diff --git a/.claude/TEST-SCENARIOS.md b/.claude/TEST-SCENARIOS.md new file mode 100644 index 0000000000..229b519f9a --- /dev/null +++ b/.claude/TEST-SCENARIOS.md 
@@ -0,0 +1,525 @@ +# GitHub Issue Triage Test Scenarios + +This document provides specific test cases to validate all aspects of the improved issue triage system. + +--- + +## 🔒 Security Screening Tests + +### Test 1: Clean Issue (Should Pass) +**Title:** Documentation clarification for installation steps +**Body:** +``` +The installation guide mentions running `npm install` but doesn't specify which directory to run it in. Can you clarify this? + +Steps I followed: +1. Cloned the repository +2. Ran npm install in the root directory +3. Got some warnings about peer dependencies + +Expected: The guide should specify the correct directory. +``` + +**Expected Result:** +- ✅ Security screening: PASS +- ✅ Code of conduct: PASS +- ✅ Labels assigned based on content + +--- + +### Test 2: Issue with Security Vulnerability (Should Close) +**Title:** SQL injection vulnerability in login endpoint +**Body:** +``` +I found a SQL injection vulnerability in the login endpoint. + +Vulnerable code at `/api/auth/login.js` line 42: +``` +const query = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`; +``` + +Exploit: +Username: `admin' OR '1'='1' --` +Password: anything + +This bypasses authentication and logs you in as admin. +``` + +**Expected Result:** +- ❌ Security screening: FAIL — Issue closed +- 🏷️ Comment posted with security notice +- 🏷️ @netwrix/security tagged +- ⏹️ Pipeline stops (no conduct check or labeling) + +--- + +### Test 3: Clean Issue Edited to Add Vulnerability (Bypass Prevention) +**Initial Title:** Login page loading slowly +**Initial Body:** +``` +The login page takes about 5 seconds to load. This seems unusually slow. + +Browser: Chrome 120 +OS: Windows 11 + +Can you investigate? +``` + +**Initial Result:** +- ✅ Security screening: PASS +- ✅ Labels assigned + +**After Edit - Edit Body To:** +``` +The login page takes about 5 seconds to load because of a vulnerability. 
+ +I found the issue - there's an XSS vulnerability at line 23: +``` +document.getElementById('welcome').innerHTML = userInput; +``` + +Inject: `` +``` + +**Expected Result:** +- ❌ Security screening: FAIL — Issue closed +- 🏷️ Security notice posted +- 🏷️ @netwrix/security tagged + +--- + +### Test 4: Security Vulnerability Posted in Comment +**Title:** Question about API authentication +**Body:** +``` +How does the API authentication work? I'm trying to integrate with your system. +``` + +**Initial Result:** +- ✅ Security screening: PASS + +**Then Add Comment:** +``` +Never mind, I figured it out by looking at the code. There's actually a security issue here - the API tokens are being logged in plain text in `/var/log/api.log`. + +Here's the vulnerable code in `auth.js`: +logger.info('Auth attempt with token: ' + token); + +This exposes all API tokens to anyone with log access. +``` + +**Expected Result:** +- ❌ Security screening: FAIL — Issue closed +- 🏷️ Security notice posted +- 🏷️ @netwrix/security tagged + +--- + +### Test 5: Clean Comment Edited to Add Vulnerability +**Title:** Performance optimization question +**Body:** +``` +What's the best way to optimize database queries in this codebase? +``` + +**Add Clean Comment:** +``` +Thanks for the question! I'd recommend looking at our caching documentation. +``` + +**Initial Result:** +- ✅ Security screening: PASS + +**Then Edit Comment To:** +``` +Thanks for the question! I'd recommend looking at our caching documentation. + +Actually, I found a critical issue - the database password is hardcoded in `config.js`: +db_password: "SuperSecret123!" + +This needs immediate attention. +``` + +**Expected Result:** +- ❌ Security screening: FAIL — Issue closed +- 🏷️ Security notice posted +- 🏷️ @netwrix/security tagged + +--- + +## 🤝 Code of Conduct Tests + +### Test 6: Clean Issue (Should Pass) +**Title:** Feature request for dark mode +**Body:** +``` +It would be great to have a dark mode option for the UI. 
Many users work in low-light environments and this would improve accessibility. + +Benefits: +- Reduced eye strain +- Better battery life on OLED screens +- Follows modern UI trends + +Thanks for considering! +``` + +**Expected Result:** +- ✅ Security screening: PASS +- ✅ Code of conduct: PASS +- ✅ Labels assigned + +--- + +### Test 7: Issue with Code of Conduct Violation (Should Sanitize) +**Title:** This feature is terrible +**Body:** +``` +The new dashboard is completely broken. The developers who built this are [offensive language - incompetent idiots who don't know how to code]. + +Here's how to reproduce the bug: +1. Navigate to /dashboard +2. Click "View Reports" +3. Page crashes + +This is unacceptable and someone should be fired. +``` + +**Expected Result:** +- ✅ Security screening: PASS +- ⚠️ Code of conduct: VIOLATION — Body sanitized +- 🏷️ Sanitized body: +``` +The new dashboard is completely broken. The developers who built this are [content removed — code of conduct violation]. + +Here's how to reproduce the bug: +1. Navigate to /dashboard +2. Click "View Reports" +3. Page crashes + +[content removed — code of conduct violation] +``` +- 🏷️ Code of conduct notice posted +- ✅ Labels assigned to sanitized content + +--- + +### Test 8: Conduct Violation Posted in Comment +**Title:** Bug in search functionality +**Body:** +``` +The search isn't returning results for products. +``` + +**Add Comment with Violation:** +``` +This is [expletive] ridiculous. How did this even get through QA? You [offensive personal attack] are clearly not competent. +``` + +**Expected Result:** +- ✅ Security screening: PASS +- ⚠️ Code of conduct: VIOLATION — Comment sanitized +- 🏷️ Sanitized comment: `[content removed — code of conduct violation] is ridiculous. How did this even get through QA? 
[content removed — code of conduct violation]` +- 🏷️ Code of conduct notice posted as reply to comment + +--- + +### Test 9: Clean Issue Edited to Add Violation +**Initial Body:** +``` +The export feature doesn't work with large datasets. +``` + +**Edit Body To:** +``` +The export feature doesn't work with large datasets. This is [offensive language] and whoever built this is [personal attack]. I'm extremely frustrated. + +Steps to reproduce: +1. Select 10,000+ records +2. Click export +3. Browser hangs +``` + +**Expected Result:** +- ✅ Security screening: PASS +- ⚠️ Code of conduct: VIOLATION — Body sanitized +- 🏷️ Offensive content replaced with `[content removed — code of conduct violation]` +- 🏷️ Code of conduct notice posted + +--- + +## 🏷️ Label Assignment Tests + +### Test 10: New Issue with Template Labels +**Use Template:** "Fix content" (assigns `["documentation", "fix"]`) +**Title:** Typo in API reference +**Body:** +``` +The API reference for Netwrix Auditor 10.8 has a typo on page 5. + +Current text: "authentification" +Should be: "authentication" + +URL: https://docs.netwrix.com/... +``` + +**Expected Result:** +- ✅ Template labels: `["documentation", "fix"]` +- ✅ Skill adds: `["auditor-10.8", "api"]` +- ✅ Final labels: `["documentation", "fix", "auditor-10.8", "api"]` + +--- + +### Test 11: Issue Edited to Change Product (Label Update) +**Use Template:** "Fix content" (assigns `["documentation", "fix"]`) +**Initial Title:** Installation issue with 1Secure +**Initial Body:** +``` +Can't install 1Secure on Windows Server 2022. + +Error message: "Installation failed at step 3" +``` + +**Initial Labels After Processing:** +`["documentation", "fix", "1secure", "installation"]` + +**User Manually Adds:** +`"urgent"` label + +**Labels Now:** +`["documentation", "fix", "1secure", "installation", "urgent"]` + +**Edit Issue Body To:** +``` +Can't install Password Secure 9.3 on Windows Server 2022. 
+ +Error message: "Installation failed at step 3" +``` + +**Expected Result:** +- ✅ Keep template: `["documentation", "fix"]` +- ✅ Keep user-applied: `["urgent"]` +- ❌ Remove skill: `["1secure", "installation"]` (no longer applicable) +- ✅ Add skill: `["password-secure-9.3", "installation"]` +- ✅ Final: `["documentation", "fix", "urgent", "password-secure-9.3", "installation"]` + +--- + +### Test 12: Major Content Change (Template Labels Preserved) +**Use Template:** "Fix content" (assigns `["documentation", "fix"]`) +**Initial Title:** Documentation typo +**Initial Body:** +``` +Typo in the glossary: "recieve" should be "receive" +``` + +**Initial Labels:** +`["documentation", "fix", "glossary"]` + +**Edit to Completely Different Content:** +``` +Critical security flaw in authentication flow. The system allows bypass through... + +Wait, I shouldn't post this publicly. Please contact me directly. +``` + +**Expected Result:** +- ❌ Security screening: FAIL — Issue closed (before labeling runs) +- Note: This tests that security screening happens before label reassignment + +--- + +### Test 13: User Label Preserved Despite Content Change +**Use Template:** "Add content" (assigns `["enhancement", "documentation"]`) +**Title:** Add deployment guide +**Body:** +``` +Please add a deployment guide for Kubernetes environments. +``` + +**Initial Labels:** +`["enhancement", "documentation", "kubernetes"]` + +**User Manually Adds:** +`["priority-low", "api"]` (even though issue isn't about API) + +**Edit Issue:** +``` +Please add a deployment guide for Docker environments. 
+``` + +**Expected Result:** +- ✅ Keep template: `["enhancement", "documentation"]` +- ✅ Keep user: `["priority-low", "api"]` (even though "api" seems wrong) +- ❌ Remove skill: `["kubernetes"]` +- ✅ Add skill: `["docker"]` +- ✅ Final: `["enhancement", "documentation", "priority-low", "api", "docker"]` +- 📝 Note: User's "api" label is respected even though it doesn't match content + +--- + +### Test 14: Comment Event Doesn't Retrigger Labeling +**Title:** Question about authentication +**Body:** +``` +How does OAuth work in this system? +``` + +**Initial Labels:** +`["documentation", "question", "authentication", "oauth"]` + +**Add Comment:** +``` +Also curious about SAML integration! +``` + +**Expected Result:** +- ✅ Security screening: PASS (checks comment) +- ✅ Code of conduct: PASS (checks comment) +- ⏭️ Label assignment: SKIPPED (workflow configured to skip on comment events) +- ✅ Labels unchanged: `["documentation", "question", "authentication", "oauth"]` + +--- + +## 🔄 Combined Scenario Tests + +### Test 15: Multiple Issues in One +**Title:** Installation problem +**Body:** +``` +Can't install Auditor. The [mild profanity] installer keeps crashing. + +Also, I noticed there's a hardcoded password in the config file: +admin_password = "default123" +``` + +**Expected Result:** +1. ❌ Security screening: FAIL — Issue closed immediately +2. ⏭️ Code of conduct check: SKIPPED (issue already closed) +3. ⏭️ Label assignment: SKIPPED (issue already closed) +4. 🏷️ Security notice posted +5. 🏷️ @netwrix/security tagged + +**Key Test:** Security takes priority over conduct violations + +--- + +### Test 16: Clean → Violation → Security (Multiple Edits) +**Initial Body:** +``` +Feature works but could be improved. +``` + +**Edit 1 (Add conduct violation):** +``` +Feature works but could be improved. Actually, the developer who built this is [offensive content]. 
+``` + +**Expected:** +- ⚠️ Body sanitized +- 🏷️ Conduct notice posted + +**Edit 2 (Add security vulnerability):** +``` +Feature works but could be improved. [sanitized]. Actually, I found a vulnerability in auth.js line 52: password = req.body.password (no validation). +``` + +**Expected:** +- ❌ Issue closed for security +- 🏷️ Security notice posted +- 🏷️ @netwrix/security tagged + +--- + +## 📋 Test Execution Checklist + +### Setup +- [ ] Deploy all three improved skills +- [ ] Deploy improved workflow +- [ ] Verify @netwrix/security team exists +- [ ] Create test repository or use sandbox + +### Security Tests (5 tests) +- [ ] Test 1: Clean issue passes +- [ ] Test 2: Vulnerability in body closes issue +- [ ] Test 3: Edit to add vulnerability closes issue +- [ ] Test 4: Vulnerability in comment closes issue +- [ ] Test 5: Edit comment to add vulnerability closes issue + +### Code of Conduct Tests (4 tests) +- [ ] Test 6: Clean issue passes +- [ ] Test 7: Violation in body sanitizes +- [ ] Test 8: Violation in comment sanitizes +- [ ] Test 9: Edit to add violation sanitizes + +### Label Assignment Tests (5 tests) +- [ ] Test 10: Template labels applied correctly +- [ ] Test 11: Product change updates labels +- [ ] Test 12: Security issue closes before relabeling +- [ ] Test 13: User labels preserved despite mismatch +- [ ] Test 14: Comments don't retrigger labeling + +### Combined Tests (2 tests) +- [ ] Test 15: Security + conduct (security wins) +- [ ] Test 16: Multiple edits (conduct → security) + +### Validation Checks +- [ ] Check GitHub Actions logs for each test +- [ ] Verify issue states (open/closed) +- [ ] Verify comments posted correctly +- [ ] Verify labels applied correctly +- [ ] Verify @netwrix/security tagged when appropriate + +--- + +## 🐛 Expected Edge Cases + +### Edge Case 1: Issue Created with Template + Manual Labels +If a user creates an issue and immediately adds manual labels before the workflow runs: +- Workflow should treat 
quickly-applied labels as template labels +- Consider labels applied within first 10 seconds as "template" + +### Edge Case 2: Workflow Fails Mid-Pipeline +If security passes but conduct check fails (workflow error): +- Issue remains open +- No sanitization occurs +- Manual intervention needed + +### Edge Case 3: User Removes Template Label +If user manually removes a template label: +- Skill should not re-add it (respect removal) +- This requires checking for "unlabeled" events too + +### Edge Case 4: Concurrent Edits +If issue is edited while workflow is running: +- Workflow operates on stale content +- Next workflow run will catch the change +- Consider implementing issue locking or conflict detection + +--- + +## 📊 Success Criteria + +### Security Screening +- ✅ All vulnerabilities detected and closed +- ✅ Clean issues pass through +- ✅ Edits and comments trigger re-screening +- ✅ Consistent security notice posted + +### Code of Conduct +- ✅ Violations sanitized while preserving technical content +- ✅ Consistent conduct notice posted +- ✅ Both issues and comments handled + +### Label Assignment +- ✅ Template labels always preserved +- ✅ User labels always preserved +- ✅ Skill labels updated based on content +- ✅ Outdated skill labels removed +- ✅ New applicable labels added + +### Overall System +- ✅ No false positives for security +- ✅ No false negatives for security +- ✅ Technical content never lost in sanitization +- ✅ Labels stay current with content +- ✅ User intent respected diff --git a/.claude/skills/code-of-conduct-check/SKILL.md b/.claude/skills/code-of-conduct-check/SKILL.md index 2f693d8128..b061435ded 100644 --- a/.claude/skills/code-of-conduct-check/SKILL.md +++ b/.claude/skills/code-of-conduct-check/SKILL.md 
@@ -1,6 +1,6 @@ --- name: code-of-conduct-check -description: "Evaluate GitHub issues against the repository's code of conduct. Use when: (1) A new issue is created and needs conduct review, (2) Part of issue intake pipeline, (3) Evaluating whether issue content violates community guidelines. If violations are found, sanitizes offending content while preserving technical substance and notifies the author." +description: "Evaluate GitHub issues against the repository's code of conduct. Use when: (1) A new issue is created and needs conduct review, (2) Part of issue intake pipeline, (3) Evaluating whether issue content violates community guidelines. If violations are found, sanitizes offending content (including title, body, and comments) while preserving technical substance and notifies the author. Intelligently replaces titles when sanitization renders them meaningless." argument-hint: "[repo] [issue-number] [issue-title] [issue-body] [issue-author]" --- 
@@ -49,6 +49,58 @@ No violations detected in issue #{issue-number} or its comments. Continue pipeline with original issue body. +### If VIOLATION in Issue Title + +**1. Sanitize the issue title:** +- Replace offending content with `[content removed — code of conduct violation]` +- Preserve technical terms and meaningful content +- Only remove language that genuinely violates the code of conduct + +**2. Check if sanitization resulted in an empty or meaningless title:** +- If the title is empty, contains only the redaction text, or is otherwise meaningless after sanitization: + - Analyze the issue body to identify the core technical issue + - Generate a new professional title that accurately reflects the issue + - Keep it concise (under 60 characters when possible) + - Use the user's technical description from the body + +**Example:** +- Original: "The export feature sucks" +- Body: "The export feature is incorrectly exporting files..." +- After check: Title would be entirely redacted or meaningless +- New title: "Export feature incorrectly exporting files" + +**3. Update the issue title:** +```bash +gh issue edit $1 --repo $0 --title "NEW_SANITIZED_OR_REPLACED_TITLE" +``` + +**4. Post this exact comment on the issue:** + +```markdown +Thank you for your report. Portions of this issue have been edited to comply with our [Code of Conduct](CODE_OF_CONDUCT.md). The technical content of your submission has been preserved in full. + +Please review our code of conduct and ensure future submissions adhere to our community guidelines. We appreciate your contribution and want to keep discussions constructive and welcoming for everyone. + +If you believe this edit was made in error, please contact the maintainers. +``` + +**Implementation:** +```bash +gh issue comment $1 --repo $0 --body "Thank you for your report. Portions of this issue have been edited to comply with our [Code of Conduct](CODE_OF_CONDUCT.md). 
The technical content of your submission has been preserved in full. + +Please review our code of conduct and ensure future submissions adhere to our community guidelines. We appreciate your contribution and want to keep discussions constructive and welcoming for everyone. + +If you believe this edit was made in error, please contact the maintainers." +``` + +**5. Report:** +``` +Code of conduct check: VIOLATION FOUND — ISSUE TITLE SANITIZED +Issue #{issue-number} title has been updated. +New title: [new sanitized or replaced title] +Author notified via comment. +``` + ### If VIOLATION in Issue Body **1. Sanitize the issue body:** @@ -137,6 +189,7 @@ Author notified via comment reply. After checking all content, provide a summary: ``` Code of conduct check: COMPLETE +- Issue title: [PASS/SANITIZED/REPLACED] - Issue body: [PASS/SANITIZED] - Comments checked: {count} - Comments sanitized: {count} @@ -146,7 +199,11 @@ Code of conduct check: COMPLETE - **Preserve technical substance**: Every piece of technical information must remain intact - **Use exact comment**: Always post the identical notice—no variations or customization. This ensures consistent, professional communication. -- **Be proportionate**: Minor infractions warrant lighter handling than severe violations +- **Smart title replacement**: When a title becomes meaningless after sanitization, generate a new one that: + - Is concise (under 60 characters when possible) + - Accurately reflects the technical issue from the body + - Uses professional, neutral language + - Captures the core problem being reported - **Be professional**: Comments should be firm but empathetic, not punitive - **When uncertain**: If borderline, note in report but don't edit—let maintainers decide 
@@ -155,7 +212,9 @@ Code of conduct check: COMPLETE - The exact notice wording is intentional—always use it verbatim for both issues and comment replies - No additional explanation or personalization should be added to the notice - The sanitized body must be included in the report so subsequent pipeline steps receive the updated content -- If sanitization occurs, pass the UPDATED body to later steps, not the original +- If sanitization occurs, pass the UPDATED body and title to later steps, not the original - Comments are sanitized in place—the original comment content is replaced - The notice is posted as a reply to sanitized comments, not as a separate issue comment - Check all comments on every run to catch violations in older comments +- **Title replacement logic**: If sanitization removes the entire title or leaves it meaningless (e.g., only contains redaction text), analyze the issue body to generate a new title. The new title should be a concise, professional summary of the technical issue. +- **Title violations trigger the same notice**: Whether the title is sanitized, replaced, or left as-is, use the same code of conduct notice as body violations diff --git a/.claude/skills/identify-security-vuln-discussion/SKILL.md b/.claude/skills/identify-security-vuln-discussion/SKILL.md index 4d60795e57..92c1b05060 100644 --- a/.claude/skills/identify-security-vuln-discussion/SKILL.md +++ b/.claude/skills/identify-security-vuln-discussion/SKILL.md 
@@ -1,6 +1,6 @@ --- name: identify-security-vuln-discussion -description: "Screen GitHub issues and comments for inadvertent security vulnerability disclosure. Use when: (1) A new issue is created, (2) An issue body is edited, (3) A comment is added or edited, (4) Part of issue intake pipeline. Prevents bypass by editing clean issues to add vulnerabilities later. If a vulnerability is detected, tags @netwrix/security and closes the issue to prevent further public exposure." +description: "Screen GitHub issues and comments for inadvertent security vulnerability disclosure. Use when: (1) A new issue is created, (2) An issue body is edited, (3) A comment is added or edited, (4) Part of issue intake pipeline. Prevents bypass by editing clean issues to add vulnerabilities later. If a vulnerability is detected in title/body, closes the issue and tags @netwrix/security. If detected in a comment, deletes the comment and posts a security notice." argument-hint: "[repo] [issue-number] [issue-title] [issue-body] [issue-author]" --- @@ -44,12 +44,12 @@ Examine title, body, and all comments for: Report: ``` Security screening: PASS -No security vulnerability disclosure detected in issue #{issue-number} or its comments. +No security vulnerability disclosure detected in issue #{issue-number} title, body, or comments. ``` Pipeline continues normally. -### If SECURITY CONCERN +### If SECURITY CONCERN in Title or Body **1. Post this exact comment on the issue:** 
@@ -79,10 +79,47 @@ gh issue close $1 --repo $0 --reason "not planned" **3. Report:** ``` Security screening: FAIL — ISSUE CLOSED -Issue #{issue-number} closed due to potential security vulnerability disclosure. +Issue #{issue-number} closed due to potential security vulnerability disclosure in title/body. Security team (@netwrix/security) tagged for review. ``` +### If SECURITY CONCERN in Comment + +**1. Delete the comment:** + +First, get the comment ID from the comments you fetched in step 1, then delete it: + +```bash +gh api --method DELETE repos/$0/issues/comments/{comment-id} +``` + +**2. Post this exact reply comment:** + +```markdown +A comment on this issue contained security-sensitive information and has been removed to limit public exposure. + +@netwrix/security Please review the deleted comment for potential security vulnerabilities. + +If you have security concerns to report, please use the appropriate private security reporting channels. The security team will follow up as needed. +``` + +**Implementation:** +```bash +gh issue comment $1 --repo $0 --body "A comment on this issue contained security-sensitive information and has been removed to limit public exposure. + +@netwrix/security Please review the deleted comment for potential security vulnerabilities. + +If you have security concerns to report, please use the appropriate private security reporting channels. The security team will follow up as needed." +``` + +**3. Report:** +``` +Security screening: FAIL — COMMENT DELETED +Comment on issue #{issue-number} deleted due to potential security vulnerability disclosure. +Security team (@netwrix/security) tagged for review. +Issue remains open. +``` + ## Important Principles - **Err on side of caution**: When uncertain, treat as security concern. False positives are preferable to exposed vulnerabilities. 
@@ -90,17 +127,21 @@ Security team (@netwrix/security) tagged for review. - **Don't reproduce vulnerability details**: Never include vulnerability details in your report. The security team will review the issue directly. - **Be respectful**: Authors may not realize they're disclosing sensitive information. - **Trust the security team**: Your role is screening, not determining if something is truly a vulnerability. -- **Check everything**: Always check the issue body AND all comments—vulnerabilities can be added via edits or new comments. +- **Check everything**: Always check the issue title, body, AND all comments—vulnerabilities can be added via edits or new comments. ## Notes - The security team `@netwrix/security` must exist in the repository with issue triage permissions +- The GitHub Actions token must have permission to delete comments (included in default GITHUB_TOKEN permissions) - The exact comment wording is intentional—always use it verbatim -- No additional explanation or personalization should be added to the security notice -- After closing, do not proceed with remaining pipeline steps +- No additional explanation or personalization should be added to the security notices +- After closing an issue (title/body vulnerability), do not proceed with remaining pipeline steps +- After deleting a comment (comment vulnerability), the pipeline can continue normally—the issue itself is safe - **Check ALL comments every time** to catch vulnerabilities added via edits or new comments - This prevents bypass where someone creates a clean issue and edits it later to add vulnerability info -- If a vulnerability is found in a comment (not the issue body), still close the entire issue—vulnerabilities in comments are just as serious +- **Vulnerabilities in title/body**: Close the entire issue—the issue itself is compromised +- **Vulnerabilities in comments**: Delete only the problematic comment—the issue can remain open with the vulnerability removed +- **Issue titles 
are particularly sensitive** because they're displayed in issue lists, search results, and notifications—vulnerabilities in titles can be widely visible before being addressed ## Workflow Configuration
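Review bot: In .claude/TEST-SCENARIOS.md, Tests 4 and 5 (and the matching checklist entries "Vulnerability in comment closes issue" and "Edit comment to add vulnerability closes issue") expect the issue to be closed when a vulnerability appears in a comment, but the identify-security-vuln-discussion skill changed in this same patch deletes the comment instead and reports "Issue remains open." The expected results for Tests 4 and 5 should be rewritten to assert comment deletion, the security notice reply, and an open issue. Two smaller mismatches in the same file: the success criterion "No false positives for security" conflicts with the skill's principle "False positives are preferable to exposed vulnerabilities", and Edge Case 4 accepts that the workflow "operates on stale content", which for the security screen means a disclosure added during a run stays public until the next trigger, so that case deserves its own test rather than only a note.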
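Review bot: In the new "If VIOLATION in Issue Title" section of code-of-conduct-check/SKILL.md, step 2 derives the replacement title from the issue body, which is text the reporter controls, and step 3 then places it in a double-quoted shell argument: `gh issue edit $1 --repo $0 --title "NEW_SANITIZED_OR_REPLACED_TITLE"`. Inside double quotes the shell still expands command substitutions and variables, so the section should require the title to be passed as data (for example through an environment variable or a single-quoted value with quotes escaped) and should state that the body is treated as content to summarize, never as instructions. The worked example also contradicts step 1: sanitizing "The export feature sucks" while preserving technical terms leaves "The export feature" plus the redaction text, which is not "entirely redacted", so the example should either show a title that really reduces to redaction text or define what counts as "meaningless".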
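Review bot: In the Important Principles hunk of code-of-conduct-check/SKILL.md (@@ -146,7 +199,11), the bullet "Be proportionate: Minor infractions warrant lighter handling than severe violations" is deleted to make room for "Smart title replacement", and nothing in the updated description or notes explains dropping it. If the removal is not intended, keep the bullet and add the title guidance as a separate item; if it is intended, say so in the commit message, since without it the skill has no stated guidance on how much to redact for a mild infraction.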
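Review bot: In the new "If SECURITY CONCERN in Comment" section of identify-security-vuln-discussion/SKILL.md, step 1 deletes the comment and step 2 then asks "@netwrix/security Please review the deleted comment for potential security vulnerabilities", but once the DELETE call succeeds the comment body is no longer available on the issue for anyone to review. Add a step before deletion that forwards the comment ID, author and body to the security team through a private channel (not into the public report, in line with "Don't reproduce vulnerability details"), and include the comment ID and author in the step 3 report so the deletion can be audited. The `{comment-id}` placeholder in `gh api --method DELETE repos/$0/issues/comments/{comment-id}` should also say which field of the fetched comments supplies it.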
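Review bot: In the Notes hunk of identify-security-vuln-discussion/SKILL.md (@@ -90,17 +127,21), the added bullet "Issue titles are particularly sensitive because they're displayed in issue lists, search results, and notifications" is not matched by any handling: the title/body path still only comments and closes, and a closed issue keeps its title and body publicly readable. Consider redacting the title and body before closing, the same way the comment path removes the content. Separately, the bullet stating that comment deletion is "included in default GITHUB_TOKEN permissions" is not safe to rely on, because the default token can be configured read-only at the repository or organization level; state the required permission (issues: write) here so the workflow can declare it explicitly.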