[Pelis Agent Factory Advisor] Agentic Workflow Opportunities — March 2026 Analysis

[github-actions[bot]]

📊 Executive Summary

The gh-aw-firewall repository demonstrates exceptional agentic workflow maturity — particularly in security-focused automation — with 22 agentic workflows spanning red-teaming, CI investigation, dependency monitoring, and multi-engine smoke testing. Compared to Pelis Agent Factory patterns, the main gaps are in meta-agent observability (no workflow-health monitor), issue lifecycle management (no triage/labeling agent), continuous code quality (no simplification/refactoring agents), and breaking change detection — all of which are high-ROI additions for a rapidly evolving security tool.

---

🎓 Patterns Learned from Pelis Agent Factory

Key Patterns from the Documentation Site

The factory demonstrates several powerful principles:

Pattern	Description	Best Example
Specialization over monoliths	Many focused agents > one large agent	Secret Digger runs as 3 separate workflows (Claude, Codex, Copilot)
Meta-agents	Agents that watch other agents	Workflow Health Manager, Audit Workflows, Portfolio Analyst
Trust but verify	Continuous testing prevents silent regressions	CI Doctor, Schema Consistency Checker
Skip-if-match	Avoid duplicate in-flight work	skip-if-match: is:pr is:open in:title "[docs]"
Cache memory	State across runs enables smarter decisions	Issue Duplication Detector stores seen issues
Causal chains	Agent A creates issue → Issue Monster assigns → Copilot fixes	Full autonomous loop at ~78% merge rate
Reaction triggers	On-demand workflows via emoji reactions	Smoke tests triggered by 🚀/❤️/🎉/👀
read-only analysts	Low-risk agents that discuss/report without changing code	CI/CD Gaps Assessment, Portfolio Analyst

Key Patterns from githubnext/agentics

The agentics repo showcases:

• daily-repo-goals.md — Tracks stated repository goals daily and reports on progress, keeping the team aligned
• daily-workflow-sync.md — Keeps shared workflow templates in sync across multiple repositories
• daily-test-improver.md — Incremental test coverage improvement (referenced from Pelis factory)
• link-checker.md / maintainer.md — Link validation and repository maintenance agents

How This Repo Compares

This repo already implements many patterns well: the three-engine secret digger is a sophisticated specialization, the firewall-issue-dispatcher is an excellent cross-repo orchestration pattern, and the CI Doctor is a direct application of the most impactful Pelis Factory workflow. The main gap is in the quality/refactoring and meta-observability tiers.

---

📋 Current Agentic Workflow Inventory

Workflow	Purpose	Trigger	Assessment
build-test	Test suite across engines (Node, Go, Rust, Java, .NET)	PR + dispatch	✅ Solid
ci-cd-gaps-assessment	Identify gaps in CI/CD coverage	Daily	✅ Good read-only analyst
ci-doctor	Investigate CI failures, create diagnostic issues	Workflow failure	✅ Core pattern, well implemented
cli-flag-consistency-checker	Detect CLI flag/doc discrepancies	Weekly	✅ 78% merge rate in Pelis Factory analog
dependency-security-monitor	Monitor CVEs, propose patch updates	Daily	✅ Security-critical
doc-maintainer	Sync docs with code changes via PR	Daily + skip-if	✅ Good pattern
firewall-issue-dispatcher	Mirror gh-aw issues → gh-aw-firewall	Every 6h	✅ Unique cross-repo pattern
issue-duplication-detector	Detect duplicates using cache memory	Issue opened	✅ Good cache-memory usage
issue-monster	Dispatch open issues to Copilot agent	Issue opened + 1h	✅ Task dispatcher pattern
pelis-agent-factory-advisor	This workflow	Daily	✅ Meta-analysis
plan	/plan slash command	Issue/discussion comment	✅ ChatOps pattern
secret-digger-claude/codex/copilot	Red-team secret scanning (3 engines)	Hourly	✅ Outstanding — industry-leading
security-guard	PR security review	PR opened/sync	✅ Claude engine, good fit
security-review	Deep security + threat modeling	Daily	✅ Comprehensive
smoke-chroot/claude/codex/copilot	End-to-end smoke tests per engine	PR + reaction + 12h	✅ Multi-engine is excellent
test-coverage-improver	Improve security-critical test coverage	Weekly	⚠️ Weekly may be too infrequent
update-release-notes	Enhance release notes from git diff	Release published	✅ Solid release automation

---

🚀 Actionable Recommendations

P0 — Implement Immediately

🏷️ Issue Triage Agent

What: Automatically label new issues (bug, feature, enhancement, documentation, question, security) based on content analysis, and leave a friendly comment explaining the label and suggesting next steps.

Why: Issues arrive unlabeled and unrouted. The Pelis Factory's triage agent is their "hello world" workflow — immediately useful, low risk, and sets the stage for downstream automation (Issue Monster can be more selective with labels present). Without labels, issue-monster can't discriminate between feature requests and bugs when dispatching to Copilot.

How:

---
timeout-minutes: 5
on:
  issues:
    types: [opened, reopened]
permissions:
  issues: read
tools:
  github:
    toolsets: [issues, labels]
    min-integrity: none
safe-outputs:
  add-labels:
    allowed: [bug, feature, enhancement, documentation, question, security, good-first-issue]
  add-comment:
    max: 1
---
# Issue Triage Agent
Analyze new issues in $\{\{ github.repository }}. For unlabeled issues, apply one label from
the allowed list. Post a comment @-mentioning the author explaining the label and summarizing
how the issue likely maps to the AWF architecture (iptables, Squid ACL, container security,
domain validation, CLI, docs).

Effort: Low (< 1 hour, direct from Pelis Factory template)

---

🔍 Workflow Health Monitor

What: A meta-agent that audits all other agentic workflows — checking for failed runs, low merge rates, stale outputs, and configuration drift — then creates issues for degraded workflows.

Why: With 22 workflows running continuously, failures can go unnoticed. The CI Doctor already monitors traditional CI, but nobody monitors the agentic workflows themselves. The Pelis Factory's Workflow Health Manager generated 40 issues and had 5 direct PRs merged from monitoring alone. This is especially important as the workflow count grows.

How: Weekly schedule, queries agentic-workflows tool for recent run logs, checks success rates and output freshness, creates issues prefixed [Workflow Health] for degraded workflows.

Effort: Low–Medium

---

🚨 Breaking Change Checker

What: On each PR, analyze changes to public-facing interfaces — CLI flags, Docker API, environment variable names, exit codes — and create an alert issue if backward-incompatible changes are detected.

Why: AWF is used as a GitHub Action (action.yml), has a CLI interface, and emits specific exit codes. Breaking changes affect downstream users silently. The existing security-guard reviews security implications but not compatibility. The Pelis Factory's Breaking Change Checker caught issues like CLI version update impacts before production.

How: PR trigger, reads action.yml, src/cli.ts diff, checks for removed/renamed flags, changed parameter semantics, modified exit codes.

Effort: Medium

---

P1 — Plan for Near-Term

📊 Smoke Test Flakiness Tracker

What: A weekly agent that analyzes historical smoke test results (claude/codex/copilot/chroot) stored in agentic-workflows logs and identifies flaky tests — those that alternate between pass/fail without code changes. Creates issues for consistently flaky scenarios.

Why: Smoke tests run every 12h and on PRs. Flakiness erodes trust in test results. A security tool must have reliable smoke tests. Currently there's no visibility into test reliability trends over time.

How: Uses agentic-workflows.logs to pull the last 30 smoke test runs per engine, calculates pass/fail rates per test scenario, creates a weekly discussion with reliability metrics and flags flaky scenarios as issues.

Effort: Medium

---

✂️ Code Simplifier

What: Daily agent that reviews TypeScript files modified in the last 3 commits and proposes simplifications — extracting repeated patterns, reducing nesting, using standard library idioms — via draft PRs.

Why: AWF's core TypeScript (src/cli.ts, src/docker-manager.ts) grows rapidly as new features are added. The Pelis Factory's Code Simplifier achieved 83% merge rate on 6 PRs with simplifications. For a security-critical tool, clear code directly improves auditability.

How: Daily schedule with skip-if-match to avoid in-flight simplification PRs. Analyzes git log --since=3.days changed .ts files. Creates draft PRs titled [Simplify] ....

Effort: Low (direct from Pelis Factory template, adapted for TypeScript)

---

📈 Workflow Portfolio Analyst

What: Weekly meta-agent that examines the costs and effectiveness of all agentic workflows — which ones are producing merged PRs, which ones are expensive but unproductive, token usage trends. Creates a discussion report.

Why: 22 workflows × 3 engines running hourly/daily creates significant LLM cost. Without visibility, it's impossible to optimize. The Pelis Factory's Portfolio Analyst identified "chatty" workflows costing money unnecessarily.

How: Uses agentic-workflows.logs to pull run metrics, correlates discussions/issues/PRs created by each workflow, produces a ranked efficiency report.

Effort: Medium

---

P2 — Consider for Roadmap

🔄 Schema Consistency Checker

What: Weekly agent that checks for drift between TypeScript interfaces in src/types.ts, JSON schemas (if any), CLI help text, and documentation. Reports in a discussion.

Why: WrapperConfig, SquidConfig, and DockerComposeConfig types drive the entire system. Drift between code types and documentation creates security-relevant confusion (e.g., undocumented flags that bypass security checks).

Effort: Medium

---

🏃 CI Optimization Coach

What: Monthly agent that analyzes CI run times across all workflows, identifies parallelization opportunities, redundant steps, and unnecessary dependencies. Creates PRs with optimizations.

Why: The build matrix (Node/Go/Rust/Java/.NET) and integration tests may have sequential dependencies that could be parallelized. Pelis Factory's CI Coach achieved 100% merge rate on 9 PRs. Faster CI = faster feedback for security fixes.

Effort: Medium

---

📦 Container Security Baseline Monitor

What: Weekly agent that validates container hardening parameters haven't regressed — capability drop lists, seccomp profile entries, memory/PID limits, non-root user enforcement. Creates an issue if drift is detected from a known-good baseline.

Why: Container security hardening in src/docker-manager.ts and containers/agent/ is the core security guarantee of AWF. Changes that inadvertently loosen constraints (e.g., adding a capability for a new feature) need immediate attention beyond what security-guard provides at PR time.

Effort: Medium

---

📝 Documentation Noob Tester

What: Monthly agent that attempts to follow the README.md installation and quickstart instructions in a fresh environment, documenting any steps that fail or are confusing. Creates improvement issues.

Why: AWF has complex setup (Docker, iptables, sudo requirements). The Pelis Factory's Docs Noob Tester generated 9 merged PRs at 43% rate — lower rate but high value for UX. For a security tool, confusing setup leads to misconfiguration.

Effort: Medium–High

---

P3 — Future Ideas

🌐 Domain Allowlist Auditor

What: After each smoke test run, extract and analyze the domain allowlists used in test scenarios to ensure they follow the principle of least privilege — flagging overly broad patterns like *.com or entire CDN domains.

Effort: Low

---

🔀 Mergefest / Branch Sync

What: Auto-merge main into long-lived PR branches to prevent integration pain. Particularly useful for the multi-engine smoke test PRs.

Effort: Low (direct from Pelis Factory)

---

🏗️ Architecture Decision Recorder

What: When significant architectural changes land (new container, new CLI flag category, new security mechanism), auto-generate an Architecture Decision Record (ADR) stub as a PR.

Effort: Medium

---

🔬 Daily Malicious Code Scanner

What: Adapted from Pelis Factory pattern — scans recent commits for suspicious patterns (eval, base64-encoded payloads, unexpected network calls in tests). Important for supply-chain security of a security tool.

Effort: Low–Medium (direct template adaptation)

---

📈 Maturity Assessment

Dimension	Score	Notes
Security automation	⭐⭐⭐⭐⭐	Outstanding — secret diggers, security guard, security review are exemplary
CI/fault investigation	⭐⭐⭐⭐	CI Doctor is well-implemented; could add breaking change detection
Documentation maintenance	⭐⭐⭐	Doc maintainer exists but lacks noob testing, CLI consistency is weekly
Issue/PR lifecycle	⭐⭐⭐	Issue Monster + duplication detector, but missing triage/labeling
Code quality/refactoring	⭐⭐	Test coverage improver exists, but no continuous simplification
Meta-observability	⭐⭐	No workflow health monitor, no portfolio analyst
Release automation	⭐⭐⭐⭐	Release notes updater is solid
Multi-engine coverage	⭐⭐⭐⭐⭐	3-engine secret diggers + 4 smoke tests is exceptional

Current Level: 4/5 — This repository is in the top tier of agentic workflow adoption. The security coverage is genuinely state-of-the-art. The gaps are in code quality automation and meta-observability.

Target Level: 4.5/5 — Adding issue triage, workflow health monitoring, and a code simplifier would bring it to near-parity with the full Pelis Factory pattern set.

Gap Analysis: The 3 P0 recommendations (issue triage, workflow health monitor, breaking change checker) are high-value with low implementation effort. Adding them would close the most significant gaps.

---

🔄 Comparison with Best Practices

What This Repo Does Exceptionally Well

• Multi-engine security testing: Running secret digger tests across Claude, Codex, and Copilot simultaneously is more thorough than any Pelis Factory workflow
• Cross-repo coordination: The firewall-issue-dispatcher (syncing from gh-aw to gh-aw-firewall) is a sophisticated pattern not seen in the base factory
• Security-first design: security-guard on every PR with Claude (best model for security analysis) is the right choice
• Reaction-triggered smoke tests: Using emoji reactions to trigger engine-specific smoke tests is an elegant ChatOps pattern

What Could Be Improved

• Issue lifecycle management: Issues currently get no labels, making issue-monster dispatch indiscriminate
• Code quality automation: The TypeScript codebase grows but has no continuous simplification or refactoring agents
• Observability of agents: No agent currently watches the other agents (the Audit Workflows and Workflow Health Manager from Pelis Factory are missing)
• Test coverage cadence: Weekly is too slow for a security-critical tool; daily test coverage analysis would catch regressions faster

Unique Opportunities Given the Security Domain

1. AWF is itself the subject of its security workflows — the secret diggers and security review create a unique self-referential security loop worth preserving and expanding
2. Container hardening is a moving target — a baseline monitor would catch accidental security regressions faster than any human review
3. The firewall's correctness is verifiable — domain filtering rules can be tested automatically after every change, making a regression-detection workflow uniquely valuable here

---

📝 Notes for Future Runs

Stored to cache memory at /tmp/gh-aw/cache-memory/pelis-advisor-notes.md

• First run: 2026-03-30. All 22 workflows are compiled and have "Unknown" GitHub status (possibly new repo setup or API limitation).
• The issue-monster has a sophisticated skip-if-match pattern limiting parallel Copilot agent work to 9 in-flight PRs.
• Security review workflow is very long (45 min timeout) — monitor for cost.
• Three secret digger engines run at :00, :05, :10 past each hour respectively — good staggering to avoid simultaneous execution.
• In future runs: track which P0/P1 recommendations have been implemented and adjust focus accordingly.

AI generated by Pelis Agent Factory Advisor

• expires on Apr 6, 2026, 3:44 AM UTC