[Pelis Agent Factory Advisor] Pelis Agent Factory Advisor - Agentic Workflow Analysis (March 2026)

[github-actions[bot]]

📊 Executive Summary

gh-aw-firewall is an exceptionally mature agentic repository — one of the most automated in the GitHub ecosystem — with 21 active agentic workflows spanning security, CI, docs, testing, and more. The core security and operational gaps are well covered. The primary remaining opportunities are in continuous code quality (code simplifier, duplicate detection), meta-monitoring (workflow health manager), reactive ChatOps (pr-fix slash command), and a few domain-specific workflows tailored to its unique role as a security firewall tool.

---

🎓 Patterns Learned from Pelis Agent Factory

From the Documentation Site

The Pelis Agent Factory blog series (19 parts) documents 100+ workflows across these categories, with key lessons:

Pattern	Key Insight
Specialization	Focused workflows outperform monolithic agents — many small agents doing targeted tasks
Continuous quality	Code quality isn't a destination — daily simplifier + refactoring agents prevent debt accumulation
Meta-monitoring	"Who watches the watchers?" — Workflow Health Manager monitors all other workflows
Multi-phase improvers	Cache memory enables multi-day projects (daily-perf-improver runs in 3 phases across days)
Trust but verify	Testing workflows run continuously, not just at deployment
Incremental beats heroic	Daily Backlog Burner works through 1 issue/day, consistently, without fatigue
Causal chain metrics	Workflows create issues that trigger Copilot agents, which create PRs — the chain compounds value

From the githubnext/agentics Reference Repository

The agentics repo contains reference implementations including daily-test-improver, daily-backlog-burner, daily-perf-improver, daily-qa, pr-fix, and daily-accessibility-review — all directly adaptable.

How This Repo Compares

This repo already applies most of the factory's security, testing, and documentation patterns. The main gaps are in code quality automation and advanced orchestration (meta-monitoring, issue organization, ChatOps).

---

📋 Current Agentic Workflow Inventory

Workflow	Purpose	Trigger	Assessment
build-test	Runs tests on PRs via Copilot agent	PR	✅ Well-configured
ci-cd-gaps-assessment	Identifies CI/CD coverage gaps	Daily	✅ Good hygiene
ci-doctor	Investigates CI failures, creates issues	workflow_run fail	✅ Excellent — core pattern
cli-flag-consistency-checker	CLI docs vs implementation drift	Weekly	✅ Tailored to repo
dependency-security-monitor	CVE monitoring, proposes updates	Daily	✅ Strong
doc-maintainer	Syncs docs with code changes	Daily	✅ Comprehensive
issue-duplication-detector	Detects duplicate issues with cache	issue.opened	✅ Smart use of cache-memory
issue-monster	Dispatches issues to Copilot coding agent	issue.opened + 1h	✅ Core orchestrator
pelis-agent-factory-advisor	This workflow!	Daily	✅ Meta-awareness
plan	/plan slash command for task breakdown	Slash command	✅ Good ChatOps
secret-digger-claude/codex/copilot	Red team secret scanning (3 engines)	Hourly	✅ Excellent — multi-engine
security-guard	PR security review (Claude)	PR	✅ Domain-critical
security-review	Daily comprehensive threat modeling	Daily	✅ Thorough
smoke-claude/codex/copilot	End-to-end firewall smoke tests	PR + 12h	✅ Critical validation
smoke-chroot	Chroot mode smoke test	PR	✅ Targeted
test-coverage-improver	Security-focused test coverage PRs	Weekly	✅ Security-tailored
update-release-notes	Enriches release notes with diffs	Release published	✅ Automated

---

🚀 Actionable Recommendations

P0 — Implement Immediately

---

🏷️ Issue Triage Agent

What: Automatically label new issues (bug, feature, documentation, question, etc.) and leave a comment explaining the label and how the issue might be addressed.

Why: With issue-monster dispatching every issue to Copilot agents, unlabeled issues make prioritization and filtering impossible. This is the "hello world" of agentic workflows with immediate, measurable value. The factory's triage agent achieves near-100% accuracy in practice.

How: Simple workflow on issue.opened — reads issue title/body, searches codebase context, applies a label from a defined allowlist, adds comment.

Effort: Low (~20 lines of workflow markdown)

Example:

---
on:
  issue:
    types: [opened, reopened]
permissions:
  issues: read
tools:
  github:
    toolsets: [issues, labels]
safe-outputs:
  add-labels:
    allowed: [bug, feature, enhancement, documentation, question, help-wanted, good-first-issue, security]
  add-comment: {}
timeout-minutes: 5
---
# Issue Triage Agent
List open issues in $\{\{ github.repository }} with no labels. For each unlabeled issue, analyze the title and body in context of this **security firewall tool**...

---

🔧 PR Fix Slash Command

What: A /pr-fix slash command that, when posted on a PR with failing CI, investigates the failures and attempts to fix them by pushing commits.

Why: This repo has 21 workflows monitored by ci-doctor, but when CI fails on a PR, developers still have to manually investigate and fix. The factory's pr-fix command delegates this tedious work entirely — the agent reads logs, identifies root cause, and pushes a fix. Given the complex CI pipeline here (smoke tests, integration tests, TypeScript builds), this saves significant developer time.

How: Add pr-fix workflow from githubnext/agentics and customize for this repo's TypeScript + Docker build patterns.

Effort: Low — direct adaptation of reference workflow

Add with: gh aw add-wizard githubnext/agentics/workflows/pr-fix.md

---

P1 — Plan for Near-Term

---

🚨 Breaking Change Checker

What: A PR-triggered workflow that detects backward-incompatible changes to the CLI interface (src/cli.ts), public API, Docker Compose schema, or configuration format.

Why: This is a security-critical tool used in production workflows. A breaking CLI change (renamed flag, changed behavior) can silently break users' CI pipelines. The factory's Breaking Change Checker flags these before merge. Particularly important for: CLI flag renames, changes to WrapperConfig types, Docker image tag behavior changes, and environment variable removals.

How: On PR open/sync — compare CLI flags, exported types, and config format against main branch. Create issue with [breaking-change] label if incompatible changes detected.

Effort: Medium (~2-3 hours)

---

🏥 Workflow Health Manager

What: A meta-workflow that monitors all 21 other agentic workflows — checks if they're running, succeeding, producing outputs, and flags anomalies. Creates issues for unhealthy workflows.

Why: With 21 agentic workflows, some inevitably silently fail or stop running (permission changes, API deprecations, quota limits). Currently there's no visibility into "which of my 21 agents is broken?" The factory's Workflow Health Manager has created 40 issues, with 25 leading to 34 PRs. Given the secret-diggers run hourly and smoke tests run every 12 hours, silent failures have high blast radius.

How: Daily scheduled workflow using actions toolset — query recent workflow runs, identify failures or missing runs, create diagnostic issues.

Effort: Medium (~3 hours)

Add with: gh aw add-wizard https://github.com/github/gh-aw/blob/v0.45.5/.github/workflows/workflow-health-manager.md

---

🧹 Automatic Code Simplifier

What: Daily workflow that analyzes recently modified TypeScript files for complexity — nested conditionals, repeated patterns, verbose error handling — and creates PRs with simplifications.

Why: This is an actively developed TypeScript codebase (~2000+ lines in src/). With rapid development of security features, code complexity accumulates. The factory's Code Simplifier has an 83% PR merge rate. The firewall codebase in particular has complex docker-manager.ts (~1000+ lines) that could benefit from continuous simplification. This also makes security review easier — simpler code is more auditable.

How: Daily scheduled on recently modified .ts files, creates PRs with [simplify] prefix.

Effort: Medium (~2 hours)

Add with: gh aw add-wizard https://github.com/github/gh-aw/blob/v0.45.5/.github/workflows/code-simplifier.md

---

P2 — Consider for Roadmap

---

🦠 Daily Malicious Code Scan

What: Daily review of recent code changes (past 24h) for suspicious patterns — unusual network calls, credential harvesting patterns, obfuscated code, or supply chain attack indicators.

Why: As a security tool that runs in Docker containers with network access, this repo is a high-value target for supply chain attacks. The factory's malicious code scan provides an additional defense layer beyond CodeQL and container scanning. Particularly important for: containers/agent/ scripts, setup-iptables.sh, entrypoint scripts, and dependency updates.

Effort: Medium

Add with: gh aw add-wizard https://github.com/github/gh-aw/blob/v0.45.5/.github/workflows/daily-malicious-code-scan.md

---

📐 Schema/Type Consistency Checker

What: Weekly workflow that checks for drift between src/types.ts (WrapperConfig), CLI flags in src/cli.ts, documentation in docs/, and the Astro docs site reference.

Why: WrapperConfig is the central type with ~50+ fields. When new CLI flags are added, the type, CLI parser, documentation, and docs-site reference often drift. The factory's Schema Consistency Checker has created 55 analysis discussions identifying this kind of drift. This repo already has cli-flag-consistency-checker but a type-focused schema checker would complement it for the WrapperConfig ↔ docs → docs-site chain.

Effort: Medium (could extend cli-flag-consistency-checker)

---

⚡ CI Coach

What: Periodic analysis of CI pipeline performance — identifies slow tests, redundant steps, opportunities to parallelize, and suggests optimizations.

Why: This repo has 21 agentic workflows + 10+ traditional workflows, some with complex Docker builds. The smoke tests spin up Docker containers and take significant time. The factory's CI Coach has 100% PR merge rate on 9 proposals, including removing unnecessary dependencies and fixing duplicate test execution.

Effort: Medium

Add with: gh aw add-wizard https://github.com/github/gh-aw/blob/v0.45.5/.github/workflows/ci-coach.md

---

🔥 Daily Firewall Self-Test

What: Domain-specific workflow that runs awf against itself daily — tests that the firewall correctly blocks unauthorized domains, allows whitelisted ones, reports accurate Squid logs, and that the smoke tests themselves are passing consistently.

Why: Unique to this repo: awf is the tool being tested, and the repo itself runs awf in smoke tests. A dedicated daily self-test workflow would create a discussion with a "firewall health report" — summarizing daily smoke test results, flagging anomalies, tracking regression trends over time. The gh-aw repo itself has a Firewall workflow that creates 59 daily firewall report discussions for this exact purpose.

Effort: Medium-High (domain-specific, requires awf execution)

---

📦 Changeset/Version Automation

What: Automated changelog entry generation and version bump PRs after each set of merged PRs, replacing manual version decisions with AI-assisted semantic versioning.

Why: update-release-notes runs on release.published but doesn't automate the decision of when to release or what version to bump to. The factory's Changeset workflow has a 78% PR merge rate on 28 proposals. For this repo, the agent would analyze merged PRs since last tag, determine semver bump (patch/minor/major), and propose a release.

Effort: Medium

---

🌳 Issue Arborist

What: Periodic workflow that links related issues as sub-issues, building an organizational hierarchy of the issue tracker.

Why: With issue-monster dispatching issues to Copilot agents, related issues can multiply quickly. The Issue Arborist would group issues by theme (security, DNS, Docker, CLI) and link them as sub-issues to parent tracking issues. Factory created 77 reports + 18 parent issues.

Effort: Medium

---

P3 — Future Ideas

---

🔀 Mergefest

Auto-merge main into open PRs to keep them current. Particularly useful given the number of Copilot agent PRs from issue-monster that may go stale.

Add with: gh aw add-wizard https://github.com/github/gh-aw/blob/v0.45.5/.github/workflows/mergefest.md

---

🔖 Sub Issue Closer

Automatically close completed sub-issues when their parent is resolved. Complements Issue Arborist.

Add with: gh aw add-wizard https://github.com/github/gh-aw/blob/v0.45.5/.github/workflows/sub-issue-closer.md

---

📥 Daily Backlog Burner

One issue per day — methodically works through open issues, assigning each to Copilot agent for resolution. Complementary to issue-monster (which is reactive).

Add with: gh aw add-wizard githubnext/agentics/workflows/daily-backlog-burner.md

---

🔍 Duplicate Code Detector

Semantic duplicate code analysis using Serena toolkit — finds duplicate patterns across src/docker-manager.ts, src/squid-config.ts, and src/host-iptables.ts.

Add with: gh aw add-wizard https://github.com/github/gh-aw/blob/v0.45.5/.github/workflows/duplicate-code-detector.md

---

📈 Maturity Assessment

Dimension	Score	Notes
Security automation	5/5	Exceptional — secret diggers (3 engines, hourly), security-guard, security-review, dependency monitor
CI/CD automation	4/5	Strong — ci-doctor, build-test, smoke tests; missing CI Coach and Breaking Change Checker
Documentation	5/5	Excellent — doc-maintainer, cli-flag-consistency-checker, update-release-notes
Code quality	2/5	Gap — no code simplifier, no duplicate detector, no refactoring agent
Issue management	3/5	Good — issue-monster, issue-duplication-detector; missing triage labels, arborist
Meta-monitoring	2/5	Gap — no workflow health manager watching the 21 workflows
ChatOps	3/5	Good — /plan; missing /pr-fix and other slash commands

Current Level: 4/5 — Advanced automated repository with strong security posture and broad workflow coverage.

Target Level: 5/5 — Adding code quality automation, meta-monitoring, and missing ChatOps would complete the picture.

Gap to Close: ~5-7 additional workflows, focused on code quality (P1) and orchestration (P1-P2).

---

🔄 Comparison with Best Practices

What This Repo Does Exceptionally Well

• Multi-engine security: Running secret-diggers on Claude, Codex, AND Copilot simultaneously is a best-in-class approach not commonly seen
• Domain-specific tailoring: security-guard is deeply customized for iptables/Squid/container security — not a generic reviewer
• Smoke test coverage: 4 smoke workflows (3 engine variants + chroot) ensure the firewall actually works
• Cache-memory usage: issue-duplication-detector uses cache-memory for persistent state — a sophisticated pattern
• Shared imports: shared/mcp-pagination.md, shared/secret-audit.md etc. — DRY principle applied to workflows

What Could Be Improved

• Code quality gap: Zero continuous improvement agents for TypeScript quality (the factory has 5+ such workflows)
• No meta-monitoring: 21 workflows with no health manager creates blind spots
• Missing triage labels: Issues dispatched to issue-monster without labels create organizational debt
• No pr-fix: Given complex CI, this is a daily-value workflow missing from the arsenal

Unique Opportunities Given the Security Domain

This repo is itself a security enforcement tool, creating unique opportunities:

1. Self-dogfooding workflow: Run awf in CI to validate its own firewall rules work
2. Security boundary regression testing: Track what domains each smoke test allows/blocks over time
3. Threat intelligence integration: A workflow that monitors CVE feeds for Docker/Squid/iptables vulnerabilities specifically

---

📝 Notes for Future Runs

Stored in /tmp/gh-aw/cache-memory/pelis-advisor-notes.json

• 21 agentic workflows found as of 2026-03-15 (up from baseline)
• Key gap: No code quality continuous improvement workflows
• Track over time: Whether issue-monster backlog is growing or shrinking (health indicator)
• Next check: Has pr-fix slash command been added? Has issue triage labeling been implemented?
• Maturity score: 4/5 overall, 2/5 for code quality specifically

AI generated by Pelis Agent Factory Advisor

• expires on Mar 22, 2026, 3:39 AM UTC