Summary

Vigilante should support Python repositories with a dedicated Python-focused issue-implementation skill that teaches coding agents to work idiomatically in Python, use the repository's existing Python toolchain correctly, and apply current Python security guidance during feature work and bug fixes.

Problem

• Vigilante currently has no Python-specific implementation skill, so coding agents approach Python repos as generic codebases instead of following Python-specific conventions and validation workflows.
• That makes agents more likely to miss important Python tooling and security practices such as virtual-environment isolation, dependency auditing, subprocess safety, deserialization risks, secure randomness, and repo-standard formatting, linting, and typing workflows.
• Python repos vary widely in tooling, so the skill needs to guide the agent toward the repository's actual stack rather than forcing one universal toolchain.

Context

• The official Python security considerations document warns about unsafe pickle usage, subprocess security concerns, and using secrets instead of random for security-sensitive values.
• The standard library venv documentation reflects the continued expectation that Python development happens inside isolated environments.
• Modern Python repos frequently standardize on pytest for testing, ruff or black for formatting/linting, mypy or pyright-style typing, and package-audit tooling such as pip-audit, but Vigilante should prefer repo-defined tools rather than inventing a stack.
• This repository already expresses implementation policy through skills and generated prompts; the Python skill should fit that model.

Reference Material

• Python security considerations: https://docs.python.org/3/library/security_warnings.html
• Python venv: https://docs.python.org/3/library/venv.html
• pip user guide: https://pip.pypa.io/en/stable/
• pip-audit: https://pypi.org/project/pip-audit/
• Ruff docs: https://docs.astral.sh/ruff/
• Black docs: https://black.readthedocs.io/
• mypy docs: https://mypy.readthedocs.io/
• pytest docs: https://docs.pytest.org/

Desired Outcome

• Vigilante can detect Python repositories and attach a Python-specific implementation skill or equivalent prompt layer.
• The guidance tells the coding agent to follow repo-standard Python tooling for formatting, linting, typing, testing, dependency management, and security checks.
• The guidance is concise and actionable; it should not dump large style guides or force repo-wide cleanup unrelated to the issue.
• Existing GitHub issue-comment, validation-reporting, push/PR, and vigilante commit policies remain intact.

Implementation Notes

• Detect Python repositories using signals such as pyproject.toml, requirements*.txt, setup.py, setup.cfg, tox.ini, noxfile.py, or common Python package layout.
• Distill Python-specific execution rules for coding agents. Required areas to cover include:
  • using the repository's existing environment/bootstrap workflow first, and otherwise preferring isolated environments rather than ad hoc global installs
  • formatting and linting with repo-standard tools; default to ruff format / ruff check, black, or equivalent only when the repository already uses them or the issue explicitly standardizes them
  • type-checking with mypy, pyright-style tooling, or repo-standard typing checks when present
  • testing with targeted pytest or repo-standard test commands first, then broader scope when needed
  • dependency and package-security checks such as pip-audit or repo-standard audit tooling when available and relevant
  • Python security guidance such as avoiding unsafe pickle patterns, being careful with subprocess, using secrets for security-sensitive randomness, and handling untrusted input and file paths defensively
• Preserve the rule that repository-specific instructions override generic Python guidance when they are more specific.
• Preserve commit-path constraints: any commit-related instructions must continue to require vigilante commit only rather than git commit or GitHub CLI commit flows.

Acceptance Criteria

• Vigilante can recognize Python repositories well enough to attach Python-specific implementation guidance.
• A dedicated Python-focused implementation skill or equivalent prompt layer exists.
• The Python guidance covers environment isolation, repo-standard formatting/linting, typing, testing, and dependency-security validation.
• The Python guidance includes security considerations grounded in the official Python security docs.
• Existing issue-comment, validation-reporting, push/PR, and vigilante commit policies continue to apply.

Testing Expectations

• Add or update tests for repository detection and skill or prompt selection so Python repositories receive the Python-specific guidance and non-Python repositories do not.
• Add or update tests for prompt content so the Python workflow includes formatting, testing, typing, and security guidance without dropping existing operational instructions.
• Cover regressions where Python repositories miss the dedicated guidance or unrelated repositories receive it incorrectly.

Operational / UX Considerations

• Prefer repo-standard Python tools over a forced universal stack.
• Do not assume optional tools such as pip-audit, mypy, or ruff are installed unless the repository already uses them.
• Keep the skill focused on issue implementation, not repo-wide modernization.