security-guidance plugin: agentic commit review StructuredOutput rejected with '/findings: must be array' when review has no findings
Open 💬 1 comment Opened Jul 2, 2026 by d56de
Environment
- Claude Code CLI: 2.1.198
- Plugin: security-guidance 2.0.6 (claude-plugins-official; latest available)
- Provider: 1P subscription (api.anthropic.com)
- OS: macOS (Darwin 25.5.0, Apple Silicon)
Bug
The agentic commit reviewer (layer 3) is forced to emit its result via a StructuredOutput tool, but the output is regularly rejected with:
Output does not match required schema: /findings: must be array
Observed in 31 distinct review sessions across 7 different repos over June 2026 (checked by grepping ~/.claude/projects/*/). It typically occurs when the review has no findings — the model appears to emit null/an object instead of an empty array, the tool call is rejected, and the reviewer burns an extra turn retrying.
Expected
Either the schema should tolerate the empty case, or the reviewer prompt/tool description should pin "findings": [] for the no-findings case, so clean reviews complete in one attempt.
Notes for repro
- Easiest trigger: a trivial, security-irrelevant diff (e.g. a one-line data/JSON change) that yields zero findings.
- The plugin's own
~/.claude/security/log.txtcontains no trace of these rejections (grep for "schema"/"must be array" returns nothing); the errors are only visible in the review sessions' transcripts asis_errortool_results. That makes the failure effectively silent — worth logging too.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗