Reusable assets for the audit-pr subagent that reviews pull requests in
movementlabsxyz/aptos-core.
This repo holds only the contents the audit consumes:
| Path | Purpose |
|---|---|
| `agents/audit-pr.md` | Subagent definition (frontmatter + system prompt) for the FRESH-audit pipeline |
| `agents/audit-pr/` | Analyzer references, taxonomy, risk scoring, scripts |
| `prompts/audit-pr-fresh.md` | Top-level prompt for `AUDIT_MODE=fresh` (label / reviewer / first-@claude trigger) — delegates to the audit-pr subagent |
| `prompts/audit-pr-follow-up.md` | Top-level prompt for `AUDIT_MODE=follow-up` (@claude comment on a PR that already has an audit summary) — answers the question directly, no subagent |
| `settings.json` | CI-time Claude Code permissions allow/deny list |
The GitHub Actions workflow that triggers the audit lives in aptos-core
itself (events only fire from a workflow committed to the same repo).
A consuming workflow must:

- Check out this repo to `.claude-reviewer/` (or any path of its choice).
- Stage the assets into the workspace where Claude Code discovers them:

  ```sh
  mkdir -p .claude/agents
  cp -r .claude-reviewer/agents/audit-pr .claude/agents/
  cp .claude-reviewer/agents/audit-pr.md .claude/agents/
  cp .claude-reviewer/settings.json .claude/settings.json
  chmod +x .claude/agents/audit-pr/scripts/*.sh
  ```

- Compute `AUDIT_MODE` (`fresh` or `follow-up`) in a workflow step before
  loading the prompt. Then pass the matching prompt file as the `prompt:`
  input to `anthropics/claude-code-action@v1`:

  ```sh
  cat ".claude-reviewer/prompts/audit-pr-${AUDIT_MODE}.md"
  ```

  The two modes are separated into distinct files (not a single conditional
  prompt) because LLMs do not reliably gate on `if AUDIT_MODE=fresh ...`
  conditionals in natural-language prompts. A single file with both modes
  caused Claude to do a full re-audit on follow-up triggers in practice.
- Export the env vars the subagent reads (see `agents/audit-pr.md` for the
  full list — at minimum: `PR_NUMBER`, `BASE_SHA`, `HEAD_SHA`, `REPO_PATH`,
  `AGENT_DIR`, `GITHUB_REPOSITORY`, `AUDIT_MODE`).
AGENT_DIR is conventionally ${GITHUB_WORKSPACE}/.claude/agents/audit-pr —
the location the staging step above produces.
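As an added example (not code from this repo, from aptos-core or from the reference workflow), here are the consuming-workflow steps collected into a POSIX shell helper a step could source: it stages the assets, derives `AUDIT_MODE`, validates the environment the subagent reads and selects the prompt file. Paths and variable names are the README's; the follow-up rule (an @claude comment on a PR that already has a summary), the `HAS_AUDIT_SUMMARY` and `COMMENT_BODY` inputs, and the `audit-setup.sh` file name are assumptions of this example.

```shell
#!/usr/bin/env sh
# Added example; not part of the claude-reviewer repo or aptos-core.
# Helper functions a consuming workflow step could source to stage the
# assets, decide AUDIT_MODE and pick the prompt file. Paths and variable
# names mirror the README; the follow-up rule, the HAS_AUDIT_SUMMARY flag
# and the COMMENT_BODY input are assumptions of this example.

# stage_assets SRC DST: copy the audit assets from the checked-out reviewer
# repo (SRC, e.g. .claude-reviewer) into DST/.claude, where Claude Code
# discovers them. Fails before copying anything if a required asset is
# missing, so a bad checkout does not produce a half-staged workspace.
stage_assets() {
  src="$1"; dst="$2"
  for f in agents/audit-pr.md agents/audit-pr settings.json; do
    [ -e "$src/$f" ] || { echo "missing asset: $src/$f" >&2; return 1; }
  done
  mkdir -p "$dst/.claude/agents"
  cp -r "$src/agents/audit-pr" "$dst/.claude/agents/"
  cp "$src/agents/audit-pr.md" "$dst/.claude/agents/"
  cp "$src/settings.json" "$dst/.claude/settings.json"
  for s in "$dst"/.claude/agents/audit-pr/scripts/*.sh; do
    [ -f "$s" ] || continue   # no scripts: the glob stays literal, skip it
    chmod +x "$s"
  done
  return 0
}

# compute_audit_mode EVENT_NAME HAS_AUDIT_SUMMARY COMMENT_BODY: print
# "follow-up" only for an @claude comment on a PR that already carries an
# audit summary; every other trigger (label, review request, first @claude
# mention) is "fresh". Detecting the existing summary (HAS_AUDIT_SUMMARY as
# "true"/"false") is left to the caller.
compute_audit_mode() {
  event="$1"; has_summary="$2"; body="$3"
  case "$body" in
    *@claude*) mentions=true ;;
    *)         mentions=false ;;
  esac
  if [ "$event" = "issue_comment" ] && [ "$mentions" = true ] \
     && [ "$has_summary" = "true" ]; then
    echo "follow-up"
  else
    echo "fresh"
  fi
}

# select_prompt MODE [REVIEWER_DIR]: print the prompt file for MODE and
# refuse anything else, so a typo in AUDIT_MODE fails the job instead of
# feeding the action a nonexistent or wrong prompt.
select_prompt() {
  mode="$1"; root="${2:-.claude-reviewer}"
  case "$mode" in
    fresh|follow-up) echo "$root/prompts/audit-pr-$mode.md" ;;
    *) echo "unknown AUDIT_MODE: $mode" >&2; return 1 ;;
  esac
}

# check_required_env: fail if any variable the subagent reads is empty, so
# the job stops before the action runs with blank SHAs or an empty PR number.
check_required_env() {
  missing=""
  for v in PR_NUMBER BASE_SHA HEAD_SHA REPO_PATH AGENT_DIR GITHUB_REPOSITORY AUDIT_MODE; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  [ -z "$missing" ] || { echo "missing env:$missing" >&2; return 1; }
}

# Workflow-step usage (runs only when this file is executed as audit-setup.sh,
# not when sourced for its functions):
if [ "${0##*/}" = "audit-setup.sh" ]; then
  ws="${GITHUB_WORKSPACE:-$PWD}"
  stage_assets .claude-reviewer "$ws"
  AGENT_DIR="$ws/.claude/agents/audit-pr"; export AGENT_DIR
  AUDIT_MODE=$(compute_audit_mode "${GITHUB_EVENT_NAME:-}" \
    "${HAS_AUDIT_SUMMARY:-false}" "${COMMENT_BODY:-}"); export AUDIT_MODE
  check_required_env
  prompt_file=$(select_prompt "$AUDIT_MODE")
  echo "prompt_file=$prompt_file" >> "${GITHUB_OUTPUT:-/dev/stdout}"
fi
```

Refusing unknown modes in `select_prompt` matters because the two prompts are separate files by design: a mis-set `AUDIT_MODE` would otherwise `cat` a file that does not exist and hand the action an empty prompt. Likewise `check_required_env` runs before the action so a missing `BASE_SHA` or `HEAD_SHA` stops the job rather than producing an audit of the wrong diff.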
A reference caller workflow is committed in aptos-core at
.github/workflows/claude-audit-pr.yml.
| Tag | Meaning |
|---|---|
| `vX.Y.Z` | Immutable release — recommended pin for production callers |
| `vX` | Rolling pointer to latest `vX.*.*` — convenient but mutable |
Layout changes (moving/renaming agents/, prompts/, settings.json) are
breaking and require a major bump. Any change to file contents (prompts,
analyzers, scripts) is non-breaking and ships in the next minor or patch.
This repo is content-only — there is nothing to install or build. Edit, commit, tag, push. The next aptos-core PR audit will pick up the new tag (or rolling ref) on its next run.