| Drafting | [drafting-mode.md](drafting-mode.md) | stable (security) /
experimental (issue) |
-| Pairing | [pairing-mode.md](pairing-mode.md) | experimental (1 skill) |
+| Mentoring | [mentoring-mode.md](mentoring-mode.md) | experimental (2 skills)
|
+| Drafting | [drafting-mode.md](drafting-mode.md) | stable (security) /
experimental (issue, audit-finding-fix) |
+| Pairing | [pairing-mode.md](pairing-mode.md) | experimental (2 skills) |
> **Auto-merge** is the fifth MISSION mode but is deliberately **off** by
> sequencing policy (`.asf.yaml` `allow_auto_merge: false`) — it has no
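Review bot: the Mentoring row now reads "experimental (2 skills)" and the Drafting row adds `audit-finding-fix`, but neither `mentoring-mode.md` nor `drafting-mode.md` is among the four files this commit touches (`.last-sync`, `cve-tooling.md`, `overview.md`, `pairing-mode.md`), so the overview table may be ahead of the per-mode specs it links to. Confirm those two specs already state the new counts and skill names, or include their updates in the same sync so the table and its link targets do not drift.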
@@ -50,7 +50,7 @@ Each mode is an independently toggleable set of skills.
Maturity mirrors
| CVE tooling | [cve-tooling.md](cve-tooling.md) |
| Security reporting & dashboards |
[security-reporting.md](security-reporting.md) |
| Adoption & setup | [adoption-and-setup.md](adoption-and-setup.md) |
-| Adapters (Gmail / PonyMail / Jira / GitHub / mail-source) |
[adapters.md](adapters.md) |
+| Adapters (Gmail / PonyMail / Jira / GitHub / mail-source / forwarder-relay /
mail-archive / github-body-field / github-rollup) | [adapters.md](adapters.md) |
| Meta & quality tooling |
[meta-and-quality-tooling.md](meta-and-quality-tooling.md) |
## The non-negotiables every area inherits
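Review bot: the Adapters row now enumerates forwarder-relay, mail-archive, github-body-field and github-rollup, yet `adapters.md` is not touched by this commit; check that it documents all four, otherwise the row promises content the linked spec lacks. Style: the enumeration has grown long enough to wrap; keeping the overview row to "Adapters" with the full list in `adapters.md` would avoid updating two places every time an adapter is added.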
diff --git a/tools/spec-loop/specs/pairing-mode.md
b/tools/spec-loop/specs/pairing-mode.md
index da48e3f..a82edd8 100644
--- a/tools/spec-loop/specs/pairing-mode.md
+++ b/tools/spec-loop/specs/pairing-mode.md
@@ -9,7 +9,7 @@ mode: Pairing
source: >
MISSION.md § Technical scope (Pairing) and § Initial Goals ("Ship at
least one Pairing skill family in v1"). docs/modes.md § Pairing
- (experimental, 1 skill).
+ (experimental, 2 skills).
acceptance:
- At least one Pairing skill exists and validates (v1 goal).
- Pairing skills run in the developer's OWN dev loop and make no state
@@ -35,10 +35,12 @@ protecting the ASF contribution path (contributor →
committer → PMC).
- Skill: `pairing-self-review` — structured pre-flight self-review of
local changes before opening a PR. Read-only; returns a structured
report with no external writes. Ships `mode: Pairing` + `experimental`.
-- Planned follow-on: a **multi-agent review** pipeline (fans the diff
- through independent review passes, shares the self-review report
- format) — tracked as a work item in
- [`../IMPLEMENTATION_PLAN.md`](../IMPLEMENTATION_PLAN.md).
+- Skill: `pairing-multi-agent-review` — fans the diff through three
+ independent, axis-focused sub-agents (correctness, security,
+ conventions); merges findings with deduplication and severity ranking
+ into a report in the same format as `pairing-self-review`. Each pass
+ is isolated so findings from one axis cannot suppress or bias the
+ others. Read-only; no state change. Ships `mode: Pairing` + `experimental`.
## Behaviour & contract
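Review bot: the isolation claim in the new `pairing-multi-agent-review` bullet ("each pass is isolated so findings from one axis cannot suppress or bias the others") is not defined precisely enough to verify. State what the three sub-agents share (the diff alone, or also each other's outputs) and what "deduplication and severity ranking" does when two axes flag the same line with different severities (highest wins, or both kept). Since the report format is shared with `pairing-self-review`, the spec should also say whether each merged finding records the axis that produced it, so a reader can tell a security finding from a conventions one.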
@@ -59,16 +61,18 @@ protecting the ASF contribution path (contributor →
committer → PMC).
1. ≥1 Pairing skill exists, validates, and is read-only/hand-back.
2. `docs/modes.md` Pairing row reflects the shipped count and status.
+3. `pairing-multi-agent-review` fans through three independent passes
+ and merges findings without cross-pass anchoring.
## Validation
```bash
-ls .claude/skills/ | grep -q '^pairing-' && echo "pairing skill present" ||
echo "GAP: no pairing skill"
+ls .claude/skills/ | grep -q '^magpie-pairing-' && echo "pairing skills
present" || echo "GAP: no pairing skills"
uv run --project tools/skill-and-tool-validator --group dev
skill-and-tool-validate
```
## Known gaps
-- **`experimental` — no adopter pilot has run.** `pairing-self-review`
- shipped; the multi-agent review pipeline is the next planned skill.
- No contributor-sentiment evaluation has run yet; shape may change.
+- **`experimental` — no adopter pilot has run.** Both `pairing-self-review`
+ and `pairing-multi-agent-review` shipped; no contributor-sentiment
+ evaluation has run yet; shape may change.
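Review bot: the validation grep now matches `^magpie-pairing-`, while every skill name in this spec (`pairing-self-review`, `pairing-multi-agent-review`) lacks the `magpie-` prefix, so either the on-disk directory names differ from the documented skill names, or the check will always print "GAP: no pairing skills"; state the naming convention in the spec or align the pattern. `grep -q` also only proves at least one match, whereas the spec now claims two skills; `ls .claude/skills/ | grep -c '^magpie-pairing-'` compared against 2 would check the count. Acceptance item 3 ("fans through three independent passes and merges findings without cross-pass anchoring") has no corresponding line in the Validation section, so it currently cannot fail.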