
Commit 81675e9

committed
updating plan on labels.
1 parent 8b7f8a2 commit 81675e9

1 file changed

Lines changed: 30 additions & 0 deletions

File tree

.squad/agents/securityexpert/history.md

@@ -47,3 +47,33 @@
4747
**Overall Plan Assessment:** Strong security posture. Plan defends against all documented CVEs (CVE-2025-30066, CVE-2026-33634). No blockers. The 3 "Required" findings above were gaps specific to Squad governance, now resolved.
4848

4949
**Decision:** Wrote team decision to `.squad/decisions/inbox/securityexpert-squad-protection.md` documenting maintainer-only access requirement for `.squad/` files.
50+
51+
### 2026-05-15 — Two-Tier Auto-Labeling Policy
52+
53+
**Context:** User requested update to branch-maintenance-plan.adoc to replace blanket "no auto-labeling" ban with a two-tier policy. SecurityExpert had previously recommended this approach.
54+
55+
**Decision:** Two-tier auto-labeling policy adopted:
56+
57+
* **Tier 1 (Informational labels):** `question`, `bug`, `feature-request`, `documentation`, `duplicate` — MAY be auto-applied by bot with strict guardrails
58+
* **Tier 2 (Policy labels):** `squad:*`, `go:*`, `priority:*`, `override:*`, `needs-human-review`, `external-contribution` — MUST remain human-only always
59+
60+
**Tier-1 Guardrails (all required):**
61+
62+
1. Content-only triggers — pattern matching on issue title/body only
63+
2. No workflow triggers — no workflow may use Tier-1 label application as event trigger
64+
3. Dedicated bot — GitHub App `apiops-bot` with label-only permissions
65+
4. Circuit breaker — if >3 labels applied per issue → stop and alert
66+
5. Human override — human can remove; bot MUST NOT re-apply
67+
6. Audit logging — bot posts comment explaining why label was applied
68+
69+
**Changes Made:**
70+
71+
1. Updated "Foundational Principles" — changed "No auto-labeling" bullet to reflect two-tier policy (line 20, 37)
72+
2. Added new "Auto-Labeling Policy" subsection (lines 66-107) with tier table, guardrails, and Tier-2 exclusions
73+
3. Updated "Decision Authority" table — Labels row now shows Tier-1 bot applies (advisory) vs Tier-2 human-only (line 302)
74+
4. Updated "Human-Only Actions" list — changed to "Applying Tier-2 labels" instead of "all labels" (line 310)
75+
5. Updated "Safety Gates" section — added Tier-1 auto-labeling to advisory list with guardrails note (line 481)
76+
6. Updated "Human-Only (Never Automated)" in Safety Gates — changed "Label application" to "Tier-2 label application" (line 487)
77+
7. Updated "Appendix C: What Changed" — updated Triage row to reflect Tier-1 auto-apply capability (line 753)
78+
79+
**Security Rationale:** Tier-1 labels are purely informational and cannot trigger workflows or affect routing/priority. Guardrails prevent abuse (circuit breaker, audit trail, no re-application). Tier-2 labels control governance and must remain under human authority to prevent privilege escalation or routing manipulation.
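Review bot: Guardrail 3 ("Dedicated bot — GitHub App `apiops-bot` with label-only permissions") promises a scope GitHub Apps do not offer: adding a label to an issue needs the Issues: write permission, which also lets the app comment on, edit, close and reopen issues, so the plan should record the real grant (Issues: write plus Metadata: read, nothing on Contents, Actions or Workflows) and state that the audit comment and a narrow installation scope are the compensating controls, not a label-only permission. Guardrail 2 states a policy without an enforcement mechanism: the `issues` `labeled` event fires for every label, Tier-1 included, so either add a CI check that rejects workflows triggered on `labeled` unless they filter on a Tier-2 label, or say explicitly that this constraint is enforced by review only. Guardrail 4 should say whether ">3 labels applied per issue" counts labels per bot run or cumulatively on the issue, and guardrail 5 ("bot MUST NOT re-apply") requires the bot to persist which labels a human removed, otherwise a re-run on an edited issue will reapply them.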
