@h-rig/runtime 0.0.6-alpha.3 → 0.0.6-alpha.30

package/dist/src/control-plane/native/pr-review-gate.js

@@ -0,0 +1,1455 @@
+// @bun
+// packages/runtime/src/control-plane/native/pr-review-gate.ts
+import { mkdirSync, writeFileSync } from "fs";
+import { resolve } from "path";
+
+// packages/runtime/src/control-plane/runtime/baked-secrets.ts
+var BAKED_RUNTIME_SECRETS = {
+  ANTHROPIC_API_KEY: typeof RIG_BAKED_ANTHROPIC_API_KEY !== "undefined" ? RIG_BAKED_ANTHROPIC_API_KEY : "",
+  OPENAI_API_KEY: typeof RIG_BAKED_OPENAI_API_KEY !== "undefined" ? RIG_BAKED_OPENAI_API_KEY : "",
+  OPENROUTER_API_KEY: typeof RIG_BAKED_OPENROUTER_API_KEY !== "undefined" ? RIG_BAKED_OPENROUTER_API_KEY : "",
+  AI_REVIEW_MODE: typeof RIG_BAKED_AI_REVIEW_MODE !== "undefined" ? RIG_BAKED_AI_REVIEW_MODE : "",
+  AI_REVIEW_PROVIDER: typeof RIG_BAKED_AI_REVIEW_PROVIDER !== "undefined" ? RIG_BAKED_AI_REVIEW_PROVIDER : "",
+  GREPTILE_API_BASE: typeof RIG_BAKED_GREPTILE_API_BASE !== "undefined" ? RIG_BAKED_GREPTILE_API_BASE : "",
+  GREPTILE_REMOTE: typeof RIG_BAKED_GREPTILE_REMOTE !== "undefined" ? RIG_BAKED_GREPTILE_REMOTE : "",
+  GREPTILE_REPOSITORY: typeof RIG_BAKED_GREPTILE_REPOSITORY !== "undefined" ? RIG_BAKED_GREPTILE_REPOSITORY : "",
+  GREPTILE_CONTEXT_BRANCH: typeof RIG_BAKED_GREPTILE_CONTEXT_BRANCH !== "undefined" ? RIG_BAKED_GREPTILE_CONTEXT_BRANCH : "",
+  GREPTILE_DEFAULT_BRANCH: typeof RIG_BAKED_GREPTILE_DEFAULT_BRANCH !== "undefined" ? RIG_BAKED_GREPTILE_DEFAULT_BRANCH : "",
+  GREPTILE_API_KEY: typeof RIG_BAKED_GREPTILE_API_KEY !== "undefined" ? RIG_BAKED_GREPTILE_API_KEY : "",
+  GREPTILE_GITHUB_TOKEN: typeof RIG_BAKED_GREPTILE_GITHUB_TOKEN !== "undefined" ? RIG_BAKED_GREPTILE_GITHUB_TOKEN : "",
+  GREPTILE_POLL_ATTEMPTS: typeof RIG_BAKED_GREPTILE_POLL_ATTEMPTS !== "undefined" ? RIG_BAKED_GREPTILE_POLL_ATTEMPTS : "",
+  GREPTILE_POLL_INTERVAL_MS: typeof RIG_BAKED_GREPTILE_POLL_INTERVAL_MS !== "undefined" ? RIG_BAKED_GREPTILE_POLL_INTERVAL_MS : "",
+  GH_TOKEN: typeof RIG_BAKED_GITHUB_TOKEN !== "undefined" ? RIG_BAKED_GITHUB_TOKEN : "",
+  GITHUB_TOKEN: typeof RIG_BAKED_GITHUB_TOKEN !== "undefined" ? RIG_BAKED_GITHUB_TOKEN : "",
+  GITHUB_SSH_KEY: typeof RIG_BAKED_GITHUB_SSH_KEY !== "undefined" ? RIG_BAKED_GITHUB_SSH_KEY : "",
+  AWS_ACCESS_KEY_ID: typeof RIG_BAKED_AWS_ACCESS_KEY_ID !== "undefined" ? RIG_BAKED_AWS_ACCESS_KEY_ID : "",
+  AWS_SECRET_ACCESS_KEY: typeof RIG_BAKED_AWS_SECRET_ACCESS_KEY !== "undefined" ? RIG_BAKED_AWS_SECRET_ACCESS_KEY : "",
+  AWS_REGION: typeof RIG_BAKED_AWS_REGION !== "undefined" ? RIG_BAKED_AWS_REGION : "",
+  LINEAR_API_KEY: typeof RIG_BAKED_LINEAR_API_KEY !== "undefined" ? RIG_BAKED_LINEAR_API_KEY : "",
+  LINEAR_WEBHOOK_SECRET: typeof RIG_BAKED_LINEAR_WEBHOOK_SECRET !== "undefined" ? RIG_BAKED_LINEAR_WEBHOOK_SECRET : ""
+};
+function resolveRuntimeSecrets(env, baked = BAKED_RUNTIME_SECRETS) {
+  const resolved = {};
+  const keys = new Set([
+    ...Object.keys(BAKED_RUNTIME_SECRETS),
+    ...Object.keys(baked)
+  ]);
+  for (const key of keys) {
+    const envValue = env[key]?.trim();
+    const bakedValue = baked[key]?.trim();
+    if (envValue) {
+      resolved[key] = envValue;
+    } else if (bakedValue) {
+      resolved[key] = bakedValue;
+    }
+  }
+  return resolved;
+}
+
+// packages/runtime/src/control-plane/native/pr-review-gate.ts
+function parseJsonObject(value) {
+  if (!value?.trim())
+    return { value: {}, error: "empty JSON output" };
+  try {
+    const parsed = JSON.parse(value);
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? { value: parsed } : { value: {}, error: "JSON output was not an object" };
+  } catch (error) {
+    return { value: {}, error: error instanceof Error ? error.message : String(error) };
+  }
+}
+function flattenPaginatedArray(value) {
+  if (!Array.isArray(value))
+    return null;
+  if (value.every((entry) => Array.isArray(entry))) {
+    return value.flatMap((entry) => entry);
+  }
+  return value;
+}
+function parseConcatenatedJsonValues(value) {
+  const text = value.trim();
+  const docs = [];
+  let start = null;
+  let depth = 0;
+  let inString = false;
+  let escape = false;
+  for (let index = 0;index < text.length; index += 1) {
+    const char = text[index];
+    if (start === null) {
+      if (/\s/.test(char))
+        continue;
+      start = index;
+    }
+    if (inString) {
+      if (escape) {
+        escape = false;
+      } else if (char === "\\") {
+        escape = true;
+      } else if (char === '"') {
+        inString = false;
+      }
+      continue;
+    }
+    if (char === '"') {
+      inString = true;
+      continue;
+    }
+    if (char === "{" || char === "[") {
+      depth += 1;
+      continue;
+    }
+    if (char === "}" || char === "]") {
+      depth -= 1;
+      if (depth < 0)
+        return { value: docs, error: "unexpected JSON close delimiter" };
+      if (depth === 0 && start !== null) {
+        const segment = text.slice(start, index + 1);
+        try {
+          docs.push(JSON.parse(segment));
+        } catch (error) {
+          return { value: docs, error: error instanceof Error ? error.message : String(error) };
+        }
+        start = null;
+      }
+    }
+  }
+  if (inString || depth !== 0 || start !== null)
+    return { value: docs, error: "incomplete JSON stream" };
+  return { value: docs };
+}
+function parseJsonArray(value) {
+  if (!value?.trim())
+    return { value: [], error: "empty JSON output" };
+  try {
+    const parsed = JSON.parse(value);
+    const flattened = flattenPaginatedArray(parsed);
+    return flattened ? { value: flattened } : { value: [], error: "JSON output was not an array" };
+  } catch (error) {
+    const streamed = parseConcatenatedJsonValues(value);
+    if (streamed.error)
+      return { value: [], error: error instanceof Error ? error.message : String(error) };
+    const flattened = streamed.value.flatMap((entry) => flattenPaginatedArray(entry) ?? []);
+    return flattened.length > 0 || streamed.value.length === 0 ? { value: flattened } : { value: [], error: "JSON output was not an array" };
+  }
+}
+function parseGithubPrUrl(prUrl) {
+  const match = /^https?:\/\/github\.com\/([^/]+)\/([^/]+)\/pull\/(\d+)\/?$/i.exec(prUrl.trim());
+  if (!match)
+    return null;
+  const prNumber = Number.parseInt(match[3], 10);
+  if (!Number.isFinite(prNumber))
+    return null;
+  return { owner: match[1], repo: match[2], repoName: `${match[1]}/${match[2]}`, prNumber };
+}
+function checkName(check) {
+  return String(check.name ?? check.context ?? "").trim();
+}
+function checkState(check) {
+  return String(check.conclusion ?? check.state ?? check.status ?? "").trim().toLowerCase();
+}
+function isGreptileLabel(value) {
+  return String(value ?? "").toLowerCase().includes("greptile");
+}
+function isGreptileGithubLogin(value) {
+  const login = String(value ?? "").toLowerCase().replace(/\[bot\]$/, "");
+  return login === "greptile" || login === "greptile-ai" || login === "greptileai" || login === "greptile-apps";
+}
+function isPassingCheck(check) {
+  const state = checkState(check);
+  return ["success", "successful", "passed", "neutral", "skipped", "completed"].includes(state);
+}
+function isPendingCheck(check) {
+  const state = checkState(check);
+  return ["pending", "queued", "in_progress", "waiting", "requested", "expected", "action_required"].includes(state);
+}
+function isFailingCheck(check) {
+  const state = checkState(check);
+  return ["failure", "failed", "timed_out", "action_required", "cancelled", "canceled", "error"].includes(state);
+}
+function wildcardToRegExp(pattern) {
+  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+  return new RegExp(`^${escaped}$`, "i");
+}
+function isAllowedFailure(name, allowedFailures) {
+  return allowedFailures.some((pattern) => wildcardToRegExp(pattern).test(name));
+}
+function greptileScorePatterns() {
+  return [
+    /\b(?:confidence\s+score|confidence|rating|score)\s*:?\s*(\d+)\s*\/\s*(\d+)/gi,
+    /\b(\d+)\s*\/\s*(\d+)\s*(?:confidence|rating|score)/gi,
+    /\bgreptile[^\n]{0,80}?(\d+)\s*\/\s*(\d+)/gi
+  ];
+}
+function parseGreptileScores(input) {
+  const text = stripHtml(input);
+  const seen = new Set;
+  const scores = [];
+  for (const pattern of greptileScorePatterns()) {
+    for (const match of text.matchAll(pattern)) {
+      const value = Number.parseInt(match[1] || "", 10);
+      const scale = Number.parseInt(match[2] || "", 10);
+      if (!Number.isFinite(value) || !Number.isFinite(scale) || scale <= 0)
+        continue;
+      const raw = match[0] || `${value}/${scale}`;
+      const key = `${match.index ?? -1}:${value}/${scale}:${raw.toLowerCase()}`;
+      if (seen.has(key))
+        continue;
+      seen.add(key);
+      scores.push({ value, scale, raw });
+    }
+  }
+  return scores;
+}
+function parseGreptileScore(input) {
+  return parseGreptileScores(input)[0] ?? null;
+}
+function stripHtml(input) {
+  return input.replace(/<[^>]+>/g, " ").replace(/&nbsp;/g, " ").replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/\r/g, "").replace(/\n{3,}/g, `
+
+`).trim();
+}
+function containsBlockerText(input) {
+  const text = stripHtml(input).replace(/\b(?:no|without|zero)\s+blockers?\b/gi, " ").replace(/\bno\s+changes\s+requested\b/gi, " ");
+  return /not safe(?: to merge)?|unsafe(?: to merge)?|do not merge|cannot merge|blockers?|must fix|changes requested|please fix|needs? fix|fix this|address this|\breject(?:ed|ion)?\b|\bskip(?:ped)?\b|status\s*:\s*(?:reject(?:ed)?|skip(?:ped)?|failed)/i.test(text);
+}
+function isStrictFiveOfFive(score) {
+  return score.value === 5 && score.scale === 5;
+}
+function containsConflictingScoreText(input) {
+  return parseGreptileScores(input).some((score) => !isStrictFiveOfFive(score));
+}
+function extractGreptileCommentBlock(input) {
+  const match = input.match(/<!--\s*greptile_comment\s*-->([\s\S]*?)<!--\s*\/greptile_comment\s*-->/i);
+  return match?.[1]?.trim() ?? null;
+}
+function extractGreptileBodyReviewedSha(input) {
+  const block = extractGreptileCommentBlock(input);
+  if (!block)
+    return null;
+  const commitLink = block.match(/\/commit\/([0-9a-f]{40})(?:\b|[^0-9a-f])/i);
+  return commitLink?.[1]?.toLowerCase() ?? null;
+}
+function isoAtOrAfter(value, floor) {
+  if (!value || !floor)
+    return false;
+  const valueMs = Date.parse(value);
+  const floorMs = Date.parse(floor);
+  return Number.isFinite(valueMs) && Number.isFinite(floorMs) && valueMs >= floorMs;
+}
+function greptileStatusVerdict(status) {
+  const normalized = String(status ?? "").trim().toUpperCase().replace(/[\s-]+/g, "_");
+  if (!normalized)
+    return null;
+  if (["APPROVE", "APPROVED"].includes(normalized))
+    return "approved";
+  if (["REJECT", "REJECTED", "CHANGES_REQUESTED", "CHANGE_REQUESTED"].includes(normalized))
+    return "rejected";
+  if (["SKIP", "SKIPPED"].includes(normalized))
+    return "skipped";
+  if (["FAIL", "FAILED", "FAILURE", "ERROR"].includes(normalized))
+    return "failed";
+  if (["PENDING", "QUEUED", "IN_PROGRESS", "RUNNING", "STARTED", "REQUESTED", "REVIEWING_FILES", "GENERATING_SUMMARY"].includes(normalized))
+    return "pending";
+  if (["COMPLETE", "COMPLETED"].includes(normalized))
+    return "completed";
+  return null;
+}
+function isBlockingGreptileVerdict(verdict) {
+  return verdict === "rejected" || verdict === "skipped" || verdict === "failed";
+}
+function greptileRequestTimeoutMs(env) {
+  const fallback = 30000;
+  const parsed = Number.parseInt(env.GREPTILE_REQUEST_TIMEOUT_MS || `${fallback}`, 10);
+  return Number.isFinite(parsed) && parsed >= 1000 ? parsed : fallback;
+}
+function normalizeGreptileMcpCodeReview(entry, fallbackId) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  const id = typeof record.id === "string" ? record.id.trim() : fallbackId?.trim() ?? "";
+  if (!id)
+    return null;
+  const metadataRecord = record.metadata && typeof record.metadata === "object" && !Array.isArray(record.metadata) ? record.metadata : null;
+  return {
+    id,
+    status: typeof record.status === "string" ? record.status : null,
+    createdAt: typeof record.createdAt === "string" ? record.createdAt : null,
+    body: typeof record.body === "string" ? record.body : null,
+    metadata: metadataRecord ? { checkHeadSha: typeof metadataRecord.checkHeadSha === "string" ? metadataRecord.checkHeadSha : null } : null
+  };
+}
+function uniqueGreptileCodeReviews(reviews) {
+  const seen = new Set;
+  const unique = [];
+  for (const review of reviews) {
+    if (seen.has(review.id))
+      continue;
+    seen.add(review.id);
+    unique.push(review);
+  }
+  return unique;
+}
+function selectGreptileApiReviewsForGate(reviews, headSha) {
+  const sorted = [...reviews].sort((left, right) => Date.parse(right.createdAt ?? "") - Date.parse(left.createdAt ?? ""));
+  const current = headSha ? sorted.filter((review) => review.metadata?.checkHeadSha === headSha) : [];
+  const untied = sorted.filter((review) => !review.metadata?.checkHeadSha);
+  const latest = sorted.slice(0, 1);
+  return uniqueGreptileCodeReviews([...current, ...untied, ...latest]);
+}
+function greptileApiSignalFromCodeReview(review, details) {
+  const selected = details ?? review;
+  return {
+    id: selected.id || review.id,
+    body: selected.body ?? review.body ?? null,
+    reviewedSha: selected.metadata?.checkHeadSha ?? review.metadata?.checkHeadSha ?? null,
+    status: selected.status ?? review.status ?? null
+  };
+}
+async function callGreptileMcpToolForGate(input) {
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => {
+    controller.abort(new Error(`Greptile MCP tool ${input.name} timed out after ${input.timeoutMs}ms.`));
+  }, input.timeoutMs);
+  let response;
+  try {
+    response = await input.fetchFn(input.apiBase, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${input.apiKey}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        jsonrpc: "2.0",
+        id: `rig-strict-gate-${input.name}-${Date.now()}`,
+        method: "tools/call",
+        params: { name: input.name, arguments: input.args }
+      }),
+      signal: controller.signal
+    });
+  } catch (error) {
+    if (controller.signal.aborted) {
+      throw controller.signal.reason instanceof Error ? controller.signal.reason : new Error(`Greptile MCP tool ${input.name} timed out after ${input.timeoutMs}ms.`);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+  const raw = await response.text();
+  if (!response.ok) {
+    throw new Error(`HTTP ${response.status}: ${raw}`);
+  }
+  let envelope;
+  try {
+    envelope = JSON.parse(raw);
+  } catch {
+    throw new Error(`Malformed MCP response: ${raw}`);
+  }
+  if (envelope.error?.message) {
+    throw new Error(envelope.error.message);
+  }
+  const text = (envelope.result?.content ?? []).filter((item) => item.type === "text" && typeof item.text === "string").map((item) => item.text ?? "").join(`
+`).trim();
+  if (!text) {
+    throw new Error(`MCP tool ${input.name} returned no text payload.`);
+  }
+  return text;
+}
+async function callGreptileMcpToolJsonForGate(input) {
+  const text = await callGreptileMcpToolForGate(input);
+  try {
+    return JSON.parse(text);
+  } catch {
+    throw new Error(`MCP tool ${input.name} returned malformed JSON: ${text}`);
+  }
+}
+async function collectConfiguredGreptileApiSignals(input) {
+  if (!input.enabled || input.options?.enabled === false) {
+    return { signals: [], errors: [] };
+  }
+  const env = input.options?.env ?? process.env;
+  const secrets = resolveRuntimeSecrets(env);
+  const apiKey = secrets.GREPTILE_API_KEY?.trim() ?? "";
+  if (!apiKey) {
+    return { signals: [], errors: [] };
+  }
+  const fetchFn = input.options?.fetch ?? globalThis.fetch;
+  if (typeof fetchFn !== "function") {
+    return { signals: [], errors: ["Greptile API/MCP evidence read failed: fetch is not available."] };
+  }
+  const apiBase = secrets.GREPTILE_API_BASE?.trim() || "https://api.greptile.com/mcp";
+  const remote = secrets.GREPTILE_REMOTE?.trim() || "github";
+  const repository = secrets.GREPTILE_REPOSITORY?.trim() || input.repoName;
+  const defaultBranch = secrets.GREPTILE_DEFAULT_BRANCH?.trim() || input.baseRefName?.trim() || "main";
+  const timeoutMs = greptileRequestTimeoutMs(env);
+  try {
+    const listPayload = await callGreptileMcpToolJsonForGate({
+      apiBase,
+      apiKey,
+      name: "list_code_reviews",
+      args: {
+        name: repository,
+        remote,
+        defaultBranch,
+        prNumber: input.prNumber,
+        limit: 20
+      },
+      timeoutMs,
+      fetchFn
+    });
+    const reviews = (listPayload.codeReviews ?? []).map((entry) => normalizeGreptileMcpCodeReview(entry)).filter((review) => !!review);
+    const selectedReviews = selectGreptileApiReviewsForGate(reviews, input.headSha);
+    const signals = [];
+    for (const review of selectedReviews) {
+      const detailsPayload = await callGreptileMcpToolJsonForGate({
+        apiBase,
+        apiKey,
+        name: "get_code_review",
+        args: { codeReviewId: review.id },
+        timeoutMs,
+        fetchFn
+      });
+      const details = normalizeGreptileMcpCodeReview(detailsPayload.codeReview, review.id) ?? review;
+      signals.push(greptileApiSignalFromCodeReview(review, details));
+    }
+    return { signals, errors: [] };
+  } catch (error) {
+    return {
+      signals: [],
+      errors: [`Greptile API/MCP evidence read failed: ${error instanceof Error ? error.message : String(error)}`]
+    };
+  }
+}
+function firstString(record, keys) {
+  for (const key of keys) {
+    const value = record[key];
+    if (typeof value === "string")
+      return value;
+  }
+  return "";
+}
+function arrayField(record, key) {
+  const value = record[key];
+  return Array.isArray(value) ? value : [];
+}
+async function runJsonArray(command, args, cwd) {
+  const result = await command(args, { cwd });
+  const label = `gh ${args.join(" ")}`;
+  if (result.exitCode !== 0) {
+    return { value: [], error: `${label} failed (${result.exitCode}): ${result.stderr ?? result.stdout ?? ""}`.trim() };
+  }
+  const parsed = parseJsonArray(result.stdout);
+  return parsed.error ? { value: parsed.value, error: `${label} returned invalid JSON: ${parsed.error}` } : { value: parsed.value };
+}
+async function runJsonObject(command, args, cwd) {
+  const result = await command(args, { cwd });
+  const label = `gh ${args.join(" ")}`;
+  if (result.exitCode !== 0) {
+    return { value: {}, error: `${label} failed (${result.exitCode}): ${result.stderr ?? result.stdout ?? ""}`.trim() };
+  }
+  const parsed = parseJsonObject(result.stdout);
+  return parsed.error ? { value: parsed.value, error: `${label} returned invalid JSON: ${parsed.error}` } : { value: parsed.value };
+}
+function normalizeStatusCheck(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  const name = firstString(record, ["name", "context"]);
+  if (!name.trim())
+    return null;
+  const output = record.output && typeof record.output === "object" && !Array.isArray(record.output) ? record.output : null;
+  const app = record.app && typeof record.app === "object" && !Array.isArray(record.app) ? record.app : null;
+  return {
+    __typename: typeof record.__typename === "string" ? record.__typename : null,
+    name,
+    context: typeof record.context === "string" ? record.context : null,
+    status: typeof record.status === "string" ? record.status : null,
+    state: typeof record.state === "string" ? record.state : null,
+    conclusion: typeof record.conclusion === "string" ? record.conclusion : null,
+    detailsUrl: typeof record.detailsUrl === "string" ? record.detailsUrl : typeof record.details_url === "string" ? record.details_url : typeof record.html_url === "string" ? record.html_url : typeof record.link === "string" ? record.link : null,
+    link: typeof record.link === "string" ? record.link : typeof record.html_url === "string" ? record.html_url : null,
+    headSha: typeof record.headSha === "string" ? record.headSha : null,
+    head_sha: typeof record.head_sha === "string" ? record.head_sha : null,
+    output: output ? {
+      title: typeof output.title === "string" ? output.title : null,
+      summary: typeof output.summary === "string" ? output.summary : null,
+      text: typeof output.text === "string" ? output.text : null
+    } : null,
+    app: app ? {
+      slug: typeof app.slug === "string" ? app.slug : null,
+      name: typeof app.name === "string" ? app.name : null,
+      owner: app.owner && typeof app.owner === "object" ? app.owner : null
+    } : null
+  };
+}
+function normalizeReview(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  return {
+    id: typeof record.id === "string" ? record.id : typeof record.id === "number" ? String(record.id) : null,
+    state: typeof record.state === "string" ? record.state : null,
+    body: typeof record.body === "string" ? record.body : null,
+    commit_id: typeof record.commit_id === "string" ? record.commit_id : typeof record.commitId === "string" ? record.commitId : record.commit && typeof record.commit === "object" && typeof record.commit.oid === "string" ? record.commit.oid : null,
+    html_url: typeof record.html_url === "string" ? record.html_url : typeof record.url === "string" ? record.url : null,
+    author: record.author && typeof record.author === "object" ? record.author : record.user && typeof record.user === "object" ? record.user : null
+  };
+}
+function normalizeReviewComment(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  const body = typeof record.body === "string" ? record.body : null;
+  const path = typeof record.path === "string" ? record.path : null;
+  if (!body && !path)
+    return null;
+  return {
+    id: typeof record.id === "string" || typeof record.id === "number" ? record.id : null,
+    user: record.user && typeof record.user === "object" ? record.user : null,
+    author: record.author && typeof record.author === "object" ? record.author : null,
+    body,
+    path,
+    html_url: typeof record.html_url === "string" ? record.html_url : null,
+    url: typeof record.url === "string" ? record.url : null,
+    commit_id: typeof record.commit_id === "string" ? record.commit_id : null,
+    original_commit_id: typeof record.original_commit_id === "string" ? record.original_commit_id : null
+  };
+}
+function normalizeIssueComment(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  const body = typeof record.body === "string" ? record.body : null;
+  if (!body)
+    return null;
+  return {
+    id: typeof record.id === "string" || typeof record.id === "number" ? record.id : null,
+    user: record.user && typeof record.user === "object" ? record.user : null,
+    author: record.author && typeof record.author === "object" ? record.author : null,
+    body,
+    html_url: typeof record.html_url === "string" ? record.html_url : null,
+    url: typeof record.url === "string" ? record.url : null,
+    created_at: typeof record.created_at === "string" ? record.created_at : null
+  };
+}
+function normalizeReviewThread(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  return {
+    id: typeof record.id === "string" ? record.id : null,
+    isResolved: typeof record.isResolved === "boolean" ? record.isResolved : null,
+    isOutdated: typeof record.isOutdated === "boolean" ? record.isOutdated : null,
+    comments: record.comments && typeof record.comments === "object" ? record.comments : null
+  };
+}
+function relevantIssueComment(comment) {
+  const login = comment.user?.login ?? comment.author?.login ?? "";
+  const body = comment.body ?? "";
+  return isGreptileGithubLogin(login) || containsBlockerText(body) || /greptile|score|confidence|\b\d+\s*\/\s*5\b/i.test(body);
+}
+function latestThreadComment(thread) {
+  const nodes = thread.comments?.nodes ?? [];
+  return nodes.length > 0 ? nodes[nodes.length - 1] : null;
+}
+function unresolvedThreadSummaries(threads) {
+  return threads.flatMap((thread) => {
+    if (thread.isResolved === true || thread.isOutdated === true)
+      return [];
+    const latest = latestThreadComment(thread);
+    if (!latest)
+      return ["Unresolved review thread"];
+    const path = latest.path ? ` on ${latest.path}` : "";
+    return [`Unresolved review thread${path}: ${(latest.body ?? "").trim() || "(empty comment)"}`];
+  });
+}
+function collectBodies(evidence) {
+  return [
+    evidence.title ?? "",
+    evidence.body,
+    ...evidence.reviews.map((review) => review.body ?? ""),
+    ...evidence.changedFileReviewComments.map((comment) => comment.body ?? ""),
+    ...evidence.relevantIssueComments.map((comment) => comment.body ?? ""),
+    ...evidence.reviewThreads.flatMap((thread) => thread.comments?.nodes?.map((comment) => comment.body ?? "") ?? []),
+    ...(evidence.apiSignals ?? []).map((signal) => signal.body ?? "")
+  ].filter((body) => body.trim().length > 0);
+}
+function bodyExcerpt(body) {
+  const text = stripHtml(body).replace(/\s+/g, " ").trim();
+  return text.length > 240 ? `${text.slice(0, 237)}...` : text;
+}
+function makeGreptileSignal(input) {
+  const scores = parseGreptileScores(input.body);
+  const reviewedSha = input.reviewedSha?.trim() || null;
+  const current = reviewedSha ? reviewedSha === input.currentHeadSha : null;
+  const verdict = input.verdict ?? null;
+  const blocker = input.blocker ?? (isBlockingGreptileVerdict(verdict) || containsBlockerText(input.body));
+  const explicitApproval = input.explicitApproval ?? false;
+  return {
+    source: input.source,
+    trusted: input.trusted,
+    authorLogin: input.authorLogin ?? null,
+    reviewedSha,
+    current,
+    stale: current === false,
+    score: scores[0] ?? null,
+    scores,
+    explicitApproval,
+    verdict,
+    blocker,
+    actionable: input.actionable ?? blocker,
+    bodyExcerpt: bodyExcerpt(input.body),
+    body: input.body,
+    allScores: scores
+  };
+}
+function reviewAuthorLogin(review) {
+  return review.author?.login ?? null;
+}
+function commentAuthorLogin(comment) {
+  return comment.user?.login ?? comment.author?.login ?? null;
+}
+function collectGreptileSignals(evidence) {
+  const signals = [];
+  const greptileBodyReviewedSha = extractGreptileBodyReviewedSha(evidence.body);
+  const trustedGreptileBody = Boolean(greptileBodyReviewedSha && isGreptileGithubLogin(evidence.bodyEditorLogin) && isoAtOrAfter(evidence.bodyLastEditedAt, evidence.headCommittedDate));
+  const contextSources = [
+    { source: "pr-title", body: evidence.title ?? "" },
+    {
+      source: "pr-body",
+      body: evidence.body,
+      trusted: trustedGreptileBody,
+      authorLogin: trustedGreptileBody ? evidence.bodyEditorLogin ?? null : null,
+      reviewedSha: greptileBodyReviewedSha,
+      verdict: trustedGreptileBody ? "completed" : null
+    }
+  ];
+  for (const context of contextSources) {
+    if (!context.body.trim())
+      continue;
+    const contextBlocker = containsBlockerText(context.body);
+    if (!contextBlocker && !/greptile|score|confidence|\b\d+\s*\/\s*5\b/i.test(context.body))
+      continue;
+    signals.push(makeGreptileSignal({
+      source: context.source,
+      body: context.body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: context.trusted === true,
+      authorLogin: context.authorLogin,
+      reviewedSha: context.reviewedSha,
+      verdict: context.verdict,
+      blocker: contextBlocker,
+      actionable: contextBlocker
+    }));
+  }
+  for (const apiSignal of evidence.apiSignals ?? []) {
+    const body = [apiSignal.status ? `Status: ${apiSignal.status}` : "", apiSignal.body ?? ""].filter(Boolean).join(`
+
+`) || "Status: UNKNOWN";
+    const verdict = greptileStatusVerdict(apiSignal.status);
+    signals.push(makeGreptileSignal({
+      source: "api",
+      body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: true,
+      reviewedSha: apiSignal.reviewedSha ?? null,
+      explicitApproval: verdict === "approved",
+      verdict
+    }));
+  }
+  for (const review of evidence.reviews) {
+    const login = reviewAuthorLogin(review);
+    if (!isGreptileGithubLogin(login))
+      continue;
+    const state = String(review.state ?? "").toUpperCase();
+    const body = [state ? `Review state: ${state}` : "", review.body ?? ""].filter(Boolean).join(`
+
+`);
+    if (!body.trim())
+      continue;
+    const dismissed = state === "DISMISSED";
+    signals.push(makeGreptileSignal({
+      source: "github-review",
+      body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: !dismissed,
+      authorLogin: login,
+      reviewedSha: review.commit_id ?? null,
+      explicitApproval: undefined,
+      blocker: state === "CHANGES_REQUESTED" || undefined
+    }));
+  }
+  for (const comment of evidence.relevantIssueComments) {
+    const login = commentAuthorLogin(comment);
+    const body = comment.body ?? "";
+    if (!body.trim() || !isGreptileGithubLogin(login))
+      continue;
+    signals.push(makeGreptileSignal({
+      source: "issue-comment",
+      body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: true,
+      authorLogin: login
+    }));
+  }
+  for (const thread of evidence.reviewThreads) {
+    if (thread.isOutdated === true || thread.isResolved === true)
+      continue;
+    for (const comment of thread.comments?.nodes ?? []) {
+      const login = comment.author?.login ?? null;
+      const body = comment.body ?? "";
+      if (!body.trim() || !isGreptileGithubLogin(login))
+        continue;
+      signals.push(makeGreptileSignal({
+        source: "review-thread",
+        body,
+        currentHeadSha: evidence.currentHeadSha,
+        trusted: true,
+        authorLogin: login
+      }));
+    }
+  }
+  for (const check of evidence.checks) {
+    if (!isGreptileLabel(checkName(check)))
+      continue;
+    const reviewedSha = check.headSha ?? check.head_sha ?? null;
+    const label = `${checkName(check)} (${checkState(check) || "unknown"})`;
+    const body = [label, check.output?.title ?? "", check.output?.summary ?? "", check.output?.text ?? ""].filter((entry) => entry.trim().length > 0).join(`
+
+`);
+    signals.push(makeGreptileSignal({
+      source: "github-check",
+      body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: false,
+      reviewedSha,
+      explicitApproval: false,
+      blocker: isFailingCheck(check),
+      actionable: isFailingCheck(check)
+    }));
+  }
+  return signals;
+}
+function unresolvedGreptileThreadSummaries(threads) {
+  return threads.flatMap((thread) => {
+    if (thread.isResolved === true || thread.isOutdated === true)
+      return [];
+    const comments = thread.comments?.nodes ?? [];
+    if (!comments.some((comment) => isGreptileGithubLogin(comment.author?.login)))
+      return [];
+    const latest = latestThreadComment(thread);
+    if (!latest)
+      return ["Unresolved Greptile review thread"];
+    const path = latest.path ? ` on ${latest.path}` : "";
+    return [`Unresolved Greptile review thread${path}: ${(latest.body ?? "").trim() || "(empty comment)"}`];
+  });
+}
+function actionableChangedFileCommentSummaries(_comments) {
+  return [];
+}
+function issueLevelBlockerSummaries(comments) {
+  return comments.flatMap((comment) => {
+    const body = comment.body?.trim() ?? "";
+    if (!body || !containsBlockerText(body) && !containsConflictingScoreText(body))
+      return [];
+    const login = commentAuthorLogin(comment) ?? "unknown";
+    const author = isGreptileGithubLogin(login) ? `Greptile issue comment by ${login}` : `Issue-level PR comment by ${login}`;
+    return [`${author}: ${body}`];
+  });
+}
+function reviewBodyBlockerSummaries(reviews) {
+  return reviews.flatMap((review) => {
+    const login = reviewAuthorLogin(review) ?? "unknown";
+    if (isGreptileGithubLogin(login))
+      return [];
+    const body = review.body?.trim() ?? "";
+    if (!body || !containsBlockerText(body) && !containsConflictingScoreText(body))
+      return [];
+    const state = review.state ? ` (${review.state})` : "";
+    return [`PR review summary by ${login}${state}: ${body}`];
+  });
+}
+function signalLabel(signal) {
+  const source = signal.source.replace(/-/g, " ");
+  const author = signal.authorLogin ? ` by ${signal.authorLogin}` : "";
+  const sha = signal.reviewedSha ? ` at ${signal.reviewedSha}` : "";
+  return `${source}${author}${sha}`;
+}
+function deriveGreptileEvidence(input) {
+  const rawBodies = collectBodies(input);
+  const signals = collectGreptileSignals(input);
+  const trustedSignals = signals.filter((signal) => signal.trusted);
+  const trustedScoreEntries = trustedSignals.flatMap((signal) => signal.allScores.map((score2) => ({ score: score2, signal })));
+  const contextScoreEntries = signals.filter((signal) => !signal.trusted).flatMap((signal) => signal.allScores.map((score2) => ({ score: score2, signal })));
+  const allScoreEntries = [...trustedScoreEntries, ...contextScoreEntries];
+  const staleSignals = signals.filter((signal) => !!signal.reviewedSha && signal.reviewedSha !== input.currentHeadSha && (signal.trusted || signal.source === "github-check"));
+  const isCurrentOrUntied = (signal) => !signal.reviewedSha || signal.reviewedSha === input.currentHeadSha;
+  const currentOrUntiedScoreEntries = allScoreEntries.filter((entry) => isCurrentOrUntied(entry.signal));
+  const lowScoreEntries = currentOrUntiedScoreEntries.filter((entry) => !isStrictFiveOfFive(entry.score));
+  const currentPendingApiSignals = trustedSignals.filter((signal) => signal.source === "api" && signal.verdict === "pending" && isCurrentOrUntied(signal));
+  const signalCanApproveByScore = (signal) => {
+    if (signal.source === "api")
+      return signal.verdict === "approved" || signal.verdict === "completed";
+    return signal.verdict !== "pending" && !isBlockingGreptileVerdict(signal.verdict);
+  };
+  const approvingScoreEntry = trustedScoreEntries.find((entry) => entry.signal.reviewedSha === input.currentHeadSha && entry.signal.source !== "github-check" && signalCanApproveByScore(entry.signal) && isStrictFiveOfFive(entry.score)) ?? null;
+  const approvingExplicitSignal = trustedSignals.find((signal) => signal.source === "api" && signal.reviewedSha === input.currentHeadSha && signal.explicitApproval === true && !signal.blocker) ?? null;
+  const approvedByScore = !!approvingScoreEntry;
+  const approvedByExplicitMapping = !!approvingExplicitSignal;
+  const approvingSignal = approvingScoreEntry?.signal ?? approvingExplicitSignal;
+  const lowestScore = lowScoreEntries.map((entry) => entry.score).sort((left, right) => left.value - right.value)[0] ?? null;
+  const score = lowestScore ?? approvingScoreEntry?.score ?? trustedScoreEntries[0]?.score ?? contextScoreEntries[0]?.score ?? null;
+  const failedGreptileChecks = input.checks.filter((check) => isGreptileLabel(checkName(check)) && isFailingCheck(check)).map((check) => `${checkName(check)} (${checkState(check) || "failed"})`);
+  const blockerSignals = signals.filter((signal) => (signal.blocker || signal.actionable) && (!signal.reviewedSha || signal.reviewedSha === input.currentHeadSha));
+  const staleBlockingSignals = [];
+  const blockers = [
+    ...blockerSignals.map((signal) => `${signalLabel(signal)}: ${signal.bodyExcerpt || "blocker text"}`),
+    ...reviewBodyBlockerSummaries(input.reviews),
+    ...issueLevelBlockerSummaries(input.relevantIssueComments),
+    ...lowScoreEntries.map((entry) => `Greptile score from ${signalLabel(entry.signal)} is ${entry.score.value}/${entry.score.scale}; strict merge requires trusted current-head 5/5.`),
+    ...staleBlockingSignals.map((signal) => `Greptile blocking signal from ${signalLabel(signal)} is stale; current PR head is ${input.currentHeadSha || "unknown"}.`),
+    ...failedGreptileChecks.map((entry) => `Greptile check failed: ${entry}`)
+  ];
+  const unresolvedComments = [
+    ...unresolvedGreptileThreadSummaries(input.reviewThreads),
+    ...actionableChangedFileCommentSummaries(input.changedFileReviewComments)
+  ];
+  const greptileChecks = input.checks.filter((check) => isGreptileLabel(checkName(check)));
+  const greptileReviews = input.reviews.filter((review) => isGreptileGithubLogin(review.author?.login));
+  const completedGreptileCheck = greptileChecks.some((check) => {
+    const reviewedSha2 = check.headSha ?? check.head_sha ?? null;
+    return reviewedSha2 === input.currentHeadSha && (isPassingCheck(check) || isFailingCheck(check));
+  });
+  const completedGreptileReview = greptileReviews.some((review) => {
+    const state = String(review.state ?? "").toUpperCase();
+    const completedState = ["APPROVED", "COMMENTED", "CHANGES_REQUESTED"].includes(state) || !!review.body?.trim();
+    return completedState && review.commit_id === input.currentHeadSha;
+  });
+  const completedGreptileApi = trustedSignals.some((signal) => signal.source === "api" && signal.reviewedSha === input.currentHeadSha && (signal.verdict === "approved" || signal.verdict === "rejected" || signal.verdict === "skipped" || signal.verdict === "failed" || signal.verdict === "completed"));
+  const approvalReviewedSha = approvingSignal?.reviewedSha ?? null;
+  const reviewedSha = approvalReviewedSha ?? staleSignals[0]?.reviewedSha ?? trustedSignals.map((signal) => signal.reviewedSha ?? null).find(Boolean) ?? null;
+  const fresh = !!approvalReviewedSha && approvalReviewedSha === input.currentHeadSha;
+  const completed = completedGreptileCheck || completedGreptileReview || completedGreptileApi || !!approvingSignal;
+  const hasGreptileEvidence = trustedSignals.length > 0 || signals.some((signal) => /greptile/i.test(signal.body));
+  const approved = fresh && completed && !blockers.length && !unresolvedComments.length && currentPendingApiSignals.length === 0 && (approvedByScore || approvedByExplicitMapping);
+  const mapping = !hasGreptileEvidence ? "missing" : staleSignals.length > 0 && !approvingSignal ? "stale" : approvedByScore ? "score-5-of-5" : approvedByExplicitMapping ? "explicit-approved" : "unproven";
+  const source = approvingSignal?.source === "api" ? "api" : approvingSignal?.source === "github-review" ? "github-review" : approvingSignal?.source === "pr-body" || approvingSignal?.source === "pr-title" ? "pr-body" : approvingSignal?.source === "changed-file-comment" || approvingSignal?.source === "issue-comment" || approvingSignal?.source === "review-thread" ? "github-comment" : greptileReviews.length > 0 && greptileChecks.length > 0 ? "combined" : greptileReviews.length > 0 ? "github-review" : greptileChecks.length > 0 ? "github-check" : signals.some((signal) => signal.source === "pr-body" || signal.source === "pr-title") ? "pr-body" : "missing";
+  return {
+    source,
+    currentHeadSha: input.currentHeadSha,
+    reviewedSha,
+    fresh,
+    completed,
+    approved,
+    score,
+    explicitApproval: approvedByExplicitMapping,
+    blockers,
+    unresolvedComments,
+    rawBodies,
+    signals: signals.map(({ body: _body, allScores: _allScores, ...signal }) => signal),
+    mapping
+  };
+}
+function isGreptileCheckDetail(check) {
+  return isGreptileLabel(checkName(check)) || isGreptileGithubLogin(check.app?.slug) || isGreptileGithubLogin(check.app?.owner?.login) || isGreptileLabel(check.app?.name);
+}
+async function collectGreptileCheckDetails(input) {
+  const checkRunsRead = await runJsonObject(input.command, [
+    "api",
+    `repos/${input.repoName}/commits/${input.headSha}/check-runs`,
+    "-F",
+    "per_page=100"
+  ], input.projectRoot);
+  const checkRuns = arrayField(checkRunsRead.value, "check_runs").map(normalizeStatusCheck).filter((entry) => !!entry).filter(isGreptileCheckDetail);
+  return checkRunsRead.error ? { value: checkRuns, error: checkRunsRead.error } : { value: checkRuns };
+}
+async function collectPullRequestProvenance(input) {
+  const response = await runJsonObject(input.command, [
+    "api",
+    "graphql",
+    "-F",
+    `owner=${input.owner}`,
+    "-F",
+    `name=${input.name}`,
+    "-F",
+    `prNumber=${input.prNumber}`,
+    "-f",
+    "query=query($owner: String!, $name: String!, $prNumber: Int!) { repository(owner:$owner, name:$name) { pullRequest(number:$prNumber) { lastEditedAt editor { login } commits(last: 1) { nodes { commit { oid committedDate } } } } } }"
+  ], input.projectRoot);
+  if (response.error)
+    return { value: {}, error: response.error };
+  const data = response.value.data;
+  const repository = data?.repository;
+  const pullRequest = repository?.pullRequest;
+  if (!pullRequest)
+    return { value: {}, error: "GitHub pullRequest provenance response did not include a pullRequest object" };
+  const editor = pullRequest.editor;
+  const commits = pullRequest.commits;
+  const nodes = Array.isArray(commits?.nodes) ? commits.nodes : [];
+  const latestCommitNode = nodes[nodes.length - 1];
+  const latestCommit = latestCommitNode?.commit;
+  return {
+    value: {
+      bodyEditorLogin: typeof editor?.login === "string" ? editor.login : null,
+      bodyLastEditedAt: typeof pullRequest.lastEditedAt === "string" ? pullRequest.lastEditedAt : null,
+      headCommittedDate: typeof latestCommit?.committedDate === "string" ? latestCommit.committedDate : null
+    }
+  };
+}
+async function collectReviewThreads(input) {
+  const reviewThreads = [];
+  let afterCursor = null;
+  for (let page = 0;page < 100; page += 1) {
+    const afterLiteral = afterCursor ? JSON.stringify(afterCursor) : "null";
+    const threadsResponse = await runJsonObject(input.command, [
+      "api",
+      "graphql",
+      "-F",
+      `owner=${input.owner}`,
+      "-F",
+      `name=${input.name}`,
+      "-F",
+      `prNumber=${input.prNumber}`,
+      "-f",
+      `query=query($owner: String!, $name: String!, $prNumber: Int!) { repository(owner:$owner, name:$name) { pullRequest(number:$prNumber) { reviewThreads(first: 100, after: ${afterLiteral}) { nodes { id isResolved isOutdated comments(first: 100) { nodes { author { login } body path url createdAt } pageInfo { hasNextPage endCursor } } } pageInfo { hasNextPage endCursor } } } } }`
+    ], input.projectRoot);
+    if (threadsResponse.error) {
+      return { value: reviewThreads, error: threadsResponse.error };
+    }
+    const data = threadsResponse.value.data;
+    const repository = data?.repository;
+    const pullRequest = repository?.pullRequest;
+    const threads = pullRequest?.reviewThreads;
+    const nodes = threads?.nodes;
+    if (!Array.isArray(nodes)) {
+      return { value: reviewThreads, error: "GitHub reviewThreads response did not include a nodes array" };
+    }
+    const normalized = nodes.map(normalizeReviewThread).filter((entry) => !!entry);
+    reviewThreads.push(...normalized);
+    const truncatedCommentThread = normalized.find((thread) => thread.comments?.pageInfo?.hasNextPage === true);
+    if (truncatedCommentThread) {
+      return { value: reviewThreads, error: `GitHub review thread ${truncatedCommentThread.id ?? "unknown"} has more than 100 comments; nested pagination is incomplete` };
+    }
+    const pageInfo = threads?.pageInfo;
+    if (!pageInfo) {
+      if (nodes.length >= 100) {
+        return { value: reviewThreads, error: "GitHub reviewThreads pagination metadata missing after a full page" };
+      }
+      return { value: reviewThreads };
+    }
+    if (pageInfo.hasNextPage !== true) {
+      return { value: reviewThreads };
+    }
+    if (typeof pageInfo.endCursor !== "string" || !pageInfo.endCursor.trim()) {
+      return { value: reviewThreads, error: "GitHub reviewThreads pagination reported hasNextPage without endCursor" };
+    }
+    afterCursor = pageInfo.endCursor;
+  }
+  return { value: reviewThreads, error: "GitHub reviewThreads pagination exceeded 100 pages" };
+}
+async function collectPrReviewEvidence(input) {
+  const parsed = parseGithubPrUrl(input.prUrl);
+  if (!parsed) {
+    throw new Error(`Cannot parse GitHub PR URL: ${input.prUrl}`);
+  }
+  const readErrors = [];
+  const viewRead = await runJsonObject(input.command, [
+    "pr",
+    "view",
+    input.prUrl,
+    "--json",
+    "title,body,headRefOid,headRefName,baseRefName,state,isDraft,mergeable,mergeStateStatus,reviewDecision,reviews,statusCheckRollup"
+  ], input.projectRoot);
+  if (viewRead.error)
+    readErrors.push(viewRead.error);
+  const view = viewRead.value;
+  if (!Array.isArray(view.statusCheckRollup)) {
+    readErrors.push("gh pr view did not return required statusCheckRollup array");
+  }
+  if (!Array.isArray(view.reviews)) {
+    readErrors.push("gh pr view did not return required reviews array");
+  }
+  const headSha = firstString(view, ["headRefOid", "headSha", "head_sha"]);
+  const baseRefName = firstString(view, ["baseRefName"]);
+  const statusCheckRollup = arrayField(view, "statusCheckRollup").map(normalizeStatusCheck).filter((entry) => !!entry);
+  const reviews = arrayField(view, "reviews").map(normalizeReview).filter((entry) => !!entry);
+  const provenanceRead = await collectPullRequestProvenance({
+    command: input.command,
+    projectRoot: input.projectRoot,
+    owner: parsed.owner,
+    name: parsed.repo,
+    prNumber: parsed.prNumber
+  });
+  const provenance = provenanceRead.value;
+  const reviewCommentsRead = await runJsonArray(input.command, ["api", `repos/${parsed.repoName}/pulls/${parsed.prNumber}/comments`, "--paginate"], input.projectRoot);
+  if (reviewCommentsRead.error)
+    readErrors.push(reviewCommentsRead.error);
+  const reviewComments = reviewCommentsRead.value.map(normalizeReviewComment).filter((entry) => !!entry);
+  const issueCommentsRead = await runJsonArray(input.command, ["api", `repos/${parsed.repoName}/issues/${parsed.prNumber}/comments`, "--paginate"], input.projectRoot);
+  if (issueCommentsRead.error)
+    readErrors.push(issueCommentsRead.error);
+  const issueComments = issueCommentsRead.value.map(normalizeIssueComment).filter((entry) => !!entry).filter(relevantIssueComment);
+  const reviewThreadsRead = await collectReviewThreads({
+    command: input.command,
+    projectRoot: input.projectRoot,
+    owner: parsed.owner,
+    name: parsed.repo,
+    prNumber: parsed.prNumber
+  });
+  if (reviewThreadsRead.error)
+    readErrors.push(reviewThreadsRead.error);
+  const reviewThreads = reviewThreadsRead.value;
+  const greptileRollupChecks = statusCheckRollup.filter((check) => isGreptileLabel(checkName(check)));
+  let greptileCheckDetails = [];
+  if (headSha && greptileRollupChecks.length > 0) {
+    const checkDetailsRead = await collectGreptileCheckDetails({
+      command: input.command,
+      projectRoot: input.projectRoot,
+      repoName: parsed.repoName,
+      headSha
+    });
+    greptileCheckDetails = checkDetailsRead.value;
+  }
+  const checksWithGreptileDetails = [...statusCheckRollup, ...greptileCheckDetails];
+  const shouldCollectConfiguredGreptileApi = input.greptileApi?.enabled !== false;
+  const configuredGreptileApiRead = await collectConfiguredGreptileApiSignals({
+    enabled: shouldCollectConfiguredGreptileApi,
+    options: input.greptileApi,
+    repoName: parsed.repoName,
+    prNumber: parsed.prNumber,
+    headSha,
+    baseRefName
+  });
+  readErrors.push(...configuredGreptileApiRead.errors);
+  const apiSignals = [...input.apiSignals ?? [], ...configuredGreptileApiRead.signals];
+  const checkFailures = statusCheckRollup.filter((check) => !isGreptileLabel(checkName(check)) && isFailingCheck(check) && !isAllowedFailure(checkName(check), input.allowedFailures ?? [])).map((check) => `Check failed: ${checkName(check)}${check.detailsUrl || check.link ? ` (${check.detailsUrl ?? check.link})` : ""}`);
+  const pendingChecks = statusCheckRollup.filter((check) => isPendingCheck(check) && (isGreptileLabel(checkName(check)) || !isAllowedFailure(checkName(check), input.allowedFailures ?? []))).map((check) => `Check pending: ${checkName(check)}`);
+  const evidenceBase = {
+    title: firstString(view, ["title"]),
+    body: firstString(view, ["body"]),
+    bodyEditorLogin: provenance.bodyEditorLogin ?? null,
+    bodyLastEditedAt: provenance.bodyLastEditedAt ?? null,
+    headCommittedDate: provenance.headCommittedDate ?? null,
+    reviews,
+    changedFileReviewComments: reviewComments,
+    relevantIssueComments: issueComments,
+    reviewThreads,
+    checks: checksWithGreptileDetails,
+    currentHeadSha: headSha,
+    apiSignals
+  };
+  const greptile = deriveGreptileEvidence(evidenceBase);
+  return {
+    prUrl: input.prUrl,
+    prNumber: parsed.prNumber,
+    repoName: parsed.repoName,
+    title: evidenceBase.title,
+    body: evidenceBase.body,
+    bodyEditorLogin: evidenceBase.bodyEditorLogin,
+    bodyLastEditedAt: evidenceBase.bodyLastEditedAt,
+    headCommittedDate: evidenceBase.headCommittedDate,
+    headSha,
+    headRefName: firstString(view, ["headRefName"]),
+    baseRefName,
+    state: firstString(view, ["state"]),
+    isDraft: typeof view.isDraft === "boolean" ? view.isDraft : null,
+    mergeable: firstString(view, ["mergeable"]),
+    mergeStateStatus: firstString(view, ["mergeStateStatus"]),
+    reviewDecision: firstString(view, ["reviewDecision"]),
+    reviews,
+    reviewThreads,
+    changedFileReviewComments: reviewComments,
+    relevantIssueComments: issueComments,
+    statusCheckRollup: checksWithGreptileDetails,
+    checkFailures,
+    pendingChecks,
+    readErrors,
+    greptile
+  };
+}
+function capGateMessage(value, maxChars = 1200) {
+  const normalized = value.trim();
+  return normalized.length > maxChars ? `${normalized.slice(0, maxChars)}
+[truncated for gate summary; see full evidence artifact]` : normalized;
+}
+function evaluateEvidence(evidence) {
+  const reasonDetails = [];
+  const warnings = [];
+  const seen = new Set;
+  const addReason = (reason) => {
+    const capped = { ...reason, message: capGateMessage(reason.message) };
+    const key = `${capped.code}:${capped.message}`;
+    if (seen.has(key))
+      return;
+    seen.add(key);
+    reasonDetails.push(capped);
+  };
+  const greptile = evidence.greptile;
+  const staleSignal = greptile.signals.find((signal) => signal.reviewedSha && signal.reviewedSha !== evidence.headSha);
+  const hasPendingGreptileCheck = evidence.pendingChecks.some((check) => /greptile/i.test(check));
+  const pendingGreptileApiSignals = greptile.signals.filter((signal) => signal.source === "api" && signal.verdict === "pending" && (!signal.reviewedSha || signal.reviewedSha === evidence.headSha));
+  const unknownGreptileApiSignals = greptile.signals.filter((signal) => signal.source === "api" && !signal.verdict && (!signal.reviewedSha || signal.reviewedSha === evidence.headSha));
+  const awaitingFreshGreptileProof = hasPendingGreptileCheck || pendingGreptileApiSignals.length > 0 || !greptile.completed || greptile.mapping === "missing" || greptile.mapping === "stale";
+  for (const error of evidence.readErrors) {
+    addReason({
+      code: "read_error",
+      reasonClass: "reject",
+      surface: error.startsWith("Greptile API/MCP") ? "greptile" : "github",
+      suggestedAction: "needs_attention",
+      message: `Required PR evidence surface could not be read completely: ${error}`,
+      headSha: evidence.headSha || null
+    });
+  }
+  if (!evidence.headSha) {
+    addReason({
+      code: "missing_head_sha",
+      reasonClass: "reject",
+      surface: "github",
+      suggestedAction: "needs_attention",
+      message: "PR head SHA could not be read; current-head Greptile approval cannot be proven.",
+      headSha: null
+    });
+  }
+  for (const failure of evidence.checkFailures) {
+    addReason({
+      code: "ci_failed",
+      reasonClass: "reject",
+      surface: "ci",
+      suggestedAction: "fix",
+      message: failure,
+      headSha: evidence.headSha || null
+    });
+  }
+  for (const pendingCheck of evidence.pendingChecks) {
+    addReason({
+      code: "check_pending",
+      reasonClass: "pending",
+      surface: "ci",
+      suggestedAction: "wait",
+      message: pendingCheck,
+      headSha: evidence.headSha || null
+    });
+  }
+  const reviewDecision = String(evidence.reviewDecision ?? "").toUpperCase();
+  if (reviewDecision === "CHANGES_REQUESTED" || reviewDecision === "REVIEW_REQUIRED") {
+    addReason({
+      code: "review_decision_blocking",
+      reasonClass: "reject",
+      surface: "review",
+      suggestedAction: "fix",
+      message: `Required review is unresolved (${evidence.reviewDecision}).`,
+      headSha: evidence.headSha || null
+    });
+  }
+  for (const thread of unresolvedThreadSummaries(evidence.reviewThreads)) {
+    addReason({
+      code: "review_thread_unresolved",
+      reasonClass: "reject",
+      surface: "review",
+      suggestedAction: "fix",
+      message: thread,
+      headSha: evidence.headSha || null
+    });
+  }
+  if (greptile.mapping === "missing") {
+    addReason({
+      code: "greptile_missing",
+      reasonClass: "pending",
+      surface: "greptile",
+      suggestedAction: "wait",
+      message: "Missing Greptile check/review evidence for this PR.",
+      headSha: evidence.headSha || null
+    });
+  }
+  if (greptile.mapping === "stale" || greptile.reviewedSha && greptile.reviewedSha !== evidence.headSha || !greptile.approved && staleSignal) {
+    addReason({
+      code: "greptile_stale",
+      reasonClass: "pending",
+      surface: "greptile",
+      suggestedAction: "wait",
+      message: `Greptile evidence is stale (reviewed ${greptile.reviewedSha ?? staleSignal?.reviewedSha ?? "unknown"}, current ${evidence.headSha || "unknown"}).`,
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? staleSignal?.reviewedSha ?? null
+    });
+  }
+  for (const signal of pendingGreptileApiSignals) {
+    addReason({
+      code: "greptile_pending",
+      reasonClass: "pending",
+      surface: "greptile",
+      suggestedAction: "wait",
+      message: `Greptile API/MCP review is pending for the current PR head${signal.bodyExcerpt ? `: ${signal.bodyExcerpt}` : "."}`,
+      headSha: evidence.headSha || null,
+      reviewedSha: signal.reviewedSha ?? null
+    });
+  }
+  for (const signal of unknownGreptileApiSignals) {
+    addReason({
+      code: "greptile_api_status_unknown",
+      reasonClass: "reject",
+      surface: "greptile",
+      suggestedAction: "needs_attention",
+      message: `Greptile API/MCP review status is unknown; merge requires a known terminal APPROVED/COMPLETED 5/5 result or a known conservative status${signal.bodyExcerpt ? `: ${signal.bodyExcerpt}` : "."}`,
+      headSha: evidence.headSha || null,
+      reviewedSha: signal.reviewedSha ?? null
+    });
+  }
+  if (!greptile.completed) {
+    addReason({
+      code: "greptile_pending",
+      reasonClass: "pending",
+      surface: "greptile",
+      suggestedAction: "wait",
+      message: "Greptile check/review has not completed for the current PR head.",
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  if (!greptile.fresh) {
+    addReason({
+      code: "greptile_not_current_head",
+      reasonClass: awaitingFreshGreptileProof ? "pending" : "reject",
+      surface: "greptile",
+      suggestedAction: awaitingFreshGreptileProof ? "wait" : "ask_greptile",
+      message: "Greptile approval is not tied to the current PR head SHA.",
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  if (greptile.score && !(greptile.score.scale === 5 && greptile.score.value === 5)) {
+    addReason({
+      code: "greptile_score_not_5",
+      reasonClass: "reject",
+      surface: "greptile",
+      suggestedAction: "fix",
+      message: `Greptile score is ${greptile.score.value}/${greptile.score.scale}; strict merge requires trusted current-head 5/5.`,
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  const hasApprovedMapping = greptile.mapping === "score-5-of-5" || greptile.mapping === "explicit-approved";
+  if (!greptile.score && !hasApprovedMapping) {
+    addReason({
+      code: "greptile_score_missing",
+      reasonClass: awaitingFreshGreptileProof ? "pending" : "reject",
+      surface: "greptile",
+      suggestedAction: awaitingFreshGreptileProof ? "wait" : "ask_greptile",
+      message: "No parseable Greptile 5/5 score or direct current-head Greptile API APPROVED mapping was found from trusted evidence; merge is blocked.",
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  if (greptile.mapping === "unproven") {
+    addReason({
+      code: "greptile_mapping_unproven",
+      reasonClass: awaitingFreshGreptileProof ? "pending" : "reject",
+      surface: "greptile",
+      suggestedAction: awaitingFreshGreptileProof ? "wait" : "ask_greptile",
+      message: "Greptile approval mapping is unproven; PR body/title or a green check alone cannot approve merge.",
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  for (const blocker of greptile.blockers) {
+    addReason({
+      code: "greptile_blocker_text",
+      reasonClass: "reject",
+      surface: "greptile",
+      suggestedAction: "fix",
+      message: `Greptile/blocker text: ${blocker}`,
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  for (const comment of greptile.unresolvedComments) {
+    addReason({
+      code: "greptile_unresolved_comment",
+      reasonClass: "reject",
+      surface: "greptile",
+      suggestedAction: "fix",
+      message: comment,
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  if (!greptile.approved)
+    warnings.push(`Greptile approval mapping is ${greptile.mapping}.`);
+  const pending = reasonDetails.length > 0 && reasonDetails.every((reason) => reason.reasonClass === "pending");
+  return { reasons: reasonDetails.map((reason) => reason.message), reasonDetails, warnings, pending };
+}
+function evaluateStrictPrMergeGate(evidence) {
+  const evaluated = evaluateEvidence(evidence);
+  const approved = evaluated.reasonDetails.length === 0 && evidence.greptile.approved;
+  return {
+    approved,
+    pending: evaluated.pending,
+    reasons: evaluated.reasons,
+    reasonDetails: evaluated.reasonDetails,
+    warnings: evaluated.warnings,
+    actionableFeedback: evaluated.reasons,
+    evidence
+  };
+}
+function strictMergeHeadShaFromGate(result, prUrl) {
+  if (!result.approved) {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate is not approved.`);
+  }
+  if (result.evidence.prUrl !== prUrl) {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate evidence belongs to ${result.evidence.prUrl}.`);
+  }
+  const headSha = result.evidence.headSha?.trim();
+  if (!headSha) {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate did not provide a current head SHA.`);
+  }
+  if (!/^[0-9a-f]{40}$/i.test(headSha)) {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate head is not a raw 40-character commit SHA.`);
+  }
+  if (!result.evidence.greptile.fresh || result.evidence.greptile.currentHeadSha !== headSha) {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate approval is not tied to head ${headSha}.`);
+  }
+  if (result.evidence.greptile.mapping !== "score-5-of-5" && result.evidence.greptile.mapping !== "explicit-approved") {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate mapping is ${result.evidence.greptile.mapping}.`);
+  }
+  return headSha;
+}
+function promptExcerpt(value, maxChars = 4000) {
+  return value.length > maxChars ? `${value.slice(0, maxChars)}
+
+[truncated for prompt; see full evidence artifact]` : value;
+}
+function promptJsonExcerpt(value, maxChars = 6000) {
+  return promptExcerpt(JSON.stringify(value, null, 2), maxChars);
+}
+function buildStrictPrGateSteeringPrompt(result) {
+  const evidence = result.evidence;
+  const unresolvedReviewThreads = evidence.reviewThreads.filter((thread) => thread.isResolved !== true && thread.isOutdated !== true);
+  const displayedReasons = result.reasons.slice(0, 20).map((reason) => `- ${promptExcerpt(reason, 1200)}`);
+  if (result.reasons.length > displayedReasons.length) {
+    displayedReasons.push(`- ${result.reasons.length - displayedReasons.length} additional gate reasons omitted from prompt; see merge-gate-result.json.`);
+  }
+  const lines = [
+    `Strict PR merge gate blocked ${evidence.prUrl}.`,
+    `PR title: ${evidence.title || "(empty)"}`,
+    `Current PR head SHA: ${evidence.headSha || "unknown"}`,
+    `Greptile mapping: ${evidence.greptile.mapping}`,
+    evidence.greptile.score ? `Greptile score: ${evidence.greptile.score.value}/${evidence.greptile.score.scale}` : "Greptile score: not proven",
+    "",
+    "Gate reasons:",
+    ...displayedReasons.length ? displayedReasons : ["- No reasons recorded"],
+    "",
+    "Structured gate reason details:",
+    result.reasonDetails.length ? promptJsonExcerpt(result.reasonDetails, 4000) : "[]",
+    "",
+    "Required evidence read status:",
+    evidence.readErrors.length ? promptJsonExcerpt(evidence.readErrors, 2000) : "All required PR evidence surfaces were read completely.",
+    "",
+    "Full PR title:",
+    evidence.title || "(empty)",
+    "",
+    "PR body excerpt:",
+    evidence.body ? promptExcerpt(evidence.body) : "(empty)",
+    "",
+    "All review comments on changed files:",
+    evidence.changedFileReviewComments.length ? promptJsonExcerpt(evidence.changedFileReviewComments) : "[]",
+    "",
+    "Unresolved review threads:",
+    unresolvedReviewThreads.length ? promptJsonExcerpt(unresolvedReviewThreads) : "[]",
+    "",
+    "Relevant issue-level PR comments:",
+    evidence.relevantIssueComments.length ? promptJsonExcerpt(evidence.relevantIssueComments) : "[]",
+    "",
+    "CI/check failures and pending checks:",
+    promptJsonExcerpt({ failures: evidence.checkFailures, pending: evidence.pendingChecks, rollup: evidence.statusCheckRollup }),
+    "",
+    "Greptile evidence:",
+    promptJsonExcerpt(evidence.greptile)
+  ];
+  if (result.artifacts) {
+    lines.push("", "Full evidence artifacts:", JSON.stringify(result.artifacts, null, 2));
+  }
+  return lines.join(`
+`);
+}
+function persistPrReviewCycleArtifacts(input) {
+  const cycleName = input.final ? `${input.cycle}-final` : String(input.cycle);
+  const taskArtifactRoot = input.artifactRoot?.trim() ? input.artifactRoot : resolve(input.projectRoot, "artifacts", input.taskId);
+  const root = resolve(taskArtifactRoot, "pr-review-cycles", cycleName);
+  mkdirSync(root, { recursive: true });
+  const finalMergeGateResultPath = input.final ? resolve(taskArtifactRoot, "merge-gate-final.json") : undefined;
+  const paths = {
+    root,
+    prTitlePath: resolve(root, "pr-title.md"),
+    prBodyPath: resolve(root, "pr-body.md"),
+    prCommentsPath: resolve(root, "pr-comments.json"),
+    reviewThreadsPath: resolve(root, "review-threads.json"),
+    reviewCommentsPath: resolve(root, "review-comments.json"),
+    checkRollupPath: resolve(root, "check-rollup.json"),
+    greptileEvidencePath: resolve(root, "greptile-evidence.json"),
+    mergeGateResultPath: resolve(root, "merge-gate-result.json"),
+    steeringPromptPath: resolve(root, "agent-steering-prompt.md"),
+    ...finalMergeGateResultPath ? { finalMergeGateResultPath } : {}
+  };
+  writeFileSync(paths.prTitlePath, input.result.evidence.title || "", "utf8");
+  writeFileSync(paths.prBodyPath, input.result.evidence.body || "", "utf8");
+  writeFileSync(paths.prCommentsPath, `${JSON.stringify(input.result.evidence.relevantIssueComments, null, 2)}
+`, "utf8");
+  writeFileSync(paths.reviewThreadsPath, `${JSON.stringify(input.result.evidence.reviewThreads, null, 2)}
+`, "utf8");
+  writeFileSync(paths.reviewCommentsPath, `${JSON.stringify(input.result.evidence.changedFileReviewComments, null, 2)}
+`, "utf8");
+  writeFileSync(paths.checkRollupPath, `${JSON.stringify(input.result.evidence.statusCheckRollup, null, 2)}
+`, "utf8");
+  writeFileSync(paths.greptileEvidencePath, `${JSON.stringify(input.result.evidence.greptile, null, 2)}
+`, "utf8");
+  const mergeGatePayload = {
+    approved: input.result.approved,
+    pending: input.result.pending,
+    reasons: input.result.reasons,
+    reasonDetails: input.result.reasonDetails,
+    warnings: input.result.warnings,
+    actionableFeedback: input.result.actionableFeedback,
+    prUrl: input.result.evidence.prUrl,
+    title: input.result.evidence.title,
+    headSha: input.result.evidence.headSha,
+    readErrors: input.result.evidence.readErrors,
+    greptile: input.result.evidence.greptile,
+    evidence: input.result.evidence,
+    cycleArtifactRoot: root
+  };
+  writeFileSync(paths.mergeGateResultPath, `${JSON.stringify(mergeGatePayload, null, 2)}
+`, "utf8");
+  if (paths.finalMergeGateResultPath) {
+    writeFileSync(paths.finalMergeGateResultPath, `${JSON.stringify(mergeGatePayload, null, 2)}
+`, "utf8");
+  }
+  writeFileSync(paths.steeringPromptPath, input.steeringPrompt, "utf8");
+  return paths;
+}
+async function runStrictPrMergeGate(input) {
+  const evidence = await collectPrReviewEvidence(input);
+  const base = evaluateStrictPrMergeGate(evidence);
+  const preliminaryPrompt = buildStrictPrGateSteeringPrompt({ ...base, artifacts: undefined });
+  const artifacts = persistPrReviewCycleArtifacts({
+    projectRoot: input.projectRoot,
+    taskId: input.taskId,
+    cycle: input.cycle,
+    artifactRoot: input.artifactRoot,
+    result: base,
+    steeringPrompt: preliminaryPrompt,
+    final: input.final
+  });
+  const steeringPrompt = buildStrictPrGateSteeringPrompt({ ...base, artifacts });
+  writeFileSync(artifacts.steeringPromptPath, steeringPrompt, "utf8");
+  return { ...base, artifacts, steeringPrompt };
+}
+export {
+  stripHtml,
+  strictMergeHeadShaFromGate,
+  runStrictPrMergeGate,
+  persistPrReviewCycleArtifacts,
+  parseGreptileScore,
+  parseGithubPrUrl,
+  isGreptileGithubLogin,
+  evaluateStrictPrMergeGate,
+  deriveGreptileEvidence,
+  collectPrReviewEvidence,
+  buildStrictPrGateSteeringPrompt
+};