launch-agent: flexible repo naming (suggest-with-override) + GO-2026-5932 suppression#37
Conversation
Add GO-2026-5932 to the govulncheck jq ignore list and .osv-scanner.toml (.trivyignore already had it). The advisory deprecates the unmaintained golang.org/x/crypto/openpgp package; no fix will ship and the code path is unreachable. Unblocks a green precommit.
Replace the forced bborbe/agent-<name> scheme with suggest-with-override: normalize the role to a slug, suggest <slug>-agent (or github-<slug>-agent for GitHub-triggered), and let the user overwrite with any valid repo name (e.g. github-dark-factory-agent). Aligns with the post-split fleet convention (github-pr-review-agent, github-releaser-agent) and the /github-* command naming. Placeholder <name> now means the full repo basename across SKILL.md, the command, and all reference templates; template source (agent-<shape>) unchanged.
There was a problem hiding this comment.
Now I have enough information. Let me analyze the key concerns:
1. GO-2026-5932 suppression - ✅ Verified consistent
.osv-scanner.toml:id = "GO-2026-5932"Makefilejq filter:.finding.osv != "GO-2026-5932"- Both match. The golang.org/x/crypto/openpgp package is unmaintained per the suppression reason — appropriate.
2. Double-suffix bug (Must Fix candidate)
In SKILL.md step 2a: "If <slug> already ends in -agent, use it as-is." If user says "pr-review" → slug=pr-review-agent → suggested=pr-review-agent (no -agent appended). But if user says "pr-review-agent" → slug=pr-review-agent → suggested=pr-review-agent → bborbe/pr-review-agent-agent ❌ double suffix
3. GitHub github- prefix not rejected (Should Fix candidate)
SKILL.md step 2b suggests github-<slug>-agent for GitHub-triggered agents. But GitHub repo names cannot start with github- (reserved namespace). The validation in step 4 rejects /, $, etc., but does NOT reject github- prefix. gh repo create bborbe/github-pr-review-agent would fail.
4. Interview flow changes - ✅ Correct
Part 2 now asks "Role" then "Repo name (suggest-with-override)" per SKILL.md. The wording is consistent.
{
"verdict": "request-changes",
"summary": "The GO-2026-5932 suppression is correctly applied in both osv-scanner.toml and Makefile. However, the suggest-with-override naming logic in SKILL.md has two bugs: (1) if a user inputs a role already ending in '-agent', the double-suffix is not prevented, producing e.g. 'pr-review-agent-agent'; (2) the 'github-' prefix is suggested for GitHub-triggered agents but is not validated against GitHub's reserved namespace, which would cause 'gh repo create' to fail for names like 'github-api-agent'.",
"comments": [
{
"file": "skills/launch-agent/SKILL.md",
"line": 45,
"severity": "major",
"message": "Should Fix: Step 2a 'If <slug> already ends in -agent, use it as-is' causes double-suffix when user inputs a role that already has the -agent suffix. Example: role='pr-review-agent' → slug='pr-review-agent' → suggested='pr-review-agent' → final name 'bborbe/pr-review-agent-agent'. Fix: either (a) strip trailing -agent before computing the suggestion, or (b) always append -agent and let the override handle cases where user wants something different."
},
{
"file": "skills/launch-agent/SKILL.md",
"line": 50,
"severity": "major",
"message": "Should Fix: Validation in Step 4 does not reject names starting with 'github-'. GitHub reserves the 'github-' prefix at the org level — 'gh repo create bborbe/github-pr-review-agent' fails with 'HTTP 422: repository name invalid'. The suggest-with-override flow in Step 2b produces 'github-<slug>-agent' for GitHub-triggered agents, which would always fail. Fix: add 'github-' as a rejected prefix in the validation, or change the suggestion pattern to use a different prefix (e.g. 'gh-') that doesn't conflict with GitHub's reserved namespaces."
}
],
"concerns_addressed": [
"security: GO-2026-5932 suppression is correctly applied in both .osv-scanner.toml and Makefile — IDs match, and the suppression is appropriate for an unmaintained package with no fix",
"correctness: suggest-with-override naming logic partially implemented — slug normalization is correct, but double-suffix bug exists (see comment #1)",
"correctness: dangerous char validation is correctly implemented — validation rejects $, backtick, ;, |, <, >, &, (, ), \\, .., /",
"correctness: double-suffix issue — SKILL.md step 2a causes pr-review-agent → pr-review-agent-agent (see comment #1)",
"correctness: GitHub 'github-' prefix not validated — would cause gh repo create to fail (see comment #2)",
"correctness: interview flow correctly changed from 'Name' to 'Role' then 'Repo name (suggest-with-override)'"
]
}Address PR review: (1) strip a trailing -agent before appending so an already-suffixed role can't produce a double suffix (pr-review-agent stays pr-review-agent); (2) drop the auto github- suggestion (user adds it via override) and document that github- IS a valid repo-name prefix — bborbe/ github-pr-review-agent and github-releaser-agent already exist; GitHub reserves 'github' only for account names, not repos — so validation must not reject it.
superseded by new automated review
There was a problem hiding this comment.
Worktree cleaned up. Now compiling the consolidated report.
Step 5: Consolidated Report
Must Fix (Critical): None.
Should Fix (Important): None.
Nice to Have (Optional):
- The GO-2026-5932 suppression (
.osv-scanner.toml+Makefilevulncheck) is correctly implemented — however,golang.org/x/crypto/openpgpdoes not appear ingo.modorgo.sum, suggesting the vulnerability is not currently present in the dependency tree. The suppression is harmless but may be unnecessary; worth confirming intent during merge.
Verification of key correctness claims from the plan:
- ✅
.osv-scanner.toml—GO-2026-5932correctly added toIgnoredVulnswith descriptive reason - ✅
Makefilevulncheck jq filter —GO-2026-5932correctly added to exclusion chain, filter logic is sound - ✅
SKILL.mdnaming algorithm — idempotent-agentsuffix stripping (core extraction then re-suffix); validation rejects shell-unsafe chars;github-prefix correctly allowed - ✅
interview.mdQ2 — matches SKILL.md behavior (suggest-with-override,github-prefix allowed) - ✅
commands/launch-agent.md— argument hint updated to[role or repo-name]reflecting the new flexibility
Selector mode clean — no adjudication needed.
{
"verdict": "approve",
"summary": "PR #37 is a clean documentation/template update implementing flexible repo naming for /launch-agent (suggest-with-override with -agent suffix convention) plus a preemptive suppression of the unfixable GO-2026-5932 advisory. All changes are self-consistent across 11 files; no correctness bugs identified in the naming algorithm, jq filter, or template references. The suppressed vulnerability (golang.org/x/crypto/openpgp) is not present in the current dependency tree, making the suppression unnecessary but harmless.",
"comments": [
{
"file": ".osv-scanner.toml",
"line": 34,
"severity": "nit",
"message": "GO-2026-5932 suppression added correctly, but golang.org/x/crypto/openpgp does not appear in go.mod or go.sum — the vulnerability is not currently in the dependency tree. Confirm this suppression is intentional even without the dep present (e.g., future-proofing or prior removal)."
}
],
"concerns_addressed": [
"security: GO-2026-5932 suppression verified in both .osv-scanner.toml and Makefile vulncheck jq filter — correctly formed",
"correctness: jq filter correctly includes .finding.osv != \"GO-2026-5932\" in the exclusion chain",
"correctness: suggest-with-override naming algorithm is idempotent (strips -agent once, then re-suffixes), shell-unsafe validation is applied to user override, github- prefix correctly allowed",
"correctness: interview.md Q2 wording matches SKILL.md behavior (suggest-with-override, github- prefix allowed)"
]
}
Two changes:
bborbe/agent-<name>scheme with suggest-with-override: normalize the role to a slug, suggest<slug>-agent(orgithub-<slug>-agentfor GitHub-triggered), and let the user overwrite with any valid repo name (e.g.github-dark-factory-agent). Aligns with the post-split fleet convention (github-pr-review-agent,github-releaser-agent) and the/github-*command naming.<name>now means the full repo basename across the skill, command, and reference templates; template source (agent-<shape>) unchanged.golang.org/x/crypto/openpgpadvisory (no fix will ship, unreachable) added to the govulncheck ignore +.osv-scanner.toml(.trivyignorealready had it), so precommit is green.make precommitpasses.🤖 Generated with Claude Code