9 parallel sweep agents fanned out cleanly. No timeouts. All under 6 min budget. Stream-append-as-found discipline (one finding per Write) held — no batched-write loss.
Concern split kept noise low. Security split into 4 sub-areas (validation, auth, web, supply) prevented one agent owning too much. Tech-debt + arch + testcov + general-review filled the rest.
Dedup subagent caught 7 dups + 6 supersedes out of 53. Narrow search_issues queries (file path, symbol name) avoided 78k-char overflow.
Verification subagent caught 2 false-premise findings (F28, F52) that survived dedup. Spot-checking the cited line saved us from filing inaccurate child issues.
What didn't
Broad search_issues query overflowed 78k cap twice. Query like is:issue "general-audit" returns every prior audit master + lessons + child = ~66k chars. Always pin a narrowing keyword.
cargo audit first run failed with "advisory-db not found" because -n (no-fetch) was used before db was cached. Second run without -n worked. SKILL.md says -n always — should note the first-run case.
F28 + F52 false premises snuck past dedup because keywords matched plausibly. Body of F28 said "missing lock-ok marker" but marker was at line 23 (the finding cited line 31). Body of F52 said "no aria-live for chat" but chat.rs:387 has it. Lesson: sweep agent must Read ±10 lines around the cited line before asserting "missing"/"absent".
Suggested edits to .claude/skills/general-audit/SKILL.md
Pass 2 sweep agents must read ±10 lines around any cited line before asserting "missing"/"absent"/"no X exists". Prevents F28/F52-class false positives.
Dedup subagent prompt: never use bare is:issue "general-audit"-style queries. Always pin a file path, symbol name, or RUSTSEC ID. Add to "Hard Rules" → "Synthesis".
Pass 3 cargo-audit: drop the -n flag from the documented one-liner OR document a one-time cargo audit (no -n) prefetch step. First run after toolchain rebuild always fails with -n.
Verification subagent should drop any finding marked partially-verified whose body claim contradicts the verification spot-check, not just FAILED. Currently the rule says "drop FAILED" only — partial-correctness still made it to filing without F28/F52 manual override by the orchestrator.
Sibling-of-closed agent: prefer commit-prefix filter (fix:/feat:/perf:) over PR-by-PR drill when N merged PRs > 5. Auto-fix-batch PRs especially benefit.
Add explicit note: 38 issues × 4 API calls each (create + sub-issue + 2 reads) = 150+ MCP calls — budget for that. Suggest issue creation in batches of 8-10 in parallel; sub-issue link in batches of 14.
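Worked example of the ±10 window rule as a verification check. Added here, not code from SKILL.md or the sweep/verification agents; the finding dict shape, the file contents and the line numbers are constructed to mirror F28 (marker at line 23, finding cites line 31). Same pattern found outside the window still contradicts the "missing" claim and drops, which is the partially-verified rule change above.

```python
"""Spot-check a "missing X" finding against the cited file before filing it.

Added example, not from SKILL.md or the sweep agents. Encodes two of the
suggested rules: read +/- RADIUS lines around the cited line before asserting
"missing"/"absent", and treat a claim the spot-check contradicts as a drop
rather than a partially-verified finding that still gets filed.
"""
import re
from dataclasses import dataclass, field

RADIUS = 10  # lines each side of the cited line (the +/-10 from the lessons)


@dataclass
class SpotCheck:
    verdict: str                              # absent | present_in_window | present_elsewhere
    hits: list = field(default_factory=list)  # 1-based line numbers matching the pattern


def spot_check(source: str, cited_line: int, pattern: str, radius: int = RADIUS) -> SpotCheck:
    """Locate `pattern` in `source` relative to `cited_line` (1-based)."""
    rx = re.compile(pattern)
    lines = source.splitlines()
    hits = [n for n, text in enumerate(lines, start=1) if rx.search(text)]
    if not hits:
        return SpotCheck("absent", hits)
    lo, hi = max(1, cited_line - radius), min(len(lines), cited_line + radius)
    if any(lo <= h <= hi for h in hits):
        return SpotCheck("present_in_window", hits)
    return SpotCheck("present_elsewhere", hits)


def triage(finding: dict, source: str, radius: int = RADIUS) -> str:
    """Decide what happens to a raw "missing X" finding.

    finding = {"id": "F28", "line": 31, "pattern": r"lock-ok"}  (hypothetical shape)
      absent everywhere     -> "file"                claim stands
      within +/- radius     -> "drop:false-premise"  F28/F52 class
      elsewhere in the file -> "drop:contradicted"   wrong line cited; re-sweep,
                                                     do not file as partially-verified
    """
    result = spot_check(source, finding["line"], finding["pattern"], radius)
    return {
        "absent": "file",
        "present_in_window": "drop:false-premise",
        "present_elsewhere": "drop:contradicted",
    }[result.verdict]


def constructed_file() -> str:
    """Constructed 40-line stand-in for the file F28 cited: marker at line 23,
    finding cites line 31. Not the project's real source."""
    lines = [f"// filler {n}" for n in range(1, 41)]
    lines[23 - 1] = "    // lock-ok: guard is dropped before the .await below"
    lines[31 - 1] = "    let guard = state.lock().unwrap();  // line the finding cited"
    return "\n".join(lines)


if __name__ == "__main__":
    src = constructed_file()
    f28_like = {"id": "F28", "line": 31, "pattern": r"lock-ok"}
    check = spot_check(src, f28_like["line"], f28_like["pattern"])
    print(f28_like["id"], check.verdict, check.hits)          # present_in_window [23]
    print("triage:", triage(f28_like, src))                    # drop:false-premise
    # Narrower window: marker now outside it, but the "missing" claim is still wrong.
    print("radius 5:", triage(f28_like, src, radius=5))       # drop:contradicted
    # A pattern that really is absent from the file gets filed.
    print("aria-live:", triage({**f28_like, "pattern": r"aria-live"}, src))  # file
```

Run it as a script to see the three verdicts. Wire triage in wherever a sweep agent is about to write a "missing"/"absent" finding, passing the cited file's contents as source; the window clamps at the file boundaries, so a citation near line 1 or EOF is handled.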
caveman lessons. master: #513. 53 raw → 38 filed. cargo audit clean.
What worked
0.01ms flunks is_zero_duration). High-yield pass — keep first.
What didn't
fix:/feat:/perf:) before drilling.
Stats
SyncBatch.events has no element cap #233
[SEC-V-05] ProfileState.names / ChatMetaState.typing_peers accept unbounded attacker-supplied strings #234
[GEN-01] Deploy workflow uses sshpass -p with password + root@ + StrictHostKeyChecking=no #227
[DEP-04] CI Rust toolchain and install-action use mutable tags (including in deploy.yml) #248
F5-intra
[GEN-10] HLC wall_clock_ms panics on backwards system clock (SystemTime < UNIX_EPOCH) #270
_ => arms in materialize.rs silently absorb new EventKind variants #230
[security] XSS-prone js_sys::eval() in pinned message jump #171
[TD-04] .ok() silently swallows ~16 errors in listeners.rs event-pump hot loop #253
[TD-14] anyhow used in 8 library crates contradicts CLAUDE.md convention #332
[TD-02] 1521 unwrap()/expect() call sites; 18 in network/mem.rs production path #321
[ARCH-07] crates/client/src/lib.rs is 1,941 LOC with 18 pub mod entries — unbounded public surface #259