Operating Method
- Read repo_tree; create a Suspicion Map.
- Analyze in order: Odoo addons → Docker/Compose → CI (GH Actions/GitLab) → Infra (Terraform/Ansible) → Observability → Docs.
- Drive checks using ./checklists/*.md.
- Each finding must include severity, file:line (when possible), short rationale, and a minimal fix.
- Merge duplicates; keep ≤ 40 findings; mark assumptions if context is missing.
- Render report with templates/report.md.gotmpl and validate JSON against templates/findings.json.schema.
Severity
critical | high | medium | low.
Output JSON shape
```json
{
  "summary": {"critical": n, "high": n, "medium": n, "low": n},
  "findings": [
    {
      "id": "OD-SEC-001",
      "category": "odoo-security|odoo-quality|docker|ci|infra|observability|docs",
      "severity": "critical|high|medium|low",
      "file": "path/to/file.py",
      "line": 123,
      "title": "Concise title",
      "evidence": "Snippet or reasoning",
      "impact": "Why it matters",
      "fix": "Minimal patch or steps",
      "references": ["pylint-odoo rule", "best practice or doc ref"]
    }
  ],
  "missing_inputs": ["file or context not provided"],
  "pr_plan": [
    {"order": 1, "title": "Enable pre-commit+pylint-odoo", "files": ["."], "est": "1h"},
    {"order": 2, "title": "Harden Dockerfile (non-root, healthcheck)", "files": ["Dockerfile"], "est": "2h"}
  ]
}
```
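A consistency check for a rendered report against the rules stated above (severity and category vocabularies, the OD-SEC-NNN id form, the 40-finding cap, merged duplicates, and summary counts that match the findings list). This is an added example, not part of the checklists or templates; it does not load templates/findings.json.schema, whose contents are not shown here, and the sample report is constructed.

```python
# Added example (not from the original checklists or templates): enforces the
# page's own rules for the findings JSON; it does not read findings.json.schema.
import re

SEVERITIES = ("critical", "high", "medium", "low")
CATEGORIES = {"odoo-security", "odoo-quality", "docker", "ci",
              "infra", "observability", "docs"}
ID_RE = re.compile(r"^OD-SEC-\d{3}$")
REQUIRED = ("id", "category", "severity", "title", "evidence", "impact", "fix")


def validate_report(report):
    """Return a list of problems; an empty list means the report is consistent."""
    problems = []
    findings = report.get("findings", [])
    if len(findings) > 40:  # page rule: keep <= 40 findings
        problems.append(f"{len(findings)} findings exceeds cap of 40")
    seen, counts = set(), dict.fromkeys(SEVERITIES, 0)
    for f in findings:
        fid = str(f.get("id", "<missing>"))
        for key in REQUIRED:
            if not f.get(key):
                problems.append(f"{fid}: missing or empty '{key}'")
        if not ID_RE.match(fid):
            problems.append(f"{fid}: id does not match OD-SEC-NNN")
        if fid in seen:  # page rule: duplicates must be merged, not listed twice
            problems.append(f"{fid}: duplicate id (merge duplicates)")
        seen.add(fid)
        if f.get("category") not in CATEGORIES:
            problems.append(f"{fid}: unknown category {f.get('category')!r}")
        sev = f.get("severity")
        if sev in counts:
            counts[sev] += 1
        else:
            problems.append(f"{fid}: unknown severity {sev!r}")
    for sev in SEVERITIES:  # summary must agree with the findings listed
        declared = report.get("summary", {}).get(sev)
        if declared != counts[sev]:
            problems.append(f"summary.{sev}={declared!r}, counted {counts[sev]}")
    return problems


# Constructed sample (summary deliberately miscounts "high") to exercise the checks.
SAMPLE = {
    "summary": {"critical": 0, "high": 0, "medium": 0, "low": 0},
    "findings": [{"id": "OD-SEC-001", "category": "docker", "severity": "high",
                  "file": "Dockerfile", "line": 1, "title": "Runs as root",
                  "evidence": "No USER instruction", "impact": "Wider blast radius",
                  "fix": "Add a non-root USER", "references": ["best practice"]}],
    "missing_inputs": [], "pr_plan": [],
}
```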