
DEMO Beat 1: drop secure-baseline pin (expect required-packages fail)#10

Draft
danielmeppiel wants to merge 4 commits into main from d2-demo/beat1-drop-secure-baseline

Conversation

@danielmeppiel
Contributor

Demo PR — D2 Governance. Removes the explicit secure-baseline pin from apm.yml. Expected: apm audit fires required-packages violation, ruleset blocks merge.

Org policy: dependencies.require: [DevExpGbb/zava-agent-config/plugins/secure-baseline]
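The required-packages gate this PR is built to trip, as an added illustration (not apm's own code): a minimal check that fails CI when a package listed under the org policy's dependencies.require has no explicit pin in apm.yml, and that also catches a pinned package missing from the lock, the "first-wins silently downgrades the floor" case. The apm.yml, apm-policy.yml and lock shapes used here are assumed; only the keys named on this page are taken from it.

```python
# Added example, not apm's own implementation. Manifest/policy/lock shapes
# are assumptions; the package path and the dependencies.require key come
# from the PR page.

SECURE_BASELINE = "DevExpGbb/zava-agent-config/plugins/secure-baseline"

# Constructed org policy (apm-policy.yml loaded as a dict).
ORG_POLICY = {"dependencies": {"require": [SECURE_BASELINE]}}

# Constructed apm.yml before the PR (pin present) and after it (pin dropped).
MANIFEST_BEFORE = {"dependencies": [SECURE_BASELINE + "@v1.2.0",
                                    "DevExpGbb/zava-agent-config/plugins/docs-tools"]}
MANIFEST_AFTER = {"dependencies": ["DevExpGbb/zava-agent-config/plugins/docs-tools"]}


def package_id(ref: str) -> str:
    """Strip a version/ref suffix (@v1.2.0, #sha) so pins compare by package path."""
    for sep in ("@", "#"):
        ref = ref.split(sep, 1)[0]
    return ref.strip().lower()


def required_packages_violations(policy, manifest, lock=None):
    """One message per policy-required package that is not explicitly pinned.

    When a lock is supplied, a required package that is pinned but has no
    resolved lock entry is also flagged: that is what a transitive conflict
    resolved first-wins would look like after the fact.
    """
    required = {package_id(r): r for r in policy.get("dependencies", {}).get("require", [])}
    pinned = {package_id(d) for d in manifest.get("dependencies", [])}
    resolved = {package_id(d) for d in (lock or {}).get("packages", [])}
    violations = []
    for pid, raw in required.items():
        if pid not in pinned:
            violations.append(f"required-packages: {raw} is required by org policy "
                              f"but not pinned in apm.yml")
        elif lock is not None and pid not in resolved:
            violations.append(f"required-packages: {raw} is pinned but absent from "
                              f"the lock file (dropped during resolution)")
    return violations


def audit_ci(policy, manifest, lock=None) -> int:
    """Exit-code style result: 0 passes, 1 fails (what a merge ruleset blocks on)."""
    violations = required_packages_violations(policy, manifest, lock)
    for msg in violations:
        print(msg)
    return 1 if violations else 0
```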

@danielmeppiel danielmeppiel force-pushed the d2-demo/beat1-drop-secure-baseline branch 3 times, most recently from 7ab686a to 6a5b04d on May 7, 2026 23:55
Required by org policy (apm-policy.yml dependencies.require).
Expected: apm audit --ci fails on required-packages check.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@danielmeppiel danielmeppiel force-pushed the d2-demo/beat1-drop-secure-baseline branch from 6a5b04d to 53fb1f1 on May 8, 2026 00:01
@danielmeppiel
Contributor Author

Closing as DO-NOT-MERGE demo artifact. PR is wired for D2 governance demo (PLATFORM.md §D2) — kept open as a reference; closing to avoid accidental merge. Re-open from the same branch for the live demo.

Frontmatter of pr-review-panel.md and triage-panel.md changed but
the .lock.yml files were not recompiled, causing 'Check workflow
lock file' to fail with ERR_CONFIG on PR #10.

Run gh aw compile (v0.71.5) to bring locks back in sync.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions

🏛️ Architect review

What I see

This PR removes the explicit secure-baseline plugin pin from apm.yml and its corresponding lock entry, which as a side-effect deletes three foundational files: the security agent persona, the docs style guide, and the secure-coding baseline instructions. The remaining changes are CI housekeeping — an apm-action bump (v1.6.0 → v1.7.2, correctly SHA-pinned) and a cron schedule shift in the triage-panel workflow.

Concerns

  • [design-flaw] secure-coding-base.instructions.md is tagged enforced: true and scoped to **. Removing it strips the non-negotiable security floor from every agent and every PR in this repo going forward. The comment in apm.yml that was deleted explicitly warned against this: "APM's first-wins resolution would silently downgrade the security floor on a transitive conflict." That warning was about exactly this scenario. — Restore the secure-baseline pin.
  • [coupling] The panel-review skill (which remains in the repo) calls security.agent.md and references secure-coding-base.instructions.md in its process steps. Removing those files without updating the skill leaves it broken by definition. — Either restore the files or update the skill manifest to remove the dead references.
  • [inconsistent] The PR description is transparent that this is an intentional governance demo — but as a real change it is the precise scenario the deleted comment warned against: losing the explicit pin means the baseline can be silently dropped by a transitive conflict. The repo's own documentation explained why the pin existed.

Looks good

  • apm-action bump is correctly pinned to SHA in both lock files — no floating version.
  • The cron change (10:22 → 18:23) is minor and benign.

🛡️ Security review

What I see

This diff removes the secure-baseline plugin, which deployed three files: the enforced: true secure-coding baseline (applied to all files in the repo), the security reviewer persona used by panel-review, and the docs style guide. The remaining diff is CI lock maintenance.

Findings

  • [BLOCKER] Secure-coding baseline deleted: secure-coding-base.instructions.md (enforced: true, applyTo: "**") is removed. This eliminates the repo-wide non-negotiable rules covering: no secrets in code, input validation at boundary, authN/authZ default-deny, parameterized queries, dependency pinning discipline, PII masking in logs, and fail-closed error handling. Any subsequent PR in this repo will have no enforcement floor. — Required fix: restore the secure-baseline pin before merge.
  • [BLOCKER] Security review persona deleted: security.agent.md is removed. The panel-review skill explicitly invokes this persona; without it, future panel reviews will be broken or incomplete, silently removing the security review layer from all future PRs. — Required fix: restore via secure-baseline pin.
  • [WARNING] Docs style guide removed: docs-style-guide.instructions.md (applyTo: "**/*.md,...") is deleted. Not a direct security risk, but removes documentation quality enforcement across the repo.
  • [INFO] microsoft/apm-action bumped from v1.6.0 to v1.7.2 — pinned to SHA, no concern.

Checklist

  • No new secrets in diff
  • No new HTTP handlers (n/a)
  • No new DB queries (n/a)
  • Dependencies justified: secure-baseline removed without a governance waiver; org policy dependencies.require lists it as required
  • PII masked in logs (n/a)

⚖️ Panel verdict: REJECT

2 blockers (security) · 1 design flaw (architect). This PR intentionally drops the secure-baseline plugin to demonstrate the required-packages governance gate — and the panel confirms the gate is warranted. The panel aligns with the expected outcome: apm audit should fire a required-packages violation and the ruleset should block merge.

Do not merge until secure-baseline is restored or an explicit governance waiver is recorded.

Generated by PR Review Panel for issue #10
