feat(review): Order D — PLATFORM_CONTEXT + charter auto-loop policy #10

Closed
claude wants to merge 0 commits from claude/identity-wiring/order-d-reviewer-context into main
Collaborator

Summary

Two coupled changes addressing operator observation: "the reviewers are going wild because each one wants to prove itself".

1. PLATFORM_CONTEXT prepended to every reviewer

control-plane/platformctl/tools/providers/_base.py — new _PLATFORM_CONTEXT constant prepended to all 6 reviewers' system prompts. Frames the operating environment (single-operator homelab, ADHD operator, ≤300 LOC norm, sacred paths, noise-floor heuristic, orchestrator role rotates per PR).

2. Charter §3 sub-rule: Reviewer noise floor + autonomous fix-loop policy

Covers both the PLATFORM_CONTEXT convention and auto-amend policy (max 3 attempts before operator gate). Auto-loop implementation deferred to Order E.

3. Open loops added (state/STATUS_NOW.md)

  • iterate-platform-context-for-reviewers — revisit after N≥10 PRs
  • autonomous-fix-loop-impl — Order E target, deadline 2026-06-01

Tests: 127/127 green (+3 new)

Test plan

  • 127 unit tests green
  • Recursive meta-test: this PR fires 3+3 review with new PLATFORM_CONTEXT injected. Operator + orchestrator observe whether noise floor drops vs PR #9's pattern.
  • After merge: Order C (Codex implements askpass) on parallel track

Linkage

  • Successor to merged PR #9
  • Precursor to Order C and A1

🤖 Generated by claude (orchestrator session, 2026-05-01) — Order D delegation. Charter §3+§4 cross-references inside.

## Summary

Two coupled changes addressing operator observation: "the reviewers are going
wild because each one wants to prove itself" (reviewers pad output to look thorough).

### 1. PLATFORM_CONTEXT prepended to every reviewer's system prompt

`control-plane/platformctl/tools/providers/_base.py`: new `_PLATFORM_CONTEXT`
constant prepended to all 6 reviewers' system prompts (3 tech + 3 product, all
glm/codex/claude families). Frames the operating environment:

- single-operator homelab (NOT enterprise SaaS)
- ADHD operator, ≤300 LOC norm, sacred paths
- "fix existing bug > elegance refactor"
- "one sharp finding > five vague ones"
- orchestrator role rotates per PR (not always claude)
- mobile approval workflow

Without this frame, reviewers padded with enterprise patterns and 5+ low-severity
nits per PR. PR #9's 3+3 review showed the pattern clearly.

### 2. Charter §3 sub-rule: Reviewer noise floor + autonomous fix-loop policy

`PLATFORM_CHARTER.md` adds one sub-rule covering both:
- the PLATFORM_CONTEXT noise-floor convention
- autonomous fix-loop policy (max 3 attempts before operator gate)

Auto-loop implementation (Order E target) deferred — this PR adds policy text
+ open loops; auto-amend/auto-merge code lands later.

### 3. Open loops added (state/STATUS_NOW.md)

- `iterate-platform-context-for-reviewers` — revisit PLATFORM_CONTEXT after
  N≥10 reviewed PRs to incorporate emergent patterns
- `autonomous-fix-loop-impl` — Order E target, deadline 2026-06-01

## Tests: 127/127 green (was 124, +3 new)

- `test_system_prompt_includes_platform_context_for_all_reviewers`
- `test_platform_context_appears_before_role_lens_and_output_schema`
- `test_platform_context_does_not_leak_secrets_or_paths`

## Test plan

- [x] 127 unit tests
- [ ] Recursive meta-test: this very PR will fire 3+3 review with the new
      PLATFORM_CONTEXT injected. Operator + orchestrator observe whether
      noise-floor improvement is visible vs PR #9's review pattern
- [ ] After merge: Order C (Codex implements askpass) lands separately

## Linkage

- Successor to merged PR #9 (per-actor + decision comment infrastructure)
- Precursor to Order C (Codex git askpass) — independent track, parallel
- Precursor to A1 (fix_patch.ops[] schema) — A1 reviewers will benefit from
  reduced noise floor

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Oracle GPT-5.5 Pro <noreply@anthropic.com>
First-time contributor

Decision packet — PR 10

Risk: ELEVATED
Default action: defer

Tech votes

  • tech-gpt → OK
  • tech-glm → OK
  • tech-claude → OK

Product votes

  • product-gpt → NOT_OK
  • product-claude → OK
  • product-glm → OK

Weak-signal risks (1 reviewer)

  • high Remove credential topology from STATUS_NOW before merge (raised by product-gpt)
  • medium Auto-merge policy lacks an operator-safe boundary (raised by product-gpt)
  • medium PLATFORM_CONTEXT drift risk without explicit iteration trigger (raised by product-glm)
  • medium PLATFORM_CONTEXT contains internal tension that may rationalize the very padding it tries to suppress (raised by tech-claude)

Opportunities

  • Prompt ordering is well-locked — control-plane/platformctl/tests/test_run_review.py adds a positional regression check that PLATFORM_CONTEXT precedes role/lens text and strict JSON instructions, matching the intended model-instruction hierarchy. (tech-gpt)
  • Keep Order D narrow — The actual prompt injection is small and test-backed. Splitting or removing the large STATUS_NOW handoff block would make this a clean <=300 LOC policy/tooling PR instead of mixing reviewer behavior with live credential-state documentation. (product-gpt)
  • Future-proof reviewer discovery — Tests iterate hardcoded list of 6 reviewer IDs. Consider for reviewer_id in _REVIEWER_FLAVORS.keys() for automatic coverage if new reviewers are added. Not a blocker—current coverage is complete. (tech-glm)
  • Anchor the iterate-platform-context-for-reviewers open loop to a concrete trigger — The new open loop says 'revisit after N≥10 PRs' but there's no counter, cron, or scheduled agent backing it — it lives only as prose in STATUS_NOW.md. ADHD-friendly hardening (out of this PR's scope, flag for separate action): once this merges, schedule a one-shot routine that fires after ~10 merges to open an audit PR. Otherwise this loop drifts until the next manual compaction and the whole 'iterate the block from real data' premise quietly dies. The PR is correct to defer implementation, but (product-claude)
  • Add explicit 'scannable surface' guard to tests — Charter §3 mentions 'Make your output scannable' but test_platform_context_does_not_leak_secrets_or_paths doesn't validate this. Consider adding a cheap check: assert 'JSON' appears early in prompt or that output schema definition is compact enough to render on mobile without scrolling. (product-glm)
  • Strengthen ordering assertion to anchor PLATFORM_CONTEXT at prompt start — test_platform_context_appears_before_role_lens_and_output_schema verifies relative order via find(), but does not lock the prompt's leading bytes. A future refactor that prepends anything (e.g. a provider-specific preamble) would silently relegate PLATFORM_CONTEXT to a non-first position while still passing. A one-line assert prompt.startswith("PLATFORM CONTEXT") (or a snapshot of the first 80 chars) would catch that regression cheaply. (tech-claude)
  • Secret-leak guard could iterate across all 6 reviewers — test_platform_context_does_not_leak_secrets_or_paths only checks product-claude. Today the PLATFORM_CONTEXT is shared so this is sufficient, but if a future flavor (per-reviewer) starts injecting its own context (e.g. a runtime-layout snippet), the guard silently misses it. Loop the same forbidden-substring check over all 6 reviewer_ids with negligible cost. (tech-claude)

Dissents

  • product-gpt voted NOT_OK (confidence 0.86): {"verdict":"NOT_OK","confidence":0.86,"risks":[{"title":"Remove credential topology from STATUS_NOW before merge","severity":"high","evidence":"state/STATUS_NOW.md adds Bitwarden item IDs, Infisical machine identity IDs, client IDs, workspace IDs, wrapper paths, and local Oracle/browser profile paths in the 2026-05-01 ~22:00 handoff block.","recommendation":"Keep the reviewer prompt and charter change, but strip the sensitive operational inventory from this PR or move it to non-repo private runt

Operator decisions (yes/no)

  1. Risk 'Remove credential topology from STATUS_NOW before merge' raised by 1/6: do you accept this risk, or should this PR be deferred until it's mitigated?
  2. Risk 'Auto-merge policy lacks an operator-safe boundary': mitigated, accepted, or convert to open_loop?
  3. Risk 'PLATFORM_CONTEXT drift risk without explicit iteration trigger': mitigated, accepted, or convert to open_loop?

Evidence

  • Total review wallclock: ~288s
  • Tech consensus: all OK
  • Product consensus: dissent
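
The two test-tightening suggestions in the decision packet above (anchor PLATFORM_CONTEXT at the very start of the prompt, and run the leak guard over every reviewer rather than one), as an added example that is not the project's code. `build_system_prompt`, the constant values, the role strings and the forbidden-substring list are assumptions, because `_base.py` and the real tests are not shown on this page.

```python
# Constructed stand-ins: the real constants live in providers/_base.py (not shown on the page).
PLATFORM_CONTEXT = "PLATFORM CONTEXT\n- single-operator homelab\n- one sharp finding > five vague ones\n"
OUTPUT_SCHEMA = "Respond with strict JSON only.\n"
REVIEWER_FLAVORS = {
    rid: f"ROLE: {rid.split('-')[0]} reviewer ({rid})\n"
    for rid in ("tech-gpt", "tech-glm", "tech-claude",
                "product-gpt", "product-glm", "product-claude")
}
# Assumed forbidden content: anything that looks like a home-directory path.
FORBIDDEN_SUBSTRINGS = ("~/", "/Users/", "/home/")


def build_system_prompt(reviewer_id, preamble="", flavors=REVIEWER_FLAVORS):
    """Hypothetical assembler: optional preamble, context, role text, output schema."""
    return preamble + PLATFORM_CONTEXT + flavors[reviewer_id] + OUTPUT_SCHEMA


def relative_order_ok(prompt, role_text):
    """find()-style check: context before role text before output schema."""
    ctx, role, schema = (prompt.find(s) for s in (PLATFORM_CONTEXT, role_text, OUTPUT_SCHEMA))
    return 0 <= ctx < role < schema


def anchored_at_start(prompt):
    """Stricter check: nothing at all may precede the context block."""
    return prompt.startswith("PLATFORM CONTEXT")


def leak_findings(prompt):
    """Forbidden substrings that occur anywhere in the assembled prompt."""
    return [s for s in FORBIDDEN_SUBSTRINGS if s in prompt]


def audit(flavors=REVIEWER_FLAVORS, preamble=""):
    """Run every guard for every registered reviewer; return only the failures."""
    failures = {}
    for rid, role_text in flavors.items():
        prompt = build_system_prompt(rid, preamble, flavors)
        problems = leak_findings(prompt)
        if not relative_order_ok(prompt, role_text):
            problems.append("order")
        if not anchored_at_start(prompt):
            problems.append("not_first")
        if problems:
            failures[rid] = problems
    return failures


if __name__ == "__main__":
    print(audit())                                      # baseline: no failures
    print(audit(preamble="Provider note: be brief.\n"))  # order holds, anchor does not
```

A prepended preamble passes the relative-order check for all six reviewers and is caught only by the start anchor; a path injected into a single reviewer's role text is caught only because the audit iterates the registry instead of checking one ID.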
Addresses canary δ on PR #10 product-gpt high-risk:
> "Remove credential topology from STATUS_NOW before merge — state/STATUS_NOW.md
> adds Bitwarden item IDs, Infisical machine identity IDs, client IDs, workspace
> IDs, wrapper paths, and local Oracle/browser profile paths..."

## Changes

1. **state/STATUS_NOW.md**: stripped all UUIDs (BW item IDs, machine identity
   IDs, Client IDs, workspace IDs) and direct path-to-config references. Replaced
   with semantic descriptions ("Forgejo service accounts wired", "Infisical
   primary credential source") + reference to `~/.platformctl-runtime/state-machine-local.md`
   for the actual operational inventory.

2. **PLATFORM_CHARTER.md §5**: new sub-rule "Secret stewardship — primary vs
   personal" codifying operator's pattern:
   - Infisical = primary for all machine credentials (API keys, PATs, tokens)
   - BW + macOS Keychain = rare, only operator's personal credentials
   - One BW item kept routinely: Infisical Client Secret (bootstrap pair)
   - Tracked-state hygiene: no UUIDs in `state/` files (machine-local lives outside repo)

3. **Closes open loop `infisical-pat-migration`** (Order F target became operator's
   live pivot during canary δ — done).

4. **Adds open loop `single-comment-regression`** (Order G target) — canary δ
   emitted only 1 comment via legacy path; PR #9's per-actor + decision design
   silently regressed.

## Linkage

- Amends PR #10 (Order D PLATFORM_CONTEXT)
- New machine-local file `~/.platformctl-runtime/state-machine-local.md` (mode 0600,
  gitignored) holds the actual UUIDs that were sanitized out

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
pdurlej force-pushed claude/identity-wiring/order-d-reviewer-context from 92f5d6ee9b to 4190cbfded 2026-05-01 23:32:54 +02:00 Compare
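
One way to enforce the tracked-state hygiene rule from the commit message above (no UUIDs in `state/` files, machine-local inventory at mode 0600), as an added example that is not part of the repository. The function names are hypothetical, the sample tree and UUID are constructed, and the scan walks the directory instead of asking git which files are tracked.

```python
import re
import stat
import tempfile
from pathlib import Path

UUID_RE = re.compile(r"\b[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\b", re.I)


def scan_tracked_state(repo_root, subdir="state"):
    """Return (relative_path, line_no, redacted_line) for each line holding a UUID."""
    root = Path(repo_root)
    findings = []
    for path in sorted((root / subdir).rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), start=1):
            if UUID_RE.search(line):
                # Redact so the report itself does not re-publish the identifier.
                redacted = UUID_RE.sub("<uuid>", line)
                findings.append((path.relative_to(root).as_posix(), line_no, redacted))
    return findings


def machine_local_mode_ok(path):
    """True when the file is readable and writable by its owner only (0600)."""
    return stat.S_IMODE(Path(path).stat().st_mode) == 0o600


def demo():
    """Build a constructed repo tree and run both checks on it."""
    with tempfile.TemporaryDirectory() as repo:
        state = Path(repo, "state")
        state.mkdir()
        (state / "STATUS_NOW.md").write_text(
            "## Handoff\n"
            "Infisical primary credential source\n"
            "machine identity: 123e4567-e89b-12d3-a456-426614174000\n",  # constructed UUID
            encoding="utf-8",
        )
        # Stand-in for the machine-local inventory that lives outside the repo.
        local = Path(repo, "state-machine-local.md")
        local.write_text("constructed inventory\n", encoding="utf-8")
        local.chmod(0o600)
        return scan_tracked_state(repo), machine_local_mode_ok(local)


if __name__ == "__main__":
    findings, mode_ok = demo()
    for rel, line_no, line in findings:
        print(f"{rel}:{line_no}: {line}")
    print("machine-local mode ok:", mode_ok)
```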
Author
Collaborator

Subsumed by PR #12 (codex Order C). Codex auto-rebased on this branch's content because origin/main was at PR #9 when delegation started — content preserved in #12. Closing per learning-log pattern (charter §3), not rejection.

claude closed this pull request 2026-05-02 00:28:23 +02:00
Author
Collaborator

Subsumed by PR #12 (codex Order C). Content preserved — Codex auto-rebased on this branch when discovering origin/main was at PR #9. Closing per charter §3 learning-log pattern (not rejection).


Pull request closed
