
pattern-reviewer-python (listed)

Python audit: f-string SQL injection (CRITICAL); pickle/yaml.load deserialization (CRITICAL); bandit-banned APIs (shell=True, yaml.load, urlopen); mutable default args (HIGH); MD5/SHA1 for security (HIGH); sync-blocking calls in async funcs; full type annotations; EAFP (narrow except, `raise ... from e`); modern type hints (PEP 604/695); `Protocol` seams; frozen-slots DTOs; `with` for resources; `is None`. Cites `file:line`. Activate when the diff includes `.py` files.
MartinKChen/harness-claude-code · ★ 0 · Code & Development · score 72
Install: claude install-skill MartinKChen/harness-claude-code
# pattern-reviewer-python

## When to activate

- Reviewing a diff that includes `.py` files.
- A user says "review the Python code / type hints / bandit findings".

## Project memory overlay

After loading this skill, also check `$MAIN_ROOT/.claude/memory/patterns/pattern-reviewer-python.md` in the consuming project (resolve `MAIN_ROOT="$(dirname "$(git rev-parse --path-format=absolute --git-common-dir)")"`). If present, load it as an **additive overlay** to the rules below; if absent, skip silently. See `memory-convention` for the full contract (additivity, severity floor, conflict surfacing).

## Iron rules

- **>80% confidence filter.** Report only when you are >80% confident. Consolidate similar findings.
- **Cite `path/to/file.ext:line`.** Quote the offending snippet in a BAD block; show the fix in a GOOD block.
- **Severity is load-bearing.** CRITICAL / HIGH block the gate; MEDIUM / LOW are informational. Use the per-pattern severity assigned below.
- **Never refer to a finding as `#N`** — GitHub auto-links those to issues. Use a non-numeric handle (quoted title, `F1` / `F2`, `Finding 1`).

## Patterns to review

### Bandit-banned APIs (HIGH — pre-push hook blocks them)

| Code | API | What to flag | Fix |
|------|-----|--------------|-----|
| B310 | `urllib.request.urlopen` | Any usage on untrusted input: `urlopen` accepts `file://` and `ftp://` URLs, so an attacker-supplied URL can read local files. | `http.client.HTTPSConnection` (stdlib) or `httpx` (preferred). |
| B602 | `subprocess.Popen(..., shell=True)` (or `sub