fix: add division-by-zero guard and enforce agent delegation protocol #583
oalanicolas wants to merge 9 commits into main
Walkthrough
Adds division-by-zero guards to master-orchestrator progress calculations and updates aiox-master persona and agent-authority rules to enforce a mandatory pre-execution ownership check that delegates to exclusive agents by default, with explicit override exceptions (--force-execute, workflow-engine mode, AIOX_DEBUG=true).
Sequence Diagram(s)
```mermaid
sequenceDiagram
    participant Client as Client
    participant Master as aiox-master
    participant Matrix as Delegation Matrix
    participant Agent as Exclusive Agent
    Client->>Master: request(task)
    Master->>Matrix: checkOwnership(task)
    alt exclusive owner found
        Matrix-->>Master: owner = Agent
        Master->>Agent: delegate(task)
        Agent-->>Client: result
    else no exclusive owner
        Master-->>Client: execute(task) / result
    end
    Note right of Master: exceptions: --force-execute, workflow-engine mode, AIOX_DEBUG=true
```
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
📊 Coverage Report
Coverage report not available
Generated by PR Automation (Story 6.1)
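The ownership check from the walkthrough's sequence diagram, written out as an added example; it is not code from this PR or from aiox-core. The matrix contents, personas, task file names, the `ctx` shape (how `--force-execute` and workflow-engine mode reach the check) and the `AUTHORITY_OVERRIDE` record are assumptions; the rejection message and incident entry follow the formats quoted later in this thread.

```javascript
// Added example. Every name here is hypothetical; none of it is aiox-core code.

// Constructed ownership table standing in for the Delegation Matrix.
// A Map is used so keys such as "constructor" never resolve to an owner.
const DELEGATION_MATRIX = new Map([
  ['write-prd.md', { agent: 'pm', persona: 'persona-a' }],        // constructed
  ['push-release.md', { agent: 'devops', persona: 'persona-b' }], // constructed
]);

// Reduce a task reference to a canonical key, so that a path prefix or a
// different letter case cannot miss the lookup and fall through to direct
// execution (the diagram's "no exclusive owner" branch).
function canonicalTask(taskFile) {
  return String(taskFile).split(/[\\/]/).pop().trim().toLowerCase();
}

// Name of the active override, or null. Only the three exceptions listed
// in the PRE-EXECUTION CHECK are recognised.
function activeOverride(ctx) {
  const argv = ctx.argv || [];
  const env = ctx.env || {};
  if (argv.includes('--force-execute')) return '--force-execute';
  if (ctx.mode === 'workflow-engine') return 'workflow-engine'; // assumed signal
  // Exact match only: "1", "TRUE" or "false" must not enable the bypass.
  if (env.AIOX_DEBUG === 'true') return 'AIOX_DEBUG=true';
  return null;
}

// Rejection script in the format quoted in this thread.
function rejectionMessage(owner, task) {
  return `⚠️ This task belongs to @${owner.agent} (${owner.persona}). ` +
    `Delegating: → @${owner.agent} | task: ${task}`;
}

// Decide whether @aiox-master executes the task or hands it to its owner.
function preExecutionCheck(taskFile, ctx = {}) {
  const task = canonicalTask(taskFile);
  const owner = DELEGATION_MATRIX.get(task) || null;
  if (!owner) {
    return { action: 'execute', task, owner: null, override: null, audit: null };
  }
  const override = activeOverride(ctx);
  if (override) {
    // Constructed audit record, so that use of an override is attributable.
    const audit = `AUTHORITY_OVERRIDE: @aiox-master executing ${task} ` +
      `owned_by: @${owner.agent} via: ${override}`;
    return { action: 'execute', task, owner, override, audit };
  }
  return {
    action: 'delegate', task, owner, override: null, audit: null,
    message: rejectionMessage(owner, task),
  };
}

// Incident entry for the self-correction protocol. Field names follow the
// log format quoted in this thread; one field per line is an assumed layout.
function incidentEntry({ timestamp, task, owner, actionsTaken, reverted }) {
  return [
    `[${timestamp}] AUTHORITY_VIOLATION: @aiox-master attempted ${task}`,
    `  owned_by: @${owner.agent} (${owner.persona})`,
    `  actions_taken: [${actionsTaken.join(', ')}]`,
    `  reverted: [${reverted.join(', ')}]`,
    `  delegated_to: @${owner.agent}`,
  ].join('\n');
}
```

A task that is absent from the matrix is executed directly, as in the diagram's else branch, so the check is only as strong as the matrix is complete.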
Actionable comments posted: 4
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.aiox-core/core/orchestration/master-orchestrator.js (1)
1357-1364: ⚠️ Potential issue | 🟠 Major
Exclude on-demand epics from the completed count too.
Both helpers now guard the zero denominator, but the numerator still counts every completed epic. If Epic 5 finishes during recovery, these methods can report `4 / 3 = 133%` because `totalEpics` excludes on-demand epics while `completedEpics` does not. That leaks into `listSavedStates()`, `getStatus()`, and dashboard updates.
Suggested fix
- const totalEpics = Object.keys(EPIC_CONFIG).filter((num) => !EPIC_CONFIG[num].onDemand).length; - if (totalEpics === 0) return 0; - - const completedEpics = Object.values(state.epics).filter( - (epic) => epic.status === EpicStatus.COMPLETED, - ).length; + const includedEpics = Object.keys(EPIC_CONFIG).filter((num) => !EPIC_CONFIG[num].onDemand); + const totalEpics = includedEpics.length; + if (totalEpics === 0) return 0; + + const completedEpics = includedEpics.filter( + (num) => state.epics[num]?.status === EpicStatus.COMPLETED, + ).length; @@ - const totalEpics = Object.keys(EPIC_CONFIG).filter((num) => !EPIC_CONFIG[num].onDemand).length; - if (totalEpics === 0) return 0; - - const completedEpics = Object.values(this.executionState.epics).filter( - (epic) => epic.status === EpicStatus.COMPLETED, - ).length; + const includedEpics = Object.keys(EPIC_CONFIG).filter((num) => !EPIC_CONFIG[num].onDemand); + const totalEpics = includedEpics.length; + if (totalEpics === 0) return 0; + + const completedEpics = includedEpics.filter( + (num) => this.executionState.epics[num]?.status === EpicStatus.COMPLETED, + ).length;As per coding guidelines, "
`.aiox-core/core/**`: Ensure backwards compatibility — core modules are consumed by all agents."
Also applies to: 1414-1421
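Review bot: In both hunks the new lookup (`state.epics[num]?.status` and `this.executionState.epics[num]?.status`) assumes the state object is keyed by the same identifiers as `EPIC_CONFIG`; the replaced code iterated `Object.values(...)` and made no such assumption, so a key mismatch would now silently report 0% instead of failing. A test that pins the key shape would cover this, and since the two hunks differ only in the state source, the filter could live in one helper that takes the epics map as an argument.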
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.aiox-core/core/orchestration/master-orchestrator.js around lines 1357 - 1364, The completedEpics count currently includes on-demand epics while totalEpics excludes them, causing percentages >100%; update the computation that uses EPIC_CONFIG and state.epics (the block using totalEpics, completedEpics, and EpicStatus.COMPLETED) to filter completedEpics the same way totalEpics is computed by ignoring EPIC_CONFIG[num].onDemand — i.e., only count epics present in EPIC_CONFIG and not marked onDemand and with status === EpicStatus.COMPLETED. Apply the same fix to the other occurrence around the block at 1414-1421 to keep behavior consistent.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.aiox-core/development/agents/aiox-master.md:
- Around line 105-106: The agent definition for `@aiox-master` contains
conflicting rules: update the "PRE-EXECUTION CHECK" block so it clearly mandates
delegation to an exclusive agent (unless overridden by --force-execute,
workflow-engine mode, or AIOX_DEBUG=true) and remove or narrow the blanket
permission expressed by the line "Execute framework governance tasks directly"
and any other language that says `@aiox-master` may execute any task directly;
ensure all sections that currently grant universal execution power (including
the paragraphs that repeat the old behavior) are changed to reference
delegation-first behavior and enumerate the explicit, small set of governance
exceptions if any; after updating the source agent definition update the
regenerated docs so they match the new delegation-first language (verify
occurrences of the strings "PRE-EXECUTION CHECK" and "Execute framework
governance tasks directly" are consistent).
In @.claude/rules/agent-authority.md:
- Around line 86-90: The Rejection Script for `@aiox-master` currently only emits
a delegation message and lacks the required self-correction flow from Issue
`#527`; update the agent-authority rule (the "Rejection Script" section) to
require that when `@aiox-master` has begun incorrect work it must: (1) revert or
remove any improper artifacts it created (describe the revert step and reference
the artifact naming conventions used by the repo), (2) append the delegation
message "⚠️ This task belongs to @{agent} ({persona}). Delegating: → @{agent} |
task: {task-file}" and explicitly hand off the task to @{agent}, and (3) create
a structured incident log entry that records the original actions, timestamps,
and the target @{agent} for auditing; ensure the new text names `@aiox-master` and
@{agent} so implementers can map the behavior to the existing rejection/delegate
workflow.
- Around line 76-84: The Delegation Matrix row for "Override agent boundaries"
is missing the AIOX_DEBUG=true debug override; update the table entry so the
policy row aligns with the mandatory pre-execution check by including
AIOX_DEBUG=true as an allowed override (in addition to `--force-execute` and
workflow-engine mode), and ensure the text under "Pre-Execution Check" and any
references to `@aiox-master`, `--force-execute`, and workflow-engine mode
consistently mention AIOX_DEBUG=true so agents reading the capability table will
accept the debug override.
In @.gemini/rules/AIOX/agents/aiox-master.md:
- Around line 105-106: Add a new agent-authority.md containing a clear
"Delegation Matrix" referenced by the PRE-EXECUTION CHECK principle in
.gemini/rules/AIOX/agents/aiox-master.md, and update that principle to point to
the new document; document the three exception mechanisms (--force-execute flag,
workflow-engine mode, and AIOX_DEBUG=true) in user-facing docs (or in
aiox-master.md) with purpose, usage examples, and security implications; verify
that the standardized rejection script format and self-correction protocol
described in the PR objectives are implemented (or add them) and reference their
implementation files/entrypoints so the PRE-EXECUTION CHECK and delegation flow
can call the rejection handler and self-correction routine consistently.
📒 Files selected for processing (8)
- .aiox-core/core/orchestration/master-orchestrator.js
- .aiox-core/data/entity-registry.yaml
- .aiox-core/development/agents/aiox-master.md
- .aiox-core/install-manifest.yaml
- .claude/commands/AIOX/agents/aiox-master.md
- .claude/rules/agent-authority.md
- .codex/agents/aiox-master.md
- .gemini/rules/AIOX/agents/aiox-master.md
| - "PRE-EXECUTION CHECK: Before executing any task, verify if an exclusive agent owns it (see agent-authority.md Delegation Matrix). If yes, DELEGATE — do not execute directly. Exceptions: --force-execute flag, workflow-engine mode, or AIOX_DEBUG=true." | ||
| - Execute framework governance tasks directly (meta-ops, orchestration, constitutional enforcement) |
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# Description: Verify agent-authority.md, delegation mechanism, and IDE copy consistency
echo "=== Checking for agent-authority.md and Delegation Matrix ==="
fd -t f "agent-authority.md" --exec grep -l "Delegation Matrix"
echo -e "\n=== Checking for delegation mechanism implementation ==="
rg -n -C3 "DELEGATE|delegation" --type=js --type=md -g '!.gemini/*' | head -50
echo -e "\n=== Checking exception flag documentation ==="
rg -n "force-execute|workflow-engine mode|AIOX_DEBUG" --type=md -g 'README*' -g '*doc*'
echo -e "\n=== Verifying consistency across IDE agent copies ==="
echo "Gemini version (this file):"
rg -n "PRE-EXECUTION CHECK" .gemini/rules/AIOX/agents/aiox-master.md
echo -e "\nClaude version:"
fd -t f "aiox-master.md" -p ".claude" --exec rg -n "PRE-EXECUTION CHECK"
echo -e "\nCodex version:"
fd -t f "aiox-master.md" -p ".codex" --exec rg -n "PRE-EXECUTION CHECK"
echo -e "\nMain aiox-core version:"
rg -n "PRE-EXECUTION CHECK" .aiox-core/development/agents/aiox-master.md 2>/dev/null || echo "File not found"
echo -e "\n=== Checking for rejection script format ==="
rg -n -C3 "rejection script|out-of-scope" --type=md
```
Repository: SynkraAI/aiox-core
Length of output: 5727
Resolve external file references and document exception mechanisms.
The PRE-EXECUTION CHECK principle references agent-authority.md Delegation Matrix, but this file does not exist in the codebase. Additionally, the three exception conditions (--force-execute flag, workflow-engine mode, AIOX_DEBUG=true) are not documented anywhere in the repository, creating unclear escape hatches from the delegation protocol.
Required actions:
- Create `agent-authority.md` with a Delegation Matrix section that this principle depends on
- Document the three exception flags (their purpose, usage, and security implications) in user-facing documentation or this file
- Verify that the standardized rejection script format and self-correction protocol mentioned in the PR objectives are implemented or add them to this change

Note: The consistency across all four IDE agent copies (Gemini, Claude, Codex, and main .aiox-core) is confirmed.
@Pedrovaleriolopez, the division-by-zero fix in master-orchestrator is already covered by our PR #536 (opened Feb 28). In fact, issue #532, which prompted this fix, was reported by us. PR #536 is already MERGEABLE with tests.
Hey @oalanicolas — CodeRabbit flagged 4 actionable issues:
Actionable:
Also check CI is green. Please apply and push.
- Resolve delegation rule contradiction in aiox-master.md (line 106): Replace vague "Execute framework governance tasks directly" with explicit language clarifying these are the ONLY tasks executed directly and that delegation-first applies to all exclusive-agent tasks. Applies to .aiox-core and .gemini copies.
- Add AIOX_DEBUG=true to override table in agent-authority.md (line 78): The capability table row for "Override agent boundaries" was missing the debug override, creating a gap between the table and the Pre-Execution Check text (which already listed it).
- Add self-correction protocol to Rejection Script in agent-authority.md: Issue #527 required @aiox-master to revert improper artifacts, delegate to the correct agent, and log the incident when it has already begun executing an out-of-scope task. The prior fix only defined the rejection message; this adds the full remediation flow.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Actionable comments posted: 1
🧹 Nitpick comments (2)
.claude/rules/agent-authority.md (2)
86-90: Consider adding language specifier to code block.
The fenced code block at line 87 lacks a language identifier. While this is a minor markdown linting issue, adding a language specifier (e.g., `text` or `markdown`) improves consistency and tool compatibility.
📝 Proposed fix
**Rejection Script:** When `@aiox-master` cannot execute a task due to agent authority: -``` +```text ⚠️ This task belongs to @{agent} ({persona}). Delegating: → @{agent} | task: {task-file}</details> <details> <summary>🤖 Prompt for AI Agents</summary>Verify each finding against the current code and only fix it if needed.
In @.claude/rules/agent-authority.md around lines 86 - 90, The fenced code block
containing the rejection script lines starting with "⚠️ This task belongs to
@{agent} ({persona})." should include a language specifier to satisfy markdown
linting and improve tool compatibility; update the opening fence from ``` to a
language-tagged fence like ```text (or ```markdown) for the block that also
contains "Delegating: → @{agent} | task: {task-file}" so the block is
consistently recognized as plain text/markdown by linters and renderers.</details> --- `92-102`: **Consider adding language specifier to log format code block.** The log format code block at line 96 lacks a language identifier. Adding a specifier (e.g., ```text or ```log) would address the markdown linting warning and improve consistency with documentation standards. <details> <summary>📝 Proposed fix</summary> ```diff 3. **Log the incident** — Append a structured entry to `.aiox/logs/agent-authority-incidents.log`: - ``` + ```text [timestamp] AUTHORITY_VIOLATION: `@aiox-master` attempted {task-file} owned_by: @{agent} ({persona}) actions_taken: [list of actions performed before detection] reverted: [list of artifacts removed/undone] delegated_to: @{agent} ``` ``` </details> <details> <summary>🤖 Prompt for AI Agents</summary>Verify each finding against the current code and only fix it if needed.
In @.claude/rules/agent-authority.md around lines 92 - 102, In the
"Self-Correction Protocol" section containing the log example code block (the
triple-backtick block starting with "[timestamp] AUTHORITY_VIOLATION:
`@aiox-master` attempted {task-file}"), add a language specifier like ```text (or
```log) immediately after the opening backticks so the block becomes ```text ...
``` to satisfy markdown linting and documentation consistency; ensure only the
opening fence is modified and the content of the log example remains unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.aiox-core/development/agents/aiox-master.md:
- Around line 105-106: Replace the three contradictory statements so they
reflect the delegation-first policy: change the phrase "executes any task
directly" to state that the agent must DELEGATE tasks owned by exclusive agents
and only execute framework governance tasks directly or when explicit exceptions
apply (--force-execute, workflow-engine mode, or AIOX_DEBUG=true); similarly
replace "Can execute any task from any agent directly" and "Executing any task
from any agent directly" with wording that mandates delegation to the owning
exclusive agent first and permits direct execution only for framework governance
tasks or under the same explicit exceptions referenced in the PRE-EXECUTION
CHECK.
---
Nitpick comments:
In @.claude/rules/agent-authority.md:
- Around line 86-90: The fenced code block containing the rejection script lines
starting with "⚠️ This task belongs to @{agent} ({persona})." should include a
language specifier to satisfy markdown linting and improve tool compatibility;
update the opening fence from ``` to a language-tagged fence like ```text (or
```markdown) for the block that also contains "Delegating: → @{agent} | task:
{task-file}" so the block is consistently recognized as plain text/markdown by
linters and renderers.
- Around line 92-102: In the "Self-Correction Protocol" section containing the
log example code block (the triple-backtick block starting with "[timestamp]
AUTHORITY_VIOLATION: `@aiox-master` attempted {task-file}"), add a language
specifier like ```text (or ```log) immediately after the opening backticks so
the block becomes ```text ... ``` to satisfy markdown linting and documentation
consistency; ensure only the opening fence is modified and the content of the
log example remains unchanged.
📒 Files selected for processing (4)
- .aiox-core/development/agents/aiox-master.md
- .aiox-core/install-manifest.yaml
- .claude/rules/agent-authority.md
- .gemini/rules/AIOX/agents/aiox-master.md
🚧 Files skipped from review as they are similar to previous changes (1)
- .gemini/rules/AIOX/agents/aiox-master.md
Review ⚡ @devops
Code: APPROVED ✅ — Fixes are correct:
Blocker: ❌ Merge conflict — please rebase against
```
git fetch origin && git rebase origin/main
```
Once rebased, this is ready to merge.
Actionable comments posted: 2
♻️ Duplicate comments (1)
.claude/commands/AIOX/agents/aiox-master.md (1)
106-106: ⚠️ Potential issue | 🟠 Major
Critical: Line 106 is inconsistent with the source file (same issue as .codex version).
This file has the same synchronization problem as .codex/agents/aiox-master.md. Line 106 contains an incomplete principle that omits the mandatory delegation language and explicit exceptions present in the source file.
🔧 Proposed fix to synchronize with source
- - Execute framework governance tasks directly (meta-ops, orchestration, constitutional enforcement) + - "Framework governance tasks (meta-ops, orchestration, constitutional enforcement) are the ONLY tasks executed directly. All tasks that belong to an exclusive agent MUST be delegated first. Direct execution is permitted only under explicit exceptions: --force-execute flag, workflow-engine mode, or AIOX_DEBUG=true."🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.claude/commands/AIOX/agents/aiox-master.md at line 106, The principle line currently reads "Execute framework governance tasks directly (meta-ops, orchestration, constitutional enforcement)" but is missing the mandatory delegation wording and explicit exception clauses from the canonical source; update the corresponding entry in aiox-master.md so it exactly matches the source (.codex version) by adding the required mandatory delegation language and the explicit exceptions/exemptions for when direct execution is allowed, ensuring the phraseology and parenthetical examples (meta-ops, orchestration, constitutional enforcement) match the source verbatim.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.aiox-core/development/agents/aiox-master.md:
- Around line 105-106: Update the PRE-EXECUTION CHECK reference to point to the
correct document title "Command Authority Matrix" (replace the old
"agent-authority.md Delegation Matrix" text with "Command Authority Matrix") and
append a brief parenthetical or inline note that the three escape mechanisms are
the --force-execute flag, workflow-engine mode, and AIOX_DEBUG=true; also add a
short pointer to where those mechanisms are implemented or documented
(referencing the flag/setting names themselves) so readers can find the
implementation details for the exceptions.
In @.codex/agents/aiox-master.md:
- Line 106: Replace the abbreviated bullet "- Execute framework governance tasks
directly (meta-ops, orchestration, constitutional enforcement)" with the full
principle text from the source so the delegation rule and explicit exceptions
are preserved: use the exact wording "Framework governance tasks (meta-ops,
orchestration, constitutional enforcement) are the ONLY tasks executed directly.
All tasks that belong to an exclusive agent MUST be delegated first. Direct
execution is permitted only under explicit exceptions: --force-execute flag,
workflow-engine mode, or AIOX_DEBUG=true." to ensure the mandatory delegation
requirement and allowed exceptions are present.
📒 Files selected for processing (5)
- .aiox-core/development/agents/aiox-master.md
- .aiox-core/install-manifest.yaml
- .claude/commands/AIOX/agents/aiox-master.md
- .codex/agents/aiox-master.md
- .gemini/rules/AIOX/agents/aiox-master.md
| - "PRE-EXECUTION CHECK: Before executing any task, verify if an exclusive agent owns it (see agent-authority.md Delegation Matrix). If yes, DELEGATE — do not execute directly. Exceptions: --force-execute flag, workflow-engine mode, or AIOX_DEBUG=true." | ||
| - "Framework governance tasks (meta-ops, orchestration, constitutional enforcement) are the ONLY tasks executed directly. All tasks that belong to an exclusive agent MUST be delegated first. Direct execution is permitted only under explicit exceptions: --force-execute flag, workflow-engine mode, or AIOX_DEBUG=true." |
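Review bot: The exception list (--force-execute flag, workflow-engine mode, AIOX_DEBUG=true) is repeated verbatim in both principles, and neither requires that an override be recorded when it is used, so a bypass of delegation leaves no trace. Suggest stating the exceptions once, adding that any override is logged, and specifying that AIOX_DEBUG must equal the literal value true, since a debug variable that doubles as an authority bypass is easy to leave set.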
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# Verify agent-authority.md exists and contains Delegation Matrix
echo "=== Searching for agent-authority.md ==="
fd -t f "agent-authority.md" -x echo "Found: {}"
echo -e "\n=== Checking for Delegation Matrix in agent-authority.md ==="
fd -t f "agent-authority.md" -x grep -n "Delegation Matrix" {}
echo -e "\n=== Searching for exception flag documentation ==="
rg -n "force-execute|workflow-engine mode|AIOX_DEBUG" --type=md -g 'README*' -g '*doc*' -g '*guide*' | head -20
echo -e "\n=== Checking if flags are implemented in code ==="
rg -n "force-execute|workflow-engine|AIOX_DEBUG" --type=js --type=ts -C2 | head -30
```
Repository: SynkraAI/aiox-core
Length of output: 1787
🌐 Web query:
AIOX agent-authority.md Delegation Matrix SynkraAI
💡 Result:
What I found (SynkraAI / AIOX)
- I could not find any file named `agent-authority.md` in the public `SynkraAI/aiox-core` repository (main branch). (github.com)
- In AIOX, the “delegation matrix” concept appears to be implemented/documented as a “Command Authority Matrix” (i.e., which agent can run which commands / who delegates to whom). This is explicitly referenced inside agent definitions (example: `pm.md` links to `docs/architecture/command-authority-matrix.md`). (app.unpkg.com)
- The repo’s framework docs also mention an old/deprecated `docs/architecture/` location for framework docs (kept temporarily for backward compatibility), which matches that `pm.md` link style. (github.com)
- A release note for `SynkraAI/aiox-core` mentions fixes to `command-authority-matrix.md`, confirming the file name exists/has existed in the project history even if it’s not currently at the guessed paths on `main`. (newreleases.io)
Likely conclusion
Your query string “AIOX agent-authority.md Delegation Matrix” most likely refers to the Command Authority Matrix documentation, and agent-authority.md is either:
- an older internal name,
- a file that was moved/renamed, or
- not part of the public repo.
If you tell me where you saw agent-authority.md referenced (issue/PR/link), I can track the exact commit/path it lived at.
Citations:
- 1: https://github.com/SynkraAI/aiox-core
- 2: https://app.unpkg.com/aios-core%404.4.6/files/.aios-core/development/agents/pm.md?utm_source=openai
- 3: https://github.com/SynkraAI/aiox-core/tree/main/docs/framework
- 4: https://newreleases.io/project/github/SynkraAI/aiox-core/release/v4.0.0?utm_source=openai
Update the PRE-EXECUTION CHECK reference to point to the correct documentation file.
Line 105 references agent-authority.md Delegation Matrix, but the actual file is docs/architecture/command-authority-matrix.md (often called the "Command Authority Matrix" in the codebase). Additionally, the three exception mechanisms (--force-execute flag, workflow-engine mode, AIOX_DEBUG=true) are mentioned but not documented within this agent definition or clearly linked to their implementation, leaving unclear escape hatches from the delegation protocol.
…#532, #527)

master-orchestrator.js divide by totalEpics without checking for zero. When all epics have onDemand: true, this produces NaN. Added early return of 0 when totalEpics === 0.

interpreted by LLMs as blanket permission, bypassing agent authority. Fixed by:
- Replacing "No restrictions" with explicit delegation-by-default table in agent-authority.md
- Adding PRE-EXECUTION CHECK as first core_principle in aiox-master agent
- Defining rejection script format for out-of-scope tasks
- Preserving --force-execute, workflow-engine, and debug overrides

Synced across all IDE copies (claude, gemini, codex).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Addresses CodeRabbit Critical: ensure aiox-master mandates delegation to exclusive agents, with direct execution only for governance tasks or explicit exceptions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
6f47289 to 4bbfec3
Actionable comments posted: 3
♻️ Duplicate comments (3)
.aiox-core/development/agents/aiox-master.md (1)
433-433: ⚠️ Potential issue | 🟠 Major
The guide still reintroduces blanket direct execution.
This line switches the guide to delegation-first, but Line 446 still says `*task {task}` can "run any task directly." That makes the source definition internally inconsistent again, and the synced copies inherit the same mixed instruction set.
As per coding guidelines, "Allowed direct execution only for framework governance tasks; explicit overrides: --force-execute, workflow-engine mode, or AIOX_DEBUG=true."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.aiox-core/development/agents/aiox-master.md at line 433, The document is inconsistent: update the phrase that currently allows "*task {task} can run any task directly" so it matches the expressed policy "Executing framework governance tasks directly; delegating exclusive-agent tasks to their owners"; change the "*task {task}" wording to explicitly restrict direct execution to framework governance tasks only and list the explicit overrides (--force-execute, workflow-engine mode, AIOX_DEBUG=true) as the only cases permitting direct execution; ensure the new wording references framework governance tasks and the three overrides so the guide and synced copies are consistent.
.codex/agents/aiox-master.md (1)
105-106: ⚠️ Potential issue | 🟠 Major
This synced copy still weakens the governance rule.
Line 106 drops the source wording from `.aiox-core/development/agents/aiox-master.md` Lines 105-106 that governance tasks are the only work `@aiox-master` may execute directly and that direct execution is limited to the explicit exceptions. If Codex reads this file in isolation, it can still interpret governance execution as a broad permission.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.codex/agents/aiox-master.md around lines 105 - 106, Restore the original strict governance wording: in the PRE-EXECUTION CHECK and the line that currently reads "Execute framework governance tasks directly (meta-ops, orchestration, constitutional enforcement)" explicitly state that governance tasks are the only tasks `@aiox-master` may execute directly and re-add the exception clause exactly naming the allowed exceptions (--force-execute flag, workflow-engine mode, AIOX_DEBUG=true); ensure the PRE-EXECUTION CHECK text includes the "only" qualifier and the three explicit exceptions so the rule cannot be interpreted as a broad permission.
.claude/commands/AIOX/agents/aiox-master.md (1)
105-106: ⚠️ Potential issue | 🟠 Major
This synced copy is still missing the "only direct tasks" wording.
Line 106 reverts to the abbreviated sentence and drops the explicit exception language present in `.aiox-core/development/agents/aiox-master.md` Lines 105-106. That reintroduces the same ambiguity this PR is trying to remove.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.claude/commands/AIOX/agents/aiox-master.md around lines 105 - 106, Restore the missing explicit wording by replacing the abbreviated line with the full pre-execution check text: include the exact string starting "PRE-EXECUTION CHECK: Before executing any task, verify if an exclusive agent owns it (see agent-authority.md Delegation Matrix). If yes, DELEGATE — do not execute directly. Exceptions: --force-execute flag, workflow-engine mode, or AIOX_DEBUG=true." and ensure the following line still states "Execute framework governance tasks directly (meta-ops, orchestration, constitutional enforcement)" so the document keeps the "only direct tasks" semantics and the explicit exception list.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.aiox-core/install-manifest.yaml:
- Around line 903-906: In both _calculateProgressFromState and
getProgressPercentage update how completedEpics is computed: instead of counting
all completed epics, use Object.entries(state.epics) and filter entries by the
same condition used for totalEpics (i.e., !EPIC_CONFIG[num].onDemand) and
epic.status === EpicStatus.COMPLETED so onDemand epics are excluded; update the
completedEpics variable in each function to mirror the provided filter logic
referencing EPIC_CONFIG, EpicStatus, and state.epics.
In @.claude/rules/agent-authority.md:
- Around line 81-102: The agent-invoker currently bypasses the Delegation
Matrix; update .aiox-core/core/orchestration/agent-invoker.js to perform a
pre-execution authority check before loading/executing any agent/task pair: call
a new or existing checkDelegationMatrix(task, agent, context) and if the matrix
says the operation is owned by an exclusive agent, do not execute but instead
emit the Rejection Script message, delegate to that agent, and return; honor the
three override paths (--force-execute flag, workflow-engine mode, and
AIOX_DEBUG=true) to allow execution when explicitly allowed; additionally,
implement the Self-Correction Protocol in the execution path (undo created
artifacts, emit the delegation message, and append a structured entry to
.aiox/logs/agent-authority-incidents.log) if execution already started for a
task owned by another agent so violations are reverted, logged, and handed off.
- Around line 81-95: The Delegation Matrix is missing an entry for QA so
`@aiox-master` may not delegate `@qa *qa-gate` tasks; update the Delegation Matrix
in .claude/rules/agent-authority.md to include an authority row for `@qa` (or a
wildcard mapping that covers `*qa-gate`) so the Pre-Execution Check performed by
`@aiox-master` will detect and delegate QA-owned operations; ensure the matrix key
exactly matches `@qa` and/or the pattern `*qa-gate`, and keep the Rejection
Script and Self-Correction Protocol behavior (including appending to
.aiox/logs/agent-authority-incidents.log) unchanged.
---
Duplicate comments:
In @.aiox-core/development/agents/aiox-master.md:
- Line 433: The document is inconsistent: update the phrase that currently
allows "*task {task} can run any task directly" so it matches the expressed
policy "Executing framework governance tasks directly; delegating
exclusive-agent tasks to their owners"; change the "*task {task}" wording to
explicitly restrict direct execution to framework governance tasks only and list
the explicit overrides (--force-execute, workflow-engine mode, AIOX_DEBUG=true)
as the only cases permitting direct execution; ensure the new wording references
framework governance tasks and the three overrides so the guide and synced
copies are consistent.
In @.claude/commands/AIOX/agents/aiox-master.md:
- Around line 105-106: Restore the missing explicit wording by replacing the
abbreviated line with the full pre-execution check text: include the exact
string starting "PRE-EXECUTION CHECK: Before executing any task, verify if an
exclusive agent owns it (see agent-authority.md Delegation Matrix). If yes,
DELEGATE — do not execute directly. Exceptions: --force-execute flag,
workflow-engine mode, or AIOX_DEBUG=true." and ensure the following line still
states "Execute framework governance tasks directly (meta-ops, orchestration,
constitutional enforcement)" so the document keeps the "only direct tasks"
semantics and the explicit exception list.
In @.codex/agents/aiox-master.md:
- Around line 105-106: Restore the original strict governance wording: in the
PRE-EXECUTION CHECK and the line that currently reads "Execute framework
governance tasks directly (meta-ops, orchestration, constitutional enforcement)"
explicitly state that governance tasks are the only tasks `@aiox-master` may
execute directly and re-add the exception clause exactly naming the allowed
exceptions (--force-execute flag, workflow-engine mode, AIOX_DEBUG=true); ensure
the PRE-EXECUTION CHECK text includes the "only" qualifier and the three
explicit exceptions so the rule cannot be interpreted as a broad permission.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 1c1181f4-1dc3-45d9-9494-41162e088dc1
📒 Files selected for processing (9)
- .aiox-core/core/orchestration/master-orchestrator.js
- .aiox-core/data/entity-registry.yaml
- .aiox-core/development/agents/aiox-master.md
- .aiox-core/install-manifest.yaml
- .claude/commands/AIOX/agents/aiox-master.md
- .claude/rules/agent-authority.md
- .codex/agents/aiox-master.md
- .gemini/rules/AIOX/agents/aiox-master.md
- .github/agents/aiox-master.agent.md
🚧 Files skipped from review as they are similar to previous changes (2)
- .aiox-core/core/orchestration/master-orchestrator.js
- .gemini/rules/AIOX/agents/aiox-master.md
| - path: core/orchestration/master-orchestrator.js | ||
| hash: sha256:61b874d74fae62e9307861b02b7505538f1c94362fe638fc3941b0665dcbbdf6 | ||
| hash: sha256:9f9a8c6be08bf371eff33076e01c8aeec610aec27a81534dad93e15f0824d983 | ||
| type: core | ||
| size: 54417 | ||
| size: 54489 |
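Review bot: the `hash` and `size` on the `core/orchestration/master-orchestrator.js` entry are tied to one exact revision of that file, so they have to be regenerated in the same commit as any further edit to it in this PR (for example a change to how `completedEpics` is counted). Please confirm the values here were produced by the manifest generator after the last change to the file rather than edited by hand, since a stale entry would make the recorded checksum disagree with the shipped file.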
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
fd "master-orchestrator.js" . -x sh -c '
echo "=== {} ==="
rg -n -C4 "_calculateProgressFromState|getProgressPercentage|completedEpics|totalEpics|onDemand" "{}"
'
Repository: SynkraAI/aiox-core
Length of output: 44
🏁 Script executed:
find . -name "*master-orchestrator*" -type f
Repository: SynkraAI/aiox-core
Length of output: 157
🏁 Script executed:
ls -la core/orchestration/ 2>/dev/null || echo "Path not found at core/orchestration/"
Repository: SynkraAI/aiox-core
Length of output: 99
🏁 Script executed:
git ls-files | grep -i "master-orchestrator"
Repository: SynkraAI/aiox-core
Length of output: 153
🏁 Script executed:
wc -l .aiox-core/core/orchestration/master-orchestrator.js
Repository: SynkraAI/aiox-core
Length of output: 119
🏁 Script executed:
rg -n "_calculateProgressFromState|getProgressPercentage" .aiox-core/core/orchestration/master-orchestrator.js -A 15
Repository: SynkraAI/aiox-core
Length of output: 2552
🏁 Script executed:
rg -n "completedEpics|totalEpics" .aiox-core/core/orchestration/master-orchestrator.js -B 2 -A 2
Repository: SynkraAI/aiox-core
Length of output: 1435
🏁 Script executed:
rg -n "state\.epics\[|state\.epics\.|Object\.values.*epics" .aiox-core/core/orchestration/master-orchestrator.js -B 2 -A 2 | head -50
Repository: SynkraAI/aiox-core
Length of output: 462
🏁 Script executed:
rg -n "EPIC_CONFIG\[" .aiox-core/core/orchestration/master-orchestrator.js -B 1 -A 1 | head -30
Repository: SynkraAI/aiox-core
Length of output: 613
🏁 Script executed:
rg -n "this\.executionState\.epics\[|state\.epics\[" .aiox-core/core/orchestration/master-orchestrator.js -B 1 -A 3 | head -40
Repository: SynkraAI/aiox-core
Length of output: 1527
🏁 Script executed:
rg -n "Object\.entries.*epics|Object\.keys.*epics" .aiox-core/core/orchestration/master-orchestrator.js -B 2 -A 2
Repository: SynkraAI/aiox-core
Length of output: 1187
The completedEpics filter must exclude onDemand epics to match totalEpics.
Both _calculateProgressFromState() (line 1360-1362) and getProgressPercentage() (line 1417-1419) count all completed epics regardless of the onDemand flag, while totalEpics correctly excludes them. This creates a mismatch where progress can exceed 100% if any onDemand epic is completed.
Change completedEpics to use Object.entries() and apply the same !EPIC_CONFIG[num].onDemand filter as totalEpics:
```js
const completedEpics = Object.entries(state.epics).filter(
  ([num, epic]) => !EPIC_CONFIG[num].onDemand && epic.status === EpicStatus.COMPLETED,
).length;
```
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.aiox-core/install-manifest.yaml around lines 903 - 906, In both
_calculateProgressFromState and getProgressPercentage update how completedEpics
is computed: instead of counting all completed epics, use
Object.entries(state.epics) and filter entries by the same condition used for
totalEpics (i.e., !EPIC_CONFIG[num].onDemand) and epic.status ===
EpicStatus.COMPLETED so onDemand epics are excluded; update the completedEpics
variable in each function to mirror the provided filter logic referencing
EPIC_CONFIG, EpicStatus, and state.epics.
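The mismatch described in the comment above, reproduced as an added example (not code from the PR or the project). `EPIC_CONFIG`, `EpicStatus` and the `Math.round(completed / total * 100)` formula are constructed stand-ins, since the real definitions are not shown on this page.

```javascript
// Constructed stand-ins for the project's EpicStatus and EPIC_CONFIG (assumed shapes).
const EpicStatus = { PENDING: 'pending', COMPLETED: 'completed' };
const EPIC_CONFIG = {
  3: { onDemand: false },
  4: { onDemand: false },
  5: { onDemand: true },
};

// Denominator: epics that are part of the normal pipeline (onDemand excluded).
function countTotalEpics(config) {
  return Object.keys(config).filter((num) => !config[num].onDemand).length;
}

// "Before" behaviour: numerator counts every completed epic, no zero guard.
function progressUnguarded(state, config = EPIC_CONFIG) {
  const totalEpics = countTotalEpics(config);
  const completedEpics = Object.values(state.epics).filter(
    (epic) => epic.status === EpicStatus.COMPLETED,
  ).length;
  return Math.round((completedEpics / totalEpics) * 100);
}

// "After" behaviour: zero guard, and the same onDemand filter on both sides.
function progressGuarded(state, config = EPIC_CONFIG) {
  const totalEpics = countTotalEpics(config);
  if (totalEpics === 0) return 0;
  const completedEpics = Object.entries(state.epics).filter(
    // The config[num] existence check is an addition in this example so that an
    // epic key missing from the config is skipped instead of throwing.
    ([num, epic]) =>
      config[num] && !config[num].onDemand && epic.status === EpicStatus.COMPLETED,
  ).length;
  return Math.round((completedEpics / totalEpics) * 100);
}
```
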
| **Pre-Execution Check (MANDATORY):** Before executing any task, @aiox-master MUST check the Delegation Matrix above. If an exclusive agent owns the operation, @aiox-master MUST delegate — not execute directly. The only exceptions are: | ||
| 1. User explicitly requests `--force-execute` | ||
| 2. Running in workflow-engine mode (automated pipeline) | ||
| 3. Framework debugging with `AIOX_DEBUG=true` | ||
|
|
||
| **Rejection Script:** When @aiox-master cannot execute a task due to agent authority: | ||
| ``` | ||
| ⚠️ This task belongs to @{agent} ({persona}). | ||
| Delegating: → @{agent} | task: {task-file} | ||
| ``` | ||
|
|
||
| **Self-Correction Protocol:** When @aiox-master has already begun executing a task that belongs to an exclusive agent, it MUST: | ||
| 1. **Revert improper artifacts** — Remove or undo any files, outputs, or side effects created during the unauthorized execution. Artifact naming follows the owning agent's conventions (e.g., story files follow `{epicNum}.{storyNum}.story.md`; git operations leave no remote state). | ||
| 2. **Delegate and hand off** — Emit the delegation message above and explicitly pass the task to `@{agent}` with the original context intact. | ||
| 3. **Log the incident** — Append a structured entry to `.aiox/logs/agent-authority-incidents.log`: | ||
| ``` | ||
| [timestamp] AUTHORITY_VIOLATION: @aiox-master attempted {task-file} | ||
| owned_by: @{agent} ({persona}) | ||
| actions_taken: [list of actions performed before detection] | ||
| reverted: [list of artifacts removed/undone] | ||
| delegated_to: @{agent} | ||
| ``` |
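Review bot: the three exceptions listed under the Pre-Execution Check leave no audit trail, because the only log format defined in this hunk is the `AUTHORITY_VIOLATION` entry written during self-correction. A run that skips delegation through `--force-execute`, workflow-engine mode or `AIOX_DEBUG=true` is therefore indistinguishable afterwards from an ordinary governance task, and exception 2 as worded exempts every automated pipeline run. Suggest requiring an entry in `.aiox/logs/agent-authority-incidents.log` for each override as well, with a field naming which exception applied and the owning agent that was bypassed.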
This is still policy-only unless the runtime path enforces it.
.aiox-core/core/orchestration/agent-invoker.js:129-211 still loads and executes any requested agent/task pair without consulting the Delegation Matrix or the three override paths. That means workflow-engine callers can bypass this rule entirely today.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.claude/rules/agent-authority.md around lines 81 - 102, The agent-invoker
currently bypasses the Delegation Matrix; update
.aiox-core/core/orchestration/agent-invoker.js to perform a pre-execution
authority check before loading/executing any agent/task pair: call a new or
existing checkDelegationMatrix(task, agent, context) and if the matrix says the
operation is owned by an exclusive agent, do not execute but instead emit the
Rejection Script message, delegate to that agent, and return; honor the three
override paths (--force-execute flag, workflow-engine mode, and AIOX_DEBUG=true)
to allow execution when explicitly allowed; additionally, implement the
Self-Correction Protocol in the execution path (undo created artifacts, emit the
delegation message, and append a structured entry to
.aiox/logs/agent-authority-incidents.log) if execution already started for a
task owned by another agent so violations are reverted, logged, and handed off.
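One way the pre-execution check requested above could look at the invoker level, as an added example (not the project's code). `checkDelegationMatrix` is the hypothetical name used in the comment; `invoke`, `activeOverride`, the context fields and the matrix contents are assumptions, with only the `@qa` / `qa-gate` pairing taken from this thread.

```javascript
// Constructed matrix: only the @qa / qa-gate pairing is named in this thread;
// the persona label is a placeholder.
const DELEGATION_MATRIX = new Map([
  ['qa-gate', { agent: '@qa', persona: 'persona-placeholder' }],
]);

// Returns which of the three documented overrides is active, or null.
// context.env is expected to be passed in by the caller (e.g. process.env).
function activeOverride(context) {
  if (context.forceExecute === true) return '--force-execute';
  if (context.mode === 'workflow-engine') return 'workflow-engine';
  if ((context.env || {}).AIOX_DEBUG === 'true') return 'AIOX_DEBUG=true';
  return null;
}

// Hypothetical pre-execution check: decide before any task file is loaded.
function checkDelegationMatrix(task, agent, context = {}, matrix = DELEGATION_MATRIX) {
  const owner = matrix.get(task); // Map lookup: names like "constructor" cannot match
  if (!owner || owner.agent === agent) {
    return { action: 'execute', override: null, owner: owner ? owner.agent : null };
  }
  const override = activeOverride(context);
  if (override) {
    // Execution past the matrix is permitted, but the decision records why.
    return { action: 'execute', override, owner: owner.agent };
  }
  return {
    action: 'delegate',
    override: null,
    owner: owner.agent,
    message: `⚠️ This task belongs to ${owner.agent} (${owner.persona}).\n` +
      `Delegating: → ${owner.agent} | task: ${task}`,
  };
}

// Invoker wrapper: hand off without running, or run and audit any override used.
function invoke(task, agent, context, run, audit = []) {
  const decision = checkDelegationMatrix(task, agent, context);
  if (decision.action === 'delegate') return { ...decision, audit };
  if (decision.override) {
    audit.push({ task, agent, owner: decision.owner, override: decision.override });
  }
  return { ...decision, result: run(task), audit };
}
```
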
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add @qa exclusive operations to agent-authority rules. Document runtime enforcement as follow-up. Clean manifest regeneration. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
Fixes two critical bugs:
bug: master-orchestrator _calculateProgressFromState division by zero when all epics are onDemand #532 —
`_calculateProgressFromState()` and `getProgressPercentage()` in `master-orchestrator.js` divide by `totalEpics` without zero-check. When all epics have `onDemand: true`, this produces `NaN` that propagates to dashboard, logs, and status. Added `if (totalEpics === 0) return 0;` guard to both methods.
@aios-master executes exclusive tasks directly instead of delegating — "No restrictions" label causes enforcement gap #527 —
@aiox-master's authority entry read "Execute ANY task directly | No restrictions", which LLMs interpret as blanket permission to bypass agent authority (Constitution Article II violation). Fixed by:
- `agent-authority.md`
- `core_principle` in the aiox-master agent definition
- `--force-execute`, workflow-engine, and debug overrides as explicit exceptions
Test plan
- `npm run lint` — 0 errors
- `npm run typecheck` — passes
Closes #532
Closes #527
🤖 Generated with Claude Code
Summary by CodeRabbit
Bug Fixes
Behavior Changes
Chores