
Add gated Sepo release publish workflow #411

Draft
sepo-agent-app[bot] wants to merge 2 commits into main from agent/implement-issue-408/codex-26973791014


Conversation

sepo-agent-app Bot commented Jun 4, 2026

Summary

  • Add Agent / Release / Publish for marked merged release PRs, plus manual version, target_sha, and dry_run recovery inputs.
  • Add a typed publish CLI that validates release PR metadata, package version, changelog notes, target SHA, and tag absence before creating the GitHub Release/tag.
  • Update the release prompt and versioning docs so future release PRs carry the publish marker.

Verification

  • npm --prefix .agent run build
  • node --test .agent/dist/__tests__/publish-release-cli.test.js .agent/dist/__tests__/release-version.test.js .agent/dist/__tests__/prepare-release-cli.test.js
  • node --test .agent/dist/__tests__/docs-validation.test.js
  • node -e "const fs=require('fs'); const YAML=require('./.agent/node_modules/yaml'); YAML.parse(fs.readFileSync('.github/workflows/agent-release-publish.yml','utf8')); console.log('workflow yaml ok')"
  • git diff --check

Closes #408

@sepo-agent-app sepo-agent-app Bot added the agent Handled by the agent label Jun 4, 2026
Comment thread on .github/workflows/agent-release-publish.yml (outdated)

sepo-agent-app Bot (Author) commented Jun 4, 2026

Sepo pushed fixes for this PR. Branch: agent/implement-issue-408/codex-26973791014. Requested by @sepo-agent.

  • Manual release publish dispatch now checks out the trusted default branch instead of inputs.target_sha, so local actions and the publish CLI run from trusted runtime code.
  • Publish CLI validates TARGET_SHA is reachable from the trusted checkout and reads package/changelog metadata from that target commit before tagging.
  • Added regression coverage for manual recovery against an older default-branch commit and rejection of unmerged target SHAs.

Verification

  • npm --prefix .agent run build
  • node --test .agent/dist/__tests__/publish-release-cli.test.js .agent/dist/__tests__/release-version.test.js .agent/dist/__tests__/prepare-release-cli.test.js
  • node -e "const fs=require('fs'); const YAML=require('./.agent/node_modules/yaml'); YAML.parse(fs.readFileSync('.github/workflows/agent-release-publish.yml','utf8')); console.log('workflow yaml ok')"
  • git diff --check

codex | gpt-5.5/xhigh | Macmini-runner-2

sepo-agent-app Bot (Author) commented Jun 4, 2026

Sepo is dispatching follow-up automation.

Source   Next     Target    Round    Status
fix-pr   review   PR #411   5 / 40   Dispatched

Reason: agent planner selected review: fix-pr succeeded after a NEEDS_REWORK review; the PR needs a fresh automated review of the current head to verify the manual release publish trust-boundary fix and regression coverage.

sepo-agent-app Bot (Author) commented Jun 4, 2026

Rubrics Review

Total Score   Verdict   Rubrics Scored
100           PASS      10
Dimension | Rubric | Result | Score | Evidence
coding_workflow / generic | Read docs and linked context first | pass | 6/6 | PR #411 closes #408 and implements the issue's recommended plan: publish after merged release PRs, use a marker plus required file checks, validate version/changelog/tag state, and provide version, target_sha, and dry_run recovery inputs.
coding_workflow / generic | Reuse existing code | pass | 8/8 | The publish CLI reuses existing helpers such as gh, setOutput, and parseReleaseVersion instead of adding separate GitHub, output, or SemVer parsing logic.
coding_workflow / generic | Make surgical changes | pass | 8/8 | The diff is limited to the release publish workflow, publish CLI/source, focused tests, release prompt marker, and versioning docs.
coding_style / generic | Prefer simple implementations | pass | 7/7 | The implementation is a single deterministic workflow plus typed CLI, with no new agent route, broad settings layer, or agent-driven release write path.
coding_workflow / generic | Keep docs in sync | pass | 7/7 | .agent/docs/technical-details/versioning.md now documents prepare vs. publish behavior, source-repo gating, and manual version / target_sha / dry_run recovery inputs.
coding_workflow / generic | Prefer explicit structured inputs | pass | 7/7 | workflow_dispatch exposes separate version, target_sha, and boolean dry_run inputs; the CLI validates version and target SHA independently.
coding_workflow / generic | Validate preview contracts | pass | 7/7 | Dry-run still validates PR marker/files, package version, changelog notes, target SHA, and tag absence, and tests assert it does not call gh release create.
coding_workflow / generic | Keep privileged workflows on trusted runtime code | pass | 8/8 | The workflow is hard-gated to self-evolving/repo; manual dispatch checks out the default branch, while the CLI rejects target SHAs not reachable from trusted HEAD before release-capable actions run.
coding_workflow / generic | Separate context from execution dependencies | pass | 7/7 | PR-triggered runs validate the merge commit against the PR metadata, and manual target_sha is treated as release target data only after reachability and version validation.
coding_workflow / generic | Surface stateful failures | pass | 7/7 | Existing tags, missing files, missing changelog notes, invalid target SHAs, version mismatches, and non-404 tag lookup failures fail or skip explicitly rather than reporting a clean publish.

Notes

  • The earlier rubric concern around manual target_sha is addressed in the current head: manual runs use trusted default-branch runtime code, and ensureTargetShaReachableFromHead rejects unmerged target commits before any GitHub release call.
  • I scored only rubrics that map to this PR’s changed behavior. Orchestrator/delegated-route rubrics were not scored because this PR does not change orchestration dispatch or route authorization.
  • No rubric-specific follow-up needed.

Findings

  • No rubric-specific findings.

Final Rubric Verdict

PASS


codex | gpt-5.5/xhigh | zucchini-m4-5

sepo-agent-app Bot (Author) commented Jun 4, 2026

AI Review Synthesis

Dual-agent review by Claude and Codex.
Requested by @lolipopshock.

Summary of PR/Issue

PR #411 closes #408 by adding a deterministic Sepo release publish path after marked release PRs merge to the default branch. It adds Agent / Release / Publish, a typed publish CLI, tests, release prompt marker guidance, and versioning docs. The core safety goal from #408 is that release tags point at merged default-branch commits, not unmerged PR heads. The current head is 48e1a1a2a35d28c621fa2bc3797627a4ff7c7ea4.

Review

The prior blocking manual target_sha trust-boundary issue is resolved in the current PR state. Reviewers agree the release-capable runtime now stays on trusted checkout code; remaining differences are severity only, with Claude rating two follow-ups as WARNING while Codex and the rubric review treat them as INFO/no required work.

Issue | Severity | Description
Release PR marker depends on prompt compliance | INFO | Release PR recognition depends on the hidden marker requested in the release prompt. Omission fails closed and manual recovery exists, so this is a hardening note rather than required work.
Remaining guard branches could use broader tests | INFO | Current tests cover the main publish paths and the manual target_sha trust boundary. Extra coverage for duplicate tags, missing changelog notes, PR mismatch, and prerelease flagging would reduce future regression risk.

Progress

  • The current workflow no longer checks out inputs.target_sha; manual dispatch checks out the default branch and passes TARGET_SHA only as data.
  • The publish CLI now validates target reachability with git merge-base --is-ancestor before target file reads or GitHub release calls.
  • Review artifacts report focused regression coverage for rejecting unmerged manual target SHAs with zero gh calls.
  • Resolved the stale same-agent inline review thread PRRT_kwDOSOhEMM6HLMeK; no new inline comments, replies, or minimizations were added.

Issue Details

Release PR marker depends on prompt compliance

Cause: The marker is requested in .github/prompts/agent-release.md, and the publish CLI skips unmarked PRs.

Candidate solutions: Future hardening could inject release intent deterministically at PR creation time, or derive it from release-prepare metadata plus required file changes.

Comments: Claude marked this WARNING; Codex and the rubric review treated it as non-blocking because omission skips publishing rather than mispublishing.

Remaining guard branches could use broader tests

Cause: .agent/src/__tests__/publish-release-cli.test.ts covers the core paths but not every defensive branch in .agent/src/release-publish.ts.

Candidate solutions: Add follow-up tests for existing tags, missing required files, missing changelog sections, PR merge-target mismatch, and prerelease releases.

Comments: This is useful test-depth work, but not required for the current fix because the highest-risk trust boundary is now covered.

Recommended Next Step

NO_AUTOMATED_ACTION: No unresolved required branch-change work remains; the remaining items are optional hardening notes.

Final Verdict

SHIP

Action Items

  • No required branch-change work remains.

codex | gpt-5.5/xhigh | Macmini-runner-2
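The fail-closed publish gate that the fix comment and the review synthesis above describe (release marker, required files, target SHA reachable from the trusted checkout, package version, changelog notes, tag absence, dry run), as an added illustration written for this page. It is not the project's publish CLI (.agent/src/release-publish.ts) or any code from this PR. The marker text, required-file list, commit graph and changelog are constructed sample data; the parent-walk in isReachableFromHead stands in for the git merge-base --is-ancestor call the real CLI runs against the trusted checkout, and the package/changelog contents are passed in rather than read from the target commit.

```javascript
// Constructed example of a fail-closed release publish gate. Not the
// repository's CLI; every name, input and the commit graph are assumptions.

const RELEASE_MARKER = "<!-- sepo-release -->";            // hypothetical marker
const REQUIRED_FILES = ["package.json", "CHANGELOG.md"];   // assumed required files
const SEMVER = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/;

function parseReleaseVersion(version) {
  const m = SEMVER.exec(version);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] ?? null };
}

// Stand-in for `git merge-base --is-ancestor <target> HEAD`: walk parent links
// from the trusted head and report whether target lies on that history.
// graph is a constructed Map of sha -> [parent shas].
function isReachableFromHead(graph, trustedHead, target) {
  const seen = new Set();
  const stack = [trustedHead];
  while (stack.length) {
    const sha = stack.pop();
    if (sha === target) return true;
    if (seen.has(sha)) continue;
    seen.add(sha);
    for (const parent of graph.get(sha) ?? []) stack.push(parent);
  }
  return false;
}

// Return the notes under "## <version>" in a Keep-a-Changelog style file,
// or null when the section is absent or empty.
function changelogNotes(changelog, version) {
  const lines = changelog.split("\n");
  const start = lines.findIndex((l) => l.trim() === `## ${version}`);
  if (start < 0) return null;
  const body = [];
  for (const l of lines.slice(start + 1)) {
    if (l.startsWith("## ")) break;
    body.push(l);
  }
  const text = body.join("\n").trim();
  return text.length ? text : null;
}

function fail(reason) {
  return { ok: false, reason };
}

// Every guard fails closed: the first failing check returns {ok:false, reason}
// and nothing release-capable is planned. Only a fully validated input yields
// a release plan, and dryRun downgrades that plan to validate-only.
function planPublish(input) {
  const { pr, files, graph, trustedHead, targetSha, packageJson, changelog, existingTags, dryRun } = input;
  if (!pr.merged || pr.baseRef !== "main") return fail("pr-not-merged-to-default");
  if (!pr.body.includes(RELEASE_MARKER)) return fail("unmarked-pr-skipped");
  for (const f of REQUIRED_FILES) if (!files.includes(f)) return fail(`missing-required-file:${f}`);
  if (!isReachableFromHead(graph, trustedHead, targetSha)) return fail("target-not-reachable-from-trusted-head");
  const parsed = parseReleaseVersion(packageJson.version);
  if (!parsed) return fail("invalid-package-version");
  const notes = changelogNotes(changelog, packageJson.version);
  if (!notes) return fail("missing-changelog-notes");
  const tag = `v${packageJson.version}`;
  if (existingTags.includes(tag)) return fail("tag-already-exists");
  const release = { tag, targetSha, notes, prerelease: parsed.prerelease !== null };
  return { ok: true, dryRun, release, action: dryRun ? "validate-only" : "create-release" };
}

// Constructed history: main is a -> b -> c (c is the trusted head); x is an
// unmerged commit branched from b that main never merged.
const SAMPLE_GRAPH = new Map([["a", []], ["b", ["a"]], ["c", ["b"]], ["x", ["b"]]]);
const SAMPLE_CHANGELOG = "# Changelog\n\n## 1.4.0\n- Add gated publish workflow\n\n## 1.3.0\n- Older notes\n";

function sampleInput(overrides = {}) {
  return {
    pr: { merged: true, baseRef: "main", body: `Release 1.4.0\n${RELEASE_MARKER}` },
    files: ["package.json", "CHANGELOG.md"],
    graph: SAMPLE_GRAPH,
    trustedHead: "c",
    targetSha: "c",
    packageJson: { version: "1.4.0" },
    changelog: SAMPLE_CHANGELOG,
    existingTags: ["v1.3.0"],
    dryRun: false,
    ...overrides,
  };
}

// Scenarios mirroring the thread: normal publish, dry run, rejected unmerged
// target, manual recovery against an older default-branch commit, and the
// stateful failures that must surface instead of reporting a clean publish.
function demo() {
  return {
    publish: planPublish(sampleInput()),
    dryRun: planPublish(sampleInput({ dryRun: true })),
    unmerged: planPublish(sampleInput({ targetSha: "x" })),
    olderMain: planPublish(sampleInput({ targetSha: "b", packageJson: { version: "1.3.0" }, existingTags: [] })),
    dupTag: planPublish(sampleInput({ existingTags: ["v1.3.0", "v1.4.0"] })),
    noNotes: planPublish(sampleInput({ packageJson: { version: "1.5.0" } })),
    unmarked: planPublish(sampleInput({ pr: { merged: true, baseRef: "main", body: "Release 1.4.0" } })),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The ordering matters: reachability is checked before any version or changelog data from the target is trusted, which is the separation of "context" from "execution" the rubric review credits, and the unmerged commit x is rejected with no release plan produced at all.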

Labels: agent (Handled by the agent)

Development: successfully merging this pull request may close the linked issue "Improve release workflows?"

1 participant