docs(prompts): tooling-canary-workflow-rewrite master prompt for Codex #51

Merged
pdurlej merged 2 commits from claude/orders/codex-canary-workflow-rewrite-prompt into main 2026-05-04 01:40:07 +02:00
Collaborator

Canary status: missing — fire canary 3+3 manually before merge (the workflow this PR rewrites is what would normally auto-fire)

Summary

Master prompt for Codex to rewrite .forgejo/workflows/canary-required.yml fixing PR #44 v2 canary findings (BLOCKER + 4 HIGH) PLUS the live failure on PR #50 (workflow run #34 — collect-diff died after 4s at exactly the predicted Alpine + checkout incompatibility point).

Parallel to PR #50 (smoke.sh rewrite master prompt). Per operator 2026-05-04: "we're going parallel."

Why now (was this scaffold-deferred?)

ADR 0002 v2 marked the workflow as "Accepted design, NOT operational" with intent to defer rewrite. But operator merged it anyway, and on PR #50 it fired and FAILED at the exact point Oracle predicted in PR #44 v2 canary HIGH finding.

Result: every PR opening now creates a red canary-required check. The deferred-rewrite strategy isn't sustainable when the workflow actively fails on every PR. Operator 2026-05-04: "the lazy times are over."

Canary Context Pack

Product story

ADR 0002 + canary 3+3 enforcement is supposed to be the operator's safety net for non-technical-owner merge decisions. Right now the safety net is: workflow runs, fails predictably, blocks nothing (because branch protection isn't configured per Issue #49) — but creates noise. Rewrite makes it: works correctly, soft-skips honestly when secrets absent, ready to enforce after operator setup tasks.

What changed

  • New file: prompts/tooling-canary-workflow-rewrite.md (286 lines)

Why it changed

  • PR #44 v2 canary surfaced BLOCKER (iter counter broken) + 4 HIGH (Alpine checkout, decision packet path, scaffold-creates-live-red-checks, expected secrets)
  • PR #50 workflow run #34 = live confirmation Oracle's HIGH 2 was right (collect-diff dies in Alpine before reaching anything else)
  • Operator framing: parallel master prompt to smoke.sh (PR #50); same Codex execution pattern

Files touched

  • prompts/tooling-canary-workflow-rewrite.md (new)

Relevant context

  • PR #44 v2 canary: state/reviews/PR-44-v2/decision_packet.md (BLOCKER + 4 HIGH details)
  • PR #50 workflow run #34: live failure evidence
  • AGENTS.md (on main, PR #43 merged) — Codex reads for identity-isolation + canary conventions
  • ADR 0002 (on main, PR #44 merged) — implementation must align with ADR text; ADR Status stays "Accepted design, NOT operational" until Issue #49 setup + first real test PR passes
  • Issue #49 — setup tasks (ZAI_API_KEY, CANARY_FORGEJO_TOKEN, branch protection, runner verify, first test PR)
  • PR #50 (sister master prompt for smoke.sh rewrite) — same Codex execution pattern

Runtime evidence

From workflow run #34 (PR #50, this morning):

  • collect-diff job: FAILED after 4s
  • canary job: SKIPPED (needs: collect-diff blocked)
  • Predicted by Oracle in PR #44 v2 canary HIGH 2: actions/checkout@v4 needs Node; Alpine is musl-only
  • Predicted by tech-glm + tech-claude in PR #44 v2 canary BLOCKER + HIGH: iter counter find always reads 0 because state/reviews/ is gitignored

Known constraints

  • Master prompt is doc-only (no workflow change in THIS PR; rewrite happens in Codex's PR)
  • Per operator default: minimal viable scope (no auto-derive scope, no auto-status, no branch protection setup)
  • Codex MUST author rewrite PR as codex (not pdurlej, not claude)
  • 2-job security architecture from v2 stays — Oracle validated; only fix implementation bugs

Explicit out-of-scope

  • The workflow rewrite itself (Codex does that as separate PR)
  • ADR 0002 status update to "Operational" (operator decides after Issue #49 + first test PR)
  • Issue #49 setup tasks (operator UI work)
  • Branch protection configuration (operator UI; Issue #49)
  • Multi-actor PAT rotation (deferred)

Requested decision

approve_merge after canary 3+3 passes (manual fire — workflow this PR rewrites is what would normally auto-fire); OR operator_override per Rule 2.

Merge blockers

  • Canary 3+3 not yet fired (manual)
  • If reviewer cites scope creep — iterate (within cap)

How operator triggers Codex

After this PR merges, in master operator (Codex thread):

```
cd ~/Developer/iskra-platform-2026-04-30
git pull
codex exec < prompts/tooling-canary-workflow-rewrite.md
```

Codex executes per prompt; opens workflow rewrite PR as codex; orchestrator (claude) reports back when PR opens.

Can run parallel with smoke.sh rewrite (PR #50) — different files, independent Codex sessions. Two tracks fully concurrent.

Test plan

  • Operator readback: prompt scope feels right (minimal viable, fixes bugs not adds features)
  • Manual canary 3+3 fires + passes (or operator_override rationale clear)
  • After merge: Codex runs prompt, opens workflow rewrite PR as codex
  • Workflow rewrite PR has Canary status line per ADR 0001 Rule 1a
  • Workflow rewrite PR includes evidence of test (actionlint, manual readback of soft-skip + iter counter logic)
Per operator decision 2026-05-04: parallel master prompt to smoke.sh
rewrite (PR #50). Workflow live on main since PR #44 merge fired
on PR #50 and FAILED at exactly predicted point — Oracle's HIGH
finding "actions/checkout@v4 requires Node runtime; Alpine is
musl-only" confirmed live.

Codifies PR #44 v2 canary findings (BLOCKER + 4 HIGH) + PR #50 live
failure as bug list Codex fixes:
1. BLOCKER: iter counter via PR comments (not git tree; hard cap
   currently non-functional because state/reviews/ is gitignored)
2. HIGH: container alpine:3.19 → node:20-alpine (Node runtime
   needed for actions/checkout@v4)
3. HIGH: soft-skip mode when secrets absent (eliminates live red
   checks during scaffold phase; honest "not configured" state)
4. HIGH: absolute WORKSPACE paths (no .. traversal; consistent)
5. MEDIUM: env-var indirection for ${{ }} (injection-safe)
6. MEDIUM: container images SHA-pinned + actions SHA-pinned
7. MEDIUM: path classifier extracted to .forgejo/canary-paths.txt

Constraints:
- Authored as codex (not pdurlej, not claude) per AGENTS.md identity
- PR size: Large (workflow + ADR text + config file)
- Hard 3-iter cap per ADR 0002 Rule 2
- Minimal viable scope (no auto-derive scope, no auto-status, no
  branch protection setup, no multi-actor PAT rotation)
- Trust boundary preserved (2-job pattern stays; Oracle validated)
- Manual canary fire by orchestrator since the workflow this PR
  rewrites is what would normally auto-fire

Length: ~280 lines, ~5k tokens. Fits comfortably in Codex session.

Plus ADR 0002 text update in same PR (Rule 1 reflects actual
implementation; Status stays "Accepted design, NOT operational"
until operator updates post Issue #49 setup tasks + first real
test PR passes).

PR for this prompt opens as claude (orchestrator); workflow
rewrite PR opens as codex (producer). Identity-isolation preserved.

Per operator instruction 2026-05-04: stop iterating, ship, let Codex
execute with full agency. Append BLOCKER + 4 HIGH findings + 3 MEDIUM
+ honest orchestrator gaps as concrete specs Codex addresses in
implementation.

Findings appended (with concrete picks Codex should implement):

BLOCKER 1: artifact-passing mechanism — picked: artifact name=pr-diff,
files=/tmp/canary/pr.diff + /tmp/canary/pr-files.txt, 7-day retention

HIGH 2: iter counter marker — picked: HTML comment
<!-- canary-decision-packet:v1 --> at top of decision_packet.md;
implement in BOTH workflow Iter step + run_review.py
--post-forgejo-comment flag (2-file scope)

HIGH 3: TOCTOU iter counter race — picked: Forgejo Actions concurrency
group `canary-pr-${PR_NUMBER}`, cancel-in-progress: false. Serializes
same-key runs.

HIGH 4: credential paths in prompt — fix: workflow rewrite PR refs
AGENTS.md §Identity-isolation only, no BW item details

HIGH 5: soft-skip exits 0 = misleading green — fix: prefer red failure
with explicit warning over false-green; verify Forgejo neutral status
support

MEDIUM 6: bootstrap bleed (broken workflow fires on rewrite PR) — fix:
workflow_dispatch only during rewrite phase

MEDIUM 7-9: node:20-alpine verification, path classifier file format,
SHA pinning specs

Honest orchestrator gaps named (don't know Forgejo concurrency support,
don't know neutral status support — Codex verifies + picks).

Operator override framing: quality gate shifts from prompt review to
artifact review (Codex's actual rewrite PR canary).

Authored as claude per identity-isolation. Ships with operator_override
per ADR 0001 Rule 2.
Author
Collaborator

Canary status: operator_override — per operator decision in chat 2026-05-04.

Iter 1 canary returned BLOCKER defer with 9 substantive findings (BLOCKER artifact-passing spec missing; HIGH iter counter marker undefined; HIGH TOCTOU race on iter counter; HIGH credential-paths in prompt; HIGH soft-skip false-green; plus mediums). All real, all worth Codex addressing.

Operator decision: append findings as concrete specs Codex implements (artifact name = pr-diff; iter marker = <!-- canary-decision-packet:v1 --> HTML comment in BOTH workflow + run_review.py; TOCTOU = Forgejo concurrency: group; credentials = ref AGENTS.md only; soft-skip = honest red over false-green; etc.).

See commit 0ac7871 — context section appended at end of prompts/tooling-canary-workflow-rewrite.md. Codex reads concrete picks + own honest gaps (don't know Forgejo concurrency exact behavior; verify + pick).

Quality gate shifts from prompt review to artifact review (canary on Codex's actual workflow rewrite PR will catch implementation issues). Sustainable.

Ready for merge. Note: this rewrite PR will likely require manual canary fire (workflow this PR rewrites is what would normally auto-fire); Codex will document this in its PR description.
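
An added example (not part of this PR, the prompt, or the project's workflow) of the iteration counter the thread settles on: count decision-packet comments carrying the `<!-- canary-decision-packet:v1 -->` marker instead of reading the gitignored `state/reviews/` tree, and apply the hard 3-iter cap. Assumptions: comments are dicts with `body` and `user.login` as fetched from the PR's comment list, and the trusted poster login `canary-bot` is hypothetical, as is the rule that only that identity's comments count.

```python
MARKER = "<!-- canary-decision-packet:v1 -->"  # marker named in this thread
ITER_CAP = 3  # hard 3-iter cap per ADR 0002 Rule 2


def count_iterations(comments, trusted_logins):
    """Count decision packets posted by a trusted identity.

    A comment counts only if the marker is the first non-blank content of the
    body (the packet carries it at the top) and the author is trusted, so a
    quoted or forged marker from another account cannot move the counter.
    """
    count = 0
    for comment in comments:
        body = (comment.get("body") or "").lstrip()
        login = (comment.get("user") or {}).get("login")
        if login in trusted_logins and body.startswith(MARKER):
            count += 1
    return count


def next_iteration(comments, trusted_logins, cap=ITER_CAP):
    """Return (iteration_number, allowed) for the run about to start."""
    done = count_iterations(comments, trusted_logins)
    return done + 1, done < cap


# Constructed sample comments; "canary-bot" is a hypothetical trusted login.
SAMPLE_COMMENTS = [
    {"user": {"login": "canary-bot"}, "body": MARKER + "\n# Decision packet, iter 1"},
    {"user": {"login": "someone"}, "body": "> " + MARKER + "\nquoting the packet"},
    {"user": {"login": "someone"}, "body": MARKER + "\nforged packet"},
    {"user": {"login": "canary-bot"}, "body": "\n" + MARKER + "\n# Decision packet, iter 2"},
    {"user": {"login": "canary-bot"}, "body": "status update without a packet"},
    {"user": None, "body": None},  # deleted account or empty body
]

if __name__ == "__main__":
    iteration, allowed = next_iteration(SAMPLE_COMMENTS, {"canary-bot"})
    print(f"iteration {iteration}, allowed={allowed}")
```

The read-then-post sequence is still racy on its own; the thread's pick of a per-PR concurrency group is what serializes it.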

Reference
pdurlej/platform!51