Skip to content

docs(agents): reconcile agent configs with actual validation policy, trailers, and review gate#1850

Merged
steilerDev merged 1 commit into
betafrom
fix/1818-agent-config-consistency
Jul 7, 2026
Merged

docs(agents): reconcile agent configs with actual validation policy, trailers, and review gate#1850
steilerDev merged 1 commit into
betafrom
fix/1818-agent-config-consistency

Conversation

@steilerDev

Copy link
Copy Markdown
Owner

Summary

  • Retires the fictional "pre-commit hook" referenced across 6 agent files (backend/frontend/product-architect/dev-team-lead/qa/e2e) — no such hook exists (.git/hooks/ has only .sample files). Replaced with CLAUDE.md's actual Local Validation Policy (implementing agents run lint:fix/format/lint before handback; CI Quality Gates own full validation).
  • Standardizes agent trailer version strings into one canonical table in CLAUDE.md (translator moved Sonnet 4.6→4.5 to match its actual recent usage and peer tier; dev-team-lead's PR-body template got a correctly-named, correctly-tiered trailer instead of a nameless Opus 4.6 line).
  • Reconciles wiki ownership: product-architect owns all wiki pages except Security-Audit.md (security-engineer) and Style-Guide.md (ux-designer) — previously contradicted three different ways.
  • Adds a single canonical PR Review Gate section to CLAUDE.md (product-architect always, security-engineer conditional on file patterns, product-owner for stories only, ux-designer for client-touching PRs), replacing four divergent definitions across backend/frontend/product-architect/CLAUDE.md.
  • Fixes frontend-developer.md's nonexistent features/work-items/ convention to match the actual pages//components/ structure.
  • Fixes the docs dev-server port collision: docs/package.json's dev script now runs on --port 3001 (was defaulting to 3000, colliding with the app server) — makes CLAUDE.md's already-documented port 3001 true instead of aspirational.
  • LOW-severity batch: stale §6/§8 cross-reference, incomplete agent list in dev-team-lead.md, stale frontmatter examples in security-engineer.md, stale "MEMORY.md is currently empty" footers (7 files, despite non-empty memory), ux-designer's self-contradictory edit-boundary, worktree-cleanup step conflicting with the (already-flipped, PR docs: flip worktree policy — clean up worktrees when work is complete #1825) worktree policy, e2e-test-engineer's malformed multiline frontmatter scalar, duplicated "persistent Persistent Agent Memory" wording + hardcoded absolute sandbox paths (10 files), and orphaned ### 8. numbering in qa/e2e (moved back into their Core Responsibilities blocks).

Fixes #1818

Test plan

  • All 18 verification greps from the reconciliation spec pass (confirmed during [MODE: review])
  • Diff spot-checked against the spec for all judgment items: trailer table, PR Review Gate, wiki ownership, e2e frontmatter collapse — byte-consistent
  • Two implementer-initiative additions verified correct: capital-P "Pre-commit hook quality gates" variant in dev-team-lead's PR-body template (would have been missed by the spec's case-sensitive grep), and stale-footer fix extended to backend/frontend/product-architect (required by grep EPIC-11: CI/CD Infrastructure with Semantic Release #12, omitted from the per-file list)
  • Agent-config/docs only — no production code, no tests needed
  • CI Quality Gates

Co-Authored-By: Claude dev-team-lead (Sonnet 4.6) noreply@anthropic.com

…trailers, and review gate

Fixes #1818

Co-Authored-By: Claude dev-team-lead (Sonnet 4.6) <noreply@anthropic.com>
@steilerDev

Copy link
Copy Markdown
Owner Author

[security-engineer]

Config-only review of #1850 (10 agent-config .md files + CLAUDE.md reconciliation + docs/package.json port change).

Scope confirmed: git diff origin/beta..HEAD — no server/, client/, shared/, Dockerfile, or dependency-manifest changes. Purely .claude/agents/*.md, .claude/agent-memory/dev-team-lead/sandbox-environment.md, CLAUDE.md, docs/package.json.

1. PR Review Gate conditionality — not a new weakening

The new CLAUDE.md "PR Review Gate" section makes security review conditional on file-pattern triggers (referenced from .claude/skills/develop/SKILL.md's existing "Security Review Trigger Rules"). I checked: .claude/skills/develop/SKILL.md has zero diff in this PR — the conditional trigger logic (routes/**, auth*/session* plugins, Dockerfile, package manifests, and path keyword matches for sql/crypto/cookie/session/token/auth/secret) already existed in beta before this PR. This PR only reconciles CLAUDE.md's prose (previously said "must review every story PR," contradicting the skill file that was already conditional) to match actual practice. So this is a documentation fix, not a scope reduction introduced by #1850.

That said, since this PR elevates the trigger rules to canonical status in CLAUDE.md, worth flagging as informational for a future PR (not blocking here): the trigger patterns don't catch server/src/services/** changes that don't also touch routes/** or match a keyword — e.g., a Paperless-ngx integration fix confined to paperlessService.ts (SSRF-relevant, explicitly in my audit domain) or a photo-storage path change wouldn't trigger review unless the filename happens to contain one of the listed keywords. Same gap for frontend-only PRs (XSS surface, e.g. a new dangerouslySetInnerHTML use) — those are explicitly skipped from per-PR security review under the current rules, relying solely on the /epic-close full audit to catch them. Recommend broadening the trigger patterns (add server/src/services/**, and a frontend keyword/pattern check) in a follow-up to SKILL.md. Non-blocking for this PR since it doesn't touch that file.

2. No unsafe instructions introduced

Reviewed all 10 agent files plus CLAUDE.md for anything resembling bypass-review language, protected-branch pushes, or credential handling changes. Found none — the diffs are: pre-commit-hook fiction replaced with the actual Local Validation Policy (lint:fix/format/lint before handback, CI owns full validation), canonical trailer table, wiki-ownership reconciliation, stale §6/§8 references fixed, and portable agent-memory path descriptions replacing hardcoded absolute local paths (e.g. /Users/franksteiler/Documents/Sandboxes/cornerstone/...) across 10 files. That last change is actually a minor positive fix — it removes a checked-in local username/filesystem path from tracked files.

The product-architect self-review skip clause ("orchestrator skips the product-architect review when product-architect is the PR's own author on an architecture-only change") is a reasonable, narrowly-scoped self-review exception and isn't new — it mirrors existing convention, just reworded.

3. docs/package.json port change

docusaurus start --port 3001 is dev-only tooling (Docusaurus dev server), not part of the production Docker image or any deployed surface. No security impact.

Verdict: No critical/high findings. One informational recommendation (broaden Security Review Trigger Rules coverage in SKILL.md in a future PR) — does not block this PR.

APPROVED

@steilerDev steilerDev merged commit 036ab7a into beta Jul 7, 2026
12 checks passed
@steilerDev steilerDev deleted the fix/1818-agent-config-consistency branch July 7, 2026 23:24
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🎉 This PR is included in version 2.13.0-beta.19 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant