fix: report-incomplete fails pipeline, percent-encode user_id, stage-1 status validation, merge_strategy validation, dead code removal (#141)

* feat: add 8 new safe output tools

Implements the remaining safe output features from GitHub issues #72-#79:

- add-pr-comment (#72): Create comment threads on Azure DevOps pull requests
  with support for general and file-specific inline comments
- link-work-items (#73): Create relationships between work items (parent/child,
  related, predecessor/successor, duplicate)
- queue-build (#74): Trigger Azure DevOps pipeline/build runs with optional
  branch and template parameters
- create-git-tag (#75): Create annotated git tags on commits in ADO repositories
- add-build-tag (#76): Add tags to Azure DevOps builds for classification
- create-branch (#77): Create new branches without immediately creating a PR
- update-pr (#78): Update PR metadata (reviewers, labels, auto-complete, vote,
  description)
- upload-attachment (#79): Upload file attachments to work items

Each tool includes:
- Params struct with validation
- Config struct for front matter configuration
- Executor with full ADO REST API implementation
- Sanitize impl for security
- Comprehensive unit tests

All 8 tools are registered in the MCP server, Stage 2 executor dispatch,
budget system, and write-permissions validation.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address PR review feedback

Bug fixes:
- create-git-tag: resolve HEAD via repository's defaultBranch instead of
  hardcoding 'heads/main' (works with master, develop, etc.)
- update-pr: resolve reviewer emails to GUIDs via VSSPS identity API
  before adding to PR (ADO reviewers endpoint requires user ID, not email)

Security:
- update-pr: require 'allowed-votes' to be explicitly configured for vote
  operation — empty list now rejects all votes to prevent accidental
  auto-approve by agents

Improvements:
- update-pr: make auto-complete merge options configurable via front matter
  (delete-source-branch, merge-strategy) instead of hardcoding squash+delete
- add-pr-comment: validate file_path in Validate::validate() at Stage 1
  (was only validated at Stage 2, giving no feedback to agent)
- queue-build: sanitize template parameter keys and values to prevent
  ##vso[] command injection in build logs

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: align with gh-aw — add review tools and enhancements

Adds 4 new safe output tools to align with gh-aw's PR review capabilities:

- submit-pr-review: Submit PR review with decision (approve, request-changes,
  comment) and optional body/rationale text. Requires allowed-events config.
- reply-to-pr-review-comment: Reply to existing review comment threads
- resolve-pr-review-thread: Resolve/reactivate review threads (fixed, wont-fix,
  closed, by-design, active)
- report-incomplete: Signal task could not complete due to infrastructure failure

Enhancements to existing tools:
- add-pr-comment: Add start_line param for multi-line code comments (gh-aw parity)
- link-work-items: Set DEFAULT_MAX=5 (matches gh-aw link-sub-issue default)
- queue-build: Set DEFAULT_MAX=3 (prevents pipeline queue flooding)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address second round of PR review feedback

Bug fixes:
- update-pr: derive connectiondata URL from org_url instead of hardcoding
  dev.azure.com — supports vanity domains and national cloud endpoints
- update-pr: derive VSSPS identity URL from org_url instead of hardcoding
  vssps.dev.azure.com — same environment portability fix
- submit-pr-review: same connectiondata URL fix (derived from org_url)

Security:
- upload-attachment: add canonicalize() + prefix check after resolving file
  path to prevent symlink escape attacks (symlinks within workspace could
  previously be followed to read arbitrary files outside source_directory)

Improvements:
- add-pr-comment: sanitize structural fields (repository, status, file_path)
  with control-char stripping for defense-in-depth consistency

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: branch wildcard matching + VSSPS URL warning

- queue-build: drop equality arm from release/* wildcard matching so bare
  'release' no longer matches 'release/*' — only 'release/...' does
- update-pr: add warn! log when VSSPS URL derivation produces no change
  (surfaces the issue for visualstudio.com-hosted orgs at runtime)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: status mapping, VSSPS rejection, branch sanitize, policy order

Bug fix:
- add-pr-comment: fix WontFix status mapped to 6 (should be 3). Unify status
  strings to kebab-case (active, fixed, wont-fix, closed, by-design) with
  CamelCase accepted for backwards compatibility.

Security:
- update-pr: reject add-reviewers for non-dev.azure.com org URLs instead of
  silently proceeding with a malformed VSSPS URL (*.visualstudio.com orgs)

Improvements:
- queue-build: sanitize branch field for defense-in-depth consistency
- update-pr: document allow-list semantics asymmetry (operations=permissive,
  votes=secure) in UpdatePrConfig doc comment
- create-branch: check config policy (allowed-repositories) before resolving
  repo alias, so operators see a policy error not a checkout-list error

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: repo policy ordering, VSSPS loop hoist, dedup resolve_repo_name

Bug fixes:
- create-git-tag: check config allowed-repositories before resolving repo
  alias (same fix as create-branch — policy error before resolution error)
- update-pr: hoist VSSPS URL derivation and validation out of the
  per-reviewer loop (avoids repeated work, fails fast before any API calls)

Refactor:
- Extract resolve_repo_name() to tools/mod.rs — was duplicated identically
  in update_pr.rs and submit_pr_review.rs

Documentation:
- add-pr-comment: clarify start_line must be strictly less than line
- reply-to-pr-comment: explain parentCommentId=1 targets root comment
- upload-attachment: document ##vso[] scan UTF-8 boundary behavior
- mcp.rs: log warning on report-incomplete write failure

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address PR review feedback — report-incomplete, percent-encode user_id, status validation, merge_strategy validation, dead code removal

Agent-Logs-Url: https://github.com/githubnext/ado-aw/sessions/474893c9-505a-48fb-a77e-768710027c85

Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com>

* fix: improve merge_strategy tests to be non-tautological

Agent-Logs-Url: https://github.com/githubnext/ado-aw/sessions/474893c9-505a-48fb-a77e-768710027c85

Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com>

* fix: merge_strategy guard before GET, per-component .. check, compile-time submit-pr-review validation

Agent-Logs-Url: https://github.com/githubnext/ado-aw/sessions/c36b2130-22bf-49ac-929f-0de6cada3ef6

Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com>

* fix: review thread status 4→1, case-insensitive allowed_statuses, compile-time update-pr vote validation

Agent-Logs-Url: https://github.com/githubnext/ado-aw/sessions/147051a9-a11a-4967-9c19-9fd9a2093064

Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com>

* fix: flush NDJSON file after write to prevent stale reads

tokio::fs::File::write_all may buffer data internally without
flushing to the filesystem. Under load (e.g., full test suite),
a subsequent read_to_string could see stale data, causing
write_safe_output_file_with_maximum to miss already-written
entries and exceed the configured limit.

Adding an explicit flush() ensures data reaches the filesystem
before the function returns.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address 3 critical security issues from review

1. Self-approval guard for submit-pr-review and update-pr vote:
   Both voting paths now fetch the PR createdBy.id and block positive
   votes (approve, approve-with-suggestions) when the authenticated
   identity is the PR author.

2. ##vso[ pipeline command neutralization in core sanitize():
   Added neutralize_pipeline_commands() step that wraps ##vso[ and ##[
   sequences in backticks, preventing ADO from interpreting them as
   logging commands. This provides defense-in-depth for all text fields
   across all safe output tools.

3. resolve-pr-review-thread fail-closed allowed-statuses:
   Changed from permissive default (empty = all allowed) to fail-closed
   (empty = all rejected). Added compile-time validator
   validate_resolve_pr_thread_statuses() that requires explicit
   allowed-statuses config, matching the pattern of submit-pr-review
   allowed-events and update-pr allowed-votes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address 7 high-severity issues from review

4. link-work-items: Added required target config field (reuses
   CommentTarget enum from comment-on-work-item). Execution now
   fails if target is not configured, preventing unrestricted
   cross-project work item linking.

5. queue-build: Added ADO variable injection check for template
   parameter values. Rejects values containing \$(, \${{ or \$[
   syntax that could reference pipeline variables.

6. upload-attachment: Fixed path traversal via backslash by
   splitting on both / and \\ in .., .git, and absolute path
   checks. Added tests for backslash-based traversal.

7. create-git-tag + create-branch: Added comprehensive git ref
   name validation via shared validate_git_ref_name() helper.
   Rejects .., @{, ~, ^, :, ?, *, [, \\, //, .lock suffix,
   leading dots in path components, and trailing dots.

8. add-build-tag: Added allow-any-build config (default: false).
   When not explicitly enabled, only the current pipeline build
   (BUILD_BUILDID) can be tagged.

9. update-pr: Changed auto-complete to use the agent's own
   identity from _apis/connectiondata instead of the PR
   createdBy.id, providing correct audit attribution.

10. report-incomplete: Added sanitize_fields() call before using
    the reason field in execute.rs to prevent injection via
    unsanitized agent output.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: component-wise .. check in add_pr_comment, remove spurious pending status, use resolve_repo_name helper

Agent-Logs-Url: https://github.com/githubnext/ado-aw/sessions/91091a0b-42a6-4559-afa4-44d12b847a4e

Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

Author: 3 people

src/compile/common.rs

@@ -678,6 +678,17 @@ const WRITE_REQUIRING_SAFE_OUTPUTS: &[&str] = &[
     "update-work-item",
     "create-wiki-page",
     "update-wiki-page",
+    "add-pr-comment",
+    "link-work-items",
+    "queue-build",
+    "create-git-tag",
+    "add-build-tag",
+    "create-branch",
+    "update-pr",
+    "upload-attachment",
+    "submit-pr-review",
+    "reply-to-pr-review-comment",
+    "resolve-pr-review-thread",
 ];
 
 /// Validate that write-requiring safe-outputs have a write service connection configured.
@@ -759,6 +770,118 @@ pub fn validate_update_work_item_target(front_matter: &FrontMatter) -> Result<()
     Ok(())
 }
 
+/// Validate that submit-pr-review has a required `allowed-events` field when configured.
+///
+/// An empty or missing `allowed-events` list would allow agents to cast any review vote,
+/// including auto-approvals. Operators must explicitly opt in to each allowed event.
+pub fn validate_submit_pr_review_events(front_matter: &FrontMatter) -> Result<()> {
+    if let Some(config_value) = front_matter.safe_outputs.get("submit-pr-review") {
+        if let Some(obj) = config_value.as_object() {
+            let allowed_events = obj.get("allowed-events");
+            let is_empty = match allowed_events {
+                None => true,
+                Some(v) => v.as_array().map_or(true, |a| a.is_empty()),
+            };
+            if is_empty {
+                anyhow::bail!(
+                    "safe-outputs.submit-pr-review requires a non-empty 'allowed-events' list \
+                     to prevent agents from casting unrestricted review votes. Example:\n\n  \
+                     safe-outputs:\n    submit-pr-review:\n      allowed-events:\n        \
+                     - comment\n        - approve-with-suggestions\n\n\
+                     Valid events: approve, approve-with-suggestions, request-changes, comment\n"
+                );
+            }
+        } else {
+            anyhow::bail!(
+                "safe-outputs.submit-pr-review must be a configuration object with an \
+                 'allowed-events' list. Example:\n\n  \
+                 safe-outputs:\n    submit-pr-review:\n      allowed-events:\n        - comment\n"
+            );
+        }
+    }
+    Ok(())
+}
+
+/// Validate that update-pr has a required `allowed-votes` field when the `vote` operation
+/// is enabled (i.e., `allowed-operations` is empty — meaning all ops — or explicitly contains
+/// "vote").
+///
+/// An empty `allowed-votes` list when vote is enabled would always fail at Stage 2 with a
+/// runtime error. Catching this at compile time is consistent with how
+/// `validate_submit_pr_review_events` handles the analogous case.
+pub fn validate_update_pr_votes(front_matter: &FrontMatter) -> Result<()> {
+    if let Some(config_value) = front_matter.safe_outputs.get("update-pr") {
+        if let Some(obj) = config_value.as_object() {
+            // Determine whether the vote operation is reachable:
+            // - allowed-operations absent or empty → all operations allowed (includes vote)
+            // - allowed-operations non-empty → vote is allowed only if explicitly listed
+            let vote_reachable = match obj.get("allowed-operations") {
+                None => true,
+                Some(v) => v
+                    .as_array()
+                    .map_or(true, |a| a.is_empty() || a.iter().any(|x| x == "vote")),
+            };
+
+            if vote_reachable {
+                let allowed_votes_empty = match obj.get("allowed-votes") {
+                    None => true,
+                    Some(v) => v.as_array().map_or(true, |a| a.is_empty()),
+                };
+                if allowed_votes_empty {
+                    anyhow::bail!(
+                        "safe-outputs.update-pr enables the 'vote' operation but has no \
+                         'allowed-votes' list. This would reject all votes at Stage 2. \
+                         Either restrict 'allowed-operations' to exclude 'vote', or add an \
+                         explicit 'allowed-votes' list:\n\n  \
+                         safe-outputs:\n    update-pr:\n      allowed-votes:\n        \
+                         - approve-with-suggestions\n        - wait-for-author\n\n\
+                         Valid votes: approve, approve-with-suggestions, reject, \
+                         wait-for-author, reset\n"
+                    );
+                }
+            }
+        }
+        // If the value is a scalar (e.g. `update-pr: true`) we don't error here —
+        // the config will default to empty allowed-votes, which is safe (vote always rejected).
+    }
+    Ok(())
+}
+
+/// Validate that resolve-pr-review-thread has a required `allowed-statuses` field when configured.
+///
+/// An empty or missing `allowed-statuses` list would let agents set any thread status,
+/// including "fixed" or "wontFix" on security-critical review threads. Operators must
+/// explicitly opt in to each allowed status transition.
+pub fn validate_resolve_pr_thread_statuses(front_matter: &FrontMatter) -> Result<()> {
+    if let Some(config_value) = front_matter.safe_outputs.get("resolve-pr-review-thread") {
+        if let Some(obj) = config_value.as_object() {
+            let allowed_statuses = obj.get("allowed-statuses");
+            let is_empty = match allowed_statuses {
+                None => true,
+                Some(v) => v.as_array().map_or(true, |a| a.is_empty()),
+            };
+            if is_empty {
+                anyhow::bail!(
+                    "safe-outputs.resolve-pr-review-thread requires a non-empty \
+                     'allowed-statuses' list to prevent agents from manipulating thread \
+                     statuses without explicit operator consent. Example:\n\n  \
+                     safe-outputs:\n    resolve-pr-review-thread:\n      allowed-statuses:\n\
+                     \x20       - fixed\n\n\
+                     Valid statuses: active, fixed, wont-fix, closed, by-design\n"
+                );
+            }
+        } else {
+            anyhow::bail!(
+                "safe-outputs.resolve-pr-review-thread must be a configuration object \
+                 with an 'allowed-statuses' list. Example:\n\n  \
+                 safe-outputs:\n    resolve-pr-review-thread:\n      allowed-statuses:\n\
+                 \x20       - fixed\n"
+            );
+        }
+    }
+    Ok(())
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -1350,4 +1473,167 @@ mod tests {
         let result = generate_pipeline_path(&abs_path);
         assert_eq!(result, "{{ workspace }}/agents/ctf.yml");
     }
+
+    // ─── validate_submit_pr_review_events ────────────────────────────────────
+
+    #[test]
+    fn test_submit_pr_review_events_passes_when_not_configured() {
+        let fm = minimal_front_matter();
+        assert!(validate_submit_pr_review_events(&fm).is_ok());
+    }
+
+    #[test]
+    fn test_submit_pr_review_events_fails_when_allowed_events_missing() {
+        let (fm, _) = parse_markdown(
+            "---\nname: test\ndescription: test\nsafe-outputs:\n  submit-pr-review:\n    allowed-repositories:\n      - self\n---\n"
+        ).unwrap();
+        let result = validate_submit_pr_review_events(&fm);
+        assert!(result.is_err());
+        let msg = result.unwrap_err().to_string();
+        assert!(msg.contains("allowed-events"), "message: {msg}");
+    }
+
+    #[test]
+    fn test_submit_pr_review_events_fails_when_allowed_events_empty() {
+        let (fm, _) = parse_markdown(
+            "---\nname: test\ndescription: test\nsafe-outputs:\n  submit-pr-review:\n    allowed-events: []\n---\n"
+        ).unwrap();
+        let result = validate_submit_pr_review_events(&fm);
+        assert!(result.is_err());
+        let msg = result.unwrap_err().to_string();
+        assert!(msg.contains("allowed-events"), "message: {msg}");
+    }
+
+    #[test]
+    fn test_submit_pr_review_events_fails_when_value_is_scalar() {
+        let (fm, _) = parse_markdown(
+            "---\nname: test\ndescription: test\nsafe-outputs:\n  submit-pr-review: true\n---\n"
+        ).unwrap();
+        let result = validate_submit_pr_review_events(&fm);
+        assert!(result.is_err());
+    }
+
+    #[test]
+    fn test_submit_pr_review_events_passes_when_events_provided() {
+        let (fm, _) = parse_markdown(
+            "---\nname: test\ndescription: test\nsafe-outputs:\n  submit-pr-review:\n    allowed-events:\n      - comment\n      - approve\n---\n"
+        ).unwrap();
+        assert!(validate_submit_pr_review_events(&fm).is_ok());
+    }
+
+    // ─── validate_update_pr_votes ─────────────────────────────────────────────
+
+    #[test]
+    fn test_update_pr_votes_passes_when_not_configured() {
+        let fm = minimal_front_matter();
+        assert!(validate_update_pr_votes(&fm).is_ok());
+    }
+
+    #[test]
+    fn test_update_pr_votes_fails_when_vote_reachable_and_no_allowed_votes() {
+        // allowed-operations absent → vote is reachable; no allowed-votes → should fail
+        let (fm, _) = parse_markdown(
+            "---\nname: test\ndescription: test\nsafe-outputs:\n  update-pr:\n    allowed-repositories:\n      - self\n---\n"
+        ).unwrap();
+        let result = validate_update_pr_votes(&fm);
+        assert!(result.is_err());
+        let msg = result.unwrap_err().to_string();
+        assert!(msg.contains("allowed-votes"), "message: {msg}");
+    }
+
+    #[test]
+    fn test_update_pr_votes_fails_when_vote_explicit_and_no_allowed_votes() {
+        // allowed-operations contains "vote"; no allowed-votes → should fail
+        let (fm, _) = parse_markdown(
+            "---\nname: test\ndescription: test\nsafe-outputs:\n  update-pr:\n    allowed-operations:\n      - vote\n---\n"
+        ).unwrap();
+        let result = validate_update_pr_votes(&fm);
+        assert!(result.is_err());
+        let msg = result.unwrap_err().to_string();
+        assert!(msg.contains("allowed-votes"), "message: {msg}");
+    }
+
+    #[test]
+    fn test_update_pr_votes_fails_when_allowed_votes_empty() {
+        // allowed-operations absent; allowed-votes is empty list → should fail
+        let (fm, _) = parse_markdown(
+            "---\nname: test\ndescription: test\nsafe-outputs:\n  update-pr:\n    allowed-votes: []\n---\n"
+        ).unwrap();
+        let result = validate_update_pr_votes(&fm);
+        assert!(result.is_err());
+    }
+
+    #[test]
+    fn test_update_pr_votes_passes_when_vote_excluded_from_allowed_operations() {
+        // allowed-operations is non-empty and does not contain "vote" → safe, no error
+        let (fm, _) = parse_markdown(
+            "---\nname: test\ndescription: test\nsafe-outputs:\n  update-pr:\n    allowed-operations:\n      - add-reviewers\n      - set-auto-complete\n---\n"
+        ).unwrap();
+        assert!(validate_update_pr_votes(&fm).is_ok());
+    }
+
+    #[test]
+    fn test_update_pr_votes_passes_when_vote_reachable_and_allowed_votes_set() {
+        // allowed-operations absent; allowed-votes non-empty → OK
+        let (fm, _) = parse_markdown(
+            "---\nname: test\ndescription: test\nsafe-outputs:\n  update-pr:\n    allowed-votes:\n      - approve-with-suggestions\n---\n"
+        ).unwrap();
+        assert!(validate_update_pr_votes(&fm).is_ok());
+    }
+
+    #[test]
+    fn test_update_pr_votes_passes_when_vote_explicit_and_allowed_votes_set() {
+        // allowed-operations contains "vote"; allowed-votes non-empty → OK
+        let (fm, _) = parse_markdown(
+            "---\nname: test\ndescription: test\nsafe-outputs:\n  update-pr:\n    allowed-operations:\n      - vote\n    allowed-votes:\n      - wait-for-author\n---\n"
+        ).unwrap();
+        assert!(validate_update_pr_votes(&fm).is_ok());
+    }
+
+    // ─── validate_resolve_pr_thread_statuses ──────────────────────────────────
+
+    #[test]
+    fn test_resolve_pr_thread_passes_when_not_configured() {
+        let fm = minimal_front_matter();
+        assert!(validate_resolve_pr_thread_statuses(&fm).is_ok());
+    }
+
+    #[test]
+    fn test_resolve_pr_thread_fails_when_allowed_statuses_missing() {
+        let (fm, _) = parse_markdown(
+            "---\nname: test\ndescription: test\nsafe-outputs:\n  resolve-pr-review-thread:\n    allowed-repositories:\n      - self\n---\n"
+        ).unwrap();
+        let result = validate_resolve_pr_thread_statuses(&fm);
+        assert!(result.is_err());
+        let msg = result.unwrap_err().to_string();
+        assert!(msg.contains("allowed-statuses"), "message: {msg}");
+    }
+
+    #[test]
+    fn test_resolve_pr_thread_fails_when_allowed_statuses_empty() {
+        let (fm, _) = parse_markdown(
+            "---\nname: test\ndescription: test\nsafe-outputs:\n  resolve-pr-review-thread:\n    allowed-statuses: []\n---\n"
+        ).unwrap();
+        let result = validate_resolve_pr_thread_statuses(&fm);
+        assert!(result.is_err());
+        let msg = result.unwrap_err().to_string();
+        assert!(msg.contains("allowed-statuses"), "message: {msg}");
+    }
+
+    #[test]
+    fn test_resolve_pr_thread_fails_when_value_is_scalar() {
+        let (fm, _) = parse_markdown(
+            "---\nname: test\ndescription: test\nsafe-outputs:\n  resolve-pr-review-thread: true\n---\n"
+        ).unwrap();
+        let result = validate_resolve_pr_thread_statuses(&fm);
+        assert!(result.is_err());
+    }
+
+    #[test]
+    fn test_resolve_pr_thread_passes_when_statuses_provided() {
+        let (fm, _) = parse_markdown(
+            "---\nname: test\ndescription: test\nsafe-outputs:\n  resolve-pr-review-thread:\n    allowed-statuses:\n      - fixed\n      - wont-fix\n---\n"
+        ).unwrap();
+        assert!(validate_resolve_pr_thread_statuses(&fm).is_ok());
+    }
 }

src/compile/onees.rs

@@ -24,7 +24,8 @@ use super::common::{
     generate_pipeline_resources, generate_pr_trigger, generate_repositories,
     generate_schedule, generate_source_path, generate_working_directory,
     replace_with_indent, validate_comment_target, validate_update_work_item_target,
-    validate_write_permissions,
+    validate_write_permissions, validate_submit_pr_review_events,
+    validate_update_pr_votes, validate_resolve_pr_thread_statuses,
 };
 use super::types::{FrontMatter, McpConfig};
 
@@ -139,6 +140,12 @@ displayName: "Finalize""#,
         validate_comment_target(front_matter)?;
         // Validate update-work-item has required target field
         validate_update_work_item_target(front_matter)?;
+        // Validate submit-pr-review has required allowed-events field
+        validate_submit_pr_review_events(front_matter)?;
+        // Validate update-pr vote operation has required allowed-votes field
+        validate_update_pr_votes(front_matter)?;
+        // Validate resolve-pr-review-thread has required allowed-statuses field
+        validate_resolve_pr_thread_statuses(front_matter)?;
 
         // Replace all template markers
         let compiler_version = env!("CARGO_PKG_VERSION");

src/compile/standalone.rs

@@ -21,7 +21,8 @@ use super::common::{
     generate_pipeline_path, generate_pipeline_resources, generate_pr_trigger,
     generate_repositories, generate_schedule, generate_source_path,
     generate_working_directory, replace_with_indent, sanitize_filename,
-    validate_write_permissions, validate_comment_target, validate_update_work_item_target,
+    validate_write_permissions, validate_comment_target, validate_update_work_item_target, validate_submit_pr_review_events,
+    validate_update_pr_votes, validate_resolve_pr_thread_statuses,
 };
 use super::types::{FrontMatter, McpConfig};
 use crate::allowed_hosts::{CORE_ALLOWED_HOSTS, mcp_required_hosts};
@@ -130,6 +131,12 @@ impl Compiler for StandaloneCompiler {
         validate_comment_target(front_matter)?;
         // Validate update-work-item has required target field
         validate_update_work_item_target(front_matter)?;
+        // Validate submit-pr-review has required allowed-events field
+        validate_submit_pr_review_events(front_matter)?;
+        // Validate update-pr vote operation has required allowed-votes field
+        validate_update_pr_votes(front_matter)?;
+        // Validate resolve-pr-review-thread has required allowed-statuses field
+        validate_resolve_pr_thread_statuses(front_matter)?;
 
         // Load threat analysis prompt template
         let threat_analysis_prompt = include_str!("../../templates/threat-analysis.md");