ci: require formal kapi-agent approval

[devkade]

Summary

• add GitHub Actions gate require formal kapi-agent approval
• gate fails unless latest formal kapi-agent PR review is APPROVED on the current head and kapi-agent/review is success
• document branch/ruleset requirement and PR feat: add RunContract evidence criteria #110 incident rule

Closes #122.

Verification

• npm ci
• git diff --check
• npm run verify

Required GitHub settings after merge

Require both checks in branch protection/rulesets for dev:

• kapi-agent/review
• require formal kapi-agent approval

Comment verdicts such as ## kapi-agent review / **Verdict:** APPROVE are ignored by the workflow.

[devkade]

Revision note after initial workflow run:

• kept this as the focused GitHub Actions enforcement PR after superseding fix: require formal kapi-agent approval before merge-ready #123
• verified the new required check fails from GitHub itself when formal kapi-agent review/check are missing
• tightened the workflow diagnostics so missing formal review does not also emit a misleading stale-head message
• added explicit draft PR blocking in the workflow gate

Verification already run locally on this focused branch:

• npm ci
• git diff --check
• npm run verify

[kapi-agent]

kapi-agent review

Verdict: APPROVE

Final approval summary

Review journey

Original goal: add a GitHub-enforced gate so Kapi PRs cannot merge based only on an approval-shaped comment. The semantic scope is limited to one CI workflow plus documentation for requiring formal current-head kapi-agent approval and the kapi-agent/review signal. No prior kapi-agent review existed for this PR, so there was no feedback/fix ping-pong to verify.

What changed

• Added .github/workflows/kapi-agent-formal-approval-gate.yml.
• Updated README.md to point branch/ruleset enforcement at both required checks.
• Added docs/kapi-agent-approval-gate.md explaining the formal approval contract and PR #110 incident rule.

Why this is correct

The workflow checks the latest formal PR review by kapi-agent, requires it to be APPROVED, ties it to the current head SHA, requires kapi-agent/review success, rejects drafts, and explicitly ignores approval-shaped comments. That matches the intended artifact/workflow contract: comments can explain reviews, but only GitHub review state plus the bot check can satisfy merge enforcement.

Evidence

• Verifier gate: PASS — npm ci && npm run verify exited 0.
• Size gate: PASS — 114 changed lines, below the 200-line limit.
• Revision explanation status: not required; no prior kapi-agent review existed.
• Inspected files: .github/workflows/kapi-agent-formal-approval-gate.yml, README.md, and docs/kapi-agent-approval-gate.md.

Remaining risks and approval rationale

Remaining risk is operational: the repository ruleset must actually require both kapi-agent/review and require formal kapi-agent approval after merge. The code and docs correctly define the gate, the PR is small, verification passed, and no blocking issue remains, so approval is justified.

Blocking issues

None.

Warnings / risks

• .github/workflows/kapi-agent-formal-approval-gate.yml: enforcement depends on branch protection/rulesets requiring this new check plus kapi-agent/review; without that repository setting, the workflow can report failure but cannot block merges.
• .github/workflows/kapi-agent-formal-approval-gate.yml: if GitHub represents the app reviewer login differently in this repo, for example as a bot-suffixed login, the reviewer = 'kapi-agent' constant may need adjustment. The current implementation is consistent with the documented contract.

Suggestions

• Consider adding a future small test/harness fixture for the github-script logic if this gate grows more complex.
• Consider documenting the expected exact GitHub review actor login if it ever differs from kapi-agent.

Looks good

• The workflow checks formal PR review state rather than parsing comment text as approval.
• The review is tied to pull.head.sha, preventing stale approvals after synchronize.
• The required kapi-agent/review check/status remains part of the contract.
• Documentation clearly explains the incident rule: approval-shaped comments are not merge approval.

Verification notes

Verifier gate status: PASS — npm ci && npm run verify exited 0.

Size gate status: PASS — 114 changed lines, below the 200-line limit.

Revision-explanation status: not required; no prior kapi-agent review exists for this PR.

PR evidence reviewed: workflow file, README update, approval-gate documentation, and provided CI/verifier output.

---

Engine: pi

[kapi-agent]

kapi-agent review

Verdict: REQUEST_CHANGES

Blocking issues

• Revision explanation gate failed. This PR was updated after a prior kapi-agent review, but the PR body or author comments do not explain what changed and why for this current revision. Per policy, please add a review response explaining what changed since the prior kapi-agent approval and why, then request re-review.

Warnings / risks

• None blocking from the inspected diff itself. The workflow/documentation scope remains small and focused.

Suggestions

• In the revision response, include the head SHA or a concise bullet list of the synchronize changes so reviewers can distinguish the current revision from the already-approved one.

Looks good

• The size gate passes: 133 changed lines, under the 200-line limit.
• The formal approval gate design is directionally sound: it requires a formal kapi-agent PR review on the current head, checks kapi-agent/review, rejects drafts, and treats approval-shaped comments as non-authoritative.
• Documentation in README.md and docs/kapi-agent-approval-gate.md clearly describes the branch/ruleset requirements and the comment-vs-review distinction.

Verification notes

• Verifier gate status: PASS — npm ci && npm run verify exited 0.
• Size gate status: PASS — 133 changed lines < 200.
• Revision-explanation status: FAIL — required now, but not found for the current synchronized revision.
• PR evidence inspected: workflow addition .github/workflows/kapi-agent-formal-approval-gate.yml, README update, approval-gate documentation, prior review history, and provided verification output.

---

Engine: pi

[devkade]

Revision note:

• Fixed the GitHub Action to read PR reviews through GraphQL because REST pulls.listReviews did not surface the kapi-agent App review on this PR while GraphQL/gh pr view did.
• Added the new required check to the active dev repository ruleset.
• Removed ruleset bypass actors so the dev ruleset cannot be bypassed casually by repository role.
• dev now requires both kapi-agent/review and require formal kapi-agent approval before merge.

Expected current state: this push invalidated the prior approval by changing the head SHA, so kapi-agent must approve the new head before the GitHub gate turns green.

[devkade]

Revision explanation for current head f12f849b905a04457a29423b8b08c4c6fde961de after prior kapi-agent approval:

• Changed .github/workflows/kapi-agent-formal-approval-gate.yml to read formal PR reviews through GitHub GraphQL instead of REST pulls.listReviews, because REST returned no kapi-agent reviews for PR ci: require formal kapi-agent approval #124 while GraphQL/gh pr view did show the formal approval and its commit OID.
• Kept the current-head approval invariant: the workflow still requires latestReview.commit.oid === pull.head.sha.
• Kept kapi-agent/review as a required success signal and draft PRs as blocking.
• Separately updated the active dev repository ruleset to require both kapi-agent/review and require formal kapi-agent approval, with no bypass actors.

Verification after this revision:

• git diff --check passed before commit.
• Prior focused-branch npm run verify passed; this revision only changes the GitHub Actions script surface.

[devkade]

@kapi-agent review

[kapi-agent]

kapi-agent review

Verdict: REQUEST_CHANGES

Blocking issues

• .github/workflows/kapi-agent-formal-approval-gate.yml: approval-shaped comments are not actually ignored. The workflow counts matching comments and then appends that count to diagnostics; any diagnostic causes core.setFailed(...). That means a PR with a valid formal current-head kapi-agent approval and successful kapi-agent/review can still be blocked forever merely because an old comment contains:

  ## kapi-agent review
  
  **Verdict:** APPROVE

  This contradicts the stated contract in the PR and docs: comments should be non-authoritative, not a failing condition. Please remove this from failing diagnostics, or report it only in the summary without failing the gate.

Warnings / risks

• The workflow only fetches reviews(last: 100) and comments(last: 100). This is probably fine for normal PRs, but if the repository ever has very noisy review history, pagination would be more robust.

Suggestions

• Consider adding a small fixture/unit-style test for the gate script logic if this workflow grows further, especially for: valid approval + approval-shaped comment should pass.

Looks good

• Size gate passes: 133 changed lines, under the 200-line limit.
• Revision explanation was provided and clearly explains the REST-to-GraphQL change and current-head approval invariant.
• The main enforcement model is sound: require latest formal kapi-agent review to be APPROVED, tie it to pull.head.sha, require kapi-agent/review success, and reject drafts.
• Documentation clearly distinguishes formal GitHub review state from comment text.

Verification notes

• Verifier gate status: PASS — npm ci && npm run verify exited 0.
• Size gate status: PASS — 133 changed lines, below the 200-line limit.
• Revision-explanation status: PASS — current-head revision explanation found.
• Local inspection focused on .github/workflows/kapi-agent-formal-approval-gate.yml, README.md, and docs/kapi-agent-approval-gate.md.

---

Engine: pi

---

kapi-agent request lifecycle:

• Status: COMPLETED
• Head: f12f849b905a
• Formal review event: REQUEST_CHANGES
• Review API status: 200
• Required check API status: 201

[kapi-agent]

kapi-agent review

Verdict: REQUEST_CHANGES

Blocking issues

• .github/workflows/kapi-agent-formal-approval-gate.yml: approval-shaped comments are not actually ignored. The workflow counts matching comments and then appends that count to diagnostics; any diagnostic causes core.setFailed(...). That means a PR with a valid formal current-head kapi-agent approval and successful kapi-agent/review can still be blocked forever merely because an old comment contains:

  ## kapi-agent review
  
  **Verdict:** APPROVE

  This contradicts the stated contract in the PR and docs: comments should be non-authoritative, not a failing condition. Please remove this from failing diagnostics, or report it only in the summary without failing the gate.

Warnings / risks

• The workflow only fetches reviews(last: 100) and comments(last: 100). This is probably fine for normal PRs, but if the repository ever has very noisy review history, pagination would be more robust.

Suggestions

• Consider adding a small fixture/unit-style test for the gate script logic if this workflow grows further, especially for: valid approval + approval-shaped comment should pass.

Looks good

• Size gate passes: 133 changed lines, under the 200-line limit.
• Revision explanation was provided and clearly explains the REST-to-GraphQL change and current-head approval invariant.
• The main enforcement model is sound: require latest formal kapi-agent review to be APPROVED, tie it to pull.head.sha, require kapi-agent/review success, and reject drafts.
• Documentation clearly distinguishes formal GitHub review state from comment text.

Verification notes

• Verifier gate status: PASS — npm ci && npm run verify exited 0.
• Size gate status: PASS — 133 changed lines, below the 200-line limit.
• Revision-explanation status: PASS — current-head revision explanation found.
• Local inspection focused on .github/workflows/kapi-agent-formal-approval-gate.yml, README.md, and docs/kapi-agent-approval-gate.md.

---

Engine: pi

[devkade]

@kapi-agent review

Revision explanation: What changed: fixed the blocking issue from the latest kapi-agent review. Approval-shaped comments are still counted and shown in the GitHub Actions summary, but they are no longer appended to failing diagnostics and therefore cannot block a PR that otherwise has a valid current-head formal approval plus successful kapi-agent/review.

Why: the intended contract is that comments are non-authoritative. They should be ignored for approval decisions, not treated as a failure condition.

Verification: git diff --check passed before commit. Change is limited to .github/workflows/kapi-agent-formal-approval-gate.yml.

[kapi-agent]

kapi-agent review

Verdict: REQUEST_CHANGES

Blocking issues

• Revision explanation gate failed. This PR was updated after prior kapi-agent reviews, including a prior approval and a later changes-requested review, but the current PR body or author comments do not explain what changed and why for this latest synchronized revision. Per policy, please add a revision response explaining the current-head changes and why they close the prior feedback, then request re-review.

Warnings / risks

• .github/workflows/kapi-agent-formal-approval-gate.yml: the remaining workflow risk is pagination/noise sensitivity. It reads only reviews(last: 100) and comments(last: 100). That is probably acceptable for this small repo, but very noisy PRs could hide older relevant data if this grows.

Suggestions

• In the revision response, include the current head SHA and a short bullet list of what changed since the last kapi-agent review, especially that approval-shaped comments are now only reported in the summary and no longer fail the gate.

Looks good

• The previous blocking workflow issue appears addressed in the provided current file: approval-shaped comments are counted and appended to summaryItems, but they are not added to diagnostics, so they should not fail an otherwise valid formal approval gate.
• The workflow continues to enforce the important contract: latest formal kapi-agent review must be APPROVED, tied to the current head SHA, with kapi-agent/review successful, and draft PRs blocked.
• Documentation in README.md and docs/kapi-agent-approval-gate.md clearly states that comment verdicts are not approval and that branch/ruleset enforcement should require both checks.

Verification notes

• Verifier gate: PASS — npm ci && npm run verify exited 0.
• Size gate: PASS — 136 changed lines, under the 200-line limit.
• Revision-explanation status: FAIL — required now, but not found for the current synchronized revision.
• Local inspection note: the checkout available to this review did not expose the full PR diff, so this review relies on the provided PR context plus the verification evidence.

---

Engine: pi

[devkade]

@kapi-agent review

Revision explanation for current head b77bf7c9d270fc1c83cec2a60c332a762198c12e after the latest kapi-agent REQUEST_CHANGES review:

What changed:

• Updated .github/workflows/kapi-agent-formal-approval-gate.yml so approval-shaped comments are no longer added to diagnostics.
• Approval-shaped comments are now only appended to summaryItems, so they appear in the GitHub Actions job summary as ignored/non-authoritative context.
• core.setFailed(...) still depends only on true gate diagnostics: draft PR, missing/non-approved current-head formal review, stale review commit, or missing/non-success kapi-agent/review.

Why this closes the prior feedback:

• The prior blocking issue was correct: ignored comments must not fail the gate. This revision makes comments non-blocking while preserving visibility.
• A PR with valid current-head formal kapi-agent APPROVED review and successful kapi-agent/review can now pass even if old approval-shaped comments exist.

Verification:

• git diff --check passed before commit.
• The change is limited to the GitHub Actions workflow and directly targets the reported blocking issue.

[devkade]

@kapi-agent review

[kapi-agent]

kapi-agent review

Verdict: APPROVE

Final approval summary

Review journey

Original goal: add a GitHub-enforced merge gate so Kapi PRs cannot merge from approval-shaped comments alone. The semantic scope is limited to one formal approval GitHub Actions workflow plus README/docs updates describing the required checks and PR #110 incident rule.

There was review/fix ping-pong:

• An earlier revision was approved.
• A later revision required changes because approval-shaped comments were still treated as failing diagnostics.
• The current revision explains that comments are now counted only for summary visibility and no longer block the gate.

What changed

• Added .github/workflows/kapi-agent-formal-approval-gate.yml.
• Updated README.md to document requiring both kapi-agent/review and require formal kapi-agent approval.
• Added docs/kapi-agent-approval-gate.md documenting the formal review contract and that comment verdicts are non-authoritative.

Why this is correct

The workflow now requires:

• latest formal kapi-agent PR review exists,
• latest formal review is APPROVED,
• review commit OID matches the current PR head SHA,
• kapi-agent/review check/status is success,
• PR is not draft.

Approval-shaped comments are only reported in the Actions summary and are not appended to failing diagnostics, which closes the prior blocking feedback.

Evidence

• Verifier gate: PASS — npm ci && npm run verify exited 0.
• Size gate: PASS — 136 changed lines, below the 200-line limit.
• Revision-explanation status: PASS — author explained what changed and why after prior kapi-agent feedback.
• Inspected files: .github/workflows/kapi-agent-formal-approval-gate.yml, README.md, docs/kapi-agent-approval-gate.md.

Remaining risks and approval rationale

Remaining risk: the workflow reads the last 100 reviews/comments/check runs/statuses and does not paginate. That is acceptable for this small focused gate, but could become brittle on extremely noisy PRs.

Approval is justified because all required gates pass, the PR is small and focused, the prior blocking issue is fixed, and no blocking correctness/security/workflow-contract issue remains.

Blocking issues

None.

Warnings / risks

• .github/workflows/kapi-agent-formal-approval-gate.yml: pagination remains a low-risk limitation. Very noisy PRs or refs with more than 100 relevant reviews/check runs/statuses could require pagination later.

Suggestions

• If this gate grows further, consider extracting the script into a testable module or adding fixture coverage for “valid formal approval + approval-shaped comment still passes.”

Looks good

• The workflow correctly uses formal PR review state rather than comment text as the approval authority.
• Current-head binding via latestReview.commit?.oid !== pull.head.sha protects against stale approval after synchronize.
• The prior issue is fixed: approval-shaped comments are summarized but no longer fail the gate.
• Documentation clearly explains the required branch/ruleset checks and the comment-vs-review distinction.

Verification notes

• Verifier gate status: PASS — npm ci && npm run verify exited 0.
• Size gate status: PASS — 136 changed lines < 200.
• Revision-explanation status: PASS — required and found.
• Local/PR evidence inspected: workflow file, README update, approval-gate docs, prior kapi-agent feedback, and current author revision explanation.

---

Engine: pi

---

kapi-agent request lifecycle:

• Status: COMPLETED
• Head: b77bf7c9d270
• Formal review event: APPROVE
• Review API status: 200
• Required check API status: 201

[kapi-agent]

kapi-agent review

Verdict: APPROVE

Final approval summary

Review journey

Original goal: add a GitHub-enforced merge gate so Kapi PRs cannot merge from approval-shaped comments alone. The semantic scope is limited to one formal approval GitHub Actions workflow plus README/docs updates describing the required checks and PR #110 incident rule.

There was review/fix ping-pong:

• An earlier revision was approved.
• A later revision required changes because approval-shaped comments were still treated as failing diagnostics.
• The current revision explains that comments are now counted only for summary visibility and no longer block the gate.

What changed

• Added .github/workflows/kapi-agent-formal-approval-gate.yml.
• Updated README.md to document requiring both kapi-agent/review and require formal kapi-agent approval.
• Added docs/kapi-agent-approval-gate.md documenting the formal review contract and that comment verdicts are non-authoritative.

Why this is correct

The workflow now requires:

• latest formal kapi-agent PR review exists,
• latest formal review is APPROVED,
• review commit OID matches the current PR head SHA,
• kapi-agent/review check/status is success,
• PR is not draft.

Approval-shaped comments are only reported in the Actions summary and are not appended to failing diagnostics, which closes the prior blocking feedback.

Evidence

• Verifier gate: PASS — npm ci && npm run verify exited 0.
• Size gate: PASS — 136 changed lines, below the 200-line limit.
• Revision-explanation status: PASS — author explained what changed and why after prior kapi-agent feedback.
• Inspected files: .github/workflows/kapi-agent-formal-approval-gate.yml, README.md, docs/kapi-agent-approval-gate.md.

Remaining risks and approval rationale

Remaining risk: the workflow reads the last 100 reviews/comments/check runs/statuses and does not paginate. That is acceptable for this small focused gate, but could become brittle on extremely noisy PRs.

Approval is justified because all required gates pass, the PR is small and focused, the prior blocking issue is fixed, and no blocking correctness/security/workflow-contract issue remains.

Blocking issues

None.

Warnings / risks

• .github/workflows/kapi-agent-formal-approval-gate.yml: pagination remains a low-risk limitation. Very noisy PRs or refs with more than 100 relevant reviews/check runs/statuses could require pagination later.

Suggestions

• If this gate grows further, consider extracting the script into a testable module or adding fixture coverage for “valid formal approval + approval-shaped comment still passes.”

Looks good

• The workflow correctly uses formal PR review state rather than comment text as the approval authority.
• Current-head binding via latestReview.commit?.oid !== pull.head.sha protects against stale approval after synchronize.
• The prior issue is fixed: approval-shaped comments are summarized but no longer fail the gate.
• Documentation clearly explains the required branch/ruleset checks and the comment-vs-review distinction.

Verification notes

• Verifier gate status: PASS — npm ci && npm run verify exited 0.
• Size gate status: PASS — 136 changed lines < 200.
• Revision-explanation status: PASS — required and found.
• Local/PR evidence inspected: workflow file, README update, approval-gate docs, prior kapi-agent feedback, and current author revision explanation.

---

Engine: pi