@AgentWrapperProblem
The config-generation agent (rube) misclassifies the auth scheme for new apps. Specifically, providers that should be S2S_OAUTH2 (2-legged, client_credentials, admin-managed credentials) are being emitted as OAUTH2 (3-legged, authorization_code with a user redirect). This was flagged by the PLEN-2215 audit and confirmed by the 9 broken-on-master schemes the audit identified.
The single biggest smoking gun: in 4 of 7 documented misclassifications, rube's own notes in the PR body correctly described the flow as "client credentials" or "Server-to-Server" — but the emitted mode field is still OAUTH2. The mode-selection step is decoupled from rube's own classification of the docs.
Goal
Improve the agent so that the seven known-misclassified cases (testbed in the attached HTML) all produce the correct mode + shape when re-run with the same workflow inputs.
Testbed — known-misclassified PRs
See the attached oauth2-decision-tree.html for the full visual decision tree, the rule set, and the testbed table with each case's:
- Origin PR + Cortex workflow ID + branch + commit (so the agent can be re-invoked with the same inputs)
- Author / approver / merge date
- Excerpt from rube's own notes showing the smoking gun
- The mode it picked vs the correct mode
- Which decision-tree node it flunked
- Link to our fix PR
Summary of cases:
| App | Workflow ID | Picked → Correct | Tree node missed | Fix PR |
|---|---|---|---|---|
| paychex | awd1qin2 | OAUTH2 → S2S_OAUTH2 | Q3 + URL-dedup | #23207 |
| vanta | 73timakv | OAUTH2 → S2S_OAUTH2 | Q3 + scope-forwarding | #23209 |
| anthology_student | up7amdvu |