From 0861cade5a17228f35d03c3ebd200dcb04e4ddab Mon Sep 17 00:00:00 2001
From: Tom Kirkpatrick <200251+mrfelton@users.noreply.github.com>
Date: Thu, 11 Jun 2026 19:15:10 +0200
Subject: [PATCH] fix: stop token-optimizer self-targeting the AIC monitoring
 family
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Phase 1 self-targeting guard ("Exclude workflows with \"Token\" in the
name") can never fire: gh aw logs reports `workflow_name` as the display
name (the H1), which for these two workflows is "Agentic Workflow AIC
Usage Optimizer" / "Daily Agentic Workflow AIC Usage Audit" — neither
contains "Token". The string only appears in the workflow id / tracker-id.
So the monitoring family is never excluded, and the optimizer selects
itself (or its sibling audit) as the target.

This fixes it two ways:
- Deterministic pre-filter in the "Download" step: drop runs whose
  workflow_path matches `agentic-token-(optimizer|audit)` or whose
  display name matches `AIC Usage (Optimizer|Audit)`, so neither
  all-runs.json nor top-workflows.json can list the family.
- Correct the Phase 1 prompt guard to key off the actual ids/display
  names instead of the substring "Token".

Source `.md` only — the generated `.lock.yml` files are intentionally
left for in-repo regeneration via `gh aw compile` (lock cron jitter and
action-pin resolution are repo-scoped, so fork-built locks would not
match this repo's CI output).

Fixes #119

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .github/workflows/agentic-token-optimizer.md | 13 ++++++++++++-
 workflows/agentic-token-optimizer.md         | 13 ++++++++++++-
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/agentic-token-optimizer.md b/.github/workflows/agentic-token-optimizer.md
index 6117f5e..ce3da79 100644
--- a/.github/workflows/agentic-token-optimizer.md
+++ b/.github/workflows/agentic-token-optimizer.md
@@ -58,6 +58,17 @@ steps:
         echo '{"runs":[],"summary":{}}' > /tmp/gh-aw/token-audit/all-runs.json
       fi
 
+      # Exclude the AIC monitoring family (this optimizer + its sibling audit) from the
+      # candidate pool so the optimizer never selects its own meta-monitoring workflows.
+      # The in-prompt "Token in the name" guard misses these: their display names are
+      # "...AIC Usage Optimizer/Audit" (no "Token"), so match on workflow id/name here.
+      jq '.runs |= map(select(
+            (((.workflow_path // "") | test("agentic-token-(optimizer|audit)"))
+             or ((.workflow_name // "") | test("AIC Usage (Optimizer|Audit)"))) | not
+          ))' /tmp/gh-aw/token-audit/all-runs.json > /tmp/gh-aw/token-audit/all-runs.filtered.json \
+        && mv /tmp/gh-aw/token-audit/all-runs.filtered.json /tmp/gh-aw/token-audit/all-runs.json
+      echo "🚫 Excluded AIC monitoring family — $(jq '.runs | length' /tmp/gh-aw/token-audit/all-runs.json) runs remain in candidate pool"
+
   - name: Aggregate top workflows by AIC usage
     run: |
       set -euo pipefail
@@ -161,7 +172,7 @@ Treat missing numeric fields (`aic`, `token_usage`, `turns`, `action_minutes`) a
 
 - Start from `top-workflows.json`.
 - Exclude workflows optimized in the last 14 days (use `optimization-log.json`).
-- Exclude workflows with "Token" in the name to avoid self-targeting.
+- Exclude the AIC monitoring family — the `agentic-token-optimizer` and `agentic-token-audit` workflows (display names "Agentic Workflow AIC Usage Optimizer" / "Daily Agentic Workflow AIC Usage Audit") — to avoid self-targeting. These are also pre-filtered from `all-runs.json`/`top-workflows.json`, but never select them even if a stale snapshot still lists them.
 - Choose the highest AI-credit-spend workflow that remains.
 - If no snapshot/history exists, derive candidates directly from `all-runs.json`.
 
diff --git a/workflows/agentic-token-optimizer.md b/workflows/agentic-token-optimizer.md
index 6117f5e..ce3da79 100644
--- a/workflows/agentic-token-optimizer.md
+++ b/workflows/agentic-token-optimizer.md
@@ -58,6 +58,17 @@ steps:
         echo '{"runs":[],"summary":{}}' > /tmp/gh-aw/token-audit/all-runs.json
       fi
 
+      # Exclude the AIC monitoring family (this optimizer + its sibling audit) from the
+      # candidate pool so the optimizer never selects its own meta-monitoring workflows.
+      # The in-prompt "Token in the name" guard misses these: their display names are
+      # "...AIC Usage Optimizer/Audit" (no "Token"), so match on workflow id/name here.
+      jq '.runs |= map(select(
+            (((.workflow_path // "") | test("agentic-token-(optimizer|audit)"))
+             or ((.workflow_name // "") | test("AIC Usage (Optimizer|Audit)"))) | not
+          ))' /tmp/gh-aw/token-audit/all-runs.json > /tmp/gh-aw/token-audit/all-runs.filtered.json \
+        && mv /tmp/gh-aw/token-audit/all-runs.filtered.json /tmp/gh-aw/token-audit/all-runs.json
+      echo "🚫 Excluded AIC monitoring family — $(jq '.runs | length' /tmp/gh-aw/token-audit/all-runs.json) runs remain in candidate pool"
+
   - name: Aggregate top workflows by AIC usage
     run: |
       set -euo pipefail
@@ -161,7 +172,7 @@ Treat missing numeric fields (`aic`, `token_usage`, `turns`, `action_minutes`) a
 
 - Start from `top-workflows.json`.
 - Exclude workflows optimized in the last 14 days (use `optimization-log.json`).
-- Exclude workflows with "Token" in the name to avoid self-targeting.
+- Exclude the AIC monitoring family — the `agentic-token-optimizer` and `agentic-token-audit` workflows (display names "Agentic Workflow AIC Usage Optimizer" / "Daily Agentic Workflow AIC Usage Audit") — to avoid self-targeting. These are also pre-filtered from `all-runs.json`/`top-workflows.json`, but never select them even if a stale snapshot still lists them.
 - Choose the highest AI-credit-spend workflow that remains.
 - If no snapshot/history exists, derive candidates directly from `all-runs.json`.