claude-engineering-plugin/plugins/compound-engineering/skills/ce-review-beta/references/findings-schema.json

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Code Review Findings",
  "description": "Structured output schema for code review sub-agents",
  "type": "object",
  "required": ["reviewer", "findings", "residual_risks", "testing_gaps"],
  "properties": {
    "reviewer": {
      "type": "string",
      "description": "Persona name that produced this output (e.g., 'correctness', 'security')"
    },
    "findings": {
      "type": "array",
      "description": "List of code review findings. Empty array if no issues found.",
      "items": {
        "type": "object",
        "required": [
          "title",
          "severity",
          "file",
          "line",
          "why_it_matters",
          "autofix_class",
          "owner",
          "requires_verification",
          "confidence",
          "evidence",
          "pre_existing"
        ],
        "properties": {
          "title": {
            "type": "string",
            "description": "Short, specific issue title. 10 words or fewer.",
            "maxLength": 100
          },
          "severity": {
            "type": "string",
            "enum": ["P0", "P1", "P2", "P3"],
            "description": "Issue severity level"
          },
          "file": {
            "type": "string",
            "description": "Relative file path from repository root"
          },
          "line": {
            "type": "integer",
            "description": "Primary line number of the issue",
            "minimum": 1
          },
          "why_it_matters": {
            "type": "string",
            "description": "Impact and failure mode -- not 'what is wrong' but 'what breaks'"
          },
          "autofix_class": {
            "type": "string",
            "enum": ["safe_auto", "gated_auto", "manual", "advisory"],
            "description": "Reviewer's conservative recommendation for how this issue should be handled after synthesis"
          },
          "owner": {
            "type": "string",
            "enum": ["review-fixer", "downstream-resolver", "human", "release"],
            "description": "Who should own the next action for this finding after synthesis"
          },
          "requires_verification": {
            "type": "boolean",
            "description": "Whether any fix for this finding must be re-verified with targeted tests or a follow-up review pass"
          },
          "suggested_fix": {
            "type": ["string", "null"],
            "description": "Concrete minimal fix. Omit or null if no good fix is obvious -- a bad suggestion is worse than none."
          },
          "confidence": {
            "type": "number",
            "description": "Reviewer confidence in this finding, calibrated per persona",
            "minimum": 0.0,
            "maximum": 1.0
          },
          "evidence": {
            "type": "array",
            "description": "Code-grounded evidence: snippets, line references, or pattern descriptions. At least 1 item.",
            "items": { "type": "string" },
            "minItems": 1
          },
          "pre_existing": {
            "type": "boolean",
            "description": "True if this issue exists in unchanged code unrelated to the current diff"
          }
        }
      }
    },
    "residual_risks": {
      "type": "array",
      "description": "Risks the reviewer noticed but could not confirm as findings",
      "items": { "type": "string" }
    },
    "testing_gaps": {
      "type": "array",
      "description": "Missing test coverage the reviewer identified",
      "items": { "type": "string" }
    }
    },

  "_meta": {
    "confidence_thresholds": {
      "suppress": "Below 0.60 -- do not report. Finding is speculative noise.",
      "flag": "0.60-0.69 -- include only when the persona's calibration says the issue is actionable at that confidence.",
      "report": "0.70+ -- report with full confidence."
    },
    "severity_definitions": {
      "P0": "Critical breakage, exploitable vulnerability, data loss/corruption. Must fix before merge.",
      "P1": "High-impact defect likely hit in normal usage, breaking contract. Should fix.",
      "P2": "Moderate issue with meaningful downside (edge case, perf regression, maintainability trap). Fix if straightforward.",
      "P3": "Low-impact, narrow scope, minor improvement. User's discretion."
    },
    "autofix_classes": {
      "safe_auto": "Local, deterministic code or test fix suitable for the in-skill fixer in autonomous mode.",
      "gated_auto": "Concrete fix exists, but it changes behavior, permissions, contracts, or other sensitive areas that deserve explicit approval.",
      "manual": "Actionable issue that should become residual work rather than an in-skill autofix.",
      "advisory": "Informational or operational item that should be surfaced in the report only."
    },
    "owners": {
      "review-fixer": "The in-skill fixer can own this when policy allows.",
      "downstream-resolver": "Turn this into residual work for later resolution.",
      "human": "A person must make a judgment call before code changes should continue.",
      "release": "Operational or rollout follow-up; do not convert into code-fix work automatically."
    }
  }
}