You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- <which architecture/ docs will need updating, or "None expected">
188
+
- <docs expected per AGENTS.md, or "None expected">
189
189
190
190
---
191
191
*Revision 1 — initial plan*
@@ -431,18 +431,9 @@ Do not proceed to PR creation if E2E verification is not green.
431
431
432
432
### Step 11: Update Documentation
433
433
434
-
Use the `arch-doc-writer` sub-agent to update architecture documentation. Use the Task tool:
435
-
436
-
```
437
-
Task tool with subagent_type="arch-doc-writer"
438
-
```
439
-
440
-
In the prompt, provide:
441
-
- Which files were changed and why (from the plan + any deviations)
442
-
- The issue context (what was built/fixed)
443
-
- Which architecture docs in `architecture/` are likely affected
444
-
445
-
Launch one `arch-doc-writer` instance per documentation file that needs updating. If no documentation changes are needed, the `arch-doc-writer` will make that determination.
434
+
Review the documentation requirements in `AGENTS.md` and update any affected
435
+
docs as part of the implementation. Keep documentation changes scoped to the
436
+
behavior or subsystem that changed.
446
437
447
438
### Step 12: Commit and Push
448
439
@@ -502,10 +493,9 @@ Closes #<issue-id>
502
493
## Checklist
503
494
- [x] Follows Conventional Commits
504
495
- [x] Commits are signed off (DCO)
505
-
- [x] Architecture docs updated (if applicable)
506
496
507
497
**Documentation updated:**
508
-
- `<architecture/doc.md>`: <what was updated>
498
+
- `<doc path>`: <what was updated, or "None needed">
Copy file name to clipboardExpand all lines: .agents/skills/fix-security-issue/SKILL.md
+7-21Lines changed: 7 additions & 21 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -157,24 +157,10 @@ If the review identified a specific exploit scenario, verify that it is no longe
157
157
158
158
## Step 7: Update Documentation
159
159
160
-
Use the `arch-doc-writer` sub-agent to update any architecture documentation affected by the fix. Use the Task tool:
161
-
162
-
```
163
-
Task tool with subagent_type="arch-doc-writer"
164
-
```
165
-
166
-
In the prompt, provide:
167
-
- Which files were changed and why
168
-
- The security context (what vulnerability was fixed)
169
-
- Which architecture docs in `architecture/` are likely affected
170
-
171
-
The `arch-doc-writer` will determine which docs need updating and make the changes. Common cases include:
172
-
- A new validation layer or middleware was added
173
-
- An API contract changed (new required headers, changed error responses, etc.)
174
-
- Access control or authentication flow was modified
175
-
- Network or infrastructure security boundaries changed
176
-
177
-
If the fix is purely internal (e.g., switching to parameterized queries with no external behavior change), documentation updates may not be needed -- let the `arch-doc-writer` make that determination.
160
+
Review the documentation requirements in `AGENTS.md` and update any affected
161
+
docs as part of the security fix. If the fix is purely internal, such as
162
+
switching to parameterized queries with no external behavior change,
163
+
documentation updates may not be needed.
178
164
179
165
## Step 8: Commit, Push, and Open PR
180
166
@@ -232,7 +218,7 @@ Closes #<issue-id>
232
218
- **Integration/E2E:** <test file and what it covers, or "N/A" if not applicable>
233
219
234
220
### Documentation Updated
235
-
- `<architecture/doc.md>`: <what was updated>
221
+
- `<doc path>`: <what was updated, or "None needed">
236
222
237
223
### Verification
238
224
<how the fix was verified -- tests passed, exploit scenario tested, etc.>
@@ -281,7 +267,7 @@ User says: "Fix security issue #42"
-**Private IP Access via `allowed_ips`** — CIDR allowlist for private IP space
168
168
-**Validation Rules** — what combinations are valid/invalid
169
169
170
-
Also read the example policy for real-world patterns. The default policy is baked into the community base image (`ghcr.io/nvidia/openshell-community/sandboxes/base:latest`). For reference, consult the policy schema documentation:
170
+
Also read the architecture overview for enforcement context. The default policy is baked into the community base image (`ghcr.io/nvidia/openshell-community/sandboxes/base:latest`). For reference, consult:
171
171
172
172
```
173
173
Read architecture/security-policy.md
@@ -567,7 +567,8 @@ private_services:
567
567
568
568
## Additional Resources
569
569
570
-
- Full policy schema: [architecture/security-policy.md](../../../architecture/security-policy.md)
570
+
- Full policy schema: [docs/reference/policy-schema.mdx](../../../docs/reference/policy-schema.mdx)
Copy file name to clipboardExpand all lines: AGENTS.md
+11Lines changed: 11 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -196,6 +196,17 @@ ocsf_emit!(event);
196
196
- Fern PR previews run through `.github/workflows/branch-docs.yml`, and production publish runs through the `publish-fern-docs` job in `.github/workflows/release-tag.yml`.
197
197
- Use the `update-docs` skill to scan recent commits and draft doc updates.
198
198
199
+
### Architecture Docs
200
+
201
+
- Architecture docs are short canonical subsystem overviews, not exhaustive implementation notes.
202
+
- Update one of the existing top-level architecture docs before adding a new file.
203
+
- Put useful crate-specific details in the relevant crate `README.md`.
204
+
- Add a new top-level architecture doc only when explicitly requested or when an RFC-level design needs a stable home.
205
+
- Keep architecture docs focused on stable boundaries, data/control flow, invariants, and operational constraints.
206
+
- Remove stale detail instead of preserving it by default.
207
+
- Do not include testing transcripts, historical debugging notes, long source-file inventories, or field-by-field schema references.
208
+
- Put user-facing instructions in `docs/`, broad design proposals in `rfc/`, and temporary plans in ignored `architecture/plans/`.
209
+
199
210
## Security
200
211
201
212
- Never commit secrets, API keys, or credentials. If a file looks like it contains secrets (`.env`, `credentials.json`, etc.), do not stage it.
0 commit comments