fix: rewrite cve-fixer startupPrompt as agent directive#93
Merged
jwm4 merged 2 commits intoambient-code:mainfrom Mar 30, 2026
Merged
fix: rewrite cve-fixer startupPrompt as agent directive#93jwm4 merged 2 commits intoambient-code:mainfrom
jwm4 merged 2 commits intoambient-code:mainfrom
Conversation
startupPrompt is sent TO the agent as a hidden user message, not displayed to the user. Rewrite it as an instruction telling the agent how to greet the user rather than a canned greeting. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
WalkthroughThe startup prompt message in the CVE Remediation workflow configuration was updated to provide clearer instructions for users, introducing the assistant's purpose, referencing available commands ( Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes 🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Take upstream's updated systemPrompt (adds component mapping note and team onboarding reference) and our startupPrompt rewrite (directive style). Also incorporated the onboarding reference into the directive. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@workflows/cve-fixer/.ambient/ambient.json`:
- Line 5: The startupPrompt value should be made more readable and slightly
clearer: update the "startupPrompt" string to use explicit bullet-like line
breaks for the command list and change "If this is their first time" to "If this
is their first time using this workflow"; modify the startupPrompt entry (the
"startupPrompt" JSON property) to include newline-separated sentences and a
short bulleted list for the commands (/cve.find, /cve.fix) and the clarified
phrase so the agent can parse and present instructions more clearly.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: b56f8440-a8e5-421f-b7ab-730446b6ed65
📒 Files selected for processing (1)
workflows/cve-fixer/.ambient/ambient.json
| "description": "Automate remediation of CVE issues reported by ProdSec team in Jira by creating pull requests with dependency updates and patches", | ||
| "systemPrompt": "You are a CVE remediation assistant for the Ambient Code Platform. Your role is to help users remediate CVE issues that have been reported by the ProdSec team in Jira by automatically creating pull requests with fixes.\n\nKEY RESPONSIBILITIES:\n- Guide users through the CVE remediation workflow for Jira-tracked vulnerabilities\n- Execute slash commands to perform specific security tasks\n- Find CVE issues opened by ProdSec team in Jira\n- Implement secure fixes that resolve vulnerabilities without breaking functionality\n- Create pull requests with dependency updates, patches, and comprehensive test results\n\nWORKFLOW METHODOLOGY:\n1. FIND - Find CVEs already reported in Jira for a component\n2. FIX - Implement remediation strategies (dependency updates, patches, code changes, PR creation)\n\nAVAILABLE COMMANDS:\n/cve.find - Find CVEs reported in Jira for a specific component\n/cve.fix - Implement fixes for discovered CVEs and create pull requests\n\nOUTPUT LOCATIONS:\n- Create all Jira CVE findings in: artifacts/cve-fixer/find/\n- Create all fix implementations in: artifacts/cve-fixer/fixes/\n\nNote: Commands will guide you through required setup steps on first use. If the user's component is not in component-repository-mappings.json, direct them to the \"Team Onboarding\" section in README.md.", | ||
| "startupPrompt": "Welcome! I'm your CVE Remediation assistant.\n\n🎯 WHAT I DO:\nI help you remediate CVE issues reported by the ProdSec team in Jira by automatically creating pull requests with dependency updates, patches, and code changes.\n\n📋 WORKFLOW PHASES:\n1. **Find** - Discover CVE issues opened by ProdSec in Jira for a component\n2. **Fix** - Implement secure remediations and create pull requests\n\n🚀 AVAILABLE COMMANDS:\n/cve.find - Find CVE issues reported by ProdSec in Jira\n/cve.fix - Implement security fixes and create PRs\n\n💡 GETTING STARTED:\nRun /cve.find to discover CVE issues from ProdSec in Jira for a specific component, then use /cve.fix to automatically remediate them with pull requests.\n\nFirst time? See README.md → \"Team Onboarding\" for setup requirements.\n\nWhat would you like to accomplish today?", | ||
| "startupPrompt": "Greet the user and introduce yourself as a CVE remediation assistant. Explain that you help remediate CVE issues reported by ProdSec in Jira by creating pull requests. Mention the two commands: /cve.find to discover CVEs and /cve.fix to implement fixes. If this is their first time, point them to README.md Team Onboarding for setup. Suggest starting with /cve.find and ask what they'd like to work on.", |
There was a problem hiding this comment.
🧹 Nitpick | 🔵 Trivial
LGTM! Successfully converted to an agent directive.
The startupPrompt now correctly instructs the agent how to greet rather than being a direct greeting, which aligns perfectly with the PR objective. The content is comprehensive, references the correct commands (/cve.find, /cve.fix), and points to the appropriate onboarding documentation.
Optional suggestions for enhanced readability:
-
Consider breaking the directive into bullet points for easier parsing by the agent:
"startupPrompt": "Greet the user and introduce yourself as a CVE remediation assistant. Explain that you help remediate CVE issues reported by ProdSec in Jira by creating pull requests.\n\nMention these commands:\n- /cve.find to discover CVEs\n- /cve.fix to implement fixes\n\nFor first-time users, point them to README.md Team Onboarding for setup. Suggest starting with /cve.find and ask what they'd like to work on."
-
Minor clarity improvement: "If this is their first time" could be "If this is their first time using this workflow" for specificity.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@workflows/cve-fixer/.ambient/ambient.json` at line 5, The startupPrompt value
should be made more readable and slightly clearer: update the "startupPrompt"
string to use explicit bullet-like line breaks for the command list and change
"If this is their first time" to "If this is their first time using this
workflow"; modify the startupPrompt entry (the "startupPrompt" JSON property) to
include newline-separated sentences and a short bulleted list for the commands
(/cve.find, /cve.fix) and the clarified phrase so the agent can parse and
present instructions more clearly.
vmrh21
approved these changes
Mar 30, 2026
Contributor
|
Lgtm! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
startupPromptfrom a canned greeting into an agent directivestartupPromptis sent TO the agent as a hidden user message (role: "user",hidden: true), not displayed to the user — so it should instruct the agent how to greet, not be a greeting itselfChanges
workflows/cve-fixer/.ambient/ambient.json: RewritestartupPromptas a directiveTest plan
/cve.findand/cve.fixcommands still work as expectedCustom Workflow Testing
https://github.com/jwm4/workflows.gitfix/cve-fixer-startup-promptworkflows/cve-fixer🤖 Generated with Claude Code under the supervision of Bill Murdock.