t4585: Add finding-to-task rule to Completion and quality discipline #4595

Closed
alex-solovyev wants to merge 1 commit into main from feature/t4585-finding-to-task-rule

@alex-solovyev (Collaborator) commented Mar 14, 2026

Summary

  • Adds a finding-to-task rule to the # Completion and quality discipline section in .agents/prompts/build.txt
  • Every actionable finding from any multi-finding report (security audit, code review, SEO scan, accessibility check, performance review, etc.) must become a tracked task (TODO.md entry + GitHub issue) before the report is declared complete
  • Findings fixed in the current PR are tracked by the PR itself; findings deferred for later each get their own task ID
  • A report with untracked actionable findings is incomplete
  • Applies to all agent types and all report-producing workflows

Root cause addressed

Agents were treating the report itself as the deliverable rather than treating each actionable finding as a task requiring tracking. This caused deferred findings to silently drop out of the task queue (observed in ILDS t068 security audit session).

Change

Single rule added to .agents/prompts/build.txt:66 in the Completion and quality discipline section — framework-level, applies on every agent update/deploy via setup.sh.

Closes #4585

Summary by CodeRabbit

  • Chores
    • Updated internal guidelines for handling multi-finding reports and task tracking procedures across all agent workflows.

Every actionable finding from multi-finding reports (security audits,
code reviews, SEO scans, accessibility checks, etc.) must become a
tracked task (TODO.md entry + GitHub issue) before the report is
declared complete. Findings fixed in the current PR are tracked by
the PR itself; deferred findings each get their own task ID.

Closes #4585

@github-actions github-actions bot added the enhancement Auto-created from TODO.md tag label Mar 14, 2026
@coderabbitai bot (Contributor) commented Mar 14, 2026

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)
  • no-review

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

Walkthrough

A new rule is added to the framework's build prompts requiring that every actionable finding from multi-finding reports (security audits, code reviews, etc.) must be converted into tracked tasks (TODO.md entries or GitHub issues) before a report is declared complete.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Build Prompts Configuration: .agents/prompts/build.txt | Added framework-level rule enforcing conversion of all actionable findings from multi-finding reports into tracked tasks (TODO.md + GitHub issue) before report completion. Applies universally to all agent types and report-producing workflows. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested labels

needs-review

Poem

📋 A finding floating free is a task not yet born,
Each audit's truth must track, not lost or worn,
From report to TODO, from issue to deed,
No actionable finding left untraced—that's the creed! ✨


@github-actions
Contributor

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 413 code smells

[INFO] Recent monitoring activity:
Sat Mar 14 04:35:26 UTC 2026: Code review monitoring started
Sat Mar 14 04:35:27 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 413

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 413
  • VULNERABILITIES: 0

Generated on: Sat Mar 14 04:35:29 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

@alex-solovyev
Collaborator Author

Duplicate PR — PR #4593 was created for the same issue (#4585) and is further along in CI. Closing this PR in favour of #4593.

@alex-solovyev
Collaborator Author

Closing as duplicate of PR #4593 which addresses the same issue #4585.

Development

Successfully merging this pull request may close these issues.

Enforce: every actionable finding from audits/reviews must become a tracked task immediately
