Restrict retro agent target_repo to known-valid destinations

[ralphbean]

What happens

The retro agent's post-retro.sh accepts any target_repo value from agent output as long as it matches the owner/repo regex format. There's no validation that the target is a repo the agent should be filing in. If the agent hallucinates or is prompt-injected, it could file issues in any repo the token has access to within the org.

The token scoping (org-bounded) limits blast radius, but within the org the agent has unsupervised control over where issues land.

What should happen

target_repo should be validated against a closed set of known-valid destinations:

1. The source repo — the repo whose PR triggered the retro
2. The org's .fullsend repo — for org-level configuration improvements
3. fullsend-ai/fullsend — for upstream platform improvements (pending cross-org authorization from Retro agent post-script needs cross-org issue filing with authorization #672)

Any other target_repo value should be rejected by the post-script before attempting gh issue create.

Context

Split out from #672, which is now focused on the cross-org authorization mechanism. This issue covers the complementary concern: even within authorized orgs, the agent shouldn't have free rein over which repos it targets.

Related: #672, #833

[github-actions]

fullsend triage is working on this — view logs

[fullsend-ai-triage]

Triage Summary

Severity: High | Category: Security

The post-retro.sh script at internal/scaffold/fullsend-repo/scripts/post-retro.sh accepts any target_repo value from agent output as long as it matches the owner/repo regex format, with no semantic validation. Under prompt injection or hallucination, the agent could file issues in any repo the org token has access to.

Recommended Fix

Add an allowlist check in post-retro.sh before the gh issue create call. Valid destinations:

1. Source repo — the repo whose PR triggered the retro (should be available from the run context)
2. Org .fullsend repo — for org-level config improvements
3. (Future, pending Retro agent post-script needs cross-org issue filing with authorization #672) — fullsend-ai/fullsend for upstream improvements, once cross-org authorization is implemented

Reject any target_repo not on the allowlist with a clear error message. Items 1–2 are implementable now; item 3 should be stubbed with a comment referencing #672.

Note: #833 (temporary discouragement of .fullsend filing) is already closed, so .fullsend can be included in the allowlist.

Proposed Test Case

Test: target_repo allowlist validation

Given source repo = "myorg/myapp":
  - target_repo="myorg/myapp"       → ACCEPT (source repo)
  - target_repo="myorg/.fullsend"   → ACCEPT (org config repo)
  - target_repo="myorg/other-repo"  → REJECT
  - target_repo="other-org/repo"    → REJECT
  - target_repo=""                  → REJECT
  - target_repo="invalid"           → REJECT