
feat(pr): add --a auto-approve mode and pre-build dist cleanup to /pr command#3679

Open
its-mitesh-kumar wants to merge 1 commit into redhat-developer:main from its-mitesh-kumar:feat/pr-command-auto-approve-and-dist-cleanup

Conversation

@its-mitesh-kumar

Member

Description

Enhances the Cursor /pr custom command with two improvements:

  1. Adds --a (auto-approve) flag that skips all approval gates (branch creation, staging, commit) for faster unattended PR workflows.
  2. Adds a pre-build cleanup step that removes stale dist/ directories scoped to plugins/*/dist and packages/*/dist only, with automatic sudo escalation on permission errors — preventing the previous issue where a broad find -name dist would accidentally nuke dist/ inside node_modules.

Fixed

  • TODO: Add Jira link
  • A changeset describing the change and affected packages. (more info)
  • Added or Updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)

…r command

Signed-off-by: its-mitesh-kumar <itsmiteshkumar98@gmail.com>
@its-mitesh-kumar its-mitesh-kumar requested review from a team as code owners July 3, 2026 14:36
@sonarqubecloud

sonarqubecloud Bot commented Jul 3, 2026


@its-mitesh-kumar

Member Author

/fs-review

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 3, 2026


🤖 Finished Review · ❌ Failure · Started 2:40 PM UTC · Completed 2:53 PM UTC
Commit: d69d6d6 · View workflow run →

@fullsend-ai-review


Review

Findings

High

  • [protected-path] .cursor/commands/pr.md — This PR modifies a file under the protected .cursor/ path without a linked issue. The PR body explicitly states "TODO: Add Jira link" in the Fixed section, indicating authorization is not yet established. Protected-path changes always require human approval and explicit authorization.
    Remediation: Link a tracking issue or Jira ticket that authorizes modifications to .cursor/commands/pr.md before merging.

Medium

  • [privilege-escalation] .cursor/commands/pr.md:56 — The pre-build cleanup step instructs the AI agent to automatically escalate to sudo rm -rf if the initial rm -rf fails with a permission error. A symlink at plugins/<name>/dist pointing to an arbitrary directory could trick the sudo rm into deleting files outside the intended scope. Combined with the --a (auto-approve) flag, the entire flow from cleanup through commit runs without any human oversight.
    Remediation: Remove the automatic sudo escalation. When rm -rf fails with EACCES, instruct the agent to stop and ask the user to resolve the permission issue manually. Consider adding symlink checks before deletion.

  • [numbering-convention] .cursor/commands/pr.md:45 — The pre-build cleanup sub-step is numbered "0" while every other ordered list in the file uses 1-based numbering. This breaks the file's consistent convention and may confuse LLM consumers that parse numbered lists ordinally.
    Remediation: Renumber the cleanup sub-step to "1" and shift existing sub-steps (install, prettier, tsc, build, test, api-reports) to 2–7.

Low

  • [logic-error] .cursor/commands/pr.md:4 — The --a mode description lists Steps 3, 7, and 8 as skipped approval gates, but Step 1 also contains an approval gate (multi-workspace confirmation: "Are you sure you want to proceed?"). Its behavior under --a mode is unspecified — either document that it is intentionally always-interactive, or add it to the skip list.

  • [authorization-bypass] .cursor/commands/pr.md:6 — The --a flag bypasses all human approval gates (Steps 3, 7, and 8), removing human-in-the-loop review of branch names, staged files, and commit messages. In a supply-chain attack scenario where build output is manipulated, auto-approve mode would stage and push those files without human review.

  • [scope-creep] .cursor/commands/pr.md — The PR uses feat conventional commit type but modifies developer tooling configuration (.cursor/commands/), not a product feature. Consider chore(tooling) instead.

  • [naming-convention] .cursor/commands/pr.md — The flag --a uses unconventional CLI naming. Single-letter flags typically use a single dash (-a); double-dash flags use full words (--auto-approve). Consider -a or --auto-approve for clarity.

  • [heading-convention] .cursor/commands/pr.md — The `(APPROVAL REQUIRED unless --a)` suffix is added to Steps 3, 7, and 8 headings, but Step 1's inline approval gate uses a different pattern. Consider making approval gate marking consistent.

  • [pattern-inconsistency] .cursor/commands/pr.md:19 — Step cross-references (e.g., "Step 2", "Step 5") use plain text with no anchors, making renumbering fragile if steps are added or reordered.
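The symlink and sudo-escalation concerns raised in the review can be addressed with a cleanup step that stays scoped to `plugins/*/dist` and `packages/*/dist`, refuses symlinked paths, and reports permission errors instead of escalating. The following is an added illustration written for this page, not the PR's own command text; the function name `clean_dist_dirs` and the root-directory argument are assumptions.

```shell
#!/bin/sh
# Hypothetical hardened dist cleanup (added example, not part of the PR).
# Scope: only plugins/*/dist and packages/*/dist below the given root.
# A symlinked dist (or a symlinked parent) is never deleted, because rm -rf
# through a link could reach outside the repository. Permission errors are
# reported and the step fails; there is no automatic sudo escalation.
clean_dist_dirs() {
  root=$1
  rc=0
  for d in "$root"/plugins/*/dist "$root"/packages/*/dist; do
    # An unmatched glob expands to its literal pattern; skip that case.
    [ -e "$d" ] || [ -L "$d" ] || continue
    parent=${d%/dist}
    # Refuse symlinks on the dist entry itself or on its parent directory.
    if [ -L "$d" ] || [ -L "$parent" ]; then
      echo "refusing to remove symlinked path: $d" >&2
      rc=1
      continue
    fi
    # Only real directories are removed; stray files named dist are ignored.
    [ -d "$d" ] || continue
    if ! rm -rf "$d" 2>/dev/null; then
      echo "cannot remove $d: fix permissions manually (no sudo)" >&2
      rc=1
    fi
  done
  return $rc
}
```

The caller treats a non-zero return as "stop and ask the user", which is the behaviour the review recommends in place of escalation.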
