Hack23
diff --git a/‎.github/aw/SHARED_PROMPT_PATTERNS.md‎
Lines changed: 19 additions & 12 deletions b/‎.github/aw/SHARED_PROMPT_PATTERNS.md‎
Lines changed: 19 additions & 12 deletions
diff --git a/‎.github/aw/actions-lock.json‎
Lines changed: 6 additions & 6 deletions b/‎.github/aw/actions-lock.json‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎.github/workflows/agentics-maintenance.yml‎
Lines changed: 104 additions & 15 deletions b/‎.github/workflows/agentics-maintenance.yml‎
Lines changed: 104 additions & 15 deletions
@@ -71,12 +71,15 @@ TOTAL_READ_BYTES=0
 TOTAL_ONDISK_BYTES=0
 while read -r f; do
   if [ -f "$f" ]; then
-    FSIZE=$(wc -c < "$f" | tr -d ' ')
+    # AWF-safe: no $(...) command substitution — use tempfile + read redirection, then clean up.
+    wc -c < "$f" | tr -d ' ' > /tmp/fsize-$$.txt
+    read FSIZE < /tmp/fsize-$$.txt
+    rm -f /tmp/fsize-$$.txt
     TOTAL_ONDISK_BYTES=$((TOTAL_ONDISK_BYTES + FSIZE))
-    echo "--- BEGIN ANALYSIS FILE: $f (size: ${FSIZE} bytes) ---"
+    echo "--- BEGIN ANALYSIS FILE: $f (size: $FSIZE bytes) ---"
     if [ "$FSIZE" -gt "$MAX_FILE_BYTES" ]; then
       # Extremely rare — emit the full file but warn.
-      echo "⚠️  File exceeds ${MAX_FILE_BYTES}-byte soft cap; emitting in full regardless (§P0-5)."
+      echo "⚠️  File exceeds $MAX_FILE_BYTES-byte soft cap; emitting in full regardless (§P0-5)."
     fi
     cat "$f"
     TOTAL_READ_BYTES=$((TOTAL_READ_BYTES + FSIZE))
@@ -497,7 +500,7 @@ if [ "$IS_TIER_C" = "1" ]; then
     monthly-review*)      MULT_NUM=15; MULT_DEN=10 ;;  # 1.5×
     *)                    MULT_NUM=10; MULT_DEN=10 ;;  # fallback baseline
   esac
-  echo "📐 Period-scope multiplier for '$ANALYSIS_SUBFOLDER': ${MULT_NUM}/${MULT_DEN}"
+  echo "📐 Period-scope multiplier for '$ANALYSIS_SUBFOLDER': $MULT_NUM/$MULT_DEN"
 
   declare -A TIER_C_BASE_SIZES=(
     ["README.md"]=3000
@@ -513,9 +516,12 @@ if [ "$IS_TIER_C" = "1" ]; then
       echo "🔴 MISSING Tier-C: $REQUIRED_FILE — Tier-C workflow MUST CREATE"
       TIER_C_MISSING=$((TIER_C_MISSING + 1))
     else
-      FSIZE=$(wc -c < "$ANALYSIS_DIR/$REQUIRED_FILE")
+      # AWF-safe: no $(...) command substitution — use tempfile + read redirection, then clean up.
+      wc -c < "$ANALYSIS_DIR/$REQUIRED_FILE" | tr -d ' ' > /tmp/fsize-$$.txt
+      read FSIZE < /tmp/fsize-$$.txt
+      rm -f /tmp/fsize-$$.txt
       if [ "$FSIZE" -lt "$MIN_SIZE" ]; then
-        echo "🔴 UNDERSIZED Tier-C: $REQUIRED_FILE ($FSIZE bytes < $MIN_SIZE scaled minimum — base $BASE_SIZE × ${MULT_NUM}/${MULT_DEN}) — MUST ENRICH"
+        echo "🔴 UNDERSIZED Tier-C: $REQUIRED_FILE ($FSIZE bytes < $MIN_SIZE scaled minimum — base $BASE_SIZE × $MULT_NUM/$MULT_DEN) — MUST ENRICH"
         TIER_C_MISSING=$((TIER_C_MISSING + 1))
       else
         echo "✅ OK Tier-C: $REQUIRED_FILE ($FSIZE bytes ≥ $MIN_SIZE scaled minimum)"
@@ -2663,9 +2669,10 @@ Then call the health gate:
 > 🚨 **UNIVERSAL SAFE OUTPUT RULES — ALL WORKFLOWS MUST FOLLOW:**
 >
 > 1. **Call `safeoutputs___create_pull_request` as EARLY as possible** — the moment you have committed files. The safeoutputs MCP session has a finite lifetime. Successful runs call it by minute ~25. Failed runs that delayed past minute 40 got "session not found" and lost all work.
-> 2. **NEVER call `safeoutputs___noop` when artifacts exist.** Noop means "I did nothing." If you created files, you DID something and MUST create a PR. Partial work in a PR is infinitely better than lost work via noop.
-> 3. **At HARD DEADLINE**: If ANY files were created → `safeoutputs___create_pull_request`. ONLY noop if truly ZERO files were created.
-> 4. **Architecture reminder**: `safeoutputs___create_pull_request` records your intent. A separate `safe_outputs` job executes the PR creation AFTER the agent job ends. If the MCP session expires before you record the intent, the `safe_outputs` job is SKIPPED and all work is lost.
+> 2. **Heartbeat PR to keep the safeoutputs session alive (`max: 2+`)** — the Streamable-HTTP safeoutputs MCP session has a ~30–35 min idle lifetime (observed in PR #1835 and run #24672037751). Every `safeoutputs___create_pull_request` call **resets the session idle timer**. If the workflow sets `create-pull-request.max: 2` or higher, call the tool once at minute ~22–25 as a **heartbeat PR** capturing work-in-progress (partial analysis + first article draft), then call it again at minute 40–45 with the polished final output. Each call creates a separate PR on a separate branch; the final PR supersedes the heartbeat. This pattern was proven in `news-translate` (`max: 5`, zero session expiries across 55-minute runs) and `news-realtime-monitor` (`max: 3`). **Single-PR workflows (`max: 1`) that delay their only call past minute 35 WILL lose all work to session expiry.**
+> 3. **NEVER call `safeoutputs___noop` when artifacts exist.** Noop means "I did nothing." If you created files, you DID something and MUST create a PR. Partial work in a PR is infinitely better than lost work via noop.
+> 4. **At HARD DEADLINE**: If ANY files were created → `safeoutputs___create_pull_request`. ONLY noop if truly ZERO files were created.
+> 5. **Architecture reminder**: `safeoutputs___create_pull_request` records your intent. A separate `safe_outputs` job executes the PR creation AFTER the agent job ends. If the MCP session expires before you record the intent, the `safe_outputs` job is SKIPPED and all work is lost.
 
 ### Layer 3: MCP Gateway Diagnostics (run when tools fail)
 
@@ -2932,9 +2939,9 @@ echo "=== 🔍 Analysis Enrichment Verification Gate ==="
 for f in "$ANALYSIS_DIR"/*.md; do
   [ ! -f "$f" ] && continue
   # Skip the factual data-download-manifest.md — its script marker is expected and not a stub
-  FBASE=$(basename "$f")
-  case "$FBASE" in
-    data-download-manifest.md) echo "⏭️  SKIP (factual manifest): $f"; continue ;;
+  # AWF-safe: use `$f` path-pattern tests instead of $(basename "$f")
+  case "$f" in
+    */data-download-manifest.md) echo "⏭️  SKIP (factual manifest): $f"; continue ;;
   esac
   # Match the legacy `pre-article-analysis script` marker present in historical stub files.
   # The current download script writes only the factual `data-download-manifest.md` (skipped above),
 
@@ -40,15 +40,15 @@
       "version": "v7.0.1",
       "sha": "043fb46d1a93c77aae656e7c1c64a875d1fc6a0a"
     },
-    "github/gh-aw-actions/setup-cli@v0.68.7": {
+    "github/gh-aw-actions/setup-cli@v0.69.0": {
       "repo": "github/gh-aw-actions/setup-cli",
-      "version": "v0.68.7",
-      "sha": "f52802884d655622f0a2dfd6d6a2250983c95523"
+      "version": "v0.69.0",
+      "sha": "81b86c58b134601fc10d4745e276d7861cd12911"
     },
-    "github/gh-aw-actions/setup@v0.68.7": {
+    "github/gh-aw-actions/setup@v0.69.0": {
       "repo": "github/gh-aw-actions/setup",
-      "version": "v0.68.7",
-      "sha": "f52802884d655622f0a2dfd6d6a2250983c95523"
+      "version": "v0.69.0",
+      "sha": "81b86c58b134601fc10d4745e276d7861cd12911"
     },
     "github/gh-aw/actions/setup@v0.43.18": {
       "repo": "github/gh-aw/actions/setup",
 
@@ -12,7 +12,7 @@
 # \  /\  / (_) | | | | ( | | | | (_) \ V  V /\__ \
 #  \/  \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/
 #
-# This file was automatically generated by pkg/workflow/maintenance_workflow.go (v0.68.7). DO NOT EDIT.
+# This file was automatically generated by pkg/workflow/maintenance_workflow.go (v0.69.0). DO NOT EDIT.
 #
 # To regenerate this workflow, run:
 #   gh aw compile
@@ -50,6 +50,8 @@ on:
           - 'upgrade'
           - 'safe_outputs'
           - 'create_labels'
+          - 'activity_report'
+          - 'close_agentic_workflows_issues'
           - 'clean_cache_memories'
           - 'validate'
       run_url:
@@ -60,7 +62,7 @@ on:
   workflow_call:
     inputs:
       operation:
-        description: 'Optional maintenance operation to run (disable, enable, update, upgrade, safe_outputs, create_labels, clean_cache_memories, validate)'
+        description: 'Optional maintenance operation to run (disable, enable, update, upgrade, safe_outputs, create_labels, activity_report, close_agentic_workflows_issues, clean_cache_memories, validate)'
         required: false
         type: string
         default: ''
@@ -89,7 +91,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Setup Scripts
-        uses: github/gh-aw-actions/setup@f52802884d655622f0a2dfd6d6a2250983c95523 # v0.68.7
+        uses: github/gh-aw-actions/setup@81b86c58b134601fc10d4745e276d7861cd12911 # v0.69.0
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
 
@@ -127,7 +129,7 @@ jobs:
       actions: write
     steps:
       - name: Setup Scripts
-        uses: github/gh-aw-actions/setup@f52802884d655622f0a2dfd6d6a2250983c95523 # v0.68.7
+        uses: github/gh-aw-actions/setup@81b86c58b134601fc10d4745e276d7861cd12911 # v0.69.0
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
 
@@ -141,7 +143,7 @@ jobs:
             await main();
 
   run_operation:
-    if: ${{ (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call') && inputs.operation != '' && inputs.operation != 'safe_outputs' && inputs.operation != 'create_labels' && inputs.operation != 'clean_cache_memories' && inputs.operation != 'validate' && (!(github.event.repository.fork)) }}
+    if: ${{ (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call') && inputs.operation != '' && inputs.operation != 'safe_outputs' && inputs.operation != 'create_labels' && inputs.operation != 'activity_report' && inputs.operation != 'close_agentic_workflows_issues' && inputs.operation != 'clean_cache_memories' && inputs.operation != 'validate' && (!(github.event.repository.fork)) }}
     runs-on: ubuntu-slim
     permissions:
       actions: write
@@ -156,7 +158,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Scripts
-        uses: github/gh-aw-actions/setup@f52802884d655622f0a2dfd6d6a2250983c95523 # v0.68.7
+        uses: github/gh-aw-actions/setup@81b86c58b134601fc10d4745e276d7861cd12911 # v0.69.0
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
 
@@ -171,9 +173,9 @@ jobs:
             await main();
 
       - name: Install gh-aw
-        uses: github/gh-aw-actions/setup-cli@f52802884d655622f0a2dfd6d6a2250983c95523 # v0.68.7
+        uses: github/gh-aw-actions/setup-cli@81b86c58b134601fc10d4745e276d7861cd12911 # v0.69.0
         with:
-          version: v0.68.7
+          version: v0.69.0
 
       - name: Run operation
         uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
@@ -213,7 +215,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Scripts
-        uses: github/gh-aw-actions/setup@f52802884d655622f0a2dfd6d6a2250983c95523 # v0.68.7
+        uses: github/gh-aw-actions/setup@81b86c58b134601fc10d4745e276d7861cd12911 # v0.69.0
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
 
@@ -257,7 +259,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Scripts
-        uses: github/gh-aw-actions/setup@f52802884d655622f0a2dfd6d6a2250983c95523 # v0.68.7
+        uses: github/gh-aw-actions/setup@81b86c58b134601fc10d4745e276d7861cd12911 # v0.69.0
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
 
@@ -272,9 +274,9 @@ jobs:
             await main();
 
       - name: Install gh-aw
-        uses: github/gh-aw-actions/setup-cli@f52802884d655622f0a2dfd6d6a2250983c95523 # v0.68.7
+        uses: github/gh-aw-actions/setup-cli@81b86c58b134601fc10d4745e276d7861cd12911 # v0.69.0
         with:
-          version: v0.68.7
+          version: v0.69.0
 
       - name: Create missing labels
         uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
@@ -288,6 +290,93 @@ jobs:
             const { main } = require('${{ runner.temp }}/gh-aw/actions/create_labels.cjs');
             await main();
 
+  activity_report:
+    if: ${{ (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call') && inputs.operation == 'activity_report' && (!(github.event.repository.fork)) }}
+    runs-on: ubuntu-slim
+    timeout-minutes: 120
+    permissions:
+      actions: read
+      contents: read
+      issues: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Scripts
+        uses: github/gh-aw-actions/setup@81b86c58b134601fc10d4745e276d7861cd12911 # v0.69.0
+        with:
+          destination: ${{ runner.temp }}/gh-aw/actions
+
+      - name: Check admin/maintainer permissions
+        uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+            setupGlobals(core, github, context, exec, io, getOctokit);
+            const { main } = require('${{ runner.temp }}/gh-aw/actions/check_team_member.cjs');
+            await main();
+
+      - name: Install gh-aw
+        uses: github/gh-aw-actions/setup-cli@81b86c58b134601fc10d4745e276d7861cd12911 # v0.69.0
+        with:
+          version: v0.69.0
+
+      - name: Cache activity report logs
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        with:
+          path: ./.cache/gh-aw/activity-report-logs
+          key: ${{ runner.os }}-activity-report-logs-${{ github.repository }}-${{ github.ref_name }}-${{ github.run_id }}
+          restore-keys: |
+            ${{ runner.os }}-activity-report-logs-${{ github.repository }}-
+            ${{ runner.os }}-activity-report-logs-
+      - name: Generate agentic workflow activity report
+        uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_AW_CMD_PREFIX: gh aw
+          GH_AW_ACTIVITY_REPORT_OUTPUT_DIR: ./.cache/gh-aw/activity-report-logs
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+            setupGlobals(core, github, context, exec, io, getOctokit);
+            const { main } = require('${{ runner.temp }}/gh-aw/actions/run_activity_report.cjs');
+            await main();
+
+  close_agentic_workflows_issues:
+    if: ${{ (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call') && inputs.operation == 'close_agentic_workflows_issues' && (!(github.event.repository.fork)) }}
+    runs-on: ubuntu-slim
+    permissions:
+      issues: write
+    steps:
+      - name: Setup Scripts
+        uses: github/gh-aw-actions/setup@81b86c58b134601fc10d4745e276d7861cd12911 # v0.69.0
+        with:
+          destination: ${{ runner.temp }}/gh-aw/actions
+
+      - name: Check admin/maintainer permissions
+        uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+            setupGlobals(core, github, context, exec, io, getOctokit);
+            const { main } = require('${{ runner.temp }}/gh-aw/actions/check_team_member.cjs');
+            await main();
+
+      - name: Close no-repro agentic-workflows issues
+        uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+            setupGlobals(core, github, context, exec, io, getOctokit);
+            const { main } = require('${{ runner.temp }}/gh-aw/actions/close_agentic_workflows_issues.cjs');
+            await main();
+
   validate_workflows:
     if: ${{ (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call') && inputs.operation == 'validate' && (!(github.event.repository.fork)) }}
     runs-on: ubuntu-latest
@@ -301,7 +390,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Scripts
-        uses: github/gh-aw-actions/setup@f52802884d655622f0a2dfd6d6a2250983c95523 # v0.68.7
+        uses: github/gh-aw-actions/setup@81b86c58b134601fc10d4745e276d7861cd12911 # v0.69.0
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
 
@@ -316,9 +405,9 @@ jobs:
             await main();
 
       - name: Install gh-aw
-        uses: github/gh-aw-actions/setup-cli@f52802884d655622f0a2dfd6d6a2250983c95523 # v0.68.7
+        uses: github/gh-aw-actions/setup-cli@81b86c58b134601fc10d4745e276d7861cd12911 # v0.69.0
         with:
-          version: v0.68.7
+          version: v0.69.0
 
       - name: Validate workflows and file issue on findings
         uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9