@h-rig/runtime 0.0.6-alpha.10 → 0.0.6-alpha.12

package/dist/src/control-plane/native/harness-cli.js

@@ -3605,6 +3605,779 @@ ${JSON.stringify(result, null, 2)}
 // packages/runtime/src/control-plane/native/verifier.ts
 import { existsSync as existsSync19, mkdirSync as mkdirSync8, writeFileSync as writeFileSync8 } from "fs";
 import { resolve as resolve22 } from "path";
+
+// packages/runtime/src/control-plane/native/pr-review-gate.ts
+function parseJsonObject(value) {
+  if (!value?.trim())
+    return { value: {}, error: "empty JSON output" };
+  try {
+    const parsed = JSON.parse(value);
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? { value: parsed } : { value: {}, error: "JSON output was not an object" };
+  } catch (error) {
+    return { value: {}, error: error instanceof Error ? error.message : String(error) };
+  }
+}
+function flattenPaginatedArray(value) {
+  if (!Array.isArray(value))
+    return null;
+  if (value.every((entry) => Array.isArray(entry))) {
+    return value.flatMap((entry) => entry);
+  }
+  return value;
+}
+function parseJsonArray(value) {
+  if (!value?.trim())
+    return { value: [], error: "empty JSON output" };
+  try {
+    const parsed = JSON.parse(value);
+    const flattened = flattenPaginatedArray(parsed);
+    return flattened ? { value: flattened } : { value: [], error: "JSON output was not an array" };
+  } catch (error) {
+    return { value: [], error: error instanceof Error ? error.message : String(error) };
+  }
+}
+function parseGithubPrUrl(prUrl) {
+  const match = /^https?:\/\/github\.com\/([^/]+)\/([^/]+)\/pull\/(\d+)\/?$/i.exec(prUrl.trim());
+  if (!match)
+    return null;
+  const prNumber = Number.parseInt(match[3], 10);
+  if (!Number.isFinite(prNumber))
+    return null;
+  return { owner: match[1], repo: match[2], repoName: `${match[1]}/${match[2]}`, prNumber };
+}
+function checkName(check) {
+  return String(check.name ?? check.context ?? "").trim();
+}
+function checkState(check) {
+  return String(check.conclusion ?? check.state ?? check.status ?? "").trim().toLowerCase();
+}
+function isGreptileLabel(value) {
+  return String(value ?? "").toLowerCase().includes("greptile");
+}
+function isGreptileGithubLogin(value) {
+  const login = String(value ?? "").toLowerCase().replace(/\[bot\]$/, "");
+  return login === "greptile" || login === "greptile-ai" || login === "greptileai" || login === "greptile-apps";
+}
+function isPassingCheck(check) {
+  const state = checkState(check);
+  return ["success", "successful", "passed", "neutral", "skipped", "completed"].includes(state);
+}
+function isPendingCheck(check) {
+  const state = checkState(check);
+  return ["pending", "queued", "in_progress", "waiting", "requested", "expected", "action_required"].includes(state);
+}
+function isFailingCheck(check) {
+  const state = checkState(check);
+  return ["failure", "failed", "timed_out", "action_required", "cancelled", "canceled", "error"].includes(state);
+}
+function wildcardToRegExp(pattern) {
+  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+  return new RegExp(`^${escaped}$`, "i");
+}
+function isAllowedFailure(name, allowedFailures) {
+  return allowedFailures.some((pattern) => wildcardToRegExp(pattern).test(name));
+}
+function greptileScorePatterns() {
+  return [
+    /\b(?:confidence\s+score|confidence|rating|score)\s*:?\s*(\d+)\s*\/\s*(\d+)/gi,
+    /\b(\d+)\s*\/\s*(\d+)\s*(?:confidence|rating|score)/gi,
+    /\bgreptile[^\n]{0,80}?(\d+)\s*\/\s*(\d+)/gi
+  ];
+}
+function parseGreptileScores(input) {
+  const text = stripHtml(input);
+  const seen = new Set;
+  const scores = [];
+  for (const pattern of greptileScorePatterns()) {
+    for (const match of text.matchAll(pattern)) {
+      const value = Number.parseInt(match[1] || "", 10);
+      const scale = Number.parseInt(match[2] || "", 10);
+      if (!Number.isFinite(value) || !Number.isFinite(scale) || scale <= 0)
+        continue;
+      const raw = match[0] || `${value}/${scale}`;
+      const key = `${match.index ?? -1}:${value}/${scale}:${raw.toLowerCase()}`;
+      if (seen.has(key))
+        continue;
+      seen.add(key);
+      scores.push({ value, scale, raw });
+    }
+  }
+  return scores;
+}
+function parseGreptileScore(input) {
+  return parseGreptileScores(input)[0] ?? null;
+}
+function stripHtml(input) {
+  return input.replace(/<[^>]+>/g, " ").replace(/&nbsp;/g, " ").replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/\r/g, "").replace(/\n{3,}/g, `
+
+`).trim();
+}
+function containsBlockerText(input) {
+  const text = stripHtml(input).replace(/\b(?:no|without|zero)\s+blockers?\b/gi, " ").replace(/\bno\s+changes\s+requested\b/gi, " ");
+  return /not safe(?: to merge)?|unsafe(?: to merge)?|do not merge|cannot merge|blockers?|must fix|changes requested|please fix|needs? fix|fix this|address this/i.test(text);
+}
+function containsGreptileNegativeVerdict(input) {
+  const text = stripHtml(input).replace(/\s+/g, " ").trim();
+  if (!text)
+    return false;
+  return /\b(?:status|verdict|review state|state|conclusion|result)\s*:?\s*(?:reject(?:ed|ion)?|skip(?:ped)?|fail(?:ed|ure)?|changes[_ ]requested|not approved)\b/i.test(text) || /\bgreptile\b.{0,160}\b(?:reject(?:ed|s|ion)?|skip(?:ped|s)?|fail(?:ed|s|ure)?|changes requested|did not approve|not approved)\b/i.test(text);
+}
+function isStrictFiveOfFive(score) {
+  return score.value === 5 && score.scale === 5;
+}
+function containsConflictingScoreText(input) {
+  return parseGreptileScores(input).some((score) => !isStrictFiveOfFive(score));
+}
+function firstString(record, keys) {
+  for (const key of keys) {
+    const value = record[key];
+    if (typeof value === "string")
+      return value;
+  }
+  return "";
+}
+function arrayField(record, key) {
+  const value = record[key];
+  return Array.isArray(value) ? value : [];
+}
+async function runJsonArray(command, args, cwd) {
+  const result = await command(args, { cwd });
+  const label = `gh ${args.join(" ")}`;
+  if (result.exitCode !== 0) {
+    return { value: [], error: `${label} failed (${result.exitCode}): ${result.stderr ?? result.stdout ?? ""}`.trim() };
+  }
+  const parsed = parseJsonArray(result.stdout);
+  return parsed.error ? { value: parsed.value, error: `${label} returned invalid JSON: ${parsed.error}` } : { value: parsed.value };
+}
+async function runJsonObject(command, args, cwd) {
+  const result = await command(args, { cwd });
+  const label = `gh ${args.join(" ")}`;
+  if (result.exitCode !== 0) {
+    return { value: {}, error: `${label} failed (${result.exitCode}): ${result.stderr ?? result.stdout ?? ""}`.trim() };
+  }
+  const parsed = parseJsonObject(result.stdout);
+  return parsed.error ? { value: parsed.value, error: `${label} returned invalid JSON: ${parsed.error}` } : { value: parsed.value };
+}
+function normalizeStatusCheck(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  const name = firstString(record, ["name", "context"]);
+  if (!name.trim())
+    return null;
+  const output = record.output && typeof record.output === "object" && !Array.isArray(record.output) ? record.output : null;
+  const app = record.app && typeof record.app === "object" && !Array.isArray(record.app) ? record.app : null;
+  return {
+    __typename: typeof record.__typename === "string" ? record.__typename : null,
+    name,
+    context: typeof record.context === "string" ? record.context : null,
+    status: typeof record.status === "string" ? record.status : null,
+    state: typeof record.state === "string" ? record.state : null,
+    conclusion: typeof record.conclusion === "string" ? record.conclusion : null,
+    detailsUrl: typeof record.detailsUrl === "string" ? record.detailsUrl : typeof record.details_url === "string" ? record.details_url : typeof record.html_url === "string" ? record.html_url : typeof record.link === "string" ? record.link : null,
+    link: typeof record.link === "string" ? record.link : typeof record.html_url === "string" ? record.html_url : null,
+    headSha: typeof record.headSha === "string" ? record.headSha : null,
+    head_sha: typeof record.head_sha === "string" ? record.head_sha : null,
+    output: output ? {
+      title: typeof output.title === "string" ? output.title : null,
+      summary: typeof output.summary === "string" ? output.summary : null,
+      text: typeof output.text === "string" ? output.text : null
+    } : null,
+    app: app ? {
+      slug: typeof app.slug === "string" ? app.slug : null,
+      name: typeof app.name === "string" ? app.name : null,
+      owner: app.owner && typeof app.owner === "object" ? app.owner : null
+    } : null
+  };
+}
+function normalizeReview(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  return {
+    id: typeof record.id === "string" ? record.id : typeof record.id === "number" ? String(record.id) : null,
+    state: typeof record.state === "string" ? record.state : null,
+    body: typeof record.body === "string" ? record.body : null,
+    commit_id: typeof record.commit_id === "string" ? record.commit_id : typeof record.commitId === "string" ? record.commitId : record.commit && typeof record.commit === "object" && typeof record.commit.oid === "string" ? record.commit.oid : null,
+    html_url: typeof record.html_url === "string" ? record.html_url : typeof record.url === "string" ? record.url : null,
+    author: record.author && typeof record.author === "object" ? record.author : record.user && typeof record.user === "object" ? record.user : null
+  };
+}
+function normalizeReviewComment(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  const body = typeof record.body === "string" ? record.body : null;
+  const path = typeof record.path === "string" ? record.path : null;
+  if (!body && !path)
+    return null;
+  return {
+    id: typeof record.id === "string" || typeof record.id === "number" ? record.id : null,
+    user: record.user && typeof record.user === "object" ? record.user : null,
+    author: record.author && typeof record.author === "object" ? record.author : null,
+    body,
+    path,
+    html_url: typeof record.html_url === "string" ? record.html_url : null,
+    url: typeof record.url === "string" ? record.url : null,
+    commit_id: typeof record.commit_id === "string" ? record.commit_id : null,
+    original_commit_id: typeof record.original_commit_id === "string" ? record.original_commit_id : null
+  };
+}
+function normalizeIssueComment(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  const body = typeof record.body === "string" ? record.body : null;
+  if (!body)
+    return null;
+  return {
+    id: typeof record.id === "string" || typeof record.id === "number" ? record.id : null,
+    user: record.user && typeof record.user === "object" ? record.user : null,
+    author: record.author && typeof record.author === "object" ? record.author : null,
+    body,
+    html_url: typeof record.html_url === "string" ? record.html_url : null,
+    url: typeof record.url === "string" ? record.url : null,
+    created_at: typeof record.created_at === "string" ? record.created_at : null
+  };
+}
+function normalizeReviewThread(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  return {
+    id: typeof record.id === "string" ? record.id : null,
+    isResolved: typeof record.isResolved === "boolean" ? record.isResolved : null,
+    isOutdated: typeof record.isOutdated === "boolean" ? record.isOutdated : null,
+    comments: record.comments && typeof record.comments === "object" ? record.comments : null
+  };
+}
+function relevantIssueComment(comment) {
+  const login = comment.user?.login ?? comment.author?.login ?? "";
+  const body = comment.body ?? "";
+  return isGreptileGithubLogin(login) || /greptile|blocker|unsafe|not safe|do not merge|must fix|please fix|changes requested|score|confidence|\b\d+\s*\/\s*5\b/i.test(body);
+}
+function latestThreadComment(thread) {
+  const nodes = thread.comments?.nodes ?? [];
+  return nodes.length > 0 ? nodes[nodes.length - 1] : null;
+}
+function unresolvedThreadSummaries(threads) {
+  return threads.flatMap((thread) => {
+    if (thread.isResolved === true || thread.isOutdated === true)
+      return [];
+    const latest = latestThreadComment(thread);
+    if (!latest)
+      return ["Unresolved review thread"];
+    const path = latest.path ? ` on ${latest.path}` : "";
+    return [`Unresolved review thread${path}: ${(latest.body ?? "").trim() || "(empty comment)"}`];
+  });
+}
+function collectBodies(evidence) {
+  return [
+    evidence.title ?? "",
+    evidence.body,
+    ...evidence.reviews.map((review) => review.body ?? ""),
+    ...evidence.changedFileReviewComments.map((comment) => comment.body ?? ""),
+    ...evidence.relevantIssueComments.map((comment) => comment.body ?? ""),
+    ...evidence.reviewThreads.flatMap((thread) => thread.comments?.nodes?.map((comment) => comment.body ?? "") ?? []),
+    ...(evidence.apiSignals ?? []).map((signal) => signal.body ?? "")
+  ].filter((body) => body.trim().length > 0);
+}
+function bodyExcerpt(body) {
+  const text = stripHtml(body).replace(/\s+/g, " ").trim();
+  return text.length > 240 ? `${text.slice(0, 237)}...` : text;
+}
+function makeGreptileSignal(input) {
+  const scores = parseGreptileScores(input.body);
+  const reviewedSha = input.reviewedSha?.trim() || null;
+  const current = reviewedSha ? reviewedSha === input.currentHeadSha : null;
+  const blocker = input.blocker ?? (containsBlockerText(input.body) || containsGreptileNegativeVerdict(input.body));
+  const explicitApproval = input.explicitApproval ?? false;
+  return {
+    source: input.source,
+    trusted: input.trusted,
+    authorLogin: input.authorLogin ?? null,
+    reviewedSha,
+    current,
+    stale: current === false,
+    score: scores[0] ?? null,
+    scores,
+    explicitApproval,
+    blocker,
+    actionable: input.actionable ?? blocker,
+    bodyExcerpt: bodyExcerpt(input.body),
+    body: input.body,
+    allScores: scores
+  };
+}
+function reviewAuthorLogin(review) {
+  return review.author?.login ?? null;
+}
+function commentAuthorLogin(comment) {
+  return comment.user?.login ?? comment.author?.login ?? null;
+}
+function collectGreptileSignals(evidence) {
+  const signals = [];
+  const contextSources = [
+    { source: "pr-title", body: evidence.title ?? "" },
+    { source: "pr-body", body: evidence.body }
+  ];
+  for (const context of contextSources) {
+    if (!context.body.trim())
+      continue;
+    if (!/greptile|score|confidence|\b\d+\s*\/\s*5\b|blocker|unsafe|not safe|do not merge|changes requested/i.test(context.body))
+      continue;
+    const contextBlocker = containsBlockerText(context.body);
+    signals.push(makeGreptileSignal({
+      source: context.source,
+      body: context.body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: false,
+      blocker: contextBlocker,
+      actionable: contextBlocker
+    }));
+  }
+  for (const apiSignal of evidence.apiSignals ?? []) {
+    const body = [apiSignal.status ? `Status: ${apiSignal.status}` : "", apiSignal.body ?? ""].filter(Boolean).join(`
+
+`);
+    if (!body.trim())
+      continue;
+    signals.push(makeGreptileSignal({
+      source: "api",
+      body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: true,
+      reviewedSha: apiSignal.reviewedSha ?? null,
+      explicitApproval: false
+    }));
+  }
+  for (const review of evidence.reviews) {
+    const login = reviewAuthorLogin(review);
+    if (!isGreptileGithubLogin(login))
+      continue;
+    const state = String(review.state ?? "").toUpperCase();
+    const body = [state ? `Review state: ${state}` : "", review.body ?? ""].filter(Boolean).join(`
+
+`);
+    if (!body.trim())
+      continue;
+    const dismissed = state === "DISMISSED";
+    signals.push(makeGreptileSignal({
+      source: "github-review",
+      body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: !dismissed,
+      authorLogin: login,
+      reviewedSha: review.commit_id ?? null,
+      explicitApproval: undefined,
+      blocker: state === "CHANGES_REQUESTED" || undefined
+    }));
+  }
+  for (const comment of evidence.changedFileReviewComments) {
+    const login = commentAuthorLogin(comment);
+    const body = comment.body ?? "";
+    if (!body.trim() || !isGreptileGithubLogin(login))
+      continue;
+    signals.push(makeGreptileSignal({
+      source: "changed-file-comment",
+      body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: true,
+      authorLogin: login,
+      reviewedSha: comment.commit_id ?? comment.original_commit_id ?? null
+    }));
+  }
+  for (const comment of evidence.relevantIssueComments) {
+    const login = commentAuthorLogin(comment);
+    const body = comment.body ?? "";
+    if (!body.trim() || !isGreptileGithubLogin(login))
+      continue;
+    signals.push(makeGreptileSignal({
+      source: "issue-comment",
+      body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: true,
+      authorLogin: login
+    }));
+  }
+  for (const thread of evidence.reviewThreads) {
+    if (thread.isOutdated === true || thread.isResolved === true)
+      continue;
+    for (const comment of thread.comments?.nodes ?? []) {
+      const login = comment.author?.login ?? null;
+      const body = comment.body ?? "";
+      if (!body.trim() || !isGreptileGithubLogin(login))
+        continue;
+      signals.push(makeGreptileSignal({
+        source: "review-thread",
+        body,
+        currentHeadSha: evidence.currentHeadSha,
+        trusted: true,
+        authorLogin: login
+      }));
+    }
+  }
+  for (const check of evidence.checks) {
+    if (!isGreptileLabel(checkName(check)))
+      continue;
+    const reviewedSha = check.headSha ?? check.head_sha ?? null;
+    const label = `${checkName(check)} (${checkState(check) || "unknown"})`;
+    const body = [label, check.output?.title ?? "", check.output?.summary ?? "", check.output?.text ?? ""].filter((entry) => entry.trim().length > 0).join(`
+
+`);
+    signals.push(makeGreptileSignal({
+      source: "github-check",
+      body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: false,
+      reviewedSha,
+      explicitApproval: false,
+      blocker: isFailingCheck(check),
+      actionable: isFailingCheck(check)
+    }));
+  }
+  return signals;
+}
+function unresolvedGreptileThreadSummaries(threads) {
+  return threads.flatMap((thread) => {
+    if (thread.isResolved === true || thread.isOutdated === true)
+      return [];
+    const comments = thread.comments?.nodes ?? [];
+    if (!comments.some((comment) => isGreptileGithubLogin(comment.author?.login)))
+      return [];
+    const latest = latestThreadComment(thread);
+    if (!latest)
+      return ["Unresolved Greptile review thread"];
+    const path = latest.path ? ` on ${latest.path}` : "";
+    return [`Unresolved Greptile review thread${path}: ${(latest.body ?? "").trim() || "(empty comment)"}`];
+  });
+}
+function issueLevelBlockerSummaries(comments) {
+  return comments.flatMap((comment) => {
+    const body = comment.body?.trim() ?? "";
+    if (!body || !containsBlockerText(body) && !containsConflictingScoreText(body))
+      return [];
+    const login = commentAuthorLogin(comment) ?? "unknown";
+    const author = isGreptileGithubLogin(login) ? `Greptile issue comment by ${login}` : `Issue-level PR comment by ${login}`;
+    return [`${author}: ${body}`];
+  });
+}
+function reviewBodyBlockerSummaries(reviews) {
+  return reviews.flatMap((review) => {
+    const login = reviewAuthorLogin(review) ?? "unknown";
+    if (isGreptileGithubLogin(login))
+      return [];
+    const body = review.body?.trim() ?? "";
+    if (!body || !containsBlockerText(body) && !containsConflictingScoreText(body))
+      return [];
+    const state = review.state ? ` (${review.state})` : "";
+    return [`PR review summary by ${login}${state}: ${body}`];
+  });
+}
+function signalLabel(signal) {
+  const source = signal.source.replace(/-/g, " ");
+  const author = signal.authorLogin ? ` by ${signal.authorLogin}` : "";
+  const sha = signal.reviewedSha ? ` at ${signal.reviewedSha}` : "";
+  return `${source}${author}${sha}`;
+}
+function deriveGreptileEvidence(input) {
+  const rawBodies = collectBodies(input);
+  const signals = collectGreptileSignals(input);
+  const trustedSignals = signals.filter((signal) => signal.trusted);
+  const trustedScoreEntries = trustedSignals.flatMap((signal) => signal.allScores.map((score2) => ({ score: score2, signal })));
+  const contextScoreEntries = signals.filter((signal) => !signal.trusted).flatMap((signal) => signal.allScores.map((score2) => ({ score: score2, signal })));
+  const allScoreEntries = [...trustedScoreEntries, ...contextScoreEntries];
+  const staleSignals = signals.filter((signal) => !!signal.reviewedSha && signal.reviewedSha !== input.currentHeadSha && (signal.trusted || signal.source === "github-check"));
+  const isCurrentOrUntied = (signal) => !signal.reviewedSha || signal.reviewedSha === input.currentHeadSha;
+  const currentOrUntiedScoreEntries = allScoreEntries.filter((entry) => isCurrentOrUntied(entry.signal));
+  const lowScoreEntries = currentOrUntiedScoreEntries.filter((entry) => !isStrictFiveOfFive(entry.score));
+  const approvingScoreEntry = trustedScoreEntries.find((entry) => entry.signal.reviewedSha === input.currentHeadSha && entry.signal.source !== "github-check" && isStrictFiveOfFive(entry.score)) ?? null;
+  const approvedByScore = !!approvingScoreEntry;
+  const approvedByExplicitMapping = false;
+  const approvingSignal = approvingScoreEntry?.signal ?? null;
+  const lowestScore = lowScoreEntries.map((entry) => entry.score).sort((left, right) => left.value - right.value)[0] ?? null;
+  const score = lowestScore ?? approvingScoreEntry?.score ?? trustedScoreEntries[0]?.score ?? contextScoreEntries[0]?.score ?? null;
+  const failedGreptileChecks = input.checks.filter((check) => isGreptileLabel(checkName(check)) && isFailingCheck(check)).map((check) => `${checkName(check)} (${checkState(check) || "failed"})`);
+  const blockerSignals = signals.filter((signal) => signal.source !== "changed-file-comment" && (signal.blocker || signal.actionable) && (!signal.reviewedSha || signal.reviewedSha === input.currentHeadSha));
+  const staleBlockingSignals = [];
+  const blockers = [
+    ...blockerSignals.map((signal) => `${signalLabel(signal)}: ${signal.bodyExcerpt || "blocker text"}`),
+    ...reviewBodyBlockerSummaries(input.reviews),
+    ...issueLevelBlockerSummaries(input.relevantIssueComments),
+    ...lowScoreEntries.map((entry) => `Greptile score from ${signalLabel(entry.signal)} is ${entry.score.value}/${entry.score.scale}; strict merge requires trusted current-head 5/5.`),
+    ...staleBlockingSignals.map((signal) => `Greptile blocking signal from ${signalLabel(signal)} is stale; current PR head is ${input.currentHeadSha || "unknown"}.`),
+    ...failedGreptileChecks.map((entry) => `Greptile check failed: ${entry}`)
+  ];
+  const unresolvedComments = [
+    ...unresolvedGreptileThreadSummaries(input.reviewThreads)
+  ];
+  const greptileChecks = input.checks.filter((check) => isGreptileLabel(checkName(check)));
+  const greptileReviews = input.reviews.filter((review) => isGreptileGithubLogin(review.author?.login));
+  const completedGreptileCheck = greptileChecks.some((check) => {
+    const reviewedSha2 = check.headSha ?? check.head_sha ?? null;
+    return reviewedSha2 === input.currentHeadSha && (isPassingCheck(check) || isFailingCheck(check));
+  });
+  const completedGreptileReview = greptileReviews.some((review) => {
+    const state = String(review.state ?? "").toUpperCase();
+    const completedState = ["APPROVED", "COMMENTED", "CHANGES_REQUESTED"].includes(state) || !!review.body?.trim();
+    return completedState && review.commit_id === input.currentHeadSha;
+  });
+  const approvalReviewedSha = approvingSignal?.reviewedSha ?? null;
+  const reviewedSha = approvalReviewedSha ?? staleSignals[0]?.reviewedSha ?? trustedSignals.map((signal) => signal.reviewedSha ?? null).find(Boolean) ?? null;
+  const fresh = !!approvalReviewedSha && approvalReviewedSha === input.currentHeadSha;
+  const completed = completedGreptileCheck || completedGreptileReview || !!approvingSignal || trustedSignals.some((signal) => signal.source === "api" && signal.reviewedSha === input.currentHeadSha);
+  const hasGreptileEvidence = trustedSignals.length > 0 || signals.some((signal) => /greptile/i.test(signal.body));
+  const approved = fresh && completed && !blockers.length && !unresolvedComments.length && (approvedByScore || approvedByExplicitMapping);
+  const mapping = !hasGreptileEvidence ? "missing" : staleSignals.length > 0 && !approvingSignal ? "stale" : approvedByScore ? "score-5-of-5" : "unproven";
+  const source = approvingSignal?.source === "api" ? "api" : approvingSignal?.source === "github-review" ? "github-review" : approvingSignal?.source === "changed-file-comment" || approvingSignal?.source === "issue-comment" || approvingSignal?.source === "review-thread" ? "github-comment" : greptileReviews.length > 0 && greptileChecks.length > 0 ? "combined" : greptileReviews.length > 0 ? "github-review" : greptileChecks.length > 0 ? "github-check" : signals.some((signal) => signal.source === "pr-body" || signal.source === "pr-title") ? "pr-body" : "missing";
+  return {
+    source,
+    currentHeadSha: input.currentHeadSha,
+    reviewedSha,
+    fresh,
+    completed,
+    approved,
+    score,
+    explicitApproval: approvedByExplicitMapping,
+    blockers,
+    unresolvedComments,
+    rawBodies,
+    signals: signals.map(({ body: _body, allScores: _allScores, ...signal }) => signal),
+    mapping
+  };
+}
+function isGreptileCheckDetail(check) {
+  return isGreptileLabel(checkName(check)) || isGreptileGithubLogin(check.app?.slug) || isGreptileGithubLogin(check.app?.owner?.login) || isGreptileLabel(check.app?.name);
+}
+async function collectGreptileCheckDetails(input) {
+  const checkRunsRead = await runJsonArray(input.command, [
+    "api",
+    `repos/${input.repoName}/commits/${input.headSha}/check-runs`,
+    "--paginate",
+    "--slurp",
+    "--jq",
+    "map(.check_runs // []) | add // []"
+  ], input.projectRoot);
+  const checkRuns = checkRunsRead.value.map(normalizeStatusCheck).filter((entry) => !!entry).filter(isGreptileCheckDetail);
+  return checkRunsRead.error ? { value: checkRuns, error: checkRunsRead.error } : { value: checkRuns };
+}
+async function collectReviewThreads(input) {
+  const reviewThreads = [];
+  let afterCursor = null;
+  for (let page = 0;page < 100; page += 1) {
+    const afterLiteral = afterCursor ? JSON.stringify(afterCursor) : "null";
+    const threadsResponse = await runJsonObject(input.command, [
+      "api",
+      "graphql",
+      "-F",
+      `owner=${input.owner}`,
+      "-F",
+      `name=${input.name}`,
+      "-F",
+      `prNumber=${input.prNumber}`,
+      "-f",
+      `query=query($owner: String!, $name: String!, $prNumber: Int!) { repository(owner:$owner, name:$name) { pullRequest(number:$prNumber) { reviewThreads(first: 100, after: ${afterLiteral}) { nodes { id isResolved isOutdated comments(first: 100) { nodes { author { login } body path url createdAt } pageInfo { hasNextPage endCursor } } } pageInfo { hasNextPage endCursor } } } } }`
+    ], input.projectRoot);
+    if (threadsResponse.error) {
+      return { value: reviewThreads, error: threadsResponse.error };
+    }
+    const data = threadsResponse.value.data;
+    const repository = data?.repository;
+    const pullRequest = repository?.pullRequest;
+    const threads = pullRequest?.reviewThreads;
+    const nodes = threads?.nodes;
+    if (!Array.isArray(nodes)) {
+      return { value: reviewThreads, error: "GitHub reviewThreads response did not include a nodes array" };
+    }
+    const normalized = nodes.map(normalizeReviewThread).filter((entry) => !!entry);
+    reviewThreads.push(...normalized);
+    const truncatedCommentThread = normalized.find((thread) => thread.comments?.pageInfo?.hasNextPage === true);
+    if (truncatedCommentThread) {
+      return { value: reviewThreads, error: `GitHub review thread ${truncatedCommentThread.id ?? "unknown"} has more than 100 comments; nested pagination is incomplete` };
+    }
+    const pageInfo = threads?.pageInfo;
+    if (!pageInfo) {
+      if (nodes.length >= 100) {
+        return { value: reviewThreads, error: "GitHub reviewThreads pagination metadata missing after a full page" };
+      }
+      return { value: reviewThreads };
+    }
+    if (pageInfo.hasNextPage !== true) {
+      return { value: reviewThreads };
+    }
+    if (typeof pageInfo.endCursor !== "string" || !pageInfo.endCursor.trim()) {
+      return { value: reviewThreads, error: "GitHub reviewThreads pagination reported hasNextPage without endCursor" };
+    }
+    afterCursor = pageInfo.endCursor;
+  }
+  return { value: reviewThreads, error: "GitHub reviewThreads pagination exceeded 100 pages" };
+}
+async function collectPrReviewEvidence(input) {
+  const parsed = parseGithubPrUrl(input.prUrl);
+  if (!parsed) {
+    throw new Error(`Cannot parse GitHub PR URL: ${input.prUrl}`);
+  }
+  const readErrors = [];
+  const viewRead = await runJsonObject(input.command, [
+    "pr",
+    "view",
+    input.prUrl,
+    "--json",
+    "title,body,headRefOid,headRefName,baseRefName,state,isDraft,mergeable,mergeStateStatus,reviewDecision,reviews,statusCheckRollup"
+  ], input.projectRoot);
+  if (viewRead.error)
+    readErrors.push(viewRead.error);
+  const view = viewRead.value;
+  if (!Array.isArray(view.statusCheckRollup)) {
+    readErrors.push("gh pr view did not return required statusCheckRollup array");
+  }
+  if (!Array.isArray(view.reviews)) {
+    readErrors.push("gh pr view did not return required reviews array");
+  }
+  const headSha = firstString(view, ["headRefOid", "headSha", "head_sha"]);
+  const statusCheckRollup = arrayField(view, "statusCheckRollup").map(normalizeStatusCheck).filter((entry) => !!entry);
+  const reviews = arrayField(view, "reviews").map(normalizeReview).filter((entry) => !!entry);
+  const reviewCommentsRead = await runJsonArray(input.command, ["api", `repos/${parsed.repoName}/pulls/${parsed.prNumber}/comments`, "--paginate", "--slurp"], input.projectRoot);
+  if (reviewCommentsRead.error)
+    readErrors.push(reviewCommentsRead.error);
+  const reviewComments = reviewCommentsRead.value.map(normalizeReviewComment).filter((entry) => !!entry);
+  const issueCommentsRead = await runJsonArray(input.command, ["api", `repos/${parsed.repoName}/issues/${parsed.prNumber}/comments`, "--paginate", "--slurp"], input.projectRoot);
+  if (issueCommentsRead.error)
+    readErrors.push(issueCommentsRead.error);
+  const issueComments = issueCommentsRead.value.map(normalizeIssueComment).filter((entry) => !!entry).filter(relevantIssueComment);
+  const reviewThreadsRead = await collectReviewThreads({
+    command: input.command,
+    projectRoot: input.projectRoot,
+    owner: parsed.owner,
+    name: parsed.repo,
+    prNumber: parsed.prNumber
+  });
+  if (reviewThreadsRead.error)
+    readErrors.push(reviewThreadsRead.error);
+  const reviewThreads = reviewThreadsRead.value;
+  const greptileRollupChecks = statusCheckRollup.filter((check) => isGreptileLabel(checkName(check)));
+  let greptileCheckDetails = [];
+  if (headSha && greptileRollupChecks.length > 0) {
+    const checkDetailsRead = await collectGreptileCheckDetails({
+      command: input.command,
+      projectRoot: input.projectRoot,
+      repoName: parsed.repoName,
+      headSha
+    });
+    if (checkDetailsRead.error)
+      readErrors.push(checkDetailsRead.error);
+    greptileCheckDetails = checkDetailsRead.value;
+    if (!checkDetailsRead.error && greptileCheckDetails.length === 0) {
+      readErrors.push("Greptile check details could not be found for the current PR head");
+    }
+  }
+  const checksWithGreptileDetails = [...statusCheckRollup, ...greptileCheckDetails];
+  const checkFailures = statusCheckRollup.filter((check) => !isGreptileLabel(checkName(check)) && isFailingCheck(check) && !isAllowedFailure(checkName(check), input.allowedFailures ?? [])).map((check) => `Check failed: ${checkName(check)}${check.detailsUrl || check.link ? ` (${check.detailsUrl ?? check.link})` : ""}`);
+  const pendingChecks = statusCheckRollup.filter((check) => isPendingCheck(check) && (isGreptileLabel(checkName(check)) || !isAllowedFailure(checkName(check), input.allowedFailures ?? []))).map((check) => `Check pending: ${checkName(check)}`);
+  const evidenceBase = {
+    title: firstString(view, ["title"]),
+    body: firstString(view, ["body"]),
+    reviews,
+    changedFileReviewComments: reviewComments,
+    relevantIssueComments: issueComments,
+    reviewThreads,
+    checks: checksWithGreptileDetails,
+    currentHeadSha: headSha,
+    apiSignals: input.apiSignals ?? []
+  };
+  const greptile = deriveGreptileEvidence(evidenceBase);
+  return {
+    prUrl: input.prUrl,
+    prNumber: parsed.prNumber,
+    repoName: parsed.repoName,
+    title: evidenceBase.title,
+    body: evidenceBase.body,
+    headSha,
+    headRefName: firstString(view, ["headRefName"]),
+    baseRefName: firstString(view, ["baseRefName"]),
+    state: firstString(view, ["state"]),
+    isDraft: typeof view.isDraft === "boolean" ? view.isDraft : null,
+    mergeable: firstString(view, ["mergeable"]),
+    mergeStateStatus: firstString(view, ["mergeStateStatus"]),
+    reviewDecision: firstString(view, ["reviewDecision"]),
+    reviews,
+    reviewThreads,
+    changedFileReviewComments: reviewComments,
+    relevantIssueComments: issueComments,
+    statusCheckRollup: checksWithGreptileDetails,
+    checkFailures,
+    pendingChecks,
+    readErrors,
+    greptile
+  };
+}
+function evaluateEvidence(evidence) {
+  const reasons = [];
+  const warnings = [];
+  let pending = false;
+  if (evidence.readErrors.length > 0) {
+    reasons.push(...evidence.readErrors.map((error) => `Required PR evidence surface could not be read completely: ${error}`));
+  }
+  if (!evidence.headSha)
+    reasons.push("PR head SHA could not be read; current-head Greptile approval cannot be proven.");
+  if (evidence.checkFailures.length > 0)
+    reasons.push(...evidence.checkFailures);
+  if (evidence.pendingChecks.length > 0) {
+    pending = true;
+    reasons.push(...evidence.pendingChecks);
+  }
+  const reviewDecision = String(evidence.reviewDecision ?? "").toUpperCase();
+  if (reviewDecision === "CHANGES_REQUESTED" || reviewDecision === "REVIEW_REQUIRED") {
+    reasons.push(`Required review is unresolved (${evidence.reviewDecision}).`);
+  }
+  const unresolvedThreads = unresolvedThreadSummaries(evidence.reviewThreads);
+  if (unresolvedThreads.length > 0)
+    reasons.push(...unresolvedThreads);
+  const greptile = evidence.greptile;
+  if (greptile.mapping === "missing")
+    reasons.push("Missing Greptile check/review evidence for this PR.");
+  const staleSignal = greptile.signals.find((signal) => signal.reviewedSha && signal.reviewedSha !== evidence.headSha);
+  if (greptile.mapping === "stale" || greptile.reviewedSha && greptile.reviewedSha !== evidence.headSha || !greptile.approved && staleSignal) {
+    reasons.push(`Greptile evidence is stale (reviewed ${greptile.reviewedSha ?? staleSignal?.reviewedSha ?? "unknown"}, current ${evidence.headSha || "unknown"}).`);
+  }
+  if (!greptile.completed) {
+    pending = true;
+    reasons.push("Greptile check/review has not completed for the current PR head.");
+  }
+  if (!greptile.fresh)
+    reasons.push("Greptile approval is not tied to the current PR head SHA.");
+  if (greptile.score && !(greptile.score.scale === 5 && greptile.score.value === 5)) {
+    reasons.push(`Greptile score is ${greptile.score.value}/${greptile.score.scale}; strict merge requires trusted current-head 5/5.`);
+  }
+  if (!greptile.score && greptile.mapping !== "score-5-of-5") {
+    reasons.push("No parseable Greptile 5/5 score or explicit approved mapping was found from trusted current-head evidence; merge is blocked.");
+  }
+  if (greptile.mapping === "unproven") {
+    reasons.push("Greptile approval mapping is unproven; PR body/title or a green check alone cannot approve merge.");
+  }
+  if (greptile.blockers.length > 0) {
+    reasons.push(...greptile.blockers.map((entry) => `Greptile/blocker text: ${entry.trim().slice(0, 500)}`));
+  }
+  if (greptile.unresolvedComments.length > 0)
+    reasons.push(...greptile.unresolvedComments);
+  if (!greptile.approved)
+    warnings.push(`Greptile approval mapping is ${greptile.mapping}.`);
+  return { reasons: Array.from(new Set(reasons)), warnings, pending };
+}
+function evaluateStrictPrMergeGate(evidence) {
+  const evaluated = evaluateEvidence(evidence);
+  const approved = evaluated.reasons.length === 0 && evidence.greptile.approved;
+  return {
+    approved,
+    pending: evaluated.pending,
+    reasons: evaluated.reasons,
+    warnings: evaluated.warnings,
+    actionableFeedback: evaluated.reasons,
+    evidence
+  };
+}
+
+// packages/runtime/src/control-plane/native/verifier.ts
 async function verifyTask(options) {
   const paths = resolveHarnessPaths(options.projectRoot);
   const taskId = options.taskId;
@@ -4400,7 +5173,8 @@ async function runGreptileReviewForPr(options) {
       }
     };
   }
-  if (/not safe to merge|unsafe to merge|do not merge|blocker/i.test(reviewBody)) {
+  const blockerScanBody = stripHtml(reviewBody).replace(/\b(?:no|without|zero)\s+blockers?\b/gi, " ").replace(/\bno\s+changes\s+requested\b/gi, " ");
+  if (/not safe(?: to merge)?|unsafe(?: to merge)?|do not merge|cannot merge|blockers?|must fix|changes requested|please fix|needs? fix|fix this|address this/i.test(blockerScanBody)) {
     reasons.push(`[AI Review] ${repoName}#${prNumber} summary indicates the PR is not safe to merge.`);
     return {
       verdict: "REJECT",
@@ -4416,44 +5190,78 @@ async function runGreptileReviewForPr(options) {
       }
     };
   }
-  if (score) {
-    if (score.scale === 5 && score.value < 5 && options.reviewMode === "required") {
-      reasons.push(`[AI Review] ${repoName}#${prNumber} completed with Greptile confidence ${score.value}/${score.scale}; required mode needs 5/5 before merge.`);
-      return {
-        verdict: "REJECT",
-        feedback,
-        reasons,
-        warnings,
-        rawPayload: {
-          pr: options.prState,
-          codeReviews: reviewsPayload,
-          selectedReview,
-          reviewDetails,
-          comments: commentsPayload,
-          score
-        }
-      };
-    }
-    if (score.scale === 5 && score.value <= 2) {
-      reasons.push(`[AI Review] ${repoName}#${prNumber} completed with Greptile confidence ${score.value}/${score.scale}; this requires rework before merge.`);
-      return {
-        verdict: "REJECT",
-        feedback,
-        reasons,
-        warnings,
-        rawPayload: {
-          pr: options.prState,
-          codeReviews: reviewsPayload,
-          selectedReview,
-          reviewDetails,
-          comments: commentsPayload,
-          score
+  if (score?.scale === 5 && score.value < 5) {
+    reasons.push(`[AI Review] ${repoName}#${prNumber} completed with Greptile confidence ${score.value}/${score.scale}; strict review requires 5/5 before merge.`);
+    return {
+      verdict: "REJECT",
+      feedback,
+      reasons,
+      warnings,
+      rawPayload: {
+        pr: options.prState,
+        codeReviews: reviewsPayload,
+        selectedReview,
+        reviewDetails,
+        comments: commentsPayload,
+        score
+      }
+    };
+  }
+  const prUrl = options.prState.url || `https://github.com/${repoName}/pull/${prNumber}`;
+  let strictGate = null;
+  try {
+    const strictEvidence = await collectStrictPrEvidenceForVerifier({
+      projectRoot: options.projectRoot,
+      taskId: options.taskId,
+      prUrl,
+      apiSignals: [{
+        id: selectedReview.id,
+        body: reviewBody,
+        reviewedSha: selectedReview.metadata?.checkHeadSha ?? null,
+        status: selectedReview.status
+      }]
+    });
+    strictGate = evaluateStrictPrMergeGate(strictEvidence);
+  } catch (error) {
+    reasons.push(`[AI Review] Strict Greptile evidence collection failed for ${repoName}#${prNumber}: ${error instanceof Error ? error.message : String(error)}`);
+    return {
+      verdict: "REJECT",
+      feedback,
+      reasons,
+      warnings,
+      rawPayload: {
+        pr: options.prState,
+        codeReviews: reviewsPayload,
+        selectedReview,
+        reviewDetails,
+        comments: commentsPayload,
+        score
+      }
+    };
+  }
+  if (!strictGate.approved) {
+    return {
+      verdict: strictGate.pending ? "SKIP" : "REJECT",
+      feedback,
+      reasons: strictGate.reasons.map((reason) => reason.startsWith("[AI Review]") ? reason : `[AI Review] ${reason}`),
+      warnings: [...warnings, ...strictGate.warnings],
+      rawPayload: {
+        pr: options.prState,
+        codeReviews: reviewsPayload,
+        selectedReview,
+        reviewDetails,
+        comments: commentsPayload,
+        score,
+        strictGate: {
+          approved: strictGate.approved,
+          pending: strictGate.pending,
+          reasons: strictGate.reasons,
+          warnings: strictGate.warnings,
+          greptile: strictGate.evidence.greptile,
+          readErrors: strictGate.evidence.readErrors
         }
-      };
-    }
-    if (score.scale === 5 && score.value < 5) {
-      warnings.push(`[AI Review] ${repoName}#${prNumber} completed with Greptile confidence ${score.value}/${score.scale}; continue only after reviewing remaining risk.`);
-    }
+      }
+    };
   }
   return {
     verdict: "APPROVE",
@@ -4465,7 +5273,15 @@ async function runGreptileReviewForPr(options) {
       codeReviews: reviewsPayload,
       selectedReview,
       reviewDetails,
-      comments: commentsPayload
+      comments: commentsPayload,
+      strictGate: {
+        approved: strictGate.approved,
+        pending: strictGate.pending,
+        reasons: strictGate.reasons,
+        warnings: strictGate.warnings,
+        greptile: strictGate.evidence.greptile,
+        readErrors: strictGate.evidence.readErrors
+      }
     }
   };
 }
@@ -4489,7 +5305,7 @@ async function runGithubGreptileFallbackReviewForPr(options) {
   let threads = [];
   let actionableThreads = [];
   let checkRollup = [];
-  let checkState = { pending: false, completed: false };
+  let checkState2 = { pending: false, completed: false };
   for (let attempt = 0;; attempt += 1) {
     reviews = runGhJson(options.projectRoot, ["api", `repos/${repoName}/pulls/${prNumber}/reviews`]);
     selectedReview = pickRelevantGithubGreptileReview(reviews, expectedHeadSha);
@@ -4498,15 +5314,15 @@ async function runGithubGreptileFallbackReviewForPr(options) {
     threads = loadGithubReviewThreads(options.projectRoot, repoName, prNumber);
     actionableThreads = filterActionableGithubGreptileThreads(threads);
     checkRollup = loadGithubPullRequestCheckRollup(options.projectRoot, repoName, prNumber);
-    checkState = classifyGithubGreptileCheckState(checkRollup);
-    const approvedViaReviewedAncestor2 = !selectedReview && !!fallbackReview?.commit_id && !!expectedHeadSha && isCommitAncestorOfPrHead(options.projectRoot, options.prState, fallbackReview.commit_id, expectedHeadSha);
+    checkState2 = classifyGithubGreptileCheckState(checkRollup);
+    const approvedViaReviewedAncestor = !selectedReview && !!fallbackReview?.commit_id && !!expectedHeadSha && isCommitAncestorOfPrHead(options.projectRoot, options.prState, fallbackReview.commit_id, expectedHeadSha);
     if (!shouldContinueGithubGreptileFallbackPolling({
       attempt,
       pollAttempts: options.pollAttempts,
-      checkState,
+      checkState: checkState2,
       fallbackReview,
       selectedReview,
-      approvedViaReviewedAncestor: approvedViaReviewedAncestor2
+      approvedViaReviewedAncestor
     })) {
       break;
     }
@@ -4534,7 +5350,7 @@ async function runGithubGreptileFallbackReviewForPr(options) {
   ].filter(Boolean).join(`
 `);
   const warnings = buildGithubGreptileFallbackWarnings(options);
-  if (checkState.pending) {
+  if (checkState2.pending) {
     return {
       verdict: "SKIP",
       feedback,
@@ -4545,34 +5361,20 @@ async function runGithubGreptileFallbackReviewForPr(options) {
       rawPayload: { ...buildGithubGreptileFallbackRawPayload(options), reviews, threads, checkRollup }
     };
   }
-  const approvedViaCompletedCheck = isGithubGreptileCheckApproved(checkRollup);
-  if (!fallbackReview) {
-    if (approvedViaCompletedCheck) {
-      warnings.push(`[AI Review Warning] ${repoName}#${prNumber} has no GitHub Greptile review object, but the Greptile check completed successfully and no unresolved Greptile threads remain.`);
-      return {
-        verdict: "APPROVE",
-        feedback,
-        reasons: [],
-        warnings,
-        rawPayload: { ...buildGithubGreptileFallbackRawPayload(options), reviews, threads, checkRollup }
-      };
-    }
-    return {
-      verdict: "SKIP",
-      feedback,
-      reasons: [
-        `[AI Review] Greptile GitHub review for ${repoName}#${prNumber} is not available.`
-      ],
-      warnings,
-      rawPayload: { ...buildGithubGreptileFallbackRawPayload(options), reviews, threads, checkRollup }
-    };
-  }
-  const approvedViaReviewedAncestor = !selectedReview && !!fallbackReview.commit_id && !!expectedHeadSha && isCommitAncestorOfPrHead(options.projectRoot, options.prState, fallbackReview.commit_id, expectedHeadSha);
-  if (actionableThreads.length > 0) {
+  const prUrl = options.prState.url || `https://github.com/${repoName}/pull/${prNumber}`;
+  let strictGate;
+  try {
+    const strictEvidence = await collectStrictPrEvidenceForVerifier({
+      projectRoot: options.projectRoot,
+      taskId: options.taskId,
+      prUrl
+    });
+    strictGate = evaluateStrictPrMergeGate(strictEvidence);
+  } catch (error) {
     return {
       verdict: "REJECT",
       feedback,
-      reasons: actionableThreads.map((comment) => `[AI Review] ${repoName}#${prNumber} has unresolved Greptile comment on ${comment.path}: ${summarizeComment(comment.body || "")}`),
+      reasons: [`[AI Review] Strict Greptile evidence collection failed for ${repoName}#${prNumber}: ${error instanceof Error ? error.message : String(error)}`],
       warnings,
       rawPayload: {
         pr: options.prState,
@@ -4585,44 +5387,30 @@ async function runGithubGreptileFallbackReviewForPr(options) {
       }
     };
   }
-  if (!selectedReview && !approvedViaReviewedAncestor) {
-    if (approvedViaCompletedCheck) {
-      warnings.push(`[AI Review Warning] ${repoName}#${prNumber} has no fresh Greptile GitHub review on the current head, but the Greptile check completed successfully and all Greptile threads are resolved.`);
-      return {
-        verdict: "APPROVE",
-        feedback,
-        reasons: [],
-        warnings,
-        rawPayload: {
-          pr: options.prState,
-          selectedReview: fallbackReview,
-          reviews,
-          threads,
-          checkRollup,
-          ...buildGithubGreptileFallbackRawPayload(options)
-        }
-      };
-    }
+  if (!strictGate.approved) {
     return {
-      verdict: "SKIP",
+      verdict: strictGate.pending ? "SKIP" : "REJECT",
       feedback,
-      reasons: [
-        `[AI Review] Greptile GitHub review for ${repoName}#${prNumber} is not available for the current head.`
-      ],
-      warnings,
+      reasons: strictGate.reasons.map((reason) => reason.startsWith("[AI Review]") ? reason : `[AI Review] ${reason}`),
+      warnings: [...warnings, ...strictGate.warnings],
       rawPayload: {
         pr: options.prState,
         selectedReview: fallbackReview,
         reviews,
         threads,
         checkRollup,
+        actionableThreads,
+        strictGate: {
+          approved: strictGate.approved,
+          pending: strictGate.pending,
+          reasons: strictGate.reasons,
+          warnings: strictGate.warnings,
+          greptile: strictGate.evidence.greptile
+        },
         ...buildGithubGreptileFallbackRawPayload(options)
       }
     };
   }
-  if (approvedViaReviewedAncestor) {
-    warnings.push(`[AI Review Warning] ${repoName}#${prNumber} has no fresh Greptile review on the current head, but the latest reviewed commit is an ancestor and all Greptile threads are resolved.`);
-  }
   return {
     verdict: "APPROVE",
     feedback,
@@ -4634,6 +5422,13 @@ async function runGithubGreptileFallbackReviewForPr(options) {
       reviews,
       threads,
       checkRollup,
+      strictGate: {
+        approved: strictGate.approved,
+        pending: strictGate.pending,
+        reasons: strictGate.reasons,
+        warnings: strictGate.warnings,
+        greptile: strictGate.evidence.greptile
+      },
       ...buildGithubGreptileFallbackRawPayload(options)
     }
   };
@@ -4746,21 +5541,25 @@ function shouldTriggerGreptileReview(existingReview, expectedHeadSha) {
   if ((existingReview.metadata?.checkHeadSha || "") !== expectedHeadSha) {
     return true;
   }
-  return isGreptileReviewTerminal(existingReview.status);
+  return false;
 }
 function shouldContinueGreptileMcpPolling(options) {
   if (options.githubCheckState.completed) {
     return false;
   }
+  const hasRemainingBudget = options.attempt + 1 < options.pollAttempts;
+  if (!hasRemainingBudget) {
+    return false;
+  }
   if (options.selectedReview && !isGreptileReviewTerminal(options.selectedReview.status)) {
     return true;
   }
-  return options.attempt + 1 < options.pollAttempts;
+  return true;
 }
 function shouldContinueGithubGreptileFallbackPolling(options) {
   const waitingForVisiblePendingReview = options.checkState.pending && (!options.fallbackReview || !options.selectedReview && !options.approvedViaReviewedAncestor);
   if (waitingForVisiblePendingReview) {
-    return true;
+    return options.attempt + 1 < options.pollAttempts;
   }
   const reviewNotVisibleYet = !options.fallbackReview && !options.checkState.pending && !options.checkState.completed;
   if (reviewNotVisibleYet) {
@@ -4819,6 +5618,20 @@ function runGhJson(projectRoot, args) {
     throw new Error(`gh ${args.join(" ")} returned malformed JSON: ${result.stdout}`);
   }
 }
+async function collectStrictPrEvidenceForVerifier(input) {
+  return collectPrReviewEvidence({
+    projectRoot: input.projectRoot,
+    prUrl: input.prUrl,
+    taskId: input.taskId,
+    runId: "verifier",
+    cycle: 0,
+    apiSignals: input.apiSignals ?? [],
+    command: async (args, options) => {
+      const result = runCapture(["gh", ...args], options?.cwd ?? input.projectRoot);
+      return { exitCode: result.exitCode, stdout: result.stdout, stderr: result.stderr };
+    }
+  });
+}
 function deriveRepoName(projectRoot, prState) {
   const fromUrl = /github\.com\/([^/]+\/[^/]+)\/pull\/\d+/.exec(prState.url || "");
   if (fromUrl?.[1]) {
@@ -4833,8 +5646,9 @@ function resolvePrHeadSha(projectRoot, prState) {
   const repoRoot = resolvePrRepoRoot(projectRoot, prState);
   return runCapture(["git", "-C", repoRoot, "rev-parse", "HEAD"], projectRoot).stdout.trim();
 }
-function isGreptileGithubLogin(login) {
-  return (login || "").replace(/\[bot\]$/, "") === "greptile-apps";
+function isGreptileGithubLogin2(login) {
+  const normalized = (login || "").toLowerCase().replace(/\[bot\]$/, "");
+  return normalized === "greptile" || normalized === "greptile-ai" || normalized === "greptileai" || normalized === "greptile-apps";
 }
 function pickRelevantGithubGreptileReview(reviews, expectedHeadSha) {
   const matching = sortGithubGreptileReviews(reviews);
@@ -4851,7 +5665,7 @@ function pickLatestGithubGreptileReview(reviews) {
   return sortGithubGreptileReviews(reviews)[0] || null;
 }
 function sortGithubGreptileReviews(reviews) {
-  return reviews.filter((review) => isGreptileGithubLogin(review.user?.login)).sort((left, right) => Date.parse(right.submitted_at || "") - Date.parse(left.submitted_at || ""));
+  return reviews.filter((review) => isGreptileGithubLogin2(review.user?.login)).sort((left, right) => Date.parse(right.submitted_at || "") - Date.parse(left.submitted_at || ""));
 }
 function loadGithubPullRequestCheckRollup(projectRoot, repoName, prNumber) {
   const response = runGhJson(projectRoot, [
@@ -4924,32 +5738,6 @@ function classifyGithubGreptileCheckState(checks) {
   }
   return { pending: false, completed: false };
 }
-function isGithubGreptileCheckApproved(checks) {
-  const greptileChecks = checks.filter((check) => {
-    const label = (check.name || check.context || "").toLowerCase();
-    return label.includes("greptile");
-  });
-  if (greptileChecks.length === 0) {
-    return false;
-  }
-  for (const check of greptileChecks) {
-    if ((check.__typename || "") === "CheckRun") {
-      if ((check.status || "").toUpperCase() !== "COMPLETED") {
-        return false;
-      }
-      const conclusion = (check.conclusion || "").toUpperCase();
-      if (!["SUCCESS", "NEUTRAL", "SKIPPED"].includes(conclusion)) {
-        return false;
-      }
-      continue;
-    }
-    const state = (check.state || "").toUpperCase();
-    if (!["SUCCESS", "NEUTRAL", "SKIPPED"].includes(state)) {
-      return false;
-    }
-  }
-  return true;
-}
 function loadGithubReviewThreads(projectRoot, repoName, prNumber) {
   const [owner, name] = repoName.split("/");
   if (!owner || !name) {
@@ -4975,7 +5763,7 @@ function filterActionableGithubGreptileThreads(threads) {
       return [];
     }
     const comments = thread.comments?.nodes || [];
-    const latestGreptileComment = [...comments].reverse().find((comment) => isGreptileGithubLogin(comment.author?.login));
+    const latestGreptileComment = [...comments].reverse().find((comment) => isGreptileGithubLogin2(comment.author?.login));
     if (!latestGreptileComment?.path?.trim()) {
       return [];
     }
@@ -4997,11 +5785,6 @@ function isCommitAncestorOfPrHead(projectRoot, prState, reviewedCommit, headComm
   const repoRoot = resolvePrRepoRoot(projectRoot, prState);
   return runCapture(["git", "-C", repoRoot, "merge-base", "--is-ancestor", reviewedCommit, headCommit], projectRoot).exitCode === 0;
 }
-function stripHtml(input) {
-  return input.replace(/<[^>]+>/g, " ").replace(/&nbsp;/g, " ").replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/\r/g, "").replace(/\n{3,}/g, `
-
-`).trim();
-}
 function summarizeComment(input) {
   const text = stripHtml(input).replace(/\s+/g, " ").trim();
   return text.length > 160 ? `${text.slice(0, 157)}...` : text;
@@ -5010,31 +5793,14 @@ function asGreptileInfrastructureWarning(reason) {
   return reason.startsWith("[AI Review]") ? reason.replace("[AI Review]", "[AI Review Warning]") : reason;
 }
 function isAiReviewApproved(input) {
+  if (input.aiVerdict === "REJECT" && input.aiReasons.length > 0) {
+    return false;
+  }
   if (input.reviewMode !== "required") {
     return true;
   }
   return input.aiVerdict === "APPROVE" && input.aiReasons.length === 0;
 }
-function parseGreptileScore(input) {
-  const text = stripHtml(input);
-  const patterns = [
-    /confidence score:\s*(\d+)\s*\/\s*(\d+)/i,
-    /\bscore:\s*(\d+)\s*\/\s*(\d+)/i,
-    /\b(\d+)\s*\/\s*(\d+)\s*(?:confidence|score)/i
-  ];
-  for (const pattern of patterns) {
-    const match = pattern.exec(text);
-    if (!match) {
-      continue;
-    }
-    const value = Number.parseInt(match[1] || "", 10);
-    const scale = Number.parseInt(match[2] || "", 10);
-    if (Number.isFinite(value) && Number.isFinite(scale) && scale > 0) {
-      return { value, scale };
-    }
-  }
-  return null;
-}
 
 // packages/runtime/src/control-plane/provider/runtime-instructions.ts
 var CLAUDE_ROUTER_TOOL_NAMES = [
@@ -6347,8 +7113,9 @@ function defaultPrCloseoutLine(taskId, repoNameWithOwner) {
   const sourceIssueId = loadRuntimeContextFromEnv()?.sourceTask?.sourceIssueId;
   if (sourceIssueId) {
     const match = sourceIssueId.match(/^([^#]+)#(\d+)$/);
-    if (match) {
-      const [, sourceRepo, issueNumber] = match;
+    if (match?.[1] && match[2]) {
+      const sourceRepo = match[1];
+      const issueNumber = match[2];
       return sourceRepo.toLowerCase() === repoNameWithOwner.toLowerCase() ? `Closes #${issueNumber}` : `Closes ${sourceRepo}#${issueNumber}`;
     }
   }