What happened
PR #2857, a bot-authored fix that modifies the review agent's own severity calibration rules, was merged with only a single human approval and zero review agent involvement. The dispatch authorization gate (ADR 0054) rejects bot PRs because fullsend-ai-coder[bot] lacks write collaborator permission, and the label-based fallback doesn't fire because GitHub suppresses events from app tokens. Issue #2674 already tracks the general dispatch gap. This retro confirms the gap is actively causing unreviewed merges of agent-behavior-modifying code — PR #2857 changed intent-coherence.md and SKILL.md, files that directly control review agent behavior.
What could go better
Changes to agent definitions (skills, sub-agent prompts, dimension mappings) are among the highest-impact changes in this repo because they alter how all future reviews behave. These changes getting zero automated review creates a blind spot: if the code agent introduces a subtle error in severity guidance or prompt wording, no automated check catches it. Issue #2674 already proposes fixing the dispatch authorization gate, but that issue doesn't call out the specific risk of agent-definition changes going unreviewed. Confidence is high that this is a recurring pattern — PRs #2885 and #2881 (also bot-authored) similarly lacked review agent runs.
Proposed change
Add urgency context to issue #2674 noting that bot PRs modifying internal/scaffold/fullsend-repo/skills/pr-review/ are particularly high-risk to leave unreviewed. As an interim measure until #2674 is resolved, add a CODEOWNERS entry requiring a second human reviewer for paths under internal/scaffold/fullsend-repo/skills/pr-review/ — this ensures changes to review agent behavior get at least two human reviewers when the review agent itself cannot participate. The CODEOWNERS entry should require review from a team or individual with domain expertise in the review agent's behavior.
Validation criteria
Short-term: after adding the CODEOWNERS entry, verify that the next bot-authored PR touching internal/scaffold/fullsend-repo/skills/pr-review/ requires and receives two human approvals before merge. Long-term: after #2674 is resolved, verify the next 3 bot-authored PRs all receive review agent runs by checking for fullsend-ai-review[bot] comments.
Generated by retro agent from #2857
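One way to script both validation criteria, as an added example that is not part of the original issue or the project's code. It assumes PR records shaped like GitHub REST API responses (`user.login`, `user.type`, review `state`, file `filename`); the function names, PR numbers, reviewer logins and the file name `example.md` are constructed for illustration.

```python
# Added example: constructed PR records, not project code or real PR data.
PROTECTED_PREFIX = "internal/scaffold/fullsend-repo/skills/pr-review/"
REVIEW_BOT = "fullsend-ai-review[bot]"

def human_approvers(pr):
    """Logins of humans whose latest decisive review is APPROVED."""
    latest = {}
    for r in pr["reviews"]:  # assumed to be in chronological order
        if r["state"] in ("APPROVED", "CHANGES_REQUESTED", "DISMISSED"):
            latest[r["user"]["login"]] = (r["state"], r["user"]["type"])
    return {login for login, (state, kind) in latest.items()
            if state == "APPROVED" and kind == "User" and login != pr["author"]}

def short_term_ok(pr):
    """Protected-path PRs need two human approvals; other PRs pass trivially."""
    touches = any(f["filename"].startswith(PROTECTED_PREFIX) for f in pr["files"])
    return (not touches) or len(human_approvers(pr)) >= 2

def long_term_ok(prs, required=3):
    """The first `required` bot-authored PRs must each carry a review-bot comment."""
    bot_prs = [p for p in prs if p["author"].endswith("[bot]")][:required]
    return len(bot_prs) == required and all(
        any(c["user"]["login"] == REVIEW_BOT for c in p["comments"]) for p in bot_prs)

def _review(login, state, kind="User"):
    return {"user": {"login": login, "type": kind}, "state": state}

# Constructed sample data (PR numbers, reviewer names and file name are made up).
CODER = "fullsend-ai-coder[bot]"
PR_ONE_APPROVAL = {"number": 1, "author": CODER,
    "files": [{"filename": PROTECTED_PREFIX + "example.md"}],
    "reviews": [_review("alice", "APPROVED"), _review("bob", "APPROVED"),
                _review("bob", "CHANGES_REQUESTED")],  # bob withdrew his approval
    "comments": []}
PR_TWO_APPROVALS = {"number": 2, "author": CODER,
    "files": [{"filename": PROTECTED_PREFIX + "example.md"}],
    "reviews": [_review("alice", "APPROVED"), _review("carol", "APPROVED"),
                _review(REVIEW_BOT, "APPROVED", "Bot")],  # bot approval is not counted
    "comments": [{"user": {"login": REVIEW_BOT}}]}
PR_UNRELATED = {"number": 3, "author": CODER, "files": [{"filename": "README.md"}],
    "reviews": [_review("alice", "APPROVED")],
    "comments": [{"user": {"login": REVIEW_BOT}}]}

if __name__ == "__main__":
    for pr in (PR_ONE_APPROVAL, PR_TWO_APPROVALS, PR_UNRELATED):
        print(pr["number"], short_term_ok(pr), sorted(human_approvers(pr)))
    print(long_term_ok([PR_ONE_APPROVAL, PR_TWO_APPROVALS, PR_UNRELATED]))
```

Counting only each reviewer's latest decisive state keeps a withdrawn approval or a bot approval from satisfying the two-human requirement.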