
SECURITYREVIEW-2026-06-25-1: dual-agent review findings#44

Open
mnsmarko wants to merge 1 commit into mobydeck:main from mnsmarko:SECURITYREVIEW-2026-06-25-1

Conversation

@mnsmarko


Automated dual-agent security review run by aireviewer.

  • Agent A: claude
  • Agent B: codex
  • Report: docs/reviews/2026-06/SECURITYREVIEW-2026-06-25-1.md
  • TODO: docs/reviews/2026-06/TODO-SECURITYREVIEW-2026-06-25-1.md

Repo admins: please examine the findings and act on the actionable TODO list. To reject or defer a finding, mark it WONTFIX or ONHOLD in the report file itself (edit it on this branch) — a GitHub comment alone is not enough.

Heads-up: only WONTFIX/ONHOLD findings are suppressed in future reviews. Any finding you leave unmarked is treated as still-live and will be re-reported by the next review if it's still present in the code — that's by design, not a bug.

Closing out this review

The scheduler will not open another security review of this repo while either this PR or its companion issue stays open — so resolve both when you're done. The PR has two valid exits:

  • Merge this PR (recommended) — lands the report, with your WONTFIX/ONHOLD markers, on the default branch. That merged report is the record future runs read to avoid repeating findings you deferred or rejected. Use this whenever you marked anything WONTFIX/ONHOLD, or just want the audit trail.
  • Close this PR without merging — for when you're abandoning this review cycle (e.g. you got stuck, moved on, and want a fresh review of newer code). Nothing is recorded, so every still-present finding comes back in the next review and any markers you set here are lost.

Either way, also close the companion issue to free the repo for its next review.

Handover prompt for an AI coding agent (paste into Claude Code / Codex in a clone of this repo, with gh authenticated)

You are picking up a completed dual-agent review. There is this open review PR (it contains only the dated report + TODO — no source changes) and a companion issue. Act on the findings, record my defer/reject decisions in the report, then merge the PR and close the issue.

  • Report: docs/reviews/2026-06/SECURITYREVIEW-2026-06-25-1.md
  • TODO: docs/reviews/2026-06/TODO-SECURITYREVIEW-2026-06-25-1.md
  • Review branch: SECURITYREVIEW-2026-06-25-1 · PR base: the default branch

0. Orient. Read the report + TODO on the review branch. Each finding has an ID like 2026-06-03-1-7 and a severity. Check out the base branch and pull latest — the review was a snapshot and code may have moved since.

1. Re-anchor every finding against the CURRENT code (commits may have landed after the review). Report line numbers can be stale — locate each finding now by symbol/content, not by line number. Then: already fixed by a later commit → don't re-fix, leave it unmarked (it just won't be re-reported); no longer applicable → mark WONTFIX with a reason; still live → fix it. Never trust the report's line numbers blindly.

2. Fix the still-live findings via this repo's normal workflow (a fix branch off latest base, or direct commits per convention). Keep code fixes OUT of the review PR branch — it's report-only so it always merges cleanly. Reference the finding ID in commit messages.

3. Record defer/reject decisions IN THE REPORT FILE on the review branch (a GitHub comment is not enough — only the report is read by future runs): WONTFIX to reject, ONHOLD to defer, each with a brief reason. Anything left unmarked and still present will be re-reported next time. Commit + push these edits to the PR branch.

4. Close out with gh — the next review of this type is blocked while either the PR or issue is open, so resolve both:

  • gh pr merge <pr> --squash --delete-branch (recommended — lands the report + your markers; it's report-only so it merges into the advanced base. If GitHub says the branch is behind, gh pr update-branch <pr> first.)
  • gh issue close <issue> --comment "Fixed: <ids>. Deferred: <ids>. Rejected: <ids>. Already resolved by later commits: <ids>."

Abandoning instead? gh pr close <pr> (no merge) + close the issue — nothing is recorded, markers are lost, still-present findings come back. Only do this deliberately.

Report back: what you fixed, what you marked WONTFIX/ONHOLD (with reasons), what was already resolved by later commits, and the final PR/issue state.
