--- name: trace-mcp-pre-commit description: Run trace-mcp security, quality-gate, and antipattern checks before committing or opening a PR. Activate when the agent is about to create a commit or pull request in a project indexed by trace-mcp. --- # trace-mcp — Pre-Commit & Pre-PR Checks Before creating a commit or opening a pull request, run the trace-mcp validation suite. Fix any critical or high findings before committing. ## When to Use - The user asks to commit, stage, or push changes - The user asks to open a PR - The agent has finished implementing a feature or fix and is about to hand off ## Checklist ### 1. Security scan ``` scan_security({ rules: ["all"] }) ``` OWASP Top-10 vulnerability scan across the changed scope. If the change touches untrusted data flows, add: ``` taint_analysis({}) ``` Trace untrusted sources to sensitive sinks (SQL, shell, file system, HTTP). ### 2. Quality gates on the changed scope ``` check_quality_gates({ scope: "changed" }) ``` Validates complexity, coverage, duplication, and any project-configured gates on only the files you changed. ### 3. Antipattern scan ``` detect_antipatterns({}) ``` Flags N+1 queries, eager loading, inefficient iteration, and language-specific performance footguns. ### 4. Symbol-level diff for the PR description ``` compare_branches({ branch: "current" }) ``` Produces a symbol-level diff (functions added/removed/modified, signatures changed, exports changed). Use this as the basis for an accurate PR description instead of a raw line diff. ### 5. Bug prediction (optional, for risky changes) ``` predict_bugs({}) get_risk_hotspots({}) ``` Flags files where the combination of high complexity and high churn makes regressions likely. If your change touches a hotspot, add extra tests. ## Fix or Escalate - **Critical / High findings:** fix before committing. Do not suppress without discussion. - **Medium findings:** fix if cheap, otherwise note in the PR description. - **Low / Info findings:** note in the PR description. ## After Commit If the commit is part of a larger series, consider: ``` get_changed_symbols({ since: "" }) ``` to generate an accurate changelog entry grounded in the symbol graph rather than commit messages.