[Pelis Agent Factory Advisor] Pelis Agent Factory Advisor — Agentic Workflow Opportunities (2026-06-16) #5138
Closed
Replies: 1 comment
-
|
This discussion was automatically closed because it expired on 2026-06-23T22:53:04.824Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
📊 Executive Summary
gh-aw-firewallhas a mature agentic workflow estate (42 agentic + ~20 traditional workflows) with excellent smoke test, security, token analysis, and code quality coverage. The top gaps for a security/firewall tool are: no Docker base image CVE monitoring, dangerously low coverage on the two most critical TypeScript files (cli.ts0%,docker-manager.ts18%), and no health aggregation layer for the 7+ smoke test flavors running every 12h.📋 Workflow Inventory
build-testci-cd-gaps-assessmentci-doctorclaude/copilot-token-*(×4)cli-flag-consistency-checkerconfig-consistency-auditorcontribution-checkdependency-security-monitordoc-maintainerduplicate-code-detectorexport-auditfirewall-issue-dispatcherissue-duplication-detectorissue-monsterplanred-team-benchmarkrefactoring-scannerschema-syncsecret-digger-*(×3)security-guardsecurity-reviewsmoke-*(×9 flavors)test-coverage-improvertest-coverage-reportertest-hard-cap-ai-creditsupdate-release-notes🚀 Recommendations
P0 — High Impact · Low Effort
1. 🐳 Docker Base Image CVE Monitor
What: Weekly scan of
ubuntu/squidandubuntu:22.04base images for CVEs usingdocker scoutor Trivy; create issues for HIGH/CRITICAL findings.Why:
dependency-security-monitorcovers npm packages but ignores the Docker images that form the actual sandbox boundary. A compromised base image directly undermines the firewall's isolation guarantee — the most glaring security gap for a tool whose core value is network isolation.How: Mirror
dependency-security-monitorstructure; agent runsdocker scout cves ghcr.io/github/gh-aw-firewall/agent:latestandsquid:latest, creates issues for HIGH/CRITICAL CVEs with base image pin suggestions.Effort: Low — template available in agentics
dependency-security-monitor.2. 💰 Cost Tracker on PRs
What: Post per-run token cost summaries (from
token-usage.jsonl) as PR comments when smoke/agentic CI completes.Why: Token analytics infrastructure exists (two analyzers + two optimizers) but there is no per-PR cost visibility. The Agentics library has a Cost Tracker template exactly for this. Developers get immediate feedback on token costs.
How:
workflow_runtrigger after smoke test completion; parsetoken-usage.jsonlartifact; post concise cost comment on the triggering PR.Effort: Low — Cost Tracker template available; infrastructure in place.
P1 — High Impact · Medium Effort
3. 🔍 Log Watcher for Smoke Tests
What: After each smoke test batch, scan logs for errors, retry loops, rate-limit messages, and token anomalies; post a health report.
Why: With 9 smoke flavors running every 12h, silent degradations (rate limits, model deprecations, flaky network) persist unnoticed.
ci-doctoronly triggers on outright failures, not degraded-but-passing runs. The community Log Watcher (AgentMeter/agentmeter-action) is a ready-made template.Effort: Medium — correlating run IDs to PRs and parsing artifacts.
4. 🛡️ Firewall ACL Regression Detector
What: When
squid-config.tsorcontainers/squid/**changes in a PR, automatically test that known-allowed domains still pass and known-blocked domains are still blocked.Why: The core security contract of
awfis the domain ACL. Today, ACL generation code changes have no integration-level validation. A refactor accidentally flipping ACL logic could silently allow exfiltration — the highest-severity failure mode for this tool.How: PR trigger on squid-config file changes; agent starts AWF with test domain list, makes requests, validates pass/fail matrix, comments on PR.
Effort: Medium — requires an integration test harness using
awfitself.P2 — Medium Impact
5. 📈 Coverage Ratchet for Critical Files
What: Dedicated weekly workflow targeting
cli.ts(0%) anddocker-manager.ts(18%) specifically, with explicit per-file coverage targets (not just overall thresholds).Why: The existing
test-coverage-improveris generic and the thresholds sit just above the current watermark (38%). These two files orchestrate container lifecycle and network isolation setup — zero and near-zero coverage is a concrete security risk. The overall metric masks the critical gap.Effort: Medium — requires writing tests for complex async/docker-exec code paths.
P3 — Nice to Have
📈 Maturity Assessment
Overall: 4/5 — One of the most complete agentic workflow setups observed. Gaps are specific and actionable, not foundational.
📝 Cache Note
Content hash
08e334c6d63f14b2829907c5645eb34832c83b2ac96cd79910daa928300cff73— updatepelis_docs_hashin cache-memory on next run. Track: Docker CVE monitor adoption, cli.ts coverage trend, ACL regression detector.Beta Was this translation helpful? Give feedback.
All reactions