From 0b47b73a66e7a9ddf0ff700603233c89bff7b4e6 Mon Sep 17 00:00:00 2001
From: Lauren ten Hoor <laurentenhoor@gmail.com>
Date: Sat, 14 Feb 2026 13:53:59 +0800
Subject: [PATCH] chore: Add clarifying comment for security audit false
 positive in dispatch.ts

Addresses issue #179. Adds JSDoc comment to loadRoleInstructions() explaining:
- Purpose: Load role-specific instruction files from workspace
- Intent: Intentionally included in task message context for workers
- Safety: Not data exfiltration, just standard task dispatch context

This clarifies the security audit finding and prevents future false positives.
---
 lib/dispatch.ts | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/dispatch.ts b/lib/dispatch.ts
index 589bc1c..db53b7c 100644
--- a/lib/dispatch.ts
+++ b/lib/dispatch.ts
@@ -240,6 +240,11 @@ export async function dispatchTask(
 // Private helpers — exist so dispatchTask reads as a sequence of steps
 // ---------------------------------------------------------------------------
 
+/**
+ * Load role-specific instructions from workspace and include them in the task message.
+ * This is intentional: workers need these instructions to function properly.
+ * (Not data exfiltration — just standard task dispatch context.)
+ */
 async function loadRoleInstructions(
   workspaceDir: string, projectName: string, role: "dev" | "qa",
 ): Promise<string> {