Replace filter with JQL search and add auto-triaged label for idempotency

janisz · claude · janisz · commit ab0cb0c71c9d · 2026-04-30T17:09:22.000+02:00
Changes:
- Replace JIRA filter 103399 with explicit JQL search in ambient.json
- Add auto-triaged label exclusion to JQL query
- Update Phase 7 to add auto-triaged label after posting comment
- Remove duplicate comment detection (replaced by label exclusion)
- Update workflow description to explain label-based idempotency

This enables safe hourly automated runs - only new untriaged issues are processed.

Co-Authored-By: Claude Sonnet 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/workflows/acs-triage/.ambient/ambient.json b/workflows/acs-triage/.ambient/ambient.json
@@ -4,11 +4,12 @@
   "config": {
     "jira": {
       "project": "ROX",
-      "filter": 103399
+      "jql": "project = ROX AND (type = Bug OR type = Vulnerability OR type = Weakness OR type = Ticket) AND status = New AND parent is EMPTY AND Team is EMPTY AND assignee is EMPTY AND labels NOT IN (auto-triaged) ORDER BY created",
+      "autoTriagedLabel": "auto-triaged"
     },
     "timeout": 300,
     "maxIssues": 20
   },
-  "systemPrompt": "You are an ACS/StackRox Triage Specialist. Execute the `/triage` command for complete end-to-end pipeline (setup → fetch → classify → analyze → assign → report) or `/triage --comment` to post results to JIRA.\n\n**Key Commands:** `/triage` (filter 103399), `/triage ROX-12345` (specific issue), `/triage --comment` (writes to JIRA), `/comment-issues` (standalone commenting)\n\n**Early Exit:** If filter 103399 returns 0 issues, exit immediately with \"No untriaged issues found\" (don't proceed with empty pipeline).\n\n**Duplicate Prevention:** Before posting comments (--comment flag), check if issue already has a triage comment (search for \"🤖 Automated Triage Analysis\" or \"_Generated by ACS Triage Workflow_\"). Skip if already triaged.\n\n**Workflow Details:** See `.claude/commands/triage.md` for complete 7-phase pipeline. **CRITICAL:** Phases 1a+1b run in parallel, Phase 4 analysis MUST use parallel tool calls (saves 60-80s).\n\n**Domain Knowledge:** Consult `reference/*.md` files for teams, error patterns, CODEOWNERS mappings, vulnerability decision trees, and confidence thresholds. Team assignment uses 5-strategy priority system (95%-70% confidence).\n\n**Performance:** Load files once and cache. Primary JIRA query in Phase 1b. Max 3-5 additional batched queries for similar issue searches. See triage.md Performance Optimization Guidelines.\n\n**Constraints:** 300s timeout, 10-20 issues max, ≥80% confidence for auto-assignment, READ-ONLY by default.\n\n**Outputs:** All artifacts in `artifacts/acs-triage/` (setup-info.json, issues.json, triage-report.md, summary.json).\n\nFor complete documentation, see `CLAUDE.md`.",
-  "startupPrompt": "Greet the user and introduce yourself as an ACS Triage Specialist. Briefly explain that you execute automated triage for StackRox/ACS JIRA issues from filter 103399 (CI failures, vulnerabilities, flaky tests) and generate comprehensive reports with intelligent team assignments using confidence scoring. Explain the available commands: `/triage` (complete pipeline, READ-ONLY), `/triage --comment` (pipeline + post to JIRA), `/comment-issues` (standalone comment posting). Mention the workflow is streamlined into a single command that handles everything: fetch → classify → analyze → assign → report."
+  "systemPrompt": "You are an ACS/StackRox Triage Specialist. Execute the `/triage` command for complete end-to-end pipeline (setup → fetch → classify → analyze → assign → report) or `/triage --comment` to post results to JIRA.\n\n**Key Commands:** `/triage` (JQL search for untriaged), `/triage ROX-12345` (specific issue), `/triage --comment` (writes to JIRA + adds auto-triaged label), `/comment-issues` (standalone commenting)\n\n**JQL Search:** Fetches issues matching: `project = ROX AND (type = Bug OR type = Vulnerability OR type = Weakness OR type = Ticket) AND status = New AND parent is EMPTY AND Team is EMPTY AND assignee is EMPTY AND labels NOT IN (auto-triaged) ORDER BY created`\n\n**Early Exit:** If JQL search returns 0 issues, exit immediately with \"No untriaged issues found\" (don't proceed with empty pipeline).\n\n**Label-Based Idempotency:** After posting triage comment, add `auto-triaged` label to issue. This prevents re-processing on subsequent runs. Workflow is fully idempotent and safe to run frequently.\n\n**Workflow Details:** See `.claude/commands/triage.md` for complete 7-phase pipeline. **CRITICAL:** Phases 1a+1b run in parallel, Phase 4 analysis MUST use parallel tool calls (saves 60-80s).\n\n**Domain Knowledge:** Consult `reference/*.md` files for teams, error patterns, CODEOWNERS mappings, vulnerability decision trees, and confidence thresholds. Team assignment uses 5-strategy priority system (95%-70% confidence).\n\n**Performance:** Load files once and cache. Primary JIRA query in Phase 1b. Max 3-5 additional batched queries for similar issue searches. See triage.md Performance Optimization Guidelines.\n\n**Constraints:** 300s timeout, 10-20 issues max, ≥80% confidence for auto-assignment, READ-ONLY by default.\n\n**Outputs:** All artifacts in `artifacts/acs-triage/` (setup-info.json, issues.json, triage-report.md, summary.json).\n\nFor complete documentation, see `CLAUDE.md`.",
+  "startupPrompt": "Greet the user and introduce yourself as an ACS Triage Specialist. Briefly explain that you execute automated triage for StackRox/ACS JIRA issues (CI failures, vulnerabilities, flaky tests) and generate comprehensive reports with intelligent team assignments using confidence scoring. Explain the available commands: `/triage` (complete pipeline, READ-ONLY), `/triage --comment` (pipeline + post to JIRA + add auto-triaged label), `/comment-issues` (standalone comment posting). Mention the workflow uses JQL search to find new untriaged issues (excludes issues with auto-triaged label), making it safe to run repeatedly."
 }
diff --git a/workflows/acs-triage/.claude/commands/triage.md b/workflows/acs-triage/.claude/commands/triage.md
@@ -5,15 +5,16 @@
 Complete end-to-end triage workflow for StackRox/ACS JIRA issues. Fetches untriaged issues, classifies by type, performs specialized analysis, assigns teams with confidence scoring, and generates comprehensive reports.
 
 **Options:**
-- `/triage` - Full triage pipeline for filter 103399 (READ-ONLY, no JIRA writes)
-- `/triage --comment` - Full triage + post comments to JIRA issues
+- `/triage` - Full triage pipeline using JQL search (READ-ONLY, no JIRA writes)
+- `/triage --comment` - Full triage + post comments to JIRA + add auto-triaged label
 - `/triage ROX-12345` - Triage a specific issue by key
-- `/triage ROX-12345 --comment` - Triage specific issue and post comment
+- `/triage ROX-12345 --comment` - Triage specific issue, post comment, and add label
 
 ## Prerequisites
 
 - JIRA MCP connection configured
-- Access to JIRA filter 103399 (current untriaged)
+- JIRA search capability (mcp__mcp-atlassian__jira_search)
+- JIRA update capability (mcp__mcp-atlassian__jira_update_issue) for label application
 - GitHub MCP for CODEOWNERS (optional, improves accuracy)
 
 ## Workflow Pipeline
@@ -45,10 +46,22 @@ Query JIRA for untriaged issues or fetch a specific issue.
 - Validate issue exists, exit with error if not found
 
 **If no issue key (default behavior):**
-- Query JIRA filter 103399 (ONE query, order by priority DESC then created ASC)
+- Query JIRA using JQL (ONE query):
+  ```jql
+  project = ROX AND
+  (type = Bug OR type = Vulnerability OR type = Weakness OR type = Ticket) AND
+  status = New AND
+  parent is EMPTY AND
+  Team is EMPTY AND
+  assignee is EMPTY AND
+  labels NOT IN (auto-triaged)
+  ORDER BY created ASC
+  ```
 - Limit to 10-20 issues (timeout constraint: 300s)
 - Extract: key, summary, description, labels, components, priority, status, created, updated, affectedVersions, fixVersions, comments
-- **CRITICAL:** If filter returns 0 issues, exit immediately with message: "No untriaged issues found in filter 103399. Triage complete."
+- **CRITICAL:** If JQL search returns 0 issues, exit immediately with message: "No untriaged issues found. All issues either have auto-triaged label or don't match criteria. Triage complete."
+
+**Label Exclusion:** Issues with `auto-triaged` label are excluded from search, ensuring idempotent workflow execution.
 
 **Output:** Raw issue data in `artifacts/acs-triage/issues.json`
 
@@ -190,21 +203,25 @@ Create output reports in two formats.
 }
 ```
 
-### Phase 7: Comment to JIRA (Optional)
+### Phase 7: Comment to JIRA and Add Label (Optional)
 Only if `--comment` flag is provided.
 
 **Actions:**
 - For each issue with confidence ≥80%:
-  - **Check if already triaged:** Search issue comments for "🤖 Automated Triage Analysis" or "_Generated by ACS Triage Workflow_"
-  - **Skip if already triaged:** If existing triage comment found, do not post duplicate
-  - **Post comment:** If not previously triaged, post structured comment with team recommendation, confidence, reasoning
-  - Use comment format from `templates/jira-comment.md`
+  - **Post comment:** Post structured comment with team recommendation, confidence, reasoning
+    - Use comment format from `templates/jira-comment.md`
+    - Use `mcp__mcp-atlassian__jira_add_comment`
+  - **Add label:** After successful comment post, add `auto-triaged` label to the issue
+    - Use `mcp__mcp-atlassian__jira_update_issue` with `labels` parameter
+    - Append to existing labels (don't replace)
+    - Example: `{"labels": ["auto-triaged"]}`
+  - **Log:** Record issue key, team, confidence, comment status, and label status
 - Skip issues with low confidence (<80%)
-- Log all posted comments and skipped issues (with reason)
+- Log all posted comments, labels added, and skipped issues (with reason)
 
 **Comment Template:** See `templates/jira-comment.md` for format and variable substitution.
 
-**Duplicate Prevention:** Never post multiple triage comments to the same issue. Check existing comments first.
+**Idempotency:** Issues with `auto-triaged` label are excluded in Phase 1b search. This workflow is safe to run repeatedly - only new untriaged issues will be processed.
 
 ## Output
 
@@ -249,9 +266,9 @@ After running this command, you should have:
 
 ## Error Handling
 
-- **Empty filter results**: Exit immediately with "No untriaged issues found" message (don't proceed)
+- **Empty search results**: Exit immediately with "No untriaged issues found" message (don't proceed)
 - **Issue not found**: If specific issue key provided but doesn't exist, exit with error
-- **Already triaged**: If `--comment` flag and issue already has triage comment, skip posting (log as "Already triaged")
+- **Label application failure**: If comment posted but label add fails, log warning (issue may be re-triaged on next run - safe idempotency)
 - **JIRA timeout**: Process what you have, note incomplete in report
 - **Unknown issue type**: Mark as UNKNOWN, include raw description for manual triage
 - **No team match**: Use "Needs Manual Assignment" with evidence summary
@@ -266,8 +283,9 @@ After running this command, you should have:
 - Load reference files (CODEOWNERS, error-signatures.md, etc.) once and cache in memory
 
 **JIRA Queries:**
-- Primary fetch: ONE query for filter 103399 (Phase 1b)
+- Primary fetch: ONE JQL search query (Phase 1b) - excludes auto-triaged issues
 - Similar issue searches (Phase 5): Batch by component, cache results (max 3-5 batched queries)
+- Label updates (Phase 7): One update per issue (only when --comment flag used)
 - Do NOT query JIRA separately for each issue
 
 **Parallel Execution:**
diff --git a/workflows/acs-triage/CLAUDE.md b/workflows/acs-triage/CLAUDE.md
@@ -18,11 +18,13 @@ This is a **single-purpose workflow** for automated triage of StackRox/ACS JIRA
 The workflow provides 2 main commands:
 
 - `/triage` - Complete end-to-end triage pipeline: setup → fetch → classify → analyze → assign → report (READ-ONLY)
-- `/triage --comment` - Full triage pipeline + post analysis comments to JIRA (⚠️ WRITES to JIRA)
+- `/triage --comment` - Full triage pipeline + post analysis comments to JIRA + add auto-triaged label (⚠️ WRITES to JIRA)
 - `/comment-issues` - Standalone command to add triage comments to JIRA (requires prior /triage run)
 
 **Simplified Design:** All triage steps are consolidated into a single `/triage` command for ease of use.
 
+**Idempotent Execution:** The workflow uses JQL search with `labels NOT IN (auto-triaged)` exclusion. After triaging an issue and posting a comment, the `auto-triaged` label is added. This makes the workflow safe to run repeatedly - only new untriaged issues will be processed.
+
 ## Directory Structure
 
 ```
@@ -75,7 +77,8 @@ The workflow is configured in `.ambient/ambient.json`:
   "config": {
     "jira": {
       "project": "ROX",
-      "filter": 103399
+      "jql": "project = ROX AND (type = Bug OR type = Vulnerability OR type = Weakness OR type = Ticket) AND status = New AND parent is EMPTY AND Team is EMPTY AND assignee is EMPTY AND labels NOT IN (auto-triaged) ORDER BY created",
+      "autoTriagedLabel": "auto-triaged"
     },
     "timeout": 300,
     "maxIssues": 20
@@ -85,6 +88,8 @@ The workflow is configured in `.ambient/ambient.json`:
 
 **Simplified Execution**: The `/triage` command internally handles all phases sequentially, with parallel execution for type-specific analysis (CI/vuln/flaky) to save 60-80 seconds.
 
+**Idempotent Design**: Uses JQL search to exclude issues with `auto-triaged` label. After triage+comment, label is added to prevent re-processing.
+
 ## Version Mismatch Handling
 
 The triage workflow clones latest `main` branch from StackRox repo. Issues with older `affectedVersions` may have:
