Greptile Summary

Documentation-only PR adding a Secrets surface section to src/gateway/server-methods/AGENTS.md and a new src/channels/plugins/AGENTS.md (plus the required CLAUDE.md symlink) covering the pairing control-plane boundary. All code-level citations were verified against the actual source: pairing-store.ts:668-672, message-handler.ts:1444-1458, and the invariants described in both files match the live code. One minor precision issue exists in the gateway AGENTS.md where http-utils.ts:255 is cited as evidence for both the HTTP and WS shared-secret owner semantics, but that line resolves only to resolveOpenAiCompatibleHttpSenderIsOwner (the HTTP/OpenAI-compat path); the WS side needs its own anchor or clarified prose.

Confidence Score: 5/5

Safe to merge; documentation only, no code changes, all verified citations are accurate.

All three changed files are Markdown documentation. Every line-number reference that could be checked against source code was verified and correct. The single finding (http-utils.ts:255 citation precision) is P2 — a minor clarity improvement, not a blocker.

src/gateway/server-methods/AGENTS.md — the http-utils.ts:255 anchor could be more precise, but is not blocking.

This is a comment left during a code review.
Path: src/gateway/server-methods/AGENTS.md
Line: 17-19

Comment:
The line citation `http-utils.ts:255` resolves to `resolveOpenAiCompatibleHttpSenderIsOwner`, which specifically covers the OpenAI-compatible HTTP + `/tools/invoke` path. The claim that "the HTTP bearer-token surface and the WS shared-secret surface both map to `senderIsOwner: true` at … :255" is only half-supported by that citation — a reader going there won't see the WS shared-secret path. Tighten the description to match what the line actually shows, or add a second anchor for the WS side.

```suggestion
- The HTTP (OpenAI-compatible / `/tools/invoke`) bearer-token path maps to
  `senderIsOwner: true` at `src/gateway/http-utils.ts:255`
  (`resolveOpenAiCompatibleHttpSenderIsOwner`); the WS shared-secret surface
  carries the same semantics via a parallel path (documented as intentional in
  SECURITY.md). Device-token auth does _not_ get owner by
```

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "docs: add AGENTS.md for secrets and pair..." | Re-trigger Greptile}

Codex review: needs changes before merge.

Summary
The PR adds scoped AGENTS guidance for gateway secrets handlers and channel-plugin pairing/allowlist behavior, plus a CLAUDE.md symlink under src/channels/plugins.

Reproducibility: yes. for the review defects: compare the PR diff from the public GitHub diff URL with current main using nl and rg. Runtime reproduction is not applicable because this is a documentation-only PR.

Next step before merge
The remaining blockers are narrow mechanical docs corrections that an automated repair lane can safely attempt without changing runtime code.

Security
Cleared: The diff is Markdown plus a repository-local CLAUDE.md symlink and does not change executable code, dependencies, workflows, package metadata, secrets handling, or runtime permissions.

Review findings

• [P2] Update the HTTP owner-semantics source anchor — src/gateway/server-methods/AGENTS.md:18
• [P3] Point pairing storage at the channel helpers — src/channels/plugins/AGENTS.md:14
• [P3] Use the exported pairing approval symbol — src/channels/plugins/AGENTS.md:36

Thanks for writing these up — the secrets RPC surface and the channel-pairing shim are exactly the two zones where I've watched our deployments hit footguns that an in-tree AGENTS.md would have caught. I read the diff against current main and verified the citations; here are a few places where I think the wording could be tightened to match the source. None of these are blockers — happy to see this land.

1. http-utils.ts:255 only anchors the HTTP path, not the WS one (also flagged by Greptile)

In src/gateway/server-methods/AGENTS.md, the threat-model bullet currently reads:

The HTTP (OpenAI-compatible / /tools/invoke) bearer-token path maps to senderIsOwner: true at src/gateway/http-utils.ts:255 (resolveOpenAiCompatibleHttpSenderIsOwner); the WS shared-secret surface carries the same semantics via a parallel path...

:255 is resolveOpenAiCompatibleHttpSenderIsOwner, which is HTTP-only (used by openai-http.ts:541, openresponses-http.ts:460, tools-invoke-http.ts:228). The WS shared-secret = owner semantic is real and intentional (SECURITY.md lines 103, 106-110) but flows through a different anchor — the shared-auth scope assignment around src/gateway/server/ws-connection/message-handler.ts:1316-1317 plus the per-RPC re-check at 1502-1513. Splitting these two anchors would make the doc match the code one-to-one.

2. Device-token "does not get owner by default" could use an anchor

Same paragraph. The asymmetry is load-bearing, as the doc rightly says — pointing at the absence of senderIsOwner in the device-token WS path (or to the relevant SECURITY.md paragraph) would help a future reader confirm it without reverse-engineering.

3. The three fix/... branch names will go stale

The "Related incidents" section explicitly hedges that some of these may not be in main yet, which I appreciate — but in six months the branch names will be unrecoverable. Consider replacing them with PR numbers / merge SHAs once they land, or marking the section "(branch names pending merge — will be replaced with refs)" so future readers know the placeholder is intentional.

4. Small attributability nits

• (weight 24 historically) for the secrets → package co-mod edge — if that number is from the Architecture review: credential governance & undocumented coupling hotspots #71116 analysis, citing it (per #71116) would help.
• isKnownSecretTargetId lives in target-registry-query.ts and is re-exported via target-registry.ts. Citing the barrel is fine; just flagging in case you want the deeper anchor.
• Confirm #70239 resolves correctly when you next push.

One process suggestion

I see the PR picked up triage: blank-template and triage: low-signal-docs. The intro paragraph is genuinely substantive (the ghost-hotspot framing + tie to #71116), but the template's Summary bullets, Change Type (Docs), and Security Impact (all Nos, since this is pure docs) are still empty. Filling those in should clear both auto-labels and make the maintainer triage essentially a one-pass approve.

For what it's worth: I think this should land. The secrets/pairing zones are exactly where we've felt the lack of in-tree guidance, and the "silent failure shape" framing in particular is the kind of thing that pays for itself the next time someone is tempted to write a catch {} in a privilege-escalation path. Appreciate you doing this.

Mismarked my last comment — I'm not the PR author (that's @davidangularme), so I can't actually update the description from my side. Apologies for the confusion.

What I'd suggest, since the triage: low-signal-docs and triage: blank-template auto-labels look like the main thing standing in the way of human-maintainer attention:

@davidangularme — if you have a moment, filling in the PR body template (Summary bullets, Change Type = Docs, Security Impact = all No, Test Plan = N/A pure docs, Repro + Verification with the source-anchor verification done by clawsweeper) should clear both auto-labels. Happy to post a draft body you could paste in if helpful.

Substance-wise the doc itself reviews well (greptile gave 5/5, clawsweeper confirmed the citations against 9626ef274ae2); the inline review notes from greptile / chatgpt-codex-connector are mostly the http-utils.ts:255 citation precision issue (HTTP-only anchor; WS would need its own at message-handler.ts:1316-1317 and :1502-1513). Worth landing.

@mayank6136 The PR body has been updated with the full template, and the inline citations (HTTP vs WS and device-token race) were fixed in the latest commits. CI is green. Let me know if you need anything else to clear the triage labels!

The failing parity gate (thread-memory-isolation, scenario 8/12) is unrelated to this diff — this PR is pure Markdown + one symlink, no code changes. The same scenario fails on other PRs against main (job 73356314544). Happy to rebase once the gate is green on main, or this could be merged with a check bypass if maintainers prefer. Also: the triage: blank-template label may need a manual clear — the PR body was updated with the full template in the latest push.

Hi @steipete, @vincentkoc,

The CI failure in the Opus 4.6 parity gate is specifically failing on scenario 10 (approval-turn-tool-followthrough). As this PR is strictly limited to documentation changes (Markdown files and a symlink), this failure is clearly unrelated to the current diff and appears to be an upstream/environmental flake.

All documentation-specific checks are passing. Could you please take a look or consider a bypass for the parity gate?