From 1e15b84e9cd4b921e66e8044cf1d5ac3a47f6555 Mon Sep 17 00:00:00 2001
From: jwbron <8340608+jwbron@users.noreply.github.com>
Date: Mon, 9 Mar 2026 23:47:32 +0000
Subject: [PATCH 1/2] docs: update gateway README with gh api ownership rules
Authored-by: egg
---
gateway/README.md | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/gateway/README.md b/gateway/README.md
index e4a6b61d..b557edd8 100644
--- a/gateway/README.md
+++ b/gateway/README.md
@@ -44,6 +44,12 @@ The gateway sidecar is the **trusted** component that holds credentials and vali
| `gh pr merge` | **BLOCKED** | No merge endpoint - human must merge via GitHub UI |
| `gh pr edit` | PR ownership | PR must be authored by egg |
| `gh pr close` | PR ownership | PR must be authored by egg |
+| `gh api PATCH repos/.../issues/comments/{id}` | Comment ownership | Comment must be authored by egg or configured user |
+| `gh api PATCH repos/.../pulls/comments/{id}` | Comment ownership | Comment must be authored by egg or configured user |
+| `gh api PATCH repos/.../comments/{id}` (commits) | Comment ownership | Comment must be authored by egg or configured user |
+| `gh api POST repos/.../issues/{id}/labels` | Issue/PR ownership | Issue or PR must be authored by egg or configured user |
+| `gh api POST repos/.../pulls/{id}/requested_reviewers` | PR ownership | PR must be authored by egg or configured user |
+| `gh api POST repos/.../pulls/{id}/reviews` | PR ownership | PR must be authored by egg or configured user |
**Bot variants for ownership check**: `egg`, `egg[bot]`, `app/egg`, `apps/egg`
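Review bot: the six new rows say "authored by egg or configured user", but the `gh pr edit` and `gh pr close` rows directly above them still say only "PR must be authored by egg", so the table now reads as if the two groups of operations are gated differently; if the gateway applies the same ownership predicate to both, the older rows should be updated in this same commit, and if they really differ, the row text should say why. The README also never says where the "configured user" comes from, so the "Bot variants for ownership check" line below the table should be extended to say how that user is configured and whether it is matched with the same `egg` / `egg[bot]` / `app/egg` / `apps/egg` variants. Lastly, the `gh api POST repos/.../pulls/{id}/reviews` row gates reviews on PR ownership; since GitHub does not let a PR author approve or request changes on their own PR, an ownership-gated review endpoint effectively only permits COMMENT-type reviews, which is worth stating in the Notes column so operators do not expect approvals from the bot.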
From 8ff4d09087094ed5421f6932aac7d46175527bd1 Mon Sep 17 00:00:00 2001
From: "egg-reviewer[bot]"
<261018737+egg-reviewer[bot]@users.noreply.github.com>
Date: Mon, 9 Mar 2026 23:59:28 +0000
Subject: [PATCH 2/2] fix: correct policy descriptions for pr comment, review,
edit, close
---
gateway/README.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/gateway/README.md b/gateway/README.md
index b557edd8..3f940d25 100644
--- a/gateway/README.md
+++ b/gateway/README.md
@@ -40,16 +40,16 @@ The gateway sidecar is the **trusted** component that holds credentials and vali
|-----------|--------|-------|
| `git push` | Branch ownership + Phase filter | Branch has open PR authored by egg, OR branch starts with `egg-` or `egg/`, AND operation is allowed in current phase |
| `gh pr create` | Phase filter + mode policy | Operation is allowed in current phase (typically only in 'pr' phase)
In user mode, PR is forced to draft
Blocked in reviewer mode |
-| `gh pr comment` | PR ownership | PR must be authored by egg |
+| `gh pr comment` | Allowed on any PR | PR must exist and be accessible |
| `gh pr merge` | **BLOCKED** | No merge endpoint - human must merge via GitHub UI |
-| `gh pr edit` | PR ownership | PR must be authored by egg |
-| `gh pr close` | PR ownership | PR must be authored by egg |
+| `gh pr edit` | PR ownership | PR must be authored by egg or configured user |
+| `gh pr close` | PR ownership | PR must be authored by egg or configured user |
| `gh api PATCH repos/.../issues/comments/{id}` | Comment ownership | Comment must be authored by egg or configured user |
| `gh api PATCH repos/.../pulls/comments/{id}` | Comment ownership | Comment must be authored by egg or configured user |
| `gh api PATCH repos/.../comments/{id}` (commits) | Comment ownership | Comment must be authored by egg or configured user |
| `gh api POST repos/.../issues/{id}/labels` | Issue/PR ownership | Issue or PR must be authored by egg or configured user |
| `gh api POST repos/.../pulls/{id}/requested_reviewers` | PR ownership | PR must be authored by egg or configured user |
-| `gh api POST repos/.../pulls/{id}/reviews` | PR ownership | PR must be authored by egg or configured user |
+| `gh api POST repos/.../pulls/{id}/reviews` | Allowed on any PR | PR must exist and be accessible |
**Bot variants for ownership check**: `egg`, `egg[bot]`, `app/egg`, `apps/egg`
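Review bot: the `gh pr comment` and `gh api POST repos/.../pulls/{id}/reviews` rows change from an ownership gate to "Allowed on any PR", which widens what the sidecar will do with its held credentials; the Notes column should spell out what "accessible" means (presumably that the gateway's token can read the PR in that repository) and, given the surrounding text distinguishes user mode from reviewer mode, whether commenting and reviewing on PRs authored by others is permitted in both modes or only in reviewer mode. Since this commit is titled "correct policy descriptions", it should also reference the enforcing check in the gateway code (or its test) so a reader can confirm the README now matches what is actually enforced rather than the other way round.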