Skip daily AI-credit guardrail for user-initiated and command-routed runs

[Copilot]

The daily max AI-credit guardrail was incorrectly applying to runs where users intentionally invoked the workflow (manual dispatch, slash commands, label commands). This updates guardrail bypass semantics so these invocation paths proceed without daily-credit blocking.

• Guardrail bypass semantics

  • Treat workflow_dispatch without aw_context as manual user intent and bypass daily guardrail.
  • Preserve bypass for dispatch-routed runs carrying aw_context.
  • Explicitly bypass command-driven invocations (slash/label), including centralized and non-centralized routing paths.

• Compiler wiring for runtime guard decisions

  • Activation job now emits explicit command-presence env flags consumed by the guardrail script:
    • GH_AW_HAS_SLASH_COMMAND
    • GH_AW_HAS_LABEL_COMMAND
  • Runtime logic uses these flags + event type to identify non-centralized command-triggered executions.

• Coverage additions

  • Expanded guardrail JS tests for:
    • manual dispatch
    • aw_context command payloads
    • malformed context fallback
    • non-centralized slash/label event handling gated by command flags
  • Added workflow integration coverage for all requested scenarios:
    • manual workflow_dispatch
    • slash command (centralized / non-centralized)
    • label command (centralized / non-centralized)
  • Updated affected WASM golden outputs for compiler-emitted env changes.

env:
  GH_AW_WORKFLOW_DISPATCH_AW_CONTEXT: ${{ github.event.inputs.aw_context || '' }}
  GH_AW_HAS_SLASH_COMMAND: "true|false"
  GH_AW_HAS_LABEL_COMMAND: "true|false"

[pelikhan]

@copilot use tech writer agent to update docs about exceptions

[Copilot]

Pull request overview

This PR updates the daily max AI-credits guardrail skip logic so that user-intent runs (manual workflow_dispatch, slash commands, label commands, and dispatch-routed command invocations via aw_context) are not blocked by the daily guardrail. It also wires compiler-emitted env flags into the activation job to help the runtime guard script identify non-centralized command-triggered executions.

Changes:

• Updated the guardrail runtime logic (actions/setup/js/check_daily_aic_workflow_guardrail.cjs) to skip daily guardrail for manual dispatch and command-driven runs, including non-centralized triggers gated by new env flags.
• Updated compiler activation-job env wiring to emit GH_AW_HAS_SLASH_COMMAND / GH_AW_HAS_LABEL_COMMAND, and added integration coverage to ensure the compiled lock output contains these flags.
• Refreshed WASM golden fixtures to include the new compiler-emitted env vars.

Show a summary per file

File	Description
pkg/workflow/compiler_activation_job_builder.go	Adds env vars indicating whether slash/label commands are configured for this workflow.
actions/setup/js/check_daily_aic_workflow_guardrail.cjs	Adjusts skip semantics for manual + command-driven invocations; adds env flag parsing and event gating.
actions/setup/js/check_daily_aic_workflow_guardrail.test.cjs	Expands unit coverage for manual dispatch, command aw_context payloads, malformed context, and non-centralized event gating via env flags.
pkg/workflow/daily_aic_workflow_guardrail_skip_integration_test.go	New integration test asserting compiled lock files include the new env flags across scenarios.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden	Updates golden output to include new env flags (default false).
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden	Updates golden output to include new env flags (default false).
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden	Updates golden output to include new env flags (default false).
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden	Updates golden output to include new env flags (default false).
pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden	Updates golden output to include new env flags (default false).
pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden	Updates golden output to include new env flags (default false).
pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden	Updates golden output to include new env flags (default false).
pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden	Updates golden output to include new env flags (default false).
pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden	Updates golden output to include new env flags (default false).
.github/workflows/test-quality-sentinel.lock.yml	Regenerated lock workflow (but currently missing the new guardrail env flags in the activation guardrail step).

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 14/14 changed files
• Comments generated: 2

[Copilot]

@copilot use tech writer agent to update docs about exceptions

Done in commit 3f8aa9a. The tech writer agent updated two docs files:

• docs/src/content/docs/specs/ai-credits-specification.md — Added new §9.8 "Guardrail Bypass Conditions" with normative RFC 2119 language for all five bypass cases (centralized invocations, manual dispatch, dispatch-routed commands, non-centralized slash commands, non-centralized label commands), plus nine new compliance test rows (T-AIC-DG-008–016) and a 1.4.0 change log entry.
• docs/src/content/docs/reference/rate-limiting-controls.md — Added a new "Daily AI Credits Guardrail" section covering the threshold, the -1 disable sentinel, the org variable override, and the four bypass exception categories in plain language.