Skip to content

launch-agent: flexible repo naming (suggest-with-override) + GO-2026-5932 suppression#37

Merged
bborbe merged 3 commits into
masterfrom
feature/launch-agent-flexible-naming
Jul 12, 2026
Merged

launch-agent: flexible repo naming (suggest-with-override) + GO-2026-5932 suppression#37
bborbe merged 3 commits into
masterfrom
feature/launch-agent-flexible-naming

Conversation

@bborbe

@bborbe bborbe commented Jul 12, 2026

Copy link
Copy Markdown
Owner

Two changes:

  1. launch-agent flexible naming — replace the forced bborbe/agent-<name> scheme with suggest-with-override: normalize the role to a slug, suggest <slug>-agent (or github-<slug>-agent for GitHub-triggered), and let the user overwrite with any valid repo name (e.g. github-dark-factory-agent). Aligns with the post-split fleet convention (github-pr-review-agent, github-releaser-agent) and the /github-* command naming. <name> now means the full repo basename across the skill, command, and reference templates; template source (agent-<shape>) unchanged.
  2. Suppress GO-2026-5932 — the unmaintained golang.org/x/crypto/openpgp advisory (no fix will ship, unreachable) added to the govulncheck ignore + .osv-scanner.toml (.trivyignore already had it), so precommit is green.

make precommit passes.

🤖 Generated with Claude Code

bborbe added 2 commits July 12, 2026 18:46
Add GO-2026-5932 to the govulncheck jq ignore list and .osv-scanner.toml
(.trivyignore already had it). The advisory deprecates the unmaintained
golang.org/x/crypto/openpgp package; no fix will ship and the code path is
unreachable. Unblocks a green precommit.
Replace the forced bborbe/agent-<name> scheme with suggest-with-override:
normalize the role to a slug, suggest <slug>-agent (or github-<slug>-agent
for GitHub-triggered), and let the user overwrite with any valid repo name
(e.g. github-dark-factory-agent). Aligns with the post-split fleet convention
(github-pr-review-agent, github-releaser-agent) and the /github-* command
naming. Placeholder <name> now means the full repo basename across SKILL.md,
the command, and all reference templates; template source (agent-<shape>)
unchanged.

@ben-s-pull-request-reviewer ben-s-pull-request-reviewer Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now I have enough information. Let me analyze the key concerns:

1. GO-2026-5932 suppression - ✅ Verified consistent

  • .osv-scanner.toml: id = "GO-2026-5932"
  • Makefile jq filter: .finding.osv != "GO-2026-5932"
  • Both match. The golang.org/x/crypto/openpgp package is unmaintained per the suppression reason — appropriate.

2. Double-suffix bug (Must Fix candidate)
In SKILL.md step 2a: "If <slug> already ends in -agent, use it as-is." If user says "pr-review" → slug=pr-review-agent → suggested=pr-review-agent (no -agent appended). But if user says "pr-review-agent" → slug=pr-review-agent → suggested=pr-review-agentbborbe/pr-review-agent-agentdouble suffix

3. GitHub github- prefix not rejected (Should Fix candidate)
SKILL.md step 2b suggests github-<slug>-agent for GitHub-triggered agents. But GitHub repo names cannot start with github- (reserved namespace). The validation in step 4 rejects /, $, etc., but does NOT reject github- prefix. gh repo create bborbe/github-pr-review-agent would fail.

4. Interview flow changes - ✅ Correct
Part 2 now asks "Role" then "Repo name (suggest-with-override)" per SKILL.md. The wording is consistent.


{
  "verdict": "request-changes",
  "summary": "The GO-2026-5932 suppression is correctly applied in both osv-scanner.toml and Makefile. However, the suggest-with-override naming logic in SKILL.md has two bugs: (1) if a user inputs a role already ending in '-agent', the double-suffix is not prevented, producing e.g. 'pr-review-agent-agent'; (2) the 'github-' prefix is suggested for GitHub-triggered agents but is not validated against GitHub's reserved namespace, which would cause 'gh repo create' to fail for names like 'github-api-agent'.",
  "comments": [
    {
      "file": "skills/launch-agent/SKILL.md",
      "line": 45,
      "severity": "major",
      "message": "Should Fix: Step 2a 'If <slug> already ends in -agent, use it as-is' causes double-suffix when user inputs a role that already has the -agent suffix. Example: role='pr-review-agent' → slug='pr-review-agent' → suggested='pr-review-agent' → final name 'bborbe/pr-review-agent-agent'. Fix: either (a) strip trailing -agent before computing the suggestion, or (b) always append -agent and let the override handle cases where user wants something different."
    },
    {
      "file": "skills/launch-agent/SKILL.md",
      "line": 50,
      "severity": "major",
      "message": "Should Fix: Validation in Step 4 does not reject names starting with 'github-'. GitHub reserves the 'github-' prefix at the org level — 'gh repo create bborbe/github-pr-review-agent' fails with 'HTTP 422: repository name invalid'. The suggest-with-override flow in Step 2b produces 'github-<slug>-agent' for GitHub-triggered agents, which would always fail. Fix: add 'github-' as a rejected prefix in the validation, or change the suggestion pattern to use a different prefix (e.g. 'gh-') that doesn't conflict with GitHub's reserved namespaces."
    }
  ],
  "concerns_addressed": [
    "security: GO-2026-5932 suppression is correctly applied in both .osv-scanner.toml and Makefile — IDs match, and the suppression is appropriate for an unmaintained package with no fix",
    "correctness: suggest-with-override naming logic partially implemented — slug normalization is correct, but double-suffix bug exists (see comment #1)",
    "correctness: dangerous char validation is correctly implemented — validation rejects $, backtick, ;, |, <, >, &, (, ), \\, .., /",
    "correctness: double-suffix issue — SKILL.md step 2a causes pr-review-agent → pr-review-agent-agent (see comment #1)",
    "correctness: GitHub 'github-' prefix not validated — would cause gh repo create to fail (see comment #2)",
    "correctness: interview flow correctly changed from 'Name' to 'Role' then 'Repo name (suggest-with-override)'"
  ]
}

Address PR review: (1) strip a trailing -agent before appending so an
already-suffixed role can't produce a double suffix (pr-review-agent stays
pr-review-agent); (2) drop the auto github- suggestion (user adds it via
override) and document that github- IS a valid repo-name prefix — bborbe/
github-pr-review-agent and github-releaser-agent already exist; GitHub
reserves 'github' only for account names, not repos — so validation must
not reject it.
@ben-s-pull-request-reviewer ben-s-pull-request-reviewer Bot dismissed their stale review July 12, 2026 17:03

superseded by new automated review

@ben-s-pull-request-reviewer ben-s-pull-request-reviewer Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Worktree cleaned up. Now compiling the consolidated report.

Step 5: Consolidated Report

Must Fix (Critical): None.

Should Fix (Important): None.

Nice to Have (Optional):

  • The GO-2026-5932 suppression (.osv-scanner.toml + Makefile vulncheck) is correctly implemented — however, golang.org/x/crypto/openpgp does not appear in go.mod or go.sum, suggesting the vulnerability is not currently present in the dependency tree. The suppression is harmless but may be unnecessary; worth confirming intent during merge.

Verification of key correctness claims from the plan:

  1. .osv-scanner.tomlGO-2026-5932 correctly added to IgnoredVulns with descriptive reason
  2. Makefile vulncheck jq filter — GO-2026-5932 correctly added to exclusion chain, filter logic is sound
  3. SKILL.md naming algorithm — idempotent -agent suffix stripping (core extraction then re-suffix); validation rejects shell-unsafe chars; github- prefix correctly allowed
  4. interview.md Q2 — matches SKILL.md behavior (suggest-with-override, github- prefix allowed)
  5. commands/launch-agent.md — argument hint updated to [role or repo-name] reflecting the new flexibility

Selector mode clean — no adjudication needed.


{
  "verdict": "approve",
  "summary": "PR #37 is a clean documentation/template update implementing flexible repo naming for /launch-agent (suggest-with-override with -agent suffix convention) plus a preemptive suppression of the unfixable GO-2026-5932 advisory. All changes are self-consistent across 11 files; no correctness bugs identified in the naming algorithm, jq filter, or template references. The suppressed vulnerability (golang.org/x/crypto/openpgp) is not present in the current dependency tree, making the suppression unnecessary but harmless.",
  "comments": [
    {
      "file": ".osv-scanner.toml",
      "line": 34,
      "severity": "nit",
      "message": "GO-2026-5932 suppression added correctly, but golang.org/x/crypto/openpgp does not appear in go.mod or go.sum — the vulnerability is not currently in the dependency tree. Confirm this suppression is intentional even without the dep present (e.g., future-proofing or prior removal)."
    }
  ],
  "concerns_addressed": [
    "security: GO-2026-5932 suppression verified in both .osv-scanner.toml and Makefile vulncheck jq filter — correctly formed",
    "correctness: jq filter correctly includes .finding.osv != \"GO-2026-5932\" in the exclusion chain",
    "correctness: suggest-with-override naming algorithm is idempotent (strips -agent once, then re-suffixes), shell-unsafe validation is applied to user override, github- prefix correctly allowed",
    "correctness: interview.md Q2 wording matches SKILL.md behavior (suggest-with-override, github- prefix allowed)"
  ]
}

@bborbe bborbe merged commit 0537eaa into master Jul 12, 2026
1 check passed
@bborbe bborbe deleted the feature/launch-agent-flexible-naming branch July 12, 2026 17:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant