Add scribe agent#10
Conversation
Move the scribe harness, prompt, policy, schema, and pre/post scripts into the agents repo so org configs can register it via ADR 0058 instead of maintaining copies under .fullsend/customized/. Co-authored-by: Cursor <cursoragent@cursor.com> Signed-off-by: Adam Scerra <ascerra@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com>
b1a5291 to
0079218
Compare
PR Summary by QodoAdd scribe agent package (prompt, harness, policy, schema, pre/post scripts)
AI Description
Diagram
High-Level Assessment
Files changed (6)
|
|
🤖 Finished Review · ✅ Success · Started 7:48 PM UTC · Completed 8:00 PM UTC |
Code Review by Qodo
1.
|
ReviewRe-review at Fresh analysis found one new medium finding: the documentation file path diverges from the established repo pattern. FindingsHigh
Medium
Low
Prior review resolution: 3 of 6 medium findings from Previous runReviewRe-review at Fresh analysis found additional issues: GHA workflow command injection, ISSUE_NUM input validation gap, comment-count reporting bug, and missing tests. FindingsHigh
Medium
Low
Previous runReviewRe-review at Fresh analysis found additional issues: GHA workflow command injection, ISSUE_NUM input validation gap, comment-count reporting bug, and missing tests. FindingsHigh
Medium
Low
Prior review resolution: 5 of 6 prior findings resolved in Previous run (2)ReviewVerdict: request-changes Re-review at the same commit ( HighH1 ·
|
Remove curl from sandbox policy to prevent GCP key exfiltration, fix post-script dedup/null/dry-run/idempotency bugs, harden pre-script token error handling, tighten summary schema, and add user documentation. Co-authored-by: Cursor <cursoragent@cursor.com> Signed-off-by: Adam Scerra <ascerra@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com>
8070758 to
dc4f09e
Compare
|
🤖 Review · |
|
🤖 Finished Review · ❌ Failure · Started 8:20 PM UTC · Completed 8:33 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 8:42 PM UTC · Completed 8:52 PM UTC |
Wrap Drive export in set +e so failed exports skip to the next doc instead of aborting the pre-script. Align LOOKBACK default to 168h with docs. Add instruction-hierarchy boundary in the agent prompt, fallback idempotency dedup when notes URL is missing, and document SCRIBE_DRIVE_CREDENTIALS in the env vars table. Signed-off-by: Adam Scerra <ascerra@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com>
|
🤖 Finished Review · ✅ Success · Started 11:54 AM UTC · Completed 12:12 PM UTC |
Add sanitize_gha for agent-controlled echo output, validate existing_issue is a positive integer before gh api calls, and defer COMMENT_TOPICS tracking until after idempotency passes in live mode. Signed-off-by: Adam Scerra <ascerra@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com>
|
🤖 Review · |
Align pre-scribe.sh and docs/agents/scribe.md on a 3-hour Drive search default instead of 168 hours. Signed-off-by: Adam Scerra <ascerra@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com>
|
🤖 Finished Review · ✅ Success · Started 1:17 PM UTC · Completed 1:29 PM UTC |
| | sed -E '/^Participants:?$/d' \ | ||
| | sed -E 's/^(Organizer|Host|Co-host):?.*/[meeting role line removed]/g' \ | ||
| | sed -n '/^Details/,$!p' \ | ||
| | sed -E 's/\[[A-Z][a-zA-Z .,-]+\]/[attendee]/g') |
There was a problem hiding this comment.
[medium] pii-scrubbing
Name scrubbing regex only catches bracketed Gemini-format names ([John Smith]). Unbracketed names in Summary/Next Steps sections pass through unscrubbed. Defense relies on the agent's public_safe gate as defense-in-depth.
Suggested fix: Document the scrubber's format-specific scope. Consider adding patterns for common unbracketed attribution formats.
| fi | ||
| echo "Confidence threshold: ${MIN_CONFIDENCE}" | ||
| REJECTED=0 | ||
| POSTED=0 |
There was a problem hiding this comment.
[low] error-handling
POSTED and CREATED counters are initialized and incremented but never referenced in console summary, step summary, or Slack notification. All output paths use array lengths instead. Dead code.
| @@ -0,0 +1,536 @@ | |||
| #!/usr/bin/env bash | |||
There was a problem hiding this comment.
[low] secrets-handling
GH_TOKEN is not masked with ::add-mask:: at script entry. Other post-scripts (post-retro.sh, post-review.sh, post-fix.sh, post-code.sh) all mask their tokens.
Suggested fix: Add echo "::add-mask::${GH_TOKEN}" after the required-var checks.
| MEETING_DATE=$(printf '%s' "${SUMMARY}" | grep -oP '(?<=\*\*Meeting update — ).*?(?=\*\*)' || echo "") | ||
| EXISTING=0 | ||
| if [[ -n "${NOTES_URL}" ]]; then | ||
| EXISTING=$(gh api "repos/${SCRIBE_REPO}/issues/${ISSUE_NUM}/comments" 2>/dev/null \ |
There was a problem hiding this comment.
[important, non-blocking] The idempotency gh api calls here (and the fallback at line 299) don't use --paginate. Issues with 30+ comments would miss prior scribe posts. AGENTS.md has the fix pattern: gh api --paginate ... | jq -s 'add | ...'.
| fi | ||
|
|
||
| # Gate: code blocks in comments | ||
| if echo "${SUMMARY}" | grep -q '```'; then |
There was a problem hiding this comment.
[moderate, non-blocking] This gate rejects summaries with triple backticks, but the agent prompt doesn't mention the restriction. If the agent references a config key in a fenced block, the topic gets silently dropped. Might be worth adding a line to the prompt's output rules.
| | `REPO` | yes | Target GitHub repository (`owner/name`) | | ||
| | `SEARCH_QUERY` | yes | Drive search term for meeting note doc names | | ||
| | `LOOKBACK_HOURS` | no | How far back to search Drive (default: 3) | | ||
| | `DRY_RUN` | yes | `true` to preview; `false` for live writes | |
There was a problem hiding this comment.
[minor, non-blocking] The config table here uses bare names (DRY_RUN, REPO, etc.) but the scripts and security section use the SCRIBE_ prefix. I think these should all be SCRIBE_-prefixed — SCRIBE_DRY_RUN, SCRIBE_REPO, SCRIBE_SEARCH_QUERY, etc. — to align with the naming convention ADR. The harness mapping would need to match.
Summary
fullsend-ai/.fullsend/customized/fullsend agent add/ configagents:(ADR 0058) instead of maintaining inline customized copiesFiles added
agents/scribe.mdharness/scribe.yamlpolicies/scribe.yamlschemas/scribe-result.schema.jsonscripts/pre-scribe.shscripts/post-scribe.shSecurity review
GH_TOKEN,SCRIBE_*,GOOGLE_APPLICATION_CREDENTIALS, etc.).fullsend/customized/)Follow-up (separate PR)
After merge, register in
fullsend-ai/.fullsend:fullsend agent add \ https://github.com/fullsend-ai/agents/blob/main/harness/scribe.yaml \ --name scribe \ --fullsend-dir .Test plan
fullsend-dev agent addagainst the merged harness URLfullsend-dev agent list --fullsend-dir .fullsendshows scribeMade with Cursor