diff --git a/.cursor/rules/audit-review.mdc b/.cursor/rules/audit-review.mdc index b57ce4650e31..849525f52ce7 100644 --- a/.cursor/rules/audit-review.mdc +++ b/.cursor/rules/audit-review.mdc @@ -9,20 +9,27 @@ Use this format when the user asks for a deep audit, fault injection, or review ## Required Output -- Report **confirmed defects only** first. -- Classify each finding as **High**, **Medium**, or **Low**. -- For each finding include: +The audit process must remain deep (all analysis dimensions below are still required), but the final user-visible report must include only: + +1. **Confirmed defects** +2. **Coverage summary** + +Output rules: + +- Report **confirmed defects only** (no hypotheticals). +- Classify each defect as **High**, **Medium**, or **Low**. +- For each confirmed defect include: - short title, - concrete impact, - exact file/function reference, - brief proof sketch tied to code path, - - at least one **code snippet** that demonstrates the defect condition. -- Include an **Assumptions & Limits** section for static reasoning: - - what was not executed at runtime, - - what could not be proven without dynamic testing. -- Include **audit confidence**: - - overall confidence (High/Medium/Low), - - what additional evidence would raise confidence. + - code snippet(s) **only when needed** to prove the defect condition. +- If no defects are confirmed, explicitly output `No confirmed defects in reviewed scope.` +- Include a concise **Coverage summary** with: + - scope reviewed, + - categories failed, + - categories passed, + - assumptions/limits (single concise line). ## Severity Rubric (Required) @@ -119,18 +126,10 @@ Use this format when the user asks for a deep audit, fault injection, or review - one primary defect per root cause, with secondary manifestations listed under it. - If no defects are found, explicitly report residual risks and untested paths. -## Canonical Report Order (Required) - -1. Scope and partitions (if large PR) -2. Call graph -3. Transition matrix -4. Logical code-path testing summary -5. Fault categories and category-by-category injection results -6. Confirmed defects (High/Medium/Low) -7. Coverage accounting + stop-condition status -8. Assumptions & Limits -9. Confidence rating and confidence-raising evidence -10. Residual risks and untested paths +## Report Order (Required) + +1. Confirmed defects (High/Medium/Low) +2. Coverage summary ## Multithreaded DB Priority diff --git a/.cursor/skills/audit-review/SKILL.md b/.cursor/skills/audit-review/SKILL.md index 7903a7c3924e..cf92e91c4a01 100644 --- a/.cursor/skills/audit-review/SKILL.md +++ b/.cursor/skills/audit-review/SKILL.md @@ -77,77 +77,49 @@ For ClickHouse-style multithreaded systems, prioritize these checks before lower 4. Concurrent container mutation + iterator/reference use. 5. Exception/cancellation paths that can leave locks/state inconsistent. -## Output Contract - -- Start with confirmed defects only. -- Group by severity: High, Medium, Low. -- For each defect include: - - title, - - impact, - - file/function anchor, - - fault-injection trigger, - - transition mapping, - - why it is a defect (not a design preference), - - smallest logical repro steps, - - likely fix direction (short, concrete: 2-4 bullets or sentences), - - regression test direction (short, concrete: 2-4 bullets or sentences), - - affected subsystem and blast radius, - - at least one code snippet proving the defect. -- Separate “not confirmed” or “needs runtime proof” from confirmed defects. -- Include an **Assumptions & Limits** section for static reasoning. -- Include an overall **confidence rating** and what additional evidence would raise confidence. -- If no defects are found, include residual risks and untested paths. -- For large PRs, include per-partition findings/coverage and final cross-partition risk summary. -- Include a fault-category completion matrix for every deep audit. - -### Canonical report order - -1. Scope and partitions (if large PR) -2. Call graph -3. Transition matrix -4. Logical code-path testing summary -5. Fault categories and category-by-category injection results -6. Confirmed defects (High/Medium/Low) -7. Coverage accounting + stop-condition status -8. Assumptions & Limits -9. Confidence rating and confidence-raising evidence -10. Residual risks and untested paths - -## Standard Audit Report Template (Default: Pointed PR Style) - -Default report style should match concise PR review comments: -- fail-first and action-oriented, -- only confirmed defects (no pass-by-pass narrative), -- one short summary line when there are no confirmed defects. - -Use the compact template below by default. Use the full 10-section canonical format only when explicitly requested. +## Output Contract (Required) + +Always perform the full deep analysis workflow above, but keep the final user-visible report short and limited to: + +1. `Confirmed defects` +2. `Coverage summary` ```markdown +AI audit note: This review comment was generated by AI (gpt-5.3-codex). + Audit update for PR # (): Confirmed defects: -- **: ** - - Impact: - - Anchor: `` / `` - - Trigger: - - Why defect: <1-2 lines, behavior not preference> - - Fix direction (short): <2-4 bullets or sentences> - - Regression test direction (short): <2-4 bullets or sentences including positive and edge/failure cases> - - Evidence: - ```start:end:path - // minimal proving snippet - ``` + : + Impact: + Anchor: / + Trigger: + Why defect: <1-2 lines, behavior not preference> + Fix direction (short): <1 line> + Regression test direction (short): <1 line> - Medium -> Low> + Medium -> Low> Coverage summary: -- Scope reviewed: -- Categories failed: -- Categories passed: -- Assumptions/limits: + + Scope reviewed: + Categories failed: + Categories passed: + Assumptions/limits: ``` +If no confirmed defects: +- output `No confirmed defects in reviewed scope.` +- still include `Coverage summary`. + +### Short-form constraints (required) + +- Keep each defect compact and actionable. +- Include only confirmed defects. +- Use snippets only when needed to prove a defect, or when the user asks. +- Do not include full workflow narrative sections in the report. + ## Severity Rubric - High: realistic trigger can cause crash/UB/data corruption/auth bypass/deadlock.