From 76a1076cd08fe918b04551b62926a4fbd585333e Mon Sep 17 00:00:00 2001 From: ProtocolWarden <32967198+ProtocolWarden@users.noreply.github.com> Date: Thu, 4 Jun 2026 16:24:53 -0400 Subject: [PATCH] fix(ci): declare reconcile_enforce via plugin_audit_keys to satisfy custodian-doctor --strict custodian-doctor --strict flagged audit.reconcile_enforce as an "unknown audit key" and exited 1, turning the CI "Custodian doctor" job red on main. reconcile_enforce is a genuine, core Custodian key consumed by the R1/R2 reconcile detectors (audit_kit/detectors/reconcile.py), but it is missing from doctor's _KNOWN_AUDIT_KEYS allowlist (even on Custodian@main). Rather than disabling the check, declare the key as intentional through the supported plugin_audit_keys escape hatch until the upstream allowlist catches up. No detector behavior changes. Co-Authored-By: Claude Opus 4.8 --- .custodian/config.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.custodian/config.yaml b/.custodian/config.yaml index cfba7c4..4122e45 100644 --- a/.custodian/config.yaml +++ b/.custodian/config.yaml @@ -9,6 +9,14 @@ tests_root: tests audit: reconcile_enforce: true + # `reconcile_enforce` is a core Custodian R1/R2 detector key + # (audit_kit/detectors/reconcile.py) but is not yet in custodian-doctor's + # _KNOWN_AUDIT_KEYS allowlist, so --strict flags it as an "unknown audit + # key". Declaring it here via the supported plugin_audit_keys escape hatch + # marks it as intentional until the upstream allowlist catches up. + plugin_audit_keys: + - reconcile_enforce + cross_repo: platform_manifest_repo: ../PlatformManifest