chore: remove CODEOWNERS file#968
Conversation
There was a problem hiding this comment.
Requesting changes. Removes the one enforceable, mechanical gate standing behind a set of soft LLM prompt rules — in a repo that runs attacker-influenced automated PRs — with nothing put in its place. security-reviewer: High, with a concrete attack path.
This is a security-governance regression, not a config-file cleanup, and the PR body treats it as the latter ("N/A — non-code config file removal").
Why this blocks
.github/CODEOWNERS was added deliberately by the maintainer in cbafef5c ("feat(agents): security + product review fixes for triage routine") with a stated purpose: so agent-authored PRs touching .agents/, .github/, deps, and release tooling require human review before merge. The file's own header names the threat model — "Prevents prompt-injection rewrites of agent behavior, workflow hijacking, or dep-chain tampering from ever reaching main."
That threat model is live here:
- The issue-triage bot (
.github/workflows/claude-issue-triage.yml) opensclaude/issue-NPRs driven by attacker-controlled issue/comment bodies (<<<UNTRUSTED_ISSUE_BODY>>>). - The only other guardrails on
.github/**,.agents/**,pyproject.tomlare the "Never edit" prompt rules in.agents/routines/triage-prompt.md:510/:562— instructions to an LLM that ingests untrusted input, and:510even carries a "...without explicit issue directive" caveat an attacker-supplied body can satisfy. Not enforceable. - The AI reviewer (this bot) can
--approveand is itself injectable via the PR diff. - There is no workflow-level path guard in this repo — adcp-go has
claude-bot-path-guard.ymlto fail bot PRs touching sensitive paths; the Python repo does not. CODEOWNERS was the sole mechanical backstop.
Failure mode in one sentence: with CODEOWNERS gone, an attacker-influenced triage-bot PR editing .github/workflows/*.yml (secret exfil — CLAUDE_ROUTINE_TRIAGE_TOKEN, TRIAGE_DISPATCH_PAT live there) or pyproject.toml (malicious dep pin / entry point = supply chain) can reach main on automated LLM approval, with no human owner in the loop.
On the "dead config" escape hatch — it isn't one
The owner handle is not misspelled. @bokelley in CODEOWNERS byte-matches the maintainer handle documented at .github/ai-review/expert-adcp-reviewer.md:3. It was pointing at a valid owner and enforcing. (And an invalid owner under "Require review from Code Owners" makes matching PRs unmergeable, not a silent pass — so there's no reading where this file was a no-op.)
The self-referential tell
This PR touches /.github/ and is authored by a non-owner. Under the CODEOWNERS it deletes, #968 itself requires bokelley's approval. That's also the acceptance test:
- If #968 can merge without
bokelley, branch protection isn't enforcing code-owner review — the file was your only tripwire and it's being deleted blind. - If it cannot, then
bokelleyapproving is the correct path — and that approval is exactly what unblocks this.
What flips this to approve
- Explicit approval from the actual maintainer (
bokelley), not the AI reviewer — the change is in-scope for the very gate it removes. - A stated replacement control on
.github/**,.agents/**,pyproject.tomlin the PR body — a branch-protection rule that still forces human review on those paths, or a workflow path-guard equivalent to adcp-go's. "Removed, nothing added" is the block.
If branch protection already enforces owner review independently and CODEOWNERS is genuinely redundant, say so in the PR body with a one-line rationale and get the owner's ack — that's a two-minute unblock, not a rewrite.
Not blocking on the chore: prefix — semver-neutral is correct for a config file. The gap is the missing rationale and replacement, not the wording.
Summary
Removes the
.github/CODEOWNERSfile.Changes
.github/CODEOWNERSTesting
N/A — non-code config file removal.