fix(workflows): persist read-only node outputs via bash bridges in archon-refactor-safely

[kagura-agent]

Summary

The archon-refactor-safely workflow silently drops the impact analysis and refactoring plan at context boundaries, causing the execute node to find no plan and report success with zero changes.

Fixes #1477

Root Cause

The analyze-impact and plan-refactor nodes have denied_tools: [Write, Edit, Bash] (correctly — they should be read-only). However, their prompts instruct the AI to write files to $ARTIFACTS_DIR. The AI then wastes turns searching for unavailable tools, and the plan is never persisted. The downstream execute-refactor node tries to read the plan file — it doesn't exist.

Changes

1. Updated prompts: Changed "Write to $ARTIFACTS_DIR/..." → "Produce your output below" so the AI outputs the analysis/plan directly (captured as $node.output) instead of attempting unavailable file writes.

2. Added persist-impact bash node: Writes $analyze-impact.output to $ARTIFACTS_DIR/impact-analysis.md after the analysis node completes.

3. Added persist-plan bash node: Writes $plan-refactor.output to $ARTIFACTS_DIR/refactor-plan.md after the plan node completes.

4. Updated dependency chain: plan-refactor depends on persist-impact (so the file exists when the plan node reads it), execute-refactor depends on persist-plan (so the plan file exists when execution begins).

5. Regenerated bundled defaults (bun run generate:bundled).

Type of change

• Bug fix

How Has This Been Tested?

• bun run type-check — passes
• bun run generate:bundled — regenerated successfully (36 commands, 20 workflows)
• Verified YAML structure is valid and DAG dependencies form a correct chain:
  scan-scope → analyze-impact → persist-impact → plan-refactor → persist-plan → execute-refactor → validate → ...
• Test failures in bun run test are pre-existing upstream (verified by running tests on clean upstream/dev)

Checklist

• I have read the Code of Conduct and this PR adheres to it
• I ran linters/tests locally and they passed
• I updated documentation as needed
• I added tests or explain why not applicable (workflow YAML change — no unit tests for workflow definitions)
• I added a changeset if this change affects published packages (not applicable — only workflow YAML)

Summary by CodeRabbit

• Refactor
  • Enhanced the refactor workflow to improve how analysis and planning outputs are captured and persisted, ensuring proper file generation before execution proceeds.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 16562bbe-4629-439d-95e0-d6dce9a10bb7

📥 Commits

Reviewing files that changed from the base of the PR and between 5283ea9 and fdbdba2.

📒 Files selected for processing (2)

• .archon/workflows/defaults/archon-refactor-safely.yaml
• packages/workflows/src/defaults/bundled-defaults.generated.ts

---

📝 Walkthrough

Walkthrough

The archon-refactor-safely workflow is updated to reliably persist refactor plans and impact analysis by decoupling output capture from file persistence. AI nodes now emit output for automatic capture; dedicated bash bridge nodes then write those captured outputs to $ARTIFACTS_DIR, bypassing tool restrictions that block the analysis node from direct writes.

Changes

Refactor Workflow Output Persistence

Layer / File(s)	Summary
Impact analysis capture and persistence .archon/workflows/defaults/archon-refactor-safely.yaml	analyze-impact prompt is reworded to emit impact analysis for automatic capture. New persist-impact bash node writes $analyze-impact.output to $ARTIFACTS_DIR/impact-analysis.md, creating the artifacts directory as needed.
Refactor plan capture and persistence .archon/workflows/defaults/archon-refactor-safely.yaml	plan-refactor prompt is reworded to emit refactor plan for automatic capture. New persist-plan bash node writes $plan-refactor.output to $ARTIFACTS_DIR/refactor-plan.md, mirroring the impact persistence pattern.
Execution dependency wiring .archon/workflows/defaults/archon-refactor-safely.yaml	execute-refactor node dependency is changed from plan-refactor to persist-plan, ensuring the refactor plan artifacts file exists before execution begins.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• coleam00/Archon#1387: Updates executeBashNode to always export $ARTIFACTS_DIR into spawned subprocess environments, providing the environment variable support that these new bash bridge nodes depend on.

Poem

🐰 A bash node bridges the gap, where tools once denied,
Output flows captured, then written with pride—
Plans now persist through the phases, no loss,
The workflow stands steady; refactors cross! 🌿

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description covers key sections (Summary, Root Cause, Changes, Testing) but is missing several required template sections like Architecture Diagram, UX Journey, comprehensive Validation Evidence, and detailed Side Effects/Rollback Plan.	Add or expand: Architecture Diagram (Before/After), UX Journey flow, complete Validation Evidence output, detailed Side Effects analysis, and explicit Rollback Plan with observable failure symptoms.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: fixing workflow behavior by persisting node outputs via bash bridges, with appropriate scope prefix.
Linked Issues check	✅ Passed	The PR successfully addresses the primary objectives from #1477: it prevents silent loss of analysis/plan by capturing outputs, persists them via bash nodes, updates DAG dependencies to ensure artifacts exist before consumption, and avoids wasting agent turns on unavailable tools.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to fixing the archon-refactor-safely workflow as required by #1477. The workflow YAML updates (prompt changes, bash node additions, dependency chain updates) and bundled generation are all necessary and on-topic.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Wirasm]

Review Summary

Verdict: ready-to-merge

Your fix correctly resolves the issue where read-only nodes with denied_tools: [Write, Edit, Bash] were being instructed to write files they couldn't write. The solution adds bash bridge nodes to persist node outputs and updates prompts to output directly — clean and well-targeted.

Blocking issues

None.

Suggested fixes

None.

Minor / nice-to-have

None — this PR is clean.

Compliments

• Heredoc quoting is correct (<< 'ARCHON_EOF'), preventing variable expansion issues
• DAG dependency chain is properly structured with correct node ordering
• Follows existing patterns for persistence nodes with reasonable timeouts

---

Reviewed via maintainer-review-pr workflow (Pi/Minimax). Aspects run: code-review.