Expose provenance and guardrails for every-code label automation

[cbusillo]

Summary

Adding the every-code label can launch automated Every Code sessions in the background, but the current GitHub trail only shows the authenticated actor that applied the label. It is not obvious whether the label came from a human action, CLI helper, local automation wrapper, or another automation surface.

Why it matters

When an unexpected background session starts, operators need to know what action triggered it and whether the label should have been applied. The label currently describes the effect, but not the source or guardrails.

Observed evidence

In cbusillo/codex-skills, PR #140 had the every-code label. Issue/PR events showed:

2026-05-27T20:41:17Z labeled every-code by cbusillo

No checked-in codex-skills helper appeared to add the label directly. That leaves local tooling, UI actions, or external automation as likely sources.

Expected behavior

Every Code automation should make label-triggered sessions auditable and deliberate:

• record or expose the source that applied every-code when possible
• document which tools or flows are allowed to apply it automatically
• provide a visible confirmation or dry-run path where accidental background sessions are likely
• link this to session-origin metadata work so a launched session can identify the triggering repo/issue/PR/label event

Related

• Related to Expose Every Code automation origin on sessions #27, which tracks structured automation-origin metadata on sessions.

[cbusillo]

Launchplane-side owner issue created: cbusillo/launchplane#936. That issue tracks preserving provenance from the every-code label webhook/worker path. This Code issue can stay focused on Code/session-side exposure and guardrails, with #27 as the broader session-origin metadata work.

[cbusillo]

Code-side provenance landed in #166.

What is now available:

• external launchers can pass structured session origin via CODE_AUTOMATION_ORIGIN
• rollout SessionMeta persists the origin metadata
• session_configured exposes the same metadata to clients
• the protocol schema/typescript fixtures and config docs now include the contract

Validation included the targeted core/protocol/schema tests plus ./build-fast.sh; the post-merge Release workflow passed 8/8.

The remaining label-source guardrails are launcher-side: the service that observes/applies every-code needs to preserve the webhook/event source and set CODE_AUTOMATION_ORIGIN when starting Code. That is tracked outside this repo; this issue can close for the Code metadata contract.

[cbusillo]

Closing for the Code-side metadata contract: #166 added the origin env contract, rollout persistence, session_configured exposure, protocol fixtures, docs, and passed the post-merge Release workflow. Remaining label-source provenance belongs to the launcher/webhook layer that sets CODE_AUTOMATION_ORIGIN.