chore: clarify agent session instructions

.github/aw/close-agentic-campaign.md

@@ -4,13 +4,13 @@ Execute all four steps in strict order:
 
 1. Read State (no writes)
 2. Make Decisions (no writes)
-3. Dispatch Workers (dispatch-workflow only)
+3. Apply Updates (writes)
 4. Report
 
 The following rules are mandatory and override inferred behavior:
 
 - The GitHub Project board is the single source of truth.
-- All project writes MUST comply with the Project Update Instructions (in workers).
+- All project writes MUST comply with the Project Update Instructions.
 - State reads and state writes MUST NOT be interleaved.
 - Do NOT infer missing data or invent values.
 - Do NOT reorganize hierarchy.

.github/aw/generate-agentic-campaign.md

@@ -11,7 +11,8 @@ When creating or modifying GitHub resources, **use MCP tool calls directly** (no
 - `create_project` - Create project board
 - `update_project` - Create/update project fields, views, and items
 - `update_issue` - Update issue details
-- `assign_to_agent` - Assign to agent
+- `create_agent_session` - Create a Copilot coding agent session (preferred handoff)
+- `assign_to_agent` - Assign to agent (optional; use for existing issues/PRs)
 
 ## Workflow
 
@@ -24,7 +25,7 @@ When creating or modifying GitHub resources, **use MCP tool calls directly** (no
 5. Discover workflows: scan `.github/workflows/*.md` and check [agentics collection](https://github.com/githubnext/agentics)
 6. Generate `.campaign.md` spec in `.github/workflows/`
 7. Update the triggering issue with a human-readable status + Copilot Coding Agent instructions
-8. Assign to Copilot Coding Agent
+8. Create a Copilot coding agent session (preferred) or assign to agent (fallback)
 
 **Agent Responsibilities:** Compile with `gh aw compile`, commit files, create PR
 
@@ -79,7 +80,7 @@ Create them before adding any items to the project.
 
 ## Copilot Coding Agent Handoff (Required)
 
-Before calling `assign_to_agent`, update the triggering issue (via `update_issue`) to include a clear, human-friendly status update.
+Before creating an agent session, update the triggering issue (via `update_issue`) to include a clear, human-friendly status update.
 
 The issue update MUST be easy to follow for someone unfamiliar with campaigns. Include:
 
@@ -111,14 +112,15 @@ Add a section like this (fill in real values):
 - Selected workflows: `<workflow-1>`, `<workflow-2>`
 
 ### What happens next
-1. Copilot Coding Agent will open a pull request with the generated files.
+1. Copilot Coding Agent will open a pull request with the generated files (via agent session).
 2. You review the PR and merge it.
 3. After merge, run the orchestrator workflow from the Actions tab.
 
 ### Copilot Coding Agent handoff
 - **Campaign ID:** `<campaign-id>`
 - **Project URL:** <project-url>
 - **Workflows:** `<workflow-1>`, `<workflow-2>`
+- **Agent session:** <session-url (if created)>
 
 Run:
 ```bash
@@ -166,14 +168,14 @@ In addition to the structure above, include these exact items:
 **Safe Outputs (Least Privilege):**
 
 - For this campaign generator workflow, use `update-issue` for status updates (this workflow does not enable `add-comment`).
-- Project-based: `create-project`, `update-project`, `update-issue`, `assign-to-agent` (in order)
+- Project-based: `create-project`, `update-project`, `update-issue`, `create-agent-session` (preferred)
 
 **Operation Order for Project Setup:**
 
 1. `create-project` (creates project + views)
 2. `update-project` (adds items/fields)
 3. `update-issue` (updates metadata, optional)
-4. `assign-to-agent` (assigns agents, optional)
+4. `create-agent-session` (preferred) or `assign-to-agent` (fallback)
 
 **Example Safe Outputs Configuration for Project-Based Campaigns:**
 
@@ -197,7 +199,8 @@ safe-outputs:
     max: 10
     github-token: "<GH_AW_PROJECT_GITHUB_TOKEN>"  # Provide via workflow secret/env; avoid secrets expressions in runtime-import files
   update-issue:
-  assign-to-agent:
+  create-agent-session:
+    base: "${{ github.ref_name }}"  # Prefer main/default branch when appropriate
 ```
 
 **Risk Levels:**

.github/aw/orchestrate-agentic-campaign.md

@@ -2,9 +2,9 @@
 
 This orchestrator coordinates a single campaign by discovering worker outputs and making deterministic decisions.
 
-**Scope:** orchestration only (discovery, planning, pacing, reporting).
-**Actuation model:** **dispatch-only** — the orchestrator may only act by dispatching allowlisted worker workflows.
-**Write authority:** all GitHub writes (Projects, issues/PRs, comments, status updates) must happen in worker workflows.
+**Scope:** orchestration + project sync + reporting (discovery, planning, pacing, writing, reporting).
+**Actuation model:** **hybrid** — the orchestrator may update campaign state directly (Projects and status updates) and may also dispatch allowlisted worker workflows.
+**Write authority:** the orchestrator may write GitHub state when explicitly allowlisted via safe outputs; delegate repo/code changes (e.g., PRs) to workers unless this campaign explicitly defines otherwise.
 
 ---
 
@@ -47,7 +47,7 @@ This orchestrator coordinates a single campaign by discovering worker outputs an
 3. Correlation is explicit (tracker-id AND labels)
 4. Reads and writes are separate steps (never interleave)
 5. Idempotent operation is mandatory (safe to re-run)
-6. Orchestrators do not write GitHub state directly
+6. Orchestrator writes must be deterministic and minimal
 
 ---
 
@@ -83,19 +83,31 @@ This orchestrator coordinates a single campaign by discovering worker outputs an
 
 7) Reads and writes are separate steps (never interleave).
 
-### Step 3 — Dispatch Workers (Execution) [DISPATCH ONLY]
+### Step 3 — Apply Updates (Execution) [WRITES]
 
-8) For each selected unit of work, dispatch a worker workflow using `dispatch-workflow`.
+8) Apply required GitHub state updates in a single write phase.
+
+Allowed writes (when allowlisted via safe outputs):
+- Update the campaign Project board (add/update items and fields)
+- Post status updates (e.g., update an issue or add a comment)
+- Create Copilot agent sessions for repo-side work (use when you need code changes)
+
+Constraints:
+- Use only allowlisted safe outputs.
+- Keep within configured max counts and API budgets.
+- Do not interleave reads and writes.
+
+### Step 4 — Dispatch Workers (Optional) [DISPATCH]
+
+9) For repo-side actions (e.g., code changes), dispatch allowlisted worker workflows using `dispatch-workflow`.
 
 Constraints:
 - Only dispatch allowlisted workflows.
 - Keep within the dispatch-workflow max for this run.
 
-### Step 4 — Report (No Writes)
-
-9) Summarize what you dispatched, what remains, and what should run next.
+### Step 5 — Report
 
-If a status update is required on the GitHub Project, dispatch a dedicated reporting/sync worker to perform that write.
+10) Summarize what you updated and/or dispatched, what remains, and what should run next.
 
     **Discovered:** 25 items (15 issues, 10 PRs)
     **Processed:** 10 items added to project, 5 updated

.github/aw/update-agentic-campaign-project.md

@@ -10,8 +10,7 @@ If any other instructions conflict with this file, THIS FILE TAKES PRECEDENCE fo
 
 ## 0) Hard Requirements (Do Not Deviate)
 
-- Orchestrators are dispatch-only and MUST NOT perform project writes directly.
-- Worker workflows performing project writes MUST use only the `update-project` safe-output.
+- Any workflow performing project writes (orchestrators or workers) MUST use only the `update-project` safe-output.
 - All writes MUST target exactly:
   - **Project URL**: `{{.ProjectURL}}`
 - Every item MUST include: