🤖 Generated by the Daily AI Engineer
Intent (maintainer direction, 2026-07-16)
Restrict code authorship in devantler-tech to the AI engineer, so the agent owns the code and the
products. The maintainer's retained surface is deliberately narrow:
- observe results,
- promote PRs from draft to ready-for-review (and merge),
- create and comment on issues, and comment on PRs.
Explicitly not retained: authoring code, creating PRs. In his words — "I will never be the one to
create them myself. You own the code and products, I own you."
Evidence — this codifies what already happens
- Of the last 40 merged PRs org-wide, zero were human-authored: 29
dependabot[bot], 5
devantler (all agent-authored), 3 renovate[bot], 2 ksail-bot[bot], 1 botantler-1[bot].
- The org has exactly one human member (
devantler). "Restrict all humans" therefore reduces to
restricting a single account — the same account the agent currently operates as (see the blocker).
- Every product already ships through the draft-PR + promotion flow defined in the monorepo's
AGENTS.md.
So this is mostly making the real policy enforceable, not changing how work happens.
🔴 Blocking prerequisite — the agent has no identity of its own
The agent commits and opens PRs as devantler (a User, the maintainer's own account) — this is
written into the engineering contract's trust gate, and every PR it authored today
(ksail#6164 @3317b55a9, ksail#5775 @12d894e02) carries that identity.
Consequence: restricting devantler from writing code disables the agent. The two are the same
principal on GitHub. No org ruleset can distinguish them, because there is nothing to distinguish.
This is the first child and a hard gate on everything else: mint a dedicated agent identity
(a GitHub App — the org already runs botantler-1[bot] and ksail-bot[bot], so the pattern exists),
migrate the agent's git/gh credentials to it, and update the trust gate + disclosure conventions to
match. Only once the agent is a distinct principal can "humans cannot write code" mean anything.
Second-order effects to handle in that child:
- The sibling ChatGPT/Codex instance also authors code (
codex/* branches) and must be moved to
its own identity, or it gets locked out too.
CODEOWNERS is @devantler-tech/maintainers; review/ownership semantics need rechecking once the
author is a bot.
- Some
gh subcommands need broader scopes than the raw API (see cask-handoff-never-promotes) —
the App's permission set must be validated against the real workflows, least-privilege, before cutover.
Target state (proposed)
| Actor |
Push to main |
Create PR |
Author code |
Promote draft → ready |
Merge |
Issues / comments |
Admin |
| AI engineer (new App identity) |
❌ (never — via PR only) |
✅ |
✅ |
❌ (gate stays human) |
✅ (own, per merge policy) |
✅ |
❌ |
| Trusted release bots |
❌ |
✅ |
✅ (programmed paths) |
n/a |
✅ (auto-merge) |
✅ |
❌ |
devantler (human) |
❌ |
❌ |
❌ |
✅ |
✅ |
✅ |
✅ (owner, break-glass) |
| Everyone else |
❌ |
❌ |
❌ |
❌ |
❌ |
✅ (issues only) |
❌ |
The promotion gate is preserved and becomes more load-bearing, not less. It is the only human
checkpoint in the agent's definition; the agent never self-promotes. Tightening human write access
must not touch it.
🔴 Break-glass is non-negotiable
The maintainer is the org owner and must retain an unconditional emergency path to change code — org
owners can always edit rulesets, so this is inherent, but it must stay explicit and tested, not
incidental.
Live evidence from today: an org ruleset change at 06:07Z froze every non-bot merge portfolio-wide
(monorepo#2184) — the agent could diagnose it but not fix it, because org config is out of its reach by
design. Had the maintainer also been locked out of authoring code, recovery would have depended on the
very agent that could not ship. A lockdown must never create a state only the agent can exit.
Concretely: keep the owner's ruleset-bypass, and add a documented, periodically-exercised break-glass
procedure. Note the current stack already relies on bypass_actors: [OrganizationAdmin:always].
Honest trade-off
This concentrates delivery on a single automated actor and raises the bus factor: if the agent is
wedged, misconfigured, or wrong, nothing ships until the maintainer intervenes through a path this
issue is deliberately preserving. The mitigation is the break-glass above plus the promotion gate —
the maintainer still approves every change before it merges. Ownership of the code and accountability
for it remain his; this issue delegates authorship, not responsibility.
Proposed children (decompose; each independently shippable)
- Mint a dedicated agent identity (App), migrate credentials, update the trust gate + disclosure
conventions. (hard gate on 2–5; includes the Codex sibling)
- Document + test the break-glass path, before any restriction lands.
- Restrict PR creation / code authorship to the agent + trusted bot identities (declaratively, via
deploy/).
- Restrict direct pushes for all human actors on every repo (extends the existing
Require a pull request before merging).
- Sweep repository-permission grants to least privilege for every non-agent principal; keep issue
- comment + promote rights intact.
Order matters: 1 → 2 → (3,4,5). Landing 3–5 before 1 locks out the agent; landing them before 2
risks an unrecoverable state.
Acceptance criteria
Open questions for the maintainer
- Identity: new dedicated App, or reuse
botantler-1[bot]? A fresh, purpose-named App is
cleaner for audit and least privilege.
- Should the agent keep merge rights, or should merge also collapse into your promote action
(i.e. promotion == merge via auto-merge)? Today the contract has the agent merge its own promoted PRs.
- Scope: all 19 repos at once, or pilot on one (e.g.
ksail) first? A pilot is the lower-risk path
and matches feature-flag-first delivery.
Size
L (epic). Child 1 is M and gates the rest.
Relates to #56 (declarative GitHub-org-as-code) and #69 (adopt remaining rulesets declaratively) —
the enforcement here should land through that same declarative source of truth.
Intent (maintainer direction, 2026-07-16)
Restrict code authorship in
devantler-techto the AI engineer, so the agent owns the code and theproducts. The maintainer's retained surface is deliberately narrow:
Explicitly not retained: authoring code, creating PRs. In his words — "I will never be the one to
create them myself. You own the code and products, I own you."
Evidence — this codifies what already happens
dependabot[bot], 5devantler(all agent-authored), 3renovate[bot], 2ksail-bot[bot], 1botantler-1[bot].devantler). "Restrict all humans" therefore reduces torestricting a single account — the same account the agent currently operates as (see the blocker).
AGENTS.md.So this is mostly making the real policy enforceable, not changing how work happens.
🔴 Blocking prerequisite — the agent has no identity of its own
The agent commits and opens PRs as
devantler(aUser, the maintainer's own account) — this iswritten into the engineering contract's trust gate, and every PR it authored today
(
ksail#6164@3317b55a9,ksail#5775@12d894e02) carries that identity.Consequence: restricting
devantlerfrom writing code disables the agent. The two are the sameprincipal on GitHub. No org ruleset can distinguish them, because there is nothing to distinguish.
This is the first child and a hard gate on everything else: mint a dedicated agent identity
(a GitHub App — the org already runs
botantler-1[bot]andksail-bot[bot], so the pattern exists),migrate the agent's git/
ghcredentials to it, and update the trust gate + disclosure conventions tomatch. Only once the agent is a distinct principal can "humans cannot write code" mean anything.
Second-order effects to handle in that child:
codex/*branches) and must be moved toits own identity, or it gets locked out too.
CODEOWNERSis@devantler-tech/maintainers; review/ownership semantics need rechecking once theauthor is a bot.
ghsubcommands need broader scopes than the raw API (seecask-handoff-never-promotes) —the App's permission set must be validated against the real workflows, least-privilege, before cutover.
Target state (proposed)
maindevantler(human)The promotion gate is preserved and becomes more load-bearing, not less. It is the only human
checkpoint in the agent's definition; the agent never self-promotes. Tightening human write access
must not touch it.
🔴 Break-glass is non-negotiable
The maintainer is the org owner and must retain an unconditional emergency path to change code — org
owners can always edit rulesets, so this is inherent, but it must stay explicit and tested, not
incidental.
Live evidence from today: an org ruleset change at 06:07Z froze every non-bot merge portfolio-wide
(monorepo#2184) — the agent could diagnose it but not fix it, because org config is out of its reach by
design. Had the maintainer also been locked out of authoring code, recovery would have depended on the
very agent that could not ship. A lockdown must never create a state only the agent can exit.
Concretely: keep the owner's ruleset-bypass, and add a documented, periodically-exercised break-glass
procedure. Note the current stack already relies on
bypass_actors: [OrganizationAdmin:always].Honest trade-off
This concentrates delivery on a single automated actor and raises the bus factor: if the agent is
wedged, misconfigured, or wrong, nothing ships until the maintainer intervenes through a path this
issue is deliberately preserving. The mitigation is the break-glass above plus the promotion gate —
the maintainer still approves every change before it merges. Ownership of the code and accountability
for it remain his; this issue delegates authorship, not responsibility.
Proposed children (decompose; each independently shippable)
conventions. (hard gate on 2–5; includes the Codex sibling)
deploy/).Require a pull request before merging).Order matters: 1 → 2 → (3,4,5). Landing 3–5 before 1 locks out the agent; landing them before 2
risks an unrecoverable state.
Acceptance criteria
instance likewise.
devantler-tech.devantlercan still: promote drafts, merge, create/comment on issues, comment on PRs..githubdeploy/(per Roadmap: declarative GitHub-org-as-code — extend coverage & sustain the source of truth #56), not clicked in the UI.Open questions for the maintainer
botantler-1[bot]? A fresh, purpose-named App iscleaner for audit and least privilege.
(i.e. promotion == merge via auto-merge)? Today the contract has the agent merge its own promoted PRs.
ksail) first? A pilot is the lower-risk pathand matches feature-flag-first delivery.
Size
L (epic). Child 1 is M and gates the rest.
Relates to #56 (declarative GitHub-org-as-code) and #69 (adopt remaining rulesets declaratively) —
the enforcement here should land through that same declarative source of truth.