Table of Contents generated with DocToc
- Labels and capabilities
Labels and capabilities
This page is the canonical reference for the label taxonomy used on
issues and pull requests in this framework repository
(apache/airflow-steward). It also defines the capability model
that classifies what each skill or tool in the framework actually
does, independent of which subject area it sits under.
Every issue and pull request opened against this repository should
carry at least one area:* label and at least one
capability:* label. New tools and new skills must declare their
capability up front (see The rule).
Scope caveat. This taxonomy applies to this framework repository. Skills that create issues or PRs on an adopter’s tracker (e.g.
security-issue-import,security-issue-fix,issue-fix-workflow) use the adopter’s own label scheme — adopters are free to mirror this taxonomy in their own repo but are not required to.
Label dimensions
The repository’s labels fall into four orthogonal dimensions. An issue or PR typically carries one label from each dimension that applies.
1. area:* — subject
What part of the framework does this touch?
| Label | Covers |
|---|---|
area:pr-management | pr-management-* skills |
area:security | security-* skills, security-tracker-stats-dashboard |
area:setup | setup-* skills, framework adoption, agent-sandbox setup |
area:issue | issue-* skills (issue-triage, issue-fix-workflow, issue-reassess, issue-reassess-stats, issue-reproducer) |
area:tools | Substrate tools under tools/* (CLI bridges, agent-runtime adapters, mail-source backends) |
area:ci | .github/ workflows, prek, validators |
area:docs | docs/, MISSION.md, READMEs |
2. capability:* — what the tool does
Nine buckets. A tool or skill carries one or more capability:*
labels. Most map cleanly to a single bucket; dual-capability cases
are real and explicitly enumerated below. Issues and PRs follow the
same rule — apply every capability the change is implementing.
When a skill or tool spans multiple capabilities, list all of them in its frontmatter / README. Do not pick a single “primary” to be neat; that loses information the label system exists to surface.
| Label | Definition |
|---|---|
capability:triage | Sweep a queue, classify candidates, propose dispositions for human confirmation. |
capability:review | Deep per-item code review of a PR or local diff; also contributor mentoring (single-item teaching intervention). |
capability:fix | Implement a code change against an upstream repo to resolve a triaged issue. |
capability:intake | Import external signal (mailing list, scan report, public PR) into a tracker entry, or keep an existing entry reconciled with one of those sources. |
capability:reconciliation | Compare tracker state against an external inventory (e.g. ASF security dashboard, organization-wide issue registry); surface drift; propose corrections. Does not write to either source. |
capability:resolve | Close-out actions: invalidate, dedupe, CVE-allocate, post-announcement housekeeping. |
capability:reassess | Re-run resolved or end-of-life issues against current code to verify still-fixed / still-broken. |
capability:stats | Read-only dashboards, metrics, governance evidence, contributor nomination briefs. |
capability:setup | Framework / agent / substrate infrastructure: install, verify, update, doctor, override-upstream, write-skill, plus new tools under tools/*. |
The capability:* dimension is orthogonal to area:*. A single
query can answer “how is our triage stack doing across PR + issue +
security?” by filtering on capability:triage alone, without
enumerating per-area queries.
3. kind:* — change type (pre-existing)
| Label | Covers |
|---|---|
kind:dx | Maintainer dev-loop / CLI UX |
kind:policy | Rule changes (eligibility, thresholds, behaviour switches) |
kind:perf | Token / latency / API-call budget |
kind:adopter-config | Per-adopter knob |
4. mode:* — handling mode (pre-existing)
| Label | Covers |
|---|---|
mode:A | Mode A — triage |
mode:B | Mode B — mentoring |
mode:C | Mode C — agent-authored fix with human review |
mode:D | Mode D — narrowly-scoped auto-merge (off until A/B/C run 2 quarters) |
mode:cross-cutting | Spans multiple modes |
mode:platform | Substrate / infra — not a mode (sandbox, CI, validators) |
Standalone labels
marketing (branding artefacts), dependencies (dependency-update
PRs), python:uv (Python uv-managed code), plus the default GitHub
labels (bug, enhancement, documentation, good first issue,
etc.).
Capability to skill map
Capabilities for every skill currently in
.claude/skills/. Skills with two values
(separated by +) carry both labels.
| Skill | Capability / capabilities |
|---|---|
pr-management-triage | capability:triage |
issue-triage | capability:triage |
security-issue-triage | capability:triage |
pr-management-code-review | capability:review |
pairing-self-review | capability:review |
pr-management-mentor | capability:review |
issue-fix-workflow | capability:fix |
security-issue-fix | capability:fix + capability:resolve (opens the PR that closes the tracker — both phases) |
security-issue-import | capability:intake |
security-issue-import-from-md | capability:intake |
security-issue-import-from-pr | capability:intake |
security-issue-sync | capability:intake (+ capability:reconciliation once #337 lands the ASF-dashboard step) |
setup-shared-config-sync | capability:intake + capability:setup (reconciles user-scope config to a sync repo; the act is intake, the subject is setup) |
security-cve-allocate | capability:resolve |
security-issue-invalidate | capability:resolve |
security-issue-deduplicate | capability:resolve |
issue-reassess | capability:reassess |
issue-reproducer | capability:reassess |
pr-management-stats | capability:stats |
issue-reassess-stats | capability:stats |
security-tracker-stats-dashboard | capability:stats |
contributor-nomination | capability:stats |
list-steward-skills | capability:stats |
setup-steward | capability:setup |
setup-isolated-setup-install | capability:setup |
setup-isolated-setup-verify | capability:setup |
setup-isolated-setup-update | capability:setup |
setup-isolated-setup-doctor | capability:setup + capability:reassess (re-checks an installed sandbox against current spec — the phase is reassess on subject setup) |
setup-override-upstream | capability:setup |
write-skill | capability:setup |
Capability to tool map
Tools under tools/. Tools with two values (separated by
+) carry both labels — the dual role is explained in each row.
| Tool | Capability / capabilities | Role |
|---|---|---|
tools/agent-isolation | capability:setup | Secure-agent sandbox helpers |
tools/cve-org | capability:resolve + capability:intake | Publishes to CVE.org (resolve) and records the resulting CVE state back into the tracker (intake) |
tools/dashboard-generator | capability:stats | Self-contained HTML dashboard generator |
tools/dev | capability:setup | Framework dev-loop helpers |
tools/github | capability:setup | GitHub REST / GraphQL substrate (called by every lifecycle phase — pure substrate, no single phase) |
tools/gmail | capability:setup | Gmail API substrate |
tools/jira | capability:setup | JIRA REST substrate (read-only today; write subcommands tracked in #301) |
tools/mail-source | capability:setup + capability:intake | Mail-source backend abstraction (mbox / IMAP / Mailman 3); the abstraction is setup, every concrete read is part of the intake pipeline |
tools/ponymail | capability:setup + capability:intake | PonyMail archive substrate; same dual role as mail-source — substrate plus an intake-pipeline component |
tools/pr-management-stats | capability:stats | PR-backlog analytics engine |
tools/privacy-llm | capability:setup | Privacy-LLM PII-scrubbing gate |
tools/probe-templates | capability:setup | Sandbox-doctor probe templates |
tools/sandbox-lint | capability:setup | Sandbox settings linter |
tools/security-tracker-stats-dashboard | capability:stats | Security-tracker analytics engine |
tools/spec-loop | capability:setup | Spec-driven build loop runner (Ralph-style) for framework development |
tools/skill-evals | capability:setup + capability:stats | Eval harness for skills; the harness is setup infrastructure, the run output is governance evidence |
tools/skill-and-tool-validator | capability:setup | Skill-frontmatter and convention validator |
tools/spec-status-index | capability:setup + capability:stats | Index of spec / RFC implementation status — substrate that also doubles as a governance/stats view |
tools/spec-validator | capability:setup | Spec-frontmatter and body-section validator — counterpart to skill-and-tool-validator for tools/spec-loop/specs/ |
tools/vulnogram | capability:resolve | ASF Vulnogram CVE-allocation client |
A tool’s capabilities are determined by its use-case lifecycle
phases, not by which skills happen to consume it. tools/github is
called by every triage / intake / fix / resolve skill but is tagged
only capability:setup because it doesn’t encode any one lifecycle
phase — it is pure substrate. tools/cve-org, by contrast, exists
specifically to do CVE publication and to record that result; both
the resolve action and the intake of state into the tracker are
first-class jobs of the tool, so it carries both labels.
When a tool grows to serve a new lifecycle phase as a first-class
feature (rather than as generic substrate that other skills happen
to compose), add the new capability:* label to its README and to
the table above.
The rule
When you create any of the following on this repository, declare the capability:
A GitHub issue
Apply at least one area:* AND one capability:* label. If the issue
genuinely spans capabilities, apply both — for example,
#337 carries
both capability:reconciliation and capability:setup because it
covers a new substrate tool and a new sync-flow integration.
A pull request
Same: area:* AND capability:*. Match the capability the change is
implementing, not the file paths it happens to touch. A PR that
adjusts the validator config to support a new triage rule is
capability:triage (the change’s purpose), not capability:setup
(the file it edited).
A new tool under tools/
Declare the tool’s capability in the first paragraph of its README using the line:
**Capability:** capability:NAMEIf the tool serves more than one capability, list both. Substrate
bridges (tools/github, tools/gmail, …) default to
capability:setup unless they encode a specific lifecycle capability.
A new skill under .claude/skills/
Declare the capability in the skill’s frontmatter:
---
name: my-new-skill
description: |
...
capability: capability:NAME
---The write-skill skill
prompts for this on every new-skill scaffold.
A new doc under docs/
Capability-specific docs (e.g. a guide for a single skill family)
should link to this page and name the capability in their first
paragraph. Cross-cutting docs (MISSION.md, top-level READMEs) need
no capability marker.
Why this exists
The original area:* labels split issues by subject — useful for
“what part of the codebase is this?” but unable to answer “what kind
of thing is this?”. The capability:* dimension fills that gap and
is orthogonal: a triage-rule change in PR management
(area:pr-management + capability:triage) and a triage-rule change
in security (area:security + capability:triage) become trivially
findable as a cohort even though they live in different families.
Capability is also a forcing function for skill design: if a new skill doesn’t fit any of the nine buckets cleanly, that’s a signal worth inspecting before the skill ships.