Synchronize translation catalogs across maintained Symfony branches: find messages that newer branches added to the English catalogs but that are still missing from the oldest maintained branch, then add them (with a translation per locale) on that oldest branch so they cascade up via merges. Use when the user says "synchronize translations", "sync new translations", "sync the translation catalogs", "add the missing translation messages", or "propagate new xlf messages".
Decide whether open Bug PRs target the correct branch. A bug must be fixed on the lowest maintained branch where it exists, then merged up. Use when the user says "triage bug PRs", "which PRs need retargeting", or "retarget triage".
Decide whether a recurring hardening invariant is worth a CI gate, and add it without hitting the traps. Covers PHPStan custom rules (implementation-shape checks) and the check-hardening-tests.php convention (test-presence checks). Use when the user says "write a PHPStan rule", "add a hardening rule", "gate this pattern", "catch this in CI", or wants to turn a finding into a durable check.
Cascade-merge maintained Symfony branches from oldest to newest (e.g. 6.4 → 7.4 → 8.0 → 8.1). Use when the user says "merge branches", "merge up", "cascade merge", "sync branches", or "update branches".
Review a change (a PR, the current branch diff, or a set of files) or audit a component or the whole tree for missing or incorrect security hardening. Reasons about trust boundaries from first principles, then checks the code against Symfony's hardening-invariant families and runs the .github/sa-tools gates. Use when the user says "security review", "security audit", "check hardening", "review this PR/branch for security", "audit <component> for <vuln class>", "is any hardening missing", or names a vulnerability class to hunt for.
Triage a reported security finding into a disposition: a private CVE (coordinated disclosure + advisory), a public hardening PR (fix in the open, no CVE), or not-a-security-issue (reply to reporter). Assigns severity and affected maintained branches, and routes to the next step. Use when the user says "does this need a CVE", "CVE or hardening", "triage this report", "is this a security issue", "classify this finding", or "how should we disclose this".