@h-rig/runtime 0.0.6-alpha.2 → 0.0.6-alpha.21

package/dist/src/control-plane/native/harness-cli.js

@@ -1198,8 +1198,8 @@ function githubStatusFor(issue) {
   return "open";
 }
 function selectedGitHubEnv() {
-  const token = process.env.RIG_GITHUB_SELECTED_TOKEN?.trim() ?? "";
-  return { GH_TOKEN: token, GITHUB_TOKEN: token };
+  const token = process.env.RIG_GITHUB_SELECTED_TOKEN?.trim() || process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  return { GH_TOKEN: token, GITHUB_TOKEN: token, RIG_GITHUB_TOKEN: token };
 }
 function ghSpawnOptions() {
   return { encoding: "utf-8", env: { ...process.env, ...selectedGitHubEnv() } };
@@ -3605,6 +3605,1126 @@ ${JSON.stringify(result, null, 2)}
 // packages/runtime/src/control-plane/native/verifier.ts
 import { existsSync as existsSync19, mkdirSync as mkdirSync8, writeFileSync as writeFileSync8 } from "fs";
 import { resolve as resolve22 } from "path";
+
+// packages/runtime/src/control-plane/native/pr-review-gate.ts
+function parseJsonObject(value) {
+  if (!value?.trim())
+    return { value: {}, error: "empty JSON output" };
+  try {
+    const parsed = JSON.parse(value);
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? { value: parsed } : { value: {}, error: "JSON output was not an object" };
+  } catch (error) {
+    return { value: {}, error: error instanceof Error ? error.message : String(error) };
+  }
+}
+function flattenPaginatedArray(value) {
+  if (!Array.isArray(value))
+    return null;
+  if (value.every((entry) => Array.isArray(entry))) {
+    return value.flatMap((entry) => entry);
+  }
+  return value;
+}
+function parseJsonArray(value) {
+  if (!value?.trim())
+    return { value: [], error: "empty JSON output" };
+  try {
+    const parsed = JSON.parse(value);
+    const flattened = flattenPaginatedArray(parsed);
+    return flattened ? { value: flattened } : { value: [], error: "JSON output was not an array" };
+  } catch (error) {
+    return { value: [], error: error instanceof Error ? error.message : String(error) };
+  }
+}
+function parseGithubPrUrl(prUrl) {
+  const match = /^https?:\/\/github\.com\/([^/]+)\/([^/]+)\/pull\/(\d+)\/?$/i.exec(prUrl.trim());
+  if (!match)
+    return null;
+  const prNumber = Number.parseInt(match[3], 10);
+  if (!Number.isFinite(prNumber))
+    return null;
+  return { owner: match[1], repo: match[2], repoName: `${match[1]}/${match[2]}`, prNumber };
+}
+function checkName(check) {
+  return String(check.name ?? check.context ?? "").trim();
+}
+function checkState(check) {
+  return String(check.conclusion ?? check.state ?? check.status ?? "").trim().toLowerCase();
+}
+function isGreptileLabel(value) {
+  return String(value ?? "").toLowerCase().includes("greptile");
+}
+function isGreptileGithubLogin(value) {
+  const login = String(value ?? "").toLowerCase().replace(/\[bot\]$/, "");
+  return login === "greptile" || login === "greptile-ai" || login === "greptileai" || login === "greptile-apps";
+}
+function isPassingCheck(check) {
+  const state = checkState(check);
+  return ["success", "successful", "passed", "neutral", "skipped", "completed"].includes(state);
+}
+function isPendingCheck(check) {
+  const state = checkState(check);
+  return ["pending", "queued", "in_progress", "waiting", "requested", "expected", "action_required"].includes(state);
+}
+function isFailingCheck(check) {
+  const state = checkState(check);
+  return ["failure", "failed", "timed_out", "action_required", "cancelled", "canceled", "error"].includes(state);
+}
+function wildcardToRegExp(pattern) {
+  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+  return new RegExp(`^${escaped}$`, "i");
+}
+function isAllowedFailure(name, allowedFailures) {
+  return allowedFailures.some((pattern) => wildcardToRegExp(pattern).test(name));
+}
+function greptileScorePatterns() {
+  return [
+    /\b(?:confidence\s+score|confidence|rating|score)\s*:?\s*(\d+)\s*\/\s*(\d+)/gi,
+    /\b(\d+)\s*\/\s*(\d+)\s*(?:confidence|rating|score)/gi,
+    /\bgreptile[^\n]{0,80}?(\d+)\s*\/\s*(\d+)/gi
+  ];
+}
+function parseGreptileScores(input) {
+  const text = stripHtml(input);
+  const seen = new Set;
+  const scores = [];
+  for (const pattern of greptileScorePatterns()) {
+    for (const match of text.matchAll(pattern)) {
+      const value = Number.parseInt(match[1] || "", 10);
+      const scale = Number.parseInt(match[2] || "", 10);
+      if (!Number.isFinite(value) || !Number.isFinite(scale) || scale <= 0)
+        continue;
+      const raw = match[0] || `${value}/${scale}`;
+      const key = `${match.index ?? -1}:${value}/${scale}:${raw.toLowerCase()}`;
+      if (seen.has(key))
+        continue;
+      seen.add(key);
+      scores.push({ value, scale, raw });
+    }
+  }
+  return scores;
+}
+function parseGreptileScore(input) {
+  return parseGreptileScores(input)[0] ?? null;
+}
+function stripHtml(input) {
+  return input.replace(/<[^>]+>/g, " ").replace(/&nbsp;/g, " ").replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/\r/g, "").replace(/\n{3,}/g, `
+
+`).trim();
+}
+function containsBlockerText(input) {
+  const text = stripHtml(input).replace(/\b(?:no|without|zero)\s+blockers?\b/gi, " ").replace(/\bno\s+changes\s+requested\b/gi, " ");
+  return /not safe(?: to merge)?|unsafe(?: to merge)?|do not merge|cannot merge|blockers?|must fix|changes requested|please fix|needs? fix|fix this|address this|\breject(?:ed|ion)?\b|\bskip(?:ped)?\b|status\s*:\s*(?:reject(?:ed)?|skip(?:ped)?|failed)/i.test(text);
+}
+function isStrictFiveOfFive(score) {
+  return score.value === 5 && score.scale === 5;
+}
+function containsConflictingScoreText(input) {
+  return parseGreptileScores(input).some((score) => !isStrictFiveOfFive(score));
+}
+function greptileStatusVerdict(status) {
+  const normalized = String(status ?? "").trim().toUpperCase().replace(/[\s-]+/g, "_");
+  if (!normalized)
+    return null;
+  if (["APPROVE", "APPROVED"].includes(normalized))
+    return "approved";
+  if (["REJECT", "REJECTED", "CHANGES_REQUESTED", "CHANGE_REQUESTED"].includes(normalized))
+    return "rejected";
+  if (["SKIP", "SKIPPED"].includes(normalized))
+    return "skipped";
+  if (["FAIL", "FAILED", "FAILURE", "ERROR"].includes(normalized))
+    return "failed";
+  if (["PENDING", "QUEUED", "IN_PROGRESS", "RUNNING", "STARTED", "REQUESTED", "REVIEWING_FILES", "GENERATING_SUMMARY"].includes(normalized))
+    return "pending";
+  if (["COMPLETE", "COMPLETED"].includes(normalized))
+    return "completed";
+  return null;
+}
+function isBlockingGreptileVerdict(verdict) {
+  return verdict === "rejected" || verdict === "skipped" || verdict === "failed";
+}
+function greptileRequestTimeoutMs(env) {
+  const fallback = 30000;
+  const parsed = Number.parseInt(env.GREPTILE_REQUEST_TIMEOUT_MS || `${fallback}`, 10);
+  return Number.isFinite(parsed) && parsed >= 1000 ? parsed : fallback;
+}
+function normalizeGreptileMcpCodeReview(entry, fallbackId) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  const id = typeof record.id === "string" ? record.id.trim() : fallbackId?.trim() ?? "";
+  if (!id)
+    return null;
+  const metadataRecord = record.metadata && typeof record.metadata === "object" && !Array.isArray(record.metadata) ? record.metadata : null;
+  return {
+    id,
+    status: typeof record.status === "string" ? record.status : null,
+    createdAt: typeof record.createdAt === "string" ? record.createdAt : null,
+    body: typeof record.body === "string" ? record.body : null,
+    metadata: metadataRecord ? { checkHeadSha: typeof metadataRecord.checkHeadSha === "string" ? metadataRecord.checkHeadSha : null } : null
+  };
+}
+function uniqueGreptileCodeReviews(reviews) {
+  const seen = new Set;
+  const unique2 = [];
+  for (const review of reviews) {
+    if (seen.has(review.id))
+      continue;
+    seen.add(review.id);
+    unique2.push(review);
+  }
+  return unique2;
+}
+function selectGreptileApiReviewsForGate(reviews, headSha) {
+  const sorted = [...reviews].sort((left, right) => Date.parse(right.createdAt ?? "") - Date.parse(left.createdAt ?? ""));
+  const current = headSha ? sorted.filter((review) => review.metadata?.checkHeadSha === headSha) : [];
+  const untied = sorted.filter((review) => !review.metadata?.checkHeadSha);
+  const latest = sorted.slice(0, 1);
+  return uniqueGreptileCodeReviews([...current, ...untied, ...latest]);
+}
+function greptileApiSignalFromCodeReview(review, details) {
+  const selected = details ?? review;
+  return {
+    id: selected.id || review.id,
+    body: selected.body ?? review.body ?? null,
+    reviewedSha: selected.metadata?.checkHeadSha ?? review.metadata?.checkHeadSha ?? null,
+    status: selected.status ?? review.status ?? null
+  };
+}
+async function callGreptileMcpToolForGate(input) {
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => {
+    controller.abort(new Error(`Greptile MCP tool ${input.name} timed out after ${input.timeoutMs}ms.`));
+  }, input.timeoutMs);
+  let response;
+  try {
+    response = await input.fetchFn(input.apiBase, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${input.apiKey}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        jsonrpc: "2.0",
+        id: `rig-strict-gate-${input.name}-${Date.now()}`,
+        method: "tools/call",
+        params: { name: input.name, arguments: input.args }
+      }),
+      signal: controller.signal
+    });
+  } catch (error) {
+    if (controller.signal.aborted) {
+      throw controller.signal.reason instanceof Error ? controller.signal.reason : new Error(`Greptile MCP tool ${input.name} timed out after ${input.timeoutMs}ms.`);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+  const raw = await response.text();
+  if (!response.ok) {
+    throw new Error(`HTTP ${response.status}: ${raw}`);
+  }
+  let envelope;
+  try {
+    envelope = JSON.parse(raw);
+  } catch {
+    throw new Error(`Malformed MCP response: ${raw}`);
+  }
+  if (envelope.error?.message) {
+    throw new Error(envelope.error.message);
+  }
+  const text = (envelope.result?.content ?? []).filter((item) => item.type === "text" && typeof item.text === "string").map((item) => item.text ?? "").join(`
+`).trim();
+  if (!text) {
+    throw new Error(`MCP tool ${input.name} returned no text payload.`);
+  }
+  return text;
+}
+async function callGreptileMcpToolJsonForGate(input) {
+  const text = await callGreptileMcpToolForGate(input);
+  try {
+    return JSON.parse(text);
+  } catch {
+    throw new Error(`MCP tool ${input.name} returned malformed JSON: ${text}`);
+  }
+}
+async function collectConfiguredGreptileApiSignals(input) {
+  if (!input.enabled || input.options?.enabled === false) {
+    return { signals: [], errors: [] };
+  }
+  const env = input.options?.env ?? process.env;
+  const secrets = resolveRuntimeSecrets(env);
+  const apiKey = secrets.GREPTILE_API_KEY?.trim() ?? "";
+  if (!apiKey) {
+    return { signals: [], errors: [] };
+  }
+  const fetchFn = input.options?.fetch ?? globalThis.fetch;
+  if (typeof fetchFn !== "function") {
+    return { signals: [], errors: ["Greptile API/MCP evidence read failed: fetch is not available."] };
+  }
+  const apiBase = secrets.GREPTILE_API_BASE?.trim() || "https://api.greptile.com/mcp";
+  const remote = secrets.GREPTILE_REMOTE?.trim() || "github";
+  const repository = secrets.GREPTILE_REPOSITORY?.trim() || input.repoName;
+  const defaultBranch = secrets.GREPTILE_DEFAULT_BRANCH?.trim() || input.baseRefName?.trim() || "main";
+  const timeoutMs = greptileRequestTimeoutMs(env);
+  try {
+    const listPayload = await callGreptileMcpToolJsonForGate({
+      apiBase,
+      apiKey,
+      name: "list_code_reviews",
+      args: {
+        name: repository,
+        remote,
+        defaultBranch,
+        prNumber: input.prNumber,
+        limit: 20
+      },
+      timeoutMs,
+      fetchFn
+    });
+    const reviews = (listPayload.codeReviews ?? []).map((entry) => normalizeGreptileMcpCodeReview(entry)).filter((review) => !!review);
+    const selectedReviews = selectGreptileApiReviewsForGate(reviews, input.headSha);
+    const signals = [];
+    for (const review of selectedReviews) {
+      const detailsPayload = await callGreptileMcpToolJsonForGate({
+        apiBase,
+        apiKey,
+        name: "get_code_review",
+        args: { codeReviewId: review.id },
+        timeoutMs,
+        fetchFn
+      });
+      const details = normalizeGreptileMcpCodeReview(detailsPayload.codeReview, review.id) ?? review;
+      signals.push(greptileApiSignalFromCodeReview(review, details));
+    }
+    return { signals, errors: [] };
+  } catch (error) {
+    return {
+      signals: [],
+      errors: [`Greptile API/MCP evidence read failed: ${error instanceof Error ? error.message : String(error)}`]
+    };
+  }
+}
+function firstString(record, keys) {
+  for (const key of keys) {
+    const value = record[key];
+    if (typeof value === "string")
+      return value;
+  }
+  return "";
+}
+function arrayField(record, key) {
+  const value = record[key];
+  return Array.isArray(value) ? value : [];
+}
+async function runJsonArray(command, args, cwd) {
+  const result = await command(args, { cwd });
+  const label = `gh ${args.join(" ")}`;
+  if (result.exitCode !== 0) {
+    return { value: [], error: `${label} failed (${result.exitCode}): ${result.stderr ?? result.stdout ?? ""}`.trim() };
+  }
+  const parsed = parseJsonArray(result.stdout);
+  return parsed.error ? { value: parsed.value, error: `${label} returned invalid JSON: ${parsed.error}` } : { value: parsed.value };
+}
+async function runJsonObject(command, args, cwd) {
+  const result = await command(args, { cwd });
+  const label = `gh ${args.join(" ")}`;
+  if (result.exitCode !== 0) {
+    return { value: {}, error: `${label} failed (${result.exitCode}): ${result.stderr ?? result.stdout ?? ""}`.trim() };
+  }
+  const parsed = parseJsonObject(result.stdout);
+  return parsed.error ? { value: parsed.value, error: `${label} returned invalid JSON: ${parsed.error}` } : { value: parsed.value };
+}
+function normalizeStatusCheck(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  const name = firstString(record, ["name", "context"]);
+  if (!name.trim())
+    return null;
+  const output = record.output && typeof record.output === "object" && !Array.isArray(record.output) ? record.output : null;
+  const app = record.app && typeof record.app === "object" && !Array.isArray(record.app) ? record.app : null;
+  return {
+    __typename: typeof record.__typename === "string" ? record.__typename : null,
+    name,
+    context: typeof record.context === "string" ? record.context : null,
+    status: typeof record.status === "string" ? record.status : null,
+    state: typeof record.state === "string" ? record.state : null,
+    conclusion: typeof record.conclusion === "string" ? record.conclusion : null,
+    detailsUrl: typeof record.detailsUrl === "string" ? record.detailsUrl : typeof record.details_url === "string" ? record.details_url : typeof record.html_url === "string" ? record.html_url : typeof record.link === "string" ? record.link : null,
+    link: typeof record.link === "string" ? record.link : typeof record.html_url === "string" ? record.html_url : null,
+    headSha: typeof record.headSha === "string" ? record.headSha : null,
+    head_sha: typeof record.head_sha === "string" ? record.head_sha : null,
+    output: output ? {
+      title: typeof output.title === "string" ? output.title : null,
+      summary: typeof output.summary === "string" ? output.summary : null,
+      text: typeof output.text === "string" ? output.text : null
+    } : null,
+    app: app ? {
+      slug: typeof app.slug === "string" ? app.slug : null,
+      name: typeof app.name === "string" ? app.name : null,
+      owner: app.owner && typeof app.owner === "object" ? app.owner : null
+    } : null
+  };
+}
+function normalizeReview(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  return {
+    id: typeof record.id === "string" ? record.id : typeof record.id === "number" ? String(record.id) : null,
+    state: typeof record.state === "string" ? record.state : null,
+    body: typeof record.body === "string" ? record.body : null,
+    commit_id: typeof record.commit_id === "string" ? record.commit_id : typeof record.commitId === "string" ? record.commitId : record.commit && typeof record.commit === "object" && typeof record.commit.oid === "string" ? record.commit.oid : null,
+    html_url: typeof record.html_url === "string" ? record.html_url : typeof record.url === "string" ? record.url : null,
+    author: record.author && typeof record.author === "object" ? record.author : record.user && typeof record.user === "object" ? record.user : null
+  };
+}
+function normalizeReviewComment(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  const body = typeof record.body === "string" ? record.body : null;
+  const path = typeof record.path === "string" ? record.path : null;
+  if (!body && !path)
+    return null;
+  return {
+    id: typeof record.id === "string" || typeof record.id === "number" ? record.id : null,
+    user: record.user && typeof record.user === "object" ? record.user : null,
+    author: record.author && typeof record.author === "object" ? record.author : null,
+    body,
+    path,
+    html_url: typeof record.html_url === "string" ? record.html_url : null,
+    url: typeof record.url === "string" ? record.url : null,
+    commit_id: typeof record.commit_id === "string" ? record.commit_id : null,
+    original_commit_id: typeof record.original_commit_id === "string" ? record.original_commit_id : null
+  };
+}
+function normalizeIssueComment(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  const body = typeof record.body === "string" ? record.body : null;
+  if (!body)
+    return null;
+  return {
+    id: typeof record.id === "string" || typeof record.id === "number" ? record.id : null,
+    user: record.user && typeof record.user === "object" ? record.user : null,
+    author: record.author && typeof record.author === "object" ? record.author : null,
+    body,
+    html_url: typeof record.html_url === "string" ? record.html_url : null,
+    url: typeof record.url === "string" ? record.url : null,
+    created_at: typeof record.created_at === "string" ? record.created_at : null
+  };
+}
+function normalizeReviewThread(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  return {
+    id: typeof record.id === "string" ? record.id : null,
+    isResolved: typeof record.isResolved === "boolean" ? record.isResolved : null,
+    isOutdated: typeof record.isOutdated === "boolean" ? record.isOutdated : null,
+    comments: record.comments && typeof record.comments === "object" ? record.comments : null
+  };
+}
+function relevantIssueComment(comment) {
+  const login = comment.user?.login ?? comment.author?.login ?? "";
+  const body = comment.body ?? "";
+  return isGreptileGithubLogin(login) || containsBlockerText(body) || /greptile|score|confidence|\b\d+\s*\/\s*5\b/i.test(body);
+}
+function latestThreadComment(thread) {
+  const nodes = thread.comments?.nodes ?? [];
+  return nodes.length > 0 ? nodes[nodes.length - 1] : null;
+}
+function unresolvedThreadSummaries(threads) {
+  return threads.flatMap((thread) => {
+    if (thread.isResolved === true || thread.isOutdated === true)
+      return [];
+    const latest = latestThreadComment(thread);
+    if (!latest)
+      return ["Unresolved review thread"];
+    const path = latest.path ? ` on ${latest.path}` : "";
+    return [`Unresolved review thread${path}: ${(latest.body ?? "").trim() || "(empty comment)"}`];
+  });
+}
+function collectBodies(evidence) {
+  return [
+    evidence.title ?? "",
+    evidence.body,
+    ...evidence.reviews.map((review) => review.body ?? ""),
+    ...evidence.changedFileReviewComments.map((comment) => comment.body ?? ""),
+    ...evidence.relevantIssueComments.map((comment) => comment.body ?? ""),
+    ...evidence.reviewThreads.flatMap((thread) => thread.comments?.nodes?.map((comment) => comment.body ?? "") ?? []),
+    ...(evidence.apiSignals ?? []).map((signal) => signal.body ?? "")
+  ].filter((body) => body.trim().length > 0);
+}
+function bodyExcerpt(body) {
+  const text = stripHtml(body).replace(/\s+/g, " ").trim();
+  return text.length > 240 ? `${text.slice(0, 237)}...` : text;
+}
+function makeGreptileSignal(input) {
+  const scores = parseGreptileScores(input.body);
+  const reviewedSha = input.reviewedSha?.trim() || null;
+  const current = reviewedSha ? reviewedSha === input.currentHeadSha : null;
+  const verdict = input.verdict ?? null;
+  const blocker = input.blocker ?? (isBlockingGreptileVerdict(verdict) || containsBlockerText(input.body));
+  const explicitApproval = input.explicitApproval ?? false;
+  return {
+    source: input.source,
+    trusted: input.trusted,
+    authorLogin: input.authorLogin ?? null,
+    reviewedSha,
+    current,
+    stale: current === false,
+    score: scores[0] ?? null,
+    scores,
+    explicitApproval,
+    verdict,
+    blocker,
+    actionable: input.actionable ?? blocker,
+    bodyExcerpt: bodyExcerpt(input.body),
+    body: input.body,
+    allScores: scores
+  };
+}
+function reviewAuthorLogin(review) {
+  return review.author?.login ?? null;
+}
+function commentAuthorLogin(comment) {
+  return comment.user?.login ?? comment.author?.login ?? null;
+}
+function collectGreptileSignals(evidence) {
+  const signals = [];
+  const contextSources = [
+    { source: "pr-title", body: evidence.title ?? "" },
+    { source: "pr-body", body: evidence.body }
+  ];
+  for (const context of contextSources) {
+    if (!context.body.trim())
+      continue;
+    const contextBlocker = containsBlockerText(context.body);
+    if (!contextBlocker && !/greptile|score|confidence|\b\d+\s*\/\s*5\b/i.test(context.body))
+      continue;
+    signals.push(makeGreptileSignal({
+      source: context.source,
+      body: context.body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: false,
+      blocker: contextBlocker,
+      actionable: contextBlocker
+    }));
+  }
+  for (const apiSignal of evidence.apiSignals ?? []) {
+    const body = [apiSignal.status ? `Status: ${apiSignal.status}` : "", apiSignal.body ?? ""].filter(Boolean).join(`
+
+`) || "Status: UNKNOWN";
+    const verdict = greptileStatusVerdict(apiSignal.status);
+    signals.push(makeGreptileSignal({
+      source: "api",
+      body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: true,
+      reviewedSha: apiSignal.reviewedSha ?? null,
+      explicitApproval: verdict === "approved",
+      verdict
+    }));
+  }
+  for (const review of evidence.reviews) {
+    const login = reviewAuthorLogin(review);
+    if (!isGreptileGithubLogin(login))
+      continue;
+    const state = String(review.state ?? "").toUpperCase();
+    const body = [state ? `Review state: ${state}` : "", review.body ?? ""].filter(Boolean).join(`
+
+`);
+    if (!body.trim())
+      continue;
+    const dismissed = state === "DISMISSED";
+    signals.push(makeGreptileSignal({
+      source: "github-review",
+      body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: !dismissed,
+      authorLogin: login,
+      reviewedSha: review.commit_id ?? null,
+      explicitApproval: undefined,
+      blocker: state === "CHANGES_REQUESTED" || undefined
+    }));
+  }
+  for (const comment of evidence.relevantIssueComments) {
+    const login = commentAuthorLogin(comment);
+    const body = comment.body ?? "";
+    if (!body.trim() || !isGreptileGithubLogin(login))
+      continue;
+    signals.push(makeGreptileSignal({
+      source: "issue-comment",
+      body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: true,
+      authorLogin: login
+    }));
+  }
+  for (const thread of evidence.reviewThreads) {
+    if (thread.isOutdated === true || thread.isResolved === true)
+      continue;
+    for (const comment of thread.comments?.nodes ?? []) {
+      const login = comment.author?.login ?? null;
+      const body = comment.body ?? "";
+      if (!body.trim() || !isGreptileGithubLogin(login))
+        continue;
+      signals.push(makeGreptileSignal({
+        source: "review-thread",
+        body,
+        currentHeadSha: evidence.currentHeadSha,
+        trusted: true,
+        authorLogin: login
+      }));
+    }
+  }
+  for (const check of evidence.checks) {
+    if (!isGreptileLabel(checkName(check)))
+      continue;
+    const reviewedSha = check.headSha ?? check.head_sha ?? null;
+    const label = `${checkName(check)} (${checkState(check) || "unknown"})`;
+    const body = [label, check.output?.title ?? "", check.output?.summary ?? "", check.output?.text ?? ""].filter((entry) => entry.trim().length > 0).join(`
+
+`);
+    signals.push(makeGreptileSignal({
+      source: "github-check",
+      body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: false,
+      reviewedSha,
+      explicitApproval: false,
+      blocker: isFailingCheck(check),
+      actionable: isFailingCheck(check)
+    }));
+  }
+  return signals;
+}
+function unresolvedGreptileThreadSummaries(threads) {
+  return threads.flatMap((thread) => {
+    if (thread.isResolved === true || thread.isOutdated === true)
+      return [];
+    const comments = thread.comments?.nodes ?? [];
+    if (!comments.some((comment) => isGreptileGithubLogin(comment.author?.login)))
+      return [];
+    const latest = latestThreadComment(thread);
+    if (!latest)
+      return ["Unresolved Greptile review thread"];
+    const path = latest.path ? ` on ${latest.path}` : "";
+    return [`Unresolved Greptile review thread${path}: ${(latest.body ?? "").trim() || "(empty comment)"}`];
+  });
+}
+function actionableChangedFileCommentSummaries(_comments) {
+  return [];
+}
+function issueLevelBlockerSummaries(comments) {
+  return comments.flatMap((comment) => {
+    const body = comment.body?.trim() ?? "";
+    if (!body || !containsBlockerText(body) && !containsConflictingScoreText(body))
+      return [];
+    const login = commentAuthorLogin(comment) ?? "unknown";
+    const author = isGreptileGithubLogin(login) ? `Greptile issue comment by ${login}` : `Issue-level PR comment by ${login}`;
+    return [`${author}: ${body}`];
+  });
+}
+function reviewBodyBlockerSummaries(reviews) {
+  return reviews.flatMap((review) => {
+    const login = reviewAuthorLogin(review) ?? "unknown";
+    if (isGreptileGithubLogin(login))
+      return [];
+    const body = review.body?.trim() ?? "";
+    if (!body || !containsBlockerText(body) && !containsConflictingScoreText(body))
+      return [];
+    const state = review.state ? ` (${review.state})` : "";
+    return [`PR review summary by ${login}${state}: ${body}`];
+  });
+}
+function signalLabel(signal) {
+  const source = signal.source.replace(/-/g, " ");
+  const author = signal.authorLogin ? ` by ${signal.authorLogin}` : "";
+  const sha = signal.reviewedSha ? ` at ${signal.reviewedSha}` : "";
+  return `${source}${author}${sha}`;
+}
+function deriveGreptileEvidence(input) {
+  const rawBodies = collectBodies(input);
+  const signals = collectGreptileSignals(input);
+  const trustedSignals = signals.filter((signal) => signal.trusted);
+  const trustedScoreEntries = trustedSignals.flatMap((signal) => signal.allScores.map((score2) => ({ score: score2, signal })));
+  const contextScoreEntries = signals.filter((signal) => !signal.trusted).flatMap((signal) => signal.allScores.map((score2) => ({ score: score2, signal })));
+  const allScoreEntries = [...trustedScoreEntries, ...contextScoreEntries];
+  const staleSignals = signals.filter((signal) => !!signal.reviewedSha && signal.reviewedSha !== input.currentHeadSha && (signal.trusted || signal.source === "github-check"));
+  const isCurrentOrUntied = (signal) => !signal.reviewedSha || signal.reviewedSha === input.currentHeadSha;
+  const currentOrUntiedScoreEntries = allScoreEntries.filter((entry) => isCurrentOrUntied(entry.signal));
+  const lowScoreEntries = currentOrUntiedScoreEntries.filter((entry) => !isStrictFiveOfFive(entry.score));
+  const currentPendingApiSignals = trustedSignals.filter((signal) => signal.source === "api" && signal.verdict === "pending" && isCurrentOrUntied(signal));
+  const signalCanApproveByScore = (signal) => {
+    if (signal.source === "api")
+      return signal.verdict === "approved" || signal.verdict === "completed";
+    return signal.verdict !== "pending" && !isBlockingGreptileVerdict(signal.verdict);
+  };
+  const approvingScoreEntry = trustedScoreEntries.find((entry) => entry.signal.reviewedSha === input.currentHeadSha && entry.signal.source !== "github-check" && signalCanApproveByScore(entry.signal) && isStrictFiveOfFive(entry.score)) ?? null;
+  const approvingExplicitSignal = trustedSignals.find((signal) => signal.source === "api" && signal.reviewedSha === input.currentHeadSha && signal.explicitApproval === true && !signal.blocker) ?? null;
+  const approvedByScore = !!approvingScoreEntry;
+  const approvedByExplicitMapping = !!approvingExplicitSignal;
+  const approvingSignal = approvingScoreEntry?.signal ?? approvingExplicitSignal;
+  const lowestScore = lowScoreEntries.map((entry) => entry.score).sort((left, right) => left.value - right.value)[0] ?? null;
+  const score = lowestScore ?? approvingScoreEntry?.score ?? trustedScoreEntries[0]?.score ?? contextScoreEntries[0]?.score ?? null;
+  const failedGreptileChecks = input.checks.filter((check) => isGreptileLabel(checkName(check)) && isFailingCheck(check)).map((check) => `${checkName(check)} (${checkState(check) || "failed"})`);
+  const blockerSignals = signals.filter((signal) => (signal.blocker || signal.actionable) && (!signal.reviewedSha || signal.reviewedSha === input.currentHeadSha));
+  const staleBlockingSignals = [];
+  const blockers = [
+    ...blockerSignals.map((signal) => `${signalLabel(signal)}: ${signal.bodyExcerpt || "blocker text"}`),
+    ...reviewBodyBlockerSummaries(input.reviews),
+    ...issueLevelBlockerSummaries(input.relevantIssueComments),
+    ...lowScoreEntries.map((entry) => `Greptile score from ${signalLabel(entry.signal)} is ${entry.score.value}/${entry.score.scale}; strict merge requires trusted current-head 5/5.`),
+    ...staleBlockingSignals.map((signal) => `Greptile blocking signal from ${signalLabel(signal)} is stale; current PR head is ${input.currentHeadSha || "unknown"}.`),
+    ...failedGreptileChecks.map((entry) => `Greptile check failed: ${entry}`)
+  ];
+  const unresolvedComments = [
+    ...unresolvedGreptileThreadSummaries(input.reviewThreads),
+    ...actionableChangedFileCommentSummaries(input.changedFileReviewComments)
+  ];
+  const greptileChecks = input.checks.filter((check) => isGreptileLabel(checkName(check)));
+  const greptileReviews = input.reviews.filter((review) => isGreptileGithubLogin(review.author?.login));
+  const completedGreptileCheck = greptileChecks.some((check) => {
+    const reviewedSha2 = check.headSha ?? check.head_sha ?? null;
+    return reviewedSha2 === input.currentHeadSha && (isPassingCheck(check) || isFailingCheck(check));
+  });
+  const completedGreptileReview = greptileReviews.some((review) => {
+    const state = String(review.state ?? "").toUpperCase();
+    const completedState = ["APPROVED", "COMMENTED", "CHANGES_REQUESTED"].includes(state) || !!review.body?.trim();
+    return completedState && review.commit_id === input.currentHeadSha;
+  });
+  const completedGreptileApi = trustedSignals.some((signal) => signal.source === "api" && signal.reviewedSha === input.currentHeadSha && (signal.verdict === "approved" || signal.verdict === "rejected" || signal.verdict === "skipped" || signal.verdict === "failed" || signal.verdict === "completed"));
+  const approvalReviewedSha = approvingSignal?.reviewedSha ?? null;
+  const reviewedSha = approvalReviewedSha ?? staleSignals[0]?.reviewedSha ?? trustedSignals.map((signal) => signal.reviewedSha ?? null).find(Boolean) ?? null;
+  const fresh = !!approvalReviewedSha && approvalReviewedSha === input.currentHeadSha;
+  const completed = completedGreptileCheck || completedGreptileReview || completedGreptileApi || !!approvingSignal;
+  const hasGreptileEvidence = trustedSignals.length > 0 || signals.some((signal) => /greptile/i.test(signal.body));
+  const approved = fresh && completed && !blockers.length && !unresolvedComments.length && currentPendingApiSignals.length === 0 && (approvedByScore || approvedByExplicitMapping);
+  const mapping = !hasGreptileEvidence ? "missing" : staleSignals.length > 0 && !approvingSignal ? "stale" : approvedByScore ? "score-5-of-5" : approvedByExplicitMapping ? "explicit-approved" : "unproven";
+  const source = approvingSignal?.source === "api" ? "api" : approvingSignal?.source === "github-review" ? "github-review" : approvingSignal?.source === "changed-file-comment" || approvingSignal?.source === "issue-comment" || approvingSignal?.source === "review-thread" ? "github-comment" : greptileReviews.length > 0 && greptileChecks.length > 0 ? "combined" : greptileReviews.length > 0 ? "github-review" : greptileChecks.length > 0 ? "github-check" : signals.some((signal) => signal.source === "pr-body" || signal.source === "pr-title") ? "pr-body" : "missing";
+  return {
+    source,
+    currentHeadSha: input.currentHeadSha,
+    reviewedSha,
+    fresh,
+    completed,
+    approved,
+    score,
+    explicitApproval: approvedByExplicitMapping,
+    blockers,
+    unresolvedComments,
+    rawBodies,
+    signals: signals.map(({ body: _body, allScores: _allScores, ...signal }) => signal),
+    mapping
+  };
+}
+function isGreptileCheckDetail(check) {
+  return isGreptileLabel(checkName(check)) || isGreptileGithubLogin(check.app?.slug) || isGreptileGithubLogin(check.app?.owner?.login) || isGreptileLabel(check.app?.name);
+}
+async function collectGreptileCheckDetails(input) {
+  const checkRunsRead = await runJsonArray(input.command, [
+    "api",
+    `repos/${input.repoName}/commits/${input.headSha}/check-runs`,
+    "--paginate",
+    "--slurp",
+    "--jq",
+    "map(.check_runs // []) | add // []"
+  ], input.projectRoot);
+  const checkRuns = checkRunsRead.value.map(normalizeStatusCheck).filter((entry) => !!entry).filter(isGreptileCheckDetail);
+  return checkRunsRead.error ? { value: checkRuns, error: checkRunsRead.error } : { value: checkRuns };
+}
+async function collectReviewThreads(input) {
+  const reviewThreads = [];
+  let afterCursor = null;
+  for (let page = 0;page < 100; page += 1) {
+    const afterLiteral = afterCursor ? JSON.stringify(afterCursor) : "null";
+    const threadsResponse = await runJsonObject(input.command, [
+      "api",
+      "graphql",
+      "-F",
+      `owner=${input.owner}`,
+      "-F",
+      `name=${input.name}`,
+      "-F",
+      `prNumber=${input.prNumber}`,
+      "-f",
+      `query=query($owner: String!, $name: String!, $prNumber: Int!) { repository(owner:$owner, name:$name) { pullRequest(number:$prNumber) { reviewThreads(first: 100, after: ${afterLiteral}) { nodes { id isResolved isOutdated comments(first: 100) { nodes { author { login } body path url createdAt } pageInfo { hasNextPage endCursor } } } pageInfo { hasNextPage endCursor } } } } }`
+    ], input.projectRoot);
+    if (threadsResponse.error) {
+      return { value: reviewThreads, error: threadsResponse.error };
+    }
+    const data = threadsResponse.value.data;
+    const repository = data?.repository;
+    const pullRequest = repository?.pullRequest;
+    const threads = pullRequest?.reviewThreads;
+    const nodes = threads?.nodes;
+    if (!Array.isArray(nodes)) {
+      return { value: reviewThreads, error: "GitHub reviewThreads response did not include a nodes array" };
+    }
+    const normalized = nodes.map(normalizeReviewThread).filter((entry) => !!entry);
+    reviewThreads.push(...normalized);
+    const truncatedCommentThread = normalized.find((thread) => thread.comments?.pageInfo?.hasNextPage === true);
+    if (truncatedCommentThread) {
+      return { value: reviewThreads, error: `GitHub review thread ${truncatedCommentThread.id ?? "unknown"} has more than 100 comments; nested pagination is incomplete` };
+    }
+    const pageInfo = threads?.pageInfo;
+    if (!pageInfo) {
+      if (nodes.length >= 100) {
+        return { value: reviewThreads, error: "GitHub reviewThreads pagination metadata missing after a full page" };
+      }
+      return { value: reviewThreads };
+    }
+    if (pageInfo.hasNextPage !== true) {
+      return { value: reviewThreads };
+    }
+    if (typeof pageInfo.endCursor !== "string" || !pageInfo.endCursor.trim()) {
+      return { value: reviewThreads, error: "GitHub reviewThreads pagination reported hasNextPage without endCursor" };
+    }
+    afterCursor = pageInfo.endCursor;
+  }
+  return { value: reviewThreads, error: "GitHub reviewThreads pagination exceeded 100 pages" };
+}
+async function collectPrReviewEvidence(input) {
+  const parsed = parseGithubPrUrl(input.prUrl);
+  if (!parsed) {
+    throw new Error(`Cannot parse GitHub PR URL: ${input.prUrl}`);
+  }
+  const readErrors = [];
+  const viewRead = await runJsonObject(input.command, [
+    "pr",
+    "view",
+    input.prUrl,
+    "--json",
+    "title,body,headRefOid,headRefName,baseRefName,state,isDraft,mergeable,mergeStateStatus,reviewDecision,reviews,statusCheckRollup"
+  ], input.projectRoot);
+  if (viewRead.error)
+    readErrors.push(viewRead.error);
+  const view = viewRead.value;
+  if (!Array.isArray(view.statusCheckRollup)) {
+    readErrors.push("gh pr view did not return required statusCheckRollup array");
+  }
+  if (!Array.isArray(view.reviews)) {
+    readErrors.push("gh pr view did not return required reviews array");
+  }
+  const headSha = firstString(view, ["headRefOid", "headSha", "head_sha"]);
+  const baseRefName = firstString(view, ["baseRefName"]);
+  const statusCheckRollup = arrayField(view, "statusCheckRollup").map(normalizeStatusCheck).filter((entry) => !!entry);
+  const reviews = arrayField(view, "reviews").map(normalizeReview).filter((entry) => !!entry);
+  const reviewCommentsRead = await runJsonArray(input.command, ["api", `repos/${parsed.repoName}/pulls/${parsed.prNumber}/comments`, "--paginate", "--slurp"], input.projectRoot);
+  if (reviewCommentsRead.error)
+    readErrors.push(reviewCommentsRead.error);
+  const reviewComments = reviewCommentsRead.value.map(normalizeReviewComment).filter((entry) => !!entry);
+  const issueCommentsRead = await runJsonArray(input.command, ["api", `repos/${parsed.repoName}/issues/${parsed.prNumber}/comments`, "--paginate", "--slurp"], input.projectRoot);
+  if (issueCommentsRead.error)
+    readErrors.push(issueCommentsRead.error);
+  const issueComments = issueCommentsRead.value.map(normalizeIssueComment).filter((entry) => !!entry).filter(relevantIssueComment);
+  const reviewThreadsRead = await collectReviewThreads({
+    command: input.command,
+    projectRoot: input.projectRoot,
+    owner: parsed.owner,
+    name: parsed.repo,
+    prNumber: parsed.prNumber
+  });
+  if (reviewThreadsRead.error)
+    readErrors.push(reviewThreadsRead.error);
+  const reviewThreads = reviewThreadsRead.value;
+  const greptileRollupChecks = statusCheckRollup.filter((check) => isGreptileLabel(checkName(check)));
+  let greptileCheckDetails = [];
+  if (headSha && greptileRollupChecks.length > 0) {
+    const checkDetailsRead = await collectGreptileCheckDetails({
+      command: input.command,
+      projectRoot: input.projectRoot,
+      repoName: parsed.repoName,
+      headSha
+    });
+    if (checkDetailsRead.error)
+      readErrors.push(checkDetailsRead.error);
+    greptileCheckDetails = checkDetailsRead.value;
+    if (!checkDetailsRead.error && greptileCheckDetails.length === 0) {
+      readErrors.push("Greptile check details could not be found for the current PR head");
+    }
+  }
+  const checksWithGreptileDetails = [...statusCheckRollup, ...greptileCheckDetails];
+  const shouldCollectConfiguredGreptileApi = input.greptileApi?.enabled !== false;
+  const configuredGreptileApiRead = await collectConfiguredGreptileApiSignals({
+    enabled: shouldCollectConfiguredGreptileApi,
+    options: input.greptileApi,
+    repoName: parsed.repoName,
+    prNumber: parsed.prNumber,
+    headSha,
+    baseRefName
+  });
+  readErrors.push(...configuredGreptileApiRead.errors);
+  const apiSignals = [...input.apiSignals ?? [], ...configuredGreptileApiRead.signals];
+  const checkFailures = statusCheckRollup.filter((check) => !isGreptileLabel(checkName(check)) && isFailingCheck(check) && !isAllowedFailure(checkName(check), input.allowedFailures ?? [])).map((check) => `Check failed: ${checkName(check)}${check.detailsUrl || check.link ? ` (${check.detailsUrl ?? check.link})` : ""}`);
+  const pendingChecks = statusCheckRollup.filter((check) => isPendingCheck(check) && (isGreptileLabel(checkName(check)) || !isAllowedFailure(checkName(check), input.allowedFailures ?? []))).map((check) => `Check pending: ${checkName(check)}`);
+  const evidenceBase = {
+    title: firstString(view, ["title"]),
+    body: firstString(view, ["body"]),
+    reviews,
+    changedFileReviewComments: reviewComments,
+    relevantIssueComments: issueComments,
+    reviewThreads,
+    checks: checksWithGreptileDetails,
+    currentHeadSha: headSha,
+    apiSignals
+  };
+  const greptile = deriveGreptileEvidence(evidenceBase);
+  return {
+    prUrl: input.prUrl,
+    prNumber: parsed.prNumber,
+    repoName: parsed.repoName,
+    title: evidenceBase.title,
+    body: evidenceBase.body,
+    headSha,
+    headRefName: firstString(view, ["headRefName"]),
+    baseRefName,
+    state: firstString(view, ["state"]),
+    isDraft: typeof view.isDraft === "boolean" ? view.isDraft : null,
+    mergeable: firstString(view, ["mergeable"]),
+    mergeStateStatus: firstString(view, ["mergeStateStatus"]),
+    reviewDecision: firstString(view, ["reviewDecision"]),
+    reviews,
+    reviewThreads,
+    changedFileReviewComments: reviewComments,
+    relevantIssueComments: issueComments,
+    statusCheckRollup: checksWithGreptileDetails,
+    checkFailures,
+    pendingChecks,
+    readErrors,
+    greptile
+  };
+}
+function capGateMessage(value, maxChars = 1200) {
+  const normalized = value.trim();
+  return normalized.length > maxChars ? `${normalized.slice(0, maxChars)}
+[truncated for gate summary; see full evidence artifact]` : normalized;
+}
+function evaluateEvidence(evidence) {
+  const reasonDetails = [];
+  const warnings = [];
+  const seen = new Set;
+  const addReason = (reason) => {
+    const capped = { ...reason, message: capGateMessage(reason.message) };
+    const key = `${capped.code}:${capped.message}`;
+    if (seen.has(key))
+      return;
+    seen.add(key);
+    reasonDetails.push(capped);
+  };
+  const greptile = evidence.greptile;
+  const staleSignal = greptile.signals.find((signal) => signal.reviewedSha && signal.reviewedSha !== evidence.headSha);
+  const hasPendingGreptileCheck = evidence.pendingChecks.some((check) => /greptile/i.test(check));
+  const pendingGreptileApiSignals = greptile.signals.filter((signal) => signal.source === "api" && signal.verdict === "pending" && (!signal.reviewedSha || signal.reviewedSha === evidence.headSha));
+  const unknownGreptileApiSignals = greptile.signals.filter((signal) => signal.source === "api" && !signal.verdict && (!signal.reviewedSha || signal.reviewedSha === evidence.headSha));
+  const awaitingFreshGreptileProof = hasPendingGreptileCheck || pendingGreptileApiSignals.length > 0 || !greptile.completed || greptile.mapping === "missing" || greptile.mapping === "stale";
+  for (const error of evidence.readErrors) {
+    addReason({
+      code: "read_error",
+      reasonClass: "reject",
+      surface: error.startsWith("Greptile API/MCP") ? "greptile" : "github",
+      suggestedAction: "needs_attention",
+      message: `Required PR evidence surface could not be read completely: ${error}`,
+      headSha: evidence.headSha || null
+    });
+  }
+  if (!evidence.headSha) {
+    addReason({
+      code: "missing_head_sha",
+      reasonClass: "reject",
+      surface: "github",
+      suggestedAction: "needs_attention",
+      message: "PR head SHA could not be read; current-head Greptile approval cannot be proven.",
+      headSha: null
+    });
+  }
+  for (const failure of evidence.checkFailures) {
+    addReason({
+      code: "ci_failed",
+      reasonClass: "reject",
+      surface: "ci",
+      suggestedAction: "fix",
+      message: failure,
+      headSha: evidence.headSha || null
+    });
+  }
+  for (const pendingCheck of evidence.pendingChecks) {
+    addReason({
+      code: "check_pending",
+      reasonClass: "pending",
+      surface: "ci",
+      suggestedAction: "wait",
+      message: pendingCheck,
+      headSha: evidence.headSha || null
+    });
+  }
+  const reviewDecision = String(evidence.reviewDecision ?? "").toUpperCase();
+  if (reviewDecision === "CHANGES_REQUESTED" || reviewDecision === "REVIEW_REQUIRED") {
+    addReason({
+      code: "review_decision_blocking",
+      reasonClass: "reject",
+      surface: "review",
+      suggestedAction: "fix",
+      message: `Required review is unresolved (${evidence.reviewDecision}).`,
+      headSha: evidence.headSha || null
+    });
+  }
+  for (const thread of unresolvedThreadSummaries(evidence.reviewThreads)) {
+    addReason({
+      code: "review_thread_unresolved",
+      reasonClass: "reject",
+      surface: "review",
+      suggestedAction: "fix",
+      message: thread,
+      headSha: evidence.headSha || null
+    });
+  }
+  if (greptile.mapping === "missing") {
+    addReason({
+      code: "greptile_missing",
+      reasonClass: "pending",
+      surface: "greptile",
+      suggestedAction: "wait",
+      message: "Missing Greptile check/review evidence for this PR.",
+      headSha: evidence.headSha || null
+    });
+  }
+  if (greptile.mapping === "stale" || greptile.reviewedSha && greptile.reviewedSha !== evidence.headSha || !greptile.approved && staleSignal) {
+    addReason({
+      code: "greptile_stale",
+      reasonClass: "pending",
+      surface: "greptile",
+      suggestedAction: "wait",
+      message: `Greptile evidence is stale (reviewed ${greptile.reviewedSha ?? staleSignal?.reviewedSha ?? "unknown"}, current ${evidence.headSha || "unknown"}).`,
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? staleSignal?.reviewedSha ?? null
+    });
+  }
+  for (const signal of pendingGreptileApiSignals) {
+    addReason({
+      code: "greptile_pending",
+      reasonClass: "pending",
+      surface: "greptile",
+      suggestedAction: "wait",
+      message: `Greptile API/MCP review is pending for the current PR head${signal.bodyExcerpt ? `: ${signal.bodyExcerpt}` : "."}`,
+      headSha: evidence.headSha || null,
+      reviewedSha: signal.reviewedSha ?? null
+    });
+  }
+  for (const signal of unknownGreptileApiSignals) {
+    addReason({
+      code: "greptile_api_status_unknown",
+      reasonClass: "reject",
+      surface: "greptile",
+      suggestedAction: "needs_attention",
+      message: `Greptile API/MCP review status is unknown; merge requires a known terminal APPROVED/COMPLETED 5/5 result or a known conservative status${signal.bodyExcerpt ? `: ${signal.bodyExcerpt}` : "."}`,
+      headSha: evidence.headSha || null,
+      reviewedSha: signal.reviewedSha ?? null
+    });
+  }
+  if (!greptile.completed) {
+    addReason({
+      code: "greptile_pending",
+      reasonClass: "pending",
+      surface: "greptile",
+      suggestedAction: "wait",
+      message: "Greptile check/review has not completed for the current PR head.",
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  if (!greptile.fresh) {
+    addReason({
+      code: "greptile_not_current_head",
+      reasonClass: awaitingFreshGreptileProof ? "pending" : "reject",
+      surface: "greptile",
+      suggestedAction: awaitingFreshGreptileProof ? "wait" : "ask_greptile",
+      message: "Greptile approval is not tied to the current PR head SHA.",
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  if (greptile.score && !(greptile.score.scale === 5 && greptile.score.value === 5)) {
+    addReason({
+      code: "greptile_score_not_5",
+      reasonClass: "reject",
+      surface: "greptile",
+      suggestedAction: "fix",
+      message: `Greptile score is ${greptile.score.value}/${greptile.score.scale}; strict merge requires trusted current-head 5/5.`,
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  const hasApprovedMapping = greptile.mapping === "score-5-of-5" || greptile.mapping === "explicit-approved";
+  if (!greptile.score && !hasApprovedMapping) {
+    addReason({
+      code: "greptile_score_missing",
+      reasonClass: awaitingFreshGreptileProof ? "pending" : "reject",
+      surface: "greptile",
+      suggestedAction: awaitingFreshGreptileProof ? "wait" : "ask_greptile",
+      message: "No parseable Greptile 5/5 score or direct current-head Greptile API APPROVED mapping was found from trusted evidence; merge is blocked.",
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  if (greptile.mapping === "unproven") {
+    addReason({
+      code: "greptile_mapping_unproven",
+      reasonClass: awaitingFreshGreptileProof ? "pending" : "reject",
+      surface: "greptile",
+      suggestedAction: awaitingFreshGreptileProof ? "wait" : "ask_greptile",
+      message: "Greptile approval mapping is unproven; PR body/title or a green check alone cannot approve merge.",
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  for (const blocker of greptile.blockers) {
+    addReason({
+      code: "greptile_blocker_text",
+      reasonClass: "reject",
+      surface: "greptile",
+      suggestedAction: "fix",
+      message: `Greptile/blocker text: ${blocker}`,
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  for (const comment of greptile.unresolvedComments) {
+    addReason({
+      code: "greptile_unresolved_comment",
+      reasonClass: "reject",
+      surface: "greptile",
+      suggestedAction: "fix",
+      message: comment,
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  if (!greptile.approved)
+    warnings.push(`Greptile approval mapping is ${greptile.mapping}.`);
+  const pending = reasonDetails.length > 0 && reasonDetails.every((reason) => reason.reasonClass === "pending");
+  return { reasons: reasonDetails.map((reason) => reason.message), reasonDetails, warnings, pending };
+}
+function evaluateStrictPrMergeGate(evidence) {
+  const evaluated = evaluateEvidence(evidence);
+  const approved = evaluated.reasonDetails.length === 0 && evidence.greptile.approved;
+  return {
+    approved,
+    pending: evaluated.pending,
+    reasons: evaluated.reasons,
+    reasonDetails: evaluated.reasonDetails,
+    warnings: evaluated.warnings,
+    actionableFeedback: evaluated.reasons,
+    evidence
+  };
+}
+
+// packages/runtime/src/control-plane/native/verifier.ts
 async function verifyTask(options) {
   const paths = resolveHarnessPaths(options.projectRoot);
   const taskId = options.taskId;
@@ -4400,7 +5520,8 @@ async function runGreptileReviewForPr(options) {
       }
     };
   }
-  if (/not safe to merge|unsafe to merge|do not merge|blocker/i.test(reviewBody)) {
+  const blockerScanBody = stripHtml(reviewBody).replace(/\b(?:no|without|zero)\s+blockers?\b/gi, " ").replace(/\bno\s+changes\s+requested\b/gi, " ");
+  if (/not safe(?: to merge)?|unsafe(?: to merge)?|do not merge|cannot merge|blockers?|must fix|changes requested|please fix|needs? fix|fix this|address this|\breject(?:ed|ion)?\b|\bskip(?:ped)?\b|status\s*:\s*(?:reject(?:ed)?|skip(?:ped)?|failed)/i.test(blockerScanBody)) {
     reasons.push(`[AI Review] ${repoName}#${prNumber} summary indicates the PR is not safe to merge.`);
     return {
       verdict: "REJECT",
@@ -4416,44 +5537,79 @@ async function runGreptileReviewForPr(options) {
       }
     };
   }
-  if (score) {
-    if (score.scale === 5 && score.value < 5 && options.reviewMode === "required") {
-      reasons.push(`[AI Review] ${repoName}#${prNumber} completed with Greptile confidence ${score.value}/${score.scale}; required mode needs 5/5 before merge.`);
-      return {
-        verdict: "REJECT",
-        feedback,
-        reasons,
-        warnings,
-        rawPayload: {
-          pr: options.prState,
-          codeReviews: reviewsPayload,
-          selectedReview,
-          reviewDetails,
-          comments: commentsPayload,
-          score
-        }
-      };
-    }
-    if (score.scale === 5 && score.value <= 2) {
-      reasons.push(`[AI Review] ${repoName}#${prNumber} completed with Greptile confidence ${score.value}/${score.scale}; this requires rework before merge.`);
-      return {
-        verdict: "REJECT",
-        feedback,
-        reasons,
-        warnings,
-        rawPayload: {
-          pr: options.prState,
-          codeReviews: reviewsPayload,
-          selectedReview,
-          reviewDetails,
-          comments: commentsPayload,
-          score
+  if (score?.scale === 5 && score.value < 5) {
+    reasons.push(`[AI Review] ${repoName}#${prNumber} completed with Greptile confidence ${score.value}/${score.scale}; strict review requires 5/5 before merge.`);
+    return {
+      verdict: "REJECT",
+      feedback,
+      reasons,
+      warnings,
+      rawPayload: {
+        pr: options.prState,
+        codeReviews: reviewsPayload,
+        selectedReview,
+        reviewDetails,
+        comments: commentsPayload,
+        score
+      }
+    };
+  }
+  const prUrl = options.prState.url || `https://github.com/${repoName}/pull/${prNumber}`;
+  let strictGate = null;
+  try {
+    const strictEvidence = await collectStrictPrEvidenceForVerifier({
+      projectRoot: options.projectRoot,
+      taskId: options.taskId,
+      prUrl,
+      apiSignals: [{
+        id: selectedReview.id,
+        body: reviewBody,
+        reviewedSha: selectedReview.metadata?.checkHeadSha ?? null,
+        status: selectedReview.status
+      }]
+    });
+    strictGate = evaluateStrictPrMergeGate(strictEvidence);
+  } catch (error) {
+    reasons.push(`[AI Review] Strict Greptile evidence collection failed for ${repoName}#${prNumber}: ${error instanceof Error ? error.message : String(error)}`);
+    return {
+      verdict: "REJECT",
+      feedback,
+      reasons,
+      warnings,
+      rawPayload: {
+        pr: options.prState,
+        codeReviews: reviewsPayload,
+        selectedReview,
+        reviewDetails,
+        comments: commentsPayload,
+        score
+      }
+    };
+  }
+  if (!strictGate.approved) {
+    return {
+      verdict: strictGate.pending ? "SKIP" : "REJECT",
+      feedback,
+      reasons: strictGate.reasons.map((reason) => reason.startsWith("[AI Review]") ? reason : `[AI Review] ${reason}`),
+      warnings: [...warnings, ...strictGate.warnings],
+      rawPayload: {
+        pr: options.prState,
+        codeReviews: reviewsPayload,
+        selectedReview,
+        reviewDetails,
+        comments: commentsPayload,
+        score,
+        strictGate: {
+          approved: strictGate.approved,
+          pending: strictGate.pending,
+          reasons: strictGate.reasons,
+          reasonDetails: strictGate.reasonDetails,
+          warnings: strictGate.warnings,
+          greptile: strictGate.evidence.greptile,
+          readErrors: strictGate.evidence.readErrors
         }
-      };
-    }
-    if (score.scale === 5 && score.value < 5) {
-      warnings.push(`[AI Review] ${repoName}#${prNumber} completed with Greptile confidence ${score.value}/${score.scale}; continue only after reviewing remaining risk.`);
-    }
+      }
+    };
   }
   return {
     verdict: "APPROVE",
@@ -4465,7 +5621,16 @@ async function runGreptileReviewForPr(options) {
       codeReviews: reviewsPayload,
       selectedReview,
       reviewDetails,
-      comments: commentsPayload
+      comments: commentsPayload,
+      strictGate: {
+        approved: strictGate.approved,
+        pending: strictGate.pending,
+        reasons: strictGate.reasons,
+        reasonDetails: strictGate.reasonDetails,
+        warnings: strictGate.warnings,
+        greptile: strictGate.evidence.greptile,
+        readErrors: strictGate.evidence.readErrors
+      }
     }
   };
 }
@@ -4489,7 +5654,7 @@ async function runGithubGreptileFallbackReviewForPr(options) {
   let threads = [];
   let actionableThreads = [];
   let checkRollup = [];
-  let checkState = { pending: false, completed: false };
+  let checkState2 = { pending: false, completed: false };
   for (let attempt = 0;; attempt += 1) {
     reviews = runGhJson(options.projectRoot, ["api", `repos/${repoName}/pulls/${prNumber}/reviews`]);
     selectedReview = pickRelevantGithubGreptileReview(reviews, expectedHeadSha);
@@ -4498,15 +5663,15 @@ async function runGithubGreptileFallbackReviewForPr(options) {
     threads = loadGithubReviewThreads(options.projectRoot, repoName, prNumber);
     actionableThreads = filterActionableGithubGreptileThreads(threads);
     checkRollup = loadGithubPullRequestCheckRollup(options.projectRoot, repoName, prNumber);
-    checkState = classifyGithubGreptileCheckState(checkRollup);
-    const approvedViaReviewedAncestor2 = !selectedReview && !!fallbackReview?.commit_id && !!expectedHeadSha && isCommitAncestorOfPrHead(options.projectRoot, options.prState, fallbackReview.commit_id, expectedHeadSha);
+    checkState2 = classifyGithubGreptileCheckState(checkRollup);
+    const approvedViaReviewedAncestor = !selectedReview && !!fallbackReview?.commit_id && !!expectedHeadSha && isCommitAncestorOfPrHead(options.projectRoot, options.prState, fallbackReview.commit_id, expectedHeadSha);
     if (!shouldContinueGithubGreptileFallbackPolling({
       attempt,
       pollAttempts: options.pollAttempts,
-      checkState,
+      checkState: checkState2,
       fallbackReview,
       selectedReview,
-      approvedViaReviewedAncestor: approvedViaReviewedAncestor2
+      approvedViaReviewedAncestor
     })) {
       break;
     }
@@ -4534,7 +5699,7 @@ async function runGithubGreptileFallbackReviewForPr(options) {
   ].filter(Boolean).join(`
 `);
   const warnings = buildGithubGreptileFallbackWarnings(options);
-  if (checkState.pending) {
+  if (checkState2.pending) {
     return {
       verdict: "SKIP",
       feedback,
@@ -4545,34 +5710,20 @@ async function runGithubGreptileFallbackReviewForPr(options) {
       rawPayload: { ...buildGithubGreptileFallbackRawPayload(options), reviews, threads, checkRollup }
     };
   }
-  const approvedViaCompletedCheck = isGithubGreptileCheckApproved(checkRollup);
-  if (!fallbackReview) {
-    if (approvedViaCompletedCheck) {
-      warnings.push(`[AI Review Warning] ${repoName}#${prNumber} has no GitHub Greptile review object, but the Greptile check completed successfully and no unresolved Greptile threads remain.`);
-      return {
-        verdict: "APPROVE",
-        feedback,
-        reasons: [],
-        warnings,
-        rawPayload: { ...buildGithubGreptileFallbackRawPayload(options), reviews, threads, checkRollup }
-      };
-    }
-    return {
-      verdict: "SKIP",
-      feedback,
-      reasons: [
-        `[AI Review] Greptile GitHub review for ${repoName}#${prNumber} is not available.`
-      ],
-      warnings,
-      rawPayload: { ...buildGithubGreptileFallbackRawPayload(options), reviews, threads, checkRollup }
-    };
-  }
-  const approvedViaReviewedAncestor = !selectedReview && !!fallbackReview.commit_id && !!expectedHeadSha && isCommitAncestorOfPrHead(options.projectRoot, options.prState, fallbackReview.commit_id, expectedHeadSha);
-  if (actionableThreads.length > 0) {
+  const prUrl = options.prState.url || `https://github.com/${repoName}/pull/${prNumber}`;
+  let strictGate;
+  try {
+    const strictEvidence = await collectStrictPrEvidenceForVerifier({
+      projectRoot: options.projectRoot,
+      taskId: options.taskId,
+      prUrl
+    });
+    strictGate = evaluateStrictPrMergeGate(strictEvidence);
+  } catch (error) {
     return {
       verdict: "REJECT",
       feedback,
-      reasons: actionableThreads.map((comment) => `[AI Review] ${repoName}#${prNumber} has unresolved Greptile comment on ${comment.path}: ${summarizeComment(comment.body || "")}`),
+      reasons: [`[AI Review] Strict Greptile evidence collection failed for ${repoName}#${prNumber}: ${error instanceof Error ? error.message : String(error)}`],
       warnings,
       rawPayload: {
         pr: options.prState,
@@ -4585,44 +5736,31 @@ async function runGithubGreptileFallbackReviewForPr(options) {
       }
     };
   }
-  if (!selectedReview && !approvedViaReviewedAncestor) {
-    if (approvedViaCompletedCheck) {
-      warnings.push(`[AI Review Warning] ${repoName}#${prNumber} has no fresh Greptile GitHub review on the current head, but the Greptile check completed successfully and all Greptile threads are resolved.`);
-      return {
-        verdict: "APPROVE",
-        feedback,
-        reasons: [],
-        warnings,
-        rawPayload: {
-          pr: options.prState,
-          selectedReview: fallbackReview,
-          reviews,
-          threads,
-          checkRollup,
-          ...buildGithubGreptileFallbackRawPayload(options)
-        }
-      };
-    }
+  if (!strictGate.approved) {
     return {
-      verdict: "SKIP",
+      verdict: strictGate.pending ? "SKIP" : "REJECT",
       feedback,
-      reasons: [
-        `[AI Review] Greptile GitHub review for ${repoName}#${prNumber} is not available for the current head.`
-      ],
-      warnings,
+      reasons: strictGate.reasons.map((reason) => reason.startsWith("[AI Review]") ? reason : `[AI Review] ${reason}`),
+      warnings: [...warnings, ...strictGate.warnings],
       rawPayload: {
         pr: options.prState,
         selectedReview: fallbackReview,
         reviews,
         threads,
         checkRollup,
+        actionableThreads,
+        strictGate: {
+          approved: strictGate.approved,
+          pending: strictGate.pending,
+          reasons: strictGate.reasons,
+          reasonDetails: strictGate.reasonDetails,
+          warnings: strictGate.warnings,
+          greptile: strictGate.evidence.greptile
+        },
         ...buildGithubGreptileFallbackRawPayload(options)
       }
     };
   }
-  if (approvedViaReviewedAncestor) {
-    warnings.push(`[AI Review Warning] ${repoName}#${prNumber} has no fresh Greptile review on the current head, but the latest reviewed commit is an ancestor and all Greptile threads are resolved.`);
-  }
   return {
     verdict: "APPROVE",
     feedback,
@@ -4634,6 +5772,14 @@ async function runGithubGreptileFallbackReviewForPr(options) {
       reviews,
       threads,
       checkRollup,
+      strictGate: {
+        approved: strictGate.approved,
+        pending: strictGate.pending,
+        reasons: strictGate.reasons,
+        reasonDetails: strictGate.reasonDetails,
+        warnings: strictGate.warnings,
+        greptile: strictGate.evidence.greptile
+      },
       ...buildGithubGreptileFallbackRawPayload(options)
     }
   };
@@ -4746,19 +5892,25 @@ function shouldTriggerGreptileReview(existingReview, expectedHeadSha) {
   if ((existingReview.metadata?.checkHeadSha || "") !== expectedHeadSha) {
     return true;
   }
-  return isGreptileReviewTerminal(existingReview.status);
+  return false;
 }
 function shouldContinueGreptileMcpPolling(options) {
   if (options.githubCheckState.completed) {
     return false;
   }
+  if (options.attempt + 1 >= options.pollAttempts) {
+    return false;
+  }
   if (options.selectedReview && !isGreptileReviewTerminal(options.selectedReview.status)) {
     return true;
   }
-  return options.attempt + 1 < options.pollAttempts;
+  return true;
 }
 function shouldContinueGithubGreptileFallbackPolling(options) {
   const waitingForVisiblePendingReview = options.checkState.pending && (!options.fallbackReview || !options.selectedReview && !options.approvedViaReviewedAncestor);
+  if (options.attempt + 1 >= options.pollAttempts) {
+    return false;
+  }
   if (waitingForVisiblePendingReview) {
     return true;
   }
@@ -4819,6 +5971,20 @@ function runGhJson(projectRoot, args) {
     throw new Error(`gh ${args.join(" ")} returned malformed JSON: ${result.stdout}`);
   }
 }
+async function collectStrictPrEvidenceForVerifier(input) {
+  return collectPrReviewEvidence({
+    projectRoot: input.projectRoot,
+    prUrl: input.prUrl,
+    taskId: input.taskId,
+    runId: "verifier",
+    cycle: 0,
+    apiSignals: input.apiSignals ?? [],
+    command: async (args, options) => {
+      const result = runCapture(["gh", ...args], options?.cwd ?? input.projectRoot);
+      return { exitCode: result.exitCode, stdout: result.stdout, stderr: result.stderr };
+    }
+  });
+}
 function deriveRepoName(projectRoot, prState) {
   const fromUrl = /github\.com\/([^/]+\/[^/]+)\/pull\/\d+/.exec(prState.url || "");
   if (fromUrl?.[1]) {
@@ -4833,8 +5999,9 @@ function resolvePrHeadSha(projectRoot, prState) {
   const repoRoot = resolvePrRepoRoot(projectRoot, prState);
   return runCapture(["git", "-C", repoRoot, "rev-parse", "HEAD"], projectRoot).stdout.trim();
 }
-function isGreptileGithubLogin(login) {
-  return (login || "").replace(/\[bot\]$/, "") === "greptile-apps";
+function isGreptileGithubLogin2(login) {
+  const normalized = (login || "").toLowerCase().replace(/\[bot\]$/, "");
+  return normalized === "greptile" || normalized === "greptile-ai" || normalized === "greptileai" || normalized === "greptile-apps";
 }
 function pickRelevantGithubGreptileReview(reviews, expectedHeadSha) {
   const matching = sortGithubGreptileReviews(reviews);
@@ -4851,7 +6018,7 @@ function pickLatestGithubGreptileReview(reviews) {
   return sortGithubGreptileReviews(reviews)[0] || null;
 }
 function sortGithubGreptileReviews(reviews) {
-  return reviews.filter((review) => isGreptileGithubLogin(review.user?.login)).sort((left, right) => Date.parse(right.submitted_at || "") - Date.parse(left.submitted_at || ""));
+  return reviews.filter((review) => isGreptileGithubLogin2(review.user?.login)).sort((left, right) => Date.parse(right.submitted_at || "") - Date.parse(left.submitted_at || ""));
 }
 function loadGithubPullRequestCheckRollup(projectRoot, repoName, prNumber) {
   const response = runGhJson(projectRoot, [
@@ -4924,32 +6091,6 @@ function classifyGithubGreptileCheckState(checks) {
   }
   return { pending: false, completed: false };
 }
-function isGithubGreptileCheckApproved(checks) {
-  const greptileChecks = checks.filter((check) => {
-    const label = (check.name || check.context || "").toLowerCase();
-    return label.includes("greptile");
-  });
-  if (greptileChecks.length === 0) {
-    return false;
-  }
-  for (const check of greptileChecks) {
-    if ((check.__typename || "") === "CheckRun") {
-      if ((check.status || "").toUpperCase() !== "COMPLETED") {
-        return false;
-      }
-      const conclusion = (check.conclusion || "").toUpperCase();
-      if (!["SUCCESS", "NEUTRAL", "SKIPPED"].includes(conclusion)) {
-        return false;
-      }
-      continue;
-    }
-    const state = (check.state || "").toUpperCase();
-    if (!["SUCCESS", "NEUTRAL", "SKIPPED"].includes(state)) {
-      return false;
-    }
-  }
-  return true;
-}
 function loadGithubReviewThreads(projectRoot, repoName, prNumber) {
   const [owner, name] = repoName.split("/");
   if (!owner || !name) {
@@ -4975,7 +6116,7 @@ function filterActionableGithubGreptileThreads(threads) {
       return [];
     }
     const comments = thread.comments?.nodes || [];
-    const latestGreptileComment = [...comments].reverse().find((comment) => isGreptileGithubLogin(comment.author?.login));
+    const latestGreptileComment = [...comments].reverse().find((comment) => isGreptileGithubLogin2(comment.author?.login));
     if (!latestGreptileComment?.path?.trim()) {
       return [];
     }
@@ -4997,11 +6138,6 @@ function isCommitAncestorOfPrHead(projectRoot, prState, reviewedCommit, headComm
   const repoRoot = resolvePrRepoRoot(projectRoot, prState);
   return runCapture(["git", "-C", repoRoot, "merge-base", "--is-ancestor", reviewedCommit, headCommit], projectRoot).exitCode === 0;
 }
-function stripHtml(input) {
-  return input.replace(/<[^>]+>/g, " ").replace(/&nbsp;/g, " ").replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/\r/g, "").replace(/\n{3,}/g, `
-
-`).trim();
-}
 function summarizeComment(input) {
   const text = stripHtml(input).replace(/\s+/g, " ").trim();
   return text.length > 160 ? `${text.slice(0, 157)}...` : text;
@@ -5010,31 +6146,14 @@ function asGreptileInfrastructureWarning(reason) {
   return reason.startsWith("[AI Review]") ? reason.replace("[AI Review]", "[AI Review Warning]") : reason;
 }
 function isAiReviewApproved(input) {
+  if (input.aiVerdict === "REJECT" && input.aiReasons.length > 0) {
+    return false;
+  }
   if (input.reviewMode !== "required") {
     return true;
   }
   return input.aiVerdict === "APPROVE" && input.aiReasons.length === 0;
 }
-function parseGreptileScore(input) {
-  const text = stripHtml(input);
-  const patterns = [
-    /confidence score:\s*(\d+)\s*\/\s*(\d+)/i,
-    /\bscore:\s*(\d+)\s*\/\s*(\d+)/i,
-    /\b(\d+)\s*\/\s*(\d+)\s*(?:confidence|score)/i
-  ];
-  for (const pattern of patterns) {
-    const match = pattern.exec(text);
-    if (!match) {
-      continue;
-    }
-    const value = Number.parseInt(match[1] || "", 10);
-    const scale = Number.parseInt(match[2] || "", 10);
-    if (Number.isFinite(value) && Number.isFinite(scale) && scale > 0) {
-      return { value, scale };
-    }
-  }
-  return null;
-}
 
 // packages/runtime/src/control-plane/provider/runtime-instructions.ts
 var CLAUDE_ROUTER_TOOL_NAMES = [
@@ -5983,12 +7102,12 @@ var TASK_ARTIFACT_STAGE_FALLBACK = new Set([
   "task-result.json",
   "validation-summary.json"
 ]);
-function resolveHostRigBinDir(root) {
-  return resolve24(root, ".rig", "bin");
-}
 function isRuntimeGatewayGitPath(candidate) {
   return /\/\.rig\/bin\/git$/.test(candidate.replace(/\\/g, "/"));
 }
+function isRuntimeGatewayGhPath(candidate) {
+  return /\/\.rig\/bin\/gh$/.test(candidate.replace(/\\/g, "/"));
+}
 function resolveOptionalMonorepoRoot(projectRoot) {
   const runtimeWorkspace = process.env.RIG_TASK_WORKSPACE?.trim();
   if (runtimeWorkspace && existsSync21(resolve24(runtimeWorkspace, ".git"))) {
@@ -6023,6 +7142,9 @@ function resolveGitBinary(projectRoot) {
   }
   return "git";
 }
+function escapeRegExp2(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
 function safeCurrentTaskId(projectRoot) {
   try {
     const taskId = currentTaskId(projectRoot);
@@ -6181,17 +7303,15 @@ function gitOpenPr(options) {
   const target = options.target || (taskId ? "monorepo" : "project");
   let repoRoot = options.projectRoot;
   let repoLabel = "project-rig";
-  let defaultBase = process.env.RIG_PR_BASE_PROJECT || "main";
+  const envBase = target === "monorepo" ? process.env.RIG_PR_BASE_MONOREPO?.trim() || "" : process.env.RIG_PR_BASE_PROJECT?.trim() || "";
   if (target === "monorepo") {
     repoRoot = resolveOptionalMonorepoRoot(options.projectRoot) || resolveMonorepoRoot2(options.projectRoot);
     repoLabel = "monorepo";
-    defaultBase = process.env.RIG_PR_BASE_MONOREPO || "main";
     if (taskId) {
       gitSyncBranch(options.projectRoot, taskId, "monorepo");
     }
   } else if (taskId) {
     gitSyncBranch(options.projectRoot, taskId, "project");
-    defaultBase = inferProjectBase(options.projectRoot, defaultBase);
   }
   if (!existsSync21(resolve24(repoRoot, ".git"))) {
     throw new Error(`Repository not available for open-pr target ${target}: ${repoRoot}`);
@@ -6200,9 +7320,9 @@ function gitOpenPr(options) {
   if (!branch || branch === "HEAD") {
     throw new Error(`Cannot open PR from detached HEAD in ${repoLabel}. Checkout a branch first.`);
   }
-  const base = options.base || defaultBase;
   const repoNameWithOwner = resolveRepoNameWithOwner(options.projectRoot, repoRoot);
   const networkRemote = resolveNetworkRemoteName(options.projectRoot, repoRoot, repoNameWithOwner);
+  const base = options.base || envBase || inferRepositoryDefaultBase(options.projectRoot, repoRoot, repoNameWithOwner, networkRemote, target === "project" ? inferProjectBase(options.projectRoot, "main") : "main");
   refreshRemoteBaseRef(options.projectRoot, repoRoot, base);
   let reviewer = (options.reviewer || "").trim();
   let reviewerSource = reviewer ? "flag" : undefined;
@@ -6238,10 +7358,11 @@ function gitOpenPr(options) {
     "",
     "## Task",
     `- beads: ${taskId || "n/a"}`,
+    ...defaultPrRunLines(taskId, repoNameWithOwner),
     "",
     "## Review",
     "- Completion verification will run validation, verifier review, and PR policy checks.",
-    "- When repository policy allows it, Rig enables GitHub auto-merge after approval."
+    "- When repository policy allows it, Rig attempts an immediate strict-gated, head-locked merge after approval."
   ].join(`
 `);
   const preCheck = runCapture2(withGhRepo([gh, "pr", "list", "--state", "merged", "--head", branch, "--json", "url,mergedAt", "--jq", ".[0]"], repoNameWithOwner), repoRoot);
@@ -6329,6 +7450,30 @@ function gitOpenPr(options) {
   }
   return result;
 }
+function defaultPrRunLines(taskId, repoNameWithOwner) {
+  const lines = [];
+  const runId = process.env.RIG_SERVER_RUN_ID?.trim();
+  if (runId) {
+    lines.push(`- Run: ${runId}`);
+  }
+  const closeout = defaultPrCloseoutLine(taskId, repoNameWithOwner);
+  if (closeout) {
+    lines.push(`- ${closeout}`);
+  }
+  return lines;
+}
+function defaultPrCloseoutLine(taskId, repoNameWithOwner) {
+  const sourceIssueId = loadRuntimeContextFromEnv()?.sourceTask?.sourceIssueId;
+  if (sourceIssueId) {
+    const match = sourceIssueId.match(/^([^#]+)#(\d+)$/);
+    if (match?.[1] && match[2]) {
+      const sourceRepo = match[1];
+      const issueNumber = match[2];
+      return sourceRepo.toLowerCase() === repoNameWithOwner.toLowerCase() ? `Closes #${issueNumber}` : `Closes ${sourceRepo}#${issueNumber}`;
+    }
+  }
+  return /^\d+$/.test(taskId) ? `Closes #${taskId}` : "";
+}
 function readPrViewState(gh, repoRoot, repoNameWithOwner, prUrl) {
   const view = runCapture2(withGhRepo([
     gh,
@@ -6479,32 +7624,19 @@ function resolveGithubCliBinary(projectRoot) {
   if (explicit) {
     candidates.add(explicit);
   }
+  for (const candidate of ["/usr/bin/gh", "/opt/homebrew/bin/gh", "/usr/local/bin/gh"]) {
+    candidates.add(candidate);
+  }
   const explicitPathEntries = (process.env.PATH || "").split(":").map((entry) => entry.trim()).filter(Boolean);
   for (const entry of explicitPathEntries) {
     candidates.add(resolve24(entry, "gh"));
   }
-  const hostProjectRoot = process.env.RIG_HOST_PROJECT_ROOT?.trim();
-  if (hostProjectRoot) {
-    candidates.add(resolve24(resolveHostRigBinDir(hostProjectRoot), "gh"));
-  }
-  candidates.add(resolve24(resolveHostRigBinDir(projectRoot), "gh"));
-  const runtimeContext = loadRuntimeContextFromEnv();
-  if (runtimeContext?.binDir) {
-    candidates.add(resolve24(runtimeContext.binDir, "gh"));
-  }
-  const runtimeHome = process.env.RIG_RUNTIME_HOME?.trim();
-  if (runtimeHome) {
-    candidates.add(resolve24(runtimeHome, "bin", "gh"));
-  }
-  for (const candidate of ["/opt/homebrew/bin/gh", "/usr/local/bin/gh", "/usr/bin/gh"]) {
-    candidates.add(candidate);
-  }
   const bunResolved = Bun.which("gh");
   if (bunResolved) {
     candidates.add(bunResolved);
   }
   for (const candidate of candidates) {
-    if (candidate && existsSync21(candidate)) {
+    if (candidate && existsSync21(candidate) && !isRuntimeGatewayGhPath(candidate)) {
       return candidate;
     }
   }
@@ -6653,6 +7785,32 @@ function withGhRepo(command, repoNameWithOwner) {
   }
   return [command[0], command[1], command[2], ...ghRepoArgs(repoNameWithOwner), ...command.slice(3)];
 }
+function inferRepositoryDefaultBase(projectRoot, repoRoot, repoNameWithOwner, remoteName, fallback) {
+  const remote = remoteName || "origin";
+  const symbolic = runCapture2(gitCmd(projectRoot, repoRoot, "symbolic-ref", "--short", `refs/remotes/${remote}/HEAD`), projectRoot);
+  if (symbolic.exitCode === 0) {
+    const ref = symbolic.stdout.trim().replace(new RegExp(`^${escapeRegExp2(remote)}/`), "");
+    if (ref && ref !== "HEAD") {
+      return ref;
+    }
+  }
+  const lsRemote = runCapture2(gitCmd(projectRoot, repoRoot, "ls-remote", "--symref", remote, "HEAD"), projectRoot);
+  if (lsRemote.exitCode === 0) {
+    const match = lsRemote.stdout.match(/^ref:\s+refs\/heads\/([^\t\r\n]+)\s+HEAD/m);
+    if (match?.[1]) {
+      return match[1];
+    }
+  }
+  const gh = resolveGithubCliBinary(projectRoot);
+  if (gh && repoNameWithOwner) {
+    const api = runCapture2(withGhRepo([gh, "repo", "view", "--json", "defaultBranchRef", "--jq", ".defaultBranchRef.name"], repoNameWithOwner), repoRoot);
+    const branch = api.exitCode === 0 ? api.stdout.trim() : "";
+    if (branch) {
+      return branch;
+    }
+  }
+  return fallback;
+}
 function inferProjectBase(projectRoot, fallback) {
   const containing = runCapture2(gitCmd(projectRoot, projectRoot, "branch", "-r", "--contains", "HEAD"), projectRoot);
   if (containing.exitCode !== 0) {
@@ -7034,6 +8192,10 @@ function runtimeGitEnv(projectRoot) {
     }
     env[key] = value;
   }
+  const rigGithubToken = process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  if (rigGithubToken && !env.GITHUB_TOKEN && !env.GH_TOKEN) {
+    env.GITHUB_TOKEN = rigGithubToken;
+  }
   if (!env.GITHUB_TOKEN && env.GH_TOKEN) {
     env.GITHUB_TOKEN = env.GH_TOKEN;
   }
@@ -7057,6 +8219,13 @@ function runtimeGitEnv(projectRoot) {
   if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
     env.GH_TOKEN = env.GITHUB_TOKEN;
   }
+  const gitHubToken = env.GITHUB_TOKEN || env.GH_TOKEN || env.RIG_GITHUB_TOKEN || rigGithubToken;
+  if (gitHubToken) {
+    env.RIG_GITHUB_TOKEN = gitHubToken;
+    env.GITHUB_TOKEN = env.GITHUB_TOKEN || gitHubToken;
+    env.GH_TOKEN = env.GH_TOKEN || gitHubToken;
+    applyGitHubCredentialHelperEnv(env);
+  }
   if (runtimeKnownHosts && existsSync21(runtimeKnownHosts)) {
     const sshParts = [
       "ssh",
@@ -7073,6 +8242,14 @@ function runtimeGitEnv(projectRoot) {
   }
   return Object.keys(env).length > 0 ? env : undefined;
 }
+function applyGitHubCredentialHelperEnv(env) {
+  env.GIT_TERMINAL_PROMPT = "0";
+  env.GIT_CONFIG_COUNT = "2";
+  env.GIT_CONFIG_KEY_0 = "credential.helper";
+  env.GIT_CONFIG_VALUE_0 = "";
+  env.GIT_CONFIG_KEY_1 = "credential.helper";
+  env.GIT_CONFIG_VALUE_1 = '!f() { test "$1" = get || exit 0; token="${GITHUB_TOKEN:-${GH_TOKEN:-${RIG_GITHUB_TOKEN:-}}}"; test -n "$token" || exit 0; echo username=x-access-token; echo password="$token"; }; f';
+}
 function loadPersistedRuntimeSecrets(runtimeRoot) {
   if (!runtimeRoot) {
     return {};