Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion .github/workflows/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,14 +16,16 @@ The reusable workflow declares the expected typed review artifacts for Docs Agen

The target repository grants `contents: write`, `pull-requests: write`, and `issues: write`. Docs Agent forwards the caller-scoped `${{ github.token }}` to WP Codebox for same-repository publication, so consumers do not configure `ACCESS_TOKEN`. `OPENAI_API_KEY` is an optional workflow secret and is required only for a live OpenAI run; skipped and dry-run calls do not require it. `EXTERNAL_PACKAGE_SOURCE_POLICY` remains a separate required v1 JSON secret. Migrate its value to the exact one-line JSON in the root README: it authorizes the selected Docs Agent package, the pinned Agents API component, the pinned PHP AI Client overlay, and the checksum-pinned OpenAI provider artifact. Both secrets are forwarded to WP Codebox without serialization into the task descriptor.

Docs Agent consumes the released [WP Codebox v0.12.26](https://github.com/Automattic/wp-codebox/releases/tag/v0.12.26) workflow and passes the matching `wp_codebox_release_ref: v0.12.26` input. The release tag resolves to immutable revision `2d5d000f2f43670117b373d1b26a23181ee05480`, which is distinct from the fixed Docs Agent package revision. WP Codebox validates the paired tags, materializes the declared native runtime closure, executes the selected package, applies bounded workspace changes, runs verification, and publishes approved host changes. Its published assets are `wp-codebox-workspace-0.12.26.tgz` and `wp-codebox.zip`; the private package-recovery manifest is intentionally not a reviewer asset.
Docs Agent consumes the released [WP Codebox v0.12.27](https://github.com/Automattic/wp-codebox/releases/tag/v0.12.27) workflow and passes the matching `wp_codebox_release_ref: v0.12.27` input. The release tag resolves to immutable revision `65cc5fb4699cb7c2df13d04b4715c97097ac7565`, which is distinct from the fixed Docs Agent package revision. WP Codebox validates the paired tags, materializes the declared native runtime closure, executes the selected package, applies bounded workspace changes, runs verification, and publishes approved host changes. Its published assets are `01-wp-codebox.zip` and `02-wp-codebox-workspace-0.12.27.tgz`; the private package-recovery manifest is intentionally not a reviewer asset.

Provider artifacts retain only allowlisted review artifacts, controlled workflow envelopes, and canonical runtime-source and seed provenance. WP Codebox v0.12.24 uploads a reviewer-safe workflow-result projection: public control, verification, publication, output-projection, access, failure, artifact-declaration, and canonical transcript-provenance fields remain, while raw `runtime_result`, `outputs.engine_data`, model/provider/tool payloads, source content, private paths, and secrets are excluded. Before persistence or upload, it sanitizes private runtime paths from nested values, object keys, diagnostics, and command arguments. WP Codebox captures one trusted canonical `codebox-transcript` through a pre-sanitization reviewer-evidence descriptor, validates its artifact-root containment, schema, digest, and size, then emits the compact reviewer transcript as a `wp-codebox/reviewer-agent-transcript/v1` projection. Before apply-back, it compares the seed identity with the host workspace identity; rejected patches preserve the expected and actual identities plus patch and changed-file evidence for upload. Its pre-redaction trusted apply input preserves machine-applicable patch bytes in a private channel that is removed before durable artifact sanitization, as fixed in [WP Codebox #1842](https://github.com/Automattic/wp-codebox/pull/1842). The canonical transcript remains the bounded tool-observability surface. Lifecycle and downstream failures retain runtime evidence in their internal normalized failed result even when artifact preparation cannot complete. Diagnostic messages that name runtime classes remain reviewable, while PHP-shaped runtime source remains blocked. See [WP Codebox #1767](https://github.com/Automattic/wp-codebox/issues/1767), [WP Codebox #1814](https://github.com/Automattic/wp-codebox/issues/1814), [WP Codebox #1815](https://github.com/Automattic/wp-codebox/pull/1815), and [WP Codebox #1823](https://github.com/Automattic/wp-codebox/pull/1823). Successful canonical reviewer-evidence reference: [run `29350690551`](https://github.com/Automattic/build-with-wordpress/actions/runs/29350690551). The [hosted failure `29468956857`](https://github.com/Automattic/agents-api/actions/runs/29468956857) executed WP Codebox v0.12.20, published [Agents API #430](https://github.com/Automattic/agents-api/pull/430), then failed during upload preparation; it motivated #1814/#1815 and is not a successful v0.12.24 reviewer-safe workflow-result run.

WP Codebox v0.12.25 excludes Git-ignored verification artifacts such as pnpm's symlinked `node_modules` tree from publication integrity snapshots while continuing to reject tracked or otherwise publishable symlinks. This allows dependency installation during verification without weakening the bounded workspace publication contract; see [WP Codebox #1845](https://github.com/Automattic/wp-codebox/pull/1845).

WP Codebox v0.12.26 restores the unconditional exclusion for mutable `.codebox` runtime control files, preventing task request and result state from invalidating an approved workspace snapshot. Publishable workspace files remain governed by Git tracking and ignore semantics; see [WP Codebox #1848](https://github.com/Automattic/wp-codebox/pull/1848).

WP Codebox v0.12.27 reports bounded added, modified, and deleted paths when post-verification integrity changes and preserves that evidence in normalized publication failures. It also restores bounded filesystem snapshots for non-Git workspaces; see [WP Codebox #1852](https://github.com/Automattic/wp-codebox/pull/1852).

## Docs Agent Runner Recipe

Docs Agent workflow call sites prepare a portable recipe instead of calling a concrete runner. Docs Agent owns the native package, lane, artifact, prompt, and workspace mapping. Consumers depend on Docs Agent inputs and review artifacts, not runner internals.
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/maintain-docs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -259,9 +259,9 @@ jobs:
contents: write
pull-requests: write
issues: write
uses: Automattic/wp-codebox/.github/workflows/run-agent-task.yml@v0.12.26
uses: Automattic/wp-codebox/.github/workflows/run-agent-task.yml@v0.12.27
with:
wp_codebox_release_ref: v0.12.26
wp_codebox_release_ref: v0.12.27
external_package_source: ${{ needs.prepare.outputs.external_package_source }}
runtime_sources: ${{ needs.prepare.outputs.runtime_sources }}
workload_id: docs-agent-${{ inputs.audience }}-${{ inputs.run_kind }}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/validate.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ jobs:
uses: actions/checkout@v4
with:
repository: Automattic/wp-codebox
ref: v0.12.26
ref: v0.12.27
path: .wp-codebox
- name: Validate Docs Agent
env:
Expand Down
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -112,7 +112,7 @@ Docs Agent declares the review artifacts it expects the runner to materialize as

`maintain-docs.yml` writes `expected_artifacts` and `artifact_declarations` into a portable Docs Agent recipe and exposes the same declaration objects as `declared_artifacts_json`.

WP Codebox v0.12.26 at `2d5d000f2f43670117b373d1b26a23181ee05480` uploads a reviewer-safe workflow-result projection with public control and publication fields plus canonical transcript provenance. This released workflow revision remains distinct from the fixed Docs Agent package revision. It excludes raw `runtime_result`, `outputs.engine_data`, model/provider/tool payloads, source content, private paths, secrets, Git-ignored verification artifacts such as pnpm's symlinked `node_modules` tree, and mutable `.codebox` runtime control files. Tracked or otherwise publishable symlinks remain rejected. The canonical `codebox-transcript` remains the bounded tool-observability surface: its pre-sanitization reviewer-evidence descriptor records the trusted artifact-relative path, schema, verified source digest, and size, which the uploader revalidates before producing the `wp-codebox/reviewer-agent-transcript/v1` projection. Before apply-back, it validates that the runner seed and host workspace identities match; rejected patches retain identity, patch, and changed-file evidence for review. The pre-redaction trusted apply input fixed by [WP Codebox #1842](https://github.com/Automattic/wp-codebox/pull/1842) retains machine-applicable patch bytes privately, then removes them before durable artifact sanitization. The publication snapshot fixes are tracked in [WP Codebox #1845](https://github.com/Automattic/wp-codebox/pull/1845) and [WP Codebox #1848](https://github.com/Automattic/wp-codebox/pull/1848). The published release assets are `wp-codebox-workspace-0.12.26.tgz` and `wp-codebox.zip`; its private package-recovery manifest is intentionally not a reviewer asset.
WP Codebox v0.12.27 at `65cc5fb4699cb7c2df13d04b4715c97097ac7565` uploads a reviewer-safe workflow-result projection with public control and publication fields plus canonical transcript provenance. This released workflow revision remains distinct from the fixed Docs Agent package revision. It excludes raw `runtime_result`, `outputs.engine_data`, model/provider/tool payloads, source content, private paths, secrets, Git-ignored verification artifacts such as pnpm's symlinked `node_modules` tree, and mutable `.codebox` runtime control files. Tracked or otherwise publishable symlinks remain rejected. Integrity failures retain bounded added, modified, and deleted path evidence, and non-Git workspaces retain a bounded filesystem snapshot fallback. The canonical `codebox-transcript` remains the bounded tool-observability surface: its pre-sanitization reviewer-evidence descriptor records the trusted artifact-relative path, schema, verified source digest, and size, which the uploader revalidates before producing the `wp-codebox/reviewer-agent-transcript/v1` projection. Before apply-back, it validates that the runner seed and host workspace identities match; rejected patches retain identity, patch, and changed-file evidence for review. The pre-redaction trusted apply input fixed by [WP Codebox #1842](https://github.com/Automattic/wp-codebox/pull/1842) retains machine-applicable patch bytes privately, then removes them before durable artifact sanitization. The publication snapshot fixes are tracked in [WP Codebox #1845](https://github.com/Automattic/wp-codebox/pull/1845), [WP Codebox #1848](https://github.com/Automattic/wp-codebox/pull/1848), and [WP Codebox #1852](https://github.com/Automattic/wp-codebox/pull/1852). The published release assets are `01-wp-codebox.zip` and `02-wp-codebox-workspace-0.12.27.tgz`; its private package-recovery manifest is intentionally not a reviewer asset.

Docs Agent owns native package selection, lane, artifact, prompt, and workspace mapping. Execution, credentials, AI provider selection, sandboxing, and publication are runner-owned concerns outside this repository.

Expand Down
6 changes: 3 additions & 3 deletions tests/validate-docs-agent-packages.php
Original file line number Diff line number Diff line change
Expand Up @@ -70,9 +70,9 @@
$assert( str_contains( $maintain_docs_workflow, 'artifact_declarations<<EOF' ), 'maintain-docs.yml must prepare typed artifact declarations without caller-specific projections.' );
$assert( str_contains( $maintain_docs_workflow, 'artifact_declarations<<EOF' ), 'maintain-docs.yml must expose artifact declarations through workflow outputs.' );

$generic_codebox_agent_task_workflow = 'uses: Automattic/wp-codebox/.github/workflows/run-agent-task.yml@v0.12.26';
$generic_codebox_agent_task_workflow = 'uses: Automattic/wp-codebox/.github/workflows/run-agent-task.yml@v0.12.27';
$assert( str_contains( $maintain_docs_workflow, $generic_codebox_agent_task_workflow ), 'maintain-docs.yml must call the generic Codebox agent-task workflow.' );
$assert( str_contains( $maintain_docs_workflow, 'wp_codebox_release_ref: v0.12.26' ), 'maintain-docs.yml must pass the matching WP Codebox release tag.' );
$assert( str_contains( $maintain_docs_workflow, 'wp_codebox_release_ref: v0.12.27' ), 'maintain-docs.yml must pass the matching WP Codebox release tag.' );

$assert( str_contains( $maintain_docs_workflow, '--arg writablePaths "$INPUT_WRITABLE_PATHS"' ), 'maintain-docs.yml must include writable paths in the portable recipe.' );
$assert( str_contains( $maintain_docs_workflow, 'output_projections:' ), 'maintain-docs.yml must project the bounded runner publication result.' );
Expand All @@ -85,7 +85,7 @@
foreach ( array( 'Docs Agent Runner Recipe', 'portable recipe', 'Docs Agent owns the native package' ) as $migration_note_text ) {
$assert( str_contains( $workflow_readme, $migration_note_text ), "Workflow README missing agent runtime note: {$migration_note_text}" );
}
$assert( str_contains( $workflow_readme, 'v0.12.26' ), 'Workflow README must record the WP Codebox release tag.' );
$assert( str_contains( $workflow_readme, 'v0.12.27' ), 'Workflow README must record the WP Codebox release tag.' );
$assert( str_contains( $workflow_readme, 'Diagnostic messages that name runtime classes remain reviewable' ), 'Workflow README must document diagnostic-versus-source detection.' );
$assert( str_contains( $workflow_readme, 'allowlisted review artifacts' ), 'Workflow README must document the WP Codebox upload allowlist.' );
$assert( str_contains( $workflow_readme, 'normalized failed result' ), 'Workflow README must document normalized WP Codebox failures.' );
Expand Down
12 changes: 7 additions & 5 deletions tests/validate-wp-codebox-run-agent-task-contract.php
Original file line number Diff line number Diff line change
Expand Up @@ -56,9 +56,9 @@
$published_assets = $release['published_assets'] ?? null;
$assert( is_array( $published_assets ), 'WP Codebox release fixture must record published release assets.' );
$assert( array(
'wp-codebox-workspace-0.12.26.tgz' => 'sha256:f8d8e74831b9937e1d2f2e832af18d625c25179e74d9aa5801f17132aae03f08',
'wp-codebox.zip' => 'sha256:9246ec070d108936e7cf2a6194889af0c94e2de7c6980bc6507f07667b24012e',
) === $published_assets, 'WP Codebox release fixture must retain the published v0.12.26 asset digests.' );
'01-wp-codebox.zip' => 'sha256:1c03a35cf0f31e8b2fbbacaae5867f205ea8ae7b8c2017d0e3e297ed6298ff72',
'02-wp-codebox-workspace-0.12.27.tgz' => 'sha256:be6ec64bd0dc667629ee019d6a79d505927ef2854c8db21fd23d656d0e7d3e6d',
) === $published_assets, 'WP Codebox release fixture must retain the published v0.12.27 asset digests.' );
$run = $release['run'] ?? null;
$assert( is_string( $run ) && preg_match( '/^\d+$/', $run ) === 1, 'WP Codebox release fixture must retain the regression run reference.' );
$diagnostic_regression_run = $release['diagnostic_regression_run'] ?? null;
Expand Down Expand Up @@ -91,6 +91,8 @@
$assert( true === ( $release['pre_redaction_trusted_apply_input'] ?? null ), 'WP Codebox release fixture must preserve the pre-redaction trusted apply input.' );
$assert( true === ( $release['git_ignored_workspace_artifacts_excluded'] ?? null ), 'WP Codebox release fixture must exclude Git-ignored verification artifacts from publication integrity snapshots.' );
$assert( true === ( $release['runtime_control_files_excluded'] ?? null ), 'WP Codebox release fixture must exclude mutable .codebox runtime control files from publication integrity snapshots.' );
$assert( true === ( $release['workspace_integrity_change_evidence'] ?? null ), 'WP Codebox release fixture must preserve bounded workspace integrity change evidence.' );
$assert( true === ( $release['non_git_workspace_snapshot_fallback'] ?? null ), 'WP Codebox release fixture must retain bounded snapshots for non-Git workspaces.' );
$native_result_path = $release['native_result_path'] ?? null;
$workflow_result_path = $release['workflow_result_path'] ?? null;
$assert( '.codebox/native-agent-task-result.json' === $native_result_path, 'WP Codebox release fixture must declare the controlled native result path.' );
Expand Down Expand Up @@ -305,7 +307,7 @@
$assert( in_array( '.codebox/agent-task-request.json', $producer_upload_regression['observed']['uploaded'] ?? array(), true ), 'WP Codebox upload regression fixture must retain the controlled request upload.' );
$assert( ! array_intersect( array( 'MODEL_PROVIDER_SECRET_1', 'MODEL_PROVIDER_SECRET_2', 'MODEL_PROVIDER_SECRET_3', 'MODEL_PROVIDER_SECRET_4', 'MODEL_PROVIDER_SECRET_5' ), array_keys( $caller_secrets ) ), 'Docs Agent must forward only the OPENAI_API_KEY provider secret name.' );

$assert( str_contains( $workflow, 'output_projections="$(jq -cn --arg path \'metadata.runner_workspace_publication.url\' --argjson required "$success_requires_pr" \'{docs_agent_publication:{path:$path,required:$required}}\')"' ), 'Docs Agent must define the v0.12.26 publication projection descriptor.' );
$assert( str_contains( $workflow, 'output_projections="$(jq -cn --arg path \'metadata.runner_workspace_publication.url\' --argjson required "$success_requires_pr" \'{docs_agent_publication:{path:$path,required:$required}}\')"' ), 'Docs Agent must define the v0.12.27 publication projection descriptor.' );
$docs_projections = array(
'docs_agent_publication' => array(
'path' => 'metadata.runner_workspace_publication.url',
Expand All @@ -315,7 +317,7 @@
$publication_descriptor = $docs_projections['docs_agent_publication'] ?? null;
$assert( is_array( $publication_descriptor ), 'Docs Agent must define the docs_agent_publication projection descriptor.' );
$publication_path = $publication_descriptor['path'] ?? null;
$assert( 'metadata.runner_workspace_publication.url' === $publication_path, 'Docs Agent publication projection must use the v0.12.26 runner workspace publication URL path.' );
$assert( 'metadata.runner_workspace_publication.url' === $publication_path, 'Docs Agent publication projection must use the v0.12.27 runner workspace publication URL path.' );

$producer_request_fixture = $read_json( rtrim( $wp_codebox_dir, '/' ) . '/contracts/agent-task-workflow-request.fixture.json' );
$producer_projection_paths = array_values( $producer_request_fixture['outputs']['projections'] ?? array() );
Expand Down
12 changes: 7 additions & 5 deletions tests/wp-codebox-release.fixture.json
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
{
"tag": "v0.12.26",
"revision": "2d5d000f2f43670117b373d1b26a23181ee05480",
"package_version": "0.12.26",
"tag": "v0.12.27",
"revision": "65cc5fb4699cb7c2df13d04b4715c97097ac7565",
"package_version": "0.12.27",
"published_assets": {
"wp-codebox-workspace-0.12.26.tgz": "sha256:f8d8e74831b9937e1d2f2e832af18d625c25179e74d9aa5801f17132aae03f08",
"wp-codebox.zip": "sha256:9246ec070d108936e7cf2a6194889af0c94e2de7c6980bc6507f07667b24012e"
"01-wp-codebox.zip": "sha256:1c03a35cf0f31e8b2fbbacaae5867f205ea8ae7b8c2017d0e3e297ed6298ff72",
"02-wp-codebox-workspace-0.12.27.tgz": "sha256:be6ec64bd0dc667629ee019d6a79d505927ef2854c8db21fd23d656d0e7d3e6d"
},
"run": "29350690551",
"diagnostic_regression_run": "29307978522",
Expand Down Expand Up @@ -35,6 +35,8 @@
"pre_redaction_trusted_apply_input": true,
"git_ignored_workspace_artifacts_excluded": true,
"runtime_control_files_excluded": true,
"workspace_integrity_change_evidence": true,
"non_git_workspace_snapshot_fallback": true,
"native_result_path": ".codebox/native-agent-task-result.json",
"workflow_result_path": ".codebox/agent-task-workflow-result.json"
}
Loading