fix: trim security heuristics to policy directives#2046
Conversation
Site previewPreview: https://ab67c02e-site.fullsend-ai.workers.dev Commit: |
|
🤖 Review · Started 8:22 PM UTC |
|
🤖 Retro · Started 8:25 PM UTC |
Retro: PR #2046 —
|
|
🤖 Finished Retro · ✅ Success · Started 8:25 PM UTC · Completed 8:30 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 8:22 PM UTC · Completed 8:32 PM UTC |
E2E tests are runningAuthorization passed for this commit. See the E2E Tests workflow for results. |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
The heuristics were re-teaching security concepts (fail-open, least privilege) that Claude already knows. Trim to policy directives and severity thresholds — what to always flag and at what severity — which is the novel content the model needs. Also merge the redundant "Permission manifest changes" and "Workflow permission and role auditing" sections into a single "Permission and role changes" section, eliminating duplicate permissions: block guidance that could cause the sub-agent to produce duplicate findings. Assisted-by: Claude claude-opus-4-6 <noreply@anthropic.com> Signed-off-by: Ralph Bean <rbean@redhat.com>
The parenthetical enumeration in the Own block duplicated the canonical list in the "Permission and role changes" section. Keep one list to prevent drift. Assisted-by: Claude claude-opus-4-6 <noreply@anthropic.com> Signed-off-by: Ralph Bean <rbean@redhat.com>
af94b99 to
51c0f75
Compare
|
/fs-review |
|
🤖 Finished Review · ✅ Success · Started 4:29 PM UTC · Completed 4:39 PM UTC |
ben-alkov
left a comment
There was a problem hiding this comment.
Good stuff
- Dedupe and eliminate redundancy
- Remove the parenthetical file-type list from the "Own:" paragraph; it's misplaced in this section
- Provide policy thresholds and severity assignments without re-teaching the concept
ReviewFindingsMedium
Low
Info
|
|
🤖 Finished Retro · ✅ Success · Started 5:39 PM UTC · Completed 5:47 PM UTC |
Retro: PR #2046 —
|
Summary
These commits were pushed to #2038's branch but the merge queue picked up the prior head before they landed.
Toward #898
Test plan
make lintpasses