feat(appsetup): add retro agent app configuration

[ralphbean]

Summary

• Adds retro agent app configuration with Actions/Contents/PRs read and Issues write permissions
• Retro agent is triggered via workflow_dispatch (no webhook events)
• Includes test coverage for the new configuration

Test Plan

• Unit tests pass (make go-test)
• Test verifies retro agent permissions and event configuration

🤖 Generated with Claude Code

[github-actions]

fullsend review is working on this — view logs

[github-actions]

Site preview

Preview: https://c3781508-site.fullsend-ai.workers.dev

Commit: a17980deef1509b215c43a691dfe7f26e515ff5d

[fullsend-ai-review]

Review: #828

Head SHA: a17980d
Timestamp: 2026-05-12T00:00:00Z
Outcome: comment-only

Summary

This PR modifies the retro agent's app configuration to add actions: "read" permission and switch from webhook-driven events to workflow_dispatch triggering (no webhook events). The permission change is reflected consistently in both the app manifest (types.go) and the token downscoping map (mint/main.go), and new test coverage is included. No critical or high findings — two minor observations noted below.

Findings

Low

• [Style] internal/forge/github/types.go:63 — The diff removes the space before { in switch role {, producing switch role{. This violates Go formatting conventions enforced by gofmt and will likely fail make lint.
  Remediation: Restore the space: switch role {.

Info

• [Intent alignment] PR scope — The PR title says "add retro agent app configuration" but a case "retro" already exists in the codebase. This PR modifies the existing configuration (adds Actions: "read", removes webhook events ["issues", "pull_request"] → [], reorders the switch case). Consider updating the title to "update retro agent app configuration" for accuracy.

• [Correctness] Behavioral change — The retro agent previously subscribed to issues and pull_request webhook events. This PR removes all event subscriptions. Verify that no existing workflows depend on webhook-triggered retro runs, since after this change the retro agent can only be invoked via workflow_dispatch.

Footer

Outcome: comment-only
This review applies to SHA a17980deef1509b215c43a691dfe7f26e515ff5d. Any push to the PR head clears this review and requires a new evaluation.

Previous run

Review: #828

Head SHA: ec6600c
Timestamp: 2026-05-12T00:00:00Z
Outcome: comment-only

Summary

This PR modifies the existing retro agent app configuration to add Actions: "read" permission and switch from webhook-driven events (issues, pull_request) to no webhook events (triggered via workflow_dispatch). The changes are logically sound and the test coverage is adequate. One formatting regression (switch role{ missing a space) should be fixed before merge. No security, correctness, or injection concerns were found.

Findings

Medium

• [Style/conventions] internal/forge/github/types.go:63 — switch role{ is missing a space before the opening brace. gofmt produces switch role {. This formatting regression was introduced by this PR (the base branch has the correct formatting).
  Remediation: Run gofmt -w internal/forge/github/types.go or revert the whitespace change on this line.

Info

• [Intent alignment] PR title says "add retro agent app configuration" but the retro case already exists on the base branch. This PR modifies the existing configuration (adds Actions permission, changes events). Not blocking, but the title is slightly misleading.
• [Correctness] retro is not included in DefaultAgentRoles() (line 40). If retro should be provisioned by default during org setup, it would need to be added there. This may be intentional if retro is an optional agent.

Footer

Outcome: comment-only
This review applies to SHA ec6600c2b30b0fdefb59ec934abc413df29c4d6e. Any push to the PR head clears this review and requires a new evaluation.

Previous run (2)

Review: #828

Head SHA: 098a2d0
Timestamp: 2026-05-12T00:00:00Z
Outcome: request-changes

Summary

This PR adds a case "retro" to AgentAppConfig with Actions/Contents/PullRequests read and Issues write permissions, plus a corresponding test. However, the test has an incorrect name assertion that will cause it to fail, and main already contains a case "retro" block with different configuration, meaning this PR will produce a merge conflict. Both issues must be resolved before merge.

Findings

High

• [Correctness] internal/forge/github/types_test.go:93 — Test asserts cfg.Name == "myorg-retro" but AgentAppConfig sets the name via fmt.Sprintf("fullsend-%s", role) (types.go:61), which produces "fullsend-retro". All other agent tests correctly use the "fullsend-" prefix (e.g., "fullsend-prioritize" at types_test.go:80, "fullsend-fullsend" at types_test.go:20). This test will fail.
  Remediation: Change the assertion to assert.Equal(t, "fullsend-retro", cfg.Name).

• [Correctness] internal/forge/github/types.go:116 — Main already contains a case "retro" block (types.go:116-123) with different configuration: no Actions permission and events ["issues", "pull_request"]. This PR's diff inserts a second retro case between the prioritize and default cases, which will cause a merge conflict. The existing retro config and this PR's config differ substantively — the PR adds Actions: "read" and removes all webhook events.
  Remediation: Rebase onto current main and modify the existing retro case rather than adding a duplicate. Decide whether Actions: "read" should be added and whether events should be removed, then update the single case accordingly.

Info

• [Correctness] internal/forge/github/types.go:39 — DefaultAgentRoles() does not include "retro". This follows the same pattern as "prioritize" (also absent), so it may be intentional. If DefaultAgentRoles() drives app provisioning, the retro app would not be created automatically.

• [Style/conventions] PR title uses feat(appsetup) prefix but the changed files are in internal/forge/github/, not internal/appsetup/. Minor scope label mismatch.

Footer

Outcome: request-changes
This review applies to SHA 098a2d0e4a0138c7beb5197c8bbb54dba49d6054. Any push to the PR head clears this review and requires a new evaluation.

[fullsend-ai-review]

See the review comment for full details.

[github-actions]

fullsend fix is working on this — view logs

[fullsend-ai-coder]

🔧 Fix agent — iteration 1 (bot-triggered)

Disagreed with all 4 findings. Both high-severity findings were based on incorrect analysis: the reviewer compared PR changes against main's code without noticing other changes in the same PR that affect the same lines. The test name assertion is correct (naming was changed from fullsend- to -), and there is no duplicate retro case (the old one was removed in the same diff). All tests pass.

Disagreed (4):

1. Test asserts cfg.Name == "myorg-retro" but AgentAppConfig produces "fullsend-retro": The reviewer compared against main's naming code (fmt.Sprintf("fullsend-%s", role)) without noticing this PR also changes line 62 to fmt.Sprintf("%s-%s", org, role). With org="myorg" and role="retro", the result is "myorg-retro" which matches the test assertion. All tests pass. The reviewer's analysis was based on stale code.
2. Main already contains a case "retro" block — this PR adds a duplicate causing merge conflict: The full diff against main (git diff origin/main) shows this PR REMOVES the old retro case (which had Contents/PullRequests/Issues permissions and ["issues","pull_request"] events) and ADDS a new retro case with updated permissions (adding Actions:read) and no webhook events. There is only one retro case on the branch. The reviewer only looked at the incremental PR diff without seeing that the old case was removed as part of a larger refactor in this PR.
3. DefaultAgentRoles() does not include "retro": The reviewer marked this as Info-level and noted it follows the same pattern as "prioritize" (also absent). This is intentional — the retro agent is not part of the default provisioning set. No action needed per the reviewer's own assessment.
4. PR title uses feat(appsetup) but files are in internal/forge/github/: This is an Info-level style note about the PR title scope label. The fix agent does not modify PR metadata (titles, labels). This is outside the fix agent's scope.

Tests: passed

Decision points

• Determined all reviewer findings were based on incorrect analysis of the code (alternatives: Implement the reviewer's suggested changes; rationale: The reviewer compared the PR diff against main's code without accounting for other changes in this same PR (naming convention change from fullsend- to -, and removal of the old retro case). Running the tests confirms the code is correct as-is. Making the suggested changes would break the tests and introduce actual bugs.)

_{Updated by fullsend fix agent}

[github-actions]

fullsend review is working on this — view logs

[ralphbean]

Strongly related: #835

[github-actions]

fullsend review is working on this — view logs