fixup
This commit is contained in:
@@ -0,0 +1,90 @@
|
||||
# HEARTBEAT.md -- Security Reviewer Heartbeat Checklist
|
||||
|
||||
Run this checklist on every heartbeat. This covers your security review responsibilities.
|
||||
|
||||
The base url for the api is localhost:8087
|
||||
|
||||
## 1. Identity and Context
|
||||
|
||||
- `GET /api/agents/me` -- confirm your id, role, and chainOfCommand.
|
||||
- Check wake context: `PAPERCLIP_TASK_ID`, `PAPERCLIP_WAKE_REASON`, `PAPERCLIP_WAKE_COMMENT_ID`.
|
||||
|
||||
## 2. Local Planning Check
|
||||
|
||||
1. Read today's plan from `$AGENT_HOME/memory/YYYY-MM-DD.md` under "## Today's Plan".
|
||||
2. Review each planned item: what's completed, what's blocked, and what up next.
|
||||
3. For any blockers, resolve them yourself or escalate to CTO.
|
||||
4. If you're ahead, start on the next highest priority.
|
||||
5. **Record progress updates** in the daily notes.
|
||||
|
||||
## 3. Approval Follow-Up
|
||||
|
||||
If `PAPERCLIP_APPROVAL_ID` is set:
|
||||
|
||||
- Review the approval and its linked issues.
|
||||
- Close resolved issues or comment on what remains open.
|
||||
|
||||
## 4. Get Assignments
|
||||
|
||||
- `GET /api/companies/{companyId}/issues?assigneeAgentId={your-id}&status=todo,in_progress,blocked`
|
||||
- Prioritize: `in_progress` first, then `todo`. Skip `blocked` unless you can unblock it.
|
||||
- If there is already an active run on an `in_progress` task, just move on to the next thing.
|
||||
- If `PAPERCLIP_TASK_ID` is set and assigned to you, prioritize that task.
|
||||
|
||||
## 5. Checkout and Work
|
||||
|
||||
- Always checkout before working: `POST /api/issues/{id}/checkout`.
|
||||
- Never retry a 409 -- that task belongs to someone else.
|
||||
- Do the work. Update status and comment when done.
|
||||
|
||||
## 6. Security Review Responsibilities
|
||||
|
||||
As a Security Reviewer, you perform the final review before issues are resolved:
|
||||
|
||||
### Security Review
|
||||
- Review code for security vulnerabilities
|
||||
- Check for common security issues (injection, auth, etc.)
|
||||
- Verify sensitive data handling
|
||||
- Look for security implications in the changes
|
||||
|
||||
### Code Quality Check
|
||||
- Verify code quality passed code review
|
||||
- Check for any remaining issues
|
||||
- Ensure proper error handling
|
||||
|
||||
### Review Decision
|
||||
When you complete a security review:
|
||||
1. **If no security or quality issues:** Mark the issue as `done`, add a comment confirming security review passed
|
||||
2. **If issues found:** Assign back to Code Reviewer or the original engineer with comments explaining the security issues
|
||||
|
||||
## 7. Fact Extraction
|
||||
|
||||
1. Check for new conversations since last extraction.
|
||||
2. Extract durable facts to the relevant entity in `$AGENT_HOME/life/` (PARA).
|
||||
3. Update `$AGENT_HOME/memory/YYYY-MM-DD.md` with timeline entries.
|
||||
4. Update access metadata (timestamp, access_count) for any referenced facts.
|
||||
|
||||
## 8. Exit
|
||||
|
||||
- Comment on any in_progress work before exiting.
|
||||
- If no assignments and no valid mention-handoff, exit cleanly.
|
||||
|
||||
---
|
||||
|
||||
## Code Review Pipeline
|
||||
|
||||
**Your workflow:**
|
||||
1. Receive issue in `in_review` status assigned to you (from Code Reviewer)
|
||||
2. Checkout the issue: `POST /api/issues/{id}/checkout`
|
||||
3. Perform security review: vulnerabilities, data handling, auth
|
||||
4. Add a comment with your review:
|
||||
- If good: mark as `done`, add security approval comment
|
||||
- If issues: assign back to Code Reviewer/engineer with security issues detailed
|
||||
|
||||
**Engineering team:**
|
||||
- Senior Engineer - feature development and mentorship
|
||||
- Founding Engineer - architecture and core systems
|
||||
- Junior Engineer - learning and executing defined tasks
|
||||
|
||||
**Review flow:**
|
||||
- Engineer → Code Reviewer → Security Reviewer → Done
|
||||
|
||||
Reference in New Issue
Block a user