Skip to content

Feat/postgresql sql optimization#158

Closed
seba3567 wants to merge 4 commits into
midudev:mainfrom
seba3567:feat/postgresql-sql-optimization
Closed

Feat/postgresql sql optimization#158
seba3567 wants to merge 4 commits into
midudev:mainfrom
seba3567:feat/postgresql-sql-optimization

Conversation

@seba3567

@seba3567 seba3567 commented Jun 15, 2026

Copy link
Copy Markdown

What Changed

  • Añadidas Skills de PostgreSQL y Optimización de SQL:
    • Se integró postgres-best-practices de Neon Database para cubrir diseño de esquemas, índices y configuración de pools de conexión.
    • Se integró una skill dedicada de sql-optimization (proveniente de github/awesome-copilot) para guiar en la optimización universal de rendimiento, índices GIN y patrones de refactorización de consultas.
  • Mejora en el Mapeo de Tecnologías:
    • Se registraron ambas habilidades bajo el ID de tecnología postgresql en skills-map.ts.
    • Se mantuvo postgres-ruby como un ID de tecnología independiente (detectando la gema pg de Ruby) para evitar colisiones de configuración con los controladores de bases de datos de JavaScript/TypeScript (pg, sequelize, typeorm, etc.).
  • Actualización del Manifiesto de Registro:
    • Se añadieron los hashes exactos, archivos y metadatos de crédito correspondientes en skills-registry/index.json.

Why This Change

Instrucciones de BD Explícitas: Los agentes de IA carecían de pautas precisas para optimizar bases de datos relacionales al trabajar en servicios backend. Esta adición garantiza que los asistentes escriban consultas seguras y configuren correctamente los pools de conexión.

  • Aislamiento por Lenguaje: Mantener las librerías de PostgreSQL de JS/TS separadas de las de Ruby (postgres-ruby) asegura que la CLI detecte las dependencias correctas según el lenguaje del proyecto y no cargue skills redundantes.

Summary by CodeRabbit

Summary by CodeRabbit

Notas de Lanzamiento

  • Nuevas Funcionalidades
    • Detección mejorada de PostgreSQL, incluyendo variantes (Ruby y PostgreSQL) según las dependencias presentes.
    • Selección correcta de habilidades para proyectos Svelte con shadcn, evitando estilos de shadcn no aplicables.
  • Correcciones de Errores
    • Se mejora la carga de variables de entorno en entornos donde no están disponibles ciertas utilidades.
  • Documentación
    • Nuevas guías: PostgreSQL Best Practices, SQL Performance Optimization y documentación completa de shadcn-svelte (CLI, reglas y personalización).
  • Otros
    • Ajuste para soportar estados adicionales en el registro de revisiones.

@coderabbitai

coderabbitai Bot commented Jun 15, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Se añaden tres nuevas skills al registro (shadcn-svelte, postgres-best-practices, sql-optimization), se divide la detección de PostgreSQL en dos entradas separadas (Ruby y JS/npm), se agrega el combo svelte-shadcn que excluye la skill React de shadcn en proyectos Svelte, se actualiza el tipo RegistryEntry.review.status para incluir "skipped", y se corrige la carga condicional de variables de entorno en el script de sincronización.

Cambios

Autoskills: nuevas skills, detección PostgreSQL mejorada y combo svelte-shadcn

Layer / File(s) Resumen
Mapa de skills actualizado: PostgreSQL y svelte-shadcn
packages/autoskills/skills-map.ts
SKILLS_MAP divide la entrada PostgreSQL en postgres-ruby (detectada por gema pg sin skills) y postgresql (detectada por múltiples paquetes npm con dos skills). COMBO_SKILLS_MAP agrega svelte-shadcn que requiere Svelte y shadcn/ui.
Lógica de colección de skills con combo svelte-shadcn
packages/autoskills/lib.ts
En collectSkills, se calcula la presencia del combo svelte-shadcn y se omite la skill shadcn/ui/shadcn (React) cuando ese combo está activo, permitiendo que se use la skill específica de Svelte desde el combo.
Tests para detección de PostgreSQL y exclusión de skill shadcn
packages/autoskills/tests/collect.test.ts, packages/autoskills/tests/detect.test.ts
Se añaden pruebas unitarias que validan la detección de postgresql vía dependencia npm pg, y que verifican la exclusión correcta de shadcn/ui/shadcn mientras se incluye huntabyte/shadcn-svelte/shadcn-svelte en el combo Svelte+shadcn.
Actualización de tipos: RegistryEntry.review.status
packages/autoskills/installer.ts
Se amplía la unión de tipos del campo RegistryEntry.review.status para aceptar el valor "skipped" además de "approved" y "flagged".
Skill shadcn-svelte: documentación completa, reglas y evaluaciones
packages/autoskills/skills-registry/shadcn-svelte/*
Se crea la skill shadcn-svelte con metadatos del agente OpenAI, SKILL.md principal con contexto del proyecto y flujo de trabajo, guías de reglas para composición, formularios, iconos y estilos, documentación de CLI y personalización, y evaluaciones con prompts y expectativas de componentes.
Skills postgres-best-practices y sql-optimization
packages/autoskills/skills-registry/postgres-best-practices/..., packages/autoskills/skills-registry/sql-optimization/SKILL.md
Se añade postgres-best-practices con documentación de diseño de esquemas (recomendaciones sobre tipos de datos). Se añade sql-optimization con guía extensiva de optimización SQL: análisis de rendimiento, índices, subconsultas, JOIN, paginación, agregaciones, anti-patrones y monitoreo.
Actualización del índice del registro y script de sincronización
packages/autoskills/skills-registry/index.json, packages/autoskills/scripts/sync-skills.mjs
index.json actualiza generatedAt e incorpora metadatos completos para las nuevas skills. sync-skills.mjs protege process.loadEnvFile() con verificación de tipo para evitar errores en entornos que no la soporten.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐇 Hop, hop, un combo nuevo llegó,
Svelte y shadcn ya no se confundirán,
Postgres se divide con cuidado y amor,
SQL se optimiza con mágico ardor.
El índice crece, el conejo saltó,
¡Nuevas skills al mundo llegaron hoy! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed El título describe parcialmente los cambios principales: añade soporte para PostgreSQL, pero omite las habilidades de optimización SQL y la nueva combinación svelte-shadcn que también se incluyen en el PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (6)
packages/autoskills/skills-registry/postgres-best-practices/SKILL.md (1)

6-14: ⚖️ Poor tradeoff

Considerar expandir el contenido introductorio del SKILL.md.

El archivo es muy minimal, con solo una tabla de referencias. Para mejorar la experiencia del usuario y darle contexto inmediato sin necesidad de navegar a referencias externas, sería recomendable agregar al menos una breve descripción de cuándo se debe usar esta skill, casos de uso comunes, o un flujo de trabajo sugerido en las secciones iniciales.

Comparar con otros SKILL.md en el registro para verificar si este patrón es consistente con el resto.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/autoskills/skills-registry/postgres-best-practices/SKILL.md` around
lines 6 - 14, The SKILL.md file for Postgres Best Practices contains only a
minimal references table without introductory context. Expand the content after
the header to include: a brief description of when this skill should be used,
common use cases, and a suggested workflow before the references table. Review
other SKILL.md files in the skills-registry to ensure the added content follows
a consistent structure and pattern with the rest of the registry, then apply
that same pattern to the postgres-best-practices/SKILL.md file to maintain
consistency across the documentation.
packages/autoskills/skills-registry/sql-optimization/SKILL.md (2)

207-212: ⚡ Quick win

Aclarar la sintaxis de covering indexes específica para cada base de datos.

La línea 210 usa INCLUDE que es sintaxis específica de SQL Server y no funcionará en PostgreSQL o MySQL. El comentario en línea 211 ("Other databases") es vago. Debería ser explícito:

  • SQL Server: Use INCLUDE para covering indexes
  • PostgreSQL/MySQL: Use múltiples columnas en el índice (no hay INCLUDE)

Ejemplo mejorado:

-- SQL Server
CREATE INDEX idx_orders_covering ON orders(customer_id, created_at) 
INCLUDE (total_amount, status);

-- PostgreSQL / MySQL
CREATE INDEX idx_orders_covering ON orders(customer_id, created_at, total_amount, status);

Esto evita confusión a desarrolladores que usen PostgreSQL o MySQL.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/autoskills/skills-registry/sql-optimization/SKILL.md` around lines
207 - 212, The covering index example in the SKILL.md file uses SQL Server's
INCLUDE syntax which is not compatible with PostgreSQL or MySQL, and the inline
comment referencing "Other databases" is too vague. Replace the current single
example with clear, database-specific examples that explicitly show the syntax
differences: for SQL Server use the INCLUDE clause syntax, and for PostgreSQL
and MySQL show the syntax using multiple columns in the index without the
INCLUDE keyword. This will eliminate confusion for developers using different
database systems.

224-249: ⚡ Quick win

Agregar requisitos previos para las queries de monitoreo.

Las queries de ejemplo para MySQL, PostgreSQL y SQL Server son técnicamente correctas, pero asumen que las herramientas de monitoreo están habilitadas:

  • MySQL: Requiere slow_query_log = 1 en my.cnf
  • PostgreSQL: Requiere pg_stat_statements en shared_preload_libraries (requiere reinicio)
  • SQL Server: Está habilitado por defecto

Sería útil agregar una nota sobre estos requisitos previos para que el desarrollador sepa si necesita configuración adicional antes de ejecutar estas queries.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/autoskills/skills-registry/sql-optimization/SKILL.md` around lines
224 - 249, The Query Performance Analysis section provides example SQL queries
for MySQL, PostgreSQL, and SQL Server but does not document the prerequisite
configuration required for these queries to function correctly. Add a
prerequisites or requirements note before the code block examples that clearly
states: for MySQL that slow_query_log must be enabled in my.cnf, for PostgreSQL
that pg_stat_statements extension must be added to shared_preload_libraries and
requires a database restart, and for SQL Server that monitoring is enabled by
default. This helps developers understand what setup steps may be needed before
executing these monitoring queries.
packages/autoskills/skills-registry/postgres-best-practices/references/schema-design.md (1)

7-9: ⚡ Quick win

Agregar contexto sobre trade-offs y excepciones a las recomendaciones.

Las recomendaciones de tipos de datos son técnicamente sólidas, pero carecen de contexto sobre:

  • text vs varchar(n): Mencionar que varchar(n) sigue siendo apropiado cuando hay una restricción de dominio explícita (ej. códigos de país, códigos de estado).
  • uuid: Aclarar los trade-offs (mayor tamaño de almacenamiento: 16 vs 8 bytes; peor rendimiento en índices comparado con secuenciales; pérdida de ordenamiento natural). Ayuda a que el desarrollador sepa cuándo usar uuid y cuándo preferir bigint.
  • timestamptz: Buena recomendación; quizás mencionar que siempre debe usar timestamptz a menos que haya una razón muy específica para no hacerlo.

Esto haría la guía más equilibrada y ayudaría a evitar decisiones de diseño poco óptimas.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@packages/autoskills/skills-registry/postgres-best-practices/references/schema-design.md`
around lines 7 - 9, Expand the three schema design recommendations in the
schema-design.md file to include context about trade-offs and exceptions. For
the text vs varchar(n) guideline, add examples of when varchar(n) remains
appropriate such as domain-constrained values like country codes or state codes.
For the uuid recommendation, add a dedicated section explaining the trade-offs
including larger storage footprint (16 bytes vs 8 bytes for sequential
integers), potential index performance degradation compared to sequential IDs,
and loss of natural ordering, then clarify when developers should consider
bigint as an alternative. For the timestamptz recommendation, reinforce it as
the default choice while noting that exceptions exist only in rare specific
cases. This will transform the guide from prescriptive rules into balanced
guidance that helps developers make context-aware decisions.
packages/autoskills/tests/detect.test.ts (1)

1385-1389: ⚡ Quick win

Añade aserción negativa para validar la separación postgresql vs postgres-ruby.

El caso nuevo verifica inclusión de postgresql, pero no comprueba que no entre postgres-ruby en el flujo npm.

✅ Propuesta de test
   it("detects PostgreSQL from pg npm package", () => {
     writePackageJson(tmp.path, { dependencies: { pg: "^8.0.0" } });
     const { detected } = detectTechnologies(tmp.path);
     ok(detected.some((t) => t.id === "postgresql"));
+    ok(!detected.some((t) => t.id === "postgres-ruby"));
   });
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/autoskills/tests/detect.test.ts` around lines 1385 - 1389, The test
case "detects PostgreSQL from pg npm package" verifies that the postgresql
technology is detected when the pg npm package is present, but it does not check
that postgres-ruby (which is a Ruby-specific technology) is NOT detected in an
npm context. Add a negative assertion after the existing assertion in this test
to verify that detected does not include postgres-ruby, ensuring proper
separation between the postgresql and postgres-ruby technology detection paths.
packages/autoskills/skills-registry/index.json (1)

3-3: Los commit SHAs de los repositorios fuente son válidos.

Los valores commitSha han sido verificados y apuntan a commits válidos en los repositorios indicados (huntabyte/shadcn-svelte, neondatabase/postgres-skills, github/awesome-copilot).

Sin embargo, los hashes sha256 y bundleHash para las tres nuevas skills aún requieren validación. Sin acceso a los archivos de skill reales, no es posible confirmar que estos hashes coincidan con el contenido actual de los artefactos en los commits especificados.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/autoskills/skills-registry/index.json` at line 3, The commit SHAs in
the skills registry have been verified as valid, but the sha256 and bundleHash
values for the three new skills require validation against the actual artifact
contents. Locate the three new skill entries in the index.json file and verify
that each sha256 and bundleHash value accurately matches the content of the
corresponding artifacts in their specified commits (huntabyte/shadcn-svelte,
neondatabase/postgres-skills, and github/awesome-copilot). Update these hash
values to ensure they correctly represent the current artifact contents, which
is critical for integrity verification when these skills are downloaded and
used.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/autoskills/skills-map.ts`:
- Around line 926-931: The PostgreSQL skill detection is too broad and causes
false positives in projects using other databases. Remove sequelize, typeorm,
and mikro-orm from the packages array in the detect object of the PostgreSQL
skill definition (around line 930). These are multi-database ORMs that support
MySQL and SQLite too, so they should not be used as signals for
PostgreSQL-specific skill installation. Keep only the PostgreSQL-specific
packages like pg, postgres, and pg-promise in the detection list.

In `@packages/autoskills/skills-registry/index.json`:
- Around line 13022-13121: The three new skills in
packages/autoskills/skills-registry/index.json have contradictory review
metadata where review.status is marked as "approved" but the review.summary
indicates the review was skipped with --no-review flag. For shadcn-svelte
(review field around line 13053-13059), change review.status from "approved" to
"skipped" and update review.summary from "review skipped (--no-review)" to
accurately reflect that no review was performed. Apply the same fix to
postgres-best-practices (review field around line 13081-13087) and
sql-optimization (review field around line 13107-13113). This ensures the review
metadata is truthful and consistent with downstream code that validates skills
based on review.status === "approved".

---

Nitpick comments:
In `@packages/autoskills/skills-registry/index.json`:
- Line 3: The commit SHAs in the skills registry have been verified as valid,
but the sha256 and bundleHash values for the three new skills require validation
against the actual artifact contents. Locate the three new skill entries in the
index.json file and verify that each sha256 and bundleHash value accurately
matches the content of the corresponding artifacts in their specified commits
(huntabyte/shadcn-svelte, neondatabase/postgres-skills, and
github/awesome-copilot). Update these hash values to ensure they correctly
represent the current artifact contents, which is critical for integrity
verification when these skills are downloaded and used.

In
`@packages/autoskills/skills-registry/postgres-best-practices/references/schema-design.md`:
- Around line 7-9: Expand the three schema design recommendations in the
schema-design.md file to include context about trade-offs and exceptions. For
the text vs varchar(n) guideline, add examples of when varchar(n) remains
appropriate such as domain-constrained values like country codes or state codes.
For the uuid recommendation, add a dedicated section explaining the trade-offs
including larger storage footprint (16 bytes vs 8 bytes for sequential
integers), potential index performance degradation compared to sequential IDs,
and loss of natural ordering, then clarify when developers should consider
bigint as an alternative. For the timestamptz recommendation, reinforce it as
the default choice while noting that exceptions exist only in rare specific
cases. This will transform the guide from prescriptive rules into balanced
guidance that helps developers make context-aware decisions.

In `@packages/autoskills/skills-registry/postgres-best-practices/SKILL.md`:
- Around line 6-14: The SKILL.md file for Postgres Best Practices contains only
a minimal references table without introductory context. Expand the content
after the header to include: a brief description of when this skill should be
used, common use cases, and a suggested workflow before the references table.
Review other SKILL.md files in the skills-registry to ensure the added content
follows a consistent structure and pattern with the rest of the registry, then
apply that same pattern to the postgres-best-practices/SKILL.md file to maintain
consistency across the documentation.

In `@packages/autoskills/skills-registry/sql-optimization/SKILL.md`:
- Around line 207-212: The covering index example in the SKILL.md file uses SQL
Server's INCLUDE syntax which is not compatible with PostgreSQL or MySQL, and
the inline comment referencing "Other databases" is too vague. Replace the
current single example with clear, database-specific examples that explicitly
show the syntax differences: for SQL Server use the INCLUDE clause syntax, and
for PostgreSQL and MySQL show the syntax using multiple columns in the index
without the INCLUDE keyword. This will eliminate confusion for developers using
different database systems.
- Around line 224-249: The Query Performance Analysis section provides example
SQL queries for MySQL, PostgreSQL, and SQL Server but does not document the
prerequisite configuration required for these queries to function correctly. Add
a prerequisites or requirements note before the code block examples that clearly
states: for MySQL that slow_query_log must be enabled in my.cnf, for PostgreSQL
that pg_stat_statements extension must be added to shared_preload_libraries and
requires a database restart, and for SQL Server that monitoring is enabled by
default. This helps developers understand what setup steps may be needed before
executing these monitoring queries.

In `@packages/autoskills/tests/detect.test.ts`:
- Around line 1385-1389: The test case "detects PostgreSQL from pg npm package"
verifies that the postgresql technology is detected when the pg npm package is
present, but it does not check that postgres-ruby (which is a Ruby-specific
technology) is NOT detected in an npm context. Add a negative assertion after
the existing assertion in this test to verify that detected does not include
postgres-ruby, ensuring proper separation between the postgresql and
postgres-ruby technology detection paths.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: a242f8ae-c2f1-496a-b051-2955b67726c7

📥 Commits

Reviewing files that changed from the base of the PR and between 7ebf5ce and ca555eb.

⛔ Files ignored due to path filters (2)
  • packages/autoskills/skills-registry/shadcn-svelte/assets/shadcn-svelte-small.png is excluded by !**/*.png
  • packages/autoskills/skills-registry/shadcn-svelte/assets/shadcn-svelte.png is excluded by !**/*.png
📒 Files selected for processing (18)
  • packages/autoskills/lib.ts
  • packages/autoskills/scripts/sync-skills.mjs
  • packages/autoskills/skills-map.ts
  • packages/autoskills/skills-registry/index.json
  • packages/autoskills/skills-registry/postgres-best-practices/SKILL.md
  • packages/autoskills/skills-registry/postgres-best-practices/references/schema-design.md
  • packages/autoskills/skills-registry/shadcn-svelte/SKILL.md
  • packages/autoskills/skills-registry/shadcn-svelte/agents/openai.yml
  • packages/autoskills/skills-registry/shadcn-svelte/cli.md
  • packages/autoskills/skills-registry/shadcn-svelte/customization.md
  • packages/autoskills/skills-registry/shadcn-svelte/evals/evals.json
  • packages/autoskills/skills-registry/shadcn-svelte/rules/composition.md
  • packages/autoskills/skills-registry/shadcn-svelte/rules/forms.md
  • packages/autoskills/skills-registry/shadcn-svelte/rules/icons.md
  • packages/autoskills/skills-registry/shadcn-svelte/rules/styling.md
  • packages/autoskills/skills-registry/sql-optimization/SKILL.md
  • packages/autoskills/tests/collect.test.ts
  • packages/autoskills/tests/detect.test.ts

Comment thread packages/autoskills/skills-map.ts
Comment thread packages/autoskills/skills-registry/index.json

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/autoskills/installer.ts`:
- Line 35: The new `"skipped"` status value added to the status type definition
is not being handled explicitly in the `securityCheckForEntry` security check
fallback logic, which currently uses binary checking (only checking for
`"flagged"` and treating all other cases as `"ok"`). Update the
`securityCheckForEntry` function to implement exhaustive mapping that explicitly
handles all three status values: `"approved"`, `"flagged"`, and `"skipped"`,
ensuring that skipped checks do not implicitly receive an `"ok"` security status
and instead are mapped to an appropriate security signal that reflects the lack
of security review.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 018aa3f5-e4ac-4981-bca6-33c7007906fb

📥 Commits

Reviewing files that changed from the base of the PR and between ca555eb and feda5b9.

📒 Files selected for processing (3)
  • packages/autoskills/installer.ts
  • packages/autoskills/skills-map.ts
  • packages/autoskills/skills-registry/index.json
✅ Files skipped from review due to trivial changes (1)
  • packages/autoskills/skills-registry/index.json

bundleHash: string;
review: {
status: "approved" | "flagged";
status: "approved" | "flagged" | "skipped";

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

"skipped" queda clasificado implícitamente como "ok" en el fallback de seguridad.

Al añadir "skipped" en Line 35, el fallback de securityCheckForEntry (Lines 232-240) sigue siendo binario ("flagged" vs resto), por lo que una skill no revisada puede terminar con estado "ok" cuando falta securityCheck. Esto degrada la señal de seguridad.

Propuesta de ajuste (mapeo exhaustivo)
 function securityCheckForEntry(skillName: string, entry: RegistryEntry): InstallSecurityCheck {
   if (entry.securityCheck) {
     return {
       name: skillName,
       status: entry.securityCheck.status,
       summary: entry.securityCheck.summary,
       findings: entry.securityCheck.findings,
     };
   }

+  const reviewStatus = entry.review?.status;
+  const status: InstallSecurityCheck["status"] =
+    reviewStatus === "flagged" || reviewStatus === "skipped" ? "warning" : "ok";
+
   return {
     name: skillName,
-    status: entry.review?.status === "flagged" ? "warning" : "ok",
+    status,
     summary:
       entry.review?.summary ||
-      (entry.review?.status === "flagged"
+      (reviewStatus === "flagged" || reviewStatus === "skipped"
         ? "The sync review found issues that should be checked."
         : "The sync review did not find security issues."),
     findings: entry.review?.flags || [],
   };
 }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
status: "approved" | "flagged" | "skipped";
function securityCheckForEntry(skillName: string, entry: RegistryEntry): InstallSecurityCheck {
if (entry.securityCheck) {
return {
name: skillName,
status: entry.securityCheck.status,
summary: entry.securityCheck.summary,
findings: entry.securityCheck.findings,
};
}
const reviewStatus = entry.review?.status;
const status: InstallSecurityCheck["status"] =
reviewStatus === "flagged" || reviewStatus === "skipped" ? "warning" : "ok";
return {
name: skillName,
status,
summary:
entry.review?.summary ||
(reviewStatus === "flagged" || reviewStatus === "skipped"
? "The sync review found issues that should be checked."
: "The sync review did not find security issues."),
findings: entry.review?.flags || [],
};
}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/autoskills/installer.ts` at line 35, The new `"skipped"` status
value added to the status type definition is not being handled explicitly in the
`securityCheckForEntry` security check fallback logic, which currently uses
binary checking (only checking for `"flagged"` and treating all other cases as
`"ok"`). Update the `securityCheckForEntry` function to implement exhaustive
mapping that explicitly handles all three status values: `"approved"`,
`"flagged"`, and `"skipped"`, ensuring that skipped checks do not implicitly
receive an `"ok"` security status and instead are mapped to an appropriate
security signal that reflects the lack of security review.

@seba3567 seba3567 closed this Jun 15, 2026
@seba3567 seba3567 deleted the feat/postgresql-sql-optimization branch June 15, 2026 22:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant