1 - Prepare agent architecture and SDLC processes (GH-600)

What is the primary shift in how software is maintained when adopting agentic systems?. Teams rely on systems that can interpret goals and take action within repositories. Software is built using static templates that do not require updates from developers. Repositories are managed entirely through natural language without the use of branches. Human developers no longer need to provide feedback on code reviews or security scans.

Why is agent capability alone insufficient for reliable production environments?. Agents cannot interpret complex goals without human-written pseudocode. Without architecture, agents may act too early or operate without sufficient validation. High-capability agents typically lack the permissions needed to open pull requests. Agentic systems are currently limited to identifying bugs rather than proposing solutions.

What is the definition of a 'Plan' as an artifact within this module?. A chronological log of every action an agent has taken in the repository history. A structured description of intended changes, often found in a pull request description. The underlying machine learning model used to generate code suggestions. The set of security scanning rules that an agent must follow during a workflow.

Which of the following is considered a 'Planning' capability for an agent?. The final merge of a pull request into the production environment. The process by which an agent generates or refines a description of changes based on input. The automated execution of unit tests after a code change. The hard-coded logic within a GitHub workflow file.

When is an agent action accepted in a well-designed GitHub architecture?. Whenever the agent's internal logic determines the goal is met. Only when it meets policy requirements. As soon as the agent completes the modification of files. When the agent creates a branch for the new code.

Mapping SDLC stages to GitHub artifacts. Planning. Implementation. Validation. Deployment.

Which of the following GitHub artifacts is primarily associated with the Planning stage of the SDLC for an agent?. GitHub Issues and pull request descriptions. Commit history and branch names. Deployment approvals and environments. Workflow runs and status checks.

What is a recommended design boundary to reduce risk when an agent interacts with a repository?. Agents should prioritize application code changes over infrastructure changes. Agents should be allowed to merge directly to the default branch. Agents should operate without directory-level restrictions to maximize reach. Agents propose changes while humans and policy accept them.

In the context of agent responsibilities, which SDLC stage involves running checks, attaching artifacts, and iterating on failures?. Deployment. Implementation. Validation. Planning.

According to the practical example of a dependency remediation agent, what is the final step of its scoped responsibility?. Merging the updated dependency into the main branch. Deleting the vulnerable dependency from the repository. Opening a pull request with a plan and success signals. Deploying the fix to the production environment.

Why does the source material recommend scoping agents to specific directories by policy and ownership?. To reduce the 'blast radius' of potential errors. To ensure the agent can work faster by scanning fewer files. To prevent the agent from reading sensitive documentation. To allow multiple agents to work on the same file simultaneously.

Which type of change is explicitly identified as having a higher risk than application code changes?. README documentation updates. Workflow and infrastructure changes. Unit test updates. CSS and styling changes.

Most teams start by scoping agents to the implementation and validation stages because pull requests and workflows provide natural control points. True. False.

Implementation mapping: risk → GitHub mitigation. Planless execution. Over-permissioned agents. Hidden reasoning. Blind trust in automation.

Which risk is characterized by an agent beginning to modify code without a clear, inspectable approach?. Hidden reasoning. Planless execution. Blind trust in automation. Over-permissioned agents.

What does 'blind trust in automation' look like in a GitHub workflow environment?. Using least-privilege tokens for environment access. Recording decision points in PR comments. Restricting which users can trigger specific workflows. A 'CI passed, ship it' mindset.

Which of the following is a component of the 'minimum audit trail' for agent contributions?. A stated goal, such as an issue link or PR description. The agent's internal neural network weights. The total time the agent took to generate the code. A record of the developer's personal browser history.

What is the primary purpose of traceability and observability in agentic systems, beyond just meeting compliance standards?. To eliminate the need for human intervention in code reviews. To hide the complexity of the agent's decision-making process. To achieve operational understanding when failures occur. To increase the speed of the software development lifecycle.

In the context of agent supervision, what does a 'final diff' lack that a full 'trail' provides?. Intermediate artifacts like plans, assumptions, and decision points. The syntax highlighting of the revised code. The final version of the code to be merged. A list of files that were modified.

As AI agents become more capable and autonomous, the accountability for outcomes shifts from the human developers to the system. True. False.

According to the contributor model, how should agent-generated output be evaluated in a development environment?. Based primarily on the novelty of the AI model used. By applying the same standards used for human-authored contributions. As a categorically different type of work requiring unique metrics. By prioritizing speed and automation over human review.

What is considered the 'natural unit of contribution' in the GitHub workflow described by the contributor model?. The repository branch. The individual commit. The code snippet. The pull request.

In the practical review rubric for agent PRs, what does the 'Fallback' criterion refer to?. The ability of the agent to retry the task if it fails. A manual rewrite of the code by a human developer. Using a secondary AI model if the first one produces poor code. Ensuring a clear rollback or escalation path for high-risk changes.

When reviewing an agent PR, why is it insufficient to only check if the code compiles?. Agents cannot generate code that compiles consistently. Compilation checks are considered excessive suspicion under the contributor model. Compiling is a human-only task that agents cannot perform. Compiling is only a check of syntax and does not justify extra changes or alignment with policy.

According to the 'What good looks like' section, a well-supervised agent contribution is 'Bounded.' What does this mean?. The code is written in a sandbox environment that cannot be exported. The agent is prohibited from changing more than ten lines of code. The changeset is scoped and adheres to the principle of least privilege. The agent can only contribute to non-critical legacy systems.

What is the purpose of the 'Reconstructable' characteristic in agent-generated work?. It requires the agent to explain its logic in natural language comments. It refers to the code being written in a modular way for reuse. It ensures there is an audit trail to support post-hoc analysis. It allows the agent to rebuild the code from scratch if deleted.

How does the 'Ownership' criterion in the review rubric help protect sensitive areas of a codebase?. By restricting agent access to public repositories only. By verifying if designated CODEOWNERS reviewed those sensitive areas. By ensuring that only the original author can edit sensitive files. By assigning legal copyright of the code to the human supervisor.

What is the ultimate goal of treating agents as contributors in a development workflow?. To eventually replace human developers with fully autonomous agents. To ensure that AI-generated code is always more efficient than human code. To lower the quality bar for automated submissions to increase velocity. To ground evaluation in repository policy and human judgment rather than hype or fear.

Under the 'Evidence' criterion, which of the following is required for a high-quality agent contribution?. Passing required checks and the availability of logs or artifacts. Confirmation that no humans were involved in the code generation. A screenshot of the agent's internal reasoning process. A list of the training data used to generate the pull request.

Which risk occurs when an agent system exposes only the final code diff without providing intermediate artifacts or decision points?. Blind trust in automation. Hidden reasoning. Over-permissioned agents. Planless execution.

What is the primary reason for separating planning, execution, and validation in agent-based systems?. To improve the reliability of the system by allowing early intent validation. To bypass the need for human reviewers in the pull request process. To increase the speed at which an agent can generate code for a repository. To ensure that the agent uses fewer computational resources during the reasoning phase.

What defines the 'Plan-first' pull request (Option A) approach?. Human reviewers are only involved after the code has been fully implemented. The agent creates a PR containing only the plan, which must be approved before code changes. The plan and the code are submitted simultaneously to speed up the review cycle. Code is generated immediately, but the plan is hidden until the final merge.

When is it most appropriate to use the 'Plan + execution' (Option B) workflow?. When it is impossible to predict the plan without seeing the code first. When the team wants to minimize the effort required by human reviewers. When the changes involve security-sensitive areas or production infrastructure. When speed and iteration are more important than strict separation.

Which risk is specifically associated with the 'Plan + execution' (Option B) workflow?. It bypasses standard GitHub controls like CODEOWNERS and branch protection. It allows unsafe code to be merged automatically without human approval. It may introduce unnecessary or incorrect changes that must be reviewed and rejected. It prevents the agent from ever updating the plan once the PR is open.

How can a system enforce a 'capability boundary' to ensure a planning agent does not modify files?. By limiting the agent to read-only tools during the planning phase. By ensuring the agent only operates on markdown files instead of source code. By instructing the agent in its system prompt to 'not edit any files'. By deleting the repository's write access after the agent finishes its work.

What is the purpose of 'tool gating' in automated orchestrations?. To enable execution tools only after a plan has been accepted by a human. To verify that the agent has the correct license to use specific software tools. To prevent the agent from communicating with external APIs during the reasoning phase. To allow the agent to choose its own tools based on the complexity of the task.

Which of the following is considered a 'high-risk' task where a Plan-first workflow is specifically recommended?. Updating production infrastructure or authentication logic. Refactoring a local utility function with high test coverage. Generating initial boilerplate for a new, non-deployed prototype. Fixing a typo in a documentation file.

What happens if planning and execution are mixed together without separation?. The agent will be unable to generate any commits for the PR. The system becomes more reliable because the agent can correct itself faster. GitHub's branch protection rules will fail to trigger correctly. Reviewers lose the ability to detect misunderstandings quickly and see only the final diff.

What is the primary objective of the 'implementation-planner' custom agent described in the source material?. To break down features into actionable tasks and create detailed technical specifications. To automatically execute deployment scripts and manage cloud infrastructure. To serve as a real-time debugger for identifying syntax errors in live code. To generate marketing materials and user manuals for new software features.

Which set of tools is explicitly defined in the 'implementation-planner' agent profile?. ["git", "bash", "python"]. ["compile", "debug", "deploy"]. ["analyze", "plan", "execute"]. ["read", "search", "edit"].

What is the required directory path for saving the custom agent profile file in a repository?. .github/workflows. root/scripts. docs/custom-agents. .github/agents.

Which section of the 'Considerations' header is used to document potential limitations such as time, budget, or technical restrictions?. Not Included. Risks. Assumptions. Constraints.

What is the purpose of the 'Not Included' section in the implementation plan?. To document code that has been deprecated or deleted from the project. To record bugs that were found but not fixed during development. To list features or improvements saved for later versions and non-essential items. To list the names of developers who are not assigned to the project.