From 2b19a26b57a866a7730c3359d612ee0189600485 Mon Sep 17 00:00:00 2001 From: Selfeer Date: Mon, 9 Mar 2026 17:26:00 +0400 Subject: [PATCH 1/2] change the audit report to short form --- .cursor/skills/audit-review/SKILL.md | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/.cursor/skills/audit-review/SKILL.md b/.cursor/skills/audit-review/SKILL.md index 7903a7c3924e..69300e9264f2 100644 --- a/.cursor/skills/audit-review/SKILL.md +++ b/.cursor/skills/audit-review/SKILL.md @@ -113,14 +113,16 @@ For ClickHouse-style multithreaded systems, prioritize these checks before lower 9. Confidence rating and confidence-raising evidence 10. Residual risks and untested paths -## Standard Audit Report Template (Default: Pointed PR Style) +## Standard Audit Report Template (Default: Short PR Comment Form) -Default report style should match concise PR review comments: -- fail-first and action-oriented, -- only confirmed defects (no pass-by-pass narrative), -- one short summary line when there are no confirmed defects. +Default report style should mirror this pattern: +- `Audit update for PR # ():` +- `Confirmed defects:` +- short defect bullets by severity +- `Coverage summary:` -Use the compact template below by default. Use the full 10-section canonical format only when explicitly requested. +Use this short form by default unless the user explicitly asks for the full canonical report. +Keep wording concise and action-oriented. Do not include long narrative sections in short form. ```markdown Audit update for PR # (): @@ -136,7 +138,7 @@ Confirmed defects: - Regression test direction (short): <2-4 bullets or sentences including positive and edge/failure cases> - Evidence: ```start:end:path - // minimal proving snippet + // minimal proving snippet from code under review ``` Medium -> Low> 
@@ -148,6 +150,16 @@ Coverage summary: - Assumptions/limits: ``` +### Short-form constraints (required) + +- Report confirmed defects only (High/Medium/Low order). +- Keep each defect concise (target: 6-10 lines excluding snippet). +- Include at least one code snippet per confirmed defect. +- Snippet must directly show the defect condition or branch inconsistency. +- If no confirmed defects: + - output one line: `No confirmed defects in reviewed scope.` + - still include `Coverage summary` with assumptions/limits. + ## Severity Rubric - High: realistic trigger can cause crash/UB/data corruption/auth bypass/deadlock. From 1c740addac1d969a8b8f1d3c422047da891e1936 Mon Sep 17 00:00:00 2001 From: Selfeer Date: Tue, 10 Mar 2026 15:41:36 +0400 Subject: [PATCH 2/2] refire rules and skills for shorter output - while still preserving the deep audit analysis --- .cursor/rules/audit-review.mdc | 43 ++++++------ .cursor/skills/audit-review/SKILL.md | 98 ++++++++-------------------- 2 files changed, 50 insertions(+), 91 deletions(-) diff --git a/.cursor/rules/audit-review.mdc b/.cursor/rules/audit-review.mdc index b57ce4650e31..849525f52ce7 100644 --- a/.cursor/rules/audit-review.mdc +++ b/.cursor/rules/audit-review.mdc 
@@ -9,20 +9,27 @@ Use this format when the user asks for a deep audit, fault injection, or review ## Required Output -- Report **confirmed defects only** first. -- Classify each finding as **High**, **Medium**, or **Low**. -- For each finding include: +The audit process must remain deep (all analysis dimensions below are still required), but the final user-visible report must include only: + +1. **Confirmed defects** +2. **Coverage summary** + +Output rules: + +- Report **confirmed defects only** (no hypotheticals). +- Classify each defect as **High**, **Medium**, or **Low**. +- For each confirmed defect include: - short title, - concrete impact, - exact file/function reference, - brief proof sketch tied to code path, - - at least one **code snippet** that demonstrates the defect condition. -- Include an **Assumptions & Limits** section for static reasoning: - - what was not executed at runtime, - - what could not be proven without dynamic testing. -- Include **audit confidence**: - - overall confidence (High/Medium/Low), - - what additional evidence would raise confidence. + - code snippet(s) **only when needed** to prove the defect condition. +- If no defects are confirmed, explicitly output `No confirmed defects in reviewed scope.` +- Include a concise **Coverage summary** with: + - scope reviewed, + - categories failed, + - categories passed, + - assumptions/limits (single concise line). ## Severity Rubric (Required) 
@@ -119,18 +126,10 @@ Use this format when the user asks for a deep audit, fault injection, or review - one primary defect per root cause, with secondary manifestations listed under it. - If no defects are found, explicitly report residual risks and untested paths. -## Canonical Report Order (Required) - -1. Scope and partitions (if large PR) -2. Call graph -3. Transition matrix -4. Logical code-path testing summary -5. Fault categories and category-by-category injection results -6. Confirmed defects (High/Medium/Low) -7. Coverage accounting + stop-condition status -8. Assumptions & Limits -9. Confidence rating and confidence-raising evidence -10. Residual risks and untested paths +## Report Order (Required) + +1. Confirmed defects (High/Medium/Low) +2. Coverage summary ## Multithreaded DB Priority diff --git a/.cursor/skills/audit-review/SKILL.md b/.cursor/skills/audit-review/SKILL.md index 69300e9264f2..cf92e91c4a01 100644 --- a/.cursor/skills/audit-review/SKILL.md +++ b/.cursor/skills/audit-review/SKILL.md 
@@ -77,88 +77,48 @@ For ClickHouse-style multithreaded systems, prioritize these checks before lower 4. Concurrent container mutation + iterator/reference use. 5. Exception/cancellation paths that can leave locks/state inconsistent. -## Output Contract - -- Start with confirmed defects only. -- Group by severity: High, Medium, Low. -- For each defect include: - - title, - - impact, - - file/function anchor, - - fault-injection trigger, - - transition mapping, - - why it is a defect (not a design preference), - - smallest logical repro steps, - - likely fix direction (short, concrete: 2-4 bullets or sentences), - - regression test direction (short, concrete: 2-4 bullets or sentences), - - affected subsystem and blast radius, - - at least one code snippet proving the defect. -- Separate “not confirmed” or “needs runtime proof” from confirmed defects. -- Include an **Assumptions & Limits** section for static reasoning. -- Include an overall **confidence rating** and what additional evidence would raise confidence. -- If no defects are found, include residual risks and untested paths. -- For large PRs, include per-partition findings/coverage and final cross-partition risk summary. -- Include a fault-category completion matrix for every deep audit. - -### Canonical report order - -1. Scope and partitions (if large PR) -2. Call graph -3. Transition matrix -4. Logical code-path testing summary -5. Fault categories and category-by-category injection results -6. Confirmed defects (High/Medium/Low) -7. Coverage accounting + stop-condition status -8. Assumptions & Limits -9. Confidence rating and confidence-raising evidence -10. 
Residual risks and untested paths - -## Standard Audit Report Template (Default: Short PR Comment Form) - -Default report style should mirror this pattern: -- `Audit update for PR # ():` -- `Confirmed defects:` -- short defect bullets by severity -- `Coverage summary:` - -Use this short form by default unless the user explicitly asks for the full canonical report. -Keep wording concise and action-oriented. Do not include long narrative sections in short form. +## Output Contract (Required) + +Always perform the full deep analysis workflow above, but keep the final user-visible report short and limited to: + +1. `Confirmed defects` +2. `Coverage summary` ```markdown +AI audit note: This review comment was generated by AI (gpt-5.3-codex). + Audit update for PR # (): Confirmed defects: -- **: ** - - Impact: - - Anchor: `` / `` - - Trigger: - - Why defect: <1-2 lines, behavior not preference> - - Fix direction (short): <2-4 bullets or sentences> - - Regression test direction (short): <2-4 bullets or sentences including positive and edge/failure cases> - - Evidence: - ```start:end:path - // minimal proving snippet from code under review - ``` + : + Impact: + Anchor: / + Trigger: + Why defect: <1-2 lines, behavior not preference> + Fix direction (short): <1 line> + Regression test direction (short): <1 line> - Medium -> Low> + Medium -> Low> Coverage summary: -- Scope reviewed: -- Categories failed: -- Categories passed: -- Assumptions/limits: + + Scope reviewed: + Categories failed: + Categories passed: + Assumptions/limits: ``` +If no confirmed defects: +- output `No confirmed defects in reviewed scope.` +- still include `Coverage summary`. + ### Short-form constraints (required) -- Report confirmed defects only (High/Medium/Low order). -- Keep each defect concise (target: 6-10 lines excluding snippet). -- Include at least one code snippet per confirmed defect. -- Snippet must directly show the defect condition or branch inconsistency. 
-- If no confirmed defects: - - output one line: `No confirmed defects in reviewed scope.` - - still include `Coverage summary` with assumptions/limits. +- Keep each defect compact and actionable. +- Include only confirmed defects. +- Use snippets only when needed to prove a defect, or when the user asks. +- Do not include full workflow narrative sections in the report. ## Severity Rubric
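Review bot: (PATCH 1/2, SKILL.md hunk `@@ -113,14 +113,16 @@`) After this commit the skill file defaults to the short form while `.cursor/rules/audit-review.mdc` still carries "Canonical Report Order (Required)" with ten sections and "at least one **code snippet**" per finding (those lines are only removed in PATCH 2/2), so between the two commits the rule and the skill give contradictory instructions; consider squashing the series or landing the rule change first. In the new bullet pattern, "short defect bullets by severity" is the only item not written as a literal line, so it reads as a heading the report should print; phrase it as a description, e.g. `- one short bullet per confirmed defect, High -> Medium -> Low`.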
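Review bot: (PATCH 1/2, SKILL.md hunk `@@ -148,6 +150,16 @@`) The no-defect branch ("output one line: `No confirmed defects in reviewed scope.`", "still include `Coverage summary`") is stated only in the constraints list, not in the markdown template it constrains, so a reader copying the template has no layout for the empty case; add a second template block, or a commented alternative line under `Confirmed defects:`, showing that form. The "target: 6-10 lines excluding snippet" budget also sits uneasily next to the template's "2-4 bullets or sentences" for both Fix direction and Regression test direction, which together can already use eight lines; state which bound wins.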
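Review bot: (PATCH 2/2, `.cursor/rules/audit-review.mdc` hunk `@@ -9,20 +9,27 @@`) Dropping the "audit confidence" block leaves the user-visible report with no signal of how much of the deep analysis actually completed; a defects-only report from a shallow pass now looks identical to one from a full pass, which is exactly the case where a reader over-trusts a `No confirmed defects in reviewed scope.` result. Suggest keeping one line in the Coverage summary, e.g. `- confidence: High/Medium/Low, plus what evidence would raise it`. "Code snippet(s) **only when needed**" is likewise left to the model's judgment; name the criterion (for instance, whenever the defect depends on a specific branch condition or lock order) so it is applied consistently.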
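Review bot: (PATCH 2/2, `.cursor/rules/audit-review.mdc` hunk `@@ -119,18 +126,10 @@`) The unchanged context line at the top of this hunk, "If no defects are found, explicitly report residual risks and untested paths.", now has no slot in the two-item "Report Order (Required)", and the earlier hunk in this file instead prescribes the single line `No confirmed defects in reviewed scope.`; either fold residual risks and untested paths into the Coverage summary's assumptions/limits line or remove that sentence so the two rules do not conflict.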
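Review bot: (PATCH 2/2, SKILL.md hunk `@@ -77,88 +77,48 @@`) The template hardcodes `AI audit note: This review comment was generated by AI (gpt-5.3-codex).`; the model name is a provenance claim that will be copied verbatim by whatever model runs this skill, so it becomes a false attribution as soon as a different model is used. Make the name a placeholder filled in at run time or drop the parenthetical. Separately, the deleted lines "Separate “not confirmed” or “needs runtime proof” from confirmed defects" and "Include a fault-category completion matrix for every deep audit" have no replacement, so findings that could not be proven statically now vanish from the report instead of being listed as unproven; at minimum the `Assumptions/limits:` line should say that such items exist.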