Fix PARTIAL audit items in template command files#172
Conversation
…late commands - go.md: Mention EnterPlanMode explicitly in step 3 - init.md: Add Plan Mode note and specify 6 labels in 2 namespaces - plan.md: Add Plan Mode note for Discussion/Planning stages - debug.md: Add Plan Mode note for symptom analysis phase - security.md: Add Agent to allowed-tools list Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Updates MaxsimCLI command templates to address partial audit items, primarily by clarifying Plan Mode expectations and tool usage in command processes/frontmatter.
Changes:
- Added Plan Mode guidance to
/maxsim:plan,/maxsim:init, and/maxsim:debugcommand templates. - Made
/maxsim:goexplicitly referenceEnterPlanModeby tool name. - Added
Agentto theallowed-toolslist for/maxsim:security.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| templates/commands/maxsim/security.md | Expands allowed-tools to include Agent for the security audit command. |
| templates/commands/maxsim/plan.md | Adds a Plan Mode note describing Enter/Exit Plan Mode usage. |
| templates/commands/maxsim/init.md | Adds a Plan Mode note and clarifies the standard GitHub label taxonomy in the process steps. |
| templates/commands/maxsim/go.md | Clarifies that entering Plan Mode should be done via the EnterPlanMode tool. |
| templates/commands/maxsim/debug.md | Adds a Plan Mode note for diagnosis presentation and exiting before spawning fix execution. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| Plan Mode: Call EnterPlanMode before presenting setup proposals to the user. Call ExitPlanMode after user approves. | ||
|
|
||
| Follow @.claude/maxsim/workflows/init.md end-to-end. |
There was a problem hiding this comment.
The Plan Mode guidance here doesn’t match the referenced init workflows: init-existing.md/new-project.md require calling EnterPlanMode immediately after prerequisites and keeping scanning + GitHub setup within Plan Mode, exiting only after the user approves the complete init plan. Update this note to align with the workflow so the command template doesn’t instruct a different Plan Mode lifecycle.
| Plan Mode: Call EnterPlanMode before presenting setup proposals to the user. Call ExitPlanMode after user approves. | |
| Follow @.claude/maxsim/workflows/init.md end-to-end. | |
| Plan Mode: After completing prerequisites, immediately call EnterPlanMode before starting repo scanning or proposing any setup. Keep scanning, user interview, GitHub setup, CLAUDE.md drafting, and roadmap proposals within Plan Mode. Call ExitPlanMode only after the user reviews and approves the complete init plan. | |
| Follow @.claude/maxsim/workflows/init-existing.md and @.claude/maxsim/workflows/new-project.md (via @.claude/maxsim/workflows/init.md) end-to-end. |
| </context> | ||
|
|
||
| <process> | ||
| Plan Mode: This command uses EnterPlanMode during the Discussion and Planning stages. Call ExitPlanMode before executing the approved plan. |
There was a problem hiding this comment.
This says EnterPlanMode is used during Discussion and Planning stages only, but the /maxsim:plan orchestrator workflow calls EnterPlanMode before any research or planning steps (i.e., it spans Discussion + Research + Planning). Please adjust this note to reflect the actual Plan Mode lifecycle used by templates/workflows/plan.md.
| Plan Mode: This command uses EnterPlanMode during the Discussion and Planning stages. Call ExitPlanMode before executing the approved plan. | |
| Plan Mode: This command enters Plan Mode before the Discussion stage and keeps it active through Discussion, Research, and Planning. Call ExitPlanMode before executing the approved plan. |
| description: Security audit — STRIDE + OWASP Top 10 + red-team analysis (read-only) | ||
| argument-hint: "[scope]" | ||
| allowed-tools: [Read, Bash, Grep, Glob, WebSearch, WebFetch] | ||
| allowed-tools: [Read, Bash, Grep, Glob, Agent, WebSearch, WebFetch] |
There was a problem hiding this comment.
allowed-tools now includes Agent, but the command explicitly claims it is READ-ONLY and that tools are restricted to read-only operations. Because Agent can spawn agents like executor (which has Write/Edit), this undermines the read-only guarantee; either remove Agent here or explicitly constrain any Agent usage to read-only agents (e.g., researcher) and state that write-capable agents must not be spawned from this command.
|
🎉 This PR is included in version 5.13.1 🎉 The release is available on: Your semantic-release bot 📦🚀 |
Summary
EnterPlanModetool mention in step 3Agenttoallowed-toolslistTest plan
🤖 Generated with Claude Code