change the audit report to short form

.cursor/rules/audit-review.mdc

@@ -9,20 +9,27 @@ Use this format when the user asks for a deep audit, fault injection, or review
 
 ## Required Output
 
-- Report **confirmed defects only** first.
-- Classify each finding as **High**, **Medium**, or **Low**.
-- For each finding include:
+The audit process must remain deep (all analysis dimensions below are still required), but the final user-visible report must include only:
+
+1. **Confirmed defects**
+2. **Coverage summary**
+
+Output rules:
+
+- Report **confirmed defects only** (no hypotheticals).
+- Classify each defect as **High**, **Medium**, or **Low**.
+- For each confirmed defect include:
   - short title,
   - concrete impact,
   - exact file/function reference,
   - brief proof sketch tied to code path,
-  - at least one **code snippet** that demonstrates the defect condition.
-- Include an **Assumptions & Limits** section for static reasoning:
-  - what was not executed at runtime,
-  - what could not be proven without dynamic testing.
-- Include **audit confidence**:
-  - overall confidence (High/Medium/Low),
-  - what additional evidence would raise confidence.
+  - code snippet(s) **only when needed** to prove the defect condition.
+- If no defects are confirmed, explicitly output `No confirmed defects in reviewed scope.`
+- Include a concise **Coverage summary** with:
+  - scope reviewed,
+  - categories failed,
+  - categories passed,
+  - assumptions/limits (single concise line).
 
 ## Severity Rubric (Required)
 
@@ -119,18 +126,10 @@ Use this format when the user asks for a deep audit, fault injection, or review
   - one primary defect per root cause, with secondary manifestations listed under it.
 - If no defects are found, explicitly report residual risks and untested paths.
 
-## Canonical Report Order (Required)
-
-1. Scope and partitions (if large PR)
-2. Call graph
-3. Transition matrix
-4. Logical code-path testing summary
-5. Fault categories and category-by-category injection results
-6. Confirmed defects (High/Medium/Low)
-7. Coverage accounting + stop-condition status
-8. Assumptions & Limits
-9. Confidence rating and confidence-raising evidence
-10. Residual risks and untested paths
+## Report Order (Required)
+
+1. Confirmed defects (High/Medium/Low)
+2. Coverage summary
 
 ## Multithreaded DB Priority
 

.cursor/skills/audit-review/SKILL.md

@@ -77,77 +77,49 @@ For ClickHouse-style multithreaded systems, prioritize these checks before lower
 4. Concurrent container mutation + iterator/reference use.
 5. Exception/cancellation paths that can leave locks/state inconsistent.
 
-## Output Contract
-
-- Start with confirmed defects only.
-- Group by severity: High, Medium, Low.
-- For each defect include:
-  - title,
-  - impact,
-  - file/function anchor,
-  - fault-injection trigger,
-  - transition mapping,
-  - why it is a defect (not a design preference),
-  - smallest logical repro steps,
-  - likely fix direction (short, concrete: 2-4 bullets or sentences),
-  - regression test direction (short, concrete: 2-4 bullets or sentences),
-  - affected subsystem and blast radius,
-  - at least one code snippet proving the defect.
-- Separate “not confirmed” or “needs runtime proof” from confirmed defects.
-- Include an **Assumptions & Limits** section for static reasoning.
-- Include an overall **confidence rating** and what additional evidence would raise confidence.
-- If no defects are found, include residual risks and untested paths.
-- For large PRs, include per-partition findings/coverage and final cross-partition risk summary.
-- Include a fault-category completion matrix for every deep audit.
-
-### Canonical report order
-
-1. Scope and partitions (if large PR)
-2. Call graph
-3. Transition matrix
-4. Logical code-path testing summary
-5. Fault categories and category-by-category injection results
-6. Confirmed defects (High/Medium/Low)
-7. Coverage accounting + stop-condition status
-8. Assumptions & Limits
-9. Confidence rating and confidence-raising evidence
-10. Residual risks and untested paths
-
-## Standard Audit Report Template (Default: Pointed PR Style)
-
-Default report style should match concise PR review comments:
-- fail-first and action-oriented,
-- only confirmed defects (no pass-by-pass narrative),
-- one short summary line when there are no confirmed defects.
-
-Use the compact template below by default. Use the full 10-section canonical format only when explicitly requested.
+## Output Contract (Required)
+
+Always perform the full deep analysis workflow above, but keep the final user-visible report short and limited to:
+
+1. `Confirmed defects`
+2. `Coverage summary`
 
 ```markdown
+AI audit note: This review comment was generated by AI (gpt-5.3-codex).
+
 Audit update for PR #<id> (<short title/scope>):
 
 Confirmed defects:
 
-- **<Severity>: <short defect title>**
-  - Impact: <concrete user/system impact>
-  - Anchor: `<file>` / `<function or code path>`
-  - Trigger: <smallest condition that triggers defect>
-  - Why defect: <1-2 lines, behavior not preference>
-  - Fix direction (short): <2-4 bullets or sentences>
-  - Regression test direction (short): <2-4 bullets or sentences including positive and edge/failure cases>
-  - Evidence:
-    ```start:end:path
-    // minimal proving snippet
-    ```
+    <Severity>: <short defect title>
+        Impact: <concrete user/system impact>
+        Anchor: <file> / <function or code path>
+        Trigger: <smallest realistic trigger condition>
+        Why defect: <1-2 lines, behavior not preference>
+        Fix direction (short): <1 line>
+        Regression test direction (short): <1 line>
 
-<repeat per defect, sorted High -> Medium -> Low>
+<repeat defects, sorted High -> Medium -> Low>
 
 Coverage summary:
-- Scope reviewed: <partitions or key areas, one line>
-- Categories failed: <count/list>
-- Categories passed: <count only>
-- Assumptions/limits: <one line>
+
+    Scope reviewed: <one line>
+    Categories failed: <short list>
+    Categories passed: <short list or count>
+    Assumptions/limits: <one line>
 ```
 
+If no confirmed defects:
+- output `No confirmed defects in reviewed scope.`
+- still include `Coverage summary`.
+
+### Short-form constraints (required)
+
+- Keep each defect compact and actionable.
+- Include only confirmed defects.
+- Use snippets only when needed to prove a defect, or when the user asks.
+- Do not include full workflow narrative sections in the report.
+
 ## Severity Rubric
 
 - High: realistic trigger can cause crash/UB/data corruption/auth bypass/deadlock.