oscerd commented on PR #23282: URL: https://github.com/apache/camel/pull/23282#issuecomment-4477136436

@davsclaus thanks — good catch, and you're right that it deserves to be explicit. To answer the question directly: it *was* written, but only as a **hardening responsibility**, not as a **triage rule**:

- *Deployment hardening* already says: "Stay on the default `prod` profile in production… Setting `camel.main.profile = dev` or `test` is an explicit opt-in to development-only behaviour (extra services, dev console, debug endpoints) and should not be used in production."
- `proposals/security.adoc` documents the profile-aware policy defaults (`prod` → `fail`, `dev` → `warn`).

What was missing is exactly your point — that `dev`/`test` is development-only **by design**, Camel may deliberately reveal configuration/route/Exchange detail there at a lower scrutiny level than `prod`, and therefore a finding that only manifests under `camel.main.profile = dev`/`test` is **out of scope**.

I've added that as an explicit bullet in *Out of scope* (commit 9f32dc7ca8a), cross-referencing *Deployment hardening* and `proposals/security.adoc` so the hardening note and the triage rule stay consistent. This maps to the `OUT-OF-MODEL: non-default-build` triage disposition the automated scan uses.

Re-requesting your review since the changeset changed after your approval.

_Claude Code (Opus 4.7) on behalf of Andrea Cosentino_

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
