@fitlab-ai/agent-infra 0.5.2 → 0.5.4

package/README.md

@@ -5,7 +5,7 @@
 <h1 align="center">Agent Infra</h1>
 
 <p align="center">
-  The missing collaboration layer for AI coding agents — unified skills and workflows for Claude Code, Codex, Gemini CLI, and OpenCode.
+  Collaboration infrastructure for AI coding agents — skills, workflows, and sandboxes for Claude Code, Codex, Gemini CLI, and OpenCode.
 </p>
 
 <p align="center">
@@ -29,7 +29,7 @@
 
 Teams increasingly mix Claude Code, Codex, Gemini CLI, OpenCode, and other AI TUIs in the same repository, but each tool tends to introduce its own commands, prompts, and local conventions. Without a shared layer, the result is fragmented workflows, duplicated setup, and task history that is difficult to audit.
 
-agent-infra standardizes that collaboration surface. It gives every supported AI TUI the same task lifecycle, the same skill vocabulary, the same project governance files, and the same upgrade path, so teams can switch tools without rebuilding process from scratch.
+agent-infra standardizes that shared infrastructure. It gives every supported AI TUI the same task lifecycle, the same skill vocabulary, the same project governance files, isolated development sandboxes, and the same upgrade path, so teams can switch tools without rebuilding process from scratch.
 
 <a id="see-it-in-action"></a>
 
@@ -410,7 +410,7 @@ The generated `.agents/.airc.json` file is the central contract between the boot
   "project": "my-project",
   "org": "my-org",
   "language": "en",
-  "templateVersion": "v0.5.2",
+  "templateVersion": "v0.5.4",
   "files": {
     "managed": [
       ".agents/workspace/README.md",

package/README.zh-CN.md

@@ -5,7 +5,7 @@
 <h1 align="center">Agent Infra</h1>
 
 <p align="center">
-  AI 编程代理之间缺失的协作层 —— 为 Claude Code、Codex、Gemini CLI、OpenCode 提供统一的 skills 和工作流。
+  AI 编程代理的协作基础设施 —— 为 Claude Code、Codex、Gemini CLI、OpenCode 提供 skills、工作流和沙箱。
 </p>
 
 <p align="center">
@@ -29,7 +29,7 @@
 
 越来越多的团队会在同一个仓库里混用 Claude Code、Codex、Gemini CLI、OpenCode 等 AI TUI，但每个工具往往都会带来自己的命令体系、提示词习惯和本地约定。缺少共享层时，结果通常是工作流割裂、初始化重复、任务历史难以追踪。
 
-agent-infra 的目标就是把这层协作面标准化。它为所有支持的 AI TUI 提供统一的任务生命周期、统一的 skill 词汇、统一的项目治理文件以及统一的升级路径，让团队切换工具时不必重新发明流程。
+agent-infra 的目标就是把这层共享基础设施标准化。它为所有支持的 AI TUI 提供统一的任务生命周期、统一的 skill 词汇、统一的项目治理文件、隔离的开发沙箱以及统一的升级路径，让团队切换工具时不必重新发明流程。
 
 <a id="see-it-in-action"></a>
 
@@ -410,7 +410,7 @@ import-issue #42                    从 GitHub Issue 导入任务
   "project": "my-project",
   "org": "my-org",
   "language": "en",
-  "templateVersion": "v0.5.2",
+  "templateVersion": "v0.5.4",
   "files": {
     "managed": [
       ".agents/workspace/README.md",

package/lib/merge.js

@@ -404,15 +404,22 @@ function removeManifestFiles(rootDir) {
 }
 
 function formatTimestamp(date) {
+  const pad = (value) => String(value).padStart(2, '0');
+  const offsetMinutes = -date.getTimezoneOffset();
+  const sign = offsetMinutes >= 0 ? '+' : '-';
+  const absoluteOffsetMinutes = Math.abs(offsetMinutes);
+  const offsetHours = Math.floor(absoluteOffsetMinutes / 60);
+  const offsetRemainderMinutes = absoluteOffsetMinutes % 60;
+
   return [
     date.getFullYear(),
-    String(date.getMonth() + 1).padStart(2, '0'),
-    String(date.getDate()).padStart(2, '0')
+    pad(date.getMonth() + 1),
+    pad(date.getDate())
   ].join('-') + ' ' + [
-    String(date.getHours()).padStart(2, '0'),
-    String(date.getMinutes()).padStart(2, '0'),
-    String(date.getSeconds()).padStart(2, '0')
-  ].join(':');
+    pad(date.getHours()),
+    pad(date.getMinutes()),
+    pad(date.getSeconds())
+  ].join(':') + `${sign}${pad(offsetHours)}:${pad(offsetRemainderMinutes)}`;
 }
 
 function formatBackupTimestamp(date) {
@@ -485,7 +492,15 @@ function getTaskTimestamp(taskDir) {
 }
 
 function compareTimestamps(left, right) {
-  return left.value.localeCompare(right.value);
+  const normalizeTimestamp = (timestamp) => (timestamp.includes('T') ? timestamp : timestamp.replace(' ', 'T'));
+  const leftMs = Date.parse(normalizeTimestamp(left.value));
+  const rightMs = Date.parse(normalizeTimestamp(right.value));
+
+  if (Number.isNaN(leftMs) || Number.isNaN(rightMs)) {
+    return left.value.localeCompare(right.value);
+  }
+
+  return leftMs - rightMs;
 }
 
 function scanWorkspaceSection(rootDir, sectionName) {

package/lib/sandbox/commands/rm.js

@@ -87,7 +87,7 @@ async function rmOne(config, tools, branch) {
 
       const shouldDeleteBranch = await p.confirm({
         message: `Also delete local branch '${effectiveBranch}'?`,
-        initialValue: false
+        initialValue: true
       });
 
       if (!p.isCancel(shouldDeleteBranch) && shouldDeleteBranch) {

package/lib/sandbox/runtimes/base.dockerfile

@@ -11,8 +11,10 @@ RUN (groupadd -g ${HOST_GID} devuser || true) && \
     useradd -u ${HOST_UID} -g ${HOST_GID} -m -s /bin/bash devuser
 
 RUN apt-get update && apt-get install -y \
-    curl wget git vim tmux file \
+    curl wget git vim file \
     build-essential ca-certificates gnupg lsb-release \
+    libevent-core-2.1-7 libncursesw6 libtinfo6 \
+    pkg-config bison libevent-dev libncurses-dev \
     locales \
     && locale-gen en_US.UTF-8 \
     && (curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
@@ -20,6 +22,19 @@ RUN apt-get update && apt-get install -y \
     && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
         > /etc/apt/sources.list.d/github-cli.list \
     && apt-get update && apt-get install -y gh \
+    && TMUX_VERSION=3.6a \
+    && wget -qO /tmp/tmux.tar.gz \
+        "https://github.com/tmux/tmux/releases/download/${TMUX_VERSION}/tmux-${TMUX_VERSION}.tar.gz" \
+    && tar xzf /tmp/tmux.tar.gz -C /tmp \
+    && cd /tmp/tmux-${TMUX_VERSION} \
+    && ./configure --prefix=/usr/local \
+    && make -j"$(nproc)" \
+    && make install \
+    && cd / \
+    && rm -rf /tmp/tmux.tar.gz /tmp/tmux-${TMUX_VERSION} \
+    && apt-get purge -y pkg-config bison libevent-dev libncurses-dev \
+    && apt-get autoremove -y \
+    && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
 # Enable extended keys in CSI u format so Shift+Enter and other modified
@@ -30,6 +45,7 @@ RUN printf '%s\n' \
       'set -g extended-keys-format csi-u' \
       "set -as terminal-features 'xterm*:extkeys'" \
       "set -ga update-environment 'TERM_PROGRAM TERM_PROGRAM_VERSION LC_TERMINAL LC_TERMINAL_VERSION'" \
+      'set -g mouse on' \
     > /etc/tmux.conf
 
 ENV LANG=en_US.UTF-8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fitlab-ai/agent-infra",
-  "version": "0.5.2",
+  "version": "0.5.4",
   "description": "Bootstrap tool for AI multi-tool collaboration infrastructure — works with Claude Code, Codex, Gemini CLI, and OpenCode",
   "license": "MIT",
   "type": "module",

package/templates/.agents/rules/issue-pr-commands.github.en.md

@@ -13,50 +13,65 @@ gh repo view --json nameWithOwner
 
 If either command fails, stop or degrade according to the calling skill.
 
+## Upstream Repository and Permission Detection
+
+Before any later `gh issue` or `gh api "repos/..."` call, follow `.agents/rules/issue-sync.md` to resolve `upstream_repo`, `has_triage`, and `has_push`.
+
+- every later `gh issue` command must use `-R "$upstream_repo"`
+- every later repository-scoped `gh api` command must use `"repos/$upstream_repo/..."`
+- keep `gh pr *` commands on the current repository without adding `-R`
+- keep organization-scoped commands such as `gh api "orgs/{owner}/..."` unchanged
+
 ## Read and Create Issues
 
 Read an Issue:
 
 ```bash
-gh issue view {issue-number} --json number,title,body,labels,state,milestone,url
+gh issue view {issue-number} -R "$upstream_repo" --json number,title,body,labels,state,milestone,url
 ```
 
 Create an Issue:
 
 ```bash
-gh issue create --title "{title}" --body "{body}" --assignee @me {label-args} {milestone-arg}
+gh issue create -R "$upstream_repo" --title "{title}" --body "{body}" --assignee @me {label-args} {milestone-arg}
 ```
 
 - expand `{label-args}` into repeated `--label` flags from the validated label list
+- pass `{label-args}` only when `has_triage=true`; otherwise omit it and continue
 - omit all `--label` flags when nothing valid remains
+- pass `{milestone-arg}` only when `has_triage=true`; otherwise omit it and continue
 - omit `{milestone-arg}` entirely when no milestone should be set
 
 Set the Issue Type:
 
 ```bash
 gh api "orgs/{owner}/issue-types" --jq '.[].name'
-gh api "repos/{owner}/{repo}/issues/{issue-number}" -X PATCH -f type="{issue-type}" --silent
+gh api "repos/$upstream_repo/issues/{issue-number}" -X PATCH -f type="{issue-type}" --silent
 ```
 
+- set the Issue Type only when `has_push=true`; otherwise skip and continue
+
 ## Update Issues
 
 Use this shape when updating titles, labels, assignees, or milestones:
 
 ```bash
-gh issue edit {issue-number} {edit-args}
+gh issue edit {issue-number} -R "$upstream_repo" {edit-args}
 ```
 
 Common arguments:
 - `--title "{title}"`
-- `--add-label "{label}"`
-- `--remove-label "{label}"`
+- `--add-label "{label}"` (only when `has_triage=true`)
+- `--remove-label "{label}"` (only when `has_triage=true`)
 - `--add-assignee @me`
-- `--milestone "{milestone}"`
+- `--milestone "{milestone}"` (only when `has_triage=true`)
+
+Do not pre-check assignee permissions. If the assignee command fails, silently skip it per the caller's contract.
 
 Close an Issue:
 
 ```bash
-gh issue close {issue-number} --reason "{reason}"
+gh issue close {issue-number} -R "$upstream_repo" --reason "{reason}"
 ```
 
 ## Read Issue Comments
@@ -64,7 +79,7 @@ gh issue close {issue-number} --reason "{reason}"
 Read Issue comments or search for existing hidden markers:
 
 ```bash
-gh api "repos/{owner}/{repo}/issues/{issue-number}/comments" --paginate
+gh api "repos/$upstream_repo/issues/{issue-number}/comments" --paginate
 ```
 
 ## Read and Create PRs
@@ -108,4 +123,5 @@ Common arguments:
 
 - read failures: stop or skip based on the calling skill
 - update failures: warn and continue when the caller marks the action as best-effort
+- insufficient permission: skip direct writes according to the `has_triage` / `has_push` branch and continue
 - `@me` is resolved by `gh` CLI to the authenticated user

package/templates/.agents/rules/issue-pr-commands.github.zh-CN.md

@@ -13,50 +13,65 @@ gh repo view --json nameWithOwner
 
 如果任一命令失败，按调用该规则的 skill 约定停止或降级。
 
+## Upstream 仓库与权限检测
+
+在后续任何 `gh issue` 或 `gh api "repos/..."` 操作之前，先按 `.agents/rules/issue-sync.md` 完成 `upstream_repo`、`has_triage` 和 `has_push` 检测。
+
+- 后续所有 `gh issue` 命令统一使用 `-R "$upstream_repo"`
+- 后续所有 repo 级 `gh api` 命令统一使用 `"repos/$upstream_repo/..."`
+- `gh pr *` 命令保持作用于当前仓库，不额外加 `-R`
+- `gh api "orgs/{owner}/..."` 这类 org 级命令保持不变
+
 ## Issue 读取与创建
 
 读取 Issue：
 
 ```bash
-gh issue view {issue-number} --json number,title,body,labels,state,milestone,url
+gh issue view {issue-number} -R "$upstream_repo" --json number,title,body,labels,state,milestone,url
 ```
 
 创建 Issue：
 
 ```bash
-gh issue create --title "{title}" --body "{body}" --assignee @me {label-args} {milestone-arg}
+gh issue create -R "$upstream_repo" --title "{title}" --body "{body}" --assignee @me {label-args} {milestone-arg}
 ```
 
 - `{label-args}` 由调用方按有效 label 列表展开为多个 `--label`
+- 仅当 `has_triage=true` 时传入 `{label-args}`；否则整体省略并继续
 - 没有有效 label 时省略全部 `--label`
+- 仅当 `has_triage=true` 时传入 `{milestone-arg}`；否则整体省略并继续
 - `{milestone-arg}` 为空时整体省略
 
 设置 Issue Type：
 
 ```bash
 gh api "orgs/{owner}/issue-types" --jq '.[].name'
-gh api "repos/{owner}/{repo}/issues/{issue-number}" -X PATCH -f type="{issue-type}" --silent
+gh api "repos/$upstream_repo/issues/{issue-number}" -X PATCH -f type="{issue-type}" --silent
 ```
 
+- 仅当 `has_push=true` 时执行 Issue Type 设置；否则跳过并继续
+
 ## Issue 更新
 
 更新标题、label、assignee 或 milestone 时使用：
 
 ```bash
-gh issue edit {issue-number} {edit-args}
+gh issue edit {issue-number} -R "$upstream_repo" {edit-args}
 ```
 
 常见参数：
 - `--title "{title}"`
-- `--add-label "{label}"`
-- `--remove-label "{label}"`
+- `--add-label "{label}"`（仅当 `has_triage=true`）
+- `--remove-label "{label}"`（仅当 `has_triage=true`）
 - `--add-assignee @me`
-- `--milestone "{milestone}"`
+- `--milestone "{milestone}"`（仅当 `has_triage=true`）
+
+Assignee 同步不做权限预判；如果命令失败，按调用方约定静默跳过。
 
 关闭 Issue：
 
 ```bash
-gh issue close {issue-number} --reason "{reason}"
+gh issue close {issue-number} -R "$upstream_repo" --reason "{reason}"
 ```
 
 ## Issue 评论读取
@@ -64,7 +79,7 @@ gh issue close {issue-number} --reason "{reason}"
 读取 Issue 评论或按隐藏标记查找已有评论：
 
 ```bash
-gh api "repos/{owner}/{repo}/issues/{issue-number}/comments" --paginate
+gh api "repos/$upstream_repo/issues/{issue-number}/comments" --paginate
 ```
 
 ## PR 读取与创建
@@ -108,4 +123,5 @@ gh pr edit {pr-number} {edit-args}
 
 - 读取失败：按调用方规则决定停止还是跳过
 - 更新失败：如果调用方标记为 best-effort，输出警告并继续
+- 权限不足：按 `has_triage` / `has_push` 分支跳过直接写操作，不阻塞调用方
 - `@me` 由 `gh` CLI 解析为当前认证用户

package/templates/.agents/rules/issue-sync.github.en.md

@@ -2,45 +2,119 @@
 
 Read this file before a task skill updates a GitHub Issue.
 
+## Upstream Repository Detection
+
+When an external contributor runs `gh` inside a fork, the default target is the fork instead of the upstream repository. Detect the upstream repository first and reuse `upstream_repo` for every later `gh issue` and `gh api "repos/..."` operation.
+
+```bash
+upstream_repo=$(gh api "repos/$(gh repo view --json nameWithOwner -q .nameWithOwner)" \
+  --jq 'if .fork then .parent.full_name else .full_name end' 2>/dev/null)
+```
+
+- non-fork repository: returns the current repository `full_name`
+- fork repository: returns the parent repository `full_name`
+- every later `gh issue` command must use `-R "$upstream_repo"`
+- every later `gh api "repos/..."` command must use `"repos/$upstream_repo/..."`
+
+## Permission Detection
+
+Run one permission check against the upstream repository before any write operation. When detection fails, treat it as no permission so the workflow degrades safely.
+
+```bash
+repo_perms=$(gh api "repos/$upstream_repo" --jq '.permissions' 2>/dev/null || echo '{}')
+has_triage=$(printf '%s' "$repo_perms" | grep -q '"triage":true' 2>/dev/null && echo true || echo false)
+has_push=$(printf '%s' "$repo_perms" | grep -q '"push":true' 2>/dev/null && echo true || echo false)
+```
+
+Operation-to-permission mapping:
+
+| Operation | Required permission | Notes |
+|------|---------|------|
+| add/remove labels | `has_triage` | triage is the minimum permission |
+| add/remove milestones | `has_triage` | same as above |
+| edit Issue body | `has_triage` | used by requirement checkbox sync |
+| set Issue Type | `has_push` | requires write permission |
+| set assignee | no check | skip directly when it fails |
+| publish/update comments | no check | allowed for authenticated users in public repositories |
+
+## Degradation Rules
+
+| Level | Operation type | With permission | Without permission |
+|------|---------|--------|--------|
+| silent degradation | label / milestone / Issue Type | run the `gh` command directly and also update the task comment | skip direct `gh` writes, update only the task comment, let the bot backfill |
+| direct skip | assignee | run the `gh` command directly | do nothing else |
+| normal execution | comments | run normally | run normally |
+
+Key rules:
+
+- task comment sync must continue whether write permission exists or not
+- insufficient permission only affects direct Issue metadata writes and must not stop the skill
+- keep the existing `2>/dev/null || true` error-tolerance pattern
+
+## External Contributor Locking
+
+Maintainers (`has_triage=true`) are never blocked. External contributors (`has_triage=false`) must check whether the current task already has a `task` comment author on the Issue before they start.
+
+```bash
+task_comment_author=$(gh api "repos/$upstream_repo/issues/{issue-number}/comments" \
+  --paginate --jq '[.[] | select(.body | test("<!-- sync-issue:{task-id}:task -->")) | .user.login] | first' \
+  2>/dev/null || echo "")
+current_user=$(gh api user --jq '.login' 2>/dev/null || echo "")
+```
+
+Decision rules:
+
+- no `task` comment exists: allow execution
+- the `task` comment author is the current user: allow continuation
+- the `task` comment author is another user: stop immediately and ask the contributor to coordinate with a maintainer before taking over
+
 ## Direct `status:` Label Updates
 
 If task.md contains a valid `issue_number` (not empty and not `N/A`) and the Issue state is `OPEN`, replace every existing `status:` label and add the target one:
 
 ```bash
-state=$(gh issue view {issue-number} --json state --jq '.state' 2>/dev/null)
+state=$(gh issue view {issue-number} -R "$upstream_repo" --json state --jq '.state' 2>/dev/null)
 if [ "$state" = "OPEN" ]; then
-  gh issue view {issue-number} --json labels \
+  gh issue view {issue-number} -R "$upstream_repo" --json labels \
     --jq '.labels[].name | select(startswith("status:"))' 2>/dev/null \
   | while IFS= read -r label; do
       [ -z "$label" ] && continue
-      gh issue edit {issue-number} --remove-label "$label" 2>/dev/null || true
+      if [ "$has_triage" = "true" ]; then
+        gh issue edit {issue-number} -R "$upstream_repo" --remove-label "$label" 2>/dev/null || true
+      fi
     done
-  gh issue edit {issue-number} --add-label "{target-status-label}" 2>/dev/null || true
+  if [ "$has_triage" = "true" ]; then
+    gh issue edit {issue-number} -R "$upstream_repo" --add-label "{target-status-label}" 2>/dev/null || true
+  fi
 fi
 ```
 
 Use `while IFS= read -r label` so labels like `status: in-progress` are handled line-by-line instead of being split on spaces.
 
+If `has_triage=false`, skip direct label changes, update only the task comment, and let the bot backfill from the latest task metadata.
+
 If `gh` fails, skip and continue. Do not fail the skill.
 
 ## Assignee Sync
 
 When a skill creates or imports an Issue, automatically add the current executor as assignee:
 
-- `create-issue`: use `--assignee @me` in the `gh issue create` command
-- `import-issue`: run `gh issue edit {issue-number} --add-assignee @me 2>/dev/null || true` after import
+- `create-issue`: use `--assignee @me` in `gh issue create` and include `-R "$upstream_repo"`
+- `import-issue`: run `gh issue edit {issue-number} -R "$upstream_repo" --add-assignee @me 2>/dev/null || true` after import
 
-`@me` is resolved by `gh` CLI to the authenticated user. The operation is idempotent (adding an existing assignee is a no-op). If the command fails (e.g. insufficient permissions), skip and continue.
+`@me` is resolved by `gh` CLI to the authenticated user. The operation is idempotent. If the command fails, skip it directly and do not provide a fallback path.
 
 ## `in:` Label Sync
 
+> **Trigger timing**: run `in:` label sync only after code is committed (the `commit` skill). Do not run it during `implement-task` or `refine-task`. During `create-pr`, only copy the labels from the Issue to the PR without recomputing them.
+
 Read the `labels.in` mapping from `.agents/.airc.json`.
 
 ```bash
 git diff {base-branch}...HEAD --name-only
 ```
 
-`{base-branch}` is usually `main`; in PR context, use the PR's base branch.
+`{base-branch}` is usually `main`; in PR context, use the PR base branch.
 
 ### When a mapping exists (precise add/remove)
 
@@ -48,15 +122,18 @@ git diff {base-branch}...HEAD --name-only
 2. Match each file against the directory prefixes in `labels.in` to compute the expected `in:` label set
 3. Query the current `in:` labels on the Issue or PR
 4. Apply the diff:
-   - expected but missing -> `gh issue edit {issue-number} --add-label "in: {module}" 2>/dev/null || true`
-   - present but no longer expected -> `gh issue edit {issue-number} --remove-label "in: {module}" 2>/dev/null || true`
+   - expected but missing: only when `has_triage=true`, run `gh issue edit {issue-number} -R "$upstream_repo" --add-label "in: {module}" 2>/dev/null || true`
+   - present but no longer expected: only when `has_triage=true`, run `gh issue edit {issue-number} -R "$upstream_repo" --remove-label "in: {module}" 2>/dev/null || true`
 
 ### When no mapping exists (add-only fallback)
 
 If `.airc.json` has no `labels.in` field or it is empty:
+
 1. query existing repository `in:` labels
 2. derive the top-level directory from each changed file
-3. add matching labels only and never remove existing `in:` labels
+3. only when `has_triage=true`, add matching labels and never remove existing `in:` labels
+
+If `has_triage=false`, skip direct `in:` label edits and keep task comment sync as the source for later automation backfill.
 
 ## Artifact Comment Publishing
 
@@ -69,7 +146,7 @@ The hidden marker must remain compatible:
 Check for an existing comment before publishing:
 
 ```bash
-gh api "repos/{owner}/{repo}/issues/{issue-number}/comments" \
+gh api "repos/$upstream_repo/issues/{issue-number}/comments" \
   --paginate --jq '.[].body' \
   | grep -qF "<!-- sync-issue:{task-id}:{file-stem} -->"
 ```
@@ -99,20 +176,23 @@ Use this format:
 `{agent}` is the name of the AI agent currently executing the skill (for example `claude`, `codex`, or `gemini`).
 
 `summary` comments need extra handling:
+
 - find an existing `<!-- sync-issue:{task-id}:summary -->` comment ID first
 - create the comment when none exists
-- patch the existing comment in place when the body changed
+- patch the existing comment in place when the body changed by using `gh api "repos/$upstream_repo/issues/comments/{comment-id}" -X PATCH -f body=...`
 
 ```bash
-summary_comment_id=$(gh api "repos/{owner}/{repo}/issues/{issue-number}/comments" \
+summary_comment_id=$(gh api "repos/$upstream_repo/issues/{issue-number}/comments" \
   --paginate --jq '.[] | select(.body | startswith("<!-- sync-issue:{task-id}:summary -->")) | .id' \
   | head -n 1)
-gh api "repos/{owner}/{repo}/issues/comments/{comment-id}" -X PATCH -f body="$(cat <<'EOF'
+gh api "repos/$upstream_repo/issues/comments/{comment-id}" -X PATCH -f body="$(cat <<'EOF'
 {comment-body}
 EOF
 )"
 ```
 
+Comment publishing is not gated by `has_triage` or `has_push`.
+
 ## task.md Comment Sync
 
 Hidden marker:
@@ -124,7 +204,7 @@ Hidden marker:
 Use an idempotent update path for `task.md`:
 
 1. Read the full `task.md`
-2. Wrap the YAML frontmatter (content between the `---` delimiters) inside a `<details><summary>Metadata (frontmatter)</summary>` block with a `yaml` code fence; render the remaining body as normal Markdown
+2. Wrap the YAML frontmatter (content between the `---` delimiters) inside a `<details><summary>Metadata (frontmatter)</summary>` block with a `yaml` code fence, then render the remaining body as normal Markdown
 3. Use `task` as `{file-stem}`
 4. Find an existing comment ID for the marker
 5. Create the comment when none exists
@@ -155,20 +235,23 @@ task.md comment format:
 *Generated by {agent} · Internal tracking: {task-id}*
 ```
 
-When restoring, extract the frontmatter from the `<details>` block and reassemble with the body to recover the original `task.md`.
+When restoring, extract the frontmatter from the `<details>` block and reassemble it with the body to recover the original `task.md`.
 
 Title mapping:
+
 - `task` -> `Task File`
 
+task comment sync always runs and is never downgraded.
+
 ## Backfill Rules (run before `/complete-task` archives)
 
 - Scan `task.md`, `analysis*.md`, `plan*.md`, `implementation*.md`, `review*.md`, and `refinement*.md` in the task directory
 - Check whether each `{file-stem}` was already published by its hidden marker; publish only missing artifacts
-- Backfill only appends missing comments; never delete or reorder existing comments
+- Backfill only appends missing comments and never deletes or reorders existing comments
 - Resolve `{agent}` for backfilled comments in this order:
-  1. Match the artifact filename in Activity Log (for example `→ analysis.md`) and extract the executor from `by {agent}`
-  2. If no match is found, fall back to `assigned_to` in task.md frontmatter
-  3. If `assigned_to` is also unavailable, use the current backfilling agent
+  1. match the artifact filename in Activity Log (for example `→ analysis.md`) and extract the executor from `by {agent}`
+  2. if no match is found, fall back to `assigned_to` in task.md frontmatter
+  3. if `assigned_to` is also unavailable, use the current backfilling agent
 - Derive the previous and next neighbors from Activity Log order and add this note below the title:
 
 ```markdown
@@ -178,6 +261,7 @@ Title mapping:
 - If only one neighbor exists, keep only that side of the note; if neither exists, omit the note
 
 Title mapping:
+
 - `task` -> `Task File`
 - `analysis` / `analysis-r{N}` -> `Requirements Analysis` / `Requirements Analysis (Round {N})`
 - `plan` / `plan-r{N}` -> `Technical Plan` / `Technical Plan (Round {N})`
@@ -186,6 +270,8 @@ Title mapping:
 - `refinement` / `refinement-r{N}` -> `Refinement Report (Round 1)` / `Refinement Report (Round {N})`
 - `summary` -> `Delivery Summary`
 
+Backfilled comments are also not gated by `has_triage` or `has_push`.
+
 ## Requirement Checkbox Sync
 
 Extract checked `- [x]` items from the `## Requirements` section in task.md. Skip when none exist.
@@ -193,10 +279,12 @@ Extract checked `- [x]` items from the `## Requirements` section in task.md. Ski
 Read the current Issue body:
 
 ```bash
-gh issue view {issue-number} --json body --jq '.body'
+gh issue view {issue-number} -R "$upstream_repo" --json body --jq '.body'
 ```
 
-Replace matching `- [ ] {text}` lines with `- [x] {text}` only when the body actually changes, then PATCH the full body with `gh api`.
+Replace matching `- [ ] {text}` lines with `- [x] {text}`. Use `gh api` to PATCH the full body only when the body changed and `has_triage=true`.
+
+If `has_triage=false`, skip the body PATCH, update only the task comment, and let the bot backfill from the latest task state.
 
 ## Shell Safety Rules