From f62125d1f58aed83a510fada45c5e4090d5d41f1 Mon Sep 17 00:00:00 2001
From: Michael Pursifull
Date: Fri, 6 Feb 2026 21:01:59 -0600
Subject: [PATCH] fix: add structured output format to adversarial review task
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add and blocks to Step 3 of review-adversarial-general.xml so adversarial
review findings are presented with severity classification, ordering, and
consistent markdown formatting — matching the pattern used by
editorial-review-prose.xml and editorial-review-structure.xml.

Closes #1489
---
 src/core/tasks/review-adversarial-general.xml | 30 ++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/src/core/tasks/review-adversarial-general.xml b/src/core/tasks/review-adversarial-general.xml
index 421719bb5..58c21e031 100644
--- a/src/core/tasks/review-adversarial-general.xml
+++ b/src/core/tasks/review-adversarial-general.xml
@@ -36,7 +36,35 @@ - Output findings as a Markdown list (descriptions only) + Classify each finding by severity: CRITICAL, HIGH, MEDIUM, or LOW + Order findings by severity (CRITICAL first, LOW last) + Number findings sequentially + Include file path and line number where applicable + Output findings using the format below + + + ## Adversarial Review Findings + + **Findings:** {count} + - Critical: {n} | High: {n} | Medium: {n} | Low: {n} + + 1. **{SEVERITY}** - `{location}` - {description} + 2. **{SEVERITY}** - {description} + ... + + + + ## Adversarial Review Findings + + **Findings:** 5 + - Critical: 0 | High: 2 | Medium: 2 | Low: 1 + + 1. **HIGH** - `login.ts:47` - No rate limiting on failed authentication attempts allows brute force attacks + 2. **HIGH** - Session token stored in localStorage instead of httpOnly cookie, vulnerable to XSS exfiltration + 3. **MEDIUM** - Password validation only enforced client-side; server accepts any string + 4. **MEDIUM** - Failed login attempts not written to audit log + 5. **LOW** - Magic number `3600` should be named constant `SESSION_TIMEOUT_SECONDS` +
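Review bot: the new Step 3 instructions (`+ Classify each finding by severity: CRITICAL, HIGH, MEDIUM, or LOW`) name the four bands but give no criteria for them, so the same issue can land in different buckets from one run to the next; one line per level (what makes a finding CRITICAL versus HIGH, and that LOW covers maintainability items like the `SESSION_TIMEOUT_SECONDS` example) would make the ordering and the counts in the `Critical: {n} | High: {n} | ...` line reproducible. The format template also shows `1. **{SEVERITY}** - `{location}` - {description}` and then `2. **{SEVERITY}** - {description}` without saying that the second form is the no-location case; a short parenthetical on the `Include file path and line number where applicable` line (omit the location segment when none applies) would tie the two shapes to that rule. Minor: in the worked example, findings 2 through 5 describe concrete code behaviour (token storage, validation, logging, a literal `3600`) yet only finding 1 carries a `file:line`, which slightly undercuts the "where applicable" instruction the example is meant to illustrate.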