Skip to content

[FAQ] Add: fail-closed admission control FAQ entry#28829

Draft
chrizbo wants to merge 1 commit intomainfrom
faq/issue-473-19458d20a112e5c0
Draft

[FAQ] Add: fail-closed admission control FAQ entry#28829
chrizbo wants to merge 1 commit intomainfrom
faq/issue-473-19458d20a112e5c0

Conversation

@chrizbo
Copy link
Copy Markdown
Collaborator

@chrizbo chrizbo commented Apr 28, 2026

Adds a new entry to the Guardrails section of the FAQ covering fail-closed behavior and admission boundaries in agentic workflows.

What changed

New FAQ entry: "Should agentic workflows fail closed when an external check can't confirm execution is allowed?"

  • Explains that fail-closed is the design default (read-only agent, safe outputs gated, threat detection as backstop)
  • Shows how to add an admission boundary before the agent runs using on.steps:, skip-if-match:/skip-if-no-match:, and manual-approval:
  • Includes a curl-based external gate example in on.steps: that fails closed if the service is unreachable
  • Clarifies the distinction between "can this workflow run?" (pre-agent gate) and "is this output safe?" (safe-outputs layer)

Source

Community question in github/agentic-workflows#473 — a broadly reusable design question about where to place admission control boundaries.

Type of change

New FAQ entry (no existing entry covered this topic).

Generated by Feedback Question Answerer · ● 1.1M ·

@chrizbo
docs: add FAQ entry on fail-closed admission control for agentic work…
6f058e8 
…flows

Adds a new Guardrails FAQ entry addressing how agentic workflows behave
when an external authority check cannot confirm execution is allowed.
Covers on.steps: for pre-agent admission checks, skip-if-match/no-match
for query-based gates, manual-approval: for human-in-the-loop gates,
and how the safe-outputs/threat-detection layer acts as a backstop.

Source issue: github/agentic-workflows#473

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 28, 2026

Smoke Multi PR failed to create multiple PRs. Check the logs.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 28, 2026

Smoke Project encountered failures. Check the logs for details.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 28, 2026

📰 DEVELOPING STORY: Smoke Copilot ARM64 reports was cancelled. Our correspondents are investigating the incident...

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 28, 2026

✅ smoke-ci: safeoutputs CLI comment + comment-memory run (25026890148)

Generated by Smoke CI for issue #28829 ·

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 28, 2026

Comment Memory

CI lights the path\nGreen checks bloom at dawn\nQuiet bots still sing

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Generated by Smoke CI for issue #28829 ·

This was referenced Apr 28, 2026
Closed
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

Assignees

No one assigned

Labels

automated faq-update

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@chrizbo