Add AGENTS.md with AI security-audit guidelines#5397
Conversation
Generated with Claude Code
There was a problem hiding this comment.
Pull request overview
Adds a new AGENTS.md document that standardizes how AI coding agents should conduct and route security audits for this repository, including a two-pass verification workflow, issue filing conventions, and a catalog of previously dismissed audit patterns to prevent duplicate/rejected findings.
Changes:
- Introduces the two-repository model (
zeroc-ice/icepublic vszeroc-ice/ice-auditprivate) and severity-based routing rules for findings. - Documents a mandatory two-independent-pass audit workflow with a defined verdict vocabulary and commit-pinned citation requirements.
- Defines issue-filing conventions (titles/labels/milestones/body template) and lists dismissed audit patterns with canonical references.
| gh issue list --repo zeroc-ice/ice-audit --label ai-audit --state all --search "is:closed reason:not-planned" | ||
| gh issue list --repo zeroc-ice/ice --label ai-audit --state all --search "is:closed reason:not-planned" |
|
|
||
| ## Dismissed audit patterns | ||
|
|
||
| The reasoning behind `ai-audit` findings closed as "Not planned" is captured here. Before opening a |
Generated with Claude Code
|
Since an agent can only run such an audit when it has access to both repos (ice and ice-audit), should we put this AGENTS.md in the ice-audit repo? |
There was a problem hiding this comment.
If I understand how AGENTS.md is supposed to work. See also https://agents.md
- I think this is too bloated. AGENTS.md is meant to be read by agentic agents per session. it should be relatively lean to limit token usage.
- It's not just about security audits.
We should have something more like Homebrew's:
- https://github.com/Homebrew/brew/blob/main/AGENTS.md
- https://github.com/Homebrew/homebrew-core/blob/main/AGENTS.md
if we want something an agent reads when doing audit analytics I think belongs elsewhere.
| @@ -0,0 +1,209 @@ | |||
| # Repository Guidelines for AI Coding Agents — Security Audits | |||
There was a problem hiding this comment.
AGENTS.md is not just about security audits. I would just go with the typical # AGENTS.md
| # Repository Guidelines for AI Coding Agents — Security Audits | |
| # AGENTS.md |
| These conventions apply to all AI coding assistants (Claude Code, Codex, Copilot, etc.) performing | ||
| **security audits** of this repository. They cover how an audit is run, how findings are verified, | ||
| where issues are filed, and which findings have already been considered and dismissed. |
There was a problem hiding this comment.
Is this necessary? Seems like wasted tokens/context.
|
I will move this to ai-audit, and keep as a security audit recipe instead of as the general agents file |
Adds
AGENTS.md, with guidelines doc for AI coding agents (Codex, Claude Code, Copilot, etc.) running security audits of this repository. It documents:zeroc-ice/icepublic,zeroc-ice/ice-auditprivate);