Context
PR #10901 was approved by an AI maintainer despite failing CodeQL / Security checks because the pr-review skill lacked a mandatory check for CI status. The agent relied solely on local test execution, which skips CI-only checks like security bots.
The Problem
The pr-review skill focuses heavily on depth floors, provenance, and tests execution, but relies entirely on the agent running local tests. It misses automated CI checks (like CodeQL and GitHub security bots) that run asynchronously on GitHub. Approving a PR with failing security checks is a severe failure mode.
The Architectural Reality
The pr-review skill (.agents/skills/pr-review/references/pr-review-guide.md) needs a new section. However, per the Progressive Disclosure "Map vs World Atlas" constraint, we must not bloat the high-level guide with tool-specific edge cases. The detailed audit protocol belongs in a dedicated file within .agents/skills/pr-review/audits/.
The Fix
- Extract the detailed CI / Security Checks Audit protocol into
.agents/skills/pr-review/audits/ci-security-audit.md (World Atlas).
- Add a one-line trigger in
pr-review-guide.md §7.6 pointing to the new audit file (The Map).
- Update
pr-review-guide.md §7.7 Anti-Patterns.
- Ensure the
pr-review-template.md and pr-review-followup-template.md templates have a dedicated section for this audit.
Acceptance Criteria
Out of Scope
Adding mechanical auto-rejection hooks or Webhooks. This is discipline-only enforcement for now.
Related
Origin Session ID
Origin Session ID: d4129f93-807b-4c2e-beee-c63cd5462a94
Context PR #10901 was approved by an AI maintainer despite failing CodeQL / Security checks because the
pr-reviewskill lacked a mandatory check for CI status. The agent relied solely on local test execution, which skips CI-only checks like security bots.The Problem The
pr-reviewskill focuses heavily on depth floors, provenance, and tests execution, but relies entirely on the agent running local tests. It misses automated CI checks (like CodeQL and GitHub security bots) that run asynchronously on GitHub. Approving a PR with failing security checks is a severe failure mode.The Architectural Reality The
pr-reviewskill (.agents/skills/pr-review/references/pr-review-guide.md) needs a new section. However, per the Progressive Disclosure "Map vs World Atlas" constraint, we must not bloat the high-level guide with tool-specific edge cases. The detailed audit protocol belongs in a dedicated file within.agents/skills/pr-review/audits/.The Fix
.agents/skills/pr-review/audits/ci-security-audit.md(World Atlas).pr-review-guide.md§7.6 pointing to the new audit file (The Map).pr-review-guide.md§7.7 Anti-Patterns.pr-review-template.mdandpr-review-followup-template.mdtemplates have a dedicated section for this audit.Acceptance Criteria
.agents/skills/pr-review/audits/ci-security-audit.mdis created with the full audit requirements.pr-review-guide.mdhas a one-line trigger under7.6 CI / Security Checks Audit.pr-review-guide.mdanti-patterns table flags approving a PR with failing CI checks.pr-review-template.mdandpr-review-followup-template.mdhave aCI / Security Checks Auditcheckbox.Out of Scope Adding mechanical auto-rejection hooks or Webhooks. This is discipline-only enforcement for now.
Related
Origin Session ID Origin Session ID: d4129f93-807b-4c2e-beee-c63cd5462a94