@h-rig/bundle-default-lifecycle 0.0.6-alpha.157 → 0.0.6-alpha.158

package/dist/src/index.js

@@ -16,6 +16,23 @@ var __export = (target, all) => {
 var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
 var __require = import.meta.require;
 
+// packages/bundle-default-lifecycle/src/control-plane/pr-merge-gate-cap.ts
+var exports_pr_merge_gate_cap = {};
+__export(exports_pr_merge_gate_cap, {
+  resolvePrMergeGateService: () => resolvePrMergeGateService
+});
+import { PR_MERGE_GATE } from "@rig/contracts";
+import { defineCapability } from "@rig/core/capability";
+import { resolvePluginHost } from "@rig/core/project-plugins";
+async function resolvePrMergeGateService(projectRoot) {
+  const { host } = await resolvePluginHost(projectRoot);
+  return PrMergeGateCap.require(host);
+}
+var PrMergeGateCap;
+var init_pr_merge_gate_cap = __esm(() => {
+  PrMergeGateCap = defineCapability(PR_MERGE_GATE);
+});
+
 // packages/bundle-default-lifecycle/src/control-plane/pr-automation.ts
 var exports_pr_automation = {};
 __export(exports_pr_automation, {
@@ -33,11 +50,7 @@ __export(exports_pr_automation, {
   buildPrAutomationBody: () => buildPrAutomationBody,
   UPLOADED_SNAPSHOT_PR_MARKER: () => UPLOADED_SNAPSHOT_PR_MARKER
 });
-import { assertSafeGitBranchName } from "@rig/shared/safe-identifiers";
-import { runStrictPrMergeGate } from "@rig/pr-review-plugin";
-import {
-  strictMergeHeadShaFromGate
-} from "@rig/contracts";
+import { assertSafeGitBranchName } from "@rig/core/safe-identifiers";
 function positiveInt(value, fallback) {
   return typeof value === "number" && Number.isFinite(value) && value > 0 ? Math.floor(value) : fallback;
 }
@@ -340,7 +353,7 @@ async function commitRunChanges(input) {
 async function closeIssueAfterMergedPr(input) {
   await input.updateTaskSource(input.projectRoot, {
     taskId: input.taskId,
-    sourceTask: input.sourceTask,
+    ...input.sourceTask !== undefined ? { sourceTask: input.sourceTask } : {},
     update: {
       status: "closed",
       comment: [
@@ -386,11 +399,12 @@ async function runRepoDefaultMerge(input) {
   if (merge.mode === "off")
     return;
   const requireGreptile = (input.config?.review?.provider ?? "greptile") === "greptile";
-  const matchHeadSha = strictMergeHeadShaFromGate(input.strictGate, input.prUrl, requireGreptile);
+  const mergeGate = await resolvePrMergeGateService(input.projectRoot ?? input.cwd ?? process.cwd());
+  const matchHeadSha = mergeGate.resolveHeadSha({ result: input.strictGate, prUrl: input.prUrl, requireGreptile });
   const method = merge.method ?? "repo-default";
   const args = ["pr", "merge", input.prUrl];
   if (method === "repo-default") {
-    args.push(await resolveRepoDefaultMergeFlag({ prUrl: input.prUrl, command: input.command, cwd: input.cwd }));
+    args.push(await resolveRepoDefaultMergeFlag({ prUrl: input.prUrl, command: input.command, ...input.cwd !== undefined ? { cwd: input.cwd } : {} }));
   } else {
     args.push(`--${method}`);
   }
@@ -467,6 +481,7 @@ async function syncBranchAfterPrFeedback(input) {
 }
 async function runPrAutomation(input) {
   const branch = assertSafeGitBranchName(input.branch, "PR branch");
+  const mergeGate = await resolvePrMergeGateService(input.projectRoot);
   const prConfig = input.config?.pr ?? {};
   const requireGreptile = (input.config?.review?.provider ?? "greptile") === "greptile";
   if (prConfig.mode === "off" || prConfig.mode === "ask") {
@@ -476,7 +491,7 @@ async function runPrAutomation(input) {
     taskId: input.taskId,
     runId: input.runId,
     summary: input.sourceTask?.title ? `Rig completed: ${input.sourceTask.title}` : null,
-    uploadedSnapshot: input.uploadedSnapshot
+    ...input.uploadedSnapshot !== undefined ? { uploadedSnapshot: input.uploadedSnapshot } : {}
   });
   if (input.gitCommand) {
     await pushBranchSyncedWithOrigin({ projectRoot: input.projectRoot, branch, gitCommand: input.gitCommand });
@@ -548,16 +563,16 @@ ${createResult.stdout ?? ""}`) : null;
       await syncBranchAfterPrFeedback({ projectRoot: input.projectRoot, taskId: input.taskId, branch, gitCommand: input.gitCommand });
       continue;
     }
-    const gate = await runStrictPrMergeGate({
+    const gate = await mergeGate.runGate({
       projectRoot: input.projectRoot,
       prUrl,
       taskId: input.taskId,
       runId: input.runId,
       cycle: iteration,
       command: input.command,
-      artifactRoot: input.artifactRoot,
+      ...input.artifactRoot !== undefined ? { artifactRoot: input.artifactRoot } : {},
       allowedFailures: input.config?.merge?.allowedFailures ?? [],
-      greptileApi: requireGreptile ? input.greptileApi : undefined,
+      ...requireGreptile && input.greptileApi ? { greptileApi: input.greptileApi } : {},
       requireGreptile
     });
     latestFeedback = [...gate.actionableFeedback];
@@ -587,22 +602,22 @@ ${createResult.stdout ?? ""}`) : null;
     }
     if (gate.approved) {
       pendingElapsedMs = 0;
-      const finalGate = await runStrictPrMergeGate({
+      const finalGate = await mergeGate.runGate({
         projectRoot: input.projectRoot,
         prUrl,
         taskId: input.taskId,
         runId: input.runId,
         cycle: iteration,
         command: input.command,
-        artifactRoot: input.artifactRoot,
+        ...input.artifactRoot !== undefined ? { artifactRoot: input.artifactRoot } : {},
         allowedFailures: input.config?.merge?.allowedFailures ?? [],
-        greptileApi: requireGreptile ? input.greptileApi : undefined,
+        ...requireGreptile && input.greptileApi ? { greptileApi: input.greptileApi } : {},
         requireGreptile,
         final: true
       });
       if (finalGate.approved) {
         await input.lifecycle?.onMergeStarted?.({ prUrl });
-        await runRepoDefaultMerge({ prUrl, config: input.config, command: input.command, cwd: input.projectRoot, strictGate: finalGate });
+        await runRepoDefaultMerge({ prUrl, ...input.config !== undefined ? { config: input.config } : {}, command: input.command, cwd: input.projectRoot, strictGate: finalGate });
         await input.lifecycle?.onMerged?.({ prUrl });
         return { status: "merged", prUrl, iterations: iteration, actionableFeedback: [], merged: true };
       }
@@ -649,6 +664,7 @@ ${createResult.stdout ?? ""}`) : null;
 }
 var UPLOADED_SNAPSHOT_PR_MARKER = "<!-- rig:uploaded-snapshot -->", RIG_RUNTIME_COMMIT_EXCLUDES, GREPTILE_REREVIEW_MARKER_PREFIX = "rig:greptile-rereview";
 var init_pr_automation = __esm(() => {
+  init_pr_merge_gate_cap();
   RIG_RUNTIME_COMMIT_EXCLUDES = [
     ".rig",
     "artifacts",
@@ -656,31 +672,1631 @@ var init_pr_automation = __esm(() => {
   ];
 });
 
-// packages/bundle-default-lifecycle/src/control-plane/verifier.ts
-import { existsSync as existsSync2, mkdirSync, writeFileSync } from "fs";
-import { resolve as resolve2 } from "path";
-import { resolveRuntimeSecrets } from "@rig/runtime/control-plane/runtime/baked-secrets";
-import { readPrMetadata } from "@rig/runtime/control-plane/native/git-ops";
-import { loadRuntimeContextFromEnv } from "@rig/runtime/control-plane/runtime/context";
-import { readConfiguredTaskSourceTask } from "@rig/runtime/control-plane/tasks/source-lifecycle";
-import { artifactDirForId, lookupTask, readTaskConfig } from "@rig/runtime/control-plane/native/task-state";
-import { nowIso, resolveHarnessPaths, runCapture } from "@rig/runtime/control-plane/native/utils";
+// packages/bundle-default-lifecycle/src/control-plane/task-data.ts
+import { TASK_DATA_SERVICE_CAPABILITY } from "@rig/contracts";
+import { defineCapability as defineCapability3 } from "@rig/core/capability";
+import { requireInstalledCapability } from "@rig/core/capability-loaders";
+function taskData() {
+  return requireInstalledCapability(TaskDataCap, "task-data capability unavailable: load @rig/task-sources-plugin (default bundle) before running the lifecycle.");
+}
+var TaskDataCap;
+var init_task_data = __esm(() => {
+  TaskDataCap = defineCapability3(TASK_DATA_SERVICE_CAPABILITY);
+});
+
+// packages/bundle-default-lifecycle/src/native/github-auth-env.ts
+import { existsSync, readFileSync } from "fs";
+function cleanToken(value) {
+  const trimmed = value?.trim() ?? "";
+  return trimmed.length > 0 ? trimmed : null;
+}
+function authStateToken(env = process.env) {
+  const file = env.RIG_GITHUB_AUTH_STATE_FILE?.trim();
+  if (!file || !existsSync(file))
+    return null;
+  try {
+    const parsed = JSON.parse(readFileSync(file, "utf8"));
+    return cleanToken(typeof parsed.token === "string" ? parsed.token : undefined);
+  } catch {
+    return null;
+  }
+}
+function resolveGitHubAuthToken(env = process.env) {
+  return cleanToken(env.RIG_GITHUB_TOKEN) ?? cleanToken(env.GH_TOKEN) ?? cleanToken(env.GITHUB_TOKEN) ?? authStateToken(env);
+}
+var init_github_auth_env = () => {};
+
+// packages/bundle-default-lifecycle/src/native/host-git.ts
+import { existsSync as existsSync2 } from "fs";
+import { resolve } from "path";
+function isRuntimeGatewayGitPath(candidate) {
+  return /\/\.rig\/bin\/git$/.test(candidate.replace(/\\/g, "/"));
+}
+function isRuntimeGatewayGhPath(candidate) {
+  return /\/\.rig\/bin\/gh$/.test(candidate.replace(/\\/g, "/"));
+}
+function resolveHostGitBinary() {
+  const candidates = [
+    process.env.RIG_GIT_BIN?.trim() || "",
+    "/usr/bin/git",
+    "/opt/homebrew/bin/git",
+    "/usr/local/bin/git"
+  ];
+  const bunResolved = Bun.which("git");
+  if (bunResolved && !isRuntimeGatewayGitPath(bunResolved)) {
+    candidates.push(bunResolved);
+  }
+  for (const candidate of candidates) {
+    if (!candidate || isRuntimeGatewayGitPath(candidate)) {
+      continue;
+    }
+    if (existsSync2(candidate)) {
+      return candidate;
+    }
+  }
+  return "git";
+}
+function resolveGithubCliBinary(options = {}) {
+  const candidates = new Set;
+  const explicit = process.env.RIG_GH_BIN?.trim();
+  if (explicit) {
+    candidates.add(explicit);
+  }
+  for (const candidate of ["/usr/bin/gh", "/opt/homebrew/bin/gh", "/usr/local/bin/gh"]) {
+    candidates.add(candidate);
+  }
+  if (options.scanPath) {
+    for (const entry of (process.env.PATH || "").split(":").map((e) => e.trim()).filter(Boolean)) {
+      candidates.add(resolve(entry, "gh"));
+    }
+  }
+  const bunResolved = Bun.which("gh");
+  if (bunResolved) {
+    candidates.add(bunResolved);
+  }
+  for (const candidate of candidates) {
+    if (candidate && existsSync2(candidate) && !isRuntimeGatewayGhPath(candidate)) {
+      return candidate;
+    }
+  }
+  return "";
+}
+var init_host_git = () => {};
+
+// packages/bundle-default-lifecycle/src/control-plane/native/git-ops.ts
+import { existsSync as existsSync3, lstatSync, mkdirSync, readFileSync as readFileSync2, unlinkSync, writeFileSync } from "fs";
+import { tmpdir } from "os";
+import { dirname, isAbsolute, resolve as resolve2 } from "path";
+import { fileURLToPath } from "url";
+import { loadDotEnvSecrets, resolveRuntimeSecrets } from "@rig/core/baked-secrets";
+import { loadRuntimeContext, loadRuntimeContextFromEnv } from "@rig/core/runtime-context";
+import { nowIso, runCapture as baseRunCapture } from "@rig/core/exec";
+import { resolveCheckoutRoot as resolveMonorepoRoot } from "@rig/core/checkout-root";
+import { getScopeRules } from "@rig/core/scope-rules";
+import { safePathSegment } from "@rig/core/safe-identifiers";
+function resolveOptionalMonorepoRoot(projectRoot) {
+  const runtimeWorkspace = process.env.RIG_TASK_WORKSPACE?.trim();
+  if (runtimeWorkspace && existsSync3(resolve2(runtimeWorkspace, ".git"))) {
+    return resolve2(runtimeWorkspace);
+  }
+  try {
+    return resolveMonorepoRoot(projectRoot);
+  } catch {
+    return null;
+  }
+}
+function escapeRegExp(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function safeCurrentTaskId(projectRoot) {
+  try {
+    const taskId = taskData().currentTaskId(projectRoot);
+    return /^bd-[a-z0-9-]+$/.test(taskId) ? taskId : "";
+  } catch {
+    return "";
+  }
+}
+function gitCmd(projectRoot, repoRoot, ...args) {
+  return [resolveHostGitBinary(), "-C", repoRoot, ...args];
+}
+function shouldScopeGitCommit(args, hasTaskContext) {
+  if (!hasTaskContext) {
+    return false;
+  }
+  return args.includes("--scoped");
+}
+function gitStatus(projectRoot, taskId) {
+  const monorepoRoot = resolveOptionalMonorepoRoot(projectRoot);
+  const resolvedTask = taskId || safeCurrentTaskId(projectRoot);
+  const expected = resolvedTask ? `rig/${resolveTaskBranchId(projectRoot, resolvedTask)}` : "";
+  console.log("=== Git Flow Status ===");
+  if (resolvedTask) {
+    console.log(`Task: ${resolvedTask}`);
+    console.log(`Expected monorepo branch: ${expected}`);
+  } else {
+    console.log("Task: (none active)");
+  }
+  console.log("");
+  printRepoStatus(projectRoot, "project-rig", projectRoot, "");
+  const monorepoPath = monorepoRoot || resolveMonorepoRoot(projectRoot);
+  if (monorepoPath !== projectRoot) {
+    printRepoStatus(projectRoot, "monorepo", monorepoPath, expected);
+  }
+}
+function gitChanged(projectRoot, taskId, scoped) {
+  if (scoped) {
+    const resolvedTask = taskId || taskData().currentTaskId(projectRoot);
+    if (!resolvedTask) {
+      throw new Error("No task specified and no active task in session. Use --task or omit --scoped.");
+    }
+    return taskData().changedFilesForTask(projectRoot, resolvedTask, true);
+  }
+  return taskData().changedFilesForTask(projectRoot, taskId || taskData().currentTaskId(projectRoot) || "", false);
+}
+function gitPreflight(projectRoot, taskId, strict) {
+  const monorepoRoot = resolveOptionalMonorepoRoot(projectRoot);
+  const resolvedTask = taskId || safeCurrentTaskId(projectRoot);
+  const expected = resolvedTask ? `rig/${resolveTaskBranchId(projectRoot, resolvedTask)}` : "";
+  console.log("=== Git Flow Preflight ===");
+  let issues = 0;
+  if (!existsSync3(resolve2(projectRoot, ".git"))) {
+    console.log(`ERROR: project root is not a git repo (${projectRoot})`);
+    issues += 1;
+  }
+  if (monorepoRoot && existsSync3(resolve2(monorepoRoot, ".git"))) {
+    const monoBranch = branchName(projectRoot, monorepoRoot);
+    if (expected && monoBranch !== expected) {
+      console.log(`WARN: monorepo branch is ${monoBranch}, expected ${expected} for task ${resolvedTask}`);
+      if (strict) {
+        issues += 1;
+      }
+    }
+    const monoChanges = changeCount(projectRoot, monorepoRoot);
+    if (monoChanges > 0 && !monoBranch.startsWith("rig/")) {
+      console.log(`WARN: monorepo has uncommitted changes on non-rig branch (${monoBranch})`);
+      issues += 1;
+    }
+  } else {
+    console.log(`WARN: monorepo repo unavailable.`);
+  }
+  const projectChanges = changeCount(projectRoot, projectRoot);
+  if (projectChanges > 0) {
+    console.log(`INFO: project-rig has ${projectChanges} changed file(s).`);
+  }
+  if (issues > 0) {
+    console.log(`Preflight: ${issues} issue(s) detected.`);
+    return false;
+  }
+  console.log("Preflight: OK");
+  return true;
+}
+function gitSyncBranch(projectRoot, taskId, targetRepo = "monorepo") {
+  const resolvedTask = taskId || safeCurrentTaskId(projectRoot);
+  if (!resolvedTask) {
+    throw new Error("No task specified and no active task in session.");
+  }
+  const repoRoot = targetRepo === "monorepo" ? resolveOptionalMonorepoRoot(projectRoot) || resolveMonorepoRoot(projectRoot) : projectRoot;
+  const repoLabel = targetRepo === "monorepo" ? "Monorepo" : "Project";
+  if (!existsSync3(resolve2(repoRoot, ".git"))) {
+    throw new Error(`${repoLabel} repo not found at ${repoRoot}`);
+  }
+  const branchId = resolveTaskBranchId(projectRoot, resolvedTask);
+  const branchTarget = `rig/${branchId}`;
+  const current = branchName(projectRoot, repoRoot);
+  if (current === branchTarget) {
+    console.log(`${repoLabel} branch: already on ${branchTarget}`);
+    return;
+  }
+  const hasBranch = runCapture(gitCmd(projectRoot, repoRoot, "show-ref", "--verify", "--quiet", `refs/heads/${branchTarget}`), projectRoot).exitCode === 0;
+  const cmd = hasBranch && current === "HEAD" ? gitCmd(projectRoot, repoRoot, "checkout", "-B", branchTarget) : hasBranch ? gitCmd(projectRoot, repoRoot, "checkout", branchTarget) : gitCmd(projectRoot, repoRoot, "checkout", "-b", branchTarget);
+  const checkout = runCapture(cmd, projectRoot);
+  if (checkout.exitCode !== 0) {
+    throw new Error(`Failed to sync ${repoLabel.toLowerCase()} branch: ${checkout.stderr || checkout.stdout}`);
+  }
+  const action = hasBranch && current === "HEAD" ? "reset" : hasBranch ? "checked out" : "created";
+  console.log(`${repoLabel} branch: ${action} ${branchTarget}`);
+}
+function gitCommit(options) {
+  const { projectRoot } = options;
+  const resolvedTask = options.taskId || safeCurrentTaskId(projectRoot);
+  const baseMessage = options.message || (resolvedTask ? `rig: ${resolvedTask}` : "rig: harness update");
+  const changedFilesManifest = resolvedTask && options.scoped === true ? refreshChangedFilesManifest(projectRoot, resolvedTask) : "";
+  const changedFiles = resolvedTask && options.scoped === true ? readChangedFilesManifest(projectRoot, resolvedTask) : resolvedTask ? taskData().changedFilesForTask(projectRoot, resolvedTask, false) : [];
+  if (options.target === "project" || options.target === "both") {
+    if (resolvedTask) {
+      gitSyncBranch(projectRoot, resolvedTask, "project");
+    }
+    const projectFiles = resolveScopedStageFilesForRepo(projectRoot, projectRoot, resolvedTask, changedFiles);
+    commitRepo(projectRoot, projectRoot, "project-rig", options.target === "both" ? `${baseMessage} [harness]` : baseMessage, options.allowEmpty, options.scoped === true, projectFiles, changedFilesManifest);
+  }
+  if (options.target === "monorepo" || options.target === "both") {
+    const monorepoRoot = resolveOptionalMonorepoRoot(projectRoot) || resolveMonorepoRoot(projectRoot);
+    if (resolvedTask) {
+      gitSyncBranch(projectRoot, resolvedTask, "monorepo");
+    }
+    const monorepoFiles = resolveScopedStageFilesForRepo(projectRoot, monorepoRoot, resolvedTask, changedFiles);
+    commitRepo(projectRoot, monorepoRoot, "monorepo", options.target === "both" ? `${baseMessage} [monorepo]` : baseMessage, options.allowEmpty, options.scoped === true, monorepoFiles, changedFilesManifest);
+  }
+}
+function gitSnapshot(projectRoot, taskId, outputPath) {
+  const monorepoRoot = resolveOptionalMonorepoRoot(projectRoot);
+  const resolvedTask = taskId || safeCurrentTaskId(projectRoot);
+  const output = outputPath || (resolvedTask ? resolveArtifactSnapshot(projectRoot, resolvedTask) : resolve2(resolve2(projectRoot, ".rig", "state"), "git-state.txt"));
+  mkdirSync(dirname(output), { recursive: true });
+  const lines = ["# Git Snapshot", `timestamp: ${nowIso()}`];
+  if (resolvedTask) {
+    lines.push(`task: ${resolvedTask}`);
+  }
+  lines.push("");
+  lines.push(...snapshotRepo(projectRoot, "project-rig", projectRoot));
+  if (monorepoRoot && monorepoRoot !== projectRoot) {
+    lines.push(...snapshotRepo(projectRoot, "monorepo", monorepoRoot));
+  }
+  writeFileSync(output, `${lines.join(`
+`)}
+`, "utf-8");
+  return output;
+}
+function gitOpenPr(options) {
+  const gh = resolveGithubCliBinary({ scanPath: true });
+  if (!gh) {
+    throw new Error("gh CLI is required for open-pr. Install and authenticate with: gh auth login");
+  }
+  const taskId = options.taskId || safeCurrentTaskId(options.projectRoot);
+  const target = options.target || (taskId ? "monorepo" : "project");
+  let repoRoot = options.projectRoot;
+  let repoLabel = "project-rig";
+  const envBase = target === "monorepo" ? process.env.RIG_PR_BASE_MONOREPO?.trim() || "" : process.env.RIG_PR_BASE_PROJECT?.trim() || "";
+  if (target === "monorepo") {
+    repoRoot = resolveOptionalMonorepoRoot(options.projectRoot) || resolveMonorepoRoot(options.projectRoot);
+    repoLabel = "monorepo";
+    if (taskId) {
+      gitSyncBranch(options.projectRoot, taskId, "monorepo");
+    }
+  } else if (taskId) {
+    gitSyncBranch(options.projectRoot, taskId, "project");
+  }
+  if (!existsSync3(resolve2(repoRoot, ".git"))) {
+    throw new Error(`Repository not available for open-pr target ${target}: ${repoRoot}`);
+  }
+  const branch = branchName(options.projectRoot, repoRoot);
+  if (!branch || branch === "HEAD") {
+    throw new Error(`Cannot open PR from detached HEAD in ${repoLabel}. Checkout a branch first.`);
+  }
+  const repoNameWithOwner = resolveRepoNameWithOwner(options.projectRoot, repoRoot);
+  const networkRemote = resolveNetworkRemoteName(options.projectRoot, repoRoot, repoNameWithOwner);
+  const base = options.base || envBase || inferRepositoryDefaultBase(options.projectRoot, repoRoot, repoNameWithOwner, networkRemote, target === "project" ? inferProjectBase(options.projectRoot, "main") : "main");
+  refreshRemoteBaseRef(options.projectRoot, repoRoot, base);
+  let reviewer = (options.reviewer || "").trim();
+  let reviewerSource = reviewer ? "flag" : undefined;
+  if (!reviewer && taskId) {
+    reviewer = defaultReviewerForTask(options.projectRoot, taskId);
+    if (reviewer) {
+      reviewerSource = "task-config";
+    }
+  }
+  if (!reviewer) {
+    reviewer = inferReviewerFromChangedFiles(options.projectRoot, repoRoot, base, branch);
+    if (reviewer) {
+      reviewerSource = "changed-files";
+    }
+  }
+  if (!reviewer) {
+    reviewer = (process.env.RIG_PR_REVIEWER || "").trim();
+    if (reviewer) {
+      reviewerSource = "env";
+    }
+  }
+  let title = options.title || "";
+  if (!title) {
+    if (taskId) {
+      title = `rig: ${taskId}`;
+    } else {
+      title = `rig: update ${branch}`;
+    }
+  }
+  const body = options.body || [
+    "## Summary",
+    "- Automated task output prepared in isolated runtime.",
+    "",
+    "## Task",
+    `- beads: ${taskId || "n/a"}`,
+    ...defaultPrRunLines(taskId, repoNameWithOwner),
+    "",
+    "## Review",
+    "- Completion verification will run validation, verifier review, and PR policy checks.",
+    "- When repository policy allows it, Rig attempts an immediate strict-gated, head-locked merge after approval."
+  ].join(`
+`);
+  const preCheck = runCapture(withGhRepo([gh, "pr", "list", "--state", "merged", "--head", branch, "--json", "url,mergedAt", "--jq", ".[0]"], repoNameWithOwner), repoRoot);
+  const preCheckEntry = preCheck.exitCode === 0 ? preCheck.stdout.trim() : "";
+  if (preCheckEntry && preCheckEntry !== "null" && currentHeadMatchesMergedBase(options.projectRoot, repoRoot, base, networkRemote)) {
+    const mergedPr = JSON.parse(preCheckEntry);
+    console.log(`Branch ${branch} was already merged: ${mergedPr.url}`);
+    const result2 = { url: mergedPr.url, target, repoLabel, branch, base };
+    if (taskId)
+      writePrMetadata(options.projectRoot, taskId, result2);
+    return result2;
+  }
+  const pushArgs = gitCmd(options.projectRoot, repoRoot, "push", "-u", networkRemote, branch);
+  const fetchResult = runCapture(gitCmd(options.projectRoot, repoRoot, "fetch", networkRemote, branch), repoRoot);
+  if (fetchResult.exitCode === 0) {
+    const remoteAhead = runCapture(gitCmd(options.projectRoot, repoRoot, "log", "--oneline", `HEAD..${networkRemote}/${branch}`), repoRoot);
+    if (remoteAhead.exitCode === 0 && remoteAhead.stdout.trim()) {
+      console.log(`Remote branch has diverged \u2014 force pushing task-owned branch ${branch} with --force-with-lease...`);
+      pushArgs.splice(4, 0, "--force-with-lease");
+    }
+  }
+  runOrThrow(options.projectRoot, pushArgs, `Failed to push branch ${branch} in ${repoLabel}`);
+  const existing = runCapture(withGhRepo([gh, "pr", "list", "--state", "open", "--head", branch, "--json", "url", "--jq", ".[0].url"], repoNameWithOwner), repoRoot);
+  const existingUrl = existing.exitCode === 0 ? existing.stdout.trim() : "";
+  if (!existingUrl || existingUrl === "null") {
+    const merged = runCapture(withGhRepo([gh, "pr", "list", "--state", "merged", "--head", branch, "--json", "url,mergedAt", "--jq", ".[0]"], repoNameWithOwner), repoRoot);
+    const mergedEntry = merged.exitCode === 0 ? merged.stdout.trim() : "";
+    if (mergedEntry && mergedEntry !== "null" && currentHeadMatchesMergedBase(options.projectRoot, repoRoot, base, networkRemote)) {
+      const mergedPr = JSON.parse(mergedEntry);
+      console.log(`Branch ${branch} was already merged: ${mergedPr.url}`);
+      const result2 = { url: mergedPr.url, target, repoLabel, branch, base };
+      if (taskId)
+        writePrMetadata(options.projectRoot, taskId, result2);
+      return result2;
+    }
+  }
+  let prUrl = "";
+  if (existingUrl && existingUrl !== "null") {
+    prUrl = existingUrl;
+  } else {
+    const createArgs = [
+      gh,
+      "pr",
+      "create",
+      ...ghRepoArgs(repoNameWithOwner),
+      "--base",
+      base,
+      "--head",
+      branch,
+      "--title",
+      title,
+      "--body",
+      body
+    ];
+    if (options.draft) {
+      createArgs.push("--draft");
+    }
+    const created = runCapture(createArgs, repoRoot);
+    if (created.exitCode !== 0) {
+      throw new Error(`Failed to create PR in ${repoLabel}: ${created.stderr || created.stdout}`);
+    }
+    prUrl = created.stdout.trim();
+  }
+  if (!prUrl) {
+    throw new Error(`Failed to resolve PR URL for branch ${branch}.`);
+  }
+  assertPrHasNoGitConflicts(readPrViewState(gh, repoRoot, repoNameWithOwner, prUrl), repoLabel, base);
+  if (reviewer) {
+    const edit = runCapture(withGhRepo([gh, "pr", "edit", prUrl, "--add-reviewer", reviewer], repoNameWithOwner), repoRoot);
+    if (edit.exitCode !== 0) {
+      throw new Error(`Failed to assign reviewer '${reviewer}': ${edit.stderr || edit.stdout}`);
+    }
+  }
+  const result = {
+    url: prUrl,
+    ...reviewer ? { reviewer } : {},
+    ...reviewerSource ? { reviewerSource } : {},
+    target,
+    repoLabel,
+    branch,
+    base
+  };
+  if (taskId) {
+    writePrMetadata(options.projectRoot, taskId, result);
+  }
+  return result;
+}
+function defaultPrRunLines(taskId, repoNameWithOwner) {
+  const lines = [];
+  const runId = process.env.RIG_SERVER_RUN_ID?.trim();
+  if (runId) {
+    lines.push(`- Run: ${runId}`);
+  }
+  const closeout = defaultPrCloseoutLine(taskId, repoNameWithOwner);
+  if (closeout) {
+    lines.push(`- ${closeout}`);
+  }
+  return lines;
+}
+function defaultPrCloseoutLine(taskId, repoNameWithOwner) {
+  const sourceIssueId = loadRuntimeContextFromEnv()?.sourceTask?.sourceIssueId;
+  if (sourceIssueId) {
+    const match = sourceIssueId.match(/^([^#]+)#(\d+)$/);
+    if (match?.[1] && match[2]) {
+      const sourceRepo = match[1];
+      const issueNumber = match[2];
+      return sourceRepo.toLowerCase() === repoNameWithOwner.toLowerCase() ? `Closes #${issueNumber}` : `Closes ${sourceRepo}#${issueNumber}`;
+    }
+  }
+  return /^\d+$/.test(taskId) ? `Closes #${taskId}` : "";
+}
+function resolveTaskBranchRef(projectRoot, taskId) {
+  return `rig/${resolveTaskBranchId(projectRoot, taskId)}`;
+}
+function readPrViewState(gh, repoRoot, repoNameWithOwner, prUrl) {
+  const view = runCapture(withGhRepo([
+    gh,
+    "pr",
+    "view",
+    prUrl,
+    "--json",
+    "state,isDraft,url,mergedAt,autoMergeRequest,mergeable,mergeStateStatus,reviewDecision,headRefOid,statusCheckRollup",
+    "--jq",
+    "."
+  ], repoNameWithOwner), repoRoot);
+  if (view.exitCode !== 0) {
+    throw new Error(`Failed to inspect PR ${prUrl}: ${view.stderr || view.stdout}`);
+  }
+  try {
+    const parsed = JSON.parse(view.stdout);
+    return {
+      state: parsed.state || "OPEN",
+      isDraft: parsed.isDraft === true,
+      url: typeof parsed.url === "string" ? parsed.url : prUrl,
+      mergedAt: typeof parsed.mergedAt === "string" ? parsed.mergedAt : null,
+      autoMergeRequest: parsed.autoMergeRequest ?? null,
+      mergeable: typeof parsed.mergeable === "string" ? parsed.mergeable : "",
+      mergeStateStatus: typeof parsed.mergeStateStatus === "string" ? parsed.mergeStateStatus : "",
+      reviewDecision: typeof parsed.reviewDecision === "string" ? parsed.reviewDecision : "",
+      headRefOid: typeof parsed.headRefOid === "string" ? parsed.headRefOid : null,
+      statusCheckRollup: Array.isArray(parsed.statusCheckRollup) ? parsed.statusCheckRollup : []
+    };
+  } catch {
+    return {
+      state: "OPEN",
+      isDraft: false,
+      url: prUrl,
+      mergedAt: null,
+      autoMergeRequest: null,
+      mergeable: "",
+      mergeStateStatus: "",
+      reviewDecision: "",
+      headRefOid: null,
+      statusCheckRollup: []
+    };
+  }
+}
+function hasSatisfiedStatusChecks(prState) {
+  if (prState.statusCheckRollup.length === 0) {
+    return false;
+  }
+  return prState.statusCheckRollup.every((entry) => {
+    if (entry.__typename === "CheckRun") {
+      const status = entry.status?.toUpperCase() || "";
+      const conclusion = entry.conclusion?.toUpperCase() || "";
+      return status === "COMPLETED" && (conclusion === "SUCCESS" || conclusion === "SKIPPED" || conclusion === "NEUTRAL");
+    }
+    if (entry.__typename === "StatusContext") {
+      return (entry.state?.toUpperCase() || "") === "SUCCESS";
+    }
+    return false;
+  });
+}
+function canAdminMergeApprovedPr(prState) {
+  return prState.state === "OPEN" && prState.autoMergeRequest !== null && prState.mergeable.toUpperCase() === "MERGEABLE" && prState.reviewDecision.toUpperCase() === "APPROVED" && hasSatisfiedStatusChecks(prState);
+}
+function gitMergePr(options) {
+  const gh = resolveGithubCliBinary({ scanPath: true });
+  if (!gh) {
+    throw new Error("gh CLI is required for merge-pr. Install and authenticate with: gh auth login");
+  }
+  const repoRoot = resolveRepoRoot(options.projectRoot, options.pr.target);
+  const repoNameWithOwner = resolveRepoNameWithOwner(options.projectRoot, repoRoot);
+  if (!existsSync3(resolve2(repoRoot, ".git"))) {
+    throw new Error(`Repository not available for merge-pr target ${options.pr.target}: ${repoRoot}`);
+  }
+  const prState = readPrViewState(gh, repoRoot, repoNameWithOwner, options.pr.url);
+  const state = prState.state;
+  const isDraft = prState.isDraft;
+  assertPrHasNoGitConflicts(prState, options.pr.repoLabel, options.pr.base);
+  if (state === "MERGED") {
+    console.log(`PR already merged (${options.pr.repoLabel}): ${options.pr.url}`);
+    return { status: "already-merged", url: options.pr.url };
+  }
+  if (state !== "OPEN") {
+    throw new Error(`Cannot merge PR ${options.pr.url}: state is ${state}.`);
+  }
+  if (isDraft) {
+    throw new Error(`Cannot merge draft PR ${options.pr.url}.`);
+  }
+  const mergeArgs = withGhRepo([gh, "pr", "merge", options.pr.url], repoNameWithOwner);
+  const method = options.method || "squash";
+  mergeArgs.push(method === "merge" ? "--merge" : method === "rebase" ? "--rebase" : "--squash");
+  mergeArgs.push("--match-head-commit", options.matchHeadCommit);
+  if (options.deleteBranch !== false) {
+    mergeArgs.push("--delete-branch");
+  }
+  const directMerge = runCapture(mergeArgs, repoRoot);
+  if (directMerge.exitCode === 0) {
+    console.log(`Merged PR (${options.pr.repoLabel}): ${options.pr.url}`);
+    return { status: "merged", url: options.pr.url };
+  }
+  const postDirectState = readPrViewState(gh, repoRoot, repoNameWithOwner, options.pr.url);
+  if (canAdminMergeApprovedPr(postDirectState)) {
+    const adminMergeArgs = [...mergeArgs, "--admin"];
+    const adminMerge = runCapture(adminMergeArgs, repoRoot);
+    if (adminMerge.exitCode === 0) {
+      const postAdminMergeState = readPrViewState(gh, repoRoot, repoNameWithOwner, options.pr.url);
+      if (postAdminMergeState.state === "MERGED" || postAdminMergeState.mergedAt) {
+        console.log(`Merged PR (${options.pr.repoLabel}) with admin fallback: ${options.pr.url}`);
+        return { status: "merged", url: options.pr.url };
+      }
+      throw new Error(`Admin merge command succeeded for PR ${options.pr.url} in ${options.pr.repoLabel}, but GitHub still reports it open.`);
+    }
+    const adminMergeMessage = `${adminMerge.stderr}
+${adminMerge.stdout}`.trim();
+    if (!/admin|administrator|permission|not permitted|not allowed/i.test(adminMergeMessage)) {
+      throw new Error(`Failed to admin-merge PR ${options.pr.url} in ${options.pr.repoLabel}: ${adminMergeMessage}`);
+    }
+  }
+  const directMergeMessage = `${directMerge.stderr}
+${directMerge.stdout}`.trim();
+  throw new Error(`Failed to merge PR ${options.pr.url} in ${options.pr.repoLabel}: ${directMergeMessage}`);
+}
+function assertPrHasNoGitConflicts(prState, repoLabel, baseRef) {
+  const mergeable = prState.mergeable.toUpperCase();
+  const mergeStateStatus = prState.mergeStateStatus.toUpperCase();
+  if (mergeable === "CONFLICTING" || mergeStateStatus === "DIRTY") {
+    throw new Error(`PR ${prState.url || "unknown"} conflicts with ${baseRef} in ${repoLabel} (mergeable=${prState.mergeable || "unknown"}, mergeStateStatus=${prState.mergeStateStatus || "unknown"}). Rebase or merge ${baseRef} and resolve conflicts before completion-verification.`);
+  }
+}
+function writePrMetadata(projectRoot, taskId, result) {
+  const dir = taskData().artifactDirForId(projectRoot, taskId);
+  mkdirSync(dir, { recursive: true });
+  const path = resolve2(dir, "pr-state.json");
+  let prs = {};
+  if (existsSync3(path)) {
+    try {
+      const parsed = JSON.parse(readFileSync2(path, "utf-8"));
+      if (parsed && typeof parsed === "object" && parsed.prs && typeof parsed.prs === "object") {
+        prs = parsed.prs;
+      }
+    } catch {
+      prs = {};
+    }
+  }
+  prs[result.target] = result;
+  const primary = prs.monorepo || prs.project;
+  const artifact = {
+    task_id: taskId,
+    prs,
+    ...primary || {},
+    updated_at: nowIso()
+  };
+  writeFileSync(path, `${JSON.stringify(artifact, null, 2)}
+`, "utf-8");
+}
+function readPrMetadata(projectRoot, taskId) {
+  const path = resolve2(taskData().artifactDirForId(projectRoot, taskId), "pr-state.json");
+  if (!existsSync3(path)) {
+    return [];
+  }
+  try {
+    const parsed = JSON.parse(readFileSync2(path, "utf-8"));
+    if (!parsed || typeof parsed !== "object") {
+      return [];
+    }
+    if (parsed.prs && typeof parsed.prs === "object") {
+      return Object.values(parsed.prs).filter(isGitOpenPrResult);
+    }
+    return isGitOpenPrResult(parsed) ? [parsed] : [];
+  } catch {
+    return [];
+  }
+}
+function resolveArtifactSnapshot(projectRoot, taskId) {
+  return resolve2(taskData().artifactDirForId(projectRoot, taskId), "git-state.txt");
+}
+function isGitOpenPrResult(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return false;
+  }
+  const record = value;
+  return typeof record.url === "string" && typeof record.branch === "string" && typeof record.base === "string" && (record.target === "project" || record.target === "monorepo") && typeof record.repoLabel === "string";
+}
+function resolveRepoRoot(projectRoot, target) {
+  return target === "monorepo" ? resolveOptionalMonorepoRoot(projectRoot) || resolveMonorepoRoot(projectRoot) : projectRoot;
+}
+function ensureFullGitHistory(projectRoot, repoRoot, remoteName = "origin") {
+  const shallow = runCapture(gitCmd(projectRoot, repoRoot, "rev-parse", "--is-shallow-repository"), projectRoot);
+  if (shallow.exitCode !== 0 || shallow.stdout.trim() !== "true") {
+    return;
+  }
+  const unshallow = runCapture(gitCmd(projectRoot, repoRoot, "fetch", "--unshallow", "--tags", remoteName), projectRoot);
+  if (unshallow.exitCode === 0) {
+    return;
+  }
+  const output = `${unshallow.stderr}
+${unshallow.stdout}`.trim();
+  if (/--unshallow on a complete repository|does not make sense/i.test(output)) {
+    return;
+  }
+  throw new Error(`Failed to expand git history for ${repoRoot}: ${output}`);
+}
+function refreshRemoteBaseRef(projectRoot, repoRoot, baseRef, repoNameWithOwner = "") {
+  const remoteName = resolveNetworkRemoteName(projectRoot, repoRoot, repoNameWithOwner || resolveRepoNameWithOwner(projectRoot, repoRoot));
+  const remoteUrl = runCapture(gitCmd(projectRoot, repoRoot, "remote", "get-url", remoteName), projectRoot);
+  if (remoteUrl.exitCode !== 0) {
+    return "";
+  }
+  ensureFullGitHistory(projectRoot, repoRoot, remoteName);
+  const fetch2 = runCapture(gitCmd(projectRoot, repoRoot, "fetch", "--prune", "--tags", remoteName, `+refs/heads/${baseRef}:refs/remotes/${remoteName}/${baseRef}`), projectRoot);
+  if (fetch2.exitCode !== 0) {
+    throw new Error(`Failed to refresh ${remoteName}/${baseRef} at ${repoRoot}: ${fetch2.stderr || fetch2.stdout}`);
+  }
+  return remoteName;
+}
+function currentHeadMatchesMergedBase(projectRoot, repoRoot, baseRef, remoteName = "origin") {
+  const activeRemote = refreshRemoteBaseRef(projectRoot, repoRoot, baseRef) || remoteName;
+  const remoteBase = `${activeRemote}/${baseRef}`;
+  const hasRemoteBase = runCapture(gitCmd(projectRoot, repoRoot, "rev-parse", "--verify", "--quiet", remoteBase), repoRoot).exitCode === 0;
+  const targetRef = hasRemoteBase ? remoteBase : baseRef;
+  if (runCapture(gitCmd(projectRoot, repoRoot, "merge-base", "--is-ancestor", "HEAD", targetRef), repoRoot).exitCode === 0) {
+    return true;
+  }
+  return runCapture(gitCmd(projectRoot, repoRoot, "diff", "--quiet", "HEAD", targetRef, "--"), repoRoot).exitCode === 0;
+}
+function defaultReviewerForTask(projectRoot, taskId) {
+  if (!taskId) {
+    return "";
+  }
+  const entry = taskData().readTaskConfig(projectRoot)[taskId];
+  const reviewer = entry?.reviewer;
+  if (typeof reviewer === "string" && reviewer.trim()) {
+    return reviewer.trim();
+  }
+  const responsibleReviewer = entry?.responsible_reviewer;
+  if (typeof responsibleReviewer === "string" && responsibleReviewer.trim()) {
+    return responsibleReviewer.trim();
+  }
+  return "";
+}
+function resolveRepoNameWithOwner(projectRoot, repoRoot) {
+  const explicit = normalizeGithubRepoNameWithOwner(process.env.GH_REPO || "");
+  if (explicit) {
+    return explicit;
+  }
+  const visited = new Set;
+  return resolveGithubRepoNameWithOwnerFromGitRoot(projectRoot, repoRoot, repoRoot, visited);
+}
+function resolveGithubRepoNameWithOwnerFromGitRoot(projectRoot, gitRoot, cwd, visited) {
+  const normalizedGitRoot = resolve2(gitRoot);
+  if (visited.has(normalizedGitRoot)) {
+    return "";
+  }
+  visited.add(normalizedGitRoot);
+  const remotes = listGitRemotes(projectRoot, gitRoot, cwd);
+  for (const remote of remotes) {
+    const urls = listGitRemoteUrls(projectRoot, gitRoot, cwd, remote);
+    for (const url of urls) {
+      const direct = normalizeGithubRepoNameWithOwner(url);
+      if (direct) {
+        return direct;
+      }
+      const localGitRoot = resolveLocalGitRemoteRoot(url, gitRoot);
+      if (!localGitRoot) {
+        continue;
+      }
+      const viaMirror = resolveGithubRepoNameWithOwnerFromGitRoot(projectRoot, localGitRoot, cwd, visited);
+      if (viaMirror) {
+        return viaMirror;
+      }
+    }
+  }
+  return "";
+}
+function listGitRemotes(projectRoot, gitRoot, cwd) {
+  const result = gitQuery(projectRoot, gitRoot, cwd, "remote");
+  if (result.exitCode !== 0) {
+    return [];
+  }
+  return result.stdout.split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
+}
+function listGitRemoteUrls(projectRoot, gitRoot, cwd, remote) {
+  const result = gitQuery(projectRoot, gitRoot, cwd, "remote", "get-url", "--all", remote);
+  if (result.exitCode !== 0) {
+    return [];
+  }
+  return result.stdout.split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
+}
+function resolveNetworkRemoteName(projectRoot, repoRoot, repoNameWithOwner) {
+  const remotes = listGitRemotes(projectRoot, repoRoot, repoRoot);
+  if (remotes.length === 0) {
+    return "origin";
+  }
+  if (!repoNameWithOwner) {
+    return remotes.includes("origin") ? "origin" : remotes[0];
+  }
+  const expectedRepo = normalizeGithubRepoNameWithOwner(repoNameWithOwner).toLowerCase();
+  let directMatch = "";
+  for (const remote of remotes) {
+    const urls = listGitRemoteUrls(projectRoot, repoRoot, repoRoot, remote);
+    for (const url of urls) {
+      const direct = normalizeGithubRepoNameWithOwner(url);
+      if (direct && direct.toLowerCase() === expectedRepo) {
+        if (remote === "github") {
+          return remote;
+        }
+        if (!directMatch) {
+          directMatch = remote;
+        }
+      }
+    }
+  }
+  if (remotes.includes("github")) {
+    return "github";
+  }
+  if (directMatch) {
+    return directMatch;
+  }
+  return remotes.includes("origin") ? "origin" : remotes[0];
+}
+function gitQuery(projectRoot, gitRoot, cwd, ...args) {
+  const gitArgs = existsSync3(resolve2(gitRoot, ".git")) ? gitCmd(projectRoot, gitRoot, ...args) : [resolveHostGitBinary(), "--git-dir", gitRoot, ...args];
+  return runCapture(gitArgs, cwd, projectRoot);
+}
+function resolveLocalGitRemoteRoot(remoteUrl, gitRoot) {
+  const normalized = remoteUrl.trim();
+  if (!normalized) {
+    return "";
+  }
+  let candidate = normalized;
+  if (normalized.startsWith("file://")) {
+    try {
+      candidate = fileURLToPath(normalized);
+    } catch {
+      return "";
+    }
+  } else if (/^[a-z][a-z0-9+.-]*:\/\//i.test(normalized) || /^[^@]+@[^:]+:.+$/.test(normalized)) {
+    return "";
+  } else if (!isAbsolute(normalized)) {
+    candidate = resolve2(gitRoot, normalized);
+  }
+  return existsSync3(candidate) ? candidate : "";
+}
+function normalizeGithubRepoNameWithOwner(value) {
+  const normalized = value.trim();
+  if (!normalized) {
+    return "";
+  }
+  const scpMatch = normalized.match(/^(?:ssh:\/\/)?git@github\.com[:/](.+?)(?:\.git)?$/i);
+  if (scpMatch?.[1]) {
+    return scpMatch[1].replace(/^\/+|\/+$/g, "");
+  }
+  const httpMatch = normalized.match(/^https?:\/\/github\.com\/(.+?)(?:\.git)?(?:\/)?$/i);
+  if (httpMatch?.[1]) {
+    return httpMatch[1].replace(/^\/+|\/+$/g, "");
+  }
+  const bareMatch = normalized.match(/^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/);
+  return bareMatch ? bareMatch[0] : "";
+}
+function ghRepoArgs(repoNameWithOwner) {
+  return repoNameWithOwner ? ["-R", repoNameWithOwner] : [];
+}
+function withGhRepo(command, repoNameWithOwner) {
+  if (!repoNameWithOwner || command.length < 3) {
+    return command;
+  }
+  return [command[0], command[1], command[2], ...ghRepoArgs(repoNameWithOwner), ...command.slice(3)];
+}
+function inferRepositoryDefaultBase(projectRoot, repoRoot, repoNameWithOwner, remoteName, fallback) {
+  const remote = remoteName || "origin";
+  const symbolic = runCapture(gitCmd(projectRoot, repoRoot, "symbolic-ref", "--short", `refs/remotes/${remote}/HEAD`), projectRoot);
+  if (symbolic.exitCode === 0) {
+    const ref = symbolic.stdout.trim().replace(new RegExp(`^${escapeRegExp(remote)}/`), "");
+    if (ref && ref !== "HEAD") {
+      return ref;
+    }
+  }
+  const lsRemote = runCapture(gitCmd(projectRoot, repoRoot, "ls-remote", "--symref", remote, "HEAD"), projectRoot);
+  if (lsRemote.exitCode === 0) {
+    const match = lsRemote.stdout.match(/^ref:\s+refs\/heads\/([^\t\r\n]+)\s+HEAD/m);
+    if (match?.[1]) {
+      return match[1];
+    }
+  }
+  const gh = resolveGithubCliBinary({ scanPath: true });
+  if (gh && repoNameWithOwner) {
+    const api = runCapture(withGhRepo([gh, "repo", "view", "--json", "defaultBranchRef", "--jq", ".defaultBranchRef.name"], repoNameWithOwner), repoRoot);
+    const branch = api.exitCode === 0 ? api.stdout.trim() : "";
+    if (branch) {
+      return branch;
+    }
+  }
+  return fallback;
+}
+function inferProjectBase(projectRoot, fallback) {
+  const containing = runCapture(gitCmd(projectRoot, projectRoot, "branch", "-r", "--contains", "HEAD"), projectRoot);
+  if (containing.exitCode !== 0) {
+    return fallback;
+  }
+  const candidates = containing.stdout.split(/\r?\n/).map((line) => line.replace(/^\*/, "").trim()).filter(Boolean).map((line) => line.replace(/^origin\//, "")).filter((line) => line !== "HEAD" && !line.startsWith("rig/"));
+  return candidates[0] || fallback;
+}
+function currentGithubLogin(repoRoot) {
+  const gh = resolveGithubCliBinary({ scanPath: true });
+  if (!gh) {
+    return "";
+  }
+  const result = runCapture([gh, "api", "user", "--jq", ".login"], repoRoot);
+  return result.exitCode === 0 ? result.stdout.trim() : "";
+}
+function collectPrChangedFiles(projectRoot, repoRoot, baseRef, branchRef) {
+  const repoNameWithOwner = resolveRepoNameWithOwner(projectRoot, repoRoot);
+  const remoteName = refreshRemoteBaseRef(projectRoot, repoRoot, baseRef, repoNameWithOwner);
+  const hasRemoteBase = remoteName ? runCapture(gitCmd(projectRoot, repoRoot, "rev-parse", "--verify", "--quiet", `${remoteName}/${baseRef}`), projectRoot).exitCode === 0 : false;
+  const hasLocalBase = runCapture(gitCmd(projectRoot, repoRoot, "rev-parse", "--verify", "--quiet", baseRef), projectRoot).exitCode === 0;
+  let changed = "";
+  if (hasRemoteBase) {
+    changed = runCapture(gitCmd(projectRoot, repoRoot, "diff", "--name-only", `${remoteName}/${baseRef}...${branchRef}`), projectRoot).stdout;
+  } else if (hasLocalBase) {
+    changed = runCapture(gitCmd(projectRoot, repoRoot, "diff", "--name-only", `${baseRef}...${branchRef}`), projectRoot).stdout;
+  } else {
+    const fallback = runCapture(gitCmd(projectRoot, repoRoot, "diff", "--name-only", `HEAD~1..${branchRef}`), projectRoot);
+    changed = fallback.exitCode === 0 ? fallback.stdout : runCapture(gitCmd(projectRoot, repoRoot, "diff", "--name-only"), projectRoot).stdout;
+  }
+  return changed.split(/\r?\n/).map((line) => line.trim()).filter(Boolean).slice(0, 60);
+}
+function inferReviewerFromChangedFiles(projectRoot, repoRoot, baseRef, branchRef) {
+  const repoNameWithOwner = resolveRepoNameWithOwner(projectRoot, repoRoot);
+  if (!repoNameWithOwner) {
+    return "";
+  }
+  const actorLogin = currentGithubLogin(repoRoot);
+  const changedFiles = collectPrChangedFiles(projectRoot, repoRoot, baseRef, branchRef);
+  if (changedFiles.length === 0) {
+    return "";
+  }
+  const counts = new Map;
+  for (const path of changedFiles) {
+    const result = runCapture([
+      resolveGithubCliBinary({ scanPath: true }) || "gh",
+      "api",
+      `repos/${repoNameWithOwner}/commits`,
+      "-f",
+      `path=${path}`,
+      "-f",
+      `sha=${baseRef}`,
+      "-f",
+      "per_page=1",
+      "--jq",
+      ".[0].author.login // empty"
+    ], repoRoot);
+    const author = result.exitCode === 0 ? result.stdout.trim() : "";
+    if (!author || author === actorLogin) {
+      continue;
+    }
+    counts.set(author, (counts.get(author) || 0) + 1);
+  }
+  let best = "";
+  let max = -1;
+  for (const [author, count] of counts.entries()) {
+    if (count > max || count === max && author < best) {
+      best = author;
+      max = count;
+    }
+  }
+  return best;
+}
+function snapshotRepo(projectRoot, label, repo) {
+  if (!existsSync3(resolve2(repo, ".git"))) {
+    return [`## ${label}`, `repo: ${repo}`, "status: unavailable", ""];
+  }
+  const status = runCapture(gitCmd(projectRoot, repo, "status", "--short"), projectRoot).stdout.trim();
+  const branch = branchName(projectRoot, repo);
+  const head = runCapture(gitCmd(projectRoot, repo, "rev-parse", "HEAD"), projectRoot).stdout.trim();
+  return [
+    `## ${label}`,
+    `repo: ${repo}`,
+    `branch: ${branch}`,
+    `head: ${head}`,
+    "status:",
+    status || "(clean)",
+    ""
+  ];
+}
+function commitRepo(projectRoot, repo, label, message, allowEmpty, scoped, files, changedFilesManifest) {
+  if (!existsSync3(resolve2(repo, ".git"))) {
+    console.log(`Skipping ${label}: repo not available (${repo})`);
+    return;
+  }
+  const scopedFiles = (files || []).filter(Boolean).filter((file) => !pathResolvesBeyondSymlink(repo, file));
+  const repoChanges = changeCount(projectRoot, repo);
+  if (scopedFiles.length === 0 && repoChanges === 0 && !allowEmpty) {
+    console.log(`Skipping ${label}: no changes to commit.`);
+    return;
+  }
+  if (scopedFiles.length > 0) {
+    const indexFiles = new Set(runCapture(gitCmd(projectRoot, repo, "ls-files"), projectRoot).stdout.split(/\r?\n/).map((line) => line.trim()).filter(Boolean));
+    const stageable = scopedFiles.filter((file) => indexFiles.has(file) || existsSync3(resolve2(repo, file)));
+    if (stageable.length === 0) {
+      console.log(`Skipping ${label}: collected change list matched no stageable paths in ${repo}.`);
+      return;
+    }
+    const pathspecFile = resolve2(tmpdir(), `rig-stage-${process.pid}-${Date.now()}.txt`);
+    writeFileSync(pathspecFile, `${stageable.join(`
+`)}
+`, "utf-8");
+    try {
+      runOrThrow(projectRoot, gitCmd(projectRoot, repo, "add", `--pathspec-from-file=${pathspecFile}`), `Failed to stage changes for ${label}`);
+    } finally {
+      try {
+        unlinkSync(pathspecFile);
+      } catch {}
+    }
+  } else {
+    const addArgs = buildStageAddArgs(repo, scopedFiles, scoped);
+    if (addArgs) {
+      runOrThrow(projectRoot, gitCmd(projectRoot, repo, ...addArgs), `Failed to stage changes for ${label}`);
+    }
+  }
+  const stagedChanges = stagedChangeCount(projectRoot, repo);
+  if (stagedChanges === 0) {
+    if (allowEmpty) {
+      runOrThrow(projectRoot, gitCmd(projectRoot, repo, "commit", "--allow-empty", "-m", message), `Failed to commit ${label}`);
+      console.log(`Committed ${label}: ${message}`);
+      return;
+    }
+    if (scoped && repoChanges > 0) {
+      const manifestHint = changedFilesManifest ? ` Refresh ${changedFilesManifest} and retry, or use --all/--unscoped intentionally.` : "";
+      throw new Error(`Scoped commit for ${label} resolved no stageable files.${manifestHint}`);
+    }
+    console.log(`Skipping ${label}: no stageable changes to commit.`);
+    return;
+  }
+  runOrThrow(projectRoot, gitCmd(projectRoot, repo, "commit", ...allowEmpty ? ["--allow-empty"] : [], "-m", message), `Failed to commit ${label}`);
+  console.log(`Committed ${label}: ${message}`);
+}
+function readChangedFilesManifest(projectRoot, taskId) {
+  const manifestPath = resolve2(taskData().artifactDirForId(projectRoot, taskId), "changed-files.txt");
+  if (!existsSync3(manifestPath)) {
+    return [];
+  }
+  const files = readFileSync2(manifestPath, "utf-8").split(/\r?\n/).map((line) => normalizeChangedFilePath(line)).filter(Boolean);
+  return [...new Set(files)];
+}
+function refreshChangedFilesManifest(projectRoot, taskId) {
+  const manifestPath = resolve2(taskData().artifactDirForId(projectRoot, taskId), "changed-files.txt");
+  mkdirSync(dirname(manifestPath), { recursive: true });
+  const changedFiles = taskData().changedFilesForTask(projectRoot, taskId, true);
+  writeFileSync(manifestPath, `${changedFiles.join(`
+`)}
+`, "utf-8");
+  return manifestPath;
+}
+function normalizeChangedFilePath(file) {
+  return file.trim().replace(/\\/g, "/").replace(/^\.\//, "");
+}
+function buildStageAddArgs(repoRoot, files, scoped) {
+  if (files.length > 0) {
+    return ["add", "--", ...files];
+  }
+  if (scoped) {
+    return null;
+  }
+  return ["add", "-A", "--", ".", ...stageExcludePathspecs(repoRoot)];
+}
+function resolveScopedStageFilesForRepo(projectRoot, repoRoot, taskId, files) {
+  const resolvedManifestFiles = resolveScopedFilesForRepo(projectRoot, repoRoot, files);
+  if (resolvedManifestFiles.length > 0 || !taskId) {
+    return resolvedManifestFiles;
+  }
+  return resolveChangedTaskArtifactFiles(projectRoot, repoRoot, taskId);
+}
+function resolveScopedFilesForRepo(projectRoot, repoRoot, files) {
+  const resolvedFiles = [];
+  const seen = new Set;
+  for (const file of files) {
+    const candidate = resolveScopedRepoPath(repoRoot, file);
+    if (!candidate || seen.has(candidate) || pathResolvesBeyondSymlink(repoRoot, candidate)) {
+      continue;
+    }
+    if (!repoHasPathChange(projectRoot, repoRoot, candidate)) {
+      continue;
+    }
+    seen.add(candidate);
+    resolvedFiles.push(candidate);
+  }
+  return resolvedFiles;
+}
+function resolveChangedTaskArtifactFiles(projectRoot, repoRoot, taskId) {
+  const safeTaskId = safePathSegment(taskId, { fallback: "task", maxLength: 96 });
+  const artifactPrefix = `artifacts/${safeTaskId}/`;
+  const resolvedFiles = [];
+  const seen = new Set;
+  for (const file of collectRepoPendingFiles(projectRoot, repoRoot)) {
+    if (!file.startsWith(artifactPrefix)) {
+      continue;
+    }
+    const artifactRelativePath = file.slice(artifactPrefix.length);
+    if (!TASK_ARTIFACT_STAGE_FALLBACK.has(artifactRelativePath)) {
+      continue;
+    }
+    if (seen.has(file) || pathResolvesBeyondSymlink(repoRoot, file)) {
+      continue;
+    }
+    seen.add(file);
+    resolvedFiles.push(file);
+  }
+  return resolvedFiles.sort();
+}
+function collectRepoPendingFiles(projectRoot, repoRoot) {
+  const files = new Set;
+  for (const args of [
+    ["diff", "--name-only"],
+    ["diff", "--cached", "--name-only"],
+    ["ls-files", "--others", "--exclude-standard"]
+  ]) {
+    const result = runCapture(gitCmd(projectRoot, repoRoot, ...args), projectRoot);
+    if (result.exitCode !== 0) {
+      continue;
+    }
+    for (const line of result.stdout.split(/\r?\n/)) {
+      const normalized = normalizeChangedFilePath(line);
+      if (!normalized) {
+        continue;
+      }
+      files.add(normalized);
+    }
+  }
+  return [...files].sort();
+}
+function resolveScopedRepoPath(repoRoot, file) {
+  const normalized = normalizeChangedFilePath(file);
+  if (!normalized) {
+    return "";
+  }
+  const rules = getScopeRules();
+  if (rules?.stripPrefixes) {
+    let result = normalized;
+    for (const prefix of rules.stripPrefixes) {
+      if (result.startsWith(prefix)) {
+        result = result.slice(prefix.length);
+      }
+    }
+    return result;
+  }
+  return normalized;
+}
+function repoHasPathChange(projectRoot, repoRoot, relativePath) {
+  const result = runCapture(gitCmd(projectRoot, repoRoot, "status", "--short", "--", relativePath), projectRoot);
+  return result.exitCode === 0 && result.stdout.trim().length > 0;
+}
+function stageExcludePathspecs(repoRoot) {
+  const patterns = existsSync3(resolve2(repoRoot, ".rig", "task-config.json")) ? [...TASK_RUNTIME_STAGE_EXCLUDES, ...GENERATED_STAGE_EXCLUDES] : [".rig/**", ...GENERATED_STAGE_EXCLUDES];
+  return patterns.map((pattern) => `:(glob,exclude)${pattern}`);
+}
+function pathResolvesBeyondSymlink(repoRoot, relativePath) {
+  const parts = relativePath.split("/").filter(Boolean);
+  if (parts.length <= 1) {
+    return false;
+  }
+  let current = repoRoot;
+  for (let index = 0;index < parts.length - 1; index += 1) {
+    current = resolve2(current, parts[index]);
+    try {
+      if (lstatSync(current).isSymbolicLink()) {
+        return true;
+      }
+    } catch {
+      return false;
+    }
+  }
+  return false;
+}
+function printRepoStatus(projectRoot, label, repo, expectedBranch) {
+  if (!existsSync3(resolve2(repo, ".git"))) {
+    console.log(`${label}: unavailable (${repo})`);
+    return;
+  }
+  const branch = branchName(projectRoot, repo);
+  const changes = changeCount(projectRoot, repo);
+  console.log(`${label}:`);
+  console.log(`  branch: ${branch || "unknown"}`);
+  console.log(`  changed files: ${changes}`);
+  if (expectedBranch && label !== "project-rig" && branch !== expectedBranch) {
+    console.log(`  warning: branch mismatch (expected ${expectedBranch})`);
+  }
+}
+function resolveTaskBranchId(projectRoot, taskId) {
+  if (/^bd-[a-z0-9-]+$/.test(taskId)) {
+    return taskId;
+  }
+  const normalizedTaskId = taskData().lookupTask(projectRoot, taskId);
+  if (normalizedTaskId) {
+    return normalizedTaskId;
+  }
+  const currentTask = taskData().currentTaskId(projectRoot);
+  if (currentTask && currentTask === taskId) {
+    return currentTask;
+  }
+  const runtimeIdFromEnv = (process.env.RIG_TASK_RUNTIME_ID || "").trim();
+  if (runtimeIdFromEnv.startsWith("task-") && runtimeIdFromEnv.length > "task-".length) {
+    return runtimeIdFromEnv.slice("task-".length);
+  }
+  try {
+    const runtimeIdFromContext = loadRuntimeContextFromEnv()?.runtimeId || "";
+    if (runtimeIdFromContext.startsWith("task-") && runtimeIdFromContext.length > "task-".length) {
+      return runtimeIdFromContext.slice("task-".length);
+    }
+  } catch {}
+  const artifactDir = taskData().artifactDirForId(projectRoot, taskId);
+  if (existsSync3(artifactDir)) {
+    return taskId;
+  }
+  throw new Error(`Unknown task id: ${taskId}`);
+}
+function branchName(projectRoot, repo) {
+  return runCapture(gitCmd(projectRoot, repo, "rev-parse", "--abbrev-ref", "HEAD"), projectRoot).stdout.trim();
+}
+function changeCount(projectRoot, repo) {
+  const status = runCapture(gitCmd(projectRoot, repo, "status", "--short"), projectRoot).stdout.trim();
+  return status ? status.split(/\r?\n/).filter(Boolean).length : 0;
+}
+function stagedChangeCount(projectRoot, repo) {
+  const staged = runCapture(gitCmd(projectRoot, repo, "diff", "--cached", "--name-only"), projectRoot).stdout.trim();
+  return staged ? staged.split(/\r?\n/).filter(Boolean).length : 0;
+}
+function runOrThrow(projectRoot, command, errorPrefix) {
+  const result = runCapture(command, projectRoot);
+  if (result.exitCode !== 0) {
+    throw new Error(`${errorPrefix}:
+${result.stderr || result.stdout}`);
+  }
+}
+function runCapture(command, cwd, projectRoot = cwd) {
+  return baseRunCapture(command, cwd, runtimeGitEnv(projectRoot));
+}
+function runtimeGitEnv(projectRoot) {
+  const { ctx, runtimeRoot } = resolveRuntimeMetadata(projectRoot);
+  const runtimeHome = runtimeRoot ? resolve2(runtimeRoot, "home") : "";
+  const runtimeTmp = runtimeRoot ? resolve2(runtimeRoot, "tmp") : "";
+  const runtimeCache = runtimeRoot ? resolve2(runtimeRoot, "cache") : "";
+  const runtimeKnownHosts = runtimeHome ? resolve2(runtimeHome, ".ssh", "known_hosts") : "";
+  const runtimeKey = runtimeHome ? resolve2(runtimeHome, ".ssh", "rig-agent-key") : "";
+  const env = {};
+  if (ctx?.workspaceDir) {
+    env.PROJECT_RIG_ROOT = projectRoot;
+    env.RIG_TASK_WORKSPACE = ctx.workspaceDir;
+    env.MONOREPO_ROOT = ctx.workspaceDir;
+    env.MONOREPO_MAIN_ROOT = resolveMonorepoRoot(projectRoot);
+  } else if (projectRoot) {
+    env.PROJECT_RIG_ROOT = projectRoot;
+  }
+  if (runtimeRoot) {
+    env.RIG_RUNTIME_HOME = runtimeRoot;
+  }
+  if (runtimeHome && existsSync3(runtimeHome)) {
+    env.HOME = runtimeHome;
+    env.OPENSSL_CONF = ensureRuntimeOpenSslConfig(runtimeHome);
+  }
+  if (runtimeTmp && existsSync3(runtimeTmp)) {
+    env.TMPDIR = runtimeTmp;
+  }
+  if (runtimeCache && existsSync3(runtimeCache)) {
+    env.XDG_CACHE_HOME = runtimeCache;
+  }
+  const workspaceSecrets = loadDotEnvSecrets(ctx?.workspaceDir || projectRoot, process.env);
+  for (const [key, value] of Object.entries(resolveRuntimeSecrets(process.env, workspaceSecrets))) {
+    if (key === "GITHUB_SSH_KEY" || !value) {
+      continue;
+    }
+    env[key] = value;
+  }
+  const rigGithubToken = process.env.RIG_GITHUB_TOKEN?.trim() || authStateToken(process.env) || "";
+  if (rigGithubToken && !env.GITHUB_TOKEN && !env.GH_TOKEN) {
+    env.GITHUB_TOKEN = rigGithubToken;
+  }
+  if (!env.GITHUB_TOKEN && env.GH_TOKEN) {
+    env.GITHUB_TOKEN = env.GH_TOKEN;
+  }
+  if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
+    env.GH_TOKEN = env.GITHUB_TOKEN;
+  }
+  if (!env.GREPTILE_GITHUB_TOKEN && env.GITHUB_TOKEN) {
+    env.GREPTILE_GITHUB_TOKEN = env.GITHUB_TOKEN;
+  }
+  const persistedSecrets = loadPersistedRuntimeSecrets(runtimeRoot);
+  for (const [key, value] of Object.entries(persistedSecrets)) {
+    if (!value)
+      continue;
+    if (!env[key]) {
+      env[key] = value;
+    }
+  }
+  if (!env.GITHUB_TOKEN && env.GH_TOKEN) {
+    env.GITHUB_TOKEN = env.GH_TOKEN;
+  }
+  if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
+    env.GH_TOKEN = env.GITHUB_TOKEN;
+  }
+  const gitHubToken = env.GITHUB_TOKEN || env.GH_TOKEN || env.RIG_GITHUB_TOKEN || rigGithubToken;
+  if (gitHubToken) {
+    env.RIG_GITHUB_TOKEN = gitHubToken;
+    env.GITHUB_TOKEN = env.GITHUB_TOKEN || gitHubToken;
+    env.GH_TOKEN = env.GH_TOKEN || gitHubToken;
+    applyGitHubCredentialHelperEnv(env);
+  }
+  if (runtimeKnownHosts && existsSync3(runtimeKnownHosts)) {
+    const sshParts = [
+      "ssh",
+      `-o UserKnownHostsFile="${runtimeKnownHosts}"`,
+      "-o StrictHostKeyChecking=yes",
+      "-F /dev/null"
+    ];
+    if (runtimeKey && existsSync3(runtimeKey)) {
+      sshParts.splice(1, 0, `-i "${runtimeKey}"`, "-o IdentitiesOnly=yes");
+    }
+    env.GIT_SSH_COMMAND = sshParts.join(" ");
+  } else if (process.env.GIT_SSH_COMMAND?.trim()) {
+    env.GIT_SSH_COMMAND = process.env.GIT_SSH_COMMAND;
+  }
+  return Object.keys(env).length > 0 ? env : undefined;
+}
+function applyGitHubCredentialHelperEnv(env) {
+  env.GIT_TERMINAL_PROMPT = "0";
+  env.GIT_CONFIG_COUNT = "2";
+  env.GIT_CONFIG_KEY_0 = "credential.helper";
+  env.GIT_CONFIG_VALUE_0 = "";
+  env.GIT_CONFIG_KEY_1 = "credential.helper";
+  env.GIT_CONFIG_VALUE_1 = '!f() { test "$1" = get || exit 0; token="${GITHUB_TOKEN:-${GH_TOKEN:-${RIG_GITHUB_TOKEN:-}}}"; test -n "$token" || exit 0; echo username=x-access-token; echo password="$token"; }; f';
+}
+function loadPersistedRuntimeSecrets(runtimeRoot) {
+  if (!runtimeRoot) {
+    return {};
+  }
+  const path = resolve2(runtimeRoot, "runtime-secrets.json");
+  if (!existsSync3(path)) {
+    return {};
+  }
+  try {
+    const parsed = JSON.parse(readFileSync2(path, "utf-8"));
+    const allowed = new Set(["GITHUB_TOKEN", "GH_TOKEN", "RIG_GITHUB_TOKEN"]);
+    const entries = Object.entries(parsed).filter((entry) => typeof entry[1] === "string" && allowed.has(entry[0]));
+    return Object.fromEntries(entries);
+  } catch {
+    return {};
+  }
+}
+function ensureRuntimeOpenSslConfig(runtimeHome) {
+  const sslDir = resolve2(runtimeHome, ".ssl");
+  const sslConfig = resolve2(sslDir, "openssl.cnf");
+  if (!existsSync3(sslDir)) {
+    mkdirSync(sslDir, { recursive: true });
+  }
+  if (!existsSync3(sslConfig)) {
+    writeFileSync(sslConfig, `# Rig runtime OpenSSL config placeholder
+`);
+  }
+  return sslConfig;
+}
+function resolveRuntimeMetadata(projectRoot) {
+  const contextFile = process.env.RIG_RUNTIME_CONTEXT_FILE?.trim();
+  const runtimeHome = process.env.RIG_RUNTIME_HOME?.trim();
+  let ctx = loadRuntimeContextFromEnv();
+  if (runtimeHome) {
+    return {
+      ctx,
+      runtimeRoot: runtimeHome
+    };
+  }
+  if (contextFile) {
+    return {
+      ctx,
+      runtimeRoot: dirname(resolve2(contextFile))
+    };
+  }
+  const inferredContextFile = findRuntimeContextFile(projectRoot);
+  if (existsSync3(inferredContextFile)) {
+    try {
+      ctx = loadRuntimeContext(inferredContextFile);
+    } catch {}
+    return {
+      ctx,
+      runtimeRoot: dirname(inferredContextFile)
+    };
+  }
+  return { ctx, runtimeRoot: "" };
+}
+function findRuntimeContextFile(startPath) {
+  let current = resolve2(startPath);
+  while (true) {
+    const candidate = resolve2(current, "runtime-context.json");
+    if (existsSync3(candidate)) {
+      return candidate;
+    }
+    const parent = dirname(current);
+    if (parent === current) {
+      return "";
+    }
+    current = parent;
+  }
+}
+var TASK_RUNTIME_STAGE_EXCLUDES, GENERATED_STAGE_EXCLUDES, TASK_ARTIFACT_STAGE_FALLBACK;
+var init_git_ops = __esm(() => {
+  init_task_data();
+  init_github_auth_env();
+  init_host_git();
+  TASK_RUNTIME_STAGE_EXCLUDES = [
+    ".rig/bin/**",
+    ".rig/cache/**",
+    ".rig/home/**",
+    ".rig/logs/**",
+    ".rig/runtime/**",
+    ".rig/session/**",
+    ".rig/state/**",
+    ".rig/runtime-context.json"
+  ];
+  GENERATED_STAGE_EXCLUDES = ["artifacts/*/runtime-snapshots/**"];
+  TASK_ARTIFACT_STAGE_FALLBACK = new Set([
+    "changed-files.txt",
+    "contract-changes.md",
+    "decision-log.md",
+    "git-state.txt",
+    "next-actions.md",
+    "pr-state.json",
+    "task-result.json",
+    "validation-summary.json"
+  ]);
+});
+
+// packages/bundle-default-lifecycle/src/control-plane/policy.ts
+import { existsSync as existsSync4, readFileSync as readFileSync3, statSync } from "fs";
+import { resolve as resolve3 } from "path";
 import {
-  collectPrReviewEvidence,
-  evaluateStrictPrMergeGate,
-  parseGreptileScore,
-  stripHtml
-} from "@rig/pr-review-plugin";
+  POLICY_VERSION
+} from "@rig/contracts";
+function defaultPolicy() {
+  return {
+    version: POLICY_VERSION,
+    mode: "enforce",
+    scope: { ...DEFAULT_SCOPE },
+    rules: [],
+    sandbox: { ...DEFAULT_SANDBOX },
+    isolation: { ...DEFAULT_ISOLATION },
+    completion: { ...DEFAULT_COMPLETION },
+    runtime_image: {
+      deps: { ...DEFAULT_RUNTIME_IMAGE.deps },
+      plugins_require_binaries: DEFAULT_RUNTIME_IMAGE.plugins_require_binaries
+    },
+    runtime_snapshot: { ...DEFAULT_RUNTIME_SNAPSHOT }
+  };
+}
+function seedPolicyFromContent(rawJson) {
+  try {
+    seededPolicyConfig = mergeWithDefaults(JSON.parse(rawJson));
+  } catch {
+    seededPolicyConfig = null;
+  }
+}
+function loadPolicy(projectRoot) {
+  if (seededPolicyConfig) {
+    return seededPolicyConfig;
+  }
+  const configPath = resolve3(projectRoot, "rig/policy/policy.json");
+  if (!existsSync4(configPath)) {
+    return defaultPolicy();
+  }
+  let mtimeMs;
+  try {
+    mtimeMs = statSync(configPath).mtimeMs;
+  } catch {
+    return defaultPolicy();
+  }
+  if (policyCache && policyCachePath === configPath && policyCache.mtimeMs === mtimeMs) {
+    return policyCache.config;
+  }
+  try {
+    const config = mergeWithDefaults(JSON.parse(readFileSync3(configPath, "utf-8")));
+    policyCache = { mtimeMs, config };
+    policyCachePath = configPath;
+    return config;
+  } catch {
+    return defaultPolicy();
+  }
+}
+function mergeWithDefaults(parsed) {
+  const base = defaultPolicy();
+  if (typeof parsed.mode === "string" && isValidMode(parsed.mode)) {
+    base.mode = parsed.mode;
+  }
+  if (parsed.scope && typeof parsed.scope === "object" && !Array.isArray(parsed.scope)) {
+    const scope = parsed.scope;
+    if (typeof scope.fail_closed === "boolean")
+      base.scope.fail_closed = scope.fail_closed;
+    if (typeof scope.harness_paths_exempt === "boolean")
+      base.scope.harness_paths_exempt = scope.harness_paths_exempt;
+    if (typeof scope.runtime_paths_exempt === "boolean")
+      base.scope.runtime_paths_exempt = scope.runtime_paths_exempt;
+  }
+  if (Array.isArray(parsed.rules)) {
+    base.rules = precompilePolicyRuleRegexes(parsed.rules.filter(isValidRule));
+  }
+  if (Array.isArray(parsed.deny) && base.rules.length === 0) {
+    base.rules = precompilePolicyRuleRegexes(migrateLegacyDeny(parsed.deny));
+  }
+  if (parsed.sandbox && typeof parsed.sandbox === "object" && !Array.isArray(parsed.sandbox)) {
+    const sandbox = parsed.sandbox;
+    if (typeof sandbox.mode === "string" && isValidMode(sandbox.mode))
+      base.sandbox.mode = sandbox.mode;
+    if (typeof sandbox.network === "boolean")
+      base.sandbox.network = sandbox.network;
+    if (Array.isArray(sandbox.read_deny))
+      base.sandbox.read_deny = sandbox.read_deny.filter((value) => typeof value === "string");
+    if (typeof sandbox.write_allow_from_runtime === "boolean")
+      base.sandbox.write_allow_from_runtime = sandbox.write_allow_from_runtime;
+  }
+  if (parsed.isolation && typeof parsed.isolation === "object" && !Array.isArray(parsed.isolation)) {
+    const isolation = parsed.isolation;
+    if (isolation.default_mode === "worktree")
+      base.isolation.default_mode = isolation.default_mode;
+    if (typeof isolation.repo_symlink_fallback === "boolean")
+      base.isolation.repo_symlink_fallback = isolation.repo_symlink_fallback;
+    if (typeof isolation.strict_provisioning === "boolean")
+      base.isolation.strict_provisioning = isolation.strict_provisioning;
+    if (typeof isolation.fail_closed_on_provision_error === "boolean")
+      base.isolation.fail_closed_on_provision_error = isolation.fail_closed_on_provision_error;
+  }
+  if (parsed.completion && typeof parsed.completion === "object" && !Array.isArray(parsed.completion)) {
+    const completion = parsed.completion;
+    if (typeof completion.derive_checks_from_scope === "boolean")
+      base.completion.derive_checks_from_scope = completion.derive_checks_from_scope;
+    if (Array.isArray(completion.checks))
+      base.completion.checks = completion.checks.filter((value) => typeof value === "string");
+    if (Array.isArray(completion.typescript_config_probe))
+      base.completion.typescript_config_probe = completion.typescript_config_probe.filter((value) => typeof value === "string");
+    if (Array.isArray(completion.eslint_config_probe))
+      base.completion.eslint_config_probe = completion.eslint_config_probe.filter((value) => typeof value === "string");
+  }
+  if (parsed.runtime_image && typeof parsed.runtime_image === "object" && !Array.isArray(parsed.runtime_image)) {
+    const runtimeImage = parsed.runtime_image;
+    if (runtimeImage.deps && typeof runtimeImage.deps === "object" && !Array.isArray(runtimeImage.deps)) {
+      const deps = runtimeImage.deps;
+      if (typeof deps.monorepo_install === "boolean")
+        base.runtime_image.deps.monorepo_install = deps.monorepo_install;
+      if (typeof deps.hp_next_install === "boolean")
+        base.runtime_image.deps.hp_next_install = deps.hp_next_install;
+    }
+    if (typeof runtimeImage.plugins_require_binaries === "boolean") {
+      base.runtime_image.plugins_require_binaries = runtimeImage.plugins_require_binaries;
+    }
+  }
+  if (parsed.runtime_snapshot && typeof parsed.runtime_snapshot === "object" && !Array.isArray(parsed.runtime_snapshot)) {
+    const runtimeSnapshot = parsed.runtime_snapshot;
+    if (typeof runtimeSnapshot.enabled === "boolean")
+      base.runtime_snapshot.enabled = runtimeSnapshot.enabled;
+  }
+  return base;
+}
+function isValidMode(value) {
+  return value === "off" || value === "observe" || value === "enforce";
+}
+function isValidRule(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value))
+    return false;
+  const rule = value;
+  return typeof rule.id === "string" && typeof rule.category === "string" && !!rule.match && typeof rule.match === "object";
+}
+function migrateLegacyDeny(deny) {
+  const rules = [];
+  for (const entry of deny) {
+    if (typeof entry.id !== "string")
+      continue;
+    const match = {};
+    if (typeof entry.pattern === "string")
+      match.pattern = entry.pattern;
+    if (typeof entry.regex === "string")
+      match.regex = entry.regex;
+    if (!match.pattern && !match.regex)
+      continue;
+    const rule = {
+      id: entry.id,
+      category: "command",
+      match,
+      action: entry.action === "warn" ? "warn" : "block"
+    };
+    if (typeof entry.reason === "string") {
+      rule.description = entry.reason;
+    }
+    rules.push(rule);
+  }
+  return rules;
+}
+function precompilePolicyRuleRegexes(rules) {
+  return rules.map((rule) => {
+    const compiled = { ...rule };
+    const matchRegex = compileRegex(rule.match?.regex);
+    const unlessRegex = compileRegex(rule.unless?.regex);
+    if (matchRegex) {
+      compiled.compiledRegex = matchRegex;
+    }
+    if (unlessRegex) {
+      compiled.compiledUnlessRegex = unlessRegex;
+    }
+    return compiled;
+  });
+}
+function compileRegex(pattern) {
+  if (!pattern)
+    return;
+  try {
+    return new RegExp(pattern);
+  } catch {
+    return;
+  }
+}
+var DEFAULT_SCOPE, DEFAULT_SANDBOX, DEFAULT_ISOLATION, DEFAULT_COMPLETION, DEFAULT_RUNTIME_IMAGE, DEFAULT_RUNTIME_SNAPSHOT, policyCache = null, policyCachePath = null, seededPolicyConfig = null;
+var init_policy = __esm(() => {
+  DEFAULT_SCOPE = {
+    fail_closed: true,
+    harness_paths_exempt: true,
+    runtime_paths_exempt: true
+  };
+  DEFAULT_SANDBOX = {
+    mode: "enforce",
+    network: true,
+    read_deny: [],
+    write_allow_from_runtime: true
+  };
+  DEFAULT_ISOLATION = {
+    default_mode: "worktree",
+    repo_symlink_fallback: false,
+    strict_provisioning: true,
+    fail_closed_on_provision_error: true
+  };
+  DEFAULT_COMPLETION = {
+    derive_checks_from_scope: true,
+    checks: [],
+    typescript_config_probe: ["tsconfig.json"],
+    eslint_config_probe: [".eslintrc.js", ".eslintrc.json", "eslint.config.js"]
+  };
+  DEFAULT_RUNTIME_IMAGE = {
+    deps: {
+      monorepo_install: false,
+      hp_next_install: false
+    },
+    plugins_require_binaries: true
+  };
+  DEFAULT_RUNTIME_SNAPSHOT = {
+    enabled: true
+  };
+});
+
+// packages/bundle-default-lifecycle/src/control-plane/verifier.ts
+import { existsSync as existsSync5, mkdirSync as mkdirSync2, writeFileSync as writeFileSync2 } from "fs";
+import { resolve as resolve4 } from "path";
+import { resolveRuntimeSecrets as resolveRuntimeSecrets2 } from "@rig/core/baked-secrets";
+import { loadRuntimeContextFromEnv as loadRuntimeContextFromEnv2 } from "@rig/core/runtime-context";
+import { nowIso as nowIso2, runCapture as runCapture2 } from "@rig/core/exec";
+import { resolveHarnessPaths } from "@rig/core/harness-paths";
+async function ensureMergeGate(projectRoot) {
+  mergeGateHolder = await resolvePrMergeGateService(projectRoot);
+  return mergeGateHolder;
+}
+function mg() {
+  if (!mergeGateHolder) {
+    throw new Error("PR merge-gate capability not resolved (verifyTask must run first).");
+  }
+  return mergeGateHolder;
+}
 async function verifyTask(options) {
+  await ensureMergeGate(options.projectRoot);
   const paths = resolveHarnessPaths(options.projectRoot);
   const taskId = options.taskId;
-  const normalizedTaskId = lookupTask(options.projectRoot, taskId);
-  const artifactDir = artifactDirForId(options.projectRoot, taskId);
-  mkdirSync(artifactDir, { recursive: true });
-  const validationSummaryPath = resolve2(artifactDir, "validation-summary.json");
-  const reviewFeedbackPath = resolve2(artifactDir, "review-feedback.md");
-  const reviewStatePath = resolve2(artifactDir, "review-state.json");
-  const greptileRawPath = resolve2(artifactDir, "review-greptile-raw.json");
+  const normalizedTaskId = taskData().lookupTask(options.projectRoot, taskId);
+  const artifactDir = taskData().artifactDirForId(options.projectRoot, taskId);
+  mkdirSync2(artifactDir, { recursive: true });
+  const validationSummaryPath = resolve4(artifactDir, "validation-summary.json");
+  const reviewFeedbackPath = resolve4(artifactDir, "review-feedback.md");
+  const reviewStatePath = resolve4(artifactDir, "review-state.json");
+  const greptileRawPath = resolve4(artifactDir, "review-greptile-raw.json");
   const prStates = readPrMetadata(options.projectRoot, taskId);
   const prState = prStates[0] || null;
   const localReasons = [];
@@ -692,7 +2308,7 @@ async function verifyTask(options) {
   if (!normalizedTaskId && !await hasConfiguredSourceTask(options.projectRoot, taskId)) {
     localReasons.push(`[Task Config] Unknown task id '${taskId}' in task-config or configured task source.`);
   }
-  if (!existsSync2(validationSummaryPath)) {
+  if (!existsSync5(validationSummaryPath)) {
     localReasons.push(`[Artifact Quality] validation-summary.json not found at ${validationSummaryPath}.`);
   } else {
     const summary = await parseValidationSummary(validationSummaryPath);
@@ -701,13 +2317,13 @@ async function verifyTask(options) {
     }
   }
   for (const file of ["task-result.json", "decision-log.md", "next-actions.md", "changed-files.txt"]) {
-    const requiredPath = resolve2(artifactDir, file);
-    if (!existsSync2(requiredPath)) {
+    const requiredPath = resolve4(artifactDir, file);
+    if (!existsSync5(requiredPath)) {
       localReasons.push(`[Artifact Quality] Missing required artifact file: ${requiredPath}`);
     }
   }
-  const taskResultPath = resolve2(artifactDir, "task-result.json");
-  if (existsSync2(taskResultPath)) {
+  const taskResultPath = resolve4(artifactDir, "task-result.json");
+  if (existsSync5(taskResultPath)) {
     const taskResult = await readJsonFile(taskResultPath);
     const artifactStatus = typeof taskResult?.status === "string" ? taskResult.status.trim().toLowerCase() : "";
     if (artifactStatus === "partial") {
@@ -720,8 +2336,8 @@ async function verifyTask(options) {
       localReasons.push("[Artifact Quality] task-result.json next actions indicate remaining implementation scope.");
     }
   }
-  const nextActionsPath = resolve2(artifactDir, "next-actions.md");
-  if (existsSync2(nextActionsPath)) {
+  const nextActionsPath = resolve4(artifactDir, "next-actions.md");
+  if (existsSync5(nextActionsPath)) {
     const nextActionsContent = await Bun.file(nextActionsPath).text();
     if (nextActionsContent.includes("TODO: Replace this scaffold") || nextActionsContent.includes("bd-<downstream-task-id>")) {
       localReasons.push("[Artifact Quality] next-actions.md still contains scaffold placeholder text. Replace with real recommendations.");
@@ -752,7 +2368,7 @@ async function verifyTask(options) {
       aiReasons.push(`[AI Review] Required mode needs a completed Greptile approval; current verdict is ${ai.verdict}.`);
     }
     if (persistArtifacts && ai.rawResponse) {
-      writeFileSync(greptileRawPath, `${ai.rawResponse}
+      writeFileSync2(greptileRawPath, `${ai.rawResponse}
 `, "utf-8");
     }
   } else if (!options.skipAiReview && reviewMode === "off") {
@@ -874,15 +2490,15 @@ function nextActionsIndicateRemainingScope(content) {
   return /^\s*- \[ \]/m.test(normalized) || /\b(remaining scope|still need|needs? to be implemented|not yet implemented|not implemented|follow[- ]?up required|blocked by|blocker:)\b/i.test(lower);
 }
 async function hasConfiguredSourceTask(projectRoot, taskId) {
-  return readConfiguredTaskSourceTask(projectRoot, taskId).then((result) => result.task !== null).catch(() => false);
+  return taskData().readConfiguredTaskSourceTask(projectRoot, taskId).then((result) => result.task !== null).catch(() => false);
 }
 function resolveGithubSourceIssueId(projectRoot, taskId) {
-  const fromRuntime = loadRuntimeContextFromEnv()?.sourceTask?.sourceIssueId;
+  const fromRuntime = loadRuntimeContextFromEnv2()?.sourceTask?.sourceIssueId;
   if (typeof fromRuntime === "string" && isGithubSourceIssueId(fromRuntime)) {
     return fromRuntime;
   }
   try {
-    const taskConfig = readTaskConfig(projectRoot);
+    const taskConfig = taskData().readTaskConfig(projectRoot);
     const entry = taskConfig[taskId];
     const sourceIssueId = typeof entry?.sourceIssueId === "string" ? entry.sourceIssueId : typeof entry?.source_issue_id === "string" ? entry.source_issue_id : null;
     if (sourceIssueId && isGithubSourceIssueId(sourceIssueId)) {
@@ -953,14 +2569,15 @@ function loadGithubPullRequestCloseoutSnapshot(projectRoot, prState) {
       "--json",
       "state,isDraft,mergeable,mergeStateStatus,reviewDecision,title,body,statusCheckRollup"
     ]);
+    const isDraft = booleanField(view, "isDraft");
     return {
-      state: stringField(view, "state"),
-      isDraft: booleanField(view, "isDraft"),
-      mergeable: stringField(view, "mergeable"),
-      mergeStateStatus: stringField(view, "mergeStateStatus"),
-      reviewDecision: stringField(view, "reviewDecision"),
-      title: stringField(view, "title"),
-      body: stringField(view, "body"),
+      ...objectField("state", stringField(view, "state")),
+      ...isDraft !== undefined ? { isDraft } : {},
+      ...objectField("mergeable", stringField(view, "mergeable")),
+      ...objectField("mergeStateStatus", stringField(view, "mergeStateStatus")),
+      ...objectField("reviewDecision", stringField(view, "reviewDecision")),
+      ...objectField("title", stringField(view, "title")),
+      ...objectField("body", stringField(view, "body")),
       statusCheckRollup: statusCheckRollupField(view, "statusCheckRollup"),
       reviewThreads: loadGithubReviewThreads(projectRoot, repoName, prNumber)
     };
@@ -1035,6 +2652,9 @@ function stringField(record, key) {
   const value = record[key];
   return typeof value === "string" ? value : undefined;
 }
+function objectField(key, value) {
+  return value === undefined ? {} : { [key]: value };
+}
 function booleanField(record, key) {
   const value = record[key];
   return typeof value === "boolean" ? value : undefined;
@@ -1091,7 +2711,7 @@ function isAcceptedValidationSummary(summary) {
   return summary.status === "skipped" && summary.total === 0 && summary.failed === 0;
 }
 async function loadReviewMode(reviewProfilePath, fallback) {
-  const parsed = existsSync2(reviewProfilePath) ? await readJsonFile(reviewProfilePath) : null;
+  const parsed = existsSync5(reviewProfilePath) ? await readJsonFile(reviewProfilePath) : null;
   const mode = parsed?.mode;
   if (mode === "off" || mode === "advisory" || mode === "required") {
     return mode;
@@ -1102,7 +2722,7 @@ async function loadReviewMode(reviewProfilePath, fallback) {
   return "advisory";
 }
 async function loadReviewProvider(reviewProfilePath, fallback) {
-  const parsed = existsSync2(reviewProfilePath) ? await readJsonFile(reviewProfilePath) : null;
+  const parsed = existsSync5(reviewProfilePath) ? await readJsonFile(reviewProfilePath) : null;
   const provider = parsed?.provider;
   if (typeof provider === "string" && provider.trim().length > 0) {
     return provider;
@@ -1111,7 +2731,7 @@ async function loadReviewProvider(reviewProfilePath, fallback) {
 }
 function resolveRepoSlug(projectRoot) {
   const paths = resolveHarnessPaths(projectRoot);
-  const remote = runCapture(["git", "-C", paths.monorepoRoot, "remote", "get-url", "origin"], projectRoot).stdout.trim() || runCapture(["git", "-C", projectRoot, "remote", "get-url", "origin"], projectRoot).stdout.trim();
+  const remote = runCapture2(["git", "-C", paths.monorepoRoot, "remote", "get-url", "origin"], projectRoot).stdout.trim() || runCapture2(["git", "-C", projectRoot, "remote", "get-url", "origin"], projectRoot).stdout.trim();
   if (!remote) {
     return "";
   }
@@ -1125,7 +2745,7 @@ function resolveRepoSlug(projectRoot) {
 async function runGreptileReview(options) {
   const reasons = [];
   const warnings = [];
-  const secrets = resolveRuntimeSecrets(process.env);
+  const secrets = resolveRuntimeSecrets2(process.env);
   const apiKey = secrets.GREPTILE_API_KEY || "";
   const apiBase = secrets.GREPTILE_API_BASE || "https://api.greptile.com/mcp";
   const remote = secrets.GREPTILE_REMOTE || "github";
@@ -1261,7 +2881,7 @@ function writeFeedbackFile(options) {
   if (options.aiRawFeedback) {
     lines.push("## Raw Reviewer Feedback", "", "```text", options.aiRawFeedback, "```", "");
   }
-  writeFileSync(options.output, `${lines.join(`
+  writeFileSync2(options.output, `${lines.join(`
 `)}
 `, "utf-8");
 }
@@ -1276,9 +2896,9 @@ function writeReviewStateFile(options) {
     local_reasons: options.localReasons,
     ai_reasons: options.aiReasons,
     ai_warnings: options.aiWarnings,
-    updated_at: nowIso()
+    updated_at: nowIso2()
   };
-  writeFileSync(options.output, `${JSON.stringify(payload, null, 2)}
+  writeFileSync2(options.output, `${JSON.stringify(payload, null, 2)}
 `, "utf-8");
 }
 async function runGreptileReviewForPr(options) {
@@ -1303,7 +2923,6 @@ async function runGreptileReviewForPr(options) {
       taskId: options.taskId,
       prState: options.prState,
       reviewMode: options.reviewMode,
-      infrastructureError: undefined,
       pollAttempts: options.pollAttempts,
       pollIntervalMs: options.pollIntervalMs
     });
@@ -1431,7 +3050,7 @@ async function runGreptileReviewForPr(options) {
   });
   const actionableComments = filterActionableGreptileComments(commentsPayload.comments || []);
   const reviewBody = reviewDetails.codeReview?.body || "";
-  const score = parseGreptileScore(reviewBody);
+  const score = mg().parseGreptileScore(reviewBody);
   const feedback = [
     `## ${options.prState.repoLabel || repoName} PR Review`,
     "",
@@ -1439,7 +3058,7 @@ async function runGreptileReviewForPr(options) {
     `- Review ID: ${selectedReview.id}`,
     `- Status: ${selectedReview.status}`,
     "",
-    reviewBody ? stripHtml(reviewBody).trim() : "Greptile completed without summary body."
+    reviewBody ? mg().stripHtml(reviewBody).trim() : "Greptile completed without summary body."
   ].filter(Boolean).join(`
 `);
   if (actionableComments.length > 0) {
@@ -1460,7 +3079,7 @@ async function runGreptileReviewForPr(options) {
       }
     };
   }
-  const blockerScanBody = stripHtml(reviewBody).replace(/\b(?:no|without|zero)\s+blockers?\b/gi, " ").replace(/\bno\s+changes\s+requested\b/gi, " ");
+  const blockerScanBody = mg().stripHtml(reviewBody).replace(/\b(?:no|without|zero)\s+blockers?\b/gi, " ").replace(/\bno\s+changes\s+requested\b/gi, " ");
   if (/not safe(?: to merge)?|unsafe(?: to merge)?|do not merge|cannot merge|blockers?|must fix|changes requested|please fix|needs? fix|fix this|address this|\breject(?:ed|ion)?\b|\bskip(?:ped)?\b|status\s*:\s*(?:reject(?:ed)?|skip(?:ped)?|failed)/i.test(blockerScanBody)) {
     reasons.push(`[AI Review] ${repoName}#${prNumber} summary indicates the PR is not safe to merge.`);
     return {
@@ -1508,7 +3127,7 @@ async function runGreptileReviewForPr(options) {
         status: selectedReview.status
       }]
     });
-    strictGate = evaluateStrictPrMergeGate(strictEvidence);
+    strictGate = mg().evaluateGate(strictEvidence);
   } catch (error) {
     reasons.push(`[AI Review] Strict Greptile evidence collection failed for ${repoName}#${prNumber}: ${error instanceof Error ? error.message : String(error)}`);
     return {
@@ -1635,7 +3254,7 @@ async function runGithubGreptileFallbackReviewForPr(options) {
     fallbackReview?.html_url ? `- Review: ${fallbackReview.html_url}` : "",
     fallbackReview?.state ? `- Status: ${fallbackReview.state}` : "",
     "",
-    fallbackReview?.body?.trim() ? stripHtml(fallbackReview.body).trim() : "Greptile MCP was unavailable, so verification used GitHub review threads instead."
+    fallbackReview?.body?.trim() ? mg().stripHtml(fallbackReview.body).trim() : "Greptile MCP was unavailable, so verification used GitHub review threads instead."
   ].filter(Boolean).join(`
 `);
   const warnings = buildGithubGreptileFallbackWarnings(options);
@@ -1658,7 +3277,7 @@ async function runGithubGreptileFallbackReviewForPr(options) {
       taskId: options.taskId,
       prUrl
     });
-    strictGate = evaluateStrictPrMergeGate(strictEvidence);
+    strictGate = mg().evaluateGate(strictEvidence);
   } catch (error) {
     return {
       verdict: "REJECT",
@@ -1883,7 +3502,7 @@ function loadGithubPullRequestState(projectRoot, repoName, prNumber) {
   ]);
   return {
     state: response.state || "",
-    merged: response.merged,
+    ...response.merged !== undefined ? { merged: response.merged } : {},
     merged_at: response.merged_at ?? null
   };
 }
@@ -1901,7 +3520,7 @@ function parsePullRequestNumber(url) {
   return match ? Number.parseInt(match[1] || "0", 10) : 0;
 }
 function runGhJson(projectRoot, args) {
-  const result = runCapture(["gh", ...args], projectRoot);
+  const result = runCapture2(["gh", ...args], projectRoot);
   if (result.exitCode !== 0) {
     throw new Error(result.stderr || result.stdout || `gh ${args.join(" ")} failed`);
   }
@@ -1912,7 +3531,7 @@ function runGhJson(projectRoot, args) {
   }
 }
 async function collectStrictPrEvidenceForVerifier(input) {
-  return collectPrReviewEvidence({
+  return mg().collectEvidence({
     projectRoot: input.projectRoot,
     prUrl: input.prUrl,
     taskId: input.taskId,
@@ -1920,7 +3539,7 @@ async function collectStrictPrEvidenceForVerifier(input) {
     cycle: 0,
     apiSignals: input.apiSignals ?? [],
     command: async (args, options) => {
-      const result = runCapture(["gh", ...args], options?.cwd ?? input.projectRoot);
+      const result = runCapture2(["gh", ...args], options?.cwd ?? input.projectRoot);
       return { exitCode: result.exitCode, stdout: result.stdout, stderr: result.stderr };
     }
   });
@@ -1933,11 +3552,11 @@ function deriveRepoName(projectRoot, prState) {
   if (prState.target === "monorepo") {
     return resolveRepoSlug(projectRoot);
   }
-  return runCapture(["gh", "repo", "view", "--json", "nameWithOwner", "--jq", ".nameWithOwner"], projectRoot).stdout.trim();
+  return runCapture2(["gh", "repo", "view", "--json", "nameWithOwner", "--jq", ".nameWithOwner"], projectRoot).stdout.trim();
 }
 function resolvePrHeadSha(projectRoot, prState) {
   const repoRoot = resolvePrRepoRoot(projectRoot, prState);
-  return runCapture(["git", "-C", repoRoot, "rev-parse", "HEAD"], projectRoot).stdout.trim();
+  return runCapture2(["git", "-C", repoRoot, "rev-parse", "HEAD"], projectRoot).stdout.trim();
 }
 function isGreptileGithubLogin(login) {
   const normalized = (login || "").toLowerCase().replace(/\[bot\]$/, "");
@@ -2077,7 +3696,7 @@ function filterActionableGithubGreptileThreads(threads) {
 }
 function resolvePrRepoRoot(projectRoot, prState) {
   const runtimeWorkspace = process.env.RIG_TASK_WORKSPACE?.trim();
-  if (prState.target === "monorepo" && runtimeWorkspace && existsSync2(resolve2(runtimeWorkspace, ".git"))) {
+  if (prState.target === "monorepo" && runtimeWorkspace && existsSync5(resolve4(runtimeWorkspace, ".git"))) {
     return runtimeWorkspace;
   }
   const paths = resolveHarnessPaths(projectRoot);
@@ -2088,10 +3707,10 @@ function isCommitAncestorOfPrHead(projectRoot, prState, reviewedCommit, headComm
     return false;
   }
   const repoRoot = resolvePrRepoRoot(projectRoot, prState);
-  return runCapture(["git", "-C", repoRoot, "merge-base", "--is-ancestor", reviewedCommit, headCommit], projectRoot).exitCode === 0;
+  return runCapture2(["git", "-C", repoRoot, "merge-base", "--is-ancestor", reviewedCommit, headCommit], projectRoot).exitCode === 0;
 }
 function summarizeComment(input) {
-  const text = stripHtml(input).replace(/\s+/g, " ").trim();
+  const text = mg().stripHtml(input).replace(/\s+/g, " ").trim();
   return text.length > 160 ? `${text.slice(0, 157)}...` : text;
 }
 function asGreptileInfrastructureWarning(reason) {
@@ -2106,7 +3725,12 @@ function isAiReviewApproved(input) {
   }
   return input.aiVerdict === "APPROVE" && input.aiReasons.length === 0;
 }
-var init_verifier = () => {};
+var mergeGateHolder = null;
+var init_verifier = __esm(() => {
+  init_git_ops();
+  init_task_data();
+  init_pr_merge_gate_cap();
+});
 
 // packages/bundle-default-lifecycle/src/control-plane/completion-verification.ts
 var exports_completion_verification = {};
@@ -2115,43 +3739,33 @@ __export(exports_completion_verification, {
   formatCompletionBlockedMessage: () => formatCompletionBlockedMessage,
   closeCompletedTaskSource: () => closeCompletedTaskSource
 });
-import { appendFileSync, existsSync as existsSync3, mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "fs";
-import { resolve as resolve3 } from "path";
-import { safePathSegment } from "@rig/shared/safe-identifiers";
+import { appendFileSync, existsSync as existsSync6, mkdirSync as mkdirSync3, readFileSync as readFileSync4, writeFileSync as writeFileSync3 } from "fs";
+import { resolve as resolve5 } from "path";
+import { safePathSegment as safePathSegment2 } from "@rig/core/safe-identifiers";
 import {
-  escapeRegExp,
+  escapeRegExp as escapeRegExp2,
   resolveBunCli,
   resolveBunCliInvocation,
   resolveTaskScopes,
   resolvePolicyContent
 } from "@rig/hook-kit";
-import { loadPolicy, seedPolicyFromContent } from "@rig/runtime/control-plane/runtime/guard";
-import { gitCommit, gitMergePr, gitOpenPr, readPrMetadata as readPrMetadata2, resolveTaskBranchRef } from "@rig/runtime/control-plane/native/git-ops";
-import { runStrictPrMergeGate as runStrictPrMergeGate2 } from "@rig/pr-review-plugin";
-import { strictMergeHeadShaFromGate as strictMergeHeadShaFromGate2 } from "@rig/contracts";
-import { changedFilesForTask, pendingFilesForTask, taskArtifacts, taskValidate as taskValidate2 } from "@rig/runtime/control-plane/native/task-ops";
-import { currentTaskId } from "@rig/runtime/control-plane/native/task-state";
-import { resolveHarnessPaths as resolveHarnessPaths2, runCapture as runCapture2 } from "@rig/runtime/control-plane/native/utils";
-import { readSourceAwareTaskStatus } from "@rig/runtime/control-plane/tasks/source-aware-task-config-source";
-import {
-  buildTaskRunLifecycleComment,
-  updateConfiguredTaskSourceTask
-} from "@rig/runtime/control-plane/tasks/source-lifecycle";
-import { buildPluginHostContext as buildPluginHostContext2 } from "@rig/runtime/control-plane/plugin-host-context";
+import { runCapture as runCapture3 } from "@rig/core/exec";
+import { resolveHarnessPaths as resolveHarnessPaths2 } from "@rig/core/harness-paths";
+import { buildPluginHostContext } from "@rig/core/plugin-host-context";
 async function closeCompletedTaskSource(projectRoot, taskId) {
-  const comment = buildTaskRunLifecycleComment({
+  const comment = taskData().buildTaskRunLifecycleComment({
     runId: process.env.RIG_SERVER_RUN_ID || taskId,
     status: "closed",
     summary: "Rig completion verification approved and closed this task.",
-    runtimeWorkspace: process.env.RIG_TASK_WORKSPACE,
-    logsDir: process.env.RIG_LOGS_DIR,
-    sessionDir: process.env.RIG_SESSION_FILE
+    ...process.env.RIG_TASK_WORKSPACE !== undefined ? { runtimeWorkspace: process.env.RIG_TASK_WORKSPACE } : {},
+    ...process.env.RIG_LOGS_DIR !== undefined ? { logsDir: process.env.RIG_LOGS_DIR } : {},
+    ...process.env.RIG_SESSION_FILE !== undefined ? { sessionDir: process.env.RIG_SESSION_FILE } : {}
   });
-  const result = await updateConfiguredTaskSourceTask(projectRoot, {
+  const result = await taskData().updateConfiguredTaskSourceTask(projectRoot, {
     taskId,
     update: { status: "closed", comment }
   });
-  const status = result.status ?? await readSourceAwareTaskStatus(projectRoot, result.taskId);
+  const status = result.status ?? await taskData().readSourceAwareTaskStatus(projectRoot, result.taskId);
   if (!result.updated && status == null) {
     return {
       ok: true,
@@ -2171,7 +3785,7 @@ function isClosedStatus(status) {
 }
 async function runCompletionVerificationGate(projectRoot) {
   seedPolicyFromContent(resolvePolicyContent(projectRoot));
-  const taskId = currentTaskId(projectRoot);
+  const taskId = taskData().currentTaskId(projectRoot);
   if (!taskId) {
     return { ok: true };
   }
@@ -2180,7 +3794,7 @@ async function runCompletionVerificationGate(projectRoot) {
   let sourceCloseoutAllowed = false;
   console.log(`=== Completion Verification: ${taskId} ===`);
   const scopes = await resolveTaskScopes(projectRoot, taskId);
-  const taskChangedFiles = changedFilesForTask(projectRoot, taskId, true);
+  const taskChangedFiles = taskData().changedFilesForTask(projectRoot, taskId, true);
   const sourceInArtifacts = taskChangedFiles.filter((file) => /^artifacts\//.test(file) && /\.(ts|tsx|js|jsx|mjs|cjs)$/.test(file));
   if (sourceInArtifacts.length > 0) {
     console.log(`
@@ -2193,13 +3807,13 @@ async function runCompletionVerificationGate(projectRoot) {
     }
     failed = true;
   }
-  const pluginHostCtx = await buildPluginHostContext2(projectRoot).catch((error) => {
+  const pluginHostCtx = await buildPluginHostContext(projectRoot).catch((error) => {
     console.warn(`[completion-verification] plugin host unavailable for validators: ${error instanceof Error ? error.message : String(error)}`);
     return null;
   });
   console.log(`
 [1/3] Task validation...`);
-  if (!await taskValidate2(projectRoot, taskId, pluginHostCtx?.validatorRegistry ?? undefined)) {
+  if (!await taskData().taskValidate(projectRoot, taskId, pluginHostCtx?.validatorRegistry ?? undefined)) {
     console.log(`FAIL: Validation failed for ${taskId}`);
     failed = true;
   } else {
@@ -2212,7 +3826,7 @@ async function runCompletionVerificationGate(projectRoot) {
       failed = true;
     }
   }
-  taskArtifacts(projectRoot, taskId);
+  taskData().taskArtifacts(projectRoot, taskId);
   const policy = loadPolicy(projectRoot);
   const openPrEnabled = policy.completion.checks.includes("open-pr");
   const autoMergeEnabled = policy.completion.checks.includes("auto-merge");
@@ -2239,7 +3853,7 @@ async function runCompletionVerificationGate(projectRoot) {
   } else {
     console.log("Verifier preflight: skipped (earlier checks failed)");
   }
-  const pendingTaskChangedFiles = pendingFilesForTask(projectRoot, taskId, true);
+  const pendingTaskChangedFiles = taskData().pendingFilesForTask(projectRoot, taskId, true);
   const hasLocalChanges = pendingTaskChangedFiles.length > 0;
   console.log(`
 [post] Auto-committing task changes...`);
@@ -2312,14 +3926,15 @@ async function runCompletionVerificationGate(projectRoot) {
     console.log(`
 [post] Auto-merge...`);
     try {
-      const prs = readPrMetadata2(projectRoot, taskId);
+      const prs = readPrMetadata(projectRoot, taskId);
       if (prs.length === 0) {
         console.log("Auto-merge: skipped (no PR metadata found)");
       } else {
+        const mergeGate = await resolvePrMergeGateService(projectRoot);
         let cycle = 0;
         for (const pr of prs) {
           cycle += 1;
-          const gate = await runStrictPrMergeGate2({
+          const gate = await mergeGate.runGate({
             projectRoot,
             prUrl: pr.url,
             taskId,
@@ -2327,7 +3942,7 @@ async function runCompletionVerificationGate(projectRoot) {
             cycle,
             final: true,
             command: async (args, options) => {
-              const result = runCapture2(["gh", ...args], options?.cwd ?? projectRoot);
+              const result = runCapture3(["gh", ...args], options?.cwd ?? projectRoot);
               return { exitCode: result.exitCode, stdout: result.stdout, stderr: result.stderr };
             }
           });
@@ -2344,7 +3959,7 @@ async function runCompletionVerificationGate(projectRoot) {
             pr,
             method: "squash",
             deleteBranch: true,
-            matchHeadCommit: strictMergeHeadShaFromGate2(gate, pr.url)
+            matchHeadCommit: mergeGate.resolveHeadSha({ result: gate, prUrl: pr.url })
           });
           if (mergeResult.status === "merged" || mergeResult.status === "already-merged") {
             console.log(`OK: PR merge confirmed (${pr.repoLabel}): ${pr.url}`);
@@ -2364,9 +3979,9 @@ async function runCompletionVerificationGate(projectRoot) {
     console.log(`
 [post] Auto-merge: skipped (not in policy completion.checks)`);
   }
-  const artifactDir = resolve3(paths.artifactsDir, safePathSegment(taskId, { fallback: "task", maxLength: 96 }));
-  mkdirSync2(artifactDir, { recursive: true });
-  writeFileSync2(resolve3(artifactDir, "review-status.txt"), failed ? `REJECTED
+  const artifactDir = resolve5(paths.artifactsDir, safePathSegment2(taskId, { fallback: "task", maxLength: 96 }));
+  mkdirSync3(artifactDir, { recursive: true });
+  writeFileSync3(resolve5(artifactDir, "review-status.txt"), failed ? `REJECTED
 ` : `APPROVED
 `, "utf-8");
   if (!failed) {
@@ -2416,8 +4031,8 @@ async function runBunTool(args, cwd) {
   };
 }
 async function runProtoQualityGate(monorepoRoot) {
-  const protosDir = resolve3(monorepoRoot, "packages", "protos");
-  if (!existsSync3(protosDir)) {
+  const protosDir = resolve5(monorepoRoot, "packages", "protos");
+  if (!existsSync6(protosDir)) {
     console.log(`FAIL: Proto workspace not found at ${protosDir}`);
     return false;
   }
@@ -2444,7 +4059,7 @@ async function runProtoQualityGate(monorepoRoot) {
     console.log(generate.stderr || generate.stdout);
     ok = false;
   } else {
-    const drift = runCapture2(["git", "-C", protosDir, "status", "--porcelain", "--", "gen/ts"], monorepoRoot);
+    const drift = runCapture3(["git", "-C", protosDir, "status", "--porcelain", "--", "gen/ts"], monorepoRoot);
     if (drift.exitCode !== 0) {
       console.log("FAIL: Could not inspect generated proto drift");
       console.log(drift.stderr || drift.stdout);
@@ -2465,12 +4080,12 @@ async function runProtoQualityGate(monorepoRoot) {
   } else {
     console.log("OK: Generated TypeScript compiles");
   }
-  const workflowPath = resolve3(monorepoRoot, ".github", "workflows", "pull-request-gate.yml");
-  if (!existsSync3(workflowPath)) {
+  const workflowPath = resolve5(monorepoRoot, ".github", "workflows", "pull-request-gate.yml");
+  if (!existsSync6(workflowPath)) {
     console.log(`FAIL: Missing workflow gate file at ${workflowPath}`);
     ok = false;
   } else {
-    const workflow = readFileSync2(workflowPath, "utf-8");
+    const workflow = readFileSync4(workflowPath, "utf-8");
     if (workflow.includes("if: false && needs.detect.outputs.protos_changed == 'true'")) {
       console.log("FAIL: Proto quality CI gate is disabled in pull-request-gate.yml");
       ok = false;
@@ -2481,13 +4096,13 @@ async function runProtoQualityGate(monorepoRoot) {
   return ok;
 }
 function repoHasRemoteRelevantCommits(projectRoot, repoRoot) {
-  const unpushed = runCapture2(["git", "-C", repoRoot, "log", "@{u}..HEAD", "--oneline"], projectRoot);
+  const unpushed = runCapture3(["git", "-C", repoRoot, "log", "@{u}..HEAD", "--oneline"], projectRoot);
   if (unpushed.exitCode === 0 && unpushed.stdout.trim().length > 0)
     return true;
   if (unpushed.exitCode !== 0) {
-    const branch = runCapture2(["git", "-C", repoRoot, "rev-parse", "--abbrev-ref", "HEAD"], projectRoot);
+    const branch = runCapture3(["git", "-C", repoRoot, "rev-parse", "--abbrev-ref", "HEAD"], projectRoot);
     if (branch.exitCode === 0 && branch.stdout.trim()) {
-      const remote = runCapture2(["git", "-C", repoRoot, "ls-remote", "--exit-code", "origin", `refs/heads/${branch.stdout.trim()}`], projectRoot);
+      const remote = runCapture3(["git", "-C", repoRoot, "ls-remote", "--exit-code", "origin", `refs/heads/${branch.stdout.trim()}`], projectRoot);
       if (remote.exitCode !== 0)
         return true;
     }
@@ -2496,10 +4111,10 @@ function repoHasRemoteRelevantCommits(projectRoot, repoRoot) {
 }
 function repoHasPublishedTaskBranch(projectRoot, repoRoot, taskId) {
   const branchRef = resolveTaskBranchRef(projectRoot, taskId);
-  return runCapture2(["git", "-C", repoRoot, "ls-remote", "--exit-code", "origin", `refs/heads/${branchRef}`], projectRoot).exitCode === 0;
+  return runCapture3(["git", "-C", repoRoot, "ls-remote", "--exit-code", "origin", `refs/heads/${branchRef}`], projectRoot).exitCode === 0;
 }
 async function readJsonFileIfPresent(path) {
-  if (!existsSync3(path)) {
+  if (!existsSync6(path)) {
     return null;
   }
   try {
@@ -2510,9 +4125,9 @@ async function readJsonFileIfPresent(path) {
 }
 async function recordVerifierFailure(projectRoot, taskId, paths) {
   const failedApproachesPath = paths.failedApproachesPath;
-  const artifactDir = resolve3(paths.artifactsDir, safePathSegment(taskId, { fallback: "task", maxLength: 96 }));
-  const reviewStatePath = resolve3(artifactDir, "review-state.json");
-  const reviewFeedbackPath = resolve3(artifactDir, "review-feedback.md");
+  const artifactDir = resolve5(paths.artifactsDir, safePathSegment2(taskId, { fallback: "task", maxLength: 96 }));
+  const reviewStatePath = resolve5(artifactDir, "review-state.json");
+  const reviewFeedbackPath = resolve5(artifactDir, "review-feedback.md");
   let summary = "Verifier rejected completion. Read review-feedback.md for required fixes.";
   const parsedReviewState = await readJsonFileIfPresent(reviewStatePath);
   if (parsedReviewState) {
@@ -2522,12 +4137,12 @@ async function recordVerifierFailure(projectRoot, taskId, paths) {
     }
   }
   let attempts = 1;
-  if (existsSync3(failedApproachesPath)) {
-    const content = readFileSync2(failedApproachesPath, "utf-8");
-    attempts = (content.match(new RegExp(`^## ${escapeRegExp(taskId)}\\b`, "gm")) || []).length + 1;
+  if (existsSync6(failedApproachesPath)) {
+    const content = readFileSync4(failedApproachesPath, "utf-8");
+    attempts = (content.match(new RegExp(`^## ${escapeRegExp2(taskId)}\\b`, "gm")) || []).length + 1;
   } else {
-    mkdirSync2(resolve3(failedApproachesPath, ".."), { recursive: true });
-    writeFileSync2(failedApproachesPath, `# Failed Approaches
+    mkdirSync3(resolve5(failedApproachesPath, ".."), { recursive: true });
+    writeFileSync3(failedApproachesPath, `# Failed Approaches
 
 `, "utf-8");
   }
@@ -2551,7 +4166,7 @@ async function recordTaskRepoCommits(projectRoot, taskId, paths) {
     statePaths.add(resolveHarnessPaths2(hostProjectRoot).taskRepoCommitsPath);
   }
   const repos = {};
-  const monoHead = runCapture2(["git", "-C", paths.monorepoRoot, "rev-parse", "HEAD"], projectRoot).stdout.trim();
+  const monoHead = runCapture3(["git", "-C", paths.monorepoRoot, "rev-parse", "HEAD"], projectRoot).stdout.trim();
   if (monoHead) {
     repos["monorepo"] = monoHead;
   }
@@ -2565,13 +4180,17 @@ async function recordTaskRepoCommits(projectRoot, taskId, paths) {
       recorded_at: new Date().toISOString(),
       repos
     };
-    mkdirSync2(resolve3(statePath, ".."), { recursive: true });
-    writeFileSync2(statePath, `${JSON.stringify(state, null, 2)}
+    mkdirSync3(resolve5(statePath, ".."), { recursive: true });
+    writeFileSync3(statePath, `${JSON.stringify(state, null, 2)}
 `, "utf-8");
   }
 }
 var init_completion_verification = __esm(() => {
+  init_policy();
+  init_git_ops();
+  init_pr_merge_gate_cap();
   init_verifier();
+  init_task_data();
 });
 
 // packages/bundle-default-lifecycle/src/control-plane/task-verify.ts
@@ -2579,9 +4198,8 @@ var exports_task_verify = {};
 __export(exports_task_verify, {
   taskVerify: () => taskVerify
 });
-import { currentTaskId as currentTaskId2 } from "@rig/runtime/control-plane/native/task-state";
 async function taskVerify(projectRoot, taskId) {
-  const activeTask = taskId || currentTaskId2(projectRoot);
+  const activeTask = taskId || taskData().currentTaskId(projectRoot);
   if (!activeTask) {
     throw new Error("No active task.");
   }
@@ -2606,107 +4224,13 @@ async function taskVerify(projectRoot, taskId) {
   return true;
 }
 var init_task_verify = __esm(() => {
+  init_task_data();
   init_verifier();
 });
 
-// packages/bundle-default-lifecycle/src/closeoutEquivalence.ts
-import { existsSync, readFileSync } from "fs";
-import { resolve } from "path";
-var CLOSEOUT_EQUIVALENCE_ARTIFACTS = [
-  "review-status.txt",
-  "review-feedback.md",
-  "review-state.json",
-  "pr-state.json",
-  "git-state.txt",
-  "validation-summary.json"
-];
-var CLOSEOUT_EQUIVALENCE_STATE_FILES = [
-  "task-repo-commits.json",
-  "failed_approaches.md"
-];
-function snapshotCloseoutArtifacts(input) {
-  const artifactRoot = input.artifactRoot ?? resolve(input.projectRoot, "artifacts", input.taskId);
-  const stateRoot = input.stateRoot ?? resolve(input.projectRoot, ".rig", "state");
-  const entries = [
-    ...CLOSEOUT_EQUIVALENCE_ARTIFACTS.map((name) => {
-      const path = resolve(artifactRoot, name);
-      return [name, existsSync(path) ? readFileSync(path, "utf-8") : null];
-    }),
-    ...CLOSEOUT_EQUIVALENCE_STATE_FILES.map((name) => {
-      const path = resolve(stateRoot, name);
-      return [name, existsSync(path) ? readFileSync(path, "utf-8") : null];
-    })
-  ];
-  return Object.fromEntries(entries);
-}
-function compareCloseoutEquivalence(input) {
-  const diffs = [];
-  for (const name of [...CLOSEOUT_EQUIVALENCE_ARTIFACTS, ...CLOSEOUT_EQUIVALENCE_STATE_FILES]) {
-    const imperative = input.imperative.artifacts[name];
-    const staged = input.staged.artifacts[name];
-    if (imperative !== staged) {
-      diffs.push({ kind: "artifact", path: name, imperative, staged });
-    }
-  }
-  const imperativeCalls = JSON.stringify(input.imperative.taskSourceCalls.map((call) => ({
-    method: call.method,
-    taskId: call.taskId,
-    status: call.status ?? null,
-    summary: call.summary ?? null
-  })));
-  const stagedCalls = JSON.stringify(input.staged.taskSourceCalls.map((call) => ({
-    method: call.method,
-    taskId: call.taskId,
-    status: call.status ?? null,
-    summary: call.summary ?? null
-  })));
-  if (imperativeCalls !== stagedCalls) {
-    diffs.push({ kind: "task-source", path: "task-source-calls", imperative: imperativeCalls, staged: stagedCalls });
-  }
-  const imperativeResult = JSON.stringify({
-    status: input.imperative.result.status,
-    prUrl: input.imperative.result.prUrl ?? null,
-    iterations: input.imperative.result.iterations,
-    feedback: [...input.imperative.result.feedback]
-  });
-  const stagedResult = JSON.stringify({
-    status: input.staged.result.status,
-    prUrl: input.staged.result.prUrl ?? null,
-    iterations: input.staged.result.iterations,
-    feedback: [...input.staged.result.feedback]
-  });
-  if (imperativeResult !== stagedResult) {
-    diffs.push({ kind: "result", path: "closeout-result", imperative: imperativeResult, staged: stagedResult });
-  }
-  return { equivalent: diffs.length === 0, diffs };
-}
-// packages/bundle-default-lifecycle/src/closeoutShadowHarness.ts
-function effectKey(effect) {
-  return effect === null ? null : JSON.stringify({ kind: effect.kind, target: effect.target, detail: effect.detail ?? null });
-}
-function compareCloseoutShadowRuns(input) {
-  const max = Math.max(input.imperative.effects.length, input.staged.effects.length);
-  const diffs = [];
-  for (let index = 0;index < max; index += 1) {
-    const imperative = input.imperative.effects[index] ?? null;
-    const staged = input.staged.effects[index] ?? null;
-    if (effectKey(imperative) !== effectKey(staged)) {
-      diffs.push({ index, imperative, staged });
-    }
-  }
-  return { equivalent: diffs.length === 0, diffs };
-}
-function assertCloseoutShadowEquivalent(input) {
-  const comparison = compareCloseoutShadowRuns(input);
-  if (!comparison.equivalent) {
-    const details = comparison.diffs.map((diff) => `#${diff.index}: imperative=${effectKey(diff.imperative) ?? "<missing>"} staged=${effectKey(diff.staged) ?? "<missing>"}`).join("; ");
-    throw new Error(`Closeout shadow side effects differ: ${details}`);
-  }
-  return comparison;
-}
 // packages/bundle-default-lifecycle/src/defaultPipeline.ts
-import { resolveKernelStages } from "@rig/kernel/resolver";
-import { createDefaultKernelPlugin } from "@rig/kernel/default-kernel";
+import { createDefaultKernelPlugin } from "@rig/kernel-seed/default-kernel";
+import { resolveKernelStages } from "@rig/kernel-seed/resolver";
 
 // packages/bundle-default-lifecycle/src/stages/types.ts
 function defineDefaultLifecycleStage(input) {
@@ -2742,6 +4266,9 @@ async function runCommitStage(input) {
 }
 
 // packages/bundle-default-lifecycle/src/stages/isolation.ts
+import { ISOLATION_BACKEND } from "@rig/contracts";
+import { defineCapability as defineCapability2 } from "@rig/core/capability";
+import { requireCapabilityForRoot } from "@rig/core/capability-loaders";
 var isolationStage = defineDefaultLifecycleStage({
   id: "isolation",
   kind: "transform",
@@ -2749,8 +4276,7 @@ var isolationStage = defineDefaultLifecycleStage({
   calls: ["ensureAgentRuntime"]
 });
 async function runIsolationStage(input) {
-  const { requireIsolationBackend } = await import("@rig/runtime/control-plane/isolation-backend-port");
-  const backend = await requireIsolationBackend(input.projectRoot);
+  const backend = await requireCapabilityForRoot(input.projectRoot, defineCapability2(ISOLATION_BACKEND), `No ISOLATION_BACKEND capability is registered for project root "${input.projectRoot}". ` + "Install @rig/isolation-plugin (it ships in the default bundle) so runtime provisioning can resolve a backend.");
   return await backend.ensureAgentRuntime(input);
 }
 
@@ -2773,8 +4299,9 @@ var mergeGateStage = defineDefaultLifecycleStage({
   calls: ["runStrictPrMergeGate"]
 });
 async function runMergeGateStage(input) {
-  const { runStrictPrMergeGate: runStrictPrMergeGate2 } = await import("@rig/pr-review-plugin");
-  return await runStrictPrMergeGate2({
+  const { resolvePrMergeGateService: resolvePrMergeGateService2 } = await Promise.resolve().then(() => (init_pr_merge_gate_cap(), exports_pr_merge_gate_cap));
+  const mergeGate = await resolvePrMergeGateService2(input.projectRoot);
+  return await mergeGate.runGate({
     projectRoot: input.projectRoot,
     prUrl: input.prUrl,
     taskId: input.taskId,
@@ -2985,40 +4512,29 @@ function formatDefaultPipelineShow(input = {}) {
 `);
 }
 // packages/bundle-default-lifecycle/src/pipelineCloseout.ts
-import { resolve as resolve4 } from "path";
-import { loadConfig as loadConfig2 } from "@rig/core/load-config";
-import { resolvePluginHost } from "@rig/core/project-plugins";
-import { createDefaultKernel } from "@rig/kernel/default-kernel";
-import { buildPluginHostContext as buildPluginHostContext3 } from "@rig/runtime/control-plane/plugin-host-context";
-
-// packages/bundle-default-lifecycle/src/native/in-process-closeout.ts
-init_pr_automation();
+import { resolve as resolve6 } from "path";
 import { loadConfig } from "@rig/core/load-config";
-import { buildPluginHostContext } from "@rig/runtime/control-plane/plugin-host-context";
-import { taskValidate } from "@rig/runtime/control-plane/native/task-ops";
-var CLOSEOUT_PHASES = new Set([
-  "queued",
-  "commit",
-  "push",
-  "pr-review-merge",
-  "pr-opened",
-  "merge",
-  "close-source",
-  "completed"
-]);
+import { resolvePluginHost as resolvePluginHost2 } from "@rig/core/project-plugins";
+import { createDefaultKernel } from "@rig/kernel-seed/default-kernel";
+import { buildPluginHostContext as buildPluginHostContext2 } from "@rig/core/plugin-host-context";
 
+// packages/bundle-default-lifecycle/src/native/in-process-closeout.ts
 class CloseoutValidationError extends Error {
   name = "CloseoutValidationError";
 }
 
 // packages/bundle-default-lifecycle/src/pipelineCloseout.ts
-import { taskValidate as taskValidate3 } from "@rig/runtime/control-plane/native/task-ops";
+init_task_data();
 
 // packages/bundle-default-lifecycle/src/plugin.ts
 import { definePlugin } from "@rig/core/config";
+import { defineCapability as defineCapability4 } from "@rig/core/capability";
 import {
-  COMPLETION_VERIFICATION_CAPABILITY_ID,
-  TASK_VERIFY_CAPABILITY_ID
+  COMPLETION_VERIFICATION_CAPABILITY,
+  LIFECYCLE_GIT_AGENT,
+  LIFECYCLE_TOOLCHAIN_SOURCES,
+  RUN_CLOSEOUT_CAPABILITY,
+  TASK_VERIFY_CAPABILITY
 } from "@rig/contracts";
 
 // packages/bundle-default-lifecycle/src/cli.ts
@@ -3093,7 +4609,46 @@ var defaultLifecycleCliCommands = [
   }
 ];
 
+// packages/bundle-default-lifecycle/src/native/closeout-runners.ts
+init_github_auth_env();
+function commandEnv(env) {
+  const token = resolveGitHubAuthToken(env);
+  return token ? { ...env, RIG_GITHUB_TOKEN: token, GH_TOKEN: token, GITHUB_TOKEN: token } : { ...env };
+}
+function createBunCommandRunner(binary, env) {
+  return async (args, options) => {
+    try {
+      const child = Bun.spawn([binary, ...args], {
+        ...options?.cwd !== undefined ? { cwd: options.cwd } : {},
+        env: commandEnv(env),
+        stdin: "ignore",
+        stdout: "pipe",
+        stderr: "pipe"
+      });
+      const [exitCode, stdout, stderr] = await Promise.all([
+        child.exited,
+        new Response(child.stdout).text(),
+        new Response(child.stderr).text()
+      ]);
+      return { exitCode, stdout, stderr };
+    } catch (error) {
+      return {
+        exitCode: 1,
+        stdout: "",
+        stderr: error instanceof Error ? error.message : String(error)
+      };
+    }
+  };
+}
+function createEnvCloseoutRunners(env = process.env) {
+  return {
+    command: createBunCommandRunner("gh", env),
+    gitCommand: createBunCommandRunner("git", env)
+  };
+}
+
 // packages/bundle-default-lifecycle/src/plugin.ts
+init_git_ops();
 var DEFAULT_LIFECYCLE_PLUGIN_ID = "@rig/bundle-default-lifecycle";
 var COMPLETION_VERIFICATION_HOOK_ID = "@rig/bundle-default-lifecycle:completion-verification";
 async function runCompletionGate(projectRoot) {
@@ -3117,26 +4672,85 @@ var LIFECYCLE_HOOKS = [
     handler: completionVerificationStopHandler
   }
 ];
+var TaskVerifyCap = defineCapability4(TASK_VERIFY_CAPABILITY);
+var CompletionVerificationCap = defineCapability4(COMPLETION_VERIFICATION_CAPABILITY);
+var RunCloseoutCap = defineCapability4(RUN_CLOSEOUT_CAPABILITY);
+var LifecycleGitAgentCap = defineCapability4(LIFECYCLE_GIT_AGENT);
+var ToolchainSourcesCap = defineCapability4(LIFECYCLE_TOOLCHAIN_SOURCES);
+var LIFECYCLE_TOOLCHAIN_SOURCE_CONTRIBUTION = {
+  hookBinaries: [
+    {
+      name: "inject-context",
+      source: "packages/bundle-default-lifecycle/src/control-plane/hooks/inject-context.ts"
+    },
+    {
+      name: "task-runtime-start",
+      source: "packages/bundle-default-lifecycle/src/control-plane/hooks/task-runtime-start.ts"
+    }
+  ]
+};
 var LIFECYCLE_CAPABILITIES = [
   { id: "default-lifecycle.pipeline", title: "Default lifecycle pipeline", commandId: DEFAULT_PIPELINE_CLI_ID },
   { id: "default-lifecycle.kernel-status", title: "Default kernel status", commandId: DEFAULT_KERNEL_CLI_ID },
-  {
-    id: TASK_VERIFY_CAPABILITY_ID,
+  TaskVerifyCap.provide(() => async (input) => {
+    const { taskVerify: taskVerify2 } = await Promise.resolve().then(() => (init_task_verify(), exports_task_verify));
+    return taskVerify2(input.projectRoot, input.taskId);
+  }, {
     title: "Task verification",
-    description: "Verify a task's changes (local checks + AI review) and report approval.",
-    run: async (input) => {
-      const { projectRoot, taskId } = input;
-      const { taskVerify: taskVerify2 } = await Promise.resolve().then(() => (init_task_verify(), exports_task_verify));
-      return taskVerify2(projectRoot, taskId);
+    description: "Verify a task's changes (local checks + AI review) and report approval."
+  }),
+  CompletionVerificationCap.provide(() => async (input) => runCompletionGate(input.projectRoot), {
+    title: "Completion verification gate",
+    description: "Run the full completion gate for the active task and report whether it passed."
+  }),
+  RunCloseoutCap.provide(() => async (input) => {
+    const closeout = await runPipelineCloseout({ ...input, ...createEnvCloseoutRunners(process.env) });
+    return closeout.result;
+  }, {
+    title: "Run closeout",
+    description: "Run the default lifecycle closeout driver for a completed OMP run."
+  }),
+  LifecycleGitAgentCap.provide(() => ({
+    shouldScopeGitCommit,
+    gitStatus,
+    gitChanged,
+    gitPreflight,
+    gitSyncBranch,
+    gitCommit,
+    gitSnapshot,
+    gitOpenPr
+  }), {
+    title: "Lifecycle git agent commands",
+    description: "Task-aware git helpers used by the provider-owned rig-agent command surface."
+  }),
+  ToolchainSourcesCap.provide(() => LIFECYCLE_TOOLCHAIN_SOURCE_CONTRIBUTION, {
+    title: "Lifecycle toolchain sources",
+    description: "Source paths for the lifecycle control-plane hook binaries (inject-context, task-runtime-start), compiled by the isolation runtime toolchain."
+  })
+];
+async function runLifecycleHookRunner(hookId, role) {
+  process.env.RIG_HOOK_ROLE = role;
+  const { main } = await import("@rig/core/hook-runner");
+  await main(["--plugin", DEFAULT_LIFECYCLE_PLUGIN_ID, "--hook", hookId]);
+}
+var LIFECYCLE_SEED_ENTRYPOINTS = [
+  {
+    id: `${DEFAULT_LIFECYCLE_PLUGIN_ID}:completion-verification-entrypoint`,
+    basename: "completion-verification",
+    run: ({ basename }) => runLifecycleHookRunner(COMPLETION_VERIFICATION_HOOK_ID, basename ?? "completion-verification")
+  },
+  {
+    id: `${DEFAULT_LIFECYCLE_PLUGIN_ID}:inject-context-entrypoint`,
+    basename: "inject-context",
+    run: async () => {
+      await import("@rig/bundle-default-lifecycle/control-plane/hooks/inject-context");
     }
   },
   {
-    id: COMPLETION_VERIFICATION_CAPABILITY_ID,
-    title: "Completion verification gate",
-    description: "Run the full completion gate for the active task and report whether it passed.",
-    run: async (input) => {
-      const { projectRoot } = input;
-      return runCompletionGate(projectRoot);
+    id: `${DEFAULT_LIFECYCLE_PLUGIN_ID}:task-runtime-start-entrypoint`,
+    basename: "task-runtime-start",
+    run: async () => {
+      await import("@rig/bundle-default-lifecycle/control-plane/hooks/task-runtime-start");
     }
   }
 ];
@@ -3146,10 +4760,20 @@ function createDefaultLifecyclePlugin(stages = {}) {
     version: "0.0.0-alpha.1",
     provides: [],
     contributes: {
-      stages: defaultLifecycleStages.map((stage) => stages[stage.id] ? { ...stage, run: stages[stage.id] } : stage),
+      stages: defaultLifecycleStages.map((stage) => {
+        const run = Object.prototype.hasOwnProperty.call(stages, stage.id) ? stages[stage.id] : undefined;
+        return run ? { ...stage, run } : stage;
+      }),
       hooks: LIFECYCLE_HOOKS,
       capabilities: LIFECYCLE_CAPABILITIES,
-      cliCommands: defaultLifecycleCliCommands
+      cliCommands: defaultLifecycleCliCommands,
+      seedEntrypoints: LIFECYCLE_SEED_ENTRYPOINTS,
+      config: {
+        defaults: () => ({
+          merge: { mode: "auto", method: "repo-default", deleteBranch: "repo-default", bypass: false },
+          automation: { maxValidationAttempts: 30, maxPrFixIterations: 100500 }
+        })
+      }
     }
   });
 }
@@ -3172,18 +4796,18 @@ function closeoutOutcome(status) {
   }
 }
 async function loadRigAutomationConfig(projectRoot) {
-  return await loadConfig2(projectRoot);
+  return await loadConfig(projectRoot);
 }
 async function runRigProjectValidation({ projectRoot, taskId }) {
-  const pluginHostCtx = await buildPluginHostContext3(projectRoot);
-  return taskValidate3(projectRoot, taskId, pluginHostCtx?.validatorRegistry ?? undefined);
+  const pluginHostCtx = await buildPluginHostContext2(projectRoot);
+  return taskData().taskValidate(projectRoot, taskId, pluginHostCtx?.validatorRegistry ?? undefined);
 }
 function shouldAttemptRigMerge2(config) {
   const mode = config.merge?.mode;
   return mode !== "off" && mode !== "pr-ready";
 }
 async function loadPluginStageContributions(projectRoot) {
-  const { host } = await resolvePluginHost(projectRoot);
+  const { host } = await resolvePluginHost2(projectRoot);
   return { executors: host.listStageExecutors(), mutations: host.listStageMutations() };
 }
 async function runPipelineCloseout(input) {
@@ -3205,7 +4829,7 @@ async function runPipelineCloseout(input) {
   };
   const shouldMerge = shouldAttemptRigMerge2(effectiveConfig);
   const workspace = input.workspace;
-  const artifactRoot = input.artifactRoot ?? resolve4(input.projectRoot, "artifacts", taskId);
+  const artifactRoot = input.artifactRoot ?? resolve6(input.projectRoot, "artifacts", taskId);
   const journal = async (phase, status, detail) => {
     await input.journalPhase(phase, closeoutOutcome(status), detail ?? null);
   };
@@ -3405,7 +5029,6 @@ export {
   verifyStage,
   validateStage,
   sourceCloseoutStage,
-  snapshotCloseoutArtifacts,
   runVerifyStage,
   runValidateStage,
   runSourceCloseoutStage,
@@ -3435,16 +5058,11 @@ export {
   defaultLifecycleCliCommands,
   defaultKernelStatusData,
   createDefaultLifecyclePlugin,
-  compareCloseoutShadowRuns,
-  compareCloseoutEquivalence,
   commitStage,
   autoMergeStage,
-  assertCloseoutShadowEquivalent,
   DEFAULT_PIPELINE_CLI_ID,
   DEFAULT_LIFECYCLE_STAGE_IDS,
   DEFAULT_LIFECYCLE_PLUGIN_ID,
   DEFAULT_KERNEL_CLI_ID,
-  COMPLETION_VERIFICATION_HOOK_ID,
-  CLOSEOUT_EQUIVALENCE_STATE_FILES,
-  CLOSEOUT_EQUIVALENCE_ARTIFACTS
+  COMPLETION_VERIFICATION_HOOK_ID
 };