fraqtal/agentic-dev-template
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

docs(sandcastle): add CI security checks section to reviewer prompt

Browse Source 
Instructs the reviewer agent to inspect Socket critical findings and
CodeQL error-severity findings via gh run view before issuing a verdict.
Composes with the existing library-trace check — all three must pass for
approval.
This commit is contained in:
Danijel Martinek
2026-05-14 18:03:36 +00:00
parent 41bf107fc4
commit 83b6119ca6
1 changed files with 30 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
.sandcastle/reviewer.prompt.md
View File

@@ -90,6 +90,36 @@ node scripts/library-decisions/check.mjs --staged-against <base-branch>
where `<base-branch>` is the PR's base branch (typically `main`). If the command exits non-zero, **reject** the slice: a new runtime dependency in a feature- or core-tier package is missing an approved library-decision trace. The implementer must run the evaluate-library skill (`.claude/skills/evaluate-library/SKILL.md`) and add the resulting `docs/library-decisions/*.md` trace before the slice can be approved.
## CI security checks
Before issuing your verdict, retrieve the CI run logs for the PR and scan for security findings:
```bash
gh run view <run-id> --log
```
where `<run-id>` is the most recent workflow run for the PR's head commit (find it via `gh pr checks <pr-number>`).
**Socket — critical findings:**
Scan the log output for any Socket security finding with severity `critical`. These appear in the "Socket Security" check step output. If any `critical` finding is present:
- **Reject** the slice.
- Name the specific finding (package name + finding label) in your notes.
- Cite the failure-mode hierarchy in `docs/guides/ci-security.md` for remediation guidance.
Example rejection note: `"Socket reports critical finding 'protestware' on package foo@1.2.3. See docs/guides/ci-security.md for the failure-mode hierarchy."`
**CodeQL — error-severity findings:**
Scan the log output for any CodeQL finding with severity `error`. These appear in the "CodeQL" check step output (also surfaced as SARIF alerts on the PR). If any `error`-severity finding is present:
- **Reject** the slice.
- Name the specific finding (rule ID + file + line) in your notes.
- Cite the failure-mode hierarchy in `docs/guides/ci-security.md` for remediation guidance.
Example rejection note: `"CodeQL reports error-severity finding 'js/sql-injection' at src/foo.ts:42. See docs/guides/ci-security.md for the failure-mode hierarchy."`
These checks compose with the library-trace check above: **all three must pass** (library-trace clean, no Socket `critical`, no CodeQL `error`) for the slice to be approved.
## Signal completion (required)
After you have returned the structured JSON decision, emit the literal string `<promise>COMPLETE</promise>` as the final line of your response.