[Pelis Agent Factory Advisor] Agentic Workflow Advisor Report — March 2026 #1394
This discussion was automatically closed because it expired on 2026-03-29T03:32:40.690Z.
📊 Executive Summary
gh-aw-firewall has an impressively mature agentic workflow ecosystem with 16 specialized agentic workflows covering security, CI/CD, documentation, and issue management — well above average for a project of this size. The most significant gap is the absence of issue triage/labeling (creating a broken pipeline feeding the Issue Monster) and meta-workflow observability (no agent monitoring the agents themselves). Closing these two gaps would unlock substantial multiplier value from the existing workflow investment.
🎓 Patterns Learned from Pelis Agent Factory
The Pelis Agent Factory (100+ workflows in github/gh-aw) revealed several key patterns directly applicable here:
1. Specialization over monoliths — Many focused agents outperform one "do everything" agent. This repo already follows this pattern well.
2. Causal chain automation — The most effective setups chain agents: Triage labels an issue → Issue Monster assigns it → Copilot fixes it → CI Doctor validates the fix. This repo has the middle and end of the chain but is missing the labeling step at the start.
3. Meta-agents are invaluable — The Pelis Factory's Workflow Health Manager created 40 issues and 5 direct + 14 causal PRs by monitoring other workflows. This repo has no equivalent.
4. Trust but verify — Continuous testing workflows (Daily Test Improver, CI Coach) with high merge rates (100%) show that validation-focused agents are extremely reliable. This repo's weekly test-coverage-improver could be expanded.
5. Documentation quality multipliers — Daily Doc Updater in the Pelis Factory achieved a 96% PR merge rate (57/59 merged). This repo's doc-maintainer runs daily but could be enhanced with validation.
6. Domain-specific security workflow — The Pelis Factory runs a dedicated "Firewall" agent to test its own network security. This repo is a firewall — it has excellent security workflows, but no agent specifically testing the AWF firewall from a user perspective.
Comparison with githubnext/agentics: The agentics reference repo includes workflows like `daily-test-improver`, `daily-repo-chronicle`, `weekly-issue-summary`, and `grumpy-reviewer` that are absent here. The `ci-doctor.md` in agentics directly inspired this repo's implementation.
📋 Current Agentic Workflow Inventory
- `issue-monster` (issues: opened, hourly)
- `issue-duplication-detector` (issues: opened)
- `ci-doctor` (workflow_run: completed)
- `security-review`
- `security-guard`
- `secret-digger-claude`
- `secret-digger-codex`
- `secret-digger-copilot`
- `doc-maintainer`
- `test-coverage-improver`
- `dependency-security-monitor`
- `cli-flag-consistency-checker`
- `ci-cd-gaps-assessment`
- `update-release-notes` (release: published)
- `plan` (/plan comment)
- `build-test`
- `smoke-claude/codex/copilot/chroot`
- `pelis-agent-factory-advisor`
🚀 Actionable Recommendations
P0 — Implement Immediately
🏷️ Issue Triage / Labeling Agent
What: An automated workflow that labels new issues with appropriate tags (`bug`, `enhancement`, `security`, `documentation`, `good-first-issue`, `no-bot`, etc.).
Why: The Issue Monster explicitly skips issues without recognized labels (it looks for `bug`, `enhancement`, `feature`, `security`, etc.). Currently, no workflow applies these labels, meaning Issue Monster has limited effectiveness. A triage agent closes this gap and creates a complete automation pipeline: Label → Assign → Fix.
How: Trigger on `issues: [opened, reopened]`. Analyze issue title/body, apply one label from the allowed set, leave a brief comment explaining the label choice.
Effort: Low — this is the Pelis Factory "hello world" pattern, well-documented and straightforward to implement.
Example:
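The following is an added illustration of the triage step described above, not code from gh-aw-firewall or from the Pelis Agent Factory. It is the decision logic such a workflow would run under `actions/github-script` on an `issues: [opened, reopened]` event: rules are checked in priority order so that exactly one label from the allowed set is applied, issues carrying `no-bot` or an existing label are left alone, and the chosen label and reason are returned as data so the API calls can be dry-run before anything is written. The keyword rules, label names and sample issues are assumptions made for the example.

```javascript
// Added example, not code from gh-aw-firewall or the Pelis Agent Factory.
// A deterministic first-pass labeler for an `issues: [opened, reopened]`
// workflow: picks exactly one label from an allowed set and explains why.
// Label names, keyword rules and sample issues are assumptions for illustration.

// Rules are checked in priority order; the first match wins so that a single
// label is applied (the Issue Monster keys off one recognized label).
const TRIAGE_RULES = [
  { label: 'security',      pattern: /cve-|vuln|exploit|bypass|exfiltrat|leak|injection|privilege/i },
  { label: 'bug',           pattern: /\b(bug|crash|error|fails?|broken|regression|unexpected)\b/i },
  { label: 'documentation', pattern: /\b(docs?|readme|typo|documentation)\b/i },
  { label: 'enhancement',   pattern: /\b(feature|enhancement|support for|add|proposal)\b/i },
];

function labelNames(issue) {
  return (issue.labels || []).map((l) => (typeof l === 'string' ? l : l.name));
}

// Returns { label, reason }; label is null when the bot should not act.
function chooseLabel(issue) {
  const existing = labelNames(issue);
  if (existing.includes('no-bot')) {
    return { label: null, reason: 'issue is marked no-bot; automated triage skipped' };
  }
  if (existing.length > 0) {
    return { label: null, reason: `already labeled: ${existing.join(', ')}` };
  }
  // Title and body are scanned together; a title-only match is enough.
  const text = `${issue.title}\n${issue.body || ''}`;
  for (const rule of TRIAGE_RULES) {
    const m = rule.pattern.exec(text);
    if (m) return { label: rule.label, reason: `matched "${m[0]}" -> ${rule.label}` };
  }
  return { label: null, reason: 'no rule matched; left for human triage' };
}

// Turns a decision into the GitHub REST calls the workflow would make.
// Returned as data so it can be inspected (or dry-run) before any API call.
function triagePlan(issue) {
  const { label, reason } = chooseLabel(issue);
  if (!label) return { calls: [], reason };
  return {
    reason,
    calls: [
      { api: 'issues.addLabels', args: { issue_number: issue.number, labels: [label] } },
      { api: 'issues.createComment', args: { issue_number: issue.number,
          body: `Auto-triage applied \`${label}\` (${reason}). Add \`no-bot\` to opt out.` } },
    ],
  };
}

// Under actions/github-script the plan would be executed roughly as:
//   for (const c of plan.calls) await github.rest.issues[c.api.split('.')[1]]({ ...context.repo, ...c.args });
// Constructed sample issues that exercise each rule:
const SAMPLE_ISSUES = [
  { number: 1, title: 'Crash when both --foo and --bar are set', body: '', labels: [] },
  { number: 2, title: 'Add support for IPv6 egress rules', body: 'Feature request', labels: [] },
  { number: 3, title: 'Typo in README', body: '', labels: [] },
  { number: 4, title: 'DNS exfiltration possible via TXT records', body: '', labels: ['no-bot'] },
  { number: 5, title: 'Hello', body: 'just saying hi', labels: [] },
];

for (const issue of SAMPLE_ISSUES) {
  const plan = triagePlan(issue);
  console.log(`#${issue.number}: ${plan.calls.length ? plan.calls[0].args.labels[0] : '(no label)'} - ${plan.reason}`);
}
```

Ordering the rules with `security` first is the deliberate choice here: a report that mentions both a crash and an exfiltration path should land on the security label, since that is the one the Issue Monster and the security workflows act on. Anything the rules cannot classify is left unlabeled rather than guessed, so the human triage path stays intact.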
📊 Workflow Health Manager (Meta-Agent)
What: A daily/weekly agent that monitors all other agentic workflows in this repository — checking if they're succeeding, trending toward failures, producing expected outputs, and remaining within cost/time budgets.
Why: This repo now has 16+ agentic workflows. Without observability, degraded workflows go unnoticed. The Pelis Factory's Workflow Health Manager created 40 issues and 19 merged PRs just by watching other workflows. As this workflow collection grows, meta-observability becomes essential.
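As an added example of the checks such a meta-agent would run (this is illustration code, not code from gh-aw-firewall, the `agentic-workflows` tool or the Pelis Agent Factory), the block below evaluates a constructed run history for four conditions: a high overall failure rate, a trend toward failure (the last three runs failed after earlier successes), stalled output (runs that "succeed" but have created nothing for a configurable number of days), and an anomalous runtime relative to the median of earlier runs. The run record fields (`workflow`, `conclusion`, `durationSec`, `finishedAt`, `outputs`) and the thresholds are assumptions; the sample data is constructed so that one workflow is healthy, one is trending to failure and one is silently stalled.

```javascript
// Added example, not code from gh-aw-firewall or the Pelis Agent Factory:
// the checks a workflow health meta-agent would run over run history.
// The run records are constructed sample data; `workflow`, `conclusion`,
// `durationSec`, `finishedAt` and `outputs` are assumed field names, not the
// schema of the agentic-workflows tool or of `gh run list`.

const DAY_MS = 24 * 60 * 60 * 1000;
const NOW = Date.parse('2026-03-22T00:00:00Z'); // fixed clock so results are reproducible

function sampleRuns() {
  const runs = [];
  const mk = (workflow, daysAgo, conclusion, durationSec, outputs) => ({
    workflow, conclusion, durationSec, outputs, // outputs = issues/PRs/discussions created
    finishedAt: new Date(NOW - daysAgo * DAY_MS).toISOString(),
  });
  // doc-maintainer: daily, healthy, produces a PR every other day
  for (let d = 7; d >= 1; d--) runs.push(mk('doc-maintainer', d, 'success', 300 + d, d % 2 === 0 ? 1 : 0));
  // ci-doctor: healthy for days 7..4, then three consecutive failures
  for (let d = 7; d >= 4; d--) runs.push(mk('ci-doctor', d, 'success', 120, 1));
  for (let d = 3; d >= 1; d--) runs.push(mk('ci-doctor', d, 'failure', 45, 0));
  // test-coverage-improver: weekly, always "succeeds", but has produced
  // nothing for three weeks and its latest run took far longer than usual
  runs.push(mk('test-coverage-improver', 21, 'success', 900, 1));
  runs.push(mk('test-coverage-improver', 14, 'success', 950, 0));
  runs.push(mk('test-coverage-improver', 7, 'success', 880, 0));
  runs.push(mk('test-coverage-improver', 0, 'success', 3100, 0));
  return runs;
}

function median(xs) {
  const s = [...xs].sort((a, b) => a - b);
  const mid = s.length >> 1;
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Assess one workflow; thresholds are illustrative defaults.
function assessWorkflow(name, runs, now = NOW, opts = {}) {
  const { failureRate = 0.5, minRuns = 3, staleDays = 14, slowFactor = 2 } = opts;
  const findings = [];
  const mine = runs
    .filter((r) => r.workflow === name)
    .sort((a, b) => Date.parse(a.finishedAt) - Date.parse(b.finishedAt));
  if (mine.length === 0) return { name, findings: ['no runs recorded'] };

  // 1. Overall failure rate over the window.
  const failures = mine.filter((r) => r.conclusion === 'failure').length;
  const rate = failures / mine.length;
  if (mine.length >= minRuns && rate >= failureRate) {
    findings.push(`failure rate ${(rate * 100).toFixed(0)}% over ${mine.length} runs`);
  }
  // 2. Trending toward failure: last three runs failed after earlier successes.
  const last3 = mine.slice(-3);
  if (last3.length === 3 && last3.every((r) => r.conclusion === 'failure')
      && mine.slice(0, -3).some((r) => r.conclusion === 'success')) {
    findings.push('last 3 runs failed after earlier successes');
  }
  // 3. Stalled output: a "success" that never creates anything is a silent failure.
  const lastProductive = [...mine].reverse().find((r) => r.outputs > 0);
  const idleDays = lastProductive ? (now - Date.parse(lastProductive.finishedAt)) / DAY_MS : Infinity;
  if (idleDays > staleDays) {
    findings.push(lastProductive ? `no output for ${Math.round(idleDays)} days` : 'never produced an output');
  }
  // 4. Anomalous runtime: latest run vs. median of the earlier runs.
  if (mine.length > minRuns) {
    const latest = mine[mine.length - 1];
    const baseline = median(mine.slice(0, -1).map((r) => r.durationSec));
    if (latest.durationSec > slowFactor * baseline) {
      findings.push(`latest run took ${latest.durationSec}s vs median ${baseline}s`);
    }
  }
  return { name, findings };
}

// Assess every workflow seen in the history; only unhealthy ones need an issue.
function healthReport(runs, now = NOW) {
  const names = [...new Set(runs.map((r) => r.workflow))];
  return names.map((n) => assessWorkflow(n, runs, now)).filter((w) => w.findings.length > 0);
}

console.log(JSON.stringify(healthReport(sampleRuns()), null, 2));
```

On the constructed data the report flags `ci-doctor` (trend to failure) and `test-coverage-improver` (no output for 21 days, latest run over twice the median) and stays silent on `doc-maintainer`. The stalled-output check is the one a plain success/failure dashboard misses, and it is the case the report's "producing expected outputs" criterion is about; cache-memory would hold the previous assessment so that a finding is only opened once and closed when it clears.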
How: Use the `agentic-workflows` tool to pull run history. Identify workflows with high failure rates, stalled outputs (no recent discussions/issues/PRs), or anomalous runtimes. Create issues for problems found.
Effort: Low-Medium — can use existing `agentic-workflows` tool and cache-memory for trending data.
P1 — Plan for Near-Term
🔄 Breaking Change Checker
What: A workflow that triggers on PRs and analyzes changes to CLI flags, public API shapes, and container behavior for backward-incompatible changes.
Why: AWF is a developer tool integrated into CI/CD pipelines. Breaking changes (removed flags, changed defaults, renamed Docker images) cause real downstream failures for users. The Pelis Factory's Breaking Change Checker catches these before they reach production. This repo has a CLI Flag Consistency Checker, but that checks docs, not backward compatibility.
How: On PR, compare changed `src/cli.ts` options against the previous version. Flag removed flags, changed argument types, and renamed outputs. Check container interface changes (entrypoint args, environment variables).
Effort: Medium — requires careful analysis logic, but the Pelis Factory pattern is well-established.
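An added example of the comparison step described above, not gh-aw-firewall's code: it diffs two versions of a declared CLI and container interface and classifies each difference as breaking (flag removed, argument type changed, flag became required, new required flag, environment variable removed) or as a behavior change (default or entrypoint arguments changed). The option descriptor shape (`type`, `required`, `default`), the flag names and the environment variable names are all invented for the example; the page does not show how `src/cli.ts` declares its options, so a real checker would first extract that declaration from both revisions.

```javascript
// Added example, not gh-aw-firewall's code: a backward-compatibility diff of
// the CLI and container interface between two versions. The descriptor shape,
// flag names and environment variable names are constructed for illustration;
// the real src/cli.ts option definitions are not shown on the page.

// Option descriptor: { type, required, default }. Everything below is invented.
const BASE_VERSION = {
  cli: {
    'allow-domains': { type: 'string', required: true },
    'log-level':     { type: 'string', default: 'info' },
    'legacy-mode':   { type: 'boolean', default: false },
    'timeout':       { type: 'number', default: 30 },
  },
  container: {
    env: ['AWF_ALLOWED_DOMAINS', 'AWF_LOG_LEVEL'],          // hypothetical names
    entrypointArgs: ['--config', '/etc/awf.json'],
  },
};
const HEAD_VERSION = {
  cli: {
    'allow-domains': { type: 'string', required: true },
    'log-level':     { type: 'string', default: 'warn' },    // default changed
    'timeout':       { type: 'string', default: '30s' },     // type changed
    'config-file':   { type: 'string', required: true },     // new required flag
    'dry-run':       { type: 'boolean', default: false },    // new optional flag: compatible
    // 'legacy-mode' removed
  },
  container: {
    env: ['AWF_ALLOWED_DOMAINS'],                            // AWF_LOG_LEVEL removed
    entrypointArgs: ['--config', '/etc/awf/config.json'],    // path changed
  },
};

// Returns a list of { severity: 'breaking' | 'behavior', item, change }.
function diffInterfaces(base, head) {
  const findings = [];
  for (const [name, b] of Object.entries(base.cli)) {
    const h = head.cli[name];
    if (!h) { findings.push({ severity: 'breaking', item: `--${name}`, change: 'flag removed' }); continue; }
    if (h.type !== b.type) {
      findings.push({ severity: 'breaking', item: `--${name}`, change: `type ${b.type} -> ${h.type}` });
    }
    if (!b.required && h.required) {
      findings.push({ severity: 'breaking', item: `--${name}`, change: 'became required' });
    }
    // A changed default keeps old invocations valid but changes what they do.
    if (b.default !== undefined && h.default !== b.default && h.type === b.type) {
      findings.push({ severity: 'behavior', item: `--${name}`,
        change: `default ${JSON.stringify(b.default)} -> ${JSON.stringify(h.default)}` });
    }
  }
  for (const [name, h] of Object.entries(head.cli)) {
    if (!base.cli[name] && h.required) {
      findings.push({ severity: 'breaking', item: `--${name}`, change: 'new required flag' });
    }
  }
  for (const v of base.container.env) {
    if (!head.container.env.includes(v)) {
      findings.push({ severity: 'breaking', item: v, change: 'environment variable removed' });
    }
  }
  const baseArgs = base.container.entrypointArgs.join(' ');
  const headArgs = head.container.entrypointArgs.join(' ');
  if (baseArgs !== headArgs) {
    findings.push({ severity: 'behavior', item: 'entrypoint', change: `args "${baseArgs}" -> "${headArgs}"` });
  }
  return findings;
}

function isBreaking(findings) {
  return findings.some((f) => f.severity === 'breaking');
}

// Stand-alone run: print the findings in the form a PR comment would carry.
for (const f of diffInterfaces(BASE_VERSION, HEAD_VERSION)) {
  console.log(`[${f.severity}] ${f.item}: ${f.change}`);
}
```

Splitting "breaking" from "behavior" findings matters for the workflow's output: a breaking finding justifies blocking the PR or demanding a major-version note, while a behavior finding (a changed default, a moved config path) is a reviewer prompt and a changelog entry. Adding an optional flag produces nothing, which keeps the checker quiet on the common, compatible change.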
🔍 Container Security Audit Agent
What: A periodic agent that deeply audits the Docker container configurations (`containers/squid/`, `containers/agent/`, `containers/api-proxy/`) for security misconfigurations, outdated base images, and dangerous patterns.
Why: This repo is a security tool — its core product is Docker containers with iptables, Squid proxy, and capability management. An agent that validates the container security posture (base image CVEs, capability grants, seccomp profile completeness, Squid ACL correctness) would directly strengthen the core product. The static `codeql.yml` only covers TypeScript, not shell scripts or container configs.
How: Weekly schedule. Use bash with `docker inspect`, review `seccomp-profile.json`, cross-reference capability grants in `setup-iptables.sh` and `entrypoint.sh`, check for recently disclosed CVEs in Ubuntu base images. Post findings as a discussion.
Effort: Medium — requires domain expertise in container security (which the repo's existing context provides amply via AGENTS.md).
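As an added example of the static part of that audit (illustration code, not gh-aw-firewall's own audit or its real container configuration), the block below takes `docker inspect` output and a seccomp profile and reports the posture problems a weekly agent would turn into a discussion: privileged mode, capabilities outside a per-container allowlist or in a dangerous set, missing `CapDrop: ALL`, no custom seccomp profile, `no-new-privileges` unset, an unpinned base image, and a seccomp profile whose `defaultAction` allows by default. The inspect documents and the profile are constructed samples, and the allowlist (the firewall container needs `NET_ADMIN`/`NET_RAW` for iptables, the agent container gets nothing) is an assumed policy. The CVE lookup the report also mentions needs a vulnerability feed and is not part of this offline check.

```javascript
// Added example, not gh-aw-firewall's code: static checks a container
// security audit agent could run over `docker inspect` output and a seccomp
// profile. The inspect documents, the profile and the capability policy are
// constructed for illustration; the real containers may differ.

// Assumed policy: which capabilities each container role is allowed to add.
const EXPECTED_CAPS = {
  squid: ['NET_ADMIN', 'NET_RAW'], // iptables/transparent proxying needs these
  agent: [],                       // the workload container should need none
};
// Capabilities that amount to host compromise if granted to an untrusted workload.
const DANGEROUS_CAPS = ['SYS_ADMIN', 'SYS_PTRACE', 'SYS_MODULE', 'DAC_READ_SEARCH', 'SYS_RAWIO'];

// Constructed subset of `docker inspect` output for two containers.
const SAMPLE_INSPECT = [
  { Name: '/squid', Config: { Image: 'ubuntu:24.04' },
    HostConfig: { Privileged: false, CapAdd: ['NET_ADMIN', 'NET_RAW'], CapDrop: ['ALL'],
                  SecurityOpt: ['seccomp=/etc/awf/seccomp-profile.json', 'no-new-privileges:true'] } },
  { Name: '/agent', Config: { Image: 'ubuntu:latest' },
    HostConfig: { Privileged: true, CapAdd: ['SYS_ADMIN'], CapDrop: [], SecurityOpt: [] } },
];
// Constructed seccomp profile that denies only ptrace and allows everything else.
const SAMPLE_SECCOMP = {
  defaultAction: 'SCMP_ACT_ALLOW',
  syscalls: [{ names: ['ptrace'], action: 'SCMP_ACT_ERRNO' }],
};

function auditContainer(c, expectedCaps) {
  const role = c.Name.replace(/^\//, '');
  const hc = c.HostConfig;
  const findings = [];
  if (hc.Privileged) {
    findings.push({ role, severity: 'critical', issue: 'runs privileged (all capabilities, no seccomp/AppArmor)' });
  }
  for (const cap of hc.CapAdd || []) {
    const bare = cap.replace(/^CAP_/, '');
    if (DANGEROUS_CAPS.includes(bare)) findings.push({ role, severity: 'critical', issue: `grants ${bare}` });
    else if (!expectedCaps.includes(bare)) findings.push({ role, severity: 'high', issue: `unexpected capability ${bare}` });
  }
  if (!(hc.CapDrop || []).includes('ALL')) {
    findings.push({ role, severity: 'medium', issue: 'does not drop ALL capabilities before adding the needed ones' });
  }
  const opts = hc.SecurityOpt || [];
  if (!opts.some((o) => o.startsWith('seccomp='))) findings.push({ role, severity: 'medium', issue: 'no custom seccomp profile' });
  if (!opts.includes('no-new-privileges:true')) findings.push({ role, severity: 'medium', issue: 'no-new-privileges not set' });
  const image = c.Config.Image;
  if (/:latest$/.test(image) || !image.includes(':')) {
    findings.push({ role, severity: 'low', issue: `base image ${image} is not pinned to a version or digest` });
  }
  return findings;
}

function auditSeccompProfile(profile) {
  const findings = [];
  // An allowlist profile denies by default and enumerates what is permitted.
  if (!['SCMP_ACT_ERRNO', 'SCMP_ACT_KILL_PROCESS', 'SCMP_ACT_KILL'].includes(profile.defaultAction)) {
    findings.push({ role: 'seccomp', severity: 'high',
      issue: `defaultAction is ${profile.defaultAction}; profile is a denylist, not an allowlist` });
  }
  for (const rule of profile.syscalls || []) {
    if (rule.action === 'SCMP_ACT_ALLOW' && rule.names.some((n) => ['ptrace', 'mount', 'init_module', 'bpf'].includes(n))) {
      findings.push({ role: 'seccomp', severity: 'high', issue: `explicitly allows ${rule.names.join(', ')}` });
    }
  }
  return findings;
}

function runAudit(containers, profile, policy) {
  const perContainer = containers.flatMap((c) => auditContainer(c, policy[c.Name.replace(/^\//, '')] || []));
  return [...perContainer, ...auditSeccompProfile(profile)];
}

for (const f of runAudit(SAMPLE_INSPECT, SAMPLE_SECCOMP, EXPECTED_CAPS)) {
  console.log(`${f.severity.toUpperCase()} [${f.role}] ${f.issue}`);
}
```

The point of the per-role allowlist is that "has NET_ADMIN" is not itself a finding for a firewall container, but it is for the workload container; the audit has to encode what each container is supposed to be, which is exactly the domain context the report says AGENTS.md supplies. The seccomp check is separate from the container check because a profile that exists but allows by default gives little more protection than none.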
🗂️ Issue Arborist
What: A workflow that periodically links related issues as sub-issues, building hierarchical issue trees automatically.
Why: The Pelis Factory's Issue Arborist created 77 discussion reports and 18 parent issues for grouping. As this repo grows its issue backlog, organizing related security issues, feature requests, and test coverage gaps into parent/child hierarchies would make the backlog far more navigable.
How: Weekly schedule. Analyze open issues using embeddings or keyword similarity. When issues share a common theme (e.g., "iptables filtering", "API proxy", "DNS exfiltration"), create a parent tracking issue and link related issues as sub-issues.
Effort: Medium.
P2 — Consider for Roadmap
♻️ Daily Code Simplification Agent
What: A daily agent that identifies overly complex code patterns and proposes simplifications via PRs — focusing on the TypeScript codebase (`src/`).
Why: The Pelis Factory's Continuous Simplicity workflow contributed 26 merged PRs out of 30 proposed (86% merge rate). Security-critical code especially benefits from simplicity: simpler code is easier to audit. Complex conditional chains in `src/docker-manager.ts` (1000+ lines) could be targeted.
Effort: Medium — well-established Pelis pattern. Risk: security-sensitive code needs careful review.
📈 Agentic Portfolio Analyst
What: A weekly workflow that analyzes the portfolio of agentic workflow runs — identifying cost per workflow, token usage trends, merge rates, and suggesting which workflows to tune or retire.
Why: As workflow count grows from 16 to 20+ (which this report will likely trigger), cost visibility becomes important. The Pelis Factory's Portfolio Analyst found workflows "costing money unnecessarily because some agents were too chatty."
Effort: Low-Medium — uses the `agentic-workflows` tool for data, outputs a markdown discussion.
🔁 PR Auto-Update (Mergefest-style)
What: A workflow that automatically merges `main` into open PRs when they fall behind, preventing stale PR conflicts.
Why: As agentic workflows generate more PRs (doc-maintainer, test-coverage-improver, dependency-security-monitor), keeping those PRs up to date manually becomes friction. Mergefest in the Pelis Factory handles this automatically.
Effort: Low — simple orchestration pattern.
P3 — Future Ideas
📚 Glossary Maintainer
A workflow that maintains a consistent security glossary — ensuring terms like "egress filtering", "transparent proxy", "iptables DNAT" are used consistently across docs, AGENTS.md, and CLAUDE.md. The Pelis Factory's Glossary Maintainer achieved 100% PR merge rate (10/10).
📊 Weekly Repository Chronicle
A weekly narrative summary of what changed in the codebase, what agentic workflows ran, and what progress was made. Useful for async teams and for keeping the AI agents' context current.
🤖 PR Nitpick Reviewer
A general code quality reviewer (separate from Security Guard) that checks for non-security issues: TypeScript anti-patterns, missing error handling, test coverage in PRs. The Pelis Factory's Grumpy Reviewer and PR Nitpick Reviewer fill this role.
🔗 Sub-Issue Closer
Automatically close sub-issues when all their children are resolved. Pairs naturally with the Issue Arborist and plan slash command.
📈 Maturity Assessment
Overall Current Level: 3.5 / 5 — "Active Automation" (multiple specialized agents, strong security focus, but gaps in issue pipeline and meta-observability)
Target Level: 4.5 / 5 — "Factory Mode" (complete issue automation pipeline, meta-agents monitoring agents, continuous code quality, full observability)
To get there: Implement the two P0 recommendations (triage + health manager) and the two P1 recommendations (breaking change checker + container audit). That alone would bring the repo to ~4.5/5.
🔄 Comparison with Best Practices
✅ What This Repo Does Well
`issue-duplication-detector` correctly uses cache-memory for cross-run persistence — a best practice
🎯 Unique Opportunities Given This Domain
This repo builds a firewall — which means it can dogfood its own security tools. An agentic workflow that runs AWF itself to validate firewall behavior (testing domain blocking, credential isolation, iptables rules) from a user's perspective would be uniquely valuable. The smoke tests do some of this, but an agent-driven integration test reporter that interprets those smoke test results and creates actionable issues would close the loop.
This report was generated by the Pelis Agent Factory Advisor workflow on 2026-03-22. Analysis was based on crawling the Pelis Agent Factory documentation, exploring the githubnext/agentics reference repository, and analyzing all 16 agentic workflow files in `.github/workflows/`. Notes saved to `/tmp/gh-aw/cache-memory/pelis-advisor-notes.json` for future runs.