feat(#898): add security heuristics to review sub-agent #2038
Site preview: https://e4036467-site.fullsend-ai.workers.dev
🤖 Review · Started 6:09 PM UTC
Review findings: Low, Info. Previous run: Low, Info. Previous run (2): Medium, Low, Info.
🤖 Finished Review · ✅ Success · Started 6:09 PM UTC · Completed 6:16 PM UTC
/fs-fix
🤖 Fix · Started 6:56 PM UTC |
🔧 Fix agent — iteration 1 (human-triggered)
Addressed 3 of 6 review findings with code changes: added routing table categories to SKILL.md, added explicit category annotations to each new security.md section, and added an exploration budget section. Disagreed with 3 info-level findings (scope-exceeded premise is incorrect — PR already says 'Toward' not 'Closes'; design-direction and architectural-conflict are observational and require no changes).
Fixed (3):
Disagreed (3):
Tests: passed
Updated by fullsend fix agent
…stics Add six new category strings (fail-open, permission-expansion, permission-reduction, role-escalation, workflow-permission, secret-exposure) to the security row of the orchestrator routing table in SKILL.md so re-review anchoring routes findings correctly. Add explicit Category annotations to each new section in security.md so the sub-agent emits consistent category strings for deduplication. Add an Exploration budget section to security.md, matching the pattern used by intent-coherence and style-conventions sub-agents. Addresses review feedback on #2038
🤖 Finished Fix · ✅ Success · Started 6:56 PM UTC · Completed 7:01 PM UTC
🤖 Finished Review · ✅ Success · Started 7:03 PM UTC · Completed 7:10 PM UTC
The security sub-agent definition was 17 lines of high-level domain listing without specific detection heuristics. This caused it to miss critical findings like fail-open auth bugs and unjustified role escalations on PR #792.
Add three concrete review sections to the security sub-agent:
- Fail-open/fail-closed evaluation checklist: instructs the sub-agent to check what happens when env vars, allowlists, and config values are unset, empty, or malformed. Defaults must deny, not permit.
- Permission manifest audit guidance: ported from the standalone code-review skill. Any permission expansion requires a finding; expansions without linked justification are high severity.
- Workflow permission and role auditing: flags role escalations, permissions block changes, and secrets block modifications in workflow files.
These heuristics directly target the four findings a human reviewer caught on PR #792 that the bot missed across 9 review rounds.
Note: make lint could not run due to sandbox Go module cache permissions. The change is markdown-only and does not affect Go compilation.
Closes #898
Branch force-pushed from 04df0c6 to 91378a6.
🤖 Finished Review · ✅ Success · Started 7:20 PM UTC · Completed 7:29 PM UTC
🤖 Retro · Started 7:40 PM UTC |
Retro: PR #2038 — Add security heuristics to review sub-agent
Workflow quality: Good. The end-to-end cycle (code → review → fix → re-review → merge) completed in ~1.5 hours with minimal human intervention. The review agent caught a real structural issue (missing routing table categories), the fix agent resolved it, and the re-review confirmed the fix.
Key observations
Proposals
No new proposals — all identified improvement opportunities are already tracked by existing open issues. The most impactful ones to prioritize for this class of workflow are #1309 and #1736 (preventing self-referential review approval on agent definition changes).
🤖 Finished Retro · ✅ Success · Started 7:40 PM UTC · Completed 7:45 PM UTC |
ralphbean left a comment
I pushed a couple commits — 93ddb44 trims the heuristics down to policy directives (severity thresholds, "always flag" rules) and drops the domain-knowledge explanations that Claude already knows. 7dd318d deduplicates the permission file-type list between the Own block and the new section. LGTM with those in.
eek, I didn't mean to merge this one... I hadn't reviewed it yet.
The security sub-agent definition was 17 lines of high-level domain listing without specific detection heuristics. This caused it to miss critical findings like fail-open auth bugs and unjustified role escalations on PR #792.
Add three concrete review sections to the security sub-agent:
- Fail-open/fail-closed evaluation checklist: instructs the sub-agent to check what happens when env vars, allowlists, and config values are unset, empty, or malformed. Defaults must deny, not permit.
- Permission manifest audit guidance: ported from the standalone code-review skill. Any permission expansion requires a finding; expansions without linked justification are high severity.
- Workflow permission and role auditing: flags role escalations, permissions block changes, and secrets block modifications in workflow files.
These heuristics directly target the four findings a human reviewer caught on PR #792 that the bot missed across 9 review rounds.
Note: make lint could not run due to sandbox Go module cache permissions. The change is markdown-only and does not affect Go compilation.
Toward #898
Post-script verification
agent/898-security-subagent-heuristics (4cd660565f8abfc3bd1f0f697488a2e8e408101f..HEAD)
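The fail-open/fail-closed checklist in the PR description above (and in the first commit message earlier in the thread) is the one heuristic that maps directly onto code, so here is the defect class it targets in working form. This is an added example, not code from this PR or from the fullsend project; it is in Go because that is the project's language. It models a hypothetical allowlist read from an environment variable (assumed name REVIEW_ALLOWED_CALLERS) in the fail-open shape the checklist is meant to catch and in a fail-closed rewrite, and runs both through the degenerate inputs the checklist lists: unset, empty, and malformed. The caller identities, the comma-separated entry syntax and the entry grammar are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed example of the fail-open defect class. The allowlist is the
// raw value of a hypothetical REVIEW_ALLOWED_CALLERS variable: comma-separated
// caller identities compared exactly against the requesting caller.

// entryRe is the shape a well-formed allowlist entry must have. Anything
// else (wildcards, embedded spaces, empty fields) is malformed configuration.
var entryRe = regexp.MustCompile(`^[a-z0-9._-]+$`)

// ErrNoAllowlist is returned when the allowlist is unset or empty.
var ErrNoAllowlist = errors.New("allowlist not configured")

// allowedFailOpen is the vulnerable shape: an unset or empty allowlist means
// "no restriction", and malformed entries are silently skipped.
func allowedFailOpen(rawAllowlist, caller string) bool {
	if rawAllowlist == "" {
		return true // BUG: missing configuration permits every caller
	}
	for _, entry := range strings.Split(rawAllowlist, ",") {
		if strings.TrimSpace(entry) == caller {
			return true
		}
	}
	return false
}

// parseAllowlist rejects unset, empty and malformed values instead of
// guessing at intent; callers treat any error as a deny.
func parseAllowlist(raw string) (map[string]struct{}, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return nil, ErrNoAllowlist
	}
	set := make(map[string]struct{})
	for _, entry := range strings.Split(raw, ",") {
		entry = strings.TrimSpace(entry)
		if !entryRe.MatchString(entry) {
			return nil, fmt.Errorf("malformed allowlist entry %q", entry)
		}
		set[entry] = struct{}{}
	}
	return set, nil
}

// allowedFailClosed is the hardened shape: the only path to true is an exact
// match against a well-formed allowlist; every other outcome denies.
func allowedFailClosed(rawAllowlist, caller string) (bool, error) {
	set, err := parseAllowlist(rawAllowlist)
	if err != nil {
		return false, err
	}
	_, ok := set[caller]
	return ok, nil
}

// degenerateConfigs are the inputs the checklist says to try: unset/empty,
// whitespace only, an empty field, and a wildcard.
var degenerateConfigs = []string{"", "   ", "alice,,bob", "alice,*"}

// deniesAllDegenerate runs a decision function over every degenerate config
// with a caller that appears in none of them and reports whether it denied
// each time. The fail-open shape returns false here; fail-closed returns true.
func deniesAllDegenerate(decide func(raw, caller string) bool) bool {
	for _, cfg := range degenerateConfigs {
		if decide(cfg, "mallory") {
			return false
		}
	}
	return true
}

func main() {
	failClosed := func(raw, caller string) bool {
		ok, _ := allowedFailClosed(raw, caller)
		return ok
	}
	fmt.Println("fail-open denies all degenerate configs:  ", deniesAllDegenerate(allowedFailOpen))
	fmt.Println("fail-closed denies all degenerate configs:", deniesAllDegenerate(failClosed))
	ok, err := allowedFailClosed("alice, ci-bot", "ci-bot")
	fmt.Println("fail-closed, valid allowlist, listed caller:", ok, err)
}
```

The point a reviewer applying the checklist looks for is the first branch of allowedFailOpen: the "config absent" case resolves to permit. In the fail-closed version that same case is an error, and the boolean result is only ever true after a successful parse and an explicit match, so an operator who forgets to set the variable gets a denial and a log line rather than an open endpoint.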