ReddRadar
Agent skill
deferred-finding
Use when a review finding cannot be fixed in current PR - creates properly documented tracking issue with full context, linked to parent, following full issue-driven-development process
Install this agent skill to your Project
npx add-skill https://github.com/troykelly/codex-skills/tree/main/skills/deferred-finding
SKILL.md
Deferred Finding
Overview
Process for creating tracking issues when review findings cannot be addressed in the current PR.
Core principle: No finding disappears. Every deferral is tracked.
ABSOLUTE REQUIREMENT: Deferred findings MUST have tracking issues. There is no other option.
When to Defer
A finding may ONLY be deferred when:
| Valid Reason | Example |
|---|---|
| Out of scope | Finding requires architectural change beyond PR scope |
| External dependency | Requires infrastructure/config change |
| Breaking change | Would require major version bump |
| Separate concern | Logically independent from current work |
Never Defer Without Tracking
| Invalid Approach | Reality |
|---|---|
| "We'll fix it later" | Without tracking, later never comes |
| "It's minor" | Minor issues compound into major problems |
| "Not my problem" | You found it, you track it |
| "Good enough" | Good enough creates technical debt |
Deferral Process
Step 1: Verify Deferral is Appropriate
Ask yourself:
- Can this reasonably be fixed in this PR? If yes, FIX IT.
- Is there a valid reason from the "When to Defer" table?
- Have you tried to fix it first?
Step 2: Determine Finding Details
Document:
- What is the finding?
- Why is it a problem?
- Where in the code?
- What's the severity?
- Why can't it be fixed now?
Step 3: Create Tracking Issue
Use this template:
## [Finding] [Brief description] (from #[PARENT])
### Origin
This issue was created during code review of #[PARENT_ISSUE].
| Property | Value |
|----------|-------|
| Parent Issue | #[PARENT_ISSUE] |
| Parent PR | #[PARENT_PR] (if exists) |
| Finding ID | F-[PARENT]-[N] |
| Severity | [CRITICAL/HIGH/MEDIUM/LOW] |
| Review Criterion | [Which of 7 criteria OR OWASP category] |
| Depth | [N] |
### Finding Details
**What was found:**
[Detailed description of the issue - be specific]
**Location:**
- File: `[path/to/file.ts]`
- Line(s): [N-M]
- Function: `[functionName()]`
**Why it matters:**
[Impact if not addressed - be concrete]
**Evidence:**
```[language]
[Code snippet showing the issue]
Why Deferred
[Explain why this cannot be fixed in the parent PR]
| Reason | Details |
|---|---|
| Category | [out-of-scope / external-dependency / breaking-change / separate-concern] |
| Justification | [Specific explanation] |
Acceptance Criteria
- [Specific criterion 1 - must be verifiable]
- [Specific criterion 2]
- [How to verify the fix]
Links
- Parent Issue: #[PARENT_ISSUE]
- Review Comment: [Link to review artifact if applicable]
Labels: review-finding, spawned-from:#[PARENT], depth:[N], [severity]
This issue follows the full issue-driven-development process including its own code review.
### Step 4: Create Issue via CLI
```bash
gh issue create \
--title "[Finding] Rate limiting needed on auth endpoint (from #123)" \
--body "$(cat <<'EOF'
[Full template body here]
EOF
)" \
--label "review-finding" \
--label "depth:1" \
--label "high"
Note: Create the spawned-from:#N label if it doesn't exist:
gh label create "spawned-from:#123" --color "C2E0C6" --description "Spawned from issue #123" 2>/dev/null || true
gh issue edit [NEW_ISSUE] --add-label "spawned-from:#123"
Step 5: Update Review Artifact
Add the new issue to the "Findings Deferred" section:
### Findings Deferred (With Tracking Issues)
| # | Severity | Finding | Tracking Issue | Justification |
|---|----------|---------|----------------|---------------|
| 1 | HIGH | Rate limiting needed | #456 | Requires infrastructure changes |
Step 6: Update Parent Issue (If Deviation Required)
If the deferred finding BLOCKS the parent PR (e.g., critical security issue):
# Add awaiting label
gh issue edit 123 --add-label "status:awaiting-dependencies"
# Post deviation comment
gh issue comment 123 --body "$(cat <<'EOF'
## Deviation: Awaiting Dependencies
This issue cannot proceed until deferred findings are resolved.
| Property | Value |
|----------|-------|
| Blocked At | Step 9 (Code Review) |
| Dependencies | #456 |
| Reason | Critical deferred finding blocks PR |
Work will resume when #456 is complete.
EOF
)"
Tracking Issue Lifecycle
Once created, the tracking issue:
- Is a first-class issue - Full issue-driven-development process
- Gets its own review - Cannot skip comprehensive-review
- May create its own deferrals - Depth increments
- Closes independently - Does not auto-close with parent
Depth Tracking
| Depth | Meaning |
|---|---|
| 1 | Finding from original issue's review |
| 2 | Finding from a depth-1 issue's review |
| 3+ | Deeper nesting - flag for human attention |
At depth 3+:
**Deep Finding Chain Detected**
This issue is at depth [N]. Chain:
- #100 (original)
- #101 (depth 1)
- #102 (depth 2)
- #103 (depth 3) - Current
Consider: Is there a systemic issue requiring broader attention?
Labels
Required labels for tracking issues:
| Label | Purpose |
|---|---|
review-finding |
Identifies as born from review |
spawned-from:#N |
Links to parent issue |
depth:N |
Tracks nesting level |
[severity] |
critical/high/medium/low |
Optional labels:
security- Security-related findingstatus:pending- Ready for work
Checklist
Before marking finding as deferred:
- Verified cannot fix in current PR
- Valid deferral reason documented
- Tracking issue created with full template
- Issue has all required labels
- Issue linked to parent
- Review artifact updated with tracking issue number
- Parent issue updated (if deviation required)
Integration
This skill is called by:
apply-all-findings- When finding cannot be fixedcomprehensive-review- When documenting deferrals
This skill creates:
- New GitHub issues following full
issue-driven-developmentprocess - Deviation state on parent issue (if blocking)
This skill references:
issue-lifecycle- Issue managementissue-driven-development- Process for new issues
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
troykelly/codex-skills
hook-development
Use when the user wants to create Codex workflow hooks (pre/post run gates, tool-use validators, stop checks) or needs guidance on hook scripts and hooks.json configuration.
troykelly/codex-skills
sentry-setup-ai-monitoring
Setup Sentry AI Agent Monitoring in any project. Use this when asked to add AI monitoring, track LLM calls, monitor AI agents, or instrument OpenAI/Anthropic/Vercel AI/LangChain/Google GenAI. Automatically detects installed AI SDKs and configures the appropriate Sentry integration.
troykelly/codex-skills
agent-development
Use when the user wants to design Codex agent equivalents (specialized workers/profiles/prompt files), define triggering conditions, or build reusable agent prompts and validation tools.
troykelly/codex-skills
skill-development
Use when the user wants to create or refine Codex skills, improve skill descriptions, organize skill resources, or follow Codex skill best practices.
troykelly/codex-skills
sentry-setup-logging
Setup Sentry Logging in any project. Use this when asked to add Sentry logs, enable structured logging, setup console log capture, or integrate logging with Sentry. Supports JavaScript, TypeScript, Python, Ruby, React, Next.js, and other frameworks.
troykelly/codex-skills
frontend-design
Create distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, or applications. Generates creative, polished code that avoids generic AI aesthetics.
Didn't find tool you were looking for?