feat: add /request-audit skill for preparing Slack audit requests #1761
mirooon wants to merge 37 commits into
Adds a Claude Code skill (`/request-audit <PR> [--urgent]`) that fetches a PR, extracts scope and context (including optional Slack thread background), drafts a structured audit request message, and outputs it ready to send to the Sujith or burrasec audit channels. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Walkthrough
This PR adds a complete Slack-based audit request workflow for smart contract PRs, including command documentation, webhook message poster script, environment configuration, and a new foundational rule governing authoring constraints for all agent rules and commands.
Changes
- Request-audit Slack Workflow
- Authoring Constraints Framework
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes
🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
Actionable comments posted: 2
🧹 Nitpick comments (1)
.agents/commands/request-audit.md (1)
31-31: ⚡ Quick win
Flow can be simplified: known-restricted channels should skip API attempt
The doc says these channels always fail via API, but Step 6 still attempts `slack_send_message` first. Consider short-circuiting directly to Step 6b for these channel IDs to avoid guaranteed failures and noisy error handling.
Also applies to: 313-340
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.agents/commands/request-audit.md at line 31, Modify the audit flow to short-circuit API calls for known-restricted Slack channels: when the target channel ID is in the list of known-restricted channel IDs (the ones documented around lines 31 and 313-340), do not call the slack_send_message tool and instead directly branch to Step 6b (the manual/post-failure path). Update the code that orchestrates the Step 6 send (the function that invokes slack_send_message) to check the channel against the KNOWN_RESTRICTED_CHANNELS set first and immediately skip to the Step 6b handling routine if matched, avoiding the attempted API call and noisy error handling.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.agents/commands/request-audit.md:
- Around line 337-370: Step 6b’s manual fallback currently writes to a single
fixed path (/tmp/audit-request-{pr_number}.md) and can overwrite content when
the user selects "Both channels"; update the behavior so both channel drafts are
preserved by either (a) appending each channel block to the same file with a
clear separator and channel header, or (b) writing separate files per channel
(e.g. /tmp/audit-request-{pr_number}-external.md and -internal.md) and adjust
the user message accordingly; ensure the text around slack_send_message and the
warning block explicitly documents which file(s) were written and that both
channel blocks are preserved when "Both channels" is chosen.
- Around line 160-170: The documentation's `scope_summary` rule mandates
wrapping contract+version in backticks but the example messages (e.g., "Audit:
DeBridgeDlnFacet v1.1.0 :thread:") omit backticks, causing inconsistency; update
the examples so they follow the rule (e.g., use `` `GenericSwapFacetV3 v2.0.0`
`` and pluralized forms like `` `GenericSwapFacetV3 v2.0.0` + 6 more ``) and
ensure the `urgency_suffix` example shows both states (with and without `
(urgent)`) so `scope_summary` and `urgency_suffix` are consistently demonstrated
across all sample lines.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: 870a4f96-fee3-434d-a177-f15fc7c401a8
📒 Files selected for processing (3)
- .agents/commands/request-audit.md
- .claude/skills/request-audit/SKILL.md
- .cursor/commands/request-audit.md
…l file overwrite
- Example parent messages now use backtick-wrapped scope_summary to match the formatting rule (were showing plain text, causing implementer confusion)
- Step 6b now builds the full file content for all chosen channels before writing once, preventing the second channel from overwriting the first
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…limitation scope_summary and full_scope_list backtick rules now explicitly state they apply to API posting only. File output (the actual path for Slack Connect channels) is consistently plain text throughout, resolving the contradiction with the documented known limitation. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaces the manual /tmp copy-paste fallback in /request-audit with a direct post via incoming webhooks read from .env. Reuses the existing SlackNotifier (script/utils/slack-notifier.ts) behind a small generic CLI so any future skill can post to a Slack channel the same way.
Convention: webhook_<channel-name>=<incoming-webhook-url> in .env. Helper exits 0 on success, 2 if the webhook env var is unset (skill falls back to the existing /tmp manual file for that channel only), and 1 on Slack/network error.
Also fixes the channel names in the skill table:
#lifi-external-sujith -> #dev-sc-audit
#lifi-external-burrasec -> #dev-sc-audit-burrasec
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ck-post feat: post audit requests directly to Slack via webhook helper
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.agents/commands/request-audit.md:
- Around line 359-367: The Step 6b description is inconsistent: it mixes the
trigger "helper exit 2" with fallback behavior for a legacy slack_send_message
error and contradicts whether actions are per-channel or aggregated; update the
text so the flow is unambiguous — either (A) keep "helper exit 2" as a
per-channel manual fallback and remove the "write all chosen channels"
requirement, or (B) state that on helper exit 2 you should still attempt
slack_send_message and if it fails with mcp_externally_shared_channel_restricted
then build a single aggregated content containing display-name mentions for all
chosen channels and write that content once to
/tmp/audit-request-{pr_number}.md; explicitly reference Step 6b, helper exit 2,
slack_send_message and the file /tmp/audit-request-{pr_number}.md so the
implementer knows which symbols to change.
- Around line 269-284: Update the outdated preview channel names shown as
"#lifi-external-sujith" and "#lifi-external-burrasec" in the Options block to
the current routing channels "#dev-sc-audit" and "#dev-sc-audit-burrasec" so the
displayed parent/thread labels match the actual command routing; specifically
replace the strings "Option 1: Sujith (`#lifi-external-sujith`)" and "Option 2:
Burrasec (`#lifi-external-burrasec`)" with "Option 1: Sujith (`#dev-sc-audit`)" and
"Option 2: Burrasec (`#dev-sc-audit-burrasec`)" respectively to avoid user
confusion.
In `@script/utils/send-slack-webhook-message.ts`:
- Around line 26-36: The channel string returned by parseArgs retains user
casing but main constructs the env key using webhook_${channel}, causing
mismatches; update parseArgs (or immediately after parseArgs in main) to
normalize channel to lowercase after removing the leading '#' (e.g., set channel
= channel.toLowerCase()) so the env lookup (envVar = `webhook_${channel}`) uses
a lowercase key; keep the existing validation (the /^[a-z0-9._-]+$/i test)
intact so it still accepts mixed-case input but store/return the normalized
lowercase channel from parseArgs (or convert right before building envVar in
main).
📒 Files selected for processing (3)
- .agents/commands/request-audit.md
- .env.example
- script/utils/send-slack-webhook-message.ts
Changed the naming convention for Slack webhook environment variables in `.env.example` and related documentation to use uppercase and underscores instead of lowercase and hyphens. This includes updates to the `request-audit` command documentation and the webhook message sending utility to ensure consistency across the codebase.
…tation Changed the Slack channel references in the `request-audit` command documentation from `#lifi-external-sujith` to `#dev-sc-audit` and from `#lifi-external-burrasec` to `#dev-sc-audit-burrasec` for consistency with the new naming convention.
Updated the `request-audit` command documentation to clarify the conditions under which manual fallback is triggered. Specified that only channels with exit code `2` (missing webhook env var) will receive fallback blocks, and emphasized the need to build the full file content before writing to avoid overwriting. Adjusted formatting instructions for clarity and consistency.
Corrected the display name for the Burrasec auditor from `Josip Vuković` to `Josip Koncurat` in the `request-audit` command documentation. Enhanced the Slack ID note for clarity regarding the importance of verifying IDs to prevent incorrect mentions.
Skill was carrying ~30% redundancy that cost tokens on every invocation without changing behavior. Each loaded line is read on every /request-audit run, so duplicate or stale guidance is pure overhead.
Removed:
- **Quality Checklist (~21 lines)** — every bullet restated a rule already given in Steps 1–6. The model just read those rules ~200 lines earlier; repeating them as a checklist doesn't improve compliance, it doubles the token cost of the same guidance.
- **Historical note about legacy MCP path (~3 lines)** — told the model to ignore an error string (`mcp_externally_shared_channel_restricted`) it would never see, since the MCP path was removed in PR #1765. Pure noise with no actionable content.
- **Standalone "Webhook posting note" callout between Step 3a and 3b (~3 lines)** — duplicated guidance already encoded in Step 6 step 1 ("drop the 🧵 suffix … incoming webhooks can't thread"). Removing the standalone callout improves locality: the rule now lives only where it is applied.
- **"File output exception" callout in Step 3 (~5 lines)** — Step 6b already states the same rule ("plain text — Slack does not render backtick inline code from pasted content"). Replaced with a one-clause parenthetical pointing to Step 6b instead of a separate quote block.
- **Two redundant rows in Error Handling table (~2 lines)** — the "Helper exits 0/1/2" rows duplicated the exit-code table already shown in Step 6. Replaced with a one-line pointer; kept the rows that are unique to Error Handling (PR not found, no commits, scope undetermined, invalid 1–4 input).
- **Examples block in usage callout (~4 lines)** — line above already shows the canonical usage form; the three example invocations added no information.
Compressed:
- **"Slack ID note" warning** — 4 sentences of prose → 2. Kept the actionable claim (re-verify Burrasec ID before relying on it) and the reason (webhooks paste IDs verbatim, wrong ID renders as @unknown). Dropped meta-commentary about how the IDs were inherited.
- **"Context (reason for audit)" preamble** — 3 paragraphs of prose + 5 numbered points → 1 sentence + 4-bullet list. Same rules, no prose loss; cut ~8 lines.
What was deliberately NOT removed:
- The worked PR #1715 example stays inline. It is the only place the skill calibrates prose density ("5–7 sentences" is abstract; the example shows what that actually looks like). Splitting it into a sibling file was tested and reverted — the model reads it anyway, so splitting just adds a Read round-trip without saving real tokens.
- Step-by-step structure, exact templates with placeholders, exit-code → action table in Step 6, blocking-interaction guards ("Stop here. Wait for the user's reply"), and the `--urgent` flag rules.
Net: 480 → 440 lines (-8%) with no operational rule lost. Skill ran PR #1715 successfully end-to-end in the same session that produced this trim, so the removed content was demonstrably not load-bearing.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…mmand table
- add-new-rule.md: added "Modifying an Existing Rule" section (edits apply the same principles as creation) and a comprehensive "Skill Authoring Principles" section derived from the Anthropic best-practices guide + session learnings: concise-is-key, size/redundancy rules, naming/description conventions, helper exit-code contract, and a note on progressive disclosure (avoid splitting content the model always reads)
- 200-typescript.md: added env-var naming rule — UPPERCASE with underscores, .env.example must stay in sync; captures the regression from this session where webhook vars were introduced in lowercase
- README.md: added missing commands (add-network, deprecate-network, request-audit) to the Custom Commands table; all 7 commands now listed
- context.md: corrected stale "6 command files" count to 7
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.agents/commands/request-audit.md:
- Around line 384-386: Update the fallback message to use an explicit env-var
placeholder and examples so readers won't misname the variable: replace the
ambiguous WEBHOOK_{CHANNEL_UPPER} with a clearer token like
WEBHOOK_{CHANNEL_ENV_KEY} and include concrete examples showing the
normalization rule (e.g., channel "dev-sc-audit" → env key "DEV_SC_AUDIT" so var
becomes WEBHOOK_DEV_SC_AUDIT) and/or list both channel examples; adjust the
message that mentions #{channel} and /tmp/audit-request-{pr_number}.md
accordingly so the placeholder and examples are consistent with the
hyphens→underscores rule.
📒 Files selected for processing (7)
- .agents/commands/add-new-rule.md
- .agents/commands/request-audit.md
- .agents/context.md
- .agents/rules/200-typescript.md
- .agents/rules/README.md
- .env.example
- script/utils/send-slack-webhook-message.ts
✅ Files skipped from review due to trivial changes (3)
- .agents/rules/200-typescript.md
- .agents/context.md
- .agents/rules/README.md
🚧 Files skipped from review as they are similar to previous changes (2)
- .env.example
- script/utils/send-slack-webhook-message.ts
…/ constraints Previously the authoring constraints (no-dup, size limits, naming, validation) lived only in the add-new-rule command and required explicit /add-new-rule invocation. They would silently not apply on casual "edit this rule" requests. New rule 010-agents-authoring activates automatically via paths matching .agents/rules/*.md and .agents/commands/*.md, so constraints are enforced on every edit without needing the command. add-new-rule.md trimmed from 222 → 138 lines by removing the sections now covered by the rule (no-dup, cross-refs, size/focus, naming, skill authoring principles, modifying section). Only procedural content remains: symlink setup, hybrid frontmatter examples, step-by-step creation workflows, helper exit codes, validation steps, and SC department checklist. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Incorrectly removed when trimming duplicates — the "Rule interaction" block contains procedural steps unique to the add-new-rule workflow (identify which rules apply via globs, check for conflicts with higher-priority rules) that are not covered by the 010-agents-authoring auto-rule. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Items 1/3/4 from Best Practices (focused, specific globs, minimize alwaysApply) duplicated constraints already enforced by 010-agents-authoring. Kept only the two items not covered elsewhere ([CONV:*] anchors, self-contained) and added a pointer to the rule. Replaced the manual Adding New Rules step-list with a one-liner pointing to /add-new-rule. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… concrete var names The placeholder was ambiguous — could be read as uppercase-only with hyphens (e.g. WEBHOOK_DEV-SC-AUDIT), conflicting with the hyphens→underscores normalization rule. Now shows the actual var names (WEBHOOK_DEV_SC_AUDIT / WEBHOOK_DEV_SC_AUDIT_BURRASEC) so there's no room for misinterpretation. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… clarity Revised the documentation in the `request-audit` command to specify the correct path for the webhook environment variable in 1Password. The previous reference was ambiguous, and this change aims to enhance clarity for users setting up the webhook integration.
Actionable comments posted: 1
♻️ Duplicate comments (1)
.agents/commands/request-audit.md (1)
384-386: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win
Use the exact missing env var name per fallback channel (not an “or” placeholder).
This text is still ambiguous for single-channel fallback and can lead to users setting the wrong variable. Print the concrete missing key(s) for the channel(s) that exited `2` (e.g., only `WEBHOOK_DEV_SC_AUDIT_BURRASEC` when Burrasec alone fell back).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.agents/commands/request-audit.md around lines 384 - 386, The fallback message currently prints an ambiguous “(or WEBHOOK_DEV_SC_AUDIT_BURRASEC)” placeholder for missing env vars; change the logic that emits the fallback line (the code that writes the message about WEBHOOK_DEV_SC_AUDIT / WEBHOOK_DEV_SC_AUDIT_BURRASEC and the manual fallback path /tmp/audit-request-{pr_number}.md and the #{channel} placeholder) so it prints the exact missing environment variable name(s) for the channel(s) that returned exit code 2 (e.g., emit only WEBHOOK_DEV_SC_AUDIT_BURRASEC when Burrasec failed), rather than an “or” combined placeholder; ensure the message uses the concrete key(s) for clarity.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.agents/commands/request-audit.md:
- Around line 165-166: The markdown has leading spaces inside code spans for the
contract suffix and urgency suffix—replace occurrences of the code spans '` + N
more`' and '` (urgent)`' so the spaces sit outside the backticks (e.g., "`+ N
more`" becomes " + `N more`" or better " + N more" with only the token in
backticks), and update any usage of the urgency_suffix rendering (symbol
urgency_suffix) to output the backticks without the leading space inside them so
the spaces are outside the code span; this will remove the
leading-space-in-code-span and satisfy markdownlint MD038.
📒 Files selected for processing (6)
- .agents/commands/add-new-rule.md
- .agents/commands/request-audit.md
- .agents/rules/010-agents-authoring.md
- .agents/rules/README.md
- .claude/rules/010-agents-authoring.md
- .cursor/rules/010-agents-authoring.mdc
✅ Files skipped from review due to trivial changes (2)
- .cursor/rules/010-agents-authoring.mdc
- .claude/rules/010-agents-authoring.md
🚧 Files skipped from review as they are similar to previous changes (1)
- .agents/rules/README.md
The README covered both rules and commands but lived under .agents/rules/, making it the wrong home for the commands index. Moving it one level up to .agents/README.md reflects its true scope. Updated all references in 010-agents-authoring.md and add-new-rule.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…nts to 010-agents-authoring These were dropped from README Best Practices without being added to the rule, leaving a gap: they only existed in add-new-rule.md (command, explicit-invoke only) so they weren't auto-enforced on casual edits to .agents/ files. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three things were dropped when condensing from add-new-rule.md:
- Split/Merge guidance (when to split vs merge rules/commands)
- Implementation details section (what belongs in rules vs what to exclude)
- Circular reference warning in cross-references
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Step 1b — Gather Additional Context (Always Ask)
**After fetching the PR but before drafting the message**, always ask the user:
There was a problem hiding this comment.
I am not sure if this is really required (it stops the automatic flow).
I would say in most cases we just post the audit and enough context can be derived from the PR itself (and maybe the linear ticket?).
Would suggest to not force a user question here
There was a problem hiding this comment.
tbh I’d keep it as a reminder. In general, it seems easier for skill to connect PRs with tickets than with Slack threads. Also, Slack conversations tend to get fragmented. For example, with Tron USDT I had to link 2–3 different threads already. So I think it’s better to keep it as a reminder to avoid losing context
Always prefer sources 1–3 over fallback 4.
### Context (reason for audit)
There was a problem hiding this comment.
the whole skill would benefit from reading the linear ticket. High likelihood for finding relevant context
There was a problem hiding this comment.
good point! How could I forget about it...
commit: 809c3c2
Reduce request-audit skill from 433 to 356 lines (~18%) without changing behavior.
Main consolidations:
- Merge the two near-identical thread-reply templates (3b + 3c) into one parameterized template with a 2-row variant table; the only real difference was greeting position.
- Flatten Step 2 sub-headers (Scope / Context / Urgency) to inline bold labels with bullet lists — same content, less heading noise.
- Collapse the Setup section while keeping the .env example, the WEBHOOK_<CHANNEL> convention, and the 1Password reference verbatim.
- In the worked PR #1715 example, keep the full Tron context paragraph (it is the prose-density calibration) but collapse the Burrasec block to a single sentence since the variant table now defines the diff.
Nothing functional removed: all 4 scope sources, all 4 context extract sources, all 3 urgency triggers, exit-code semantics, manual-fallback transforms, code-style rule, and the worked example are preserved.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…hten refactor(skill): tighten request-audit, merge Sujith/Burrasec templates
Removes the residual re-verify-Slack-IDs callout and teaches the request-audit skill to auto-fetch the linked Linear ticket (EXSC team) as another source for the context paragraph. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Updated the urgency section to include additional conditions for flagging requests as urgent, specifically incorporating Linear ticket priority and due date considerations. This change aims to improve the clarity and effectiveness of the request-audit process. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Updated the README and command documentation to specify that authoring constraints are enforced when editing `.agents/rules/*.md` or `.agents/commands/*.md`, enhancing clarity on the scope of the `010-agents-authoring` rule. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Test Coverage Report
Line Coverage: 90.00% (3249 / 3610 lines)
Step 1b no longer halts to ask for a Slack thread. It now enriches from Slack only when readily available (Linear-linked thread or context passed in the invocation) and otherwise drafts straight from PR + Linear context. Addresses review feedback that the mandatory prompt was over-engineered. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
CodeRabbit: command descriptions must be third person, present tense, and state when to use the command (rule 010-agents-authoring). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
CodeRabbit: line 27 named vault "Engineering"/item "slack-webhooks" but the fallback message references "Developers Smart Contract -> Webhooks SC Channels" (the real location). Aligned line 27 to match. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Which Linear task belongs to this PR?
N/A — internal tooling improvement.
Why did I implement it this way?
Preparing audit requests for Sujith or the burrasec team was a manual, error-prone process: finding the latest commit hash, extracting the scope from the PR title/body, writing consistent context, and formatting the Slack message correctly. This skill automates all of that.
Beyond the skill itself, this PR encodes the learnings from building it into the repo's agent infrastructure — so future skills are written to the same standard automatically, without needing to remember to check a doc.
What changed
`/request-audit` skill
- `gh pr view` and extracts scope (contract names + versions) from the title brackets, PR body table, or changed `src/` files as fallback
- `Merge order` sections) and surfaces the audit step number so auditors know what is and isn't in scope
- `#dev-sc-audit` and `#dev-sc-audit-burrasec`, with correct auditor mentions
- `WEBHOOK_DEV_SC_AUDIT` / `WEBHOOK_DEV_SC_AUDIT_BURRASEC` from `.env`); falls back to a `/tmp` file if the env var is unset
Skill authoring infrastructure
Building the skill surfaced best practices from the Anthropic skill authoring docs that weren't yet enforced anywhere in the repo. Rather than leaving them as tribal knowledge, they are now encoded as a rule that auto-activates whenever anyone edits `.agents/rules/` or `.agents/commands/` files:
- `010-agents-authoring.md` (new rule, auto-loaded on `.agents/` edits): enforces ≤500 line limit, no redundant quality checklists, consistent terminology, no duplicate guidance, numeric prefix uniqueness, symlink integrity
- `add-new-rule.md` trimmed from ~220 → 138 lines: duplicate constraints removed (now owned by the rule); only procedural how-to content remains
- `.agents/README.md` moved from `.agents/rules/README.md` — it covers both rules and commands so it belongs one level up; Best Practices section trimmed of items now enforced by `010-agents-authoring`
Other fixes made during the session
- `WEBHOOK_DEV_SC_AUDIT`, not `webhook_dev-sc-audit`) in the helper script, `.env.example`, and skill doc — convention added to `200-typescript.md` so it's enforced going forward
- `#dev-sc-audit` / `#dev-sc-audit-burrasec`)
- `add-network`, `deprecate-network`, `request-audit` were missing
Known limitations
1. Flat message instead of threaded
Incoming webhooks cannot return a `ts` (message timestamp), so it's impossible to post a reply to a parent message — both parts are sent as a single combined message. The previous MCP-based path used `chat.postMessage` which supports threading. A follow-up ticket covers replacing the webhook helper with a proper Slack bot token (`SLACK_AUDIT_BOT_TOKEN`) to restore threading.
2. Backtick code formatting does not survive copy-paste from a file
Slack renders inline code correctly when posted via API but shows literal backtick characters when content is pasted from an external file. The `/tmp` fallback file uses plain text for this reason.
Checklist before requesting a review
Checklist for reviewer (DO NOT DEPLOY and contracts BEFORE CHECKING THIS!!!)
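
The helper contract described in the commits and review comments above (channel name to `WEBHOOK_<CHANNEL>` key, exit codes 0/1/2, a fallback notice naming only the missing variable), sketched as an added example; it is not the repository's `send-slack-webhook-message.ts`. The function names, the handling of dots, the Slack URL prefix check with its exit code, and the sample environment are assumptions.

```typescript
// Added illustration, not the repository's send-slack-webhook-message.ts.
// All function and constant names here are hypothetical.

type Env = Record<string, string | undefined>

// Exit codes as described in the PR: 0 posted, 1 Slack/network error,
// 2 webhook env var unset (the skill then writes the /tmp fallback file).
const EXIT = { OK: 0, SLACK_ERROR: 1, WEBHOOK_UNSET: 2 } as const

// Same character set the review quotes for the helper's channel validation.
const CHANNEL_PATTERN = /^[a-z0-9._-]+$/i

// Assumption: a Slack incoming-webhook URL starts with this prefix.
const SLACK_WEBHOOK_PREFIX = /^https:\/\/hooks\.slack\.com\/services\//

// Strip a leading '#', validate, and lowercase so "#Dev-SC-Audit" and
// "dev-sc-audit" resolve to the same key.
function normalizeChannel(raw: string): string {
  const channel = raw.trim().replace(/^#/, '')
  if (!CHANNEL_PATTERN.test(channel)) {
    throw new Error(`invalid channel name: ${JSON.stringify(raw)}`)
  }
  return channel.toLowerCase()
}

// dev-sc-audit -> WEBHOOK_DEV_SC_AUDIT (hyphens become underscores, as on the
// page; treating dots the same way is an assumption of this example).
function channelToEnvKey(raw: string): string {
  return `WEBHOOK_${normalizeChannel(raw).toUpperCase().replace(/[.-]/g, '_')}`
}

interface Preflight {
  channel: string
  envKey: string
  exitCode: number | null // null: ready to post
}

// Decide, without any network call, what the helper would do for a channel.
function preflight(rawChannel: string, env: Env): Preflight {
  const channel = normalizeChannel(rawChannel)
  const envKey = channelToEnvKey(channel)
  const url = (env[envKey] ?? '').trim()
  if (url === '') return { channel, envKey, exitCode: EXIT.WEBHOOK_UNSET }
  // Assumption: a value that is not a Slack webhook URL is refused with exit 1
  // rather than posted, so the draft cannot be sent to an arbitrary endpoint.
  if (!SLACK_WEBHOOK_PREFIX.test(url)) {
    return { channel, envKey, exitCode: EXIT.SLACK_ERROR }
  }
  return { channel, envKey, exitCode: null }
}

// Fallback notice that names only the variables that are actually missing.
function fallbackNotice(results: Preflight[], prNumber: number): string | null {
  const missing = results.filter((r) => r.exitCode === EXIT.WEBHOOK_UNSET)
  if (missing.length === 0) return null
  const keys = missing.map((r) => r.envKey).join(', ')
  const channels = missing.map((r) => `#${r.channel}`).join(', ')
  return `Missing ${keys}: draft for ${channels} written to /tmp/audit-request-${prNumber}.md`
}

// The webhook URL is a bearer secret; log only this redacted form.
function redactWebhook(url: string): string {
  return url.replace(/(\/services\/).*/, '$1<redacted>')
}

// Constructed sample environment: only one of the two channels is configured.
const SAMPLE_ENV: Env = {
  WEBHOOK_DEV_SC_AUDIT: 'https://hooks.slack.com/services/TEXAMPLE/BEXAMPLE/constructed',
}
```
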