potiuk opened a new pull request, #374: URL: https://github.com/apache/airflow-steward/pull/374
## Summary

Two behavioural additions to bulk-mode sync, both surfaced during a 24-tracker sync session this week:

- **Per-CVE-change pause** — bulk mode buckets trackers into CVE-affecting (walked individually, one confirmation per record) vs non-CVE-affecting (bundled). Catches judgment drift the five pre-push gates can't catch.
- **6th pre-push hygiene gate** — anonymise private-scanner product names and individual finder names from public-facing CVE fields when the report came in through a private channel. Audit trail stays untouched. New `projects/_template/scanner-products.md` declares the per-project private-scanner token list and anonymise-policy contract (HackerOne/huntr.dev/self-credit exempt-case rules).

## Test plan

- [x] All eval cases discovered (28 total, +3 new bulk-orchestration cases)
- [ ] `PYTHONPATH=tools/skill-evals/src python3 -m skill_evals.runner tools/skill-evals/evals/security-issue-sync/` — run in `--cli` mode against a model under test to verify expected.json matches
- [ ] Manual smoke: dry-run `sync all open` on `airflow-s/airflow-s` to confirm the bucket+walk surfaces correctly

## Notes for reviewers

- The per-CVE-change pause has no `--bundled` override. That's intentional — the per-record round-trip cost is the point.
- The anonymise gate's exempt cases (public HackerOne/huntr.dev URL, self-credit on `security@`, org-disclosed channel) are listed in [`projects/_template/scanner-products.md`](https://github.com/apache/airflow-steward/blob/main/projects/_template/scanner-products.md). Each adopter declares their own scanner-product token list.
- Mode-economics impact: bulk mode now spends more confirmation round-trips per sync run (one per CVE-affecting tracker). The eval suite covers the bucketing logic; the round-trip cost is documented in the SKILL.md rationale but is intrinsic to the safety guarantee.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
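To make the two behaviours in the PR description concrete, here is an added, hypothetical sketch of the bucketing step and the sixth hygiene gate. It is example code written for this page, not code from apache/airflow-steward: the `Tracker` dataclass, the channel names in `EXEMPT_CHANNELS`, the scanner product names in `SCANNER_TOKENS`, the replacement wording, and the sample trackers are all assumptions constructed for the example. The point it demonstrates is that only public-facing fields of private-channel reports are scrubbed, the audit trail is carried over untouched, exempt-channel reports pass through unchanged, and the gate refuses a push while a private token or finder name is still visible.

```python
"""Hypothetical model of bulk-mode bucketing plus the anonymise gate.
Example code for this page, not the project's own implementation."""
from dataclasses import dataclass, replace
import re

# Channels the PR lists as exempt from anonymisation (public HackerOne or
# huntr.dev report, self-credit on security@, org-disclosed). Names assumed.
EXEMPT_CHANNELS = {"hackerone", "huntr", "security@", "org-disclosed"}

# Per-project private-scanner token list (the PR keeps this in
# scanner-products.md). Product names here are constructed for the example.
SCANNER_TOKENS = ["ExampleScan Pro", "AcmeSAST"]


@dataclass
class Tracker:
    tracker_id: str
    cve_affecting: bool
    channel: str            # how the report came in
    finder: str             # individual finder named in the report ("" if none)
    public_fields: dict     # text that would be pushed to the public CVE record
    audit_trail: tuple = () # internal history; never rewritten by the gate


def bucket_trackers(trackers):
    """CVE-affecting trackers are walked one by one (one confirmation each);
    the rest are bundled into a single confirmation."""
    cve_affecting = [t for t in trackers if t.cve_affecting]
    bundled = [t for t in trackers if not t.cve_affecting]
    return cve_affecting, bundled


def needs_anonymisation(tracker):
    return tracker.channel not in EXEMPT_CHANNELS


def anonymise(tracker, scanner_tokens=SCANNER_TOKENS):
    """Return (tracker with scrubbed public fields, list of redactions).
    Exempt-channel trackers are returned unchanged; audit_trail is kept."""
    if not needs_anonymisation(tracker):
        return tracker, []
    scrubbed, redactions = {}, []
    scanner_re = (re.compile("|".join(re.escape(t) for t in scanner_tokens), re.IGNORECASE)
                  if scanner_tokens else None)
    finder_re = re.compile(re.escape(tracker.finder)) if tracker.finder else None
    for name, text in tracker.public_fields.items():
        if scanner_re:
            text, n = scanner_re.subn("a private scanner", text)
            if n:
                redactions.append((name, "scanner", n))
        if finder_re:
            text, n = finder_re.subn("an independent researcher", text)
            if n:
                redactions.append((name, "finder", n))
        scrubbed[name] = text
    return replace(tracker, public_fields=scrubbed), redactions


def hygiene_gate(tracker, scanner_tokens=SCANNER_TOKENS):
    """Sixth pre-push gate: True only if no private token or finder name
    remains in a public-facing field of a private-channel report."""
    if not needs_anonymisation(tracker):
        return True
    haystack = "\n".join(tracker.public_fields.values()).lower()
    leaked = [tok for tok in scanner_tokens if tok.lower() in haystack]
    if tracker.finder and tracker.finder.lower() in haystack:
        leaked.append(tracker.finder)
    return not leaked


# Constructed sample trackers for a dry run of the bucket-and-walk flow.
SAMPLE_TRACKERS = [
    Tracker("T-1", True, "private", "Jane Doe",
            {"description": "Found by Jane Doe using ExampleScan Pro: SSRF in webhook handler."},
            audit_trail=("report received by private email from Jane Doe (ExampleScan Pro)",)),
    Tracker("T-2", True, "hackerone", "Jane Doe",
            {"description": "Reported on HackerOne by Jane Doe."}),
    Tracker("T-3", False, "private", "",
            {"description": "Dependency bump, no CVE impact."}),
]


def run_bulk_sync(trackers=SAMPLE_TRACKERS):
    """Dry run: bucket, scrub each CVE-affecting record, run the gate, and
    count the confirmation round-trips the session would need."""
    cve_affecting, bundled = bucket_trackers(trackers)
    per_record = {}
    for t in cve_affecting:
        scrubbed, redactions = anonymise(t)
        per_record[t.tracker_id] = {
            "public_fields": scrubbed.public_fields,
            "audit_trail": scrubbed.audit_trail,
            "redactions": redactions,
            "gate_ok": hygiene_gate(scrubbed),
        }
    return {
        "confirmations": len(cve_affecting) + (1 if bundled else 0),
        "bundled": [t.tracker_id for t in bundled],
        "per_record": per_record,
    }


if __name__ == "__main__":
    for tid, r in run_bulk_sync()["per_record"].items():
        print(tid, r["gate_ok"], r["public_fields"])
```

The gate is deliberately separate from the scrubber: `anonymise` rewrites, `hygiene_gate` only inspects, so the gate also catches a public field that was edited by hand after scrubbing.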
