This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-steward.git


The following commit(s) were added to refs/heads/main by this push:
     new 03e7d168 docs(spec): sync security-issue-lifecycle to reflect 
-from-scan and -via-forwarder skills (#566)
03e7d168 is described below

commit 03e7d168dcd427b63833c8bf35a1218c15364087
Author: Justin Mclean <[email protected]>
AuthorDate: Sat Jun 27 06:10:10 2026 +1000

    docs(spec): sync security-issue-lifecycle to reflect -from-scan and 
-via-forwarder skills (#566)
    
    `security-issue-import-from-scan` (scanner on-ramp via pluggable 
scan-format adapter) and `security-issue-import-via-forwarder` (relay sub-skill 
for upstream-broker reports) both ship on main but were absent from the spec 
skill inventory.
    
    Generated-by: Claude (Opus 4.7)
---
 tools/spec-loop/specs/security-issue-lifecycle.md | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/tools/spec-loop/specs/security-issue-lifecycle.md 
b/tools/spec-loop/specs/security-issue-lifecycle.md
index 6ada3763..c070206e 100644
--- a/tools/spec-loop/specs/security-issue-lifecycle.md
+++ b/tools/spec-loop/specs/security-issue-lifecycle.md
@@ -29,10 +29,20 @@ publication, with a human gate and an audit-log entry at 
every step.
 
 ## Where it lives
 
-- Skills: `security-issue-import` (+ `-from-pr`, `-from-md`),
+- Skills: `security-issue-import` (+ `-from-pr`, `-from-md`,
+  `-from-scan`, `-via-forwarder`),
   `security-issue-triage`, `security-issue-deduplicate`,
   `security-cve-allocate`, `security-issue-fix`, `security-issue-sync`,
   `security-issue-invalidate`.
+  `security-issue-import-from-scan` is the scanner on-ramp: it ingests
+  multi-finding scan output through a pluggable scan-format adapter
+  (`tools/scan-format/`), buckets each finding for operator review, and
+  creates trackers only after per-finding confirmation.
+  `security-issue-import-via-forwarder` is the relay sub-skill: handles
+  reports relayed by an upstream broker (ASF security team or a
+  third-party disclosure platform) by applying preamble-detect,
+  credit-extract, and routing rules declared in
+  `tools/forwarder-relay/`; never mutates tracker state on its own.
 - Tools: `tools/cve-tool-vulnogram/generate-cve-json` (CVE 5.x JSON),
   `tools/cve-org`, `tools/gmail` + `tools/ponymail` (mail), and the
   `tools/privacy-llm` gate/redactor ([the privacy gate](privacy-llm-gate.md)).

Reply via email to