docs(#279): draft canonical AGENTS.md for Codex review path

[cbeaulieu-gt]

Summary

This PR drafts AGENTS.md at the repo root — the canonical Codex review-guidance file for glitchwerks/github-actions and consumer repos that mirror its rules.

It ports the existing 696-line inline Claude PR-review prompt into Codex's P0/P1 review-guidance schema. The result is 19 rules across 7 thematic clusters:

1. Permissions — workflow-level vs job-level permissions: blocks; packages: read for GHCR container jobs
2. Token and identity — App token vs GITHUB_TOKEN for claude-code-action; PEM handling
3. Shell discipline — shellcheck disable=SC2016 on ${{ }} in single-quoted strings; no standalone jq; uncapped polling loops
4. Action reference integrity — absolute refs, not ./ relative paths; SHA pinning for third-party actions; no expressions in uses: values
5. Security — untrusted-value injection via github.event.*; secret echo; unguarded diff application
6. GitHub Actions conventions — ruleset entries for new required checks; concurrency: on push+PR triggers; secret forwarding in workflow_call
7. Container runtime — /etc/gitconfig safe.directory preservation; ci-manifest.yaml ref format; diff review discipline

What was dropped

Claude prompt material that did not port cleanly to P0/P1 vocabulary:

• Medium and Nit severity categories — Codex does not surface sub-P1 findings, so these were dropped entirely
• Meta-instructions about how to structure a review comment (format, length, tone) — Codex's review surface is opinionated about format; these instructions were Claude-specific
• The 5-dimension review framework prose (code quality, security, performance, test coverage, docs) — converted to specific, actionable Flag-as-P0/P1 sentences rather than open-ended evaluation criteria

Why this is a draft

This PR is gated on issue #295 (the [Q] empirical validation sub-issue). Until #295 confirms whether Codex Cloud env setup-scripts can deliver AGENTS.md remotely or the repo must carry it as a committed file, the delivery mechanism is unresolved. The content is identical either way. Do not merge until #295 resolves.

This PR contributes to the [A] sub-issue (#279) under the codex-pivot milestone but does not by itself satisfy its acceptance criteria — #295 resolution is required before the merge gate opens.

Refs #279, #294, #295.

---

🤖 Generated by Claude Code on behalf of @cbeaulieu-gt

[cbeaulieu-gt]

Closing as superseded

Codex evaluation has been pivoted to a scratch repo: glitchwerks/github-actions-codex (see tracking issue #297).

The decision: the canonical AGENTS.md will be authored from scratch in the scratch repo (if exploration goes positive), informed by what Codex actually wants rather than by porting pr-review/action.yml's 696-line Claude prompt. That port carries Claude conventions that may not translate well — and the scratch repo is the right surface to discover what does translate.

This draft remains visible in git history as a reference for the rule-extraction work (7 themed clusters, 19 P0/P1 rules), but the file should not land on main of this repo.

Refs #279, #294, #295, #297.

🤖 Generated by Claude Code on behalf of @cbeaulieu-gt