FAIR-band: in-band [4/30] — companion to #11491; extends tool-boundary mechanical body-shape validation pattern from PR-review surface to PR-creation surface.
Premise
Operator-flagged risk during the #11491 framing discussion 2026-05-16T20:46Z:
"risk: not using the tool, but gh cli directly instead. another angle is creating pull requests => without the skill. but that would be a different ticket."
Two distinct tool-bypass surfaces from the same Helpful Assistant tool-bypass pattern:
MCP → gh CLI bypass on review side: agent skips manage_pr_review (which has the description guard from #11479) and uses gh pr review --body "..." directly. Mechanical body-shape validation at the MCP tool boundary in #11491 doesn't catch this — agent never touches the MCP tool.
PR creation without invoking pull-request skill: agent uses gh pr create directly without reading .agents/skills/pull-request/SKILL.md. Same categorical failure mode as the pr-review bypass: discipline-only "agent should read skill" → agent skips skill → bad PR body shape lands.
The pull-request skill's authority artifact is .agents/skills/pull-request/references/pull-request-workflow.md (Pre-Flight checklist, FAIR-band stance declaration, Evidence-line declaration, cross-family review request, commit format, etc.). Per feedback_pr_review_template_discipline memory anchor, structural-template discipline is a wire-format contract with the Retrospective daemon — same downstream-consumer cost applies.
What this ticket covers (vs. #11491)
| Surface | Tool | Current state | Covered by |
|---|---|---|---|
| PR review | manage_pr_review MCP tool | Discipline-only description guard (PR #11479); no body shape validation | #11491 |
| PR review | gh pr review CLI direct | No guard at all (bypasses MCP) | This ticket (sub-A) |
| PR creation | create_pull_request MCP tool (if exists) / gh pr create CLI | TBD — needs V-B-A | This ticket (sub-B) |
Investigation steps (in-ticket V-B-A required before prescription)
This ticket needs Stage-0 V-B-A on:
- Does a create_pull_request MCP tool exist? Check ai/mcp/server/github-workflow/openapi.yaml for the operationId.
- If yes: does it have a description guard pointing to pull-request skill? Same shape as PR #11479.
- If no: agents currently use gh pr create directly. The mechanical layer would need to live at a different surface — possibly a git pre-push hook OR a CI lint that runs against PR body when the PR is opened.
- For the gh pr review CLI bypass surface: post-creation CI lint on review comments authored by @neo-* agents within N minutes of submission.
Prescription space (deferred to in-ticket V-B-A)
Two candidate shapes pending step-1 investigation:
Shape A: tool-side mirror of #11491 (if create_pull_request MCP tool exists)
Add JSON-schema x-required-substrings validation on the body parameter against pull-request template anchors.
Shape B: post-creation CI lint (if agents use gh pr create directly)
GitHub Action workflow runs on pull_request: opened for PRs authored by @neo-*, validates body shape against pull-request template, posts a failure comment listing missing anchors. Same shape as the existing substrate-size-guard.yml precedent.
The right shape is empirically determined by whether MCP-tool path exists; not pre-committing without that V-B-A.
Acceptance criteria (placeholder pending V-B-A)
Why this is a separate ticket (not folded into #11491)
- Different surfaces: #11491 hits the review MCP tool's body parameter; this hits creation surfaces which may be CLI-only.
- Different empirical anchors: #11491 is anchored on Gemini's #11488/#11489 review-template failures; this is anchored on the operator-flagged risk surface without empirical-failure data yet.
- Different prescription space: #11491 prescription is locked (tool-side schema); this is shape-A-or-B depending on V-B-A.
- Scope-restraint discipline per memory anchor feedback_substrate_scope_restraint.md — keeping each ticket bounded prevents iteration spirals.
Authority anchors
- Operator framing: 2026-05-16T20:46Z A2A — surfaced both bypass risks (CLI direct + creation-without-skill) in the same response that green-lit #11491; explicitly stated these belong in a separate ticket
- Conceptual sibling: #11491 — primary tool-boundary body-shape validation ticket
- Layered defense pattern reference: PR #11406/#11490 — multi-layer enforcement (discipline + CI grep-fail) for ADR 0004 §2.6 retired primitives
- Risk surface for CLI bypass: peer-not-assistant anti-pattern — when MCP tool gates are added, the Helpful Assistant prior may route around them via the un-gated CLI surface
Related
- #11491 — primary tool-boundary validation ticket; this is its companion
- PR #11479 — description-only guard on review surface
- #11105 — discipline-only audit-at-receipt fix (didn't prevent recurrence on #11488/#11489)
- PR #11490 (open) — conceptual sibling for ADR 0004 §2.6 mechanical-enforcement layer
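
An added example, not part of the ticket or the project's code: the required-anchor body check that Shape A and Shape B above both describe, in JavaScript, returning the missing anchors and the failure comment text. The anchor strings other than `FAIR-band:`, the `neo-` login prefix test, the function names and the sample payload are assumptions constructed for illustration.

```javascript
// Hypothetical schema fragment for the PR `body` parameter. The keyword
// `x-required-substrings` is named in the ticket; the anchor strings are
// assumptions, except "FAIR-band:", which the ticket body itself opens with.
const bodySchema = {
  type: 'string',
  'x-required-substrings': ['FAIR-band:', 'Evidence:', 'Pre-Flight', 'Cross-family review']
};

// Drop HTML comments (closed or unterminated) so an anchor that only appears
// in hidden template hints does not satisfy the check.
function visibleText(body) {
  return String(body ?? '').replace(/<!--[\s\S]*?(?:-->|$)/g, '');
}

function missingAnchors(schema, body) {
  const required = schema['x-required-substrings'] ?? [];
  const text = visibleText(body);
  return required.filter(anchor => !text.includes(anchor));
}

// Assumption: agent accounts are the logins that start with "neo-".
function isAgentAuthor(login) {
  return /^neo-/i.test(String(login ?? ''));
}

// Takes a `pull_request` webhook payload; lints only newly opened agent PRs.
function lintPullRequest(event, schema = bodySchema) {
  const pr = event.pull_request ?? {};
  const checked = event.action === 'opened' && isAgentAuthor(pr.user?.login);
  const missing = checked ? missingAnchors(schema, pr.body) : [];
  const comment = missing.length
    ? ['PR body is missing required template anchors:',
       ...missing.map(a => '- `' + a + '`')].join('\n')
    : null;
  return { checked, missing, comment };
}

// Constructed sample: "Evidence:" is present only inside an HTML comment.
const sampleEvent = {
  action: 'opened',
  pull_request: {
    user: { login: 'neo-example-agent' },
    body: 'FAIR-band: in-band\n<!-- Evidence: fill in -->\nPre-Flight done\nCross-family review requested'
  }
};
console.log(lintPullRequest(sampleEvent));
```

The same `missingAnchors` function serves either shape: called on the tool's `body` argument before the request is forwarded (Shape A), or on the event payload inside a workflow step (Shape B).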