generated from coulomb/repo-seed
T51: ContextResolver ABC + CONTEXT_RESOLVER_REGISTRY; resolve_context activity
updated to dispatch via registry (warns + binds {} on failure, never aborts run).
T52: RepoScopingContextResolver with 5-min in-process cache.
T53: StateHubContextResolver (no cache) for domain_summary and repo_sbom_status.
T54: activity-definitions/weekly-sbom-staleness.md (Monday 09:00 Berlin, cron
trigger, flag-stale-sbom rule at >30 days) + tasks/sbom-rescan.md template.
T55: 51 parametrized evaluator tests — all whitelisted operators, unsafe
expression rejection, empty condition, missing attribute, nested context access.
T56: 15 executor safety tests — UntrustedFieldError, object-type rejection,
injection fixture, LLM retry on bad JSON, review_required field.
T57: 6 integration tests — parses real definition, evaluates rule per-repo
(stale/fresh boundary), emits via NullSink, verifies spawn log entries.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
35 lines
774 B
Markdown
---
id: weekly-sbom-staleness
name: Weekly SBOM Staleness Check
enabled: true
owner: custodian-agent
governance: custodian
status: active
trigger:
  type: cron
  cron_expression: "0 9 * * 1"
  timezone: Europe/Berlin
  misfire_policy: skip
context_sources:
  - type: state-hub
    query: repo_sbom_status
    params:
      repos: all
    bind_to: context.repos
---

# Weekly SBOM Staleness Check

Runs every Monday at 09:00 Berlin time. Checks all tracked repositories for
SBOM staleness and flags any repository whose SBOM is older than 30 days.

```rule
id: flag-stale-sbom
condition: 'context.repos.sbom_age_days > 30'
action:
  task_template: tasks/sbom-rescan.md
  target_repo: context.repos.repo_slug
  priority: medium
  labels: ["sbom", "security", "automated"]
```
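Added example, not code from this repository: a sketch of how the `flag-stale-sbom` condition can be evaluated per repository with an AST whitelist instead of `eval`. The names `evaluate`, `stale_repos` and `UnsafeExpressionError` are hypothetical. It assumes `context.repos` is bound to one repository row at a time and that a missing or non-numeric `sbom_age_days` does not fire the rule.

```python
import ast
import operator

# Comparison operators this sketch allows (assumed whitelist).
_CMP = {ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne}

class UnsafeExpressionError(ValueError):
    """Condition uses syntax outside the whitelist."""

def _eval(node, context):
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, str)):
        return node.value
    if isinstance(node, ast.Name) and node.id == "context":
        return context                      # the only name in scope
    if isinstance(node, ast.Attribute) and not node.attr.startswith("_"):
        base = _eval(node.value, context)
        if not isinstance(base, dict):
            raise UnsafeExpressionError("attribute access on non-mapping")
        return base[node.attr]              # KeyError: missing attribute
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _CMP:
        compare = _CMP[type(node.ops[0])]
        return compare(_eval(node.left, context), _eval(node.comparators[0], context))
    if isinstance(node, ast.BoolOp):
        values = [_eval(v, context) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    raise UnsafeExpressionError(f"disallowed syntax: {type(node).__name__}")

def evaluate(condition, context):
    """True if the rule fires. Unsafe syntax raises; missing data does not fire."""
    if not condition.strip():
        return False
    try:
        tree = ast.parse(condition.strip(), mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpressionError(str(exc)) from exc
    try:
        return bool(_eval(tree.body, context))
    except (KeyError, TypeError):
        return False

def stale_repos(condition, repos):
    """Evaluate per repository, binding context.repos to one row at a time."""
    return [r["repo_slug"] for r in repos if evaluate(condition, {"repos": r})]

COND = "context.repos.sbom_age_days > 30"   # condition from flag-stale-sbom
SAMPLE = [{"repo_slug": "org/a", "sbom_age_days": 30},   # constructed rows
          {"repo_slug": "org/b", "sbom_age_days": 31},
          {"repo_slug": "org/c"}]
```

Calls, subscripts, dunder attributes and any name other than `context` are rejected before anything is evaluated, so a condition string from an untrusted definition file cannot reach Python builtins.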