Add explicit add-rubrics route

[sepo-agent-app]

Summary

• Add /add-rubrics and agent/add-rubrics routing through dispatch, envelope validation, prompt selection, and onboarding labels.
• Add Agent / Rubrics / Add, a dedicated serialized workflow that writes validated rubric updates to agent/rubrics and posts a concise summary.
• Surface validation/commit persistence failures in the add-rubrics summary instead of reporting them as clean no-change runs.
• Update docs and tests for the add-or-update rubric behavior while keeping the public route name /add-rubrics.

Verification

• npm --prefix .agent run build
• GITHUB_OUTPUT=/tmp/sepo-test-output node --test .agent/dist/__tests__/triage.test.js .agent/dist/__tests__/envelope.test.js .agent/dist/__tests__/response.test.js .agent/dist/__tests__/rubrics.test.js .agent/dist/__tests__/onboarding-check-cli.test.js
• node --test .agent/dist/__tests__/docs-validation.test.js
• git diff --check

Closes #343

[lolipopshock]

@sepo-agent /answer

also i think there will be two modes of adding rubrics:

1. one is to create a PR and let users approve that
2. one is just commit to that branch

also i think the decision should be interpreted from the user input? in that case, could we just make it more "unstructured", in that we just only change the prompt and give the agent necessary access:

• in the session, it can by default create an PR
• but if users explicitly say just add then it will skip it.
  there will not be any specific agent action workflows, just a prompt?

what do you think?

[sepo-agent-app]

I agree with the two modes and with interpreting the mode from natural user input. I would not make the whole thing “just prompt + broad write access,” though.

The safer split is:

• Default: propose rubric edits in a PR, probably from agent/rubrics-proposal-* into agent/rubrics, so users can review and merge.
• Explicit direct mode: if the user says “just add,” “commit directly,” “apply now,” etc., commit validated rubric edits straight to agent/rubrics.

The current PR already adds the deterministic direct-write path: agent-router.yml dispatches add-rubrics to agent-add-rubrics.yml, the workflow enables rubric writes, validates edits, commits them, serializes concurrent writes, and posts a summary. See:

• https://github.com/self-evolving/repo/pull/344/files#diff-.github/workflows/agent-router.yml
• https://github.com/self-evolving/repo/pull/344/files#diff-.github/workflows/agent-add-rubrics.yml
• https://github.com/self-evolving/repo/pull/344/files#diff-.github/prompts/agent-add-rubrics.md
• https://github.com/self-evolving/repo/pull/344/files#diff-.github/actions/run-agent-task/action.yml

My recommendation: keep a first-class add-rubrics route, but make it select an execution mode:

1. Update dispatch/prompt language so rubric requests route to add-rubrics, and add mode guidance:

   • default proposal_pr
   • explicit “just add/commit/apply directly” -> direct_commit

2. Add an input like rubrics_write_mode to agent-add-rubrics.yml.

3. Keep direct commits using the current validated run-agent-task rubric commit path.

4. Add PR mode by checking out agent/rubrics, creating a proposal branch, running the same prompt/validation, pushing the proposal branch, and opening a PR targeting agent/rubrics.

5. Make the final summary say either “opened rubric PR” or “updated agent/rubrics directly.”

That keeps the user experience unstructured, but keeps side effects deterministic, auditable, serialized, and validated. Prompt-only broad access would make it harder to enforce defaults, report persistence failures, avoid concurrent branch races, and test the behavior.

[lolipopshock]

\

I agree with the two modes and with interpreting the mode from natural user input. I would not make the whole thing “just prompt + broad write access,” though.

The safer split is:

• Default: propose rubric edits in a PR, probably from agent/rubrics-proposal-* into agent/rubrics, so users can review and merge.
• Explicit direct mode: if the user says “just add,” “commit directly,” “apply now,” etc., commit validated rubric edits straight to agent/rubrics.

The current PR already adds the deterministic direct-write path: agent-router.yml dispatches add-rubrics to agent-add-rubrics.yml, the workflow enables rubric writes, validates edits, commits them, serializes concurrent writes, and posts a summary. See:

• https://github.com/self-evolving/repo/pull/344/files#diff-.github/workflows/agent-router.yml
• https://github.com/self-evolving/repo/pull/344/files#diff-.github/workflows/agent-add-rubrics.yml
• https://github.com/self-evolving/repo/pull/344/files#diff-.github/prompts/agent-add-rubrics.md
• https://github.com/self-evolving/repo/pull/344/files#diff-.github/actions/run-agent-task/action.yml

My recommendation: keep a first-class add-rubrics route, but make it select an execution mode:

1. Update dispatch/prompt language so rubric requests route to add-rubrics, and add mode guidance:

   • default proposal_pr
   • explicit “just add/commit/apply directly” -> direct_commit

2. Add an input like rubrics_write_mode to agent-add-rubrics.yml.

3. Keep direct commits using the current validated run-agent-task rubric commit path.

4. Add PR mode by checking out agent/rubrics, creating a proposal branch, running the same prompt/validation, pushing the proposal branch, and opening a PR targeting agent/rubrics.

5. Make the final summary say either “opened rubric PR” or “updated agent/rubrics directly.”

That keeps the user experience unstructured, but keeps side effects deterministic, auditable, serialized, and validated. Prompt-only broad access would make it harder to enforce defaults, report persistence failures, avoid concurrent branch races, and test the behavior.

@sepo-agent /orchestrate implement this and review

[sepo-agent-app]

Rubrics Review

Total Score	Verdict	Rubrics Scored
100	PASS	13

Dimension	Rubric	Result	Score	Evidence
coding_workflow / generic	Prefer permissive command route parsing	pass	7/7	add-rubrics is first-class for explicit slash commands, labels, and natural dispatch; mode is inferred from full request text. Evidence: triage.ts, agent-router.yml.
coding_workflow / generic	Prefer explicit structured inputs	pass	7/7	rubrics_write_mode is a typed workflow input and validated to proposal_pr or direct_commit. Evidence: agent-add-rubrics.yml, agent-add-rubrics.yml.
coding_workflow / generic	Validate delegated route authorization	pass	8/8	Direct rubric commits are downgraded to proposal PR unless the requester is OWNER, MEMBER, or COLLABORATOR. Evidence: triage.ts, triage.ts.
coding_workflow / generic	Keep privileged workflows on trusted runtime code	pass	8/8	The workflow checks out the default branch for runtime code, uses a separate rubrics checkout/proposal branch target, and withholds the primary token from the model process. Evidence: agent-add-rubrics.yml, agent-add-rubrics.yml.
coding_workflow / generic	Reuse existing code	pass	8/8	The implementation reuses run-agent-task, existing rubric checkout/validation/commit plumbing, and small typed CLIs for PR/summary handling. Evidence: run-agent-task/action.yml, create-rubrics-proposal-pr.ts.
coding_workflow / generic	Surface stateful failures	pass	7/7	Write-enabled rubric checkout fails when missing, validation/commit failures are surfaced, and proposal PR creation is required when a proposal branch has changes. Evidence: run-agent-task/action.yml, agent-add-rubrics.yml.
coding_workflow / generic	Make user-facing automation idempotent	pass	7/7	Proposal PR creation reuses/updates an existing PR for the proposal branch, and the workflow checks existing branch diffs even without a fresh commit. Evidence: create-rubrics-proposal-pr.ts, agent-add-rubrics.yml.
communication / generic	Keep status comments compact	pass	6/6	Add-rubrics summaries report the outcome directly: opened/updated PR, direct update, no changes, failure, or persistence/PR failure. Evidence: response.ts.
coding_workflow / generic	Keep docs in sync	pass	7/7	README and .agent/docs document /add-rubrics, label routing, default proposal PR behavior, and explicit direct commits. Evidence: README.md, rubrics.md.
coding_workflow / generic	Prefer agent-derived decisions	pass	7/7	The route derives rubrics_write_mode from user wording and passes the structured result through router outputs instead of adding a repo setting. Evidence: triage.ts, agent-router.yml.
coding_workflow / generic	Surgical changes	pass	8/8	The diff is scoped to the add-rubrics route, workflow/action plumbing, prompts, docs, and focused tests.
coding_style / generic	Prefer simple implementations	pass	7/7	The implementation keeps two explicit modes and deterministic workflow steps rather than replacing the route with prompt-only broad write access.
communication / generic	Actionable setup guidance	pass	7/7	User-facing docs list /add-rubrics and agent/add-rubrics alongside existing trigger routes. Evidence: quick-start.md.

Notes

• The current PR head addresses the prior rubric-specific risks: default mode is proposal_pr, explicit direct wording is required for direct_commit, negated direct-commit wording resolves to proposal mode, and untrusted direct requests are downgraded.
• Proposal mode is enforced by workflow mechanics: the agent process does not receive the primary GitHub token, validated edits are pushed to agent/rubrics-proposal-*, and the PR targets agent/rubrics.
• No rubric-specific follow-up needed.

Findings

• INFO: No rubric-specific blocking or warning findings.

Final Rubric Verdict

PASS

[sepo-agent-app]

filter(Boolean) removes the intentional "" blank-line separators as well as the optional requestedBy line, so generated proposal PR bodies collapse the section spacing. Please use a non-empty sentinel such as null for omitted optional rows and filter only that sentinel, or build the optional line separately while preserving blank lines.

[sepo-agent-app]

AI Review Synthesis

Dual-agent review by Claude and Codex.
Requested by @lolipopshock.

Summary of PR/Issue

• PR Add explicit add-rubrics route #344 refreshes issue Refresh add-rubrics route implementation #343 by adding a current /add-rubrics route.
• It wires dispatch, envelope validation, onboarding labels, docs, tests, and a serialized Agent / Rubrics / Add workflow.
• The PR also implements the follow-up two-mode design: default proposal PRs targeting agent/rubrics, and explicit trusted direct commits when user wording asks for that.
• Current head c3ec615f13c5491f0ba895f762e8a4b3437ef629 fixes the earlier authorization, token exposure, missing-rubrics, and negated-direct-mode findings.

Review

The core architecture now matches the requested behavior, and no blocking findings remain. One user-visible formatting bug remains in generated rubric proposal PR bodies and should be fixed before merge.

Issue	Severity	Description
Proposal PR Body Drops Section Spacing	WARNING	create-rubrics-proposal-pr.ts uses filter(Boolean), which removes the intentional blank lines between PR body sections. Generated proposal PRs will still work, but their body formatting collapses.

Progress

• The requested route, proposal/direct modes, docs, workflow wiring, summary handling, and focused tests are implemented.
• Earlier blocking issues are fixed: untrusted direct requests downgrade to proposal_pr, proposal mode withholds the primary GitHub token from the model process, missing write-enabled rubric checkout fails visibly, proposal PR recovery checks existing branch diffs, and direct-commit negations now resolve to proposal_pr.
• Verification passed on the fetched PR head after installing pinned .agent dependencies: npm --prefix .agent run build, focused node --test run with 165 passing tests, direct inferRubricsWriteMode probe, and git diff --check.
• Posted 1 new inline comment on .agent/src/cli/create-rubrics-proposal-pr.ts line 61.
• Resolved 1 same-agent inline review thread on .agent/src/triage.ts after verifying the issue is fixed. No comments were minimized or deleted.

Issue Details

Proposal PR Body Drops Section Spacing

Cause: The body array uses empty strings as intentional Markdown separators, then calls .filter(Boolean), which removes those separators along with the optional requestedBy row.

Candidate solutions: Use null or undefined only for omitted optional rows and filter that sentinel, or push the optional requestedBy line conditionally while preserving explicit blank-line entries.

Comments: Rubrics Review found no rubric-specific follow-up, while the code review flagged this formatting bug. The current source supports the warning.

Recommended Next Step

FIX_PR: the remaining issue is a concrete, low-risk branch change suitable for automated fixing.

Final Verdict

MINOR_ISSUES

Action Items

• Preserve blank-line separators in generated rubric proposal PR bodies while still omitting the optional requestedBy row when absent.

[sepo-agent-app]

Sepo is dispatching follow-up automation.

Source	Next	Target	Round	Status
review	fix-pr	PR #344	10 / 40	Dispatched

Reason: agent planner selected fix-pr: Latest review reported MINOR_ISSUES with recommended next step FIX_PR, and the remaining item is a concrete branch change suitable for automation.

Task for fix-pr:
Address only the latest review synthesis action item: preserve blank-line separators in generated rubric proposal PR bodies while still omitting the optional requestedBy row when absent. Constraints: ignore optional INFO notes, metadata-only polish, already-fixed findings, and human-judgment nits unless required by that action item.

[sepo-agent-app]

Sepo could not complete the PR fix run.

Inspect the workflow logs and retry if appropriate.

[sepo-agent-app]

Sepo orchestration needs clarification before it can continue.

Sepo could not complete the automated fix for the remaining review item. The unresolved item is to preserve blank-line separators in generated rubric proposal PR bodies while still omitting the optional requestedBy row when absent. Please inspect the failed workflow run logs for run ID 26349518700 and retry or fix manually if appropriate.

• Source action: fix-pr
• Source conclusion: failed
• Target: pull_request #344
• Round: 10/40
• Reason: agent planner blocked: The latest fix-pr run failed, and runtime policy forbids handing a failed fix-pr directly to another automatic review or fix attempt.
• Source run ID: 26349518700

No follow-up workflow was dispatched. Reply with the requested context, then continue with /orchestrate, /implement, or /answer when ready.

[lolipopshock]

@sepo-agent /answer I think we've over complicated this.... basically we just need to

1. add a proper prompt?
2. then we can reuse the implement route with the base branch to be agent/rubrics?

[sepo-agent-app]

I agree with the simplification goal, but not literally as base_branch: agent/rubrics on the current agent-implement.yml.

The reason: agent-implement.yml already supports base_branch and implementation_prompt (workflow inputs), and it creates PRs against BASE_BRANCH (create-pr usage, create-pr base). So conceptually, yes.

But mechanically it checks out the implementation branch from BASE_BRANCH before running the local agent action (checkout step, then uses ./.github/actions/run-agent-task). If BASE_BRANCH=agent/rubrics, the worktree likely no longer contains .github/actions/run-agent-task or .agent/dist, because agent/rubrics is a dedicated data branch. That would make the workflow fail or require putting runtime files on the rubrics branch, which I would avoid.

So I’d frame it this way:

1. Yes, reduce this to “rubric proposal PR by default” plus a proper prompt.
2. Do not add a big new “agent action workflow” if we can avoid it.
3. Reuse the implementation route’s metadata model: implementation_prompt, implementation_route, draft PR creation, issue tracking.
4. But keep the Sepo runtime checked out from the default branch, and operate on agent/rubrics in a separate checkout/worktree or temp dir.
5. Only add direct commit later if users explicitly need “just add”; default PR mode is enough for now.

Concrete plan I’d suggest before coding:

1. Add .github/prompts/agent-add-rubrics.md.
2. Add dispatch wording so rubric requests become an implementation-like request with prompt agent-add-rubrics.
3. Add a small rubric proposal path that checks out agent/rubrics separately, lets the agent edit that checkout, validates rubric YAML, pushes agent/add-rubrics-*, and opens a draft PR into agent/rubrics.
4. Remove the larger direct-write workflow unless we still want “just add” in this PR.
5. Keep direct commit as a follow-up mode, not the first implementation.

So: your instinct is right that this got too heavy. I’d simplify to “prompt + PR proposal flow,” but I would not wire current agent-implement.yml directly to base_branch=agent/rubrics without first fixing the runtime-checkout problem.

---

codex | default model | high | Macmini-runner-6

[lolipopshock]

But mechanically it checks out the implementation branch from BASE_BRANCH before running the local agent action (checkout step, then uses ./.github/actions/run-agent-task). If BASE_BRANCH=agent/rubrics, the worktree likely no longer contains .github/actions/run-agent-task or .agent/dist, because agent/rubrics is a dedicated data branch. That would make the workflow fail or require putting runtime files on the rubrics branch, which I would avoid.

So I’d frame it this way:

1. Yes, reduce this to “rubric proposal PR by default” plus a proper prompt.
2. Do not add a big new “agent action workflow” if we can avoid it.

@sepo-agent /implement create a new simplified version.

[sepo-agent-app]

Implementing this request — tracking in #381.