docker
diff --git a/‎.github/agents/nightly-scanner.yaml‎
Lines changed: 9 additions & 8 deletions b/‎.github/agents/nightly-scanner.yaml‎
Lines changed: 9 additions & 8 deletions
diff --git a/‎.github/workflows/auto-issue-triage.yml‎
Lines changed: 25 additions & 11 deletions b/‎.github/workflows/auto-issue-triage.yml‎
Lines changed: 25 additions & 11 deletions
@@ -53,14 +53,14 @@ agents:
          - `security` - for security vulnerabilities (HIGHEST PRIORITY)
            - If fails: log error, continue to bugs
          - `bugs` - for logic errors, resource leaks, race conditions
-           - If fails: log error, continue to documentation check
-         - `documentation` - for missing docs
-           - ONLY run if BOTH security AND bugs returned `NO_ISSUES`
-           - (Rationale: documentation issues are lower priority; we avoid noise when real bugs exist)
+           - If fails: log error, continue to documentation
+         - `documentation` - for missing docs (ALWAYS run, regardless of other findings)
            - If fails: log error, continue to reporting
       4. Collect findings from each sub-agent (they return text format or `NO_ISSUES`)
       5. Filter out any issues where FILE matches patterns from memory
-      6. Sort by SEVERITY (critical > high > medium) and select top 1-2 issues
+      6. Select findings for the reporter using separate budgets:
+         - Up to 2 security/bug findings (sorted by SEVERITY: critical > high > medium)
+         - Up to 1 documentation finding (the highest severity one)
       7. Add CATEGORY field to each finding based on source agent:
          - From security agent → `CATEGORY: security`
          - From bugs agent → `CATEGORY: bug`
@@ -358,9 +358,10 @@ agents:
 
       ## Workflow
 
-      **ENFORCE: Process at most 2 findings. If you receive more, only process the first 2.**
+      **ENFORCE: Process at most 2 security/bug findings AND at most 1 documentation finding per run.**
+      (Maximum 3 issues total: 2 bug/security + 1 documentation.)
 
-      For each finding (up to 2 maximum):
+      For each finding (within the limits above):
 
       1. Check if a similar issue already exists by searching for the same file AND line:
          ```bash
@@ -447,7 +448,7 @@ agents:
 
       ## Important
 
-      - **STRICT LIMIT: Maximum 2 issues per run** - Stop after creating 2 issues, even if more findings exist
+      - **STRICT LIMIT: Maximum 2 security/bug issues + 1 documentation issue per run** (3 total max)
       - Skip duplicates (search by file path AND line number in issue body)
       - Use exact code snippets from the findings
       - If creation fails, log FAILED and continue with remaining findings
 
@@ -83,6 +83,7 @@ jobs:
 
       - name: Run triage agent
         id: agent
+        continue-on-error: true
         uses: docker/cagent-action@latest
         env:
           GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
@@ -104,20 +105,20 @@ jobs:
             exit 0
           fi
 
-          CONTENT=$(cat "$OUTPUT_FILE")
           echo "--- Agent output ---"
-          echo "$CONTENT"
+          cat "$OUTPUT_FILE"
           echo "--------------------"
 
-          # Check for result markers (search from the end of output)
-          if echo "$CONTENT" | grep -q "RESULT:NEEDS_INFO"; then
+          # The agent contract requires the result marker on the last line
+          LAST_LINE=$(tail -n 1 "$OUTPUT_FILE" | tr -d '[:space:]')
+          if [[ "$LAST_LINE" == "RESULT:NEEDS_INFO" ]]; then
             echo "action=needs_info" >> "$GITHUB_OUTPUT"
-          elif echo "$CONTENT" | grep -q "RESULT:FIXED"; then
+          elif [[ "$LAST_LINE" == "RESULT:FIXED" ]]; then
             echo "action=fixed" >> "$GITHUB_OUTPUT"
-          elif echo "$CONTENT" | grep -q "RESULT:NO_CHANGES"; then
+          elif [[ "$LAST_LINE" == "RESULT:NO_CHANGES" ]]; then
             echo "action=none" >> "$GITHUB_OUTPUT"
           else
-            echo "No recognized result marker found"
+            echo "::warning::No recognized result marker on last line: $LAST_LINE"
             echo "action=none" >> "$GITHUB_OUTPUT"
           fi
 
@@ -135,6 +136,7 @@ jobs:
       - name: Commit and push fix
         if: steps.result.outputs.action == 'fixed' && steps.changes.outputs.has_changes == 'true'
         id: push
+        continue-on-error: true
         shell: bash
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
@@ -152,14 +154,13 @@ jobs:
           Automated fix generated by issue triage agent.
           Resolves #${ISSUE_NUMBER}"
 
-          git push origin "$BRANCH_NAME" || {
-            echo "::error::Failed to push branch $BRANCH_NAME"
-            exit 1
-          }
+          git push origin "$BRANCH_NAME"
           echo "branch=$BRANCH_NAME" >> "$GITHUB_OUTPUT"
 
       - name: Create draft PR and comment on issue
         if: steps.push.outputs.branch != ''
+        id: pr
+        continue-on-error: true
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
         env:
           BRANCH_NAME: ${{ steps.push.outputs.branch }}
@@ -209,3 +210,16 @@ jobs:
             });
 
             core.info(`Created draft PR #${pr.data.number}: ${pr.data.html_url}`);
+
+      - name: Notify issue on failure
+        if: failure() || (steps.result.outputs.action == 'fixed' && steps.changes.outputs.has_changes == 'true' && (steps.push.outcome == 'failure' || steps.pr.outcome == 'failure'))
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
+        with:
+          github-token: ${{ steps.app-token.outputs.token || github.token }}
+          script: |
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.issue.number,
+              body: 'I analyzed this bug report and attempted to create an automated fix, but encountered an error during the process. A maintainer will review this manually.',
+            });