Add optional target-repo + vault token support for selected scheduled create-issue workflows #700
…t token support Add optional target-repo and token-policy inputs to selected scheduled create-issue workflows, wire create-issue target-repo, and use an optional GH_AW_GITHUB_TOKEN fallback for cross-repo previous-findings lookups. Made-with: Cursor
…OKEN Align the new vault and cross-repo wiring with a standard optional secret name by replacing GH_AW_GITHUB_TOKEN with GITHUB_TOKEN in selected scheduled create-issue workflows and related fragments. Made-with: Cursor
…n updates Regenerate lock files for the selected scheduled create-issue workflows after rebasing the change set onto current origin/main. Made-with: Cursor
| steps: | ||
| - name: List previous findings | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN || github.token }} |
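Review bot: The `GH_TOKEN: ${{ secrets.GITHUB_TOKEN || github.token }}` line leaves this lookup on a different credential from the one `create_issue` will use once the ephemeral token exists, and it also makes the new optional secret hard to override: `GITHUB_TOKEN` is the name of the automatic token, and repository or organization secrets whose names start with `GITHUB_` cannot be created, so the right-hand `github.token` fallback never differs from the left-hand value. If the intent is a caller-supplied token for cross-repository reads, keep a non-reserved secret name (the replaced `GH_AW_GITHUB_TOKEN` was one) and run this step after token creation with the same `steps.create-token.outputs.token || ...` chain that issue creation uses.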
List previous findings still authenticates with ${{ secrets.GITHUB_TOKEN || github.token }} even when the workflow is configured to use token-policy for cross-repo issue creation. In that setup, this lookup can fail against inputs.target-repo, hit the fallback [], and disable dedupe while create_issue later succeeds with the minted token — causing duplicate issues across runs.
Please use the same token source here as safe outputs (steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token) by running this step after token creation, or otherwise wiring the minted token into this fragment.
📝 Walkthrough
This pull request introduces cross-repository issue creation and ephemeral token support across five GitHub Actions workflows. Two new optional inputs are added:
Actionable comments posted: 5
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (3)
.github/workflows/gh-aw-scheduled-audit.lock.yml (1)
1457-1459: ⚠️ Potential issue | 🔴 Critical
Add `id-token: write` to the `safe_outputs` job permissions.
The `Create ephemeral token` step at line 1495 uses `elastic/oblt-actions/github/create-token`, which requires `permissions: id-token: write` to mint an OIDC token. When `inputs.token-policy` is provided, the step will fail because the job grants only `contents: read` and `issues: write`. Workflows that set `inputs.token-policy` will fail at the token creation step without this permission.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gh-aw-scheduled-audit.lock.yml around lines 1457 - 1459, The job permissions for the safe_outputs job are missing id-token: write, so the "Create ephemeral token" step that uses elastic/oblt-actions/github/create-token fails when inputs.token-policy is set; update the permissions block (the permissions: contents: read / issues: write section for the safe_outputs job) to include id-token: write so the action can mint an OIDC token.
.github/workflows/gh-aw-bug-hunter.lock.yml (1)
1511-1513: ⚠️ Potential issue | 🔴 Critical
Add `id-token: write` permission to the `safe_outputs` job.
Lines 1511-1513 grant only `contents: read` and `issues: write`, but line 1549's `elastic/oblt-actions/github/create-token` step requires `id-token: write` for OIDC token minting. Any invocation with `inputs.token-policy` set will fail at the "Create ephemeral token" step without this permission.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gh-aw-bug-hunter.lock.yml around lines 1511 - 1513, The safe_outputs job is missing the id-token write permission required by the "elastic/oblt-actions/github/create-token" step; add "id-token: write" to the job's permissions block (alongside contents: read and issues: write) so OIDC token minting succeeds when the step is invoked with inputs.token-policy set.
.github/workflows/gh-aw-text-auditor.lock.yml (1)
1641-1643: ⚠️ Potential issue | 🔴 Critical
Add `id-token: write` permission to the `safe_outputs` job.
Line 1679 uses `elastic/oblt-actions/github/create-token`, which requires `id-token: write` to authenticate via GitHub's OIDC provider. Lines 1641-1643 only grant `contents: read` and `issues: write`, so any run with `inputs.token-policy` set will fail at the token-minting step.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gh-aw-text-auditor.lock.yml around lines 1641 - 1643, The safe_outputs job's permissions block only grants contents: read and issues: write but the action elastic/oblt-actions/github/create-token (used in the job) requires id-token: write to mint OIDC tokens; update the safe_outputs job's permissions section to include id-token: write alongside the existing permissions so the token creation step can authenticate successfully.
📒 Files selected for processing (12)
.github/workflows/gh-aw-bug-hunter.lock.yml
.github/workflows/gh-aw-bug-hunter.md
.github/workflows/gh-aw-docs-drift.lock.yml
.github/workflows/gh-aw-docs-patrol.lock.yml
.github/workflows/gh-aw-docs-patrol.md
.github/workflows/gh-aw-fragments/previous-findings-target-repo.md
.github/workflows/gh-aw-fragments/safe-output-scheduled-audit-issue.md
.github/workflows/gh-aw-fragments/vault-token.md
.github/workflows/gh-aw-scheduled-audit.lock.yml
.github/workflows/gh-aw-scheduled-audit.md
.github/workflows/gh-aw-text-auditor.lock.yml
.github/workflows/gh-aw-text-auditor.md
| - env: | ||
| GH_TOKEN: ${{ github.token }} | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN || github.token }} | ||
| TARGET_REPO: ${{ inputs.target-repo || github.repository }} | ||
| TITLE_PREFIX: ${{ inputs.title-prefix }} | ||
| name: List previous findings | ||
| run: "set -euo pipefail\ngh issue list \\\n --repo \"$GITHUB_REPOSITORY\" \\\n --search \"in:title \\\"$TITLE_PREFIX\\\"\" \\\n --state all \\\n --limit 100 \\\n --json number,title,state \\\n > /tmp/previous-findings.json || { echo \"::warning::Failed to fetch previous findings — dedup will be skipped\"; echo \"[]\" > /tmp/previous-findings.json; }" | ||
| run: "set -euo pipefail\ngh issue list \\\n --repo \"$TARGET_REPO\" \\\n --search \"in:title \\\"$TITLE_PREFIX\\\"\" \\\n --state all \\\n --limit 100 \\\n --json number,title,state \\\n > /tmp/previous-findings.json || { echo \"::warning::Failed to fetch previous findings — dedup will be skipped\"; echo \"[]\" > /tmp/previous-findings.json; }" |
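Review bot: The `|| { echo "::warning::Failed to fetch previous findings ..."; echo "[]" > /tmp/previous-findings.json; }` fallback on the new run line now also swallows an authorization failure against a cross-repository `$TARGET_REPO`, so a token that cannot see the target yields an empty dedup set and a fresh duplicate of every finding, with only a generic warning in the log. Suggest probing the target first (`gh api "repos/$TARGET_REPO"`) and failing the step, or at minimum naming `$TARGET_REPO` and the `gh` exit status in the warning so a scope problem is distinguishable from "no prior issues".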
🧩 Analysis chain
🏁 Scripts executed (repository: elastic/ai-github-actions):
git ls-files | grep -i "gh-aw-bug-hunter"
wc -l .github/workflows/gh-aw-bug-hunter.lock.yml
sed -n '670,680p' .github/workflows/gh-aw-bug-hunter.lock.yml
sed -n '1545,1560p' .github/workflows/gh-aw-bug-hunter.lock.yml
head -100 .github/workflows/gh-aw-bug-hunter.lock.yml
sed -n '1,50p' .github/workflows/gh-aw-bug-hunter.lock.yml
grep -n "workflow_call\|inputs:" .github/workflows/gh-aw-bug-hunter.lock.yml | head -30
sed -n '1549,1600p' .github/workflows/gh-aw-bug-hunter.lock.yml
gh issue list at line 673-678 executes before ephemeral token creation, bypassing token-policy scoping.
In this reusable workflow, the "List previous findings" step (673-678) uses secrets.GITHUB_TOKEN || github.token to query the remote repository, but the ephemeral token is minted later at line 1549. Since secrets.GITHUB_TOKEN in reusable workflows inherits the caller's repo-scoped permissions, --repo "$TARGET_REPO" will fail on private remote targets unless the caller explicitly passes a broader secret—undermining the intent of the token-policy input to enforce scoped credentials. This prevents the deduplication mechanism from functioning when called with restrictive token policies.
Also applies to: 1549-1554
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-bug-hunter.lock.yml around lines 673 - 678, The
"List previous findings" step runs gh issue list with env GH_TOKEN set to
secrets.GITHUB_TOKEN || github.token before the ephemeral token is minted, which
can leak broad caller-scoped permissions and break access to private
TARGET_REPO; fix by making the step use the ephemeral/token produced by the
token minting step (or move this step to after the ephemeral token creation),
i.e., stop referencing secrets.GITHUB_TOKEN || github.token in the env for the
"List previous findings" step and instead reference the generated token variable
created by the token-policy/token minting step (the same token used later around
the ephemeral token creation lines) so gh issue list executes with the scoped
ephemeral token for TARGET_REPO.
| GH_AW_WORKFLOW_NAME: "Docs Patrol" | ||
| with: | ||
| github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | ||
| github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} |
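Review bot: Dropping `secrets.GH_AW_GITHUB_TOKEN` from the `github-token` expression means a caller that still maps that secret gets the automatic token instead, with nothing in the workflow signalling the rename; and because this hunk is in the conclusion job, where no `create-token` step is defined, the new first operand is always empty and the line resolves to `secrets.GITHUB_TOKEN` in practice. Either keep the old name in the chain for a transition period (`steps.create-token.outputs.token || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN`) or document the rename for callers in the workflow's `.md`.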
Same issue: steps.create-token.outputs.token references non-existent step in conclusion job.
Multiple steps in the conclusion job reference steps.create-token.outputs.token, but no such step exists in this job. The fallbacks will work, but ephemeral tokens won't be used.
Also applies to: 1452-1452, 1475-1475, 1492-1492
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-docs-drift.lock.yml at line 1439, The conclusion job
is referencing a non-existent step output `steps.create-token.outputs.token` in
multiple `github-token` entries; either add a step named `create-token` in the
conclusion job that emits an `outputs.token` value (so
`steps.create-token.outputs.token` becomes available), or update those
`github-token` references to the actual step that produces the ephemeral token
in this job (e.g., correct step id if different); ensure the step that you add
or reference sets a workflow output named `token` so the existing `github-token:
${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }}`
lines will use the ephemeral token when present.
| GH_TOKEN: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} | ||
| with: | ||
| github-token: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | ||
| github-token: ${{ steps.create-token.outputs.token || secrets.GITHUB_TOKEN || github.token }} |
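Review bot: The removed `github-token` line gave the GitHub MCP server its own credential order (`GH_AW_GITHUB_MCP_SERVER_TOKEN` first, then `GH_AW_GITHUB_TOKEN`), and the replacement collapses that to the minted token or the automatic token; since `create-token` is defined in `safe_outputs` rather than in this agent job, the MCP server will in practice always run with `secrets.GITHUB_TOKEN`, which changes what the agent can read and write. Please confirm the dedicated MCP server token is intentionally retired; if not, keep `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` ahead of the fallbacks in the `with:` block.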
Same issue: steps.create-token undefined in agent job.
The checkout-pr step references steps.create-token.outputs.token, but the create-token step is only defined in the safe_outputs job. This reference will always be empty, falling through to secrets.GITHUB_TOKEN || github.token.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-docs-patrol.lock.yml around lines 718 - 720, The
checkout-pr and GH_TOKEN lines reference steps.create-token.outputs.token which
only exists inside the safe_outputs job; export the step output at the
safe_outputs job level (e.g., add a job output mapping like
outputs.create-token: ${{ steps.create-token.outputs.token }} in safe_outputs)
and then reference it from the agent job via
needs.safe_outputs.outputs.create-token (use ${{
needs.safe_outputs.outputs.create-token || secrets.GITHUB_TOKEN || github.token
}} for both GH_TOKEN and the github-token input) so the token is correctly
propagated across jobs instead of relying on the step-scoped reference.
| - env: | ||
| GH_TOKEN: ${{ github.token }} | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN || github.token }} | ||
| TARGET_REPO: ${{ inputs.target-repo || github.repository }} | ||
| TITLE_PREFIX: ${{ inputs.title-prefix }} | ||
| if: ${{ !inputs.close-older-issues }} | ||
| name: List previous findings | ||
| run: "set -euo pipefail\ngh issue list \\\n --repo \"$GITHUB_REPOSITORY\" \\\n --search \"in:title \\\"$TITLE_PREFIX\\\"\" \\\n --state all \\\n --limit 100 \\\n --json number,title,state \\\n > /tmp/previous-findings.json || { echo \"::warning::Failed to fetch previous findings — dedup will be skipped\"; echo \"[]\" > /tmp/previous-findings.json; }\n" | ||
| run: "set -euo pipefail\ngh issue list \\\n --repo \"$TARGET_REPO\" \\\n --search \"in:title \\\"$TITLE_PREFIX\\\"\" \\\n --state all \\\n --limit 100 \\\n --json number,title,state \\\n > /tmp/previous-findings.json || { echo \"::warning::Failed to fetch previous findings — dedup will be skipped\"; echo \"[]\" > /tmp/previous-findings.json; }\n" |
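Review bot: With the lookup now pointed at an arbitrary `$TARGET_REPO`, the `--limit 100` together with `--state all` on the new run line becomes a dedup ceiling: once a target has accumulated more than 100 issues matching `in:title "$TITLE_PREFIX"` (closed ones included), older findings fall outside the window and get re-filed. Consider paging the search instead of a fixed limit (for example `gh api --paginate search/issues`), or at least emit a warning when exactly 100 results come back so the truncation is visible in the run log.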
🧩 Analysis chain
🏁 Scripts executed (repository: elastic/ai-github-actions):
# First, check if the file exists and its size
wc -l .github/workflows/gh-aw-scheduled-audit.lock.yml
# Read the relevant section around lines 610-616
sed -n '605,625p' .github/workflows/gh-aw-scheduled-audit.lock.yml
# Read the section around line 1495
sed -n '1490,1505p' .github/workflows/gh-aw-scheduled-audit.lock.yml
# Search for all token-related definitions and usage
rg -n "token-policy|GITHUB_TOKEN|ephemeral|token" .github/workflows/gh-aw-scheduled-audit.lock.yml | head -50
Ephemeral token created too late for "List previous findings" lookup.
Line 611 (gh issue list) uses secrets.GITHUB_TOKEN || github.token and runs before the ephemeral token is created at line 1495. In a reusable workflow, the built-in token is repo-scoped to the caller, so --repo "$TARGET_REPO" will fail against private remote repositories that the caller lacks access to. The new token-policy path cannot address cross-repo lookups because the ephemeral token is minted after this step executes.
To enable the token-policy feature to help with remote private repo access, the ephemeral token creation must move earlier in the workflow, or line 611 must be refactored to use the ephemeral token when available (similar to line 643's pattern).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-scheduled-audit.lock.yml around lines 610 - 616, The
"List previous findings" step uses GH_TOKEN: ${{ secrets.GITHUB_TOKEN ||
github.token }} and runs before the ephemeral token is minted, causing
cross-repo/private lookups with gh issue list (the step that uses TARGET_REPO
and TITLE_PREFIX) to fail; fix by either moving the ephemeral token creation
step earlier in the workflow so the ephemeral token is available before the step
named "List previous findings", or update the step's env GH_TOKEN to prefer the
ephemeral token when present (same pattern used near the other lookup at line
~643) so gh issue list --repo "$TARGET_REPO" uses the ephemeral token for
cross-repo access.
| - env: | ||
| GH_TOKEN: ${{ github.token }} | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN || github.token }} | ||
| TARGET_REPO: ${{ inputs.target-repo || github.repository }} | ||
| TITLE_PREFIX: ${{ inputs.title-prefix }} | ||
| name: List previous findings | ||
| run: "set -euo pipefail\ngh issue list \\\n --repo \"$GITHUB_REPOSITORY\" \\\n --search \"in:title \\\"$TITLE_PREFIX\\\"\" \\\n --state all \\\n --limit 100 \\\n --json number,title,state \\\n > /tmp/previous-findings.json || { echo \"::warning::Failed to fetch previous findings — dedup will be skipped\"; echo \"[]\" > /tmp/previous-findings.json; }" | ||
| run: "set -euo pipefail\ngh issue list \\\n --repo \"$TARGET_REPO\" \\\n --search \"in:title \\\"$TITLE_PREFIX\\\"\" \\\n --state all \\\n --limit 100 \\\n --json number,title,state \\\n > /tmp/previous-findings.json || { echo \"::warning::Failed to fetch previous findings — dedup will be skipped\"; echo \"[]\" > /tmp/previous-findings.json; }" |
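Review bot: This is the same step body as in the scheduled-audit and bug-hunter lock files, differing only in `--repo "$TARGET_REPO"`, and the file list shows it is generated from `.github/workflows/gh-aw-fragments/previous-findings-target-repo.md`; any token-ordering or fail-closed change should therefore be made in that fragment and the four lock files regenerated together (as the third commit already does), not hand-patched per lock file, or the copies will drift.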
🧩 Analysis chain
🏁 Scripts executed (repository: elastic/ai-github-actions):
head -20 .github/workflows/gh-aw-text-auditor.lock.yml
wc -l .github/workflows/gh-aw-text-auditor.lock.yml
sed -n '800,815p' .github/workflows/gh-aw-text-auditor.lock.yml
sed -n '1675,1690p' .github/workflows/gh-aw-text-auditor.lock.yml
# Search for ephemeral token or token-policy references
rg "ephemeral|token-policy|ACTIONS_ID_TOKEN" .github/workflows/gh-aw-text-auditor.lock.yml
Move token creation before "List previous findings" step or use ephemeral token for cross-repo lookups.
The "List previous findings" step at line 804 uses secrets.GITHUB_TOKEN || github.token and runs before the ephemeral token is created at line 1679. In reusable workflows, this repo-scoped token cannot access private remote targets. Passing token-policy won't help because the ephemeral token is created after this step. Either move the "Create ephemeral token" step before "List previous findings" or refactor to skip dedup when the token lacks sufficient permissions.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-text-auditor.lock.yml around lines 803 - 808, The
"List previous findings" step (env GH_TOKEN/TARGET_REPO/TITLE_PREFIX) runs
before the ephemeral token is created, so its repo-scoped token may lack
cross-repo access; either move the step that creates the ephemeral token (the
workflow step that produces the higher-permission token) to execute before the
"List previous findings" step so GH_TOKEN points to the ephemeral token, or add
a guard in the "List previous findings" step to detect insufficient token
permissions (or absence of ephemeral token) and skip the dedup fetch (write an
empty /tmp/previous-findings.json and emit a warning) when cross-repo access is
not available. Ensure you update references to GH_TOKEN and any token-policy
usage accordingly.
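As an added example, not code from this PR or from the elastic/ai-github-actions workflows, here is a step body implementing the guard the comment above proposes: it probes whether `GH_TOKEN` can read `TARGET_REPO` before searching, writes `[]` plus a warning with a distinct exit status when it cannot, and lets any other failure fail the step instead of being swallowed. It assumes the `gh` CLI and the `TARGET_REPO`/`TITLE_PREFIX` environment variables from the hunks; `count_findings` is a hypothetical helper.

```bash
#!/usr/bin/env bash
# Added example (not code from this PR or the elastic/ai-github-actions repo):
# a "List previous findings" step body that fails closed on a token-scope problem
# instead of turning it into an empty dedup set. Assumes the gh CLI and the
# TARGET_REPO / TITLE_PREFIX env vars the hunks define.
set -eu
set -o pipefail 2>/dev/null || true   # pipefail where the shell supports it

# Writes the matching issues of repo "$1" (title prefix "$2") to JSON file "$3".
# Returns 0 when findings were written, 2 when the token cannot read the target
# repository (dedup skipped, "[]" written, warning annotated), 1 on other errors.
list_previous_findings() {
  local target_repo="$1" title_prefix="$2" out_file="$3"
  local tmp
  tmp="$(mktemp)"

  # Probe the repository first. A caller-scoped or repo-scoped token gets a 404
  # on a private target; "gh issue list || echo []" would hide that as "no issues".
  if ! gh api "repos/${target_repo}" --jq .full_name >/dev/null 2>"$tmp"; then
    echo "::warning::GH_TOKEN cannot read ${target_repo} ($(tr -d '\n' <"$tmp")); dedup skipped"
    echo "[]" >"$out_file"
    rm -f "$tmp"
    return 2
  fi

  # Same query as the workflow step, now against a target we know is readable.
  if ! gh issue list \
        --repo "$target_repo" \
        --search "in:title \"${title_prefix}\"" \
        --state all \
        --limit 100 \
        --json number,title,state >"$tmp"; then
    rm -f "$tmp"
    echo "::error::gh issue list failed for ${target_repo}"
    return 1
  fi
  mv "$tmp" "$out_file"
  return 0
}

# Number of findings in a file written above (0 for "[]"), without needing jq,
# so a later step can tell a skipped lookup from a genuinely empty result.
count_findings() {
  { grep -o '"number"' "$1" || true; } | wc -l | tr -d ' '
}

# Step usage: only exit status 2 (unreadable target) is tolerated; anything
# else fails the step so the problem is visible in the run.
if [ -n "${TARGET_REPO:-}" ]; then
  list_previous_findings "$TARGET_REPO" "${TITLE_PREFIX:-}" /tmp/previous-findings.json || [ $? -eq 2 ]
fi
```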
Summary
- `gh-aw-fragments/vault-token.md` and wire it into selected scheduled create-issue workflows
- `target-repo` and `token-policy` workflow_call inputs plus optional `GITHUB_TOKEN` secret
- `create-issue` safe outputs to `${{ inputs.target-repo || '' }}`
- `previous-findings-target-repo` fragment so dedupe lookups query `${{ inputs.target-repo || github.repository }}`
Included workflows
- `gh-aw-scheduled-audit`
- `gh-aw-docs-patrol`
- `gh-aw-bug-hunter`
- `gh-aw-text-auditor`
Test plan
- `origin/main` branch state
Supersedes #699 (recreated from current `origin/main` to avoid stale branch history).
Made with Cursor