title: Security-issue lifecycle (end-to-end) status: stable kind: feature mode: Triage source: > MISSION.md § Rationale (“Security-issue handling is a load-bearing use case”). README.md § Skill families (security). The security skill family + tools/cve-tool-vulnogram + tools/gmail + tools/ponymail + tools/privacy-llm. acceptance:
The framework's flagship, highest-procedure flow: handle an inbound ASF security report end-to-end, from security@ import through CVE publication, with a human gate and an audit-log entry at every step.
security-issue-import (+ -from-pr, -from-md, -from-scan, -via-forwarder), security-issue-triage, security-issue-deduplicate, security-cve-allocate, security-issue-fix, security-issue-sync, security-issue-invalidate. security-issue-import-from-scan is the scanner on-ramp: it ingests multi-finding scan output through a pluggable scan-format adapter (tools/scan-format/), buckets each finding for operator review, and creates trackers only after per-finding confirmation. security-issue-import-via-forwarder is the relay sub-skill: handles reports relayed by an upstream broker (ASF security team or a third-party disclosure platform) by applying preamble-detect, credit-extract, and routing rules declared in tools/forwarder-relay/; never mutates tracker state on its own.tools/cve-tool-vulnogram/generate-cve-json (CVE 5.x JSON), tools/cve-org, tools/gmail + tools/ponymail (mail), and the tools/privacy-llm gate/redactor (the privacy gate).AGENTS.md): tracker URLs and #NNN are public-safe identifiers; tracker contents are private; the security framing of a public PR is embargoed until the advisory ships.credits[] only after the reporter confirms on the thread.uv run --project tools/skill-and-tool-validator --group dev skill-and-tool-validate uv run --project tools/cve-tool-vulnogram/generate-cve-json --group dev pytest
stable; gaps surface as drift between a skill‘s documented steps and the adapters it calls — the loop’s plan pass catches those.