name: focus-on-fix-validity-over-pr-process
description: Prioritize fix validity (threat model, exploitability, coverage, residual risk) over PR process status when reviewing security changes.
Goal
Evaluate whether a security fix actually mitigates the intended risk before discussing CI/check status.
When to Use
- User asks whether a security PR/fix is valid.
- User distinguishes process validity from fix validity.
- Review context includes SSRF/auth/security hardening.
Rules
- Start with fix validity: what attack path is blocked, what remains open, and severity.
- Provide code-based evidence with file and line references for each finding.
- Report process status (CI, checks, mergeability) only as secondary context unless explicitly requested first.
- If the fix is partial, explicitly describe the residual risk and the required follow-up.
- Keep recommendations scoped to the target security mechanism (do not broaden to unrelated subsystems).
Output Pattern
- Findings ordered by severity.
- Verdict on fix validity (complete, partial, or invalid).
- Secondary process note (optional).