potiuk opened a new pull request, #165: URL: https://github.com/apache/airflow-steward/pull/165
## Summary

- Rename the triage disposition `NOT-CVE-WORTHY` → `INVALID` across `.claude/skills/security-issue-triage/`, `.claude/skills/security-issue-invalidate/`, `AGENTS.md`, `docs/security/process.md`, `docs/security/README.md` (33 occurrences across 5 files).
- No semantic change — `INVALID` is the same bucket, with the same chained skill (`/security-issue-invalidate`) and the same `invalid` GitHub label as before.

## Rationale

Surfaced in Slack discussion (raboof flagged the asymmetry). Three reasons to rename:

1. **Symmetry** — `VALID` / `INVALID` reads cleaner than `VALID` / `NOT-CVE-WORTHY`; the other classes (DEFENSE-IN-DEPTH, INFO-ONLY, PROBABLE-DUP) all describe what they *are*, not what they *aren't*.
2. **Matches the chained skill name** (`/security-issue-invalidate`) and the resulting `invalid` label.
3. **More precise** — `DEFENSE-IN-DEPTH` and `INFO-ONLY` are *also* "not CVE-worthy"; what distinguishes this bucket is that the **report is wrong / by-design / out-of-scope**, i.e. invalid.

## Test plan

- [x] `prek run --files <changed-files>` — all hooks green (markdownlint, typos, skill-validate, …).
- [x] No remaining occurrences of `NOT-CVE-WORTHY` anywhere in the tree (`grep -r` returns empty).
- [ ] Read-through review — confirm the new name reads naturally everywhere it appears (especially the canned-response precedent tables in `security-issue-triage/SKILL.md` Step 2.x).

Generated-by: Claude Code (Claude Opus 4.7)
