Skip to content

fix(ci): move Argus to the Secretariat App and load the prompt from base SHA#399

Open
bokelley wants to merge 1 commit into
mainfrom
secretariat-identity
Open

fix(ci): move Argus to the Secretariat App and load the prompt from base SHA#399
bokelley wants to merge 1 commit into
mainfrom
secretariat-identity

Conversation

@bokelley

@bokelley bokelley commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

What changed

Migrates the Argus AI-review workflow to the AAO Secretariat GitHub App identity and closes a prompt-injection gap in how the reviewer prompt is loaded. Mirrors the spec repo's migration (adcontextprotocol/adcp#5832).

  • App identity: the token-mint step now uses SECRETARIAT_APP_ID / SECRETARIAT_APP_PRIVATE_KEY (was IPR_APP_ID / IPR_APP_PRIVATE_KEY). Reviews will post as aao-secretariat[bot] instead of aao-ipr-bot[bot]. No hardcoded bot login existed — the verify step already derives the login from the minted App slug, so it follows the App automatically.
  • Prompt-injection fix: the prompt-build step read the reviewer prompt with cat .github/ai-review/expert-adcp-reviewer.md from the working checkout. On pull_request events the checkout is the PR merge ref, so the file on disk includes PR-controlled content — a PR could rewrite the rules it is reviewed under. The paths-ignore trigger filter and the self-modification gate reduce that risk but don't eliminate it (both depend on the file-list check running and agreeing). The prompt is now loaded with git show "${BASE_SHA}:..." and the step fails closed (::error + exit 1) if the file doesn't exist at the base SHA. The existing checkout uses fetch-depth: 0, so the base SHA is resolvable without an extra fetch.
  • WG constitution: the prompt-build step fetches the Working Group constitution from the spec repo at review time (https://raw.githubusercontent.com/adcontextprotocol/adcp/main/.agents/wg/constitution.md — never from this repo or the PR) and appends it under a ## WG constitution (from adcontextprotocol/adcp@main) heading when the fetch succeeds; the review proceeds without it otherwise.
  • Identity clause: .github/ai-review/expert-adcp-reviewer.md no longer reviews "in the voice of Brian O'Kelley" — Argus is the review desk of the AAO Secretariat serving the AdCP Working Group, applies the appended WG constitution, and cites decision records (DR-NNNN in the spec repo's governance/decisions/) when a question is settled precedent. Repo-specific review logic (MUST-FIX gates, coverage rules, delegation) is unchanged.
  • Header comments updated to match; the IPR-agreement workflow keeps the IPR App and is untouched.

Why base-SHA loading matters

The reviewer prompt is the review's trust anchor. Reading it from the merge-ref worktree means the reviewed code and the review rules come from the same (attacker-influenceable) source. Loading from ${{ github.event.pull_request.base.sha }} pins the rules to what's already on the target branch, so a PR can change the prompt only via a PR that is itself reviewed under the old rules.

⚠️ DO NOT MERGE

Do not merge until the org-level SECRETARIAT_APP_ID / SECRETARIAT_APP_PRIVATE_KEY secrets are visible to this repo. Merging first breaks Argus on every subsequent PR (token mint fails, no review posts, branch protection's required-review check goes unsatisfied by the bot).

🤖 Generated with Claude Code

…ase SHA

Argus now mints its installation token from the AAO Secretariat GitHub
App (SECRETARIAT_APP_ID / SECRETARIAT_APP_PRIVATE_KEY) instead of the
IPR App, so reviews post as aao-secretariat[bot].

The prompt-build step reads the reviewer prompt via
`git show ${BASE_SHA}:...` instead of `cat` from the working checkout.
The checkout is the PR merge ref, so reading from the worktree let a PR
rewrite the rules it is reviewed under; base-SHA loading closes that
prompt-injection path and fails closed if the prompt is missing at base.

The WG constitution is fetched from adcontextprotocol/adcp@main at
review time and appended to the prompt, and the reviewer identity clause
now describes the Secretariat's review desk applying the WG constitution
rather than a personal voice.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant