Skip to content

llm: link dependency review findings to the approval process doc#157

Merged
withinfocus merged 3 commits into
mainfrom
llm/link-dependency-review-approval-doc
Jul 1, 2026
Merged

llm: link dependency review findings to the approval process doc#157
withinfocus merged 3 commits into
mainfrom
llm/link-dependency-review-approval-doc

Conversation

@withinfocus

Copy link
Copy Markdown
Contributor

🎟️ Tracking

No Jira ticket. I noticed this while working in the reviewing-dependency-changes skill.

📔 Objective

The reviewing-dependency-changes skill emits findings that mention Bitwarden's "Dependency Review and Approval" process, but the text didn't link anywhere. A reviewer reading a posted comment had no direct path to the documentation.

This links the process name to its Confluence page in the Area 1 finding text, and adds an instruction so any finding that references the process carries the link into the posted comment.

Also bumps bitwarden-code-review to 1.13.1 and adds a changelog entry.

The reviewing-dependency-changes skill now links the Dependency Review
and Approval process name to its Confluence page in emitted findings, so
posted review comments point reviewers to the canonical documentation.

Bump bitwarden-code-review to 1.13.1 with changelog entry.
@withinfocus withinfocus added the ai-review Request a Claude code review label Jul 1, 2026
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown

🔍 Plugin Validation Report — PR #157

Plugin: bitwarden-code-review · Version: 1.13.0 → 1.13.1 (PATCH)

Result: ✅ PASS — No critical, major, or blocking issues. Two optional/minor observations below.

Changed files reviewed

  • plugins/bitwarden-code-review/.claude-plugin/plugin.json (version bump)
  • plugins/bitwarden-code-review/CHANGELOG.md (new 1.13.1 entry)
  • plugins/bitwarden-code-review/skills/reviewing-dependency-changes/SKILL.md (added Confluence link + emit-time linking instruction)

1. Plugin Structure (plugin-validator)

Check Status
plugin.json valid JSON, required fields, kebab-case name
SemVer version 1.13.1 valid
Version consistency: plugin.json = marketplace.json = CHANGELOG top entry (all 1.13.1)
CHANGELOG follows Keep a Changelog; 1.13.1 entry dated 2026-07-01 under ### Changed, accurately describes the change
Directory layout / auto-discovery (8 skills, 2 commands, 1 agent)
Skill frontmatter (name, description) present on all skills
README.md present
No hooks / plugin-level MCP configs (not required)
No hardcoded credentials in plugin files

ℹ️ Informational — AGENT.md version. agents/bitwarden-code-reviewer/AGENT.md:3 remains at version: 1.13.0 while the plugin is at 1.13.1. This is intentional: commit ba76204 ("llm: keep code-reviewer agent version unchanged") deliberately decoupled it, and the PR is a skill-only documentation change with no agent-behavior impact. Not a defect — noted for traceability.


2. Skill Review (skill-reviewer) — reviewing-dependency-changes

Check Status
YAML frontmatter valid (name, description)
Description quality: third-person, specific triggers (manifest files, bot PRs), scoped vs. sibling plugin
Writing style: consistently imperative/infinitive
Word count ~879 (below 1,000 target, appropriate for a checklist/rubric skill)
Progressive disclosure: lean self-contained file, inline finding templates as examples
Confluence URL consistent across all 3 occurrences (lines 21, 39, 41)
PR change placement (linking instruction moved under ### Severity, line 39) appropriate & clear

🟡 Minor (should-fix, optional). SKILL.md:39 — the instruction says to "always link the process name" when emitting a finding, but the QUESTION finding on line 42 references "AppSec approval" without naming/linking the process. The "always" reads slightly ambiguously against that template. Consider rewording to make the rule conditional, e.g. "When a finding names the Dependency Review and Approval process, link it to …". Cosmetic clarity only — not blocking.


3. Security Validation (reviewing-claude-config)

Check Status
Committed secrets / API keys / tokens / passwords ✅ None
Hardcoded credentials in changed files ✅ None
settings.local.json committed ✅ N/A (not touched)
Permission scoping / dangerous auto-approvals / broad file access ✅ N/A — no settings, hooks, or tool-permission changes in this PR
External references added ✅ Only a Bitwarden Confluence URL (non-sensitive, safe)

All three changed files are documentation/manifest only. No security concerns.


Summary

  • Errors (must fix): none
  • Warnings (should fix): none blocking; 1 optional wording tweak at SKILL.md:39
  • Version & changelog: correct and consistent (1.13.1 across all files)

The PATCH bump is appropriate for this documentation-only enhancement. The change is safe to merge.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

Reviewed a documentation-only change to the reviewing-dependency-changes skill that links the "Dependency Review and Approval" process name to its Confluence page and adds an instruction so any emitted finding referencing the process carries that link into the posted comment. The Confluence URL is identical across all four occurrences (changelog, Area 1 intro, the new instruction line, and the finding text). Verified the patch bump (1.13.0 → 1.13.1) is consistent across marketplace.json, plugin.json, and README.md, with a changelog entry that follows Keep a Changelog format under "Changed" for 2026-07-01. The earlier reviewer concern about bumping the agent file was already addressed and AGENT.md is not part of this diff.

No security, correctness, or breaking-change concerns.

@withinfocus withinfocus marked this pull request as ready for review July 1, 2026 15:27
@withinfocus withinfocus requested a review from a team as a code owner July 1, 2026 15:27

@SaintPatrck SaintPatrck left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. One minor note about the agent version.

Comment thread plugins/bitwarden-code-review/agents/bitwarden-code-reviewer/AGENT.md Outdated
The agent file itself didn't change, so revert its version bump per PR review.
@withinfocus withinfocus requested a review from SaintPatrck July 1, 2026 15:38
Per PR review, the emit-time linking instruction reads more naturally
next to the findings it governs.
@withinfocus withinfocus merged commit 5169f0f into main Jul 1, 2026
10 checks passed
@withinfocus withinfocus deleted the llm/link-dependency-review-approval-doc branch July 1, 2026 18:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ai-review Request a Claude code review

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants