docs(prompts): codex master prompts — PR #53 rebase + workflows Infisical integration #72

Closed
claude wants to merge 1 commit from claude/orders/codex-prompts-canary-ops into main
Collaborator

Canary status: missing — Medium PR class (governance + Codex master prompts driving CI changes); fire canary 3+3 manually before merge

Purpose

Two master prompts for Codex GPT-5.5 execution, operationalizing canary workflow per operator decisions 2026-05-05:

  1. prompts/codex-pr-53-rebase.md — small operational fix. Codex rebases PR #53 on current main, resolves .forgejo/workflows/canary-required.yml conflict per #53 design, force-pushes with codex identity. Unblocks PR #53 merge.

  2. prompts/workflows-infisical-integration.md — feature work. Codex replaces Forgejo repo secrets in canary workflow with Infisical service-token retrieval. Operator chose this over manual sync (option b over option a) because "Infisical as single source of truth" matches charter §5 direction.

This PR does NOT do

  • Does NOT execute either prompt (Codex does that in master operator thread)
  • Does NOT change .forgejo/workflows/canary-required.yml directly (Codex changes it)
  • Does NOT amend Issue #49 (Codex's PR for Infisical integration will comment on #49)
  • Does NOT install or configure Infisical CLI on Forgejo runner (that's runtime, in Codex's PR)

Changed artifacts

  • prompts/codex-pr-53-rebase.md (new, ~150 lines) — rebase + conflict resolution policy, identity check, escape hatches, self-verification
  • prompts/workflows-infisical-integration.md (new, ~210 lines) — pre-work research (R1 inventory, R2 Infisical structure verify, R3 CLI vs SDK decision, R4 bootstrap-secret scope), implementation steps S1-S5, self-verification, PR opening conventions, escape hatches

Total: 2 files, +362 lines.

Why now

  • PR #53 has been blocked on conflict since 2026-05-04. Architecture is correct (verified via PR #69 workflow run: collect-diff GREEN, canary honest-red on missing secrets). Only rebase needed.
  • Forgejo Actions currently fail at "Validate secrets present" because operator stores secrets in Infisical (charter direction) but workflow expects Forgejo repo secrets. Two paths: (a) manual sync (5 min, ongoing chore) or (b) Infisical integration (one-time work, clean architecture). Operator chose (b).

Relevant context

  • PR #53 (codex/orders/canary-workflow-rewrite) — target of prompt 1
  • PR #54 (codex/ci/forgejo-actions-guardrails, merged) — source of conflict for #53
  • PR #69 (just merged) — provided live test of #53 workflow architecture (collect-diff GREEN + honest fail on missing secret)
  • Issue #49 — ADR 0002 setup tasks; will be amended by Codex's Infisical PR comment to swap ZAI_API_KEY/CANARY_FORGEJO_TOKEN entries for INFISICAL_SERVICE_TOKEN bootstrap entry
  • PLATFORM_CHARTER.md §5 — Infisical primary, Vault sunset; this work fulfills the principle in workflow domain
  • migrations/vault-to-infisical.md — Vault sunset migration plan; Infisical structure should already be set up per Phase 0
  • AGENTS.md §"Identity-isolation" + §"Joining as a new agent" — both prompts reference these for identity discipline
  • state/agent-execution-template.md (just landed in PR #69) — referenced by both prompts for execution protocol

Runtime evidence

N/A — pure docs/prompts change. No workflow modification in this PR. Codex's resulting PRs (one per prompt) will have runtime evidence.

Known constraints

  • Prompt 2 makes assumptions about Infisical structure (project name iskra-platform, env prod, path /forgejo-actions/canary). Codex's R2 step verifies these against actual Infisical config; if assumptions wrong, Codex stops and surfaces.
  • Prompt 2 pins Infisical CLI version 0.28.0 as a placeholder; Codex must verify current stable + SHA at execution time.
  • Prompt 1 assumes operator's worktree platform-wt-takeover-pr51 still exists with codex/orders/canary-workflow-rewrite branch; if not, Codex needs to recreate from origin.

Explicit out-of-scope

  • Vault sunset itself (separate; Issue #48 + migrations/)
  • Other workflows besides canary-required.yml
  • Infisical organization/structure changes (operator pre-work if needed)
  • Branch protection on main (Issue #49 setup task #3, operator UI)
  • ADR 0002 status flip from "Accepted design, NOT operational" to "Operational" (depends on Codex's PRs landing + Issue #49 setup complete + first real test PR)

Requested decision

approve_merge after canary 3+3 fires (manual; workflow this PR depends on for auto-fire is not yet operational).

Merge blockers

  • Canary 3+3 not yet fired (manual)
  • If reviewer cites scope creep — iterate within cap

How operator triggers Codex

After this PR merges, in master operator (Codex thread):

```bash
cd ~/Developer/iskra-platform-2026-04-30   # or appropriate worktree
git pull

# Prompt 1 (smaller, can run first):
codex exec < prompts/codex-pr-53-rebase.md
# Codex rebases + force-pushes; PR #53 conflict gone

# Prompt 2 (feature work; can run in parallel after operator confirms Infisical structure):
codex exec < prompts/workflows-infisical-integration.md
# Codex opens new PR for Infisical integration
```

Orchestrator (claude) reports back when both PRs land.

Spec sources read

  • PR #53 body + comments — to understand current state and blocker
  • PR #54 (chore(ci): add Forgejo Actions guardrails) — to understand what conflicts with #53
  • PR #69 workflow run (commit 70cde4579) — to verify #53 architecture works (collect-diff GREEN + canary honest-red)
  • PLATFORM_CHARTER.md §5 — operator's Infisical primary stance
  • decisions/0002-ci-enforcement-canary.md — for trust boundary requirements that prompt 2 must preserve
  • Issue #49 — for setup task list amendment scope
  • AGENTS.md §"Identity-isolation" + §"Joining as a new agent" — referenced by both prompts
  • state/agent-execution-template.md — referenced for execution protocol

Test plan

  • Operator readback: prompt 1 rebase policy (keep #53's design, layer #54 additions only where compatible) feels right
  • Operator readback: prompt 2 Infisical CLI approach (vs SDK) and bootstrap-secret scope feel right
  • Operator confirms: Infisical actually has ZAI_API_KEY + CANARY_FORGEJO_TOKEN at predictable path (or names where they live)
  • Manual canary 3+3 fires + passes (or operator_override per Rule 2)
  • After merge: operator runs codex exec < prompts/codex-pr-53-rebase.md first; PR #53 conflict resolved
  • After merge: operator runs codex exec < prompts/workflows-infisical-integration.md; new PR opens with Infisical integration
  • Both Codex PRs authored by codex (NOT pdurlej; verified via user.login)
  • After both PRs merged: operator adds INFISICAL_SERVICE_TOKEN to Forgejo repo secrets (Issue #49 amended setup task)
  • Next PR's canary 3+3 fires successfully via Infisical secret retrieval
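The mechanics behind prompt 1 (rebase codex/orders/canary-workflow-rewrite onto main, keep #53's version of .forgejo/workflows/canary-required.yml where it conflicts, force-push with --force-with-lease under the codex identity), as an added example that is neither the prompt's own text nor Codex's actual run. It assumes the conflict is resolved wholesale in favour of the branch being rebased (the prompt's "layer #54 additions where compatible" pass stays a manual follow-up), and it checks git's user.name as an offline stand-in for the API-side user.login check the test plan describes; the branch, file and identity names are taken from this PR's description.

```bash
#!/bin/sh
# Added example (not the prompt's text and not Codex's actual run): the
# mechanics behind prompt 1. Assumptions: the conflict in the workflow file is
# resolved wholesale in favour of the branch being rebased (the prompt's
# "layer #54 additions where compatible" pass stays a manual follow-up), and
# the identity check reads git's user.name as an offline stand-in for the
# API-side user.login check the PR's test plan describes.
set -eu

FEATURE_BRANCH="${FEATURE_BRANCH:-codex/orders/canary-workflow-rewrite}"
CONFLICT_FILE="${CONFLICT_FILE:-.forgejo/workflows/canary-required.yml}"
EXPECTED_IDENTITY="${EXPECTED_IDENTITY:-codex}"   # assumed user.name of the codex identity

# identity_matches REPO EXPECTED -> 0 iff REPO's configured user.name is EXPECTED
identity_matches() {
  actual="$(git -C "$1" config user.name || true)"
  [ "$actual" = "$2" ]
}

# rebase_keeping_feature REPO BRANCH FILE: replay BRANCH onto origin/main. On a
# conflict in FILE keep the replayed commit's version. Git's naming during a
# rebase is the trap here: "ours" is upstream (main, i.e. #54's side) and
# "theirs" is the commit being replayed (#53's design), so keeping the feature
# design means --theirs. A conflict anywhere else leaves the rebase stopped for
# a human (the escape hatch), because checkout --theirs fails on a clean path.
rebase_keeping_feature() {
  repo="$1"; branch="$2"; file="$3"
  git -C "$repo" fetch -q origin
  git -C "$repo" checkout -q "$branch"
  if ! git -C "$repo" rebase -q origin/main >/dev/null 2>&1; then
    git -C "$repo" checkout --theirs -- "$file"
    git -C "$repo" add -- "$file"
    GIT_EDITOR=true git -C "$repo" rebase --continue >/dev/null 2>&1
  fi
}

# push_with_lease REPO BRANCH EXPECTED: refuse under the wrong identity, and let
# --force-with-lease reject the push if origin's BRANCH moved since the fetch.
push_with_lease() {
  repo="$1"; branch="$2"
  identity_matches "$repo" "$3" || { echo "refusing force-push: user.name is not $3" >&2; return 1; }
  git -C "$repo" push -q --force-with-lease origin "$branch"
}

# Typical use from the worktree holding the feature branch:
#   rebase_keeping_feature . "$FEATURE_BRANCH" "$CONFLICT_FILE"
#   push_with_lease . "$FEATURE_BRANCH" "$EXPECTED_IDENTITY"
```

The point worth checking before running anything like this for real is the ours/theirs inversion: a `--ours` here would silently replace #53's two-job trust boundary with #54's version of the file and the rebase would still "succeed". The force-push guard is deliberately two-layered: the identity check stops a push as the wrong user, and `--force-with-lease` stops a push that would overwrite commits someone else added to the remote branch after the last fetch.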
docs(prompts): codex master prompts — PR #53 rebase + Infisical integration
Some checks failed
canary-required / collect-diff (pull_request) Successful in 3s
canary-required / canary (pull_request) Failing after 1s
cf6349d22e
Two master prompts for Codex GPT-5.5 execution. Operator chose path (b)
2026-05-05: Infisical as single source of truth instead of manual Forgejo
repo secrets sync.

prompts/codex-pr-53-rebase.md (small operational fix):
- Rebase codex/orders/canary-workflow-rewrite on current main
- Resolve conflict in .forgejo/workflows/canary-required.yml per #53
  design (2-job trust boundary, concurrency, marker, digest pinning,
  honest-red on missing secrets); layer in #54 additions only where they
  don't conflict
- Force-push --force-with-lease as codex identity
- Comment on PR #53 documenting kept/dropped from #54

prompts/workflows-infisical-integration.md (feature work):
- Pre-work: inventory current secret needs, verify Infisical structure,
  pick CLI vs SDK, determine bootstrap-secret scope
- Implementation: replace Forgejo repo secrets with Infisical CLI
  (`infisical export --token=$INFISICAL_SERVICE_TOKEN --env=prod
  --path=/forgejo-actions/canary --format=dotenv`)
- Preserves trust boundary: only privileged canary job touches Infisical;
  collect-diff (unprivileged) never does
- Pin Infisical CLI version + SHA-verify
- No runtime fallback (silent degradation defeats single-source-of-truth)
- Update Issue #49 setup tasks: drop ZAI_API_KEY/CANARY_FORGEJO_TOKEN
  Forgejo-secrets entries, add INFISICAL_SERVICE_TOKEN bootstrap entry

Both prompts include identity check, escape hatches, self-verification,
PR-opening conventions per AGENTS.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
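The privileged canary job's secret-retrieval step as the commit message describes it (pinned and SHA-verified CLI, `infisical export ... --format=dotenv`, hard fail when a required secret is missing, no runtime fallback), as an added example that is not the project's workflow and not Codex's resulting PR. Assumptions: the CLI download URL and its SHA-256 are supplied by the operator at run time (the PR says the 0.28.0 pin is a placeholder to be re-verified), the Forgejo runner honours GITHUB_ENV and the `::add-mask::` log command the way GitHub Actions does, and the dotenv output may wrap values in single or double quotes.

```bash
#!/bin/sh
# Added example, not the project's workflow or Codex's PR: the privileged canary
# job's secret-retrieval step as this PR describes it (pinned + SHA-verified CLI,
# `infisical export ... --format=dotenv`, hard fail on a missing secret, no
# fallback). Assumptions: download URL and SHA-256 are operator-supplied (the
# 0.28.0 pin is the PR's placeholder), the runner honours GITHUB_ENV and
# ::add-mask:: like GitHub Actions, and dotenv values may be quoted.
set -eu

INFISICAL_VERSION="${INFISICAL_VERSION:-0.28.0}"           # placeholder pin from the PR
INFISICAL_URL="${INFISICAL_URL:-}"                         # operator-supplied, assumed
INFISICAL_SHA256="${INFISICAL_SHA256:-}"                   # operator-supplied, assumed
INFISICAL_ENV="${INFISICAL_ENV:-prod}"
INFISICAL_PATH="${INFISICAL_PATH:-/forgejo-actions/canary}"
REQUIRED_SECRETS="ZAI_API_KEY CANARY_FORGEJO_TOKEN"

# verify_pinned_binary FILE EXPECTED -> 0 iff sha256(FILE) equals EXPECTED
verify_pinned_binary() {
  actual="$(sha256sum "$1" | cut -d' ' -f1)"
  [ "$actual" = "$2" ]
}

# check_required_secrets DOTENV NAME... -> 0 if every NAME has a NAME=... line;
# otherwise prints "missing: <names>" and returns 1 (the honest-red the PR wants
# instead of a silent fallback to some other secret source).
check_required_secrets() {
  file="$1"; shift
  missing=""
  for name in "$@"; do
    grep -Eq "^${name}=" "$file" || missing="$missing $name"
  done
  [ -z "$missing" ] && return 0
  echo "missing:${missing}"
  return 1
}

# export_dotenv_to_job_env DOTENV: mask each value in the job log first, then
# append NAME=value to GITHUB_ENV so later steps of the same job see the secret.
export_dotenv_to_job_env() {
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    name="${line%%=*}"; value="${line#*=}"
    case "$value" in
      \"*\") value="${value#\"}"; value="${value%\"}" ;;
      \'*\') value="${value#\'}"; value="${value%\'}" ;;
    esac
    printf '::add-mask::%s\n' "$value"
    printf '%s=%s\n' "$name" "$value" >> "${GITHUB_ENV:-/dev/null}"
  done < "$1"
}

# fetch_secrets: the step body. Only the privileged canary job runs this; the
# unprivileged collect-diff job never receives INFISICAL_SERVICE_TOKEN.
fetch_secrets() {
  [ -n "$INFISICAL_URL" ] && [ -n "$INFISICAL_SHA256" ] \
    || { echo "refusing to run without pinned URL + SHA-256 for v${INFISICAL_VERSION}" >&2; return 1; }
  : "${INFISICAL_SERVICE_TOKEN:?bootstrap secret INFISICAL_SERVICE_TOKEN is not set}"
  curl -fsSL -o infisical "$INFISICAL_URL"
  verify_pinned_binary infisical "$INFISICAL_SHA256" \
    || { echo "CLI digest mismatch for v${INFISICAL_VERSION}, aborting" >&2; return 1; }
  chmod +x infisical
  ./infisical export --token="$INFISICAL_SERVICE_TOKEN" --env="$INFISICAL_ENV" \
    --path="$INFISICAL_PATH" --format=dotenv > secrets.env
  check_required_secrets secrets.env $REQUIRED_SECRETS
  export_dotenv_to_job_env secrets.env
  rm -f secrets.env
}

# Run as: INFISICAL_URL=... INFISICAL_SHA256=... INFISICAL_SERVICE_TOKEN=... sh fetch-secrets.sh run
if [ "${1:-}" = "run" ]; then fetch_secrets; fi
```

Two design choices match the trust-boundary and no-fallback requirements in the commit message: the step refuses to start without both the URL and the digest, so a missing pin cannot degrade into "download whatever is latest", and the only bootstrap secret the workflow still needs from Forgejo is INFISICAL_SERVICE_TOKEN, which the collect-diff job never sees. Masking before writing to GITHUB_ENV matters because the dotenv file is plain text on the runner for the length of the step; deleting it afterwards keeps it out of later steps' working tree.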
pdurlej approved these changes 2026-05-05 15:48:52 +02:00
Dismissed
pdurlej approved these changes 2026-05-05 15:49:38 +02:00
Collaborator

Superseded by #89 and the post-#89 operating model.

The prompts here were useful as planning artifacts, but they now encode stale instructions around #53, force-push/rebase flow, and direct workflow secret assumptions. Merging them as agent-facing docs would make future agents more likely to choose the wrong path.

The live follow-up is a new implementation plan/PR for a runner-local Infisical bridge plus canary evidence, not these historical prompts. Closing as superseded.

codex closed this pull request 2026-05-05 23:40:51 +02:00
Some checks are pending
canary-required / collect-diff (pull_request) Successful in 3s
canary-required / canary (pull_request) Failing after 1s
base-is-main / guard (pull_request)
Required
patchwarden-pr-sanity / sanity (pull_request)
Required

Pull request closed

No reviewers
No labels
No milestone
No project
No assignees
3 participants
Reference
pdurlej/platform!72