anthropics · yarikoptic · Feb 12, 2026 · Feb 12, 2026 · Feb 12, 2026 · Feb 12, 2026
diff --git a/.claude/commands/security-review.md b/.claude/commands/security-review.md
@@ -69,7 +69,7 @@ SECURITY CATEGORIES TO EXAMINE:
 - Certificate validation bypasses
 
 **Injection & Code Execution:**
-- Remote code execution via deseralization
+- Remote code execution via deserialization
 - Pickle injection in Python
 - YAML deserialization vulnerabilities
 - Eval injection in dynamic code execution

diff --git a/.codespellrc b/.codespellrc
@@ -0,0 +1,7 @@
+[codespell]
+# Ref: https://github.com/codespell-project/codespell#using-a-config-file
+skip = .git*,.codespellrc,.npm,.cache
+check-hidden = true
+# Ignore camelCase and PascalCase identifiers (common in code)
+ignore-regex = \b[a-z]+[A-Z]\w*\b|\b[A-Z][a-z]+[A-Z]\w*\b
+# ignore-words-list =
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
@@ -0,0 +1,23 @@
+# Codespell configuration is within .codespellrc
+---
+name: Codespell
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  codespell:
+    name: Check for spelling errors
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Codespell
+        uses: codespell-project/actions-codespell@v2
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,7 @@
 # Cache directories
 .cache/
+.npm/
+.local/
 
 # Python
 __pycache__/

diff --git a/claudecode/claude_api_client.py b/claudecode/claude_api_client.py
@@ -252,7 +252,7 @@ def _generate_single_finding_prompt(self,
 9. Vulnerabilities related to outdated third-party libraries. These are managed separately and should not be reported here.
 10. Memory safety issues such as buffer overflows or use-after-free-vulnerabilities are impossible in rust. Do not report memory safety issues in rust code.
 11. Files that are only unit tests or only used as part of running tests.
-12. Log spoofing concerns. Outputing un-sanitized user input to logs is not a vulnerability.
+12. Log spoofing concerns. Outputting un-sanitized user input to logs is not a vulnerability.
 13. SSRF vulnerabilities that only control the path. SSRF is only a concern if it can control the host or protocol.
 14. Including user-controlled content in AI system prompts is not a vulnerability. In general, the inclusion of user input in an AI prompt is not a vulnerability.
 15. Do not report issues related to adding a dependency to a project that is not available from the relevant package repository. Depending on internal libraries that are not publicly available is not a vulnerability.

diff --git a/claudecode/prompts.py b/claudecode/prompts.py
@@ -88,7 +88,7 @@ def get_security_audit_prompt(pr_data, pr_diff=None, include_diff=True, custom_s
 - Certificate validation bypasses
 
 **Injection & Code Execution:**
-- Remote code execution via deseralization
+- Remote code execution via deserialization
 - Pickle injection in Python
 - YAML deserialization vulnerabilities
 - Eval injection in dynamic code execution