
Commit 79e733c

docs: remove public GHSA fix mechanism details
1 parent f8c8c0d commit 79e733c

2 files changed

Lines changed: 5 additions & 4 deletions

File tree

.agents/skills/openclaw-ghsa-maintainer/SKILL.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -85,4 +85,4 @@ jq -r .description < /tmp/ghsa.refetch.json | rg '\\\\n'
8585
- Publishing fails with HTTP 422 if required fields are missing or the private fork still has open PRs.
8686
- A payload that looks correct in shell can still be wrong if Markdown was assembled with escaped newline strings.
8787
- Advisory PATCH sequencing matters; separate field updates when GHSA API constraints require it.
88-
- Public hardening/no-publish comments and draft text should avoid raw commit hashes. Prefer release versions, PRs, patched-version fields, or "the fix on main"; keep full SHAs in internal evidence unless publishing a real CVE/GHSA needs them.
88+
- Public hardening/no-publish comments and draft text should avoid raw commit hashes, PR titles/numbers, and fix-mechanism summaries. Prefer patched-version fields or release-only wording; keep SHAs, PRs, and implementation notes in internal evidence.
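Review bot: the rewritten bullet drops the old carve-out ("unless publishing a real CVE/GHSA needs them") without replacing it, while the security-triage skill in this same commit keeps an explicit exception ("unless Peter explicitly asks for that public detail"), so the two skills now disagree on whether any exception exists. Suggest mirroring that wording here, e.g. ending the bullet with "...in internal evidence unless Peter explicitly asks for that public detail", so both skill files give the maintainer the same rule.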

.agents/skills/security-triage/SKILL.md

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -94,9 +94,10 @@ Keep tone firm, specific, non-defensive.
9494

9595
## Public Wording Hygiene
9696

97-
- Keep raw commit hashes out of hardening/no-publish close comments and public advisory text. Use the shipped version, planned patched version, PR, or "the fix on main" instead.
98-
- Keep exact commit SHAs in internal notes and verification files. Include raw SHAs in a public advisory only when publishing a real vulnerability and the SHA materially helps downstream tracking.
99-
- For hardening/no-publish outcomes, do not add exploit-heavy details or a "Fix Commit(s)" section. Thank reporters, preserve credit, state the `SECURITY.md` boundary, and say clearly that the GHSA will close without publication.
97+
- Keep raw commit hashes, PR titles/numbers, and fix-mechanism summaries out of public advisory text. Use the patched release/version field only.
98+
- Keep exact commit SHAs, PRs, and implementation notes in internal notes and verification files.
99+
- For hardening/no-publish outcomes, do not add exploit-heavy details, "Fixed by" text, or a "Fix Commit(s)" section. Thank reporters, preserve credit, state the `SECURITY.md` boundary, and say clearly that the GHSA will close without publication.
100+
- For published CVE/GHSA text, prefer `### Patched Versions` with the fixed release. Do not explain how the patch works unless Peter explicitly asks for that public detail.
100101
- Keep GHSA ids out of changelog and release-note wording unless Peter explicitly asks.
101102

102103
## Discussion Mode
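Review bot: the first new bullet ("Use the patched release/version field only.") removes the previous "planned patched version" option, so the guidance no longer says what to write when an advisory or close comment is drafted before the fixed release has shipped. Suggest restoring that case explicitly, e.g. "Use the patched release/version field only; if the fix has not shipped yet, name the planned patched version rather than the commit or PR."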
