[spec-review] Update Safe Outputs conformance checker for recent spec changes#32956
Merged
pelikhan merged 1 commit intoMay 18, 2026
Merged
Conversation
- Update script version from 1.19.0 to 1.20.0 - Update EXEC-002 section reference from Section 10.5 → Section 10.6 (zero-max edge case moved to 10.6 when 10.5 became warn-mode policy) - Add WTD-001: check reviewable annotation (caution block, 'agentic threat - Add WTD-002: check push_to_pull_request_branch convertible fallback to create_pull_request under warn-mode threat detection per WTD2 - Add WTD-003: check abort-class outputs produce threat-detected error outcomes and are not applied per WTD3 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
github-actions
Bot
added
automation
documentation
Closed
Contributor
Author
|
Please re-run the safe-outputs conformance checker and post the result.
|
pelikhan
approved these changes
May 18, 2026
pelikhan
deleted the
fix/safe-outputs-conformance-v1-20-0-64dbfad503626ece
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Updates the Safe Outputs conformance checker script to align with the spec v1.20.0 changes introduced in the recent commit.
Specification Changes Reviewed
c2a2a94: Addeddocs/src/content/docs/reference/safe-outputs-specification.mdat v1.20.0📋 Script Updates & Testing Details
Script Updates
Version Updated
1.19.0to1.20.0to track the spec versionSection Reference Updated
10.5→10.6(zero-max edge case moved when Section 10.5 became the warn-mode policy section)New Checks Added
[!CAUTION]block, visibleagentic threat detectedlabel string, and<!-- gh-aw-threat-detected -->XML comment marker are all present. Checksgenerate_footer.cjsdirectly and via the centralisedthreat_detection_warning.cjshelper.push_to_pull_request_branch(WTD2): the handler must detectGH_AW_DETECTION_CONCLUSION=warningand fall back to a review pull request with the WTD1 annotations. Also checks the handler manager registers the type as Convertible.THREAT_WARNING_ABORT_TYPESset exists, abort policy branch stops execution, and a machine-readablethreat_detected_abort_policyerror outcome is returned. Traceability check for WTD3 requirement ID reference.Testing
Ran the updated script — all checks passed:
Related Files
docs/src/content/docs/reference/safe-outputs-specification.mdscripts/check-safe-outputs-conformance.sh