Simplify add-rubrics to proposal PR flow #382

Draft
sepo-agent-app[bot] wants to merge 10 commits into main from agent/implement-issue-381/codex-26705106631

@sepo-agent-app

Summary

  • Add /add-rubrics and agent/add-rubrics routing for rubric proposal requests.
  • Add a focused rubric-editing prompt and a small workflow that keeps runtime code on the default branch, edits a separate agent/rubrics checkout, validates YAML, and opens a draft PR targeting agent/rubrics.
  • Update docs and tests for the simplified proposal-only behavior.

Verification

  • npm --prefix .agent run build
  • GITHUB_OUTPUT=/tmp/sepo-test-output node --test .agent/dist/__tests__/triage.test.js .agent/dist/__tests__/envelope.test.js .agent/dist/__tests__/response.test.js .agent/dist/__tests__/rubrics.test.js .agent/dist/__tests__/onboarding-check-cli.test.js
  • node --test .agent/dist/__tests__/docs-validation.test.js
  • GITHUB_OUTPUT=/tmp/sepo-test-output node --test .agent/dist/__tests__/envelope.test.js .agent/dist/__tests__/triage.test.js
  • git diff --check

Closes #381

sepo-agent-app Bot added the agent label (Handled by the agent) May 31, 2026

@lolipopshock

Contributor

@sepo-agent /orchestrate review and fix any potential bugs

@sepo-agent-app

sepo-agent-app Bot commented Jun 2, 2026

Author

I have enough evidence for the rubric score. The remaining tradeoff is not a bug: the route is proposal-only and well-guarded, but it still uses a sizable dedicated workflow and has generic fallback PR metadata when the model omits structured fields.

Rubrics Review

| Total Score | Verdict | Rubrics Scored |
| --- | --- | --- |
| 95 | PARTIAL | 18 |

| Dimension | Rubric | Result | Score | Evidence |
| --- | --- | --- | --- | --- |
| coding_workflow / generic | Validate delegated route authorization | pass | 8/8 | agent-router.yml resolves the route through dispatch with AUTHOR_ASSOCIATION and ACCESS_POLICY, then delegates the validated add-rubrics route with requested_by and target context. dispatch, handoff |
| coding_workflow / generic | Generate context-derived artifact metadata | partial | 5/7 | The prompt requires structured pr_title and pr_body, and fallback metadata is route-specific, but missing model metadata still falls back to generic “Propose rubric updates” content. prompt, fallback |
| coding_workflow / generic | Prefer agent-derived decisions | pass | 7/7 | Route selection is encoded in triage/dispatch policy rather than adding a repo-level knob. routes, policy |
| coding_workflow / generic | Minimal defaults, native escape hatches | partial | 7/8 | The behavior is proposal-only and avoids direct rubric writes, but still adds a large dedicated workflow despite #381 preferring a smaller implementation-style path if feasible. workflow, issue context |
| coding_workflow / generic | Reuse existing code | pass | 7/8 | The route reuses shared auth, provider resolution, run-agent-task, response parsing, validation, commit, PR creation, and posting helpers; new CLIs are narrow. workflow |
| coding_workflow / generic | Separate decision gates from action authorization | pass | 8/8 | Access policy is applied before route dispatch; deterministic post-processing owns privileged push/PR creation after validation. policy, commit path |
| coding_workflow / generic | Prefer explicit structured inputs | pass | 7/7 | Workflow inputs are separate typed fields, and the model response contract is explicit JSON. inputs, contract |
| coding_workflow / generic | Validate preview contracts | pass | 7/7 | Current head validates the model-edited checkout, enforces an allowlist for committed files, rejects symlinks, then validates the trusted checkout again before commit. allowlist, tests |
| communication / generic | Keep status comments compact | pass | 6/6 | Summary output is short, state-specific, and only includes branch/PR fields when useful. summary CLI |
| coding_workflow / generic | Make surgical changes | pass | 8/8 | Changes are scoped to the new add-rubrics route, prompt, workflow, docs, helpers, labels, and focused tests. file list |
| coding_workflow / generic | Keep docs in sync | pass | 7/7 | Usage and architecture docs describe the new route, trusted runtime checkout, read-only model mode, validation, and proposal PR target. usage, architecture |
| coding_workflow / generic | Keep privileged workflows on trusted runtime code | pass | 8/8 | Main checkout stays on the default branch; the model does not receive the write token; mounted memory/rubric remotes are unauthenticated; privileged commit uses a fresh trusted checkout. checkout/token, trusted checkout |
| coding_workflow / generic | Make user-facing automation idempotent | pass | 7/7 | Proposal branches are stable from target/request context and PR creation reuses an existing PR for the branch. branch derivation, PR reuse |
| coding_workflow / generic | Permissive command route parsing | pass | 7/7 | Supports explicit slash route, label route, and triaged rubric requests. slash routes, label route |
| coding_workflow / generic | Surface stateful failures | pass | 7/7 | Summary distinguishes missing rubrics, generation failure, setup failure, validation failure, commit/push failure, and PR creation failure. summary logic, tests |
| coding_workflow / generic | Comment on accepted workflow stops | pass | 6/6 | The workflow always prepares and posts a concise route summary on completion or failure paths. post summary |
| coding_workflow / generic | Name config by capability | pass | 6/6 | New action inputs are capability-named, such as agent_github_token, expose_github_token_to_agent, and persist_credentials. run-agent-task inputs, rubrics checkout input |
| coding_style / generic | Prefer simple implementations | partial | 5/7 | The proposal-only path is simpler than direct writes, but the implementation still adds a 380-line dedicated workflow and several new CLIs/tests. workflow |

Notes

  • The latest PR head fixes the prior rubric-specific concerns: write credentials are withheld from the model process, authenticated remotes are stripped from mounted checkouts, proposal PR branches are stable/reused, failure summaries are explicit, and the trusted commit path now enforces a YAML/README allowlist.
  • The remaining score loss is not a blocking bug. It is mostly about polish and architecture tradeoff: fallback PR metadata is still generic, and the route remains a sizable dedicated workflow despite the simplification goal.
  • Smallest useful follow-up: require pr_title/pr_body for successful add-rubrics proposal PR creation, or generate a context-derived fallback from target/request metadata.

Findings

  • INFO: Add-rubrics PR metadata is route-specific but not fully context-derived when the model omits pr_title or pr_body. This is a partial miss for Generate context-derived artifact metadata, not a blocker.
  • INFO: The implementation satisfies the proposal-only behavior, but the dedicated workflow size keeps Prefer simple implementations and Minimal defaults, native escape hatches short of full credit.

Final Rubric Verdict

PARTIAL


codex | gpt-5.5/xhigh | Macmini-runner-6

@sepo-agent-app

sepo-agent-app Bot commented Jun 2, 2026

Author

Rubrics Review

| Total Score | Verdict | Rubrics Scored |
| --- | --- | --- |
| 97 | PASS | 18 |

| Dimension | Rubric | Result | Score | Evidence |
| --- | --- | --- | --- | --- |
| coding_workflow / generic | Validate delegated route authorization | pass | 8/8 | agent-router.yml dispatches only after portal routing/policy and passes requester/target context into the add-rubrics workflow. router |
| coding_workflow / generic | Generate context-derived artifact metadata | partial | 6/7 | Prompt requires structured pr_title/pr_body; fallback is route-specific and avoids implement wording, but fallback title/body are still generic. prompt, fallback |
| coding_workflow / generic | Prefer agent-derived decisions | pass | 7/7 | Route selection is encoded in dispatch/slash/label routing rather than a new repo setting. triage |
| coding_workflow / generic | Keep privileged lifecycle routes out of rubric steering | pass | 8/8 | Rubric route names include ordinary work/rubric routes and exclude privileged install/update/self-merge routes. rubrics |
| coding_workflow / generic | Minimal defaults, native escape hatches | pass | 8/8 | Add-rubrics is proposal-only: read-only rubric mode during generation, then validated draft PR targeting agent/rubrics. workflow |
| coding_workflow / generic | Reuse existing code | pass | 7/8 | Reuses shared run-agent-task, parse-response, validation, commit, PR, and post-response helpers; new CLIs are narrowly scoped. workflow |
| coding_workflow / generic | Separate decision gates from action authorization | pass | 8/8 | Model gets no primary write token; write-token actions run later in deterministic post-processing. workflow |
| coding_workflow / generic | Prefer explicit structured inputs | pass | 7/7 | Workflow inputs are typed/separate, and model output has a JSON contract. inputs, prompt |
| communication / generic | Keep status comments compact | pass | 6/6 | Summary is concise and state-specific, with branch/PR fields only when useful. summary |
| coding_workflow / generic | Make surgical changes | pass | 8/8 | Changes stay scoped to add-rubrics routing, prompt, workflow, docs, helpers, and focused tests. |
| coding_workflow / generic | Keep docs in sync | pass | 7/7 | Docs describe the new route, proposal behavior, trusted checkout, and token boundary. docs |
| coding_workflow / generic | Keep privileged workflows on trusted runtime code | pass | 8/8 | Model job and post-process job both check out default-branch runtime; privileged post-processing runs in a fresh job. workflow |
| coding_workflow / generic | Make user-facing automation idempotent | pass | 7/7 | Proposal branch is stable from target/request context; existing PR lookup reuses by branch. branch, PR lookup |
| coding_workflow / generic | Permissive command route parsing | pass | 7/7 | Supports explicit /add-rubrics, agent/add-rubrics, and triaged natural rubric requests while passing full request text. slash, label |
| coding_workflow / generic | Surface stateful failures | pass | 7/7 | Summary distinguishes unavailable rubrics, generation failure, validation failure, trusted setup failure, commit failure, and PR failure; tests cover these paths. summary, tests |
| coding_workflow / generic | Comment on accepted workflow stops | pass | 6/6 | Workflow prepares and posts a summary on success/failure paths. post |
| coding_workflow / generic | Name config by capability | pass | 6/6 | New inputs are capability-oriented: token exposure and checkout credential persistence. inputs |
| coding_style / generic | Prefer simple implementations | partial | 5/7 | Proposal-only behavior is simpler than PR #344’s two-mode design, but still requires a dedicated workflow and several helper CLIs to preserve trusted-runtime boundaries. workflow |

Notes

  • The current head satisfies the main rubric-sensitive constraints from Simplify add-rubrics to proposal PR flow #381/Add explicit add-rubrics route #344: proposal PRs only, default-branch runtime, separate agent/rubrics checkout, no primary write token in the model process, validated trusted-copy post-processing, stable proposal branches, and visible failure summaries.
  • Verification passed in a PR-head worktree: npm --prefix .agent run build, focused add-rubrics/workflow tests with 85 passing tests, docs validation, and git diff --check.
  • Smallest useful follow-up: make fallback add-rubrics PR title/body derive from the request text when model metadata is missing.

Findings

  • INFO: No rubric-specific blocking or warning findings. The remaining partial scores are for generic fallback metadata and implementation size, not correctness blockers.

Final Rubric Verdict

PASS


codex | gpt-5.5/xhigh | Macmini-runner-3

required: false
default: agent/rubrics

permissions:

Author

The model job still inherits the workflow-level write and OIDC permissions. Even though run-agent-task withholds GH_TOKEN, an approve-all model step can use the job OIDC request environment to mint a hosted App token through the same auth broker path, so proposal mode still has a direct write-token bypass before validated post-processing. Please scope permissions per job: keep add-rubrics read-only with no id-token: write, and grant write/OIDC permissions only to add-rubrics-post-process.

@sepo-agent-app

sepo-agent-app Bot commented Jun 2, 2026

Author

AI Review Synthesis

Dual-agent review by Claude and Codex.
Requested by @lolipopshock.

Summary of PR/Issue

  • PR Simplify add-rubrics to proposal PR flow #382 implements Simplify add-rubrics to proposal PR flow #381 by simplifying /add-rubrics into a proposal-PR flow for rubric changes.
  • The target behavior is to keep Sepo runtime code on the default branch, let the model edit a separate agent/rubrics checkout, validate the proposal, and open or reuse a draft PR targeting agent/rubrics.
  • The latest head fixes earlier token exposure, same-workspace post-processing, idempotency, failure-summary, trusted-copy, and .gitkeep findings.
  • One current trust-boundary issue remains because the model job still inherits workflow-level write/OIDC authority.

Review

The PR still needs rework before merge. Claude and the rubrics review consider the split post-process architecture mostly sound, but Codex’s current blocker is supported by the live workflow permissions.

| Issue | Severity | Description |
| --- | --- | --- |
| Model Job Inherits Write/OIDC Permissions | BLOCKING | agent-add-rubrics.yml grants workflow-level write and OIDC permissions to both jobs, including the approve-all model job. With id-token: write, the model can use the OIDC request environment to mint hosted App credentials before validated post-processing. |
| Trusted Copy Is Coupled To Current Rubrics File Types | WARNING | prepare-add-rubrics-trusted-copy.ts throws on any non-.gitkeep/YAML file under rubrics/, which could make future proposals fail if the rubrics branch later gains legitimate metadata files. |

Progress

  • Existing same-agent inline threads for earlier token exposure, summary states, runtime ordering, .gitkeep, and mutable post-processing findings are fixed or already resolved.
  • Posted 1 new inline comment on .github/workflows/agent-add-rubrics.yml line 100 for the remaining job-permission boundary issue.
  • Resolved 1 stale same-agent inline thread on .github/workflows/agent-add-rubrics.yml line 434 because the split add-rubrics-post-process job supersedes that finding.
  • No inline replies or comment minimizations were performed.

Issue Details

Model Job Inherits Write/OIDC Permissions

Cause: Workflow-level permissions apply to both add-rubrics and add-rubrics-post-process. The model job runs run-agent-task at agent-add-rubrics.yml#L171-L208, and the repo’s auth action can exchange ACTIONS_ID_TOKEN_REQUEST_* for hosted App auth.

Candidate solutions: Move permissions to job scope. Keep add-rubrics read-only with no id-token: write, avoid resolving write auth there, and grant write/OIDC permissions only to add-rubrics-post-process.

Comments: This is distinct from the older line 434 mutable-workspace thread; that issue was addressed by the second job. The remaining problem is the first job’s own authority.

Trusted Copy Is Coupled To Current Rubrics File Types

Cause: The trusted-copy CLI recursively scans the source rubrics/ tree and fails the whole proposal when it sees an otherwise legitimate non-YAML file.

Candidate solutions: Either document that rubrics/ may only contain .gitkeep, .yml, and .yaml, or skip unknown base files with a clear warning while still refusing symlinks and unsafe paths.

Comments: This is a liveness hardening concern, not the merge blocker.

Recommended Next Step

FIX_PR: the unresolved permission boundary requires a concrete workflow change and is safe for an automated fix-pr pass.

Final Verdict

NEEDS_REWORK

Action Items

  • Scope agent-add-rubrics.yml permissions so the model job has read-only/no-OIDC authority and only the post-process job can mint or use write credentials.

codex | gpt-5.5/xhigh | Macmini-runner-5

@sepo-agent-app

sepo-agent-app Bot commented Jun 2, 2026

Author

Sepo is dispatching follow-up automation.

| Source | Next | Target | Round | Status |
| --- | --- | --- | --- | --- |
| review | fix-pr | PR #382 | 19 / 40 | Dispatched |

Reason: agent planner selected fix-pr: Latest review synthesis reported needs_rework with Recommended Next Step: FIX_PR, and the remaining item is a concrete workflow permissions bug suitable for an automated PR fix.

Task for fix-pr:
Address only the latest review synthesis action items:

  • Scope agent-add-rubrics.yml permissions so the model job has read-only/no-OIDC authority and only the post-process job can mint or use write credentials.

Constraints: Ignore optional INFO notes, metadata-only polish, already-fixed findings, and human-judgment nits unless required by those action items.

@sepo-agent-app

sepo-agent-app Bot commented Jun 2, 2026

Author

Sepo pushed fixes for this PR. Branch: agent/implement-issue-381/codex-26705106631. Requested by @sepo-agent.

  • Scoped agent-add-rubrics.yml permissions so the model job is contents: read only and has no OIDC/write-token auth resolver.
  • Kept write/OIDC permissions only on add-rubrics-post-process, where deterministic commit/PR/posting steps run.
  • Added envelope.test.ts regression coverage for the job-scoped permission boundary.

Verification

  • npm --prefix .agent run build
  • GITHUB_OUTPUT=/tmp/sepo-add-rubrics-test-output node --test .agent/dist/__tests__/envelope.test.js .agent/dist/__tests__/prepare-add-rubrics-proposal-cli.test.js .agent/dist/__tests__/prepare-add-rubrics-proposal-summary-cli.test.js .agent/dist/__tests__/prepare-add-rubrics-trusted-copy-cli.test.js .agent/dist/__tests__/create-pr-cli.test.js
  • git diff --check

codex | gpt-5.5 | xhigh | Macmini-runner-3
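
The job-permission boundary this thread converges on, as an added example that is not code from the PR or the Sepo project: a check that resolves each job's effective permissions under GitHub Actions rules and flags a model-driven job that can write or request an OIDC token. The two workflow objects are constructed samples; apart from the job names, `contents: read` and `id-token: write`, their scope values and all function names are assumptions.

```javascript
// Constructed samples shaped like a parsed agent-add-rubrics.yml. Only the job
// names, `contents: read` and `id-token: write` come from the thread; the other
// scope values are assumptions made for illustration.
const WRITE_SCOPES = { contents: 'write', 'pull-requests': 'write', 'id-token': 'write' };

const inheritedWorkflow = {           // workflow-level block inherited by both jobs
  permissions: WRITE_SCOPES,
  jobs: { 'add-rubrics': {}, 'add-rubrics-post-process': { needs: 'add-rubrics' } },
};

const scopedWorkflow = {              // job-scoped blocks, as the fix describes
  jobs: {
    'add-rubrics': { permissions: { contents: 'read' } },
    'add-rubrics-post-process': { needs: 'add-rubrics', permissions: WRITE_SCOPES },
  },
};

// GitHub Actions rules: a job-level `permissions` block replaces the
// workflow-level one entirely, and a scope missing from a block is `none`.
// With no block at either level the repository default applies, which this
// check cannot see, so null is returned.
function effectivePermissions(workflow, jobName) {
  const job = workflow.jobs[jobName];
  if (!job) throw new Error(`unknown job: ${jobName}`);
  const declared = job.permissions !== undefined ? job.permissions : workflow.permissions;
  if (declared === undefined) return null;
  // `read-all` / `write-all` shorthand becomes a wildcard entry.
  if (typeof declared === 'string') return { '*': declared.replace('-all', '') };
  return { ...declared };
}

// One finding per write-capable scope on a job that runs model-driven steps.
function auditUntrustedJobs(workflow, untrustedJobs) {
  const findings = [];
  for (const job of untrustedJobs) {
    const perms = effectivePermissions(workflow, job);
    if (perms === null) {
      findings.push({ job, scope: '*', reason: 'no permissions block; repository default applies' });
      continue;
    }
    for (const [scope, level] of Object.entries(perms)) {
      if (level === 'write') findings.push({ job, scope, reason: `${scope}: write on model job` });
    }
  }
  return findings;
}

console.log(auditUntrustedJobs(inheritedWorkflow, ['add-rubrics']));
console.log(auditUntrustedJobs(scopedWorkflow, ['add-rubrics']));
```

Run against a parsed workflow in CI, a non-empty result for the model job is the regression signal; the post-process job is deliberately left out of the untrusted list because it only runs deterministic steps.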
