@codedrifters/configulator 0.0.350 → 0.0.352

package/lib/index.js

@@ -12200,7 +12200,7 @@ function buildMeetingAnalystSubAgent(tier) {
       "| `planning` | Sprint/plan updates, task issues, requirement drafts | Extract every task assignment. Phase 4 updates the active sprint-plan doc directly and creates one issue per assigned task. |",
       "| `review` | Retro notes, follow-up issues, status updates, requirement revisions | Mark completed tasks in the active sprint-plan doc. Capture retrospective learnings inside the meeting notes \u2014 do not spawn a separate retro document. |",
       "| `brainstorm` | Future-feature candidates, research topics, very few Firm decisions | Lower the bar for Open Questions. Do **not** create requirement or ADR issues from brainstorm output unless the item is explicitly marked **Firm**. Prefer research/discovery issues for promising ideas. |",
-      "| `standup` | Action items, blockers, status updates | Do not produce requirement, ADR, or BDR drafts. Phase 3 (Draft) is almost always skipped. Focus on action-item issues and sprint-plan status updates. |",
+      "| `standup` | Action items, blockers, status updates | Do not produce requirement, ADR, or BDR drafts. Phase 3 (Draft) is almost always skipped. Capture action items in the notes `## Action Items` table; file issues only for agent-workable doc deliverables (per the **Action-item filing policy**) and apply sprint-plan status updates. |",
       "| `external` | Customer/competitive intel, people/company profiles, lead capture | Default every attendee outside the team into **People of Interest**. Default every organization mentioned into **Companies of Interest** (signal threshold still applies). Capture stated customer pain points as candidate **BR** (business requirements), not FR. |",
       "| `other` | General meeting extraction | Apply the default workflow with no type-specific overrides. |",
       "",
@@ -12262,6 +12262,61 @@ function buildMeetingAnalystSubAgent(tier) {
       "",
       "---",
       "",
+      "## Action-item filing policy",
+      "",
+      "Not every action item should become a GitHub issue. The pipeline",
+      "can only ever close issues whose deliverable an automated agent",
+      "(or this repo's existing channels) can produce. Filing an issue",
+      "for a task only a human can do \u2014 in the real world or in a system",
+      "this pipeline cannot touch \u2014 creates queue noise that no worker or",
+      "orchestrator can ever resolve. Apply the **agent-workability",
+      "test** below in phases 1, 3, and 4.",
+      "",
+      "### Agent-workability test",
+      "",
+      "An action item is **agent-workable** only when completing it",
+      "produces a documentation deliverable an automated agent can author",
+      "in this repo's docs tree \u2014 a requirement document, an ADR, a docs",
+      "page, a BCM capability model, a research note, or a roadmap /",
+      "product-doc update. Route agent-workable items through their",
+      "**dedicated downstream channel** (`req:write`, `docs:write`,",
+      "`bcm:*`, `research:scope`, roadmap/product-doc follow-up). Never",
+      "file them as a generic `action-item` / `type:chore` issue.",
+      "",
+      "An action item is **human-owned** when it requires a person to act",
+      "in the real world or in a system this pipeline cannot reach.",
+      "Typical cues:",
+      "",
+      '- **send / email / schedule / invite / call** \u2014 e.g. "send out',
+      `  company invoices", "invite X to next week's call".`,
+      '- **install / configure / provision / set up** \u2014 e.g. "install and',
+      '  configure Claude", "get codebase read access".',
+      "- **decide / approve / choose / prioritise** (a human judgement",
+      "  call, not a documented decision record).",
+      '- **communicate / notify / give a heads-up** \u2014 e.g. "give Dr. Y a',
+      '  heads-up".',
+      "- **get / request access or credentials**, **pay / invoice**.",
+      "- **build or change code in another repo**, **design in an",
+      "  external tool** (Figma, etc.).",
+      "",
+      "Record human-owned items **only** in the notes `## Action Items`",
+      "table (who / what / when) \u2014 that table is the **system of record**",
+      "for human follow-ups. Do **not** file a GitHub issue for them.",
+      "",
+      "When an item is ambiguous, default to **human-owned**",
+      "(notes-only): a missed issue is cheaper than queue noise the",
+      "pipeline can never close.",
+      "",
+      "**Consumer tuning.** When the project supplies",
+      "`AgentConfigOptions.meetings.actionItemFiling`, an",
+      "**Action-item filing policy** subsection is rendered into the",
+      "meetings taxonomy with any extra human-owned / agent-workable cues",
+      "and a note when the split is disabled. Apply those overrides on",
+      "top of the built-in cues above; if the split is disabled, fall",
+      "back to filing a follow-up issue for every non-draft action item.",
+      "",
+      "---",
+      "",
       ...PROJECT_CONTEXT_MAINTAINER_SECTION,
       "## Traceability",
       "",
@@ -12293,7 +12348,7 @@ function buildMeetingAnalystSubAgent(tier) {
       "",
       "   | Artifact | Type | Issue/Path |",
       "   |----------|------|------------|",
-      "   | <title> | requirement / ADR / action-item / profile | #<N> or <path> |",
+      "   | <title> | requirement / ADR / docs / profile / research | #<N> or <path> |",
       "   ```",
       "",
       "2. **Update the meeting notes** with a similar `## Related Issues` section",
@@ -12358,7 +12413,7 @@ function buildMeetingAnalystSubAgent(tier) {
       `   | **Decisions** | "We decided...", "Let's go with...", explicit choices |`,
       '   | **Requirements** | Feature descriptions, acceptance criteria, "it should..." |',
       "   | **Technology discussions** | Platform comparisons, architecture options, tool evaluations |",
-      '   | **Action items** | "[Person] will...", "Next step is...", assigned tasks |',
+      '   | **Action items** | "[Person] will...", "Next step is...", assigned tasks. Tag each with its **disposition** (`agent-workable` vs `human-owned`) per the **Action-item filing policy**. |',
       '   | **Open questions** | "We need to figure out...", unresolved debates |',
       "   | **People of interest** | Industry contacts, domain experts mentioned |",
       "   | **Companies of interest** | Competitors, vendors, partners discussed |",
@@ -12373,7 +12428,10 @@ function buildMeetingAnalystSubAgent(tier) {
       "   - Decisions Made (with category and confidence: Firm / Tentative / Needs confirmation)",
       "   - Requirements Identified (with category and priority estimate)",
       "   - Technology Discussions (with status: Decided / Leaning toward / Open)",
-      "   - Action Items (with assignee and due date if stated)",
+      "   - Action Items (with assignee and due date if stated, and a",
+      "     **disposition** tag \u2014 `agent-workable` or `human-owned` \u2014 per",
+      "     the **Action-item filing policy** so Phase 4 can route each",
+      "     item without re-classifying it)",
       "   - Open Questions",
       "   - People of Interest (with context and whether a profile exists)",
       "   - Companies of Interest (with type and context)",
@@ -12503,7 +12561,11 @@ function buildMeetingAnalystSubAgent(tier) {
       "   - Agenda / topics covered",
       "   - Key Discussion Points (organized by topic)",
       "   - Decisions (numbered, with rationale)",
-      "   - Action Items (table: who, what, when)",
+      "   - Action Items (table: who, what, when). This table is the",
+      "     **system of record for human follow-ups** \u2014 human-owned",
+      "     action items live here and are never filed as GitHub issues",
+      "     (see the **Action-item filing policy**). Capture every",
+      "     action item here regardless of disposition.",
       "   - Open Questions",
       "   - Follow-up items",
       "4. **Plan the `notes/` tree index update \u2014 do not commit it",
@@ -12551,6 +12613,11 @@ function buildMeetingAnalystSubAgent(tier) {
       "This phase only exists if the extraction identified requirements, architectural",
       "decisions, or strategy changes. If this issue exists, execute it.",
       "",
+      "Draft proposals only for **agent-workable** deliverables (per the",
+      "**Action-item filing policy**). Action items tagged `human-owned`",
+      "in the extraction are not drafted here \u2014 they stay in the notes",
+      "`## Action Items` table and produce no follow-up issue.",
+      "",
       "### Steps",
       "",
       "1. Read the extraction file from Phase 1 at",
@@ -12590,8 +12657,27 @@ function buildMeetingAnalystSubAgent(tier) {
       "   gated by areas.",
       "3. Create ADR issues if technology decisions need formal records.",
       "   Include a `## Traceability` section in each. Not gated by areas.",
-      "4. Create action item issues for tasks that are not document-related.",
-      "   Include a `## Traceability` section in each. Not gated by areas.",
+      "4. **Route action items per the Action-item filing policy \u2014 do",
+      "   not file a generic `action-item` issue per task.** Read each",
+      "   action item's `disposition` tag from the extraction (re-apply",
+      "   the **agent-workability test** if the tag is missing):",
+      "   - **Agent-workable** (yields a doc deliverable an agent can",
+      "     author): file it through its **dedicated downstream channel**",
+      "     \u2014 a `req:write` issue for a requirement, a `docs:write` issue",
+      "     for a docs page, `bcm:*` for a capability model, a",
+      "     `research:scope` issue for a research note, or a roadmap /",
+      "     product-doc follow-up. Use the matching template from the",
+      "     issue-templates page; include a `## Traceability` section.",
+      "     Issue creation is not gated by areas.",
+      "   - **Human-owned** (send/schedule/install/decide/communicate/",
+      "     get-access/build-elsewhere): record it **only** in the notes",
+      "     `## Action Items` table (step 8 already carries the table",
+      "     forward). **File no GitHub issue.** When ambiguous, treat the",
+      "     item as human-owned.",
+      "   If the project disabled the split via",
+      "   `meetings.actionItemFiling.enabled: false`, fall back to filing",
+      "   a follow-up issue for every action item not already covered by",
+      "   a Phase 3 draft.",
       "5. Cross-reference the meeting in any existing documents that were",
       "   discussed **and that live under an in-scope `docRoot`**. For",
       "   discussed documents under an out-of-scope `docRoot`, open a",
@@ -12628,7 +12714,10 @@ function buildMeetingAnalystSubAgent(tier) {
       "- Use `gh` CLI for all GitHub operations",
       "- Apply the appropriate `meeting:*` phase label to each phase issue",
       "- Use `type:docs` for documentation-producing issues, `type:chore` for",
-      "  maintenance/organizational tasks",
+      "  maintenance/organizational tasks the pipeline can action",
+      "- Do **not** file issues for human-owned action items \u2014 per the",
+      "  **Action-item filing policy** they live only in the notes",
+      "  `## Action Items` table",
       "- Use `status:` labels to track progress (`status:ready`, `status:in-progress`, `status:done`)",
       "- Reference the source meeting transcript in all created issues",
       "- Link phase issues with `Depends on: #N` to enforce ordering",
@@ -12699,7 +12788,10 @@ var processMeetingSkill = {
     "1. Resolve the basename, partition, and any sibling files using",
     "   the **Basename-pairing algorithm** above",
     "2. Execute Phase 1 (Extract) \u2014 categorize the available content into",
-    "   decisions, requirements, action items, open questions, and more",
+    "   decisions, requirements, action items, open questions, and more.",
+    "   Tag each action item's disposition (`agent-workable` vs",
+    "   `human-owned`) per the agent's **Action-item filing policy** so",
+    "   Phase 4 keeps human-owned tasks out of the issue queue",
     "3. Write the extraction to",
     "   `<meetingsRoot>/insights/{type}/<basename>.md`",
     "4. Create downstream phase issues using `gh issue create`:",
@@ -12769,7 +12861,18 @@ function buildMeetingAnalysisBundle(tier = AGENT_MODEL.BALANCED) {
           "direct edits to the doc-root sub-folders declared in the project's",
           "**Area \u2192 doc-root mapping** table. When both fields are absent",
           "the pipeline falls back to the default workflow (kind `other`,",
-          "no area gating)."
+          "no area gating).",
+          "",
+          "Phase 4 applies an **agent-workability split** to action items:",
+          "items that yield a documentation deliverable an agent can author",
+          "are filed through their dedicated downstream channel",
+          "(`req:write`, `docs:write`, `bcm:*`, `research:scope`, roadmap",
+          "follow-up); human-owned tasks (send / schedule / install /",
+          "decide / communicate / get-access / build-elsewhere) are",
+          "recorded **only** in the notes `## Action Items` table, which is",
+          "the **system of record for human follow-ups** \u2014 no GitHub issue",
+          "is filed for them. Consumers tune or disable the split via",
+          "`AgentConfigOptions.meetings.actionItemFiling`."
         ].join("\n"),
         platforms: {
           cursor: { exclude: true }
@@ -13914,6 +14017,9 @@ var DEFAULT_BUNDLE_OVERRIDES = {
   "regulatory:research": {
     acceptanceCriteria: { smallMax: 3, mediumMax: 10 }
   },
+  "standards:research": {
+    acceptanceCriteria: { smallMax: 3, mediumMax: 10 }
+  },
   "software:map": {
     acceptanceCriteria: { smallMax: 3, mediumMax: 12 },
     sources: { smallMax: 2, mediumMax: 15 }
@@ -14127,6 +14233,31 @@ function renderScopeGateSection(gate, excludeBundles = []) {
       "alphabetical order on the label name** \u2014 first-wins, deterministic."
     );
   }
+  lines.push(
+    "",
+    "### Reconfiguring the thresholds",
+    "",
+    "Every threshold above is configurable per repo \u2014 the global",
+    "`acceptance-criteria` / `sources` classification bands and each",
+    "per-phase-label override. Retune them in the project's",
+    "configulator config so the gate fits this repo's issue shapes:",
+    "",
+    "- `AgentConfigOptions.scopeGate.acceptanceCriteria` /",
+    "  `AgentConfigOptions.scopeGate.sources` \u2014 the global",
+    "  `smallMax` / `mediumMax` bands applied to every issue.",
+    "- `AgentConfigOptions.scopeGate.bundleOverrides.<phase-label>` \u2014",
+    "  a per-phase-label override for **any** phase label, not just",
+    "  the ones shipped above. The map deep-merges with the shipped",
+    "  defaults (consumer-wins-per-key): add a key to raise a new",
+    "  label's AC / sources ceiling, set an existing key to replace a",
+    "  shipped default, or set a key to `undefined` to drop a shipped",
+    "  default and classify that label against the global bands.",
+    "",
+    "Each override entry's `acceptanceCriteria` and `sources` axes are",
+    "independent \u2014 override one and the other falls through to the",
+    "global band. Malformed thresholds (negative, non-integer, or",
+    "`mediumMax <= smallMax`) fail the build at synth time."
+  );
   lines.push(
     "",
     "### Decomposition-proposal template",
@@ -17782,12 +17913,18 @@ var pnpmBundle = {
 var DEFAULT_PATHS_EXEMPT_FROM_SIZE = [
   "docs/**"
 ];
+var DEFAULT_REQUIRED_WORKFLOWS = [];
 function resolvePrReviewPolicy(config) {
   const pathsExemptFromSize = config?.autoMerge?.pathsExemptFromSize ?? DEFAULT_PATHS_EXEMPT_FROM_SIZE;
+  const requiredWorkflows = config?.ciVerification?.requiredWorkflows ?? DEFAULT_REQUIRED_WORKFLOWS;
   assertValidPathsExemptFromSize(pathsExemptFromSize);
+  assertValidRequiredWorkflows(requiredWorkflows);
   return {
     autoMerge: {
       pathsExemptFromSize: [...pathsExemptFromSize]
+    },
+    ciVerification: {
+      requiredWorkflows: [...requiredWorkflows]
     }
   };
 }
@@ -17803,6 +17940,15 @@ function assertValidPathsExemptFromSize(paths) {
     }
   }
 }
+function assertValidRequiredWorkflows(workflows) {
+  for (const workflow of workflows) {
+    if (typeof workflow !== "string" || workflow.trim().length === 0) {
+      throw new Error(
+        "prReviewPolicy.ciVerification.requiredWorkflows entries must be non-empty strings"
+      );
+    }
+  }
+}
 
 // src/agent/bundles/pr-review.ts
 var prReviewerSubAgent = {
@@ -17844,6 +17990,125 @@ var prReviewerSubAgent = {
     "",
     "---",
     "",
+    "## CI Verification (primary read + Actions-runs fallback)",
+    "",
+    "Every CI-status decision in this agent \u2014 the Phase 1.5 eligibility",
+    "filter, the Phase 3 checklist, the Phase 4 merge gate, the Phase 4",
+    "step (h) re-enable condition, and the Phase 4.5 sticky `CI status`",
+    "field \u2014 resolves CI through the procedure below. It yields one of",
+    "three verdicts: **green** (every required check succeeded),",
+    "**pending** (no failures, but at least one required check is still",
+    "running or queued), or **red** (at least one required check",
+    "failed). Never enable auto-merge unless the verdict is **green**.",
+    "",
+    "### Step 1: Primary read \u2014 check-runs / statusCheckRollup",
+    "",
+    "Read CI from the GitHub check-runs rollup, the canonical source",
+    "GitHub itself uses to gate branch protection:",
+    "",
+    "```bash",
+    "gh pr checks <pr-number>",
+    "# equivalently, the rollup field:",
+    "gh pr view <pr-number> --json statusCheckRollup",
+    "```",
+    "",
+    "This read aggregates **every** check context \u2014 GitHub Actions,",
+    "third-party CI, GitHub Apps, and commit statuses. When it returns",
+    "one or more readable contexts, it is authoritative: map each",
+    "required context's conclusion with the table in Step 4 and do",
+    "**not** fall back. It is strictly more complete than the",
+    "Actions-runs view in Step 3.",
+    "",
+    "### Step 2: Detect the fine-grained-PAT 403",
+    "",
+    "The primary read fails closed for one specific credential: a",
+    "**fine-grained personal access token**. GitHub exposes no `Checks`",
+    "permission for fine-grained PATs (it is GitHub-App-only), so the",
+    "check-runs / `statusCheckRollup` request returns:",
+    "",
+    "```",
+    "HTTP 403: Resource not accessible by personal access token",
+    "```",
+    "",
+    "Trigger the Step 3 fallback **only** when the primary read either:",
+    "",
+    "- returns an explicit **403** (`Resource not accessible by personal",
+    "  access token`) on the check-runs / `statusCheckRollup` request,",
+    "  **or**",
+    "- returns **no readable check contexts at all** (an empty rollup)",
+    "  for a head SHA that does have CI configured.",
+    "",
+    "A primary read that returns one or more readable contexts is",
+    "authoritative \u2014 **never** fall back in that case (GitHub-App and",
+    "classic-PAT consumers keep the complete check-runs view). **Never**",
+    "treat a 403 or an unreadable check as green: the 403 is a",
+    "visibility failure, not a passing signal.",
+    "",
+    "### Step 3: Fallback read \u2014 Actions runs API",
+    "",
+    "A fine-grained PAT with `Actions: Read-only` (which **is**",
+    "grantable) can read workflow-run conclusions even when check-runs",
+    "is denied. Read every workflow run for the PR's head SHA:",
+    "",
+    "```bash",
+    "head_sha=$(gh pr view <pr-number> --json headRefOid --jq '.headRefOid')",
+    'gh api "repos/{{repository.owner}}/{{repository.name}}/actions/runs?head_sha=${head_sha}&per_page=100"',
+    "```",
+    "",
+    "Each run carries a `name`, `status`, and `conclusion`. **Collapse",
+    "re-runs:** when a workflow `name` appears more than once for the",
+    "same head SHA, keep only the most recent run (highest",
+    "`run_number` / latest `created_at`) for that name.",
+    "",
+    "This fallback only sees GitHub Actions runs. It is sound for repos",
+    "whose CI is entirely GitHub Actions; if a consumer adds a",
+    "non-Actions required check, a fine-grained-PAT credential cannot",
+    "see it and the consumer must move the reviewer to a GitHub App /",
+    "classic PAT to regain the complete check-runs view.",
+    "",
+    "### Step 4: Map conclusions to a verdict",
+    "",
+    "Apply this mapping to the set of required checks (Step 5 defines",
+    '"required"):',
+    "",
+    "| status / conclusion | Treatment |",
+    "|---------------------|-----------|",
+    "| `completed` / `success` | pass |",
+    "| `completed` / `skipped` | non-blocking (ignore) |",
+    "| `completed` / `neutral` | non-blocking (ignore) |",
+    "| `completed` / `failure` | **block \u2192 red** |",
+    "| `completed` / `cancelled` | **block \u2192 red** |",
+    "| `completed` / `timed_out` | **block \u2192 red** |",
+    "| `completed` / `action_required` | **block \u2192 red** |",
+    "| `in_progress` / `queued` / `requested` / `waiting` / null conclusion | not-yet-green (pending) |",
+    "",
+    "- If any required check is **red**, the verdict is **red**.",
+    "- Else if any required check is **pending**, the verdict is",
+    "  **pending**.",
+    "- Else (every required check passed or was non-blocking) the",
+    "  verdict is **green**.",
+    "",
+    '### Step 5: Which workflows are "required"',
+    "",
+    'In the **Step 1 primary path**, "required" means the contexts',
+    "GitHub marks required under branch protection \u2014 the rollup already",
+    "reflects this.",
+    "",
+    "In the **Step 3 fallback path**, the Actions runs API does not say",
+    "which workflows are required, so consult the policy's",
+    "`ci-verification.required-workflows` list (rendered in the",
+    "`PR Review Policy` block in CLAUDE.md):",
+    "",
+    "- **Non-empty list** \u2014 gate only on the workflow `name`s in the",
+    "  list. A listed workflow with **no** run for the head SHA is",
+    "  treated as not-yet-green (pending), never green.",
+    "- **Empty list (default)** \u2014 treat **every** workflow run observed",
+    "  for the head SHA as required. This is the conservative",
+    "  zero-config default: an unknown failing workflow blocks rather",
+    "  than slips through.",
+    "",
+    "---",
+    "",
     "## Phase 1: Identify the PR",
     "",
     "If a PR number was provided in your instructions, use that. Otherwise stop",
@@ -17862,7 +18127,12 @@ var prReviewerSubAgent = {
     '1. `mergeable == "MERGEABLE"` (no merge conflicts).',
     "2. No **failing** required checks in `statusCheckRollup` \u2014 CI must be",
     "   green or still pending. Any `FAILURE`, `TIMED_OUT`, `CANCELLED`, or",
-    "   `ERROR` conclusion on a required check disqualifies the PR.",
+    "   `ERROR` conclusion on a required check disqualifies the PR. If the",
+    "   `statusCheckRollup` read returns a 403 `Resource not accessible by",
+    "   personal access token` (fine-grained PAT) or an empty rollup,",
+    "   resolve CI via the **CI Verification** section's Actions-runs",
+    "   fallback before deciding eligibility \u2014 do **not** treat the 403 as",
+    "   either a pass or an automatic disqualification.",
     "3. The PR body contains a linked issue via one of the closing keywords:",
     "   `Closes #N`, `Fixes #N`, or `Resolves #N` (case-insensitive).",
     "",
@@ -18080,7 +18350,9 @@ var prReviewerSubAgent = {
     "- **Convention compliance** \u2014 PR title uses a conventional commit prefix,",
     "  body includes a closing keyword, branch name follows project conventions",
     "- **Test coverage** \u2014 new or changed behavior has tests",
-    "- **CI status** \u2014 `gh pr checks` reports all required checks passing",
+    "- **CI status** \u2014 resolve CI via the **CI Verification** section",
+    "  (primary check-runs read, with the Actions-runs fallback on a",
+    "  fine-grained-PAT 403). The verdict must be **green**.",
     "- **Scope creep** \u2014 diff stays within the issue's stated scope",
     "",
     "## Phase 3.5: Classify Comments",
@@ -18455,7 +18727,9 @@ var prReviewerSubAgent = {
     "   pushbacks added in step (a) and the failure pushbacks added in",
     "   step (f).",
     "4. CI is green or still pending (any failing required check",
-    "   disqualifies re-enablement).",
+    "   disqualifies re-enablement). Resolve CI via the **CI",
+    "   Verification** section, including the Actions-runs fallback on a",
+    "   fine-grained-PAT 403.",
     "",
     "When all four hold, re-enable auto-merge with the same command used",
     "in the auto-merge branch below:",
@@ -18854,7 +19128,9 @@ var prReviewerSubAgent = {
     "- **AC status** \u2014 the checklist produced in Phase 3 (met, partial,",
     "  or missing), with links to the files or tests that provide the",
     "  evidence.",
-    "- **CI status** \u2014 derived from `gh pr checks`.",
+    "- **CI status** \u2014 the verdict from the **CI Verification** section",
+    "  (primary check-runs read, or the Actions-runs fallback when",
+    "  check-runs returns a fine-grained-PAT 403).",
     "- **Outstanding** \u2014 the comments still carrying a non-terminal",
     "  reviewer reaction from Phase 3.5 (typically `eyes` for queued",
     "  in-scope items and `nit` / `question` items that remain open).",
@@ -18979,7 +19255,11 @@ var prReviewerSubAgent = {
     "2. **Never merge without a linked issue.** If the PR body has no",
     "   `Closes #N` / `Fixes #N` / `Resolves #N`, comment and stop.",
     "3. **Never merge with failing CI.** Even if every criterion is met,",
-    "   block on red checks.",
+    "   block on red checks. Resolve CI status via the **CI",
+    "   Verification** section: read check-runs first, and only on a",
+    "   fine-grained-PAT 403 (or an empty rollup) fall back to the",
+    "   Actions runs API. A 403 is a visibility failure, **never** a",
+    "   passing check \u2014 do not treat an unreadable check as green.",
     "4. **Never bypass review conventions.** Always use `--squash`, `--auto`,",
     "   and `--delete-branch` for merges. Do not force-merge.",
     "5. **Never auto-merge a `human-required` PR.** When Phase 2.75 resolves",
@@ -19161,7 +19441,10 @@ var reviewPrsSkill = {
     '2. `mergeable == "MERGEABLE"` (no conflicts).',
     "3. No required check in `statusCheckRollup` has a failing conclusion",
     "   (`FAILURE`, `TIMED_OUT`, `CANCELLED`, `ERROR`). CI green or still",
-    "   pending is fine.",
+    "   pending is fine. When `statusCheckRollup` is empty or denied with",
+    "   a fine-grained-PAT 403, keep the PR in the queue \u2014 the per-PR",
+    "   pipeline resolves CI authoritatively via the reviewer's CI",
+    "   Verification Actions-runs fallback.",
     "4. The PR body contains a linked issue (`Closes #N` / `Fixes #N` /",
     "   `Resolves #N`, case-insensitive).",
     "",
@@ -19280,6 +19563,12 @@ function buildPrReviewBundle(policy = resolvePrReviewPolicy()) {
           ...renderPathsExemptFromSizeYaml(
             policy.autoMerge.pathsExemptFromSize
           ),
+          "",
+          "ci-verification:",
+          "  required-workflows:",
+          ...renderRequiredWorkflowsYaml(
+            policy.ciVerification.requiredWorkflows
+          ),
           "```",
           "",
           "## Precedence",
@@ -19361,7 +19650,69 @@ function buildPrReviewBundle(policy = resolvePrReviewPolicy()) {
           "out only kicks in for **code-heavy** PRs that legitimately trip",
           "rule #6 (mixed-content diffs whose non-doc paths fail the",
           "`paths-exempt-from-size` check, or consumers that disable the",
-          "doc-only carve-out entirely)."
+          "doc-only carve-out entirely).",
+          "",
+          "## CI Verification",
+          "",
+          "Before enabling auto-merge the reviewer confirms CI is green.",
+          "The **primary** read is the GitHub check-runs rollup",
+          "(`gh pr checks` / `statusCheckRollup`) \u2014 the same source",
+          "GitHub uses for branch protection, covering **every** check",
+          "context (Actions, third-party CI, GitHub Apps, commit",
+          "statuses). It stays primary for every consumer because it is",
+          "strictly more complete than the Actions-only fallback below.",
+          "",
+          "### Fine-grained-PAT fallback to the Actions runs API",
+          "",
+          "When the reviewer authenticates with a **fine-grained personal",
+          "access token**, the check-runs read returns",
+          "`HTTP 403: Resource not accessible by personal access token`.",
+          "This is not grantable away: GitHub exposes **no `Checks`",
+          "permission for fine-grained tokens** (it is GitHub-App-only),",
+          "so the token permission picker has no entry to add. On that",
+          "specific 403 (or when the rollup returns no readable contexts",
+          "at all), the reviewer falls back to the **Actions runs API**:",
+          "",
+          "```",
+          "GET /repos/{owner}/{repo}/actions/runs?head_sha={head_sha}&per_page=100",
+          "```",
+          "",
+          "which a fine-grained PAT with `Actions: Read-only` **can**",
+          "read. Auto-merge is then gated on the required workflows'",
+          "latest run per workflow name concluding `success`",
+          "(`skipped` / `neutral` are non-blocking; `failure` /",
+          "`cancelled` / `timed_out` / `action_required` block; a run",
+          "still `in_progress` / `queued`, or a required workflow with no",
+          "run at all, counts as not-yet-green). The 403 is detected",
+          "explicitly and is **never** treated as a passing check \u2014 it is",
+          "a visibility failure, not a green signal.",
+          "",
+          "The fallback fires **only** when the primary check-runs read",
+          "is denied, so GitHub-App and classic-PAT consumers (which can",
+          "read check-runs) are unaffected and keep the complete view.",
+          "The fallback only sees GitHub Actions runs; a consumer whose",
+          "CI includes a non-Actions required check cannot verify it on a",
+          "fine-grained PAT and must move the reviewer to a GitHub App /",
+          "classic PAT to regain the complete check-runs view.",
+          "",
+          "### Configuring required workflows",
+          "",
+          "The `ci-verification.required-workflows` list in the policy",
+          "YAML names the workflows the fallback gates on:",
+          "",
+          "- **Non-empty list** \u2014 gate only on those workflow `name`s.",
+          "  A listed workflow with no run for the head SHA is treated as",
+          "  not-yet-green (pending), never green.",
+          "- **Empty list (the default)** \u2014 treat **every** workflow run",
+          "  observed for the head SHA as required. This is the",
+          "  conservative zero-config default so an unknown failing",
+          "  workflow blocks rather than slips through.",
+          "",
+          "Consumers tune the list via",
+          "`agentConfig.prReviewPolicy.ciVerification.requiredWorkflows`.",
+          "The list governs **only** the fallback path; the primary",
+          'check-runs read derives "required" from branch protection',
+          "directly."
         ].join("\n"),
         tags: ["policy", "review"]
       },
@@ -19647,6 +19998,12 @@ function renderPathsExemptFromSizeYaml(paths) {
   }
   return paths.map((path8) => `    - "${path8}"`);
 }
+function renderRequiredWorkflowsYaml(workflows) {
+  if (workflows.length === 0) {
+    return ["    []"];
+  }
+  return workflows.map((workflow) => `    - "${workflow}"`);
+}
 var prReviewBundle = buildPrReviewBundle();
 
 // src/agent/bundles/projen.ts
@@ -30086,13 +30443,20 @@ function renderFocusSection(focus) {
 
 // src/agent/bundles/meeting-types.ts
 var DEFAULT_AGENDA_TEMPLATE_ROOT = "<meetingsRoot>/_agenda-templates";
+function actionItemFilingHasOverride(filing) {
+  if (!filing) {
+    return false;
+  }
+  return filing.enabled === false || (filing.humanOwnedCues ?? []).length > 0 || (filing.agentWorkableCues ?? []).length > 0;
+}
 function renderMeetingTypesSection(meetings) {
   if (!meetings) {
     return "";
   }
   const types = meetings.meetingTypes ?? [];
   const areas = meetings.meetingAreas ?? [];
-  if (types.length === 0 && areas.length === 0) {
+  const filingOverride = actionItemFilingHasOverride(meetings.actionItemFiling) ? meetings.actionItemFiling : void 0;
+  if (types.length === 0 && areas.length === 0 && !filingOverride) {
     return "";
   }
   const sections = [];
@@ -30102,6 +30466,9 @@ function renderMeetingTypesSection(meetings) {
   if (areas.length > 0) {
     sections.push(renderMeetingAreas(areas));
   }
+  if (filingOverride) {
+    sections.push(renderActionItemFiling(filingOverride));
+  }
   return sections.join("\n\n");
 }
 function renderMeetingTypes(types, agendaTemplateRoot) {
@@ -30155,6 +30522,54 @@ function renderMeetingAreas(areas) {
   }
   return lines.join("\n");
 }
+function renderActionItemFiling(filing) {
+  const lines = [
+    "## Action-item filing policy",
+    "",
+    "This project tunes the Phase 4 (Link) agent-workability split",
+    "through `AgentConfigOptions.meetings.actionItemFiling`. See the",
+    "**Action-item filing policy** section of the `meeting-analyst`",
+    "agent for the full baked-in test.",
+    ""
+  ];
+  if (filing.enabled === false) {
+    lines.push(
+      "- **Split disabled.** Phase 4 falls back to the legacy behaviour:",
+      "  file a follow-up issue for every action item that is not",
+      "  already covered by a requirement or ADR draft, including",
+      "  human-owned tasks. The notes `## Action Items` table is still",
+      "  written, but it is no longer the sole record for human",
+      "  follow-ups."
+    );
+  } else {
+    lines.push(
+      "- **Split enabled** (default). Agent-workable doc deliverables are",
+      "  filed through their dedicated downstream channel; human-owned",
+      "  tasks are recorded only in the notes `## Action Items` table."
+    );
+  }
+  const humanCues = filing.humanOwnedCues ?? [];
+  if (humanCues.length > 0) {
+    lines.push(
+      "",
+      "**Additional human-owned cues** (recorded notes-only, never",
+      "filed), in addition to the bundle's built-in list:",
+      "",
+      ...humanCues.map((cue) => `- ${cue}`)
+    );
+  }
+  const agentCues = filing.agentWorkableCues ?? [];
+  if (agentCues.length > 0) {
+    lines.push(
+      "",
+      "**Additional agent-workable cues** (filed through the matching",
+      "downstream channel), in addition to the bundle's built-in list:",
+      "",
+      ...agentCues.map((cue) => `- ${cue}`)
+    );
+  }
+  return lines.join("\n");
+}
 
 // src/agent/bundles/priority-rules.ts
 function renderPriorityRulesSection(rules) {