)]}'
{
  "log": [
    {
      "commit": "7764748fa9b46913f3ab7cbaeee6dc42d6962ee0",
      "tree": "65cd0fb21257270980a760260f88c38aeb5a2e86",
      "parents": [
        "45a5d6f44e6034a0638e9da6ee2787f7d1cc68df"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Fri Jul 10 17:48:56 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Fri Jul 10 17:48:56 2026 -0700"
      },
      "message": "Fix maintainer count for foundation/org-named packages\n\nPyPI, npm, and crates.io now use max(registry_count,\ntotal_contributors) matching Go/Maven/RubyGems. Prevents\norg names like \u0027Pallets\u0027 or \u0027NumPy Developers\u0027 from counting\nas 1 maintainer when the GitHub repo has 30 contributors.\n"
    },
    {
      "commit": "45a5d6f44e6034a0638e9da6ee2787f7d1cc68df",
      "tree": "9cc0f4f29adf2cf37429aaaa458551cba20a048d",
      "parents": [
        "6b068f6a95eeaeb96e8d8140ff78275c3ca11180"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Fri Jul 10 17:14:11 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Fri Jul 10 17:14:11 2026 -0700"
      },
      "message": "Bernies: redirects, Go resolution, Gradle/SBT, stability, polish\n\nFix HTTP 301 redirects — follow_redirects\u003dTrue on all GitHub API\ncalls. junit-team/junit5, eclipse-ee4j/*, casbin/*, protobuf,\nreact, docker now resolve correctly.\n\nGo vanity URL resolution — gopkg.in/*, sigs.k8s.io/*, k8s.io/*\nresolved via go-import meta tag. Static map for golang.org/x,\ngo.uber.org, google.golang.org.\n\nGradle and SBT support — build.gradle, build.gradle.kts, build.sbt\nparsed for Maven coordinates. Covers Kafka, Flink, Scala projects.\n\nStability algorithm: max(active, total) for maintainer count.\nPackages with 1 active but 10+ total classified LOW (stable).\nGitHub repo dedup via _gh_repo_cache cuts API calls ~50%.\n\nReport: methodology section, uncheckable dependencies table.\nHealth cache: api_success tracking, smart validation, on-load\nrecalculation.\n"
    },
    {
      "commit": "6b068f6a95eeaeb96e8d8140ff78275c3ca11180",
      "tree": "41fba6f826124f97a02dcc9599a4eb09d5ee123b",
      "parents": [
        "2e7829477ee809cd62b620759091eee41a8fdd94"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Thu Jul 09 15:59:24 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Thu Jul 09 15:59:24 2026 -0700"
      },
      "message": "Bernies: org.apache exemption, active counting, PMC integration, rescan\n\norg.apache.* Maven deps excluded from risk flags (ASF-maintained,\n3+ PMC members by policy). GitHub contributor counting now filters\nbots and counts past-year active contributors only.\n\nSecurity agent reads per-PMC dep risk data from bernies and adds\nDependency Risks section to each PMC page. PMC pages generated for\nprojects with only dep risks too.\n\nCache-aware rescan input on bernies and action_health. Orchestrator\nbatch push concurrency lowered to Semaphore(5) for secondary rate\nlimits.\n"
    },
    {
      "commit": "2e7829477ee809cd62b620759091eee41a8fdd94",
      "tree": "7d45d49c1e56a66de228b31740bc50aa6b8417d9",
      "parents": [
        "6ad8f979af211f2c9e61c601b6be5e1078d2cecc"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jul 08 18:27:14 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jul 08 18:27:14 2026 -0700"
      },
      "message": "Fix bernies maintainer accuracy, add Go/Maven/RubyGems checkers\n\nPyPI fix: parse maintainer_email and author_email fields (comma-\nseparated Name \u003cemail\u003e format) instead of the free-text author/\nmaintainer fields which are usually empty. When email parsing\nyields ≤1 person and a GitHub URL is available in project_urls,\nfalls back to GitHub contributors API. Fixes requests showing\n1 maintainer instead of 3, pydantic showing 1 instead of 12, etc.\n\nNew ecosystem checkers:\n- RubyGems: /owners.json endpoint, falls back to GitHub via\n  source_code_uri\n- Go: module path → GitHub repo (github.com/* paths direct,\n  vanity URLs for golang.org/x, go.uber.org, google.golang.org)\n- Maven: POM from Maven Central, extracts GitHub URL from \u003cscm\u003e\n  and \u003curl\u003e tags, falls back to apache/{project} guess for\n  org.apache.* groupIds\n\nAll six checkers share get_github_maintainers() helper for\nconsistent GitHub fallback. Previously only PyPI/npm/crates.io\nwere checked (334+533+413 deps), leaving Maven (1407) and Go\n(857) with zero maintainer data.\n"
    },
    {
      "commit": "6ad8f979af211f2c9e61c601b6be5e1078d2cecc",
      "tree": "a4e7f2b495bec68591cc60f72c536c6c645e71c5",
      "parents": [
        "8dd8abd9c6cac176cf62ef419fbf754bc28270e9"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jul 08 17:46:20 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jul 08 17:46:20 2026 -0700"
      },
      "message": "Fix publishing model ID, batch push, real bernies agent\n\nFix publishing agent model ID: us.anthropic.claude-sonnet-4.6 (dot)\nwas invalid Bedrock ID. Changed to us.anthropic.claude-sonnet-4-6\n(hyphen). Root cause of empty publishing report (0 workflows).\n\nBatch push: orchestrator collects all files during pipeline, pushes\nin single commit via GitHub Git Data API. No more per-file commits\nor asvs_push_github dependency.\n\nRename gha_bernies to gha_action_health (GitHub Actions bus factor).\nNew gha_bernies does project dependency analysis: parses manifests\n(pyproject.toml, package.json, pom.xml, Cargo.toml, go.mod, Gemfile),\nqueries PyPI/npm/crates.io for maintainer counts, flags packages\nwith low bus factor.\n"
    },
    {
      "commit": "8dd8abd9c6cac176cf62ef419fbf754bc28270e9",
      "tree": "481e8ddba8be86a14414d2b4438aefa74f5931db",
      "parents": [
        "9f884c89fd892f187ad4d254cccf4d45ae5b3ddb"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jul 08 14:57:10 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jul 08 14:57:10 2026 -0700"
      },
      "message": "Add gha_bernies agent for CI supply chain bus factor analysis\n\nNew agent scans all third-party GitHub Actions used across the org\n(excludes actions/*, github/*, apache/*) and checks each for:\n- Last commit date (staleness)\n- Active contributors in the past year (bus factor)\n- Top contributor commit share (single-maintainer risk)\n- Archived/deleted status\n\nRisk classification: CRITICAL (archived, deleted, 2+ years stale),\nHIGH (1-2 years stale, zero recent contributors, \u003e80% single\ncontributor), MEDIUM (1-2 active contributors), LOW (3+ active,\nhealthy). Each risky action shows blast radius (which ASF repos\ndepend on it).\n\nReads action refs from cached workflow YAML (same 10K list_keys\nfix as security/publishing). Queries GitHub API concurrently\n(Semaphore 10). Generates bernies.md report.\n\nOrchestrator updated: runs bernies after publishing_detail,\npushes bernies.md, clears ci-bernies namespace on fresh.\nREADME updated with bernies.md link.\n\nAddresses apache/tooling-trusted-releases#1235 (automated review\nof dependencies with few maintainers).\n"
    },
    {
      "commit": "9f884c89fd892f187ad4d254cccf4d45ae5b3ddb",
      "tree": "5cb373cfd62f20c229bab658d3ad2bf531d7e932",
      "parents": [
        "8313055f393a91eeb568d6dd30ffca73cb0f709b"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jul 08 12:59:21 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jul 08 12:59:21 2026 -0700"
      },
      "message": "Removing codeowners findings and sorting review by severity\n"
    },
    {
      "commit": "8313055f393a91eeb568d6dd30ffca73cb0f709b",
      "tree": "c75636cf438b42ac7d83e96b2605f07b1a62f67b",
      "parents": [
        "71809b00cc662d80383d275099599a9a664f0566"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jul 08 12:29:12 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jul 08 12:29:12 2026 -0700"
      },
      "message": "Fix list_keys 10K cap truncating L-Z repos in security and publishing\n\nci-workflows:apache has ~12,500 keys. list_keys() caps at 10,000,\nreturning all __prefetch__/__composites__/__extras__ metadata keys\n(7,500) plus YAML content keys only for repos A through K (~2,500).\nL-Z repos were invisible to any agent scanning list_keys for YAML keys.\n\nBoth gha_security and gha_publishing now discover repos from\n__prefetch__:* metadata (always within the cap) and build explicit\nYAML key lists from the metadata workflow names, then get_many those\ndirectly. Same pattern gha_publishing_detail already used.\n\nOther agents (brief, review, json_export) read from smaller namespaces\n(ci-security at ~630 keys, ci-classification at ~3,000) and are\nunaffected.\n"
    },
    {
      "commit": "71809b00cc662d80383d275099599a9a664f0566",
      "tree": "abcb87bdf5523b704510e16ff9b50efca7d11ec8",
      "parents": [
        "d267383d841a61ea41ab11b75ba5018bf6701801"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jul 08 11:41:59 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jul 08 11:41:59 2026 -0700"
      },
      "message": "Updating gha readmes\n"
    },
    {
      "commit": "d267383d841a61ea41ab11b75ba5018bf6701801",
      "tree": "f749d1aa82eb980a4cdfc48d84af4ffe93d2c40c",
      "parents": [
        "896e186e0a9994abc2202117248cd2f02379c1db"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jul 08 11:22:56 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jul 08 11:22:56 2026 -0700"
      },
      "message": "Restructure reports into channels/ and pmcs/ directories\n\nDirectory layout:\n- Channel reports move from flat gha_channel_{name}.md to channels/{name}.md\n- Per-PMC security pages generated at pmcs/{pmc}.md (88 projects)\n- channels/README.md and pmcs/README.md as directory indexes\n- Drop gha_ prefix from all output filenames\n- Drop atr_catalog.json\n\nSecurity agent (major rewrite):\n- Returns multi-file JSON: security.md + pmc-{name}.md + pmcs-index.md\n- Main security.md is severity-grouped summary linking to PMC pages\n- PMC pages have findings grouped by severity with workflow links\n  including #L{line} line numbers\n- Progress tracking via ci-security-history namespace: diffs finding\n  hashes across runs, resolved findings noted on PMC pages\n- Projects at zero findings get all-clear page with resolved history\n- missing_codeowners removed from report output (kept in scan data)\n\nPublishing detail:\n- Fix (none) category display: shows trigger type instead\n- Channel table split into Production and Staging sections\n- Channel names link to channels/{name}.md\n- Generates channels-index.md (routed to channels/README.md)\n- Publishing risks: findings link to GitHub workflow URLs and\n  publishing_detail anchors\n- npm_staging channel detection added (--staging flag, npm.pkg.github.com,\n  verdaccio)\n\nArtifact verify:\n- Wildcard package name matching across all channels: 5-7 candidate\n  names per channel using ASF naming patterns (apache-*, PMC fallback,\n  underscore/PascalCase variants)\n- atr_catalog generation dropped\n\nBrief:\n- Links updated for new structure\n- missing_codeowners removed from systemic issues\n- Full Analysis references channels/ and pmcs/ directories\n\nReview:\n- Links updated for new structure\n\nOrchestrator:\n- Routes channel-* to channels/, pmc-* to pmcs/, indexes to */README.md\n- Security handled via push_multi_file_output (was single file)\n- Generates and pushes README.md as report landing page\n"
    },
    {
      "commit": "896e186e0a9994abc2202117248cd2f02379c1db",
      "tree": "5788605a37de7e333e61ef2ba4eec23ec76347ef",
      "parents": [
        "8dfc893f4492e76047039756acf02318142e1210"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 30 20:23:10 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 30 20:23:10 2026 -0700"
      },
      "message": "Removing hard coded project name\n"
    },
    {
      "commit": "8dfc893f4492e76047039756acf02318142e1210",
      "tree": "a9fd1367d853c39289319d96f7dbdbc58b2e456c",
      "parents": [
        "517b1035bbaceb00803e55db5826355d58d39bab"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 30 09:39:45 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 30 09:39:45 2026 -0700"
      },
      "message": "Moving imports\n"
    },
    {
      "commit": "517b1035bbaceb00803e55db5826355d58d39bab",
      "tree": "d89910991a25a8ff6728106795c51f038b81dcc9",
      "parents": [
        "a60b72e17ce87390de78f41f9fb7382183f1dfe2"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 30 09:31:53 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 30 09:31:53 2026 -0700"
      },
      "message": "Moving constants\n"
    },
    {
      "commit": "a60b72e17ce87390de78f41f9fb7382183f1dfe2",
      "tree": "d857152d695682de33fd4df8c91a79431c3dc196",
      "parents": [
        "425a7dc986e1788105f7b9c8ec0cbfd8ea05e96f"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 30 09:23:11 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 30 09:23:11 2026 -0700"
      },
      "message": "Moving parse_workflow into run()\n"
    },
    {
      "commit": "425a7dc986e1788105f7b9c8ec0cbfd8ea05e96f",
      "tree": "991fd9b4ff19c40b9372622285f4fbfd0fe59af6",
      "parents": [
        "8de61e1fac4a9af8581c775c49827c7472cbd2a2"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 30 08:57:48 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 30 08:57:48 2026 -0700"
      },
      "message": "Fix gha_publishing_detail and gha_artifact_verify runtime errors\n\nThree bugs from first live run:\n\n1. Classification key format mismatch: publishing_detail looked for\n   classification:{repo} keys but publishing agent stores __meta__:{repo}\n   and {repo}:{wf_name}. Now bulk-reads all keys from ci-classification\n   namespace (same approach as gha_json_export). Also fixed\n   workflow_files -\u003e workflows in prefetch metadata access.\n\n2. Module-level function scoping: gofannon recompiles run() in a fresh\n   namespace at invocation time. Functions defined outside run() are not\n   visible. Moved _run_link, gen_overview, gen_risks, gen_channel_report\n   inside run() in publishing_detail. Moved query_registry,\n   gen_verification_report, gen_atr_catalog inside run() in\n   artifact_verify. parse_workflow stays module-level (only uses\n   constants and re, no closures over runtime state).\n"
    },
    {
      "commit": "8de61e1fac4a9af8581c775c49827c7472cbd2a2",
      "tree": "d9c886ce4fa12f8dde6e6cb090e0ad81deced151",
      "parents": [
        "7035e5b7f8f35fb56f2031ed9ba2fdff61d3b798"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 30 00:01:17 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 30 00:01:17 2026 -0700"
      },
      "message": "Putting github push agent in\n"
    },
    {
      "commit": "7035e5b7f8f35fb56f2031ed9ba2fdff61d3b798",
      "tree": "93964fe2aa09ce74f61d636988204bb9250e3c03",
      "parents": [
        "2882dcb557a4baccedd2d96f4f48108b1ff17cd1"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 30 00:00:47 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 30 00:00:47 2026 -0700"
      },
      "message": "Bumping to sonnet 4.6\n"
    },
    {
      "commit": "2882dcb557a4baccedd2d96f4f48108b1ff17cd1",
      "tree": "b575ad076d396908ec2e07a5dbd748562371be02",
      "parents": [
        "9c47711c81a83c7fa332e5eae19517169a6d4770"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 29 23:33:59 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 29 23:33:59 2026 -0700"
      },
      "message": "Replace skip_prefetch with fresh flag on orchestrator\n\nRemove skip_prefetch input (saved 1 second, risked missing new repos).\nPrefetch now always runs and relies on its cache-check logic to skip\nalready-fetched repos.\n\nAdd fresh input (default false). When true, clears all 7 CouchDB\nnamespaces for the owner before running the pipeline, eliminating\nstale data from archived repos, deleted workflows, and outdated\nclassifications. Namespaces cleared: ci-workflows, ci-classification,\nci-report, ci-security, ci-publishing-detail, ci-artifact-verify,\nci-combined.\n\nOrchestrator inputs are now: github_owner, read_pat, write_repo,\nwrite_directory, write_pat, fresh.\n"
    },
    {
      "commit": "9c47711c81a83c7fa332e5eae19517169a6d4770",
      "tree": "c5951ff9a321887c60c0a5bfef08ee4a3af53167",
      "parents": [
        "30a473c42ba63409fb29583d408ee4571be8d3db"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 29 22:57:44 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 29 22:57:44 2026 -0700"
      },
      "message": "Bulk-read prefetch cache-check keys at init\n\nhas_prefetch, has_composites, and has_extras were each calling\nworkflow_cache.get() per repo (~7,500 serial round trips on a\nwarm cache). Now bulk-reads all __prefetch__:*, __composites__:*,\nand __extras__:* keys in 3 get_many calls at startup, then checks\nthe in-memory dicts. Saves ~2.5 min on every cached run.\n"
    },
    {
      "commit": "30a473c42ba63409fb29583d408ee4571be8d3db",
      "tree": "998996ca962452f580ea96d47c64283c3397de72",
      "parents": [
        "b108d59a03603aef5c116bf15fd84160afebd0df"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 29 22:49:21 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 29 22:49:21 2026 -0700"
      },
      "message": "Bulk CouchDB operations and concurrent API calls across 7 agents\n\nReplace serial per-key get/set loops with get_many/set_many and\nsequential HTTP calls with asyncio.gather + Semaphore(10). Saves\nroughly 9-10 minutes per full pipeline run.\n\ngha_security: bulk-read all cached YAML at init via get_many (was\n~5,000 serial gets); accumulate findings in dict, flush with set_many\n(was ~1,200 serial sets); bulk-read cached findings in redacted mode.\n\ngha_publishing_detail: 3x get_many for prefetch/classification/YAML\nkeys (was ~7,400 serial gets); concurrent GitHub API run-history\nfetches with Semaphore(10) (was ~200 serial calls); set_many for\nreport writes.\n\ngha_artifact_verify: concurrent registry API queries with\nSemaphore(10) (was ~200 serial calls); set_many for results.\n\ngha_brief: get_many for all finding keys (was ~1,200 serial gets).\n\ngha_review: same get_many fix as brief.\n\ngha_json_export: get_many for classification keys and finding keys\n(was ~3,700 serial gets).\n\ngha_prefetch: fetch_single_yaml returns content instead of writing\nper-file; set_many batches all YAML + metadata per repo; composites\nand extras batched into single set_many per repo.\n"
    },
    {
      "commit": "b108d59a03603aef5c116bf15fd84160afebd0df",
      "tree": "de64360511a36ebdeabbf3c08726d8b49064da8e",
      "parents": [
        "fe983300b735a067ea761ab64bbc9cf49a83b83a"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 29 18:07:39 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 29 18:07:39 2026 -0700"
      },
      "message": "Add publishing-detail and artifact-verify agents; simplify orchestrator\n\nNew agents:\n- gha_publishing_detail: parses cached YAML for action SHAs, secret\n  inventory, test vs production target URLs, and workflow run history\n  via GitHub API. Generates per-channel reports (channel-pypi, channel-npm,\n  etc.) and dangerous-patterns analysis. Returns multi-file JSON.\n- gha_artifact_verify: queries registry APIs (PyPI, npm, Maven Central,\n  Docker Hub, crates.io, RubyGems, NuGet) to confirm what packages\n  actually exist. Cross-references with workflow claims to find verified,\n  phantom, and orphaned packages. Generates ATR catalog feed.\n\nOrchestrator rewrite:\n- Remove public/private split and Phase 3 redaction (was 8 inputs, now 5)\n- Single pass: prefetch -\u003e publishing + security -\u003e publishing-detail -\u003e\n  artifact-verify -\u003e review -\u003e brief -\u003e json-export\n- Add push_multi_file_output() for agents returning JSON with files dict\n- All output filenames prefixed gha_ with underscores\n\nAgent naming convention:\n- All agents renamed to gha_task.py (was mixed: pre-fetch.py, json-export.py)\n- Docstrings open with gha_task on the first line\n- Gofannon agent names match: gha_prefetch, gha_publishing, etc.\n- Orchestrator run_agent() calls updated from asf_gha_* to gha_*\n\nNew docs:\n- publishing-enrichment-plan.md: channel registry (22 channels with\n  test/prod targets), best practices per\n"
    },
    {
      "commit": "fe983300b735a067ea761ab64bbc9cf49a83b83a",
      "tree": "60e08047db9e77c4eb3d3556eaa0a15a41d5b68c",
      "parents": [
        "02658381ce7065ebfa2caea6d2415e810208112b"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 29 17:14:07 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 29 17:14:07 2026 -0700"
      },
      "message": "asvs_consolidate: flag same-CWE/same-area findings with divergent severities\n\nA Groovy audit rated an asSql() SQL-injection finding Critical while two\nsibling CWE-89 findings in the same subproject (groovy-sql) were rated Medium.\nThe finding was real and correctly kept by the relevance filter; only the\nseverity label was inflated by impact/CWE reflex. Nothing flagged the\ninconsistency for review.\n\nAdd a deterministic calibration check after global_id assignment: group\nfindings by (CWE, top-level code area \u003d first 3 path segments of the primary\naffected file), and flag any group with 2+ findings spanning 2+ severities.\nRender the flagged groups as a Severity Calibration Review section in\nconsolidated.md listing each group\u0027s findings and their severities.\n\nReview-only: does NOT change any severity (divergence is sometimes legitimate\non exploitability grounds) — it surfaces the groups so an inflated or deflated\nlabel gets a human second look. Pure grouping + comparison, no model judgment.\n\nTested against the Groovy finding set: flags the CWE-89 groovy-sql group\n(FINDING-001 Critical vs 003/004 Medium) and leaves the lone CWE-611 finding\nunflagged.\n\nThis is the deterministic backstop for severity inflation. The judgment-side\nfixes (exploitability-aware severity rubric in the auditor; threat-model\nseverity dampening) are tracked separately as enhancements.\n\nSingle-agent update (redeploy asvs_consolidate only; no service restart).\n"
    },
    {
      "commit": "02658381ce7065ebfa2caea6d2415e810208112b",
      "tree": "ea90678dc19c44c6652f15e985aef1db43d8e6f3",
      "parents": [
        "d951e5704bdc3fb4c43291d558e85bbd70b49352"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 29 15:27:28 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 29 15:27:28 2026 -0700"
      },
      "message": "asvs_push_github: stop forcing .md onto filenames that already have an extension\n\nThe push agent appended .md to any name not ending in .md, so metadata.yml\nbecame metadata.yml.md (and rendered as markdown, collapsing its newlines).\nDefault to .md only when the basename has no extension; leave explicit\nextensions (.yml, .txt) untouched.\n"
    },
    {
      "commit": "d951e5704bdc3fb4c43291d558e85bbd70b49352",
      "tree": "8165d0fd46c4614f3db9b7db568d43aafcd96888",
      "parents": [
        "437b3354983a6c0060483b65de388a3bc5fd1ef4"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 29 15:27:10 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 29 15:27:10 2026 -0700"
      },
      "message": "asvs_orchestrate: fix empty findings_total in metadata.yml\n\nThe findings_total regex looked for Total findings: N, which consolidate\nnever prints (it emits Total consolidated findings ..., Total extracted\nfindings ..., or -\u003e N findings), so the value rendered empty. Read the\nauthoritative count from the persisted consolidated_findings:{ns} structured\ndata, with a corrected regex fallback. Render empty/None yml values as null so\na missing value can\u0027t fuse with the next line.\n"
    },
    {
      "commit": "437b3354983a6c0060483b65de388a3bc5fd1ef4",
      "tree": "2723dac7baba5d98cd5b0767c5f892427bc55d6a",
      "parents": [
        "5c12e53503f970f1a75d59e78f0542a2a83b11a4"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 29 14:33:55 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 29 14:33:55 2026 -0700"
      },
      "message": "asvs_relevance_filter: match hyphenated and well-known security-doc names\n\nDiscovery patterns and the _doc_priority tier-1 list were missing common\nreal-world naming variants, so a project\u0027s threat model could be skipped or\ndemoted purely by filename. Add (both to SOURCE_DOC_PATTERNS and tier-1):\n- hyphenated threat models: threat-model.md/.rst, threat-modeling.md/.rst\n  (root and any depth) alongside the existing threatmodel / threat_model forms\n- security-policy.md/.rst (root and any depth)\n- RFC 9116 security.txt and .well-known/security.txt\n\nTier-2 substring match also broadened to catch threat-model. Matching is\nlowercased on both sides, so case variants (THREAT_MODEL.md, SECURITY-POLICY.md)\nare covered. This complements the link-follower (5ed3678): link-following\nrescues docs a policy file points to, these patterns catch well-named docs\nnobody links to. Names joined by hyphen, underscore, or concatenation are now\nfound and tier-1-promoted; a doc reachable by neither a pattern nor a link\nremains out of scope (see the content-based-discovery follow-up.\n"
    },
    {
      "commit": "5c12e53503f970f1a75d59e78f0542a2a83b11a4",
      "tree": "b3701f1c52c3f68ec00080dda25ab1b70b932b1f",
      "parents": [
        "03fdf054c470ec62ae2de79c17e6bf8c677f78f6"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 29 14:33:29 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 29 14:33:29 2026 -0700"
      },
      "message": "asvs_orchestrate: restore issue/PR cross-reference wiring dropped in 7833bff\n\nThe scans-style path + metadata.yml change (7833bff) inadvertently deleted\nboth cross-reference wiring blocks. They sat immediately adjacent to the two\nregions that commit rewrote: the issue/PR snapshot fetch was right before the\nold repo_path_segment line that the new path layout replaced, and the\ncompare-and-push block was right after Consolidation done where the metadata.yml\nwriter was inserted. Each edit swallowed one block as collateral, so runs since\n7833bff produced no snapshot and no issues_cross_reference.md (caught on the\ngroovy run: no Issue/PR snapshot line in the log, grep -c asvs_fetch_issues_prs\nreturned 0).\n\nRestores both blocks to their pre-7833bff form, keeping all of 7833bff\u0027s\npath/metadata work:\n- Fetch (after commit-hash resolution): snapshot open issues + PRs pinned to\n  commit_hash into issues_prs:{repo}@{sha}, with the issue/PR count logging.\n- Compare (after consolidation, before the metadata writer): asvs_compare_open_issues_prs\n  returns report_md, which the orchestrator pushes as issues_cross_reference.md\n  via asvs_push_github, with the tracked/addressed/unaddressed summary logging.\n  Ordered before the metadata writer so the file exists when supporting_files\n  is enumerated, and sets cross_reference_done so that branch is no longer dead.\n"
    },
    {
      "commit": "03fdf054c470ec62ae2de79c17e6bf8c677f78f6",
      "tree": "2dc9328a8cb82903c09d71786904251aabb8e493",
      "parents": [
        "7833bffc377a8d06cb3cec73651a912033745d56"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Sun Jun 28 19:20:09 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Sun Jun 28 19:20:09 2026 -0700"
      },
      "message": "Comment fix\n"
    },
    {
      "commit": "7833bffc377a8d06cb3cec73651a912033745d56",
      "tree": "cb7ec64f9e5291275703424e91850176880ad4e8",
      "parents": [
        "5ed367898b65fc9f36569d69fbb83535d3e111b0"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Sat Jun 27 13:01:49 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Sat Jun 27 13:01:49 2026 -0700"
      },
      "message": "asvs_orchestrate: write reports in scans-style path layout with metadata.yml\n\nReplace the {project}/{subpath}/{hash} output tail with a nested layout that\nmirrors the repo path under the org and carries scan identity in the leaf dir,\nplus a per-scan metadata.yml manifest. outputDirectory is now just the base\n(e.g. scans); the pipeline builds the rest.\n\nPath: {base}/{repo}[/{sub-path}]/{leaf}\n  leaf \u003d {repo}[-{sub-path-segments}]-{YYYY-MM-DD}-{short_sha}\nThe model leaves the path (it is recorded in metadata.yml instead).\n\nNaming reflects the REAL path only, never synthesized:\n- all of fineract        -\u003e scans/fineract/fineract-DATE-SHA\n- all of superset        -\u003e scans/superset/superset-DATE-SHA\n- superset/superset      -\u003e scans/superset/superset/superset-superset-DATE-SHA\n- airflow providers/google -\u003e scans/airflow/providers/google/airflow-providers-google-DATE-SHA\nA whole-repo run is single; doubling happens only when a sub-path genuinely\nexists.\n\nmetadata.yml is written into the leaf dir after consolidation via\nasvs_push_github (best-effort; never fails the run): project, repo, head_sha,\nshort_sha, scan_date, audit_models, asvs_level, threat_model URL,\nfindings_total, the supporting_files actually present, and sanity_check\nfields defaulting to PENDING/UNSET.\n\nNote: reports_namespace is derived from the constructed output_directory, so\nnew runs key off the longer scans-style path; existing reports stay at the old\nlayout. audit_models is currently a fallback list (no model constant in the\norchestrator); wire an auditModels input if per-run accuracy is needed.\n\nSingle-agent update (redeploy asvs_orchestrate only; no service restart).\n"
    },
    {
      "commit": "5ed367898b65fc9f36569d69fbb83535d3e111b0",
      "tree": "a81a30a69b9d203e026e3430c54b5c4b12465234",
      "parents": [
        "4921b73e4587cdcb8f6407d2cd74ba1e9f809774"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Thu Jun 25 15:11:15 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Thu Jun 25 15:11:15 2026 -0700"
      },
      "message": "asvs_relevance_filter: follow links from policy docs to their targets\n\nSECURITY.md often points to the real threat model rather than containing it\n(e.g. see docs/reference/security.md for trust boundaries and design\ndecisions). Discovery was filename-pattern-bound and priority was basename-\nbound, so a linked threat model was found and tier-1-promoted only by luck of\nits filename; the explicit link was ignored. Phase 1 now extracts relative\nlinks from discovered policy docs (tiers 1-3) to repo-local .md/.rst/.txt\nfiles, fetches them (local source namespace, then GitHub), and adds each at\nthe SAME priority as the linking doc, so a doc SECURITY.md designates as the\nthreat model inherits tier 1 by designation, not filename. One hop, capped at\n12, deduped, rejects external/anchor/mailto links, fail-soft. Single-agent\nupdate, no service restart.\n"
    },
    {
      "commit": "4921b73e4587cdcb8f6407d2cd74ba1e9f809774",
      "tree": "7b04fb44ef47ad0749f886ccd8003ee60581e190",
      "parents": [
        "895fc67b9389818565dd3c32aed9915ebdd9f8d4"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Fri Jun 19 00:02:05 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Fri Jun 19 00:02:05 2026 -0700"
      },
      "message": "Update AI Tooling readout\n"
    },
    {
      "commit": "895fc67b9389818565dd3c32aed9915ebdd9f8d4",
      "tree": "5a851436a0dcf48208c95bb754bec015ead48425",
      "parents": [
        "b19c721f2d7cae64e1b2de392daad8956b1a77c6"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Thu Jun 18 23:58:59 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Thu Jun 18 23:58:59 2026 -0700"
      },
      "message": "Adding AI Tooling readout\n"
    },
    {
      "commit": "b19c721f2d7cae64e1b2de392daad8956b1a77c6",
      "tree": "d7bc9155c37a8a72d2da3aaed701bc6eed5015e7",
      "parents": [
        "a3fafe80fde90be246656e41722c924d757eb6da"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Thu Jun 18 14:19:45 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Thu Jun 18 14:19:45 2026 -0700"
      },
      "message": "asvs_discover: handle domain-generation JSON truncation on large repos\n\nDomain generation hit max_tokens\u003d32000 and truncated mid-JSON on large\nrepos (hadoop), so json.loads failed with a cryptic Expecting , delimiter\nerror and the whole run aborted with Failed to generate security domains.\nThe output scales with repo file count, not domain count — the per-domain\nfiles arrays echo every path — so the biggest repos overflow first.\n\n- Raise domain-gen max_tokens 32000 -\u003e 64000 (near Sonnet\u0027s practical output\n  ceiling; covers large repos but is NOT unbounded — a big enough repo can\n  still overflow, which the salvage below handles).\n- Truncation-tolerant parse: call_llm returns only (content, thoughts) with no\n  finish_reason, so truncation is detected structurally. Try parse as-is; on\n  failure attempt _repair_truncated_json (close unterminated strings/arrays/\n  objects, drop the dangling partial element) and re-parse; recovered domains\n  proceed and the orchestrator\u0027s chapter-pass fallback covers any unassigned\n  sections. If repair also fails, log a precise diagnostic naming truncation\n  plus the offset instead of the cryptic delimiter error.\n\n_repair_truncated_json is nested inside run() per the gofannon recompile\nconvention. Tested against mid-string, mid-array, and dangling-comma\ntruncation: recovers all complete domains, trims the partial last one to its\ncomplete files, leaves valid JSON intact.\n\nSingle-agent update (redeploy asvs_discover only; no service restart). The\nrare unrecoverable case still fails the run, but loudly and diagnosably.\n"
    },
    {
      "commit": "a3fafe80fde90be246656e41722c924d757eb6da",
      "tree": "297f12e51e6c50402e96ef04938c0d43dad68090",
      "parents": [
        "0f68f09698ccd27d961206b68d8cdb70bdcc2bf1"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jun 17 09:23:05 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jun 17 09:23:05 2026 -0700"
      },
      "message": "asvs_compare_open_issues_prs: move _parse_findings/_render_md inside run()\n\ngofannon recompiles run() in a fresh namespace; module-level helpers aren\u0027t\nin scope at call time (NameError: _render_md not defined). Nest both helpers\ninside run() like the other agents. Verified by compiling run() in isolation.\n"
    },
    {
      "commit": "0f68f09698ccd27d961206b68d8cdb70bdcc2bf1",
      "tree": "09580f20d68b514b245fe70de47e721376b2f0c5",
      "parents": [
        "b558748366a855c8ddd1ba8a6e257bceb8db4d05"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 16 16:11:23 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 16 16:11:23 2026 -0700"
      },
      "message": "asvs: cross-reference findings against open issues/PRs\n\nAfter consolidation, cross-reference each finding against a commit-pinned\nsnapshot of the repo\u0027s open issues and PRs, so already-tracked or\nin-flight-fix findings are flagged. Writes issues_cross_reference.md\nalongside consolidated.md / issues.md (additive; does not modify them).\n\nNew agents:\n- asvs_fetch_issues_prs (no model): snapshots open issues + open PRs (with\n  changed files) to issues_prs:{repo}@{sha}, pinned to the audit\u0027s commit so\n  the comparison is against a fixed point. GitHub GraphQL, paginated, no\n  coverage cap, rate-limit aware. Requires a token.\n- asvs_compare_open_issues_prs (Sonnet 4.6, temp 0.7, max_tokens 4096): reads\n  the structured findings, deterministic pre-filter (file-path / CWE /\n  keyword) to candidates per finding, Sonnet adjudicates survivors\n  (TRACKS / ADDRESSES / RELATED / UNRELATED). Annotates and links, never\n  deletes.\n\nUpdated:\n- asvs_consolidate: persist structured findings to\n  consolidated_findings:{reports_namespace} (additive, best-effort) so the\n  compare agent reads clean JSON instead of parsing markdown.\n- asvs_orchestrate: wire the snapshot fetch after commit-hash resolution and\n  the compare after consolidation succeeds; both best-effort, never abort the\n  run. Always-on, no flag.\n"
    },
    {
      "commit": "b558748366a855c8ddd1ba8a6e257bceb8db4d05",
      "tree": "9a42fef84013a7c986c453bbcbe21189b7832121",
      "parents": [
        "7f89a0e44a373f4033c723d0541eb309843fbaf4"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 16 14:59:58 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 16 14:59:58 2026 -0700"
      },
      "message": "Adding links to implementations\n"
    },
    {
      "commit": "7f89a0e44a373f4033c723d0541eb309843fbaf4",
      "tree": "f02d5951d21d969cba2468ac4c464aa0cb6c5a6b",
      "parents": [
        "e83efa312b9fffa5135122564d31fe75bc823ec0"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 16 14:53:08 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 16 14:53:08 2026 -0700"
      },
      "message": "Clarifying clients\n"
    },
    {
      "commit": "e83efa312b9fffa5135122564d31fe75bc823ec0",
      "tree": "3b4472e3b996b157aef494034a72b5c18d57f2c1",
      "parents": [
        "acdd0233e04012a4da248a585c878a9022983982"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 16 14:51:11 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 16 14:51:11 2026 -0700"
      },
      "message": "Clarifying clients\n"
    },
    {
      "commit": "acdd0233e04012a4da248a585c878a9022983982",
      "tree": "78edfde6256475991dbf6237f4b0550f9872817b",
      "parents": [
        "1f35396b760260eec7d4680c2ff076d8c9753bff"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Tue Jun 16 17:19:53 2026 -0400"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue Jun 16 14:19:53 2026 -0700"
      },
      "message": "Add security-team processing report for the opus-4.8 Airflow ASVS scans (#45)\n\nCross-scan overview of how the Airflow security team triaged the three\nopus-4.8 scans (airflow-core, task-sdk, providers/google): per-scan\noutcomes, disposition percentages, severity-vs-reality analysis, and an\nassessment of what the scanner is and isn\u0027t good for. Per-finding triage\ndiscussion remains on issues #23, #24, and #34."
    },
    {
      "commit": "1f35396b760260eec7d4680c2ff076d8c9753bff",
      "tree": "615eb1edff7af380262e5c203367f8aca73b6def",
      "parents": [
        "2eae6b3118abc3b3717ca91b33b88c7b7a181757"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 16 13:36:44 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 16 13:36:44 2026 -0700"
      },
      "message": "Clarifying boxes in readme\n"
    },
    {
      "commit": "2eae6b3118abc3b3717ca91b33b88c7b7a181757",
      "tree": "212cce73014c248aec12bc9de5b27dc2ab86bea4",
      "parents": [
        "b2497eb744d62b7c19fdd7bacf64b8725486cae6"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 16 12:54:24 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 16 12:54:24 2026 -0700"
      },
      "message": "docs: reorganize around RAI\n"
    },
    {
      "commit": "b2497eb744d62b7c19fdd7bacf64b8725486cae6",
      "tree": "99bcb5b2d453d5e749e505291312084300a8ab8b",
      "parents": [
        "e6d22ec8a8ffd7f38dd11b1e2c60bb7de457b9ca"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 15 20:20:39 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 15 20:20:39 2026 -0700"
      },
      "message": "Aligning input/output schemata\n"
    },
    {
      "commit": "e6d22ec8a8ffd7f38dd11b1e2c60bb7de457b9ca",
      "tree": "95e3e9935e9126f2f0a003346b9b10fa2ab87de9",
      "parents": [
        "0c2583d5e0da8e70abcf8b2036af766ea3ff05e4"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 15 19:28:57 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 15 19:28:57 2026 -0700"
      },
      "message": "asvs_job_runner: convert from imported class to job-state agent\n\ngofannon has no importable modules, so  fails at runtime. Make the job runner an agent and move the\nconcurrency loop into the orchestrator.\n\n- asvs_job_runner: state-oracle agent over audit_state:{run_id}, dispatched\n  on input_dict[op] (init/claim/complete/fail/summary). Returns JSON; no\n  LLM call.\n- asvs_orchestrate: holds the semaphore and pipeline closures, calls\n  asvs_job_runner by name for each decision. Backoff sleeps outside the\n  semaphore; re-claim is a loop, not recursion.\n\nResume, concurrency cap, and deadlock-safe retry are unchanged. Register\nasvs_job_runner with no model/params. Only MULTI_COMPONENT_MODE is affected.\n"
    },
    {
      "commit": "0c2583d5e0da8e70abcf8b2036af766ea3ff05e4",
      "tree": "6a0c87bc21e8a257584d67b69008749cd25458c1",
      "parents": [
        "84d36f062e13d4f69243dcb7bcc6b97d44bc93e2"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 16 00:37:38 2026 +0000"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 15 18:26:02 2026 -0700"
      },
      "message": "asvs_audit: cache the Opus analysis prefix across a section\u0027s batches\n\nPass the stable analysis prefix (system prompt + code inventory) as\ncall_llm\u0027s cache_prefix on all three Opus deep-analysis call sites (main,\nsplit-half, single-oversized). Within one ASVS section every Opus batch\nshares that prefix and only the source files vary, so Bedrock caches it\n(ephemeral ~5min TTL) and bills it at ~10% on intra-section hits. The\nper-batch user message now carries only the volatile source + the small\nuser template; token accounting still counts the full assembled prompt\nsince the prefix is sent in full on a cache miss.\n\nScope: intra-section only (multiple batches per section within the TTL).\nAcross sections the prefix differs (different requirement text + inventory)\nso it does not cache between sections. Requires the llm_service cache_prefix\nchange; apply that first.\n"
    },
    {
      "commit": "84d36f062e13d4f69243dcb7bcc6b97d44bc93e2",
      "tree": "9752d5672f2c6b398a20c99418b252fa07571089",
      "parents": [
        "9dafef8d4205beacdd072836a2d5fb4d712e585e"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Sun Jun 07 20:36:50 2026 +0000"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 15 18:20:24 2026 -0700"
      },
      "message": "asvs_orchestrate: integrate opt-in MULTI_COMPONENT_MODE flow\n\nFold the multi-component decomposition (previously only a sketch in\nasvs_orchestrate_patches.py) into the real orchestrator. Gated behind\nMULTI_COMPONENT_MODE (default false) so the single-namespace path is\nunchanged for everyone not opting in.\n\nWhen enabled, after download the orchestrator: detects components\n(asvs_components), materializes each into its sub-namespace with the\nnested-component fix and bulk set_many, runs per-component pipelines under\nJobRunner up to MAX_COMPONENT_CONCURRENCY, then aggregates\n(asvs_aggregate). Helpers are defined inside run() so they close over the\ngofannon-injected data_store / gofannon_client globals. The per-component\npipeline reuses the existing downstream agents scoped via\nprimary_namespace.\n\nNOTE: this is the integration scaffold — the per-component audit/bundle/\nfilter phases are invoked through the existing single-namespace path\nagainst primary_namespace\u003dsub_ns. Validate end-to-end on a known\nmulti-component repo (e.g. superset) before relying on it at scale.\n"
    },
    {
      "commit": "9dafef8d4205beacdd072836a2d5fb4d712e585e",
      "tree": "46990182d482076cd0b1c960304b5a700dfcd5fb",
      "parents": [
        "192cf505c28e9732b51088b2e99c03c72cbe938d"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Sun Jun 07 20:34:52 2026 +0000"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 15 18:20:16 2026 -0700"
      },
      "message": "Sonnet 4.5 -\u003e 4.6 everywhere: 1M context + 64K output headroom\n\nMove every Sonnet usage off claude-sonnet-4-5-20250929-v1:0 onto the\ndateless inference-profile id us.anthropic.claude-sonnet-4-6 (verified\nagainst AWS/Anthropic docs: 1M context window, 64K max output, same\n$3/$15 pricing). Because every SONNET_CONTEXT / CONTEXT_WINDOW budget is\nderived via get_context_window (which reads context_window from the\nprovider config \u003d 1,000,000), the larger input window propagates to all\nbatch-sizing automatically — discover packs far more files per\nclassification call, and the inventory batchers in audit/bundle get a\n400K input budget (0.40 * 1M).\n\nmax_tokens retuned toward the new 64K output ceiling (4.5 capped at 32K):\n- audit/bundle SONNET_PARAMS inventory: 16384 -\u003e 32768\n- audit/bundle single-pass consolidation: 32000 -\u003e 48000\n- audit/bundle multi-round consolidation: 16384 -\u003e 32768\n- consolidate FAST_PARAMS default: 16384 -\u003e 32768 (big report calls\n  already passed an explicit 64000, valid on 4.6)\n- discover PARAMS: 16384 -\u003e 32768\n\nAll Sonnet max_tokens kept at or under 64000; only Opus uses 128000.\nFiles touched: asvs_audit, asvs_bundle, asvs_consolidate, asvs_discover.\n"
    },
    {
      "commit": "192cf505c28e9732b51088b2e99c03c72cbe938d",
      "tree": "6e5fb002686a134de1b1fd3b7bbe83c621f48c68",
      "parents": [
        "e900d30932445312586a8322d4a0f507fd6e53a9"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Sun Jun 07 06:20:57 2026 +0000"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 15 18:20:11 2026 -0700"
      },
      "message": "asvs_consolidate: bump consolidation model Sonnet 4.5 -\u003e 4.6\n\nSame price ($3/$15), better instruction-following on the merge/dedup/\nseverity-recompute logic. Consolidation is the stage where the\napache/openoffice run\u0027s malformed single-pass output surfaced. Uses the\ndateless Bedrock inference-profile id us.anthropic.claude-sonnet-4-6\n(verified). Leaves the inventory-stage Sonnet calls in asvs_audit/\nasvs_bundle on 4.5 deliberately — cost-neutral, no observed problem there.\nConfirm the profile is enabled in your Bedrock region before deploying.\n"
    },
    {
      "commit": "e900d30932445312586a8322d4a0f507fd6e53a9",
      "tree": "15ae4e8862f55beda808dc64b90acd510c22458c",
      "parents": [
        "77fc7f2136d0e1080f0dfd0dfce73afa6078a916"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Sun Jun 07 06:19:23 2026 +0000"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 15 18:19:51 2026 -0700"
      },
      "message": "asvs_components: size components from the index, not full body reads\n\nThe sizing loop called ns.get(key) on every file purely to measure its\nlength, pulling full document bodies from CouchDB — the monolithic-I/O\npattern multi-component mode is meant to avoid. Read the files_meta:{repo}\nsize index instead (written by asvs_download_repo); byte_count is advisory\nso fall back to 0 when the index is absent. Pairs with the download\nsize-index commit.\n"
    },
    {
      "commit": "77fc7f2136d0e1080f0dfd0dfce73afa6078a916",
      "tree": "a3f3848e1923bec525fc5656798311e831ac427d",
      "parents": [
        "dcd0f5ad634eaa675a483face0343c25bea59854"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Sun Jun 07 06:18:47 2026 +0000"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 15 18:19:43 2026 -0700"
      },
      "message": "asvs_job_runner: fix retry deadlock and summary miscount\n\nrun_job recursed into itself while holding self.semaphore and slept during\nbackoff inside the held semaphore. asyncio.Semaphore is not reentrant, so\nat concurrency \u003e\u003d max_concurrent, N simultaneously-retrying jobs each held\na slot while awaiting a slot -\u003e deadlock; and a backing-off job uselessly\noccupied a slot for up to 60s. Replace the recursion with an internal\nretry loop that holds the semaphore only for each attempt and sleeps after\nreleasing it.\n\nAlso tighten run_all\u0027s summary: it folded skipped-done into \u0027succeeded\u0027\nand miscounted raised exceptions. Count each bucket explicitly.\n"
    },
    {
      "commit": "dcd0f5ad634eaa675a483face0343c25bea59854",
      "tree": "58d6f886dc6050ed3bdbdc1965d69b96391fa547",
      "parents": [
        "0320195d0b09d1b6d07c9feddef052514a7a4da6"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 15 18:19:33 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 15 18:19:33 2026 -0700"
      },
      "message": "Add monster-repo agents (job_runner, components, aggregate), pre-patch bases\n"
    },
    {
      "commit": "0320195d0b09d1b6d07c9feddef052514a7a4da6",
      "tree": "6ff0e696512fcbf0079c1b22eead1857dfbd0ecd",
      "parents": [
        "b842b0ed8efc7813d6ef63715c4b529f2de9eea2"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 15 18:06:42 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 15 18:06:42 2026 -0700"
      },
      "message": "asvs_job_runner: bounded-concurrency job runner with deadlock-safe retry\n\nNew agent module for the multi-component orchestration path. Holds the\nsemaphore only per attempt and backs off after release (no reentrant-\nsemaphore deadlock); run_all counts status buckets explicitly. Equivalent\nto applying patch 0005 on a committed base.\n"
    },
    {
      "commit": "b842b0ed8efc7813d6ef63715c4b529f2de9eea2",
      "tree": "cb60d5f9b406a5b6b64bd0b84246b3ce5ac81552",
      "parents": [
        "05e1df1d0a3d886cb15a5c0e095e4e1d88596452"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Sun Jun 07 06:18:06 2026 +0000"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 15 17:58:07 2026 -0700"
      },
      "message": "asvs_download_repo: persist per-file size index at ingest\n\nWrite a files_meta:{repo} namespace with a single \"sizes\" key mapping path\n-\u003e character length, accumulated during the tarball walk. Lets\nasvs_components total per-component sizes without re-reading every file\nbody from CouchDB (the monolithic-I/O pattern multi-component mode exists\nto avoid). Non-fatal if the write fails; consumers fall back to 0.\n"
    },
    {
      "commit": "05e1df1d0a3d886cb15a5c0e095e4e1d88596452",
      "tree": "c0d6c44d1e54f3327310a53733ee9ccfa3ad5bee",
      "parents": [
        "3a0c423a54818d5c1acf72e3c7d1120c41dcc709"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Sun Jun 07 21:38:47 2026 +0000"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 15 17:58:00 2026 -0700"
      },
      "message": "Lower Haiku relevance concurrency for default Bedrock quota\n\nTwo changes targeting the Haiku throttling (retries hitting 4/5 and 5/5\non the default account quota):\n\n- asvs_bundle had the same bug asvs_audit originally had: its Haiku\n  relevance filter_batch was gated by sonnet_semaphore (5-wide) with no\n  stagger, so it fired Haiku calls 5-at-once into the same instant. Give\n  it a dedicated haiku_semaphore (default 2) and the same jittered startup\n  stagger audit uses.\n- Lower asvs_audit HAIKU_CONCURRENCY default 3 -\u003e 2 to match.\n\nBoth tunable via the HAIKU_CONCURRENCY env var; raise after a Bedrock\nquota increase. This reduces collisions but does NOT raise the ceiling —\non default quota a quota-increase request is still the real fix, and\nHAIKU_CONCURRENCY\u003d1 is the most aggressive software lever.\n"
    },
    {
      "commit": "3a0c423a54818d5c1acf72e3c7d1120c41dcc709",
      "tree": "5f341f23eda729492f34ab808aaa915041131e9e",
      "parents": [
        "8044ae2477e499af9d73c85080e25fd25eaf4404"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Sun Jun 07 21:43:36 2026 +0000"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 15 17:57:52 2026 -0700"
      },
      "message": "asvs_bundle: token-bound relevance previews and oversized inventory files\n\nPort the same per-file token caps patch 0001 applied to asvs_audit into\nasvs_bundle, which has the identical batchers and was still uncapped:\n\n- Relevance previews were sliced at 200 lines with no token bound, so a\n  single file could carry a Haiku batch past the 200K window. This is the\n  source of the observed \u0027prompt is too long: 201122 tokens \u003e 200000\u0027 on\n  a Haiku relevance call when the run goes through the bundle path. Cap\n  each preview to preview_budget // 4 tokens.\n- Inventory isolated an oversized file into its own batch but did not\n  truncate it; truncate to fit the Sonnet budget with a marker.\n\nBoth mirror the asvs_audit fixes so the audit and bundle paths behave\nidentically under huge single files.\n"
    },
    {
      "commit": "8044ae2477e499af9d73c85080e25fd25eaf4404",
      "tree": "0a4802a8cdb1d08394a43ab9ec3511b8513e8072",
      "parents": [
        "c407ccbbef58d054d268977607383d65dca0d686"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Sun Jun 07 06:17:48 2026 +0000"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Mon Jun 15 17:57:44 2026 -0700"
      },
      "message": "asvs_audit: token-bound relevance previews and oversized inventory files\n\nCap each Haiku relevance preview and each Sonnet inventory entry by token\ncount, not just line count. On 2M-LOC repos a single file (or its 200-line\nslice) can exceed the model context window on its own; the batchers cannot\nsplit a single entry, so an oversized lone file produced a Bedrock 400\n\"prompt is too long\" (relevance batches 130/131) or \"Input is too long\"\neven after the inventory split-in-half fallback. Both now truncate the\noffending unit to fit, with a marker, rather than failing the batch.\n\nFixes the context_window_exceeded failures seen on apache/openoffice.\n"
    },
    {
      "commit": "c407ccbbef58d054d268977607383d65dca0d686",
      "tree": "a5aadc3deafb61d752c88b953f24763eabcae478",
      "parents": [
        "e4b127e49e6aca07bbe7c3702b801c08bc0db039"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 09 10:16:07 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 09 10:16:07 2026 -0700"
      },
      "message": "Removing old superset reports\n"
    },
    {
      "commit": "e4b127e49e6aca07bbe7c3702b801c08bc0db039",
      "tree": "72d27c443f72eab069d3db522fec8a77aed20d39",
      "parents": [
        "cd1f174af3cc63fc4959f1cfe8b75c270e4583d8"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Sun Jun 07 15:05:08 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Sun Jun 07 15:05:08 2026 -0700"
      },
      "message": "asvs_audit: isolate Haiku relevance-scoring concurrency\n\nHaiku relevance scoring borrowed sonnet_semaphore (effectively 5-wide),\nwhich saturated the Bedrock Haiku per-minute quota and throttled nearly\nevery call, surviving only via call_llm\u0027s retry/backoff. Give it a\ndedicated haiku_semaphore (HAIKU_CONCURRENCY env var, default 3) and a\njittered startup stagger applied before the semaphore is acquired, so the\ninitial asyncio.gather() burst spreads across a few seconds instead of\nhitting Bedrock all at once. Tune HAIKU_CONCURRENCY down on a constrained\nquota or up after a quota increase.\n"
    },
    {
      "commit": "cd1f174af3cc63fc4959f1cfe8b75c270e4583d8",
      "tree": "1b3843ec5d18c41ced7188c301a8ae228e2a79e5",
      "parents": [
        "80117bc00599c4ee02d59d53b51d4de21ba3ebb9"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Sun Jun 07 15:04:51 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Sun Jun 07 15:04:51 2026 -0700"
      },
      "message": "Remove report redaction/carve-out; publish single unredacted report\n\nCollapse the dual-destination carve-out into one publish target. Reports\nnow go to outputRepo/outputToken only; the previous split (full report to\na private repo, redacted report to a public repo) is removed.\n\nDeletes Step 5 (redact-and-publish), the redact_consolidated and\nredact_issues helpers, _redact_and_push, the leak-quarantine path, and the\nemail notification — ~1600 lines of now-dead redaction machinery. The\nconsolidate agent already pushes the full report to the push target, which\nis now unconditionally outputRepo/outputToken.\n\nDrops the privateRepo, privateToken, and notifyEmail inputs. Hardcodes\nclearCache and cleanStaleReports to True (previously UI-toggleable). Note\ncleanStaleReports\u0027 default flips false -\u003e true: a fully successful run now\nprunes prior-run reports in the output directory.\n\nWARNING: reports are now published UNREDACTED to outputRepo. Point it at a\nprivate repo — redaction was the only thing that made the old public\noutput safe to share.\n"
    },
    {
      "commit": "80117bc00599c4ee02d59d53b51d4de21ba3ebb9",
      "tree": "cc8102dee677e3d0394d14bc0a1329d682ed1dde",
      "parents": [
        "ac525a10006d3807ac6228d6729033f7b6e53304"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Sat Jun 06 15:28:05 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Sat Jun 06 15:28:16 2026 -0700"
      },
      "message": "Refactoring data store calls to use bulk calls\n"
    },
    {
      "commit": "ac525a10006d3807ac6228d6729033f7b6e53304",
      "tree": "27e7eb231be3643c8193cb063a61debfa6e48aba",
      "parents": [
        "a5ead8c973022b52fb89c604b99c8a186650ad6d"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Fri Jun 05 23:30:08 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Fri Jun 05 23:30:08 2026 +0200"
      },
      "message": "ASVS L1 audit: issues (redacted) [source: apache/mahout @ 38916d3]"
    },
    {
      "commit": "a5ead8c973022b52fb89c604b99c8a186650ad6d",
      "tree": "80a5a7879777a523b992eca65a5bd948bf59c77f",
      "parents": [
        "01ec29ea78ce56b5aee82c56c7a5dac8b0e0532a"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Fri Jun 05 23:30:07 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Fri Jun 05 23:30:07 2026 +0200"
      },
      "message": "ASVS L1 audit: consolidated report (redacted) [source: apache/mahout @ 38916d3]"
    },
    {
      "commit": "01ec29ea78ce56b5aee82c56c7a5dac8b0e0532a",
      "tree": "854dae665d0458581979cd26a694c92debfa1abe",
      "parents": [
        "29df42a0af8bcac6c9ca2ba3cba8da160f4415da"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Fri Jun 05 06:29:35 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Fri Jun 05 06:29:35 2026 +0200"
      },
      "message": "ASVS L1 audit: issues (redacted) [source: apache/mahout @ cf043a2]"
    },
    {
      "commit": "29df42a0af8bcac6c9ca2ba3cba8da160f4415da",
      "tree": "5dd56d48862e8a7223747d22e9b4a8c7f41a0721",
      "parents": [
        "e287281b98c8096c64ee9c44774e662dffa4d676"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Fri Jun 05 06:29:34 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Fri Jun 05 06:29:34 2026 +0200"
      },
      "message": "ASVS L1 audit: consolidated report (redacted) [source: apache/mahout @ cf043a2]"
    },
    {
      "commit": "e287281b98c8096c64ee9c44774e662dffa4d676",
      "tree": "362d9b410bcaac58149d5c35cfd8f31b5b37942d",
      "parents": [
        "ff1bb0d858f8bde7923fa52d279a6b076e7ad5b9"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Thu Jun 04 20:40:43 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Thu Jun 04 20:40:43 2026 +0200"
      },
      "message": "ASVS L3 audit: issues (redacted) [source: apache/airflow/providers/google @ 7d95a3c]"
    },
    {
      "commit": "ff1bb0d858f8bde7923fa52d279a6b076e7ad5b9",
      "tree": "54f536c80702d452c8ddc1bf1842a75450743d1f",
      "parents": [
        "6836cdc6d0f624a347a0013a3669eae8d74b57d0"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Thu Jun 04 20:40:41 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Thu Jun 04 20:40:41 2026 +0200"
      },
      "message": "ASVS L3 audit: consolidated report (redacted) [source: apache/airflow/providers/google @ 7d95a3c]"
    },
    {
      "commit": "6836cdc6d0f624a347a0013a3669eae8d74b57d0",
      "tree": "c4653c9c6a140544bde554e89f7fdb5fcbb8b059",
      "parents": [
        "453cb1c8bcc574131edd78f8447e0141162f63ce"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 23:48:59 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 23:48:59 2026 +0200"
      },
      "message": "ASVS L3 audit: issues (redacted) [source: apache/airflow/task-sdk @ b82b881]"
    },
    {
      "commit": "453cb1c8bcc574131edd78f8447e0141162f63ce",
      "tree": "6a6d661e98990052979193936cc51a4739cce937",
      "parents": [
        "f7ba7c52abee9d29cdb11351d40b4ea225be2031"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 23:48:57 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 23:48:57 2026 +0200"
      },
      "message": "ASVS L3 audit: consolidated report (redacted) [source: apache/airflow/task-sdk @ b82b881]"
    },
    {
      "commit": "f7ba7c52abee9d29cdb11351d40b4ea225be2031",
      "tree": "4d8f561215dd008b8015ca1e6a7893f3ae029324",
      "parents": [
        "7bc7948d65f09983a2ecd986fbd8e5180d8d4279"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 22:35:05 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 22:35:05 2026 +0200"
      },
      "message": "ASVS L3 audit: issues (redacted) [source: apache/airflow/airflow-core @ cc63c83]"
    },
    {
      "commit": "7bc7948d65f09983a2ecd986fbd8e5180d8d4279",
      "tree": "09d8c41bcd604a3672757c3b5eedf72bd4d6dfe8",
      "parents": [
        "6fee512117a05315b51b0e63b64f987daa7cb3ed"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 22:35:04 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 22:35:04 2026 +0200"
      },
      "message": "ASVS L3 audit: consolidated report (redacted) [source: apache/airflow/airflow-core @ cc63c83]"
    },
    {
      "commit": "6fee512117a05315b51b0e63b64f987daa7cb3ed",
      "tree": "8efbf32ebc0b2b9dee403f4a127510b47bc177f3",
      "parents": [
        "78c473fed3c703963fd62688a22bae72f77a47ea"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jun 03 12:03:41 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jun 03 12:03:41 2026 -0700"
      },
      "message": "Pruning old reports\n"
    },
    {
      "commit": "78c473fed3c703963fd62688a22bae72f77a47ea",
      "tree": "0ebce3e15c27303733e9b805e9b45fd798281930",
      "parents": [
        "956becc61edf816b66bfc1126d6805c9bc7bb951"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 20:57:42 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 20:57:42 2026 +0200"
      },
      "message": "ASVS L3 audit: issues (redacted) [source: apache/superset/superset @ f4dfb7f]"
    },
    {
      "commit": "956becc61edf816b66bfc1126d6805c9bc7bb951",
      "tree": "aca3aca34972986da78e1fa3bd98fc2897e2f24a",
      "parents": [
        "1252c86b9015a7d5c0066f7b794e48a99d8e1cb0"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 20:57:41 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 20:57:41 2026 +0200"
      },
      "message": "ASVS L3 audit: consolidated report (redacted) [source: apache/superset/superset @ f4dfb7f]"
    },
    {
      "commit": "1252c86b9015a7d5c0066f7b794e48a99d8e1cb0",
      "tree": "487e07391c9b7d8a877a537ab9d29616d38ea021",
      "parents": [
        "e822123acdd4bda4ab4ad533fe77efdc6d9b001f"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 19:30:02 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 19:30:02 2026 +0200"
      },
      "message": "ASVS L3 audit: issues (redacted) [source: apache/superset/superset-frontend @ cb2a56d]"
    },
    {
      "commit": "e822123acdd4bda4ab4ad533fe77efdc6d9b001f",
      "tree": "4fb701612a091d082a6f3b151a93eeb2e872ddcb",
      "parents": [
        "64d493aca0978ff1c45a7f4df484ae663fa24542"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 19:30:00 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 19:30:00 2026 +0200"
      },
      "message": "ASVS L3 audit: consolidated report (redacted) [source: apache/superset/superset-frontend @ cb2a56d]"
    },
    {
      "commit": "64d493aca0978ff1c45a7f4df484ae663fa24542",
      "tree": "c4952f9617983cc76d9f87432dda0dc10c05fc4c",
      "parents": [
        "b161fc9ca2596112a5242c0f05bd5067e5f24c19"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jun 03 09:57:42 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jun 03 09:57:42 2026 -0700"
      },
      "message": "Pruning old reports\n"
    },
    {
      "commit": "b161fc9ca2596112a5242c0f05bd5067e5f24c19",
      "tree": "06ab576477fe4062f34c56ebb0876f2eceadae01",
      "parents": [
        "7845422b61fcf54ca1c7cb1b9fe23e89901e99e3"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jun 03 09:17:35 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jun 03 09:17:41 2026 -0700"
      },
      "message": "asvs filter: drop the no-files heuristic in _is_informational_absence\n\nThe structural check \u0027if files array empty -\u003e absence\u0027 over-fires on\nreal-defect-no-exploit findings that reference code inline (function\nname in prose, sanitizer config line, etc.) rather than in a\nstructured field. The absence-phrase set and the no-X-in-Y regex are\nsufficient to catch genuine absences without these false positives.\n\nSurfaced by the superset-frontend rerun: dropped two legitimate\nInformational findings (showFailureMessage innerHTML usage, sanitizer\nallowlist permitting target without rel\u003dnoopener) that should have\nsurvived as downgrade-from-Low Informationals.\n"
    },
    {
      "commit": "7845422b61fcf54ca1c7cb1b9fe23e89901e99e3",
      "tree": "b5fb2b1eb57078d3902ea2124b7a9edb5feadac7",
      "parents": [
        "2a68ff8f4dd8e081f79a2430abf96e5ff278a797"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 17:42:23 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 17:42:23 2026 +0200"
      },
      "message": "ASVS L3 audit: issues (redacted) [source: apache/superset/superset-websocket @ accc94d]"
    },
    {
      "commit": "2a68ff8f4dd8e081f79a2430abf96e5ff278a797",
      "tree": "312ef2afbe6f6eb708470ad1c97681e6f643a335",
      "parents": [
        "400434f07d443572d3e061ddc18cccd2397d91f2"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 17:42:21 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 17:42:21 2026 +0200"
      },
      "message": "ASVS L3 audit: consolidated report (redacted) [source: apache/superset/superset-websocket @ accc94d]"
    },
    {
      "commit": "400434f07d443572d3e061ddc18cccd2397d91f2",
      "tree": "6e8627114c8d8e9255b71b9dfcfa095ea80e4fd0",
      "parents": [
        "78a98378239a5576d48ca4043c780310be1f82e8"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 11:15:03 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 11:15:03 2026 +0200"
      },
      "message": "ASVS L3 audit: issues (redacted) [source: apache/superset/superset-frontend @ b9dc9d7]"
    },
    {
      "commit": "78a98378239a5576d48ca4043c780310be1f82e8",
      "tree": "80f1231e469e1a50bef675dd8ff4900810a1a69b",
      "parents": [
        "946b4a69f7bb31501a003217d61b0c7f5513c147"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 11:15:01 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 11:15:01 2026 +0200"
      },
      "message": "ASVS L3 audit: consolidated report (redacted) [source: apache/superset/superset-frontend @ b9dc9d7]"
    },
    {
      "commit": "946b4a69f7bb31501a003217d61b0c7f5513c147",
      "tree": "71f8046819ed623246af078ad2a766af74f3d495",
      "parents": [
        "2553402965459fa8dc8a5afb6ef186742ae04fdc"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jun 03 01:33:42 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Wed Jun 03 01:33:47 2026 -0700"
      },
      "message": "asvs: tighten Informational severity, generalize scope check, cite files for positive patterns\n\n* Scope Check (bundle, audit): replaced enumerated ASVS examples\n  (7.2.3, V10.4.x, 4.4.x, 1.5.1, V5.2.x) with a generic three-question\n  evaluation framework plus an anti-stretching warning. Models\n  over-index on enumerated cases; principles generalize. Absences now\n  route to N/A coverage rather than generating Informational findings.\n\n* Informational definition (bundle): restricted to the downgrade-from-Low\n  case -- a real, concrete code defect with file:line references but no\n  clear attack scenario. Findings whose body would contain \u0027not\n  applicable\u0027, \u0027feature absent\u0027, \u0027delegated to\u0027, or \u0027no X in this\n  codebase\u0027 belong in N/A coverage, not findings.\n\n* Filter safety net (relevance_filter): added _is_informational_absence\n  next to _is_did_escape_hatch. Drops Info findings matching absence\n  phrases, no-X-in-Y regex, or missing file references. High-confidence\n  drops, routed to drop log rather than review queue.\n\n* Positive pattern file refs (bundle, audit): output format now requires\n  a file:line citation per positive pattern. The consolidator\u0027s\n  Supporting Files column populates from these references; previously\n  sparse because the prompts never required them.\n\nValidated on extensions-cli rerun: 12 Informational -\u003e 0, Low\ncalibration unchanged, review queue empty, supporting-files column\nnow sources from the audit output.\n"
    },
    {
      "commit": "2553402965459fa8dc8a5afb6ef186742ae04fdc",
      "tree": "3494ef30218c33a4a3c6e1c963359f90961f88ca",
      "parents": [
        "dd474cb3e618c6c00a1e0ce499c7813aa8aa73d6"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 10:01:08 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 10:01:08 2026 +0200"
      },
      "message": "ASVS L3 audit: issues (redacted) [source: apache/superset/superset-extensions-cli @ b9dc9d7]"
    },
    {
      "commit": "dd474cb3e618c6c00a1e0ce499c7813aa8aa73d6",
      "tree": "b2165381126596ce7a27b3b1ddaa2f58c17be7e8",
      "parents": [
        "46904cd3547905d86fcd212f1512dc9ec07201ad"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 10:01:07 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 10:01:07 2026 +0200"
      },
      "message": "ASVS L3 audit: consolidated report (redacted) [source: apache/superset/superset-extensions-cli @ b9dc9d7]"
    },
    {
      "commit": "46904cd3547905d86fcd212f1512dc9ec07201ad",
      "tree": "05cd12b1fb0e2a14aac82f226c47ef43c3dee34f",
      "parents": [
        "5930ca9db64e6b4d80a3c384c055cf45827b39ca"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 01:02:37 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 01:02:37 2026 +0200"
      },
      "message": "ASVS L3 audit: issues (redacted) [source: apache/superset/superset-extensions-cli @ 6abee02]"
    },
    {
      "commit": "5930ca9db64e6b4d80a3c384c055cf45827b39ca",
      "tree": "32935b24e8477783ba33e1b1e4397a8dc63fd7e7",
      "parents": [
        "af2a0c46f979c82c46ad6a4105f70eea83246bac"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 01:02:36 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 01:02:36 2026 +0200"
      },
      "message": "ASVS L3 audit: consolidated report (redacted) [source: apache/superset/superset-extensions-cli @ 6abee02]"
    },
    {
      "commit": "af2a0c46f979c82c46ad6a4105f70eea83246bac",
      "tree": "cbe5c7837d82658b2a02e981172deeae1fe6456b",
      "parents": [
        "24e8954265af9d8cf52232940298f91d4d55ee94"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 00:04:32 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 00:04:32 2026 +0200"
      },
      "message": "ASVS L3 audit: issues (redacted) [source: apache/superset/superset-embedded-sdk @ 17d1a45]"
    },
    {
      "commit": "24e8954265af9d8cf52232940298f91d4d55ee94",
      "tree": "9d9000e95498c7ea8a0bd94b0a86d9e0fd742b59",
      "parents": [
        "3b088e11d602bc0f8faf45db061b181acf14acb1"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 00:04:30 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Wed Jun 03 00:04:30 2026 +0200"
      },
      "message": "ASVS L3 audit: consolidated report (redacted) [source: apache/superset/superset-embedded-sdk @ 17d1a45]"
    },
    {
      "commit": "3b088e11d602bc0f8faf45db061b181acf14acb1",
      "tree": "b0f010611c97093b78e40ccfe624e449e3d87c5e",
      "parents": [
        "33334939e6da46b9f31e47314a67f60f7f074894"
      ],
      "author": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 02 14:56:02 2026 -0700"
      },
      "committer": {
        "name": "Andrew Musselman",
        "email": "akm@apache.org",
        "time": "Tue Jun 02 14:56:02 2026 -0700"
      },
      "message": "Fixing audit guidance filter\n"
    },
    {
      "commit": "33334939e6da46b9f31e47314a67f60f7f074894",
      "tree": "e281433447eec626635ac36e5030ac6046e72911",
      "parents": [
        "b5af494e3ecb0469fd04037eb24994263bf607ee"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 23:07:11 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 23:07:11 2026 +0200"
      },
      "message": "ASVS L3 audit: issues (redacted) [source: apache/superset/superset-core @ 8508af3]"
    },
    {
      "commit": "b5af494e3ecb0469fd04037eb24994263bf607ee",
      "tree": "dd58d6b3c9a580f5ffed7cd010b1cc0a77269a56",
      "parents": [
        "3c7784879864d8af6b0a9cbffecb5c0170e83b83"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 23:07:09 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 23:07:09 2026 +0200"
      },
      "message": "ASVS L3 audit: consolidated report (redacted) [source: apache/superset/superset-core @ 8508af3]"
    },
    {
      "commit": "3c7784879864d8af6b0a9cbffecb5c0170e83b83",
      "tree": "0aae9f40aca7de34bf56f70f408680abdcc60d4f",
      "parents": [
        "d4c49d829747fbb194dddb715c3bc32ea64d40c3"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 06:01:04 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 06:01:04 2026 +0200"
      },
      "message": "ASVS L3 audit: issues (redacted) [source: apache/superset/superset-websocket @ 41da35e]"
    },
    {
      "commit": "d4c49d829747fbb194dddb715c3bc32ea64d40c3",
      "tree": "f935b827cc0ec0cd08a9b8824efc4250dd24d2dc",
      "parents": [
        "4ede44cd6129225fea7e1ce959844d3440befec4"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 06:01:02 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 06:01:02 2026 +0200"
      },
      "message": "ASVS L3 audit: consolidated report (redacted) [source: apache/superset/superset-websocket @ 41da35e]"
    },
    {
      "commit": "4ede44cd6129225fea7e1ce959844d3440befec4",
      "tree": "8e6dd29eace41c111fecc917e59c058e4fb3b985",
      "parents": [
        "e479536b9f000c6201b6673db3c83dfcba4bd040"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 04:55:53 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 04:55:53 2026 +0200"
      },
      "message": "ASVS L3 audit: issues (redacted) [source: apache/superset/superset-embedded-sdk @ 41da35e]"
    },
    {
      "commit": "e479536b9f000c6201b6673db3c83dfcba4bd040",
      "tree": "a1e45fcaab22f39b36bdb88da73cef9f2b869db6",
      "parents": [
        "8c517be9d29c5e33524ecc8c5e512d7a98e2157a"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 04:55:52 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 04:55:52 2026 +0200"
      },
      "message": "ASVS L3 audit: consolidated report (redacted) [source: apache/superset/superset-embedded-sdk @ 41da35e]"
    },
    {
      "commit": "8c517be9d29c5e33524ecc8c5e512d7a98e2157a",
      "tree": "b33127f1527b456c6cf7d220dd8787a80771a5a1",
      "parents": [
        "c71068b56ea734c8699dcf8f347bd01e1b19007d"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 04:10:04 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 04:10:04 2026 +0200"
      },
      "message": "ASVS L3 audit: issues (redacted) [source: apache/superset/superset-extensions-cli @ 41da35e]"
    },
    {
      "commit": "c71068b56ea734c8699dcf8f347bd01e1b19007d",
      "tree": "b33127f1527b456c6cf7d220dd8787a80771a5a1",
      "parents": [
        "f16f2859689f8cf716dc6549e3822e5b034a7961"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 04:10:03 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 04:10:03 2026 +0200"
      },
      "message": "ASVS L3 audit: consolidated report (redacted) [source: apache/superset/superset-extensions-cli @ 41da35e]"
    },
    {
      "commit": "f16f2859689f8cf716dc6549e3822e5b034a7961",
      "tree": "83d5b9bf604d776f72162f210147483dac228b2e",
      "parents": [
        "d5594792be486c60844a63de91d9d9a4f4ade76c"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 03:19:04 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 03:19:04 2026 +0200"
      },
      "message": "ASVS L3 audit: issues (redacted) [source: apache/superset/superset-extensions-cli @ 41da35e]"
    },
    {
      "commit": "d5594792be486c60844a63de91d9d9a4f4ade76c",
      "tree": "f6f09265b8279f0621ad49546ed7075f712db69f",
      "parents": [
        "eadc927d63ce3aa7d2555dbd986ff7aaa95477ce"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 03:19:02 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 03:19:02 2026 +0200"
      },
      "message": "ASVS L3 audit: consolidated report (redacted) [source: apache/superset/superset-extensions-cli @ 41da35e]"
    },
    {
      "commit": "eadc927d63ce3aa7d2555dbd986ff7aaa95477ce",
      "tree": "f7537982532afba7b52e2f1c2ca081b422f379db",
      "parents": [
        "85a625c19e3eda98be64ad3b6178182662a6fef5"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 01:22:57 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 01:22:57 2026 +0200"
      },
      "message": "ASVS L3 audit: issues (redacted) [source: apache/superset/superset-embedded-sdk @ 1523d79]"
    },
    {
      "commit": "85a625c19e3eda98be64ad3b6178182662a6fef5",
      "tree": "ea5c7dde8ac8fa96d3dd9734d453e5b1e540e81c",
      "parents": [
        "44311ba0a6647ce1f247ec1c4713b8c6ada32015"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 01:22:56 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Tue Jun 02 01:22:56 2026 +0200"
      },
      "message": "ASVS L3 audit: consolidated report (redacted) [source: apache/superset/superset-embedded-sdk @ 1523d79]"
    },
    {
      "commit": "44311ba0a6647ce1f247ec1c4713b8c6ada32015",
      "tree": "89a4298daa99671b3d4422e694d50ff657208bba",
      "parents": [
        "3affb3b290e6a4c14af47f4e3e2c35b38c1c6b34"
      ],
      "author": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Mon Jun 01 23:27:25 2026 +0200"
      },
      "committer": {
        "name": "ASF Tooling Team",
        "email": "root-asf-tooling@apache.org",
        "time": "Mon Jun 01 23:27:25 2026 +0200"
      },
      "message": "ASVS L3 audit: issues (redacted) [source: apache/superset/superset-frontend @ 97be689]"
    }
  ],
  "next": "3affb3b290e6a4c14af47f4e3e2c35b38c1c6b34"
}
