feat(prompts): add security review dimension to code-quality sub-agent#370
Merged
Conversation
Extend buildCodeQualityLlmReviewPrompt's system prompt so the code-quality review sub-agent actively flags common web security vulnerabilities (XSS via unsanitized innerHTML/dangerouslySetInnerHTML, command/SQL injection, secrets hardcoded in client code, unsafe eval/dynamic code or unvalidated URL/redirect handling) alongside the existing SDD-constraint and maintainability dimensions. This is the review-layer counterpart to the codegen security discipline added in #366: generate-safely + review-for-safety defense in depth. Reuses the existing CodeQualityIssue shape (rule "security/<kind>", severity), so no schema or subagent-logic change. Learned from the Claude Code agentic prompt. Closes #369 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
代码评审报告: feat(prompts): add security review dimension to code-quality sub-agent风险等级: 中 级联分析
问题发现模型未返回可结构化的问题发现;已提取可用的决策字段,原始非契约内容未附在评论中。 行级发现
Karpathy 评审
缺失覆盖
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Linked Issue Or Context
Closes #369.
Summary
buildCodeQualityLlmReviewPrompt's system prompt (packages/core/src/sub-agents/code-quality-prompt.ts) so the code-quality review sub-agent actively flags common web security vulnerabilities — XSS (unsanitized data intoinnerHTML/dangerouslySetInnerHTML), command/SQL injection, secrets hardcoded in client code, and unsafeeval/dynamic code or unvalidated URL/redirect handling — alongside its existing SDD-constraint and maintainability dimensions.CodeQualityIssueshape (rule: "security/<kind>",severity), so there is no schema or subagent-logic change.Learned from the Claude Code agentic prompt's security-as-first-class-review-dimension pattern.
Impact Scope
Prompt-only change to the review sub-agent's
systemstring, plus a focused assertion update incode-quality-prompt.test.ts. No schema, subagent execution logic, rule-based fallback, codegen, or planner changes.GitNexus Impact Summary
impact(buildCodeQualityLlmReviewPrompt, upstream)returned LOW (0 direct callers — invoked dynamically).detect_changesrated MEDIUM because the symbol participates as a step in 3 internal prompt-building processes (Main → TruncateFileContent / BuildSddSummary / SummarizeSharedFacts). The change is confined to thesystemprompt string content: the function signature, return shape ({ system, userPrompt }), and call edges are unchanged, so those 3 processes' contracts are unaffected — the only behavioral delta is that the review LLM now also reports security findings.detect_changes(scope=unstaged) reported changed_count=1 (buildCodeQualityLlmReviewPrompt), affected_count=3 (the prompt-building processes above), risk_level=medium.Verification
pnpm --filter @frontagent/core test -- code-quality-prompt.test.ts— 2/2 pass (updated exact-system assertion + security-phrase checks).pnpm exec biome checkon the 2 changed files — clean.pnpm quality:precommit(lint + typecheck + test + test:workflows) — green (25 turbo tasks successful, workflows 32/32).gitnexus impact+gitnexus detect_changes— see summary above.Checklist