@codedrifters/configulator 0.0.327 → 0.0.329

package/lib/index.mjs

@@ -2252,6 +2252,55 @@ function renderSharedEditingRuleContent(se) {
     }
   }
   lines.push(
+    "## Defer Shared-Index Commit to Final Pre-Push Step",
+    "",
+    "Even with the single-entry, deterministic-sort discipline above,",
+    "two sessions that **prepare** their row inserts at the same time",
+    "still race on push: whichever session pushes second sees the",
+    "first session's commit on the remote and has to rebase its own",
+    "commit on top, regenerating the same insert position calculation",
+    "against a now-changed file. Repeated rebases multiply the chance",
+    "of a mis-merge that silently drops a row.",
+    "",
+    "Sessions that produce both content and a shared-index row insert",
+    "shrink this race window by deferring the index commit to the",
+    "**final pre-push step** \u2014 after every content commit has landed",
+    "locally, and immediately before `git push`:",
+    "",
+    "1. **Commit content first.** Write and commit every non-index",
+    "   change that the session produces (profile body, transcript",
+    "   extraction, requirement document, etc.) in its own focused",
+    "   commit or commits.",
+    "2. **Rebase against the remote default branch** before touching",
+    "   the shared index:",
+    "",
+    "   ```bash",
+    "   git fetch origin",
+    `   git pull --${se.conflictStrategy} origin <default-branch>`,
+    "   ```",
+    "",
+    "3. **Re-read the shared index** from the now-up-to-date working",
+    "   tree. Another session may have appended a row while this",
+    "   session's content commits were in flight.",
+    "4. **Re-compute the insert position** in declared sort order",
+    "   against the freshly-read rows. Do not assume the position",
+    "   computed earlier in the session is still correct.",
+    "5. **Insert the row and commit the index edit on its own** \u2014",
+    "   one focused commit whose only file is the shared index. Run",
+    "   the commit-path verification (above) against that commit",
+    "   before continuing.",
+    "6. **Push immediately.** The shorter the wall-clock gap between",
+    "   the rebase / re-read in step 2 and the push, the smaller the",
+    "   window in which another session can land a competing row.",
+    "",
+    "Per-agent workflows that touch a shared index file should call",
+    "out this defer-to-final-commit sequence explicitly \u2014 see the",
+    "`meeting-analyst` and `software-profile-analyst` sub-agent",
+    "prompts for the canonical wording. The pattern is mechanical",
+    "(rebase, re-read, re-compute, focused commit, push) rather than",
+    "editorial, so the same recipe applies to every shared-index",
+    "row-producing agent regardless of what content surrounds it.",
+    "",
     "## Merge-Conflict Resolution",
     "",
     "When `git push` reports a conflict on a shared index file (two",
@@ -2299,9 +2348,14 @@ function renderSharedEditingBundleHook(se, bundleLabel) {
     "the latest default branch before editing, insert exactly one row",
     "in deterministic sort position, commit the index edit in its own",
     "focused commit, and verify the row is present in the commit",
-    "before pushing. See the `shared-editing-safety` rule for the",
-    "full protocol, the list of files covered, and the",
-    "merge-conflict resolution recipe."
+    "before pushing. **Defer the index commit to the final pre-push",
+    "step** \u2014 land every content commit first, then rebase against",
+    "the remote default branch, re-read the index, re-compute the",
+    "insert position, write the row, commit the index on its own,",
+    "and push immediately. See the `shared-editing-safety` rule for",
+    "the full protocol, the list of files covered, the",
+    "defer-to-final-commit sequence, and the merge-conflict",
+    "resolution recipe."
   ].join("\n");
 }
 function renderSharedEditingHelperScript(_se) {
@@ -9762,6 +9816,395 @@ var setIssueTypeProcedure = {
     `echo "$result" | jq -c '.data.updateIssueIssueType.issue'`
   ].join("\n")
 };
+var cleanMergedBranchesProcedure = {
+  name: "clean-merged-branches.sh",
+  description: "Analyse local branches and classify each as MERGED, UNMERGED, EMPTY, or SKIP_WORKTREE against a base branch (default: main). Analysis-only \u2014 never deletes branches. Handles squash merges via content equality.",
+  content: [
+    "#!/usr/bin/env bash",
+    "# clean-merged-branches.sh \u2014 Analyse local branches against a base.",
+    "#",
+    "# Reports each local branch (other than HEAD and the base branch) as",
+    "# MERGED, UNMERGED, EMPTY, or SKIP_WORKTREE. MERGED means every file the",
+    "# branch added or modified now matches the base \u2014 so the branch content",
+    "# is fully on the base even when the merge was a squash.",
+    "#",
+    "# This procedure is analysis-only. It never runs `git branch -D`. The",
+    "# /clean-merged-branches slash-command skill wraps it with the deletion",
+    "# prompt; the procedure itself is safe to invoke non-interactively from",
+    "# any agent.",
+    "#",
+    "# Usage:",
+    "#   .claude/procedures/clean-merged-branches.sh             # default base: main",
+    "#   .claude/procedures/clean-merged-branches.sh --base develop",
+    "#",
+    "# Output (one line per branch, stable format for grepping):",
+    "#   MERGED       <branch>  files=<n>",
+    "#   UNMERGED     <branch>  files=<n>  differs=<n>",
+    "#   EMPTY        <branch>",
+    "#   SKIP_WORKTREE <branch>  worktree=<path>",
+    "#",
+    "# Exit codes:",
+    "#   0 \u2014 analysis completed (whether or not any MERGED branches were found)",
+    "#   2 \u2014 argument error",
+    "#   3 \u2014 required command not on PATH",
+    "#   4 \u2014 not a git repository",
+    "",
+    "set -uo pipefail",
+    "",
+    "# \u2500\u2500 helpers \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
+    "",
+    "err() {",
+    '  printf "clean-merged-branches.sh: %s\\n" "$*" >&2',
+    "}",
+    "",
+    "usage() {",
+    "  cat >&2 <<'USAGE'",
+    "Usage: clean-merged-branches.sh [--base <name>]",
+    "",
+    "  --base <name>   Base branch to compare against (default: main; falls",
+    "                  back to whatever origin/HEAD points at if main is",
+    "                  not present locally).",
+    "",
+    "Reports MERGED / UNMERGED / EMPTY / SKIP_WORKTREE for every local",
+    "branch other than HEAD and the base branch. Does not delete anything.",
+    "USAGE",
+    "}",
+    "",
+    "# \u2500\u2500 argument parsing \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
+    "",
+    'base=""',
+    "while [[ $# -gt 0 ]]; do",
+    '  case "$1" in',
+    "    --base)",
+    '      if [[ $# -lt 2 || -z "${2:-}" ]]; then',
+    '        err "--base requires a value"',
+    "        usage",
+    "        exit 2",
+    "      fi",
+    '      base="$2"',
+    "      shift 2",
+    "      ;;",
+    "    -h|--help)",
+    "      usage",
+    "      exit 0",
+    "      ;;",
+    "    *)",
+    '      err "unknown argument: $1"',
+    "      usage",
+    "      exit 2",
+    "      ;;",
+    "  esac",
+    "done",
+    "",
+    "# \u2500\u2500 dependency checks \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
+    "",
+    "for cmd in git; do",
+    '  if ! command -v "$cmd" >/dev/null 2>&1; then',
+    '    err "required command not found on PATH: $cmd"',
+    "    exit 3",
+    "  fi",
+    "done",
+    "",
+    "# \u2500\u2500 repo + base resolution \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
+    "",
+    "if ! git rev-parse --git-dir >/dev/null 2>&1; then",
+    '  err "not inside a git repository"',
+    "  exit 4",
+    "fi",
+    "",
+    "# Default base = main if it exists locally, otherwise whatever",
+    "# origin/HEAD points at (e.g. master, trunk, develop).",
+    'if [[ -z "$base" ]]; then',
+    '  if git show-ref --verify --quiet "refs/heads/main"; then',
+    '    base="main"',
+    "  else",
+    "    origin_head=$(git symbolic-ref --short refs/remotes/origin/HEAD 2>/dev/null || true)",
+    '    if [[ -n "$origin_head" ]]; then',
+    '      base="${origin_head#origin/}"',
+    "    else",
+    '      base="main"',
+    "    fi",
+    "  fi",
+    "fi",
+    "",
+    "# Verify the chosen base actually exists as a local branch.",
+    'if ! git show-ref --verify --quiet "refs/heads/$base"; then',
+    `  err "base branch '$base' does not exist locally"`,
+    "  exit 4",
+    "fi",
+    "",
+    "# Refresh remote-tracking refs and prune deleted upstream branches",
+    "# so the gone-upstream signal is fresh (best effort \u2014 never fatal).",
+    "git fetch --prune origin >/dev/null 2>&1 || true",
+    "",
+    'current=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "")',
+    "",
+    "# \u2500\u2500 worktree map (branch -> worktree path, excluding the current) \u2500\u2500\u2500",
+    "",
+    "# Use git worktree list --porcelain to detect any branch checked out in",
+    "# a separate worktree. We must skip those because `git branch -D` would",
+    "# refuse to delete a branch that is checked out elsewhere.",
+    "#",
+    "# We use parallel arrays (not an associative array) to stay compatible",
+    "# with bash 3 \u2014 macOS still ships bash 3.2 as /bin/bash, and the script",
+    "# is invoked via #!/usr/bin/env bash which picks whichever bash is",
+    "# first on PATH. Lookups are O(n) but n is tiny (worktree count).",
+    "worktree_branches=()",
+    "worktree_paths=()",
+    'cwd_top=$(git rev-parse --show-toplevel 2>/dev/null || echo "")',
+    'wt_path=""',
+    "while IFS= read -r line; do",
+    '  case "$line" in',
+    "    worktree\\ *)",
+    '      wt_path="${line#worktree }"',
+    "      ;;",
+    "    branch\\ *)",
+    '      wt_branch="${line#branch refs/heads/}"',
+    "      # Skip the worktree that matches the current top-level \u2014 that one",
+    "      # is the *current* checkout; skipping HEAD is handled separately.",
+    '      if [[ -n "$wt_path" && "$wt_path" != "$cwd_top" ]]; then',
+    '        worktree_branches+=("$wt_branch")',
+    '        worktree_paths+=("$wt_path")',
+    "      fi",
+    '      wt_path=""',
+    "      ;;",
+    '    "")',
+    '      wt_path=""',
+    "      ;;",
+    "  esac",
+    "done < <(git worktree list --porcelain 2>/dev/null)",
+    "",
+    "# Echo the worktree path for the given branch, or empty string if the",
+    "# branch is not checked out in another worktree.",
+    "lookup_worktree() {",
+    '  local needle="$1"',
+    "  local i",
+    '  for i in "${!worktree_branches[@]}"; do',
+    '    if [[ "${worktree_branches[$i]}" == "$needle" ]]; then',
+    `      printf '%s\\n' "\${worktree_paths[$i]}"`,
+    "      return 0",
+    "    fi",
+    "  done",
+    "  return 0",
+    "}",
+    "",
+    "# \u2500\u2500 walk local branches \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
+    "",
+    'echo "Analysing local branches against ${base}\u2026"',
+    "echo",
+    "",
+    "while IFS= read -r branch; do",
+    '  [[ -z "$branch" ]] && continue',
+    '  [[ "$branch" == "$base" ]] && continue',
+    '  [[ "$branch" == "$current" ]] && continue',
+    "",
+    '  wt=$(lookup_worktree "$branch")',
+    '  if [[ -n "$wt" ]]; then',
+    `    printf 'SKIP_WORKTREE %s  worktree=%s\\n' "$branch" "$wt"`,
+    "    continue",
+    "  fi",
+    "",
+    '  mb=$(git merge-base "$base" "$branch" 2>/dev/null || true)',
+    '  if [[ -z "$mb" ]]; then',
+    "    # No common ancestor with base \u2014 treat as UNMERGED (don't risk it).",
+    `    printf 'UNMERGED     %s  files=?  differs=?\\n' "$branch"`,
+    "    continue",
+    "  fi",
+    "",
+    '  files=$(git diff --name-only "$mb" "$branch" 2>/dev/null || true)',
+    '  if [[ -z "$files" ]]; then',
+    `    printf 'EMPTY        %s\\n' "$branch"`,
+    "    continue",
+    "  fi",
+    "",
+    "  # Count how many of those files still differ from the base today.",
+    "  # We use NUL-delimited git output to survive filenames with spaces.",
+    "  diff_count=0",
+    "  while IFS= read -r -d '' f; do",
+    "    diff_count=$((diff_count + 1))",
+    '  done < <(git diff -z --name-only "$branch" "$base" -- $files 2>/dev/null)',
+    "",
+    `  total=$(echo "$files" | wc -l | tr -d ' ')`,
+    "",
+    '  if [[ "$diff_count" -eq 0 ]]; then',
+    `    printf 'MERGED       %s  files=%s\\n' "$branch" "$total"`,
+    "  else",
+    `    printf 'UNMERGED     %s  files=%s  differs=%s\\n' "$branch" "$total" "$diff_count"`,
+    "  fi",
+    "done < <(git branch --format='%(refname:short)')",
+    "",
+    "exit 0"
+  ].join("\n")
+};
+var cleanMergedBranchesSkill = {
+  name: "clean-merged-branches",
+  description: "Report every local branch as MERGED or UNMERGED against the base (handles squash merges via content equality), then prompt the user to force-delete the MERGED list. Defaults base to main; --base overrides. Skips current branch, base branch, and any branch checked out in another worktree.",
+  disableModelInvocation: true,
+  userInvocable: true,
+  platforms: { cursor: { exclude: true } },
+  instructions: [
+    "# Clean Merged Branches",
+    "",
+    "Identify local branches whose content is fully on the base branch \u2014",
+    "including branches that were squash-merged (where `git branch -d`",
+    "refuses because the branch commits are not ancestors of the base) \u2014",
+    "report them to the user, and force-delete them after explicit",
+    "confirmation.",
+    "",
+    "## Usage",
+    "",
+    "```",
+    "/clean-merged-branches                # default base: main",
+    "/clean-merged-branches --base develop # custom base branch",
+    "```",
+    "",
+    "### Flags",
+    "",
+    "- **`--base <name>`** \u2014 base branch to compare against. Defaults to",
+    "  `main`; falls back to whatever `origin/HEAD` points at if `main`",
+    "  does not exist locally.",
+    "",
+    "## What This Skill Does",
+    "",
+    "1. **Analyse.** Runs `.claude/procedures/clean-merged-branches.sh`",
+    "   (passing through any `--base` flag). The procedure walks every",
+    "   local branch and prints one stable log line per branch:",
+    "   - `MERGED       <branch>  files=<n>` \u2014 every file the branch added",
+    "     or modified now matches the base. Safe to delete.",
+    "   - `UNMERGED     <branch>  files=<n>  differs=<n>` \u2014 branch content",
+    "     still differs from the base. Do NOT delete.",
+    "   - `EMPTY        <branch>` \u2014 branch has no file changes vs. its",
+    "     merge-base. Safe to delete.",
+    "   - `SKIP_WORKTREE <branch>  worktree=<path>` \u2014 branch is checked",
+    "     out in another worktree. Skipped (cannot be deleted while it's",
+    "     in use).",
+    "",
+    "2. **Confirm.** If the report turns up at least one `MERGED` (or",
+    "   `EMPTY`) branch, print the exact deletion list and a single",
+    "   `[y/N]` prompt. Empty input defaults to **no** and aborts.",
+    "",
+    "3. **Delete.** On explicit `y` / `Y`, run `git branch -D <branch>`",
+    "   for each confirmed branch and emit one `DELETED <branch>` line",
+    "   per success. On any other answer (including empty input),",
+    "   abort with `Aborted. No branches deleted.` and exit cleanly.",
+    "",
+    "If the report finds zero deletable branches, exit cleanly without",
+    "prompting \u2014 there is nothing to confirm.",
+    "",
+    "## Behaviour Guarantees",
+    "",
+    "- **Always skip the current branch and the base branch.** The",
+    "  procedure enforces this; the skill never needs to filter again.",
+    "- **Never delete without an explicit `y`.** The default on empty",
+    "  input is no. The skill never runs `git branch -D` until after",
+    "  the prompt returns `y` or `Y`.",
+    "- **Content equality is the proof.** A branch classifies as",
+    "  `MERGED` when every file it added or modified matches the base",
+    "  today \u2014 handles squash merges, file deletions, and renames.",
+    "  The `[origin/<branch>: gone]` indicator is a useful secondary",
+    "  signal but is NOT the deletion gate.",
+    "- **Safe across worktrees.** Branches checked out in another",
+    "  worktree are logged as `SKIP_WORKTREE` and excluded from the",
+    "  deletion list.",
+    "",
+    "## Output",
+    "",
+    "The procedure's per-branch log lines first, then (if any deletable",
+    "branches exist) the confirmation prompt, then one `DELETED <branch>`",
+    "line per successful deletion or `Aborted. No branches deleted.`",
+    "on abort.",
+    "",
+    "## Implementation Recipe",
+    "",
+    "```bash",
+    "# 1. Run the analysis-only procedure and capture its output.",
+    'report=$(.claude/procedures/clean-merged-branches.sh "$@")',
+    'printf "%s\\n" "$report"',
+    "",
+    "# 2. Extract the MERGED + EMPTY branch names from the report.",
+    "mergeable=()",
+    "while IFS= read -r line; do",
+    '  case "$line" in',
+    '    "MERGED "*|"EMPTY "*)',
+    "      # The branch name is the second whitespace-delimited token.",
+    `      branch=$(echo "$line" | awk '{print $2}')`,
+    '      [[ -n "$branch" ]] && mergeable+=("$branch")',
+    "      ;;",
+    "  esac",
+    'done <<< "$report"',
+    "",
+    "# 3. If nothing to delete, exit cleanly without prompting.",
+    "if [[ ${#mergeable[@]} -eq 0 ]]; then",
+    "  echo",
+    '  echo "No merged branches to delete."',
+    "  exit 0",
+    "fi",
+    "",
+    "# 4. Show the list and prompt the user once.",
+    "echo",
+    'echo "The following ${#mergeable[@]} branches are safe to delete:"',
+    `printf '  %s\\n' "\${mergeable[@]}"`,
+    "echo",
+    'read -r -p "Force-delete all ${#mergeable[@]} with git branch -D? [y/N] " answer',
+    "",
+    "# 5. On explicit y/Y only, delete each branch.",
+    'if [[ "$answer" == "y" || "$answer" == "Y" ]]; then',
+    '  for b in "${mergeable[@]}"; do',
+    '    if git branch -D "$b" >/dev/null 2>&1; then',
+    '      echo "DELETED      $b"',
+    "    else",
+    '      echo "DELETE_FAILED $b" >&2',
+    "    fi",
+    "  done",
+    "else",
+    '  echo "Aborted. No branches deleted."',
+    "fi",
+    "```",
+    "",
+    "## Composability",
+    "",
+    "The procedure (`.claude/procedures/clean-merged-branches.sh`) is",
+    "analysis-only and safe to invoke from any agent. The skill is the",
+    "interactive entry point \u2014 use it when a human is at the keyboard.",
+    "Background workers (orchestrator, maintenance-audit) should call",
+    "the procedure directly and report its output without acting on it."
+  ].join("\n"),
+  referenceFiles: [
+    {
+      path: "evals/evals.json",
+      content: JSON.stringify(
+        {
+          skill_name: "clean-merged-branches",
+          evals: [
+            {
+              id: 1,
+              prompt: "/clean-merged-branches",
+              expected_output: "The skill runs the analysis-only `clean-merged-branches.sh` procedure against the current checkout's base branch (default: `main`). Each local branch other than HEAD and `main` is reported on one stable line as `MERGED`, `UNMERGED`, `EMPTY`, or `SKIP_WORKTREE` with a file count. When at least one branch classifies as `MERGED` or `EMPTY`, the skill prints the exact deletion list and prompts `Force-delete all <n> with git branch -D? [y/N]`. On explicit `y` / `Y` it force-deletes each branch with `git branch -D` and emits one `DELETED <branch>` line per success. Empty input or any other answer aborts with `Aborted. No branches deleted.` and no branches are deleted. When zero branches are deletable, the skill exits cleanly without prompting.",
+              files: [],
+              product_context_refs: []
+            },
+            {
+              id: 2,
+              prompt: "/clean-merged-branches --base develop",
+              expected_output: "The skill forwards `--base develop` to the procedure, which compares every local branch (other than HEAD and `develop`) against `develop` instead of `main`. Branches whose content matches `develop` classify as `MERGED`; others as `UNMERGED`. The base-branch override is also reflected in the deletion prompt (`...with git branch -D?`), and the skill never deletes `develop` itself or the current HEAD. If `develop` does not exist as a local branch, the procedure exits non-zero with a clear diagnostic and the skill aborts without prompting.",
+              files: [],
+              product_context_refs: []
+            },
+            {
+              id: 3,
+              prompt: "/clean-merged-branches \u2014 I have a branch called feat/old-feature that I checked out in a sibling worktree under /tmp/work. Confirm it's skipped.",
+              expected_output: "The procedure detects `feat/old-feature` via `git worktree list --porcelain` and reports `SKIP_WORKTREE feat/old-feature  worktree=/tmp/work` instead of classifying it. The branch is excluded from the deletion list shown at the confirmation prompt. Even if the user answers `y`, the skill never runs `git branch -D feat/old-feature` because the branch is not in the mergeable list.",
+              files: [],
+              product_context_refs: []
+            }
+          ]
+        },
+        null,
+        2
+      )
+    }
+  ]
+};
 var githubWorkflowBundle = {
   name: "github-workflow",
   description: "GitHub issue and PR workflow automation patterns",
@@ -9909,9 +10352,36 @@ var githubWorkflowBundle = {
         "- Delegate merge to the `pr-reviewer` sub-agent \u2014 do not merge manually and do not enable auto-merge directly"
       ].join("\n"),
       tags: ["workflow"]
+    },
+    {
+      name: "branch-cleanup",
+      description: "Local-branch hygiene helpers shipped with the github-workflow bundle, including the /clean-merged-branches skill for safely force-deleting branches whose content has already merged into the base (handles squash merges).",
+      scope: AGENT_RULE_SCOPE.ALWAYS,
+      content: [
+        "# Branch Cleanup",
+        "",
+        "Local branches accumulate after every merged PR. In squash-merge",
+        "repositories `git branch -d` refuses to delete them because the",
+        "commit hash on the base differs, even when the branch content is",
+        "fully merged. The `github-workflow` bundle ships two affordances",
+        "that use content-equality (not commit-graph reachability) to",
+        "identify branches safe to force-delete:",
+        "",
+        "- `/clean-merged-branches` \u2014 interactive slash-command skill that",
+        "  classifies every local branch, prompts for confirmation, then",
+        "  runs `git branch -D` on the confirmed list. See",
+        "  `.claude/skills/clean-merged-branches/SKILL.md` for usage,",
+        "  output format, and the squash-merge verification algorithm.",
+        "- `.claude/procedures/clean-merged-branches.sh` \u2014 analysis-only",
+        "  procedure for non-interactive agent use (orchestrator,",
+        "  maintenance-audit). NEVER deletes \u2014 only reports `MERGED` /",
+        "  `UNMERGED` / `EMPTY` / `SKIP_WORKTREE` lines."
+      ].join("\n"),
+      tags: ["workflow"]
     }
   ],
-  procedures: [setIssueTypeProcedure]
+  skills: [cleanMergedBranchesSkill],
+  procedures: [setIssueTypeProcedure, cleanMergedBranchesProcedure]
 };
 
 // src/agent/bundles/industry-discovery.ts
@@ -11548,12 +12018,14 @@ function buildMeetingAnalystSubAgent(tier) {
       "     Interest (signal threshold still applies); capture customer",
       "     pain points as candidate BR (not FR).",
       "",
-      "5. **Maintain the `insights/` tree index.** Ensure",
-      "   `<meetingsRoot>/insights/index.md` and",
+      "5. **Plan the `insights/` tree index update \u2014 do not commit it",
+      "   yet.** Ensure `<meetingsRoot>/insights/index.md` and",
       "   `<meetingsRoot>/insights/{type}/index.md` exist (create them",
-      "   following the `section-index` convention if missing) and append",
-      "   a row for the current meeting's basename if one is not already",
-      "   present.",
+      "   following the `section-index` convention if missing). Note",
+      "   the basename row this phase will eventually append, but",
+      "   **defer** the row insert and its commit to step 8 below so",
+      "   the shared-index commit can land in the smallest possible",
+      "   window before push.",
       "",
       "6. **Create downstream phase issues** using `gh issue create`:",
       "   - Always create a `meeting:notes` issue (blocked on this extract issue)",
@@ -11564,7 +12036,35 @@ function buildMeetingAnalystSubAgent(tier) {
       "   - Always create a `meeting:link` issue \u2014 blocked on the draft issue if one",
       "     was created, otherwise blocked on the notes issue",
       "",
-      "7. Commit, push, and close the extract issue.",
+      "7. **Commit the extraction content first.** Stage and commit",
+      "   the `insights/{type}/<basename>.md` file (and any newly",
+      "   created `insights/index.md` / `insights/{type}/index.md`",
+      "   stub pages from step 5 that do not yet exist on the remote)",
+      "   in a single focused commit. **Do not push yet.**",
+      "",
+      "8. **Defer the shared-index row insert to a final pre-push",
+      "   commit.** Per the `shared-editing-safety` rule's",
+      "   **Defer Shared-Index Commit to Final Pre-Push Step**",
+      "   subsection, the index update for an existing",
+      "   `insights/{type}/index.md` is a **shared-index row insert**",
+      "   that races other parallel meeting sessions writing rows into",
+      "   the same partition file. Apply the deferred sequence:",
+      "",
+      "   ```bash",
+      "   git fetch origin",
+      "   git pull --rebase origin <default-branch>",
+      "   ```",
+      "",
+      "   Re-read `insights/{type}/index.md` from the now-up-to-date",
+      "   working tree, re-compute the alphabetical insert position",
+      "   for the current meeting's basename row (another session may",
+      "   have appended a sibling row in the meantime), insert exactly",
+      "   one row, and commit the index edit in its **own focused",
+      "   commit** whose only file is the shared index. Run the",
+      "   commit-path verification step (`git show HEAD:<index-path>`",
+      "   + grep count) against that commit before pushing.",
+      "",
+      "9. **Push and close.** Push the branch and close the extract issue.",
       "",
       "---",
       "",
@@ -11624,13 +12124,41 @@ function buildMeetingAnalystSubAgent(tier) {
       "   - Action Items (table: who, what, when)",
       "   - Open Questions",
       "   - Follow-up items",
-      "4. **Maintain the `notes/` tree index.** Ensure",
-      "   `<meetingsRoot>/notes/index.md` and",
+      "4. **Plan the `notes/` tree index update \u2014 do not commit it",
+      "   yet.** Ensure `<meetingsRoot>/notes/index.md` and",
       "   `<meetingsRoot>/notes/{type}/index.md` exist (create them",
-      "   following the `section-index` convention if missing) and append",
-      "   a row for the current meeting's basename if one is not already",
-      "   present.",
-      "5. Commit, push, and close the notes issue.",
+      "   following the `section-index` convention if missing). Note",
+      "   the basename row this phase will eventually append, but",
+      "   **defer** the row insert and its commit to step 6 below so",
+      "   the shared-index commit can land in the smallest possible",
+      "   window before push.",
+      "5. **Commit the notes content first.** Stage and commit the",
+      "   `notes/{type}/<basename>.md` file (and any newly created",
+      "   `notes/index.md` / `notes/{type}/index.md` stub pages from",
+      "   step 4 that do not yet exist on the remote) in a single",
+      "   focused commit. **Do not push yet.**",
+      "6. **Defer the shared-index row insert to a final pre-push",
+      "   commit.** Per the `shared-editing-safety` rule's",
+      "   **Defer Shared-Index Commit to Final Pre-Push Step**",
+      "   subsection, the index update for an existing",
+      "   `notes/{type}/index.md` is a **shared-index row insert**",
+      "   that races other parallel meeting sessions writing rows",
+      "   into the same partition file. Apply the deferred sequence:",
+      "",
+      "   ```bash",
+      "   git fetch origin",
+      "   git pull --rebase origin <default-branch>",
+      "   ```",
+      "",
+      "   Re-read `notes/{type}/index.md` from the now-up-to-date",
+      "   working tree, re-compute the alphabetical insert position",
+      "   for the current meeting's basename row (another session may",
+      "   have appended a sibling row in the meantime), insert exactly",
+      "   one row, and commit the index edit in its **own focused",
+      "   commit** whose only file is the shared index. Run the",
+      "   commit-path verification step against that commit before",
+      "   pushing.",
+      "7. Push and close the notes issue.",
       "",
       "---",
       "",
@@ -15272,12 +15800,25 @@ var issueWorkerSubAgent = {
     "   `file` (and optional `line`). Track `comment_id` per item so you can",
     "   report which items were handled and which (if any) failed.",
     "",
-    "   **Synthetic rebase items.** A `comment_id` of",
-    "   `synthetic:rebase-behind-main` is the reviewer's signal that the",
-    "   PR's head branch is BEHIND the default branch with merge conflicts",
-    "   that `gh pr update-branch` could not resolve. For this item only,",
-    "   the work is **not** an editorial change \u2014 it is a rebase plus",
-    "   conflict resolution. Run the following sequence:",
+    "   **Synthetic rebase items.** Two `comment_id` values flag the",
+    "   reviewer's signal that the PR's head branch is BEHIND the default",
+    "   branch with merge conflicts that `gh pr update-branch` could not",
+    "   resolve. For either item the work is **not** an editorial change",
+    "   \u2014 it is a rebase plus conflict resolution. The two ids select",
+    "   different recipes:",
+    "",
+    "   - `synthetic:rebase-behind-main` \u2014 generic conflict. Resolve",
+    "     each conflicting file by hand (read both sides, reconcile,",
+    "     stage), then `git rebase --continue` until the rebase",
+    "     completes.",
+    "   - `synthetic:rebase-shared-index` \u2014 every conflicting file is a",
+    "     row-insert race on a shared-index file (registry / index /",
+    "     feature-matrix under a Starlight content root). Apply the",
+    "     explicit re-insert recipe carried in the item's `instruction`",
+    "     field \u2014 do **not** hand-merge.",
+    "",
+    "   **For `synthetic:rebase-behind-main`.** Run the following",
+    "   sequence:",
     "",
     "   ```bash",
     "   git fetch origin",
@@ -15301,6 +15842,75 @@ var issueWorkerSubAgent = {
     "   history. Push with a regular non-force `git push origin <branch>`",
     "   and report the rebased head SHA as the worker's commit.",
     "",
+    "   **For `synthetic:rebase-shared-index`.** Apply the typed",
+    "   re-insert recipe step-by-step. Read the recipe verbatim from the",
+    "   item's `instruction` field; the steps below summarise the",
+    "   contract the reviewer encodes and the precondition guards you",
+    "   must enforce:",
+    "",
+    "   1. **Pull and rebase** onto the default branch:",
+    "",
+    "      ```bash",
+    "      git fetch origin",
+    "      git pull --rebase origin {{repository.defaultBranch}}",
+    "      ```",
+    "",
+    "   2. **For each conflicting file**, inspect the conflict markers",
+    "      against the shared-index glob set and the precondition",
+    "      guards. The shared-index globs (sourced from the",
+    "      `shared-editing-safety` rule) are:",
+    "",
+    ...DEFAULT_SHARED_INDEX_PATHS.map((p) => `      - \`${p}\``),
+    "",
+    "      **Precondition guards.** Before re-inserting, confirm every",
+    "      `<<<<<<<` / `=======` / `>>>>>>>` hunk in the file touches",
+    "      only data rows (lines starting with `| ` that are not the",
+    "      table header or `|---|---|` separator). If any hunk touches",
+    "      the frontmatter (lines between the opening / closing `---`",
+    "      fences), the page H1, surrounding prose paragraphs, the",
+    "      table header row, or the separator row, **stop**, run",
+    "      `git rebase --abort`, and record the item as `failed` with",
+    "      the structured marker `BLOCKED <reason>` (e.g.",
+    "      `BLOCKED conflict touches table header in <path>`). Do not",
+    "      hand-merge \u2014 the typed recipe applies only to pure",
+    "      row-insert races.",
+    "",
+    "      When the guards pass, read the rebased version of the file",
+    "      (it now contains the other PR's row), extract this PR's row",
+    "      from the `<<<<<<<` side of the conflict markers, re-insert",
+    "      that row in declared sort order using the file's documented",
+    "      sort key (alphabetical on the first column by default), and",
+    "      stage the file:",
+    "",
+    "      ```bash",
+    "      git add <path>",
+    "      ```",
+    "",
+    "   3. **Run the commit-path verification** for each re-inserted",
+    "      row. The marker must appear exactly once in the staged file",
+    "      (zero means missing, more than one means duplicated by a",
+    "      mis-merge):",
+    "",
+    "      ```bash",
+    '      count=$(git show :<path> | grep -Fc "<row-unique-marker>")',
+    '      [ "$count" = "1" ] || { echo "BLOCKED verification failed for <path>"; exit 1; }',
+    "      ```",
+    "",
+    "   4. **Continue the rebase and push** with a non-force push once",
+    "      every file is staged and verified:",
+    "",
+    "      ```bash",
+    "      git rebase --continue",
+    "      git push origin <branch>",
+    "      ```",
+    "",
+    "   On any `BLOCKED` precondition failure, exit non-zero with the",
+    "   `BLOCKED <reason>` line, run `git rebase --abort`, record the",
+    "   item as `failed`, and proceed to the report step. The reviewer",
+    "   will see the `failed` outcome on the next pass and fall through",
+    "   to the human-required hand-off via `review:awaiting-human`. Do",
+    "   not force-push under any circumstance.",
+    "",
     "4. When complete, prepare a short structured report (PR number, commit",
     "   SHAs you will push, items handled by `comment_id`, items that failed",
     "   to apply) \u2014 you will return this after Phase 6.",
@@ -15364,11 +15974,11 @@ var issueWorkerSubAgent = {
     "",
     "**Synthetic-rebase items skip the `fix(review)` commit.** When the",
     "fix-list contained a `comment_id` of `synthetic:rebase-behind-main`",
-    "and you completed the rebase in Phase 4, the rebased commit history",
-    "is itself the deliverable \u2014 there is no per-item editorial change to",
-    "wrap in a `fix(review)` commit. Skip `git add` / `git commit` /",
-    "`git pull --rebase` for that item and push the rebased branch",
-    "directly:",
+    "or `synthetic:rebase-shared-index` and you completed the rebase in",
+    "Phase 4, the rebased commit history is itself the deliverable \u2014",
+    "there is no per-item editorial change to wrap in a `fix(review)`",
+    "commit. Skip `git add` / `git commit` / `git pull --rebase` for",
+    "that item and push the rebased branch directly:",
     "",
     "```bash",
     "git push origin <branch-name>",
@@ -16779,6 +17389,32 @@ var pnpmBundle = {
   ]
 };
 
+// src/agent/bundles/pr-review-policy.ts
+var DEFAULT_PATHS_EXEMPT_FROM_SIZE = [
+  "docs/**"
+];
+function resolvePrReviewPolicy(config) {
+  const pathsExemptFromSize = config?.autoMerge?.pathsExemptFromSize ?? DEFAULT_PATHS_EXEMPT_FROM_SIZE;
+  assertValidPathsExemptFromSize(pathsExemptFromSize);
+  return {
+    autoMerge: {
+      pathsExemptFromSize: [...pathsExemptFromSize]
+    }
+  };
+}
+function validatePrReviewPolicyConfig(config) {
+  return resolvePrReviewPolicy(config);
+}
+function assertValidPathsExemptFromSize(paths) {
+  for (const path8 of paths) {
+    if (typeof path8 !== "string" || path8.trim().length === 0) {
+      throw new Error(
+        "prReviewPolicy.autoMerge.pathsExemptFromSize entries must be non-empty strings"
+      );
+    }
+  }
+}
+
 // src/agent/bundles/pr-review.ts
 var prReviewerSubAgent = {
   name: "pr-reviewer",
@@ -16969,11 +17605,16 @@ var prReviewerSubAgent = {
     "### Step 2: Evaluate in precedence order",
     "",
     "Walk the following checks in order. The **first match wins** and fixes",
-    "the mode; record the triggering condition as the `reason`. Mixed-match",
-    "PRs (signals from both sides) resolve conservatively to",
-    "`human-required` \u2014 force-auto only wins when it is the single highest",
-    "match and no later human-required signal changes the outcome under",
-    "step 2c.",
+    "the mode; record the triggering condition as the `reason` **and**",
+    "record the numeric **`matched_rule`** index (one of `2`, `3`, `4`,",
+    "`5`, or `6` for any human-required match \u2014 see the rule numbers",
+    "below) so later phases can branch on which precedence rule fired.",
+    "When rule 1 (force-auto label) or rule 7 (default) fixes the mode,",
+    "record `matched_rule: null` \u2014 only the human-required rules carry an",
+    "actionable index. Mixed-match PRs (signals from both sides) resolve",
+    "conservatively to `human-required` \u2014 force-auto only wins when it is",
+    "the single highest match and no later human-required signal changes",
+    "the outcome under step 2c.",
     "",
     "1. **Force-auto label** \u2014 if the PR carries any label listed under",
     "   `auto-merge.labels-that-force-auto` (e.g. `review:auto-ok`), set",
@@ -16990,9 +17631,18 @@ var prReviewerSubAgent = {
     "   (fetched in Phase 2) matches any entry in",
     "   `human-required.issue-types` (case-insensitive), set",
     "   `mode = human-required`.",
-    "6. **Size thresholds** \u2014 if the PR exceeds either threshold under",
-    "   `human-required.size` (`files` count or `insertions` count), set",
-    "   `mode = human-required`.",
+    "6. **Size thresholds** \u2014 first read",
+    "   `auto-merge.paths-exempt-from-size` from the policy (defaults to",
+    "   the documented carve-out list). For every file in the PR diff,",
+    "   evaluate whether the file path matches at least one glob in the",
+    "   carve-out list. If **every** changed path matches the carve-out,",
+    "   **skip rule #6** entirely and continue to rule #7 \u2014 the PR is",
+    "   exempt from the size threshold regardless of its `files` or",
+    "   `insertions` count. Otherwise (any changed path falls outside",
+    "   the carve-out list), apply the size check: if the PR exceeds",
+    "   either threshold under `human-required.size` (`files` count or",
+    "   `insertions` count), set `mode = human-required` and record the",
+    "   triggered axis (files vs. insertions) as the reason.",
     "7. **Default** \u2014 if no rule above matched, apply the `default` field",
     "   from the policy (typically `auto-merge`).",
     "",
@@ -17006,14 +17656,23 @@ var prReviewerSubAgent = {
     "",
     "### Step 3: Record the decision",
     "",
-    "Persist the evaluated mode and reason for later phases so Phase 4 and",
-    "any downstream summary writer can cite it:",
+    "Persist the evaluated mode, the reason, and the matched-rule index",
+    "for later phases so Phase 4 and any downstream summary writer can",
+    "cite them:",
     "",
     "```",
     "Review mode: <auto-merge | human-required>",
     "Reason: <short explanation \u2014 label name, path+glob, issue type, size threshold, default>",
+    "Matched rule: <2 | 3 | 4 | 5 | 6 | null>",
     "```",
     "",
+    "`Matched rule` is the numeric index of the precedence rule that",
+    "fixed the mode in Step 2. It is populated only for human-required",
+    "matches (rules 2\u20136) \u2014 force-auto (rule 1) and default (rule 7)",
+    "record `null`. Phase 4's `gh pr update-branch` gate consults this",
+    "field to decide whether the size-only carve-out (rule 6) allows the",
+    "bot to keep a human-required branch fresh against the default branch.",
+    "",
     "Phases 3 (acceptance-criteria comparison) and CI verification run",
     "unchanged regardless of mode. Only the terminal action in Phase 4",
     "branches on the decided mode.",
@@ -17465,9 +18124,42 @@ var prReviewerSubAgent = {
     "gh pr view <pr-number> --json mergeStateStatus --jq '.mergeStateStatus'",
     "```",
     "",
-    "When the value is `BEHIND`, attempt to bring the head branch current with",
-    "the default branch via `gh pr update-branch` (default merge strategy \u2014",
-    "**never** `--rebase`, which would rewrite commits on a published branch):",
+    "Before running `gh pr update-branch`, evaluate the **eligibility",
+    "gate** below. The step runs when `mergeStateStatus == BEHIND` **AND**",
+    "either of the following holds:",
+    "",
+    "- The review mode decided in Phase 2.75 is `auto-merge`, **or**",
+    "- The review mode is `human-required` **and** `matched_rule == 6`",
+    "  (size threshold is the sole trigger that fixed the mode).",
+    "",
+    "All other `human-required` matches (rules 2\u20135) continue to block",
+    "`update-branch`. Concretely, **never** run `gh pr update-branch`",
+    "when the mode is `human-required` and any of the following fired:",
+    "",
+    "- rule 2 (`review:human-required` label),",
+    "- rule 3 (any `labels-that-force-human` label such as `priority:critical`),",
+    "- rule 4 (`human-required.paths` glob match), or",
+    "- rule 5 (`human-required.issue-types` match).",
+    "",
+    "The rationale: rule 6 fires on the **volume** of the diff alone \u2014",
+    "there is nothing about the changed paths or labels that suggests a",
+    "human reviewer has explicit ownership of the branch's lifecycle.",
+    "Pushing the default branch into a size-tripped human-required PR",
+    "keeps it from sitting stale while the human is still drafting",
+    "their review. By contrast, each of rules 2\u20135 signals a human",
+    "reviewer who owns the branch's lifecycle; silently pushing main",
+    "into those PRs expands the diff under review without their consent.",
+    "",
+    "When the gate **denies** `update-branch` (`human-required` mode and",
+    "`matched_rule` in 2\u20135), record",
+    "`Branch updated: not eligible (human-required by rule <N>)` and skip",
+    "the rest of this sub-section. The human reviewer keeps branch-",
+    "lifecycle ownership.",
+    "",
+    "When the gate **permits** `update-branch`, attempt to bring the head",
+    "branch current with the default branch via `gh pr update-branch`",
+    "(default merge strategy \u2014 **never** `--rebase`, which would rewrite",
+    "commits on a published branch):",
     "",
     "```bash",
     "gh pr update-branch <pr-number>",
@@ -17476,8 +18168,9 @@ var prReviewerSubAgent = {
     "Branch on the outcome:",
     "",
     "- **Success** \u2014 record `Branch updated: yes` for the per-PR report and",
-    "  stop. Auto-merge will fire when required checks pass on the new head",
-    "  SHA. Do **not** poll for the merge here \u2014 Phase 5 owns polling.",
+    "  stop. Auto-merge (when enabled) will fire when required checks pass",
+    "  on the new head SHA. Do **not** poll for the merge here \u2014 Phase 5",
+    "  owns polling.",
     "- **Failure for reasons other than a merge conflict** (permission",
     "  denied, branch protection refusing the merge commit, transient",
     "  network error) \u2014 record `Branch updated: failed (<reason>)`, post a",
@@ -17491,13 +18184,6 @@ var prReviewerSubAgent = {
     "an `update-branch` attempt \u2014 every other state either has nothing to do",
     "or is already gated on a different signal that Phase 5 picks up.",
     "",
-    "Never run `gh pr update-branch` on a PR whose review mode is",
-    "`human-required`. Pushing main into a human-required PR expands the",
-    "scope of the diff the human is reviewing without their consent. The",
-    "`update-branch` step lives **only** under the `Mode auto-merge` branch",
-    "of this phase \u2014 `human-required` skips straight to its hand-off block",
-    "below.",
-    "",
     "##### Conflict-resolution delegation (BEHIND + conflicts)",
     "",
     "When `gh pr update-branch <pr-number>` fails because the merge would",
@@ -17511,9 +18197,13 @@ var prReviewerSubAgent = {
     "fall through to the fallback at the end of this sub-section instead.",
     "",
     "1. **Review mode is `auto-merge`.** Never delegate conflict",
-    "   resolution on `human-required` PRs \u2014 pushing main resolutions into",
-    "   them expands the diff the human is reviewing. (This is the same",
-    "   reason the `update-branch` step itself is auto-merge-only.)",
+    "   resolution on `human-required` PRs \u2014 pushing worker-resolved",
+    "   merge content into them expands the diff under review without",
+    "   the human reviewer's consent. (Unlike the `update-branch` step",
+    "   above, which permits a size-only `human-required` carve-out, the",
+    "   conflict-resolution delegation flow is auto-merge-only across",
+    "   the board: a worker rebase push is a stronger branch mutation",
+    "   than the merge-commit `gh pr update-branch` performs.)",
     "2. **Delegation invocation guard permits the hand-off** \u2014 the PR",
     "   carries the `origin:issue-worker` label, **or** the reviewer was",
     "   invoked with `--allow-human-author`. The same guard used for the",
@@ -17538,8 +18228,53 @@ var prReviewerSubAgent = {
     "   and conflicts there should be resolved by re-running synth, not by",
     "   merging the conflict markers.",
     "",
-    "When every guard above passes, hand off to `issue-worker` with a",
-    "**single synthetic fix-list item** that describes the rebase work:",
+    "When every guard above passes, **classify each conflicting file**",
+    "before composing the fix-list. The classification picks one of two",
+    "typed recipes \u2014 a precise `shared-index` resolver when every",
+    "conflict is a row-insert race on a registry / index / feature-matrix",
+    "file, or the generic rebase recipe in every other case.",
+    "",
+    "**Classification step.** For each conflicting path reported by the",
+    "failed `update-branch`, decide whether the file is `shared-index` or",
+    "`generic` against these criteria (the shared-index glob set comes",
+    "from the `shared-editing-safety` rule \u2014 see the bundle's",
+    "`shared-editing.ts` for the canonical constant):",
+    "",
+    "- `shared-index` \u2014 the path matches one of the shared-editing glob",
+    "  patterns:",
+    ...DEFAULT_SHARED_INDEX_PATHS.map((p) => `    - \`${p}\``),
+    "  **AND** the conflict diff is bounded to row insertions only.",
+    "  Inspect the merge conflict diff for the file: every `<<<<<<<` /",
+    "  `=======` / `>>>>>>>` hunk must touch only data rows (lines that",
+    "  start with `| ` and are not the table header or the `|---|---|`",
+    "  separator). The conflict must **not** touch:",
+    "    - The frontmatter block (lines between the opening and",
+    "      closing `---` fences at the top of the file).",
+    "    - The page H1 or any surrounding prose paragraphs.",
+    "    - The table header row (the first `| Column | ... |` row of",
+    "      any table).",
+    "    - The separator row (`|---|---|...|`).",
+    "  If the conflict hunks touch any of the above, classify the file",
+    "  as `generic` \u2014 the mechanical row-insert recipe cannot safely",
+    "  reconcile structural edits.",
+    "- `generic` \u2014 anything else (path outside the shared-editing glob",
+    "  set, **or** conflict hunks touch the frontmatter / header /",
+    "  separator / surrounding prose).",
+    "",
+    "**Branching emit step.**",
+    "",
+    "- **Every conflicting file is `shared-index`** \u2014 emit the typed",
+    '  fix-list item with `comment_id: "synthetic:rebase-shared-index"`',
+    "  carrying the explicit re-insert recipe (see step 3 below). The",
+    "  worker mechanically re-inserts each row in declared sort order",
+    "  against the rebased file.",
+    "- **Any conflicting file is `generic`** \u2014 emit the existing generic",
+    '  fix-list item with `comment_id: "synthetic:rebase-behind-main"`',
+    "  (see step 3 below). The worker performs a hand-merge of the",
+    "  conflict markers.",
+    "",
+    "Hand off to `issue-worker` with the chosen single synthetic",
+    "fix-list item:",
     "",
     "1. **Disable auto-merge** so a fast CI pass cannot land the PR",
     "   mid-delegation (idempotent \u2014 safe no-op when auto-merge was never",
@@ -17558,9 +18293,18 @@ var prReviewerSubAgent = {
     "   ```",
     "",
     "3. **Post a fix-list comment** containing exactly one synthetic item",
-    "   describing the rebase. The `comment_id` is the literal string",
-    "   `synthetic:rebase-behind-main` so the worker recognises the",
-    "   special case and the next reviewer pass can identify the item:",
+    "   describing the rebase. The `comment_id` field selects the typed",
+    "   recipe:",
+    "",
+    "   - `synthetic:rebase-behind-main` \u2014 generic conflict; the worker",
+    "     resolves conflicting hunks by hand.",
+    "   - `synthetic:rebase-shared-index` \u2014 every conflict is a pure",
+    "     row-insert race on a shared-index file; the worker re-inserts",
+    "     each row in declared sort order against the rebased file.",
+    "",
+    "   The next reviewer pass identifies the item by its `comment_id`.",
+    "",
+    "   **Generic shape (`synthetic:rebase-behind-main`):**",
     "",
     "   ```markdown",
     "   ## Reviewer: fix list for @issue-worker",
@@ -17579,6 +18323,27 @@ var prReviewerSubAgent = {
     "   ```",
     "   ```",
     "",
+    "   **Typed shape (`synthetic:rebase-shared-index`).** The",
+    "   `instruction` field carries the full re-insert recipe \u2014 the",
+    "   worker reads it imperatively, so spell every step out:",
+    "",
+    "   ```markdown",
+    "   ## Reviewer: fix list for @issue-worker",
+    "",
+    "   - [ ] @reviewer \u2014 rebase onto origin/<default-branch> and re-insert shared-index rows in: <space-separated list of conflicting files>",
+    "",
+    "   ```json fix-list",
+    "   {",
+    '     "pr": <pr-number>,',
+    '     "branch": "<head-ref-name>",',
+    '     "generated_at": "<ISO-8601 timestamp>",',
+    '     "items": [',
+    '       {"comment_id": "synthetic:rebase-shared-index", "author": "reviewer", "file": "<first-conflicting-file>", "instruction": "Branch is BEHIND default-branch with shared-index row-insert conflicts only. Apply this recipe: (1) Fetch and rebase: `git fetch origin && git pull --rebase origin <default-branch>`. (2) For each conflicting shared-index file: read the rebased version (it now contains the other PR\'s row), extract this PR\'s row from the `<<<<<<<` side of the conflict markers, re-insert that row in declared sort order using the file\'s documented sort key (alphabetical on the first column by default), stage the file with `git add <path>`. (3) Run the commit-path verification for each row: `count=$(git show :<path> | grep -Fc <row-unique-marker>) && [ \\"$count\\" = \\"1\\" ] || exit 1`. (4) `git rebase --continue` and push with non-force `git push origin <branch>`. (5) If any conflict marker touches the frontmatter, table header row, `|---|---|` separator, or surrounding prose, abort the recipe and emit `BLOCKED <reason>` \u2014 the precondition guards from the reviewer\'s classification step were violated."}',
+    "     ]",
+    "   }",
+    "   ```",
+    "   ```",
+    "",
     "4. **Invoke `issue-worker` in feedback mode** with the same prompt",
     "   shape used by the in-scope-fix flow: include the literal phrase",
     "   `feedback mode: PR #<n>` plus the repository identifier",
@@ -17623,7 +18388,16 @@ var prReviewerSubAgent = {
     "   gh pr edit <pr-number> --add-label 'review:awaiting-human'",
     "   ```",
     "",
-    "2. Exit cleanly after the acceptance-criteria check completes and any",
+    "2. **If `matched_rule == 6`** (size threshold was the sole trigger),",
+    "   run the `Update the branch when `mergeStateStatus` is `BEHIND``",
+    "   step from the `Mode auto-merge` branch above before exiting. The",
+    "   eligibility gate documented in that sub-section explicitly permits",
+    "   `gh pr update-branch` on size-only human-required PRs so the bot",
+    "   keeps the branch fresh against the default branch while the human",
+    "   reviews. Skip this sub-step for `matched_rule` in 2\u20135 \u2014 the gate",
+    "   denies `update-branch` there and the human owns branch-lifecycle.",
+    "",
+    "3. Exit cleanly after the acceptance-criteria check completes and any",
     "   summary comment the reviewer posts. Proceed to Phase 5 only if a",
     "   merge occurred \u2014 in `human-required` mode the reviewer stops at",
     "   the hand-off and does not poll for merge.",
@@ -17868,13 +18642,20 @@ var prReviewerSubAgent = {
     "    AC-drift pushback, any failed-fix pushback, and any human-required",
     "    hand-off all keep auto-merge disabled until the human resolves",
     "    the underlying state.",
-    "15. **Never run `gh pr update-branch` on a `human-required` PR.**",
-    "    Pushing main into a human-required PR expands the scope of the",
-    "    diff the human is reviewing without their consent. The",
-    "    `update-branch` step is gated to the `Mode auto-merge` branch of",
-    "    Phase 4 only. The same restriction applies to delegating",
+    "15. **Restrict `gh pr update-branch` on `human-required` PRs.** The",
+    "    `update-branch` step is permitted when the review mode is",
+    "    `auto-merge`, **or** when the mode is `human-required` **and**",
+    "    Phase 2.75's `matched_rule == 6` (size threshold was the sole",
+    "    trigger). All other human-required matches (rule 2 force-human",
+    "    label, rule 3 listed force-human label, rule 4 path glob, rule 5",
+    "    issue type) continue to block `update-branch`: pushing main into",
+    "    those PRs expands the diff under review without the human",
+    "    reviewer's consent. The same restriction applies to delegating",
     "    conflict resolution to `issue-worker`: never delegate a rebase",
-    "    on a `human-required` PR.",
+    "    on a `human-required` PR regardless of `matched_rule` \u2014 the",
+    "    typed-recipe delegation flow stays auto-merge-only because a",
+    "    worker push to a human-required branch is a stronger mutation",
+    "    than the merge-commit `gh pr update-branch` performs.",
     "16. **Never delegate conflict resolution involving generated or",
     "    projen-managed files.** When `gh pr update-branch` fails on a",
     "    BEHIND PR with conflicts and any conflicting path is a lockfile,",
@@ -18042,364 +18823,426 @@ var reviewPrsSkill = {
     "comment on that PR and continue with the next."
   ].join("\n")
 };
-var prReviewBundle = {
-  name: "pr-review",
-  description: "Pull request review workflow: verifies PRs against their linked issues' acceptance criteria and orchestrates squash-merge, single or looped over all eligible PRs",
-  // Default-apply: the PR review workflow is safe to include everywhere,
-  // and keeping review/merge policy centralised in the pr-reviewer agent
-  // means consumers get consistent behaviour out of the box. Consumers can
-  // still exclude it explicitly via `excludeBundles` if desired.
-  appliesWhen: () => true,
-  rules: [
-    {
-      name: "pr-review-policy",
-      description: "Declarative policy that tells the pr-reviewer which PRs may auto-merge and which must wait for a human reviewer",
-      scope: AGENT_RULE_SCOPE.ALWAYS,
-      content: [
-        "# PR Review Policy",
-        "",
-        "The `pr-reviewer` sub-agent evaluates every PR it reviews against the",
-        "policy below and routes the PR into one of two modes:",
-        "",
-        "- **`auto-merge`** \u2014 the reviewer may enable squash auto-merge once",
-        "  all acceptance criteria are met and CI is green.",
-        "- **`human-required`** \u2014 the reviewer runs the full AC/CI check but",
-        "  never calls `gh pr merge --auto`. It applies the",
-        "  `review:awaiting-human` label and hands off to a human reviewer.",
-        "",
-        "## Policy",
-        "",
-        "```yaml",
-        "version: 1",
-        "default: auto-merge",
-        "",
-        "human-required:",
-        "  paths:",
-        '    - "docs/src/content/docs/requirements/architectural-decisions/**"',
-        '    - "docs/src/content/docs/project-context.md"',
-        '    - ".github/workflows/**"',
-        '    - ".github/CODEOWNERS"',
-        '    - ".projenrc.ts"',
-        '    - "projenrc/**"',
-        '    - "CLAUDE.md"',
-        '    - ".claude/**"',
-        '    - "packages/**/package.json"',
-        "  issue-types:",
-        "    - release",
-        "    - hotfix",
-        "  size:",
-        "    files: 10",
-        "    insertions: 500",
-        "  labels-that-force-human:",
-        '    - "review:human-required"',
-        '    - "priority:critical"',
-        "",
-        "auto-merge:",
-        "  labels-that-force-auto:",
-        '    - "review:auto-ok"',
-        "```",
-        "",
-        "## Precedence",
-        "",
-        "The reviewer walks the following checks in order. The **first match**",
-        "fixes the mode; any mixed-match PR (signals from both sides) resolves",
-        "conservatively to `human-required` \u2014 `auto-merge` only wins when the",
-        "force-auto label is the single top-priority match.",
-        "",
-        "1. **`auto-merge.labels-that-force-auto`** \u2014 if the PR carries any of",
-        "   these labels (e.g. `review:auto-ok`), the mode is `auto-merge`",
-        "   outright. This is the only escape hatch from the conservative",
-        "   default; it requires a maintainer to apply the label explicitly.",
-        "2. **`review:human-required` label** \u2014 reserved force-human label;",
-        "   if present (and no force-auto label beat it in step 1), the mode",
-        "   is `human-required`.",
-        "3. **`human-required.labels-that-force-human`** \u2014 any listed label on",
-        "   the PR (e.g. `priority:critical`) forces `human-required`.",
-        "4. **`human-required.paths`** \u2014 if any file in the PR diff matches",
-        "   any glob here, the mode is `human-required`. Matching uses",
-        "   standard glob semantics (`**` for recursive directories,",
-        "   `*` for a single path segment).",
-        "5. **`human-required.issue-types`** \u2014 if the linked issue's GitHub",
-        "   issue type matches any entry (case-insensitive), the mode is",
-        "   `human-required`.",
-        "6. **`human-required.size`** \u2014 if the PR exceeds either the `files`",
-        "   count or the `insertions` count, the mode is `human-required`.",
-        "7. **`default`** \u2014 applied only when no rule above matched",
-        "   (normally `auto-merge`).",
-        "",
-        "The `pr-reviewer` sub-agent records the decided mode and the triggering",
-        "reason in its Phase 2.75 output so downstream phases and any sticky",
-        "summary can cite the specific rule that applied."
-      ].join("\n"),
-      tags: ["policy", "review"]
-    },
-    {
-      name: "pr-review-workflow",
-      description: "Describes the /review-pr and /review-prs skills and their delegation to the pr-reviewer sub-agent",
-      scope: AGENT_RULE_SCOPE.ALWAYS,
-      content: [
-        "# PR Review Workflow",
-        "",
-        "Two skills are available, both backed by the same `pr-reviewer`",
-        "sub-agent:",
-        "",
-        "- **`/review-pr <pr-number>`** \u2014 review a single targeted PR.",
-        "- **`/review-prs`** \u2014 loop over every eligible open PR in the",
-        "  repository and review each one in turn.",
-        "",
-        "The `pr-reviewer` sub-agent:",
-        "",
-        "1. Runs a pre-flight eligibility filter (mergeable, CI not failing,",
-        "   has a linked issue). Ineligible PRs get a short comment and are",
-        "   skipped.",
-        "2. Fetches the PR, its diff, CI status, and the linked issue",
-        "3. **Evaluates the PR Review Policy** (see the `PR Review Policy`",
-        "   section above) to decide whether the PR is `auto-merge` or",
-        "   `human-required`, and records the triggering reason",
-        "4. Builds a checklist from the issue's acceptance criteria",
-        "5. Verifies the diff satisfies each criterion and that CI is green",
-        "6. **Enables squash auto-merge** (with `--delete-branch`) when all",
-        "   checks pass **and** the review mode is `auto-merge`",
-        "7. **Applies `review:awaiting-human`** and hands off to a human",
-        "   reviewer when the review mode is `human-required` (no auto-merge,",
-        "   even if every acceptance criterion is met)",
-        "8. **Comments with grouped findings** when any check fails (plain",
-        "   `gh pr comment`, not a formal `--request-changes` review)",
-        "9. After a successful merge, verifies the linked issue is closed",
-        "   and closes it explicitly if the merge commit did not",
-        "10. Cleans up the local branch after merge",
-        "",
-        "The reviewer **never** implements code and **never** pushes commits",
-        "to a PR's branch \u2014 it only reviews, decides, and orchestrates merge",
-        "or comment. In loop mode, a failed review for one PR never stops",
-        "the loop; the reviewer comments and moves on. See the `pr-reviewer`",
-        "agent definition for the full phase-by-phase contract."
-      ].join("\n"),
-      platforms: {
-        cursor: { exclude: true }
+function buildPrReviewBundle(policy = resolvePrReviewPolicy()) {
+  return {
+    name: "pr-review",
+    description: "Pull request review workflow: verifies PRs against their linked issues' acceptance criteria and orchestrates squash-merge, single or looped over all eligible PRs",
+    // Default-apply: the PR review workflow is safe to include everywhere,
+    // and keeping review/merge policy centralised in the pr-reviewer agent
+    // means consumers get consistent behaviour out of the box. Consumers can
+    // still exclude it explicitly via `excludeBundles` if desired.
+    appliesWhen: () => true,
+    rules: [
+      {
+        name: "pr-review-policy",
+        description: "Declarative policy that tells the pr-reviewer which PRs may auto-merge and which must wait for a human reviewer",
+        scope: AGENT_RULE_SCOPE.ALWAYS,
+        content: [
+          "# PR Review Policy",
+          "",
+          "The `pr-reviewer` sub-agent evaluates every PR it reviews against the",
+          "policy below and routes the PR into one of two modes:",
+          "",
+          "- **`auto-merge`** \u2014 the reviewer may enable squash auto-merge once",
+          "  all acceptance criteria are met and CI is green.",
+          "- **`human-required`** \u2014 the reviewer runs the full AC/CI check but",
+          "  never calls `gh pr merge --auto`. It applies the",
+          "  `review:awaiting-human` label and hands off to a human reviewer.",
+          "",
+          "## Policy",
+          "",
+          "```yaml",
+          "version: 1",
+          "default: auto-merge",
+          "",
+          "human-required:",
+          "  paths:",
+          '    - "docs/src/content/docs/requirements/architectural-decisions/**"',
+          '    - "docs/src/content/docs/project-context.md"',
+          '    - ".github/workflows/**"',
+          '    - ".github/CODEOWNERS"',
+          '    - ".projenrc.ts"',
+          '    - "projenrc/**"',
+          '    - "CLAUDE.md"',
+          '    - ".claude/**"',
+          '    - "packages/**/package.json"',
+          "  issue-types:",
+          "    - release",
+          "    - hotfix",
+          "  size:",
+          "    files: 10",
+          "    insertions: 500",
+          "  labels-that-force-human:",
+          '    - "review:human-required"',
+          '    - "priority:critical"',
+          "",
+          "auto-merge:",
+          "  labels-that-force-auto:",
+          '    - "review:auto-ok"',
+          "  paths-exempt-from-size:",
+          ...renderPathsExemptFromSizeYaml(
+            policy.autoMerge.pathsExemptFromSize
+          ),
+          "```",
+          "",
+          "## Precedence",
+          "",
+          "The reviewer walks the following checks in order. The **first match**",
+          "fixes the mode; any mixed-match PR (signals from both sides) resolves",
+          "conservatively to `human-required` \u2014 `auto-merge` only wins when the",
+          "force-auto label is the single top-priority match.",
+          "",
+          "1. **`auto-merge.labels-that-force-auto`** \u2014 if the PR carries any of",
+          "   these labels (e.g. `review:auto-ok`), the mode is `auto-merge`",
+          "   outright. This is the only escape hatch from the conservative",
+          "   default; it requires a maintainer to apply the label explicitly.",
+          "2. **`review:human-required` label** \u2014 reserved force-human label;",
+          "   if present (and no force-auto label beat it in step 1), the mode",
+          "   is `human-required`.",
+          "3. **`human-required.labels-that-force-human`** \u2014 any listed label on",
+          "   the PR (e.g. `priority:critical`) forces `human-required`.",
+          "4. **`human-required.paths`** \u2014 if any file in the PR diff matches",
+          "   any glob here, the mode is `human-required`. Matching uses",
+          "   standard glob semantics (`**` for recursive directories,",
+          "   `*` for a single path segment).",
+          "5. **`human-required.issue-types`** \u2014 if the linked issue's GitHub",
+          "   issue type matches any entry (case-insensitive), the mode is",
+          "   `human-required`.",
+          "6. **`human-required.size`** \u2014 first read",
+          "   `auto-merge.paths-exempt-from-size` from the policy block above.",
+          "   For every file in the PR diff, evaluate whether the file path",
+          "   matches at least one glob in that carve-out list. If **every**",
+          "   changed path matches the carve-out, **skip rule #6** entirely",
+          "   and continue to rule #7 \u2014 the PR is exempt from the size",
+          "   threshold regardless of its `files` or `insertions` count.",
+          "   Otherwise (any changed path falls outside the carve-out list),",
+          "   apply the size check: if the PR exceeds either the `files`",
+          "   count or the `insertions` count, the mode is `human-required`.",
+          "7. **`default`** \u2014 applied only when no rule above matched",
+          "   (normally `auto-merge`).",
+          "",
+          "The `auto-merge.paths-exempt-from-size` carve-out exists so",
+          "**doc-only PRs** that routinely exceed the 500-insertion size",
+          "threshold (large migrations, bulk additions, refresh passes)",
+          "are not forced into `human-required` mode for a reason that does",
+          "not reflect production risk. The default carve-out exempts the",
+          "entire `docs/**` tree \u2014 every consumer of configulator places its",
+          "Starlight docs site there. A PR mixing docs and code still falls",
+          "into `human-required` at rule #6 because the non-docs path fails",
+          "the carve-out check, so the rule only relaxes the threshold for",
+          "PRs whose **every** changed path is doc-only.",
+          "",
+          "The `pr-reviewer` sub-agent records the decided mode, the",
+          "triggering reason, and the numeric **matched-rule index** (2\u20136",
+          "for human-required matches; `null` for rule 1 force-auto or",
+          "rule 7 default) in its Phase 2.75 output. Downstream phases and",
+          "the sticky summary cite the specific rule that applied.",
+          "",
+          "### Rule-#6 carve-out for `gh pr update-branch`",
+          "",
+          "The reviewer's BEHIND-branch refresh step (`gh pr update-branch`)",
+          "is normally restricted to `auto-merge` PRs because pushing the",
+          "default branch into a `human-required` PR expands the diff the",
+          "human is reviewing without their consent. A narrow exception",
+          "applies when rule #6 (size threshold) is the **sole** trigger",
+          "for `human-required` mode: the bot may still run `gh pr",
+          "update-branch` so a code-heavy size-tripped PR does not sit",
+          "BEHIND while the human drafts their review.",
+          "",
+          "The exception is keyed on the matched-rule index recorded in",
+          "Phase 2.75. All other `human-required` triggers \u2014 rule 2",
+          "(`review:human-required` label), rule 3 (any",
+          "`labels-that-force-human` label such as `priority:critical`),",
+          "rule 4 (`human-required.paths` glob match), and rule 5",
+          "(`human-required.issue-types` match) \u2014 continue to block",
+          "`update-branch` because each one signals a human reviewer who",
+          "has explicit ownership of the branch's lifecycle.",
+          "",
+          "This carve-out is largely belt-and-suspenders given the doc-only",
+          "size carve-out above. Doc-only PRs that trip rule #6 now route",
+          "directly to `auto-merge`, so the rule-#6 `update-branch` carve-",
+          "out only kicks in for **code-heavy** PRs that legitimately trip",
+          "rule #6 (mixed-content diffs whose non-doc paths fail the",
+          "`paths-exempt-from-size` check, or consumers that disable the",
+          "doc-only carve-out entirely)."
+        ].join("\n"),
+        tags: ["policy", "review"]
       },
-      tags: ["workflow"]
-    },
-    {
-      name: "pr-review-feedback-protocol",
-      description: "Documents the human-in-the-loop feedback loop on PR review: reaction state machine, pushback resolution, fix-list comment format, sticky reviewer-notes comment, label glossary, and human-author opt-in flag.",
-      scope: AGENT_RULE_SCOPE.ALWAYS,
-      content: [
-        "# PR Review Feedback Protocol",
-        "",
-        "## Human-in-the-Loop Feedback Protocol",
-        "",
-        "The PR review pipeline is a **human-in-the-loop feedback loop**.",
-        "Reviewers (human or agent) leave comments on the PR; the",
-        "`pr-reviewer` sub-agent classifies each comment, reacts to it,",
-        "delegates in-scope fixes to `issue-worker`, and updates a single",
-        "sticky `## Reviewer notes` comment that is the canonical record of",
-        "PR state. The sections below document the conventions humans need",
-        "to read and drive that loop.",
-        "",
-        "### Trigger Model: Human-Triggered, Single-Pass",
-        "",
-        "Each reviewer pass runs exactly once and does not self-chain. A",
-        "human re-invokes `/review-pr <n>` (or `/review-prs`) whenever the",
-        "PR state changes enough to warrant another look \u2014 a new comment,",
-        "a new commit, a resolved pushback, a label flip. The reviewer",
-        "never reschedules itself and never loops back after handing off to",
-        "`issue-worker`: the worker's run is the terminal step of that",
-        "pass, and a human must re-invoke the reviewer to see the follow-up",
-        "reactions and the auto-merge re-enablement decision.",
-        "",
-        "This keeps the loop cheap to reason about: every agent action is",
-        "traceable to a specific human invocation, and there is no",
-        "background automation to pause or cancel.",
-        "",
-        "### Reaction State Machine",
-        "",
-        "The reviewer signals its disposition toward each human comment via",
-        "GitHub reactions on that comment. Five reactions carry meaning in",
-        "this workflow; every other reaction is ignored.",
-        "",
-        "| Reaction | Meaning | Terminal? |",
-        "|----------|---------|-----------|",
-        "| `eyes` | Seen by reviewer; no terminal decision yet. Queued for processing on this or a later pass. | No |",
-        "| `+1` | Reviewer accepted the comment's request; a fix has been queued or has already landed. | **Yes** |",
-        "| `rocket` | The accepted fix has landed on the branch. The reviewer's reply cites the commit SHA that applied it. | **Yes** |",
-        "| `thinking_face` | Reviewer pushback \u2014 the comment conflicts with an acceptance criterion, a CLAUDE.md convention, the project-context doc, or is ambiguous. **Blocks auto-merge** until resolved. | No |",
-        "| `-1` | Declined as out-of-scope. A separate tracking issue was created; the reviewer's reply links to it. | **Yes** |",
-        "",
-        "Terminal reactions (`+1`, `rocket`, `-1`) are applied **only after**",
-        "the corresponding action has truly completed \u2014 the fix accepted,",
-        "the commit landed on the branch, or the out-of-scope tracking",
-        "issue created and linked in a reply. The reviewer never applies a",
-        "terminal reaction pre-emptively.",
-        "",
-        "A comment carrying only `eyes` or `thinking_face` from the",
-        "reviewer is **non-terminal** and will be re-evaluated on the next",
-        "pass. A comment carrying any terminal reaction authored by the",
-        "reviewer is dropped from future classification.",
-        "",
-        "GitHub's reactions API uses `confused` as the content string for",
-        "the `thinking_face` reaction (`content=confused` when POSTing).",
-        "",
-        "### Resolving a Pushback",
-        "",
-        "When the reviewer pushes back on a comment with `thinking_face`,",
-        "auto-merge is blocked until the dispute is resolved. Humans have",
-        "three ways to clear a pushback:",
-        "",
-        "1. **Withdraw the comment.** Delete the comment, or edit out the",
-        "   disputed request, then re-invoke `/review-pr <n>`. The reviewer",
-        "   drops the withdrawn item from its queue on the next pass.",
-        "2. **Reply with clarification.** Post a reply on the same thread",
-        "   that addresses the reviewer's objection (cite the acceptance",
-        "   criterion you meant, supply the missing context, or concede the",
-        "   point). Re-invoke `/review-pr <n>` \u2014 the reviewer re-classifies",
-        "   the thread and may promote `thinking_face` to `+1` if the",
-        "   clarification satisfies it.",
-        "3. **Force through with `review:auto-ok`.** Apply the",
-        "   `review:auto-ok` label to the PR as an explicit maintainer",
-        "   override. The reviewer will log the override in the sticky",
-        "   `## Reviewer notes` comment and proceed with auto-merge even",
-        "   though the dispute was never resolved by reply or withdrawal.",
-        "",
-        "### Fix-List Comment Format",
-        "",
-        "When Phase 4 delegates in-scope fixes to `issue-worker`, it posts",
-        "a single PR-level comment whose body carries both a human-readable",
-        "checkbox summary and a fenced ```json fix-list``` block. The JSON",
-        "block is the authoritative payload the worker parses; the",
-        "checkbox list is for humans reading the PR.",
-        "",
-        "```markdown",
-        "## Reviewer: fix list for @issue-worker",
-        "",
-        "- [ ] @<author> \u2014 <instruction summary> (<file>:<line>)",
-        "",
-        "```json fix-list",
-        "{",
-        '  "pr": <pr-number>,',
-        '  "branch": "<head-ref-name>",',
-        '  "generated_at": "<ISO-8601 timestamp>",',
-        '  "items": [',
-        '    {"comment_id": "<id>", "author": "<login>", "file": "<path>", "line": <n>, "instruction": "<imperative instruction>"}',
-        "  ]",
-        "}",
-        "```",
-        "```",
-        "",
-        "Each `items[]` entry corresponds to one in-scope comment the",
-        "reviewer queued on this pass. The `comment_id` is preserved",
-        "exactly as returned by the GitHub API so that `issue-worker` can",
-        "report per-item outcomes and the reviewer can apply `rocket` or",
-        "`thinking_face` to the correct source comment on the next pass.",
-        "",
-        "### Sticky `## Reviewer notes` Comment",
-        "",
-        "Every PR has **one** canonical reviewer-notes comment. The",
-        "reviewer creates it on the first pass, then **edits it in place**",
-        "on every subsequent pass via",
-        "`gh api .../issues/comments/<id> -X PATCH`. It is never",
-        "duplicated and never replaced by a fresh per-pass summary.",
-        "",
-        "This sticky comment is the **single human-facing source of truth**",
-        "for the PR's current state. Humans scanning the PR should read",
-        "the sticky first, before scrolling back through individual threads.",
-        "It carries, at a minimum:",
-        "",
-        "- **Mode** \u2014 `auto-merge` or `human-required`, with the Phase 2.75",
-        "  reason that chose that mode.",
-        "- **AC status** \u2014 met, partial, or missing, with evidence links",
-        "  to files or tests.",
-        "- **CI status** \u2014 green, pending, or red.",
-        "- **Outstanding** \u2014 comments still carrying a non-terminal",
-        "  reviewer reaction (`eyes`, open `thinking_face`).",
-        "- **Pushbacks** \u2014 every unresolved `thinking_face` the reviewer",
-        "  has left, with the reason captured in its pushback reply.",
-        "- **Last pass** \u2014 the ISO 8601 timestamp of the most recent run.",
-        "",
-        "The sticky is updated on every pass \u2014 including passes that ended",
-        "in a pushback-gated skip, a `NEEDS_CHANGES` findings comment, or",
-        "a `human-required` hand-off \u2014 so it never goes stale while the",
-        "reviewer is actively processing the PR.",
-        "",
-        "### Label Glossary",
-        "",
-        "Five review-workflow labels drive the feedback loop. Consumers",
-        "that adopt this workflow are responsible for creating them in",
-        "their own repos (the same way they create `priority:*` and",
-        "`status:*` labels).",
-        "",
-        "| Label | Purpose |",
-        "|-------|---------|",
-        "| `origin:issue-worker` | PR was opened by the `issue-worker` agent. Eligible for auto-delegation of in-scope fixes. Human-authored PRs lack this label and will not trigger delegation unless the reviewer is invoked with `--allow-human-author`. |",
-        "| `review:human-required` | Force human review regardless of what the policy would otherwise decide. The reviewer never enables auto-merge on a PR carrying this label. |",
-        "| `review:auto-ok` | Force auto-merge regardless of what the policy would otherwise decide. **Also resolves outstanding `thinking_face` pushbacks** as an explicit maintainer override; the reviewer logs the override in the sticky summary. |",
-        "| `review:awaiting-human` | Set by the reviewer when it completes its work on a `human-required` PR and is handing off the final merge decision. Cleared by a human (or by `review:auto-ok` flipping the PR back to `auto-merge` mode). |",
-        "| `review:fixing` | Short-lived lease held by the reviewer while an `issue-worker` feedback-mode delegation is mid-run. Released automatically at the end of Phase 4 step (g). Contention on this label means a prior delegation crashed without releasing it and needs human investigation. |",
-        "",
-        "### Reviewing Human-Authored PRs: the `--allow-human-author` Flag",
-        "",
-        "By default the reviewer only **delegates** in-scope fixes on",
-        "bot-authored PRs \u2014 those carrying the `origin:issue-worker`",
-        "label. Running `/review-pr <n>` or `/review-prs` on a",
-        "human-authored PR still produces a full review (reactions,",
-        "replies, sticky summary, and auto-merge when the policy allows",
-        "it) but skips the delegation hand-off to `issue-worker` \u2014 the",
-        "human author is expected to apply the fixes themselves.",
-        "",
-        "Pass `--allow-human-author` to opt into delegation on",
-        "human-authored PRs for a single invocation:",
-        "",
-        "```",
-        "/review-pr <pr-number> --allow-human-author",
-        "/review-prs --allow-human-author",
-        "```",
-        "",
-        "The flag does **not** persist across invocations. Subsequent",
-        "invocations return to the bot-only default and require the flag",
-        "to be re-supplied if delegation on a human-authored PR is desired",
-        "again."
-      ].join("\n"),
-      platforms: {
-        cursor: { exclude: true }
+      {
+        name: "pr-review-workflow",
+        description: "Describes the /review-pr and /review-prs skills and their delegation to the pr-reviewer sub-agent",
+        scope: AGENT_RULE_SCOPE.ALWAYS,
+        content: [
+          "# PR Review Workflow",
+          "",
+          "Two skills are available, both backed by the same `pr-reviewer`",
+          "sub-agent:",
+          "",
+          "- **`/review-pr <pr-number>`** \u2014 review a single targeted PR.",
+          "- **`/review-prs`** \u2014 loop over every eligible open PR in the",
+          "  repository and review each one in turn.",
+          "",
+          "The `pr-reviewer` sub-agent:",
+          "",
+          "1. Runs a pre-flight eligibility filter (mergeable, CI not failing,",
+          "   has a linked issue). Ineligible PRs get a short comment and are",
+          "   skipped.",
+          "2. Fetches the PR, its diff, CI status, and the linked issue",
+          "3. **Evaluates the PR Review Policy** (see the `PR Review Policy`",
+          "   section above) to decide whether the PR is `auto-merge` or",
+          "   `human-required`, and records the triggering reason",
+          "4. Builds a checklist from the issue's acceptance criteria",
+          "5. Verifies the diff satisfies each criterion and that CI is green",
+          "6. **Enables squash auto-merge** (with `--delete-branch`) when all",
+          "   checks pass **and** the review mode is `auto-merge`",
+          "7. **Applies `review:awaiting-human`** and hands off to a human",
+          "   reviewer when the review mode is `human-required` (no auto-merge,",
+          "   even if every acceptance criterion is met)",
+          "8. **Comments with grouped findings** when any check fails (plain",
+          "   `gh pr comment`, not a formal `--request-changes` review)",
+          "9. After a successful merge, verifies the linked issue is closed",
+          "   and closes it explicitly if the merge commit did not",
+          "10. Cleans up the local branch after merge",
+          "",
+          "The reviewer **never** implements code and **never** pushes commits",
+          "to a PR's branch \u2014 it only reviews, decides, and orchestrates merge",
+          "or comment. In loop mode, a failed review for one PR never stops",
+          "the loop; the reviewer comments and moves on. See the `pr-reviewer`",
+          "agent definition for the full phase-by-phase contract."
+        ].join("\n"),
+        platforms: {
+          cursor: { exclude: true }
+        },
+        tags: ["workflow"]
       },
-      tags: ["workflow"]
-    }
-  ],
-  skills: [reviewPrSkill, reviewPrsSkill],
-  subAgents: [prReviewerSubAgent],
-  labels: [
-    {
-      name: "type:pr-review",
-      color: "5319E7",
-      description: "PR review tasks"
-    },
-    {
-      name: "origin:issue-worker",
-      color: "5319E7",
-      description: "PR opened by the issue-worker agent"
-    },
-    {
-      name: "review:auto-ok",
-      color: "0E8A16",
-      description: "Force auto-merge regardless of policy"
-    },
-    {
-      name: "review:human-required",
-      color: "D93F0B",
-      description: "Force human review regardless of policy"
-    },
-    {
-      name: "review:awaiting-human",
-      color: "FBCA04",
-      description: "Reviewer handed off; awaiting human merge decision"
-    },
-    {
-      name: "review:fixing",
-      color: "D4C5F9",
-      description: "Short-lived lease while issue-worker applies feedback fixes"
-    }
-  ]
-};
+      {
+        name: "pr-review-feedback-protocol",
+        description: "Documents the human-in-the-loop feedback loop on PR review: reaction state machine, pushback resolution, fix-list comment format, sticky reviewer-notes comment, label glossary, and human-author opt-in flag.",
+        scope: AGENT_RULE_SCOPE.ALWAYS,
+        content: [
+          "# PR Review Feedback Protocol",
+          "",
+          "## Human-in-the-Loop Feedback Protocol",
+          "",
+          "The PR review pipeline is a **human-in-the-loop feedback loop**.",
+          "Reviewers (human or agent) leave comments on the PR; the",
+          "`pr-reviewer` sub-agent classifies each comment, reacts to it,",
+          "delegates in-scope fixes to `issue-worker`, and updates a single",
+          "sticky `## Reviewer notes` comment that is the canonical record of",
+          "PR state. The sections below document the conventions humans need",
+          "to read and drive that loop.",
+          "",
+          "### Trigger Model: Human-Triggered, Single-Pass",
+          "",
+          "Each reviewer pass runs exactly once and does not self-chain. A",
+          "human re-invokes `/review-pr <n>` (or `/review-prs`) whenever the",
+          "PR state changes enough to warrant another look \u2014 a new comment,",
+          "a new commit, a resolved pushback, a label flip. The reviewer",
+          "never reschedules itself and never loops back after handing off to",
+          "`issue-worker`: the worker's run is the terminal step of that",
+          "pass, and a human must re-invoke the reviewer to see the follow-up",
+          "reactions and the auto-merge re-enablement decision.",
+          "",
+          "This keeps the loop cheap to reason about: every agent action is",
+          "traceable to a specific human invocation, and there is no",
+          "background automation to pause or cancel.",
+          "",
+          "### Reaction State Machine",
+          "",
+          "The reviewer signals its disposition toward each human comment via",
+          "GitHub reactions on that comment. Five reactions carry meaning in",
+          "this workflow; every other reaction is ignored.",
+          "",
+          "| Reaction | Meaning | Terminal? |",
+          "|----------|---------|-----------|",
+          "| `eyes` | Seen by reviewer; no terminal decision yet. Queued for processing on this or a later pass. | No |",
+          "| `+1` | Reviewer accepted the comment's request; a fix has been queued or has already landed. | **Yes** |",
+          "| `rocket` | The accepted fix has landed on the branch. The reviewer's reply cites the commit SHA that applied it. | **Yes** |",
+          "| `thinking_face` | Reviewer pushback \u2014 the comment conflicts with an acceptance criterion, a CLAUDE.md convention, the project-context doc, or is ambiguous. **Blocks auto-merge** until resolved. | No |",
+          "| `-1` | Declined as out-of-scope. A separate tracking issue was created; the reviewer's reply links to it. | **Yes** |",
+          "",
+          "Terminal reactions (`+1`, `rocket`, `-1`) are applied **only after**",
+          "the corresponding action has truly completed \u2014 the fix accepted,",
+          "the commit landed on the branch, or the out-of-scope tracking",
+          "issue created and linked in a reply. The reviewer never applies a",
+          "terminal reaction pre-emptively.",
+          "",
+          "A comment carrying only `eyes` or `thinking_face` from the",
+          "reviewer is **non-terminal** and will be re-evaluated on the next",
+          "pass. A comment carrying any terminal reaction authored by the",
+          "reviewer is dropped from future classification.",
+          "",
+          "GitHub's reactions API uses `confused` as the content string for",
+          "the `thinking_face` reaction (`content=confused` when POSTing).",
+          "",
+          "### Resolving a Pushback",
+          "",
+          "When the reviewer pushes back on a comment with `thinking_face`,",
+          "auto-merge is blocked until the dispute is resolved. Humans have",
+          "three ways to clear a pushback:",
+          "",
+          "1. **Withdraw the comment.** Delete the comment, or edit out the",
+          "   disputed request, then re-invoke `/review-pr <n>`. The reviewer",
+          "   drops the withdrawn item from its queue on the next pass.",
+          "2. **Reply with clarification.** Post a reply on the same thread",
+          "   that addresses the reviewer's objection (cite the acceptance",
+          "   criterion you meant, supply the missing context, or concede the",
+          "   point). Re-invoke `/review-pr <n>` \u2014 the reviewer re-classifies",
+          "   the thread and may promote `thinking_face` to `+1` if the",
+          "   clarification satisfies it.",
+          "3. **Force through with `review:auto-ok`.** Apply the",
+          "   `review:auto-ok` label to the PR as an explicit maintainer",
+          "   override. The reviewer will log the override in the sticky",
+          "   `## Reviewer notes` comment and proceed with auto-merge even",
+          "   though the dispute was never resolved by reply or withdrawal.",
+          "",
+          "### Fix-List Comment Format",
+          "",
+          "When Phase 4 delegates in-scope fixes to `issue-worker`, it posts",
+          "a single PR-level comment whose body carries both a human-readable",
+          "checkbox summary and a fenced ```json fix-list``` block. The JSON",
+          "block is the authoritative payload the worker parses; the",
+          "checkbox list is for humans reading the PR.",
+          "",
+          "```markdown",
+          "## Reviewer: fix list for @issue-worker",
+          "",
+          "- [ ] @<author> \u2014 <instruction summary> (<file>:<line>)",
+          "",
+          "```json fix-list",
+          "{",
+          '  "pr": <pr-number>,',
+          '  "branch": "<head-ref-name>",',
+          '  "generated_at": "<ISO-8601 timestamp>",',
+          '  "items": [',
+          '    {"comment_id": "<id>", "author": "<login>", "file": "<path>", "line": <n>, "instruction": "<imperative instruction>"}',
+          "  ]",
+          "}",
+          "```",
+          "```",
+          "",
+          "Each `items[]` entry corresponds to one in-scope comment the",
+          "reviewer queued on this pass. The `comment_id` is preserved",
+          "exactly as returned by the GitHub API so that `issue-worker` can",
+          "report per-item outcomes and the reviewer can apply `rocket` or",
+          "`thinking_face` to the correct source comment on the next pass.",
+          "",
+          "### Sticky `## Reviewer notes` Comment",
+          "",
+          "Every PR has **one** canonical reviewer-notes comment. The",
+          "reviewer creates it on the first pass, then **edits it in place**",
+          "on every subsequent pass via",
+          "`gh api .../issues/comments/<id> -X PATCH`. It is never",
+          "duplicated and never replaced by a fresh per-pass summary.",
+          "",
+          "This sticky comment is the **single human-facing source of truth**",
+          "for the PR's current state. Humans scanning the PR should read",
+          "the sticky first, before scrolling back through individual threads.",
+          "It carries, at a minimum:",
+          "",
+          "- **Mode** \u2014 `auto-merge` or `human-required`, with the Phase 2.75",
+          "  reason that chose that mode.",
+          "- **AC status** \u2014 met, partial, or missing, with evidence links",
+          "  to files or tests.",
+          "- **CI status** \u2014 green, pending, or red.",
+          "- **Outstanding** \u2014 comments still carrying a non-terminal",
+          "  reviewer reaction (`eyes`, open `thinking_face`).",
+          "- **Pushbacks** \u2014 every unresolved `thinking_face` the reviewer",
+          "  has left, with the reason captured in its pushback reply.",
+          "- **Last pass** \u2014 the ISO 8601 timestamp of the most recent run.",
+          "",
+          "The sticky is updated on every pass \u2014 including passes that ended",
+          "in a pushback-gated skip, a `NEEDS_CHANGES` findings comment, or",
+          "a `human-required` hand-off \u2014 so it never goes stale while the",
+          "reviewer is actively processing the PR.",
+          "",
+          "### Label Glossary",
+          "",
+          "Five review-workflow labels drive the feedback loop. Consumers",
+          "that adopt this workflow are responsible for creating them in",
+          "their own repos (the same way they create `priority:*` and",
+          "`status:*` labels).",
+          "",
+          "| Label | Purpose |",
+          "|-------|---------|",
+          "| `origin:issue-worker` | PR was opened by the `issue-worker` agent. Eligible for auto-delegation of in-scope fixes. Human-authored PRs lack this label and will not trigger delegation unless the reviewer is invoked with `--allow-human-author`. |",
+          "| `review:human-required` | Force human review regardless of what the policy would otherwise decide. The reviewer never enables auto-merge on a PR carrying this label. |",
+          "| `review:auto-ok` | Force auto-merge regardless of what the policy would otherwise decide. **Also resolves outstanding `thinking_face` pushbacks** as an explicit maintainer override; the reviewer logs the override in the sticky summary. |",
+          "| `review:awaiting-human` | Set by the reviewer when it completes its work on a `human-required` PR and is handing off the final merge decision. Cleared by a human (or by `review:auto-ok` flipping the PR back to `auto-merge` mode). |",
+          "| `review:fixing` | Short-lived lease held by the reviewer while an `issue-worker` feedback-mode delegation is mid-run. Released automatically at the end of Phase 4 step (g). Contention on this label means a prior delegation crashed without releasing it and needs human investigation. |",
+          "",
+          "### Reviewing Human-Authored PRs: the `--allow-human-author` Flag",
+          "",
+          "By default the reviewer only **delegates** in-scope fixes on",
+          "bot-authored PRs \u2014 those carrying the `origin:issue-worker`",
+          "label. Running `/review-pr <n>` or `/review-prs` on a",
+          "human-authored PR still produces a full review (reactions,",
+          "replies, sticky summary, and auto-merge when the policy allows",
+          "it) but skips the delegation hand-off to `issue-worker` \u2014 the",
+          "human author is expected to apply the fixes themselves.",
+          "",
+          "Pass `--allow-human-author` to opt into delegation on",
+          "human-authored PRs for a single invocation:",
+          "",
+          "```",
+          "/review-pr <pr-number> --allow-human-author",
+          "/review-prs --allow-human-author",
+          "```",
+          "",
+          "The flag does **not** persist across invocations. Subsequent",
+          "invocations return to the bot-only default and require the flag",
+          "to be re-supplied if delegation on a human-authored PR is desired",
+          "again."
+        ].join("\n"),
+        platforms: {
+          cursor: { exclude: true }
+        },
+        tags: ["workflow"]
+      }
+    ],
+    skills: [reviewPrSkill, reviewPrsSkill],
+    subAgents: [prReviewerSubAgent],
+    labels: [
+      {
+        name: "type:pr-review",
+        color: "5319E7",
+        description: "PR review tasks"
+      },
+      {
+        name: "origin:issue-worker",
+        color: "5319E7",
+        description: "PR opened by the issue-worker agent"
+      },
+      {
+        name: "review:auto-ok",
+        color: "0E8A16",
+        description: "Force auto-merge regardless of policy"
+      },
+      {
+        name: "review:human-required",
+        color: "D93F0B",
+        description: "Force human review regardless of policy"
+      },
+      {
+        name: "review:awaiting-human",
+        color: "FBCA04",
+        description: "Reviewer handed off; awaiting human merge decision"
+      },
+      {
+        name: "review:fixing",
+        color: "D4C5F9",
+        description: "Short-lived lease while issue-worker applies feedback fixes"
+      }
+    ]
+  };
+}
+function renderPathsExemptFromSizeYaml(paths) {
+  if (paths.length === 0) {
+    return ["    []"];
+  }
+  return paths.map((path8) => `    - "${path8}"`);
+}
+var prReviewBundle = buildPrReviewBundle();
 
 // src/agent/bundles/projen.ts
 var projenBundle = {
@@ -25462,8 +26305,39 @@ function buildSoftwareProfileAnalystSubAgent(paths, issueDefaults, tier) {
       "   every profile is mapped back to the capability model regardless",
       "   of whether any adjacent products were surfaced.",
       "",
-      "7. **Commit and push** the matrix file (and any profile updates).",
-      "   Close the matrix issue.",
+      "7. **Commit any profile updates first \u2014 do not touch the",
+      "   matrix yet.** If step 4 surfaced edits to the per-product",
+      "   profile file (e.g. notes added to `## Risks / Open",
+      "   Questions` about column drift), stage and commit those",
+      "   profile changes in a focused commit. **Do not push yet,**",
+      "   and **do not** include the matrix file in this commit.",
+      "",
+      "8. **Defer the feature-matrix row insert to a final pre-push",
+      "   commit.** Per the `shared-editing-safety` rule's",
+      "   **Defer Shared-Index Commit to Final Pre-Push Step**",
+      "   subsection, the feature matrix is the canonical example of",
+      "   a **shared index file** \u2014 multiple software-profile",
+      "   sessions racing to append rows for different products is",
+      "   the exact contention this rule exists to mitigate. Apply",
+      "   the deferred sequence:",
+      "",
+      "   ```bash",
+      "   git fetch origin",
+      "   git pull --rebase origin <default-branch>",
+      "   ```",
+      "",
+      "   Re-read `<MATRIX_FILE>` from the now-up-to-date working",
+      "   tree, re-compute the deterministic insert position for the",
+      "   current product's rows (another session may have appended",
+      "   rows for a different product, or extended the segment",
+      "   columns, in the meantime), insert the rows in sort order,",
+      "   and commit the matrix edit in its **own focused commit**",
+      "   whose only file is `<MATRIX_FILE>`. Run the commit-path",
+      "   verification step (`git show HEAD:<MATRIX_FILE>` + grep",
+      "   count on the product slug as the unique marker) against",
+      "   that commit before pushing.",
+      "",
+      "9. **Push and close.** Push the branch and close the matrix issue.",
       "",
       "---",
       "",
@@ -28035,7 +28909,7 @@ var VERSION = {
   /**
    * Version of Astro to pin for AstroProject scaffolding.
    */
-  ASTRO_VERSION: "6.3.6",
+  ASTRO_VERSION: "6.3.7",
   /**
    * CDK CLI for workflows and command line operations.
    *
@@ -28047,7 +28921,7 @@ var VERSION = {
    *
    * CLI and lib are versioned separately, so this is the lib version.
    */
-  AWS_CDK_LIB_VERSION: "2.256.1",
+  AWS_CDK_LIB_VERSION: "2.257.0",
   /**
    * Version of the AWS Constructs library to use.
    */
@@ -28064,11 +28938,11 @@ var VERSION = {
   /**
    * Version of PNPM to use in workflows at github actions.
    */
-  PNPM_VERSION: "11.2.1",
+  PNPM_VERSION: "11.2.2",
   /**
    * Version of Projen to use.
    */
-  PROJEN_VERSION: "0.99.63",
+  PROJEN_VERSION: "0.99.64",
   /**
    * Version of `actions/setup-node` to use in GitHub workflows.
    * Tracks the version projen currently emits (see node_modules/projen/lib/github/workflows.js).
@@ -28820,7 +29694,7 @@ function renderPriorityRulesSection(rules) {
 }
 
 // src/agent/bundles/index.ts
-function buildBuiltInBundles(paths = DEFAULT_AGENT_PATHS, issueDefaults = DEFAULT_RESOLVED_ISSUE_DEFAULTS, defaultAgentTier = AGENT_MODEL.BALANCED, bundleAgentTiers = /* @__PURE__ */ new Map()) {
+function buildBuiltInBundles(paths = DEFAULT_AGENT_PATHS, issueDefaults = DEFAULT_RESOLVED_ISSUE_DEFAULTS, defaultAgentTier = AGENT_MODEL.BALANCED, bundleAgentTiers = /* @__PURE__ */ new Map(), prReviewPolicy = resolvePrReviewPolicy()) {
   const tierFor = (bundle) => bundleAgentTiers.get(bundle) ?? defaultAgentTier;
   return [
     buildBaseBundle(paths),
@@ -28837,7 +29711,7 @@ function buildBuiltInBundles(paths = DEFAULT_AGENT_PATHS, issueDefaults = DEFAUL
     buildMeetingAnalysisBundle(tierFor("meeting-analysis")),
     agendaBundle,
     orchestratorBundle,
-    prReviewBundle,
+    buildPrReviewBundle(prReviewPolicy),
     buildRequirementsAnalystBundle(paths, issueDefaults),
     buildRequirementsWriterBundle(paths, issueDefaults),
     buildRequirementsReviewerBundle(paths, issueDefaults),
@@ -28901,210 +29775,10 @@ function prefix(rel, entry) {
   return path.posix.join(rel, entry);
 }
 
-// src/agent/renderers/cursor-renderer.ts
+// src/agent/renderers/claude-renderer.ts
 import { JsonFile as JsonFile2 } from "projen";
 import { TextFile as TextFile2 } from "projen/lib/textfile";
-var GENERATED_MARKER = "# ~~ Generated by @codedrifters/configulator. Edits welcome \u2014 please contribute improvements back. ~~";
-var CursorRenderer = class _CursorRenderer {
-  /**
-   * Render all Cursor configuration files.
-   */
-  static render(component, rules, skills, subAgents, mcpServers, settings) {
-    _CursorRenderer.renderRules(component, rules);
-    _CursorRenderer.renderSkills(component, skills);
-    _CursorRenderer.renderSubAgents(component, subAgents);
-    _CursorRenderer.renderMcpServers(component, mcpServers);
-    _CursorRenderer.renderHooks(component, settings);
-    _CursorRenderer.renderIgnoreFiles(component, settings);
-  }
-  static renderRules(component, rules) {
-    for (const rule of rules) {
-      if (rule.platforms?.cursor?.exclude) continue;
-      const lines = [];
-      const description = rule.platforms?.cursor?.description ?? rule.description;
-      const isAlways = rule.scope === AGENT_RULE_SCOPE.ALWAYS;
-      lines.push("---");
-      lines.push(`description: "${description}"`);
-      lines.push(`alwaysApply: ${isAlways}`);
-      if (!isAlways && rule.filePatterns && rule.filePatterns.length > 0) {
-        lines.push(`path: ${JSON.stringify([...rule.filePatterns])}`);
-      }
-      lines.push("---");
-      lines.push("");
-      lines.push(...rule.content.split("\n"));
-      new TextFile2(component, `.cursor/rules/${rule.name}.mdc`, { lines });
-    }
-  }
-  static renderSkills(component, skills) {
-    for (const skill of skills) {
-      if (skill.platforms?.cursor?.exclude) continue;
-      const lines = [];
-      lines.push("---");
-      lines.push(`name: "${skill.name}"`);
-      lines.push(`description: "${skill.description}"`);
-      if (skill.disableModelInvocation) {
-        lines.push(`disable-model-invocation: true`);
-      }
-      if (skill.userInvocable === false) {
-        lines.push(`user-invocable: false`);
-      }
-      if (skill.context) {
-        lines.push(`context: "${skill.context}"`);
-      }
-      if (skill.agent) {
-        lines.push(`agent: "${skill.agent}"`);
-      }
-      if (skill.shell) {
-        lines.push(`shell: "${skill.shell}"`);
-      }
-      if (skill.allowedTools && skill.allowedTools.length > 0) {
-        lines.push(`allowed-tools:`);
-        for (const tool of skill.allowedTools) {
-          lines.push(`  - "${tool}"`);
-        }
-      }
-      lines.push("---");
-      lines.push("");
-      lines.push(...skill.instructions.split("\n"));
-      new TextFile2(component, `.cursor/skills/${skill.name}/SKILL.md`, {
-        lines
-      });
-      if (skill.referenceFiles && skill.referenceFiles.length > 0) {
-        for (const file of skill.referenceFiles) {
-          new TextFile2(component, `.cursor/skills/${skill.name}/${file.path}`, {
-            lines: file.content.split("\n")
-          });
-        }
-      }
-    }
-  }
-  static renderSubAgents(component, subAgents) {
-    for (const agent of subAgents) {
-      if (agent.platforms?.cursor?.exclude) continue;
-      const lines = [];
-      lines.push("---");
-      lines.push(`name: ${agent.name}`);
-      lines.push(`description: >-`);
-      lines.push(`  ${agent.description}`);
-      if (agent.platforms?.cursor?.readonly) {
-        lines.push(`readonly: true`);
-      }
-      if (agent.platforms?.cursor?.isBackground) {
-        lines.push(`is_background: true`);
-      }
-      lines.push("---");
-      lines.push("");
-      lines.push(...agent.prompt.split("\n"));
-      new TextFile2(component, `.cursor/agents/${agent.name}.md`, { lines });
-    }
-  }
-  static renderMcpServers(component, mcpServers) {
-    const serverNames = Object.keys(mcpServers);
-    if (serverNames.length === 0) return;
-    const obj = { mcpServers: {} };
-    const servers = obj.mcpServers;
-    for (const [name, config] of Object.entries(mcpServers)) {
-      const server = {};
-      if (config.transport) server.transport = config.transport;
-      if (config.command) server.command = config.command;
-      if (config.args) server.args = [...config.args];
-      if (config.url) server.url = config.url;
-      if (config.headers && Object.keys(config.headers).length > 0) {
-        server.headers = { ...config.headers };
-      }
-      if (config.env) server.env = { ...config.env };
-      servers[name] = server;
-    }
-    new JsonFile2(component, ".cursor/mcp.json", { obj });
-  }
-  static renderHooks(component, settings) {
-    if (!settings?.hooks) return;
-    const hooks = {};
-    const hookEntries = settings.hooks;
-    for (const [event, actions] of Object.entries(hookEntries)) {
-      if (actions && actions.length > 0) {
-        hooks[event] = actions.map((h) => ({
-          command: h.command
-        }));
-      }
-    }
-    if (Object.keys(hooks).length === 0) return;
-    new JsonFile2(component, ".cursor/hooks.json", {
-      obj: { version: 1, hooks }
-    });
-  }
-  static renderIgnoreFiles(component, settings) {
-    if (settings?.ignorePatterns && settings.ignorePatterns.length > 0) {
-      new TextFile2(component, ".cursorignore", {
-        lines: [GENERATED_MARKER, "", ...settings.ignorePatterns]
-      });
-    }
-    if (settings?.indexingIgnorePatterns && settings.indexingIgnorePatterns.length > 0) {
-      new TextFile2(component, ".cursorindexingignore", {
-        lines: [GENERATED_MARKER, "", ...settings.indexingIgnorePatterns]
-      });
-    }
-  }
-};
-
-// src/agent/template-resolver.ts
-var FALLBACKS = {
-  "repository.owner": "<owner>",
-  "repository.name": "<repo>",
-  "repository.defaultBranch": "main",
-  "organization.name": "<organization>",
-  "organization.githubOrg": "<org>",
-  "githubProject.name": "<project-name>",
-  "githubProject.number": "<project-number>",
-  "githubProject.nodeId": "<project-node-id>",
-  docsPath: "<docs-path>",
-  // The monorepo-layout seed block is additive: when absent, the
-  // seeded `project-context.md` template reads cleanly without it.
-  // Fall back to an empty string so no placeholder text leaks into
-  // rendered prompts for repos that predate the layout contract.
-  monorepoLayoutSeedBlock: ""
-};
-var TEMPLATE_RE = /\{\{(\w+(?:\.\w+)*)\}\}/g;
-function getNestedValue(obj, path8) {
-  const parts = path8.split(".");
-  let current = obj;
-  for (const part of parts) {
-    if (current == null || typeof current !== "object") {
-      return void 0;
-    }
-    current = current[part];
-  }
-  if (current == null) {
-    return void 0;
-  }
-  return String(current);
-}
-function resolveTemplateVariables(template, metadata) {
-  if (!TEMPLATE_RE.test(template)) {
-    return { resolved: template, unresolvedKeys: [] };
-  }
-  const unresolvedKeys = [];
-  TEMPLATE_RE.lastIndex = 0;
-  const resolved = template.replace(TEMPLATE_RE, (_match, key) => {
-    if (metadata) {
-      const value = getNestedValue(
-        metadata,
-        key
-      );
-      if (value !== void 0) {
-        return value;
-      }
-    }
-    unresolvedKeys.push(key);
-    return FALLBACKS[key] ?? `<${key}>`;
-  });
-  return { resolved, unresolvedKeys };
-}
-
-// src/agent/renderers/claude-renderer.ts
-import { JsonFile as JsonFile3 } from "projen";
-import { TextFile as TextFile3 } from "projen/lib/textfile";
-var GENERATED_MARKER2 = "<!-- ~~ Generated by @codedrifters/configulator. Edits welcome \u2014 please contribute improvements back. ~~ -->";
+var GENERATED_MARKER = "<!-- ~~ Generated by @codedrifters/configulator. Edits welcome \u2014 please contribute improvements back. ~~ -->";
 var ClaudeRenderer = class _ClaudeRenderer {
   /**
    * Render all Claude Code configuration files.
@@ -29129,12 +29803,12 @@ var ClaudeRenderer = class _ClaudeRenderer {
       return target === CLAUDE_RULE_TARGET.CLAUDE_MD;
     });
     if (claudeMdRules.length === 0) return;
-    const lines = [GENERATED_MARKER2, ""];
+    const lines = [GENERATED_MARKER, ""];
     for (let i = 0; i < claudeMdRules.length; i++) {
       if (i > 0) lines.push("", "---", "");
       lines.push(...claudeMdRules[i].content.split("\n"));
     }
-    new TextFile3(component, "CLAUDE.md", { lines });
+    new TextFile2(component, "CLAUDE.md", { lines });
   }
   static renderScopedRules(component, rules) {
     const scopedRules = rules.filter((r) => {
@@ -29154,7 +29828,7 @@ var ClaudeRenderer = class _ClaudeRenderer {
         lines.push("");
       }
       lines.push(...rule.content.split("\n"));
-      new TextFile3(component, `.claude/rules/${rule.name}.md`, { lines });
+      new TextFile2(component, `.claude/rules/${rule.name}.md`, { lines });
     }
   }
   static renderSettings(component, mcpServers, settings) {
@@ -29279,7 +29953,7 @@ var ClaudeRenderer = class _ClaudeRenderer {
       hasContent = true;
     }
     if (!hasContent) return;
-    new JsonFile3(component, ".claude/settings.json", { obj });
+    new JsonFile2(component, ".claude/settings.json", { obj });
   }
   static buildSandboxObj(sandbox) {
     const obj = {};
@@ -29366,12 +30040,12 @@ var ClaudeRenderer = class _ClaudeRenderer {
       lines.push("---");
       lines.push("");
       lines.push(...skill.instructions.split("\n"));
-      new TextFile3(component, `.claude/skills/${skill.name}/SKILL.md`, {
+      new TextFile2(component, `.claude/skills/${skill.name}/SKILL.md`, {
         lines
       });
       if (skill.referenceFiles && skill.referenceFiles.length > 0) {
         for (const file of skill.referenceFiles) {
-          new TextFile3(component, `.claude/skills/${skill.name}/${file.path}`, {
+          new TextFile2(component, `.claude/skills/${skill.name}/${file.path}`, {
             lines: file.content.split("\n")
           });
         }
@@ -29429,7 +30103,7 @@ var ClaudeRenderer = class _ClaudeRenderer {
       lines.push("---");
       lines.push("");
       lines.push(...agent.prompt.split("\n"));
-      new TextFile3(component, `.claude/agents/${agent.name}.md`, { lines });
+      new TextFile2(component, `.claude/agents/${agent.name}.md`, { lines });
     }
   }
   static buildMcpServerObj(config) {
@@ -29446,7 +30120,7 @@ var ClaudeRenderer = class _ClaudeRenderer {
   }
   static renderProcedures(component, procedures) {
     for (const proc of procedures) {
-      new TextFile3(component, `.claude/procedures/${proc.name}`, {
+      new TextFile2(component, `.claude/procedures/${proc.name}`, {
         lines: proc.content.split("\n"),
         executable: true
       });
@@ -29473,7 +30147,7 @@ var ClaudeRenderer = class _ClaudeRenderer {
       lines.push("---");
       lines.push("");
       lines.push(...command.content.split("\n"));
-      new TextFile3(component, `.claude/commands/${command.name}.md`, { lines });
+      new TextFile2(component, `.claude/commands/${command.name}.md`, { lines });
     }
   }
   /**
@@ -29485,6 +30159,206 @@ var ClaudeRenderer = class _ClaudeRenderer {
   }
 };
 
+// src/agent/renderers/cursor-renderer.ts
+import { JsonFile as JsonFile3 } from "projen";
+import { TextFile as TextFile3 } from "projen/lib/textfile";
+var GENERATED_MARKER2 = "# ~~ Generated by @codedrifters/configulator. Edits welcome \u2014 please contribute improvements back. ~~";
+var CursorRenderer = class _CursorRenderer {
+  /**
+   * Render all Cursor configuration files.
+   */
+  static render(component, rules, skills, subAgents, mcpServers, settings) {
+    _CursorRenderer.renderRules(component, rules);
+    _CursorRenderer.renderSkills(component, skills);
+    _CursorRenderer.renderSubAgents(component, subAgents);
+    _CursorRenderer.renderMcpServers(component, mcpServers);
+    _CursorRenderer.renderHooks(component, settings);
+    _CursorRenderer.renderIgnoreFiles(component, settings);
+  }
+  static renderRules(component, rules) {
+    for (const rule of rules) {
+      if (rule.platforms?.cursor?.exclude) continue;
+      const lines = [];
+      const description = rule.platforms?.cursor?.description ?? rule.description;
+      const isAlways = rule.scope === AGENT_RULE_SCOPE.ALWAYS;
+      lines.push("---");
+      lines.push(`description: "${description}"`);
+      lines.push(`alwaysApply: ${isAlways}`);
+      if (!isAlways && rule.filePatterns && rule.filePatterns.length > 0) {
+        lines.push(`path: ${JSON.stringify([...rule.filePatterns])}`);
+      }
+      lines.push("---");
+      lines.push("");
+      lines.push(...rule.content.split("\n"));
+      new TextFile3(component, `.cursor/rules/${rule.name}.mdc`, { lines });
+    }
+  }
+  static renderSkills(component, skills) {
+    for (const skill of skills) {
+      if (skill.platforms?.cursor?.exclude) continue;
+      const lines = [];
+      lines.push("---");
+      lines.push(`name: "${skill.name}"`);
+      lines.push(`description: "${skill.description}"`);
+      if (skill.disableModelInvocation) {
+        lines.push(`disable-model-invocation: true`);
+      }
+      if (skill.userInvocable === false) {
+        lines.push(`user-invocable: false`);
+      }
+      if (skill.context) {
+        lines.push(`context: "${skill.context}"`);
+      }
+      if (skill.agent) {
+        lines.push(`agent: "${skill.agent}"`);
+      }
+      if (skill.shell) {
+        lines.push(`shell: "${skill.shell}"`);
+      }
+      if (skill.allowedTools && skill.allowedTools.length > 0) {
+        lines.push(`allowed-tools:`);
+        for (const tool of skill.allowedTools) {
+          lines.push(`  - "${tool}"`);
+        }
+      }
+      lines.push("---");
+      lines.push("");
+      lines.push(...skill.instructions.split("\n"));
+      new TextFile3(component, `.cursor/skills/${skill.name}/SKILL.md`, {
+        lines
+      });
+      if (skill.referenceFiles && skill.referenceFiles.length > 0) {
+        for (const file of skill.referenceFiles) {
+          new TextFile3(component, `.cursor/skills/${skill.name}/${file.path}`, {
+            lines: file.content.split("\n")
+          });
+        }
+      }
+    }
+  }
+  static renderSubAgents(component, subAgents) {
+    for (const agent of subAgents) {
+      if (agent.platforms?.cursor?.exclude) continue;
+      const lines = [];
+      lines.push("---");
+      lines.push(`name: ${agent.name}`);
+      lines.push(`description: >-`);
+      lines.push(`  ${agent.description}`);
+      if (agent.platforms?.cursor?.readonly) {
+        lines.push(`readonly: true`);
+      }
+      if (agent.platforms?.cursor?.isBackground) {
+        lines.push(`is_background: true`);
+      }
+      lines.push("---");
+      lines.push("");
+      lines.push(...agent.prompt.split("\n"));
+      new TextFile3(component, `.cursor/agents/${agent.name}.md`, { lines });
+    }
+  }
+  static renderMcpServers(component, mcpServers) {
+    const serverNames = Object.keys(mcpServers);
+    if (serverNames.length === 0) return;
+    const obj = { mcpServers: {} };
+    const servers = obj.mcpServers;
+    for (const [name, config] of Object.entries(mcpServers)) {
+      const server = {};
+      if (config.transport) server.transport = config.transport;
+      if (config.command) server.command = config.command;
+      if (config.args) server.args = [...config.args];
+      if (config.url) server.url = config.url;
+      if (config.headers && Object.keys(config.headers).length > 0) {
+        server.headers = { ...config.headers };
+      }
+      if (config.env) server.env = { ...config.env };
+      servers[name] = server;
+    }
+    new JsonFile3(component, ".cursor/mcp.json", { obj });
+  }
+  static renderHooks(component, settings) {
+    if (!settings?.hooks) return;
+    const hooks = {};
+    const hookEntries = settings.hooks;
+    for (const [event, actions] of Object.entries(hookEntries)) {
+      if (actions && actions.length > 0) {
+        hooks[event] = actions.map((h) => ({
+          command: h.command
+        }));
+      }
+    }
+    if (Object.keys(hooks).length === 0) return;
+    new JsonFile3(component, ".cursor/hooks.json", {
+      obj: { version: 1, hooks }
+    });
+  }
+  static renderIgnoreFiles(component, settings) {
+    if (settings?.ignorePatterns && settings.ignorePatterns.length > 0) {
+      new TextFile3(component, ".cursorignore", {
+        lines: [GENERATED_MARKER2, "", ...settings.ignorePatterns]
+      });
+    }
+    if (settings?.indexingIgnorePatterns && settings.indexingIgnorePatterns.length > 0) {
+      new TextFile3(component, ".cursorindexingignore", {
+        lines: [GENERATED_MARKER2, "", ...settings.indexingIgnorePatterns]
+      });
+    }
+  }
+};
+
+// src/agent/template-resolver.ts
+var FALLBACKS = {
+  "repository.owner": "<owner>",
+  "repository.name": "<repo>",
+  "repository.defaultBranch": "main",
+  "organization.name": "<organization>",
+  "organization.githubOrg": "<org>",
+  "githubProject.name": "<project-name>",
+  "githubProject.number": "<project-number>",
+  "githubProject.nodeId": "<project-node-id>",
+  docsPath: "<docs-path>",
+  // The monorepo-layout seed block is additive: when absent, the
+  // seeded `project-context.md` template reads cleanly without it.
+  // Fall back to an empty string so no placeholder text leaks into
+  // rendered prompts for repos that predate the layout contract.
+  monorepoLayoutSeedBlock: ""
+};
+var TEMPLATE_RE = /\{\{(\w+(?:\.\w+)*)\}\}/g;
+function getNestedValue(obj, path8) {
+  const parts = path8.split(".");
+  let current = obj;
+  for (const part of parts) {
+    if (current == null || typeof current !== "object") {
+      return void 0;
+    }
+    current = current[part];
+  }
+  if (current == null) {
+    return void 0;
+  }
+  return String(current);
+}
+function resolveTemplateVariables(template, metadata) {
+  if (!TEMPLATE_RE.test(template)) {
+    return { resolved: template, unresolvedKeys: [] };
+  }
+  const unresolvedKeys = [];
+  TEMPLATE_RE.lastIndex = 0;
+  const resolved = template.replace(TEMPLATE_RE, (_match, key) => {
+    if (metadata) {
+      const value = getNestedValue(
+        metadata,
+        key
+      );
+      if (value !== void 0) {
+        return value;
+      }
+    }
+    unresolvedKeys.push(key);
+    return FALLBACKS[key] ?? `<${key}>`;
+  });
+  return { resolved, unresolvedKeys };
+}
+
 // src/agent/renderers/codex-renderer.ts
 var CodexRenderer = class {
   static render(_component, _rules, _skills, _subAgents) {
@@ -29701,6 +30575,7 @@ var SHARED_EDITING_BUNDLE_HOOKS = [
   ["customer-profile-workflow", "customer-profile"],
   ["industry-discovery-workflow", "industry-discovery"],
   ["meeting-agenda-workflow", "agenda"],
+  ["meeting-processing-workflow", "meeting-analyst"],
   ["people-profile-workflow", "people-profile"],
   ["regulatory-research-workflow", "regulatory-research"],
   ["requirements-reviewer-workflow", "requirements-reviewer"],
@@ -29890,7 +30765,8 @@ var AgentConfig = class _AgentConfig extends Component8 {
         this.resolvedPaths,
         resolveIssueDefaults(this.options.issueDefaults),
         resolveDefaultAgentTier(this.options),
-        resolveBundleAgentTiers(this.options)
+        resolveBundleAgentTiers(this.options),
+        resolvePrReviewPolicy(this.options.prReviewPolicy)
       );
     }
     return this.cachedBundles;
@@ -29932,6 +30808,7 @@ var AgentConfig = class _AgentConfig extends Component8 {
     super.preSynthesize();
     validateAgentTierConfig(this.options.tiers);
     validateScopeGateConfig(this.options.scopeGate);
+    validatePrReviewPolicyConfig(this.options.prReviewPolicy);
     const resolvedRunRatio = resolveRunRatio(this.options.runRatio);
     if (resolvedRunRatio.enabled) {
       this.project.gitignore.addPatterns(`/${resolvedRunRatio.stateFilePath}`);
@@ -36470,6 +37347,7 @@ export {
   DEFAULT_ISSUE_TEMPLATES_REQUIRE_REFERENCE,
   DEFAULT_OFF_PEAK_CRON_EXAMPLE,
   DEFAULT_PARTIAL_UNBLOCK_COMMENT_TEMPLATE,
+  DEFAULT_PATHS_EXEMPT_FROM_SIZE,
   DEFAULT_PRIORITY_LABELS,
   DEFAULT_PRODUCT_CONTEXT_PATH,
   DEFAULT_PROGRESS_FILES_ENABLED,
@@ -36572,6 +37450,7 @@ export {
   buildMeetingAnalysisBundle,
   buildOrchestratorConventionsContent,
   buildPeopleProfileBundle,
+  buildPrReviewBundle,
   buildRegulatoryResearchBundle,
   buildReport,
   buildRequirementsAnalystBundle,
@@ -36702,6 +37581,7 @@ export {
   resolveOrchestratorAssets,
   resolveOutdirFromPackageName,
   resolveOverrideForLabels,
+  resolvePrReviewPolicy,
   resolveProgressFiles,
   resolveReactViteSiteProjectOutdir,
   resolveRunRatio,
@@ -36725,6 +37605,7 @@ export {
   validateIssueDefaultsConfig,
   validateIssueTemplatesConfig,
   validateMonorepoLayout,
+  validatePrReviewPolicyConfig,
   validateProgressFilesConfig,
   validateRunRatioConfig,
   validateScheduledTasksConfig,