refactor: tighten pr-review-appsec-vendored to match repo conventions #2826
nick-inkeep merged 1 commit into main from
The skill follows the same frontmatter conventions as
Clean refactor — all 13 items preserved, structure now matches accessibility-checklist conventions (§N headers, multi-line description, inline bold-lead items, "Loaded by" tag). One minor note inline about a dropped detection hint; otherwise no issues.
Approving — clean refactor with no content loss. All 13 security items and severity calibration preserved.
Verified the fix and resolved the thread. The
- Multi-line description with "Loaded by pr-review-appsec"
- §N section headers, inline bold-lead items (matches accessibility-checklist)
- Removed fabricated CVE, MCP/Vercel Edge dead-weight sections
- Added severity calibration table and usage guide
- 82 lines, same 13 items, tighter prose

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
8e1994e to 22995d4
PR Review Summary
(0) Total Issues | Risk: Low
This PR refactors the pr-review-appsec-vendored skill to match the repo's accessibility-checklist conventions. After verification:
✅ Convention Alignment Verified
| Convention | Status |
|---|---|
| §N section headers | ✅ §1 better-auth, §2 SpiceDB / AuthZed, §3 Security Operations, §4 Next.js / React Server Components |
| Multi-line description in frontmatter | ✅ Present with pipe YAML syntax |
| "Loaded by" tag | ✅ "Loaded by pr-review-appsec" added |
| Inline bold-lead items | ✅ **Item name**: description format |
| user-invocable: false | ✅ Preserved |
| disable-model-invocation: true | ✅ Preserved |
✅ Content Preservation Verified
All 13 security items preserved with detection patterns:
§1 better-auth (4): SSO session org context, SSO auto-provisioning bypasses hooks, triple onboarding duplicates, social providers per-tenant
§2 SpiceDB (2): LookupResources unbounded, intersection operator latency
§3 Security Operations (2): Re-authentication missing, security event logging absent
§4 Next.js RSC (5): Secrets in Server Functions, closure captures server vars, RSC prop serialization, NEXT_PUBLIC_ on secrets, ISR caches sensitive data
✅ Prior Feedback Addressed
The next.config.* detection pattern is present on line 60 as confirmed by the author.
✅ Severity Calibration Table Preserved
All 13 items present with abbreviated descriptions — severity ratings unchanged (3 CRITICAL, 8 MAJOR, 2 MINOR).
✅ APPROVE
Summary: Clean refactor achieving the stated goal — same 13 security items, tighter prose (82 lines from 118), consistent with accessibility-checklist conventions. No content loss, no changeset needed (internal AI tooling change per CLAUDE.md).
Reviewers (1)
| Reviewer | Returned | Main Findings | Consider | While You're Here | Inline Comments | Pending Recs | Discarded |
|---|---|---|---|---|---|---|---|
| orchestrator | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Note: No subagent reviewers dispatched — this is a small formatting refactor of an internal skill file with clear acceptance criteria verified via direct inspection.
Summary
accessibility-checklist skill conventions: §N section headers, inline bold-lead items, multi-line description
Test plan
🤖 Generated with Claude Code