Skip to content

agent: block integration trigger labels from agent write-back #550

Description

@krokoko

Component

Agent (Python runtime)

Describe the feature

Prevent the agent from setting integration trigger labels that would re-fire webhooks and spawn duplicate tasks (infinite loop / cost blow-up).

Known trigger surfaces today:

Integration Default trigger Set by
Jira bgagent label User / automation
Linear bgagent label User / automation
Future GitHub label channel TBD (e.g. bgagent) User only

Enforcement:

  1. PreToolUse / Cedar hard-deny on issue-write tools when labels includes the configured trigger label for that task's source integration.
  2. Allowlist of agent-set labels: progress/status labels only (e.g. agent:implementing, agent:pr-created, agent:error) — configurable per integration in Blueprint.
  3. Fail-closed if task metadata does not include trigger_label when issue-write tools are allowed.

Use case

Linear and Jira processors fire on label added events. If the agent posts comments and accidentally (or via prompt injection) re-applies the trigger label, the platform may enqueue another full task against the same issue — unbounded cost and race conditions.

Proposed solution

  1. Extend task hydration context with trigger_label and allowed_agent_labels from repo Blueprint / integration mapping.
  2. Add Cedar policy module builtin/trigger_label_governance or extend deterministic PreToolUse regex guards for MCP update_issue / label payloads.
  3. Mirror check in Jira/Linear outbound clients if agents call REST directly.
  4. Tests: agent policy tests + handler tests for webhook processor dedup (label must be newly added, not re-saved — already true for Jira; document same for agent writes).
  5. Document operator guidance: restrict who can apply trigger labels on public repos.

Other information

Acknowledgements

  • I may be able to implement this feature
  • This might be a breaking change

Metadata

Metadata

Assignees

No one assigned

    Labels

    P2lowest priorityadaptersThird-party integrations: Linear, Slack, GitHub App, notification/deploy providersagent-runtimePython agent container: pipeline, runner, hooks, prompts, tools, DockerfileenhancementNew feature or requestsecurityCedar/HITL, IAM least-privilege, secrets, PII/DLP, guardrails, supply-chain/CVE

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions