# Pitfall Log

Project: The-PR-Agent/pr-agent

Summary: Found 38 potential pitfall items; 5 are high/blocking. Highest priority: installation - Source evidence: Allow specifying a custom branch for locating `.pr_agent.toml`.

## 1. installation · Source evidence: Allow specifying a custom branch for locating `.pr_agent.toml`

- Severity: high
- Evidence strength: source_linked
- Finding: GitHub community evidence shows an unverified installation-related issue in this project: Allow specifying a custom branch for locating `.pr_agent.toml`
- User impact: May increase the cost for new users to trial the project and onboard it into production.
- Suggested check: The source issue is still open; Pack Agent needs to re-check whether it still affects the current version.
- Guardrail action: Do not amplify this into a definitive conclusion detached from the source link; annotate the applicable version and review status.
- Evidence: community_evidence:github | cevd_6aa2027573564d778bdccf1c0e603a0f | https://github.com/The-PR-Agent/pr-agent/issues/1977 | Unverified usage condition exposed by source type github_issue.

## 2. security_permissions · Failure mode: security_permissions: Add support for Databricks hosted models

- Severity: high
- Evidence strength: source_linked
- Finding: Developers should check this security_permissions risk before relying on the project: Add support for Databricks hosted models
- User impact: Developers may expose sensitive permissions or credentials: Add support for Databricks hosted models
- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: Add support for Databricks hosted models. Context: Observed when using python, docker
- Guardrail action: Do not recommend enabling privileged or credential-bearing paths until the source-backed risk is reviewed: https://github.com/The-PR-Agent/pr-agent/issues/2246
- Evidence: failure_mode_cluster:github_issue | fmev_63e7f7511bd7314419df2ded4a1a20e9 | https://github.com/The-PR-Agent/pr-agent/issues/2246 | Add support for Databricks hosted models

## 3. security_permissions · Source evidence: Add support for Databricks hosted models

- Severity: high
- Evidence strength: source_linked
- Finding: GitHub community evidence shows an unverified security/permissions-related issue in this project: Add support for Databricks hosted models
- User impact: May affect authorization, key configuration, or security boundaries.
- Suggested check: The source issue is still open; Pack Agent needs to re-check whether it still affects the current version.
- Guardrail action: Do not amplify this into a definitive conclusion detached from the source link; annotate the applicable version and review status.
- Evidence: community_evidence:github | cevd_6b5b4692165240e5a79137dc9335bd50 | https://github.com/The-PR-Agent/pr-agent/issues/2246 | The source discussion mentions docker-related conditions; re-check before installing or trialing.

## 4. security_permissions · Source evidence: GITLAB 404 project not found

- Severity: high
- Evidence strength: source_linked
- Finding: GitHub community evidence shows an unverified security/permissions-related issue in this project: GITLAB 404 project not found
- User impact: May affect authorization, key configuration, or security boundaries.
- Suggested check: The source issue is still open; Pack Agent needs to re-check whether it still affects the current version.
- Guardrail action: Do not amplify this into a definitive conclusion detached from the source link; annotate the applicable version and review status.
- Evidence: community_evidence:github | cevd_04774e9f24034b56b080d2af0875b7fd | https://github.com/The-PR-Agent/pr-agent/issues/2282 | The source discussion mentions python-related conditions; re-check before installing or trialing.

## 5. security_permissions · Source evidence: Incorrect Inline Code Suggestion Formatting in Azure DevOps

- Severity: high
- Evidence strength: source_linked
- Finding: GitHub community evidence shows an unverified security/permissions-related issue in this project: Incorrect Inline Code Suggestion Formatting in Azure DevOps
- User impact: May affect upgrade, migration, or version selection.
- Suggested check: The source issue is still open; Pack Agent needs to re-check whether it still affects the current version.
- Guardrail action: Do not amplify this into a definitive conclusion detached from the source link; annotate the applicable version and review status.
- Evidence: community_evidence:github | cevd_d01349d41e8a48db89a80ebdb4ca9bde | https://github.com/The-PR-Agent/pr-agent/issues/2110 | The source discussion mentions docker-related conditions; re-check before installing or trialing.

## 6. installation · Failure mode: installation: Bug + feature: `-i` (incremental review) crashes on Azure DevOps; needs full incremental supp...

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this installation risk before relying on the project: Bug + feature: `-i` (incremental review) crashes on Azure DevOps; needs full incremental support in AzureDevopsProvider
- User impact: Developers may fail before the first successful local run: Bug + feature: `-i` (incremental review) crashes on Azure DevOps; needs full incremental support in AzureDevopsProvider
- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: Bug + feature: `-i` (incremental review) crashes on Azure DevOps; needs full incremental support in AzureDevopsProvider. Context: Observed when using python
- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.
- Evidence: failure_mode_cluster:github_issue | fmev_f812843570a304cde8d165f9bd42e8dc | https://github.com/The-PR-Agent/pr-agent/issues/2379 | Bug + feature: `-i` (incremental review) crashes on Azure DevOps; needs full incremental support in AzureDevopsProvider

## 7. installation · Failure mode: installation: feat: support agent skills for context-aware review guidance

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this installation risk before relying on the project: feat: support agent skills for context-aware review guidance
- User impact: Developers may fail before the first successful local run: feat: support agent skills for context-aware review guidance
- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: feat: support agent skills for context-aware review guidance. Context: Observed when using python
- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.
- Evidence: failure_mode_cluster:github_issue | fmev_6fae5a58920d170992e268f4837b86a9 | https://github.com/The-PR-Agent/pr-agent/issues/2384 | feat: support agent skills for context-aware review guidance

## 8. installation · Failure mode: installation: v0.35.0

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this installation risk before relying on the project: v0.35.0
- User impact: Upgrade or migration may change expected behavior: v0.35.0
- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: v0.35.0. Context: Observed when using python, docker, windows
- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.
- Evidence: failure_mode_cluster:github_release | fmev_c8b7b30719c4160c5c0104029f83e764 | https://github.com/The-PR-Agent/pr-agent/releases/tag/v0.35.0 | v0.35.0

## 9. installation · Source evidence: CORS error on Azure DevOps when displaying "Work in progress" loading GIF

- Severity: medium
- Evidence strength: source_linked
- Finding: GitHub community evidence shows an unverified installation-related issue in this project: CORS error on Azure DevOps when displaying "Work in progress" loading GIF
- User impact: May increase the cost for new users to trial the project and onboard it into production.
- Suggested check: The source indicates that a fix, workaround, or version change may already exist; the guide must state the applicable version.
- Guardrail action: Do not amplify this into a definitive conclusion detached from the source link; annotate the applicable version and review status.
- Evidence: community_evidence:github | cevd_befb1a7b72d44beba27f8ffc0e2646ca | https://github.com/The-PR-Agent/pr-agent/issues/2223 | The source discussion mentions docker-related conditions; re-check before installing or trialing.

## 10. installation · Source evidence: Publish linux/arm64 Docker image for github_app tag

- Severity: medium
- Evidence strength: source_linked
- Finding: GitHub community evidence shows an unverified installation-related issue in this project: Publish linux/arm64 Docker image for github_app tag
- User impact: May increase the cost for new users to trial the project and onboard it into production.
- Suggested check: The source issue is still open; Pack Agent needs to re-check whether it still affects the current version.
- Guardrail action: Do not amplify this into a definitive conclusion detached from the source link; annotate the applicable version and review status.
- Evidence: community_evidence:github | cevd_8cb9e552d2e2452cbe958628f6e800b6 | https://github.com/The-PR-Agent/pr-agent/issues/2386 | The source discussion mentions python-related conditions; re-check before installing or trialing.

## 11. installation · Source evidence: [Bug] UnicodeDecodeError in gitea_provider.py when parsing binary files before extension filtering

- Severity: medium
- Evidence strength: source_linked
- Finding: GitHub community evidence shows an unverified installation-related issue in this project: [Bug] UnicodeDecodeError in gitea_provider.py when parsing binary files before extension filtering
- User impact: May block installation or the first run.
- Suggested check: The source issue is still open; Pack Agent needs to re-check whether it still affects the current version.
- Guardrail action: Do not amplify this into a definitive conclusion detached from the source link; annotate the applicable version and review status.
- Evidence: community_evidence:github | cevd_52bd470b7b5e4be6858b290e41c93036 | https://github.com/The-PR-Agent/pr-agent/issues/2380 | The source discussion mentions docker-related conditions; re-check before installing or trialing.

## 12. installation · Source evidence: [Bug] `temperature` parameter sent to claude-opus-4-7 causes 400 from Anthropic

- Severity: medium
- Evidence strength: source_linked
- Finding: GitHub community evidence shows an unverified installation-related issue in this project: [Bug] `temperature` parameter sent to claude-opus-4-7 causes 400 from Anthropic
- User impact: May affect upgrade, migration, or version selection.
- Suggested check: The source issue is still open; Pack Agent needs to re-check whether it still affects the current version.
- Guardrail action: Do not amplify this into a definitive conclusion detached from the source link; annotate the applicable version and review status.
- Evidence: community_evidence:github | cevd_14856949ca534836a7f707e2c1333b17 | https://github.com/The-PR-Agent/pr-agent/issues/2400 | The source discussion mentions python-related conditions; re-check before installing or trialing.

## 13. installation · Source evidence: v0.34.2

- Severity: medium
- Evidence strength: source_linked
- Finding: GitHub community evidence shows an unverified installation-related issue in this project: v0.34.2
- User impact: May increase the cost for new users to trial the project and onboard it into production.
- Suggested check: The source indicates that a fix, workaround, or version change may already exist; the guide must state the applicable version.
- Guardrail action: Do not amplify this into a definitive conclusion detached from the source link; annotate the applicable version and review status.
- Evidence: community_evidence:github | cevd_4bc22335937e44c0b529ab84d1e69a60 | https://github.com/The-PR-Agent/pr-agent/releases/tag/v0.34.2 | The source discussion mentions docker-related conditions; re-check before installing or trialing.

## 14. configuration · Failure mode: configuration: /improve on GitLab duplicates the persistent suggestions thread on every push once the previo...

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: /improve on GitLab duplicates the persistent suggestions thread on every push once the previous one has any reply
- User impact: Developers may misconfigure credentials, environment, or host setup: /improve on GitLab duplicates the persistent suggestions thread on every push once the previous one has any reply
- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: /improve on GitLab duplicates the persistent suggestions thread on every push once the previous one has any reply. Context: Observed when using python
- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.
- Evidence: failure_mode_cluster:github_issue | fmev_f4643954c8dbe2f730d31cefbeaa8c78 | https://github.com/The-PR-Agent/pr-agent/issues/2402 | /improve on GitLab duplicates the persistent suggestions thread on every push once the previous one has any reply

## 15. configuration · Failure mode: configuration: Allow specifying a custom branch for locating `.pr_agent.toml`

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: Allow specifying a custom branch for locating `.pr_agent.toml`
- User impact: Developers may misconfigure credentials, environment, or host setup: Allow specifying a custom branch for locating `.pr_agent.toml`
- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: Allow specifying a custom branch for locating `.pr_agent.toml`. Context: Source discussion did not expose a precise runtime context.
- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.
- Evidence: failure_mode_cluster:github_issue | fmev_339ee91f6568996765e72eae51a899dd | https://github.com/The-PR-Agent/pr-agent/issues/1977 | Allow specifying a custom branch for locating `.pr_agent.toml`

## 16. configuration · Failure mode: configuration: AzureDevopsProvider.get_repo_settings drops chunks after the first, silently truncating .pr_a...

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: AzureDevopsProvider.get_repo_settings drops chunks after the first, silently truncating .pr_agent.toml
- User impact: Developers may misconfigure credentials, environment, or host setup: AzureDevopsProvider.get_repo_settings drops chunks after the first, silently truncating .pr_agent.toml
- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: AzureDevopsProvider.get_repo_settings drops chunks after the first, silently truncating .pr_agent.toml. Context: Observed when using python
- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.
- Evidence: failure_mode_cluster:github_issue | fmev_08e02634b8266f9592093717f3fcb5ac | https://github.com/The-PR-Agent/pr-agent/issues/2376 | AzureDevopsProvider.get_repo_settings drops chunks after the first, silently truncating .pr_agent.toml

## 17. configuration · Failure mode: configuration: CORS error on Azure DevOps when displaying "Work in progress" loading GIF

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: CORS error on Azure DevOps when displaying "Work in progress" loading GIF
- User impact: Developers may misconfigure credentials, environment, or host setup: CORS error on Azure DevOps when displaying "Work in progress" loading GIF
- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: CORS error on Azure DevOps when displaying "Work in progress" loading GIF. Context: Observed when using python, docker, linux
- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.
- Evidence: failure_mode_cluster:github_issue | fmev_683820f79c6410463ae03829a7e5eb54 | https://github.com/The-PR-Agent/pr-agent/issues/2223 | CORS error on Azure DevOps when displaying "Work in progress" loading GIF

## 18. configuration · Failure mode: configuration: GITLAB 404 project not found

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: GITLAB 404 project not found
- User impact: Developers may misconfigure credentials, environment, or host setup: GITLAB 404 project not found
- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: GITLAB 404 project not found. Context: Observed when using python
- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.
- Evidence: failure_mode_cluster:github_issue | fmev_b2e82742d50cf2a8c0c2c182eb4f3928 | https://github.com/The-PR-Agent/pr-agent/issues/2282 | GITLAB 404 project not found

## 19. configuration · Failure mode: configuration: Incorrect Inline Code Suggestion Formatting in Azure DevOps

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: Incorrect Inline Code Suggestion Formatting in Azure DevOps
- User impact: Developers may misconfigure credentials, environment, or host setup: Incorrect Inline Code Suggestion Formatting in Azure DevOps
- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: Incorrect Inline Code Suggestion Formatting in Azure DevOps. Context: Observed when using python, docker, linux
- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.
- Evidence: failure_mode_cluster:github_issue | fmev_abf700a9dc4cdcc58a9bdae1a8ee37c0 | https://github.com/The-PR-Agent/pr-agent/issues/2110 | Incorrect Inline Code Suggestion Formatting in Azure DevOps

## 20. configuration · Failure mode: configuration: OSS build silently ignores best_practices.md (currently SaaS-only)

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: OSS build silently ignores best_practices.md (currently SaaS-only)
- User impact: Developers may misconfigure credentials, environment, or host setup: OSS build silently ignores best_practices.md (currently SaaS-only)
- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: OSS build silently ignores best_practices.md (currently SaaS-only). Context: Observed when using python
- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.
- Evidence: failure_mode_cluster:github_issue | fmev_6490ac18c4cc673d33dcc567f7b6f466 | https://github.com/The-PR-Agent/pr-agent/issues/2377 | OSS build silently ignores best_practices.md (currently SaaS-only)

## 21. configuration · Failure mode: configuration: [Bug] UnicodeDecodeError in gitea_provider.py when parsing binary files before extension filt...

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: [Bug] UnicodeDecodeError in gitea_provider.py when parsing binary files before extension filtering
- User impact: Developers may misconfigure credentials, environment, or host setup: [Bug] UnicodeDecodeError in gitea_provider.py when parsing binary files before extension filtering
- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: [Bug] UnicodeDecodeError in gitea_provider.py when parsing binary files before extension filtering. Context: Observed when using docker
- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.
- Evidence: failure_mode_cluster:github_issue | fmev_e66caf8bd4ddcbc747835f854317ef45 | https://github.com/The-PR-Agent/pr-agent/issues/2380 | [Bug] UnicodeDecodeError in gitea_provider.py when parsing binary files before extension filtering

## 22. configuration · Failure mode: configuration: [Bug] `temperature` parameter sent to claude-opus-4-7 causes 400 from Anthropic

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: [Bug] `temperature` parameter sent to claude-opus-4-7 causes 400 from Anthropic
- User impact: Developers may misconfigure credentials, environment, or host setup: [Bug] `temperature` parameter sent to claude-opus-4-7 causes 400 from Anthropic
- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: [Bug] `temperature` parameter sent to claude-opus-4-7 causes 400 from Anthropic. Context: Observed when using python, docker
- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.
- Evidence: failure_mode_cluster:github_issue | fmev_48f61c9074aaf84acadaada17c3514fa | https://github.com/The-PR-Agent/pr-agent/issues/2400 | [Bug] `temperature` parameter sent to claude-opus-4-7 causes 400 from Anthropic

## 23. configuration · Failure mode: configuration: v0.33

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: v0.33
- User impact: Upgrade or migration may change expected behavior: v0.33
- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: v0.33. Context: Source discussion did not expose a precise runtime context.
- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.
- Evidence: failure_mode_cluster:github_release | fmev_3a2819a8993abeddf308dd2a4c20c5d1 | https://github.com/The-PR-Agent/pr-agent/releases/tag/v0.33 | v0.33

## 24. configuration · Failure mode: configuration: v0.34

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: v0.34
- User impact: Upgrade or migration may change expected behavior: v0.34
- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: v0.34. Context: Source discussion did not expose a precise runtime context.
- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.
- Evidence: failure_mode_cluster:github_release | fmev_57bd9625e730f20342967abef2739c49 | https://github.com/The-PR-Agent/pr-agent/releases/tag/v0.34 | v0.34

## 25. configuration · Source evidence: AzureDevopsProvider.get_repo_settings drops chunks after the first, silently truncating .pr_agent.toml

- Severity: medium
- Evidence strength: source_linked
- Finding: GitHub community evidence shows an unverified configuration-related issue in this project: AzureDevopsProvider.get_repo_settings drops chunks after the first, silently truncating .pr_agent.toml
- User impact: May increase the cost for new users to trial the project and onboard it into production.
- Suggested check: The source issue is still open; Pack Agent needs to re-check whether it still affects the current version.
- Guardrail action: Do not amplify this into a definitive conclusion detached from the source link; annotate the applicable version and review status.
- Evidence: community_evidence:github | cevd_4ee2a84ba307469b9b329a043a70a224 | https://github.com/The-PR-Agent/pr-agent/issues/2376 | The source discussion mentions python-related conditions; re-check before installing or trialing.

## 26. configuration · Source evidence: Ticket context not scoped per PR in long-lived deployments — stale tickets leak between unrelated PRs

- Severity: medium
- Evidence strength: source_linked
- Finding: GitHub community evidence shows an unverified configuration-related issue in this project: Ticket context not scoped per PR in long-lived deployments — stale tickets leak between unrelated PRs
- User impact: May increase the cost for new users to trial the project and onboard it into production.
- Suggested check: The source issue is still open; Pack Agent needs to re-check whether it still affects the current version.
- Guardrail action: Do not amplify this into a definitive conclusion detached from the source link; annotate the applicable version and review status.
- Evidence: community_evidence:github | cevd_a9b90b0cfbbf4529b60d65f564f4592e | https://github.com/The-PR-Agent/pr-agent/issues/2383 | The source discussion mentions python-related conditions; re-check before installing or trialing.

## 27. capability · Capability judgment depends on assumptions

- Severity: medium
- Evidence strength: source_linked
- Finding: README/documentation is current enough for a first validation pass.
- User impact: If the assumption does not hold, users will not get the promised capability.
- Suggested check: Convert the assumption into a downstream verification checklist.
- Guardrail action: Assumptions must be converted into verification items; they must not be written up as fact before verification results exist.
- Evidence: capability.assumptions | github_repo:662766482 | https://github.com/The-PR-Agent/pr-agent | README/documentation is current enough for a first validation pass.

## 28. runtime · Failure mode: runtime: Publish linux/arm64 Docker image for github_app tag

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this runtime risk before relying on the project: Publish linux/arm64 Docker image for github_app tag
- User impact: Developers may hit a documented source-backed failure mode: Publish linux/arm64 Docker image for github_app tag
- Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: Publish linux/arm64 Docker image for github_app tag. Context: Observed when using python, docker, linux
- Guardrail action: State this as source-backed community evidence, not as Doramagic reproduction.
- Evidence: failure_mode_cluster:github_issue | fmev_0fdc283afd24a3b8b85d15520113c789 | https://github.com/The-PR-Agent/pr-agent/issues/2386 | Publish linux/arm64 Docker image for github_app tag, failure_mode_cluster:github_issue | fmev_5d0d8e693d605019991cbe932edb560a | https://github.com/The-PR-Agent/pr-agent/issues/2386 | Publish linux/arm64 Docker image for github_app tag

## 29. maintenance · Maintenance activity unknown

- Severity: medium
- Evidence strength: source_linked
- Finding: last_activity_observed is not recorded.
- User impact: New, abandoned, and active projects would be lumped together, lowering trust in the recommendation.
- Suggested check: Add GitHub signals for recent commits, releases, and issue/PR responsiveness.
- Guardrail action: When maintenance activity is unknown, the recommendation strength must not be marked as high trust.
- Evidence: evidence.maintainer_signals | github_repo:662766482 | https://github.com/The-PR-Agent/pr-agent | last_activity_observed missing

## 30. security_permissions · Downstream validation found risk items

- Severity: medium
- Evidence strength: source_linked
- Finding: no_demo
- User impact: Downstream has already requested a review; this must not be downplayed on the page.
- Suggested check: Enter the security/permissions governance review queue.
- Guardrail action: While downstream risk exists, the review/recommendation downgrade must be kept in place.
- Evidence: downstream_validation.risk_items | github_repo:662766482 | https://github.com/The-PR-Agent/pr-agent | no_demo; severity=medium

## 31. security_permissions · Scoring risk present

- Severity: medium
- Evidence strength: source_linked
- Finding: no_demo
- User impact: The risk affects whether the project is suitable for ordinary users to install.
- Suggested check: Write the risk into the boundary card and confirm whether manual review is needed.
- Guardrail action: Scoring risks must go into the boundary card, not remain only an internal score.
- Evidence: risks.scoring_risks | github_repo:662766482 | https://github.com/The-PR-Agent/pr-agent | no_demo; severity=medium

## 32. security_permissions · Source evidence: /improve on GitLab duplicates the persistent suggestions thread on every push once the previous one has any reply

- Severity: medium
- Evidence strength: source_linked
- Finding: GitHub community evidence shows an unverified security/permissions-related issue in this project: /improve on GitLab duplicates the persistent suggestions thread on every push once the previous one has any reply
- User impact: May affect authorization, key configuration, or security boundaries.
- Suggested check: The source issue is still open; Pack Agent needs to re-check whether it still affects the current version.
- Guardrail action: Do not amplify this into a definitive conclusion detached from the source link; annotate the applicable version and review status.
- Evidence: community_evidence:github | cevd_8bf58f5468884b5eab533349076803f3 | https://github.com/The-PR-Agent/pr-agent/issues/2402 | The source discussion mentions python-related conditions; re-check before installing or trialing.

## 33. security_permissions · Source evidence: Bug + feature: `-i` (incremental review) crashes on Azure DevOps; needs full incremental support in AzureDevopsProvider

- Severity: medium
- Evidence strength: source_linked
- Finding: GitHub community evidence shows an unverified security/permissions-related issue in this project: Bug + feature: `-i` (incremental review) crashes on Azure DevOps; needs full incremental support in AzureDevopsProvider
- User impact: May block installation or the first run.
- Suggested check: The source issue is still open; Pack Agent needs to re-check whether it still affects the current version.
- Guardrail action: Do not amplify this into a definitive conclusion detached from the source link; annotate the applicable version and review status.
- Evidence: community_evidence:github | cevd_e65762126ba84855a8440bd9e5a685bb | https://github.com/The-PR-Agent/pr-agent/issues/2379 | The source discussion mentions python-related conditions; re-check before installing or trialing.

## 34. security_permissions · Source evidence: OSS build silently ignores best_practices.md (currently SaaS-only)

- Severity: medium
- Evidence strength: source_linked
- Finding: GitHub community evidence shows an unverified security/permissions-related issue in this project: OSS build silently ignores best_practices.md (currently SaaS-only)
- User impact: May affect authorization, key configuration, or security boundaries.
- Suggested check: The source issue is still open; Pack Agent needs to re-check whether it still affects the current version.
- Guardrail action: Do not amplify this into a definitive conclusion detached from the source link; annotate the applicable version and review status.
- Evidence: community_evidence:github | cevd_f51f28cf40b14b7ca80598af4527661a | https://github.com/The-PR-Agent/pr-agent/issues/2377 | The source discussion mentions python-related conditions; re-check before installing or trialing.

## 35. security_permissions · Source evidence: feat: support agent skills for context-aware review guidance

- Severity: medium
- Evidence strength: source_linked
- Finding: GitHub community evidence shows an unverified security/permissions-related issue in this project: feat: support agent skills for context-aware review guidance
- User impact: May affect authorization, key configuration, or security boundaries.
- Suggested check: The source issue is still open; Pack Agent needs to re-check whether it still affects the current version.
- Guardrail action: Do not amplify this into a definitive conclusion detached from the source link; annotate the applicable version and review status.
- Evidence: community_evidence:github | cevd_59ad4ca55ca248f989c91ce40068cc6d | https://github.com/The-PR-Agent/pr-agent/issues/2384 | Unverified usage condition exposed by source type github_issue.

## 36. security_permissions · Source evidence: litellm success/cost callbacks never fire from pr-agent's async run loop

- Severity: medium
- Evidence strength: source_linked
- Finding: GitHub community evidence shows an unverified security/permissions-related issue in this project: litellm success/cost callbacks never fire from pr-agent's async run loop
- User impact: May affect authorization, key configuration, or security boundaries.
- Suggested check: The source issue is still open; Pack Agent needs to re-check whether it still affects the current version.
- Guardrail action: Do not amplify this into a definitive conclusion detached from the source link; annotate the applicable version and review status.
- Evidence: community_evidence:github | cevd_42f0b36e0c434c939c49c91fc7ccb82a | https://github.com/The-PR-Agent/pr-agent/issues/2378 | The source discussion mentions python-related conditions; re-check before installing or trialing.

## 37. maintenance · issue/PR response quality unknown

- Severity: low
- Evidence strength: source_linked
- Finding: issue_or_pr_quality=unknown.
- User impact: Users cannot tell whether anyone will maintain the project when they hit a problem.
- Suggested check: Sample recent issues/PRs to judge whether they go unhandled for long periods.
- Guardrail action: When issue/PR responsiveness is unknown, the maintenance risk must be flagged.
- Evidence: evidence.maintainer_signals | github_repo:662766482 | https://github.com/The-PR-Agent/pr-agent | issue_or_pr_quality=unknown

## 38. maintenance · Release cadence unclear

- Severity: low
- Evidence strength: source_linked
- Finding: release_recency=unknown.
- User impact: Install commands and documentation may lag behind the code, raising the chance that users hit pitfalls.
- Suggested check: Confirm that the latest release/tag and the README install commands agree.
- Guardrail action: When the release cadence is unknown or stale, the install instructions must note possible drift.
- Evidence: evidence.maintainer_signals | github_repo:662766482 | https://github.com/The-PR-Agent/pr-agent | release_recency=unknown
