github · pelikhan · Feb 10, 2026 · Feb 10, 2026 · Feb 10, 2026 · Feb 10, 2026
diff --git a/.github/workflows/unbloat-docs.md b/.github/workflows/unbloat-docs.md
@@ -158,6 +158,7 @@ find docs/src/content/docs -path 'docs/src/content/docs/blog' -prune -o -name '*
 **IMPORTANT**: Exclude these directories and files:
 - `docs/src/content/docs/blog/` - Blog posts have a different writing style and purpose
 - `frontmatter-full.md` - Automatically generated from the JSON schema by `scripts/generate-schema-docs.js` and should not be manually edited
+- **Files with `disable-agentic-editing: true` in frontmatter** - These files are protected from automated editing
 
 Focus on files that were recently modified or are in the `docs/src/content/docs/` directory (excluding blog).
 
@@ -178,17 +179,34 @@ Focus on markdown files in the `docs/` directory that appear in the PR's changed
 **NEVER select these directories or code-generated files**:
 - `docs/src/content/docs/blog/` - Blog posts have a different writing style and should not be unbloated
 - `docs/src/content/docs/reference/frontmatter-full.md` - Auto-generated from JSON schema
+- **Files with `disable-agentic-editing: true` in frontmatter** - These files are explicitly protected from automated editing
+
+Before selecting a file, check its frontmatter to ensure it doesn't have `disable-agentic-editing: true`:
+```bash
+# Check if a file has disable-agentic-editing set to true
+head -20 <filename> | grep -A1 "^---" | grep "disable-agentic-editing: true"
-head -20 <filename> | grep -A1 "^---" | grep "disable-agentic-editing: true"
+head -20 <filename> | grep "disable-agentic-editing: true"
-head -20 <filename> | grep -A1 "^---" | grep "disable-agentic-editing: true"
+head -20 <filename> | grep "disable-agentic-editing: true"
+# If this returns a match, SKIP this file - it's protected
+```
 
 Choose the file most in need of improvement based on:
 - Recent modification date
 - File size (larger files may have more bloat)
 - Number of bullet points or repetitive patterns
 - **Files NOT in the cleaned-files.txt cache** (avoid duplicating recent work)
 - **Files NOT in the exclusion list above** (avoid editing generated files)
+- **Files WITHOUT `disable-agentic-editing: true` in frontmatter** (respect protection flag)
 
 ### 4. Analyze the File
 
-Read the selected file and identify bloat:
+**First, verify the file is editable**:
+```bash
+# Check frontmatter for disable-agentic-editing flag
+head -20 <filename> | grep -A1 "^---" | grep "disable-agentic-editing: true"
+```
+
+If this command returns a match, **STOP** - the file is protected. Select a different file.
+
+Once you've confirmed the file is editable, read it and identify bloat:
 - Count bullet points - are there excessive lists?
 - Look for duplicate information
 - Check for repetitive "What it does" / "Why it's valuable" patterns

diff --git a/docs/package-lock.json b/docs/package-lock.json
diff --git a/docs/src/content.config.ts b/docs/src/content.config.ts
@@ -1,4 +1,4 @@
-import { defineCollection } from 'astro:content';
+import { defineCollection, z } from 'astro:content';
 import { docsLoader } from '@astrojs/starlight/loaders';
 import { docsSchema } from '@astrojs/starlight/schema';
 import { blogSchema } from 'starlight-blog/schema';
@@ -8,7 +8,19 @@ export const collections = {
 	docs: defineCollection({ 
 		loader: docsLoader(), 
 		schema: docsSchema({
-			extend: (context) => blogSchema(context)
+			extend: (ctx) => {
+				const blogExtension = blogSchema(ctx);
+				return blogExtension.extend({
+					// Agent protection flag: when set to true, instructs AI agents
+					// to treat this documentation page as read-only and skip any
+					// automated editing, generation, or modification operations.
+					// This is useful for auto-generated content, release notes,
+					// or documentation pages that should only be manually curated.
+					'disable-agentic-editing': z.boolean().optional().describe(
+						'Prevents AI agents from making automated edits to this page'
+					),
+				});
+			}
 		})
 	}),
 	// changelogs: defineCollection({

diff --git a/docs/src/content/docs/introduction/architecture.mdx b/docs/src/content/docs/introduction/architecture.mdx
@@ -3,6 +3,7 @@ title: Security Architecture
 description: Comprehensive security architecture overview for GitHub Agentic Workflows, including defense-in-depth mechanisms against rogue MCP servers and malicious agents.
 sidebar:
   order: 3
+disable-agentic-editing: true
 ---
 
 import { Aside } from '@astrojs/starlight/components';

diff --git a/docs/src/content/docs/reference/sandbox.md b/docs/src/content/docs/reference/sandbox.md
@@ -3,6 +3,7 @@ title: Sandbox Configuration
 description: Configure sandbox environments for AI engines including AWF agent container, mounted tools, runtime environments, and MCP Gateway
 sidebar:
   order: 1350
+disable-agentic-editing: true
 ---
 
 The `sandbox` field configures sandbox environments for AI engines, providing two main capabilities:

diff --git a/docs/src/content/docs/reference/threat-detection.md b/docs/src/content/docs/reference/threat-detection.md
@@ -3,6 +3,7 @@ title: Threat Detection
 description: Configure automated threat detection to analyze agent output and code changes for security issues before they are applied.
 sidebar:
   order: 40
+disable-agentic-editing: true
 ---
 
 GitHub Agentic Workflows includes automatic threat detection to analyze agent output and code changes for potential security issues before they are applied. When safe outputs are configured, a threat detection job automatically runs to identify prompt injection attempts, secret leaks, and malicious code patches.

diff --git a/docs/src/content/docs/reference/tokens.md b/docs/src/content/docs/reference/tokens.md
@@ -3,6 +3,7 @@ title: GitHub Tokens
 description: Comprehensive reference for all GitHub tokens used in gh-aw, including authentication, token precedence, and security best practices
 sidebar:
   order: 650
+disable-agentic-editing: true
 ---
 
 GitHub Agentic Workflows authenticate using multiple tokens depending on the operation. This reference explains which token to use, when it's required, and how precedence works across different operations.