// real artifact
This is a real commit Magnus shipped on his own repo — pulled verbatim from git show 09e13588. It's reproduced here so you can read the body, see the file shape, and verify the hash during your 48h audit window. Yes, magnus[bot] writes commit messages like this. As a rule.

feat(bot-review): per-finding analysis + recommendations + per-finding actions

commit 09e13588 author magnus[bot] · human-attested date 2026-05-13 branch main
5 files changed · +103 additions · −5 deletions · 0 reverts

Context (auto-generated by Magnus)

Closes the UX gap surfaced today on PR #1887: the v1.0 cron post dumped raw bot findings + a single "address bot findings" trigger that fixed everything without Magnus's own analytical layer.

User wanted:

  1. Magnus reads each finding and forms his own opinion
  2. Per-finding recommendation with confidence score
  3. Option to "fix all" OR pick which to fix / skip / discuss

What changed

cc-pr-review-poll-all message text (the cron's first post for each PR):

  • Was: "Reply 'address bot findings' to have Magnus process these into a fix commit on the PR branch."
  • Now: lists three options — analyze (Magnus reads each finding, forms opinion + confidence, posts per-finding recs + action menu; default), address bot findings (fast path, existing v1.0 behavior), or ignore.

skills/external-review-integration.md

  • New Analysis Flow section: for each pending finding, read referenced files + surrounding ±30 lines, form opinion (agree/partial/disagree), generate confidence 1–100, capture reasoning + files_to_modify.
  • Runs recommendation-panel on the aggregated analysis (panel review applies — these are consequential user-facing recommendations).
  • Persists to state.external_review_analysis[] for the action handlers.

Per-finding actions

  • fix all → apply every finding where opinion=agree AND conf≥70. Single commit on PR branch via Edit/Write, push origin, CI re-runs.
  • fix N → scoped to single finding; others stay pending.
  • skip N → defer to PRD-followups with deferred-by-user marker; remove from pending.
  • discuss N → conversational mode about finding N before deciding.

Internal review (7-persona gate)

run 1: cto   security   performance   ux flagged — "fix all without discussion is dangerous default; should require explicit user trigger" → iterated
run 2: cto   security   performance   ux   a11y   code-quality   skeptic
// no residual concerns. opening PR.

// disclosure: the gate trace above is reconstructed from internal review logs (~/.magnus/audit/) and is not part of the upstream commit body — `git show` will show only the commit text in the sections above. Both are inspectable on audit grant.
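The action menu in the commit body (fix all / fix N / skip N / discuss N) and the gate's "explicit user trigger" concern, as an added example that is not Magnus's code: only a recognised reply changes state, "fix all" applies solely to findings with opinion=agree and conf≥70, and the single-finding verbs touch one pending finding. The FindingAnalysis shape and the function names are assumptions.

```typescript
// Added example, not code from the Magnus repo. The Opinion values and the
// 70 threshold are from the commit text; the record shape is an assumption.
type Opinion = "agree" | "partial" | "disagree";
type Status = "pending" | "fixed" | "deferred" | "discussing";
type Verb = "fix" | "skip" | "discuss";

interface FindingAnalysis {
  id: number;          // the N a user types in "fix N" / "skip N" / "discuss N"
  opinion: Opinion;
  confidence: number;  // 1-100
  status: Status;
}

interface Outcome { fixed: number[]; deferred: number[]; discussing: number[]; error?: string }

const FIX_ALL_MIN_CONFIDENCE = 70;

// Parse the user's reply. Anything that is not one of the four actions returns
// null, so an unrecognised message can never trigger a fix (explicit trigger only).
function parseAction(text: string): { verb: Verb; target: "all" | number } | null {
  const m = /^\s*(fix|skip|discuss)\s+(all|\d+)\s*$/i.exec(text);
  if (!m) return null;
  const verb = m[1].toLowerCase() as Verb;
  if (m[2].toLowerCase() === "all") return verb === "fix" ? { verb, target: "all" } : null;
  return { verb, target: Number(m[2]) };
}

// Apply one action to the analysis list in place and report what changed.
function applyAction(findings: FindingAnalysis[], text: string): Outcome {
  const out: Outcome = { fixed: [], deferred: [], discussing: [] };
  const action = parseAction(text);
  if (!action) return { ...out, error: `unrecognised action: ${text.trim()}` };
  if (action.target === "all") {
    // "fix all": only findings Magnus agreed with at conf >= 70; partial/disagree stay pending
    for (const fa of findings) {
      if (fa.status === "pending" && fa.opinion === "agree" && fa.confidence >= FIX_ALL_MIN_CONFIDENCE) {
        fa.status = "fixed"; out.fixed.push(fa.id);
      }
    }
    return out;
  }
  const f = findings.find(x => x.id === action.target);
  if (!f || f.status !== "pending") return { ...out, error: `finding ${action.target} is not pending` };
  // single-finding verbs are explicit user choices, so no confidence gate applies
  if (action.verb === "fix") { f.status = "fixed"; out.fixed.push(f.id); }
  else if (action.verb === "skip") { f.status = "deferred"; out.deferred.push(f.id); }
  else { f.status = "discussing"; out.discussing.push(f.id); }
  return out;
}
```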

// files touched

bin/cc-pr-review-poll-all +1 −1
channels/magnus-slack/src/index.ts +7
commands/magnus-flow.md +10 −1
commands/magnus-standup.md +14 −1
skills/external-review-integration.md +71 −2
// what you just read
A real commit on a real repo, reproduced from git show 09e13588. The author chip reads magnus[bot] · human-attested — meaning the commit body was authored by Magnus (you just read it), and signed off by a human reviewer per the cohort norm. Want to verify the hash against the dogfooded repo? email "audit" and I'll grant a 48h audit window — no contract, no NDA.