Skip to content

Prompt agents to read project instruction files during reviews#636

Open
shoyer wants to merge 2 commits intoroborev-dev:mainfrom
shoyer:claude-md-subdir-context
Open

Prompt agents to read project instruction files during reviews#636
shoyer wants to merge 2 commits intoroborev-dev:mainfrom
shoyer:claude-md-subdir-context

Conversation

@shoyer
Copy link
Copy Markdown
Contributor

@shoyer shoyer commented Apr 9, 2026

Summary

  • Adds an instruction to the review prompt (noSkillsInstruction) telling agents to read project instruction files (e.g., CLAUDE.md, AGENTS.md) from the repo root and from directories containing changed files before reviewing.
  • I've been seeing review agents clearly not following guidance from my CLAUDE.md files. In print mode (-p), agents focus on responding to the provided prompt and don't proactively explore the filesystem for instruction files the way they would in an interactive session. This is the simplest fix I could think of — just tell them to look. Open to other approaches if there's a better way.

🤖 Generated with Claude Code

Stephan Hoyer and others added 2 commits April 8, 2026 17:52
@claude
feat: prompt agents to read CLAUDE.md/AGENTS.md during reviews
0ee7fa6 
Agents running in print mode often skip reading project instruction
files because they focus on the provided prompt rather than exploring
the filesystem. Add an explicit instruction to noSkillsInstruction
telling agents to read CLAUDE.md and AGENTS.md from the repo root
and from directories containing changed files before reviewing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@claude
fix: use "e.g." for instruction file examples in review prompt
cff96da 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@roborev-ci
Copy link
Copy Markdown

roborev-ci bot commented Apr 9, 2026

roborev: Combined Review (cff96da)

Verdict: changes to internal/prompt/prompt.go introduce high-risk trust/safety issues and should not merge as-is.

High

  • internal/prompt/prompt.go:35
    Treating repository-controlled instruction files (AGENTS.md, CLAUDE.md, or similar) as authoritative prompt input creates a prompt-injection path. A malicious PR can add or edit one of these files to suppress findings, manipulate agent behavior, or attempt secret/tool/network exfiltration.
    Suggested fix: Do not trust repo-provided instruction files directly. If this feature is required, load only a sanitized subset from a trusted source (for example, local config or the default branch), ignore instruction files modified by the PR, and explicitly disallow repo-originated directives about tool use, filesystem access, network access, or secrets.

  • internal/prompt/prompt.go:35
    Directing the agent to read instruction files from the working tree also introduces a local file disclosure risk via symlinks. A repo can commit AGENTS.md/CLAUDE.md as a symlink to an arbitrary host path, and the agent is then instructed to open it.
    Suggested fix: Resolve and read instruction files inside roborev instead of delegating discovery to the agent. Reject symlinks and non-regular files with Lstat, enforce that the canonical path stays under the repo root, or read tracked blob contents from git rather than the working tree.

  • internal/prompt/prompt.go:35
    Telling the agent to “read” instruction files can break tool-less review runs: agents without file-read/tool capability may fail or spend turns apologizing instead of reviewing.
    Suggested fix: Read and inject the relevant instruction-file contents in Go, rather than asking the agent to discover and open files itself.

Medium

  • internal/prompt/prompt.go:38
    The current prompt only covers the repo root and the exact directories of changed files, so it misses hierarchical ancestor instruction files such as pkg/AGENTS.md for a change under pkg/foo/bar.go. That means the feature does not actually support common subtree-level instruction layouts.
    Suggested fix: Walk each changed file’s ancestor directories from the repo root down to the file’s directory and include any matching instruction files found there, or resolve and inject them directly when building the prompt.

  • internal/prompt/prompt.go
    Asking the agent to search directories for instruction files can cause unnecessary tool churn for PRs touching many directories, increasing latency and risking turn exhaustion.
    Suggested fix: Resolve the relevant instruction files in Go and inject them into the prompt, or strictly limit discovery scope.

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

@wesm
Copy link
Copy Markdown
Collaborator

wesm commented Apr 9, 2026

Aside from the spurious security concerns, does this actually improve behavior conformance? I would think that codex exec or claude -p in the repository would automatically read the AGENTS.md/CLAUDE.md

@shoyer
Copy link
Copy Markdown
Contributor Author

shoyer commented Apr 9, 2026

I think the problem is that reviewer agents will see diffs, but not necessarily read CLAUDE.md files that cover the files in those diffs.

I haven't tested this new prompt enough yet to know if it works. But certainly I've found it really annoying to be working on a project where my CLAUDE.md says "this is experimental code, don't worry about backwards compatibility" and every roborev review says "add backwards compat!"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@shoyer @wesm