From 1668f828142679c867c43d4f71c6797e48d5e104 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Wed, 4 Mar 2026 19:25:48 +0000
Subject: [PATCH 1/2] docs: document secrecy and integrity security metadata
 fields for safe outputs

Add a new "Security Metadata" subsection to the Global Configuration
Options section of safe-outputs.md documenting the secrecy and integrity
optional fields available on all safe output tool calls.

These fields have been defined in BaseSafeOutputItem (safe-outputs.d.ts)
and referenced in the glossary but were missing from the main reference
documentation. Commit #19552 added display of these fields in the step
summary renderer, making them more visible to users who will look for
configuration guidance.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 docs/src/content/docs/reference/safe-outputs.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/docs/src/content/docs/reference/safe-outputs.md b/docs/src/content/docs/reference/safe-outputs.md
index bc7aa1d618e..1e08cc02f81 100644
--- a/docs/src/content/docs/reference/safe-outputs.md
+++ b/docs/src/content/docs/reference/safe-outputs.md
@@ -1381,6 +1381,23 @@ safe-outputs:
 
 **Variables**: `{workflow_name}`, `{run_url}`, `{triggering_number}`, `{workflow_source}`, `{workflow_source_url}`, `{event_type}`, `{status}`, `{operation}`
 
+### Security Metadata (`secrecy`, `integrity`)
+
+Any safe output tool call can optionally include `secrecy` and `integrity` metadata fields. Unlike frontmatter options, these are set in the **agent's output** (the JSON the agent sends when calling a safe output tool), not in the workflow's `safe-outputs:` configuration.
+
+- **`secrecy`**: Confidentiality level of the message content. Values: `"public"`, `"internal"`, `"private"`.
+- **`integrity`**: Trustworthiness of the data source. Values: `"low"`, `"medium"`, `"high"`.
+
+When present, both values are displayed in the workflow step summary.
+
+**Example — agent output including security metadata:**
+
+```json
+{"type": "create_issue", "title": "Security report", "body": "...", "secrecy": "internal", "integrity": "medium"}
+```
+
+See [Secrecy](/gh-aw/reference/glossary/#secrecy) and [Integrity](/gh-aw/reference/glossary/#integrity) in the Glossary for definitions.
+
 ## Related Documentation
 
 - [Threat Detection Guide](/gh-aw/reference/threat-detection/) - Complete threat detection documentation and examples

From 9d4bf5eee844ee96a134958857e736eac3999c62 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Wed, 4 Mar 2026 19:28:29 +0000
Subject: [PATCH 2/2] ci: trigger checks