Rule severity tuning and Cursor agent setup #186
Allow rules to set SeverityOverride so one rule can emit Block, Warn, and Info findings. Disable GCI0054/GCI0055 by default to avoid duplicate coverage, narrow GCI0057 to sync file I/O, and align default severities with the active rule catalog.
Wire Cursor with context-mode MCP and hooks, graphify/context-mode skills, and Copilot-migrated build and efficiency playbooks. Update gitignore so .cursor rules and skills can be committed.
GauntletCI found the following issues:
These findings reference lines outside the PR diff, so they appear here instead of inline. Expand each entry for full evidence, rationale, and suggested action.
GCI0001: Diff Integrity
Diff contains mixed scope: code and non-code files changed together.
Evidence:
Non-code files in diff: .cursor/hooks.json, .cursor/mcp.json, .cursor/rules/context-mode.mdc, .cursor/rules/gauntletci-build-instructions.mdc, .cursor/rules/gauntletci-efficiency-playbook.mdc, .cursor/skills/context-mode/SKILL.md, .cursor/skills/graphify/SKILL.md, .github/hooks/context-mode.json, .gitignore
💡 Suggested action: Split into separate PRs: one for code changes, one for docs/config updates.
Confidence: Medium | Severity: Warn
Pull request overview
Adds per-finding severity overrides to support multi-tier findings within a single rule run, tunes default rule severities/enabled set to reduce duplicate noise, and introduces Cursor/context-mode/graphify agent configuration intended to be committable in-repo.
Changes:
- Add `Finding.SeverityOverride` + plumb it through `RuleBase.CreateFinding()` and `RuleOrchestrator` so orchestrator respects per-finding severity.
- Retune rule defaults (notably disabling GCI0054/GCI0055 by default and narrowing GCI0057 to sync File I/O only) and update tests to expect 34 enabled rules.
- Add `.cursor/` + hooks/skills/rules docs and update `.gitignore` to allow committing Cursor agent config.
Reviewed changes
Copilot reviewed 22 out of 23 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| tests/GauntletCI.Core.Tests/Rules/GCI0057_BlockingAsyncViolationTests.cs | Updates tests to match GCI0057’s narrowed scope (sync File I/O only). |
| src/GauntletCI.Tests/Rules/GCI0003Tests.cs | Asserts new SeverityOverride tiers emitted by GCI0003. |
| src/GauntletCI.Tests/Phase5IntegrationTests.cs | Updates expected enabled-rule count to 34 and adjusts test naming/commentary. |
| src/GauntletCI.Tests/OrchestratorTests.cs | Updates expected enabled-rule count to 34. |
| src/GauntletCI.Tests/ConfigurationServiceTests.cs | Expands default severity expectations, including disabled-by-default rules. |
| src/GauntletCI.Core/Rules/RuleOrchestrator.cs | Applies SeverityOverride when setting final Finding.Severity. |
| src/GauntletCI.Core/Rules/RuleBase.cs | Extends CreateFinding overloads to accept optional severity override. |
| src/GauntletCI.Core/Rules/Implementations/GCI0057_BlockingAsyncViolation.cs | Removes blocking-async detection; keeps only sync File.* I/O detection. |
| src/GauntletCI.Core/Rules/Implementations/GCI0055_MethodSignatureChange.cs | Updates docstring to reflect disabled-by-default status. |
| src/GauntletCI.Core/Rules/Implementations/GCI0054_AsyncVoidAbuse.cs | Updates docstring to reflect disabled-by-default status. |
| src/GauntletCI.Core/Rules/Implementations/GCI0004_BreakingChangeRisk.cs | Adds a per-finding Block override for obsolete-removal finding. |
| src/GauntletCI.Core/Rules/Implementations/GCI0003_BehavioralChangeDetection.cs | Emits per-finding severity tiers for signature changes. |
| src/GauntletCI.Core/Model/Finding.cs | Adds nullable SeverityOverride property. |
| src/GauntletCI.Core/Configuration/DefaultSeverities.cs | Retunes defaults; disables GCI0054/GCI0055 by default; adds/organizes mappings. |
| .gitignore | Un-ignores .cursor/ content so it can be committed despite global *.md ignore policy. |
| .github/hooks/context-mode.json | Adds context-mode hook config (currently hardcoded to a specific Windows install). |
| .cursor/skills/graphify/SKILL.md | Adds graphify skill documentation. |
| .cursor/skills/context-mode/SKILL.md | Adds context-mode skill documentation. |
| .cursor/rules/gauntletci-efficiency-playbook.mdc | Adds always-on Cursor rule for prompt efficiency workflow. |
| .cursor/rules/gauntletci-build-instructions.mdc | Adds always-on Cursor rule describing GauntletCI architecture/build instructions. |
| .cursor/rules/context-mode.mdc | Adds always-on Cursor rule for routing large outputs through context-mode. |
| .cursor/mcp.json | Adds Cursor MCP server definition for context-mode. |
| .cursor/hooks.json | Adds Cursor hook wiring for context-mode lifecycle hooks. |
| { | ||
| "hooks": { | ||
| "PreToolUse": [ | ||
| { | ||
| "matcher": "", | ||
| "hooks": [ | ||
| { | ||
| "type": "command", | ||
| "command": "\"C:/Users/ericc/AppData/Local/Programs/cursor/resources/app/resources/helpers/node.exe\" \"C:/Users/ericc/AppData/Roaming/npm/node_modules/context-mode/hooks/vscode-copilot/pretooluse.mjs\"" | ||
| } |
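Review bot: the `command` string in the `PreToolUse` hook hardcodes one developer's absolute Windows paths (`C:/Users/ericc/AppData/...`) for both `node.exe` and `pretooluse.mjs`, so the hook fails on any other machine, and where it does run it executes a script from a user-global npm directory that this repository neither pins nor reviews. Resolve `node` from PATH and point at a repo-relative or version-pinned copy of the hook script, or keep this file out of version control.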
| GauntletCI is a pre-commit developer tool that runs every changeset through | ||
| an 18-rule LLM-driven audit before it is committed. It behaves like the best | ||
| senior engineer you know reading your diff with full attention and no | ||
| obligation to be polite about what they find. | ||
|
|
||
| The name is the product promise: you run the gauntlet before you ship. You | ||
| do not get through by looking good. You get through by actually holding up. | ||
|
|
||
| This is NOT a static heuristic engine. Do not build pattern-matching rules. | ||
| Do not build a classifier. Do not build a confidence scoring system. The model | ||
| does the judgment. Your job is context assembly, prompt structure, and | ||
| delivery. |
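Review bot: the "18-rule LLM-driven audit" figure and the "Do not build pattern-matching rules" instruction in this agent-facing text contradict the rest of the PR, where the tests expect 34 enabled rules and GCI0057 is a Regex-based detector. An agent that follows this wording will be steered away from how the rule engine is actually built; update the count and describe the rule architecture as it exists, or drop these paragraphs.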
| @@ -19,16 +19,7 @@ public GCI0057_BlockingAsyncViolation(IPatternProvider patterns) : base(patterns | |||
| } | |||
|
|
|||
| public override string Id => "GCI0057"; | |||
| public override string Name => "Blocking Async Pattern Violation"; | |||
|
|
|||
| private static readonly Regex BlockingResultPattern = | |||
| new(@"\.\s*Result\s*(?:[;\,\)\]])", RegexOptions.Compiled); | |||
|
|
|||
| private static readonly Regex BlockingWaitPattern = | |||
| new(@"\.\s*Wait\s*\(\s*(?:\)|[^)]*\))", RegexOptions.Compiled); | |||
|
|
|||
| private static readonly Regex BlockingGetResultPattern = | |||
| new(@"\.GetAwaiter\s*\(\s*\)\s*\.GetResult\s*\(\s*\)", RegexOptions.Compiled); | |||
| public override string Name => "Synchronous File I/O"; | |||
|
|
|||
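Review bot: `Name` becomes "Synchronous File I/O" while the class in the hunk header is still `GCI0057_BlockingAsyncViolation`, so the type name now describes behaviour the rule no longer has. Rename the class and file to match, or add a comment explaining why the old name is kept; and since the three `Blocking*Pattern` regexes are deleted here, state in the rule's docstring which rule is now responsible for `.Result`, `.Wait()` and `.GetAwaiter().GetResult()`.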
| try | ||
| { | ||
| var findings = await rule.EvaluateAsync(context, ruleCts.Token).ConfigureAwait(false); | ||
| foreach (var f in findings) f.Severity = severity; | ||
| foreach (var f in findings) | ||
| f.Severity = f.SeverityOverride ?? severity; | ||
| allFindings.AddRange(findings); |
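Review bot: in the new `foreach`, `f.Severity = f.SeverityOverride ?? severity;` lets any non-null override replace the rule-level `severity` in either direction, so a rule can raise a finding to Block even where the rule-level value is lower. If the rule-level value is meant to act as a ceiling, clamp the override against it here; otherwise state the precedence in a comment and cover it with an orchestrator test.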
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0540eaedc5
| continue; | ||
|
|
||
| CheckBlockingAsyncCalls(file, findings); | ||
| CheckSyncFileIo(file, findings); |
Preserve blocking-async coverage when narrowing GCI0057
This change drops `CheckBlockingAsyncCalls` entirely, so GCI0057 no longer catches `.Result`/`.Wait()` patterns and relies on GCI0016 for that coverage. In `GCI0016_ConcurrencyAndStateRisk.IsLegitimateAsyncPattern` (lines 205-209), any line containing markers like "intentional" or "by design" is skipped, which means a real blocking call such as `GetDataAsync().Result // by design` can now evade both rules. Before this commit, GCI0057 would still report these lines, so this introduces a false-negative path for deadlock-prone sync-over-async code.
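The coverage gap described in the Codex comment above, as an added example (not GauntletCI's own code): it runs the three regexes this PR removes from GCI0057 over constructed diff lines and applies an assumed marker skip modeled on that comment's description of `IsLegitimateAsyncPattern`. The `Markers` list, the `Unreported` helper and the sample lines are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

static class CoverageGapDemo
{
    // The three patterns removed from GCI0057 in this PR, copied from the diff above.
    static readonly Regex[] Blocking =
    {
        new(@"\.\s*Result\s*(?:[;\,\)\]])", RegexOptions.Compiled),
        new(@"\.\s*Wait\s*\(\s*(?:\)|[^)]*\))", RegexOptions.Compiled),
        new(@"\.GetAwaiter\s*\(\s*\)\s*\.GetResult\s*\(\s*\)", RegexOptions.Compiled),
    };

    // Assumption: stand-in for the marker skip the review attributes to GCI0016's
    // IsLegitimateAsyncPattern; only the two markers it names are modeled.
    static readonly string[] Markers = { "intentional", "by design" };

    static bool IsBlocking(string line) => Blocking.Any(r => r.IsMatch(line));
    static bool HasMarker(string line) =>
        Markers.Any(m => line.Contains(m, StringComparison.OrdinalIgnoreCase));

    // Lines a pattern-only rule would report but a marker-skipping rule drops.
    public static List<string> Unreported(IEnumerable<string> addedLines) =>
        addedLines.Where(l => IsBlocking(l) && HasMarker(l)).ToList();

    static void Main()
    {
        // Constructed sample of added diff lines.
        string[] added =
        {
            "var data = GetDataAsync().Result; // by design",
            "task.Wait(); // intentional, startup path",
            "var x = LoadAsync().GetAwaiter().GetResult();",
            "var y = await LoadAsync(); // by design",
            "var text = File.ReadAllText(path);",
        };

        foreach (var line in added)
        {
            string verdict = !IsBlocking(line) ? "no blocking call"
                : HasMarker(line) ? "blocking, skipped by marker -> no finding"
                : "blocking, reported";
            Console.WriteLine($"{verdict,-42} | {line}");
        }
        Console.WriteLine($"Unreported blocking lines: {Unreported(added).Count}");
    }
}
```

A regression test that feeds lines like the first two through the full enabled rule set and asserts at least one finding would pin down whether the gap exists in the real rules.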
Summary
- `SeverityOverride` so rules like GCI0003 can emit Block, Warn, and Info findings in one pass; orchestrator respects overrides.
- `.cursor/` content.
Test plan
- `dotnet test` — all tests passing locally before commit
- `ctx doctor` to verify context-mode MCP reconnects
- `.cursor/mcp.json` loads