harden: require manual experiment validation dispatch

.github/workflows/experiment_validation.yml

@@ -1,8 +1,6 @@
 name: Experiment Validation
 
 "on":
-  issues:
-    types: [opened, edited, reopened, labeled]
   workflow_dispatch:
     inputs:
       issue_number:
@@ -11,7 +9,6 @@ name: Experiment Validation
 
 jobs:
   validate:
-    if: contains(github.event.issue.labels.*.name, 'monthly-optimization-task') || inputs.issue_number != ''
     runs-on:
       - self-hosted
       - Linux
@@ -78,7 +75,7 @@ jobs:
           PY
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          ISSUE_NUMBER: ${{ inputs.issue_number || github.event.issue.number }}
+          ISSUE_NUMBER: ${{ inputs.issue_number }}
 
       - name: Prepare experiment validation payload
         id: experiment_payload
@@ -131,13 +128,13 @@ jobs:
         run: |
           python3 scripts/post_experiment_validation_comment.py \
             --repo "${GITHUB_REPOSITORY}" \
-            --issue-number "${{ inputs.issue_number || github.event.issue.number }}" \
+            --issue-number "${{ inputs.issue_number }}" \
             --review-file data/output/experiment_validation/validation_summary.md \
             --run-url "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
 
       - name: Upload validation artifact
         if: always()
         uses: actions/upload-artifact@v7
         with:
-          name: experiment-validation-${{ inputs.issue_number || github.event.issue.number }}
+          name: experiment-validation-${{ inputs.issue_number }}
           path: data/output/experiment_validation/

README.md

@@ -535,7 +535,7 @@ Behavior:
 
 After the monthly report bundle is assembled, the workflow creates a GitHub Issue containing the full `ai_review_input.md` content. The automated review route dispatches `QuantStrategyLab/CryptoCodexAuditBridge`. The bridge owns provider selection through `SELFHOSTED_CODEX_REVIEW_PROVIDER`:
 
-- `auto` (default): run Codex first; if Codex fails and the bridge has `OPENAI_API_KEY`, post the API review fallback from the bridge. If the API fallback is not configured, fail loudly.
+- `auto` (default): run the self-hosted Codex path first; if Codex setup or execution fails and the bridge has `OPENAI_API_KEY`, post the API review fallback from the bridge. If the API fallback is not configured, fail loudly.
 - `codex`: run Codex on the self-hosted VPS runner, post the audit result, and open a PR directly for safe low-risk fixes without API fallback.
 - `openai`: run an API review inside the bridge and post a review comment only.
 

README.zh-CN.md

@@ -382,7 +382,7 @@ make monthly-review-briefing
 
 月报 bundle 组装完成后，workflow 会自动创建一个 GitHub Issue，内容为完整的 `ai_review_input.md`。自动审阅路径会 dispatch `QuantStrategyLab/CryptoCodexAuditBridge`，由 bridge 统一决定 provider：
 
-- `auto`（默认）：先跑 Codex；如果 Codex 失败且 bridge 配置了 `OPENAI_API_KEY`，由 bridge 回落到 OpenAI API 审阅；如果 API fallback 没配置则明确失败。
+- `auto`（默认）：先跑 self-hosted Codex 路径；如果 Codex 准备或执行失败且 bridge 配置了 `OPENAI_API_KEY`，由 bridge 回落到 OpenAI API 审阅；如果 API fallback 没配置则明确失败。
 - `codex`：只跑 Codex，不使用 API fallback。
 - `openai`：在 bridge 内运行 API 审阅，只回帖，不改代码。
 

docs/operator_runbook.md

@@ -76,7 +76,7 @@ Boundary rules:
 
 ## Monthly Codex Remediation
 
-The monthly publish workflow creates a `monthly-review` issue, then dispatches `CryptoCodexAuditBridge` as the automated review and remediation path. The bridge owns provider selection through `SELFHOSTED_CODEX_REVIEW_PROVIDER`: `auto` is the default and runs self-hosted Codex first, falls back to OpenAI review when Codex fails and the bridge has `OPENAI_API_KEY`, and fails loudly when the API fallback is not configured. `codex` disables API fallback; `openai` posts an API review comment only.
+The monthly publish workflow creates a `monthly-review` issue, then dispatches `CryptoCodexAuditBridge` as the automated review and remediation path. The bridge owns provider selection through `SELFHOSTED_CODEX_REVIEW_PROVIDER`: `auto` is the default and runs the self-hosted Codex path first, falls back to OpenAI review when Codex setup or execution fails and the bridge has `OPENAI_API_KEY`, and fails loudly when the API fallback is not configured. `codex` disables API fallback; `openai` posts an API review comment only.
 
 If the bridge dispatch fails, the monthly publish workflow fails loudly. The older source-local `ai_review.yml` workflow remains only as a manual compatibility path.
 

tests/test_experiment_validation_workflow_config.py

@@ -12,9 +12,10 @@ class ExperimentValidationWorkflowConfigTests(unittest.TestCase):
     def test_workflow_runs_shadow_build_and_posts_comment(self) -> None:
         workflow = WORKFLOW_PATH.read_text(encoding="utf-8")
 
-        self.assertIn("issues:", workflow)
         self.assertIn("workflow_dispatch:", workflow)
         self.assertIn("issue_number:", workflow)
+        self.assertNotIn("types: [opened, edited, reopened, labeled]", workflow)
+        self.assertNotIn("github.event.issue", workflow)
         self.assertIn("self-hosted", workflow)
         self.assertIn("prepare_experiment_validation.py", workflow)
         self.assertIn("download_history.py", workflow)
@@ -23,7 +24,6 @@ def test_workflow_runs_shadow_build_and_posts_comment(self) -> None:
         self.assertIn("render_experiment_validation_summary.py", workflow)
         self.assertIn("post_experiment_validation_comment.py", workflow)
         self.assertIn("actions/upload-artifact@v7", workflow)
-        self.assertIn("monthly-optimization-task", workflow)
 
 
 if __name__ == "__main__":