security-guidance plugin: agentic commit review StructuredOutput rejected with '/findings: must be array' when review has no findings

Open 💬 1 comment Opened Jul 2, 2026 by d56de

Environment

  • Claude Code CLI: 2.1.198
  • Plugin: security-guidance 2.0.6 (claude-plugins-official; latest available)
  • Provider: 1P subscription (api.anthropic.com)
  • OS: macOS (Darwin 25.5.0, Apple Silicon)

Bug

The agentic commit reviewer (layer 3) is forced to emit its result via a StructuredOutput tool, but the output is regularly rejected with:

Output does not match required schema: /findings: must be array

Observed in 31 distinct review sessions across 7 different repos over June 2026 (checked by grepping ~/.claude/projects/*/). It typically occurs when the review has no findings — the model appears to emit null/an object instead of an empty array, the tool call is rejected, and the reviewer burns an extra turn retrying.

Expected

Either the schema should tolerate the empty case, or the reviewer prompt/tool description should pin "findings": [] for the no-findings case, so clean reviews complete in one attempt.

Notes for repro

  • Easiest trigger: a trivial, security-irrelevant diff (e.g. a one-line data/JSON change) that yields zero findings.
  • The plugin's own ~/.claude/security/log.txt contains no trace of these rejections (grep for "schema"/"must be array" returns nothing); the errors are only visible in the review sessions' transcripts as is_error tool_results. That makes the failure effectively silent — worth logging too.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗