fix: pin security-reviewer to sonnet, explicit model fields, drift test #39
Merged
- security-reviewer: model inherit → sonnet (floor prevents Haiku runs)
- cache-analyzer: add explicit model: inherit (was silent default)
- session-execute: update agent table to match (security-reviewer sonnet)
- test-docs.sh: Group 11 validates table ↔ frontmatter at test time
- CLAUDE.md: session-skill coordination note, Phase 4 section, fix test count
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Local tests not yet uploaded
This repository runs macOS-dependent tests locally (not in CI) to keep
Results will appear either as a Check Run or a PR comment on this commit.
Local Tests (macOS)
183/183 passed — Local Tests (macOS)
Posted by scripts/upload-test-results.sh — Check Run API unavailable.
…ring
Root causes of ci-verify-local.yml always failing:
1. Check Runs API requires a GitHub App token (checks:write) — a regular PAT
always gets 403. Replaced with Commit Status API (POST /statuses/{sha})
which works with any repo-scoped PAT, no GitHub App needed.
2. Upload was called in /session-end before the commit existed, posting the
status on the wrong (previous) commit SHA.
3. Even the PR comment fallback missed because CI fires on pr:opened before
the upload had a chance to run.
Fix:
- upload-test-results.sh: POST to /statuses/{sha} instead of /check-runs
- ci-verify-local.yml: check commit status instead of Check Runs (Option 1)
- session-end SKILL.md: remove premature upload step (wrong SHA), add
post-commit callout: run upload after push, before creating PR
- Docs (CLAUDE.md, CONTRIBUTING.md, README.md, PR template): correct
ordering and wording throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
- security-reviewer agent from inherit → model: sonnet so security review never runs on Haiku even when the main session is in fast mode
- model: inherit to cache-analyzer (was a silent default — now visible in frontmatter)
- test-docs.sh: validates the agent model table in /session-execute against actual agent frontmatter at test time, preventing silent drift
- CLAUDE.md: session-skill coordination note, explicit Phase 4 section, corrected test count (16 → 18)
Type of change
Testing checklist
- make test-docs — Group 11 passes (18/18 tests)
- CLAUDE.md updated with session-skill semantics and Phase 4 note
Risk
No patching, backup/restore, or codesign changes. Docs and agent config only — the model: sonnet pin is the only behavioral change, and only affects the security-reviewer agent (previously ran at session model, now floors at Sonnet).
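The table ↔ frontmatter drift check described in the summary, written here as an added example and not taken from the repository's test-docs.sh. The agents/<name>.md layout, the "| agent | model |" row format, the "Agent" header text and every function name are assumptions.

```shell
# Added example; file layout, table format and function names are assumptions, not the project's.

# Print the model: value from a file's YAML frontmatter (between the first two '---' lines).
# Prints nothing when the field is absent, so a silent default is detectable.
frontmatter_model() {
  awk '
    /^---[ \t]*$/ { fence++; next }
    fence >= 2 { exit }
    fence == 1 && /^model:/ { sub(/^model:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
  ' "$1"
}

# Emit "agent model" pairs from markdown table rows, skipping the header and separator rows.
table_pairs() {
  awk -F'|' '
    NF >= 4 {
      a = $2; m = $3
      gsub(/^[ \t`]+|[ \t`]+$/, "", a); gsub(/^[ \t`]+|[ \t`]+$/, "", m)
      if (a == "" || a == "Agent" || a ~ /^:?-+:?$/) next
      print a, m
    }
  ' "$1"
}

# $1 = table file, $2 = agents directory. Print one DRIFT line per mismatch and return 1
# on any drift. A missing file or missing model: field counts as drift.
check_drift() {
  drift=0
  pairs=$(table_pairs "$1")
  while read -r agent want; do
    [ -n "$agent" ] || continue
    have=$(frontmatter_model "$2/$agent.md" 2>/dev/null) || have=""
    [ "$have" = "$want" ] || { echo "DRIFT $agent: table=$want frontmatter=${have:-unset}"; drift=1; }
  done <<EOF
$pairs
EOF
  return "$drift"
}

# Constructed fixture: the table says sonnet while the agent frontmatter still says inherit.
make_fixture() {
  d=$(mktemp -d) && mkdir "$d/agents" || return 1
  printf '%s\n' '| Agent | Model |' '|---|---|' '| security-reviewer | sonnet |' '| cache-analyzer | inherit |' > "$d/table.md"
  printf '%s\n' '---' 'name: security-reviewer' 'model: inherit' '---' 'body' > "$d/agents/security-reviewer.md"
  printf '%s\n' '---' 'name: cache-analyzer' 'model: inherit' '---' 'model: haiku' > "$d/agents/cache-analyzer.md"
  echo "$d"
}

fx=$(make_fixture) && { check_drift "$fx/table.md" "$fx/agents" || echo "drift detected"; rm -rf "$fx"; }
```

Only the frontmatter is read, so a `model:` line in an agent's body neither satisfies nor trips the check.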