Context
PR #4724 had to be approved manually by Ema via gh pr review --approve 4724 because:
- The PR is bot-authored (by
aegis-gh-agent[bot])
- Branch protection on
develop requires an approving review
- GitHub blocks a bot from approving its own PR
- So every bot-authored PR that lands on
develop needs a human reviewer click
This pattern will keep recurring as more of our workflow is bot-driven (release-please, Dependabot auto-merges, aegis-gh-agent pre-checks, etc.).
Trigger
Boss approved #4724 manually on 2026-06-15 06:17 GMT+2 (msg 1515933266618613891) using the lane convention: "CLI authed as Ema, PR is bot-authored not Ema-authored, so the self-approval constraint doesn't apply."
Proposal — two paths, choose one (or both)
Path (a) — Dedicated reviewer GitHub App/PAT
- Mint a second GitHub App identity (or reuse an existing one with explicit reviewer scope) that:
- Has
contents: write and pull_requests: write on the repo
- Is NOT the same identity that opened the PR
- Add it as a required reviewer in branch protection for
develop (and main if needed for promotion PRs)
- This makes the bot chain fully self-approving — no human in the loop for approval-count
Tradeoffs:
- Pro: Zero human friction on bot PRs, scales linearly with bot volume
- Pro: Branch protection enforces it, no convention drift
- Con: New app identity to manage, rotate, audit
- Con: Requires a security review (Themis) on the new identity
Path (b) — Codify the lane convention in CONTRIBUTING.md
- Document the "Boss approves via CLI on bot-authored PRs" lane in
CONTRIBUTING.md (and/or AGENTS.md)
- Capture the exact
gh pr review --approve <N> invocation + the "self-approval doesn't apply" rationale
- Update
branching.md / prs.md in .claude/rules/ to point at it
Tradeoffs:
- Pro: Zero infrastructure cost
- Pro: Self-documenting — future agents discover the convention
- Con: Still requires a human in the loop (just one with a documented recipe)
- Con: Convention drift risk if not enforced via tooling
Hybrid (recommended) — both
Path (a) for the long-term fix (zero friction, no human), Path (b) as the documented fallback (covers edge cases where the reviewer app misbehaves or is revoked).
Acceptance criteria
- Bot-authored PRs to
develop can be approved without a human click
- The mechanism is documented in
CONTRIBUTING.md (or equivalent)
- Themis has signed off on the chosen path's security model
- Branch protection's required-reviewer rule reflects the actual approval chain
Out of scope (this issue is structural only)
Sprint placement
Post-#4683 backlog. Not P0/P1. Boss quote: "Not a P0, but it's a $5 friction fix that pays back fast."
References
Context
PR #4724 had to be approved manually by Ema via
gh pr review --approve 4724because:aegis-gh-agent[bot])developrequires an approving reviewdevelopneeds a human reviewer clickThis pattern will keep recurring as more of our workflow is bot-driven (release-please, Dependabot auto-merges, aegis-gh-agent pre-checks, etc.).
Trigger
Boss approved #4724 manually on 2026-06-15 06:17 GMT+2 (msg 1515933266618613891) using the lane convention: "CLI authed as Ema, PR is bot-authored not Ema-authored, so the self-approval constraint doesn't apply."
Proposal — two paths, choose one (or both)
Path (a) — Dedicated reviewer GitHub App/PAT
contents: writeandpull_requests: writeon the repodevelop(andmainif needed for promotion PRs)Tradeoffs:
Path (b) — Codify the lane convention in CONTRIBUTING.md
CONTRIBUTING.md(and/orAGENTS.md)gh pr review --approve <N>invocation + the "self-approval doesn't apply" rationalebranching.md/prs.mdin.claude/rules/to point at itTradeoffs:
Hybrid (recommended) — both
Path (a) for the long-term fix (zero friction, no human), Path (b) as the documented fallback (covers edge cases where the reviewer app misbehaves or is revoked).
Acceptance criteria
developcan be approved without a human clickCONTRIBUTING.md(or equivalent)Out of scope (this issue is structural only)
Sprint placement
Post-#4683 backlog. Not P0/P1. Boss quote: "Not a P0, but it's a $5 friction fix that pays back fast."
References
/home/bubuntu/.openclaw/workspace/infra/github-apps/get-installation-token*.sh.github/settings/branches.yml(or repo Settings → Branches, protected branches)