Knowledge-Based Pull Requests for Cross-Trust-Boundary Contributions¶

A knowledge-based pull request treats an external contribution as a confirmable package, then has a project-owned agent regenerate the code in-house.

When To Reach For This Workflow¶

Knowledge-Based Pull Requests (KPR) pay off in a narrow window. Use them only when reconstructing intent from the diff is more expensive than rewriting the change: cross-module features, behaviour changes a maintainer cannot validate from the patch alone, high-context bug fixes, security-sensitive contributions, and changes that span policy or architecture boundaries (arXiv:2606.26721 §4.2). The paper that introduced the workflow is explicit that small bug fixes, dependency bumps, doc edits, and other low-risk mechanical changes are more efficiently handled as ordinary code PRs — KPR's extra stages are dead weight on contributions whose diff already conveys intent.

The empirical record agrees with that scoping. Across 33k agent-authored PRs on GitHub, the categories with the highest merge rates are documentation, CI, and build updates — exactly the mechanical changes KPR explicitly excludes (arXiv:2601.15195, Ehsani et al., MSR 2026). Treat KPR as a targeted tool for the long-tail, high-context contributions, not a default replacement for code review.

The Trust Problem KPR Addresses¶

Agent-mediated contribution collapses two costs that traditional pull requests assumed were the same problem: (1) judging whether the knowledge — the goal, the diagnosis, the proposed design — is worth incorporating, and (2) judging whether a specific implementation should land. When the implementation is generated by an external agent the maintainer does not control, conflating these two decisions creates two failure modes:

Indirect prompt injection through contribution surface. Hidden instructions inside PR descriptions, agent traces, or referenced issues have already produced CVSS-9.6 RCE against GitHub Copilot (CVE-2025-53773) and authorisation-bypass exfiltration against the Claude Code GitHub Action (Help Net Security, CSA Research). The pull_request_target / "pwn-request" class of attack — fork PR content running with target-repo privileges — has driven multiple supply-chain compromises across major repositories (OpenSSF, GHSA-9jgv-x8cq-296q).
High-context contributions stall in review. When the diff alone cannot convey intent, reviewers either over-trust it or bounce it back for clarification rounds; a qualitative study of failed agentic PRs identifies "lack of meaningful reviewer engagement," "unwanted feature implementations," and "agent misalignment" as dominant rejection patterns (arXiv:2601.15195).

KPR responds by structurally separating intake from regeneration.

The Four-Stage Pipeline¶

flowchart TD
    A[External contributor:<br/>code + tests + agent trace] --> B[Stage 1<br/>Gateway: sanitise + taint]
    B --> C[Stage 2<br/>Distil knowledge package]
    C --> D[Stage 3<br/>Human reviewer confirms]
    D --> E[Stage 4<br/>Project agent regenerates]
    E --> F[Final PR<br/>with split attribution]
    D -.->|reject knowledge| A
    E -.->|cannot regenerate| D

Stage 1: Gateway — Sanitise and Taint¶

The receiving project runs every incoming contribution through a sanitisation gateway before any agent reasons over it. The gateway removes secrets, private paths, irrelevant logs, and obvious prompt-injection content while retaining taint labels that mark all external trace material as untrusted (arXiv:2606.26721 §3). The taint label is the load-bearing part — downstream agents must treat tainted content as data, never as instructions. This is the same posture that closes the lethal trifecta: segregate untrusted content from any principal that holds both private data and write-back.

Stage 2: Distil the Knowledge Package¶

A summariser produces a structured artifact the reviewer can judge in one pass. The package is not free-form prose; it captures goals, constraints, validation steps, rejected alternatives, and unresolved questions, and renders into one of: design memo, risk checklist, test plan, or implementation brief (arXiv:2606.26721 §3). The package is the unit of trust — once it exists, the original code is a reference, no longer a merge candidate.

Stage 3: Human Confirmation¶

A maintainer reviews the package and decides whether the knowledge is worth incorporating. This decision is deliberately separated from any judgement about the contributor's specific implementation. Rejection at this stage is cheap — the project never spends regeneration effort on a contribution it would not have accepted anyway. Approval moves the package, not the code, into the project.

Stage 4: Project Agent Regenerates¶

A project-owned coding agent reads the confirmed package and writes the implementation against the receiving project's environment: its conventions, its tests, its security policy, its repository context. The external diff is reference material the agent may consult, but the executed output is something the project would have written for itself. This is the operational meaning of "trusted environment" — even if the external trace was poisoned, the regenerated code lives inside the project's existing guardrails. The execution-provenance literature frames the same primitive (typed traces, retained taint, replayable provenance) as the substrate downstream trust assessments can be built on (arXiv:2606.04990, Wang et al., 2026).

Cost Comparison¶

The paper provides explicit cost accounting against a traditional PR (arXiv:2606.26721 Table 1):

Stage	Traditional PR	KPR
Intent extraction	Inferred from diff	Extracted from local trace, external diff, tests, and human corrections
First judgement	Code and intent reviewed together	Problem fit, evidence, and constraints reviewed separately from any specific code
Implementation	External code is the candidate	Project-owned inner trusted coding agent regenerates the candidate

KPR adds stages. The trade is that maintainer time-to-first-judgement is spent on the one artifact that determines whether the change should land at all, and downstream regeneration runs unattended against project tests.

Pilot Evidence and Its Limits¶

Treat the published evidence as a controlled simulation, not a deployment validation. The pilot is n=7 merged public PRs (each ≤5 changed files, ≤350 added+deleted lines) covering small API exposure, test regression, doc/testing, automated maintenance, and workflow-security changes (arXiv:2606.26721 §5). Results from Table 3:

Intent correctness: 7/7 KPR packages
Evidence traceability: 7/7 KPR packages vs. 0/7 normal summaries
Implementation sufficiency: 6/7 KPR packages
Poisoned-patch rejection: 7/7 marked external code as untrusted

The authors flag what the pilot does not show: it does not validate maintainer-burden reduction, does not measure project-side regeneration effectiveness at scale, and the enterprise / vendor / contractor examples are "plausible extensions of the same trust-boundary pattern, not as empirically validated deployment settings" (arXiv:2606.26721 §5). The single failure case in the pilot — an automated plugin-list update — is the predictable one: a compact summary cannot reconstruct an exact target state, so regeneration produces drift on changes that require literal output.

Attribution and Licensing¶

Regenerating code in-project "does not automatically remove license or authorship concerns" (arXiv:2606.26721 §4.6). Without explicit credit, the workflow becomes "a worse deal for contributors than an ordinary PR" — bona fide contributors disengage. Three operational rules from the paper:

Cite the KPR package in commit metadata, the discussion thread, or the implementation PR body.
Distinguish three roles in the final PR record: knowledge package by (the external contributor), implementation generated by (the project's agent), reviewed by (the maintainer).
Apply provenance and licence checks to the upstream materials, not only the final regenerated code.

Why It Works¶

KPR works because it inserts a sanitisation-and-regeneration gateway at the exact boundary where indirect prompt injection has been shown to be most dangerous — the point where an LLM is asked to read, reason about, and then act on untrusted external text and code (Help Net Security on OWASP). The mechanism has two legs that compose. First, tainted-evidence routing: external diffs and traces are flagged as untrusted at ingestion, so downstream agents treat them as data. Second, provenance-preserving regeneration: the in-project agent writes the implementation under project conventions and tests, so even if the external trace was poisoned, the executed output is something the project would have written anyway. The execution-provenance survey frames this same primitive — typed traces with retained taint and replayable provenance — as the substrate trust assessments for agent systems can be built on (arXiv:2606.04990). KPR is not a "review more carefully" pattern; it is a structural separation between knowledge intake and code production that survives a malicious or sloppy upstream agent.

When This Backfires¶

Small mechanical changes. Doc edits, dependency bumps, single-line bug fixes — the diff already conveys intent, so the knowledge-package overhead exceeds the original review cost. The paper itself excludes these (arXiv:2606.26721 §4.2).
No project-owned trusted agent. KPR presupposes the receiving project runs its own coding agent under its conventions, tests, and security policy. Teams without that infrastructure pay the knowledge-package cost without the regeneration benefit.
Exact-state changes. Data files, generated artifacts, or "the precise contents of this list" — a summary cannot reconstruct the literal target state. The pilot's single failure (automated plugin-list update) is the canonical case (arXiv:2606.26721 §5).
High-frequency, low-context contribution streams. Translation projects, typo bots, and similar high-volume / low-judgement streams: contributor burden of producing memo + checklist + plan exceeds value to the project; throughput collapses.
Adversarial spec spam. Malicious collaborators can produce polished-looking packages with weak evidence; a structured package "can look more credible than it is" if summarisers omit uncertainty (arXiv:2606.26721 §5). Without enforced evidence and provenance requirements, the gateway becomes a credibility-laundering layer.
Attribution-sensitive open-source workflows. Rewriting external code in-house without explicit credit converts a merged contribution into a credit gap; contributors disengage even when the workflow is technically running.

Key Takeaways¶

KPR is a workflow for high-context cross-trust-boundary contributions, not a default replacement for the pull request — the paper that introduced it explicitly excludes small mechanical changes.
It works by structurally separating two decisions traditional PRs collapse: whether the knowledge is worth incorporating and whether a specific implementation should land.
The four-stage pipeline (gateway → distil → confirm → regenerate) holds together because the gateway taints external content as untrusted and the project's own agent writes the executed code.
Pilot evidence is real but narrow (n=7 PRs); maintainer-burden reduction and project-side regeneration effectiveness at scale are still open.
Attribution is non-optional: split the final record into knowledge-package-by, implementation-by, and reviewed-by, or the workflow becomes a worse deal for contributors than a normal PR.

Agent-Authored PR Integration — reviewer-engagement evidence on why agent-authored PRs are accepted or rejected, the empirical ground KPR is responding to.
Reviewer's Playbook for Agent-Authored Pull Requests — the inspection priorities a reviewer applies when judging an agent-generated PR directly; KPR shifts what gets reviewed from code to knowledge package.
Tiered Code Review — route review effort by risk; KPR is the high-context branch when the diff alone is not enough.
Lethal Trifecta in Agent Tooling — the cross-tool security model KPR's tainted-trace gateway operationalises for the contribution surface.
Agent-Proposed Merge Resolution — sibling pattern where an agent prepares a change for confirmation rather than direct merge.