update risk mgmt

mcp-release-bot · mcp-release-bot · commit 793316688160 · 2025-09-23T12:21:21.000+03:00
diff --git a/src/mcp_as_a_judge/prompts/system/judge_coding_plan.md b/src/mcp_as_a_judge/prompts/system/judge_coding_plan.md
@@ -166,7 +166,16 @@ Output mapping requirement: Populate these fields in current_task_metadata for d
 
 **⚠️ Risk Analysis:**
 - Validate that potential risks are properly identified and addressed
-- Required risk categories to consider: OAuth/authentication misconfiguration, insecure cookie/session settings, CSRF vulnerabilities, open redirect attacks, session fixation, secret leakage, database migration failures, XSS from external data, dependency vulnerabilities, rate limiting absence, environment mismatches
+- Required risk categories to consider:
+  - **Security risks**: Authentication/authorization vulnerabilities, data exposure, input validation gaps, session management issues, dependency vulnerabilities, configuration security
+  - **Performance degradation**: Memory leaks, inefficient algorithms, database query performance, resource exhaustion
+  - **Breaking changes**: API compatibility issues, backward compatibility problems, migration path failures
+  - **Code maintainability**: Technical debt accumulation, tight coupling, SOLID principle violations, architectural degradation
+  - **System reliability**: Error handling gaps, race conditions, concurrent access issues, failure recovery problems
+  - **Data integrity**: Inconsistent state management, validation gaps, data corruption risks
+  - **User experience**: Response time degradation, accessibility regressions, usability issues
+  - **Testing coverage**: Reduced test coverage, flaky tests, missing edge cases, test maintenance issues
+  - **Documentation drift**: Outdated documentation, missing API docs, unclear error messages
 - Are identified risks realistic and comprehensive?
 - Do mitigation strategies adequately address the risks (one-to-one mapping)?
 - Does the plan include appropriate safeguards and rollback mechanisms?
diff --git a/src/mcp_as_a_judge/prompts/system/workflow_guidance.md b/src/mcp_as_a_judge/prompts/system/workflow_guidance.md
@@ -103,7 +103,7 @@ When recommending judge_coding_plan, your preparation_needed MUST include compre
 **STRUCTURE REQUIREMENTS:**
 - "Ensure library_plan includes ALL dependencies: framework, auth, database, styling, testing, linting, validation"
 - "Ensure design_patterns specifies concrete patterns: Singleton, Factory, Adapter, Strategy, etc."
-- "Ensure identified_risks covers: security, configuration, data loss, authorization, secrets, dependencies"
+- "Ensure identified_risks covers: security vulnerabilities, performance degradation, breaking changes, maintainability issues, system reliability, data integrity, user experience, testing coverage, documentation drift"
 - "Ensure each risk has corresponding mitigation strategy in same order"
 - "Include comprehensive testing strategy with specific test files and mocking approach"
 - "Map SOLID principles explicitly to components and files"
diff --git a/src/mcp_as_a_judge/workflow/workflow_guidance.py b/src/mcp_as_a_judge/workflow/workflow_guidance.py
@@ -943,15 +943,15 @@ def _generate_plan_required_fields(
                     description="Areas that could be harmed by the proposed changes",
                     required=True,
                     conditional_on="risk_assessment_required",
-                    example_value='["OAuth misconfiguration", "CSRF attacks", "Session fixation"]',
+                    example_value='["Authentication vulnerabilities", "Performance degradation from inefficient queries", "Breaking API changes"]',
                 ),
                 PlanRequiredField(
                     name="risk_mitigation_strategies",
                     type="list[str]",
                     description="Strategies to mitigate identified risks (same order as identified_risks)",
                     required=True,
                     conditional_on="risk_assessment_required",
-                    example_value='["Use Auth.js secure defaults", "Enable CSRF protection", "Rotate sessions on login"]',
+                    example_value='["Implement secure authentication patterns", "Add database indexing and query optimization", "Use versioned APIs with deprecation notices"]',
                 ),
             ]
         )
@@ -1105,7 +1105,7 @@ def _load_plan_evaluation_criteria() -> str:
 - Development tooling included (linting, formatting, type checking)
 
 ### 4. Security & Risk Management
-- Comprehensive risk enumeration: OAuth misconfiguration, secret leakage, insecure cookies, CSRF, session attacks
+- Comprehensive risk enumeration: security vulnerabilities, performance degradation, breaking changes, maintainability issues, system reliability, data integrity
 - One-to-one risk mitigation strategies
 - Security headers and protection mechanisms
 - Environment variable security and validation
