From 83b6119ca68794f84a630775f1eee8ef2080dae8 Mon Sep 17 00:00:00 2001 From: Danijel Martinek Date: Thu, 14 May 2026 18:03:36 +0000 Subject: [PATCH] docs(sandcastle): add CI security checks section to reviewer prompt MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Instructs the reviewer agent to inspect Socket critical findings and CodeQL error-severity findings via gh run view before issuing a verdict. Composes with the existing library-trace check — all three must pass for approval. --- .sandcastle/reviewer.prompt.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/.sandcastle/reviewer.prompt.md b/.sandcastle/reviewer.prompt.md index b5b18e9..15f2d10 100644 --- a/.sandcastle/reviewer.prompt.md +++ b/.sandcastle/reviewer.prompt.md 
@@ -90,6 +90,36 @@ node scripts/library-decisions/check.mjs --staged-against where `` is the PR's base branch (typically `main`). If the command exits non-zero, **reject** the slice: a new runtime dependency in a feature- or core-tier package is missing an approved library-decision trace. The implementer must run the evaluate-library skill (`.claude/skills/evaluate-library/SKILL.md`) and add the resulting `docs/library-decisions/*.md` trace before the slice can be approved. +## CI security checks + +Before issuing your verdict, retrieve the CI run logs for the PR and scan for security findings: + +```bash +gh run view --log +``` + +where `` is the most recent workflow run for the PR's head commit (find it via `gh pr checks `). + +**Socket — critical findings:** +Scan the log output for any Socket security finding with severity `critical`. These appear in the "Socket Security" check step output. If any `critical` finding is present: + +- **Reject** the slice. +- Name the specific finding (package name + finding label) in your notes. +- Cite the failure-mode hierarchy in `docs/guides/ci-security.md` for remediation guidance. + +Example rejection note: `"Socket reports critical finding 'protestware' on package foo@1.2.3. See docs/guides/ci-security.md for the failure-mode hierarchy."` + +**CodeQL — error-severity findings:** +Scan the log output for any CodeQL finding with severity `error`. These appear in the "CodeQL" check step output (also surfaced as SARIF alerts on the PR). If any `error`-severity finding is present: + +- **Reject** the slice. +- Name the specific finding (rule ID + file + line) in your notes. +- Cite the failure-mode hierarchy in `docs/guides/ci-security.md` for remediation guidance. + +Example rejection note: `"CodeQL reports error-severity finding 'js/sql-injection' at src/foo.ts:42. 
See docs/guides/ci-security.md for the failure-mode hierarchy."` + +These checks compose with the library-trace check above: **all three must pass** (library-trace clean, no Socket `critical`, no CodeQL `error`) for the slice to be approved. + ## Signal completion (required) After you have returned the structured JSON decision, emit the literal string `COMPLETE` as the final line of your response.
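Review bot: The new "CI security checks" section fails open. It tells the reviewer to reject when a Socket `critical` or CodeQL `error` finding appears in the log, but it does not cover the cases where the log cannot be retrieved, the run is still in progress, or the "Socket Security" or "CodeQL" step is missing from the output. An absent finding and an absent check therefore both read as a pass. Suggest adding an explicit rule that the reviewer must first confirm both steps completed for the PR's head commit, and must not approve if either is missing, skipped or still running. Related: "the most recent workflow run for the PR's head commit" assumes one run carries both steps. If Socket and CodeQL run in separate workflows, a single `gh run view --log` covers only one of them, so the text should say to check each relevant run listed by `gh pr checks`. Since the CodeQL paragraph already notes the findings are "also surfaced as SARIF alerts on the PR", it would also help to state which source is authoritative when the log and the alerts disagree.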