Component: gofannon/webapp/packages/api/user-service/agent_factory/prompts.py
Severity: Medium
Lines: 500–570
Summary
The SKIP_DIRS, SKIP_FILES, and SKIP_EXTENSIONS lists in prompts.py — which are embedded into agent system prompts as file-filtering guidance — contain three categories of issues: dead-code entries that never match, overly broad exclusions that can hide security-relevant code, and a missing skip for build config files that signals the presence of auditable frontend code.
Issue 1: Compound Path Entries Are Dead Code
Severity: Medium
The should_skip_file function checks each individual path component against SKIP_DIRS:
for part in parts[:-1]: # all but filename
if part.lower() in SKIP_DIRS:
return True, f"directory: {part}"But SKIP_DIRS contains compound path entries:
'static/images', 'static/fonts', 'static/webfonts',
'public/images',
'.github/workflows',
A single path component like static will never equal 'static/images'. These entries never match anything. The individual entries ('images', 'fonts', 'webfonts') already handle the intended exclusions correctly.
Fix
Remove the compound entries:
SKIP_DIRS = {
'node_modules', 'vendor', 'third_party', 'third-party',
'dist', 'build', 'out', 'target',
'__pycache__', '.pytest_cache', '.mypy_cache', 'coverage', '.next', '.nuxt',
'assets', 'images', 'img',
'fonts', 'webfonts',
'venv', '.venv', 'env', '.env',
'.git', '.idea', '.vscode',
}If .github/workflows exclusion is desired, either add 'workflows' as a standalone entry (with a comment noting it only works when workflows is a directory name) or change the matching logic to support subpath matching.
Issue 2: Blanket test/tests Exclusion Hides Security-Relevant Code
Severity: Medium
'test', 'tests', 'spec', 'specs',
For security audits, test files frequently contain:
- Hardcoded credentials and tokens used in fixtures
- Auth bypass patterns that reveal how authentication is meant to work
- Integration tests that expose API surface area and expected security behavior
- Test credentials that may have leaked into production configuration
Blanket-skipping test directories means these patterns are never surfaced to the audit agent.
Fix
Remove 'test', 'tests', 'spec', 'specs' from SKIP_DIRS in the security audit context. If token savings are a concern, add these to a separate SKIP_DIRS_NON_SECURITY set and let agents choose which list to apply based on their task type. At minimum, add a comment documenting that this exclusion is intentional for non-security use cases and should be reconsidered for audit agents.
Issue 3: tsconfig.json in SKIP_FILES Removes a Frontend Signal
Severity: Low
'tsconfig.json', 'jsconfig.json', 'babel.config.js',
'webpack.config.js', 'rollup.config.js', 'vite.config.js', 'jest.config.js',
While these config files are rarely security-relevant themselves, tsconfig.json is the primary signal that a project contains TypeScript source code that should be audited. Skipping it means an agent has no easy way to discover that TypeScript exists in the project without scanning every file extension.
Fix
Either remove tsconfig.json from SKIP_FILES, or (preferred) add a note in the prompt template instructing agents to check for the existence of these config files as signals for what source code languages are present, even if the config file contents are skipped.
Acceptance Criteria
References
- Discovered via: #1131 root cause analysis
- File:
gofannon/webapp/packages/api/user-service/agent_factory/prompts.py, lines 500–570
Priority
Medium — Issue 1 is a correctness fix with no behavioral change (removing dead code). Issues 2 and 3 affect audit coverage quality.
Component:
gofannon/webapp/packages/api/user-service/agent_factory/prompts.pySeverity: Medium
Lines: 500–570
Summary
The
SKIP_DIRS,SKIP_FILES, andSKIP_EXTENSIONSlists inprompts.py— which are embedded into agent system prompts as file-filtering guidance — contain three categories of issues: dead-code entries that never match, overly broad exclusions that can hide security-relevant code, and a missing skip for build config files that signals the presence of auditable frontend code.Issue 1: Compound Path Entries Are Dead Code
Severity: Medium
The
should_skip_filefunction checks each individual path component againstSKIP_DIRS:But
SKIP_DIRScontains compound path entries:A single path component like
staticwill never equal'static/images'. These entries never match anything. The individual entries ('images','fonts','webfonts') already handle the intended exclusions correctly.Fix
Remove the compound entries:
If
.github/workflowsexclusion is desired, either add'workflows'as a standalone entry (with a comment noting it only works whenworkflowsis a directory name) or change the matching logic to support subpath matching.Issue 2: Blanket
test/testsExclusion Hides Security-Relevant CodeSeverity: Medium
For security audits, test files frequently contain:
Blanket-skipping test directories means these patterns are never surfaced to the audit agent.
Fix
Remove
'test','tests','spec','specs'fromSKIP_DIRSin the security audit context. If token savings are a concern, add these to a separateSKIP_DIRS_NON_SECURITYset and let agents choose which list to apply based on their task type. At minimum, add a comment documenting that this exclusion is intentional for non-security use cases and should be reconsidered for audit agents.Issue 3:
tsconfig.jsoninSKIP_FILESRemoves a Frontend SignalSeverity: Low
While these config files are rarely security-relevant themselves,
tsconfig.jsonis the primary signal that a project contains TypeScript source code that should be audited. Skipping it means an agent has no easy way to discover that TypeScript exists in the project without scanning every file extension.Fix
Either remove
tsconfig.jsonfromSKIP_FILES, or (preferred) add a note in the prompt template instructing agents to check for the existence of these config files as signals for what source code languages are present, even if the config file contents are skipped.Acceptance Criteria
SKIP_DIRS(or matching logic updated to support them)test/tests/spec/specsexclusion is either removed for security-context prompts or documented as intentional with a separate skip list for audit agentstsconfig.jsonhandling is reconsidered or documentedReferences
gofannon/webapp/packages/api/user-service/agent_factory/prompts.py, lines 500–570Priority
Medium — Issue 1 is a correctness fix with no behavioral change (removing dead code). Issues 2 and 3 affect audit coverage quality.