
Strengthen self-improvement decision support #35

Merged
edithatogo merged 1 commit into main from self-improvement-decision-support-20260314
Mar 14, 2026

@edithatogo edithatogo commented Mar 14, 2026

Summary

  • fix security policy detection in the self-improvement data gatherer by checking standard SECURITY.md locations
  • generate decision-oriented self-improvement issue content with explicit Adopt/Reject/Defer suggestions
  • upload a standalone decision-log artifact from the scheduled workflow and update the active conductor track notes

Verification

  • node scripts/gather-repo-data.js edithatogo/humanizer-next blader/humanizer
  • node scripts/render-self-improvement-issue.js
  • npm test
  • npm run validate
  • npm run lint:all

Summary by CodeRabbit

  • New Features
    • Workflow now generates a decision log artifact with structured recommendations for adopting or rejecting suggestions
    • Added security policy detection to repository data gathering
    • Enhanced issue content with decision support sections to help evaluate suggestions

Copilot AI review requested due to automatic review settings March 14, 2026 01:23
@qodo-code-review

Review Summary by Qodo

Strengthen self-improvement decision support with policy detection

✨ Enhancement


Walkthroughs

Description
• Detect security policies by checking standard SECURITY.md locations
• Generate decision-oriented issue content with Adopt/Reject/Defer suggestions
• Create standalone decision-log artifact from scheduled workflow
• Update conductor track notes reflecting strengthened automation
Diagram
flowchart LR
  A["gather-repo-data.js"] -->|"check SECURITY.md locations"| B["hasPublishedSecurityPolicy"]
  A -->|"fetch repo metadata"| C["getRepoMetadata"]
  C -->|"include security policy flag"| D["repo-data.json"]
  D -->|"process decisions"| E["render-self-improvement-issue.js"]
  E -->|"build local/upstream decisions"| F["Decision Items"]
  F -->|"format with reasons"| G["self-improvement-issue.md"]
  F -->|"standalone log"| H["self-improvement-decisions.md"]
  G -->|"upload artifact"| I["Workflow Artifacts"]
  H -->|"upload artifact"| I

File Changes

1. scripts/gather-repo-data.js ✨ Enhancement +47/-2

Add security policy detection via standard locations

• Added SECURITY_POLICY_CANDIDATES constant with standard SECURITY.md locations
• Implemented repoFileExists() function to check file presence via GitHub API
• Implemented hasPublishedSecurityPolicy() function to detect security policies
• Modified getRepoMetadata() to use actual security policy detection instead of GitHub secret
 scanning status

scripts/gather-repo-data.js


2. scripts/render-self-improvement-issue.js ✨ Enhancement +178/-1

Generate decision-oriented issue with adoption rules

• Added formatDecisionItems() function to format decisions with scope, number, title, decision,
 and reason
• Implemented buildLocalDecisions() with rules for changesets, workflow dependencies, and
 maintainer tooling
• Implemented buildUpstreamDecisions() with rules for OpenCode, Wikipedia sync, Claude
 compatibility, and pattern changes
• Added decision rubric section covering evidence quality, pattern overlap, false-positive risk, and
 adapter impact
• Generated standalone decision-log artifact at self-improvement-decisions.md
• Updated recommended actions to reference automated suggestions

scripts/render-self-improvement-issue.js


3. .github/workflows/self-improvement.yml ✨ Enhancement +4/-3

Upload decision log artifact and enhance notices

• Updated step name to reflect decision support generation
• Added self-improvement-decisions.md to artifact upload path
• Enhanced workflow output notices to mention Adopt/Reject/Defer suggestions and decision log

.github/workflows/self-improvement.yml


4. conductor/tracks/repo-self-improvement_20260303/plan.md 📝 Documentation +4/-2

Update task completion status and current state

• Marked task R4 subtasks as complete (workflow data consumption and decision criteria)
• Added status note explaining current state and remaining maintainer work

conductor/tracks/repo-self-improvement_20260303/plan.md


5. conductor/tracks/repo-self-improvement_20260303/spec.md 📝 Documentation +1/-1

Reflect strengthened workflow capabilities in spec

• Updated workflow assessment to reflect new decision-oriented content generation
• Clarified that workflow is stronger but not fully closed-loop pending maintainer finalization

conductor/tracks/repo-self-improvement_20260303/spec.md



@qodo-code-review

qodo-code-review bot commented Mar 14, 2026

Code Review by Qodo

🐞 Bugs (4) 📘 Rule violations (0) 📎 Requirement gaps (0)



Action required

1. File check bypasses retries 🐞 Bug ⛯ Reliability
Description
repoFileExists() performs a raw fetch() without the retry/rate-limit handling used by
fetchGitHub(), so transient GitHub errors (or throttling) will throw and abort getRepoMetadata()
and the whole gatherer run.
Code

scripts/gather-repo-data.js[R58-75]

+async function repoFileExists(repo, filePath) {
+  const response = await fetch(`${GITHUB_API}/repos/${repo}/contents/${filePath}`, {
+    headers: {
+      Accept: 'application/vnd.github.v3+json',
+      'User-Agent': 'humanizer-self-improvement-bot',
+    },
+  });
+
+  if (response.status === 404) {
+    return false;
+  }
+
+  if (!response.ok) {
+    throw new Error(`Failed to check ${filePath} in ${repo}: ${response.status}`);
+  }
+
+  return true;
+}
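Review bot: the final `return true` treats every 2xx answer as a policy file, but the contents endpoint also answers 200 with a JSON array when the path is a directory, so a folder named `docs/SECURITY.md` would count as a published policy. Parse the body and require `type === 'file'` before returning true. The `fetch()` call also has no timeout; pass `signal: AbortSignal.timeout(...)` so a stalled connection cannot hang the scheduled run.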
Evidence
The repo already has a retrying/rate-limit-aware fetch helper, but the newly added security-policy
probe does not use it and throws on any non-404 non-2xx response. Because getRepoMetadata() runs
the probe inside Promise.all(), any thrown error rejects the whole metadata fetch.

scripts/gather-repo-data.js[27-49]
scripts/gather-repo-data.js[58-75]
scripts/gather-repo-data.js[149-154]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`repoFileExists()` uses a raw `fetch()` and throws on any non-404 error without retries/rate-limit handling, which can fail the entire scheduled intelligence gather.

### Issue Context
The codebase already has `fetchGitHub()` with retries and rate-limit handling, but the new SECURITY.md probe bypasses it.

### Fix Focus Areas
- scripts/gather-repo-data.js[27-90]
- scripts/gather-repo-data.js[149-167]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


2. Missing GitHub auth header 🐞 Bug ⛯ Reliability
Description
The new SECURITY.md probing adds extra GitHub API calls but none of the API requests include an
Authorization header (e.g., GITHUB_TOKEN), increasing the likelihood of throttling/403 failures
in the scheduled workflow.
Code

scripts/gather-repo-data.js[R20-25]

// GitHub API base URL
const GITHUB_API = 'https://api.github.com';
+const SECURITY_POLICY_CANDIDATES = ['SECURITY.md', '.github/SECURITY.md', 'docs/SECURITY.md'];

/**
 * Fetch data from GitHub API with rate limit handling
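Review bot: the three paths in `SECURITY_POLICY_CANDIDATES` are all inside the repository itself, so a repository that inherits its security policy from the owner's `.github` repository will be recorded as having none. Either probe that fallback as well or add a comment beside the constant stating that inherited policies are out of scope, so a `false` result is not read as proof that no policy exists.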
Evidence
Both the retrying API helper and the new repo file probe only set Accept and User-Agent headers;
no token is used anywhere. The PR adds up to three additional /contents/... API calls per repo,
increasing request volume without authentication.

scripts/gather-repo-data.js[30-35]
scripts/gather-repo-data.js[58-64]
scripts/gather-repo-data.js[22-22]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
All GitHub API requests are anonymous; the PR adds more API calls for SECURITY.md detection, which increases the chance of 403/throttling and failed scheduled runs.

### Issue Context
`fetchGitHub()` and `repoFileExists()` only set `Accept` + `User-Agent` headers.

### Fix Focus Areas
- scripts/gather-repo-data.js[27-75]
- .github/workflows/self-improvement.yml[45-49]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


3. Decision log may overwrite 🐞 Bug ✓ Correctness
Description
If scripts/render-self-improvement-issue.js is invoked with a custom outputPath that does not
end in self-improvement-issue.md, decisionsPath will equal outputPath and the decision log
write will overwrite the issue body.
Code

scripts/render-self-improvement-issue.js[R161-166]

  const outputPath =
    process.argv[3] || path.join(REPO_ROOT, '.github', 'generated', 'self-improvement-issue.md');
+  const decisionsPath = outputPath.replace(
+    /self-improvement-issue\.md$/,
+    'self-improvement-decisions.md'
+  );
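Review bot: the `.replace()` on `outputPath` returns its input unchanged when the filename does not end in `self-improvement-issue.md`, and nothing in this hunk rejects that case. Build the log path from the directory instead, for example `path.join(path.dirname(outputPath), 'self-improvement-decisions.md')`, and throw if it resolves to the same file as `outputPath`.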
Evidence
The script explicitly supports a custom output path via process.argv[3]. The decision-log path is
computed with a regex replace that becomes a no-op when the filename doesn’t match, and then both
bodies are written using outputPath/decisionsPath without checking for collision.

scripts/render-self-improvement-issue.js[161-166]
scripts/render-self-improvement-issue.js[242-244]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`decisionsPath` derivation can collapse to `outputPath`, causing the decision log to overwrite the issue markdown when a non-standard output filename is used.

### Issue Context
The script supports `process.argv[3]` for output path customization.

### Fix Focus Areas
- scripts/render-self-improvement-issue.js[157-166]
- scripts/render-self-improvement-issue.js[242-246]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Remediation recommended

4. Security policy text inaccurate 🐞 Bug ✓ Correctness
Description
The rendered report says “Security policy detected by GitHub”, but has_security_policy is now
derived from checking for SECURITY.md in standard repo paths, not a GitHub setting.
Code

scripts/gather-repo-data.js[R151-158]

+  const [repoData, hasSecurityPolicy] = await Promise.all([
+    fetchGitHub(`/repos/${repo}`),
+    hasPublishedSecurityPolicy(repo),
+  ]);
+
  return {
    name: repoData.name,
    full_name: repoData.full_name,
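Review bot: in the `Promise.all([...])` call, a rejection from `hasPublishedSecurityPolicy(repo)` discards `repoData` as well, and the result has no way to say that the probe failed. Catch the probe's error at this call site and record `has_security_policy` as `null` (unknown) instead of failing the whole fetch or defaulting to `false`, so a throttled run is not reported as a missing policy.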
Evidence
has_security_policy is now explicitly set from hasPublishedSecurityPolicy() (SECURITY.md
existence probe), while the report copy claims the value was detected by GitHub.

scripts/gather-repo-data.js[151-166]
scripts/gather-repo-data.js[82-90]
scripts/render-self-improvement-issue.js[188-190]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The report copy claims the security policy status is “detected by GitHub”, but the value is computed by checking for SECURITY.md files.

### Issue Context
The detection mechanism changed in `gather-repo-data.js`.

### Fix Focus Areas
- scripts/gather-repo-data.js[20-90]
- scripts/render-self-improvement-issue.js[182-201]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
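
The probe problems raised in findings 1 and 2 above (no retries, anonymous requests), as an added JavaScript example that is not code from this pull request: an authenticated, retrying SECURITY.md probe that reports "could not check" separately from "no policy". `fileState`, `makeStubFetch`, the injected `fetchImpl`/`sleep` options, the retry limits and the `null` result are assumptions; the stub responses are constructed so the block runs offline.

```javascript
// Added example, not the pull request's code. fileState, makeStubFetch, the
// fetchImpl/sleep options and the retry limits are assumptions for illustration.
const GITHUB_API = 'https://api.github.com';
const SECURITY_POLICY_CANDIDATES = ['SECURITY.md', '.github/SECURITY.md', 'docs/SECURITY.md'];

function buildHeaders(token) {
  const headers = {
    Accept: 'application/vnd.github.v3+json',
    'User-Agent': 'humanizer-self-improvement-bot',
  };
  // Authenticated requests get a far higher rate limit than anonymous ones.
  if (token) headers.Authorization = `Bearer ${token}`;
  return headers;
}

// Retry throttling and server errors; a plain 403 is a permission failure.
function isRetryable(response) {
  if (response.status === 429 || response.status >= 500) return true;
  if (response.status !== 403) return false;
  return (
    response.headers.get('retry-after') !== null ||
    response.headers.get('x-ratelimit-remaining') === '0'
  );
}

// Resolves to 'present', 'absent' or 'unknown' and never throws, so one flaky
// probe cannot abort the surrounding metadata fetch.
async function fileState(repo, filePath, opts) {
  const { fetchImpl, sleep, token, maxAttempts = 3, baseDelayMs = 500, maxDelayMs = 60000 } = opts;
  const encodedPath = filePath.split('/').map(encodeURIComponent).join('/');
  const url = `${GITHUB_API}/repos/${repo}/contents/${encodedPath}`;
  for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
    let response = null;
    let body = null;
    try {
      response = await fetchImpl(url, { headers: buildHeaders(token) });
      if (response.ok) body = await response.json();
    } catch (err) {
      response = null; // network or parse failure: fall through to the retry path
    }
    if (response && response.status === 404) return 'absent';
    if (response && response.ok) {
      // A directory at this path is returned as an array, not a file object.
      return body && !Array.isArray(body) && body.type === 'file' ? 'present' : 'absent';
    }
    if (response && !isRetryable(response)) return 'unknown';
    if (attempt < maxAttempts) {
      const retryAfter = response ? Number(response.headers.get('retry-after')) : 0;
      const delay = retryAfter > 0 ? retryAfter * 1000 : baseDelayMs * 2 ** (attempt - 1);
      await sleep(Math.min(delay, maxDelayMs));
    }
  }
  return 'unknown';
}

// true: a policy file exists; false: every candidate answered 404;
// null: at least one probe failed, so the report must not claim "no policy".
async function hasPublishedSecurityPolicy(repo, opts) {
  let sawUnknown = false;
  for (const candidate of SECURITY_POLICY_CANDIDATES) {
    const state = await fileState(repo, candidate, opts);
    if (state === 'present') return true;
    if (state === 'unknown') sawUnknown = true;
  }
  return sawUnknown ? null : false;
}

// Constructed stub standing in for fetch(): `script` maps a candidate path to
// the queue of responses served for it; paths without an entry answer 404.
function makeStubFetch(script) {
  const calls = [];
  const fetchImpl = async (url, init) => {
    calls.push({ url, headers: init.headers });
    const queue = script[url.split('/contents/')[1]] || [];
    const next = queue.length > 1 ? queue.shift() : queue[0] || { status: 404 };
    const headers = next.headers || {};
    return {
      status: next.status,
      ok: next.status >= 200 && next.status < 300,
      headers: { get: (name) => (name in headers ? headers[name] : null) },
      json: async () => next.body,
    };
  };
  return { fetchImpl, calls };
}

// Offline demo against constructed responses: the policy lives under .github/.
const demo = makeStubFetch({ '.github/SECURITY.md': [{ status: 200, body: { type: 'file' } }] });
hasPublishedSecurityPolicy('example-owner/example-repo', {
  fetchImpl: demo.fetchImpl,
  sleep: async () => {},
}).then((result) => console.log('has_security_policy:', result));
```

In the scheduled workflow, `token` would be `process.env.GITHUB_TOKEN` and `fetchImpl` the global `fetch`.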



@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the repository's self-improvement automation by improving how security policies are detected and by introducing automated decision support for pull requests. The changes aim to provide maintainers with clearer, actionable insights and pre-analyzed suggestions, thereby reducing manual effort in evaluating potential improvements and ensuring a more robust and efficient review cycle for both local and upstream changes.

Highlights

  • Security Policy Detection: The data gathering script now accurately detects security policies by checking standard SECURITY.md file locations, improving the reliability of security posture assessments.
  • Decision-Oriented Issue Content: The self-improvement issue generation script has been enhanced to include explicit 'Adopt', 'Reject', or 'Defer' suggestions for both local and upstream pull requests, streamlining the decision-making process.
  • Standalone Decision Log Artifact: A new self-improvement-decisions.md artifact is now generated by the scheduled workflow, providing a dedicated log of automated decision suggestions, and the conductor track notes have been updated to reflect this.


Changelog
  • conductor/tracks/repo-self-improvement_20260303/plan.md
    • Marked two self-improvement automation tasks as complete: consuming refreshed upstream data and adding decision criteria for AI tells.
    • Added a 'Current state' note detailing the new capabilities of the scheduled workflow and remaining manual decision steps.
  • conductor/tracks/repo-self-improvement_20260303/spec.md
    • Updated the description of the self-improvement.yml workflow to reflect its enhanced data gathering and decision-oriented content generation capabilities.
  • scripts/gather-repo-data.js
    • Defined SECURITY_POLICY_CANDIDATES for common SECURITY.md file paths.
    • Implemented repoFileExists to check for the presence of a file in a given repository.
    • Added hasPublishedSecurityPolicy to detect if a repository has a security policy in a standard location.
    • Modified getRepoMetadata to use the new hasPublishedSecurityPolicy function for more accurate security policy detection.
  • scripts/render-self-improvement-issue.js
    • Introduced formatDecisionItems to structure decision output clearly.
    • Implemented buildLocalDecisions to automatically suggest 'Adopt', 'Reject', or 'Defer' outcomes for local pull requests based on their titles.
    • Implemented buildUpstreamDecisions to automatically suggest 'Adopt', 'Reject', or 'Defer' outcomes for upstream pull requests based on their titles.
    • Added a 'Decision Rubric' section to the generated self-improvement issue.
    • Integrated 'Local Decision Support' and 'Upstream Decision Support' sections into the generated issue, displaying automated suggestions.
    • Updated the 'Recommended Actions' to guide maintainers on finalizing the automated decision suggestions.
    • Added functionality to generate a standalone self-improvement-decisions.md file, serving as a dedicated decision log artifact.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/self-improvement.yml
Activity
  • No human activity (comments, reviews) has been recorded on this pull request yet.

@coderabbitai

coderabbitai bot commented Mar 14, 2026

Warning

Rate limit exceeded

@edithatogo has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 16 minutes and 53 seconds before requesting another review.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 82b30492-94e8-4b18-9398-e53809409bd1

📥 Commits

Reviewing files that changed from the base of the PR and between ae6d27d and 2de87bb.

📒 Files selected for processing (5)
  • .github/workflows/self-improvement.yml
  • conductor/tracks/repo-self-improvement_20260303/plan.md
  • conductor/tracks/repo-self-improvement_20260303/spec.md
  • scripts/gather-repo-data.js
  • scripts/render-self-improvement-issue.js
📝 Walkthrough

Walkthrough

The pull request enhances the self-improvement workflow by introducing decision log generation and policy detection. It updates the GitHub workflow to produce an additional artifact containing structured decision recommendations, adds policy detection utilities to repository metadata gathering, and implements decision formatting functions to render adoption guidance in both the issue body and a separate log file.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Workflow Configuration: .github/workflows/self-improvement.yml | Renamed step label, added new artifact path for decision log output, and updated status messages to reference decision suggestions and log guidance. |
| Planning Documentation: conductor/tracks/repo-self-improvement_20260303/plan.md, conductor/tracks/repo-self-improvement_20260303/spec.md | Marked two Task R4 items as completed (workflow consuming refreshed data and decision criteria addition), updated spec description to reflect decision-oriented workflow state, and added status note on manual conversion step. |
| Repository Data & Decision Generation: scripts/gather-repo-data.js, scripts/render-self-improvement-issue.js | Added security policy detection (candidates list and helper functions), integrated concurrent policy checking into metadata fetching. Expanded decision generation with formatting utilities, decision builders for local and upstream PRs, decision rubric sections, and separate decision log artifact writing. |

Sequence Diagram

sequenceDiagram
    actor Scheduler as Scheduled Workflow
    participant GatherScript as gather-repo-data.js
    participant RepoAPI as GitHub API
    participant RenderScript as render-self-improvement-issue.js
    participant FileSystem as File System

    Scheduler->>GatherScript: Fetch repository metadata
    par Concurrent Requests
        GatherScript->>RepoAPI: Get repo data
        GatherScript->>RepoAPI: Check for security policy files
    end
    RepoAPI-->>GatherScript: Repository data + policy status
    GatherScript-->>Scheduler: Enhanced metadata with has_security_policy

    Scheduler->>RenderScript: Generate decision content from PRs
    RenderScript->>RenderScript: Build local decisions<br/>(format, categorize PRs)
    RenderScript->>RenderScript: Build upstream decisions<br/>(format, categorize PRs)
    RenderScript->>FileSystem: Write primary issue.md<br/>(with decision rubric & support sections)
    RenderScript->>FileSystem: Write decision log<br/>(standalone decision-oriented artifact)
    FileSystem-->>Scheduler: Artifacts created
    Scheduler->>Scheduler: Upload artifacts to workflow

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 With whiskers twitching, logic flows,
Decision logs now bloom and grow,
Policies detected, choices clear,
Self-improvement drawing near!
Adopt, Reject, or Defer with care,
The rabbit's workflow improves with flair! 🌟

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 44.44% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Strengthen self-improvement decision support' directly captures the primary objective of the PR, which centers on enhancing decision-making capabilities in the self-improvement workflow through decision detection, formatting, and artifact generation. |


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request enhances the self-improvement automation by improving security policy detection, generating decision-oriented issue content, and creating a decision log artifact. The changes correctly detect SECURITY.md files and make API calls more efficient. The rendering script now uses heuristics to suggest 'Adopt/Reject/Defer' decisions for pull requests, which are then included in the generated issue and a new decision log file. My review includes suggestions to improve the robustness of API calls in the data gathering script and to enhance the maintainability of the decision-making logic in the rendering script.

Comment on lines +58 to +75
async function repoFileExists(repo, filePath) {
const response = await fetch(`${GITHUB_API}/repos/${repo}/contents/${filePath}`, {
headers: {
Accept: 'application/vnd.github.v3+json',
'User-Agent': 'humanizer-self-improvement-bot',
},
});

if (response.status === 404) {
return false;
}

if (!response.ok) {
throw new Error(`Failed to check ${filePath} in ${repo}: ${response.status}`);
}

return true;
}


high

The repoFileExists function can be improved for efficiency, robustness, and to avoid rate-limiting issues.

  1. Efficiency: It's using a GET request to check for file existence. A HEAD request is more efficient as it doesn't transfer the file content, only the headers.
  2. Rate Limiting: The function makes unauthenticated requests to the GitHub API, which are subject to very strict rate limits (60 requests/hour). For a bot, it's crucial to use a GITHUB_TOKEN (e.g., from process.env.GITHUB_TOKEN) to increase this limit.
  3. Robustness: This function lacks the retry logic present in fetchGitHub. Network requests can be flaky, and retries are important for a reliable script.

I've suggested a change to use HEAD and include an Authorization header. You should also consider adding retry logic for consistency with fetchGitHub.

async function repoFileExists(repo, filePath) {
  const response = await fetch(`${GITHUB_API}/repos/${repo}/contents/${filePath}`, {
    method: 'HEAD',
    headers: {
      Accept: 'application/vnd.github.v3+json',
      'User-Agent': 'humanizer-self-improvement-bot',
      ...(process.env.GITHUB_TOKEN && { Authorization: `token ${process.env.GITHUB_TOKEN}` }),
    },
  });

  if (response.status === 404) {
    return false;
  }

  if (!response.ok) {
    throw new Error(`Failed to check ${filePath} in ${repo}: ${response.status}`);
  }

  return true;
}

Comment on lines +29 to +81
function buildLocalDecisions(localPrs) {
return localPrs.slice(0, 10).map((pr) => {
const lowerTitle = pr.title.toLowerCase();

if (lowerTitle.includes('@changesets/cli')) {
return {
scope: 'local',
number: pr.number,
title: pr.title,
decision: 'reject',
reason:
'Changesets is no longer part of the repo release model. This skill-source repo ships artifacts through GitHub, not package releases.',
};
}

if (
lowerTitle.includes('actions/upload-artifact') ||
lowerTitle.includes('create-issue-from-file')
) {
return {
scope: 'local',
number: pr.number,
title: pr.title,
decision: 'adopt',
reason:
'Workflow dependency updates match the current automation direction and should be merged after the scheduled job passes.',
};
}

if (
lowerTitle.includes('@types/node') ||
lowerTitle.includes('lint-staged') ||
lowerTitle.includes('eslint')
) {
return {
scope: 'local',
number: pr.number,
title: pr.title,
decision: 'adopt',
reason:
'Maintainer-tooling updates fit the repo contract and should be taken when the local lint, validate, and test gates remain green.',
};
}

return {
scope: 'local',
number: pr.number,
title: pr.title,
decision: 'defer',
reason: 'No repo-specific automation rule exists for this PR yet. Review manually.',
};
});
}
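Review bot: every rule in `buildLocalDecisions` keys on `pr.title`, which the PR author controls, so any PR whose title contains `eslint` or `actions/upload-artifact` receives an `adopt` suggestion regardless of who opened it or what it changes. Gate the `adopt` branches on data the author cannot set freely, such as the author login or the changed file paths if the gatherer records them, and fall back to `defer` otherwise. `pr.title.toLowerCase()` also throws when a PR object arrives without a title; default it to an empty string.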


medium

The buildLocalDecisions function (and buildUpstreamDecisions, which follows the same pattern) uses a series of if statements to classify PRs based on their titles. This approach can become difficult to maintain and extend as more rules are added.

Consider refactoring this logic to be data-driven. You could define the rules in an array of objects, where each object contains matching criteria (e.g., keywords) and the corresponding decision details. A generic function could then iterate through these rules to process the PRs.

This would make the code more declarative, reduce duplication, and make it easier to add, remove, or modify rules in the future—potentially from a separate configuration file.

Here's a conceptual example of how the rules could be structured:

const localDecisionRules = [
  {
    keywords: ['@changesets/cli'],
    decision: 'reject',
    reason: 'Changesets is no longer part of the repo release model...'
  },
  {
    keywords: ['actions/upload-artifact', 'create-issue-from-file'],
    decision: 'adopt',
    reason: 'Workflow dependency updates match the current automation direction...'
  },
  // ... more rules
];


Copilot AI left a comment


Pull request overview

Strengthens the weekly self-improvement automation by improving SECURITY.md detection, adding “Adopt/Reject/Defer” decision-oriented output, and persisting a standalone decision-log artifact for maintainers to finalize in the active conductor track.

Changes:

  • Detect published security policies by probing standard SECURITY.md locations during repo data gathering.
  • Generate decision-support sections (rubric + suggested Adopt/Reject/Defer items) and emit a separate decision-log markdown file.
  • Upload the decision-log as a workflow artifact and update the active conductor track notes to reflect the stronger (but still human-finalized) loop.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| scripts/render-self-improvement-issue.js | Adds decision rubric + suggested decisions and writes an additional decision-log markdown output. |
| scripts/gather-repo-data.js | Changes security policy detection to check for SECURITY.md in standard locations. |
| conductor/tracks/repo-self-improvement_20260303/spec.md | Updates track notes to reflect improved self-improvement workflow outputs. |
| conductor/tracks/repo-self-improvement_20260303/plan.md | Marks automation tasks complete and documents current state (decision log artifact + maintainer finalization). |
| .github/workflows/self-improvement.yml | Updates step name, uploads the decision log artifact, and tweaks run notices accordingly. |

Comment on lines +163 to +166
const decisionsPath = outputPath.replace(
/self-improvement-issue\.md$/,
'self-improvement-decisions.md'
);
Comment on lines +58 to +75
async function repoFileExists(repo, filePath) {
const response = await fetch(`${GITHUB_API}/repos/${repo}/contents/${filePath}`, {
headers: {
Accept: 'application/vnd.github.v3+json',
'User-Agent': 'humanizer-self-improvement-bot',
},
});

if (response.status === 404) {
return false;
}

if (!response.ok) {
throw new Error(`Failed to check ${filePath} in ${repo}: ${response.status}`);
}

return true;
}
Comment on lines +58 to +75
async function repoFileExists(repo, filePath) {
const response = await fetch(`${GITHUB_API}/repos/${repo}/contents/${filePath}`, {
headers: {
Accept: 'application/vnd.github.v3+json',
'User-Agent': 'humanizer-self-improvement-bot',
},
});

if (response.status === 404) {
return false;
}

if (!response.ok) {
throw new Error(`Failed to check ${filePath} in ${repo}: ${response.status}`);
}

return true;
}


Action required

1. File check bypasses retries 🐞 Bug ⛯ Reliability

repoFileExists() performs a raw fetch() without the retry/rate-limit handling used by
fetchGitHub(), so transient GitHub errors (or throttling) will throw and abort getRepoMetadata()
and the whole gatherer run.
Agent Prompt
### Issue description
`repoFileExists()` uses a raw `fetch()` and throws on any non-404 error without retries/rate-limit handling, which can fail the entire scheduled intelligence gather.

### Issue Context
The codebase already has `fetchGitHub()` with retries and rate-limit handling, but the new SECURITY.md probe bypasses it.

### Fix Focus Areas
- scripts/gather-repo-data.js[27-90]
- scripts/gather-repo-data.js[149-167]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Comment on lines 20 to 25
// GitHub API base URL
const GITHUB_API = 'https://api.github.com';
const SECURITY_POLICY_CANDIDATES = ['SECURITY.md', '.github/SECURITY.md', 'docs/SECURITY.md'];

/**
* Fetch data from GitHub API with rate limit handling


Action required

2. Missing github auth header 🐞 Bug ⛯ Reliability

The new `SECURITY.md` probing adds extra GitHub API calls but none of the API requests include an
`Authorization` header (e.g., `GITHUB_TOKEN`), increasing the likelihood of throttling/403 failures
in the scheduled workflow.
Agent Prompt
### Issue description
All GitHub API requests are anonymous; the PR adds more API calls for SECURITY.md detection, which increases the chance of 403/throttling and failed scheduled runs.

### Issue Context
`fetchGitHub()` and `repoFileExists()` only set `Accept` + `User-Agent` headers.

### Fix Focus Areas
- scripts/gather-repo-data.js[27-75]
- .github/workflows/self-improvement.yml[45-49]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Comment on lines 161 to +166
const outputPath =
process.argv[3] || path.join(REPO_ROOT, '.github', 'generated', 'self-improvement-issue.md');
const decisionsPath = outputPath.replace(
/self-improvement-issue\.md$/,
'self-improvement-decisions.md'
);

Action required

3. Decision log may overwrite 🐞 Bug ✓ Correctness

If `scripts/render-self-improvement-issue.js` is invoked with a custom `outputPath` that does not
end in `self-improvement-issue.md`, `decisionsPath` will equal `outputPath` and the decision log
write will overwrite the issue body.
Agent Prompt
### Issue description
`decisionsPath` derivation can collapse to `outputPath`, causing the decision log to overwrite the issue markdown when a non-standard output filename is used.

### Issue Context
The script supports `process.argv[3]` for output path customization.

### Fix Focus Areas
- scripts/render-self-improvement-issue.js[157-166]
- scripts/render-self-improvement-issue.js[242-246]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
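
Findings 1 and 2 above, sketched as an added example that is not the project's code: a `SECURITY.md` probe that sends a token when one is configured and retries throttled or transient responses. `buildHeaders`, `classifyStatus`, the `opts` parameters, the `Bearer` scheme, the backoff values and reading `GITHUB_TOKEN` from the environment are assumptions; only `repoFileExists`, `GITHUB_API` and the two base headers come from the PR.

```javascript
// Added example; helper names and options are assumptions, not project code.
const GITHUB_API = 'https://api.github.com';

// Send the token only when one is configured; anonymous calls still work.
function buildHeaders(token) {
  const headers = {
    Accept: 'application/vnd.github.v3+json',
    'User-Agent': 'humanizer-self-improvement-bot',
  };
  if (token) headers.Authorization = `Bearer ${token}`;
  return headers;
}

// Map an HTTP status to what the probe should do next.
function classifyStatus(status) {
  if (status >= 200 && status < 300) return 'exists';
  if (status === 404) return 'missing';
  // GitHub signals throttling with 403 or 429; 5xx is treated as transient.
  if (status === 403 || status === 429 || status >= 500) return 'retry';
  return 'fail'; // e.g. 401: a bad token will not fix itself on retry
}

async function repoFileExists(repo, filePath, opts = {}) {
  const {
    token = process.env.GITHUB_TOKEN,
    fetchImpl = globalThis.fetch, // injectable so the probe can be tested offline
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
    maxAttempts = 3,
  } = opts;
  const url = `${GITHUB_API}/repos/${repo}/contents/${filePath}`;
  for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
    const response = await fetchImpl(url, { headers: buildHeaders(token) });
    const verdict = classifyStatus(response.status);
    if (verdict === 'exists') return true;
    if (verdict === 'missing') return false;
    if (verdict === 'fail' || attempt === maxAttempts) {
      // Report the status only; never echo request headers, which carry the token.
      throw new Error(`Failed to check ${filePath} in ${repo}: ${response.status}`);
    }
    await sleep(500 * 2 ** (attempt - 1)); // 500 ms, then 1 s
  }
  throw new Error(`Failed to check ${filePath} in ${repo}: no attempts made`);
}
```

In a scheduled workflow the token would have to be exported to the step's environment for the `Authorization` header to be sent.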


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ae6d27d5b5

Comment on lines +163 to +165
const decisionsPath = outputPath.replace(
/self-improvement-issue\.md$/,
'self-improvement-decisions.md'

P2: Derive decision-log path without assuming output filename

If `process.argv[3]` is any path that does not end with `self-improvement-issue.md`, this `replace(...)` call returns the original `outputPath`, so the later `fs.writeFileSync(decisionsPath, ...)` overwrites the issue body file with the decision log. Running `node scripts/render-self-improvement-issue.js <data.json> /tmp/custom.md` reproduces this (only the decision log remains), so custom script invocations silently lose the generated issue content.

Useful? React with 👍 / 👎.
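
The overwrite described in Qodo's finding 3 and in the Codex comment above, shown next to one collision-free derivation. This is an added example, not the project's code or the fix that was merged; `decisionsPathOriginal`, `deriveDecisionsPath` and the `-decisions` suffix for custom filenames are assumptions.

```javascript
// Added example; function names and the "-decisions" suffix are assumptions.
const path = require('node:path');

const ISSUE_NAME = 'self-improvement-issue.md';
const DECISIONS_NAME = 'self-improvement-decisions.md';

// Derivation as shown in the PR: when the filename does not match, replace()
// returns outputPath unchanged, so both writes target the same file.
function decisionsPathOriginal(outputPath) {
  return outputPath.replace(/self-improvement-issue\.md$/, 'self-improvement-decisions.md');
}

// Derive a sibling file from the parsed path so the result can never equal
// outputPath: the default name maps to the default decisions name, any other
// name gets a "-decisions" suffix before its extension.
function deriveDecisionsPath(outputPath) {
  const { dir, name, ext, base } = path.parse(outputPath);
  const decisionsBase =
    base === ISSUE_NAME ? DECISIONS_NAME : `${name}-decisions${ext || '.md'}`;
  return path.join(dir, decisionsBase);
}
```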

@edithatogo edithatogo force-pushed the self-improvement-decision-support-20260314 branch from ae6d27d to 2de87bb Compare March 14, 2026 01:30
@edithatogo edithatogo merged commit 0065f31 into main Mar 14, 2026
6 checks passed
@edithatogo edithatogo deleted the self-improvement-decision-support-20260314 branch March 14, 2026 01:31