[Pelis Agent Factory Advisor] Agentic Workflow Advisor Report — April 2026

[github-actions[bot]]

📊 Executive Summary

gh-aw-firewall has a mature and security-focused agentic workflow collection — 23 agentic workflows covering security, CI health, smoke testing, documentation, and dependency monitoring. The biggest gaps are automated issue triage, breaking change detection, and a meta-monitoring workflow that watches the health of all other workflows. With targeted additions in these areas, the repository could reach near-maximum agentic automation density for a project of its scope.

---

🎓 Patterns Learned from Pelis Agent Factory

From the Documentation Site

The factory runs 100+ workflows organized into these categories:

Category	Key Pattern
Issue Management	Triage + labels on open, arborist for organization, monster for dispatching
Fault Investigation	CI Doctor (post-failure analysis), Breaking Change Checker, Schema Drift Checker
Security	Daily secrets scan, malicious code scan, static analysis report, firewall validation
Documentation	Updater (daily), Noob Tester, Unbloat, Glossary Maintainer
Testing & Validation	Daily test improver, CLI Consistency Checker, CI Coach
Meta-Monitoring	Workflow Health Manager — monitors all other workflows
Operations	Changeset generator, Daily workflow updater

Key Design Principles

1. Specialization over monoliths — Many focused workflows outperform single general-purpose agents
2. Read-only analysts produce discussions; writers produce PRs — Clear output contracts
3. Meta-agents are highly valuable — Watching other workflows catches silent failures
4. skip-if-match — Prevent pile-up by skipping if a similar open PR/issue exists
5. cache-memory — State across runs enables incremental/delta workflows (e.g., issue deduplication)
6. min-integrity: none for public-facing triage to reach all users
7. Multi-engine smoke tests are a best practice for multi-engine repos (this repo already does this well)

How This Repo Compares

Strengths:

• Strong security posture: security-guard (PR review), security-review (daily), secret-diggers (multi-engine), dependency-security-monitor
• Multi-engine smoke testing (Claude, Codex, Copilot, Chroot, Services) — exceptional
• Cross-repo issue dispatcher from gh-aw — sophisticated integration pattern
• CI Doctor with targeted workflow monitoring
• cache-memory usage in issue-duplication-detector and smoke tests

Gaps vs. Factory Patterns:

• No issue triage agent (labels on open)
• No breaking change checker for CLI/API
• No schema/type consistency checker (TypeScript types ↔ docs drift)
• No Workflow Health Manager (meta-monitoring)
• No changeset generator for release automation
• No "documentation noob tester"
• No PR quick-fix workflow

---

📋 Current Agentic Workflow Inventory

Workflow	Purpose	Trigger	Assessment
build-test	Build + test verification via PR	PR	✅ Solid
ci-cd-gaps-assessment	Daily CI/CD gap analysis	Daily	✅ Good
ci-doctor	Investigates failed CI runs	workflow_run (failed)	✅ High-value, well-configured
cli-flag-consistency-checker	Weekly CLI/docs sync	Weekly	✅ Good
dependency-security-monitor	Daily CVE monitoring + patch PRs	Daily	✅ Excellent
doc-maintainer	Daily doc sync with code changes	Daily	✅ Good
firewall-issue-dispatcher	Cross-repo issue sync from gh-aw	Every 6h	✅ Sophisticated
issue-duplication-detector	Flags duplicate issues	Issue opened	✅ Uses cache-memory well
issue-monster	Dispatches issues to Copilot agent	Issue opened + schedule	✅ Good dispatcher
pelis-agent-factory-advisor	This workflow	Schedule	✅ Meta-analysis
plan	/plan slash command → sub-issues	Slash command	✅ Useful ChatOps
secret-digger-{claude,codex,copilot}	Multi-engine secret scanning	Schedule	✅ Multi-engine best practice
security-guard	PR security review	PR opened/sync	✅ Critical guard
security-review	Daily comprehensive security review	Daily	✅ Deep coverage
smoke-{chroot,claude,codex,copilot,services}	Multi-engine smoke tests	Schedule + PR	✅ Outstanding
test-coverage-improver	Weekly test gap analysis + PRs	Weekly	✅ Good
update-release-notes	Enhances release notes on publish	Release published	✅ Good

---

🚀 Actionable Recommendations

P0 — Implement Immediately

[P0] Automated Issue Triage Agent

What: On issue open, analyze content and apply one of a predefined label set (bug, feature, enhancement, documentation, security, question). Leave a brief explanatory comment for the author.

Why: Every new issue currently arrives unlabeled, creating manual overhead and making filtering/searching the issue tracker difficult. Issue triage is the "hello world" of agentic automation — simple, high impact, immediate user value.

How: Single workflow triggered on issues: [opened, reopened], read-only on issues + labels, uses safe-outputs: add-labels (scoped to allowed set) + add-comment.

Effort: Low (< 1 hour)

---
on:
  issues:
    types: [opened, reopened]
  min-integrity: none
permissions:
  issues: read
tools:
  github:
    toolsets: [issues, labels]
safe-outputs:
  add-labels:
    allowed: [bug, feature, enhancement, documentation, security, question, good-first-issue]
  add-comment:
    max: 1
timeout-minutes: 5
---
Analyze unlabeled issues in this AWF repository. Apply one label from the allowed set and leave a brief comment explaining why, noting how the issue fits into the firewall's architecture (Squid proxy, Docker networking, domain ACLs, chroot sandboxing).

---

[P0] Breaking Change Checker

What: On every PR, detect backward-incompatible changes to: CLI flags, WrapperConfig TypeScript interface, Docker Compose API, environment variables exposed to agents, or container image contracts.

Why: AWF has external users who depend on CLI flag compatibility and container behavior. A silent breaking change (e.g., renaming --allow-domains, changing env var names) could break CI pipelines. The existing security-guard reviews security posture but not API compatibility. This repo is explicitly used by other repos in its organization.

How: PR-triggered agent that reads src/types.ts, src/cli.ts, the PR diff, and CHANGELOG.md. Creates an issue if breaking changes detected. No code writes needed — read-only analyst.

Effort: Low–Medium

---

P1 — Plan for Near-Term

[P1] Workflow Health Manager

What: Daily meta-agent that inspects the health of all 20+ agentic workflows: checks for recent run failures, workflows that haven't triggered in unexpectedly long periods, stale open PRs from AI agents, and workflow configuration regressions.

Why: With 23 workflows running on various schedules, silent failures are easy to miss. In Pelis Agent Factory, this workflow created 40 issues and drove 25+ merged PRs — it's one of the highest-ROI meta-patterns. It already exists for ci-doctor to watch specific CI jobs, but no workflow watches the agentic workflows themselves.

How: Daily schedule, uses agentic-workflows tool + github: actions toolset. Creates issues for anomalies. Posts daily health discussion.

Effort: Medium

---

[P1] Changeset Generator

What: On PR merge to main (or scheduled daily), analyze commits since the last release, determine the appropriate semver bump (major/minor/patch), and open a PR updating CHANGELOG.md and package.json version. This complements update-release-notes.md (which runs after release publish) by preparing the release.

Why: Release preparation is currently manual. With frequent CI/security fixes, release cadence could accelerate if the changelog and version bump are automated. Pelis Agent Factory's Changeset workflow achieved 78% merge rate across 28 proposed PRs.

Effort: Medium

---

[P1] TypeScript Type/Schema Consistency Checker

What: Daily or weekly agent that checks for drift between: src/types.ts (WrapperConfig, DockerComposeConfig, etc.), CLI argument definitions in src/cli.ts, documentation in docs/, and AGENTS.md/CLAUDE.md. Creates a discussion report with any inconsistencies found.

Why: This repo's TypeScript interfaces define the public contract for AWF. As the codebase grows, drift between the type definitions, CLI help text, and documentation creates confusion. The Pelis Factory's Schema Consistency Checker created 55 analysis discussions and caught critical drift. This is especially relevant here since types.ts is central to the architecture.

Effort: Low–Medium (discussion-output only, no code writes)

---

[P1] PR Quick-Fix Workflow

What: When a PR has failing CI checks AND a human adds a 👍 reaction or /fix comment, trigger an agent to investigate the failure and attempt a minimal fix.

Why: CI failures on PRs (lint errors, test failures, type errors) are common and often trivial to fix. Having an agent attempt the fix immediately reduces round-trip time. The Copilot coding agent is already dispatched for issues via issue-monster; extending this pattern to PRs is a natural evolution. In the agentics repo, pr-fix.md implements this exact pattern.

Effort: Medium

---

P2 — Consider for Roadmap

[P2] Documentation Noob Tester

What: Weekly agent that reads the docs-site/ content and README.md as if it were a new user trying to install and use AWF for the first time. Creates issues for confusing steps, missing context, or broken example commands. Especially valuable for testing the setup flow (Docker prerequisites, iptables requirements, sudo usage).

Why: AWF has a non-trivial setup process (Docker, sudo, iptables). New users frequently hit friction that experienced maintainers don't notice. Pelis Factory's Noob Tester achieved 9 merged PRs from its causal chain.

Effort: Low (discussion/issue output only)

---

[P2] Daily Container Security Scanner

What: Daily workflow that scans the three AWF Docker images (squid, agent, api-proxy) for CVEs using Trivy or similar. Creates issues for HIGH/CRITICAL findings. Distinct from dependency-security-monitor which focuses on npm dependencies.

Why: AWF ships Docker container images to GHCR. Container base images accumulate vulnerabilities independently of npm dependencies. ubuntu/squid:latest and ubuntu:22.04 receive security patches that require rebuild+republish. This is a security-critical project that should have container-layer CVE visibility.

Effort: Low–Medium (bash tool + Trivy, issue output)

---

[P2] Weekly Repo Chronicle / Activity Summary

What: Weekly agent that summarizes: merged PRs and their themes, opened/closed issues, AI-agent PR activity metrics, security findings addressed. Posts as a discussion. Useful for async teams and external contributors.

Why: With 23+ agentic workflows generating PRs and discussions, it's easy to lose track of overall project velocity. A weekly human-readable chronicle helps maintainers stay oriented and builds community awareness.

Effort: Low (read-only, discussion output)

---

[P2] Issue Arborist

What: Daily agent that scans open issues for related content, proposes parent/child issue relationships, and links them as sub-issues. For AWF, this would group issues by component (Squid config, Docker networking, iptables, chroot, API proxy).

Why: Issue organization improves navigation and milestone planning. In the Pelis Factory, this workflow created 18 parent issues and 77 discussion reports. AWF has a complex multi-component architecture where issue relationships aren't always obvious.

Effort: Medium (issue write permissions, sub-issue linking)

---

P3 — Future Ideas

[P3] Docs Site Multi-Device Tester

What: Test the docs-site/ (Astro Starlight) across mobile, tablet, and desktop using Playwright. Verify responsive layout, navigation, code blocks, and link validity.

Why: The docs site is used by external developers. Mobile rendering issues won't be caught by existing link-check workflows. Pelis Factory's implementation achieved 100% merge rate (2/2 PRs).

Effort: Medium–High (Playwright setup required)

---

[P3] Contributor Onboarding Assistant

What: On first-time contributor PRs, trigger a welcoming agent that explains the PR requirements, points to CONTRIBUTING.md, and checks for common issues (missing tests, documentation gaps).

Why: First-time contributors need extra guidance. This pattern reduces maintainer burden for basic PR feedback. Low risk, potentially high community impact.

Effort: Low

---

📈 Maturity Assessment

Dimension	Score	Notes
Security automation	5/5	Exemplary — multi-engine secret scanning, daily security review, PR guard, dependency monitoring
Testing & validation	5/5	Multi-engine smoke tests are best-in-class
CI/CD automation	4/5	CI Doctor + gaps assessment strong; missing changeset/release prep
Documentation automation	3/5	Daily doc maintainer good; missing noob tester, consistency checker
Issue management	2/5	Deduplication + monster + dispatcher, but no triage labels
Meta-monitoring	2/5	No Workflow Health Manager watching all workflows
Overall	4/5	Strong foundation, clear incremental path to 5/5

Target Level: 5/5 — achievable with P0+P1 items above (5–6 new workflows)

Gap Analysis:

1. Add issue triage (immediate, trivial)
2. Add breaking change checker (PR gate, critical for external users)
3. Add Workflow Health Manager (meta-monitoring, high leverage)
4. Add changeset generator (release automation)
5. Add type/schema consistency checker (architecture hygiene)

---

🔄 Domain-Specific Opportunities

Given AWF's unique role as a network firewall for AI agents, there are opportunities no generic repository would have:

1. Firewall Escape Regression Tests — Automated tests that verify known escape vectors remain blocked. Already partially done in smoke tests, but a dedicated "adversarial" workflow could probe the boundaries more systematically.

2. Domain Whitelist Coverage Analyzer — Weekly agent that reviews which domains smoke tests actually hit vs. which domains are in the default whitelist, identifying over-permissive defaults.

3. Multi-Engine Parity Checker — Compare smoke test results across Claude/Codex/Copilot engines to identify engine-specific behavior differences in the firewall.

---

📝 Notes for Future Runs

Stored in /tmp/gh-aw/cache-memory/advisor-notes.md:

• 23 agentic workflow MD files as of April 2026
• Top gaps: issue triage, breaking change detector, workflow health manager
• Strong security posture — unique multi-engine testing approach
• Next run: check if issue triage, breaking change checker, or Workflow Health Manager have been added

AI generated by Pelis Agent Factory Advisor

• expires on Apr 8, 2026, 3:44 AM UTC