@h-rig/runtime 0.0.6-alpha.10 → 0.0.6-alpha.12

package/dist/src/control-plane/hooks/completion-verification.js

@@ -2,8 +2,8 @@
 // @bun
 
 // packages/runtime/src/control-plane/hooks/completion-verification.ts
-import { appendFileSync as appendFileSync2, existsSync as existsSync21, mkdirSync as mkdirSync11, readFileSync as readFileSync12, writeFileSync as writeFileSync11 } from "fs";
-import { resolve as resolve24 } from "path";
+import { appendFileSync as appendFileSync2, existsSync as existsSync21, mkdirSync as mkdirSync12, readFileSync as readFileSync12, writeFileSync as writeFileSync12 } from "fs";
+import { resolve as resolve25 } from "path";
 import {
   escapeRegExp as escapeRegExp2,
   resolveBunCli,
@@ -1641,8 +1641,8 @@ function isAgentRuntimeContextPath(path) {
 }
 
 // packages/runtime/src/control-plane/native/git-ops.ts
-import { existsSync as existsSync20, lstatSync, mkdirSync as mkdirSync10, readFileSync as readFileSync11, writeFileSync as writeFileSync10 } from "fs";
-import { dirname as dirname11, isAbsolute as isAbsolute2, resolve as resolve23 } from "path";
+import { existsSync as existsSync20, lstatSync, mkdirSync as mkdirSync11, readFileSync as readFileSync11, writeFileSync as writeFileSync11 } from "fs";
+import { dirname as dirname11, isAbsolute as isAbsolute2, resolve as resolve24 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 
 // packages/runtime/src/control-plane/runtime/baked-secrets.ts
@@ -1731,8 +1731,8 @@ function expandShellValue(rawValue, env) {
 }
 
 // packages/runtime/src/control-plane/native/task-ops.ts
-import { appendFileSync, existsSync as existsSync19, mkdirSync as mkdirSync9, readFileSync as readFileSync10, writeFileSync as writeFileSync9 } from "fs";
-import { resolve as resolve22 } from "path";
+import { appendFileSync, existsSync as existsSync19, mkdirSync as mkdirSync10, readFileSync as readFileSync10, writeFileSync as writeFileSync10 } from "fs";
+import { resolve as resolve23 } from "path";
 
 // packages/runtime/src/build-time-config.ts
 function normalizeBuildConfig(value) {
@@ -4239,18 +4239,915 @@ ${JSON.stringify(result, null, 2)}
 }
 
 // packages/runtime/src/control-plane/native/verifier.ts
-import { existsSync as existsSync18, mkdirSync as mkdirSync8, writeFileSync as writeFileSync8 } from "fs";
+import { existsSync as existsSync18, mkdirSync as mkdirSync9, writeFileSync as writeFileSync9 } from "fs";
+import { resolve as resolve22 } from "path";
+
+// packages/runtime/src/control-plane/native/pr-review-gate.ts
+import { mkdirSync as mkdirSync8, writeFileSync as writeFileSync8 } from "fs";
 import { resolve as resolve21 } from "path";
+function parseJsonObject(value) {
+  if (!value?.trim())
+    return { value: {}, error: "empty JSON output" };
+  try {
+    const parsed = JSON.parse(value);
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? { value: parsed } : { value: {}, error: "JSON output was not an object" };
+  } catch (error) {
+    return { value: {}, error: error instanceof Error ? error.message : String(error) };
+  }
+}
+function flattenPaginatedArray(value) {
+  if (!Array.isArray(value))
+    return null;
+  if (value.every((entry) => Array.isArray(entry))) {
+    return value.flatMap((entry) => entry);
+  }
+  return value;
+}
+function parseJsonArray(value) {
+  if (!value?.trim())
+    return { value: [], error: "empty JSON output" };
+  try {
+    const parsed = JSON.parse(value);
+    const flattened = flattenPaginatedArray(parsed);
+    return flattened ? { value: flattened } : { value: [], error: "JSON output was not an array" };
+  } catch (error) {
+    return { value: [], error: error instanceof Error ? error.message : String(error) };
+  }
+}
+function parseGithubPrUrl(prUrl) {
+  const match = /^https?:\/\/github\.com\/([^/]+)\/([^/]+)\/pull\/(\d+)\/?$/i.exec(prUrl.trim());
+  if (!match)
+    return null;
+  const prNumber = Number.parseInt(match[3], 10);
+  if (!Number.isFinite(prNumber))
+    return null;
+  return { owner: match[1], repo: match[2], repoName: `${match[1]}/${match[2]}`, prNumber };
+}
+function checkName(check) {
+  return String(check.name ?? check.context ?? "").trim();
+}
+function checkState(check) {
+  return String(check.conclusion ?? check.state ?? check.status ?? "").trim().toLowerCase();
+}
+function isGreptileLabel(value) {
+  return String(value ?? "").toLowerCase().includes("greptile");
+}
+function isGreptileGithubLogin(value) {
+  const login = String(value ?? "").toLowerCase().replace(/\[bot\]$/, "");
+  return login === "greptile" || login === "greptile-ai" || login === "greptileai" || login === "greptile-apps";
+}
+function isPassingCheck(check) {
+  const state = checkState(check);
+  return ["success", "successful", "passed", "neutral", "skipped", "completed"].includes(state);
+}
+function isPendingCheck(check) {
+  const state = checkState(check);
+  return ["pending", "queued", "in_progress", "waiting", "requested", "expected", "action_required"].includes(state);
+}
+function isFailingCheck(check) {
+  const state = checkState(check);
+  return ["failure", "failed", "timed_out", "action_required", "cancelled", "canceled", "error"].includes(state);
+}
+function wildcardToRegExp(pattern) {
+  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+  return new RegExp(`^${escaped}$`, "i");
+}
+function isAllowedFailure(name, allowedFailures) {
+  return allowedFailures.some((pattern) => wildcardToRegExp(pattern).test(name));
+}
+function greptileScorePatterns() {
+  return [
+    /\b(?:confidence\s+score|confidence|rating|score)\s*:?\s*(\d+)\s*\/\s*(\d+)/gi,
+    /\b(\d+)\s*\/\s*(\d+)\s*(?:confidence|rating|score)/gi,
+    /\bgreptile[^\n]{0,80}?(\d+)\s*\/\s*(\d+)/gi
+  ];
+}
+function parseGreptileScores(input) {
+  const text = stripHtml(input);
+  const seen = new Set;
+  const scores = [];
+  for (const pattern of greptileScorePatterns()) {
+    for (const match of text.matchAll(pattern)) {
+      const value = Number.parseInt(match[1] || "", 10);
+      const scale = Number.parseInt(match[2] || "", 10);
+      if (!Number.isFinite(value) || !Number.isFinite(scale) || scale <= 0)
+        continue;
+      const raw = match[0] || `${value}/${scale}`;
+      const key = `${match.index ?? -1}:${value}/${scale}:${raw.toLowerCase()}`;
+      if (seen.has(key))
+        continue;
+      seen.add(key);
+      scores.push({ value, scale, raw });
+    }
+  }
+  return scores;
+}
+function parseGreptileScore(input) {
+  return parseGreptileScores(input)[0] ?? null;
+}
+function stripHtml(input) {
+  return input.replace(/<[^>]+>/g, " ").replace(/&nbsp;/g, " ").replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/\r/g, "").replace(/\n{3,}/g, `
+
+`).trim();
+}
+function containsBlockerText(input) {
+  const text = stripHtml(input).replace(/\b(?:no|without|zero)\s+blockers?\b/gi, " ").replace(/\bno\s+changes\s+requested\b/gi, " ");
+  return /not safe(?: to merge)?|unsafe(?: to merge)?|do not merge|cannot merge|blockers?|must fix|changes requested|please fix|needs? fix|fix this|address this/i.test(text);
+}
+function containsGreptileNegativeVerdict(input) {
+  const text = stripHtml(input).replace(/\s+/g, " ").trim();
+  if (!text)
+    return false;
+  return /\b(?:status|verdict|review state|state|conclusion|result)\s*:?\s*(?:reject(?:ed|ion)?|skip(?:ped)?|fail(?:ed|ure)?|changes[_ ]requested|not approved)\b/i.test(text) || /\bgreptile\b.{0,160}\b(?:reject(?:ed|s|ion)?|skip(?:ped|s)?|fail(?:ed|s|ure)?|changes requested|did not approve|not approved)\b/i.test(text);
+}
+function isStrictFiveOfFive(score) {
+  return score.value === 5 && score.scale === 5;
+}
+function containsConflictingScoreText(input) {
+  return parseGreptileScores(input).some((score) => !isStrictFiveOfFive(score));
+}
+function firstString(record, keys) {
+  for (const key of keys) {
+    const value = record[key];
+    if (typeof value === "string")
+      return value;
+  }
+  return "";
+}
+function arrayField(record, key) {
+  const value = record[key];
+  return Array.isArray(value) ? value : [];
+}
+async function runJsonArray(command, args, cwd) {
+  const result = await command(args, { cwd });
+  const label = `gh ${args.join(" ")}`;
+  if (result.exitCode !== 0) {
+    return { value: [], error: `${label} failed (${result.exitCode}): ${result.stderr ?? result.stdout ?? ""}`.trim() };
+  }
+  const parsed = parseJsonArray(result.stdout);
+  return parsed.error ? { value: parsed.value, error: `${label} returned invalid JSON: ${parsed.error}` } : { value: parsed.value };
+}
+async function runJsonObject(command, args, cwd) {
+  const result = await command(args, { cwd });
+  const label = `gh ${args.join(" ")}`;
+  if (result.exitCode !== 0) {
+    return { value: {}, error: `${label} failed (${result.exitCode}): ${result.stderr ?? result.stdout ?? ""}`.trim() };
+  }
+  const parsed = parseJsonObject(result.stdout);
+  return parsed.error ? { value: parsed.value, error: `${label} returned invalid JSON: ${parsed.error}` } : { value: parsed.value };
+}
+function normalizeStatusCheck(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  const name = firstString(record, ["name", "context"]);
+  if (!name.trim())
+    return null;
+  const output = record.output && typeof record.output === "object" && !Array.isArray(record.output) ? record.output : null;
+  const app = record.app && typeof record.app === "object" && !Array.isArray(record.app) ? record.app : null;
+  return {
+    __typename: typeof record.__typename === "string" ? record.__typename : null,
+    name,
+    context: typeof record.context === "string" ? record.context : null,
+    status: typeof record.status === "string" ? record.status : null,
+    state: typeof record.state === "string" ? record.state : null,
+    conclusion: typeof record.conclusion === "string" ? record.conclusion : null,
+    detailsUrl: typeof record.detailsUrl === "string" ? record.detailsUrl : typeof record.details_url === "string" ? record.details_url : typeof record.html_url === "string" ? record.html_url : typeof record.link === "string" ? record.link : null,
+    link: typeof record.link === "string" ? record.link : typeof record.html_url === "string" ? record.html_url : null,
+    headSha: typeof record.headSha === "string" ? record.headSha : null,
+    head_sha: typeof record.head_sha === "string" ? record.head_sha : null,
+    output: output ? {
+      title: typeof output.title === "string" ? output.title : null,
+      summary: typeof output.summary === "string" ? output.summary : null,
+      text: typeof output.text === "string" ? output.text : null
+    } : null,
+    app: app ? {
+      slug: typeof app.slug === "string" ? app.slug : null,
+      name: typeof app.name === "string" ? app.name : null,
+      owner: app.owner && typeof app.owner === "object" ? app.owner : null
+    } : null
+  };
+}
+function normalizeReview(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  return {
+    id: typeof record.id === "string" ? record.id : typeof record.id === "number" ? String(record.id) : null,
+    state: typeof record.state === "string" ? record.state : null,
+    body: typeof record.body === "string" ? record.body : null,
+    commit_id: typeof record.commit_id === "string" ? record.commit_id : typeof record.commitId === "string" ? record.commitId : record.commit && typeof record.commit === "object" && typeof record.commit.oid === "string" ? record.commit.oid : null,
+    html_url: typeof record.html_url === "string" ? record.html_url : typeof record.url === "string" ? record.url : null,
+    author: record.author && typeof record.author === "object" ? record.author : record.user && typeof record.user === "object" ? record.user : null
+  };
+}
+function normalizeReviewComment(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  const body = typeof record.body === "string" ? record.body : null;
+  const path = typeof record.path === "string" ? record.path : null;
+  if (!body && !path)
+    return null;
+  return {
+    id: typeof record.id === "string" || typeof record.id === "number" ? record.id : null,
+    user: record.user && typeof record.user === "object" ? record.user : null,
+    author: record.author && typeof record.author === "object" ? record.author : null,
+    body,
+    path,
+    html_url: typeof record.html_url === "string" ? record.html_url : null,
+    url: typeof record.url === "string" ? record.url : null,
+    commit_id: typeof record.commit_id === "string" ? record.commit_id : null,
+    original_commit_id: typeof record.original_commit_id === "string" ? record.original_commit_id : null
+  };
+}
+function normalizeIssueComment(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  const body = typeof record.body === "string" ? record.body : null;
+  if (!body)
+    return null;
+  return {
+    id: typeof record.id === "string" || typeof record.id === "number" ? record.id : null,
+    user: record.user && typeof record.user === "object" ? record.user : null,
+    author: record.author && typeof record.author === "object" ? record.author : null,
+    body,
+    html_url: typeof record.html_url === "string" ? record.html_url : null,
+    url: typeof record.url === "string" ? record.url : null,
+    created_at: typeof record.created_at === "string" ? record.created_at : null
+  };
+}
+function normalizeReviewThread(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  return {
+    id: typeof record.id === "string" ? record.id : null,
+    isResolved: typeof record.isResolved === "boolean" ? record.isResolved : null,
+    isOutdated: typeof record.isOutdated === "boolean" ? record.isOutdated : null,
+    comments: record.comments && typeof record.comments === "object" ? record.comments : null
+  };
+}
+function relevantIssueComment(comment) {
+  const login = comment.user?.login ?? comment.author?.login ?? "";
+  const body = comment.body ?? "";
+  return isGreptileGithubLogin(login) || /greptile|blocker|unsafe|not safe|do not merge|must fix|please fix|changes requested|score|confidence|\b\d+\s*\/\s*5\b/i.test(body);
+}
+function latestThreadComment(thread) {
+  const nodes = thread.comments?.nodes ?? [];
+  return nodes.length > 0 ? nodes[nodes.length - 1] : null;
+}
+function unresolvedThreadSummaries(threads) {
+  return threads.flatMap((thread) => {
+    if (thread.isResolved === true || thread.isOutdated === true)
+      return [];
+    const latest = latestThreadComment(thread);
+    if (!latest)
+      return ["Unresolved review thread"];
+    const path = latest.path ? ` on ${latest.path}` : "";
+    return [`Unresolved review thread${path}: ${(latest.body ?? "").trim() || "(empty comment)"}`];
+  });
+}
+function collectBodies(evidence) {
+  return [
+    evidence.title ?? "",
+    evidence.body,
+    ...evidence.reviews.map((review) => review.body ?? ""),
+    ...evidence.changedFileReviewComments.map((comment) => comment.body ?? ""),
+    ...evidence.relevantIssueComments.map((comment) => comment.body ?? ""),
+    ...evidence.reviewThreads.flatMap((thread) => thread.comments?.nodes?.map((comment) => comment.body ?? "") ?? []),
+    ...(evidence.apiSignals ?? []).map((signal) => signal.body ?? "")
+  ].filter((body) => body.trim().length > 0);
+}
+function bodyExcerpt(body) {
+  const text = stripHtml(body).replace(/\s+/g, " ").trim();
+  return text.length > 240 ? `${text.slice(0, 237)}...` : text;
+}
+function makeGreptileSignal(input) {
+  const scores = parseGreptileScores(input.body);
+  const reviewedSha = input.reviewedSha?.trim() || null;
+  const current = reviewedSha ? reviewedSha === input.currentHeadSha : null;
+  const blocker = input.blocker ?? (containsBlockerText(input.body) || containsGreptileNegativeVerdict(input.body));
+  const explicitApproval = input.explicitApproval ?? false;
+  return {
+    source: input.source,
+    trusted: input.trusted,
+    authorLogin: input.authorLogin ?? null,
+    reviewedSha,
+    current,
+    stale: current === false,
+    score: scores[0] ?? null,
+    scores,
+    explicitApproval,
+    blocker,
+    actionable: input.actionable ?? blocker,
+    bodyExcerpt: bodyExcerpt(input.body),
+    body: input.body,
+    allScores: scores
+  };
+}
+function reviewAuthorLogin(review) {
+  return review.author?.login ?? null;
+}
+function commentAuthorLogin(comment) {
+  return comment.user?.login ?? comment.author?.login ?? null;
+}
+function collectGreptileSignals(evidence) {
+  const signals = [];
+  const contextSources = [
+    { source: "pr-title", body: evidence.title ?? "" },
+    { source: "pr-body", body: evidence.body }
+  ];
+  for (const context of contextSources) {
+    if (!context.body.trim())
+      continue;
+    if (!/greptile|score|confidence|\b\d+\s*\/\s*5\b|blocker|unsafe|not safe|do not merge|changes requested/i.test(context.body))
+      continue;
+    const contextBlocker = containsBlockerText(context.body);
+    signals.push(makeGreptileSignal({
+      source: context.source,
+      body: context.body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: false,
+      blocker: contextBlocker,
+      actionable: contextBlocker
+    }));
+  }
+  for (const apiSignal of evidence.apiSignals ?? []) {
+    const body = [apiSignal.status ? `Status: ${apiSignal.status}` : "", apiSignal.body ?? ""].filter(Boolean).join(`
+
+`);
+    if (!body.trim())
+      continue;
+    signals.push(makeGreptileSignal({
+      source: "api",
+      body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: true,
+      reviewedSha: apiSignal.reviewedSha ?? null,
+      explicitApproval: false
+    }));
+  }
+  for (const review of evidence.reviews) {
+    const login = reviewAuthorLogin(review);
+    if (!isGreptileGithubLogin(login))
+      continue;
+    const state = String(review.state ?? "").toUpperCase();
+    const body = [state ? `Review state: ${state}` : "", review.body ?? ""].filter(Boolean).join(`
+
+`);
+    if (!body.trim())
+      continue;
+    const dismissed = state === "DISMISSED";
+    signals.push(makeGreptileSignal({
+      source: "github-review",
+      body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: !dismissed,
+      authorLogin: login,
+      reviewedSha: review.commit_id ?? null,
+      explicitApproval: undefined,
+      blocker: state === "CHANGES_REQUESTED" || undefined
+    }));
+  }
+  for (const comment of evidence.changedFileReviewComments) {
+    const login = commentAuthorLogin(comment);
+    const body = comment.body ?? "";
+    if (!body.trim() || !isGreptileGithubLogin(login))
+      continue;
+    signals.push(makeGreptileSignal({
+      source: "changed-file-comment",
+      body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: true,
+      authorLogin: login,
+      reviewedSha: comment.commit_id ?? comment.original_commit_id ?? null
+    }));
+  }
+  for (const comment of evidence.relevantIssueComments) {
+    const login = commentAuthorLogin(comment);
+    const body = comment.body ?? "";
+    if (!body.trim() || !isGreptileGithubLogin(login))
+      continue;
+    signals.push(makeGreptileSignal({
+      source: "issue-comment",
+      body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: true,
+      authorLogin: login
+    }));
+  }
+  for (const thread of evidence.reviewThreads) {
+    if (thread.isOutdated === true || thread.isResolved === true)
+      continue;
+    for (const comment of thread.comments?.nodes ?? []) {
+      const login = comment.author?.login ?? null;
+      const body = comment.body ?? "";
+      if (!body.trim() || !isGreptileGithubLogin(login))
+        continue;
+      signals.push(makeGreptileSignal({
+        source: "review-thread",
+        body,
+        currentHeadSha: evidence.currentHeadSha,
+        trusted: true,
+        authorLogin: login
+      }));
+    }
+  }
+  for (const check of evidence.checks) {
+    if (!isGreptileLabel(checkName(check)))
+      continue;
+    const reviewedSha = check.headSha ?? check.head_sha ?? null;
+    const label = `${checkName(check)} (${checkState(check) || "unknown"})`;
+    const body = [label, check.output?.title ?? "", check.output?.summary ?? "", check.output?.text ?? ""].filter((entry) => entry.trim().length > 0).join(`
+
+`);
+    signals.push(makeGreptileSignal({
+      source: "github-check",
+      body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: false,
+      reviewedSha,
+      explicitApproval: false,
+      blocker: isFailingCheck(check),
+      actionable: isFailingCheck(check)
+    }));
+  }
+  return signals;
+}
+function unresolvedGreptileThreadSummaries(threads) {
+  return threads.flatMap((thread) => {
+    if (thread.isResolved === true || thread.isOutdated === true)
+      return [];
+    const comments = thread.comments?.nodes ?? [];
+    if (!comments.some((comment) => isGreptileGithubLogin(comment.author?.login)))
+      return [];
+    const latest = latestThreadComment(thread);
+    if (!latest)
+      return ["Unresolved Greptile review thread"];
+    const path = latest.path ? ` on ${latest.path}` : "";
+    return [`Unresolved Greptile review thread${path}: ${(latest.body ?? "").trim() || "(empty comment)"}`];
+  });
+}
+function issueLevelBlockerSummaries(comments) {
+  return comments.flatMap((comment) => {
+    const body = comment.body?.trim() ?? "";
+    if (!body || !containsBlockerText(body) && !containsConflictingScoreText(body))
+      return [];
+    const login = commentAuthorLogin(comment) ?? "unknown";
+    const author = isGreptileGithubLogin(login) ? `Greptile issue comment by ${login}` : `Issue-level PR comment by ${login}`;
+    return [`${author}: ${body}`];
+  });
+}
+function reviewBodyBlockerSummaries(reviews) {
+  return reviews.flatMap((review) => {
+    const login = reviewAuthorLogin(review) ?? "unknown";
+    if (isGreptileGithubLogin(login))
+      return [];
+    const body = review.body?.trim() ?? "";
+    if (!body || !containsBlockerText(body) && !containsConflictingScoreText(body))
+      return [];
+    const state = review.state ? ` (${review.state})` : "";
+    return [`PR review summary by ${login}${state}: ${body}`];
+  });
+}
+function signalLabel(signal) {
+  const source = signal.source.replace(/-/g, " ");
+  const author = signal.authorLogin ? ` by ${signal.authorLogin}` : "";
+  const sha = signal.reviewedSha ? ` at ${signal.reviewedSha}` : "";
+  return `${source}${author}${sha}`;
+}
+function deriveGreptileEvidence(input) {
+  const rawBodies = collectBodies(input);
+  const signals = collectGreptileSignals(input);
+  const trustedSignals = signals.filter((signal) => signal.trusted);
+  const trustedScoreEntries = trustedSignals.flatMap((signal) => signal.allScores.map((score2) => ({ score: score2, signal })));
+  const contextScoreEntries = signals.filter((signal) => !signal.trusted).flatMap((signal) => signal.allScores.map((score2) => ({ score: score2, signal })));
+  const allScoreEntries = [...trustedScoreEntries, ...contextScoreEntries];
+  const staleSignals = signals.filter((signal) => !!signal.reviewedSha && signal.reviewedSha !== input.currentHeadSha && (signal.trusted || signal.source === "github-check"));
+  const isCurrentOrUntied = (signal) => !signal.reviewedSha || signal.reviewedSha === input.currentHeadSha;
+  const currentOrUntiedScoreEntries = allScoreEntries.filter((entry) => isCurrentOrUntied(entry.signal));
+  const lowScoreEntries = currentOrUntiedScoreEntries.filter((entry) => !isStrictFiveOfFive(entry.score));
+  const approvingScoreEntry = trustedScoreEntries.find((entry) => entry.signal.reviewedSha === input.currentHeadSha && entry.signal.source !== "github-check" && isStrictFiveOfFive(entry.score)) ?? null;
+  const approvedByScore = !!approvingScoreEntry;
+  const approvedByExplicitMapping = false;
+  const approvingSignal = approvingScoreEntry?.signal ?? null;
+  const lowestScore = lowScoreEntries.map((entry) => entry.score).sort((left, right) => left.value - right.value)[0] ?? null;
+  const score = lowestScore ?? approvingScoreEntry?.score ?? trustedScoreEntries[0]?.score ?? contextScoreEntries[0]?.score ?? null;
+  const failedGreptileChecks = input.checks.filter((check) => isGreptileLabel(checkName(check)) && isFailingCheck(check)).map((check) => `${checkName(check)} (${checkState(check) || "failed"})`);
+  const blockerSignals = signals.filter((signal) => signal.source !== "changed-file-comment" && (signal.blocker || signal.actionable) && (!signal.reviewedSha || signal.reviewedSha === input.currentHeadSha));
+  const staleBlockingSignals = [];
+  const blockers = [
+    ...blockerSignals.map((signal) => `${signalLabel(signal)}: ${signal.bodyExcerpt || "blocker text"}`),
+    ...reviewBodyBlockerSummaries(input.reviews),
+    ...issueLevelBlockerSummaries(input.relevantIssueComments),
+    ...lowScoreEntries.map((entry) => `Greptile score from ${signalLabel(entry.signal)} is ${entry.score.value}/${entry.score.scale}; strict merge requires trusted current-head 5/5.`),
+    ...staleBlockingSignals.map((signal) => `Greptile blocking signal from ${signalLabel(signal)} is stale; current PR head is ${input.currentHeadSha || "unknown"}.`),
+    ...failedGreptileChecks.map((entry) => `Greptile check failed: ${entry}`)
+  ];
+  const unresolvedComments = [
+    ...unresolvedGreptileThreadSummaries(input.reviewThreads)
+  ];
+  const greptileChecks = input.checks.filter((check) => isGreptileLabel(checkName(check)));
+  const greptileReviews = input.reviews.filter((review) => isGreptileGithubLogin(review.author?.login));
+  const completedGreptileCheck = greptileChecks.some((check) => {
+    const reviewedSha2 = check.headSha ?? check.head_sha ?? null;
+    return reviewedSha2 === input.currentHeadSha && (isPassingCheck(check) || isFailingCheck(check));
+  });
+  const completedGreptileReview = greptileReviews.some((review) => {
+    const state = String(review.state ?? "").toUpperCase();
+    const completedState = ["APPROVED", "COMMENTED", "CHANGES_REQUESTED"].includes(state) || !!review.body?.trim();
+    return completedState && review.commit_id === input.currentHeadSha;
+  });
+  const approvalReviewedSha = approvingSignal?.reviewedSha ?? null;
+  const reviewedSha = approvalReviewedSha ?? staleSignals[0]?.reviewedSha ?? trustedSignals.map((signal) => signal.reviewedSha ?? null).find(Boolean) ?? null;
+  const fresh = !!approvalReviewedSha && approvalReviewedSha === input.currentHeadSha;
+  const completed = completedGreptileCheck || completedGreptileReview || !!approvingSignal || trustedSignals.some((signal) => signal.source === "api" && signal.reviewedSha === input.currentHeadSha);
+  const hasGreptileEvidence = trustedSignals.length > 0 || signals.some((signal) => /greptile/i.test(signal.body));
+  const approved = fresh && completed && !blockers.length && !unresolvedComments.length && (approvedByScore || approvedByExplicitMapping);
+  const mapping = !hasGreptileEvidence ? "missing" : staleSignals.length > 0 && !approvingSignal ? "stale" : approvedByScore ? "score-5-of-5" : "unproven";
+  const source = approvingSignal?.source === "api" ? "api" : approvingSignal?.source === "github-review" ? "github-review" : approvingSignal?.source === "changed-file-comment" || approvingSignal?.source === "issue-comment" || approvingSignal?.source === "review-thread" ? "github-comment" : greptileReviews.length > 0 && greptileChecks.length > 0 ? "combined" : greptileReviews.length > 0 ? "github-review" : greptileChecks.length > 0 ? "github-check" : signals.some((signal) => signal.source === "pr-body" || signal.source === "pr-title") ? "pr-body" : "missing";
+  return {
+    source,
+    currentHeadSha: input.currentHeadSha,
+    reviewedSha,
+    fresh,
+    completed,
+    approved,
+    score,
+    explicitApproval: approvedByExplicitMapping,
+    blockers,
+    unresolvedComments,
+    rawBodies,
+    signals: signals.map(({ body: _body, allScores: _allScores, ...signal }) => signal),
+    mapping
+  };
+}
+function isGreptileCheckDetail(check) {
+  return isGreptileLabel(checkName(check)) || isGreptileGithubLogin(check.app?.slug) || isGreptileGithubLogin(check.app?.owner?.login) || isGreptileLabel(check.app?.name);
+}
+async function collectGreptileCheckDetails(input) {
+  const checkRunsRead = await runJsonArray(input.command, [
+    "api",
+    `repos/${input.repoName}/commits/${input.headSha}/check-runs`,
+    "--paginate",
+    "--slurp",
+    "--jq",
+    "map(.check_runs // []) | add // []"
+  ], input.projectRoot);
+  const checkRuns = checkRunsRead.value.map(normalizeStatusCheck).filter((entry) => !!entry).filter(isGreptileCheckDetail);
+  return checkRunsRead.error ? { value: checkRuns, error: checkRunsRead.error } : { value: checkRuns };
+}
+async function collectReviewThreads(input) {
+  const reviewThreads = [];
+  let afterCursor = null;
+  for (let page = 0;page < 100; page += 1) {
+    const afterLiteral = afterCursor ? JSON.stringify(afterCursor) : "null";
+    const threadsResponse = await runJsonObject(input.command, [
+      "api",
+      "graphql",
+      "-F",
+      `owner=${input.owner}`,
+      "-F",
+      `name=${input.name}`,
+      "-F",
+      `prNumber=${input.prNumber}`,
+      "-f",
+      `query=query($owner: String!, $name: String!, $prNumber: Int!) { repository(owner:$owner, name:$name) { pullRequest(number:$prNumber) { reviewThreads(first: 100, after: ${afterLiteral}) { nodes { id isResolved isOutdated comments(first: 100) { nodes { author { login } body path url createdAt } pageInfo { hasNextPage endCursor } } } pageInfo { hasNextPage endCursor } } } } }`
+    ], input.projectRoot);
+    if (threadsResponse.error) {
+      return { value: reviewThreads, error: threadsResponse.error };
+    }
+    const data = threadsResponse.value.data;
+    const repository = data?.repository;
+    const pullRequest = repository?.pullRequest;
+    const threads = pullRequest?.reviewThreads;
+    const nodes = threads?.nodes;
+    if (!Array.isArray(nodes)) {
+      return { value: reviewThreads, error: "GitHub reviewThreads response did not include a nodes array" };
+    }
+    const normalized = nodes.map(normalizeReviewThread).filter((entry) => !!entry);
+    reviewThreads.push(...normalized);
+    const truncatedCommentThread = normalized.find((thread) => thread.comments?.pageInfo?.hasNextPage === true);
+    if (truncatedCommentThread) {
+      return { value: reviewThreads, error: `GitHub review thread ${truncatedCommentThread.id ?? "unknown"} has more than 100 comments; nested pagination is incomplete` };
+    }
+    const pageInfo = threads?.pageInfo;
+    if (!pageInfo) {
+      if (nodes.length >= 100) {
+        return { value: reviewThreads, error: "GitHub reviewThreads pagination metadata missing after a full page" };
+      }
+      return { value: reviewThreads };
+    }
+    if (pageInfo.hasNextPage !== true) {
+      return { value: reviewThreads };
+    }
+    if (typeof pageInfo.endCursor !== "string" || !pageInfo.endCursor.trim()) {
+      return { value: reviewThreads, error: "GitHub reviewThreads pagination reported hasNextPage without endCursor" };
+    }
+    afterCursor = pageInfo.endCursor;
+  }
+  return { value: reviewThreads, error: "GitHub reviewThreads pagination exceeded 100 pages" };
+}
+async function collectPrReviewEvidence(input) {
+  const parsed = parseGithubPrUrl(input.prUrl);
+  if (!parsed) {
+    throw new Error(`Cannot parse GitHub PR URL: ${input.prUrl}`);
+  }
+  const readErrors = [];
+  const viewRead = await runJsonObject(input.command, [
+    "pr",
+    "view",
+    input.prUrl,
+    "--json",
+    "title,body,headRefOid,headRefName,baseRefName,state,isDraft,mergeable,mergeStateStatus,reviewDecision,reviews,statusCheckRollup"
+  ], input.projectRoot);
+  if (viewRead.error)
+    readErrors.push(viewRead.error);
+  const view = viewRead.value;
+  if (!Array.isArray(view.statusCheckRollup)) {
+    readErrors.push("gh pr view did not return required statusCheckRollup array");
+  }
+  if (!Array.isArray(view.reviews)) {
+    readErrors.push("gh pr view did not return required reviews array");
+  }
+  const headSha = firstString(view, ["headRefOid", "headSha", "head_sha"]);
+  const statusCheckRollup = arrayField(view, "statusCheckRollup").map(normalizeStatusCheck).filter((entry) => !!entry);
+  const reviews = arrayField(view, "reviews").map(normalizeReview).filter((entry) => !!entry);
+  const reviewCommentsRead = await runJsonArray(input.command, ["api", `repos/${parsed.repoName}/pulls/${parsed.prNumber}/comments`, "--paginate", "--slurp"], input.projectRoot);
+  if (reviewCommentsRead.error)
+    readErrors.push(reviewCommentsRead.error);
+  const reviewComments = reviewCommentsRead.value.map(normalizeReviewComment).filter((entry) => !!entry);
+  const issueCommentsRead = await runJsonArray(input.command, ["api", `repos/${parsed.repoName}/issues/${parsed.prNumber}/comments`, "--paginate", "--slurp"], input.projectRoot);
+  if (issueCommentsRead.error)
+    readErrors.push(issueCommentsRead.error);
+  const issueComments = issueCommentsRead.value.map(normalizeIssueComment).filter((entry) => !!entry).filter(relevantIssueComment);
+  const reviewThreadsRead = await collectReviewThreads({
+    command: input.command,
+    projectRoot: input.projectRoot,
+    owner: parsed.owner,
+    name: parsed.repo,
+    prNumber: parsed.prNumber
+  });
+  if (reviewThreadsRead.error)
+    readErrors.push(reviewThreadsRead.error);
+  const reviewThreads = reviewThreadsRead.value;
+  const greptileRollupChecks = statusCheckRollup.filter((check) => isGreptileLabel(checkName(check)));
+  let greptileCheckDetails = [];
+  if (headSha && greptileRollupChecks.length > 0) {
+    const checkDetailsRead = await collectGreptileCheckDetails({
+      command: input.command,
+      projectRoot: input.projectRoot,
+      repoName: parsed.repoName,
+      headSha
+    });
+    if (checkDetailsRead.error)
+      readErrors.push(checkDetailsRead.error);
+    greptileCheckDetails = checkDetailsRead.value;
+    if (!checkDetailsRead.error && greptileCheckDetails.length === 0) {
+      readErrors.push("Greptile check details could not be found for the current PR head");
+    }
+  }
+  const checksWithGreptileDetails = [...statusCheckRollup, ...greptileCheckDetails];
+  const checkFailures = statusCheckRollup.filter((check) => !isGreptileLabel(checkName(check)) && isFailingCheck(check) && !isAllowedFailure(checkName(check), input.allowedFailures ?? [])).map((check) => `Check failed: ${checkName(check)}${check.detailsUrl || check.link ? ` (${check.detailsUrl ?? check.link})` : ""}`);
+  const pendingChecks = statusCheckRollup.filter((check) => isPendingCheck(check) && (isGreptileLabel(checkName(check)) || !isAllowedFailure(checkName(check), input.allowedFailures ?? []))).map((check) => `Check pending: ${checkName(check)}`);
+  const evidenceBase = {
+    title: firstString(view, ["title"]),
+    body: firstString(view, ["body"]),
+    reviews,
+    changedFileReviewComments: reviewComments,
+    relevantIssueComments: issueComments,
+    reviewThreads,
+    checks: checksWithGreptileDetails,
+    currentHeadSha: headSha,
+    apiSignals: input.apiSignals ?? []
+  };
+  const greptile = deriveGreptileEvidence(evidenceBase);
+  return {
+    prUrl: input.prUrl,
+    prNumber: parsed.prNumber,
+    repoName: parsed.repoName,
+    title: evidenceBase.title,
+    body: evidenceBase.body,
+    headSha,
+    headRefName: firstString(view, ["headRefName"]),
+    baseRefName: firstString(view, ["baseRefName"]),
+    state: firstString(view, ["state"]),
+    isDraft: typeof view.isDraft === "boolean" ? view.isDraft : null,
+    mergeable: firstString(view, ["mergeable"]),
+    mergeStateStatus: firstString(view, ["mergeStateStatus"]),
+    reviewDecision: firstString(view, ["reviewDecision"]),
+    reviews,
+    reviewThreads,
+    changedFileReviewComments: reviewComments,
+    relevantIssueComments: issueComments,
+    statusCheckRollup: checksWithGreptileDetails,
+    checkFailures,
+    pendingChecks,
+    readErrors,
+    greptile
+  };
+}
+function evaluateEvidence(evidence) {
+  const reasons = [];
+  const warnings = [];
+  let pending = false;
+  if (evidence.readErrors.length > 0) {
+    reasons.push(...evidence.readErrors.map((error) => `Required PR evidence surface could not be read completely: ${error}`));
+  }
+  if (!evidence.headSha)
+    reasons.push("PR head SHA could not be read; current-head Greptile approval cannot be proven.");
+  if (evidence.checkFailures.length > 0)
+    reasons.push(...evidence.checkFailures);
+  if (evidence.pendingChecks.length > 0) {
+    pending = true;
+    reasons.push(...evidence.pendingChecks);
+  }
+  const reviewDecision = String(evidence.reviewDecision ?? "").toUpperCase();
+  if (reviewDecision === "CHANGES_REQUESTED" || reviewDecision === "REVIEW_REQUIRED") {
+    reasons.push(`Required review is unresolved (${evidence.reviewDecision}).`);
+  }
+  const unresolvedThreads = unresolvedThreadSummaries(evidence.reviewThreads);
+  if (unresolvedThreads.length > 0)
+    reasons.push(...unresolvedThreads);
+  const greptile = evidence.greptile;
+  if (greptile.mapping === "missing")
+    reasons.push("Missing Greptile check/review evidence for this PR.");
+  const staleSignal = greptile.signals.find((signal) => signal.reviewedSha && signal.reviewedSha !== evidence.headSha);
+  if (greptile.mapping === "stale" || greptile.reviewedSha && greptile.reviewedSha !== evidence.headSha || !greptile.approved && staleSignal) {
+    reasons.push(`Greptile evidence is stale (reviewed ${greptile.reviewedSha ?? staleSignal?.reviewedSha ?? "unknown"}, current ${evidence.headSha || "unknown"}).`);
+  }
+  if (!greptile.completed) {
+    pending = true;
+    reasons.push("Greptile check/review has not completed for the current PR head.");
+  }
+  if (!greptile.fresh)
+    reasons.push("Greptile approval is not tied to the current PR head SHA.");
+  if (greptile.score && !(greptile.score.scale === 5 && greptile.score.value === 5)) {
+    reasons.push(`Greptile score is ${greptile.score.value}/${greptile.score.scale}; strict merge requires trusted current-head 5/5.`);
+  }
+  if (!greptile.score && greptile.mapping !== "score-5-of-5") {
+    reasons.push("No parseable Greptile 5/5 score or explicit approved mapping was found from trusted current-head evidence; merge is blocked.");
+  }
+  if (greptile.mapping === "unproven") {
+    reasons.push("Greptile approval mapping is unproven; PR body/title or a green check alone cannot approve merge.");
+  }
+  if (greptile.blockers.length > 0) {
+    reasons.push(...greptile.blockers.map((entry) => `Greptile/blocker text: ${entry.trim().slice(0, 500)}`));
+  }
+  if (greptile.unresolvedComments.length > 0)
+    reasons.push(...greptile.unresolvedComments);
+  if (!greptile.approved)
+    warnings.push(`Greptile approval mapping is ${greptile.mapping}.`);
+  return { reasons: Array.from(new Set(reasons)), warnings, pending };
+}
+function evaluateStrictPrMergeGate(evidence) {
+  const evaluated = evaluateEvidence(evidence);
+  const approved = evaluated.reasons.length === 0 && evidence.greptile.approved;
+  return {
+    approved,
+    pending: evaluated.pending,
+    reasons: evaluated.reasons,
+    warnings: evaluated.warnings,
+    actionableFeedback: evaluated.reasons,
+    evidence
+  };
+}
+function promptExcerpt(value, maxChars = 4000) {
+  return value.length > maxChars ? `${value.slice(0, maxChars)}
+
+[truncated for prompt; see full evidence artifact]` : value;
+}
+function promptJsonExcerpt(value, maxChars = 6000) {
+  return promptExcerpt(JSON.stringify(value, null, 2), maxChars);
+}
+function buildStrictPrGateSteeringPrompt(result) {
+  const evidence = result.evidence;
+  const unresolvedReviewThreads = evidence.reviewThreads.filter((thread) => thread.isResolved !== true && thread.isOutdated !== true);
+  const lines = [
+    `Strict PR merge gate blocked ${evidence.prUrl}.`,
+    `PR title: ${evidence.title || "(empty)"}`,
+    `Current PR head SHA: ${evidence.headSha || "unknown"}`,
+    `Greptile mapping: ${evidence.greptile.mapping}`,
+    evidence.greptile.score ? `Greptile score: ${evidence.greptile.score.value}/${evidence.greptile.score.scale}` : "Greptile score: not proven",
+    "",
+    "Gate reasons:",
+    ...result.reasons.length ? result.reasons.map((reason) => `- ${reason}`) : ["- No reasons recorded"],
+    "",
+    "Required evidence read status:",
+    evidence.readErrors.length ? JSON.stringify(evidence.readErrors, null, 2) : "All required PR evidence surfaces were read completely.",
+    "",
+    "Full PR title:",
+    evidence.title || "(empty)",
+    "",
+    "PR body excerpt:",
+    evidence.body ? promptExcerpt(evidence.body) : "(empty)",
+    "",
+    "All review comments on changed files:",
+    evidence.changedFileReviewComments.length ? promptJsonExcerpt(evidence.changedFileReviewComments) : "[]",
+    "",
+    "Unresolved review threads:",
+    unresolvedReviewThreads.length ? promptJsonExcerpt(unresolvedReviewThreads) : "[]",
+    "",
+    "Relevant issue-level PR comments:",
+    evidence.relevantIssueComments.length ? promptJsonExcerpt(evidence.relevantIssueComments) : "[]",
+    "",
+    "CI/check failures and pending checks:",
+    promptJsonExcerpt({ failures: evidence.checkFailures, pending: evidence.pendingChecks, rollup: evidence.statusCheckRollup }),
+    "",
+    "Greptile evidence:",
+    promptJsonExcerpt(evidence.greptile)
+  ];
+  if (result.artifacts) {
+    lines.push("", "Full evidence artifacts:", JSON.stringify(result.artifacts, null, 2));
+  }
+  return lines.join(`
+`);
+}
+function persistPrReviewCycleArtifacts(input) {
+  const cycleName = input.final ? `${input.cycle}-final` : String(input.cycle);
+  const taskArtifactRoot = input.artifactRoot?.trim() ? input.artifactRoot : resolve21(input.projectRoot, "artifacts", input.taskId);
+  const root = resolve21(taskArtifactRoot, "pr-review-cycles", cycleName);
+  mkdirSync8(root, { recursive: true });
+  const finalMergeGateResultPath = input.final ? resolve21(taskArtifactRoot, "merge-gate-final.json") : undefined;
+  const paths = {
+    root,
+    prTitlePath: resolve21(root, "pr-title.md"),
+    prBodyPath: resolve21(root, "pr-body.md"),
+    prCommentsPath: resolve21(root, "pr-comments.json"),
+    reviewThreadsPath: resolve21(root, "review-threads.json"),
+    reviewCommentsPath: resolve21(root, "review-comments.json"),
+    checkRollupPath: resolve21(root, "check-rollup.json"),
+    greptileEvidencePath: resolve21(root, "greptile-evidence.json"),
+    mergeGateResultPath: resolve21(root, "merge-gate-result.json"),
+    steeringPromptPath: resolve21(root, "agent-steering-prompt.md"),
+    ...finalMergeGateResultPath ? { finalMergeGateResultPath } : {}
+  };
+  writeFileSync8(paths.prTitlePath, input.result.evidence.title || "", "utf8");
+  writeFileSync8(paths.prBodyPath, input.result.evidence.body || "", "utf8");
+  writeFileSync8(paths.prCommentsPath, `${JSON.stringify(input.result.evidence.relevantIssueComments, null, 2)}
+`, "utf8");
+  writeFileSync8(paths.reviewThreadsPath, `${JSON.stringify(input.result.evidence.reviewThreads, null, 2)}
+`, "utf8");
+  writeFileSync8(paths.reviewCommentsPath, `${JSON.stringify(input.result.evidence.changedFileReviewComments, null, 2)}
+`, "utf8");
+  writeFileSync8(paths.checkRollupPath, `${JSON.stringify(input.result.evidence.statusCheckRollup, null, 2)}
+`, "utf8");
+  writeFileSync8(paths.greptileEvidencePath, `${JSON.stringify(input.result.evidence.greptile, null, 2)}
+`, "utf8");
+  const mergeGatePayload = {
+    approved: input.result.approved,
+    pending: input.result.pending,
+    reasons: input.result.reasons,
+    warnings: input.result.warnings,
+    actionableFeedback: input.result.actionableFeedback,
+    prUrl: input.result.evidence.prUrl,
+    title: input.result.evidence.title,
+    headSha: input.result.evidence.headSha,
+    readErrors: input.result.evidence.readErrors,
+    greptile: input.result.evidence.greptile,
+    evidence: input.result.evidence,
+    cycleArtifactRoot: root
+  };
+  writeFileSync8(paths.mergeGateResultPath, `${JSON.stringify(mergeGatePayload, null, 2)}
+`, "utf8");
+  if (paths.finalMergeGateResultPath) {
+    writeFileSync8(paths.finalMergeGateResultPath, `${JSON.stringify(mergeGatePayload, null, 2)}
+`, "utf8");
+  }
+  writeFileSync8(paths.steeringPromptPath, input.steeringPrompt, "utf8");
+  return paths;
+}
+async function runStrictPrMergeGate(input) {
+  const evidence = await collectPrReviewEvidence(input);
+  const base = evaluateStrictPrMergeGate(evidence);
+  const preliminaryPrompt = buildStrictPrGateSteeringPrompt({ ...base, artifacts: undefined });
+  const artifacts = persistPrReviewCycleArtifacts({
+    projectRoot: input.projectRoot,
+    taskId: input.taskId,
+    cycle: input.cycle,
+    artifactRoot: input.artifactRoot,
+    result: base,
+    steeringPrompt: preliminaryPrompt,
+    final: input.final
+  });
+  const steeringPrompt = buildStrictPrGateSteeringPrompt({ ...base, artifacts });
+  writeFileSync8(artifacts.steeringPromptPath, steeringPrompt, "utf8");
+  return { ...base, artifacts, steeringPrompt };
+}
+
+// packages/runtime/src/control-plane/native/verifier.ts
 async function verifyTask(options) {
   const paths = resolveHarnessPaths(options.projectRoot);
   const taskId = options.taskId;
   const normalizedTaskId = lookupTask(options.projectRoot, taskId);
   const artifactDir = artifactDirForId(options.projectRoot, taskId);
-  mkdirSync8(artifactDir, { recursive: true });
-  const validationSummaryPath = resolve21(artifactDir, "validation-summary.json");
-  const reviewFeedbackPath = resolve21(artifactDir, "review-feedback.md");
-  const reviewStatePath = resolve21(artifactDir, "review-state.json");
-  const greptileRawPath = resolve21(artifactDir, "review-greptile-raw.json");
+  mkdirSync9(artifactDir, { recursive: true });
+  const validationSummaryPath = resolve22(artifactDir, "validation-summary.json");
+  const reviewFeedbackPath = resolve22(artifactDir, "review-feedback.md");
+  const reviewStatePath = resolve22(artifactDir, "review-state.json");
+  const greptileRawPath = resolve22(artifactDir, "review-greptile-raw.json");
   const prStates = readPrMetadata(options.projectRoot, taskId);
   const prState = prStates[0] || null;
   const localReasons = [];
@@ -4271,12 +5168,12 @@ async function verifyTask(options) {
     }
   }
   for (const file of ["task-result.json", "decision-log.md", "next-actions.md", "changed-files.txt"]) {
-    const requiredPath = resolve21(artifactDir, file);
+    const requiredPath = resolve22(artifactDir, file);
     if (!existsSync18(requiredPath)) {
       localReasons.push(`[Artifact Quality] Missing required artifact file: ${requiredPath}`);
     }
   }
-  const taskResultPath = resolve21(artifactDir, "task-result.json");
+  const taskResultPath = resolve22(artifactDir, "task-result.json");
   if (existsSync18(taskResultPath)) {
     const taskResult = await readJsonFile2(taskResultPath);
     const artifactStatus = typeof taskResult?.status === "string" ? taskResult.status.trim().toLowerCase() : "";
@@ -4290,7 +5187,7 @@ async function verifyTask(options) {
       localReasons.push("[Artifact Quality] task-result.json next actions indicate remaining implementation scope.");
     }
   }
-  const nextActionsPath = resolve21(artifactDir, "next-actions.md");
+  const nextActionsPath = resolve22(artifactDir, "next-actions.md");
   if (existsSync18(nextActionsPath)) {
     const nextActionsContent = await Bun.file(nextActionsPath).text();
     if (nextActionsContent.includes("TODO: Replace this scaffold") || nextActionsContent.includes("bd-<downstream-task-id>")) {
@@ -4328,7 +5225,7 @@ async function verifyTask(options) {
       aiReasons.push(`[AI Review] Required mode needs a completed Greptile approval; current verdict is ${ai.verdict}.`);
     }
     if (persistArtifacts && ai.rawResponse) {
-      writeFileSync8(greptileRawPath, `${ai.rawResponse}
+      writeFileSync9(greptileRawPath, `${ai.rawResponse}
 `, "utf-8");
     }
   } else if (!options.skipAiReview && reviewMode === "off") {
@@ -4837,7 +5734,7 @@ function writeFeedbackFile(options) {
   if (options.aiRawFeedback) {
     lines.push("## Raw Reviewer Feedback", "", "```text", options.aiRawFeedback, "```", "");
   }
-  writeFileSync8(options.output, `${lines.join(`
+  writeFileSync9(options.output, `${lines.join(`
 `)}
 `, "utf-8");
 }
@@ -4854,7 +5751,7 @@ function writeReviewStateFile(options) {
     ai_warnings: options.aiWarnings,
     updated_at: nowIso()
   };
-  writeFileSync8(options.output, `${JSON.stringify(payload, null, 2)}
+  writeFileSync9(options.output, `${JSON.stringify(payload, null, 2)}
 `, "utf-8");
 }
 async function runGreptileReviewForPr(options) {
@@ -5036,7 +5933,8 @@ async function runGreptileReviewForPr(options) {
       }
     };
   }
-  if (/not safe to merge|unsafe to merge|do not merge|blocker/i.test(reviewBody)) {
+  const blockerScanBody = stripHtml(reviewBody).replace(/\b(?:no|without|zero)\s+blockers?\b/gi, " ").replace(/\bno\s+changes\s+requested\b/gi, " ");
+  if (/not safe(?: to merge)?|unsafe(?: to merge)?|do not merge|cannot merge|blockers?|must fix|changes requested|please fix|needs? fix|fix this|address this/i.test(blockerScanBody)) {
     reasons.push(`[AI Review] ${repoName}#${prNumber} summary indicates the PR is not safe to merge.`);
     return {
       verdict: "REJECT",
@@ -5052,44 +5950,78 @@ async function runGreptileReviewForPr(options) {
       }
     };
   }
-  if (score) {
-    if (score.scale === 5 && score.value < 5 && options.reviewMode === "required") {
-      reasons.push(`[AI Review] ${repoName}#${prNumber} completed with Greptile confidence ${score.value}/${score.scale}; required mode needs 5/5 before merge.`);
-      return {
-        verdict: "REJECT",
-        feedback,
-        reasons,
-        warnings,
-        rawPayload: {
-          pr: options.prState,
-          codeReviews: reviewsPayload,
-          selectedReview,
-          reviewDetails,
-          comments: commentsPayload,
-          score
-        }
-      };
-    }
-    if (score.scale === 5 && score.value <= 2) {
-      reasons.push(`[AI Review] ${repoName}#${prNumber} completed with Greptile confidence ${score.value}/${score.scale}; this requires rework before merge.`);
-      return {
-        verdict: "REJECT",
-        feedback,
-        reasons,
-        warnings,
-        rawPayload: {
-          pr: options.prState,
-          codeReviews: reviewsPayload,
-          selectedReview,
-          reviewDetails,
-          comments: commentsPayload,
-          score
+  if (score?.scale === 5 && score.value < 5) {
+    reasons.push(`[AI Review] ${repoName}#${prNumber} completed with Greptile confidence ${score.value}/${score.scale}; strict review requires 5/5 before merge.`);
+    return {
+      verdict: "REJECT",
+      feedback,
+      reasons,
+      warnings,
+      rawPayload: {
+        pr: options.prState,
+        codeReviews: reviewsPayload,
+        selectedReview,
+        reviewDetails,
+        comments: commentsPayload,
+        score
+      }
+    };
+  }
+  const prUrl = options.prState.url || `https://github.com/${repoName}/pull/${prNumber}`;
+  let strictGate = null;
+  try {
+    const strictEvidence = await collectStrictPrEvidenceForVerifier({
+      projectRoot: options.projectRoot,
+      taskId: options.taskId,
+      prUrl,
+      apiSignals: [{
+        id: selectedReview.id,
+        body: reviewBody,
+        reviewedSha: selectedReview.metadata?.checkHeadSha ?? null,
+        status: selectedReview.status
+      }]
+    });
+    strictGate = evaluateStrictPrMergeGate(strictEvidence);
+  } catch (error) {
+    reasons.push(`[AI Review] Strict Greptile evidence collection failed for ${repoName}#${prNumber}: ${error instanceof Error ? error.message : String(error)}`);
+    return {
+      verdict: "REJECT",
+      feedback,
+      reasons,
+      warnings,
+      rawPayload: {
+        pr: options.prState,
+        codeReviews: reviewsPayload,
+        selectedReview,
+        reviewDetails,
+        comments: commentsPayload,
+        score
+      }
+    };
+  }
+  if (!strictGate.approved) {
+    return {
+      verdict: strictGate.pending ? "SKIP" : "REJECT",
+      feedback,
+      reasons: strictGate.reasons.map((reason) => reason.startsWith("[AI Review]") ? reason : `[AI Review] ${reason}`),
+      warnings: [...warnings, ...strictGate.warnings],
+      rawPayload: {
+        pr: options.prState,
+        codeReviews: reviewsPayload,
+        selectedReview,
+        reviewDetails,
+        comments: commentsPayload,
+        score,
+        strictGate: {
+          approved: strictGate.approved,
+          pending: strictGate.pending,
+          reasons: strictGate.reasons,
+          warnings: strictGate.warnings,
+          greptile: strictGate.evidence.greptile,
+          readErrors: strictGate.evidence.readErrors
         }
-      };
-    }
-    if (score.scale === 5 && score.value < 5) {
-      warnings.push(`[AI Review] ${repoName}#${prNumber} completed with Greptile confidence ${score.value}/${score.scale}; continue only after reviewing remaining risk.`);
-    }
+      }
+    };
   }
   return {
     verdict: "APPROVE",
@@ -5101,7 +6033,15 @@ async function runGreptileReviewForPr(options) {
       codeReviews: reviewsPayload,
       selectedReview,
       reviewDetails,
-      comments: commentsPayload
+      comments: commentsPayload,
+      strictGate: {
+        approved: strictGate.approved,
+        pending: strictGate.pending,
+        reasons: strictGate.reasons,
+        warnings: strictGate.warnings,
+        greptile: strictGate.evidence.greptile,
+        readErrors: strictGate.evidence.readErrors
+      }
     }
   };
 }
@@ -5125,7 +6065,7 @@ async function runGithubGreptileFallbackReviewForPr(options) {
   let threads = [];
   let actionableThreads = [];
   let checkRollup = [];
-  let checkState = { pending: false, completed: false };
+  let checkState2 = { pending: false, completed: false };
   for (let attempt = 0;; attempt += 1) {
     reviews = runGhJson(options.projectRoot, ["api", `repos/${repoName}/pulls/${prNumber}/reviews`]);
     selectedReview = pickRelevantGithubGreptileReview(reviews, expectedHeadSha);
@@ -5134,15 +6074,15 @@ async function runGithubGreptileFallbackReviewForPr(options) {
     threads = loadGithubReviewThreads(options.projectRoot, repoName, prNumber);
     actionableThreads = filterActionableGithubGreptileThreads(threads);
     checkRollup = loadGithubPullRequestCheckRollup(options.projectRoot, repoName, prNumber);
-    checkState = classifyGithubGreptileCheckState(checkRollup);
-    const approvedViaReviewedAncestor2 = !selectedReview && !!fallbackReview?.commit_id && !!expectedHeadSha && isCommitAncestorOfPrHead(options.projectRoot, options.prState, fallbackReview.commit_id, expectedHeadSha);
+    checkState2 = classifyGithubGreptileCheckState(checkRollup);
+    const approvedViaReviewedAncestor = !selectedReview && !!fallbackReview?.commit_id && !!expectedHeadSha && isCommitAncestorOfPrHead(options.projectRoot, options.prState, fallbackReview.commit_id, expectedHeadSha);
     if (!shouldContinueGithubGreptileFallbackPolling({
       attempt,
       pollAttempts: options.pollAttempts,
-      checkState,
+      checkState: checkState2,
       fallbackReview,
       selectedReview,
-      approvedViaReviewedAncestor: approvedViaReviewedAncestor2
+      approvedViaReviewedAncestor
     })) {
       break;
     }
@@ -5170,7 +6110,7 @@ async function runGithubGreptileFallbackReviewForPr(options) {
   ].filter(Boolean).join(`
 `);
   const warnings = buildGithubGreptileFallbackWarnings(options);
-  if (checkState.pending) {
+  if (checkState2.pending) {
     return {
       verdict: "SKIP",
       feedback,
@@ -5181,34 +6121,20 @@ async function runGithubGreptileFallbackReviewForPr(options) {
       rawPayload: { ...buildGithubGreptileFallbackRawPayload(options), reviews, threads, checkRollup }
     };
   }
-  const approvedViaCompletedCheck = isGithubGreptileCheckApproved(checkRollup);
-  if (!fallbackReview) {
-    if (approvedViaCompletedCheck) {
-      warnings.push(`[AI Review Warning] ${repoName}#${prNumber} has no GitHub Greptile review object, but the Greptile check completed successfully and no unresolved Greptile threads remain.`);
-      return {
-        verdict: "APPROVE",
-        feedback,
-        reasons: [],
-        warnings,
-        rawPayload: { ...buildGithubGreptileFallbackRawPayload(options), reviews, threads, checkRollup }
-      };
-    }
-    return {
-      verdict: "SKIP",
-      feedback,
-      reasons: [
-        `[AI Review] Greptile GitHub review for ${repoName}#${prNumber} is not available.`
-      ],
-      warnings,
-      rawPayload: { ...buildGithubGreptileFallbackRawPayload(options), reviews, threads, checkRollup }
-    };
-  }
-  const approvedViaReviewedAncestor = !selectedReview && !!fallbackReview.commit_id && !!expectedHeadSha && isCommitAncestorOfPrHead(options.projectRoot, options.prState, fallbackReview.commit_id, expectedHeadSha);
-  if (actionableThreads.length > 0) {
+  const prUrl = options.prState.url || `https://github.com/${repoName}/pull/${prNumber}`;
+  let strictGate;
+  try {
+    const strictEvidence = await collectStrictPrEvidenceForVerifier({
+      projectRoot: options.projectRoot,
+      taskId: options.taskId,
+      prUrl
+    });
+    strictGate = evaluateStrictPrMergeGate(strictEvidence);
+  } catch (error) {
     return {
       verdict: "REJECT",
       feedback,
-      reasons: actionableThreads.map((comment) => `[AI Review] ${repoName}#${prNumber} has unresolved Greptile comment on ${comment.path}: ${summarizeComment(comment.body || "")}`),
+      reasons: [`[AI Review] Strict Greptile evidence collection failed for ${repoName}#${prNumber}: ${error instanceof Error ? error.message : String(error)}`],
       warnings,
       rawPayload: {
         pr: options.prState,
@@ -5221,44 +6147,30 @@ async function runGithubGreptileFallbackReviewForPr(options) {
       }
     };
   }
-  if (!selectedReview && !approvedViaReviewedAncestor) {
-    if (approvedViaCompletedCheck) {
-      warnings.push(`[AI Review Warning] ${repoName}#${prNumber} has no fresh Greptile GitHub review on the current head, but the Greptile check completed successfully and all Greptile threads are resolved.`);
-      return {
-        verdict: "APPROVE",
-        feedback,
-        reasons: [],
-        warnings,
-        rawPayload: {
-          pr: options.prState,
-          selectedReview: fallbackReview,
-          reviews,
-          threads,
-          checkRollup,
-          ...buildGithubGreptileFallbackRawPayload(options)
-        }
-      };
-    }
+  if (!strictGate.approved) {
     return {
-      verdict: "SKIP",
+      verdict: strictGate.pending ? "SKIP" : "REJECT",
       feedback,
-      reasons: [
-        `[AI Review] Greptile GitHub review for ${repoName}#${prNumber} is not available for the current head.`
-      ],
-      warnings,
+      reasons: strictGate.reasons.map((reason) => reason.startsWith("[AI Review]") ? reason : `[AI Review] ${reason}`),
+      warnings: [...warnings, ...strictGate.warnings],
       rawPayload: {
         pr: options.prState,
         selectedReview: fallbackReview,
         reviews,
         threads,
         checkRollup,
+        actionableThreads,
+        strictGate: {
+          approved: strictGate.approved,
+          pending: strictGate.pending,
+          reasons: strictGate.reasons,
+          warnings: strictGate.warnings,
+          greptile: strictGate.evidence.greptile
+        },
         ...buildGithubGreptileFallbackRawPayload(options)
       }
     };
   }
-  if (approvedViaReviewedAncestor) {
-    warnings.push(`[AI Review Warning] ${repoName}#${prNumber} has no fresh Greptile review on the current head, but the latest reviewed commit is an ancestor and all Greptile threads are resolved.`);
-  }
   return {
     verdict: "APPROVE",
     feedback,
@@ -5270,6 +6182,13 @@ async function runGithubGreptileFallbackReviewForPr(options) {
       reviews,
       threads,
       checkRollup,
+      strictGate: {
+        approved: strictGate.approved,
+        pending: strictGate.pending,
+        reasons: strictGate.reasons,
+        warnings: strictGate.warnings,
+        greptile: strictGate.evidence.greptile
+      },
       ...buildGithubGreptileFallbackRawPayload(options)
     }
   };
@@ -5382,21 +6301,25 @@ function shouldTriggerGreptileReview(existingReview, expectedHeadSha) {
   if ((existingReview.metadata?.checkHeadSha || "") !== expectedHeadSha) {
     return true;
   }
-  return isGreptileReviewTerminal(existingReview.status);
+  return false;
 }
 function shouldContinueGreptileMcpPolling(options) {
   if (options.githubCheckState.completed) {
     return false;
   }
+  const hasRemainingBudget = options.attempt + 1 < options.pollAttempts;
+  if (!hasRemainingBudget) {
+    return false;
+  }
   if (options.selectedReview && !isGreptileReviewTerminal(options.selectedReview.status)) {
     return true;
   }
-  return options.attempt + 1 < options.pollAttempts;
+  return true;
 }
 function shouldContinueGithubGreptileFallbackPolling(options) {
   const waitingForVisiblePendingReview = options.checkState.pending && (!options.fallbackReview || !options.selectedReview && !options.approvedViaReviewedAncestor);
   if (waitingForVisiblePendingReview) {
-    return true;
+    return options.attempt + 1 < options.pollAttempts;
   }
   const reviewNotVisibleYet = !options.fallbackReview && !options.checkState.pending && !options.checkState.completed;
   if (reviewNotVisibleYet) {
@@ -5455,6 +6378,20 @@ function runGhJson(projectRoot, args) {
     throw new Error(`gh ${args.join(" ")} returned malformed JSON: ${result.stdout}`);
   }
 }
+async function collectStrictPrEvidenceForVerifier(input) {
+  return collectPrReviewEvidence({
+    projectRoot: input.projectRoot,
+    prUrl: input.prUrl,
+    taskId: input.taskId,
+    runId: "verifier",
+    cycle: 0,
+    apiSignals: input.apiSignals ?? [],
+    command: async (args, options) => {
+      const result = runCapture(["gh", ...args], options?.cwd ?? input.projectRoot);
+      return { exitCode: result.exitCode, stdout: result.stdout, stderr: result.stderr };
+    }
+  });
+}
 function deriveRepoName(projectRoot, prState) {
   const fromUrl = /github\.com\/([^/]+\/[^/]+)\/pull\/\d+/.exec(prState.url || "");
   if (fromUrl?.[1]) {
@@ -5469,8 +6406,9 @@ function resolvePrHeadSha(projectRoot, prState) {
   const repoRoot = resolvePrRepoRoot(projectRoot, prState);
   return runCapture(["git", "-C", repoRoot, "rev-parse", "HEAD"], projectRoot).stdout.trim();
 }
-function isGreptileGithubLogin(login) {
-  return (login || "").replace(/\[bot\]$/, "") === "greptile-apps";
+function isGreptileGithubLogin2(login) {
+  const normalized = (login || "").toLowerCase().replace(/\[bot\]$/, "");
+  return normalized === "greptile" || normalized === "greptile-ai" || normalized === "greptileai" || normalized === "greptile-apps";
 }
 function pickRelevantGithubGreptileReview(reviews, expectedHeadSha) {
   const matching = sortGithubGreptileReviews(reviews);
@@ -5487,7 +6425,7 @@ function pickLatestGithubGreptileReview(reviews) {
   return sortGithubGreptileReviews(reviews)[0] || null;
 }
 function sortGithubGreptileReviews(reviews) {
-  return reviews.filter((review) => isGreptileGithubLogin(review.user?.login)).sort((left, right) => Date.parse(right.submitted_at || "") - Date.parse(left.submitted_at || ""));
+  return reviews.filter((review) => isGreptileGithubLogin2(review.user?.login)).sort((left, right) => Date.parse(right.submitted_at || "") - Date.parse(left.submitted_at || ""));
 }
 function loadGithubPullRequestCheckRollup(projectRoot, repoName, prNumber) {
   const response = runGhJson(projectRoot, [
@@ -5560,32 +6498,6 @@ function classifyGithubGreptileCheckState(checks) {
   }
   return { pending: false, completed: false };
 }
-function isGithubGreptileCheckApproved(checks) {
-  const greptileChecks = checks.filter((check) => {
-    const label = (check.name || check.context || "").toLowerCase();
-    return label.includes("greptile");
-  });
-  if (greptileChecks.length === 0) {
-    return false;
-  }
-  for (const check of greptileChecks) {
-    if ((check.__typename || "") === "CheckRun") {
-      if ((check.status || "").toUpperCase() !== "COMPLETED") {
-        return false;
-      }
-      const conclusion = (check.conclusion || "").toUpperCase();
-      if (!["SUCCESS", "NEUTRAL", "SKIPPED"].includes(conclusion)) {
-        return false;
-      }
-      continue;
-    }
-    const state = (check.state || "").toUpperCase();
-    if (!["SUCCESS", "NEUTRAL", "SKIPPED"].includes(state)) {
-      return false;
-    }
-  }
-  return true;
-}
 function loadGithubReviewThreads(projectRoot, repoName, prNumber) {
   const [owner, name] = repoName.split("/");
   if (!owner || !name) {
@@ -5611,7 +6523,7 @@ function filterActionableGithubGreptileThreads(threads) {
       return [];
     }
     const comments = thread.comments?.nodes || [];
-    const latestGreptileComment = [...comments].reverse().find((comment) => isGreptileGithubLogin(comment.author?.login));
+    const latestGreptileComment = [...comments].reverse().find((comment) => isGreptileGithubLogin2(comment.author?.login));
     if (!latestGreptileComment?.path?.trim()) {
       return [];
     }
@@ -5620,7 +6532,7 @@ function filterActionableGithubGreptileThreads(threads) {
 }
 function resolvePrRepoRoot(projectRoot, prState) {
   const runtimeWorkspace = process.env.RIG_TASK_WORKSPACE?.trim();
-  if (prState.target === "monorepo" && runtimeWorkspace && existsSync18(resolve21(runtimeWorkspace, ".git"))) {
+  if (prState.target === "monorepo" && runtimeWorkspace && existsSync18(resolve22(runtimeWorkspace, ".git"))) {
     return runtimeWorkspace;
   }
   const paths = resolveHarnessPaths(projectRoot);
@@ -5633,11 +6545,6 @@ function isCommitAncestorOfPrHead(projectRoot, prState, reviewedCommit, headComm
   const repoRoot = resolvePrRepoRoot(projectRoot, prState);
   return runCapture(["git", "-C", repoRoot, "merge-base", "--is-ancestor", reviewedCommit, headCommit], projectRoot).exitCode === 0;
 }
-function stripHtml(input) {
-  return input.replace(/<[^>]+>/g, " ").replace(/&nbsp;/g, " ").replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/\r/g, "").replace(/\n{3,}/g, `
-
-`).trim();
-}
 function summarizeComment(input) {
   const text = stripHtml(input).replace(/\s+/g, " ").trim();
   return text.length > 160 ? `${text.slice(0, 157)}...` : text;
@@ -5646,31 +6553,14 @@ function asGreptileInfrastructureWarning(reason) {
   return reason.startsWith("[AI Review]") ? reason.replace("[AI Review]", "[AI Review Warning]") : reason;
 }
 function isAiReviewApproved(input) {
+  if (input.aiVerdict === "REJECT" && input.aiReasons.length > 0) {
+    return false;
+  }
   if (input.reviewMode !== "required") {
     return true;
   }
   return input.aiVerdict === "APPROVE" && input.aiReasons.length === 0;
 }
-function parseGreptileScore(input) {
-  const text = stripHtml(input);
-  const patterns = [
-    /confidence score:\s*(\d+)\s*\/\s*(\d+)/i,
-    /\bscore:\s*(\d+)\s*\/\s*(\d+)/i,
-    /\b(\d+)\s*\/\s*(\d+)\s*(?:confidence|score)/i
-  ];
-  for (const pattern of patterns) {
-    const match = pattern.exec(text);
-    if (!match) {
-      continue;
-    }
-    const value = Number.parseInt(match[1] || "", 10);
-    const scale = Number.parseInt(match[2] || "", 10);
-    if (Number.isFinite(value) && Number.isFinite(scale) && scale > 0) {
-      return { value, scale };
-    }
-  }
-  return null;
-}
 
 // packages/runtime/src/control-plane/provider/runtime-instructions.ts
 var CLAUDE_ROUTER_TOOL_NAMES = [
@@ -5710,14 +6600,14 @@ function taskArtifacts(projectRoot, taskId) {
     throw new Error("No active task.");
   }
   const paths = resolveHarnessPaths(projectRoot);
-  const artifactDir = resolve22(paths.artifactsDir, activeTask);
-  mkdirSync9(artifactDir, { recursive: true });
+  const artifactDir = resolve23(paths.artifactsDir, activeTask);
+  mkdirSync10(artifactDir, { recursive: true });
   const changed = changedFilesForTask(projectRoot, activeTask, true);
-  writeFileSync9(resolve22(artifactDir, "changed-files.txt"), `${changed.join(`
+  writeFileSync10(resolve23(artifactDir, "changed-files.txt"), `${changed.join(`
 `)}
 `, "utf-8");
   console.log(`changed-files.txt: ${changed.length} files`);
-  const taskResultPath = resolve22(artifactDir, "task-result.json");
+  const taskResultPath = resolve23(artifactDir, "task-result.json");
   if (!existsSync19(taskResultPath)) {
     const template = {
       task_id: activeTask,
@@ -5725,24 +6615,24 @@ function taskArtifacts(projectRoot, taskId) {
       summary: "TODO: Write a one-line summary of what you did",
       completed_at: nowIso()
     };
-    writeFileSync9(taskResultPath, `${JSON.stringify(template, null, 2)}
+    writeFileSync10(taskResultPath, `${JSON.stringify(template, null, 2)}
 `, "utf-8");
     console.log("task-result.json: created (update the summary!)");
   } else {
     console.log("task-result.json: already exists");
   }
-  const decisionLogPath = resolve22(artifactDir, "decision-log.md");
+  const decisionLogPath = resolve23(artifactDir, "decision-log.md");
   if (!existsSync19(decisionLogPath)) {
     const content = `# Decision Log: ${activeTask}
 
 Record key decisions here using: rig-agent record decision "..."
 `;
-    writeFileSync9(decisionLogPath, content, "utf-8");
+    writeFileSync10(decisionLogPath, content, "utf-8");
     console.log("decision-log.md: created (record your decisions!)");
   } else {
     console.log("decision-log.md: already exists");
   }
-  const nextActionsPath = resolve22(artifactDir, "next-actions.md");
+  const nextActionsPath = resolve23(artifactDir, "next-actions.md");
   if (!existsSync19(nextActionsPath)) {
     const content = [
       `# Next Actions: ${activeTask}`,
@@ -5760,12 +6650,12 @@ Record key decisions here using: rig-agent record decision "..."
       ""
     ].join(`
 `);
-    writeFileSync9(nextActionsPath, content, "utf-8");
+    writeFileSync10(nextActionsPath, content, "utf-8");
     console.log("next-actions.md: created (add recommendations for downstream tasks!)");
   } else {
     console.log("next-actions.md: already exists");
   }
-  const validationSummaryPath = resolve22(artifactDir, "validation-summary.json");
+  const validationSummaryPath = resolve23(artifactDir, "validation-summary.json");
   if (existsSync19(validationSummaryPath)) {
     console.log("validation-summary.json: already exists");
   } else {
@@ -5832,7 +6722,7 @@ function collectTaskChangedFiles(projectRoot, taskId, includeCommitted) {
     [projectRoot, ""],
     [monorepoRepoRoot, ""]
   ]) {
-    if (!existsSync19(resolve22(repo, ".git"))) {
+    if (!existsSync19(resolve23(repo, ".git"))) {
       continue;
     }
     if (includeCommitted && repo === monorepoRepoRoot) {
@@ -5870,8 +6760,8 @@ function filterTaskChangedFiles(projectRoot, taskId, files, scoped) {
 }
 function resolveTaskMonorepoRoot(projectRoot) {
   const runtimeWorkspace = loadRuntimeContextFromEnv()?.workspaceDir || process.env.RIG_TASK_WORKSPACE?.trim();
-  if (runtimeWorkspace && existsSync19(resolve22(runtimeWorkspace, ".git"))) {
-    return resolve22(runtimeWorkspace);
+  if (runtimeWorkspace && existsSync19(resolve23(runtimeWorkspace, ".git"))) {
+    return resolve23(runtimeWorkspace);
   }
   return resolveHarnessPaths(projectRoot).monorepoRoot;
 }
@@ -5899,7 +6789,7 @@ function resolveRuntimeInitialHeadCommit(projectRoot, repo) {
   const runtimeContext = loadRuntimeContextFromEnv();
   if (runtimeContext?.initialHeadCommits?.monorepo?.trim()) {
     const monorepoRoot = resolveTaskMonorepoRoot(projectRoot);
-    if (resolve22(monorepoRoot) === resolve22(repo)) {
+    if (resolve23(monorepoRoot) === resolve23(repo)) {
       return runtimeContext.initialHeadCommits.monorepo.trim();
     }
   }
@@ -5909,7 +6799,7 @@ function resolveMonorepoBaseCommit(projectRoot, repo) {
   const runtimeContext = loadRuntimeContextFromEnv();
   if (runtimeContext?.monorepoBaseCommit?.trim()) {
     const monorepoRoot = resolveTaskMonorepoRoot(projectRoot);
-    if (resolve22(monorepoRoot) === resolve22(repo)) {
+    if (resolve23(monorepoRoot) === resolve23(repo)) {
       return runtimeContext.monorepoBaseCommit.trim();
     }
   }
@@ -5943,7 +6833,7 @@ function resolveRuntimeDirtyBaseline(projectRoot, repo) {
     return new Set;
   }
   const monorepoRoot = resolveTaskMonorepoRoot(projectRoot);
-  const selected = resolve22(repo) === resolve22(monorepoRoot) ? dirtyFiles.monorepo : resolve22(repo) === resolve22(projectRoot) ? dirtyFiles.project : undefined;
+  const selected = resolve23(repo) === resolve23(monorepoRoot) ? dirtyFiles.monorepo : resolve23(repo) === resolve23(projectRoot) ? dirtyFiles.project : undefined;
   return new Set((selected || []).map((file) => normalizeChangedFilePath(file)).filter(Boolean));
 }
 function normalizeChangedFilePath(file) {
@@ -6001,8 +6891,8 @@ function isRuntimeGatewayGhPath(candidate) {
 }
 function resolveOptionalMonorepoRoot(projectRoot) {
   const runtimeWorkspace = process.env.RIG_TASK_WORKSPACE?.trim();
-  if (runtimeWorkspace && existsSync20(resolve23(runtimeWorkspace, ".git"))) {
-    return resolve23(runtimeWorkspace);
+  if (runtimeWorkspace && existsSync20(resolve24(runtimeWorkspace, ".git"))) {
+    return resolve24(runtimeWorkspace);
   }
   try {
     return resolveMonorepoRoot2(projectRoot);
@@ -6054,7 +6944,7 @@ function gitSyncBranch(projectRoot, taskId, targetRepo = "monorepo") {
   }
   const repoRoot = targetRepo === "monorepo" ? resolveOptionalMonorepoRoot(projectRoot) || resolveMonorepoRoot2(projectRoot) : projectRoot;
   const repoLabel = targetRepo === "monorepo" ? "Monorepo" : "Project";
-  if (!existsSync20(resolve23(repoRoot, ".git"))) {
+  if (!existsSync20(resolve24(repoRoot, ".git"))) {
     throw new Error(`${repoLabel} repo not found at ${repoRoot}`);
   }
   const branchId = resolveTaskBranchId(projectRoot, resolvedTask);
@@ -6114,7 +7004,7 @@ function gitOpenPr(options) {
   } else if (taskId) {
     gitSyncBranch(options.projectRoot, taskId, "project");
   }
-  if (!existsSync20(resolve23(repoRoot, ".git"))) {
+  if (!existsSync20(resolve24(repoRoot, ".git"))) {
     throw new Error(`Repository not available for open-pr target ${target}: ${repoRoot}`);
   }
   const branch = branchName(options.projectRoot, repoRoot);
@@ -6267,8 +7157,9 @@ function defaultPrCloseoutLine(taskId, repoNameWithOwner) {
   const sourceIssueId = loadRuntimeContextFromEnv()?.sourceTask?.sourceIssueId;
   if (sourceIssueId) {
     const match = sourceIssueId.match(/^([^#]+)#(\d+)$/);
-    if (match) {
-      const [, sourceRepo, issueNumber] = match;
+    if (match?.[1] && match[2]) {
+      const sourceRepo = match[1];
+      const issueNumber = match[2];
       return sourceRepo.toLowerCase() === repoNameWithOwner.toLowerCase() ? `Closes #${issueNumber}` : `Closes ${sourceRepo}#${issueNumber}`;
     }
   }
@@ -6346,7 +7237,7 @@ function gitMergePr(options) {
   }
   const repoRoot = resolveRepoRoot(options.projectRoot, options.pr.target);
   const repoNameWithOwner = resolveRepoNameWithOwner(options.projectRoot, repoRoot);
-  if (!existsSync20(resolve23(repoRoot, ".git"))) {
+  if (!existsSync20(resolve24(repoRoot, ".git"))) {
     throw new Error(`Repository not available for merge-pr target ${options.pr.target}: ${repoRoot}`);
   }
   const prState = readPrViewState(gh, repoRoot, repoNameWithOwner, options.pr.url);
@@ -6363,56 +7254,43 @@ function gitMergePr(options) {
   if (isDraft) {
     throw new Error(`Cannot auto-merge draft PR ${options.pr.url}.`);
   }
+  const strictGateHeadSha = options.strictGateHeadSha?.trim();
+  if (!strictGateHeadSha) {
+    throw new Error(`Refusing to merge PR ${options.pr.url}: strict merge gate did not provide a current head SHA.`);
+  }
   const mergeArgs = withGhRepo([gh, "pr", "merge", options.pr.url], repoNameWithOwner);
   const method = options.method || "squash";
   mergeArgs.push(method === "merge" ? "--merge" : method === "rebase" ? "--rebase" : "--squash");
+  mergeArgs.push("--match-head-commit", strictGateHeadSha);
   if (options.deleteBranch !== false) {
     mergeArgs.push("--delete-branch");
   }
-  const autoMergeArgs = [...mergeArgs, "--auto"];
-  const autoMerge = runCapture2(autoMergeArgs, repoRoot);
-  if (autoMerge.exitCode === 0) {
-    const postAutoMergeState = readPrViewState(gh, repoRoot, repoNameWithOwner, options.pr.url);
-    if (postAutoMergeState.state === "MERGED" || postAutoMergeState.mergedAt) {
-      console.log(`Merged PR (${options.pr.repoLabel}): ${options.pr.url}`);
-      return { status: "merged", url: options.pr.url };
-    }
-    if (postAutoMergeState.state === "OPEN" && postAutoMergeState.autoMergeRequest) {
-      if (canAdminMergeApprovedPr(postAutoMergeState)) {
-        const adminMergeArgs = [...mergeArgs];
-        if (postAutoMergeState.headRefOid) {
-          adminMergeArgs.push("--match-head-commit", postAutoMergeState.headRefOid);
-        }
-        adminMergeArgs.push("--admin");
-        const adminMerge = runCapture2(adminMergeArgs, repoRoot);
-        if (adminMerge.exitCode === 0) {
-          const postAdminMergeState = readPrViewState(gh, repoRoot, repoNameWithOwner, options.pr.url);
-          if (postAdminMergeState.state === "MERGED" || postAdminMergeState.mergedAt) {
-            console.log(`Merged PR (${options.pr.repoLabel}) with admin fallback: ${options.pr.url}`);
-            return { status: "merged", url: options.pr.url };
-          }
-          throw new Error(`Admin merge command succeeded for PR ${options.pr.url} in ${options.pr.repoLabel}, but GitHub still reports it open.`);
-        }
-        const adminMergeMessage = `${adminMerge.stderr}
-${adminMerge.stdout}`.trim();
-        if (!/admin|administrator|permission|not permitted|not allowed/i.test(adminMergeMessage)) {
-          throw new Error(`Failed to admin-merge PR ${options.pr.url} in ${options.pr.repoLabel}: ${adminMergeMessage}`);
-        }
+  const directMerge = runCapture2(mergeArgs, repoRoot);
+  if (directMerge.exitCode === 0) {
+    console.log(`Merged PR (${options.pr.repoLabel}): ${options.pr.url}`);
+    return { status: "merged", url: options.pr.url };
+  }
+  const postDirectState = readPrViewState(gh, repoRoot, repoNameWithOwner, options.pr.url);
+  if (canAdminMergeApprovedPr(postDirectState)) {
+    const adminMergeArgs = [...mergeArgs, "--admin"];
+    const adminMerge = runCapture2(adminMergeArgs, repoRoot);
+    if (adminMerge.exitCode === 0) {
+      const postAdminMergeState = readPrViewState(gh, repoRoot, repoNameWithOwner, options.pr.url);
+      if (postAdminMergeState.state === "MERGED" || postAdminMergeState.mergedAt) {
+        console.log(`Merged PR (${options.pr.repoLabel}) with admin fallback: ${options.pr.url}`);
+        return { status: "merged", url: options.pr.url };
       }
-      console.log(`Auto-merge enabled (${options.pr.repoLabel}): ${options.pr.url}`);
-      return { status: "auto-merge-enabled", url: options.pr.url };
+      throw new Error(`Admin merge command succeeded for PR ${options.pr.url} in ${options.pr.repoLabel}, but GitHub still reports it open.`);
+    }
+    const adminMergeMessage = `${adminMerge.stderr}
+${adminMerge.stdout}`.trim();
+    if (!/admin|administrator|permission|not permitted|not allowed/i.test(adminMergeMessage)) {
+      throw new Error(`Failed to admin-merge PR ${options.pr.url} in ${options.pr.repoLabel}: ${adminMergeMessage}`);
     }
-    throw new Error(`Auto-merge command succeeded for PR ${options.pr.url} in ${options.pr.repoLabel}, but GitHub did not report a merged or auto-merge-enabled state.`);
-  }
-  const autoMergeMessage = `${autoMerge.stderr}
-${autoMerge.stdout}`.trim();
-  const autoMergeUnsupported = /auto.?merge.*(not enabled|not allowed|disabled|unsupported)|enablePullRequestAutoMerge|Auto merge is not allowed/i.test(autoMergeMessage);
-  if (!autoMergeUnsupported) {
-    throw new Error(`Failed to auto-merge PR ${options.pr.url} in ${options.pr.repoLabel}: ${autoMergeMessage}`);
   }
-  runOrThrow(options.projectRoot, mergeArgs, `Failed to merge PR ${options.pr.url} in ${options.pr.repoLabel}`);
-  console.log(`Merged PR (${options.pr.repoLabel}): ${options.pr.url}`);
-  return { status: "merged", url: options.pr.url };
+  const directMergeMessage = `${directMerge.stderr}
+${directMerge.stdout}`.trim();
+  throw new Error(`Failed to merge PR ${options.pr.url} in ${options.pr.repoLabel}: ${directMergeMessage}`);
 }
 function assertPrHasNoGitConflicts(prState, repoLabel, baseRef) {
   const mergeable = prState.mergeable.toUpperCase();
@@ -6423,8 +7301,8 @@ function assertPrHasNoGitConflicts(prState, repoLabel, baseRef) {
 }
 function writePrMetadata(projectRoot, taskId, result) {
   const dir = artifactDirForId(projectRoot, taskId);
-  mkdirSync10(dir, { recursive: true });
-  const path = resolve23(dir, "pr-state.json");
+  mkdirSync11(dir, { recursive: true });
+  const path = resolve24(dir, "pr-state.json");
   let prs = {};
   if (existsSync20(path)) {
     try {
@@ -6444,11 +7322,11 @@ function writePrMetadata(projectRoot, taskId, result) {
     ...primary || {},
     updated_at: nowIso()
   };
-  writeFileSync10(path, `${JSON.stringify(artifact, null, 2)}
+  writeFileSync11(path, `${JSON.stringify(artifact, null, 2)}
 `, "utf-8");
 }
 function readPrMetadata(projectRoot, taskId) {
-  const path = resolve23(artifactDirForId(projectRoot, taskId), "pr-state.json");
+  const path = resolve24(artifactDirForId(projectRoot, taskId), "pr-state.json");
   if (!existsSync20(path)) {
     return [];
   }
@@ -6525,7 +7403,7 @@ function resolveGithubCliBinary(projectRoot) {
   }
   const explicitPathEntries = (process.env.PATH || "").split(":").map((entry) => entry.trim()).filter(Boolean);
   for (const entry of explicitPathEntries) {
-    candidates.add(resolve23(entry, "gh"));
+    candidates.add(resolve24(entry, "gh"));
   }
   const bunResolved = Bun.which("gh");
   if (bunResolved) {
@@ -6562,7 +7440,7 @@ function resolveRepoNameWithOwner(projectRoot, repoRoot) {
   return resolveGithubRepoNameWithOwnerFromGitRoot(projectRoot, repoRoot, repoRoot, visited);
 }
 function resolveGithubRepoNameWithOwnerFromGitRoot(projectRoot, gitRoot, cwd, visited) {
-  const normalizedGitRoot = resolve23(gitRoot);
+  const normalizedGitRoot = resolve24(gitRoot);
   if (visited.has(normalizedGitRoot)) {
     return "";
   }
@@ -6634,7 +7512,7 @@ function resolveNetworkRemoteName(projectRoot, repoRoot, repoNameWithOwner) {
   return remotes.includes("origin") ? "origin" : remotes[0];
 }
 function gitQuery(projectRoot, gitRoot, cwd, ...args) {
-  const gitArgs = existsSync20(resolve23(gitRoot, ".git")) ? gitCmd(projectRoot, gitRoot, ...args) : [resolveGitBinary(projectRoot), "--git-dir", gitRoot, ...args];
+  const gitArgs = existsSync20(resolve24(gitRoot, ".git")) ? gitCmd(projectRoot, gitRoot, ...args) : [resolveGitBinary(projectRoot), "--git-dir", gitRoot, ...args];
   return runCapture2(gitArgs, cwd, projectRoot);
 }
 function resolveLocalGitRemoteRoot(remoteUrl, gitRoot) {
@@ -6652,7 +7530,7 @@ function resolveLocalGitRemoteRoot(remoteUrl, gitRoot) {
   } else if (/^[a-z][a-z0-9+.-]*:\/\//i.test(normalized) || /^[^@]+@[^:]+:.+$/.test(normalized)) {
     return "";
   } else if (!isAbsolute2(normalized)) {
-    candidate = resolve23(gitRoot, normalized);
+    candidate = resolve24(gitRoot, normalized);
   }
   return existsSync20(candidate) ? candidate : "";
 }
@@ -6781,7 +7659,7 @@ function inferReviewerFromChangedFiles(projectRoot, repoRoot, baseRef, branchRef
   return best;
 }
 function commitRepo(projectRoot, repo, label, message, allowEmpty, scoped, files, changedFilesManifest) {
-  if (!existsSync20(resolve23(repo, ".git"))) {
+  if (!existsSync20(resolve24(repo, ".git"))) {
     console.log(`Skipping ${label}: repo not available (${repo})`);
     return;
   }
@@ -6813,7 +7691,7 @@ function commitRepo(projectRoot, repo, label, message, allowEmpty, scoped, files
   console.log(`Committed ${label}: ${message}`);
 }
 function readChangedFilesManifest(projectRoot, taskId) {
-  const manifestPath = resolve23(artifactDirForId(projectRoot, taskId), "changed-files.txt");
+  const manifestPath = resolve24(artifactDirForId(projectRoot, taskId), "changed-files.txt");
   if (!existsSync20(manifestPath)) {
     return [];
   }
@@ -6821,10 +7699,10 @@ function readChangedFilesManifest(projectRoot, taskId) {
   return [...new Set(files)];
 }
 function refreshChangedFilesManifest(projectRoot, taskId) {
-  const manifestPath = resolve23(artifactDirForId(projectRoot, taskId), "changed-files.txt");
-  mkdirSync10(dirname11(manifestPath), { recursive: true });
+  const manifestPath = resolve24(artifactDirForId(projectRoot, taskId), "changed-files.txt");
+  mkdirSync11(dirname11(manifestPath), { recursive: true });
   const changedFiles = changedFilesForTask(projectRoot, taskId, true);
-  writeFileSync10(manifestPath, `${changedFiles.join(`
+  writeFileSync11(manifestPath, `${changedFiles.join(`
 `)}
 `, "utf-8");
   return manifestPath;
@@ -6937,7 +7815,7 @@ function repoHasPathChange(projectRoot, repoRoot, relativePath) {
   return result.exitCode === 0 && result.stdout.trim().length > 0;
 }
 function stageExcludePathspecs(repoRoot) {
-  const patterns = existsSync20(resolve23(repoRoot, ".rig", "task-config.json")) ? [...TASK_RUNTIME_STAGE_EXCLUDES, ...GENERATED_STAGE_EXCLUDES] : [".rig/**", ...GENERATED_STAGE_EXCLUDES];
+  const patterns = existsSync20(resolve24(repoRoot, ".rig", "task-config.json")) ? [...TASK_RUNTIME_STAGE_EXCLUDES, ...GENERATED_STAGE_EXCLUDES] : [".rig/**", ...GENERATED_STAGE_EXCLUDES];
   return patterns.map((pattern) => `:(glob,exclude)${pattern}`);
 }
 function pathResolvesBeyondSymlink(repoRoot, relativePath) {
@@ -6947,7 +7825,7 @@ function pathResolvesBeyondSymlink(repoRoot, relativePath) {
   }
   let current = repoRoot;
   for (let index = 0;index < parts.length - 1; index += 1) {
-    current = resolve23(current, parts[index]);
+    current = resolve24(current, parts[index]);
     try {
       if (lstatSync(current).isSymbolicLink()) {
         return true;
@@ -7017,11 +7895,11 @@ function runCapture2(command, cwd, projectRoot = cwd) {
 }
 function runtimeGitEnv(projectRoot) {
   const { ctx, runtimeRoot } = resolveRuntimeMetadata(projectRoot);
-  const runtimeHome = runtimeRoot ? resolve23(runtimeRoot, "home") : "";
-  const runtimeTmp = runtimeRoot ? resolve23(runtimeRoot, "tmp") : "";
-  const runtimeCache = runtimeRoot ? resolve23(runtimeRoot, "cache") : "";
-  const runtimeKnownHosts = runtimeHome ? resolve23(runtimeHome, ".ssh", "known_hosts") : "";
-  const runtimeKey = runtimeHome ? resolve23(runtimeHome, ".ssh", "rig-agent-key") : "";
+  const runtimeHome = runtimeRoot ? resolve24(runtimeRoot, "home") : "";
+  const runtimeTmp = runtimeRoot ? resolve24(runtimeRoot, "tmp") : "";
+  const runtimeCache = runtimeRoot ? resolve24(runtimeRoot, "cache") : "";
+  const runtimeKnownHosts = runtimeHome ? resolve24(runtimeHome, ".ssh", "known_hosts") : "";
+  const runtimeKey = runtimeHome ? resolve24(runtimeHome, ".ssh", "rig-agent-key") : "";
   const env = {};
   if (ctx?.workspaceDir) {
     env.PROJECT_RIG_ROOT = projectRoot;
@@ -7113,7 +7991,7 @@ function loadPersistedRuntimeSecrets(runtimeRoot) {
   if (!runtimeRoot) {
     return {};
   }
-  const path = resolve23(runtimeRoot, "runtime-secrets.json");
+  const path = resolve24(runtimeRoot, "runtime-secrets.json");
   if (!existsSync20(path)) {
     return {};
   }
@@ -7126,13 +8004,13 @@ function loadPersistedRuntimeSecrets(runtimeRoot) {
   }
 }
 function ensureRuntimeOpenSslConfig(runtimeHome) {
-  const sslDir = resolve23(runtimeHome, ".ssl");
-  const sslConfig = resolve23(sslDir, "openssl.cnf");
+  const sslDir = resolve24(runtimeHome, ".ssl");
+  const sslConfig = resolve24(sslDir, "openssl.cnf");
   if (!existsSync20(sslDir)) {
-    mkdirSync10(sslDir, { recursive: true });
+    mkdirSync11(sslDir, { recursive: true });
   }
   if (!existsSync20(sslConfig)) {
-    writeFileSync10(sslConfig, `# Rig runtime OpenSSL config placeholder
+    writeFileSync11(sslConfig, `# Rig runtime OpenSSL config placeholder
 `);
   }
   return sslConfig;
@@ -7150,7 +8028,7 @@ function resolveRuntimeMetadata(projectRoot) {
   if (contextFile) {
     return {
       ctx,
-      runtimeRoot: dirname11(resolve23(contextFile))
+      runtimeRoot: dirname11(resolve24(contextFile))
     };
   }
   const inferredContextFile = findRuntimeContextFile2(projectRoot);
@@ -7166,9 +8044,9 @@ function resolveRuntimeMetadata(projectRoot) {
   return { ctx, runtimeRoot: "" };
 }
 function findRuntimeContextFile2(startPath) {
-  let current = resolve23(startPath);
+  let current = resolve24(startPath);
   while (true) {
-    const candidate = resolve23(current, "runtime-context.json");
+    const candidate = resolve24(current, "runtime-context.json");
     if (existsSync20(candidate)) {
       return candidate;
     }
@@ -7221,6 +8099,7 @@ async function main() {
   }
   const paths = resolveHarnessPaths(projectRoot);
   let failed = false;
+  let sourceCloseoutAllowed = false;
   console.log(`=== Completion Verification: ${taskId} ===`);
   const scopes = await resolveTaskScopes(projectRoot, taskId);
   const taskChangedFiles = changedFilesForTask(projectRoot, taskId, true);
@@ -7370,12 +8249,35 @@ async function main() {
         console.log("Auto-merge: skipped (no PR metadata found)");
       } else {
         let mergePending = false;
+        let cycle = 0;
         for (const pr of prs) {
+          cycle += 1;
+          const gate = await runStrictPrMergeGate({
+            projectRoot,
+            prUrl: pr.url,
+            taskId,
+            runId: "completion-verification",
+            cycle,
+            final: true,
+            command: async (args, options) => {
+              const result = runCapture(["gh", ...args], options?.cwd ?? projectRoot);
+              return { exitCode: result.exitCode, stdout: result.stdout, stderr: result.stderr };
+            }
+          });
+          if (!gate.approved) {
+            console.log(`FAIL: Strict merge gate blocked PR (${pr.repoLabel}): ${pr.url}`);
+            for (const reason of gate.reasons) {
+              console.log(`- ${reason}`);
+            }
+            failed = true;
+            continue;
+          }
           const mergeResult = gitMergePr({
             projectRoot,
             pr,
             method: "squash",
-            deleteBranch: true
+            deleteBranch: true,
+            strictGateHeadSha: gate.evidence.headSha
           });
           if (mergeResult.status === "auto-merge-enabled") {
             mergePending = true;
@@ -7384,7 +8286,8 @@ async function main() {
         }
         if (mergePending) {
           failed = true;
-        } else {
+        } else if (!failed) {
+          sourceCloseoutAllowed = true;
           console.log("OK: Auto-merge complete");
         }
       }
@@ -7397,19 +8300,23 @@ async function main() {
     console.log(`
 [post] Auto-merge: skipped (not in policy completion.checks)`);
   }
-  const artifactDir = resolve24(paths.artifactsDir, taskId);
-  mkdirSync11(artifactDir, { recursive: true });
-  writeFileSync11(resolve24(artifactDir, "review-status.txt"), failed ? `REJECTED
+  const artifactDir = resolve25(paths.artifactsDir, taskId);
+  mkdirSync12(artifactDir, { recursive: true });
+  writeFileSync12(resolve25(artifactDir, "review-status.txt"), failed ? `REJECTED
 ` : `APPROVED
 `, "utf-8");
   if (!failed) {
     await recordTaskRepoCommits(projectRoot, taskId, paths);
-    const closeout = await closeCompletedTaskSource(projectRoot, taskId);
-    if (!closeout.ok) {
-      console.log(`FAIL: ${closeout.message}`);
-      failed = true;
+    if (sourceCloseoutAllowed) {
+      const closeout = await closeCompletedTaskSource(projectRoot, taskId);
+      if (!closeout.ok) {
+        console.log(`FAIL: ${closeout.message}`);
+        failed = true;
+      } else {
+        console.log(`OK: ${closeout.message}`);
+      }
     } else {
-      console.log(`OK: ${closeout.message}`);
+      console.log("Task source closeout skipped until an approved PR merge completes.");
     }
   }
   if (!failed) {
@@ -7442,7 +8349,7 @@ async function runBunTool(args, cwd) {
   };
 }
 async function runProtoQualityGate(monorepoRoot) {
-  const protosDir = resolve24(monorepoRoot, "packages", "protos");
+  const protosDir = resolve25(monorepoRoot, "packages", "protos");
   if (!existsSync21(protosDir)) {
     console.log(`FAIL: Proto workspace not found at ${protosDir}`);
     return false;
@@ -7491,7 +8398,7 @@ async function runProtoQualityGate(monorepoRoot) {
   } else {
     console.log("OK: Generated TypeScript compiles");
   }
-  const workflowPath = resolve24(monorepoRoot, ".github", "workflows", "pull-request-gate.yml");
+  const workflowPath = resolve25(monorepoRoot, ".github", "workflows", "pull-request-gate.yml");
   if (!existsSync21(workflowPath)) {
     console.log(`FAIL: Missing workflow gate file at ${workflowPath}`);
     ok = false;
@@ -7536,9 +8443,9 @@ async function readJsonFileIfPresent(path) {
 }
 async function recordVerifierFailure(projectRoot, taskId, paths) {
   const failedApproachesPath = paths.failedApproachesPath;
-  const artifactDir = resolve24(paths.artifactsDir, taskId);
-  const reviewStatePath = resolve24(artifactDir, "review-state.json");
-  const reviewFeedbackPath = resolve24(artifactDir, "review-feedback.md");
+  const artifactDir = resolve25(paths.artifactsDir, taskId);
+  const reviewStatePath = resolve25(artifactDir, "review-state.json");
+  const reviewFeedbackPath = resolve25(artifactDir, "review-feedback.md");
   let summary = "Verifier rejected completion. Read review-feedback.md for required fixes.";
   const parsedReviewState = await readJsonFileIfPresent(reviewStatePath);
   if (parsedReviewState) {
@@ -7552,8 +8459,8 @@ async function recordVerifierFailure(projectRoot, taskId, paths) {
     const content = readFileSync12(failedApproachesPath, "utf-8");
     attempts = (content.match(new RegExp(`^## ${escapeRegExp2(taskId)}\\b`, "gm")) || []).length + 1;
   } else {
-    mkdirSync11(resolve24(failedApproachesPath, ".."), { recursive: true });
-    writeFileSync11(failedApproachesPath, `# Failed Approaches
+    mkdirSync12(resolve25(failedApproachesPath, ".."), { recursive: true });
+    writeFileSync12(failedApproachesPath, `# Failed Approaches
 
 `, "utf-8");
   }
@@ -7591,8 +8498,8 @@ async function recordTaskRepoCommits(projectRoot, taskId, paths) {
       recorded_at: new Date().toISOString(),
       repos
     };
-    mkdirSync11(resolve24(statePath, ".."), { recursive: true });
-    writeFileSync11(statePath, `${JSON.stringify(state, null, 2)}
+    mkdirSync12(resolve25(statePath, ".."), { recursive: true });
+    writeFileSync12(statePath, `${JSON.stringify(state, null, 2)}
 `, "utf-8");
   }
 }