Prepare THE-GEMSTONE for LAF-US (Unified Swarm) consolidation #65

Merged: loganfinney27 merged 2 commits into main from copilot/prepare-the-gemstone-for-laf-us-consolidation on Apr 12, 2026

Conversation

Contributor

Copilot AI commented Apr 11, 2026

Bootstraps THE-GEMSTONE into Logan's Unified Swarm (LAF-US / PROJECT HORIZON) by adding the standard agent instruction files and swarm-compatible automation that IDAHO-VAULT uses as the reference implementation.

Agent instruction files

  • AGENTS.md — root cross-tool pointer; auto-loaded by Codex CLI, Copilot, and Qodo; maps each agent to its branch prefix and editorial boundaries
  • .github/copilot-instructions.md — Copilot context: repo purpose, scope limits, swarm coordination model, directory structure
  • .claude/CLAUDE.md — Claude Code instructions: role ("The Abhorsen"), build/test commands, editorial boundaries

Swarm automation

  • .github/scripts/classify_paths.py — risk classifier for auto-PR: content/ → low-risk; quartz/, config, and workflow files → high-risk (fail-safe default)
  • .github/workflows/auto-pr.yml — auto-creates PRs when agents push to copilot/**, claude/**, codex/**, gemini/** branches; labels by risk tier (agent-review-pending vs. review-required)
  • .github/workflows/auto-merge.yml — extends existing Dependabot/chore handling to recognize the swarm-standard auto-merge label; gates on absence of review-required; bumps dependabot/fetch-metadata → v3, actions/github-script → v9

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • thegemstone.org
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title from "[WIP] Prepare The-Gemstone for LAF-US consolidation" to "Prepare THE-GEMSTONE for LAF-US (Unified Swarm) consolidation" on Apr 11, 2026
Copilot AI requested a review from loganfinney27 April 11, 2026 00:12
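
The fail-safe classification described above for .github/scripts/classify_paths.py, as an added example that is not the repository's script: only a clean relative path under content/ is low-risk, and everything else, including path traversal and an empty change list, is high-risk. The function names, the sample paths, the input format (repo-relative paths) and the mapping of the low tier to agent-review-pending are assumptions.

```python
from pathlib import PurePosixPath

# Assumption from the PR description: content/ is the only low-risk tree.
LOW_RISK_PREFIXES = ("content/",)
# Assumed mapping of tier to the two labels named in the PR description.
LABELS = {"low": "agent-review-pending", "high": "review-required"}


def classify_path(path: str) -> str:
    """Return 'low' only for a clean relative path under a low-risk prefix."""
    # Assumption: input is a repo-relative path with forward slashes.
    # Empty names, absolute paths and backslashes are treated as high-risk.
    if not path or path.startswith("/") or "\\" in path:
        return "high"
    parts = PurePosixPath(path).parts
    # PurePosixPath keeps '..' segments, so content/../.github/x is caught here.
    if ".." in parts:
        return "high"
    normalized = "/".join(parts)
    if normalized.startswith(LOW_RISK_PREFIXES):
        return "low"
    return "high"  # fail-safe default: anything unrecognized is high-risk


def classify_changes(paths: list[str]) -> tuple[str, str]:
    """A change set is low-risk only if it is non-empty and every path is low."""
    tiers = [classify_path(p) for p in paths]
    tier = "low" if tiers and all(t == "low" for t in tiers) else "high"
    return tier, LABELS[tier]


if __name__ == "__main__":
    # Constructed sample change sets, not taken from the repository.
    samples = [
        ["content/essays/intro.md"],
        ["content/essays/intro.md", "quartz.config.ts"],
        ["content/../.github/workflows/auto-merge.yml"],
        [],
    ]
    for changed in samples:
        print(changed, "->", classify_changes(changed))
```

One high-risk path is enough to put the whole change set in the review-required tier, so a content edit cannot carry a workflow change through the low-risk route.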
Member

@loganfinney27 loganfinney27 left a comment

This will eventually be folded into the LAF-PUBLIC repos

Member

@loganfinney27 loganfinney27 left a comment

Re-evaluate after looking at the loganfinney27.github.io repo

Contributor Author

Copilot AI commented Apr 11, 2026

> Re-evaluate after looking at the loganfinney27.github.io repo

Checked loganfinney27/loganfinney27.github.io — it's a bare placeholder with only a README.md and a boilerplate index.html. No agent files, workflows, or LAF-US infrastructure exists there. Nothing in that repo conflicts with or informs changes needed here. Happy to hold or adjust the PR if the consolidation plans shift.

Member

@loganfinney27 loganfinney27 left a comment

It was created during the quartz site setup...

@loganfinney27 loganfinney27 self-requested a review April 11, 2026 00:23
Member

@loganfinney27 loganfinney27 left a comment

This project deploys thegemstone.org site, right?

Contributor Author

Copilot AI commented Apr 11, 2026

> This project deploys thegemstone.org site, right?

Yes — quartz.config.ts sets baseUrl: "thegemstone.org", so this repo builds and deploys the thegemstone.org site.

@loganfinney27 loganfinney27 requested a review from Copilot April 11, 2026 00:53

Copilot AI left a comment

Pull request overview

Bootstraps THE-GEMSTONE into the “Unified Swarm” workflow by adding standard agent instruction files plus GitHub Actions automation to auto-create and (optionally) auto-merge agent-originated PRs with a path-based risk tier.

Changes:

  • Add cross-tool agent instruction files (AGENTS.md, .github/copilot-instructions.md, .claude/CLAUDE.md).
  • Add a risk classifier script (.github/scripts/classify_paths.py) used to label PRs as low/high risk.
  • Add/extend GitHub Actions workflows for auto-PR creation and label-gated auto-merge.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| AGENTS.md | Adds agent registry, coordination model, and repo boundaries. |
| .github/copilot-instructions.md | Adds Copilot-scoped operational boundaries and repo structure context. |
| .claude/CLAUDE.md | Adds Claude Code operational instructions and build/test commands. |
| .github/scripts/classify_paths.py | Implements fail-safe path-based risk tier classification for changed files. |
| .github/workflows/auto-pr.yml | Creates PRs automatically for agent branches and applies risk-tier labels. |
| .github/workflows/auto-merge.yml | Extends automerge to PRs labeled auto-merge (and retains Dependabot/chore handling). |

Comment thread AGENTS.md
Comment on lines +19 to +24
| Agent | Branch prefix | Role |
| -------------- | ------------- | ------------------------------------------------ |
| GitHub Copilot | `copilot/` | Inline editing, YAML/frontmatter, config changes |
| Claude Code | `claude/` | Structural work, automation, build pipeline |
| Codex | `codex/` | Code tasks, scripting |
| Gemini | `gemini/` | Research and content support |

Copilot AI Apr 11, 2026

The agent registry table is using double leading pipes (||) which renders an extra empty column in Markdown tables. Use a single leading pipe (|) for each row so the table renders correctly across viewers.

runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write

Copilot AI Apr 11, 2026

This workflow creates repo labels via gh label create, which requires the issues: write permission for the GITHUB_TOKEN. With only contents and pull-requests permissions, label creation will 403 and later PR creation with --label can fail.

Suggested change
pull-requests: write
pull-requests: write
issues: write

Comment on lines +6 to +12
- "claude/**"
- "codex/**"
- "gemini/**"
- "copilot/**"
- "perplexity/**"
- "grok/**"
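
Review bot: the patterns on lines +6 to +12 match on branch name only, and a branch name is chosen by whoever pushes, so a push to copilot/** or grok/** says nothing about which agent or person made it. Any step that labels or merges on the strength of the prefix should also check the pushing actor (github.actor) against the documented agent accounts, and the list should be limited to prefixes that are registered in AGENTS.md.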

Copilot AI Apr 11, 2026

The workflow listens for perplexity/** and grok/** branches, but these agents are not listed in AGENTS.md and aren’t mentioned in the PR description. Either add them to the agent registry/boundaries or remove these branch patterns to keep automation aligned with the documented swarm model.

Comment on lines +109 to +115
gh pr create \
--title "$TITLE" \
--body "$BODY" \
--base main \
--head "$BRANCH" \
--label "$LABEL" 2>&1 || true

Copilot AI Apr 11, 2026

gh pr create is followed by || true, so PR creation failures (missing labels, auth issues, API errors) will be silently ignored. This can leave the branch with no PR while the workflow still reports success in the step summary; consider failing the job on create errors or at least capturing and checking the command exit status/output.

Suggested change
gh pr create \
--title "$TITLE" \
--body "$BODY" \
--base main \
--head "$BRANCH" \
--label "$LABEL" 2>&1 || true
if ! PR_CREATE_OUTPUT=$(gh pr create \
--title "$TITLE" \
--body "$BODY" \
--base main \
--head "$BRANCH" \
--label "$LABEL" 2>&1); then
echo "Failed to create PR for branch $BRANCH" >&2
echo "$PR_CREATE_OUTPUT" >&2
{
echo "### Auto PR creation failed"
echo
echo '```'
echo "$PR_CREATE_OUTPUT"
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
exit 1
fi
echo "$PR_CREATE_OUTPUT"
{
echo "### Auto PR created"
echo
echo "$PR_CREATE_OUTPUT"
} >> "$GITHUB_STEP_SUMMARY"

@@ -8,6 +8,9 @@ on:
- synchronize
- ready_for_review
- labeled

Copilot AI Apr 11, 2026

This workflow is configured to run on both pull_request and pull_request_target for the labeled event. That typically results in duplicate runs when a label is applied, and the pull_request run may not have sufficient token permissions for forks. Consider running label-based automerge only on pull_request_target (or gate label-automerge with github.event_name == 'pull_request_target').

Suggested change
- labeled

Comment on lines +67 to +69
- name: Checkout repository
uses: actions/checkout@v6
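
Review bot: "uses: actions/checkout@v6" references a mutable tag, so the code this step runs can change without any change in this repository. Pin the action to a full commit SHA with the tag kept in a trailing comment, and if the checkout stays in a job that runs on pull_request_target, leave ref at its default so the job never checks out the pull request head.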

Copilot AI Apr 11, 2026

label-automerge checks out the repository but doesn’t use the working tree; it only calls gh pr merge. Removing the checkout will reduce runtime and avoid unnecessary repository access in a pull_request_target context.

Suggested change
- name: Checkout repository
uses: actions/checkout@v6

@loganfinney27 loganfinney27 marked this pull request as ready for review April 11, 2026 16:37

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 90bd36d813

Comment on lines +11 to +13
pull_request_target:
types:
- labeled
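
Review bot: pull_request_target with "types: - labeled" runs in the base repository's context, including for pull requests opened from forks, so on this trigger a label is the only gate in front of a privileged job. Add a job-level condition that rejects fork heads (github.event.pull_request.head.repo.full_name == github.repository) or that verifies the permission of github.event.sender before any privileged step runs.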

P1: Restrict privileged automerge trigger to trusted actors

Adding the pull_request_target labeled trigger here makes label-automerge run with base-repo privileges on fork PRs, but the job’s authorization is only label-based (auto-merge/chore and no review-required). In repositories that grant triage-style access (can apply labels but cannot merge), this can let non-writers cause gh pr merge --auto to run on their own PRs, effectively bypassing intended merge-permission boundaries; gate by trusted actors/roles or avoid pull_request_target for merge actions.

--body "$BODY" \
--base main \
--head "$BRANCH" \
--label "$LABEL" 2>&1 || true

P2: Remove blanket success on PR creation failures

The gh pr create command is forced to succeed with || true, so API/auth/validation failures are silently ignored and the workflow still reports success even when no PR is created. This breaks the core automation path (agent pushes may never open a PR) and makes the failure hard to detect; handle expected errors explicitly and fail the step for unexpected ones.

@loganfinney27 loganfinney27 merged commit 1c9ac51 into main Apr 12, 2026
16 checks passed
@loganfinney27 loganfinney27 deleted the copilot/prepare-the-gemstone-for-laf-us-consolidation branch April 12, 2026 16:55