Phase-2: Queue and governance hardening

[Copilot]

Hardens the agent queue and governance layer against duplicate transitions, silent rollback failures, and template drift introduced in the bootstrap merge.

Summary

• Queue idempotency: Early-exit guard added to agent-task-queue.yml — if agent:in-progress is already set and an Execution Contract comment exists, the workflow skips duplicate label mutations and contract creation. agent:ready is still consumed in this path to prevent ready + in-progress label coexistence.
• No silent swallow: Rollback failures on label mutations escalated from core.warning → core.error; partial-state failures are now visible in the Actions UI.
• Label-sync push trigger: agent-label-sync.yml now fires on pushes to main/master (path-filtered), not only on workflow_dispatch.
• PR template normalization: Lowercase .github/pull_request_template.md (the one GitHub renders) was a minimal stub; replaced with the full Summary/Risk/Evidence/Rollback/Scope Guard structure.
• AGENTS.md queue warning: Single-line note expanded to a prominent ⚠️ blockquote explaining the trigger contract and that rollback failures surface as hard errors.
• Agent least-privilege: Added explicit execute-scope lines to security-sheriff and test-specialist profiles, bounding permitted commands to bash scripts/verify and test/diagnostic runners.

Risk

• Risk level: low
• Regression surface: infra
• Security/runtime safety impact: None. Changes are CI workflow logic, documentation, and template content only. No runtime code touched.

Evidence

• Deterministic verification command: bash scripts/verify
• Command output summary: exits 0 (Python compile-all passes; smoke launch timeout-clean)
• Any justified skips: CodeQL — 0 alerts

Rollback

• Rollback command or steps: git revert HEAD on this branch; no label state is mutated by the workflow change itself
• Data/schema/runtime rollback impact: None

Scope Guard

• Change is minimal and task-focused
• No unrelated refactors included
• No secrets or private tokens added

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Phase-2] Queue and Governance Hardening - Whisper_GUI</issue_title>
<issue_description>## Objective
Implement hardening requirements after bootstrap merge.

Required Outputs

• Queue idempotency safeguards
• Transition rollback cleanup path
• No silent swallow on critical label transitions
• Template and agent profile normalization
• Verification wording aligned to bash scripts/verify

Activation

Add agent:ready only after pilot issue is complete.
</issue_description>

<agent_instructions>Phase-2 hardening only. Keep scope to queue idempotency guard, critical transition error handling (no blanket silent catches), rollback cleanup for partial label mutation, label-sync push trigger, agent profile least-privilege, AGENTS queue warning, and strict PR template normalization. Provide deterministic verify evidence.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@Prekzursil @copilot Queue follow-up: please continue this Phase-2 hardening task and open/update the implementation PR. Keep scope strict to queue idempotency, label-sync push trigger, profile least-privilege, AGENTS warning, and PR template normalization. Include deterministic verification evidence.

• Fixes Prekzursil/Whisper_GUI#4

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[devloai]

Unable to trigger custom agent "Code Reviewer". You have run out of credits 😔
Please upgrade your plan or buy additional credits from the subscription page.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0b93564fc4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Prekzursil]

@copilot Please fix the unresolved queue-state regression: in .github/workflows/agent-task-queue.yml, ensure agent:ready is still consumed/removed even when idempotency detects existing in-progress + execution contract. Keep duplicate-contract protection, but do not leave ready + in-progress labels together. Scope limited to governance workflow patch.

[Copilot]

@copilot Please fix the unresolved queue-state regression: in .github/workflows/agent-task-queue.yml, ensure agent:ready is still consumed/removed even when idempotency detects existing in-progres...

Fixed in 0cd4620. The idempotency guard now removes agent:ready before returning when in-progress + execution contract are already present — so the ready + in-progress coexistence is eliminated while duplicate-contract creation is still blocked.