feat: update-work-item safe output

[jamesadevine]

Summary

Add an update-work-item safe output that allows agents to update fields on existing Azure DevOps work items.

ADO API

PATCH /_apis/wit/workitems/{id}?api-version=7.1

Agent Parameters

• id (required) — Work item ID to update
• fields (required) — Map of field names to new values (e.g., state, assignee, tags, priority, title, description, custom fields, iteration/area path)

Front Matter Configuration (safe-outputs.update-work-item)

• allowed-fields — Restrict which fields can be modified (e.g., only allow System.State, System.AssignedTo)
• allowed-states — Restrict which state transitions are permitted
• allowed-work-item-types — Restrict which work item types can be updated
• tags — Tags to add alongside agent-specified updates

Use Cases

• Triage agents updating work item state/priority
• Assignment agents setting AssignedTo
• Sprint planning agents moving items between iterations
• Agents closing work items they've resolved

Security Considerations

• Field allow-list prevents agents from modifying sensitive fields (e.g., area path, custom admin fields)
• State transition constraints prevent skipping approval flows
• Work item ID must reference an existing item in the configured project
• Standard IS-10 text sanitization on all text values

Priority

Tier 1 — High value, common agent pattern

[jamesadevine]

#65