From 408b515e67616ade94f79a88f3de4ccebd7fe4ee Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 29 May 2026 01:02:10 +0000 Subject: [PATCH] docs: update state-machine with security scan workflow and infra changes - Add labelops-pr-security-scan (hourly PR safety classifier) - Update aw-auto-update to reflect create-agent-session delegation - Add all security scan labels to label dictionary - Update source hashes Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/docs/state-machine.md | 78 ++++++++++++++++++++++++++++++----- 1 file changed, 67 insertions(+), 11 deletions(-) diff --git a/.github/docs/state-machine.md b/.github/docs/state-machine.md index 7dde7f9a82c..1b590ac96fa 100644 --- a/.github/docs/state-machine.md +++ b/.github/docs/state-machine.md @@ -10,7 +10,8 @@ Auto-generated documentation of all agentic workflows in this repository. | **labelops-pr-maintenance** | ⏰ every 3h | PRs with AI-Auto-Resolve-* labels, CI status | comment, push, labels, dispatch | `AI-Auto-Resolve-CI`, `AI-Auto-Resolve-Conflicts`, `AI-needs-CI-fix-input` | | **regression-pr-shepherd** | ⏰ every 4h | PRs with `AI-Issue-Regression-PR` | comment, push, remove-labels | `AI-Issue-Regression-PR`, `AI-thinks-issue-fixed` | | **labelops-flake-fix** | 🤖 dispatched by labelops-pr-maintenance | Test results, PR diffs | PR, comment, issue | `Flaky`, `automation` | -| **aw-auto-update** | ⏰ every 24h | `.github/workflows/*` files | PR, push | `automation` | +| **labelops-pr-security-scan** | ⏰ every 1h | PR diffs, file lists | labels, comment | `AI-Tooling-Check-Scanned-Clean`, `AI-Tooling-Check-Bypassed`, `⚠️ Affects-*`, `⚠️ Suspicious-Prompting`, `⚠️ Scope-Review-Needed` | +| **aw-auto-update** | ⏰ every 24h | `.github/workflows/*` files | agent-session | `automation` | ## Issue Lifecycle 
@@ -124,6 +125,46 @@ stateDiagram-v2 Merged --> [*] ``` +## PR Security Scan Lifecycle + +```mermaid +stateDiagram-v2 + direction LR + + [*] --> ScanQueue: ⏰ labelops-pr-security-scan (1h) + + state "Per-PR Classification" as ScanLoop { + ScanQueue --> CheckMemory: 🤖 security-scan reads state.json + + state memcheck <> + CheckMemory --> memcheck + memcheck --> AlreadyScanned: sha unchanged + memcheck --> ClassifyOrigin: new or updated PR + + AlreadyScanned --> [*]: skip + + state origin <> + ClassifyOrigin --> origin + origin --> NonFork: headRepository == this repo + origin --> ForkPR: headRepository != this repo + + NonFork --> Bypassed: 🤖 adds AI-Tooling-Check-Bypassed + ForkPR --> ReadDiff: 🤖 reads file list + diff + + state classify <> + ReadDiff --> classify + classify --> Clean: no categories match + classify --> Flagged: ≥1 category matches + + Clean --> ScannedClean: 🤖 adds AI-Tooling-Check-Scanned-Clean + Flagged --> Labelled: 🤖 adds ⚠️ labels + comment (if changed) + } + + Bypassed --> [*] + ScannedClean --> [*] + Labelled --> [*]: 👤 maintainer reviews flagged areas +``` + ## Infrastructure Lifecycle ```mermaid @@ -139,16 +180,17 @@ stateDiagram-v2 UpToDate --> [*]: 🤖 aw-auto-update noops - ChangesDetected --> PRExists: 🤖 checks for existing PR + ChangesDetected --> DedupeCheck: 🤖 checks for existing PR/session - state prcheck <> - PRExists --> prcheck - prcheck --> UpdateExisting: open PR found - prcheck --> CreateNew: no open PR + state dedup <> + DedupeCheck --> dedup + dedup --> AlreadyOpen: open PR or session exists + dedup --> Delegate: no existing PR/session - UpdateExisting --> WaitReview: 🤖 aw-auto-update pushes to branch - CreateNew --> WaitReview: 🤖 aw-auto-update creates PR + AlreadyOpen --> [*]: 🤖 aw-auto-update noops + Delegate --> AgentSession: 🤖 aw-auto-update creates agent-session + AgentSession --> WaitReview: 🤖 Copilot Coding Agent opens PR WaitReview --> Merged: 👤 maintainer reviews + merges Merged --> [*] ``` 
@@ -164,6 +206,17 @@ stateDiagram-v2 | `AI-needs-CI-fix-input` | 🤖 labelops-pr-maintenance | 🤖 labelops-pr-maintenance, 👤 maintainer | CI failure requires human intervention | | `AI-Issue-Regression-PR` | 🤖 repo-assist | 🤖 regression-pr-shepherd, 🤖 labelops-pr-maintenance (exclude) | PR is a regression test created by repo-assist | | `Flaky` | 🤖 labelops-flake-fix | 👤 maintainer | Test identified as non-deterministic | +| `AI-Tooling-Check-Scanned-Clean` | 🤖 labelops-pr-security-scan | 👤 maintainer | Fork PR scanned, no safety concerns found | +| `AI-Tooling-Check-Bypassed` | 🤖 labelops-pr-security-scan | 👤 maintainer | Non-fork PR, scan bypassed (trusted origin) | +| `⚠️ Affects-Build-Infra` | 🤖 labelops-pr-security-scan | 👤 maintainer | PR modifies build infrastructure | +| `⚠️ Affects-Compiler-Output` | 🤖 labelops-pr-security-scan | 👤 maintainer | PR affects compiler output | +| `⚠️ Affects-Bootstrap` | 🤖 labelops-pr-security-scan | 👤 maintainer | PR affects bootstrap process | +| `⚠️ Affects-Restore` | 🤖 labelops-pr-security-scan | 👤 maintainer | PR modifies restore/package resolution | +| `⚠️ Affects-Design-Time` | 🤖 labelops-pr-security-scan | 👤 maintainer | PR affects design-time behavior | +| `⚠️ Affects-Test-Tooling` | 🤖 labelops-pr-security-scan | 👤 maintainer | PR modifies test tooling | +| `⚠️ Affects-Agent-Config` | 🤖 labelops-pr-security-scan | 👤 maintainer | PR modifies AI agent configuration | +| `⚠️ Suspicious-Prompting` | 🤖 labelops-pr-security-scan | 👤 maintainer | PR contains prompt injection patterns | +| `⚠️ Scope-Review-Needed` | 🤖 labelops-pr-security-scan | 👤 maintainer | PR diff exceeds stated scope | | `automation` | 🤖 aw-auto-update, 🤖 labelops-flake-fix | 👤 maintainer | PR was created by automation | | `NO_RELEASE_NOTES` | 🤖 repo-assist, 🤖 labelops-flake-fix | ⚙️ CI | PR does not need release notes entry | | `repo-assist` | 🤖 repo-assist | 🤖 repo-assist | Issue is managed by repo-assist (monthly summary) | 
@@ -182,14 +235,17 @@ stateDiagram-v2 | ⏰ scheduler | 🤖 repo-assist | Every 12h | Cron schedule | | ⏰ scheduler | 🤖 labelops-pr-maintenance | Every 3h | Cron schedule | | ⏰ scheduler | 🤖 regression-pr-shepherd | Every 4h | Cron schedule | +| ⏰ scheduler | 🤖 labelops-pr-security-scan | Every 1h | Cron schedule | | ⏰ scheduler | 🤖 aw-auto-update | Every 24h | Cron schedule | +| 🤖 aw-auto-update | 🤖 Copilot Coding Agent | Changes detected | `create-agent-session` safe output | | 🤖 repo-assist | 🤖 repo-assist | Own PR has CI failure or conflicts | `push-to-pull-request-branch` (self-heal) | | 🤖 labelops-flake-fix | 🤖 labelops-pr-maintenance | Fix PR created | Originating PR comment posted |
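Review bot: in the summary-table hunk (`@@ -10,7 +10,8 @@`), the rewritten `aw-auto-update` row keeps `automation` in the labels column while its outputs column shrinks from `PR, push` to `agent-session`; since the Infrastructure Lifecycle hunk in this same patch has the PR opened by the Copilot Coding Agent rather than by aw-auto-update, the row no longer says which actor applies `automation`. Either keep `labels` in the outputs column if aw-auto-update still labels the resulting PR, or attribute the label to the agent session and say so, so the row matches the label dictionary entry that still credits aw-auto-update as the adder.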
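Review bot: in the PR Security Scan Lifecycle hunk (`@@ -124,6 +125,46 @@`), `Flagged --> Labelled: 🤖 adds ⚠️ labels + comment (if changed)` covers a PR that gains flags, but there is no path for a previously flagged PR whose updated sha now classifies as Clean; because the label dictionary in this patch lists only 👤 maintainer as the remover of every ⚠️ label, flags appear to be sticky across pushes. That is a reasonable default for a safety classifier, but it should be stated, e.g. a `Clean --> ScannedClean: existing ⚠️ labels retained` annotation or a sentence under the diagram, so maintainers do not expect a re-scan to clear them. Separately, the decision nodes are declared as `state memcheck <>`, `state origin <>` and `state classify <>`; if the file really contains `<>` rather than `<<choice>>`, mermaid stateDiagram-v2 will not render them as choice nodes, so worth confirming this is not a copy/paste loss.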
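Review bot: in the Infrastructure Lifecycle hunk (`@@ -139,16 +180,17 @@`), `dedup --> AlreadyOpen: open PR or session exists` followed by `AlreadyOpen --> [*]: 🤖 aw-auto-update noops` replaces the removed `UpdateExisting --> WaitReview: 🤖 aw-auto-update pushes to branch`, so once a PR or session is open, `.github/workflows/*` changes detected on later 24h runs are dropped rather than pushed to the existing branch until that PR merges. If that is intended, the diagram should say the open PR may lag newer workflow changes; if not, a `dedup --> UpdateExisting` path is still needed. Also, nothing in the diagram shows how a session that never produces a PR is aged out, so a stalled session would block every subsequent update through the `AlreadyOpen` branch.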
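Review bot: in the label dictionary hunk (`@@ -164,6 +206,17 @@`), `AI-Tooling-Check-Bypassed` is described as "Non-fork PR, scan bypassed (trusted origin)" but the table gives no basis for the trust; one clause stating why same-repository branches are exempt (the lifecycle diagram keys the bypass purely on `headRepository == this repo`) would let maintainers judge whether the exemption still holds, especially since the `⚠️ Affects-Agent-Config` and `⚠️ Suspicious-Prompting` categories are the ones most relevant to changes arriving from any origin. Consider also noting in the `⚠️ Affects-*` rows that the scan comments only "if changed", so a maintainer reading the label alone knows to look for the scan comment for the matched file list.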
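Review bot: in the trigger-table hunk (`@@ -182,14 +235,17 @@`), the new row `🤖 aw-auto-update | 🤖 Copilot Coding Agent | Changes detected | create-agent-session safe output` gives "Changes detected" as the condition, but per the Infrastructure Lifecycle in this patch the session is created only after `dedup --> Delegate: no existing PR/session`; suggest "Changes detected, no open PR/session" so the two sections agree on when a session is spawned.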