Description
Found during a deep review of the filters.
1. Vague filter drops security findings (MEDIUM-HIGH)
`src/review/filters/vague.rs`, lines 5-14:
Vague prefixes: "ensure", "verify", "validate", "consider", "review", "confirm", "check", "make sure"
A legitimate security finding like:
- "Verify that the JWT signature is checked before trusting claims"
- "Ensure the SQL query uses parameterized statements"
...is dropped because it starts with a vague prefix. No exemption by severity or category. An Error-severity Security finding is treated the same as a Suggestion-severity Style comment.
Fix: Skip vague filtering for comments with severity >= Warning or category == Security.
2. Feedback confidence adjustment never runs in the standard pipeline (MEDIUM)
`src/review/filters/run.rs`, lines 10-24:
`apply_feedback_confidence_adjustment` is exported and tested but never called inside `apply_review_filters`. The feedback-learned confidence adjustments don't take effect.
Additionally, `apply_confidence_threshold` runs BEFORE any hypothetical feedback adjustment, so demoted comments would never be filtered. The adjustment must run FIRST.
3. Comment type classification is substring-based (LOW-MEDIUM)
The word "token" in "This JWT token is exposed in client-side code" causes classification as `Syntax` instead of `Logic`. If syntax comments have been rejected enough, this security finding gets adaptively suppressed.
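The vague-filter problem in item 1 and the proposed exemption, as an added Rust example (not the project's code; the `Severity`, `Category` and `Comment` types and the function names are assumptions, and the prefix check also applies the whole-word boundary that item 3 asks for):

```rust
// Added example, not the project's code: a minimal model of the vague-prefix filter from
// item 1 with the proposed severity/category exemption. Types and names are assumptions.

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Severity { Suggestion, Warning, Error }

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Category { Style, Logic, Security }

#[derive(Debug)]
pub struct Comment { pub text: String, pub severity: Severity, pub category: Category }

/// The prefixes listed in the issue.
pub const VAGUE_PREFIXES: &[&str] =
    &["ensure", "verify", "validate", "consider", "review", "confirm", "check", "make sure"];

/// True when the comment opens with a vague prefix as a whole word (case-insensitive),
/// so "Reviewed the diff" does not match "review" (the word-boundary point from item 3).
pub fn starts_vague(text: &str) -> bool {
    let lower = text.trim_start().to_lowercase();
    VAGUE_PREFIXES.iter().any(|p| match lower.strip_prefix(*p) {
        Some(rest) => rest.chars().next().map_or(true, |c| !c.is_alphanumeric()),
        None => false,
    })
}

/// Current behaviour described in the issue: every vague-prefixed comment is dropped.
pub fn keep_before_fix(c: &Comment) -> bool {
    !starts_vague(&c.text)
}

/// Proposed fix: severity >= Warning or category == Security bypasses the vague filter.
pub fn keep_after_fix(c: &Comment) -> bool {
    let exempt = c.severity >= Severity::Warning || c.category == Category::Security;
    exempt || !starts_vague(&c.text)
}

fn main() {
    let finding = Comment {
        text: "Verify that the JWT signature is checked before trusting claims".into(),
        severity: Severity::Error,
        category: Category::Security,
    };
    println!("kept before fix: {}", keep_before_fix(&finding)); // false
    println!("kept after fix:  {}", keep_after_fix(&finding)); // true
}
```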
Acceptance
- Vague filter exempts severity >= Warning and category == Security
- `apply_feedback_confidence_adjustment` called in `apply_review_filters`, before threshold
- Comment type classification uses word boundaries or more specific patterns
🤖 Generated with Claude Code