[Pelis Agent Factory Advisor] Agentic Workflow Opportunities — Q2 2026 Analysis

[github-actions[bot]]

📊 Executive Summary

The gh-aw-firewall repository demonstrates exceptional agentic workflow maturity — 35 agentic workflow definitions covering security red-teaming, smoke testing across 3 AI engines, token cost optimization, CI diagnosis, and daily threat modeling. The top opportunities are: adding a Grumpy Code Reviewer on PRs (code quality → security quality), scheduling the Secret Digger workflows for automated regression coverage, and adding a Codex Token Analyzer to match the Claude/Copilot parity already in place.

---

🎓 Patterns Learned

From the Pelis Agent Factory catalog and analysis of this repository:

Pattern Family	Key Insight	Applied Here?
Fault Analysis	CI Doctor + CI Coach pair	✅ Doctor only — Coach missing
Security	Malicious code scan + VEX Generator	⚠️ Secret Digger present, daily scan missing
Code Review	Grumpy Reviewer on PR events	❌ Security-only guard, no quality reviewer
Token Optimization	Analyzer → Optimizer chained via workflow_run	✅ Claude + Copilot; ❌ Codex missing
Command-triggered	/plan, /fix, /ask, /archie	✅ /plan only
Formal Verification	Lean Squad for critical code paths	❌ Not present
Meta-optimization	Q - Workflow Optimizer	❌ Not present
Dependency	Dependabot PR Bundler	❌ Not present
Moderation	AI Moderator for spam/AI issues	❌ Not present

Strongest patterns already applied: multi-engine smoke tests with reaction triggers, token optimizer chains, firewall-issue-dispatcher cross-repo coordination, shared MCP imports, and layered security review (PR guard + daily review + red team escape testing).

---

📋 Workflow Inventory

Workflow	Purpose	Trigger	Assessment
build-test	Copilot-run build/test suite	PR + dispatch	✅ Solid
ci-cd-gaps-assessment	CI pipeline gap analysis	Daily + dispatch	✅ Good
ci-doctor	CI failure investigator	workflow_run on failure	✅ Comprehensive
claude-token-usage-analyzer	Claude cost trends	Daily	✅ Good
claude-token-optimizer	Claude cost recommendations	After analyzer run	✅ Good
cli-flag-consistency-checker	CLI doc/code parity	Weekly	✅ Domain-specific
copilot-token-usage-analyzer	Copilot cost trends	Daily	✅ Good
copilot-token-optimizer	Copilot cost recommendations	After analyzer run	✅ Good
dependency-security-monitor	CVE scanning + fix PRs	Daily	✅ Strong
doc-maintainer	Doc sync with code changes	Daily + PR	✅ Good
firewall-issue-dispatcher	Cross-repo issue tracking	Every 6h	✅ Unique
issue-duplication-detector	Duplicate issue detection	On issue open	✅ Good
issue-monster	Assigns issues to Copilot	Hourly + on open	⚠️ No labeling step
pelis-agent-factory-advisor	This workflow	Scheduled	✅ Meta
plan	/plan slash command	Slash command	✅ Good
secret-digger-claude	Escape testing (Claude)	Manual only	⚠️ Should be scheduled
secret-digger-codex	Escape testing (Codex)	Manual only	⚠️ Should be scheduled
secret-digger-copilot	Escape testing (Copilot)	Manual only	⚠️ Should be scheduled
security-guard	PR security review	PR + dispatch	✅ Strong
security-review	Daily threat modeling	Daily	✅ Very strong
smoke-chroot	Chroot feature smoke test	PR + dispatch (no schedule)	⚠️ Missing schedule
smoke-claude	Claude smoke test	Every 12h + PR	✅ Good
smoke-codex	Codex smoke test	Every 12h + PR	✅ Good
smoke-copilot	Copilot smoke test	Every 12h + PR	✅ Good
smoke-services	Host service ports test	Every 12h + PR	✅ Good
test-coverage-improver	Add tests for security paths	Weekly	✅ Domain-specific
update-release-notes	Release notes automation	On release	✅ Good

---

🚀 Recommendations

P0 — Implement Immediately (High Impact, Low Effort)

1. 🔁 Codex Token Usage Analyzer + Optimizer

What: Create codex-token-usage-analyzer.md and codex-token-optimizer.md mirroring the existing Claude and Copilot equivalents.
Why: Claude and Copilot have full cost analysis chains; Codex (which runs 12h smoke tests) is missing. Unmonitored cost growth risk.
How: Copy claude-token-usage-analyzer.md and claude-token-optimizer.md, swap engine references to Codex/codex. The shared imports (shared/mcp/gh-aw.md, shared/reporting.md) are already compatible.
Effort: ~1h (pure copy-adapt)

# codex-token-usage-analyzer.md (key changes from claude version)
description: Daily Codex token usage analysis across agentic workflow runs
on:
  schedule: daily
  workflow_dispatch:
engine:
  id: codex

2. 🗓️ Schedule Secret Digger Workflows

What: Add schedule: weekly (or every 48h) trigger to secret-digger-copilot.md (primary), with Claude and Codex on alternate schedules.
Why: All 3 secret-digger workflows are workflow_dispatch only. The security-review.md reads the latest escape test result — if nobody runs it manually, the daily security review uses stale data. Automated regression catches new escape vectors introduced by code changes.
How: Add schedule: weekly to each secret-digger. Offset days to avoid simultaneous runs. Copilot: Monday, Claude: Wednesday, Codex: Friday.
Effort: ~15 min (add 1 line to each of 3 files + recompile)

3. 📅 Add Schedule to smoke-chroot

What: Add schedule: every 12h to smoke-chroot.md to match other smoke tests.
Why: Chroot is a critical security feature (host filesystem isolation). The other 4 smoke tests run every 12h for continuous validation; chroot only runs on PRs. A regression in chroot isolation could go undetected between PRs.
How: Add schedule: every 12h to the on: block.
Effort: ~5 min

---

P1 — Near-Term (High Impact, Medium Effort)

4. 😤 Grumpy Code Reviewer on PRs

What: Add a Grumpy Reviewer workflow (grumpy-reviewer.md) triggered on PRs, providing opinionated code review focusing on correctness, security, and maintainability.
Why: security-guard.md only reviews security-critical files. General code quality review is absent. For a security tool, code clarity directly affects security — confusing iptables logic is more likely to contain bypasses.
How: Use the Pelis Agent Factory Grumpy Reviewer pattern. Trigger on PR open/sync. Use skip-if-match to skip trivial PRs (docs-only).
Effort: ~2h
Example trigger:

on:
  pull_request:
    types: [opened, synchronize]
  skip-if-match:
    query: 'is:pr label:documentation'
    max: 1

5. 🔍 Daily Malicious Code Scan

What: Add malicious-code-scan.md that scans recent commits (last 24h) for suspicious patterns indicating supply chain attacks.
Why: This repo is a security tool used by AI agents — a supply chain compromise would be especially dangerous. The Pelis catalog explicitly provides this pattern. Current security-review.md does broad threat modeling but doesn't specifically look for injected malicious code patterns.
How: Daily schedule, scan git log last 24h, look for: base64-encoded payloads, DNS exfiltration patterns in shell scripts, unexpected binary files, obfuscated JS in containers, new outbound domains in Dockerfiles.
Effort: ~3h

6. 🤖 AI Moderator for Issues

What: Add ai-moderator.md to detect and handle spam, link-spam, and AI-generated noise in issues.
Why: Issue Monster assigns issues to Copilot — feeding it spam/noise wastes agent capacity and tokens. A pre-filter before assignment would improve issue quality and reduce costs.
How: Trigger on issues: [opened] before Issue Monster. Label spam issues and close/lock them. Issue Monster already has skip-if-no-match which can be tuned.
Effort: ~2h

7. 🏥 PR Fix Slash Command

What: Add /fix slash command (pr-fix.md) that analyzes failing CI checks on a PR and implements fixes.
Why: When build-test or smoke tests fail on a PR, maintainers currently investigate manually. A /fix command directly creates a fix commit.
How: Slash command trigger on PR comments. Read failing job logs via actions toolset. Implement fix and push.
Effort: ~4h

8. 🚀 CI Coach (Workflow Optimizer)

What: Add ci-coach.md that analyzes workflow run durations and costs, and suggests optimizations.
Why: There are 18 conventional CI workflows + 35 agentic ones. Some may have redundant steps or suboptimal scheduling. CI Doctor handles failures; CI Coach handles efficiency.
How: Weekly schedule. Use agentic-workflows MCP to fetch run metrics. Analyze job durations, parallelization opportunities, caching gaps.
Effort: ~3h

9. 📦 Dependabot PR Bundler

What: Add dependabot-bundler.md that batches compatible Dependabot PRs into a single PR.
Why: dependency-security-monitor.md creates issues for CVEs and proposes updates, but Dependabot still creates individual PRs. Bundling reduces review load significantly.
How: Weekly schedule. Use GitHub API to find open Dependabot PRs. Group by ecosystem (npm, Docker). Create bundle PR with combined changes.
Effort: ~4h

10. 🔒 VEX Generator

What: Add vex-generator.md that auto-generates OpenVEX statements for dismissed Dependabot alerts.
Why: This is a security tool used in enterprise environments. Machine-readable security assessments (VEX) demonstrate security rigor and provide audit trails for dismissed vulnerabilities. Aligns with the repo's security-first posture.
How: Trigger on Dependabot alert dismissal events (or weekly scan). Generate VEX JSON documents committed to a vex/ directory.
Effort: ~3h

---

P2 — Medium Priority

11. 🔬 Lean Squad (Formal Verification)

What: Progressively apply Lean 4 formal verification to security-critical components.
Why: The iptables rule ordering, domain pattern matching, and Squid ACL logic are pure functions with verifiable correctness properties. For a security firewall, formal proofs of "no bypass" are extremely valuable. This is unique to security-critical projects.
How: Start with src/domain-patterns.ts (pure functions), src/squid-config.ts (ACL generation). Use Lean Squad pattern from Pelis catalog.
Effort: High (ongoing)

12. 🔧 Q — Workflow Optimizer

What: Add the meta-workflow q.md that analyzes and optimizes the 35+ agentic workflows in this repo.
Why: With 35+ workflows, there's significant optimization potential: redundant GitHub API calls, unoptimized scheduling, missing skip-if-match guards, over-broad permissions.
How: Weekly run. Reads all .github/workflows/*.md files. Analyzes patterns, identifies inefficiencies, creates improvement issues.
Effort: ~3h

13. 📊 Weekly Issue Summary

What: Add weekly issue activity report with trend analysis.
Why: The firewall-issue-dispatcher tracks cross-repo issues, but there's no summary of overall issue health/trends for maintainers.
How: Weekly schedule. Aggregate issue stats, identify stale issues, flag growing backlogs.
Effort: ~2h

14. ✅ Contribution Guidelines Checker

What: Add contribution-check.md that reviews PRs against CONTRIBUTING.md.
Why: CONTRIBUTING.md exists but compliance is manual. Automated checking reduces review burden.
How: PR trigger. Compare PR against contribution guidelines. Comment if violations found.
Effort: ~2h

---

P3 — Nice to Have

15. 📊 Archie Diagram Command

What: /archie command generating Mermaid diagrams for issue/PR relationships.
Why: Cross-repo firewall issue tracking (firewall-issue-dispatcher) creates complex relationships that visual diagrams would clarify.
Effort: Low

16. 🗺️ Weekly Repository Map

What: Weekly ASCII tree visualization of repository structure and file size distribution.
Why: Useful for spotting unexpectedly large files (e.g., lock files, generated files) in a security tool where binary blobs are suspicious.
Effort: Low

---

📈 Maturity Assessment

Dimension	Current (1–5)	Target	Gap
Security automation	⭐⭐⭐⭐⭐ 5	5	None — exceptional
Test automation	⭐⭐⭐⭐ 4	5	Chroot scheduling; secret-digger scheduling
Code quality review	⭐⭐ 2	4	No general PR code reviewer
Cost observability	⭐⭐⭐⭐ 4	5	Codex token analyzer missing
Issue management	⭐⭐⭐⭐ 4	4.5	No AI Moderator
Release automation	⭐⭐⭐ 3	4	No VEX generator
Dependency management	⭐⭐⭐ 3	4	No Dependabot bundler
CI optimization	⭐⭐⭐ 3	4	No CI Coach
Cross-repo coordination	⭐⭐⭐⭐⭐ 5	5	Excellent (firewall-issue-dispatcher)
Overall	⭐⭐⭐⭐ 3.9	4.5	Close to top tier

---

🔄 Best Practice Comparison

What This Repo Does Exceptionally Well

• Multi-engine testing parity: Smoke tests + secret diggers + token analyzers across Claude, Copilot, and Codex
• Defense-in-depth automation: Security operates at 3 layers (PR guard → daily review → red team escape testing)
• Chained workflow_run triggers: Token analyzer → optimizer chain is a clean event-driven pattern
• Cross-repo automation: firewall-issue-dispatcher syncing issues from github/gh-aw is sophisticated and rare
• Shared imports: shared/mcp-pagination.md, shared/reporting.md, shared/mcp/gh-aw.md show good DRY practices
• Domain-specific automation: cli-flag-consistency-checker and test-coverage-improver target security-critical paths specifically

What Could Be Improved

• Secret Digger scheduling: The most important red team tests run manually only — they should be on a schedule to catch regressions automatically. The security-review.md reads the latest run, but only if someone remembers to run it.
• Issue quality pre-filtering: Issue Monster assigns any opened issue without a quality/spam filter — this wastes AI capacity
• General code review: Security review is thorough but code quality review is absent; for a security tool, these overlap
• Token cost parity: Codex generates tokens in 12h smoke tests but has no cost monitoring

---

📝 Notes

Cache-memory update attempted — write access to /tmp/gh-aw/cache-memory/ was denied in this environment (constraint of the runner sandbox). Patterns observed this run:

• Content hash: cef0ee71f7924ee29cc70f1d7da216f8e14efc782cdc2527e1cc107c4b524f3b
• 35 agentic workflow definitions found (+ 8 shared)
• 18 conventional CI/CD workflows
• Key gap: Codex token monitoring, secret-digger scheduling, general code review

Top 3 quick wins to implement this sprint:

1. Add schedule: weekly to secret-digger-copilot.md (15 min)
2. Add schedule: every 12h to smoke-chroot.md (5 min)
3. Create codex-token-usage-analyzer.md by copying Claude equivalent (1 hour)

Generated by Pelis Agent Factory Advisor · ● 604.6K · ◷

• expires on Apr 19, 2026, 9:44 PM UTC