@h-rig/bundle-default-lifecycle 0.0.6-alpha.156 → 0.0.6-alpha.158

package/dist/src/plugin.js

@@ -14,32 +14,2289 @@ var __export = (target, all) => {
     });
 };
 var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+var __require = import.meta.require;
 
-// packages/bundle-default-lifecycle/src/control-plane/verifier.ts
-import { existsSync, mkdirSync, writeFileSync } from "fs";
-import { resolve } from "path";
-import { resolveRuntimeSecrets } from "@rig/runtime/control-plane/runtime/baked-secrets";
-import { readPrMetadata } from "@rig/runtime/control-plane/native/git-ops";
-import { loadRuntimeContextFromEnv } from "@rig/runtime/control-plane/runtime/context";
-import { readConfiguredTaskSourceTask } from "@rig/runtime/control-plane/tasks/source-lifecycle";
-import { artifactDirForId, lookupTask, readTaskConfig } from "@rig/runtime/control-plane/native/task-state";
-import { nowIso, resolveHarnessPaths, runCapture } from "@rig/runtime/control-plane/native/utils";
+// packages/bundle-default-lifecycle/src/control-plane/pr-merge-gate-cap.ts
+var exports_pr_merge_gate_cap = {};
+__export(exports_pr_merge_gate_cap, {
+  resolvePrMergeGateService: () => resolvePrMergeGateService
+});
+import { PR_MERGE_GATE } from "@rig/contracts";
+import { defineCapability } from "@rig/core/capability";
+import { resolvePluginHost } from "@rig/core/project-plugins";
+async function resolvePrMergeGateService(projectRoot) {
+  const { host } = await resolvePluginHost(projectRoot);
+  return PrMergeGateCap.require(host);
+}
+var PrMergeGateCap;
+var init_pr_merge_gate_cap = __esm(() => {
+  PrMergeGateCap = defineCapability(PR_MERGE_GATE);
+});
+
+// packages/bundle-default-lifecycle/src/control-plane/pr-automation.ts
+var exports_pr_automation = {};
+__export(exports_pr_automation, {
+  runRepoDefaultMerge: () => runRepoDefaultMerge,
+  runPrAutomation: () => runPrAutomation,
+  resolvePrAutomationLimits: () => resolvePrAutomationLimits,
+  requestGreptileRereview: () => requestGreptileRereview,
+  pushBranchSyncedWithOrigin: () => pushBranchSyncedWithOrigin,
+  hasCommittableRunChanges: () => hasCommittableRunChanges,
+  gateNeedsGreptileRereview: () => gateNeedsGreptileRereview,
+  commitRunChanges: () => commitRunChanges,
+  collectPendingPrChecks: () => collectPendingPrChecks,
+  collectActionablePrFeedback: () => collectActionablePrFeedback,
+  closeIssueAfterMergedPr: () => closeIssueAfterMergedPr,
+  buildPrAutomationBody: () => buildPrAutomationBody,
+  UPLOADED_SNAPSHOT_PR_MARKER: () => UPLOADED_SNAPSHOT_PR_MARKER
+});
+import { assertSafeGitBranchName } from "@rig/core/safe-identifiers";
+function positiveInt(value, fallback) {
+  return typeof value === "number" && Number.isFinite(value) && value > 0 ? Math.floor(value) : fallback;
+}
+function resolvePrAutomationLimits(config) {
+  return {
+    maxPrFixIterations: positiveInt(config?.automation?.maxPrFixIterations, 100500)
+  };
+}
+function buildPrAutomationBody(input) {
+  const lines = [
+    input.summary?.trim() || "Rig completed this task autonomously.",
+    "",
+    `Run: ${input.runId}`
+  ];
+  if (/^\d+$/.test(input.taskId)) {
+    lines.push("", `Closes #${input.taskId}`);
+  }
+  if (input.uploadedSnapshot) {
+    lines.push("", UPLOADED_SNAPSHOT_PR_MARKER, "This PR was seeded from an uploaded local working-tree snapshot. Review local snapshot provenance before merging if repository policy requires it.");
+  }
+  return lines.join(`
+`);
+}
+function wildcardToRegExp(pattern) {
+  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+  return new RegExp(`^${escaped}$`, "i");
+}
+function isAllowedFailure(name, allowedFailures) {
+  return allowedFailures.some((pattern) => wildcardToRegExp(pattern).test(name));
+}
+function isPendingCheck(check) {
+  const conclusion = String(check.conclusion ?? "").toLowerCase();
+  const state = String(check.state ?? check.status ?? "").toLowerCase();
+  return ["pending", "queued", "in_progress", "waiting", "requested", "expected", "action_required"].includes(conclusion) || ["pending", "queued", "in_progress", "waiting", "requested", "expected"].includes(state);
+}
+function isPassingCheck(check) {
+  const conclusion = String(check.conclusion ?? "").toLowerCase();
+  const state = String(check.state ?? check.status ?? "").toLowerCase();
+  return ["success", "successful", "passed", "neutral", "skipped"].includes(conclusion) || ["success", "successful", "passed", "completed"].includes(state);
+}
+function isFailingCheck(check) {
+  const conclusion = String(check.conclusion ?? "").toLowerCase();
+  const state = String(check.state ?? check.status ?? "").toLowerCase();
+  return ["failure", "failed", "timed_out", "action_required", "cancelled", "error"].includes(conclusion) || ["failure", "failed", "timed_out", "action_required", "cancelled", "error"].includes(state);
+}
+function collectPendingPrChecks(input) {
+  const allowedFailures = input.allowedFailures ?? [];
+  const pending = [];
+  for (const check of input.checks ?? []) {
+    const name = check.name.trim();
+    if (!name || isAllowedFailure(name, allowedFailures))
+      continue;
+    if (isPendingCheck(check) && !isPassingCheck(check))
+      pending.push(name);
+  }
+  return pending;
+}
+function collectActionablePrFeedback(input) {
+  const allowedFailures = input.allowedFailures ?? [];
+  const feedback = [];
+  for (const check of input.checks ?? []) {
+    const name = check.name.trim();
+    if (!name || !isFailingCheck(check) || isAllowedFailure(name, allowedFailures))
+      continue;
+    feedback.push(`Check failed: ${name}${check.detailsUrl ? ` (${check.detailsUrl})` : ""}`);
+  }
+  for (const thread of input.reviewThreads ?? []) {
+    if (thread.resolved === true)
+      continue;
+    const body = thread.body.trim();
+    if (!body)
+      continue;
+    feedback.push(`Review feedback from ${thread.author?.trim() || "reviewer"}: ${body}`);
+  }
+  return feedback;
+}
+function parseJsonArray(value) {
+  if (!value?.trim())
+    return [];
+  try {
+    const parsed = JSON.parse(value);
+    return Array.isArray(parsed) ? parsed : [];
+  } catch {
+    return [];
+  }
+}
+function parsePrChecks(value) {
+  return parseJsonArray(value).flatMap((entry) => {
+    if (!entry || typeof entry !== "object")
+      return [];
+    const record = entry;
+    const name = typeof record.name === "string" ? record.name : "";
+    if (!name.trim())
+      return [];
+    return [{
+      name,
+      status: typeof record.status === "string" ? record.status : null,
+      state: typeof record.state === "string" ? record.state : null,
+      conclusion: typeof record.conclusion === "string" ? record.conclusion : null,
+      detailsUrl: typeof record.detailsUrl === "string" ? record.detailsUrl : typeof record.link === "string" ? record.link : null
+    }];
+  });
+}
+function parsePrViewStatusCheckRollup(value) {
+  if (!value?.trim())
+    return [];
+  try {
+    const parsed = JSON.parse(value);
+    const rollup = Array.isArray(parsed.statusCheckRollup) ? parsed.statusCheckRollup : [];
+    return rollup.flatMap((entry) => {
+      if (!entry || typeof entry !== "object")
+        return [];
+      const record = entry;
+      const name = typeof record.name === "string" ? record.name : "";
+      if (!name.trim())
+        return [];
+      return [{
+        name,
+        status: typeof record.status === "string" ? record.status : null,
+        state: typeof record.state === "string" ? record.state : null,
+        conclusion: typeof record.conclusion === "string" ? record.conclusion : null,
+        detailsUrl: typeof record.detailsUrl === "string" ? record.detailsUrl : typeof record.link === "string" ? record.link : null
+      }];
+    });
+  } catch {
+    return [];
+  }
+}
+async function readPrChecks(input) {
+  const checks = await input.command(["pr", "checks", input.prUrl, "--json", "name,state,link"], input.cwd ? { cwd: input.cwd } : undefined);
+  if (checks.exitCode === 0) {
+    return parsePrChecks(checks.stdout);
+  }
+  const combined = `${checks.stderr ?? ""}
+${checks.stdout ?? ""}`;
+  if (!/unknown flag.*--json|unknown flag: --json|unknown shorthand flag/i.test(combined)) {
+    throw new Error(`gh pr checks ${input.prUrl} --json name,state,link failed (${checks.exitCode}): ${checks.stderr ?? checks.stdout ?? ""}`.trim());
+  }
+  const view = await runChecked(input.command, ["pr", "view", input.prUrl, "--json", "statusCheckRollup"], input.cwd, "gh");
+  return parsePrViewStatusCheckRollup(view.stdout);
+}
+function parsePrViewReviewThreads(value) {
+  if (!value?.trim())
+    return [];
+  try {
+    const parsed = JSON.parse(value);
+    const feedback = [];
+    const reviewThreads = parsed.reviewThreads;
+    if (Array.isArray(reviewThreads)) {
+      feedback.push(...reviewThreads.flatMap((entry) => {
+        if (!entry || typeof entry !== "object")
+          return [];
+        const record = entry;
+        const body = typeof record.body === "string" ? record.body : null;
+        if (!body)
+          return [];
+        return [{
+          id: typeof record.id === "string" ? record.id : null,
+          body,
+          resolved: typeof record.resolved === "boolean" ? record.resolved : false,
+          author: typeof record.author === "string" ? record.author : null
+        }];
+      }));
+    }
+    const reviews = parsed.reviews;
+    if (Array.isArray(reviews)) {
+      feedback.push(...reviews.flatMap((entry) => {
+        if (!entry || typeof entry !== "object")
+          return [];
+        const record = entry;
+        const state = typeof record.state === "string" ? record.state.toUpperCase() : "";
+        if (state !== "CHANGES_REQUESTED")
+          return [];
+        const body = typeof record.body === "string" && record.body.trim() ? record.body : "Changes requested by reviewer.";
+        const author = record.author && typeof record.author === "object" ? record.author.login : null;
+        return [{
+          id: typeof record.id === "string" ? record.id : null,
+          body,
+          resolved: false,
+          author: typeof author === "string" ? author : null
+        }];
+      }));
+    }
+    const reviewDecision = typeof parsed.reviewDecision === "string" ? parsed.reviewDecision.toUpperCase() : "";
+    if (reviewDecision === "CHANGES_REQUESTED" && feedback.length === 0) {
+      feedback.push({ body: "Changes requested by reviewer.", resolved: false });
+    }
+    return feedback;
+  } catch {
+    return [];
+  }
+}
+function findPrUrl(output) {
+  return output?.split(/\s+/).map((part) => part.trim()).find((part) => /^https?:\/\/\S+\/pull\/\d+$/i.test(part)) ?? null;
+}
+function normalizePrUrl(stdout) {
+  const url = findPrUrl(stdout);
+  if (!url)
+    throw new Error("gh pr create did not return a PR URL");
+  return url;
+}
+function parseGitHubPullRequestUrl(prUrl) {
+  try {
+    const parsed = new URL(prUrl);
+    const [owner, repo, kind, number] = parsed.pathname.split("/").filter(Boolean);
+    if (!owner || !repo || kind !== "pull" || !number || !/^\d+$/.test(number))
+      return null;
+    return { owner, repo, number };
+  } catch {
+    return null;
+  }
+}
+async function ensureExistingPrBodyHasRigMarkers(input) {
+  const view = await input.command(["pr", "view", input.prUrl, "--json", "body"], input.cwd ? { cwd: input.cwd } : undefined);
+  if (view.exitCode !== 0) {
+    throw new Error(`gh pr view ${input.prUrl} --json body failed (${view.exitCode}): ${view.stderr ?? view.stdout ?? ""}`.trim());
+  }
+  let currentBody = "";
+  try {
+    const parsed = JSON.parse(view.stdout ?? "{}");
+    currentBody = typeof parsed.body === "string" ? parsed.body : "";
+  } catch {
+    currentBody = "";
+  }
+  const requiredBlocks = input.body.split(/\n{2,}/).map((block) => block.trim()).filter((block) => /^Run: /i.test(block) || /^Closes #\d+/i.test(block));
+  const missing = requiredBlocks.filter((block) => {
+    if (/^Run: /i.test(block))
+      return !/^Run: \S+/im.test(currentBody);
+    return !currentBody.includes(block);
+  });
+  if (missing.length === 0)
+    return;
+  const nextBody = [currentBody.trim(), ...missing].filter(Boolean).join(`
+
+`);
+  const pr = parseGitHubPullRequestUrl(input.prUrl);
+  if (!pr)
+    throw new Error(`Cannot update existing PR body for unrecognized PR URL: ${input.prUrl}`);
+  const edit = await input.command(["api", `repos/${pr.owner}/${pr.repo}/issues/${pr.number}`, "-X", "PATCH", "-f", `body=${nextBody}`], input.cwd ? { cwd: input.cwd } : undefined);
+  if (edit.exitCode !== 0) {
+    throw new Error(`gh api repos/${pr.owner}/${pr.repo}/issues/${pr.number} -X PATCH -f body=<redacted> failed (${edit.exitCode}): ${edit.stderr ?? edit.stdout ?? ""}`.trim());
+  }
+}
+async function runChecked(command, args, cwd, label = "gh") {
+  const result = await command(args, cwd ? { cwd } : undefined);
+  if (result.exitCode !== 0) {
+    throw new Error(`${label} ${args.join(" ")} failed (${result.exitCode}): ${result.stderr ?? result.stdout ?? ""}`.trim());
+  }
+  return result;
+}
+function statusPathFromShortLine(line) {
+  const rawPath = line.length > 3 ? line.slice(3).trim() : "";
+  const renamedPath = rawPath.includes(" -> ") ? rawPath.split(" -> ").at(-1).trim() : rawPath;
+  if (renamedPath.startsWith('"') && renamedPath.endsWith('"')) {
+    try {
+      return JSON.parse(renamedPath);
+    } catch {
+      return renamedPath.slice(1, -1);
+    }
+  }
+  return renamedPath;
+}
+function isRuntimeCommitExcludedPath(path) {
+  const normalized = path.replace(/^\.\/+/, "").replace(/\/+$/, "");
+  return RIG_RUNTIME_COMMIT_EXCLUDES.some((excluded) => normalized === excluded || normalized.startsWith(`${excluded}/`));
+}
+function committableRunChangePaths(statusText) {
+  const seen = new Set;
+  const paths = [];
+  for (const line of statusText.split(/\r?\n/)) {
+    const path = statusPathFromShortLine(line);
+    if (!path || isRuntimeCommitExcludedPath(path) || seen.has(path))
+      continue;
+    seen.add(path);
+    paths.push(path);
+  }
+  return paths;
+}
+function hasCommittableRunChanges(statusText) {
+  return committableRunChangePaths(statusText).length > 0;
+}
+async function commitRunChanges(input) {
+  const status = await runChecked(input.command, ["status", "--short", "--untracked-files=all"], input.cwd, "git");
+  const statusText = status.stdout ?? "";
+  const committablePaths = committableRunChangePaths(statusText);
+  if (!statusText.trim() || committablePaths.length === 0) {
+    return { committed: false, status: statusText };
+  }
+  await runChecked(input.command, ["add", "-A", "--", ...committablePaths], input.cwd, "git");
+  const staged = await input.command(["diff", "--cached", "--quiet"], { cwd: input.cwd });
+  if (staged.exitCode === 0) {
+    return { committed: false, status: statusText };
+  }
+  if (staged.exitCode !== 1) {
+    throw new Error(`git diff --cached --quiet failed (${staged.exitCode}): ${staged.stderr ?? staged.stdout ?? ""}`.trim());
+  }
+  await runChecked(input.command, ["commit", "-m", input.message], input.cwd, "git");
+  return { committed: true, status: statusText };
+}
+async function closeIssueAfterMergedPr(input) {
+  await input.updateTaskSource(input.projectRoot, {
+    taskId: input.taskId,
+    ...input.sourceTask !== undefined ? { sourceTask: input.sourceTask } : {},
+    update: {
+      status: "closed",
+      comment: [
+        "<!-- rig:status-comment -->",
+        "### Rig status: closed",
+        "",
+        "Rig PR merged and closed this task.",
+        "",
+        `- Run: ${input.runId}`,
+        `- PR merged: ${input.prUrl}`
+      ].join(`
+`)
+    }
+  });
+}
+function parseGitHubRepoFromPrUrl(prUrl) {
+  const match = /^https?:\/\/github\.com\/([^/]+)\/([^/]+)\/pull\/\d+\/?$/i.exec(prUrl.trim());
+  return match ? { owner: match[1], repo: match[2] } : null;
+}
+async function resolveRepoDefaultMergeFlag(input) {
+  const repo = parseGitHubRepoFromPrUrl(input.prUrl);
+  if (!repo)
+    throw new Error(`Cannot resolve GitHub repository from PR URL: ${input.prUrl}`);
+  const result = await input.command(["api", `repos/${repo.owner}/${repo.repo}`], input.cwd ? { cwd: input.cwd } : undefined);
+  if (result.exitCode !== 0) {
+    throw new Error(`Could not read repository merge policy for ${repo.owner}/${repo.repo}: ${result.stderr ?? result.stdout ?? "gh api failed"}`.trim());
+  }
+  try {
+    const parsed = JSON.parse(result.stdout ?? "{}");
+    if (parsed.allow_merge_commit !== false)
+      return "--merge";
+    if (parsed.allow_squash_merge !== false)
+      return "--squash";
+    if (parsed.allow_rebase_merge !== false)
+      return "--rebase";
+  } catch (error) {
+    throw new Error(`Could not parse repository merge policy for ${repo.owner}/${repo.repo}: ${error instanceof Error ? error.message : String(error)}`);
+  }
+  throw new Error(`Repository ${repo.owner}/${repo.repo} has no enabled merge method for repo-default merge.`);
+}
+async function runRepoDefaultMerge(input) {
+  const merge = input.config?.merge ?? {};
+  if (merge.mode === "off")
+    return;
+  const requireGreptile = (input.config?.review?.provider ?? "greptile") === "greptile";
+  const mergeGate = await resolvePrMergeGateService(input.projectRoot ?? input.cwd ?? process.cwd());
+  const matchHeadSha = mergeGate.resolveHeadSha({ result: input.strictGate, prUrl: input.prUrl, requireGreptile });
+  const method = merge.method ?? "repo-default";
+  const args = ["pr", "merge", input.prUrl];
+  if (method === "repo-default") {
+    args.push(await resolveRepoDefaultMergeFlag({ prUrl: input.prUrl, command: input.command, ...input.cwd !== undefined ? { cwd: input.cwd } : {} }));
+  } else {
+    args.push(`--${method}`);
+  }
+  args.push("--match-head-commit", matchHeadSha);
+  if (merge.deleteBranch === true) {
+    args.push("--delete-branch");
+  }
+  if (merge.bypass === true) {
+    args.push("--admin");
+  }
+  await runChecked(input.command, args, input.cwd);
+}
+function shouldAttemptRigMerge(config) {
+  const mode = config?.merge?.mode;
+  return mode !== "off" && mode !== "pr-ready";
+}
+function isPendingOnlyGate(result) {
+  return result.pending && result.reasonDetails.length > 0 && result.reasonDetails.every((reason) => reason.reasonClass === "pending" && reason.suggestedAction === "wait");
+}
+function gateNeedsGreptileRereview(result) {
+  if (result.approved)
+    return false;
+  const staleShaEvidence = result.reasonDetails.some((reason) => reason.surface === "greptile" && (reason.code === "greptile_stale" || reason.code === "greptile_not_current_head" && !!reason.reviewedSha && reason.reviewedSha !== reason.headSha));
+  const hasParseableGreptileScore = !!result.evidence.greptile.score;
+  const greptileNeedsPrompt = !hasParseableGreptileScore && result.reasonDetails.some((reason) => reason.surface === "greptile" && reason.suggestedAction === "ask_greptile" && (reason.code === "greptile_not_current_head" || reason.code === "greptile_score_missing" || reason.code === "greptile_mapping_unproven"));
+  const greptileStillRunning = result.reasonDetails.some((reason) => reason.code === "greptile_pending" || reason.code === "greptile_missing");
+  return (staleShaEvidence || greptileNeedsPrompt) && !greptileStillRunning;
+}
+async function requestGreptileRereview(input) {
+  const sha = input.headSha?.trim() || "unknown";
+  const marker = `<!-- ${GREPTILE_REREVIEW_MARKER_PREFIX}:${sha} -->`;
+  const existing = await input.command(["pr", "view", input.prUrl, "--json", "comments"], input.cwd ? { cwd: input.cwd } : undefined);
+  if (existing.exitCode === 0 && (existing.stdout ?? "").includes(marker)) {
+    return false;
+  }
+  await runChecked(input.command, [
+    "pr",
+    "comment",
+    input.prUrl,
+    "--body",
+    `${marker}
+@greptileai review
+
+Rig strict merge gate: Greptile evidence is bound to an older commit. Requesting a fresh review of the current head (${sha}). Merge waits until Greptile re-reviews this exact commit.`
+  ], input.cwd);
+  return true;
+}
+async function pushBranchSyncedWithOrigin(input) {
+  const branch = assertSafeGitBranchName(input.branch, "PR branch");
+  const fetched = await input.gitCommand(["fetch", "origin", branch], { cwd: input.projectRoot });
+  if (fetched.exitCode === 0) {
+    const originRef = `origin/${branch}`;
+    const behind = await input.gitCommand(["rev-list", "--count", `HEAD..${originRef}`], { cwd: input.projectRoot });
+    const behindCount = Number.parseInt((behind.stdout ?? "").trim(), 10);
+    if (behind.exitCode === 0 && Number.isFinite(behindCount) && behindCount > 0) {
+      await runChecked(input.gitCommand, ["rebase", "--autostash", originRef], input.projectRoot, "git");
+    }
+  }
+  const pushed = await input.gitCommand(["push", "--set-upstream", "origin", branch], { cwd: input.projectRoot });
+  if (pushed.exitCode !== 0) {
+    await runChecked(input.gitCommand, ["push", "--set-upstream", "--force-with-lease", "origin", branch], input.projectRoot, "git");
+  }
+}
+async function syncBranchAfterPrFeedback(input) {
+  if (!input.gitCommand)
+    return;
+  const branch = assertSafeGitBranchName(input.branch, "PR branch");
+  await commitRunChanges({
+    cwd: input.projectRoot,
+    message: `rig: address PR feedback for task ${input.taskId}`,
+    command: input.gitCommand
+  });
+  await pushBranchSyncedWithOrigin({ projectRoot: input.projectRoot, branch, gitCommand: input.gitCommand });
+}
+async function runPrAutomation(input) {
+  const branch = assertSafeGitBranchName(input.branch, "PR branch");
+  const mergeGate = await resolvePrMergeGateService(input.projectRoot);
+  const prConfig = input.config?.pr ?? {};
+  const requireGreptile = (input.config?.review?.provider ?? "greptile") === "greptile";
+  if (prConfig.mode === "off" || prConfig.mode === "ask") {
+    return { status: "skipped", iterations: 0, actionableFeedback: [] };
+  }
+  const body = buildPrAutomationBody({
+    taskId: input.taskId,
+    runId: input.runId,
+    summary: input.sourceTask?.title ? `Rig completed: ${input.sourceTask.title}` : null,
+    ...input.uploadedSnapshot !== undefined ? { uploadedSnapshot: input.uploadedSnapshot } : {}
+  });
+  if (input.gitCommand) {
+    await pushBranchSyncedWithOrigin({ projectRoot: input.projectRoot, branch, gitCommand: input.gitCommand });
+  }
+  const createArgs = [
+    "pr",
+    "create",
+    "--head",
+    branch,
+    "--title",
+    input.sourceTask?.title?.trim() || `Rig task ${input.taskId}`,
+    "--body",
+    body
+  ];
+  const createResult = await input.command(createArgs, { cwd: input.projectRoot });
+  const existingPrUrl = createResult.exitCode === 0 ? null : /pull request .*already exists/i.test(`${createResult.stderr ?? ""}
+${createResult.stdout ?? ""}`) ? findPrUrl(`${createResult.stderr ?? ""}
+${createResult.stdout ?? ""}`) : null;
+  if (createResult.exitCode !== 0 && !existingPrUrl) {
+    throw new Error(`gh ${createArgs.join(" ")} failed (${createResult.exitCode}): ${createResult.stderr ?? createResult.stdout ?? ""}`.trim());
+  }
+  const prUrl = existingPrUrl ?? normalizePrUrl(createResult.stdout);
+  if (existingPrUrl) {
+    await ensureExistingPrBodyHasRigMarkers({ prUrl, body, command: input.command, cwd: input.projectRoot });
+  }
+  await input.lifecycle?.onPrOpened?.({ prUrl });
+  const { maxPrFixIterations } = resolvePrAutomationLimits(input.config);
+  let latestFeedback = [];
+  let pendingElapsedMs = 0;
+  const shouldMerge = shouldAttemptRigMerge(input.config);
+  for (let iteration = 1;iteration <= maxPrFixIterations; iteration += 1) {
+    await input.lifecycle?.onReviewCiStarted?.({ prUrl, iteration });
+    if (!shouldMerge) {
+      const checks = prConfig.watchChecks === false ? [] : await readPrChecks({ prUrl, command: input.command, cwd: input.projectRoot });
+      const reviewThreads = prConfig.autoFixReview === false ? [] : parsePrViewReviewThreads((await runChecked(input.command, ["pr", "view", prUrl, "--json", "reviewDecision,reviews"], input.projectRoot)).stdout);
+      latestFeedback = collectActionablePrFeedback({
+        checks,
+        reviewThreads,
+        allowedFailures: input.config?.merge?.allowedFailures ?? []
+      });
+      const pendingChecks = collectPendingPrChecks({ checks, allowedFailures: input.config?.merge?.allowedFailures ?? [] });
+      if (latestFeedback.length === 0 && pendingChecks.length > 0) {
+        const timeoutMs = positiveInt(prConfig.pendingTimeoutMs, 600000);
+        const pollMs = positiveInt(prConfig.pendingPollMs, 15000);
+        if (iteration >= maxPrFixIterations || timeoutMs <= 0 || pendingElapsedMs >= timeoutMs) {
+          return { status: "needs_attention", prUrl, iterations: iteration, actionableFeedback: pendingChecks.map((name) => `Check still pending: ${name}`), merged: false };
+        }
+        const sleepMs = Math.min(pollMs, timeoutMs - pendingElapsedMs);
+        await (input.sleep ?? Bun.sleep)(sleepMs);
+        pendingElapsedMs += sleepMs;
+        continue;
+      }
+      if (latestFeedback.length === 0) {
+        pendingElapsedMs = 0;
+        return { status: "opened", prUrl, iterations: iteration, actionableFeedback: [], merged: false };
+      }
+      pendingElapsedMs = 0;
+      if (iteration >= maxPrFixIterations || prConfig.autoFixChecks === false && prConfig.autoFixReview === false) {
+        return { status: "needs_attention", prUrl, iterations: iteration, actionableFeedback: latestFeedback, merged: false };
+      }
+      await input.lifecycle?.onFeedback?.({ prUrl, iteration, feedback: latestFeedback });
+      await input.steerPi([
+        `PR automation found actionable feedback on ${prUrl}.`,
+        `Fix iteration ${iteration + 1}/${maxPrFixIterations}.`,
+        "",
+        ...latestFeedback.map((entry) => `- ${entry}`)
+      ].join(`
+`));
+      await syncBranchAfterPrFeedback({ projectRoot: input.projectRoot, taskId: input.taskId, branch, gitCommand: input.gitCommand });
+      continue;
+    }
+    const gate = await mergeGate.runGate({
+      projectRoot: input.projectRoot,
+      prUrl,
+      taskId: input.taskId,
+      runId: input.runId,
+      cycle: iteration,
+      command: input.command,
+      ...input.artifactRoot !== undefined ? { artifactRoot: input.artifactRoot } : {},
+      allowedFailures: input.config?.merge?.allowedFailures ?? [],
+      ...requireGreptile && input.greptileApi ? { greptileApi: input.greptileApi } : {},
+      requireGreptile
+    });
+    latestFeedback = [...gate.actionableFeedback];
+    if (requireGreptile && gateNeedsGreptileRereview(gate)) {
+      const requested = await requestGreptileRereview({
+        prUrl,
+        headSha: gate.evidence.headSha ?? null,
+        command: input.command,
+        cwd: input.projectRoot
+      });
+      if (requested) {
+        await input.lifecycle?.onFeedback?.({
+          prUrl,
+          iteration,
+          feedback: [`Requested a fresh Greptile review for current head ${gate.evidence.headSha ?? "unknown"}; merge stays blocked until Greptile re-reviews it.`]
+        });
+      }
+      const timeoutMs = positiveInt(prConfig.pendingTimeoutMs, 600000);
+      const pollMs = positiveInt(prConfig.pendingPollMs, 15000);
+      if (iteration >= maxPrFixIterations || timeoutMs <= 0 || pendingElapsedMs >= timeoutMs) {
+        return { status: "needs_attention", prUrl, iterations: iteration, actionableFeedback: latestFeedback, merged: false };
+      }
+      const sleepMs = Math.min(pollMs, timeoutMs - pendingElapsedMs);
+      await (input.sleep ?? Bun.sleep)(sleepMs);
+      pendingElapsedMs += sleepMs;
+      continue;
+    }
+    if (gate.approved) {
+      pendingElapsedMs = 0;
+      const finalGate = await mergeGate.runGate({
+        projectRoot: input.projectRoot,
+        prUrl,
+        taskId: input.taskId,
+        runId: input.runId,
+        cycle: iteration,
+        command: input.command,
+        ...input.artifactRoot !== undefined ? { artifactRoot: input.artifactRoot } : {},
+        allowedFailures: input.config?.merge?.allowedFailures ?? [],
+        ...requireGreptile && input.greptileApi ? { greptileApi: input.greptileApi } : {},
+        requireGreptile,
+        final: true
+      });
+      if (finalGate.approved) {
+        await input.lifecycle?.onMergeStarted?.({ prUrl });
+        await runRepoDefaultMerge({ prUrl, ...input.config !== undefined ? { config: input.config } : {}, command: input.command, cwd: input.projectRoot, strictGate: finalGate });
+        await input.lifecycle?.onMerged?.({ prUrl });
+        return { status: "merged", prUrl, iterations: iteration, actionableFeedback: [], merged: true };
+      }
+      latestFeedback = [...finalGate.actionableFeedback];
+      if (isPendingOnlyGate(finalGate)) {
+        const timeoutMs = positiveInt(prConfig.pendingTimeoutMs, 600000);
+        const pollMs = positiveInt(prConfig.pendingPollMs, 15000);
+        if (iteration >= maxPrFixIterations || timeoutMs <= 0 || pendingElapsedMs >= timeoutMs) {
+          return { status: "needs_attention", prUrl, iterations: iteration, actionableFeedback: latestFeedback, merged: false };
+        }
+        const sleepMs = Math.min(pollMs, timeoutMs - pendingElapsedMs);
+        await (input.sleep ?? Bun.sleep)(sleepMs);
+        pendingElapsedMs += sleepMs;
+        continue;
+      }
+      if (iteration >= maxPrFixIterations || prConfig.autoFixChecks === false && prConfig.autoFixReview === false) {
+        return { status: "needs_attention", prUrl, iterations: iteration, actionableFeedback: latestFeedback, merged: false };
+      }
+      await input.lifecycle?.onFeedback?.({ prUrl, iteration, feedback: latestFeedback });
+      await input.steerPi(finalGate.steeringPrompt);
+      await syncBranchAfterPrFeedback({ projectRoot: input.projectRoot, taskId: input.taskId, branch, gitCommand: input.gitCommand });
+      continue;
+    }
+    if (isPendingOnlyGate(gate)) {
+      const timeoutMs = positiveInt(prConfig.pendingTimeoutMs, 600000);
+      const pollMs = positiveInt(prConfig.pendingPollMs, 15000);
+      if (iteration >= maxPrFixIterations || timeoutMs <= 0 || pendingElapsedMs >= timeoutMs) {
+        return { status: "needs_attention", prUrl, iterations: iteration, actionableFeedback: latestFeedback, merged: false };
+      }
+      const sleepMs = Math.min(pollMs, timeoutMs - pendingElapsedMs);
+      await (input.sleep ?? Bun.sleep)(sleepMs);
+      pendingElapsedMs += sleepMs;
+      continue;
+    }
+    pendingElapsedMs = 0;
+    if (iteration >= maxPrFixIterations || prConfig.autoFixChecks === false && prConfig.autoFixReview === false) {
+      return { status: "needs_attention", prUrl, iterations: iteration, actionableFeedback: latestFeedback, merged: false };
+    }
+    await input.lifecycle?.onFeedback?.({ prUrl, iteration, feedback: latestFeedback });
+    await input.steerPi(gate.steeringPrompt);
+    await syncBranchAfterPrFeedback({ projectRoot: input.projectRoot, taskId: input.taskId, branch, gitCommand: input.gitCommand });
+  }
+  return { status: "needs_attention", prUrl, iterations: maxPrFixIterations, actionableFeedback: latestFeedback, merged: false };
+}
+var UPLOADED_SNAPSHOT_PR_MARKER = "<!-- rig:uploaded-snapshot -->", RIG_RUNTIME_COMMIT_EXCLUDES, GREPTILE_REREVIEW_MARKER_PREFIX = "rig:greptile-rereview";
+var init_pr_automation = __esm(() => {
+  init_pr_merge_gate_cap();
+  RIG_RUNTIME_COMMIT_EXCLUDES = [
+    ".rig",
+    "artifacts",
+    "node_modules"
+  ];
+});
+
+// packages/bundle-default-lifecycle/src/control-plane/task-data.ts
+import { TASK_DATA_SERVICE_CAPABILITY } from "@rig/contracts";
+import { defineCapability as defineCapability3 } from "@rig/core/capability";
+import { requireInstalledCapability } from "@rig/core/capability-loaders";
+function taskData() {
+  return requireInstalledCapability(TaskDataCap, "task-data capability unavailable: load @rig/task-sources-plugin (default bundle) before running the lifecycle.");
+}
+var TaskDataCap;
+var init_task_data = __esm(() => {
+  TaskDataCap = defineCapability3(TASK_DATA_SERVICE_CAPABILITY);
+});
+
+// packages/bundle-default-lifecycle/src/native/github-auth-env.ts
+import { existsSync, readFileSync } from "fs";
+function cleanToken(value) {
+  const trimmed = value?.trim() ?? "";
+  return trimmed.length > 0 ? trimmed : null;
+}
+function authStateToken(env = process.env) {
+  const file = env.RIG_GITHUB_AUTH_STATE_FILE?.trim();
+  if (!file || !existsSync(file))
+    return null;
+  try {
+    const parsed = JSON.parse(readFileSync(file, "utf8"));
+    return cleanToken(typeof parsed.token === "string" ? parsed.token : undefined);
+  } catch {
+    return null;
+  }
+}
+function resolveGitHubAuthToken(env = process.env) {
+  return cleanToken(env.RIG_GITHUB_TOKEN) ?? cleanToken(env.GH_TOKEN) ?? cleanToken(env.GITHUB_TOKEN) ?? authStateToken(env);
+}
+var init_github_auth_env = () => {};
+
+// packages/bundle-default-lifecycle/src/native/host-git.ts
+import { existsSync as existsSync2 } from "fs";
+import { resolve as resolve2 } from "path";
+function isRuntimeGatewayGitPath(candidate) {
+  return /\/\.rig\/bin\/git$/.test(candidate.replace(/\\/g, "/"));
+}
+function isRuntimeGatewayGhPath(candidate) {
+  return /\/\.rig\/bin\/gh$/.test(candidate.replace(/\\/g, "/"));
+}
+function resolveHostGitBinary() {
+  const candidates = [
+    process.env.RIG_GIT_BIN?.trim() || "",
+    "/usr/bin/git",
+    "/opt/homebrew/bin/git",
+    "/usr/local/bin/git"
+  ];
+  const bunResolved = Bun.which("git");
+  if (bunResolved && !isRuntimeGatewayGitPath(bunResolved)) {
+    candidates.push(bunResolved);
+  }
+  for (const candidate of candidates) {
+    if (!candidate || isRuntimeGatewayGitPath(candidate)) {
+      continue;
+    }
+    if (existsSync2(candidate)) {
+      return candidate;
+    }
+  }
+  return "git";
+}
+function resolveGithubCliBinary(options = {}) {
+  const candidates = new Set;
+  const explicit = process.env.RIG_GH_BIN?.trim();
+  if (explicit) {
+    candidates.add(explicit);
+  }
+  for (const candidate of ["/usr/bin/gh", "/opt/homebrew/bin/gh", "/usr/local/bin/gh"]) {
+    candidates.add(candidate);
+  }
+  if (options.scanPath) {
+    for (const entry of (process.env.PATH || "").split(":").map((e) => e.trim()).filter(Boolean)) {
+      candidates.add(resolve2(entry, "gh"));
+    }
+  }
+  const bunResolved = Bun.which("gh");
+  if (bunResolved) {
+    candidates.add(bunResolved);
+  }
+  for (const candidate of candidates) {
+    if (candidate && existsSync2(candidate) && !isRuntimeGatewayGhPath(candidate)) {
+      return candidate;
+    }
+  }
+  return "";
+}
+var init_host_git = () => {};
+
+// packages/bundle-default-lifecycle/src/control-plane/native/git-ops.ts
+import { existsSync as existsSync3, lstatSync, mkdirSync, readFileSync as readFileSync2, unlinkSync, writeFileSync } from "fs";
+import { tmpdir } from "os";
+import { dirname, isAbsolute, resolve as resolve3 } from "path";
+import { fileURLToPath } from "url";
+import { loadDotEnvSecrets, resolveRuntimeSecrets } from "@rig/core/baked-secrets";
+import { loadRuntimeContext, loadRuntimeContextFromEnv } from "@rig/core/runtime-context";
+import { nowIso, runCapture as baseRunCapture } from "@rig/core/exec";
+import { resolveCheckoutRoot as resolveMonorepoRoot } from "@rig/core/checkout-root";
+import { getScopeRules } from "@rig/core/scope-rules";
+import { safePathSegment } from "@rig/core/safe-identifiers";
+function resolveOptionalMonorepoRoot(projectRoot) {
+  const runtimeWorkspace = process.env.RIG_TASK_WORKSPACE?.trim();
+  if (runtimeWorkspace && existsSync3(resolve3(runtimeWorkspace, ".git"))) {
+    return resolve3(runtimeWorkspace);
+  }
+  try {
+    return resolveMonorepoRoot(projectRoot);
+  } catch {
+    return null;
+  }
+}
+function escapeRegExp(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function safeCurrentTaskId(projectRoot) {
+  try {
+    const taskId = taskData().currentTaskId(projectRoot);
+    return /^bd-[a-z0-9-]+$/.test(taskId) ? taskId : "";
+  } catch {
+    return "";
+  }
+}
+function gitCmd(projectRoot, repoRoot, ...args) {
+  return [resolveHostGitBinary(), "-C", repoRoot, ...args];
+}
+function shouldScopeGitCommit(args, hasTaskContext) {
+  if (!hasTaskContext) {
+    return false;
+  }
+  return args.includes("--scoped");
+}
+function gitStatus(projectRoot, taskId) {
+  const monorepoRoot = resolveOptionalMonorepoRoot(projectRoot);
+  const resolvedTask = taskId || safeCurrentTaskId(projectRoot);
+  const expected = resolvedTask ? `rig/${resolveTaskBranchId(projectRoot, resolvedTask)}` : "";
+  console.log("=== Git Flow Status ===");
+  if (resolvedTask) {
+    console.log(`Task: ${resolvedTask}`);
+    console.log(`Expected monorepo branch: ${expected}`);
+  } else {
+    console.log("Task: (none active)");
+  }
+  console.log("");
+  printRepoStatus(projectRoot, "project-rig", projectRoot, "");
+  const monorepoPath = monorepoRoot || resolveMonorepoRoot(projectRoot);
+  if (monorepoPath !== projectRoot) {
+    printRepoStatus(projectRoot, "monorepo", monorepoPath, expected);
+  }
+}
+function gitChanged(projectRoot, taskId, scoped) {
+  if (scoped) {
+    const resolvedTask = taskId || taskData().currentTaskId(projectRoot);
+    if (!resolvedTask) {
+      throw new Error("No task specified and no active task in session. Use --task or omit --scoped.");
+    }
+    return taskData().changedFilesForTask(projectRoot, resolvedTask, true);
+  }
+  return taskData().changedFilesForTask(projectRoot, taskId || taskData().currentTaskId(projectRoot) || "", false);
+}
+function gitPreflight(projectRoot, taskId, strict) {
+  const monorepoRoot = resolveOptionalMonorepoRoot(projectRoot);
+  const resolvedTask = taskId || safeCurrentTaskId(projectRoot);
+  const expected = resolvedTask ? `rig/${resolveTaskBranchId(projectRoot, resolvedTask)}` : "";
+  console.log("=== Git Flow Preflight ===");
+  let issues = 0;
+  if (!existsSync3(resolve3(projectRoot, ".git"))) {
+    console.log(`ERROR: project root is not a git repo (${projectRoot})`);
+    issues += 1;
+  }
+  if (monorepoRoot && existsSync3(resolve3(monorepoRoot, ".git"))) {
+    const monoBranch = branchName(projectRoot, monorepoRoot);
+    if (expected && monoBranch !== expected) {
+      console.log(`WARN: monorepo branch is ${monoBranch}, expected ${expected} for task ${resolvedTask}`);
+      if (strict) {
+        issues += 1;
+      }
+    }
+    const monoChanges = changeCount(projectRoot, monorepoRoot);
+    if (monoChanges > 0 && !monoBranch.startsWith("rig/")) {
+      console.log(`WARN: monorepo has uncommitted changes on non-rig branch (${monoBranch})`);
+      issues += 1;
+    }
+  } else {
+    console.log(`WARN: monorepo repo unavailable.`);
+  }
+  const projectChanges = changeCount(projectRoot, projectRoot);
+  if (projectChanges > 0) {
+    console.log(`INFO: project-rig has ${projectChanges} changed file(s).`);
+  }
+  if (issues > 0) {
+    console.log(`Preflight: ${issues} issue(s) detected.`);
+    return false;
+  }
+  console.log("Preflight: OK");
+  return true;
+}
+function gitSyncBranch(projectRoot, taskId, targetRepo = "monorepo") {
+  const resolvedTask = taskId || safeCurrentTaskId(projectRoot);
+  if (!resolvedTask) {
+    throw new Error("No task specified and no active task in session.");
+  }
+  const repoRoot = targetRepo === "monorepo" ? resolveOptionalMonorepoRoot(projectRoot) || resolveMonorepoRoot(projectRoot) : projectRoot;
+  const repoLabel = targetRepo === "monorepo" ? "Monorepo" : "Project";
+  if (!existsSync3(resolve3(repoRoot, ".git"))) {
+    throw new Error(`${repoLabel} repo not found at ${repoRoot}`);
+  }
+  const branchId = resolveTaskBranchId(projectRoot, resolvedTask);
+  const branchTarget = `rig/${branchId}`;
+  const current = branchName(projectRoot, repoRoot);
+  if (current === branchTarget) {
+    console.log(`${repoLabel} branch: already on ${branchTarget}`);
+    return;
+  }
+  const hasBranch = runCapture(gitCmd(projectRoot, repoRoot, "show-ref", "--verify", "--quiet", `refs/heads/${branchTarget}`), projectRoot).exitCode === 0;
+  const cmd = hasBranch && current === "HEAD" ? gitCmd(projectRoot, repoRoot, "checkout", "-B", branchTarget) : hasBranch ? gitCmd(projectRoot, repoRoot, "checkout", branchTarget) : gitCmd(projectRoot, repoRoot, "checkout", "-b", branchTarget);
+  const checkout = runCapture(cmd, projectRoot);
+  if (checkout.exitCode !== 0) {
+    throw new Error(`Failed to sync ${repoLabel.toLowerCase()} branch: ${checkout.stderr || checkout.stdout}`);
+  }
+  const action = hasBranch && current === "HEAD" ? "reset" : hasBranch ? "checked out" : "created";
+  console.log(`${repoLabel} branch: ${action} ${branchTarget}`);
+}
+function gitCommit(options) {
+  const { projectRoot } = options;
+  const resolvedTask = options.taskId || safeCurrentTaskId(projectRoot);
+  const baseMessage = options.message || (resolvedTask ? `rig: ${resolvedTask}` : "rig: harness update");
+  const changedFilesManifest = resolvedTask && options.scoped === true ? refreshChangedFilesManifest(projectRoot, resolvedTask) : "";
+  const changedFiles = resolvedTask && options.scoped === true ? readChangedFilesManifest(projectRoot, resolvedTask) : resolvedTask ? taskData().changedFilesForTask(projectRoot, resolvedTask, false) : [];
+  if (options.target === "project" || options.target === "both") {
+    if (resolvedTask) {
+      gitSyncBranch(projectRoot, resolvedTask, "project");
+    }
+    const projectFiles = resolveScopedStageFilesForRepo(projectRoot, projectRoot, resolvedTask, changedFiles);
+    commitRepo(projectRoot, projectRoot, "project-rig", options.target === "both" ? `${baseMessage} [harness]` : baseMessage, options.allowEmpty, options.scoped === true, projectFiles, changedFilesManifest);
+  }
+  if (options.target === "monorepo" || options.target === "both") {
+    const monorepoRoot = resolveOptionalMonorepoRoot(projectRoot) || resolveMonorepoRoot(projectRoot);
+    if (resolvedTask) {
+      gitSyncBranch(projectRoot, resolvedTask, "monorepo");
+    }
+    const monorepoFiles = resolveScopedStageFilesForRepo(projectRoot, monorepoRoot, resolvedTask, changedFiles);
+    commitRepo(projectRoot, monorepoRoot, "monorepo", options.target === "both" ? `${baseMessage} [monorepo]` : baseMessage, options.allowEmpty, options.scoped === true, monorepoFiles, changedFilesManifest);
+  }
+}
+function gitSnapshot(projectRoot, taskId, outputPath) {
+  const monorepoRoot = resolveOptionalMonorepoRoot(projectRoot);
+  const resolvedTask = taskId || safeCurrentTaskId(projectRoot);
+  const output = outputPath || (resolvedTask ? resolveArtifactSnapshot(projectRoot, resolvedTask) : resolve3(resolve3(projectRoot, ".rig", "state"), "git-state.txt"));
+  mkdirSync(dirname(output), { recursive: true });
+  const lines = ["# Git Snapshot", `timestamp: ${nowIso()}`];
+  if (resolvedTask) {
+    lines.push(`task: ${resolvedTask}`);
+  }
+  lines.push("");
+  lines.push(...snapshotRepo(projectRoot, "project-rig", projectRoot));
+  if (monorepoRoot && monorepoRoot !== projectRoot) {
+    lines.push(...snapshotRepo(projectRoot, "monorepo", monorepoRoot));
+  }
+  writeFileSync(output, `${lines.join(`
+`)}
+`, "utf-8");
+  return output;
+}
+function gitOpenPr(options) {
+  const gh = resolveGithubCliBinary({ scanPath: true });
+  if (!gh) {
+    throw new Error("gh CLI is required for open-pr. Install and authenticate with: gh auth login");
+  }
+  const taskId = options.taskId || safeCurrentTaskId(options.projectRoot);
+  const target = options.target || (taskId ? "monorepo" : "project");
+  let repoRoot = options.projectRoot;
+  let repoLabel = "project-rig";
+  const envBase = target === "monorepo" ? process.env.RIG_PR_BASE_MONOREPO?.trim() || "" : process.env.RIG_PR_BASE_PROJECT?.trim() || "";
+  if (target === "monorepo") {
+    repoRoot = resolveOptionalMonorepoRoot(options.projectRoot) || resolveMonorepoRoot(options.projectRoot);
+    repoLabel = "monorepo";
+    if (taskId) {
+      gitSyncBranch(options.projectRoot, taskId, "monorepo");
+    }
+  } else if (taskId) {
+    gitSyncBranch(options.projectRoot, taskId, "project");
+  }
+  if (!existsSync3(resolve3(repoRoot, ".git"))) {
+    throw new Error(`Repository not available for open-pr target ${target}: ${repoRoot}`);
+  }
+  const branch = branchName(options.projectRoot, repoRoot);
+  if (!branch || branch === "HEAD") {
+    throw new Error(`Cannot open PR from detached HEAD in ${repoLabel}. Checkout a branch first.`);
+  }
+  const repoNameWithOwner = resolveRepoNameWithOwner(options.projectRoot, repoRoot);
+  const networkRemote = resolveNetworkRemoteName(options.projectRoot, repoRoot, repoNameWithOwner);
+  const base = options.base || envBase || inferRepositoryDefaultBase(options.projectRoot, repoRoot, repoNameWithOwner, networkRemote, target === "project" ? inferProjectBase(options.projectRoot, "main") : "main");
+  refreshRemoteBaseRef(options.projectRoot, repoRoot, base);
+  let reviewer = (options.reviewer || "").trim();
+  let reviewerSource = reviewer ? "flag" : undefined;
+  if (!reviewer && taskId) {
+    reviewer = defaultReviewerForTask(options.projectRoot, taskId);
+    if (reviewer) {
+      reviewerSource = "task-config";
+    }
+  }
+  if (!reviewer) {
+    reviewer = inferReviewerFromChangedFiles(options.projectRoot, repoRoot, base, branch);
+    if (reviewer) {
+      reviewerSource = "changed-files";
+    }
+  }
+  if (!reviewer) {
+    reviewer = (process.env.RIG_PR_REVIEWER || "").trim();
+    if (reviewer) {
+      reviewerSource = "env";
+    }
+  }
+  let title = options.title || "";
+  if (!title) {
+    if (taskId) {
+      title = `rig: ${taskId}`;
+    } else {
+      title = `rig: update ${branch}`;
+    }
+  }
+  const body = options.body || [
+    "## Summary",
+    "- Automated task output prepared in isolated runtime.",
+    "",
+    "## Task",
+    `- beads: ${taskId || "n/a"}`,
+    ...defaultPrRunLines(taskId, repoNameWithOwner),
+    "",
+    "## Review",
+    "- Completion verification will run validation, verifier review, and PR policy checks.",
+    "- When repository policy allows it, Rig attempts an immediate strict-gated, head-locked merge after approval."
+  ].join(`
+`);
+  const preCheck = runCapture(withGhRepo([gh, "pr", "list", "--state", "merged", "--head", branch, "--json", "url,mergedAt", "--jq", ".[0]"], repoNameWithOwner), repoRoot);
+  const preCheckEntry = preCheck.exitCode === 0 ? preCheck.stdout.trim() : "";
+  if (preCheckEntry && preCheckEntry !== "null" && currentHeadMatchesMergedBase(options.projectRoot, repoRoot, base, networkRemote)) {
+    const mergedPr = JSON.parse(preCheckEntry);
+    console.log(`Branch ${branch} was already merged: ${mergedPr.url}`);
+    const result2 = { url: mergedPr.url, target, repoLabel, branch, base };
+    if (taskId)
+      writePrMetadata(options.projectRoot, taskId, result2);
+    return result2;
+  }
+  const pushArgs = gitCmd(options.projectRoot, repoRoot, "push", "-u", networkRemote, branch);
+  const fetchResult = runCapture(gitCmd(options.projectRoot, repoRoot, "fetch", networkRemote, branch), repoRoot);
+  if (fetchResult.exitCode === 0) {
+    const remoteAhead = runCapture(gitCmd(options.projectRoot, repoRoot, "log", "--oneline", `HEAD..${networkRemote}/${branch}`), repoRoot);
+    if (remoteAhead.exitCode === 0 && remoteAhead.stdout.trim()) {
+      console.log(`Remote branch has diverged \u2014 force pushing task-owned branch ${branch} with --force-with-lease...`);
+      pushArgs.splice(4, 0, "--force-with-lease");
+    }
+  }
+  runOrThrow(options.projectRoot, pushArgs, `Failed to push branch ${branch} in ${repoLabel}`);
+  const existing = runCapture(withGhRepo([gh, "pr", "list", "--state", "open", "--head", branch, "--json", "url", "--jq", ".[0].url"], repoNameWithOwner), repoRoot);
+  const existingUrl = existing.exitCode === 0 ? existing.stdout.trim() : "";
+  if (!existingUrl || existingUrl === "null") {
+    const merged = runCapture(withGhRepo([gh, "pr", "list", "--state", "merged", "--head", branch, "--json", "url,mergedAt", "--jq", ".[0]"], repoNameWithOwner), repoRoot);
+    const mergedEntry = merged.exitCode === 0 ? merged.stdout.trim() : "";
+    if (mergedEntry && mergedEntry !== "null" && currentHeadMatchesMergedBase(options.projectRoot, repoRoot, base, networkRemote)) {
+      const mergedPr = JSON.parse(mergedEntry);
+      console.log(`Branch ${branch} was already merged: ${mergedPr.url}`);
+      const result2 = { url: mergedPr.url, target, repoLabel, branch, base };
+      if (taskId)
+        writePrMetadata(options.projectRoot, taskId, result2);
+      return result2;
+    }
+  }
+  let prUrl = "";
+  if (existingUrl && existingUrl !== "null") {
+    prUrl = existingUrl;
+  } else {
+    const createArgs = [
+      gh,
+      "pr",
+      "create",
+      ...ghRepoArgs(repoNameWithOwner),
+      "--base",
+      base,
+      "--head",
+      branch,
+      "--title",
+      title,
+      "--body",
+      body
+    ];
+    if (options.draft) {
+      createArgs.push("--draft");
+    }
+    const created = runCapture(createArgs, repoRoot);
+    if (created.exitCode !== 0) {
+      throw new Error(`Failed to create PR in ${repoLabel}: ${created.stderr || created.stdout}`);
+    }
+    prUrl = created.stdout.trim();
+  }
+  if (!prUrl) {
+    throw new Error(`Failed to resolve PR URL for branch ${branch}.`);
+  }
+  assertPrHasNoGitConflicts(readPrViewState(gh, repoRoot, repoNameWithOwner, prUrl), repoLabel, base);
+  if (reviewer) {
+    const edit = runCapture(withGhRepo([gh, "pr", "edit", prUrl, "--add-reviewer", reviewer], repoNameWithOwner), repoRoot);
+    if (edit.exitCode !== 0) {
+      throw new Error(`Failed to assign reviewer '${reviewer}': ${edit.stderr || edit.stdout}`);
+    }
+  }
+  const result = {
+    url: prUrl,
+    ...reviewer ? { reviewer } : {},
+    ...reviewerSource ? { reviewerSource } : {},
+    target,
+    repoLabel,
+    branch,
+    base
+  };
+  if (taskId) {
+    writePrMetadata(options.projectRoot, taskId, result);
+  }
+  return result;
+}
+function defaultPrRunLines(taskId, repoNameWithOwner) {
+  const lines = [];
+  const runId = process.env.RIG_SERVER_RUN_ID?.trim();
+  if (runId) {
+    lines.push(`- Run: ${runId}`);
+  }
+  const closeout = defaultPrCloseoutLine(taskId, repoNameWithOwner);
+  if (closeout) {
+    lines.push(`- ${closeout}`);
+  }
+  return lines;
+}
+function defaultPrCloseoutLine(taskId, repoNameWithOwner) {
+  const sourceIssueId = loadRuntimeContextFromEnv()?.sourceTask?.sourceIssueId;
+  if (sourceIssueId) {
+    const match = sourceIssueId.match(/^([^#]+)#(\d+)$/);
+    if (match?.[1] && match[2]) {
+      const sourceRepo = match[1];
+      const issueNumber = match[2];
+      return sourceRepo.toLowerCase() === repoNameWithOwner.toLowerCase() ? `Closes #${issueNumber}` : `Closes ${sourceRepo}#${issueNumber}`;
+    }
+  }
+  return /^\d+$/.test(taskId) ? `Closes #${taskId}` : "";
+}
+function resolveTaskBranchRef(projectRoot, taskId) {
+  return `rig/${resolveTaskBranchId(projectRoot, taskId)}`;
+}
+function readPrViewState(gh, repoRoot, repoNameWithOwner, prUrl) {
+  const view = runCapture(withGhRepo([
+    gh,
+    "pr",
+    "view",
+    prUrl,
+    "--json",
+    "state,isDraft,url,mergedAt,autoMergeRequest,mergeable,mergeStateStatus,reviewDecision,headRefOid,statusCheckRollup",
+    "--jq",
+    "."
+  ], repoNameWithOwner), repoRoot);
+  if (view.exitCode !== 0) {
+    throw new Error(`Failed to inspect PR ${prUrl}: ${view.stderr || view.stdout}`);
+  }
+  try {
+    const parsed = JSON.parse(view.stdout);
+    return {
+      state: parsed.state || "OPEN",
+      isDraft: parsed.isDraft === true,
+      url: typeof parsed.url === "string" ? parsed.url : prUrl,
+      mergedAt: typeof parsed.mergedAt === "string" ? parsed.mergedAt : null,
+      autoMergeRequest: parsed.autoMergeRequest ?? null,
+      mergeable: typeof parsed.mergeable === "string" ? parsed.mergeable : "",
+      mergeStateStatus: typeof parsed.mergeStateStatus === "string" ? parsed.mergeStateStatus : "",
+      reviewDecision: typeof parsed.reviewDecision === "string" ? parsed.reviewDecision : "",
+      headRefOid: typeof parsed.headRefOid === "string" ? parsed.headRefOid : null,
+      statusCheckRollup: Array.isArray(parsed.statusCheckRollup) ? parsed.statusCheckRollup : []
+    };
+  } catch {
+    return {
+      state: "OPEN",
+      isDraft: false,
+      url: prUrl,
+      mergedAt: null,
+      autoMergeRequest: null,
+      mergeable: "",
+      mergeStateStatus: "",
+      reviewDecision: "",
+      headRefOid: null,
+      statusCheckRollup: []
+    };
+  }
+}
+function hasSatisfiedStatusChecks(prState) {
+  if (prState.statusCheckRollup.length === 0) {
+    return false;
+  }
+  return prState.statusCheckRollup.every((entry) => {
+    if (entry.__typename === "CheckRun") {
+      const status = entry.status?.toUpperCase() || "";
+      const conclusion = entry.conclusion?.toUpperCase() || "";
+      return status === "COMPLETED" && (conclusion === "SUCCESS" || conclusion === "SKIPPED" || conclusion === "NEUTRAL");
+    }
+    if (entry.__typename === "StatusContext") {
+      return (entry.state?.toUpperCase() || "") === "SUCCESS";
+    }
+    return false;
+  });
+}
+function canAdminMergeApprovedPr(prState) {
+  return prState.state === "OPEN" && prState.autoMergeRequest !== null && prState.mergeable.toUpperCase() === "MERGEABLE" && prState.reviewDecision.toUpperCase() === "APPROVED" && hasSatisfiedStatusChecks(prState);
+}
+function gitMergePr(options) {
+  const gh = resolveGithubCliBinary({ scanPath: true });
+  if (!gh) {
+    throw new Error("gh CLI is required for merge-pr. Install and authenticate with: gh auth login");
+  }
+  const repoRoot = resolveRepoRoot(options.projectRoot, options.pr.target);
+  const repoNameWithOwner = resolveRepoNameWithOwner(options.projectRoot, repoRoot);
+  if (!existsSync3(resolve3(repoRoot, ".git"))) {
+    throw new Error(`Repository not available for merge-pr target ${options.pr.target}: ${repoRoot}`);
+  }
+  const prState = readPrViewState(gh, repoRoot, repoNameWithOwner, options.pr.url);
+  const state = prState.state;
+  const isDraft = prState.isDraft;
+  assertPrHasNoGitConflicts(prState, options.pr.repoLabel, options.pr.base);
+  if (state === "MERGED") {
+    console.log(`PR already merged (${options.pr.repoLabel}): ${options.pr.url}`);
+    return { status: "already-merged", url: options.pr.url };
+  }
+  if (state !== "OPEN") {
+    throw new Error(`Cannot merge PR ${options.pr.url}: state is ${state}.`);
+  }
+  if (isDraft) {
+    throw new Error(`Cannot merge draft PR ${options.pr.url}.`);
+  }
+  const mergeArgs = withGhRepo([gh, "pr", "merge", options.pr.url], repoNameWithOwner);
+  const method = options.method || "squash";
+  mergeArgs.push(method === "merge" ? "--merge" : method === "rebase" ? "--rebase" : "--squash");
+  mergeArgs.push("--match-head-commit", options.matchHeadCommit);
+  if (options.deleteBranch !== false) {
+    mergeArgs.push("--delete-branch");
+  }
+  const directMerge = runCapture(mergeArgs, repoRoot);
+  if (directMerge.exitCode === 0) {
+    console.log(`Merged PR (${options.pr.repoLabel}): ${options.pr.url}`);
+    return { status: "merged", url: options.pr.url };
+  }
+  const postDirectState = readPrViewState(gh, repoRoot, repoNameWithOwner, options.pr.url);
+  if (canAdminMergeApprovedPr(postDirectState)) {
+    const adminMergeArgs = [...mergeArgs, "--admin"];
+    const adminMerge = runCapture(adminMergeArgs, repoRoot);
+    if (adminMerge.exitCode === 0) {
+      const postAdminMergeState = readPrViewState(gh, repoRoot, repoNameWithOwner, options.pr.url);
+      if (postAdminMergeState.state === "MERGED" || postAdminMergeState.mergedAt) {
+        console.log(`Merged PR (${options.pr.repoLabel}) with admin fallback: ${options.pr.url}`);
+        return { status: "merged", url: options.pr.url };
+      }
+      throw new Error(`Admin merge command succeeded for PR ${options.pr.url} in ${options.pr.repoLabel}, but GitHub still reports it open.`);
+    }
+    const adminMergeMessage = `${adminMerge.stderr}
+${adminMerge.stdout}`.trim();
+    if (!/admin|administrator|permission|not permitted|not allowed/i.test(adminMergeMessage)) {
+      throw new Error(`Failed to admin-merge PR ${options.pr.url} in ${options.pr.repoLabel}: ${adminMergeMessage}`);
+    }
+  }
+  const directMergeMessage = `${directMerge.stderr}
+${directMerge.stdout}`.trim();
+  throw new Error(`Failed to merge PR ${options.pr.url} in ${options.pr.repoLabel}: ${directMergeMessage}`);
+}
+function assertPrHasNoGitConflicts(prState, repoLabel, baseRef) {
+  const mergeable = prState.mergeable.toUpperCase();
+  const mergeStateStatus = prState.mergeStateStatus.toUpperCase();
+  if (mergeable === "CONFLICTING" || mergeStateStatus === "DIRTY") {
+    throw new Error(`PR ${prState.url || "unknown"} conflicts with ${baseRef} in ${repoLabel} (mergeable=${prState.mergeable || "unknown"}, mergeStateStatus=${prState.mergeStateStatus || "unknown"}). Rebase or merge ${baseRef} and resolve conflicts before completion-verification.`);
+  }
+}
+function writePrMetadata(projectRoot, taskId, result) {
+  const dir = taskData().artifactDirForId(projectRoot, taskId);
+  mkdirSync(dir, { recursive: true });
+  const path = resolve3(dir, "pr-state.json");
+  let prs = {};
+  if (existsSync3(path)) {
+    try {
+      const parsed = JSON.parse(readFileSync2(path, "utf-8"));
+      if (parsed && typeof parsed === "object" && parsed.prs && typeof parsed.prs === "object") {
+        prs = parsed.prs;
+      }
+    } catch {
+      prs = {};
+    }
+  }
+  prs[result.target] = result;
+  const primary = prs.monorepo || prs.project;
+  const artifact = {
+    task_id: taskId,
+    prs,
+    ...primary || {},
+    updated_at: nowIso()
+  };
+  writeFileSync(path, `${JSON.stringify(artifact, null, 2)}
+`, "utf-8");
+}
+function readPrMetadata(projectRoot, taskId) {
+  const path = resolve3(taskData().artifactDirForId(projectRoot, taskId), "pr-state.json");
+  if (!existsSync3(path)) {
+    return [];
+  }
+  try {
+    const parsed = JSON.parse(readFileSync2(path, "utf-8"));
+    if (!parsed || typeof parsed !== "object") {
+      return [];
+    }
+    if (parsed.prs && typeof parsed.prs === "object") {
+      return Object.values(parsed.prs).filter(isGitOpenPrResult);
+    }
+    return isGitOpenPrResult(parsed) ? [parsed] : [];
+  } catch {
+    return [];
+  }
+}
+function resolveArtifactSnapshot(projectRoot, taskId) {
+  return resolve3(taskData().artifactDirForId(projectRoot, taskId), "git-state.txt");
+}
+function isGitOpenPrResult(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return false;
+  }
+  const record = value;
+  return typeof record.url === "string" && typeof record.branch === "string" && typeof record.base === "string" && (record.target === "project" || record.target === "monorepo") && typeof record.repoLabel === "string";
+}
+function resolveRepoRoot(projectRoot, target) {
+  return target === "monorepo" ? resolveOptionalMonorepoRoot(projectRoot) || resolveMonorepoRoot(projectRoot) : projectRoot;
+}
+function ensureFullGitHistory(projectRoot, repoRoot, remoteName = "origin") {
+  const shallow = runCapture(gitCmd(projectRoot, repoRoot, "rev-parse", "--is-shallow-repository"), projectRoot);
+  if (shallow.exitCode !== 0 || shallow.stdout.trim() !== "true") {
+    return;
+  }
+  const unshallow = runCapture(gitCmd(projectRoot, repoRoot, "fetch", "--unshallow", "--tags", remoteName), projectRoot);
+  if (unshallow.exitCode === 0) {
+    return;
+  }
+  const output = `${unshallow.stderr}
+${unshallow.stdout}`.trim();
+  if (/--unshallow on a complete repository|does not make sense/i.test(output)) {
+    return;
+  }
+  throw new Error(`Failed to expand git history for ${repoRoot}: ${output}`);
+}
+function refreshRemoteBaseRef(projectRoot, repoRoot, baseRef, repoNameWithOwner = "") {
+  const remoteName = resolveNetworkRemoteName(projectRoot, repoRoot, repoNameWithOwner || resolveRepoNameWithOwner(projectRoot, repoRoot));
+  const remoteUrl = runCapture(gitCmd(projectRoot, repoRoot, "remote", "get-url", remoteName), projectRoot);
+  if (remoteUrl.exitCode !== 0) {
+    return "";
+  }
+  ensureFullGitHistory(projectRoot, repoRoot, remoteName);
+  const fetch2 = runCapture(gitCmd(projectRoot, repoRoot, "fetch", "--prune", "--tags", remoteName, `+refs/heads/${baseRef}:refs/remotes/${remoteName}/${baseRef}`), projectRoot);
+  if (fetch2.exitCode !== 0) {
+    throw new Error(`Failed to refresh ${remoteName}/${baseRef} at ${repoRoot}: ${fetch2.stderr || fetch2.stdout}`);
+  }
+  return remoteName;
+}
+function currentHeadMatchesMergedBase(projectRoot, repoRoot, baseRef, remoteName = "origin") {
+  const activeRemote = refreshRemoteBaseRef(projectRoot, repoRoot, baseRef) || remoteName;
+  const remoteBase = `${activeRemote}/${baseRef}`;
+  const hasRemoteBase = runCapture(gitCmd(projectRoot, repoRoot, "rev-parse", "--verify", "--quiet", remoteBase), repoRoot).exitCode === 0;
+  const targetRef = hasRemoteBase ? remoteBase : baseRef;
+  if (runCapture(gitCmd(projectRoot, repoRoot, "merge-base", "--is-ancestor", "HEAD", targetRef), repoRoot).exitCode === 0) {
+    return true;
+  }
+  return runCapture(gitCmd(projectRoot, repoRoot, "diff", "--quiet", "HEAD", targetRef, "--"), repoRoot).exitCode === 0;
+}
+function defaultReviewerForTask(projectRoot, taskId) {
+  if (!taskId) {
+    return "";
+  }
+  const entry = taskData().readTaskConfig(projectRoot)[taskId];
+  const reviewer = entry?.reviewer;
+  if (typeof reviewer === "string" && reviewer.trim()) {
+    return reviewer.trim();
+  }
+  const responsibleReviewer = entry?.responsible_reviewer;
+  if (typeof responsibleReviewer === "string" && responsibleReviewer.trim()) {
+    return responsibleReviewer.trim();
+  }
+  return "";
+}
+function resolveRepoNameWithOwner(projectRoot, repoRoot) {
+  const explicit = normalizeGithubRepoNameWithOwner(process.env.GH_REPO || "");
+  if (explicit) {
+    return explicit;
+  }
+  const visited = new Set;
+  return resolveGithubRepoNameWithOwnerFromGitRoot(projectRoot, repoRoot, repoRoot, visited);
+}
+function resolveGithubRepoNameWithOwnerFromGitRoot(projectRoot, gitRoot, cwd, visited) {
+  const normalizedGitRoot = resolve3(gitRoot);
+  if (visited.has(normalizedGitRoot)) {
+    return "";
+  }
+  visited.add(normalizedGitRoot);
+  const remotes = listGitRemotes(projectRoot, gitRoot, cwd);
+  for (const remote of remotes) {
+    const urls = listGitRemoteUrls(projectRoot, gitRoot, cwd, remote);
+    for (const url of urls) {
+      const direct = normalizeGithubRepoNameWithOwner(url);
+      if (direct) {
+        return direct;
+      }
+      const localGitRoot = resolveLocalGitRemoteRoot(url, gitRoot);
+      if (!localGitRoot) {
+        continue;
+      }
+      const viaMirror = resolveGithubRepoNameWithOwnerFromGitRoot(projectRoot, localGitRoot, cwd, visited);
+      if (viaMirror) {
+        return viaMirror;
+      }
+    }
+  }
+  return "";
+}
+function listGitRemotes(projectRoot, gitRoot, cwd) {
+  const result = gitQuery(projectRoot, gitRoot, cwd, "remote");
+  if (result.exitCode !== 0) {
+    return [];
+  }
+  return result.stdout.split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
+}
+function listGitRemoteUrls(projectRoot, gitRoot, cwd, remote) {
+  const result = gitQuery(projectRoot, gitRoot, cwd, "remote", "get-url", "--all", remote);
+  if (result.exitCode !== 0) {
+    return [];
+  }
+  return result.stdout.split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
+}
+function resolveNetworkRemoteName(projectRoot, repoRoot, repoNameWithOwner) {
+  const remotes = listGitRemotes(projectRoot, repoRoot, repoRoot);
+  if (remotes.length === 0) {
+    return "origin";
+  }
+  if (!repoNameWithOwner) {
+    return remotes.includes("origin") ? "origin" : remotes[0];
+  }
+  const expectedRepo = normalizeGithubRepoNameWithOwner(repoNameWithOwner).toLowerCase();
+  let directMatch = "";
+  for (const remote of remotes) {
+    const urls = listGitRemoteUrls(projectRoot, repoRoot, repoRoot, remote);
+    for (const url of urls) {
+      const direct = normalizeGithubRepoNameWithOwner(url);
+      if (direct && direct.toLowerCase() === expectedRepo) {
+        if (remote === "github") {
+          return remote;
+        }
+        if (!directMatch) {
+          directMatch = remote;
+        }
+      }
+    }
+  }
+  if (remotes.includes("github")) {
+    return "github";
+  }
+  if (directMatch) {
+    return directMatch;
+  }
+  return remotes.includes("origin") ? "origin" : remotes[0];
+}
+function gitQuery(projectRoot, gitRoot, cwd, ...args) {
+  const gitArgs = existsSync3(resolve3(gitRoot, ".git")) ? gitCmd(projectRoot, gitRoot, ...args) : [resolveHostGitBinary(), "--git-dir", gitRoot, ...args];
+  return runCapture(gitArgs, cwd, projectRoot);
+}
+function resolveLocalGitRemoteRoot(remoteUrl, gitRoot) {
+  const normalized = remoteUrl.trim();
+  if (!normalized) {
+    return "";
+  }
+  let candidate = normalized;
+  if (normalized.startsWith("file://")) {
+    try {
+      candidate = fileURLToPath(normalized);
+    } catch {
+      return "";
+    }
+  } else if (/^[a-z][a-z0-9+.-]*:\/\//i.test(normalized) || /^[^@]+@[^:]+:.+$/.test(normalized)) {
+    return "";
+  } else if (!isAbsolute(normalized)) {
+    candidate = resolve3(gitRoot, normalized);
+  }
+  return existsSync3(candidate) ? candidate : "";
+}
+function normalizeGithubRepoNameWithOwner(value) {
+  const normalized = value.trim();
+  if (!normalized) {
+    return "";
+  }
+  const scpMatch = normalized.match(/^(?:ssh:\/\/)?git@github\.com[:/](.+?)(?:\.git)?$/i);
+  if (scpMatch?.[1]) {
+    return scpMatch[1].replace(/^\/+|\/+$/g, "");
+  }
+  const httpMatch = normalized.match(/^https?:\/\/github\.com\/(.+?)(?:\.git)?(?:\/)?$/i);
+  if (httpMatch?.[1]) {
+    return httpMatch[1].replace(/^\/+|\/+$/g, "");
+  }
+  const bareMatch = normalized.match(/^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/);
+  return bareMatch ? bareMatch[0] : "";
+}
+function ghRepoArgs(repoNameWithOwner) {
+  return repoNameWithOwner ? ["-R", repoNameWithOwner] : [];
+}
+function withGhRepo(command, repoNameWithOwner) {
+  if (!repoNameWithOwner || command.length < 3) {
+    return command;
+  }
+  return [command[0], command[1], command[2], ...ghRepoArgs(repoNameWithOwner), ...command.slice(3)];
+}
+function inferRepositoryDefaultBase(projectRoot, repoRoot, repoNameWithOwner, remoteName, fallback) {
+  const remote = remoteName || "origin";
+  const symbolic = runCapture(gitCmd(projectRoot, repoRoot, "symbolic-ref", "--short", `refs/remotes/${remote}/HEAD`), projectRoot);
+  if (symbolic.exitCode === 0) {
+    const ref = symbolic.stdout.trim().replace(new RegExp(`^${escapeRegExp(remote)}/`), "");
+    if (ref && ref !== "HEAD") {
+      return ref;
+    }
+  }
+  const lsRemote = runCapture(gitCmd(projectRoot, repoRoot, "ls-remote", "--symref", remote, "HEAD"), projectRoot);
+  if (lsRemote.exitCode === 0) {
+    const match = lsRemote.stdout.match(/^ref:\s+refs\/heads\/([^\t\r\n]+)\s+HEAD/m);
+    if (match?.[1]) {
+      return match[1];
+    }
+  }
+  const gh = resolveGithubCliBinary({ scanPath: true });
+  if (gh && repoNameWithOwner) {
+    const api = runCapture(withGhRepo([gh, "repo", "view", "--json", "defaultBranchRef", "--jq", ".defaultBranchRef.name"], repoNameWithOwner), repoRoot);
+    const branch = api.exitCode === 0 ? api.stdout.trim() : "";
+    if (branch) {
+      return branch;
+    }
+  }
+  return fallback;
+}
+function inferProjectBase(projectRoot, fallback) {
+  const containing = runCapture(gitCmd(projectRoot, projectRoot, "branch", "-r", "--contains", "HEAD"), projectRoot);
+  if (containing.exitCode !== 0) {
+    return fallback;
+  }
+  const candidates = containing.stdout.split(/\r?\n/).map((line) => line.replace(/^\*/, "").trim()).filter(Boolean).map((line) => line.replace(/^origin\//, "")).filter((line) => line !== "HEAD" && !line.startsWith("rig/"));
+  return candidates[0] || fallback;
+}
+function currentGithubLogin(repoRoot) {
+  const gh = resolveGithubCliBinary({ scanPath: true });
+  if (!gh) {
+    return "";
+  }
+  const result = runCapture([gh, "api", "user", "--jq", ".login"], repoRoot);
+  return result.exitCode === 0 ? result.stdout.trim() : "";
+}
+function collectPrChangedFiles(projectRoot, repoRoot, baseRef, branchRef) {
+  const repoNameWithOwner = resolveRepoNameWithOwner(projectRoot, repoRoot);
+  const remoteName = refreshRemoteBaseRef(projectRoot, repoRoot, baseRef, repoNameWithOwner);
+  const hasRemoteBase = remoteName ? runCapture(gitCmd(projectRoot, repoRoot, "rev-parse", "--verify", "--quiet", `${remoteName}/${baseRef}`), projectRoot).exitCode === 0 : false;
+  const hasLocalBase = runCapture(gitCmd(projectRoot, repoRoot, "rev-parse", "--verify", "--quiet", baseRef), projectRoot).exitCode === 0;
+  let changed = "";
+  if (hasRemoteBase) {
+    changed = runCapture(gitCmd(projectRoot, repoRoot, "diff", "--name-only", `${remoteName}/${baseRef}...${branchRef}`), projectRoot).stdout;
+  } else if (hasLocalBase) {
+    changed = runCapture(gitCmd(projectRoot, repoRoot, "diff", "--name-only", `${baseRef}...${branchRef}`), projectRoot).stdout;
+  } else {
+    const fallback = runCapture(gitCmd(projectRoot, repoRoot, "diff", "--name-only", `HEAD~1..${branchRef}`), projectRoot);
+    changed = fallback.exitCode === 0 ? fallback.stdout : runCapture(gitCmd(projectRoot, repoRoot, "diff", "--name-only"), projectRoot).stdout;
+  }
+  return changed.split(/\r?\n/).map((line) => line.trim()).filter(Boolean).slice(0, 60);
+}
+function inferReviewerFromChangedFiles(projectRoot, repoRoot, baseRef, branchRef) {
+  const repoNameWithOwner = resolveRepoNameWithOwner(projectRoot, repoRoot);
+  if (!repoNameWithOwner) {
+    return "";
+  }
+  const actorLogin = currentGithubLogin(repoRoot);
+  const changedFiles = collectPrChangedFiles(projectRoot, repoRoot, baseRef, branchRef);
+  if (changedFiles.length === 0) {
+    return "";
+  }
+  const counts = new Map;
+  for (const path of changedFiles) {
+    const result = runCapture([
+      resolveGithubCliBinary({ scanPath: true }) || "gh",
+      "api",
+      `repos/${repoNameWithOwner}/commits`,
+      "-f",
+      `path=${path}`,
+      "-f",
+      `sha=${baseRef}`,
+      "-f",
+      "per_page=1",
+      "--jq",
+      ".[0].author.login // empty"
+    ], repoRoot);
+    const author = result.exitCode === 0 ? result.stdout.trim() : "";
+    if (!author || author === actorLogin) {
+      continue;
+    }
+    counts.set(author, (counts.get(author) || 0) + 1);
+  }
+  let best = "";
+  let max = -1;
+  for (const [author, count] of counts.entries()) {
+    if (count > max || count === max && author < best) {
+      best = author;
+      max = count;
+    }
+  }
+  return best;
+}
+function snapshotRepo(projectRoot, label, repo) {
+  if (!existsSync3(resolve3(repo, ".git"))) {
+    return [`## ${label}`, `repo: ${repo}`, "status: unavailable", ""];
+  }
+  const status = runCapture(gitCmd(projectRoot, repo, "status", "--short"), projectRoot).stdout.trim();
+  const branch = branchName(projectRoot, repo);
+  const head = runCapture(gitCmd(projectRoot, repo, "rev-parse", "HEAD"), projectRoot).stdout.trim();
+  return [
+    `## ${label}`,
+    `repo: ${repo}`,
+    `branch: ${branch}`,
+    `head: ${head}`,
+    "status:",
+    status || "(clean)",
+    ""
+  ];
+}
+function commitRepo(projectRoot, repo, label, message, allowEmpty, scoped, files, changedFilesManifest) {
+  if (!existsSync3(resolve3(repo, ".git"))) {
+    console.log(`Skipping ${label}: repo not available (${repo})`);
+    return;
+  }
+  const scopedFiles = (files || []).filter(Boolean).filter((file) => !pathResolvesBeyondSymlink(repo, file));
+  const repoChanges = changeCount(projectRoot, repo);
+  if (scopedFiles.length === 0 && repoChanges === 0 && !allowEmpty) {
+    console.log(`Skipping ${label}: no changes to commit.`);
+    return;
+  }
+  if (scopedFiles.length > 0) {
+    const indexFiles = new Set(runCapture(gitCmd(projectRoot, repo, "ls-files"), projectRoot).stdout.split(/\r?\n/).map((line) => line.trim()).filter(Boolean));
+    const stageable = scopedFiles.filter((file) => indexFiles.has(file) || existsSync3(resolve3(repo, file)));
+    if (stageable.length === 0) {
+      console.log(`Skipping ${label}: collected change list matched no stageable paths in ${repo}.`);
+      return;
+    }
+    const pathspecFile = resolve3(tmpdir(), `rig-stage-${process.pid}-${Date.now()}.txt`);
+    writeFileSync(pathspecFile, `${stageable.join(`
+`)}
+`, "utf-8");
+    try {
+      runOrThrow(projectRoot, gitCmd(projectRoot, repo, "add", `--pathspec-from-file=${pathspecFile}`), `Failed to stage changes for ${label}`);
+    } finally {
+      try {
+        unlinkSync(pathspecFile);
+      } catch {}
+    }
+  } else {
+    const addArgs = buildStageAddArgs(repo, scopedFiles, scoped);
+    if (addArgs) {
+      runOrThrow(projectRoot, gitCmd(projectRoot, repo, ...addArgs), `Failed to stage changes for ${label}`);
+    }
+  }
+  const stagedChanges = stagedChangeCount(projectRoot, repo);
+  if (stagedChanges === 0) {
+    if (allowEmpty) {
+      runOrThrow(projectRoot, gitCmd(projectRoot, repo, "commit", "--allow-empty", "-m", message), `Failed to commit ${label}`);
+      console.log(`Committed ${label}: ${message}`);
+      return;
+    }
+    if (scoped && repoChanges > 0) {
+      const manifestHint = changedFilesManifest ? ` Refresh ${changedFilesManifest} and retry, or use --all/--unscoped intentionally.` : "";
+      throw new Error(`Scoped commit for ${label} resolved no stageable files.${manifestHint}`);
+    }
+    console.log(`Skipping ${label}: no stageable changes to commit.`);
+    return;
+  }
+  runOrThrow(projectRoot, gitCmd(projectRoot, repo, "commit", ...allowEmpty ? ["--allow-empty"] : [], "-m", message), `Failed to commit ${label}`);
+  console.log(`Committed ${label}: ${message}`);
+}
+function readChangedFilesManifest(projectRoot, taskId) {
+  const manifestPath = resolve3(taskData().artifactDirForId(projectRoot, taskId), "changed-files.txt");
+  if (!existsSync3(manifestPath)) {
+    return [];
+  }
+  const files = readFileSync2(manifestPath, "utf-8").split(/\r?\n/).map((line) => normalizeChangedFilePath(line)).filter(Boolean);
+  return [...new Set(files)];
+}
+function refreshChangedFilesManifest(projectRoot, taskId) {
+  const manifestPath = resolve3(taskData().artifactDirForId(projectRoot, taskId), "changed-files.txt");
+  mkdirSync(dirname(manifestPath), { recursive: true });
+  const changedFiles = taskData().changedFilesForTask(projectRoot, taskId, true);
+  writeFileSync(manifestPath, `${changedFiles.join(`
+`)}
+`, "utf-8");
+  return manifestPath;
+}
+function normalizeChangedFilePath(file) {
+  return file.trim().replace(/\\/g, "/").replace(/^\.\//, "");
+}
+function buildStageAddArgs(repoRoot, files, scoped) {
+  if (files.length > 0) {
+    return ["add", "--", ...files];
+  }
+  if (scoped) {
+    return null;
+  }
+  return ["add", "-A", "--", ".", ...stageExcludePathspecs(repoRoot)];
+}
+function resolveScopedStageFilesForRepo(projectRoot, repoRoot, taskId, files) {
+  const resolvedManifestFiles = resolveScopedFilesForRepo(projectRoot, repoRoot, files);
+  if (resolvedManifestFiles.length > 0 || !taskId) {
+    return resolvedManifestFiles;
+  }
+  return resolveChangedTaskArtifactFiles(projectRoot, repoRoot, taskId);
+}
+function resolveScopedFilesForRepo(projectRoot, repoRoot, files) {
+  const resolvedFiles = [];
+  const seen = new Set;
+  for (const file of files) {
+    const candidate = resolveScopedRepoPath(repoRoot, file);
+    if (!candidate || seen.has(candidate) || pathResolvesBeyondSymlink(repoRoot, candidate)) {
+      continue;
+    }
+    if (!repoHasPathChange(projectRoot, repoRoot, candidate)) {
+      continue;
+    }
+    seen.add(candidate);
+    resolvedFiles.push(candidate);
+  }
+  return resolvedFiles;
+}
+function resolveChangedTaskArtifactFiles(projectRoot, repoRoot, taskId) {
+  const safeTaskId = safePathSegment(taskId, { fallback: "task", maxLength: 96 });
+  const artifactPrefix = `artifacts/${safeTaskId}/`;
+  const resolvedFiles = [];
+  const seen = new Set;
+  for (const file of collectRepoPendingFiles(projectRoot, repoRoot)) {
+    if (!file.startsWith(artifactPrefix)) {
+      continue;
+    }
+    const artifactRelativePath = file.slice(artifactPrefix.length);
+    if (!TASK_ARTIFACT_STAGE_FALLBACK.has(artifactRelativePath)) {
+      continue;
+    }
+    if (seen.has(file) || pathResolvesBeyondSymlink(repoRoot, file)) {
+      continue;
+    }
+    seen.add(file);
+    resolvedFiles.push(file);
+  }
+  return resolvedFiles.sort();
+}
+function collectRepoPendingFiles(projectRoot, repoRoot) {
+  const files = new Set;
+  for (const args of [
+    ["diff", "--name-only"],
+    ["diff", "--cached", "--name-only"],
+    ["ls-files", "--others", "--exclude-standard"]
+  ]) {
+    const result = runCapture(gitCmd(projectRoot, repoRoot, ...args), projectRoot);
+    if (result.exitCode !== 0) {
+      continue;
+    }
+    for (const line of result.stdout.split(/\r?\n/)) {
+      const normalized = normalizeChangedFilePath(line);
+      if (!normalized) {
+        continue;
+      }
+      files.add(normalized);
+    }
+  }
+  return [...files].sort();
+}
+function resolveScopedRepoPath(repoRoot, file) {
+  const normalized = normalizeChangedFilePath(file);
+  if (!normalized) {
+    return "";
+  }
+  const rules = getScopeRules();
+  if (rules?.stripPrefixes) {
+    let result = normalized;
+    for (const prefix of rules.stripPrefixes) {
+      if (result.startsWith(prefix)) {
+        result = result.slice(prefix.length);
+      }
+    }
+    return result;
+  }
+  return normalized;
+}
+function repoHasPathChange(projectRoot, repoRoot, relativePath) {
+  const result = runCapture(gitCmd(projectRoot, repoRoot, "status", "--short", "--", relativePath), projectRoot);
+  return result.exitCode === 0 && result.stdout.trim().length > 0;
+}
+function stageExcludePathspecs(repoRoot) {
+  const patterns = existsSync3(resolve3(repoRoot, ".rig", "task-config.json")) ? [...TASK_RUNTIME_STAGE_EXCLUDES, ...GENERATED_STAGE_EXCLUDES] : [".rig/**", ...GENERATED_STAGE_EXCLUDES];
+  return patterns.map((pattern) => `:(glob,exclude)${pattern}`);
+}
+function pathResolvesBeyondSymlink(repoRoot, relativePath) {
+  const parts = relativePath.split("/").filter(Boolean);
+  if (parts.length <= 1) {
+    return false;
+  }
+  let current = repoRoot;
+  for (let index = 0;index < parts.length - 1; index += 1) {
+    current = resolve3(current, parts[index]);
+    try {
+      if (lstatSync(current).isSymbolicLink()) {
+        return true;
+      }
+    } catch {
+      return false;
+    }
+  }
+  return false;
+}
+function printRepoStatus(projectRoot, label, repo, expectedBranch) {
+  if (!existsSync3(resolve3(repo, ".git"))) {
+    console.log(`${label}: unavailable (${repo})`);
+    return;
+  }
+  const branch = branchName(projectRoot, repo);
+  const changes = changeCount(projectRoot, repo);
+  console.log(`${label}:`);
+  console.log(`  branch: ${branch || "unknown"}`);
+  console.log(`  changed files: ${changes}`);
+  if (expectedBranch && label !== "project-rig" && branch !== expectedBranch) {
+    console.log(`  warning: branch mismatch (expected ${expectedBranch})`);
+  }
+}
+function resolveTaskBranchId(projectRoot, taskId) {
+  if (/^bd-[a-z0-9-]+$/.test(taskId)) {
+    return taskId;
+  }
+  const normalizedTaskId = taskData().lookupTask(projectRoot, taskId);
+  if (normalizedTaskId) {
+    return normalizedTaskId;
+  }
+  const currentTask = taskData().currentTaskId(projectRoot);
+  if (currentTask && currentTask === taskId) {
+    return currentTask;
+  }
+  const runtimeIdFromEnv = (process.env.RIG_TASK_RUNTIME_ID || "").trim();
+  if (runtimeIdFromEnv.startsWith("task-") && runtimeIdFromEnv.length > "task-".length) {
+    return runtimeIdFromEnv.slice("task-".length);
+  }
+  try {
+    const runtimeIdFromContext = loadRuntimeContextFromEnv()?.runtimeId || "";
+    if (runtimeIdFromContext.startsWith("task-") && runtimeIdFromContext.length > "task-".length) {
+      return runtimeIdFromContext.slice("task-".length);
+    }
+  } catch {}
+  const artifactDir = taskData().artifactDirForId(projectRoot, taskId);
+  if (existsSync3(artifactDir)) {
+    return taskId;
+  }
+  throw new Error(`Unknown task id: ${taskId}`);
+}
+function branchName(projectRoot, repo) {
+  return runCapture(gitCmd(projectRoot, repo, "rev-parse", "--abbrev-ref", "HEAD"), projectRoot).stdout.trim();
+}
+function changeCount(projectRoot, repo) {
+  const status = runCapture(gitCmd(projectRoot, repo, "status", "--short"), projectRoot).stdout.trim();
+  return status ? status.split(/\r?\n/).filter(Boolean).length : 0;
+}
+function stagedChangeCount(projectRoot, repo) {
+  const staged = runCapture(gitCmd(projectRoot, repo, "diff", "--cached", "--name-only"), projectRoot).stdout.trim();
+  return staged ? staged.split(/\r?\n/).filter(Boolean).length : 0;
+}
+function runOrThrow(projectRoot, command, errorPrefix) {
+  const result = runCapture(command, projectRoot);
+  if (result.exitCode !== 0) {
+    throw new Error(`${errorPrefix}:
+${result.stderr || result.stdout}`);
+  }
+}
+function runCapture(command, cwd, projectRoot = cwd) {
+  return baseRunCapture(command, cwd, runtimeGitEnv(projectRoot));
+}
+function runtimeGitEnv(projectRoot) {
+  const { ctx, runtimeRoot } = resolveRuntimeMetadata(projectRoot);
+  const runtimeHome = runtimeRoot ? resolve3(runtimeRoot, "home") : "";
+  const runtimeTmp = runtimeRoot ? resolve3(runtimeRoot, "tmp") : "";
+  const runtimeCache = runtimeRoot ? resolve3(runtimeRoot, "cache") : "";
+  const runtimeKnownHosts = runtimeHome ? resolve3(runtimeHome, ".ssh", "known_hosts") : "";
+  const runtimeKey = runtimeHome ? resolve3(runtimeHome, ".ssh", "rig-agent-key") : "";
+  const env = {};
+  if (ctx?.workspaceDir) {
+    env.PROJECT_RIG_ROOT = projectRoot;
+    env.RIG_TASK_WORKSPACE = ctx.workspaceDir;
+    env.MONOREPO_ROOT = ctx.workspaceDir;
+    env.MONOREPO_MAIN_ROOT = resolveMonorepoRoot(projectRoot);
+  } else if (projectRoot) {
+    env.PROJECT_RIG_ROOT = projectRoot;
+  }
+  if (runtimeRoot) {
+    env.RIG_RUNTIME_HOME = runtimeRoot;
+  }
+  if (runtimeHome && existsSync3(runtimeHome)) {
+    env.HOME = runtimeHome;
+    env.OPENSSL_CONF = ensureRuntimeOpenSslConfig(runtimeHome);
+  }
+  if (runtimeTmp && existsSync3(runtimeTmp)) {
+    env.TMPDIR = runtimeTmp;
+  }
+  if (runtimeCache && existsSync3(runtimeCache)) {
+    env.XDG_CACHE_HOME = runtimeCache;
+  }
+  const workspaceSecrets = loadDotEnvSecrets(ctx?.workspaceDir || projectRoot, process.env);
+  for (const [key, value] of Object.entries(resolveRuntimeSecrets(process.env, workspaceSecrets))) {
+    if (key === "GITHUB_SSH_KEY" || !value) {
+      continue;
+    }
+    env[key] = value;
+  }
+  const rigGithubToken = process.env.RIG_GITHUB_TOKEN?.trim() || authStateToken(process.env) || "";
+  if (rigGithubToken && !env.GITHUB_TOKEN && !env.GH_TOKEN) {
+    env.GITHUB_TOKEN = rigGithubToken;
+  }
+  if (!env.GITHUB_TOKEN && env.GH_TOKEN) {
+    env.GITHUB_TOKEN = env.GH_TOKEN;
+  }
+  if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
+    env.GH_TOKEN = env.GITHUB_TOKEN;
+  }
+  if (!env.GREPTILE_GITHUB_TOKEN && env.GITHUB_TOKEN) {
+    env.GREPTILE_GITHUB_TOKEN = env.GITHUB_TOKEN;
+  }
+  const persistedSecrets = loadPersistedRuntimeSecrets(runtimeRoot);
+  for (const [key, value] of Object.entries(persistedSecrets)) {
+    if (!value)
+      continue;
+    if (!env[key]) {
+      env[key] = value;
+    }
+  }
+  if (!env.GITHUB_TOKEN && env.GH_TOKEN) {
+    env.GITHUB_TOKEN = env.GH_TOKEN;
+  }
+  if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
+    env.GH_TOKEN = env.GITHUB_TOKEN;
+  }
+  const gitHubToken = env.GITHUB_TOKEN || env.GH_TOKEN || env.RIG_GITHUB_TOKEN || rigGithubToken;
+  if (gitHubToken) {
+    env.RIG_GITHUB_TOKEN = gitHubToken;
+    env.GITHUB_TOKEN = env.GITHUB_TOKEN || gitHubToken;
+    env.GH_TOKEN = env.GH_TOKEN || gitHubToken;
+    applyGitHubCredentialHelperEnv(env);
+  }
+  if (runtimeKnownHosts && existsSync3(runtimeKnownHosts)) {
+    const sshParts = [
+      "ssh",
+      `-o UserKnownHostsFile="${runtimeKnownHosts}"`,
+      "-o StrictHostKeyChecking=yes",
+      "-F /dev/null"
+    ];
+    if (runtimeKey && existsSync3(runtimeKey)) {
+      sshParts.splice(1, 0, `-i "${runtimeKey}"`, "-o IdentitiesOnly=yes");
+    }
+    env.GIT_SSH_COMMAND = sshParts.join(" ");
+  } else if (process.env.GIT_SSH_COMMAND?.trim()) {
+    env.GIT_SSH_COMMAND = process.env.GIT_SSH_COMMAND;
+  }
+  return Object.keys(env).length > 0 ? env : undefined;
+}
+function applyGitHubCredentialHelperEnv(env) {
+  env.GIT_TERMINAL_PROMPT = "0";
+  env.GIT_CONFIG_COUNT = "2";
+  env.GIT_CONFIG_KEY_0 = "credential.helper";
+  env.GIT_CONFIG_VALUE_0 = "";
+  env.GIT_CONFIG_KEY_1 = "credential.helper";
+  env.GIT_CONFIG_VALUE_1 = '!f() { test "$1" = get || exit 0; token="${GITHUB_TOKEN:-${GH_TOKEN:-${RIG_GITHUB_TOKEN:-}}}"; test -n "$token" || exit 0; echo username=x-access-token; echo password="$token"; }; f';
+}
+function loadPersistedRuntimeSecrets(runtimeRoot) {
+  if (!runtimeRoot) {
+    return {};
+  }
+  const path = resolve3(runtimeRoot, "runtime-secrets.json");
+  if (!existsSync3(path)) {
+    return {};
+  }
+  try {
+    const parsed = JSON.parse(readFileSync2(path, "utf-8"));
+    const allowed = new Set(["GITHUB_TOKEN", "GH_TOKEN", "RIG_GITHUB_TOKEN"]);
+    const entries = Object.entries(parsed).filter((entry) => typeof entry[1] === "string" && allowed.has(entry[0]));
+    return Object.fromEntries(entries);
+  } catch {
+    return {};
+  }
+}
+function ensureRuntimeOpenSslConfig(runtimeHome) {
+  const sslDir = resolve3(runtimeHome, ".ssl");
+  const sslConfig = resolve3(sslDir, "openssl.cnf");
+  if (!existsSync3(sslDir)) {
+    mkdirSync(sslDir, { recursive: true });
+  }
+  if (!existsSync3(sslConfig)) {
+    writeFileSync(sslConfig, `# Rig runtime OpenSSL config placeholder
+`);
+  }
+  return sslConfig;
+}
+function resolveRuntimeMetadata(projectRoot) {
+  const contextFile = process.env.RIG_RUNTIME_CONTEXT_FILE?.trim();
+  const runtimeHome = process.env.RIG_RUNTIME_HOME?.trim();
+  let ctx = loadRuntimeContextFromEnv();
+  if (runtimeHome) {
+    return {
+      ctx,
+      runtimeRoot: runtimeHome
+    };
+  }
+  if (contextFile) {
+    return {
+      ctx,
+      runtimeRoot: dirname(resolve3(contextFile))
+    };
+  }
+  const inferredContextFile = findRuntimeContextFile(projectRoot);
+  if (existsSync3(inferredContextFile)) {
+    try {
+      ctx = loadRuntimeContext(inferredContextFile);
+    } catch {}
+    return {
+      ctx,
+      runtimeRoot: dirname(inferredContextFile)
+    };
+  }
+  return { ctx, runtimeRoot: "" };
+}
+function findRuntimeContextFile(startPath) {
+  let current = resolve3(startPath);
+  while (true) {
+    const candidate = resolve3(current, "runtime-context.json");
+    if (existsSync3(candidate)) {
+      return candidate;
+    }
+    const parent = dirname(current);
+    if (parent === current) {
+      return "";
+    }
+    current = parent;
+  }
+}
+var TASK_RUNTIME_STAGE_EXCLUDES, GENERATED_STAGE_EXCLUDES, TASK_ARTIFACT_STAGE_FALLBACK;
+var init_git_ops = __esm(() => {
+  init_task_data();
+  init_github_auth_env();
+  init_host_git();
+  TASK_RUNTIME_STAGE_EXCLUDES = [
+    ".rig/bin/**",
+    ".rig/cache/**",
+    ".rig/home/**",
+    ".rig/logs/**",
+    ".rig/runtime/**",
+    ".rig/session/**",
+    ".rig/state/**",
+    ".rig/runtime-context.json"
+  ];
+  GENERATED_STAGE_EXCLUDES = ["artifacts/*/runtime-snapshots/**"];
+  TASK_ARTIFACT_STAGE_FALLBACK = new Set([
+    "changed-files.txt",
+    "contract-changes.md",
+    "decision-log.md",
+    "git-state.txt",
+    "next-actions.md",
+    "pr-state.json",
+    "task-result.json",
+    "validation-summary.json"
+  ]);
+});
+
+// packages/bundle-default-lifecycle/src/control-plane/policy.ts
+import { existsSync as existsSync4, readFileSync as readFileSync3, statSync } from "fs";
+import { resolve as resolve4 } from "path";
 import {
-  collectPrReviewEvidence,
-  evaluateStrictPrMergeGate,
-  parseGreptileScore,
-  stripHtml
-} from "@rig/pr-review-plugin";
+  POLICY_VERSION
+} from "@rig/contracts";
+function defaultPolicy() {
+  return {
+    version: POLICY_VERSION,
+    mode: "enforce",
+    scope: { ...DEFAULT_SCOPE },
+    rules: [],
+    sandbox: { ...DEFAULT_SANDBOX },
+    isolation: { ...DEFAULT_ISOLATION },
+    completion: { ...DEFAULT_COMPLETION },
+    runtime_image: {
+      deps: { ...DEFAULT_RUNTIME_IMAGE.deps },
+      plugins_require_binaries: DEFAULT_RUNTIME_IMAGE.plugins_require_binaries
+    },
+    runtime_snapshot: { ...DEFAULT_RUNTIME_SNAPSHOT }
+  };
+}
+function seedPolicyFromContent(rawJson) {
+  try {
+    seededPolicyConfig = mergeWithDefaults(JSON.parse(rawJson));
+  } catch {
+    seededPolicyConfig = null;
+  }
+}
+function loadPolicy(projectRoot) {
+  if (seededPolicyConfig) {
+    return seededPolicyConfig;
+  }
+  const configPath = resolve4(projectRoot, "rig/policy/policy.json");
+  if (!existsSync4(configPath)) {
+    return defaultPolicy();
+  }
+  let mtimeMs;
+  try {
+    mtimeMs = statSync(configPath).mtimeMs;
+  } catch {
+    return defaultPolicy();
+  }
+  if (policyCache && policyCachePath === configPath && policyCache.mtimeMs === mtimeMs) {
+    return policyCache.config;
+  }
+  try {
+    const config = mergeWithDefaults(JSON.parse(readFileSync3(configPath, "utf-8")));
+    policyCache = { mtimeMs, config };
+    policyCachePath = configPath;
+    return config;
+  } catch {
+    return defaultPolicy();
+  }
+}
+function mergeWithDefaults(parsed) {
+  const base = defaultPolicy();
+  if (typeof parsed.mode === "string" && isValidMode(parsed.mode)) {
+    base.mode = parsed.mode;
+  }
+  if (parsed.scope && typeof parsed.scope === "object" && !Array.isArray(parsed.scope)) {
+    const scope = parsed.scope;
+    if (typeof scope.fail_closed === "boolean")
+      base.scope.fail_closed = scope.fail_closed;
+    if (typeof scope.harness_paths_exempt === "boolean")
+      base.scope.harness_paths_exempt = scope.harness_paths_exempt;
+    if (typeof scope.runtime_paths_exempt === "boolean")
+      base.scope.runtime_paths_exempt = scope.runtime_paths_exempt;
+  }
+  if (Array.isArray(parsed.rules)) {
+    base.rules = precompilePolicyRuleRegexes(parsed.rules.filter(isValidRule));
+  }
+  if (Array.isArray(parsed.deny) && base.rules.length === 0) {
+    base.rules = precompilePolicyRuleRegexes(migrateLegacyDeny(parsed.deny));
+  }
+  if (parsed.sandbox && typeof parsed.sandbox === "object" && !Array.isArray(parsed.sandbox)) {
+    const sandbox = parsed.sandbox;
+    if (typeof sandbox.mode === "string" && isValidMode(sandbox.mode))
+      base.sandbox.mode = sandbox.mode;
+    if (typeof sandbox.network === "boolean")
+      base.sandbox.network = sandbox.network;
+    if (Array.isArray(sandbox.read_deny))
+      base.sandbox.read_deny = sandbox.read_deny.filter((value) => typeof value === "string");
+    if (typeof sandbox.write_allow_from_runtime === "boolean")
+      base.sandbox.write_allow_from_runtime = sandbox.write_allow_from_runtime;
+  }
+  if (parsed.isolation && typeof parsed.isolation === "object" && !Array.isArray(parsed.isolation)) {
+    const isolation = parsed.isolation;
+    if (isolation.default_mode === "worktree")
+      base.isolation.default_mode = isolation.default_mode;
+    if (typeof isolation.repo_symlink_fallback === "boolean")
+      base.isolation.repo_symlink_fallback = isolation.repo_symlink_fallback;
+    if (typeof isolation.strict_provisioning === "boolean")
+      base.isolation.strict_provisioning = isolation.strict_provisioning;
+    if (typeof isolation.fail_closed_on_provision_error === "boolean")
+      base.isolation.fail_closed_on_provision_error = isolation.fail_closed_on_provision_error;
+  }
+  if (parsed.completion && typeof parsed.completion === "object" && !Array.isArray(parsed.completion)) {
+    const completion = parsed.completion;
+    if (typeof completion.derive_checks_from_scope === "boolean")
+      base.completion.derive_checks_from_scope = completion.derive_checks_from_scope;
+    if (Array.isArray(completion.checks))
+      base.completion.checks = completion.checks.filter((value) => typeof value === "string");
+    if (Array.isArray(completion.typescript_config_probe))
+      base.completion.typescript_config_probe = completion.typescript_config_probe.filter((value) => typeof value === "string");
+    if (Array.isArray(completion.eslint_config_probe))
+      base.completion.eslint_config_probe = completion.eslint_config_probe.filter((value) => typeof value === "string");
+  }
+  if (parsed.runtime_image && typeof parsed.runtime_image === "object" && !Array.isArray(parsed.runtime_image)) {
+    const runtimeImage = parsed.runtime_image;
+    if (runtimeImage.deps && typeof runtimeImage.deps === "object" && !Array.isArray(runtimeImage.deps)) {
+      const deps = runtimeImage.deps;
+      if (typeof deps.monorepo_install === "boolean")
+        base.runtime_image.deps.monorepo_install = deps.monorepo_install;
+      if (typeof deps.hp_next_install === "boolean")
+        base.runtime_image.deps.hp_next_install = deps.hp_next_install;
+    }
+    if (typeof runtimeImage.plugins_require_binaries === "boolean") {
+      base.runtime_image.plugins_require_binaries = runtimeImage.plugins_require_binaries;
+    }
+  }
+  if (parsed.runtime_snapshot && typeof parsed.runtime_snapshot === "object" && !Array.isArray(parsed.runtime_snapshot)) {
+    const runtimeSnapshot = parsed.runtime_snapshot;
+    if (typeof runtimeSnapshot.enabled === "boolean")
+      base.runtime_snapshot.enabled = runtimeSnapshot.enabled;
+  }
+  return base;
+}
+function isValidMode(value) {
+  return value === "off" || value === "observe" || value === "enforce";
+}
+function isValidRule(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value))
+    return false;
+  const rule = value;
+  return typeof rule.id === "string" && typeof rule.category === "string" && !!rule.match && typeof rule.match === "object";
+}
+function migrateLegacyDeny(deny) {
+  const rules = [];
+  for (const entry of deny) {
+    if (typeof entry.id !== "string")
+      continue;
+    const match = {};
+    if (typeof entry.pattern === "string")
+      match.pattern = entry.pattern;
+    if (typeof entry.regex === "string")
+      match.regex = entry.regex;
+    if (!match.pattern && !match.regex)
+      continue;
+    const rule = {
+      id: entry.id,
+      category: "command",
+      match,
+      action: entry.action === "warn" ? "warn" : "block"
+    };
+    if (typeof entry.reason === "string") {
+      rule.description = entry.reason;
+    }
+    rules.push(rule);
+  }
+  return rules;
+}
+function precompilePolicyRuleRegexes(rules) {
+  return rules.map((rule) => {
+    const compiled = { ...rule };
+    const matchRegex = compileRegex(rule.match?.regex);
+    const unlessRegex = compileRegex(rule.unless?.regex);
+    if (matchRegex) {
+      compiled.compiledRegex = matchRegex;
+    }
+    if (unlessRegex) {
+      compiled.compiledUnlessRegex = unlessRegex;
+    }
+    return compiled;
+  });
+}
+function compileRegex(pattern) {
+  if (!pattern)
+    return;
+  try {
+    return new RegExp(pattern);
+  } catch {
+    return;
+  }
+}
+var DEFAULT_SCOPE, DEFAULT_SANDBOX, DEFAULT_ISOLATION, DEFAULT_COMPLETION, DEFAULT_RUNTIME_IMAGE, DEFAULT_RUNTIME_SNAPSHOT, policyCache = null, policyCachePath = null, seededPolicyConfig = null;
+var init_policy = __esm(() => {
+  DEFAULT_SCOPE = {
+    fail_closed: true,
+    harness_paths_exempt: true,
+    runtime_paths_exempt: true
+  };
+  DEFAULT_SANDBOX = {
+    mode: "enforce",
+    network: true,
+    read_deny: [],
+    write_allow_from_runtime: true
+  };
+  DEFAULT_ISOLATION = {
+    default_mode: "worktree",
+    repo_symlink_fallback: false,
+    strict_provisioning: true,
+    fail_closed_on_provision_error: true
+  };
+  DEFAULT_COMPLETION = {
+    derive_checks_from_scope: true,
+    checks: [],
+    typescript_config_probe: ["tsconfig.json"],
+    eslint_config_probe: [".eslintrc.js", ".eslintrc.json", "eslint.config.js"]
+  };
+  DEFAULT_RUNTIME_IMAGE = {
+    deps: {
+      monorepo_install: false,
+      hp_next_install: false
+    },
+    plugins_require_binaries: true
+  };
+  DEFAULT_RUNTIME_SNAPSHOT = {
+    enabled: true
+  };
+});
+
+// packages/bundle-default-lifecycle/src/control-plane/verifier.ts
+import { existsSync as existsSync5, mkdirSync as mkdirSync2, writeFileSync as writeFileSync2 } from "fs";
+import { resolve as resolve5 } from "path";
+import { resolveRuntimeSecrets as resolveRuntimeSecrets2 } from "@rig/core/baked-secrets";
+import { loadRuntimeContextFromEnv as loadRuntimeContextFromEnv2 } from "@rig/core/runtime-context";
+import { nowIso as nowIso2, runCapture as runCapture2 } from "@rig/core/exec";
+import { resolveHarnessPaths } from "@rig/core/harness-paths";
+async function ensureMergeGate(projectRoot) {
+  mergeGateHolder = await resolvePrMergeGateService(projectRoot);
+  return mergeGateHolder;
+}
+function mg() {
+  if (!mergeGateHolder) {
+    throw new Error("PR merge-gate capability not resolved (verifyTask must run first).");
+  }
+  return mergeGateHolder;
+}
 async function verifyTask(options) {
+  await ensureMergeGate(options.projectRoot);
   const paths = resolveHarnessPaths(options.projectRoot);
   const taskId = options.taskId;
-  const normalizedTaskId = lookupTask(options.projectRoot, taskId);
-  const artifactDir = artifactDirForId(options.projectRoot, taskId);
-  mkdirSync(artifactDir, { recursive: true });
-  const validationSummaryPath = resolve(artifactDir, "validation-summary.json");
-  const reviewFeedbackPath = resolve(artifactDir, "review-feedback.md");
-  const reviewStatePath = resolve(artifactDir, "review-state.json");
-  const greptileRawPath = resolve(artifactDir, "review-greptile-raw.json");
+  const normalizedTaskId = taskData().lookupTask(options.projectRoot, taskId);
+  const artifactDir = taskData().artifactDirForId(options.projectRoot, taskId);
+  mkdirSync2(artifactDir, { recursive: true });
+  const validationSummaryPath = resolve5(artifactDir, "validation-summary.json");
+  const reviewFeedbackPath = resolve5(artifactDir, "review-feedback.md");
+  const reviewStatePath = resolve5(artifactDir, "review-state.json");
+  const greptileRawPath = resolve5(artifactDir, "review-greptile-raw.json");
   const prStates = readPrMetadata(options.projectRoot, taskId);
   const prState = prStates[0] || null;
   const localReasons = [];
@@ -51,7 +2308,7 @@ async function verifyTask(options) {
   if (!normalizedTaskId && !await hasConfiguredSourceTask(options.projectRoot, taskId)) {
     localReasons.push(`[Task Config] Unknown task id '${taskId}' in task-config or configured task source.`);
   }
-  if (!existsSync(validationSummaryPath)) {
+  if (!existsSync5(validationSummaryPath)) {
     localReasons.push(`[Artifact Quality] validation-summary.json not found at ${validationSummaryPath}.`);
   } else {
     const summary = await parseValidationSummary(validationSummaryPath);
@@ -60,13 +2317,13 @@ async function verifyTask(options) {
     }
   }
   for (const file of ["task-result.json", "decision-log.md", "next-actions.md", "changed-files.txt"]) {
-    const requiredPath = resolve(artifactDir, file);
-    if (!existsSync(requiredPath)) {
+    const requiredPath = resolve5(artifactDir, file);
+    if (!existsSync5(requiredPath)) {
       localReasons.push(`[Artifact Quality] Missing required artifact file: ${requiredPath}`);
     }
   }
-  const taskResultPath = resolve(artifactDir, "task-result.json");
-  if (existsSync(taskResultPath)) {
+  const taskResultPath = resolve5(artifactDir, "task-result.json");
+  if (existsSync5(taskResultPath)) {
     const taskResult = await readJsonFile(taskResultPath);
     const artifactStatus = typeof taskResult?.status === "string" ? taskResult.status.trim().toLowerCase() : "";
     if (artifactStatus === "partial") {
@@ -79,8 +2336,8 @@ async function verifyTask(options) {
       localReasons.push("[Artifact Quality] task-result.json next actions indicate remaining implementation scope.");
     }
   }
-  const nextActionsPath = resolve(artifactDir, "next-actions.md");
-  if (existsSync(nextActionsPath)) {
+  const nextActionsPath = resolve5(artifactDir, "next-actions.md");
+  if (existsSync5(nextActionsPath)) {
     const nextActionsContent = await Bun.file(nextActionsPath).text();
     if (nextActionsContent.includes("TODO: Replace this scaffold") || nextActionsContent.includes("bd-<downstream-task-id>")) {
       localReasons.push("[Artifact Quality] next-actions.md still contains scaffold placeholder text. Replace with real recommendations.");
@@ -111,7 +2368,7 @@ async function verifyTask(options) {
       aiReasons.push(`[AI Review] Required mode needs a completed Greptile approval; current verdict is ${ai.verdict}.`);
     }
     if (persistArtifacts && ai.rawResponse) {
-      writeFileSync(greptileRawPath, `${ai.rawResponse}
+      writeFileSync2(greptileRawPath, `${ai.rawResponse}
 `, "utf-8");
     }
   } else if (!options.skipAiReview && reviewMode === "off") {
@@ -233,15 +2490,15 @@ function nextActionsIndicateRemainingScope(content) {
   return /^\s*- \[ \]/m.test(normalized) || /\b(remaining scope|still need|needs? to be implemented|not yet implemented|not implemented|follow[- ]?up required|blocked by|blocker:)\b/i.test(lower);
 }
 async function hasConfiguredSourceTask(projectRoot, taskId) {
-  return readConfiguredTaskSourceTask(projectRoot, taskId).then((result) => result.task !== null).catch(() => false);
+  return taskData().readConfiguredTaskSourceTask(projectRoot, taskId).then((result) => result.task !== null).catch(() => false);
 }
 function resolveGithubSourceIssueId(projectRoot, taskId) {
-  const fromRuntime = loadRuntimeContextFromEnv()?.sourceTask?.sourceIssueId;
+  const fromRuntime = loadRuntimeContextFromEnv2()?.sourceTask?.sourceIssueId;
   if (typeof fromRuntime === "string" && isGithubSourceIssueId(fromRuntime)) {
     return fromRuntime;
   }
   try {
-    const taskConfig = readTaskConfig(projectRoot);
+    const taskConfig = taskData().readTaskConfig(projectRoot);
     const entry = taskConfig[taskId];
     const sourceIssueId = typeof entry?.sourceIssueId === "string" ? entry.sourceIssueId : typeof entry?.source_issue_id === "string" ? entry.source_issue_id : null;
     if (sourceIssueId && isGithubSourceIssueId(sourceIssueId)) {
@@ -312,14 +2569,15 @@ function loadGithubPullRequestCloseoutSnapshot(projectRoot, prState) {
       "--json",
       "state,isDraft,mergeable,mergeStateStatus,reviewDecision,title,body,statusCheckRollup"
     ]);
+    const isDraft = booleanField(view, "isDraft");
     return {
-      state: stringField(view, "state"),
-      isDraft: booleanField(view, "isDraft"),
-      mergeable: stringField(view, "mergeable"),
-      mergeStateStatus: stringField(view, "mergeStateStatus"),
-      reviewDecision: stringField(view, "reviewDecision"),
-      title: stringField(view, "title"),
-      body: stringField(view, "body"),
+      ...objectField("state", stringField(view, "state")),
+      ...isDraft !== undefined ? { isDraft } : {},
+      ...objectField("mergeable", stringField(view, "mergeable")),
+      ...objectField("mergeStateStatus", stringField(view, "mergeStateStatus")),
+      ...objectField("reviewDecision", stringField(view, "reviewDecision")),
+      ...objectField("title", stringField(view, "title")),
+      ...objectField("body", stringField(view, "body")),
       statusCheckRollup: statusCheckRollupField(view, "statusCheckRollup"),
       reviewThreads: loadGithubReviewThreads(projectRoot, repoName, prNumber)
     };
@@ -394,6 +2652,9 @@ function stringField(record, key) {
   const value = record[key];
   return typeof value === "string" ? value : undefined;
 }
+function objectField(key, value) {
+  return value === undefined ? {} : { [key]: value };
+}
 function booleanField(record, key) {
   const value = record[key];
   return typeof value === "boolean" ? value : undefined;
@@ -450,7 +2711,7 @@ function isAcceptedValidationSummary(summary) {
   return summary.status === "skipped" && summary.total === 0 && summary.failed === 0;
 }
 async function loadReviewMode(reviewProfilePath, fallback) {
-  const parsed = existsSync(reviewProfilePath) ? await readJsonFile(reviewProfilePath) : null;
+  const parsed = existsSync5(reviewProfilePath) ? await readJsonFile(reviewProfilePath) : null;
   const mode = parsed?.mode;
   if (mode === "off" || mode === "advisory" || mode === "required") {
     return mode;
@@ -461,7 +2722,7 @@ async function loadReviewMode(reviewProfilePath, fallback) {
   return "advisory";
 }
 async function loadReviewProvider(reviewProfilePath, fallback) {
-  const parsed = existsSync(reviewProfilePath) ? await readJsonFile(reviewProfilePath) : null;
+  const parsed = existsSync5(reviewProfilePath) ? await readJsonFile(reviewProfilePath) : null;
   const provider = parsed?.provider;
   if (typeof provider === "string" && provider.trim().length > 0) {
     return provider;
@@ -470,7 +2731,7 @@ async function loadReviewProvider(reviewProfilePath, fallback) {
 }
 function resolveRepoSlug(projectRoot) {
   const paths = resolveHarnessPaths(projectRoot);
-  const remote = runCapture(["git", "-C", paths.monorepoRoot, "remote", "get-url", "origin"], projectRoot).stdout.trim() || runCapture(["git", "-C", projectRoot, "remote", "get-url", "origin"], projectRoot).stdout.trim();
+  const remote = runCapture2(["git", "-C", paths.monorepoRoot, "remote", "get-url", "origin"], projectRoot).stdout.trim() || runCapture2(["git", "-C", projectRoot, "remote", "get-url", "origin"], projectRoot).stdout.trim();
   if (!remote) {
     return "";
   }
@@ -484,7 +2745,7 @@ function resolveRepoSlug(projectRoot) {
 async function runGreptileReview(options) {
   const reasons = [];
   const warnings = [];
-  const secrets = resolveRuntimeSecrets(process.env);
+  const secrets = resolveRuntimeSecrets2(process.env);
   const apiKey = secrets.GREPTILE_API_KEY || "";
   const apiBase = secrets.GREPTILE_API_BASE || "https://api.greptile.com/mcp";
   const remote = secrets.GREPTILE_REMOTE || "github";
@@ -620,7 +2881,7 @@ function writeFeedbackFile(options) {
   if (options.aiRawFeedback) {
     lines.push("## Raw Reviewer Feedback", "", "```text", options.aiRawFeedback, "```", "");
   }
-  writeFileSync(options.output, `${lines.join(`
+  writeFileSync2(options.output, `${lines.join(`
 `)}
 `, "utf-8");
 }
@@ -635,9 +2896,9 @@ function writeReviewStateFile(options) {
     local_reasons: options.localReasons,
     ai_reasons: options.aiReasons,
     ai_warnings: options.aiWarnings,
-    updated_at: nowIso()
+    updated_at: nowIso2()
   };
-  writeFileSync(options.output, `${JSON.stringify(payload, null, 2)}
+  writeFileSync2(options.output, `${JSON.stringify(payload, null, 2)}
 `, "utf-8");
 }
 async function runGreptileReviewForPr(options) {
@@ -662,7 +2923,6 @@ async function runGreptileReviewForPr(options) {
       taskId: options.taskId,
       prState: options.prState,
       reviewMode: options.reviewMode,
-      infrastructureError: undefined,
       pollAttempts: options.pollAttempts,
       pollIntervalMs: options.pollIntervalMs
     });
@@ -790,7 +3050,7 @@ async function runGreptileReviewForPr(options) {
   });
   const actionableComments = filterActionableGreptileComments(commentsPayload.comments || []);
   const reviewBody = reviewDetails.codeReview?.body || "";
-  const score = parseGreptileScore(reviewBody);
+  const score = mg().parseGreptileScore(reviewBody);
   const feedback = [
     `## ${options.prState.repoLabel || repoName} PR Review`,
     "",
@@ -798,7 +3058,7 @@ async function runGreptileReviewForPr(options) {
     `- Review ID: ${selectedReview.id}`,
     `- Status: ${selectedReview.status}`,
     "",
-    reviewBody ? stripHtml(reviewBody).trim() : "Greptile completed without summary body."
+    reviewBody ? mg().stripHtml(reviewBody).trim() : "Greptile completed without summary body."
   ].filter(Boolean).join(`
 `);
   if (actionableComments.length > 0) {
@@ -819,7 +3079,7 @@ async function runGreptileReviewForPr(options) {
       }
     };
   }
-  const blockerScanBody = stripHtml(reviewBody).replace(/\b(?:no|without|zero)\s+blockers?\b/gi, " ").replace(/\bno\s+changes\s+requested\b/gi, " ");
+  const blockerScanBody = mg().stripHtml(reviewBody).replace(/\b(?:no|without|zero)\s+blockers?\b/gi, " ").replace(/\bno\s+changes\s+requested\b/gi, " ");
   if (/not safe(?: to merge)?|unsafe(?: to merge)?|do not merge|cannot merge|blockers?|must fix|changes requested|please fix|needs? fix|fix this|address this|\breject(?:ed|ion)?\b|\bskip(?:ped)?\b|status\s*:\s*(?:reject(?:ed)?|skip(?:ped)?|failed)/i.test(blockerScanBody)) {
     reasons.push(`[AI Review] ${repoName}#${prNumber} summary indicates the PR is not safe to merge.`);
     return {
@@ -867,7 +3127,7 @@ async function runGreptileReviewForPr(options) {
         status: selectedReview.status
       }]
     });
-    strictGate = evaluateStrictPrMergeGate(strictEvidence);
+    strictGate = mg().evaluateGate(strictEvidence);
   } catch (error) {
     reasons.push(`[AI Review] Strict Greptile evidence collection failed for ${repoName}#${prNumber}: ${error instanceof Error ? error.message : String(error)}`);
     return {
@@ -994,7 +3254,7 @@ async function runGithubGreptileFallbackReviewForPr(options) {
     fallbackReview?.html_url ? `- Review: ${fallbackReview.html_url}` : "",
     fallbackReview?.state ? `- Status: ${fallbackReview.state}` : "",
     "",
-    fallbackReview?.body?.trim() ? stripHtml(fallbackReview.body).trim() : "Greptile MCP was unavailable, so verification used GitHub review threads instead."
+    fallbackReview?.body?.trim() ? mg().stripHtml(fallbackReview.body).trim() : "Greptile MCP was unavailable, so verification used GitHub review threads instead."
   ].filter(Boolean).join(`
 `);
   const warnings = buildGithubGreptileFallbackWarnings(options);
@@ -1017,7 +3277,7 @@ async function runGithubGreptileFallbackReviewForPr(options) {
       taskId: options.taskId,
       prUrl
     });
-    strictGate = evaluateStrictPrMergeGate(strictEvidence);
+    strictGate = mg().evaluateGate(strictEvidence);
   } catch (error) {
     return {
       verdict: "REJECT",
@@ -1242,7 +3502,7 @@ function loadGithubPullRequestState(projectRoot, repoName, prNumber) {
   ]);
   return {
     state: response.state || "",
-    merged: response.merged,
+    ...response.merged !== undefined ? { merged: response.merged } : {},
     merged_at: response.merged_at ?? null
   };
 }
@@ -1260,7 +3520,7 @@ function parsePullRequestNumber(url) {
   return match ? Number.parseInt(match[1] || "0", 10) : 0;
 }
 function runGhJson(projectRoot, args) {
-  const result = runCapture(["gh", ...args], projectRoot);
+  const result = runCapture2(["gh", ...args], projectRoot);
   if (result.exitCode !== 0) {
     throw new Error(result.stderr || result.stdout || `gh ${args.join(" ")} failed`);
   }
@@ -1271,7 +3531,7 @@ function runGhJson(projectRoot, args) {
   }
 }
 async function collectStrictPrEvidenceForVerifier(input) {
-  return collectPrReviewEvidence({
+  return mg().collectEvidence({
     projectRoot: input.projectRoot,
     prUrl: input.prUrl,
     taskId: input.taskId,
@@ -1279,7 +3539,7 @@ async function collectStrictPrEvidenceForVerifier(input) {
     cycle: 0,
     apiSignals: input.apiSignals ?? [],
     command: async (args, options) => {
-      const result = runCapture(["gh", ...args], options?.cwd ?? input.projectRoot);
+      const result = runCapture2(["gh", ...args], options?.cwd ?? input.projectRoot);
       return { exitCode: result.exitCode, stdout: result.stdout, stderr: result.stderr };
     }
   });
@@ -1292,11 +3552,11 @@ function deriveRepoName(projectRoot, prState) {
   if (prState.target === "monorepo") {
     return resolveRepoSlug(projectRoot);
   }
-  return runCapture(["gh", "repo", "view", "--json", "nameWithOwner", "--jq", ".nameWithOwner"], projectRoot).stdout.trim();
+  return runCapture2(["gh", "repo", "view", "--json", "nameWithOwner", "--jq", ".nameWithOwner"], projectRoot).stdout.trim();
 }
 function resolvePrHeadSha(projectRoot, prState) {
   const repoRoot = resolvePrRepoRoot(projectRoot, prState);
-  return runCapture(["git", "-C", repoRoot, "rev-parse", "HEAD"], projectRoot).stdout.trim();
+  return runCapture2(["git", "-C", repoRoot, "rev-parse", "HEAD"], projectRoot).stdout.trim();
 }
 function isGreptileGithubLogin(login) {
   const normalized = (login || "").toLowerCase().replace(/\[bot\]$/, "");
@@ -1332,7 +3592,7 @@ function loadGithubPullRequestCheckRollup(projectRoot, repoName, prNumber) {
   return response.statusCheckRollup || [];
 }
 function evaluatePullRequestCiChecks(checks, repoName, prNumber, options = {}) {
-  const isPendingCheck = (check) => {
+  const isPendingCheck2 = (check) => {
     if ((check.__typename || "") === "CheckRun") {
       return (check.status || "").toUpperCase() !== "COMPLETED";
     }
@@ -1341,7 +3601,7 @@ function evaluatePullRequestCiChecks(checks, repoName, prNumber, options = {}) {
   };
   const pendingGreptile = checks.filter((check) => {
     const label = (check.name || check.context || "").toLowerCase();
-    return label.includes("greptile") && isPendingCheck(check);
+    return label.includes("greptile") && isPendingCheck2(check);
   });
   if (pendingGreptile.length > 0) {
     return {
@@ -1353,7 +3613,7 @@ function evaluatePullRequestCiChecks(checks, repoName, prNumber, options = {}) {
     const label = (check.name || check.context || "").toLowerCase();
     return label.length > 0 && !label.includes("greptile");
   });
-  const pending = nonGreptileChecks.filter(isPendingCheck);
+  const pending = nonGreptileChecks.filter(isPendingCheck2);
   const mergeClean = (options.mergeStateStatus || "").toUpperCase() === "CLEAN";
   if (pending.length > 0 && !mergeClean) {
     return {
@@ -1436,7 +3696,7 @@ function filterActionableGithubGreptileThreads(threads) {
 }
 function resolvePrRepoRoot(projectRoot, prState) {
   const runtimeWorkspace = process.env.RIG_TASK_WORKSPACE?.trim();
-  if (prState.target === "monorepo" && runtimeWorkspace && existsSync(resolve(runtimeWorkspace, ".git"))) {
+  if (prState.target === "monorepo" && runtimeWorkspace && existsSync5(resolve5(runtimeWorkspace, ".git"))) {
     return runtimeWorkspace;
   }
   const paths = resolveHarnessPaths(projectRoot);
@@ -1447,10 +3707,10 @@ function isCommitAncestorOfPrHead(projectRoot, prState, reviewedCommit, headComm
     return false;
   }
   const repoRoot = resolvePrRepoRoot(projectRoot, prState);
-  return runCapture(["git", "-C", repoRoot, "merge-base", "--is-ancestor", reviewedCommit, headCommit], projectRoot).exitCode === 0;
+  return runCapture2(["git", "-C", repoRoot, "merge-base", "--is-ancestor", reviewedCommit, headCommit], projectRoot).exitCode === 0;
 }
 function summarizeComment(input) {
-  const text = stripHtml(input).replace(/\s+/g, " ").trim();
+  const text = mg().stripHtml(input).replace(/\s+/g, " ").trim();
   return text.length > 160 ? `${text.slice(0, 157)}...` : text;
 }
 function asGreptileInfrastructureWarning(reason) {
@@ -1465,7 +3725,12 @@ function isAiReviewApproved(input) {
   }
   return input.aiVerdict === "APPROVE" && input.aiReasons.length === 0;
 }
-var init_verifier = () => {};
+var mergeGateHolder = null;
+var init_verifier = __esm(() => {
+  init_git_ops();
+  init_task_data();
+  init_pr_merge_gate_cap();
+});
 
 // packages/bundle-default-lifecycle/src/control-plane/completion-verification.ts
 var exports_completion_verification = {};
@@ -1474,43 +3739,33 @@ __export(exports_completion_verification, {
   formatCompletionBlockedMessage: () => formatCompletionBlockedMessage,
   closeCompletedTaskSource: () => closeCompletedTaskSource
 });
-import { appendFileSync, existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync, writeFileSync as writeFileSync2 } from "fs";
-import { resolve as resolve2 } from "path";
-import { safePathSegment } from "@rig/shared/safe-identifiers";
+import { appendFileSync, existsSync as existsSync6, mkdirSync as mkdirSync3, readFileSync as readFileSync4, writeFileSync as writeFileSync3 } from "fs";
+import { resolve as resolve6 } from "path";
+import { safePathSegment as safePathSegment2 } from "@rig/core/safe-identifiers";
 import {
-  escapeRegExp,
+  escapeRegExp as escapeRegExp2,
   resolveBunCli,
   resolveBunCliInvocation,
   resolveTaskScopes,
   resolvePolicyContent
 } from "@rig/hook-kit";
-import { loadPolicy, seedPolicyFromContent } from "@rig/runtime/control-plane/runtime/guard";
-import { gitCommit, gitMergePr, gitOpenPr, readPrMetadata as readPrMetadata2, resolveTaskBranchRef } from "@rig/runtime/control-plane/native/git-ops";
-import { runStrictPrMergeGate } from "@rig/pr-review-plugin";
-import { strictMergeHeadShaFromGate } from "@rig/contracts";
-import { changedFilesForTask, pendingFilesForTask, taskArtifacts, taskValidate } from "@rig/runtime/control-plane/native/task-ops";
-import { currentTaskId } from "@rig/runtime/control-plane/native/task-state";
-import { resolveHarnessPaths as resolveHarnessPaths2, runCapture as runCapture2 } from "@rig/runtime/control-plane/native/utils";
-import { readSourceAwareTaskStatus } from "@rig/runtime/control-plane/tasks/source-aware-task-config-source";
-import {
-  buildTaskRunLifecycleComment,
-  updateConfiguredTaskSourceTask
-} from "@rig/runtime/control-plane/tasks/source-lifecycle";
-import { buildPluginHostContext } from "@rig/runtime/control-plane/plugin-host-context";
+import { runCapture as runCapture3 } from "@rig/core/exec";
+import { resolveHarnessPaths as resolveHarnessPaths2 } from "@rig/core/harness-paths";
+import { buildPluginHostContext as buildPluginHostContext2 } from "@rig/core/plugin-host-context";
 async function closeCompletedTaskSource(projectRoot, taskId) {
-  const comment = buildTaskRunLifecycleComment({
+  const comment = taskData().buildTaskRunLifecycleComment({
     runId: process.env.RIG_SERVER_RUN_ID || taskId,
     status: "closed",
     summary: "Rig completion verification approved and closed this task.",
-    runtimeWorkspace: process.env.RIG_TASK_WORKSPACE,
-    logsDir: process.env.RIG_LOGS_DIR,
-    sessionDir: process.env.RIG_SESSION_FILE
+    ...process.env.RIG_TASK_WORKSPACE !== undefined ? { runtimeWorkspace: process.env.RIG_TASK_WORKSPACE } : {},
+    ...process.env.RIG_LOGS_DIR !== undefined ? { logsDir: process.env.RIG_LOGS_DIR } : {},
+    ...process.env.RIG_SESSION_FILE !== undefined ? { sessionDir: process.env.RIG_SESSION_FILE } : {}
   });
-  const result = await updateConfiguredTaskSourceTask(projectRoot, {
+  const result = await taskData().updateConfiguredTaskSourceTask(projectRoot, {
     taskId,
     update: { status: "closed", comment }
   });
-  const status = result.status ?? await readSourceAwareTaskStatus(projectRoot, result.taskId);
+  const status = result.status ?? await taskData().readSourceAwareTaskStatus(projectRoot, result.taskId);
   if (!result.updated && status == null) {
     return {
       ok: true,
@@ -1530,7 +3785,7 @@ function isClosedStatus(status) {
 }
 async function runCompletionVerificationGate(projectRoot) {
   seedPolicyFromContent(resolvePolicyContent(projectRoot));
-  const taskId = currentTaskId(projectRoot);
+  const taskId = taskData().currentTaskId(projectRoot);
   if (!taskId) {
     return { ok: true };
   }
@@ -1539,7 +3794,7 @@ async function runCompletionVerificationGate(projectRoot) {
   let sourceCloseoutAllowed = false;
   console.log(`=== Completion Verification: ${taskId} ===`);
   const scopes = await resolveTaskScopes(projectRoot, taskId);
-  const taskChangedFiles = changedFilesForTask(projectRoot, taskId, true);
+  const taskChangedFiles = taskData().changedFilesForTask(projectRoot, taskId, true);
   const sourceInArtifacts = taskChangedFiles.filter((file) => /^artifacts\//.test(file) && /\.(ts|tsx|js|jsx|mjs|cjs)$/.test(file));
   if (sourceInArtifacts.length > 0) {
     console.log(`
@@ -1552,13 +3807,13 @@ async function runCompletionVerificationGate(projectRoot) {
     }
     failed = true;
   }
-  const pluginHostCtx = await buildPluginHostContext(projectRoot).catch((error) => {
+  const pluginHostCtx = await buildPluginHostContext2(projectRoot).catch((error) => {
     console.warn(`[completion-verification] plugin host unavailable for validators: ${error instanceof Error ? error.message : String(error)}`);
     return null;
   });
   console.log(`
 [1/3] Task validation...`);
-  if (!await taskValidate(projectRoot, taskId, pluginHostCtx?.validatorRegistry ?? undefined)) {
+  if (!await taskData().taskValidate(projectRoot, taskId, pluginHostCtx?.validatorRegistry ?? undefined)) {
     console.log(`FAIL: Validation failed for ${taskId}`);
     failed = true;
   } else {
@@ -1571,7 +3826,7 @@ async function runCompletionVerificationGate(projectRoot) {
       failed = true;
     }
   }
-  taskArtifacts(projectRoot, taskId);
+  taskData().taskArtifacts(projectRoot, taskId);
   const policy = loadPolicy(projectRoot);
   const openPrEnabled = policy.completion.checks.includes("open-pr");
   const autoMergeEnabled = policy.completion.checks.includes("auto-merge");
@@ -1598,7 +3853,7 @@ async function runCompletionVerificationGate(projectRoot) {
   } else {
     console.log("Verifier preflight: skipped (earlier checks failed)");
   }
-  const pendingTaskChangedFiles = pendingFilesForTask(projectRoot, taskId, true);
+  const pendingTaskChangedFiles = taskData().pendingFilesForTask(projectRoot, taskId, true);
   const hasLocalChanges = pendingTaskChangedFiles.length > 0;
   console.log(`
 [post] Auto-committing task changes...`);
@@ -1671,14 +3926,15 @@ async function runCompletionVerificationGate(projectRoot) {
     console.log(`
 [post] Auto-merge...`);
     try {
-      const prs = readPrMetadata2(projectRoot, taskId);
+      const prs = readPrMetadata(projectRoot, taskId);
       if (prs.length === 0) {
         console.log("Auto-merge: skipped (no PR metadata found)");
       } else {
+        const mergeGate = await resolvePrMergeGateService(projectRoot);
         let cycle = 0;
         for (const pr of prs) {
           cycle += 1;
-          const gate = await runStrictPrMergeGate({
+          const gate = await mergeGate.runGate({
             projectRoot,
             prUrl: pr.url,
             taskId,
@@ -1686,7 +3942,7 @@ async function runCompletionVerificationGate(projectRoot) {
             cycle,
             final: true,
             command: async (args, options) => {
-              const result = runCapture2(["gh", ...args], options?.cwd ?? projectRoot);
+              const result = runCapture3(["gh", ...args], options?.cwd ?? projectRoot);
               return { exitCode: result.exitCode, stdout: result.stdout, stderr: result.stderr };
             }
           });
@@ -1703,7 +3959,7 @@ async function runCompletionVerificationGate(projectRoot) {
             pr,
             method: "squash",
             deleteBranch: true,
-            matchHeadCommit: strictMergeHeadShaFromGate(gate, pr.url)
+            matchHeadCommit: mergeGate.resolveHeadSha({ result: gate, prUrl: pr.url })
           });
           if (mergeResult.status === "merged" || mergeResult.status === "already-merged") {
             console.log(`OK: PR merge confirmed (${pr.repoLabel}): ${pr.url}`);
@@ -1723,9 +3979,9 @@ async function runCompletionVerificationGate(projectRoot) {
     console.log(`
 [post] Auto-merge: skipped (not in policy completion.checks)`);
   }
-  const artifactDir = resolve2(paths.artifactsDir, safePathSegment(taskId, { fallback: "task", maxLength: 96 }));
-  mkdirSync2(artifactDir, { recursive: true });
-  writeFileSync2(resolve2(artifactDir, "review-status.txt"), failed ? `REJECTED
+  const artifactDir = resolve6(paths.artifactsDir, safePathSegment2(taskId, { fallback: "task", maxLength: 96 }));
+  mkdirSync3(artifactDir, { recursive: true });
+  writeFileSync3(resolve6(artifactDir, "review-status.txt"), failed ? `REJECTED
 ` : `APPROVED
 `, "utf-8");
   if (!failed) {
@@ -1775,8 +4031,8 @@ async function runBunTool(args, cwd) {
   };
 }
 async function runProtoQualityGate(monorepoRoot) {
-  const protosDir = resolve2(monorepoRoot, "packages", "protos");
-  if (!existsSync2(protosDir)) {
+  const protosDir = resolve6(monorepoRoot, "packages", "protos");
+  if (!existsSync6(protosDir)) {
     console.log(`FAIL: Proto workspace not found at ${protosDir}`);
     return false;
   }
@@ -1803,7 +4059,7 @@ async function runProtoQualityGate(monorepoRoot) {
     console.log(generate.stderr || generate.stdout);
     ok = false;
   } else {
-    const drift = runCapture2(["git", "-C", protosDir, "status", "--porcelain", "--", "gen/ts"], monorepoRoot);
+    const drift = runCapture3(["git", "-C", protosDir, "status", "--porcelain", "--", "gen/ts"], monorepoRoot);
     if (drift.exitCode !== 0) {
       console.log("FAIL: Could not inspect generated proto drift");
       console.log(drift.stderr || drift.stdout);
@@ -1824,12 +4080,12 @@ async function runProtoQualityGate(monorepoRoot) {
   } else {
     console.log("OK: Generated TypeScript compiles");
   }
-  const workflowPath = resolve2(monorepoRoot, ".github", "workflows", "pull-request-gate.yml");
-  if (!existsSync2(workflowPath)) {
+  const workflowPath = resolve6(monorepoRoot, ".github", "workflows", "pull-request-gate.yml");
+  if (!existsSync6(workflowPath)) {
     console.log(`FAIL: Missing workflow gate file at ${workflowPath}`);
     ok = false;
   } else {
-    const workflow = readFileSync(workflowPath, "utf-8");
+    const workflow = readFileSync4(workflowPath, "utf-8");
     if (workflow.includes("if: false && needs.detect.outputs.protos_changed == 'true'")) {
       console.log("FAIL: Proto quality CI gate is disabled in pull-request-gate.yml");
       ok = false;
@@ -1840,13 +4096,13 @@ async function runProtoQualityGate(monorepoRoot) {
   return ok;
 }
 function repoHasRemoteRelevantCommits(projectRoot, repoRoot) {
-  const unpushed = runCapture2(["git", "-C", repoRoot, "log", "@{u}..HEAD", "--oneline"], projectRoot);
+  const unpushed = runCapture3(["git", "-C", repoRoot, "log", "@{u}..HEAD", "--oneline"], projectRoot);
   if (unpushed.exitCode === 0 && unpushed.stdout.trim().length > 0)
     return true;
   if (unpushed.exitCode !== 0) {
-    const branch = runCapture2(["git", "-C", repoRoot, "rev-parse", "--abbrev-ref", "HEAD"], projectRoot);
+    const branch = runCapture3(["git", "-C", repoRoot, "rev-parse", "--abbrev-ref", "HEAD"], projectRoot);
     if (branch.exitCode === 0 && branch.stdout.trim()) {
-      const remote = runCapture2(["git", "-C", repoRoot, "ls-remote", "--exit-code", "origin", `refs/heads/${branch.stdout.trim()}`], projectRoot);
+      const remote = runCapture3(["git", "-C", repoRoot, "ls-remote", "--exit-code", "origin", `refs/heads/${branch.stdout.trim()}`], projectRoot);
       if (remote.exitCode !== 0)
         return true;
     }
@@ -1855,10 +4111,10 @@ function repoHasRemoteRelevantCommits(projectRoot, repoRoot) {
 }
 function repoHasPublishedTaskBranch(projectRoot, repoRoot, taskId) {
   const branchRef = resolveTaskBranchRef(projectRoot, taskId);
-  return runCapture2(["git", "-C", repoRoot, "ls-remote", "--exit-code", "origin", `refs/heads/${branchRef}`], projectRoot).exitCode === 0;
+  return runCapture3(["git", "-C", repoRoot, "ls-remote", "--exit-code", "origin", `refs/heads/${branchRef}`], projectRoot).exitCode === 0;
 }
 async function readJsonFileIfPresent(path) {
-  if (!existsSync2(path)) {
+  if (!existsSync6(path)) {
     return null;
   }
   try {
@@ -1869,9 +4125,9 @@ async function readJsonFileIfPresent(path) {
 }
 async function recordVerifierFailure(projectRoot, taskId, paths) {
   const failedApproachesPath = paths.failedApproachesPath;
-  const artifactDir = resolve2(paths.artifactsDir, safePathSegment(taskId, { fallback: "task", maxLength: 96 }));
-  const reviewStatePath = resolve2(artifactDir, "review-state.json");
-  const reviewFeedbackPath = resolve2(artifactDir, "review-feedback.md");
+  const artifactDir = resolve6(paths.artifactsDir, safePathSegment2(taskId, { fallback: "task", maxLength: 96 }));
+  const reviewStatePath = resolve6(artifactDir, "review-state.json");
+  const reviewFeedbackPath = resolve6(artifactDir, "review-feedback.md");
   let summary = "Verifier rejected completion. Read review-feedback.md for required fixes.";
   const parsedReviewState = await readJsonFileIfPresent(reviewStatePath);
   if (parsedReviewState) {
@@ -1881,12 +4137,12 @@ async function recordVerifierFailure(projectRoot, taskId, paths) {
     }
   }
   let attempts = 1;
-  if (existsSync2(failedApproachesPath)) {
-    const content = readFileSync(failedApproachesPath, "utf-8");
-    attempts = (content.match(new RegExp(`^## ${escapeRegExp(taskId)}\\b`, "gm")) || []).length + 1;
+  if (existsSync6(failedApproachesPath)) {
+    const content = readFileSync4(failedApproachesPath, "utf-8");
+    attempts = (content.match(new RegExp(`^## ${escapeRegExp2(taskId)}\\b`, "gm")) || []).length + 1;
   } else {
-    mkdirSync2(resolve2(failedApproachesPath, ".."), { recursive: true });
-    writeFileSync2(failedApproachesPath, `# Failed Approaches
+    mkdirSync3(resolve6(failedApproachesPath, ".."), { recursive: true });
+    writeFileSync3(failedApproachesPath, `# Failed Approaches
 
 `, "utf-8");
   }
@@ -1910,7 +4166,7 @@ async function recordTaskRepoCommits(projectRoot, taskId, paths) {
     statePaths.add(resolveHarnessPaths2(hostProjectRoot).taskRepoCommitsPath);
   }
   const repos = {};
-  const monoHead = runCapture2(["git", "-C", paths.monorepoRoot, "rev-parse", "HEAD"], projectRoot).stdout.trim();
+  const monoHead = runCapture3(["git", "-C", paths.monorepoRoot, "rev-parse", "HEAD"], projectRoot).stdout.trim();
   if (monoHead) {
     repos["monorepo"] = monoHead;
   }
@@ -1924,13 +4180,17 @@ async function recordTaskRepoCommits(projectRoot, taskId, paths) {
       recorded_at: new Date().toISOString(),
       repos
     };
-    mkdirSync2(resolve2(statePath, ".."), { recursive: true });
-    writeFileSync2(statePath, `${JSON.stringify(state, null, 2)}
+    mkdirSync3(resolve6(statePath, ".."), { recursive: true });
+    writeFileSync3(statePath, `${JSON.stringify(state, null, 2)}
 `, "utf-8");
   }
 }
 var init_completion_verification = __esm(() => {
+  init_policy();
+  init_git_ops();
+  init_pr_merge_gate_cap();
   init_verifier();
+  init_task_data();
 });
 
 // packages/bundle-default-lifecycle/src/control-plane/task-verify.ts
@@ -1938,9 +4198,8 @@ var exports_task_verify = {};
 __export(exports_task_verify, {
   taskVerify: () => taskVerify
 });
-import { currentTaskId as currentTaskId2 } from "@rig/runtime/control-plane/native/task-state";
 async function taskVerify(projectRoot, taskId) {
-  const activeTask = taskId || currentTaskId2(projectRoot);
+  const activeTask = taskId || taskData().currentTaskId(projectRoot);
   if (!activeTask) {
     throw new Error("No active task.");
   }
@@ -1965,19 +4224,24 @@ async function taskVerify(projectRoot, taskId) {
   return true;
 }
 var init_task_verify = __esm(() => {
+  init_task_data();
   init_verifier();
 });
 
 // packages/bundle-default-lifecycle/src/plugin.ts
 import { definePlugin } from "@rig/core/config";
+import { defineCapability as defineCapability4 } from "@rig/core/capability";
 import {
-  COMPLETION_VERIFICATION_CAPABILITY_ID,
-  TASK_VERIFY_CAPABILITY_ID
+  COMPLETION_VERIFICATION_CAPABILITY,
+  LIFECYCLE_GIT_AGENT,
+  LIFECYCLE_TOOLCHAIN_SOURCES,
+  RUN_CLOSEOUT_CAPABILITY,
+  TASK_VERIFY_CAPABILITY
 } from "@rig/contracts";
 
 // packages/bundle-default-lifecycle/src/defaultPipeline.ts
-import { resolveKernelStages } from "@rig/kernel/resolver";
-import { createDefaultKernelPlugin } from "@rig/kernel/default-kernel";
+import { createDefaultKernelPlugin } from "@rig/kernel-seed/default-kernel";
+import { resolveKernelStages } from "@rig/kernel-seed/resolver";
 
 // packages/bundle-default-lifecycle/src/stages/types.ts
 function defineDefaultLifecycleStage(input) {
@@ -1995,6 +4259,10 @@ var autoMergeStage = defineDefaultLifecycleStage({
   description: "Merge an approved PR using the repository default merge method through the runtime helper.",
   calls: ["runRepoDefaultMerge"]
 });
+async function runAutoMergeStage(input) {
+  const { runRepoDefaultMerge: runRepoDefaultMerge2 } = await Promise.resolve().then(() => (init_pr_automation(), exports_pr_automation));
+  await runRepoDefaultMerge2(input);
+}
 
 // packages/bundle-default-lifecycle/src/stages/commit.ts
 var commitStage = defineDefaultLifecycleStage({
@@ -2003,8 +4271,15 @@ var commitStage = defineDefaultLifecycleStage({
   description: "Commit the agent worktree changes using the runtime git closeout helper.",
   calls: ["commitRunChanges"]
 });
+async function runCommitStage(input) {
+  const { commitRunChanges: commitRunChanges2 } = await Promise.resolve().then(() => (init_pr_automation(), exports_pr_automation));
+  return await commitRunChanges2(input);
+}
 
 // packages/bundle-default-lifecycle/src/stages/isolation.ts
+import { ISOLATION_BACKEND } from "@rig/contracts";
+import { defineCapability as defineCapability2 } from "@rig/core/capability";
+import { requireCapabilityForRoot } from "@rig/core/capability-loaders";
 var isolationStage = defineDefaultLifecycleStage({
   id: "isolation",
   kind: "transform",
@@ -2027,6 +4302,23 @@ var mergeGateStage = defineDefaultLifecycleStage({
   description: "Enforce GitHub review state, required checks, and configured review gates through runtime PR automation.",
   calls: ["runStrictPrMergeGate"]
 });
+async function runMergeGateStage(input) {
+  const { resolvePrMergeGateService: resolvePrMergeGateService2 } = await Promise.resolve().then(() => (init_pr_merge_gate_cap(), exports_pr_merge_gate_cap));
+  const mergeGate = await resolvePrMergeGateService2(input.projectRoot);
+  return await mergeGate.runGate({
+    projectRoot: input.projectRoot,
+    prUrl: input.prUrl,
+    taskId: input.taskId,
+    runId: input.runId,
+    cycle: input.cycle,
+    command: input.command,
+    ...input.artifactRoot !== undefined ? { artifactRoot: input.artifactRoot } : {},
+    ...input.allowedFailures !== undefined ? { allowedFailures: input.allowedFailures } : {},
+    ...input.greptileApi !== undefined ? { greptileApi: input.greptileApi } : {},
+    ...input.final !== undefined ? { final: input.final } : {},
+    ...input.requireGreptile !== undefined ? { requireGreptile: input.requireGreptile } : {}
+  });
+}
 
 // packages/bundle-default-lifecycle/src/stages/open-pr.ts
 var openPrStage = defineDefaultLifecycleStage({
@@ -2035,6 +4327,24 @@ var openPrStage = defineDefaultLifecycleStage({
   description: "Open or reuse the closeout PR through the existing runtime PR automation seam.",
   calls: ["runPrAutomation"]
 });
+async function runOpenPrStage(input) {
+  const { runPrAutomation: runPrAutomation2 } = await Promise.resolve().then(() => (init_pr_automation(), exports_pr_automation));
+  return await runPrAutomation2({
+    projectRoot: input.workspace,
+    taskId: input.taskId,
+    runId: input.runId,
+    branch: input.branch,
+    sourceTask: input.sourceTask ? { title: typeof input.sourceTask.title === "string" ? input.sourceTask.title : null } : null,
+    command: input.command,
+    gitCommand: input.gitCommand,
+    steerPi: input.steerPi,
+    ...input.config ? { config: input.config } : {},
+    ...input.artifactRoot !== undefined ? { artifactRoot: input.artifactRoot } : {},
+    ...input.greptileApi !== undefined ? { greptileApi: input.greptileApi } : {},
+    ...input.lifecycle !== undefined ? { lifecycle: input.lifecycle } : {},
+    ...input.uploadedSnapshot !== undefined ? { uploadedSnapshot: input.uploadedSnapshot } : {}
+  });
+}
 
 // packages/bundle-default-lifecycle/src/stages/push.ts
 var pushStage = defineDefaultLifecycleStage({
@@ -2043,6 +4353,10 @@ var pushStage = defineDefaultLifecycleStage({
   description: "Synchronize and push the task branch using the runtime closeout git helper.",
   calls: ["pushBranchSyncedWithOrigin"]
 });
+async function runPushStage(input) {
+  const { pushBranchSyncedWithOrigin: pushBranchSyncedWithOrigin2 } = await Promise.resolve().then(() => (init_pr_automation(), exports_pr_automation));
+  await pushBranchSyncedWithOrigin2(input);
+}
 
 // packages/bundle-default-lifecycle/src/stages/source-closeout.ts
 var sourceCloseoutStage = defineDefaultLifecycleStage({
@@ -2051,6 +4365,19 @@ var sourceCloseoutStage = defineDefaultLifecycleStage({
   description: "Reflect the merged PR into the task source using the existing runtime closeout helper.",
   calls: ["closeIssueAfterMergedPr"]
 });
+async function runSourceCloseoutStage(input) {
+  if (input.pr.status !== "merged" || !input.pr.prUrl)
+    return;
+  const { closeIssueAfterMergedPr: closeIssueAfterMergedPr2 } = await Promise.resolve().then(() => (init_pr_automation(), exports_pr_automation));
+  await closeIssueAfterMergedPr2({
+    projectRoot: input.projectRoot,
+    taskId: input.taskId,
+    runId: input.runId,
+    prUrl: input.pr.prUrl,
+    updateTaskSource: input.updateTaskSource,
+    ...input.sourceTask !== undefined ? { sourceTask: input.sourceTask } : {}
+  });
+}
 
 // packages/bundle-default-lifecycle/src/stages/validate.ts
 var validateStage = defineDefaultLifecycleStage({
@@ -2059,6 +4386,9 @@ var validateStage = defineDefaultLifecycleStage({
   description: "Run plugin-host validators against the isolated worktree before closeout side effects.",
   calls: ["taskValidate"]
 });
+async function runValidateStage(input, runner) {
+  return await runner(input);
+}
 
 // packages/bundle-default-lifecycle/src/stages/verify.ts
 var verifyStage = defineDefaultLifecycleStage({
@@ -2237,7 +4567,306 @@ var defaultLifecycleCliCommands = [
   }
 ];
 
+// packages/bundle-default-lifecycle/src/pipelineCloseout.ts
+import { resolve } from "path";
+import { loadConfig } from "@rig/core/load-config";
+import { resolvePluginHost as resolvePluginHost2 } from "@rig/core/project-plugins";
+import { createDefaultKernel } from "@rig/kernel-seed/default-kernel";
+import { buildPluginHostContext } from "@rig/core/plugin-host-context";
+
+// packages/bundle-default-lifecycle/src/native/in-process-closeout.ts
+class CloseoutValidationError extends Error {
+  name = "CloseoutValidationError";
+}
+
+// packages/bundle-default-lifecycle/src/pipelineCloseout.ts
+init_task_data();
+function cleanString(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function closeoutOutcome(status) {
+  switch (status) {
+    case "completed":
+      return "completed";
+    case "failed":
+    case "needs-attention":
+      return "failed";
+    case "pending":
+    case "running":
+      return "started";
+  }
+}
+async function loadRigAutomationConfig(projectRoot) {
+  return await loadConfig(projectRoot);
+}
+async function runRigProjectValidation({ projectRoot, taskId }) {
+  const pluginHostCtx = await buildPluginHostContext(projectRoot);
+  return taskData().taskValidate(projectRoot, taskId, pluginHostCtx?.validatorRegistry ?? undefined);
+}
+function shouldAttemptRigMerge2(config) {
+  const mode = config.merge?.mode;
+  return mode !== "off" && mode !== "pr-ready";
+}
+async function loadPluginStageContributions(projectRoot) {
+  const { host } = await resolvePluginHost2(projectRoot);
+  return { executors: host.listStageExecutors(), mutations: host.listStageMutations() };
+}
+async function runPipelineCloseout(input) {
+  const taskId = cleanString(input.taskId);
+  if (!taskId) {
+    throw new Error("Pipeline closeout requires a task id.");
+  }
+  const loadedConfig = input.config ?? await loadRigAutomationConfig(input.projectRoot);
+  const prMode = loadedConfig?.pr?.mode ?? "off";
+  const reviewProvider = loadedConfig?.review?.provider ?? "github";
+  const effectiveConfig = {
+    ...loadedConfig ?? {},
+    pr: { ...loadedConfig?.pr ?? {}, mode: prMode },
+    review: { ...loadedConfig?.review ?? {}, provider: reviewProvider }
+  };
+  const openOnlyConfig = {
+    ...effectiveConfig,
+    merge: { ...effectiveConfig.merge ?? {}, mode: "pr-ready" }
+  };
+  const shouldMerge = shouldAttemptRigMerge2(effectiveConfig);
+  const workspace = input.workspace;
+  const artifactRoot = input.artifactRoot ?? resolve(input.projectRoot, "artifacts", taskId);
+  const journal = async (phase, status, detail) => {
+    await input.journalPhase(phase, closeoutOutcome(status), detail ?? null);
+  };
+  if (prMode === "off" || prMode === "ask") {
+    const reason = prMode === "ask" ? "PR creation awaits operator approval." : "PR automation disabled.";
+    await input.reflect("under_review", reason);
+    await journal("completed", "completed", reason);
+    return {
+      mode: "pipeline",
+      pipelineStageIds: [...resolveDefaultLifecycle().order],
+      result: { status: "skipped", iterations: 0, feedback: [] }
+    };
+  }
+  const state = {
+    branch: input.branch,
+    validationPassed: false,
+    committed: false,
+    pushed: false,
+    prUrl: null,
+    prReady: false,
+    pr: null,
+    gate: null,
+    mergeGate: null,
+    merged: false,
+    iterations: 0,
+    feedback: [],
+    blockedDetail: null
+  };
+  const cont = (ctx2) => ({ kind: "continue", ctx: ctx2 });
+  const executors = {
+    isolation: (ctx2) => cont(ctx2),
+    validate: async (ctx2) => {
+      await input.onValidationStart?.();
+      await journal("queued", "running", `Validating task ${taskId} before closeout.`);
+      let passed = false;
+      try {
+        passed = await runValidateStage({ projectRoot: input.projectRoot, taskId }, input.runValidation ?? runRigProjectValidation);
+      } catch (error) {
+        const detail = `Rig validation failed before closeout: ${error instanceof Error ? error.message : String(error)}`;
+        await input.reflect("needs_attention", "Rig validation failed before closeout; commit/push/PR automation is blocked.", { errorText: detail });
+        throw new CloseoutValidationError(detail);
+      }
+      if (!passed) {
+        const detail = `Rig validation failed for task ${taskId}; closeout blocked before commit.`;
+        await input.reflect("needs_attention", "Rig validation failed before closeout; commit/push/PR automation is blocked.", { errorText: detail });
+        throw new CloseoutValidationError(detail);
+      }
+      state.validationPassed = true;
+      await journal("queued", "completed", `Validation passed for task ${taskId}.`);
+      const workspaceBranch = await input.gitCommand(["rev-parse", "--abbrev-ref", "HEAD"], { cwd: workspace });
+      const currentWorkspaceBranch = workspaceBranch.exitCode === 0 ? cleanString(workspaceBranch.stdout) : null;
+      if (currentWorkspaceBranch && currentWorkspaceBranch !== "HEAD" && currentWorkspaceBranch !== state.branch) {
+        state.branch = currentWorkspaceBranch;
+      }
+      return cont(ctx2);
+    },
+    verify: () => state.validationPassed ? { kind: "allow" } : { kind: "block", reason: "validation did not pass" },
+    commit: async (ctx2) => {
+      await journal("commit", "running", `Committing changes in ${workspace}.`);
+      const committed = await runCommitStage({ cwd: workspace, message: `rig: complete task ${taskId}`, command: input.gitCommand });
+      state.committed = committed.committed;
+      return cont(ctx2);
+    },
+    push: async (ctx2) => {
+      await journal("push", "running", `Pushing branch ${state.branch}.`);
+      await runPushStage({ projectRoot: workspace, branch: state.branch, gitCommand: input.gitCommand });
+      state.pushed = true;
+      return cont(ctx2);
+    },
+    "open-pr": async (ctx2) => {
+      await journal("pr-review-merge", "running", `Opening a pull request for ${state.branch}.`);
+      const pr = await runOpenPrStage({
+        ...input,
+        taskId,
+        branch: state.branch,
+        artifactRoot,
+        config: openOnlyConfig,
+        sourceTask: { title: cleanString(input.sourceTask?.title) },
+        lifecycle: {
+          onPrOpened: async ({ prUrl }) => {
+            await journal("pr-opened", "running", prUrl);
+            await input.reflect("under_review", "Rig opened a pull request for this task.");
+          },
+          onFeedback: async ({ feedback }) => {
+            await input.reflect("ci_fixing", "Rig is fixing CI/review feedback for this task.", { errorText: feedback.join(`
+`) || null });
+          }
+        }
+      });
+      state.pr = pr;
+      state.prUrl = pr.prUrl ?? null;
+      state.prReady = pr.status === "opened" || pr.status === "merged";
+      state.iterations = pr.iterations;
+      state.feedback = [...pr.actionableFeedback];
+      if (pr.status === "needs_attention") {
+        state.blockedDetail = pr.actionableFeedback.join(`
+`) || "PR automation did not produce a mergeable PR.";
+      }
+      return cont(ctx2);
+    },
+    "merge-gate": async (ctx2) => {
+      if (!shouldMerge || !state.prReady || !state.prUrl) {
+        state.mergeGate = state.prReady ? "skipped" : null;
+        return state.prReady ? cont(ctx2) : { kind: "block", reason: state.blockedDetail ?? "no mergeable PR to gate" };
+      }
+      const gate = await runMergeGateStage({
+        projectRoot: workspace,
+        prUrl: state.prUrl,
+        taskId,
+        runId: input.runId,
+        cycle: 1,
+        command: input.command,
+        artifactRoot,
+        final: true,
+        ...effectiveConfig.merge?.allowedFailures ? { allowedFailures: effectiveConfig.merge.allowedFailures } : {},
+        ...input.greptileApi !== undefined ? { greptileApi: input.greptileApi } : {},
+        requireGreptile: reviewProvider === "greptile"
+      });
+      state.gate = gate;
+      if (gate.approved) {
+        state.mergeGate = "passed";
+        return cont(ctx2);
+      }
+      state.mergeGate = "blocked";
+      const detail = gate.actionableFeedback.join(`
+`) || gate.reasons.join("; ") || "merge gate blocked the PR.";
+      state.blockedDetail = detail;
+      await input.reflect("needs_attention", "Rig needs operator attention before this task can merge.", { errorText: detail });
+      await journal("pr-review-merge", "needs-attention", detail);
+      return { kind: "block", reason: detail };
+    },
+    "auto-merge": async (ctx2) => {
+      if (!shouldMerge || state.mergeGate !== "passed" || !state.prUrl || !state.gate) {
+        return cont(ctx2);
+      }
+      await journal("merge", "running", state.prUrl);
+      await input.reflect("merging", "Rig is merging the pull request for this task.");
+      await runAutoMergeStage({ prUrl: state.prUrl, config: effectiveConfig, command: input.command, cwd: workspace, strictGate: state.gate });
+      state.merged = true;
+      return cont(ctx2);
+    },
+    "source-closeout": async (ctx2) => {
+      if (!state.merged || !state.prUrl)
+        return cont(ctx2);
+      await journal("close-source", "running", state.prUrl);
+      const mergedPr = { ...state.pr ?? { iterations: state.iterations, actionableFeedback: state.feedback }, status: "merged", prUrl: state.prUrl, merged: true };
+      await runSourceCloseoutStage({
+        projectRoot: input.projectRoot,
+        taskId,
+        runId: input.runId,
+        pr: mergedPr,
+        ...input.sourceTask !== undefined ? { sourceTask: input.sourceTask } : {},
+        updateTaskSource: async () => {
+          await input.reflect("closed", "Rig merged the pull request and closed this task source.");
+          return { updated: true, taskId, status: "closed", source: "runtime", sourceKind: "runtime" };
+        }
+      });
+      return cont(ctx2);
+    },
+    "journal-append": (ctx2) => cont(ctx2)
+  };
+  const defaultLifecyclePlugin = createDefaultLifecyclePlugin(executors);
+  const pluginStages = await loadPluginStageContributions(input.projectRoot);
+  const kernel = createDefaultKernel({ ...input.kernelJournal ? { journal: input.kernelJournal } : {}, stageExecutors: { ...executors, ...pluginStages.executors } });
+  const resolved = kernel.stageRunner.resolve(defaultLifecyclePlugin.contributes?.stages ?? [], pluginStages.mutations);
+  const ctx = {
+    runId: input.runId,
+    taskId,
+    state,
+    metadata: { projectRoot: input.projectRoot, workspace, closeoutState: state }
+  };
+  await kernel.stageRunner.runPipeline(input.runId, resolved, ctx);
+  const result = mapStateToResult(state);
+  if (result.status === "merged" || result.status === "opened") {
+    await journal("completed", "completed", result.prUrl ? `${result.status === "merged" ? "PR merged and issue closed" : "PR ready without merge"}: ${result.prUrl}` : result.status);
+  }
+  return { mode: "pipeline", pipelineStageIds: [...resolved.order], result };
+}
+function mapStateToResult(state) {
+  if (state.merged && state.prUrl) {
+    return { status: "merged", prUrl: state.prUrl, iterations: state.iterations, feedback: state.feedback };
+  }
+  if (state.mergeGate === "blocked" || state.blockedDetail) {
+    return {
+      status: "needs-attention",
+      ...state.prUrl ? { prUrl: state.prUrl } : {},
+      iterations: state.iterations,
+      feedback: state.feedback
+    };
+  }
+  if (state.prReady && state.prUrl) {
+    return { status: "opened", prUrl: state.prUrl, iterations: state.iterations, feedback: state.feedback };
+  }
+  return { status: "needs-attention", ...state.prUrl ? { prUrl: state.prUrl } : {}, iterations: state.iterations, feedback: state.feedback };
+}
+
+// packages/bundle-default-lifecycle/src/native/closeout-runners.ts
+init_github_auth_env();
+function commandEnv(env) {
+  const token = resolveGitHubAuthToken(env);
+  return token ? { ...env, RIG_GITHUB_TOKEN: token, GH_TOKEN: token, GITHUB_TOKEN: token } : { ...env };
+}
+function createBunCommandRunner(binary, env) {
+  return async (args, options) => {
+    try {
+      const child = Bun.spawn([binary, ...args], {
+        ...options?.cwd !== undefined ? { cwd: options.cwd } : {},
+        env: commandEnv(env),
+        stdin: "ignore",
+        stdout: "pipe",
+        stderr: "pipe"
+      });
+      const [exitCode, stdout, stderr] = await Promise.all([
+        child.exited,
+        new Response(child.stdout).text(),
+        new Response(child.stderr).text()
+      ]);
+      return { exitCode, stdout, stderr };
+    } catch (error) {
+      return {
+        exitCode: 1,
+        stdout: "",
+        stderr: error instanceof Error ? error.message : String(error)
+      };
+    }
+  };
+}
+function createEnvCloseoutRunners(env = process.env) {
+  return {
+    command: createBunCommandRunner("gh", env),
+    gitCommand: createBunCommandRunner("git", env)
+  };
+}
+
 // packages/bundle-default-lifecycle/src/plugin.ts
+init_git_ops();
 var DEFAULT_LIFECYCLE_PLUGIN_ID = "@rig/bundle-default-lifecycle";
 var COMPLETION_VERIFICATION_HOOK_ID = "@rig/bundle-default-lifecycle:completion-verification";
 async function runCompletionGate(projectRoot) {
@@ -2261,26 +4890,85 @@ var LIFECYCLE_HOOKS = [
     handler: completionVerificationStopHandler
   }
 ];
+var TaskVerifyCap = defineCapability4(TASK_VERIFY_CAPABILITY);
+var CompletionVerificationCap = defineCapability4(COMPLETION_VERIFICATION_CAPABILITY);
+var RunCloseoutCap = defineCapability4(RUN_CLOSEOUT_CAPABILITY);
+var LifecycleGitAgentCap = defineCapability4(LIFECYCLE_GIT_AGENT);
+var ToolchainSourcesCap = defineCapability4(LIFECYCLE_TOOLCHAIN_SOURCES);
+var LIFECYCLE_TOOLCHAIN_SOURCE_CONTRIBUTION = {
+  hookBinaries: [
+    {
+      name: "inject-context",
+      source: "packages/bundle-default-lifecycle/src/control-plane/hooks/inject-context.ts"
+    },
+    {
+      name: "task-runtime-start",
+      source: "packages/bundle-default-lifecycle/src/control-plane/hooks/task-runtime-start.ts"
+    }
+  ]
+};
 var LIFECYCLE_CAPABILITIES = [
   { id: "default-lifecycle.pipeline", title: "Default lifecycle pipeline", commandId: DEFAULT_PIPELINE_CLI_ID },
   { id: "default-lifecycle.kernel-status", title: "Default kernel status", commandId: DEFAULT_KERNEL_CLI_ID },
-  {
-    id: TASK_VERIFY_CAPABILITY_ID,
+  TaskVerifyCap.provide(() => async (input) => {
+    const { taskVerify: taskVerify2 } = await Promise.resolve().then(() => (init_task_verify(), exports_task_verify));
+    return taskVerify2(input.projectRoot, input.taskId);
+  }, {
     title: "Task verification",
-    description: "Verify a task's changes (local checks + AI review) and report approval.",
-    run: async (input) => {
-      const { projectRoot, taskId } = input;
-      const { taskVerify: taskVerify2 } = await Promise.resolve().then(() => (init_task_verify(), exports_task_verify));
-      return taskVerify2(projectRoot, taskId);
+    description: "Verify a task's changes (local checks + AI review) and report approval."
+  }),
+  CompletionVerificationCap.provide(() => async (input) => runCompletionGate(input.projectRoot), {
+    title: "Completion verification gate",
+    description: "Run the full completion gate for the active task and report whether it passed."
+  }),
+  RunCloseoutCap.provide(() => async (input) => {
+    const closeout = await runPipelineCloseout({ ...input, ...createEnvCloseoutRunners(process.env) });
+    return closeout.result;
+  }, {
+    title: "Run closeout",
+    description: "Run the default lifecycle closeout driver for a completed OMP run."
+  }),
+  LifecycleGitAgentCap.provide(() => ({
+    shouldScopeGitCommit,
+    gitStatus,
+    gitChanged,
+    gitPreflight,
+    gitSyncBranch,
+    gitCommit,
+    gitSnapshot,
+    gitOpenPr
+  }), {
+    title: "Lifecycle git agent commands",
+    description: "Task-aware git helpers used by the provider-owned rig-agent command surface."
+  }),
+  ToolchainSourcesCap.provide(() => LIFECYCLE_TOOLCHAIN_SOURCE_CONTRIBUTION, {
+    title: "Lifecycle toolchain sources",
+    description: "Source paths for the lifecycle control-plane hook binaries (inject-context, task-runtime-start), compiled by the isolation runtime toolchain."
+  })
+];
+async function runLifecycleHookRunner(hookId, role) {
+  process.env.RIG_HOOK_ROLE = role;
+  const { main } = await import("@rig/core/hook-runner");
+  await main(["--plugin", DEFAULT_LIFECYCLE_PLUGIN_ID, "--hook", hookId]);
+}
+var LIFECYCLE_SEED_ENTRYPOINTS = [
+  {
+    id: `${DEFAULT_LIFECYCLE_PLUGIN_ID}:completion-verification-entrypoint`,
+    basename: "completion-verification",
+    run: ({ basename }) => runLifecycleHookRunner(COMPLETION_VERIFICATION_HOOK_ID, basename ?? "completion-verification")
+  },
+  {
+    id: `${DEFAULT_LIFECYCLE_PLUGIN_ID}:inject-context-entrypoint`,
+    basename: "inject-context",
+    run: async () => {
+      await import("@rig/bundle-default-lifecycle/control-plane/hooks/inject-context");
     }
   },
   {
-    id: COMPLETION_VERIFICATION_CAPABILITY_ID,
-    title: "Completion verification gate",
-    description: "Run the full completion gate for the active task and report whether it passed.",
-    run: async (input) => {
-      const { projectRoot } = input;
-      return runCompletionGate(projectRoot);
+    id: `${DEFAULT_LIFECYCLE_PLUGIN_ID}:task-runtime-start-entrypoint`,
+    basename: "task-runtime-start",
+    run: async () => {
+      await import("@rig/bundle-default-lifecycle/control-plane/hooks/task-runtime-start");
     }
   }
 ];
@@ -2290,10 +4978,20 @@ function createDefaultLifecyclePlugin(stages = {}) {
     version: "0.0.0-alpha.1",
     provides: [],
     contributes: {
-      stages: defaultLifecycleStages.map((stage) => stages[stage.id] ? { ...stage, run: stages[stage.id] } : stage),
+      stages: defaultLifecycleStages.map((stage) => {
+        const run = Object.prototype.hasOwnProperty.call(stages, stage.id) ? stages[stage.id] : undefined;
+        return run ? { ...stage, run } : stage;
+      }),
       hooks: LIFECYCLE_HOOKS,
       capabilities: LIFECYCLE_CAPABILITIES,
-      cliCommands: defaultLifecycleCliCommands
+      cliCommands: defaultLifecycleCliCommands,
+      seedEntrypoints: LIFECYCLE_SEED_ENTRYPOINTS,
+      config: {
+        defaults: () => ({
+          merge: { mode: "auto", method: "repo-default", deleteBranch: "repo-default", bypass: false },
+          automation: { maxValidationAttempts: 30, maxPrFixIterations: 100500 }
+        })
+      }
     }
   });
 }