fix(workflow): feature-research silent-success + copilot-cli v1.0.21 pin

Three compounding defects caused run 24232817769 to roll up as `success`
while producing zero safe-outputs:

1. Copilot CLI v1.0.22 regression (confirmed in gh-aw v0.68.1 release
   notes + PR #25689 - "0-byte output due to incompatibilities with
   v1.0.22"). Fix: upgrade gh-aw to v0.68.1, inherit framework-level
   pin of Copilot CLI to v1.0.21 via install_copilot_cli.sh.
2. gh-aw has no built-in fail-on-empty for safe-outputs. Fix: new
   post-steps assertion reads /tmp/gh-aw/agent_output.json and exits
   non-zero when create_issue AND noop counts are both zero.
3. Agent improvised `bun run check` on a Bun-less runner. Fix: new
   "Read-only scope" section in prompt body forbidding build/test
   commands.

Spec correction: original attribution to copilot-cli#2479/#2481 is
wrong; those bugs were closed as fixed (2026-04-09 / 2026-04-03,
fixed in CLI v1.0.19) before the 2026-04-10 failing run. Corrected
in spec.md Background / FR-002 / Assumptions.

Details and walkthrough evidence:
specs/20260411-143905-fix-feature-researcher/

Walkthrough T025-T028 still pending - PR opens as draft.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: chrisleekr

.github/aw/actions-lock.json

@@ -5,10 +5,15 @@
       "version": "v8",
       "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd"
     },
-    "github/gh-aw-actions/setup@v0.67.0": {
+    "actions/github-script@v9": {
+      "repo": "actions/github-script",
+      "version": "v9",
+      "sha": "373c709c69115d41ff229c7e5df9f8788daa9553"
+    },
+    "github/gh-aw-actions/setup@v0.68.1": {
       "repo": "github/gh-aw-actions/setup",
-      "version": "v0.67.0",
-      "sha": "cde65c546c2b0f6d3f3a9492a04e6687887c4fe8"
+      "version": "v0.68.1",
+      "sha": "2fe53acc038ba01c3bbdc767d4b25df31ca5bdfc"
     }
   }
 }

.github/workflows/feature-research.lock.yml

@@ -36,6 +36,25 @@ safe-outputs:
     assignees: [chrisleekr]
     close-older-issues: true
     expires: 7d
+
+post-steps:
+  - name: Assert agent emitted at least one safe-output record
+    if: always()
+    run: |
+      set -euo pipefail
+      AGENT_OUT=/tmp/gh-aw/agent_output.json
+      if [[ ! -s "$AGENT_OUT" ]]; then
+        echo "::error::Agent produced no output file at $AGENT_OUT"
+        exit 1
+      fi
+      CREATE_ISSUE_COUNT=$(jq '[.items[] | select(.type == "create_issue")] | length' "$AGENT_OUT")
+      NOOP_COUNT=$(jq '[.items[] | select(.type == "noop")] | length' "$AGENT_OUT")
+      echo "create_issue records: $CREATE_ISSUE_COUNT"
+      echo "noop records:         $NOOP_COUNT"
+      if [[ "$CREATE_ISSUE_COUNT" -lt 1 && "$NOOP_COUNT" -lt 1 ]]; then
+        echo "::error::FR-001 violation — agent emitted zero create_issue and zero noop safe-outputs. Failing the run to prevent silent success."
+        exit 1
+      fi
 ---
 
 # Feature Opportunity Researcher
@@ -59,6 +78,16 @@ in the **past 7 days** for each of these tools:
 You MUST use the `mcp__tavily__search` tool for all web searches and content
 retrieval. Do NOT use WebFetch or direct HTTP requests to external URLs unless travily is unable to retrieve the content you need.
 
+## Read-only scope
+
+This research task is **read-only** against the working tree. Do NOT run any
+repository build, test, or validation command. In particular, do NOT invoke
+`bun run check`, `bun install`, `bun test`, `npm test`, `npm install`, `git add`,
+`git commit`, or any equivalent. The GitHub-hosted `ubuntu-24.04` runner does
+not have Bun installed, and repository validation is not this workflow's job —
+your only task is to read source files under `src/agents/*.ts` and compare
+them against the upstream changelogs you retrieve through Tavily.
+
 ## What to Check
 
 Compare any newly discovered config fields against the current agent

.github/workflows/feature-research.md

@@ -9,6 +9,8 @@ Auto-generated from all feature plans. Last updated: 2026-04-11
 - Local filesystem (agent config files via `AgentPaths`) (20260406-164513-repo-housekeeping)
 - TypeScript 6.x, strict mode (`"strict": true`), Bun ≥ 1.3.9 runtime + `citty` (CLI), `@clack/prompts` (output), `tar` v7 (archive), `age-encryption` (X25519 encryption), `simple-git` (vault Git ops), `zod` (schema validation), `picocolors` (terminal colours) (20260411-002222-agent-skills-sync)
 - Local filesystem only. Skill sources at `~/.claude/skills/`, `~/.cursor/skills/`, `~/.codex/skills/`, `~/.copilot/skills/`. Encrypted destinations at `<vaultDir>/<agent>/skills/<name>.tar.age`, wired through `AgentPaths` in `src/config/paths.ts` (20260411-002222-agent-skills-sync)
+- YAML (GitHub Actions schema) + Markdown (gh-aw (20260411-143905-fix-feature-researcher)
+- N/A. Workflow file only; no persistent state. (20260411-143905-fix-feature-researcher)
 
 - TypeScript 6.x, strict mode (`"strict": true`) + citty 0.2.x, @clack/prompts 1.2.x, zod 4.x, simple-git 3.x, age-encryption 0.3.x (20260406-094347-stabilise-daemon)
 
@@ -28,9 +30,9 @@ bun run check
 TypeScript 6.x, strict mode (`"strict": true`): Follow standard conventions
 
 ## Recent Changes
+- 20260411-143905-fix-feature-researcher: Added YAML (GitHub Actions schema) + Markdown (gh-aw
 - 20260411-002222-agent-skills-sync: Added TypeScript 6.x, strict mode (`"strict": true`), Bun ≥ 1.3.9 runtime + `citty` (CLI), `@clack/prompts` (output), `tar` v7 (archive), `age-encryption` (X25519 encryption), `simple-git` (vault Git ops), `zod` (schema validation), `picocolors` (terminal colours)
 - 20260406-164513-repo-housekeeping: Added TypeScript 6.x, strict mode + citty 0.2.x (CLI), @clack/prompts 1.2.x (output), zod 4.x (validation), simple-git 3.x, age-encryption 0.3.x, picocolors 1.1.x (new explicit dep)
-- 20260406-125441-config-migration: Added TypeScript 6.x, strict mode (`"strict": true`) + citty 0.2.x (CLI), @clack/prompts 1.2.x (output), @iarna/toml ^2.2.5 (Codex TOML), zod 4.x (validation)
 
 
 <!-- MANUAL ADDITIONS START -->

CLAUDE.md

@@ -0,0 +1,61 @@
+# Specification Quality Checklist: Fix Feature Opportunity Researcher Workflow Silent Failure
+
+**Purpose**: Validate specification completeness and quality before proceeding to planning
+**Created**: 2026-04-11
+**Feature**: [spec.md](../spec.md)
+
+## Content Quality
+
+- [x] No implementation details (languages, frameworks, APIs)
+- [x] Focused on user value and business needs
+- [x] Written for non-technical stakeholders
+- [x] All mandatory sections completed
+
+## Requirement Completeness
+
+- [x] No [NEEDS CLARIFICATION] markers remain
+- [x] Requirements are testable and unambiguous
+- [x] Success criteria are measurable
+- [x] Success criteria are technology-agnostic (no implementation details)
+- [x] All acceptance scenarios are defined
+- [x] Edge cases are identified
+- [x] Scope is clearly bounded
+- [x] Dependencies and assumptions identified
+
+## Feature Readiness
+
+- [x] All functional requirements have clear acceptance criteria
+- [x] User scenarios cover primary flows
+- [x] Feature meets measurable outcomes defined in Success Criteria
+- [x] No implementation details leak into specification
+
+## Notes
+
+- Iteration 1 left two [NEEDS CLARIFICATION] markers (fallback web-search
+  policy; shape of the health signal). User review rejected the premise of
+  the first one ("Tavily must be available — why did it fail?") and
+  answered the second ("A: fail the run"). User also pushed back on the
+  third clarification about `bun run check` by asking why the agent runs
+  check at all — which led to verifying that the prompt does not contain
+  that instruction; the agent improvised it.
+- Iteration 2 (this version) integrates all three decisions:
+  - FR-002 + User Story 2 + Background root-cause section 1 replace the
+    fallback-policy question with a concrete diagnosis (Copilot CLI
+    personal-account MCP allowlist bug,
+    [github/copilot-cli#2479](https://github.com/github/copilot-cli/issues/2479),
+    [#2481](https://github.com/github/copilot-cli/issues/2481)).
+  - FR-001 + SC-005 operationalise Option A: zero-safe-output runs end in
+    conclusion `failure`.
+  - FR-004 + Background root-cause section 2 pin responsibility for the
+    `bun run check` improvisation on prompt under-specification, not on a
+    missing runner tool.
+- Spec deliberately avoids prescribing *how* to apply the Copilot CLI
+  workaround (env var vs. version pin vs. alternative CLI). Implementation
+  choices belong in the plan phase.
+- Two citations ([#2479](https://github.com/github/copilot-cli/issues/2479)
+  and [#2481](https://github.com/github/copilot-cli/issues/2481)) appear
+  in the Background and in FR-002 as authoritative evidence for the root
+  cause — these are not implementation prescriptions, they are the
+  incident-diagnosis trail required under the user's "verify with official
+  documentation or authoritative references" rule.
+- All checklist items pass. Spec is ready for `/speckit.plan`.

specs/20260411-143905-fix-feature-researcher/checklists/requirements.md

@@ -0,0 +1,93 @@
+# Contract — Post-execution assertion (NEW)
+
+**Status**: **NEW** — introduced by this feature to satisfy FR-001.
+**Location**: injected into `.github/workflows/feature-research.md`
+frontmatter as a `post-steps:` entry. Compiled into the `agent` job
+of `feature-research.lock.yml` after the existing “Execute GitHub
+Copilot CLI” step.
+
+## Purpose
+
+Make silent-success impossible: fail the agent step when it emits
+zero `create_issue` safe-output records and zero `noop` safe-output
+records, so the overall run conclusion rolls up as `failure` and the
+Actions UI shows a red X.
+
+## Producer → Consumer
+
+| Producer | Consumer |
+|----------|----------|
+| `post-steps` assertion (new) | GitHub Actions job conclusion resolver |
+
+## Input contract
+
+| Input | Source | Required |
+|-------|--------|----------|
+| `/tmp/gh-aw/agent_output.json` | Written by existing gh-aw lock step “Write agent output placeholder if missing” at `feature-research.lock.yml:770` | Yes (gh-aw guarantees the file exists — it writes `{"items":[]}` if the agent produced nothing) |
+
+The file shape is a JSON object with an `items` array whose entries
+match the `SafeOutputRecord` entity in `data-model.md`.
+
+## Output contract (exit semantics)
+
+| Situation | Exit code | Observable effect |
+|-----------|-----------|-------------------|
+| `items[].type == "create_issue"` count `>= 1` | `0` | Agent step passes; downstream jobs run as normal |
+| `items[].type == "noop"` count `>= 1` (no create_issue) | `0` | Agent step passes; noop tracking issue is created by the existing `handle_noop_message.cjs` step in the conclusion job |
+| Both counts are zero | `1` | Agent step fails; `needs.agent.result == "failure"`; conclusion job rolls up as `failure`; **red X in Actions UI** |
+| `/tmp/gh-aw/agent_output.json` is missing or not valid JSON | `1` | Same as above — silent-success is impossible even on malformed output |
+
+## Frontmatter declaration
+
+```yaml
+post-steps:
+  - name: Assert agent emitted at least one safe-output record
+    if: always()
+    run: |
+      set -euo pipefail
+      AGENT_OUT=/tmp/gh-aw/agent_output.json
+      if [[ ! -s "$AGENT_OUT" ]]; then
+        echo "::error::Agent produced no output file at $AGENT_OUT"
+        exit 1
+      fi
+      CREATE_ISSUE_COUNT=$(jq '[.items[] | select(.type == "create_issue")] | length' "$AGENT_OUT")
+      NOOP_COUNT=$(jq '[.items[] | select(.type == "noop")] | length' "$AGENT_OUT")
+      echo "create_issue records: $CREATE_ISSUE_COUNT"
+      echo "noop records:         $NOOP_COUNT"
+      if [[ "$CREATE_ISSUE_COUNT" -lt 1 && "$NOOP_COUNT" -lt 1 ]]; then
+        echo "::error::FR-001 violation — agent emitted zero create_issue and zero noop safe-outputs. Failing the run to prevent silent success."
+        exit 1
+      fi
+```
+
+## Invariants
+
+| Invariant | Enforcement |
+|-----------|-------------|
+| `set -euo pipefail` must be at the top of the script | Documented above; reviewers reject PRs without it |
+| Error messages go to `::error::` workflow command (not just `echo`) | Makes the failure visible in the Actions UI summary |
+| Step uses `if: always()` | Runs even if the agent step crashed (spec Edge Case: max-continuations exhaustion) |
+| Script MUST NOT write to `$GITHUB_TOKEN`, MUST NOT read secrets | Post-steps run outside the firewall sandbox; avoid leaking anything from the runner environment |
+| Script uses `jq` (pre-installed on `ubuntu-24.04`) | Documented in `docs.github.com/en/actions/reference/runner-images#ubuntu-2404-lts-installed-software` |
+
+## What this contract does NOT cover
+
+- **Signal-to-maintainer-via-email** — spec does not require it.
+- **Per-iteration progress tracking** — the agent runs up to 3
+  autopilot continuations; this assertion runs once at the end,
+  exactly as the agent step completes.
+- **Alerting on partial Tavily rate-limit** — spec Edge Case says a
+  partial-data run is legitimate success; the assertion only fires on
+  zero output, not on degraded output.
+
+## Test strategy
+
+- **Happy path**: `quickstart.md` step 4 dispatches the workflow and
+  verifies the post-step passes (green agent job, green run).
+- **Forced failure**: `quickstart.md` step 5 temporarily breaks the
+  MCP gateway (e.g. by invalidating `TAVILY_API_KEY`) to force zero
+  safe-outputs, verifying the assertion fires and the run ends in
+  red X.
+- **Regression lock-in**: after merge, the next 4 scheduled runs
+  (SC-001 window) are observed; any silent-success regression is
+  treated as a FR-001 violation and re-opens this spec.

specs/20260411-143905-fix-feature-researcher/contracts/post-check.md

@@ -0,0 +1,78 @@
+# Contract — `safe-outputs` shape (PRESERVED)
+
+**Status**: **DO NOT CHANGE.** This contract is the shape the workflow
+emits today and MUST continue to emit after the fix. Any divergence
+fails spec FR-005. This file is a **read-only reference** for task
+phase — it does NOT introduce a new contract.
+
+**Source of truth**: compiled `feature-research.lock.yml` line 370 (the
+`GH_AW_SAFE_OUTPUTS_CONFIG_*` block) and
+`.github/workflows/feature-research.md` frontmatter lines 32–38.
+
+## Producer → Consumer
+
+| Producer | Consumer |
+|----------|----------|
+| `agent` job calling `mcp__safeoutputs__create_issue` | `safe_outputs` job running `safe_output_handler_manager.cjs` |
+
+## Wire format
+
+One JSON object per record, one record per line in
+`/tmp/gh-aw/safeoutputs.jsonl`.
+
+```jsonc
+{
+  "type": "create_issue",
+  "title": "...",          // sanitized, max 128 chars. Will be prefixed by safe-outputs handler with "[feature-research] "
+  "body": "...",           // sanitized, max 65000 chars (markdown)
+  "labels": ["..."],       // max 128 chars each, sanitized. MUST include "feature-research" and "automated"
+  "assignees": ["..."],    // MUST include "chrisleekr"
+  "temporary_id": "..."    // gh-aw internal; agent leaves blank
+}
+```
+
+Validation schema is in the compiled lock under
+`safeoutputs/validation.json` — the `create_issue` entry with
+`required: ["body", "title"]`.
+
+## Frontmatter declaration (MUST remain exactly as shown)
+
+```yaml
+safe-outputs:
+  create-issue:
+    title-prefix: "[feature-research]"
+    labels: [feature-research, automated]
+    assignees: [chrisleekr]
+    close-older-issues: true
+    expires: 7d
+```
+
+## Invariants the fix must preserve
+
+| Invariant | Why |
+|-----------|-----|
+| `title-prefix` is `[feature-research]` | spec FR-005 |
+| `labels` contains both `feature-research` and `automated` | spec FR-005, SC-001 |
+| `assignees` contains `chrisleekr` | spec FR-005 |
+| `close-older-issues: true` | spec FR-005 |
+| `expires: 7d` | spec FR-005 |
+| `create-issue.max` remains `1` | existing gh-aw default; spec does not loosen |
+| `noop` safe-output type remains allowed (even though not named in the source frontmatter, gh-aw injects it as a default) | spec User Story 1 scenario 3 needs `noop` for the “no gaps this week” happy-path |
+
+## What the fix MAY change (but is NOT required to change)
+
+- Nothing in this contract. The fix only **reads** safe-outputs (via
+  the new post-steps assertion in `contracts/post-check.md`); it does
+  not modify how they are produced or consumed.
+
+## Test strategy
+
+No automated test — this is a docs-only feature per Principle II
+exception. Manual walkthrough in `quickstart.md` asserts that on a
+successful run:
+
+1. A single issue is created (or updated) with the prefix, labels,
+   and assignee above.
+2. The issue title is visible on `chrisleekr/agentsync/issues` within
+   ~30 seconds of the agent job completing.
+3. Prior week’s issue is closed by the `close-older-issues` mechanism.