fix(ci): move Argus to the Secretariat App and load the prompt from base SHA#399
Open
bokelley wants to merge 1 commit into
Open
fix(ci): move Argus to the Secretariat App and load the prompt from base SHA#399bokelley wants to merge 1 commit into
bokelley wants to merge 1 commit into
Conversation
…ase SHA
Argus now mints its installation token from the AAO Secretariat GitHub
App (SECRETARIAT_APP_ID / SECRETARIAT_APP_PRIVATE_KEY) instead of the
IPR App, so reviews post as aao-secretariat[bot].
The prompt-build step reads the reviewer prompt via
`git show ${BASE_SHA}:...` instead of `cat` from the working checkout.
The checkout is the PR merge ref, so reading from the worktree let a PR
rewrite the rules it is reviewed under; base-SHA loading closes that
prompt-injection path and fails closed if the prompt is missing at base.
The WG constitution is fetched from adcontextprotocol/adcp@main at
review time and appended to the prompt, and the reviewer identity clause
now describes the Secretariat's review desk applying the WG constitution
rather than a personal voice.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changed
Migrates the Argus AI-review workflow to the AAO Secretariat GitHub App identity and closes a prompt-injection gap in how the reviewer prompt is loaded. Mirrors the spec repo's migration (adcontextprotocol/adcp#5832).
SECRETARIAT_APP_ID/SECRETARIAT_APP_PRIVATE_KEY(wasIPR_APP_ID/IPR_APP_PRIVATE_KEY). Reviews will post asaao-secretariat[bot]instead ofaao-ipr-bot[bot]. No hardcoded bot login existed — the verify step already derives the login from the minted App slug, so it follows the App automatically.cat .github/ai-review/expert-adcp-reviewer.mdfrom the working checkout. Onpull_requestevents the checkout is the PR merge ref, so the file on disk includes PR-controlled content — a PR could rewrite the rules it is reviewed under. Thepaths-ignoretrigger filter and the self-modification gate reduce that risk but don't eliminate it (both depend on the file-list check running and agreeing). The prompt is now loaded withgit show "${BASE_SHA}:..."and the step fails closed (::error+ exit 1) if the file doesn't exist at the base SHA. The existing checkout usesfetch-depth: 0, so the base SHA is resolvable without an extra fetch.https://raw.githubusercontent.com/adcontextprotocol/adcp/main/.agents/wg/constitution.md— never from this repo or the PR) and appends it under a## WG constitution (from adcontextprotocol/adcp@main)heading when the fetch succeeds; the review proceeds without it otherwise..github/ai-review/expert-adcp-reviewer.mdno longer reviews "in the voice of Brian O'Kelley" — Argus is the review desk of the AAO Secretariat serving the AdCP Working Group, applies the appended WG constitution, and cites decision records (DR-NNNNin the spec repo'sgovernance/decisions/) when a question is settled precedent. Repo-specific review logic (MUST-FIX gates, coverage rules, delegation) is unchanged.Why base-SHA loading matters
The reviewer prompt is the review's trust anchor. Reading it from the merge-ref worktree means the reviewed code and the review rules come from the same (attacker-influenceable) source. Loading from
${{ github.event.pull_request.base.sha }}pins the rules to what's already on the target branch, so a PR can change the prompt only via a PR that is itself reviewed under the old rules.Do not merge until the org-level
SECRETARIAT_APP_ID/SECRETARIAT_APP_PRIVATE_KEYsecrets are visible to this repo. Merging first breaks Argus on every subsequent PR (token mint fails, no review posts, branch protection's required-review check goes unsatisfied by the bot).🤖 Generated with Claude Code