general-audit: fold lessons #628#629
Merged
Merged
Conversation
Applied: - Pass 1 sub-pattern (d): validator scope creep — single-variant validators (PR #583's `Content::File`-only caps) almost always need to extend to all sibling variants. Caught 5 findings this run. - Verification subagent has access to `mcp__github__issue_read` — closed-issue check should not return `partially-verified` when GH MCP can confirm. - Don't dispatch dedup until ALL sweep agents land; recompute raw count just before dispatch. The 2026-05-04 run's `general` agent landed F9/F10 (relay docker break + stale port docs) AFTER initial dedup brief was prepared. - Authority-spec drift = architecture concern, not security. The architecture lane owns events emitted outside `apply_event` (e.g. invite-mint side channels). Security-auth lane should look but architecture lane catches. - Agent prompts: 8 min budget for broad-scope agents (`general`, `sibling-of-closed`); per-concern agents stay at 6 min. - Agent final-summary rule: report path + one-line strongest finding only, never echo finding bodies. Saves orchestrator context. - Pre-fetch available severity-label set before filing child issues. Don't guess `security`/`robustness` exist — verify against recent audit issues' `labels` field. Skipped: - "Reiterate master-body keep-dedup-metadata-minimal" — already codified at the existing "Master issue body" paragraph; second copy would just drift over time. https://claude.ai/code/session_01H1t1f3KpZuQfXV3CmG1JhS
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #628.
Folds the 2026-05-04
/general-auditlessons (issue #628) into.claude/skills/general-audit/SKILL.md. Mechanical application of each suggested edit from the lessons issue.Edits applied
Content::File-only caps surfaced 5 sibling findings this run (F11–F15:Content::Text/Reply/Edit/System/Reaction,SealedContent.ciphertext, allEventKindString fields).mcp__github__issue_readis available; don't returnpartially-verifiedfor "could not verify issue closed via gh CLI." This run had to close one such finding (F06,TODO(#119)stale closed-issue ref) post-hoc in the orchestrator.generalagent landed two findings (F9 docker relay break, F10 stale README ports) AFTER the initial dedup brief had been prepared, requiring a manual second-pass dedup.apply_event(e.g. invite-mint as out-of-band side channel) belong in the architecture lane. The 2026-05-04 audit caught the invite-mint authority issue ONLY in the architecture-backfill agent — security-auth's framing assumed all authority is inapply_event.general+sibling-of-closed. 8 min instead of 6 min default; both consistently brush against the 6-min cap.security/robustnesslabels exist; verify against recent audit issues'labelsarrays. This run filed all child issues withauditonly (andtech-debtwhere confirmed) because severity-label existence wasn't verified upfront.Edits skipped
just devto start all services for local development #7) —skipped: already codified. The existing "Master issue body" paragraph in the Synthesis section already states this rule. A second copy would just drift over time.Auto-generated by
/general-audit. Human review required before merge.Generated by Claude Code