andrewmusselman commented on issue #33: URL: https://github.com/apache/tooling-agents/issues/33#issuecomment-4491672708
Closing — this is fixed in both `asvs_bundle.py` and `asvs_audit.py`. Verified the per-namespace load loop now matches the proposed contract:

- `namespaces[0]` is treated as primary and gets the `include_files` filter
- Subsequent namespaces load fully without filtering
- The "No files found" guard checks `primary_file_count` rather than the combined `all_files` size, so an audit can't proceed with only guidance docs loaded
- Per-namespace log lines emit on every run, naming each ns as `primary`, `supplemental-guidance`, or `supplemental-code` with key counts

The implementation went a bit further than the original proposal:

**Supplemental namespaces are now sub-classified.** `audit_guidance:*` namespaces are recognized specifically and their keys flow into a separate `guidance_keys` set. Other supplemental namespaces (vendored libs, related-repo overlays, config) flow into `supplemental_keys` and are rendered as source code in the Opus prompt. Both bypass `include_files` / SKIP / relevance filters.

**Guidance docs render in a dedicated prompt section.** Rather than appearing alongside source files, files from `audit_guidance:*` namespaces are pulled out of the regular `relevant_files` rendering and inserted under a `## Project Security Guidance (Authoritative)` heading. This is the prompt-edit change mentioned as "probably worth it but lives in its own issue" — it ended up bundled here because the sub-classification made it cheap to wire up.

**Filter-exempt across the pipeline.** The `supplemental_keys` set is also threaded into the relevance filter (line ~581 and onward in `asvs_audit.py`) and the include_files re-check (~603), so a supplemental file can't be dropped at a later stage either.

**Fallback when discovery emits bad include_files patterns.** If the primary namespace has files but `include_files` matches zero of them (e.g., Sonnet hallucinated paths, repo-layout drift, `**` quirk), the bundle now falls back to the unfiltered key list with a clear log warning naming the first 5 bad patterns. Costs more tokens than ideal but avoids the previous "No files found" abort that produced empty stubs.

Per-namespace log lines look like:

```
[bundle] namespace 'files:apache/airflow' (primary): 412 keys after include_files filter
[bundle] namespace 'audit_guidance:airflow' (supplemental-guidance): 4 keys (no filter)
```

This is in production — recent airflow-core and task-sdk runs show the `(supplemental-guidance)` lines on every bundle call, and the previously contradicted-by-AGENTS.md findings (DFP/Triggerer DB access, Scheduler-runs-user-code, multi-team isolation) are no longer surfacing.

Two follow-up items mentioned in the original issue that remain open as separate work, not blocking close:

1. Per-section filtering of supplemental namespaces (only load certain guidance keys for certain ASVS sections). Not needed yet; all keys load for every call.
2. There's a separate live observation that prompted three additional `audit_guidance:*` files this week — `external_auth_manager_credential_lifecycle.md`, `airflow_ui_bearer_token_no_cookies.md` for airflow, plus the log4net `configuration_trust_boundary.md` and `adonet_appender_legacy_sql.md`. Those work because of this fix.
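A minimal sketch of the load contract described in the comment above, added here as an illustration and not taken from `asvs_bundle.py` or `asvs_audit.py`. The names `load_bundle`, `classify` and `SAMPLE_STORE`, the dict-backed store, and the use of `fnmatch` for pattern matching are all assumptions.

```python
import fnmatch
import logging

log = logging.getLogger("bundle")

# Constructed sample data: {namespace: {key: content}}; not from the project.
SAMPLE_STORE = {
    "files:example/repo": {"src/app.py": "...", "docs/readme.md": "..."},
    "audit_guidance:example": {"AGENTS.md": "..."},
    "files:example/vendored": {"vendor/lib.py": "..."},
}

def classify(index, namespace):
    """namespaces[0] is primary; audit_guidance:* is guidance; the rest is code."""
    if index == 0:
        return "primary"
    if namespace.startswith("audit_guidance:"):
        return "supplemental-guidance"
    return "supplemental-code"

def load_bundle(store, namespaces, include_files):
    """Hypothetical loader; returns (all_files, guidance_keys, supplemental_keys)."""
    all_files, guidance_keys, supplemental_keys = {}, set(), set()
    primary_file_count = 0
    for i, ns in enumerate(namespaces):
        role, keys = classify(i, ns), list(store.get(ns, {}))
        if role == "primary":
            if include_files:  # assumption: an empty pattern list means "no filter"
                matched = [k for k in keys
                           if any(fnmatch.fnmatch(k, p) for p in include_files)]
                if keys and not matched:
                    # Fallback: files exist but no pattern matched, keep them all.
                    log.warning("[bundle] include_files matched 0 of %d keys; "
                                "first bad patterns: %s", len(keys), include_files[:5])
                    matched = keys
                keys = matched
            primary_file_count = len(keys)
            log.info("[bundle] namespace %r (%s): %d keys after include_files filter",
                     ns, role, len(keys))
        else:
            # Supplemental namespaces load fully and are tracked as filter-exempt.
            target = guidance_keys if role == "supplemental-guidance" else supplemental_keys
            target.update(keys)
            log.info("[bundle] namespace %r (%s): %d keys (no filter)", ns, role, len(keys))
        all_files.update((k, store[ns][k]) for k in keys)
    if primary_file_count == 0:
        # Guard on the primary count, not len(all_files): guidance alone is not auditable.
        raise ValueError("No files found")
    return all_files, guidance_keys, supplemental_keys
```

Later pipeline stages would consult `guidance_keys` and `supplemental_keys` before dropping any file, which is what keeps supplemental content exempt from the relevance and `include_files` re-checks.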
