Skip to content

fix(security-guidance): allow null findings in StructuredOutput schema#74021

Open
sourabharsh wants to merge 1 commit into
anthropics:mainfrom
sourabharsh:fix/security-guidance-null-findings-schema
Open

fix(security-guidance): allow null findings in StructuredOutput schema#74021
sourabharsh wants to merge 1 commit into
anthropics:mainfrom
sourabharsh:fix/security-guidance-null-findings-schema

Conversation

@sourabharsh

Copy link
Copy Markdown

Summary

The agentic commit reviewer's FINDINGS_SCHEMA required findings to be type array. When the model found no vulnerabilities it sometimes emitted null instead of [], causing a schema rejection that wasted an extra turn retrying. Observed in 31 review sessions across 7 repos.

The consuming code already handles null via inv.get("findings") or [] in llm.py (lines 1324, 1368), so only the schema was too strict.

Changes

  • plugins/security-guidance/hooks/review_api.py: Changed findings type from "array" to ["array", "null"] (1 line)
  • plugins/security-guidance/hooks/test_findings_schema.py: Added 6 regression tests covering null, empty array, populated array, missing key, and consumer-side handling

Validation

All 6 tests pass:

test_findings_schema.py::test_empty_array_validates PASSED
test_findings_schema.py::test_null_findings_validates PASSED
test_findings_schema.py::test_populated_array_validates PASSED
test_findings_schema.py::test_missing_findings_rejected PASSED
test_findings_schema.py::test_consumer_handles_null PASSED
test_findings_schema.py::test_consumer_handles_empty_array PASSED

Fixes #73270

The agentic commit reviewer's FINDINGS_SCHEMA required 'findings' to be
type 'array'. When the model found no vulnerabilities it sometimes
emitted null instead of [], causing a schema rejection that wasted an
extra turn retrying. Observed in 31 review sessions across 7 repos.

The consuming code already handles null via 'inv.get("findings") or []'
in llm.py, so only the schema was too strict.

Fixes anthropics#73270
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

security-guidance plugin: agentic commit review StructuredOutput rejected with '/findings: must be array' when review has no findings

1 participant