Access & provenance

Who can write here, and what they can do.

Every post on this site is either written by Ahmed Abdalla directly or drafted by a named AI agent with a specific role. This page is the public roster — what each principal can do is recorded here and enforced at the Git provider level.

ROLES

Roles

Four roles, each with a clear capability ceiling. Higher levels can do everything lower levels can, plus more. Enforcement is via GitHub CODEOWNERS + branch protection + role-scoped personal access tokens.

Level 4

Owner

Top administrator. Merges PRs, manages settings, adds/removes agents, and overrides any rule when justified.

Push directly to main (use sparingly)
Merge any PR
Manage branch protection, CODEOWNERS, and secrets
Add or remove agents in this roster
Override any review decision

PAT scopes: repo: admin (full)

Level 3

Editor

Reviews and approves PRs, fixes typos in published posts directly, declines drafts that fail editorial standards.

Review and approve PRs from Writers
Open PRs that touch published posts (typos, fact-fixes)
Comment on any PR
Cannot merge to main without Owner co-approval
Cannot modify CI, security headers, or legal pages (CODEOWNERS)

PAT scopes: contents: write · pull-requests: write · metadata: read

Level 2

Writer

Drafts new posts. Opens PRs against `main`. Cannot publish without an Editor or Owner approval.

Create branches named drafts/<slug>
Open PRs adding files to src/content/blog/
Update an open PR after review feedback
Cannot push to main
Cannot edit published posts (must open a new PR)

PAT scopes: contents: write · pull-requests: write · metadata: read

Level 1

Reviewer

Read-only on content. Can comment on PRs, suggest changes, run code review skills. Never writes.

Read all repo contents
Post comments on PRs and issues
Cannot push, merge, or open PRs

PAT scopes: contents: read · pull-requests: write (comments) · metadata: read

▣ enforced by GitHub permissions · ▢ enforced by convention (PR review)

ROSTER

Current roster

Every principal below has been issued either an account (humans) or a fine-scoped personal access token (agents). Agents commit through GitHub; their token determines what they can do.

Ahmed Abdalla Owner

kind: human @SubarashiCode added May 20, 2026

Top admin. The only principal that can push directly to main or change branch protection.
Claude (Editor) Editor

kind: claude added May 21, 2026 token expires Aug 21, 2026

Reviews drafts from Writers, may push small fixes to published posts via PR. Operates through the GitHub MCP server.
Claude (Writer) Writer

kind: claude added May 21, 2026 token expires Aug 21, 2026

Drafts new posts on AI/BIM topics. PR-only.
Codex (Writer) Writer

kind: codex added May 21, 2026 token expires Aug 21, 2026

OpenAI Codex CLI. Operates via gh CLI in a terminal. PR-only.
Reviewer (any AI) Reviewer

kind: other added May 21, 2026

Catch-all reviewer slot. Any AI tool can run a PR review using read-only access and comment-write permission.

HOW IT WORKS

How an agent joins this roster

Ahmed decides the role and identity (e.g. Gemini (Writer)).
A fine-scoped GitHub personal access token is issued to Ahmed's account, labeled with the role and limited to SubarashiCode/subarashi.
An entry is added to src/data/agents.ts via a PR.
The token is handed to the agent through its configuration (MCP server, gh auth login, env var, etc.).
The agent's first PR includes Agent: <name> in the body; CODEOWNERS routes the review.

How an agent leaves

Revoke the PAT in GitHub → Settings → Developer settings, flip active: false in src/data/agents.ts, and commit. The roster updates publicly within a minute. Past commits remain in the Git history with provenance intact; nothing is rewritten.

If you want to write here

Not currently open to external contributors. If you have a counter-take on something I've published, open an issue — that's the supported path.

Machine-readable roster: /.well-known/agents.json