approve-exempt
Approve Exemption
Approve one or more Pending STO security exemptions. This skill covers the approval
workflow after someone has requested an exemption (see /exempt-vuln for creation).
Pending scope is only PROJECT, PIPELINE, or TARGET. Exemptions are requested at
project, pipeline, or target scope only (All Issues → project; Vulnerabilities tab → project,
pipeline, or target). STO does not create pending requests at org or account scope — those
wider scopes exist only after elevation on approve (body.scope ORG or ACCOUNT). You
will not see scope: ORG or scope: ACCOUNT on rows from status: Pending in normal flows.
If a list row shows ORG/ACCOUNT, it is already approved/widened (re-approve or a different
workflow), not a fresh pending request this skill targets.
Harness exposes two different "scope" ideas — do not mix them up:
| Concept | What it controls | How you use it |
|---|---|---|
| Listing scope | Which project's exemption queue you read | Always list at project scope. Never pass resource_scope='account' or 'org' to harness_list. |
| Approval scope | Where the exemption becomes effective after approval | Passed as body.scope on harness_execute — CURRENT, PROJECT, ORG, or ACCOUNT. |
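
The two scope concepts above can be checked before any call is made. The following is an added example, not Harness code or part of the original skill: the function names and the row shape (keys `id`, `status`, `scope`) are assumptions for illustration, while `resource_scope`, `body.scope` and the scope values come from the text above.

```python
# Added example: pre-flight checks for listing scope vs. approval scope.
# Row and argument shapes are assumptions; only the scope values come from the page.

PENDING_SCOPES = {"PROJECT", "PIPELINE", "TARGET"}           # scopes a pending request can have
APPROVAL_SCOPES = {"CURRENT", "PROJECT", "ORG", "ACCOUNT"}   # valid body.scope on approve
ELEVATED = {"ORG", "ACCOUNT"}                                # reached only by elevation on approve


def check_list_args(list_args):
    """Listing scope: reject account/org, the queue is read at project scope."""
    scope = str(list_args.get("resource_scope", "")).lower()
    if scope in ("account", "org"):
        raise ValueError(f"resource_scope={scope!r} is not allowed; list at project scope")
    return list_args


def split_pending(rows):
    """Separate fresh pending requests from rows that are already widened."""
    fresh, widened = [], []
    for row in rows:
        scope = str(row.get("scope", "")).upper()
        if scope in ELEVATED:
            # ORG/ACCOUNT rows are already approved/widened, not fresh requests.
            widened.append(row)
        elif row.get("status") == "Pending" and scope in PENDING_SCOPES:
            fresh.append(row)
    return fresh, widened


def check_approval_body(body):
    """Approval scope: validate body.scope and report whether it elevates."""
    scope = str(body.get("scope", "")).upper()
    if scope not in APPROVAL_SCOPES:
        raise ValueError(f"body.scope={scope!r} must be one of {sorted(APPROVAL_SCOPES)}")
    return {"scope": scope, "elevates": scope in ELEVATED}


# Constructed sample rows, not real Harness output.
SAMPLE_ROWS = [
    {"id": "ex-1", "status": "Pending", "scope": "TARGET"},
    {"id": "ex-2", "status": "Pending", "scope": "PIPELINE"},
    {"id": "ex-3", "status": "Approved", "scope": "ORG"},
]
```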