一键导入
magpie-security-tracker-stats-dashboard
Generate a self-contained HTML dashboard of `<tracker>` repository statistics for security-team review.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Generate a self-contained HTML dashboard of `<tracker>` repository statistics for security-team review.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | magpie-security-tracker-stats-dashboard |
| family | security |
| mode | Meta |
| description | Generate a self-contained HTML dashboard of `<tracker>` repository statistics for security-team review. |
| when_to_use | Invoke when the user says "regenerate the tracker dashboard", "show monthly/quarterly stats", "tracker stats", "dashboard", or variations. Also when an existing dashboard at the configured output path is stale (older than ~24 h) and the user is reviewing tracker health. Read-only — the skill never modifies any tracker state. |
| capability | capability:stats |
| license | Apache-2.0 |
Read-only skill that renders a self-contained HTML page summarising
the state of <tracker> over time. The skill wraps the
tools/security-tracker-stats-dashboard/
runtime tool — both the slash-command path (this skill) and the
script path (run.sh) run the same fetch + render pipeline; the
skill adds invocation niceties (resolving cache paths, surfacing the
output URL, proposing a stale-cache refresh) but never mutates
anything.
The skill is read-only on GitHub — it does not create or modify
issues, comments, labels, or PRs. It only fetches data via gh and
renders an HTML file.
Before running the default behaviour documented
below, this skill consults
.apache-magpie-overrides/security-tracker-stats-dashboard.md
in the adopter repo if it exists, and applies any
agent-readable overrides it finds. See
docs/setup/agentic-overrides.md
for the contract — what overrides may contain, hard
rules, the reconciliation flow on framework upgrade,
upstreaming guidance.
Configuration for the renderer (bucket granularity, milestones,
categories, scope labels, triage keywords, …) lives in a separate
YAML file the adopter places at
.apache-magpie-overrides/security-tracker-stats.yaml (path is
adopter-configurable via tracker_stats_config: in
<project-config>/security-tracker-stats.md).
The agentic override file above is reserved for behavioural
overrides of this skill (when to propose a refresh, where to write
the HTML, etc.); renderer knobs go in the YAML config.
Hard rule: agents NEVER modify the snapshot under
<adopter-repo>/.apache-magpie/. Local modifications
go in the override file. Framework changes go via PR
to apache/magpie.
Also at the top of every run, this skill compares the
gitignored .apache-magpie.local.lock (per-machine
fetch) against the committed .apache-magpie.lock
(the project pin). On mismatch the skill surfaces the
gap and proposes
/magpie-setup upgrade.
The proposal is non-blocking — the user may defer if
they want to run with the local snapshot for now. See
docs/setup/install-recipes.md § Subsequent runs and drift detection
for the full flow.
Drift severity:
git-branch
local is behind upstream tip) -> ⚠ sync needed.svn-zip SHA-512 mismatches the committed
anchor -> ✗ security-flagged; investigate before
upgrading.gh authenticated with read access to <tracker> (and to
<upstream> for PR metadata, when configured).python3 (3.9+).jq (used by fetch_events.py via gh's --jq flag).api.github.com and (for viewing the output
HTML) Plotly's CDN.default-config.yaml and typical overlays.The skill accepts up to three optional arguments:
| Selector | Meaning |
|---|---|
| (no args) | render with all defaults — monthly buckets, default categories, the adopter's milestones |
quarterly / monthly | override the bucket granularity |
<output-path> | write the HTML to a specific path |
clear-cache | delete the fetch cache before fetching |
since:YYYY-MM / since:YYYY-Qn | override the start bucket |
If the adopter passes nothing, surface the resolved output path and cache state up front so they can interrupt before a 5-10 minute fetch.
Resolve config. Read
<project-config>/security-tracker-stats.md
for the project's per-renderer YAML config path (default:
<adopter-repo>/.apache-magpie-overrides/security-tracker-stats.yaml).
Surface to the user which config file will be applied and
what bucket granularity it resolves to. If the YAML file does
not exist, fall back silently to the framework's
default-config.yaml.
Check cache freshness. Inspect
${TRACKER_STATS_CACHE:-/tmp/tracker-stats-cache}/issues.json
mtime. If older than 24 h, propose a fresh fetch; if missing or
the user passed clear-cache, do a fresh fetch unconditionally.
Run the orchestrator. Substitute placeholders and invoke:
TRACKER_STATS_REPO=<tracker> \
TRACKER_STATS_UPSTREAM_REPO=<upstream> \
TRACKER_STATS_CONFIG=<adopter-repo>/.apache-magpie-overrides/security-tracker-stats.yaml \
bash <framework>/tools/security-tracker-stats-dashboard/run.sh <output-path>
When the user passed monthly / quarterly or
since:<start>, prepend the matching TRACKER_STATS_BUCKETS= /
TRACKER_STATS_START= env vars.
Report the result. Print the final HTML path and a short
summary (total trackers, open count, latest-bucket category
breakdown, triage-median, PR-merge-median when configured). The
pipeline already echoes most of this to stdout — pass it
through verbatim and add the clickable
file://<output-path> line at the end.
The full pipeline:
fetch_issues.py — gh issue list --state all --limit 1000 ->
<cache>/issues.json.fetch_roster.py — gh api repos/<tracker>/collaborators ->
<cache>/roster.txt.fetch_bodies.py — per-issue body +
closedByPullRequestsReferences -> <cache>/issue_extra.json.fetch_events.py — per-issue label-history events ->
<cache>/events/<N>.json.fetch_prs.py — per-PR createdAt / mergedAt / state from
<upstream> -> <cache>/prs.json. Silent no-op when
TRACKER_STATS_UPSTREAM_REPO is empty or none.render.py — reads cache + config, writes HTML to
$TRACKER_STATS_OUT.Each fetch script resumes from cache, so re-running after a partial failure (rate limit, transient HTTP error) only re-fetches what is missing.
See
tools/security-tracker-stats-dashboard/default-config.yaml
for the schema with inline documentation, and
tools/security-tracker-stats-dashboard/README.md
for the load order, predicate keys, and snapshot replay semantics.
The most-overridden knobs by adopters tend to be:
buckets: — monthly vs. quarterly. Smaller tracker repos
(<50 issues / year) read better at quarterly granularity.milestones: — vertical annotations marking process
changes the dashboard should highlight (skill adoption, team
handover, policy update). Set to [] to remove them.scope_labels: — the project's primary "what does this
affect" axis. Resolved from scope_detection.labels in
<project-config>/project.md
(and the matching rows of
<project-config>/scope-labels.md).
The framework default is [<scope-a>, <scope-b>, <scope-c>] —
adopters re-state this list in their overlay to
match their own scope set.categories: — the lifecycle-band classification rules.
Defaults match the framework's reference implementation
byte-for-byte; adopters with different label conventions
(e.g. triaged instead of no needs triage) re-state the
whole list. The label literals used in predicates come from
tracker.labels in
<project-config>/project.md.triage.keywords: / triage.bot_prefixes: — the
time-to-triage signal. Adopters whose security team uses
different phrasing in triage-proposal comments override these.Golden rule 1 — read only, never write. The skill must not post comments, add labels, close, edit, or otherwise mutate any tracker, PR, or upstream resource. If the user asks for stats and also wants an action, decline the mutation.
Golden rule 2 — proposal-before-fetch on stale cache. Before
running a fresh full fetch (which costs ~5-10 minutes of gh API
calls), surface the proposal and wait for explicit user
confirmation. Incremental re-renders against a warm cache (~30
seconds) can run without a prompt.
Golden rule 3 — never edit the snapshot. As with every other
skill, agentic overrides go in
.apache-magpie-overrides/security-tracker-stats-dashboard.md; renderer
overrides go in the project's tracker-stats YAML config file. The
gitignored snapshot under .apache-magpie/ is never modified.
Golden rule 4 — surface the config path on every run. The dashboard's output depends entirely on which YAML file the renderer loaded. Print the resolved config path (or "default") as the first line of skill output so the user can tell at a glance whether their overlay is being picked up.
| Symptom | Cause | Fix |
|---|---|---|
events/<N>.json missing for some N | gh transient failure during paginate | Re-run; fetch_events.py resumes from cache |
prs.json has {"error": ...} entries | False-positive body parse (PR# doesn't exist) | Silently filtered at render; safe to ignore |
c_rel median jumps after re-fetch | New advisory shipped since last run | Expected — re-render is correct |
Empty c_prc / c_prm / c_rel early buckets | No linked PR in those tracker buckets | Expected — not all early trackers had a fix PR |
| Three PR charts missing entirely | upstream_repo: null in config (or env override) | By design — set upstream_repo: if you want them |
ModuleNotFoundError: yaml | PyYAML missing | Bundled fallback parser handles default-config.yaml; install pyyaml for richer overlays |
Read-only pre-flight verification of a staged release candidate (RC) for `<upstream>`. Checks artefact integrity (GPG signatures and checksums), Apache RAT licence headers, NOTICE/LICENSE completeness, prohibited-binary absence (including `.pyc` / `__pycache__`), source-tree integrity (no dangling symlinks or broken internal references), and version-string consistency. Emits a structured PASS / PASS-WITH-WARNINGS / FAIL report. Makes no state change; a `--post-to <planning-issue>` flag proposes a comment for explicit RM confirmation before any posting.
Post-vote committer and PMC onboarding for Apache projects. Walks the nominator through every step from ICLA check to welcome announcement for both incubating podlings and graduated top-level projects.
Read-only license audit of a project's direct and transitive dependency tree. Detects the dependency manager(s), resolves each dependency's declared license from ecosystem metadata, classifies each against a configured policy (ASF three-category A/B/X model or a custom allowlist), and surfaces incompatible, forbidden, and unknown-license dependencies for maintainer review. Never modifies manifests or lock files.
Read-only dashboard over a directory of `verdict.json` files produced by `issue-reassess` campaigns. Surfaces a health rating, classification distribution, partial-fix surfaces, oldest-unresolved buckets, and per-component breakdowns. Output is HTML by default; markdown fallback available. Read-only on tracker state; consumes campaign artefacts.
For a single `<issue-tracker>` issue identifying a code-level bug, extract the reporter's example code from the issue body, adapt it to run on the current `<default-branch>`, execute via `<runtime>`, and compose a `verdict.json` describing the observed behaviour vs the expected failure. Read-only on the tracker — produces evidence, never posts. Invoked by `issue-triage` and `issue-reassess`; can also be run standalone.
Print a human-readable index of every skill in this repository, grouped by family prefix (`pr-management`, `security`, `setup`, …) with each skill's name and the first sentence of its `description`. The listing is generated on every run from the live `.claude/skills/*/SKILL.md` files, so it never goes stale when skills are added, removed, or rewritten.