Skip to content

chore: remove CODEOWNERS file#968

Merged
EmmaLouise2018 merged 1 commit into
mainfrom
EmmaLouise2018/remove-codeowners-file
Jul 2, 2026
Merged

chore: remove CODEOWNERS file#968
EmmaLouise2018 merged 1 commit into
mainfrom
EmmaLouise2018/remove-codeowners-file

Conversation

@EmmaLouise2018

Copy link
Copy Markdown
Contributor

Summary

Removes the .github/CODEOWNERS file.

Changes

  • Deleted .github/CODEOWNERS

Testing

N/A — non-code config file removal.

@EmmaLouise2018 EmmaLouise2018 requested a review from bokelley as a code owner July 2, 2026 17:31

@aao-ipr-bot aao-ipr-bot Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Requesting changes. Removes the one enforceable, mechanical gate standing behind a set of soft LLM prompt rules — in a repo that runs attacker-influenced automated PRs — with nothing put in its place. security-reviewer: High, with a concrete attack path.

This is a security-governance regression, not a config-file cleanup, and the PR body treats it as the latter ("N/A — non-code config file removal").

Why this blocks

.github/CODEOWNERS was added deliberately by the maintainer in cbafef5c ("feat(agents): security + product review fixes for triage routine") with a stated purpose: so agent-authored PRs touching .agents/, .github/, deps, and release tooling require human review before merge. The file's own header names the threat model — "Prevents prompt-injection rewrites of agent behavior, workflow hijacking, or dep-chain tampering from ever reaching main."

That threat model is live here:

  • The issue-triage bot (.github/workflows/claude-issue-triage.yml) opens claude/issue-N PRs driven by attacker-controlled issue/comment bodies (<<<UNTRUSTED_ISSUE_BODY>>>).
  • The only other guardrails on .github/**, .agents/**, pyproject.toml are the "Never edit" prompt rules in .agents/routines/triage-prompt.md:510 / :562 — instructions to an LLM that ingests untrusted input, and :510 even carries a "...without explicit issue directive" caveat an attacker-supplied body can satisfy. Not enforceable.
  • The AI reviewer (this bot) can --approve and is itself injectable via the PR diff.
  • There is no workflow-level path guard in this repo — adcp-go has claude-bot-path-guard.yml to fail bot PRs touching sensitive paths; the Python repo does not. CODEOWNERS was the sole mechanical backstop.

Failure mode in one sentence: with CODEOWNERS gone, an attacker-influenced triage-bot PR editing .github/workflows/*.yml (secret exfil — CLAUDE_ROUTINE_TRIAGE_TOKEN, TRIAGE_DISPATCH_PAT live there) or pyproject.toml (malicious dep pin / entry point = supply chain) can reach main on automated LLM approval, with no human owner in the loop.

On the "dead config" escape hatch — it isn't one

The owner handle is not misspelled. @bokelley in CODEOWNERS byte-matches the maintainer handle documented at .github/ai-review/expert-adcp-reviewer.md:3. It was pointing at a valid owner and enforcing. (And an invalid owner under "Require review from Code Owners" makes matching PRs unmergeable, not a silent pass — so there's no reading where this file was a no-op.)

The self-referential tell

This PR touches /.github/ and is authored by a non-owner. Under the CODEOWNERS it deletes, #968 itself requires bokelley's approval. That's also the acceptance test:

  • If #968 can merge without bokelley, branch protection isn't enforcing code-owner review — the file was your only tripwire and it's being deleted blind.
  • If it cannot, then bokelley approving is the correct path — and that approval is exactly what unblocks this.

What flips this to approve

  1. Explicit approval from the actual maintainer (bokelley), not the AI reviewer — the change is in-scope for the very gate it removes.
  2. A stated replacement control on .github/**, .agents/**, pyproject.toml in the PR body — a branch-protection rule that still forces human review on those paths, or a workflow path-guard equivalent to adcp-go's. "Removed, nothing added" is the block.

If branch protection already enforces owner review independently and CODEOWNERS is genuinely redundant, say so in the PR body with a one-line rationale and get the owner's ack — that's a two-minute unblock, not a rewrite.

Not blocking on the chore: prefix — semver-neutral is correct for a config file. The gap is the missing rationale and replacement, not the wording.

@EmmaLouise2018 EmmaLouise2018 merged commit a79e29a into main Jul 2, 2026
26 checks passed
@EmmaLouise2018 EmmaLouise2018 deleted the EmmaLouise2018/remove-codeowners-file branch July 2, 2026 18:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant