@bridge_gpt/mcp-server 0.2.6 → 0.2.10

package/build/conductor/epic-runtime.js

@@ -17,16 +17,20 @@
  * All durable mutations go through the injectable seams that call the sibling
  * Epic Run TS client (already available in bridge-api-client.ts as of BAPI-407).
  */
-import { resolveConductorBridgeApiAccess, claimEpicSupervisionLease, fetchEpicRunState, advanceEpicTicketStatus, createEpicTicketStatus, recordEpicDispatch, transitionEpicDispatch, fetchParseStatus, triggerRepositoryParse, getEpicPlan, buildEpicDispatchKey, } from "./bridge-api-client.js";
+import { spawnSync } from "child_process";
+import { resolveConductorBridgeApiAccess, claimEpicSupervisionLease, fetchEpicRunState, advanceEpicTicketStatus, createEpicTicketStatus, recordEpicDispatch, transitionEpicDispatch, fetchParseStatus, triggerRepositoryParse, getEpicPlan, buildEpicDispatchKey, fetchEffectiveSupervisorConfig, fetchEffectiveSupervisorSetup, fetchPrReviewStatus, remediateEpicTicket, deletePullRequestBranch, transitionJiraStatus, } from "./bridge-api-client.js";
 import { processGateMetMerge } from "./supervisor-merge.js";
-import { rebuildObservedState, } from "./epic-state.js";
+import { rebuildObservedState, extractWorkerLiveness, } from "./epic-state.js";
 import { reconcileEpic } from "./epic-reconcile.js";
+import { buildSupervisorRemediationWorkerMessage } from "./supervisor-message-relay.js";
+import { sendWorkerMessage } from "./store.js";
 import { hashPlan } from "./plan.js";
-import { pollConductorEvents } from "./store.js";
+import { pollConductorEvents, POLL_LIMIT_MAX } from "./store.js";
 import { dispatchSupervisorNotification } from "./supervisor-notification.js";
 import { makeSupervisorIdempotencyKey } from "./supervisor-ledger.js";
 import { createDefaultStartTicketsDeps, orchestrateStartTickets } from "../start-tickets.js";
 import { orchestrateReviewTickets } from "../review-tickets.js";
+import { createStartTicketsConductorContext, provisionConductorHooksForRows, emitStartTicketsRunStarted, } from "../start-tickets-conductor.js";
 // ---------------------------------------------------------------------------
 // Constants
 // ---------------------------------------------------------------------------
@@ -46,7 +50,7 @@ function defaultLeaseOwner() {
 async function defaultEscalateOnce(epicKey, reason) {
     process.stderr.write(`[epic-tick] ESCALATION epic=${epicKey} reason=${reason}\n`);
 }
-async function defaultDispatchSeam(_epicKey, ticketKey) {
+async function defaultDispatchSeam(_epicKey, ticketKey, _attempt = 0) {
     throw new Error(`dispatch seam not wired for ticket ${ticketKey}`);
 }
 async function defaultPostActionWaitSeam(_epicKey, _ticketKey) {
@@ -73,7 +77,8 @@ export async function runEpicTick(options, deps = {}) {
     const dispatchSeam = deps.dispatchSeam ?? defaultDispatchSeam;
     const processMergeFn = deps.processMerge ?? processGateMetMerge;
     const postActionWaitSeam = deps.postActionWaitSeam ?? defaultPostActionWaitSeam;
-    const fetchLocalEvents = deps.fetchLocalEvents ?? ((_key) => []);
+    const fetchLocalEvents = deps.fetchLocalEvents ??
+        ((_key, _runIds) => []);
     const resolveBridgeAccess = deps.resolveBridgeAccess ?? resolveConductorBridgeApiAccess;
     const claimLeaseFn = deps.claimLease ?? claimEpicSupervisionLease;
     const fetchEpicStateFn = deps.fetchEpicState ?? fetchEpicRunState;
@@ -190,7 +195,15 @@ export async function runEpicTick(options, deps = {}) {
                 worker_count: 0,
             };
         }
-        const localEvents = fetchLocalEvents(epic_key);
+        // Scope the local-ledger read to this epic's dispatched run_ids. The shared
+        // ~/.config/bridge/events.db ledger accumulates events for every epic/worker
+        // on the machine; rebuildObservedState only folds signals whose run_id maps
+        // to one of these dispatches, so scoping the read here avoids loading the
+        // entire (up to 50K-row) ledger on every tick.
+        const dispatchedRunIds = epicRunState.dispatches
+            .map((d) => d.run_id)
+            .filter((rid) => typeof rid === "string" && rid.length > 0);
+        const localEvents = fetchLocalEvents(epic_key, dispatchedRunIds);
         const observed = rebuildObservedState(epicRunState, localEvents, nowFn());
         workerCount = [...observed.ticket_statuses.values()].filter((s) => ACTIVE_WORKER_STATUSES.has(s)).length;
         // Step 3.5: Run post-action waits (parse-after-merge)
@@ -330,6 +343,82 @@ export async function runEpicTick(options, deps = {}) {
         }
         // Step 5: Reconcile observed→desired
         if (plan !== null) {
+            // BAPI-441: fetch the effective supervisor config (budget ceilings +
+            // liveness window) and setup (pr_bindings) once. Fail-open: if the config
+            // read fails, remediationConfig stays undefined and reconcile skips the
+            // remediation pass entirely (dispatch/merge steps unaffected).
+            let remediationConfig;
+            let livenessWindowSeconds = 120;
+            let prBindings = {};
+            try {
+                const cfg = await fetchEffectiveSupervisorConfig(access, epic_key);
+                remediationConfig = {
+                    max_remediation_attempts: cfg.max_remediation_attempts,
+                    max_remediation_no_progress_attempts: cfg.max_remediation_no_progress_attempts,
+                    auto_rereview_enabled: cfg.auto_rereview_enabled ?? false,
+                    teardown_enabled: cfg.teardown_enabled ?? false,
+                };
+                livenessWindowSeconds = cfg.worker_liveness_window_seconds;
+            }
+            catch (err) {
+                const safeMsg = err instanceof Error ? err.constructor.name : "config error";
+                errorLog(`[epic-tick] supervisor-config fetch failed (${safeMsg}); skipping remediation for epic=${epic_key}`);
+            }
+            if (remediationConfig) {
+                try {
+                    const setup = await fetchEffectiveSupervisorSetup(access, epic_key);
+                    if (setup.pr_bindings && typeof setup.pr_bindings === "object") {
+                        prBindings = setup.pr_bindings;
+                    }
+                }
+                catch (err) {
+                    const safeMsg = err instanceof Error ? err.constructor.name : "setup error";
+                    errorLog(`[epic-tick] supervisor-setup fetch failed (${safeMsg}); remediation PR resolution degraded for epic=${epic_key}`);
+                }
+            }
+            // ticket_key → dispatched run_id (the run whose heartbeat liveness reads).
+            // Seed from ticket_status.dispatch_run_id, then prefer the most-recent
+            // dispatch-ledger run_id per ticket so that after a remediation re-dispatch
+            // (a new attempt-scoped epic_dispatch row correlated with the fresh run_id)
+            // liveness tracks the NEW worker rather than the stale original.
+            const ticketRunIdMap = new Map();
+            for (const ts of epicRunState.ticket_statuses) {
+                if (ts.dispatch_run_id)
+                    ticketRunIdMap.set(ts.ticket_key, ts.dispatch_run_id);
+            }
+            const latestDispatchByTicket = new Map();
+            for (const d of epicRunState.dispatches) {
+                if (!d.run_id)
+                    continue;
+                const updatedAt = new Date(d.updated_at).getTime();
+                const prev = latestDispatchByTicket.get(d.ticket_key);
+                if (!prev || updatedAt >= prev.updatedAt) {
+                    latestDispatchByTicket.set(d.ticket_key, { runId: d.run_id, updatedAt });
+                }
+            }
+            for (const [tk, info] of latestDispatchByTicket) {
+                ticketRunIdMap.set(tk, info.runId);
+            }
+            const resolvePrNumber = (ticketKey) => {
+                const raw = prBindings[ticketKey];
+                if (typeof raw === "number" && Number.isInteger(raw) && raw >= 1)
+                    return raw;
+                if (raw && typeof raw === "object") {
+                    const obj = raw;
+                    const pr = obj.pr_number ?? obj.pr;
+                    if (typeof pr === "number" && Number.isInteger(pr) && pr >= 1)
+                        return pr;
+                }
+                return null;
+            };
+            const maxSeqForRun = (runId) => {
+                let maxSeq = 0;
+                for (const ev of localEvents) {
+                    if (ev.run_id === runId && ev.seq > maxSeq)
+                        maxSeq = ev.seq;
+                }
+                return maxSeq;
+            };
             const reconcileDeps = {
                 casTicketStatus: async (ek, tk, rowVersion, nextStatus, planVersion) => advanceEpicTicketStatus(access, {
                     epicKey: ek,
@@ -360,13 +449,146 @@ export async function runEpicTick(options, deps = {}) {
                         runId,
                     });
                 },
-                dispatchSeam: async (ek, tk) => dispatchSeam(ek, tk),
+                dispatchSeam: async (ek, tk, attempt = 0) => dispatchSeam(ek, tk, attempt),
                 processMerge: async (acc, event) => processMergeFn(acc, event),
                 postActionWaitSeam: async (ek, tk) => postActionWaitSeam(ek, tk),
                 escalateOnce: async (ek, reason) => escalateOnce(ek, reason),
                 log,
+                // BAPI-442: teardown and Jira-transition seams (fail-open, optional).
+                teardownSeam: async (_ek, tk) => {
+                    // Resolve the PR number for the ticket.
+                    const prNumber = resolvePrNumber(tk);
+                    if (prNumber === null) {
+                        errorLog(`[epic-tick] teardown: no PR binding for ${tk}; skipping`);
+                        return;
+                    }
+                    // Fetch setup to get the expected head SHA if available; fall back to empty.
+                    let expectedSha = "";
+                    try {
+                        const setup = await fetchEffectiveSupervisorSetup(access, epic_key);
+                        const binding = (setup.pr_bindings ?? {})[tk];
+                        if (binding && typeof binding === "object") {
+                            const b = binding;
+                            if (typeof b.head_sha === "string")
+                                expectedSha = b.head_sha;
+                        }
+                    }
+                    catch {
+                        // Best-effort; proceed with empty SHA (endpoint still deletes by PR number)
+                    }
+                    try {
+                        await deletePullRequestBranch(access, prNumber, expectedSha || "");
+                        log(`[epic-tick] teardown: branch deleted for PR #${prNumber} (ticket=${tk})`);
+                    }
+                    catch (err) {
+                        const safeMsg = err instanceof Error ? err.constructor.name : "error";
+                        errorLog(`[epic-tick] teardown: branch-delete failed (${safeMsg}) for ${tk}`);
+                    }
+                    // Remove local worktree idempotently; errors are benign.
+                    try {
+                        spawnSync("git", ["worktree", "remove", "--force", tk], { stdio: "ignore" });
+                        log(`[epic-tick] teardown: worktree removed for ${tk}`);
+                    }
+                    catch {
+                        // Already removed or never created — idempotent skip.
+                    }
+                },
+                jiraTransitionSeam: async (_ek, tk) => {
+                    try {
+                        const result = await transitionJiraStatus(access, tk, "auto");
+                        if (result.status === "skipped") {
+                            log(`[epic-tick] jira-transition: no matching transition for ${tk} (skipped)`);
+                        }
+                        else {
+                            log(`[epic-tick] jira-transition: transitioned ${tk}`);
+                        }
+                    }
+                    catch (err) {
+                        const safeMsg = err instanceof Error ? err.constructor.name : "error";
+                        errorLog(`[epic-tick] jira-transition failed (${safeMsg}) for ${tk}`);
+                    }
+                },
+                // BAPI-441 remediation seams.
+                readWorkerLiveness: async (_ek, tk) => {
+                    const runId = ticketRunIdMap.get(tk);
+                    if (!runId)
+                        return { alive: false, workerId: null };
+                    return extractWorkerLiveness(localEvents, runId, nowFn(), livenessWindowSeconds);
+                },
+                remediateCas: async (ek, tk, attemptKind, reason) => {
+                    const prNumber = resolvePrNumber(tk);
+                    if (prNumber === null) {
+                        throw new Error(`remediate: no PR binding for ${tk}`);
+                    }
+                    const reviewStatus = (await fetchPrReviewStatus(access, prNumber));
+                    const headSha = reviewStatus?.detail?.head_sha ?? null;
+                    if (!headSha) {
+                        throw new Error(`remediate: no head_sha for PR ${prNumber}`);
+                    }
+                    const rowVersion = observed.ticket_row_versions.get(tk) ?? 0;
+                    // Deterministic block-state idempotency key: stable for a given durable
+                    // row_version so a same-tick retry replays (409, swallowed); advances
+                    // with the next attempt.
+                    const idempotencyKey = `remediate:${ek}:${tk}:${rowVersion}`;
+                    const result = await remediateEpicTicket(access, {
+                        pr_number: prNumber,
+                        epic_run_id: ek,
+                        ticket_key: tk,
+                        expected_row_version: rowVersion,
+                        head_sha: headSha,
+                        idempotency_key: idempotencyKey,
+                        attempt_kind: attemptKind,
+                        reason,
+                    });
+                    if (result.conflict) {
+                        return { conflict: true, reviewDigest: null, truncated: false };
+                    }
+                    return {
+                        conflict: false,
+                        reviewDigest: result.response.review_digest,
+                        truncated: result.response.truncated,
+                    };
+                },
+                sendNudge: async (_ek, tk, attempt, reviewDigest, truncated, reason, workerId) => {
+                    const runId = ticketRunIdMap.get(tk);
+                    if (!runId)
+                        throw new Error(`nudge: no run_id for ${tk}`);
+                    // workerId is resolved by readWorkerLiveness from the same heartbeat
+                    // scan and null-checked by the reconcile pass before remediateCas, so
+                    // the two seams stay consistent and no budget is burned on a missing id.
+                    const input = buildSupervisorRemediationWorkerMessage({
+                        runId,
+                        workerId,
+                        ticketKey: tk,
+                        reason,
+                        attempt,
+                        reviewDigest: reviewDigest ?? "",
+                        truncated,
+                        causeSeq: maxSeqForRun(runId),
+                    });
+                    sendWorkerMessage(input);
+                },
+                resumeDispatch: async (ek, tk, attempt) => {
+                    // Claim an attempt-scoped pending dispatch row FIRST so the spawn's
+                    // run_spawned correlation (inside orchestrateStartTickets) has a row to
+                    // transition and the re-dispatched run_id is durably recorded against
+                    // the ticket. The claim is idempotent (lease-held/already-spawned are
+                    // returned, not thrown).
+                    await recordEpicDispatch(access, {
+                        epicKey: ek,
+                        ticketKey: tk,
+                        planVersion: plan.plan_version,
+                        leaseOwner: lease_owner,
+                        ttlSeconds: DEFAULT_DISPATCH_KEY_TTL_SECONDS,
+                        attempt,
+                    });
+                    // dispatchSeam returns the new run_id; orchestrate correlates it into
+                    // the attempt-scoped epic_dispatch row, so the next tick's liveness map
+                    // (built from the dispatch ledger) tracks the fresh worker.
+                    await dispatchSeam(ek, tk, attempt);
+                },
             };
-            const reconcileResult = await reconcileEpic(access, observed, plan, reconcileDeps);
+            const reconcileResult = await reconcileEpic(access, observed, plan, reconcileDeps, remediationConfig);
             log(`[epic-tick] reconcile done: epic=${epic_key} ` +
                 `signals=${reconcileResult.signals_folded} ` +
                 `dispatched=${reconcileResult.dispatched} ` +
@@ -494,7 +716,7 @@ export async function buildProductionEpicRuntimeDeps(epicKey) {
         const planHash = hashPlan(dag);
         return { plan_hash: planHash, plan_version: response.plan_version, tickets };
     };
-    const dispatchSeam = async (ek, tk) => {
+    const dispatchSeam = async (ek, tk, attempt = 0) => {
         // Guard: fetchPlan must run before dispatchSeam so cachedPlanVersion and
         // automationMap are populated. A zero version means the factory seam was
         // wired but fetchPlan was never called — fail explicitly rather than silently
@@ -502,6 +724,12 @@ export async function buildProductionEpicRuntimeDeps(epicKey) {
         if (cachedPlanVersion === 0) {
             throw new Error(`dispatchSeam called before fetchPlan for epic ${ek} ticket ${tk}; cachedPlanVersion is 0`);
         }
+        // BAPI-441: a remediation re-dispatch (attempt > 0) reuses the existing
+        // branch/worktree (resume mode) and claims an attempt-scoped dispatch key so
+        // it is not deduped against the original epic dispatch.
+        const isResume = attempt > 0;
+        // The dispatch kind comes from the plan node's automation (start-tickets or
+        // review-tickets); default to start-tickets when unspecified.
         const kind = automationMap.get(tk) ?? "start-tickets";
         // Operator dry-run: when BAPI_CONDUCTOR_DISPATCH_DRY_RUN=1, dispatch resolves
         // the spawn command + model routing but opens NO terminal, creates NO worktree,
@@ -513,7 +741,7 @@ export async function buildProductionEpicRuntimeDeps(epicKey) {
             epic_key: ek,
             epic_run_id: ek,
             plan_version: cachedPlanVersion,
-            dispatch_key: buildEpicDispatchKey(ek, tk, cachedPlanVersion),
+            dispatch_key: buildEpicDispatchKey(ek, tk, cachedPlanVersion, attempt),
         };
         const deps = createDefaultStartTicketsDeps();
         let runId;
@@ -533,6 +761,14 @@ export async function buildProductionEpicRuntimeDeps(epicKey) {
             runId = result.rows[0]?.runId;
         }
         else {
+            // BAPI-409 / IH-1: epic dispatch (dispatch_key set) requires the conductor
+            // stage to mint a run_id and provision per-worker env/supervisor context.
+            // `conductorEnabled: true` alone is necessary but not sufficient — the
+            // BAPI-409 guard in orchestrateStartTickets fails closed unless the
+            // createConductorContext seam (and its siblings) is injected via the third
+            // `overrides` argument, exactly as the packaged start-tickets CLI does. The
+            // orchestrator short-circuits on dryRun before using them, so passing them
+            // unconditionally is safe; dispatchDryRun preserves the operator dry-run seam.
             const result = await orchestrateStartTickets(deps, {
                 keys: [tk],
                 epic: identity,
@@ -543,6 +779,13 @@ export async function buildProductionEpicRuntimeDeps(epicKey) {
                 refreshMain: false,
                 branchOverrides: {},
                 baseBranch: "main",
+                conductorEnabled: true,
+                // BAPI-441: re-dispatch reuses the existing branch/worktree.
+                resumeMode: isResume,
+            }, {
+                createConductorContext: createStartTicketsConductorContext,
+                provisionConductorHooksForRows,
+                emitStartTicketsRunStarted,
             });
             if (!result.ok) {
                 throw new Error(`start-tickets dispatch failed: ${result.error}`);
@@ -559,11 +802,50 @@ export async function buildProductionEpicRuntimeDeps(epicKey) {
         }
         return runId;
     };
-    const fetchLocalEvents = (_ek) => {
+    const fetchLocalEvents = (_ek, runIds) => {
         // Workers and the epic-tick process share the same local SQLite ledger
         // (~/.config/bridge/events.db). pollConductorEvents opens it read-only.
-        const result = pollConductorEvents({ data_mode: "full" });
-        return result.events;
+        //
+        // Scope the read to this epic's dispatched run_ids. The shared ledger holds
+        // events for every epic/worker on the machine (up to RETENTION_MAX_ROWS),
+        // but rebuildObservedState only folds signals whose run_id maps to one of
+        // these dispatches — so the run_ids filter pushes that scoping into SQL and
+        // avoids loading sibling-epic events on every tick. With no known run_ids
+        // (first tick before any dispatch) there is nothing to fold, so skip the
+        // read entirely.
+        //
+        // pollConductorEvents returns at most POLL_LIMIT_MAX events per call
+        // (default 100, capped at 1000) starting at `since_seq`. rebuildObservedState
+        // folds terminal signals (gate.met/run.stopped/merge.succeeded/ci.failed)
+        // ONLY from the events it is handed, so a single capped page silently hides
+        // recent terminal signals once the (scoped) result grows past one page —
+        // done-detection then breaks. Drain the COMPLETE history by paginating on the
+        // `next_seq` cursor until a short (or empty) page signals the tail.
+        if (runIds !== undefined && runIds.length === 0) {
+            return [];
+        }
+        const runIdsFilter = runIds && runIds.length > 0 ? { run_ids: [...runIds] } : undefined;
+        const events = [];
+        let sinceSeq = 1;
+        // Retention caps (retention_days/retention_max_rows) bound the ledger, but
+        // cap total iterations defensively against a non-advancing cursor.
+        const MAX_PAGES = 10_000;
+        for (let page = 0; page < MAX_PAGES; page += 1) {
+            const result = pollConductorEvents({
+                data_mode: "full",
+                since_seq: sinceSeq,
+                limit: POLL_LIMIT_MAX,
+                filter: runIdsFilter,
+            });
+            events.push(...result.events);
+            // Stop on a short/empty page (no more rows) or a cursor that fails to
+            // advance (guards against an infinite loop).
+            if (result.count < POLL_LIMIT_MAX || result.next_seq <= sinceSeq) {
+                break;
+            }
+            sinceSeq = result.next_seq;
+        }
+        return events;
     };
     const escalateOnce = async (ek, reason) => {
         const candidate = {
@@ -618,5 +900,9 @@ export async function buildProductionEpicRuntimeDeps(epicKey) {
         fetchLocalEvents,
         escalateOnce,
         postActionWaitSeam,
+        // BAPI-442 seams are wired at the reconcileDeps level inside runEpicTick
+        // (they need the per-tick `access` and `prBindings` closure). The factory
+        // returns the dispatchSeam with isReReview support; the other two seams are
+        // defined inline in the reconcileDeps object in runEpicTick.
     };
 }

package/build/conductor/epic-state.js

@@ -1,44 +1,63 @@
 /**
  * Pure, deterministic observed-state rebuild + ready-set computation for the
- * Epic Supervisor (BAPI-408).
+ * Epic Supervisor (BAPI-408, BAPI-436).
  *
  * This module has NO I/O, NO timers, and NO LLM calls. Every time-dependent
  * function takes an explicit `now` (epoch ms) so tests are wall-clock
  * independent. Truth precedence: raw local ledger events override non-terminal
  * Postgres states.
+ *
+ * Status mapping (BAPI-436 — merge-gated dependent dispatch):
+ *   gate.met      → ready_for_review  (implementation done; awaiting merge)
+ *   run.stopped   → ready_for_review  (worker session ended; awaiting merge)
+ *   merge.succeeded → done            (merged; dependents may now dispatch)
+ *   ci.failed     → blocked           (unchanged)
  */
 // ---------------------------------------------------------------------------
 // Status sets (module-private)
 // ---------------------------------------------------------------------------
 const NOT_STARTED_STATUS = "planned";
 const DONE_STATUSES = new Set(["done"]);
+// "blocked" is intentionally non-terminal: a merge.succeeded arriving in a
+// subsequent tick (cross-tick) can still advance a blocked ticket to done.
+// This is the expected path when an operator merges a PR despite failed CI.
+// Contrast with the same-tick case: ci.failed wins over merge.succeeded in
+// the same ledger batch (first-signal-wins; see the foldedTicketKeys guard).
 const NON_TERMINAL_STATUSES = new Set([
     "planned",
     "ready",
     "dispatched",
     "running",
     "blocked",
+    "ready_for_review",
 ]);
 const TERMINAL_SIGNAL_TYPES = new Set([
     "gate.met",
     "merge.succeeded",
     "ci.failed",
     "run.stopped",
+    "review.changes_requested",
 ]);
 function isNonTerminal(status) {
     return NON_TERMINAL_STATUSES.has(status);
 }
-function signalToNextStatus(signalType) {
+export function signalToNextStatus(signalType) {
     if (signalType === "ci.failed")
         return "blocked";
-    return "done";
+    if (signalType === "review.changes_requested")
+        return "blocked";
+    if (signalType === "merge.succeeded")
+        return "done";
+    return "ready_for_review"; // gate.met and run.stopped: awaiting merge
 }
 // ---------------------------------------------------------------------------
 // computeReadySet
 // ---------------------------------------------------------------------------
 /**
  * Pure deterministic ready-set computation. Returns ticket keys that:
- *   1. Have status "planned" (not yet started), AND
+ *   1. Have status "planned" (not yet started) or "ready" (crash-recovery —
+ *      a ticket already advanced to ready on a prior tick that crashed before
+ *      dispatch must not be silently dropped), AND
  *   2. Whose full `depends_on` list is satisfied (all deps have "done" status).
  *
  * Never calls an LLM or performs I/O. Goal 8 invariant.
@@ -47,7 +66,7 @@ export function computeReadySet(plan, ticketStatuses) {
     const ready = [];
     for (const ticket of plan.tickets) {
         const currentStatus = ticketStatuses.get(ticket.ticket_key) ?? "planned";
-        if (currentStatus !== NOT_STARTED_STATUS)
+        if (currentStatus !== NOT_STARTED_STATUS && currentStatus !== "ready")
             continue;
         const allDepsResolved = ticket.depends_on.every((dep) => DONE_STATUSES.has(ticketStatuses.get(dep) ?? "planned"));
         if (allDepsResolved)
@@ -55,6 +74,46 @@ export function computeReadySet(plan, ticketStatuses) {
     }
     return ready;
 }
+/**
+ * Pure, deterministic remediation decision (no I/O, no clock). Given the current
+ * budget counters, the ledger-derived worker liveness, and the configured
+ * ceilings, decide whether to NUDGE (worker still alive), RE-DISPATCH (worker
+ * gone, budget remaining), or ESCALATE (budget exhausted).
+ *
+ * Budget exhaustion is checked FIRST so an at-ceiling ticket always escalates
+ * regardless of liveness. A counter at-or-above its ceiling exhausts the budget.
+ */
+export function decideRemediation(attempts, noProgressAttempts, alive, config) {
+    if (attempts >= config.max_remediation_attempts ||
+        noProgressAttempts >= config.max_remediation_no_progress_attempts) {
+        return "escalate";
+    }
+    return alive ? "nudge" : "redispatch";
+}
+/**
+ * Pure liveness extraction (no I/O, explicit `nowMs`). Finds the most recent
+ * `message.delivered`/`message.acked` heartbeat event for `runId` and reports
+ * the worker alive when that heartbeat's age is within
+ * `windowSeconds`. An empty ledger (no heartbeat for the run) defaults to
+ * `{ alive: false, workerId: null }` (fail-closed: never misjudge a worker
+ * alive without evidence).
+ */
+export function extractWorkerLiveness(events, runId, nowMs, windowSeconds) {
+    let latest = null;
+    for (const ev of events) {
+        if (ev.run_id !== runId)
+            continue;
+        if (ev.type !== "message.delivered" && ev.type !== "message.acked")
+            continue;
+        if (!latest || new Date(ev.time).getTime() > new Date(latest.time).getTime()) {
+            latest = ev;
+        }
+    }
+    if (!latest)
+        return { alive: false, workerId: null };
+    const age = nowMs - new Date(latest.time).getTime();
+    return { alive: age <= windowSeconds * 1000, workerId: latest.worker_id ?? null };
+}
 // ---------------------------------------------------------------------------
 // rebuildObservedState
 // ---------------------------------------------------------------------------
@@ -75,14 +134,23 @@ export function rebuildObservedState(postgresState, events, _now) {
     // Populate base maps from Postgres
     const ticketStatusMap = new Map();
     const ticketRowVersionMap = new Map();
+    const ticketRemediationMap = new Map();
     for (const ts of ticket_statuses) {
         ticketStatusMap.set(ts.ticket_key, ts.status);
         ticketRowVersionMap.set(ts.ticket_key, ts.row_version);
+        ticketRemediationMap.set(ts.ticket_key, {
+            attempts: ts.remediation_attempts ?? 0,
+            no_progress: ts.remediation_no_progress_attempts ?? 0,
+        });
     }
     const unfoldedSignals = [];
     const pendingMergeEvents = [];
     // Track which tickets already have a folded signal (one override per ticket)
     const foldedTicketKeys = new Set();
+    // BAPI-441: per-ticket latest blocking reason (ci.failed / review.changes_requested),
+    // tracked across the full ledger so an already-blocked ticket still carries a
+    // reason for the remediation pass to frame the nudge.
+    const ticketBlockedReasons = new Map();
     for (const event of events) {
         if (!TERMINAL_SIGNAL_TYPES.has(event.type))
             continue;
@@ -91,16 +159,45 @@ export function rebuildObservedState(postgresState, events, _now) {
         const ticketKey = runId ? runIdToTicketKey.get(runId) : undefined;
         if (!ticketKey)
             continue;
-        if (event.type === "gate.met") {
-            pendingMergeEvents.push(event);
+        // Record the blocking reason (latest wins; events are seq-ordered) regardless
+        // of fold state, so a ticket blocked on a prior tick still resolves a reason.
+        if (event.type === "ci.failed" || event.type === "review.changes_requested") {
+            ticketBlockedReasons.set(ticketKey, event.type);
         }
         const postgresStatus = ticketStatusMap.get(ticketKey) ?? "planned";
         if (!isNonTerminal(postgresStatus))
             continue;
-        if (foldedTicketKeys.has(ticketKey))
-            continue;
+        // Only queue for merge actioning if this ticket hasn't already been folded
+        // this tick. Without this guard, two gate.met events for the same ticket
+        // would both enqueue, and a ci.failed → gate.met sequence would enqueue a
+        // merge action for a ticket whose effective status is "blocked".
+        if (event.type === "gate.met" && !foldedTicketKeys.has(ticketKey)) {
+            pendingMergeEvents.push(event);
+        }
         const signalType = event.type;
         const nextStatus = signalToNextStatus(signalType);
+        if (foldedTicketKeys.has(ticketKey)) {
+            // Allow a same-tick upgrade from ready_for_review → done when
+            // merge.succeeded arrives after gate.met in the same ledger batch.
+            // First-signal-wins for everything else: if ci.failed arrived first,
+            // currentLocalStatus is "blocked" (not "ready_for_review"), so the
+            // upgrade guard below is false and merge.succeeded is intentionally
+            // dropped — a failed-CI ticket must not be silently advanced to done.
+            const currentLocalStatus = ticketStatusMap.get(ticketKey);
+            if (currentLocalStatus === "ready_for_review" && nextStatus === "done") {
+                const existingIdx = unfoldedSignals.findIndex((s) => s.ticket_key === ticketKey);
+                if (existingIdx >= 0) {
+                    unfoldedSignals[existingIdx] = {
+                        ...unfoldedSignals[existingIdx],
+                        next_status: nextStatus,
+                        signal_type: signalType,
+                        event,
+                    };
+                    ticketStatusMap.set(ticketKey, nextStatus);
+                }
+            }
+            continue;
+        }
         const rowVersion = ticketRowVersionMap.get(ticketKey) ?? 0;
         unfoldedSignals.push({
             ticket_key: ticketKey,
@@ -119,6 +216,8 @@ export function rebuildObservedState(postgresState, events, _now) {
         plan_version: epic_run.current_plan_version,
         ticket_statuses: ticketStatusMap,
         ticket_row_versions: ticketRowVersionMap,
+        ticket_remediation_counters: ticketRemediationMap,
+        ticket_blocked_reasons: ticketBlockedReasons,
         unfolded_terminal_signals: unfoldedSignals,
         pending_merge_events: pendingMergeEvents,
     };

package/build/conductor/git-ci-types.js

@@ -25,8 +25,14 @@ export const GIT_CI_PRODUCER = "git-pr-ci-producer";
 export const GIT_HOOK_PRODUCER = "git-hook";
 /** The single v1 done-gate condition type. */
 export const REQUIRED_CI_CHECKS_GREEN = "required_ci_checks_green";
+/** The v2 review-state done-gate condition type. */
+export const REVIEW_STATE = "review_state";
 /** Default gate name surfaced in `gate.met` event data. */
 export const DEFAULT_GATE_NAME = "done";
+/** Event type emitted when the configured review source is satisfied. */
+export const REVIEW_PASSED = "review.passed";
+/** Event type emitted when a reviewer requests changes. */
+export const REVIEW_CHANGES_REQUESTED = "review.changes_requested";
 /** Matches ASCII control characters (C0 range plus DEL). */
 const CONTROL_CHAR_RE = /[\u0000-\u001F\u007F]/;
 /** Matches a 40- or 64-character hex string (git SHA-1 / SHA-256 object ids). */