@h-rig/runtime 0.0.6-alpha.13 → 0.0.6-alpha.15

package/dist/src/control-plane/native/pr-review-gate.js

@@ -2,6 +2,51 @@
 // packages/runtime/src/control-plane/native/pr-review-gate.ts
 import { mkdirSync, writeFileSync } from "fs";
 import { resolve } from "path";
+
+// packages/runtime/src/control-plane/runtime/baked-secrets.ts
+var BAKED_RUNTIME_SECRETS = {
+  ANTHROPIC_API_KEY: typeof RIG_BAKED_ANTHROPIC_API_KEY !== "undefined" ? RIG_BAKED_ANTHROPIC_API_KEY : "",
+  OPENAI_API_KEY: typeof RIG_BAKED_OPENAI_API_KEY !== "undefined" ? RIG_BAKED_OPENAI_API_KEY : "",
+  OPENROUTER_API_KEY: typeof RIG_BAKED_OPENROUTER_API_KEY !== "undefined" ? RIG_BAKED_OPENROUTER_API_KEY : "",
+  AI_REVIEW_MODE: typeof RIG_BAKED_AI_REVIEW_MODE !== "undefined" ? RIG_BAKED_AI_REVIEW_MODE : "",
+  AI_REVIEW_PROVIDER: typeof RIG_BAKED_AI_REVIEW_PROVIDER !== "undefined" ? RIG_BAKED_AI_REVIEW_PROVIDER : "",
+  GREPTILE_API_BASE: typeof RIG_BAKED_GREPTILE_API_BASE !== "undefined" ? RIG_BAKED_GREPTILE_API_BASE : "",
+  GREPTILE_REMOTE: typeof RIG_BAKED_GREPTILE_REMOTE !== "undefined" ? RIG_BAKED_GREPTILE_REMOTE : "",
+  GREPTILE_REPOSITORY: typeof RIG_BAKED_GREPTILE_REPOSITORY !== "undefined" ? RIG_BAKED_GREPTILE_REPOSITORY : "",
+  GREPTILE_CONTEXT_BRANCH: typeof RIG_BAKED_GREPTILE_CONTEXT_BRANCH !== "undefined" ? RIG_BAKED_GREPTILE_CONTEXT_BRANCH : "",
+  GREPTILE_DEFAULT_BRANCH: typeof RIG_BAKED_GREPTILE_DEFAULT_BRANCH !== "undefined" ? RIG_BAKED_GREPTILE_DEFAULT_BRANCH : "",
+  GREPTILE_API_KEY: typeof RIG_BAKED_GREPTILE_API_KEY !== "undefined" ? RIG_BAKED_GREPTILE_API_KEY : "",
+  GREPTILE_GITHUB_TOKEN: typeof RIG_BAKED_GREPTILE_GITHUB_TOKEN !== "undefined" ? RIG_BAKED_GREPTILE_GITHUB_TOKEN : "",
+  GREPTILE_POLL_ATTEMPTS: typeof RIG_BAKED_GREPTILE_POLL_ATTEMPTS !== "undefined" ? RIG_BAKED_GREPTILE_POLL_ATTEMPTS : "",
+  GREPTILE_POLL_INTERVAL_MS: typeof RIG_BAKED_GREPTILE_POLL_INTERVAL_MS !== "undefined" ? RIG_BAKED_GREPTILE_POLL_INTERVAL_MS : "",
+  GH_TOKEN: typeof RIG_BAKED_GITHUB_TOKEN !== "undefined" ? RIG_BAKED_GITHUB_TOKEN : "",
+  GITHUB_TOKEN: typeof RIG_BAKED_GITHUB_TOKEN !== "undefined" ? RIG_BAKED_GITHUB_TOKEN : "",
+  GITHUB_SSH_KEY: typeof RIG_BAKED_GITHUB_SSH_KEY !== "undefined" ? RIG_BAKED_GITHUB_SSH_KEY : "",
+  AWS_ACCESS_KEY_ID: typeof RIG_BAKED_AWS_ACCESS_KEY_ID !== "undefined" ? RIG_BAKED_AWS_ACCESS_KEY_ID : "",
+  AWS_SECRET_ACCESS_KEY: typeof RIG_BAKED_AWS_SECRET_ACCESS_KEY !== "undefined" ? RIG_BAKED_AWS_SECRET_ACCESS_KEY : "",
+  AWS_REGION: typeof RIG_BAKED_AWS_REGION !== "undefined" ? RIG_BAKED_AWS_REGION : "",
+  LINEAR_API_KEY: typeof RIG_BAKED_LINEAR_API_KEY !== "undefined" ? RIG_BAKED_LINEAR_API_KEY : "",
+  LINEAR_WEBHOOK_SECRET: typeof RIG_BAKED_LINEAR_WEBHOOK_SECRET !== "undefined" ? RIG_BAKED_LINEAR_WEBHOOK_SECRET : ""
+};
+function resolveRuntimeSecrets(env, baked = BAKED_RUNTIME_SECRETS) {
+  const resolved = {};
+  const keys = new Set([
+    ...Object.keys(BAKED_RUNTIME_SECRETS),
+    ...Object.keys(baked)
+  ]);
+  for (const key of keys) {
+    const envValue = env[key]?.trim();
+    const bakedValue = baked[key]?.trim();
+    if (envValue) {
+      resolved[key] = envValue;
+    } else if (bakedValue) {
+      resolved[key] = bakedValue;
+    }
+  }
+  return resolved;
+}
+
+// packages/runtime/src/control-plane/native/pr-review-gate.ts
 function parseJsonObject(value) {
   if (!value?.trim())
     return { value: {}, error: "empty JSON output" };
@@ -109,7 +154,7 @@ function stripHtml(input) {
 }
 function containsBlockerText(input) {
   const text = stripHtml(input).replace(/\b(?:no|without|zero)\s+blockers?\b/gi, " ").replace(/\bno\s+changes\s+requested\b/gi, " ");
-  return /not safe(?: to merge)?|unsafe(?: to merge)?|do not merge|cannot merge|blockers?|must fix|changes requested|please fix|needs? fix|fix this|address this/i.test(text);
+  return /not safe(?: to merge)?|unsafe(?: to merge)?|do not merge|cannot merge|blockers?|must fix|changes requested|please fix|needs? fix|fix this|address this|\breject(?:ed|ion)?\b|\bskip(?:ped)?\b|status\s*:\s*(?:reject(?:ed)?|skip(?:ped)?|failed)/i.test(text);
 }
 function isStrictFiveOfFive(score) {
   return score.value === 5 && score.scale === 5;
@@ -117,6 +162,189 @@ function isStrictFiveOfFive(score) {
 function containsConflictingScoreText(input) {
   return parseGreptileScores(input).some((score) => !isStrictFiveOfFive(score));
 }
+function greptileStatusVerdict(status) {
+  const normalized = String(status ?? "").trim().toUpperCase().replace(/[\s-]+/g, "_");
+  if (!normalized)
+    return null;
+  if (["APPROVE", "APPROVED"].includes(normalized))
+    return "approved";
+  if (["REJECT", "REJECTED", "CHANGES_REQUESTED", "CHANGE_REQUESTED"].includes(normalized))
+    return "rejected";
+  if (["SKIP", "SKIPPED"].includes(normalized))
+    return "skipped";
+  if (["FAIL", "FAILED", "FAILURE", "ERROR"].includes(normalized))
+    return "failed";
+  if (["PENDING", "QUEUED", "IN_PROGRESS", "RUNNING", "STARTED", "REQUESTED", "REVIEWING_FILES", "GENERATING_SUMMARY"].includes(normalized))
+    return "pending";
+  if (["COMPLETE", "COMPLETED"].includes(normalized))
+    return "completed";
+  return null;
+}
+function isBlockingGreptileVerdict(verdict) {
+  return verdict === "rejected" || verdict === "skipped" || verdict === "failed";
+}
+function greptileRequestTimeoutMs(env) {
+  const fallback = 30000;
+  const parsed = Number.parseInt(env.GREPTILE_REQUEST_TIMEOUT_MS || `${fallback}`, 10);
+  return Number.isFinite(parsed) && parsed >= 1000 ? parsed : fallback;
+}
+function normalizeGreptileMcpCodeReview(entry, fallbackId) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  const id = typeof record.id === "string" ? record.id.trim() : fallbackId?.trim() ?? "";
+  if (!id)
+    return null;
+  const metadataRecord = record.metadata && typeof record.metadata === "object" && !Array.isArray(record.metadata) ? record.metadata : null;
+  return {
+    id,
+    status: typeof record.status === "string" ? record.status : null,
+    createdAt: typeof record.createdAt === "string" ? record.createdAt : null,
+    body: typeof record.body === "string" ? record.body : null,
+    metadata: metadataRecord ? { checkHeadSha: typeof metadataRecord.checkHeadSha === "string" ? metadataRecord.checkHeadSha : null } : null
+  };
+}
+function uniqueGreptileCodeReviews(reviews) {
+  const seen = new Set;
+  const unique = [];
+  for (const review of reviews) {
+    if (seen.has(review.id))
+      continue;
+    seen.add(review.id);
+    unique.push(review);
+  }
+  return unique;
+}
+function selectGreptileApiReviewsForGate(reviews, headSha) {
+  const sorted = [...reviews].sort((left, right) => Date.parse(right.createdAt ?? "") - Date.parse(left.createdAt ?? ""));
+  const current = headSha ? sorted.filter((review) => review.metadata?.checkHeadSha === headSha) : [];
+  const untied = sorted.filter((review) => !review.metadata?.checkHeadSha);
+  const latest = sorted.slice(0, 1);
+  return uniqueGreptileCodeReviews([...current, ...untied, ...latest]);
+}
+function greptileApiSignalFromCodeReview(review, details) {
+  const selected = details ?? review;
+  return {
+    id: selected.id || review.id,
+    body: selected.body ?? review.body ?? null,
+    reviewedSha: selected.metadata?.checkHeadSha ?? review.metadata?.checkHeadSha ?? null,
+    status: selected.status ?? review.status ?? null
+  };
+}
+async function callGreptileMcpToolForGate(input) {
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => {
+    controller.abort(new Error(`Greptile MCP tool ${input.name} timed out after ${input.timeoutMs}ms.`));
+  }, input.timeoutMs);
+  let response;
+  try {
+    response = await input.fetchFn(input.apiBase, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${input.apiKey}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        jsonrpc: "2.0",
+        id: `rig-strict-gate-${input.name}-${Date.now()}`,
+        method: "tools/call",
+        params: { name: input.name, arguments: input.args }
+      }),
+      signal: controller.signal
+    });
+  } catch (error) {
+    if (controller.signal.aborted) {
+      throw controller.signal.reason instanceof Error ? controller.signal.reason : new Error(`Greptile MCP tool ${input.name} timed out after ${input.timeoutMs}ms.`);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+  const raw = await response.text();
+  if (!response.ok) {
+    throw new Error(`HTTP ${response.status}: ${raw}`);
+  }
+  let envelope;
+  try {
+    envelope = JSON.parse(raw);
+  } catch {
+    throw new Error(`Malformed MCP response: ${raw}`);
+  }
+  if (envelope.error?.message) {
+    throw new Error(envelope.error.message);
+  }
+  const text = (envelope.result?.content ?? []).filter((item) => item.type === "text" && typeof item.text === "string").map((item) => item.text ?? "").join(`
+`).trim();
+  if (!text) {
+    throw new Error(`MCP tool ${input.name} returned no text payload.`);
+  }
+  return text;
+}
+async function callGreptileMcpToolJsonForGate(input) {
+  const text = await callGreptileMcpToolForGate(input);
+  try {
+    return JSON.parse(text);
+  } catch {
+    throw new Error(`MCP tool ${input.name} returned malformed JSON: ${text}`);
+  }
+}
+async function collectConfiguredGreptileApiSignals(input) {
+  if (!input.enabled || input.options?.enabled === false) {
+    return { signals: [], errors: [] };
+  }
+  const env = input.options?.env ?? process.env;
+  const secrets = resolveRuntimeSecrets(env);
+  const apiKey = secrets.GREPTILE_API_KEY?.trim() ?? "";
+  if (!apiKey) {
+    return { signals: [], errors: [] };
+  }
+  const fetchFn = input.options?.fetch ?? globalThis.fetch;
+  if (typeof fetchFn !== "function") {
+    return { signals: [], errors: ["Greptile API/MCP evidence read failed: fetch is not available."] };
+  }
+  const apiBase = secrets.GREPTILE_API_BASE?.trim() || "https://api.greptile.com/mcp";
+  const remote = secrets.GREPTILE_REMOTE?.trim() || "github";
+  const repository = secrets.GREPTILE_REPOSITORY?.trim() || input.repoName;
+  const defaultBranch = secrets.GREPTILE_DEFAULT_BRANCH?.trim() || input.baseRefName?.trim() || "main";
+  const timeoutMs = greptileRequestTimeoutMs(env);
+  try {
+    const listPayload = await callGreptileMcpToolJsonForGate({
+      apiBase,
+      apiKey,
+      name: "list_code_reviews",
+      args: {
+        name: repository,
+        remote,
+        defaultBranch,
+        prNumber: input.prNumber,
+        limit: 20
+      },
+      timeoutMs,
+      fetchFn
+    });
+    const reviews = (listPayload.codeReviews ?? []).map((entry) => normalizeGreptileMcpCodeReview(entry)).filter((review) => !!review);
+    const selectedReviews = selectGreptileApiReviewsForGate(reviews, input.headSha);
+    const signals = [];
+    for (const review of selectedReviews) {
+      const detailsPayload = await callGreptileMcpToolJsonForGate({
+        apiBase,
+        apiKey,
+        name: "get_code_review",
+        args: { codeReviewId: review.id },
+        timeoutMs,
+        fetchFn
+      });
+      const details = normalizeGreptileMcpCodeReview(detailsPayload.codeReview, review.id) ?? review;
+      signals.push(greptileApiSignalFromCodeReview(review, details));
+    }
+    return { signals, errors: [] };
+  } catch (error) {
+    return {
+      signals: [],
+      errors: [`Greptile API/MCP evidence read failed: ${error instanceof Error ? error.message : String(error)}`]
+    };
+  }
+}
 function firstString(record, keys) {
   for (const key of keys) {
     const value = record[key];
@@ -243,7 +471,7 @@ function normalizeReviewThread(entry) {
 function relevantIssueComment(comment) {
   const login = comment.user?.login ?? comment.author?.login ?? "";
   const body = comment.body ?? "";
-  return isGreptileGithubLogin(login) || /greptile|blocker|unsafe|not safe|do not merge|must fix|please fix|changes requested|score|confidence|\b\d+\s*\/\s*5\b/i.test(body);
+  return isGreptileGithubLogin(login) || containsBlockerText(body) || /greptile|score|confidence|\b\d+\s*\/\s*5\b/i.test(body);
 }
 function latestThreadComment(thread) {
   const nodes = thread.comments?.nodes ?? [];
@@ -279,7 +507,8 @@ function makeGreptileSignal(input) {
   const scores = parseGreptileScores(input.body);
   const reviewedSha = input.reviewedSha?.trim() || null;
   const current = reviewedSha ? reviewedSha === input.currentHeadSha : null;
-  const blocker = input.blocker ?? containsBlockerText(input.body);
+  const verdict = input.verdict ?? null;
+  const blocker = input.blocker ?? (isBlockingGreptileVerdict(verdict) || containsBlockerText(input.body));
   const explicitApproval = input.explicitApproval ?? false;
   return {
     source: input.source,
@@ -291,6 +520,7 @@ function makeGreptileSignal(input) {
     score: scores[0] ?? null,
     scores,
     explicitApproval,
+    verdict,
     blocker,
     actionable: input.actionable ?? blocker,
     bodyExcerpt: bodyExcerpt(input.body),
@@ -313,9 +543,9 @@ function collectGreptileSignals(evidence) {
   for (const context of contextSources) {
     if (!context.body.trim())
       continue;
-    if (!/greptile|score|confidence|\b\d+\s*\/\s*5\b|blocker|unsafe|not safe|do not merge|changes requested/i.test(context.body))
-      continue;
     const contextBlocker = containsBlockerText(context.body);
+    if (!contextBlocker && !/greptile|score|confidence|\b\d+\s*\/\s*5\b/i.test(context.body))
+      continue;
     signals.push(makeGreptileSignal({
       source: context.source,
       body: context.body,
@@ -328,16 +558,16 @@ function collectGreptileSignals(evidence) {
   for (const apiSignal of evidence.apiSignals ?? []) {
     const body = [apiSignal.status ? `Status: ${apiSignal.status}` : "", apiSignal.body ?? ""].filter(Boolean).join(`
 
-`);
-    if (!body.trim())
-      continue;
+`) || "Status: UNKNOWN";
+    const verdict = greptileStatusVerdict(apiSignal.status);
     signals.push(makeGreptileSignal({
       source: "api",
       body,
       currentHeadSha: evidence.currentHeadSha,
       trusted: true,
       reviewedSha: apiSignal.reviewedSha ?? null,
-      explicitApproval: false
+      explicitApproval: verdict === "approved",
+      verdict
     }));
   }
   for (const review of evidence.reviews) {
@@ -362,20 +592,6 @@ function collectGreptileSignals(evidence) {
       blocker: state === "CHANGES_REQUESTED" || undefined
     }));
   }
-  for (const comment of evidence.changedFileReviewComments) {
-    const login = commentAuthorLogin(comment);
-    const body = comment.body ?? "";
-    if (!body.trim() || !isGreptileGithubLogin(login))
-      continue;
-    signals.push(makeGreptileSignal({
-      source: "changed-file-comment",
-      body,
-      currentHeadSha: evidence.currentHeadSha,
-      trusted: true,
-      authorLogin: login,
-      reviewedSha: comment.commit_id ?? comment.original_commit_id ?? null
-    }));
-  }
   for (const comment of evidence.relevantIssueComments) {
     const login = commentAuthorLogin(comment);
     const body = comment.body ?? "";
@@ -483,10 +699,17 @@ function deriveGreptileEvidence(input) {
   const isCurrentOrUntied = (signal) => !signal.reviewedSha || signal.reviewedSha === input.currentHeadSha;
   const currentOrUntiedScoreEntries = allScoreEntries.filter((entry) => isCurrentOrUntied(entry.signal));
   const lowScoreEntries = currentOrUntiedScoreEntries.filter((entry) => !isStrictFiveOfFive(entry.score));
-  const approvingScoreEntry = trustedScoreEntries.find((entry) => entry.signal.reviewedSha === input.currentHeadSha && entry.signal.source !== "github-check" && isStrictFiveOfFive(entry.score)) ?? null;
+  const currentPendingApiSignals = trustedSignals.filter((signal) => signal.source === "api" && signal.verdict === "pending" && isCurrentOrUntied(signal));
+  const signalCanApproveByScore = (signal) => {
+    if (signal.source === "api")
+      return signal.verdict === "approved" || signal.verdict === "completed";
+    return signal.verdict !== "pending" && !isBlockingGreptileVerdict(signal.verdict);
+  };
+  const approvingScoreEntry = trustedScoreEntries.find((entry) => entry.signal.reviewedSha === input.currentHeadSha && entry.signal.source !== "github-check" && signalCanApproveByScore(entry.signal) && isStrictFiveOfFive(entry.score)) ?? null;
+  const approvingExplicitSignal = trustedSignals.find((signal) => signal.source === "api" && signal.reviewedSha === input.currentHeadSha && signal.explicitApproval === true && !signal.blocker) ?? null;
   const approvedByScore = !!approvingScoreEntry;
-  const approvedByExplicitMapping = false;
-  const approvingSignal = approvingScoreEntry?.signal ?? null;
+  const approvedByExplicitMapping = !!approvingExplicitSignal;
+  const approvingSignal = approvingScoreEntry?.signal ?? approvingExplicitSignal;
   const lowestScore = lowScoreEntries.map((entry) => entry.score).sort((left, right) => left.value - right.value)[0] ?? null;
   const score = lowestScore ?? approvingScoreEntry?.score ?? trustedScoreEntries[0]?.score ?? contextScoreEntries[0]?.score ?? null;
   const failedGreptileChecks = input.checks.filter((check) => isGreptileLabel(checkName(check)) && isFailingCheck(check)).map((check) => `${checkName(check)} (${checkState(check) || "failed"})`);
@@ -515,13 +738,14 @@ function deriveGreptileEvidence(input) {
     const completedState = ["APPROVED", "COMMENTED", "CHANGES_REQUESTED"].includes(state) || !!review.body?.trim();
     return completedState && review.commit_id === input.currentHeadSha;
   });
+  const completedGreptileApi = trustedSignals.some((signal) => signal.source === "api" && signal.reviewedSha === input.currentHeadSha && (signal.verdict === "approved" || signal.verdict === "rejected" || signal.verdict === "skipped" || signal.verdict === "failed" || signal.verdict === "completed"));
   const approvalReviewedSha = approvingSignal?.reviewedSha ?? null;
   const reviewedSha = approvalReviewedSha ?? staleSignals[0]?.reviewedSha ?? trustedSignals.map((signal) => signal.reviewedSha ?? null).find(Boolean) ?? null;
   const fresh = !!approvalReviewedSha && approvalReviewedSha === input.currentHeadSha;
-  const completed = completedGreptileCheck || completedGreptileReview || !!approvingSignal || trustedSignals.some((signal) => signal.source === "api" && signal.reviewedSha === input.currentHeadSha);
+  const completed = completedGreptileCheck || completedGreptileReview || completedGreptileApi || !!approvingSignal;
   const hasGreptileEvidence = trustedSignals.length > 0 || signals.some((signal) => /greptile/i.test(signal.body));
-  const approved = fresh && completed && !blockers.length && !unresolvedComments.length && (approvedByScore || approvedByExplicitMapping);
-  const mapping = !hasGreptileEvidence ? "missing" : staleSignals.length > 0 && !approvingSignal ? "stale" : approvedByScore ? "score-5-of-5" : "unproven";
+  const approved = fresh && completed && !blockers.length && !unresolvedComments.length && currentPendingApiSignals.length === 0 && (approvedByScore || approvedByExplicitMapping);
+  const mapping = !hasGreptileEvidence ? "missing" : staleSignals.length > 0 && !approvingSignal ? "stale" : approvedByScore ? "score-5-of-5" : approvedByExplicitMapping ? "explicit-approved" : "unproven";
   const source = approvingSignal?.source === "api" ? "api" : approvingSignal?.source === "github-review" ? "github-review" : approvingSignal?.source === "changed-file-comment" || approvingSignal?.source === "issue-comment" || approvingSignal?.source === "review-thread" ? "github-comment" : greptileReviews.length > 0 && greptileChecks.length > 0 ? "combined" : greptileReviews.length > 0 ? "github-review" : greptileChecks.length > 0 ? "github-check" : signals.some((signal) => signal.source === "pr-body" || signal.source === "pr-title") ? "pr-body" : "missing";
   return {
     source,
@@ -628,6 +852,7 @@ async function collectPrReviewEvidence(input) {
     readErrors.push("gh pr view did not return required reviews array");
   }
   const headSha = firstString(view, ["headRefOid", "headSha", "head_sha"]);
+  const baseRefName = firstString(view, ["baseRefName"]);
   const statusCheckRollup = arrayField(view, "statusCheckRollup").map(normalizeStatusCheck).filter((entry) => !!entry);
   const reviews = arrayField(view, "reviews").map(normalizeReview).filter((entry) => !!entry);
   const reviewCommentsRead = await runJsonArray(input.command, ["api", `repos/${parsed.repoName}/pulls/${parsed.prNumber}/comments`, "--paginate", "--slurp"], input.projectRoot);
@@ -665,8 +890,19 @@ async function collectPrReviewEvidence(input) {
     }
   }
   const checksWithGreptileDetails = [...statusCheckRollup, ...greptileCheckDetails];
+  const shouldCollectConfiguredGreptileApi = input.greptileApi?.enabled !== false;
+  const configuredGreptileApiRead = await collectConfiguredGreptileApiSignals({
+    enabled: shouldCollectConfiguredGreptileApi,
+    options: input.greptileApi,
+    repoName: parsed.repoName,
+    prNumber: parsed.prNumber,
+    headSha,
+    baseRefName
+  });
+  readErrors.push(...configuredGreptileApiRead.errors);
+  const apiSignals = [...input.apiSignals ?? [], ...configuredGreptileApiRead.signals];
   const checkFailures = statusCheckRollup.filter((check) => !isGreptileLabel(checkName(check)) && isFailingCheck(check) && !isAllowedFailure(checkName(check), input.allowedFailures ?? [])).map((check) => `Check failed: ${checkName(check)}${check.detailsUrl || check.link ? ` (${check.detailsUrl ?? check.link})` : ""}`);
-  const pendingChecks = statusCheckRollup.filter((check) => isPendingCheck(check) && !isAllowedFailure(checkName(check), input.allowedFailures ?? [])).map((check) => `Check pending: ${checkName(check)}`);
+  const pendingChecks = statusCheckRollup.filter((check) => isPendingCheck(check) && (isGreptileLabel(checkName(check)) || !isAllowedFailure(checkName(check), input.allowedFailures ?? []))).map((check) => `Check pending: ${checkName(check)}`);
   const evidenceBase = {
     title: firstString(view, ["title"]),
     body: firstString(view, ["body"]),
@@ -676,7 +912,7 @@ async function collectPrReviewEvidence(input) {
     reviewThreads,
     checks: checksWithGreptileDetails,
     currentHeadSha: headSha,
-    apiSignals: input.apiSignals ?? []
+    apiSignals
   };
   const greptile = deriveGreptileEvidence(evidenceBase);
   return {
@@ -687,7 +923,7 @@ async function collectPrReviewEvidence(input) {
     body: evidenceBase.body,
     headSha,
     headRefName: firstString(view, ["headRefName"]),
-    baseRefName: firstString(view, ["baseRefName"]),
+    baseRefName,
     state: firstString(view, ["state"]),
     isDraft: typeof view.isDraft === "boolean" ? view.isDraft : null,
     mergeable: firstString(view, ["mergeable"]),
@@ -704,71 +940,251 @@ async function collectPrReviewEvidence(input) {
     greptile
   };
 }
+function capGateMessage(value, maxChars = 1200) {
+  const normalized = value.trim();
+  return normalized.length > maxChars ? `${normalized.slice(0, maxChars)}
+[truncated for gate summary; see full evidence artifact]` : normalized;
+}
 function evaluateEvidence(evidence) {
-  const reasons = [];
+  const reasonDetails = [];
   const warnings = [];
-  let pending = false;
-  if (evidence.readErrors.length > 0) {
-    reasons.push(...evidence.readErrors.map((error) => `Required PR evidence surface could not be read completely: ${error}`));
-  }
-  if (!evidence.headSha)
-    reasons.push("PR head SHA could not be read; current-head Greptile approval cannot be proven.");
-  if (evidence.checkFailures.length > 0)
-    reasons.push(...evidence.checkFailures);
-  if (evidence.pendingChecks.length > 0) {
-    pending = true;
-    reasons.push(...evidence.pendingChecks);
+  const seen = new Set;
+  const addReason = (reason) => {
+    const capped = { ...reason, message: capGateMessage(reason.message) };
+    const key = `${capped.code}:${capped.message}`;
+    if (seen.has(key))
+      return;
+    seen.add(key);
+    reasonDetails.push(capped);
+  };
+  const greptile = evidence.greptile;
+  const staleSignal = greptile.signals.find((signal) => signal.reviewedSha && signal.reviewedSha !== evidence.headSha);
+  const hasPendingGreptileCheck = evidence.pendingChecks.some((check) => /greptile/i.test(check));
+  const pendingGreptileApiSignals = greptile.signals.filter((signal) => signal.source === "api" && signal.verdict === "pending" && (!signal.reviewedSha || signal.reviewedSha === evidence.headSha));
+  const unknownGreptileApiSignals = greptile.signals.filter((signal) => signal.source === "api" && !signal.verdict && (!signal.reviewedSha || signal.reviewedSha === evidence.headSha));
+  const awaitingFreshGreptileProof = hasPendingGreptileCheck || pendingGreptileApiSignals.length > 0 || !greptile.completed || greptile.mapping === "missing" || greptile.mapping === "stale";
+  for (const error of evidence.readErrors) {
+    addReason({
+      code: "read_error",
+      reasonClass: "reject",
+      surface: error.startsWith("Greptile API/MCP") ? "greptile" : "github",
+      suggestedAction: "needs_attention",
+      message: `Required PR evidence surface could not be read completely: ${error}`,
+      headSha: evidence.headSha || null
+    });
+  }
+  if (!evidence.headSha) {
+    addReason({
+      code: "missing_head_sha",
+      reasonClass: "reject",
+      surface: "github",
+      suggestedAction: "needs_attention",
+      message: "PR head SHA could not be read; current-head Greptile approval cannot be proven.",
+      headSha: null
+    });
+  }
+  for (const failure of evidence.checkFailures) {
+    addReason({
+      code: "ci_failed",
+      reasonClass: "reject",
+      surface: "ci",
+      suggestedAction: "fix",
+      message: failure,
+      headSha: evidence.headSha || null
+    });
+  }
+  for (const pendingCheck of evidence.pendingChecks) {
+    addReason({
+      code: "check_pending",
+      reasonClass: "pending",
+      surface: "ci",
+      suggestedAction: "wait",
+      message: pendingCheck,
+      headSha: evidence.headSha || null
+    });
   }
   const reviewDecision = String(evidence.reviewDecision ?? "").toUpperCase();
   if (reviewDecision === "CHANGES_REQUESTED" || reviewDecision === "REVIEW_REQUIRED") {
-    reasons.push(`Required review is unresolved (${evidence.reviewDecision}).`);
+    addReason({
+      code: "review_decision_blocking",
+      reasonClass: "reject",
+      surface: "review",
+      suggestedAction: "fix",
+      message: `Required review is unresolved (${evidence.reviewDecision}).`,
+      headSha: evidence.headSha || null
+    });
+  }
+  for (const thread of unresolvedThreadSummaries(evidence.reviewThreads)) {
+    addReason({
+      code: "review_thread_unresolved",
+      reasonClass: "reject",
+      surface: "review",
+      suggestedAction: "fix",
+      message: thread,
+      headSha: evidence.headSha || null
+    });
+  }
+  if (greptile.mapping === "missing") {
+    addReason({
+      code: "greptile_missing",
+      reasonClass: "pending",
+      surface: "greptile",
+      suggestedAction: "wait",
+      message: "Missing Greptile check/review evidence for this PR.",
+      headSha: evidence.headSha || null
+    });
   }
-  const unresolvedThreads = unresolvedThreadSummaries(evidence.reviewThreads);
-  if (unresolvedThreads.length > 0)
-    reasons.push(...unresolvedThreads);
-  const greptile = evidence.greptile;
-  if (greptile.mapping === "missing")
-    reasons.push("Missing Greptile check/review evidence for this PR.");
-  const staleSignal = greptile.signals.find((signal) => signal.reviewedSha && signal.reviewedSha !== evidence.headSha);
   if (greptile.mapping === "stale" || greptile.reviewedSha && greptile.reviewedSha !== evidence.headSha || !greptile.approved && staleSignal) {
-    reasons.push(`Greptile evidence is stale (reviewed ${greptile.reviewedSha ?? staleSignal?.reviewedSha ?? "unknown"}, current ${evidence.headSha || "unknown"}).`);
+    addReason({
+      code: "greptile_stale",
+      reasonClass: "pending",
+      surface: "greptile",
+      suggestedAction: "wait",
+      message: `Greptile evidence is stale (reviewed ${greptile.reviewedSha ?? staleSignal?.reviewedSha ?? "unknown"}, current ${evidence.headSha || "unknown"}).`,
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? staleSignal?.reviewedSha ?? null
+    });
+  }
+  for (const signal of pendingGreptileApiSignals) {
+    addReason({
+      code: "greptile_pending",
+      reasonClass: "pending",
+      surface: "greptile",
+      suggestedAction: "wait",
+      message: `Greptile API/MCP review is pending for the current PR head${signal.bodyExcerpt ? `: ${signal.bodyExcerpt}` : "."}`,
+      headSha: evidence.headSha || null,
+      reviewedSha: signal.reviewedSha ?? null
+    });
+  }
+  for (const signal of unknownGreptileApiSignals) {
+    addReason({
+      code: "greptile_api_status_unknown",
+      reasonClass: "reject",
+      surface: "greptile",
+      suggestedAction: "needs_attention",
+      message: `Greptile API/MCP review status is unknown; merge requires a known terminal APPROVED/COMPLETED 5/5 result or a known conservative status${signal.bodyExcerpt ? `: ${signal.bodyExcerpt}` : "."}`,
+      headSha: evidence.headSha || null,
+      reviewedSha: signal.reviewedSha ?? null
+    });
   }
   if (!greptile.completed) {
-    pending = true;
-    reasons.push("Greptile check/review has not completed for the current PR head.");
+    addReason({
+      code: "greptile_pending",
+      reasonClass: "pending",
+      surface: "greptile",
+      suggestedAction: "wait",
+      message: "Greptile check/review has not completed for the current PR head.",
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  if (!greptile.fresh) {
+    addReason({
+      code: "greptile_not_current_head",
+      reasonClass: awaitingFreshGreptileProof ? "pending" : "reject",
+      surface: "greptile",
+      suggestedAction: awaitingFreshGreptileProof ? "wait" : "ask_greptile",
+      message: "Greptile approval is not tied to the current PR head SHA.",
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
   }
-  if (!greptile.fresh)
-    reasons.push("Greptile approval is not tied to the current PR head SHA.");
   if (greptile.score && !(greptile.score.scale === 5 && greptile.score.value === 5)) {
-    reasons.push(`Greptile score is ${greptile.score.value}/${greptile.score.scale}; strict merge requires trusted current-head 5/5.`);
+    addReason({
+      code: "greptile_score_not_5",
+      reasonClass: "reject",
+      surface: "greptile",
+      suggestedAction: "fix",
+      message: `Greptile score is ${greptile.score.value}/${greptile.score.scale}; strict merge requires trusted current-head 5/5.`,
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
   }
-  if (!greptile.score && greptile.mapping !== "score-5-of-5") {
-    reasons.push("No parseable Greptile 5/5 score or explicit approved mapping was found from trusted current-head evidence; merge is blocked.");
+  const hasApprovedMapping = greptile.mapping === "score-5-of-5" || greptile.mapping === "explicit-approved";
+  if (!greptile.score && !hasApprovedMapping) {
+    addReason({
+      code: "greptile_score_missing",
+      reasonClass: awaitingFreshGreptileProof ? "pending" : "reject",
+      surface: "greptile",
+      suggestedAction: awaitingFreshGreptileProof ? "wait" : "ask_greptile",
+      message: "No parseable Greptile 5/5 score or direct current-head Greptile API APPROVED mapping was found from trusted evidence; merge is blocked.",
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
   }
   if (greptile.mapping === "unproven") {
-    reasons.push("Greptile approval mapping is unproven; PR body/title or a green check alone cannot approve merge.");
+    addReason({
+      code: "greptile_mapping_unproven",
+      reasonClass: awaitingFreshGreptileProof ? "pending" : "reject",
+      surface: "greptile",
+      suggestedAction: awaitingFreshGreptileProof ? "wait" : "ask_greptile",
+      message: "Greptile approval mapping is unproven; PR body/title or a green check alone cannot approve merge.",
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
   }
-  if (greptile.blockers.length > 0) {
-    reasons.push(...greptile.blockers.map((entry) => `Greptile/blocker text: ${entry.trim().slice(0, 500)}`));
+  for (const blocker of greptile.blockers) {
+    addReason({
+      code: "greptile_blocker_text",
+      reasonClass: "reject",
+      surface: "greptile",
+      suggestedAction: "fix",
+      message: `Greptile/blocker text: ${blocker}`,
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  for (const comment of greptile.unresolvedComments) {
+    addReason({
+      code: "greptile_unresolved_comment",
+      reasonClass: "reject",
+      surface: "greptile",
+      suggestedAction: "fix",
+      message: comment,
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
   }
-  if (greptile.unresolvedComments.length > 0)
-    reasons.push(...greptile.unresolvedComments);
   if (!greptile.approved)
     warnings.push(`Greptile approval mapping is ${greptile.mapping}.`);
-  return { reasons: Array.from(new Set(reasons)), warnings, pending };
+  const pending = reasonDetails.length > 0 && reasonDetails.every((reason) => reason.reasonClass === "pending");
+  return { reasons: reasonDetails.map((reason) => reason.message), reasonDetails, warnings, pending };
 }
 function evaluateStrictPrMergeGate(evidence) {
   const evaluated = evaluateEvidence(evidence);
-  const approved = evaluated.reasons.length === 0 && evidence.greptile.approved;
+  const approved = evaluated.reasonDetails.length === 0 && evidence.greptile.approved;
   return {
     approved,
     pending: evaluated.pending,
     reasons: evaluated.reasons,
+    reasonDetails: evaluated.reasonDetails,
     warnings: evaluated.warnings,
     actionableFeedback: evaluated.reasons,
     evidence
   };
 }
+function strictMergeHeadShaFromGate(result, prUrl) {
+  if (!result.approved) {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate is not approved.`);
+  }
+  if (result.evidence.prUrl !== prUrl) {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate evidence belongs to ${result.evidence.prUrl}.`);
+  }
+  const headSha = result.evidence.headSha?.trim();
+  if (!headSha) {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate did not provide a current head SHA.`);
+  }
+  if (!/^[0-9a-f]{40}$/i.test(headSha)) {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate head is not a raw 40-character commit SHA.`);
+  }
+  if (!result.evidence.greptile.fresh || result.evidence.greptile.currentHeadSha !== headSha) {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate approval is not tied to head ${headSha}.`);
+  }
+  if (result.evidence.greptile.mapping !== "score-5-of-5" && result.evidence.greptile.mapping !== "explicit-approved") {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate mapping is ${result.evidence.greptile.mapping}.`);
+  }
+  return headSha;
+}
 function promptExcerpt(value, maxChars = 4000) {
   return value.length > maxChars ? `${value.slice(0, maxChars)}
 
@@ -780,6 +1196,10 @@ function promptJsonExcerpt(value, maxChars = 6000) {
 function buildStrictPrGateSteeringPrompt(result) {
   const evidence = result.evidence;
   const unresolvedReviewThreads = evidence.reviewThreads.filter((thread) => thread.isResolved !== true && thread.isOutdated !== true);
+  const displayedReasons = result.reasons.slice(0, 20).map((reason) => `- ${promptExcerpt(reason, 1200)}`);
+  if (result.reasons.length > displayedReasons.length) {
+    displayedReasons.push(`- ${result.reasons.length - displayedReasons.length} additional gate reasons omitted from prompt; see merge-gate-result.json.`);
+  }
   const lines = [
     `Strict PR merge gate blocked ${evidence.prUrl}.`,
     `PR title: ${evidence.title || "(empty)"}`,
@@ -788,10 +1208,13 @@ function buildStrictPrGateSteeringPrompt(result) {
     evidence.greptile.score ? `Greptile score: ${evidence.greptile.score.value}/${evidence.greptile.score.scale}` : "Greptile score: not proven",
     "",
     "Gate reasons:",
-    ...result.reasons.length ? result.reasons.map((reason) => `- ${reason}`) : ["- No reasons recorded"],
+    ...displayedReasons.length ? displayedReasons : ["- No reasons recorded"],
+    "",
+    "Structured gate reason details:",
+    result.reasonDetails.length ? promptJsonExcerpt(result.reasonDetails, 4000) : "[]",
     "",
     "Required evidence read status:",
-    evidence.readErrors.length ? JSON.stringify(evidence.readErrors, null, 2) : "All required PR evidence surfaces were read completely.",
+    evidence.readErrors.length ? promptJsonExcerpt(evidence.readErrors, 2000) : "All required PR evidence surfaces were read completely.",
     "",
     "Full PR title:",
     evidence.title || "(empty)",
@@ -855,6 +1278,7 @@ function persistPrReviewCycleArtifacts(input) {
     approved: input.result.approved,
     pending: input.result.pending,
     reasons: input.result.reasons,
+    reasonDetails: input.result.reasonDetails,
     warnings: input.result.warnings,
     actionableFeedback: input.result.actionableFeedback,
     prUrl: input.result.evidence.prUrl,
@@ -893,6 +1317,7 @@ async function runStrictPrMergeGate(input) {
 }
 export {
   stripHtml,
+  strictMergeHeadShaFromGate,
   runStrictPrMergeGate,
   persistPrReviewCycleArtifacts,
   parseGreptileScore,