[Pelis Agent Factory Advisor] Agentic Workflow Maturity Analysis & Recommendations — April 2026

[github-actions[bot]]

📊 Executive Summary

gh-aw-firewall is an advanced-maturity agentic repository with ~27 agentic workflows covering security red-teaming, CI health, documentation, issue management, and token optimization. The primary gaps are in automated code quality review on PRs and proactive supply-chain threat detection — two areas especially critical for a security-focused firewall tool. Adding a small number of targeted workflows would push this repo to industry-leading automation coverage.

---

🎓 Patterns Learned (Pelis Agent Factory)

The Pelis Agent Factory (githubnext/agentics) documents these reusable workflow families:

Category	Pattern	Key Features
Maintainer	Issue Triage / Repo Assist	Label-driven, issues: opened trigger
Fault Analysis	CI Doctor / CI Coach	workflow_run trigger, auto-fix chains
Code Review	Grumpy Reviewer / PR Nitpick	pull_request trigger, add-comment safe-output
Research & Status	Weekly Issue Summary / Daily Status	schedule, discussion output
Dependency Mgmt	Dependabot PR Bundler	Groups updates, draft PR output
Command-Triggered	/plan, /repo-ask, /archie	slash_command trigger, write-access guarded
Security	Daily Malicious Code Scan / VEX Generator	Recent-commits scan, OpenVEX output
Meta-Workflows	Q - Workflow Optimizer	Self-improves other workflows
Code Improvement	Code Simplifier / Test Improver	Produces PRs, skip-if-match guard

Standout patterns this repo already uses well:

• workflow_run chaining (token-analyzer → optimizer)
• Multi-engine red-team tests (Claude + Codex + Copilot variants)
• skip-if-match guards to prevent duplicate open PRs/issues
• cache-memory for persistent state across runs (issue deduplication)
• imports for shared logic (mcp-pagination, secret-audit, version-reporting)
• features: cli-proxy for cross-repo operations

---

📋 Workflow Inventory

Workflow	Purpose	Trigger	Assessment
security-guard	Blocks PRs that weaken security	PR opened/sync	✅ Well-configured, claude engine
security-review	Daily threat modeling + evidence	daily + dispatch	✅ Comprehensive, uses escape test results
secret-digger-claude	Red-team container escape (Claude)	dispatch	✅ Unique to this repo
secret-digger-codex	Red-team container escape (Codex)	dispatch	✅ Multi-engine coverage
secret-digger-copilot	Red-team container escape (Copilot)	dispatch	✅ Multi-engine coverage
dependency-security-monitor	CVE detection + safe dependency PRs	daily	✅ 24h detection SLA
smoke-claude	Validate Claude engine every 12h	12h + PR	✅ Reaction trigger heart
smoke-copilot	Validate Copilot engine every 12h	12h + PR	✅ Reaction trigger eyes
smoke-codex	Validate Codex engine	PR + schedule	✅
smoke-chroot	Validate chroot bind-mount feature	PR (src/containers)	✅ Path-filtered
smoke-services	Validate host service port access	12h + PR	✅ Reaction trigger rocket
build-test	Multi-runtime build test	PR	⚠️ Many runtimes for Node.js project
ci-doctor	Investigate CI failures, create issues	workflow_run	✅ Monitors 26 workflows
ci-cd-gaps-assessment	Daily CI/CD coverage gap report	daily	✅
doc-maintainer	Daily doc sync with code changes	daily	✅ skip-if-match guard
issue-monster	Auto-assign issues to Copilot	issues:opened + 1h	✅ skip-if-no-match guard
firewall-issue-dispatcher	Cross-repo issue bridging gh-aw→this	6h	✅ cli-proxy, PAT cross-repo
issue-duplication-detector	Detect duplicate issues with cache	issues:opened	✅ cache-memory state
plan	/plan slash command for breakdown	slash_command	✅
update-release-notes	Auto-update release notes	release:published	✅
claude-token-usage-analyzer	Analyze Claude token consumption	daily	✅
claude-token-optimizer	Recommendations to cut Claude cost	workflow_run	✅ Chained pattern
copilot-token-usage-analyzer	Analyze Copilot token consumption	daily	✅
copilot-token-optimizer	Recommendations to cut Copilot cost	workflow_run	✅ Chained pattern
cli-flag-consistency-checker	Detect CLI doc/impl drift weekly	weekly	✅
test-coverage-improver	Weekly test coverage PRs	weekly	✅ skip-if-match guard
pelis-agent-factory-advisor	This advisor (meta)	daily	✅

Traditional (non-agentic) workflows: build, codeql, dependency-audit, deploy-docs, link-check, lint, performance-monitor, pr-title, release, test-action, test-chroot, test-coverage, test-examples, test-integration-suite, test-integration

---

🚀 Recommendations

P0 — High Impact, Low Effort (Implement Immediately)

1. 🔍 PR Code Quality Reviewer (Grumpy Reviewer)

What: Add a Claude-powered code reviewer that comments on PRs with quality observations — complexity, naming, missing tests, adherence to patterns — beyond just security regressions.

Why: security-guard only covers security. There's no agentic check for overall code quality, adherence to the CONTRIBUTING.md conventions, or TypeScript best practices. For a project that aspires to be a reference implementation, code quality review is high-value signal.

How:

---
description: Opinionated code quality reviewer for PRs
on:
  pull_request:
    types: [opened, synchronize]
  reaction: "+1"
permissions:
  contents: read
  pull-requests: read
engine:
  id: claude
  max-turns: 15
tools:
  github:
    toolsets: [pull_requests, repos]
safe-outputs:
  add-comment:
    max: 1
    hide-older-comments: true
timeout-minutes: 10

Effort: Low — similar structure to security-guard.md

Reference: Pelis "Grumpy Reviewer" / "PR Nitpick Reviewer" patterns

---

2. 🔒 Sub-Issue Closer

What: Automatically close parent issues when all their sub-issues are resolved.

Why: issue-monster and plan workflows create many sub-issues. Without a closer, resolved work items leave stale parent issues open, cluttering the backlog.

How: Use the standard Pelis sub-issue-closer pattern — triggers on issues: closed, checks if all sub-issues of any parent are now closed, closes the parent with a summary comment.

Effort: Very Low — copy from Pelis patterns with minimal customization

---

3. 📋 Contribution Guidelines Checker

What: On each new PR, verify compliance with CONTRIBUTING.md — conventional commit format, test inclusion for code changes, documentation updates for API changes, and that CLAUDE.md/AGENTS.md instruction files are not modified without justification.

Why: The repo enforces commitlint via husky for local commits, but CI PRs from agents (issue-monster/Copilot) may not run husky. An agentic checker closes this gap and produces a friendly PR comment with specific remediation steps.

How:

---
description: Check PRs against CONTRIBUTING.md guidelines
on:
  pull_request:
    types: [opened, synchronize, reopened]
permissions:
  contents: read
  pull-requests: read
engine:
  id: claude
  max-turns: 10
safe-outputs:
  add-comment:
    max: 1
    hide-older-comments: true
  add-labels:
    allowed: [needs-revision, guidelines-ok]
timeout-minutes: 8

Effort: Low

---

P1 — High Impact, Medium Effort (Near-Term)

4. 🦠 Daily Malicious Code Scanner

What: Daily scan of commits from the last 24 hours for suspicious patterns: unexpected network calls added to containers, obfuscated strings, base64-encoded payloads in shell scripts, new eval/exec patterns, unexpected changes to iptables rules or Squid ACLs, hardcoded IPs.

Why: This repo is a security sandbox tool — it is an extremely high-value supply chain target. The existing security-review is comprehensive but broad; a focused daily scanner specifically targeting recent-commit code patterns adds a critical defense layer. This aligns directly with the Pelis "Daily Malicious Code Scan" pattern.

How:

---
description: Daily scan of recent commits for supply chain attack indicators
on:
  schedule: daily
  workflow_dispatch:
permissions:
  contents: read
  security-events: read
engine:
  id: claude
  max-turns: 20
tools:
  bash:
    - "git log:*"
    - "git diff:*"
    - "git show:*"
safe-outputs:
  create-issue:
    title-prefix: "[Security Alert] "
    labels: [security, supply-chain]
    max: 3
    expires: 14d
timeout-minutes: 15

Effort: Medium — needs careful prompt engineering for low false-positive rate

Reference: Pelis "Daily Malicious Code Scan"

---

5. 🏥 PR Fix Agent

What: When ci-doctor creates an investigation issue, chain a PR-Fix agent that attempts to implement the fix automatically for failing CI checks.

Why: ci-doctor already does the hard part (identifying root cause). The next logical step is automated remediation. For a TypeScript project with well-defined tests, many CI failures (type errors, lint issues, test regressions) are automatable.

How: Trigger on workflow_run (ci-doctor completed) or on issue_comment with /fix command. Use create-pull-request safe-output with draft: true.

Effort: Medium — requires careful scoping of what to auto-fix vs. escalate

Reference: Pelis "PR Fix" pattern

---

6. 🔍 Discussion Task Miner

What: Weekly agent that reads GitHub Discussions (General, Ideas categories) and extracts actionable improvement tasks, creating tracked issues for items that haven't been addressed.

Why: The repo produces many agentic discussion reports (CI assessments, security reviews, CLI flag checks, this advisor). These reports contain valuable insights but often go unacted upon. A task miner bridges the gap from "observation" to "tracked work item."

How:

---
description: Mine discussions for actionable tasks and create issues
on:
  schedule: weekly
  workflow_dispatch:
permissions:
  contents: read
  discussions: read
  issues: read
tools:
  github:
    toolsets: [discussions, issues]
  cache-memory:
    key: discussion-task-miner
safe-outputs:
  create-issue:
    title-prefix: "[Task] "
    labels: [task-mined, ai-generated]
    max: 5
    expires: 7d
timeout-minutes: 20

Effort: Medium

Reference: Pelis "Discussion Task Miner"

---

P2 — Medium Impact

7. 📦 Dependabot PR Bundler

What: Group multiple Dependabot PRs for related ecosystems (npm patch updates, Docker base image updates) into a single bundle PR to reduce reviewer fatigue.

Why: The repo has dependency-security-monitor for CVE detection but no automation for the routine Dependabot PR queue. Bundling reduces the approval overhead.

Effort: Medium | Reference: Pelis "Dependabot PR Bundler"

---

8. 📊 Weekly Issue Summary

What: Weekly activity report summarizing issue trends, PR velocity, open security issues, and CI health into a discussion post with trend charts.

Why: Multiple individual analysis workflows exist (CI assessment, security review, token analysis) but no unified weekly health dashboard that maintainers can skim in 2 minutes.

Effort: Low-Medium | Reference: Pelis "Weekly Issue Summary"

---

9. 🔒 VEX Generator

What: When a Dependabot alert is dismissed with a justification, auto-generate an OpenVEX statement that captures the security assessment in a machine-readable format.

Why: As a security tool, gh-aw-firewall should model best practices in vulnerability management transparency. VEX statements provide auditable, standards-compliant records of security decisions.

Effort: Medium | Reference: Pelis "VEX Generator"

---

10. 🔍 /repo-ask Command

What: Slash command that answers repository questions using code search, documentation, and issue history — a research assistant for contributors navigating the complex AWF architecture.

Why: The codebase is architecturally complex (3 containers, iptables NAT, chroot, Squid ACL, multiple engines). Contributors frequently need to understand how pieces fit together. A /repo-ask command in issues/PRs reduces friction.

Effort: Low-Medium | Reference: Pelis "Repo Ask"

---

P3 — Nice-to-Have

11. 🗺️ /archie Command — Issue/PR Relationship Diagrams

Generate Mermaid diagrams showing issue/PR dependency relationships. Useful as the repo grows and tracking issue hierarchies becomes complex. Effort: Low

12. 📊 Repository Quality Improver

Daily rotating analysis across dimensions (code complexity, test coverage, documentation completeness, security posture, performance). Complements the existing individual analyzers with a unified rotating report. Effort: Medium

13. 🗜️ Documentation Unbloat

Simplify overly verbose documentation sections. CLAUDE.md is 26KB and growing — an automated unbloat pass could improve agent instruction quality. Effort: Low

---

📈 Maturity Assessment

Dimension	Current Level (1–5)	Target	Gap
Security Automation	⭐⭐⭐⭐⭐ 5	5	None — best-in-class
CI Health	⭐⭐⭐⭐ 4	5	Add PR-fix agent
Code Quality Review	⭐⭐ 2	4	PR code reviewer, contribution checker
Issue/PR Management	⭐⭐⭐⭐ 4	5	Sub-issue closer, task miner
Documentation	⭐⭐⭐ 3	4	Unbloat, discussion task miner
Supply Chain Defense	⭐⭐⭐ 3	5	Malicious code scanner, VEX generator
Workflow Integration	⭐⭐⭐⭐ 4	5	Chain ci-doctor → PR-fix
Token/Cost Optimization	⭐⭐⭐⭐⭐ 5	5	None — exemplary chained pattern
Overall	⭐⭐⭐⭐ 3.75/5	4.5/5	6 targeted additions

---

🔄 Best Practice Comparison

What this repo does exceptionally well ✅

• Multi-engine red-team testing — Running escape tests with Claude, Codex, and Copilot in parallel is a unique pattern not seen in typical repositories
• Workflow chaining via workflow_run — The token-analyzer → optimizer chain is a textbook example of event-driven agentic automation
• skip-if-match guards — Consistently prevents duplicate open PRs/issues across all PR-producing workflows
• cache-memory for persistent state — Issue deduplication using cache is a sophisticated pattern used correctly
• imports for shared logic — mcp-pagination, secret-audit, version-reporting shared modules reduce duplication
• features: cli-proxy for cross-repo operations — The firewall-issue-dispatcher using cross-repo PAT with cli-proxy is architecturally elegant
• Security-first safe-outputs — threat-detection: enabled: false consistently set, appropriate permission scoping

What to improve 🔧

• Code quality review gap — security-guard reviews for security but no agentic workflow reviews code quality, style, or contribution guideline compliance on PRs
• Reactive vs. proactive supply chain — Daily security review is reactive; a proactive malicious-pattern scan on recent commits adds a faster detection layer
• Discussion → Issue pipeline missing — Many valuable agentic reports are created as discussions but there's no automated mechanism to extract and track the actionable items
• Sub-issue lifecycle — plan and issue-monster create sub-issues but no workflow closes parent issues when all sub-tasks are done
• build-test.md runtime scope — Configuring Go 1.22, Rust stable, Java 21, and .NET 8.0 for a Node.js/TypeScript project adds unnecessary cost and complexity

---

📝 Notes

Cache memory has been updated with:

• Hash: 7632246862... (run date: 2026-04-11)
• Patterns reference: Pelis agentics README (maintainer, fault analysis, code review, research, dependency, command-triggered, security, meta-workflow categories)
• Repository assessment: 27 agentic workflows, maturity level ~3.75/5, top gaps = PR code quality reviewer + malicious code scanner + sub-issue closer + discussion task miner

Top 3 quick wins to implement next: (1) PR Code Quality Reviewer, (2) Sub-Issue Closer, (3) Contribution Guidelines Checker — all can be scaffolded in under 2 hours each using existing workflow patterns in this repo as templates.

Generated by Pelis Agent Factory Advisor · ● 706.4K · ◷

• expires on Apr 18, 2026, 9:43 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir beneath the firewall gates.
The smoke-test wanderer has passed through this realm,
and the runes now record its presence.
By starlight and packet-trace, the oracle was here.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-04-18T21:43:37.545Z.

Closed by Workflow

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke-test agent was here, and the runes of workflow 24615910452 were read.

Warning

⚠️ Firewall blocked 3 domains

The following domains were blocked by the firewall during workflow execution:

• ab.chatgpt.com
• chatgpt.com
• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "chatgpt.com"
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex