@h-rig/runtime 0.0.6-alpha.3 → 0.0.6-alpha.30

package/dist/src/control-plane/hooks/completion-verification.js

@@ -2,7 +2,7 @@
 // @bun
 
 // packages/runtime/src/control-plane/hooks/completion-verification.ts
-import { appendFileSync as appendFileSync2, existsSync as existsSync21, mkdirSync as mkdirSync11, readFileSync as readFileSync12, writeFileSync as writeFileSync11 } from "fs";
+import { appendFileSync as appendFileSync2, existsSync as existsSync21, mkdirSync as mkdirSync13, readFileSync as readFileSync13, writeFileSync as writeFileSync13 } from "fs";
 import { resolve as resolve24 } from "path";
 import {
   escapeRegExp as escapeRegExp2,
@@ -13,10 +13,15 @@ import {
   resolvePolicyContent
 } from "@rig/hook-kit";
 
-// packages/runtime/src/control-plane/runtime/events.ts
-import { appendFile, mkdir } from "fs/promises";
-import { randomUUID } from "crypto";
-import { dirname as dirname2, resolve as resolve2 } from "path";
+// packages/runtime/src/control-plane/runtime/guard.ts
+import { optimizeNextInvocation } from "bun:jsc";
+import { existsSync as existsSync4, readFileSync as readFileSync2, statSync as statSync2 } from "fs";
+import { resolve as resolve4 } from "path";
+
+// packages/runtime/src/control-plane/native/utils.ts
+import { ptr as ptr2 } from "bun:ffi";
+import { existsSync as existsSync3, readFileSync } from "fs";
+import { resolve as resolve3 } from "path";
 
 // packages/runtime/src/layout.ts
 import { existsSync } from "fs";
@@ -127,126 +132,13 @@ function resolveRigLayout(projectRoot) {
   };
 }
 
-// packages/runtime/src/control-plane/runtime/events.ts
-async function appendEvent(eventsFile, event) {
-  await mkdir(dirname2(eventsFile), { recursive: true });
-  await appendFile(eventsFile, `${JSON.stringify(event)}
-`, "utf-8");
-}
-function createEvent(runId, type, payload) {
-  return {
-    id: randomUUID(),
-    runId,
-    timestamp: new Date().toISOString(),
-    type,
-    payload
-  };
-}
-
-class RuntimeEventBus {
-  runId;
-  eventsFile;
-  memoryEvents = [];
-  constructor(options) {
-    this.runId = options.runId || randomUUID();
-    this.eventsFile = options.eventsFile ?? resolveRigLayout(options.projectRoot).controlPlaneEventsFile;
-  }
-  getRunId() {
-    return this.runId;
-  }
-  getEventsFile() {
-    return this.eventsFile;
-  }
-  getMemoryEvents() {
-    return [...this.memoryEvents];
-  }
-  async attachRuntimeBus(runtimeBus) {
-    if (runtimeBus.getEventsFile() === this.eventsFile) {
-      return;
-    }
-    for (const event of this.memoryEvents) {
-      await runtimeBus.ingest(event);
-    }
-  }
-  async attachRuntimeWorkspace(projectRoot) {
-    const runtimeBus = new RuntimeEventBus({ projectRoot, runId: this.runId });
-    await this.attachRuntimeBus(runtimeBus);
-    return runtimeBus;
-  }
-  async ingest(event) {
-    this.memoryEvents.push(event);
-    await appendEvent(this.eventsFile, event);
-  }
-  async emit(type, payload) {
-    const event = createEvent(this.runId, type, payload);
-    await this.ingest(event);
-    return event;
-  }
-}
-
-class GeneralCliEventBus {
-  runId;
-  eventsFile;
-  memoryEvents = [];
-  runtimeBuses = new Map;
-  constructor(options) {
-    this.runId = options.runId || randomUUID();
-    this.eventsFile = options.eventsFile ?? resolve2(options.projectRoot, ".rig", "logs", "control-plane.events.jsonl");
-  }
-  getRunId() {
-    return this.runId;
-  }
-  getEventsFile() {
-    return this.eventsFile;
-  }
-  getMemoryEvents() {
-    return [...this.memoryEvents];
-  }
-  async attachRuntimeBus(runtimeBus) {
-    const key = runtimeBus.getEventsFile();
-    if (this.runtimeBuses.has(key)) {
-      return;
-    }
-    this.runtimeBuses.set(key, runtimeBus);
-    for (const event of this.memoryEvents) {
-      await runtimeBus.ingest(event);
-    }
-  }
-  async attachRuntimeWorkspace(projectRoot) {
-    const runtimeBus = new RuntimeEventBus({ projectRoot, runId: this.runId });
-    await this.attachRuntimeBus(runtimeBus);
-    return runtimeBus;
-  }
-  async emit(type, payload) {
-    const event = createEvent(this.runId, type, payload);
-    this.memoryEvents.push(event);
-    await appendEvent(this.eventsFile, event);
-    await Promise.all(Array.from(this.runtimeBuses.values()).map((bus) => bus.ingest(event)));
-    return event;
-  }
-}
-
-// packages/runtime/src/control-plane/runtime/plugins.ts
-import { existsSync as existsSync5, readdirSync } from "fs";
-import { resolve as resolve6, basename as basename2 } from "path";
-
-// packages/runtime/src/control-plane/runtime/guard.ts
-import { optimizeNextInvocation } from "bun:jsc";
-import { existsSync as existsSync4, readFileSync as readFileSync2, statSync as statSync2 } from "fs";
-import { resolve as resolve5 } from "path";
-
-// packages/runtime/src/control-plane/native/utils.ts
-import { ptr as ptr2 } from "bun:ffi";
-import { existsSync as existsSync3, readFileSync } from "fs";
-import { resolve as resolve4 } from "path";
-
 // packages/runtime/src/control-plane/native/runtime-native.ts
 import { dlopen, ptr, suffix, toBuffer } from "bun:ffi";
 import { copyFileSync, existsSync as existsSync2, mkdirSync, renameSync, rmSync, statSync } from "fs";
 import { tmpdir } from "os";
-import { dirname as dirname3, resolve as resolve3 } from "path";
-var sharedNativeRuntimeOutputDir = resolve3(tmpdir(), "rig-native");
-var sharedNativeRuntimeOutputPath = resolve3(sharedNativeRuntimeOutputDir, `runtime-native-${process.platform}-${process.arch}.${suffix}`);
+import { dirname as dirname2, resolve as resolve2 } from "path";
+var sharedNativeRuntimeOutputDir = resolve2(tmpdir(), "rig-native");
+var sharedNativeRuntimeOutputPath = resolve2(sharedNativeRuntimeOutputDir, `runtime-native-${process.platform}-${process.arch}.${suffix}`);
 var colocatedNativeRuntimeFileName = `runtime-native.${suffix}`;
 var nativeRuntimeLibrary = await loadNativeRuntimeLibrary();
 function requireNativeRuntimeLibrary(feature) {
@@ -282,12 +174,12 @@ async function loadNativeRuntimeLibrary() {
 }
 function nativePackageLibraryCandidates(fromDir, names) {
   const candidates = [];
-  let cursor = resolve3(fromDir);
+  let cursor = resolve2(fromDir);
   for (let index = 0;index < 8; index += 1) {
     for (const name of names) {
-      candidates.push(resolve3(cursor, "native", `${process.platform}-${process.arch}`, name), resolve3(cursor, "native", `${process.platform}-${process.arch}`, "lib", name), resolve3(cursor, "native", name), resolve3(cursor, "native", "lib", name));
+      candidates.push(resolve2(cursor, "native", `${process.platform}-${process.arch}`, name), resolve2(cursor, "native", `${process.platform}-${process.arch}`, "lib", name), resolve2(cursor, "native", name), resolve2(cursor, "native", "lib", name));
     }
-    const parent = dirname3(cursor);
+    const parent = dirname2(cursor);
     if (parent === cursor)
       break;
     cursor = parent;
@@ -296,17 +188,17 @@ function nativePackageLibraryCandidates(fromDir, names) {
 }
 function nativeRuntimeLibraryCandidates() {
   const explicit = process.env.RIG_NATIVE_RUNTIME_LIB?.trim() || "";
-  const execDir = process.execPath?.trim() ? dirname3(process.execPath.trim()) : "";
+  const execDir = process.execPath?.trim() ? dirname2(process.execPath.trim()) : "";
   const platformSpecific = `runtime-native-${process.platform}-${process.arch}.${suffix}`;
   return [...new Set([
     explicit,
     ...nativePackageLibraryCandidates(import.meta.dir, [colocatedNativeRuntimeFileName, platformSpecific]),
-    execDir ? resolve3(execDir, colocatedNativeRuntimeFileName) : "",
-    execDir ? resolve3(execDir, platformSpecific) : "",
-    execDir ? resolve3(execDir, "..", colocatedNativeRuntimeFileName) : "",
-    execDir ? resolve3(execDir, "..", platformSpecific) : "",
-    execDir ? resolve3(execDir, "lib", colocatedNativeRuntimeFileName) : "",
-    execDir ? resolve3(execDir, "..", "lib", colocatedNativeRuntimeFileName) : "",
+    execDir ? resolve2(execDir, colocatedNativeRuntimeFileName) : "",
+    execDir ? resolve2(execDir, platformSpecific) : "",
+    execDir ? resolve2(execDir, "..", colocatedNativeRuntimeFileName) : "",
+    execDir ? resolve2(execDir, "..", platformSpecific) : "",
+    execDir ? resolve2(execDir, "lib", colocatedNativeRuntimeFileName) : "",
+    execDir ? resolve2(execDir, "..", "lib", colocatedNativeRuntimeFileName) : "",
     sharedNativeRuntimeOutputPath
   ].filter(Boolean))];
 }
@@ -315,7 +207,7 @@ function resolveNativeRuntimeSourcePath() {
   if (explicit && existsSync2(explicit)) {
     return explicit;
   }
-  const bundled = resolve3(import.meta.dir, "../../../native/snapshot.zig");
+  const bundled = resolve2(import.meta.dir, "../../../native/snapshot.zig");
   return existsSync2(bundled) ? bundled : null;
 }
 async function buildNativeRuntimeLibrary(outputPath, options = {}) {
@@ -329,7 +221,7 @@ async function buildNativeRuntimeLibrary(outputPath, options = {}) {
   }
   const tempOutputPath = `${outputPath}.${process.pid}.${Date.now()}.${Math.random().toString(36).slice(2)}.tmp`;
   try {
-    mkdirSync(dirname3(outputPath), { recursive: true });
+    mkdirSync(dirname2(outputPath), { recursive: true });
     const needsBuild = options.force === true || !existsSync2(outputPath) || statSync(sourcePath).mtimeMs > statSync(outputPath).mtimeMs;
     if (!needsBuild) {
       return true;
@@ -506,31 +398,31 @@ function unique(values) {
 function resolveHarnessPaths(projectRoot) {
   const hasRuntimeWorkspace = Boolean(process.env.RIG_TASK_WORKSPACE?.trim());
   const monorepoRoot = resolveMonorepoRoot2(projectRoot);
-  const harnessRoot = resolve4(projectRoot, "rig");
-  const stateRoot = resolve4(projectRoot, ".rig");
+  const harnessRoot = resolve3(projectRoot, "rig");
+  const stateRoot = resolve3(projectRoot, ".rig");
   const layout = hasRuntimeWorkspace ? resolveRigLayout(projectRoot) : null;
-  const stateDir = layout?.stateDir ?? resolve4(stateRoot, "state");
-  const logsDir = layout?.logsDir ?? resolve4(stateRoot, "logs");
-  const artifactsDir = layout?.artifactsRoot ?? resolve4(monorepoRoot, "artifacts");
-  const taskConfigPath = layout?.taskConfigPath ?? resolve4(monorepoRoot, ".rig", "task-config.json");
-  const binDir = layout?.binDir ?? resolve4(stateRoot, "bin");
+  const stateDir = layout?.stateDir ?? resolve3(stateRoot, "state");
+  const logsDir = layout?.logsDir ?? resolve3(stateRoot, "logs");
+  const artifactsDir = layout?.artifactsRoot ?? resolve3(monorepoRoot, "artifacts");
+  const taskConfigPath = layout?.taskConfigPath ?? resolve3(monorepoRoot, ".rig", "task-config.json");
+  const binDir = layout?.binDir ?? resolve3(stateRoot, "bin");
   return {
     harnessRoot,
     stateDir: process.env.RIG_STATE_DIR || stateDir,
     artifactsDir,
     logsDir: process.env.RIG_LOGS_DIR || logsDir,
     binDir,
-    hooksDir: resolve4(harnessRoot, "hooks"),
-    validationDir: resolve4(harnessRoot, "validation"),
+    hooksDir: resolve3(harnessRoot, "hooks"),
+    validationDir: resolve3(harnessRoot, "validation"),
     taskConfigPath,
-    sessionPath: process.env.RIG_SESSION_FILE || resolve4(stateRoot, "session", "session.json"),
+    sessionPath: process.env.RIG_SESSION_FILE || resolve3(stateRoot, "session", "session.json"),
     monorepoRoot,
-    tsApiTestsDir: process.env.TS_API_TESTS_DIR || resolve4(monorepoRoot, "TSAPITests"),
-    taskRepoCommitsPath: resolve4(stateDir, "task-repo-commits.json"),
-    baseRepoPinsPath: resolve4(stateDir, "base-repo-pins.json"),
-    failedApproachesPath: resolve4(stateDir, "failed_approaches.md"),
-    agentProfilePath: resolve4(stateDir, "agent-profile.json"),
-    reviewProfilePath: resolve4(stateDir, "review-profile.json")
+    tsApiTestsDir: process.env.TS_API_TESTS_DIR || resolve3(monorepoRoot, "TSAPITests"),
+    taskRepoCommitsPath: resolve3(stateDir, "task-repo-commits.json"),
+    baseRepoPinsPath: resolve3(stateDir, "base-repo-pins.json"),
+    failedApproachesPath: resolve3(stateDir, "failed_approaches.md"),
+    agentProfilePath: resolve3(stateDir, "agent-profile.json"),
+    reviewProfilePath: resolve3(stateDir, "review-profile.json")
   };
 }
 function normalizeRelativeScopePath(inputPath) {
@@ -658,7 +550,7 @@ function loadPolicy(projectRoot) {
   if (seededPolicyConfig) {
     return seededPolicyConfig;
   }
-  const configPath = resolve5(projectRoot, "rig/policy/policy.json");
+  const configPath = resolve4(projectRoot, "rig/policy/policy.json");
   if (!existsSync4(configPath)) {
     return defaultPolicy();
   }
@@ -889,28 +781,28 @@ function resolveAction(mode, matched) {
 }
 function resolveAbsolutePath(projectRoot, rawPath) {
   if (rawPath.startsWith("/"))
-    return resolve5(rawPath);
-  return resolve5(projectRoot, rawPath);
+    return resolve4(rawPath);
+  return resolve4(projectRoot, rawPath);
 }
 function isHarnessPath(projectRoot, rawPath) {
   const absPath = resolveAbsolutePath(projectRoot, rawPath);
   const managedRoots = [
-    resolve5(projectRoot, "rig"),
-    resolve5(projectRoot, ".rig"),
-    resolve5(projectRoot, "artifacts")
+    resolve4(projectRoot, "rig"),
+    resolve4(projectRoot, ".rig"),
+    resolve4(projectRoot, "artifacts")
   ];
   return managedRoots.some((root) => absPath === root || absPath.startsWith(root + "/"));
 }
 function isRuntimePath(projectRoot, rawPath, taskWorkspace) {
   const absPath = resolveAbsolutePath(projectRoot, rawPath);
   if (taskWorkspace) {
-    const workspaceRigRoot = resolve5(taskWorkspace, ".rig");
-    const workspaceArtifactsRoot = resolve5(taskWorkspace, "artifacts");
+    const workspaceRigRoot = resolve4(taskWorkspace, ".rig");
+    const workspaceArtifactsRoot = resolve4(taskWorkspace, "artifacts");
     if (absPath === workspaceRigRoot || absPath.startsWith(workspaceRigRoot + "/") || absPath === workspaceArtifactsRoot || absPath.startsWith(workspaceArtifactsRoot + "/")) {
       return true;
     }
   }
-  const runtimeRoot = resolve5(projectRoot, ".rig/runtime/agents");
+  const runtimeRoot = resolve4(projectRoot, ".rig/runtime/agents");
   return absPath === runtimeRoot || absPath.startsWith(runtimeRoot + "/");
 }
 function isTestFile(path) {
@@ -958,7 +850,7 @@ function evaluateScope(policy, context, filePath, access) {
     return allowed();
   }
   if (context.taskWorkspace && context.taskWorkspace !== context.projectRoot && filePath.startsWith("/")) {
-    const absPath = resolve5(filePath);
+    const absPath = resolve4(filePath);
     if (!absPath.startsWith(context.taskWorkspace + "/") && !isHarnessPath(context.projectRoot, filePath)) {
       const reason2 = `Absolute path '${filePath}' is outside task runtime boundary. Allowed root: ${context.taskWorkspace}`;
       const matched2 = [{ id: "scope:workspace-boundary", category: "command", reason: reason2 }];
@@ -1167,12 +1059,6 @@ function extractContentFromToolInput(input) {
     return input.new_string;
   return "";
 }
-function loadRuntimeImageConfig(projectRoot) {
-  return loadPolicy(projectRoot).runtime_image ?? {
-    deps: { ...DEFAULT_RUNTIME_IMAGE.deps },
-    plugins_require_binaries: DEFAULT_RUNTIME_IMAGE.plugins_require_binaries
-  };
-}
 var guardHotPathPrimed = false;
 function primeGuardHotPaths() {
   if (guardHotPathPrimed) {
@@ -1186,290 +1072,99 @@ function primeGuardHotPaths() {
 }
 primeGuardHotPaths();
 
-// packages/runtime/src/control-plane/runtime/plugin-mode.ts
-var LEGACY_PLUGIN_SCAN_ENV = "RIG_LEGACY_PLUGIN_SCAN";
-function isLegacyPluginScanEnabled(env = process.env) {
-  const value = env[LEGACY_PLUGIN_SCAN_ENV]?.trim().toLowerCase();
-  return value === "1" || value === "true" || value === "yes" || value === "on";
-}
+// packages/runtime/src/control-plane/native/git-ops.ts
+import { existsSync as existsSync20, lstatSync, mkdirSync as mkdirSync12, readFileSync as readFileSync12, writeFileSync as writeFileSync12 } from "fs";
+import { dirname as dirname10, isAbsolute as isAbsolute2, resolve as resolve23 } from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
 
-// packages/runtime/src/control-plane/runtime/plugins.ts
-class PluginManager {
-  eventBus;
-  context;
-  pluginDir;
-  pluginFiles;
-  pluginNames;
-  localBinDir;
-  pluginsRequireBinaries;
-  plugins;
-  loadPromise;
-  constructor(options) {
-    this.eventBus = options.eventBus;
-    this.context = options.context;
-    this.pluginDir = options.pluginDir;
-    this.pluginFiles = options.pluginFiles;
-    this.pluginNames = options.pluginNames;
-    this.localBinDir = options.localBinDir;
-    this.pluginsRequireBinaries = options.pluginsRequireBinaries;
-    this.plugins = options.preloadedPlugins ?? null;
-    this.loadPromise = null;
-  }
-  static disabled(options) {
-    const validatorProjectRoot = options.runtimeContext?.workspaceDir || options.projectRoot;
-    return new PluginManager({
-      eventBus: options.eventBus,
-      context: {
-        projectRoot: validatorProjectRoot,
-        runId: options.runId,
-        eventBus: options.eventBus
-      },
-      pluginDir: resolve6(options.projectRoot, "rig/plugins"),
-      pluginFiles: [],
-      pluginNames: [],
-      localBinDir: options.runtimeContext ? resolve6(options.runtimeContext.binDir, "plugins") : resolve6(options.projectRoot, "rig/plugins"),
-      pluginsRequireBinaries: false,
-      preloadedPlugins: []
-    });
-  }
-  static async load(options) {
-    const pluginDir = resolve6(options.projectRoot, "rig/plugins");
-    const runtimeImageConfig = loadRuntimeImageConfig(options.projectRoot);
-    const localBinDir = options.runtimeContext ? resolve6(options.runtimeContext.binDir, "plugins") : resolve6(options.projectRoot, "rig/plugins");
-    const legacyPluginScan = options.legacyPluginScan ?? isLegacyPluginScanEnabled(options.env);
-    const files = legacyPluginScan ? safeReadDir(pluginDir).filter((entry) => /\.(ts|js|mjs|cjs)$/.test(entry)) : [];
-    const pluginNames = files.map((file) => basename2(file).replace(/\.plugin\.(ts|js|mjs|cjs)$/, ""));
-    const validatorProjectRoot = options.runtimeContext?.workspaceDir || options.projectRoot;
-    const context = {
-      projectRoot: validatorProjectRoot,
-      runId: options.runId,
-      eventBus: options.eventBus
-    };
-    return new PluginManager({
-      eventBus: options.eventBus,
-      context,
-      pluginDir,
-      pluginFiles: files,
-      pluginNames,
-      localBinDir,
-      pluginsRequireBinaries: options.pluginsRequireBinaries ?? (runtimeImageConfig.plugins_require_binaries && Boolean(options.runtimeContext))
-    });
-  }
-  list() {
-    if (this.plugins) {
-      return this.plugins.map((plugin) => ({
-        name: plugin.name,
-        validators: plugin.validators?.map((validator) => validator.id) ?? []
-      }));
-    }
-    return this.pluginNames.map((name) => ({
-      name,
-      validators: []
-    }));
-  }
-  async beforeCommand(ctx) {
-    const plugins = await this.ensureLoaded();
-    for (const plugin of plugins) {
-      if (!plugin.beforeCommand) {
-        continue;
-      }
-      await this.safeInvoke(plugin.name, "beforeCommand", () => plugin.beforeCommand?.(ctx, this.context));
-    }
-  }
-  async afterCommand(result) {
-    const plugins = await this.ensureLoaded();
-    for (const plugin of plugins) {
-      if (!plugin.afterCommand) {
-        continue;
-      }
-      await this.safeInvoke(plugin.name, "afterCommand", () => plugin.afterCommand?.(result, this.context));
+// packages/runtime/src/control-plane/runtime/baked-secrets.ts
+import { existsSync as existsSync5, readFileSync as readFileSync3 } from "fs";
+import { resolve as resolve5 } from "path";
+var BAKED_RUNTIME_SECRETS = {
+  ANTHROPIC_API_KEY: typeof RIG_BAKED_ANTHROPIC_API_KEY !== "undefined" ? RIG_BAKED_ANTHROPIC_API_KEY : "",
+  OPENAI_API_KEY: typeof RIG_BAKED_OPENAI_API_KEY !== "undefined" ? RIG_BAKED_OPENAI_API_KEY : "",
+  OPENROUTER_API_KEY: typeof RIG_BAKED_OPENROUTER_API_KEY !== "undefined" ? RIG_BAKED_OPENROUTER_API_KEY : "",
+  AI_REVIEW_MODE: typeof RIG_BAKED_AI_REVIEW_MODE !== "undefined" ? RIG_BAKED_AI_REVIEW_MODE : "",
+  AI_REVIEW_PROVIDER: typeof RIG_BAKED_AI_REVIEW_PROVIDER !== "undefined" ? RIG_BAKED_AI_REVIEW_PROVIDER : "",
+  GREPTILE_API_BASE: typeof RIG_BAKED_GREPTILE_API_BASE !== "undefined" ? RIG_BAKED_GREPTILE_API_BASE : "",
+  GREPTILE_REMOTE: typeof RIG_BAKED_GREPTILE_REMOTE !== "undefined" ? RIG_BAKED_GREPTILE_REMOTE : "",
+  GREPTILE_REPOSITORY: typeof RIG_BAKED_GREPTILE_REPOSITORY !== "undefined" ? RIG_BAKED_GREPTILE_REPOSITORY : "",
+  GREPTILE_CONTEXT_BRANCH: typeof RIG_BAKED_GREPTILE_CONTEXT_BRANCH !== "undefined" ? RIG_BAKED_GREPTILE_CONTEXT_BRANCH : "",
+  GREPTILE_DEFAULT_BRANCH: typeof RIG_BAKED_GREPTILE_DEFAULT_BRANCH !== "undefined" ? RIG_BAKED_GREPTILE_DEFAULT_BRANCH : "",
+  GREPTILE_API_KEY: typeof RIG_BAKED_GREPTILE_API_KEY !== "undefined" ? RIG_BAKED_GREPTILE_API_KEY : "",
+  GREPTILE_GITHUB_TOKEN: typeof RIG_BAKED_GREPTILE_GITHUB_TOKEN !== "undefined" ? RIG_BAKED_GREPTILE_GITHUB_TOKEN : "",
+  GREPTILE_POLL_ATTEMPTS: typeof RIG_BAKED_GREPTILE_POLL_ATTEMPTS !== "undefined" ? RIG_BAKED_GREPTILE_POLL_ATTEMPTS : "",
+  GREPTILE_POLL_INTERVAL_MS: typeof RIG_BAKED_GREPTILE_POLL_INTERVAL_MS !== "undefined" ? RIG_BAKED_GREPTILE_POLL_INTERVAL_MS : "",
+  GH_TOKEN: typeof RIG_BAKED_GITHUB_TOKEN !== "undefined" ? RIG_BAKED_GITHUB_TOKEN : "",
+  GITHUB_TOKEN: typeof RIG_BAKED_GITHUB_TOKEN !== "undefined" ? RIG_BAKED_GITHUB_TOKEN : "",
+  GITHUB_SSH_KEY: typeof RIG_BAKED_GITHUB_SSH_KEY !== "undefined" ? RIG_BAKED_GITHUB_SSH_KEY : "",
+  AWS_ACCESS_KEY_ID: typeof RIG_BAKED_AWS_ACCESS_KEY_ID !== "undefined" ? RIG_BAKED_AWS_ACCESS_KEY_ID : "",
+  AWS_SECRET_ACCESS_KEY: typeof RIG_BAKED_AWS_SECRET_ACCESS_KEY !== "undefined" ? RIG_BAKED_AWS_SECRET_ACCESS_KEY : "",
+  AWS_REGION: typeof RIG_BAKED_AWS_REGION !== "undefined" ? RIG_BAKED_AWS_REGION : "",
+  LINEAR_API_KEY: typeof RIG_BAKED_LINEAR_API_KEY !== "undefined" ? RIG_BAKED_LINEAR_API_KEY : "",
+  LINEAR_WEBHOOK_SECRET: typeof RIG_BAKED_LINEAR_WEBHOOK_SECRET !== "undefined" ? RIG_BAKED_LINEAR_WEBHOOK_SECRET : ""
+};
+function resolveRuntimeSecrets(env, baked = BAKED_RUNTIME_SECRETS) {
+  const resolved = {};
+  const keys = new Set([
+    ...Object.keys(BAKED_RUNTIME_SECRETS),
+    ...Object.keys(baked)
+  ]);
+  for (const key of keys) {
+    const envValue = env[key]?.trim();
+    const bakedValue = baked[key]?.trim();
+    if (envValue) {
+      resolved[key] = envValue;
+    } else if (bakedValue) {
+      resolved[key] = bakedValue;
     }
   }
-  async onEvent(event) {
-    const plugins = this.plugins;
-    if (!plugins) {
-      return;
-    }
-    for (const plugin of plugins) {
-      if (!plugin.onEvent) {
-        continue;
-      }
-      await this.safeInvoke(plugin.name, "onEvent", () => plugin.onEvent?.(event, this.context));
-    }
-  }
-  async runValidators(taskId) {
-    const plugins = await this.ensureLoaded();
-    const results = [];
-    for (const plugin of plugins) {
-      for (const validator of plugin.validators ?? []) {
-        await this.eventBus.emit("validator.started", {
-          plugin: plugin.name,
-          validator: validator.id,
-          taskId
-        });
-        try {
-          const result = await validator.run({ taskId, projectRoot: this.context.projectRoot }, this.context);
-          results.push(result);
-          await this.eventBus.emit("validator.finished", {
-            plugin: plugin.name,
-            validator: validator.id,
-            taskId,
-            passed: result.passed,
-            summary: result.summary
-          });
-        } catch (error) {
-          const failed = {
-            id: validator.id,
-            passed: false,
-            summary: `${plugin.name}/${validator.id} failed unexpectedly`,
-            details: `${error}`
-          };
-          results.push(failed);
-          await this.eventBus.emit("validator.finished", {
-            plugin: plugin.name,
-            validator: validator.id,
-            taskId,
-            passed: false,
-            summary: failed.summary,
-            details: failed.details
-          });
-        }
-      }
-    }
-    return results;
+  return resolved;
+}
+function loadDotEnvSecrets(projectRoot, env = process.env) {
+  const dotenvPath = resolve5(projectRoot, ".env");
+  if (!existsSync5(dotenvPath)) {
+    return {};
   }
-  async safeInvoke(pluginName, hook, call) {
-    try {
-      await call();
-    } catch (error) {
-      await this.eventBus.emit("plugin.error", {
-        plugin: pluginName,
-        phase: hook,
-        error: `${error}`
-      });
+  const parsed = {};
+  const lines = readFileSync3(dotenvPath, "utf-8").split(/\r?\n/);
+  for (const rawLine of lines) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith("#")) {
+      continue;
     }
-  }
-  async ensureLoaded() {
-    if (this.plugins) {
-      return this.plugins;
+    const exportMatch = line.match(/^(?:export\s+)?([A-Z0-9_]+)\s*=\s*(.*)$/);
+    if (!exportMatch) {
+      continue;
     }
-    if (this.loadPromise) {
-      return this.loadPromise;
+    const key = exportMatch[1];
+    if (!(key in BAKED_RUNTIME_SECRETS)) {
+      continue;
     }
-    this.loadPromise = this.loadCompiledPlugins();
-    try {
-      this.plugins = await this.loadPromise;
-      return this.plugins;
-    } finally {
-      this.loadPromise = null;
-    }
-  }
-  resolveBinPath(binName) {
-    const candidates = [this.localBinDir].filter(Boolean).map((dir) => resolve6(dir, binName));
-    return candidates.find((candidate) => existsSync5(candidate));
-  }
-  async loadCompiledPlugins() {
-    const plugins = [];
-    for (const file of this.pluginFiles) {
-      const binName = basename2(file).replace(/\.plugin\.(ts|js|mjs|cjs)$/, "");
-      let binPath = this.resolveBinPath(binName);
-      if (!binPath) {
-        const triedPaths = [this.localBinDir].filter(Boolean).map((dir) => resolve6(dir, binName));
-        const missingError = `Compiled plugin binary not found for '${binName}'. Tried: ${triedPaths.join(", ")}`;
-        await this.eventBus.emit("plugin.error", {
-          file: resolve6(this.pluginDir, file),
-          phase: "load",
-          error: missingError
-        });
-        if (this.pluginsRequireBinaries) {
-          throw new Error(missingError);
-        }
-        plugins.push({
-          name: binName,
-          validators: []
-        });
-        await this.eventBus.emit("plugin.loaded", {
-          plugin: binName,
-          file: resolve6(this.pluginDir, file),
-          source: "metadata-only"
-        });
-        continue;
-      }
-      const wrapper = createBinaryPluginWrapper(binName, binPath, this.context.projectRoot);
-      plugins.push(wrapper);
-      await this.eventBus.emit("plugin.loaded", {
-        plugin: wrapper.name,
-        file: binPath,
-        source: "compiled-binary"
-      });
+    const value = expandShellValue(exportMatch[2] ?? "", { ...env, ...parsed });
+    if (value) {
+      parsed[key] = value;
     }
-    return plugins;
   }
+  return parsed;
 }
-function createBinaryPluginWrapper(name, binPath, projectRoot) {
-  return {
-    name,
-    validators: [
-      {
-        id: `${name}:compiled`,
-        async run(ctx) {
-          const proc = Bun.spawn([binPath, "--validate", ctx.taskId, ctx.projectRoot], {
-            cwd: projectRoot,
-            stdout: "pipe",
-            stderr: "pipe"
-          });
-          const exitCode = await proc.exited;
-          const stdout = await new Response(proc.stdout).text();
-          const stderr = await new Response(proc.stderr).text();
-          if (exitCode !== 0) {
-            return {
-              id: `${name}:compiled`,
-              passed: false,
-              summary: `Plugin binary ${name} exited with code ${exitCode}`,
-              details: stderr || stdout
-            };
-          }
-          try {
-            const results = JSON.parse(stdout.trim());
-            const failed = results.filter((r) => !r.passed);
-            if (failed.length > 0) {
-              return {
-                id: `${name}:compiled`,
-                passed: false,
-                summary: `${failed.length} of ${results.length} validator(s) failed`,
-                details: failed.map((f) => `${f.id}: ${f.summary}`).join(`
-`)
-              };
-            }
-            return {
-              id: `${name}:compiled`,
-              passed: true,
-              summary: `All ${results.length} validator(s) passed`
-            };
-          } catch {
-            return {
-              id: `${name}:compiled`,
-              passed: false,
-              summary: `Failed to parse output from compiled plugin ${name}`,
-              details: stdout.slice(0, 500)
-            };
-          }
-        }
-      }
-    ]
-  };
-}
-function safeReadDir(path) {
-  try {
-    return readdirSync(path, { withFileTypes: true }).filter((entry) => entry.isFile()).map((entry) => entry.name).sort();
-  } catch {
-    return [];
+function expandShellValue(rawValue, env) {
+  let value = rawValue.trim();
+  if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+    value = value.slice(1, -1);
   }
+  return value.replace(/\$\{([A-Z0-9_]+)(:-([^}]*))?\}/g, (_match, name, _defaultGroup, fallback) => {
+    const envValue = env[name]?.trim();
+    if (envValue) {
+      return envValue;
+    }
+    return fallback ?? "";
+  });
 }
 
 // packages/runtime/src/control-plane/runtime/context.ts
-import { existsSync as existsSync6, mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync } from "fs";
-import { dirname as dirname4, resolve as resolve7 } from "path";
+import { existsSync as existsSync6, mkdirSync as mkdirSync2, readFileSync as readFileSync4, writeFileSync } from "fs";
+import { dirname as dirname3, resolve as resolve6 } from "path";
 var RUNTIME_CONTEXT_ENV = "RIG_RUNTIME_CONTEXT_FILE";
 var runtimeContextStringFields = [
   "runtimeId",
@@ -1493,13 +1188,13 @@ var runtimeContextOptionalStringFields = [
   "monorepoBaseCommit"
 ];
 function loadRuntimeContext(path) {
-  const absPath = resolve7(path);
+  const absPath = resolve6(path);
   if (!existsSync6(absPath)) {
     throw new Error(`RuntimeTaskContext file not found: ${absPath}`);
   }
   let raw;
   try {
-    raw = JSON.parse(readFileSync3(absPath, "utf8"));
+    raw = JSON.parse(readFileSync4(absPath, "utf8"));
   } catch (err) {
     throw new Error(`Failed to parse RuntimeTaskContext at ${absPath}: ${String(err)}`);
   }
@@ -1622,13 +1317,13 @@ function loadRuntimeContextFromEnv(env = process.env) {
   return loadRuntimeContext(inferred);
 }
 function findRuntimeContextFile(startPath) {
-  let current = resolve7(startPath);
+  let current = resolve6(startPath);
   while (true) {
-    const candidate = resolve7(current, "runtime-context.json");
+    const candidate = resolve6(current, "runtime-context.json");
     if (existsSync6(candidate) && isAgentRuntimeContextPath(candidate)) {
       return candidate;
     }
-    const parent = dirname4(current);
+    const parent = dirname3(current);
     if (parent === current) {
       return "";
     }
@@ -1640,98 +1335,8 @@ function isAgentRuntimeContextPath(path) {
   return /\/\.rig\/runtime-context\.json$/.test(normalized);
 }
 
-// packages/runtime/src/control-plane/native/git-ops.ts
-import { existsSync as existsSync20, lstatSync, mkdirSync as mkdirSync10, readFileSync as readFileSync11, writeFileSync as writeFileSync10 } from "fs";
-import { dirname as dirname11, isAbsolute as isAbsolute2, resolve as resolve23 } from "path";
-import { fileURLToPath as fileURLToPath2 } from "url";
-
-// packages/runtime/src/control-plane/runtime/baked-secrets.ts
-import { existsSync as existsSync7, readFileSync as readFileSync4 } from "fs";
-import { resolve as resolve8 } from "path";
-var BAKED_RUNTIME_SECRETS = {
-  ANTHROPIC_API_KEY: typeof RIG_BAKED_ANTHROPIC_API_KEY !== "undefined" ? RIG_BAKED_ANTHROPIC_API_KEY : "",
-  OPENAI_API_KEY: typeof RIG_BAKED_OPENAI_API_KEY !== "undefined" ? RIG_BAKED_OPENAI_API_KEY : "",
-  OPENROUTER_API_KEY: typeof RIG_BAKED_OPENROUTER_API_KEY !== "undefined" ? RIG_BAKED_OPENROUTER_API_KEY : "",
-  AI_REVIEW_MODE: typeof RIG_BAKED_AI_REVIEW_MODE !== "undefined" ? RIG_BAKED_AI_REVIEW_MODE : "",
-  AI_REVIEW_PROVIDER: typeof RIG_BAKED_AI_REVIEW_PROVIDER !== "undefined" ? RIG_BAKED_AI_REVIEW_PROVIDER : "",
-  GREPTILE_API_BASE: typeof RIG_BAKED_GREPTILE_API_BASE !== "undefined" ? RIG_BAKED_GREPTILE_API_BASE : "",
-  GREPTILE_REMOTE: typeof RIG_BAKED_GREPTILE_REMOTE !== "undefined" ? RIG_BAKED_GREPTILE_REMOTE : "",
-  GREPTILE_REPOSITORY: typeof RIG_BAKED_GREPTILE_REPOSITORY !== "undefined" ? RIG_BAKED_GREPTILE_REPOSITORY : "",
-  GREPTILE_CONTEXT_BRANCH: typeof RIG_BAKED_GREPTILE_CONTEXT_BRANCH !== "undefined" ? RIG_BAKED_GREPTILE_CONTEXT_BRANCH : "",
-  GREPTILE_DEFAULT_BRANCH: typeof RIG_BAKED_GREPTILE_DEFAULT_BRANCH !== "undefined" ? RIG_BAKED_GREPTILE_DEFAULT_BRANCH : "",
-  GREPTILE_API_KEY: typeof RIG_BAKED_GREPTILE_API_KEY !== "undefined" ? RIG_BAKED_GREPTILE_API_KEY : "",
-  GREPTILE_GITHUB_TOKEN: typeof RIG_BAKED_GREPTILE_GITHUB_TOKEN !== "undefined" ? RIG_BAKED_GREPTILE_GITHUB_TOKEN : "",
-  GREPTILE_POLL_ATTEMPTS: typeof RIG_BAKED_GREPTILE_POLL_ATTEMPTS !== "undefined" ? RIG_BAKED_GREPTILE_POLL_ATTEMPTS : "",
-  GREPTILE_POLL_INTERVAL_MS: typeof RIG_BAKED_GREPTILE_POLL_INTERVAL_MS !== "undefined" ? RIG_BAKED_GREPTILE_POLL_INTERVAL_MS : "",
-  GH_TOKEN: typeof RIG_BAKED_GITHUB_TOKEN !== "undefined" ? RIG_BAKED_GITHUB_TOKEN : "",
-  GITHUB_TOKEN: typeof RIG_BAKED_GITHUB_TOKEN !== "undefined" ? RIG_BAKED_GITHUB_TOKEN : "",
-  GITHUB_SSH_KEY: typeof RIG_BAKED_GITHUB_SSH_KEY !== "undefined" ? RIG_BAKED_GITHUB_SSH_KEY : "",
-  AWS_ACCESS_KEY_ID: typeof RIG_BAKED_AWS_ACCESS_KEY_ID !== "undefined" ? RIG_BAKED_AWS_ACCESS_KEY_ID : "",
-  AWS_SECRET_ACCESS_KEY: typeof RIG_BAKED_AWS_SECRET_ACCESS_KEY !== "undefined" ? RIG_BAKED_AWS_SECRET_ACCESS_KEY : "",
-  AWS_REGION: typeof RIG_BAKED_AWS_REGION !== "undefined" ? RIG_BAKED_AWS_REGION : "",
-  LINEAR_API_KEY: typeof RIG_BAKED_LINEAR_API_KEY !== "undefined" ? RIG_BAKED_LINEAR_API_KEY : "",
-  LINEAR_WEBHOOK_SECRET: typeof RIG_BAKED_LINEAR_WEBHOOK_SECRET !== "undefined" ? RIG_BAKED_LINEAR_WEBHOOK_SECRET : ""
-};
-function resolveRuntimeSecrets(env, baked = BAKED_RUNTIME_SECRETS) {
-  const resolved = {};
-  const keys = new Set([
-    ...Object.keys(BAKED_RUNTIME_SECRETS),
-    ...Object.keys(baked)
-  ]);
-  for (const key of keys) {
-    const envValue = env[key]?.trim();
-    const bakedValue = baked[key]?.trim();
-    if (envValue) {
-      resolved[key] = envValue;
-    } else if (bakedValue) {
-      resolved[key] = bakedValue;
-    }
-  }
-  return resolved;
-}
-function loadDotEnvSecrets(projectRoot, env = process.env) {
-  const dotenvPath = resolve8(projectRoot, ".env");
-  if (!existsSync7(dotenvPath)) {
-    return {};
-  }
-  const parsed = {};
-  const lines = readFileSync4(dotenvPath, "utf-8").split(/\r?\n/);
-  for (const rawLine of lines) {
-    const line = rawLine.trim();
-    if (!line || line.startsWith("#")) {
-      continue;
-    }
-    const exportMatch = line.match(/^(?:export\s+)?([A-Z0-9_]+)\s*=\s*(.*)$/);
-    if (!exportMatch) {
-      continue;
-    }
-    const key = exportMatch[1];
-    if (!(key in BAKED_RUNTIME_SECRETS)) {
-      continue;
-    }
-    const value = expandShellValue(exportMatch[2] ?? "", { ...env, ...parsed });
-    if (value) {
-      parsed[key] = value;
-    }
-  }
-  return parsed;
-}
-function expandShellValue(rawValue, env) {
-  let value = rawValue.trim();
-  if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
-    value = value.slice(1, -1);
-  }
-  return value.replace(/\$\{([A-Z0-9_]+)(:-([^}]*))?\}/g, (_match, name, _defaultGroup, fallback) => {
-    const envValue = env[name]?.trim();
-    if (envValue) {
-      return envValue;
-    }
-    return fallback ?? "";
-  });
-}
-
 // packages/runtime/src/control-plane/native/task-ops.ts
-import { appendFileSync, existsSync as existsSync19, mkdirSync as mkdirSync9, readFileSync as readFileSync10, writeFileSync as writeFileSync9 } from "fs";
+import { appendFileSync, existsSync as existsSync19, mkdirSync as mkdirSync11, readFileSync as readFileSync11, writeFileSync as writeFileSync11 } from "fs";
 import { resolve as resolve22 } from "path";
 
 // packages/runtime/src/build-time-config.ts
@@ -1758,14 +1363,14 @@ function readBuildConfig() {
 
 // packages/runtime/src/control-plane/runtime/tooling/shell.ts
 import { tmpdir as tmpdir2 } from "os";
-import { basename as basename3, dirname as dirname5, resolve as resolve9 } from "path";
-var sharedNativeShellOutputDir = resolve9(tmpdir2(), "rig-native");
-var sharedNativeShellOutputPath = resolve9(sharedNativeShellOutputDir, `rig-shell-${process.platform}-${process.arch}${process.platform === "win32" ? ".exe" : ""}`);
+import { basename as basename2, dirname as dirname4, resolve as resolve7 } from "path";
+var sharedNativeShellOutputDir = resolve7(tmpdir2(), "rig-native");
+var sharedNativeShellOutputPath = resolve7(sharedNativeShellOutputDir, `rig-shell-${process.platform}-${process.arch}${process.platform === "win32" ? ".exe" : ""}`);
 // packages/runtime/src/control-plane/runtime/tooling/file-tools.ts
 import { tmpdir as tmpdir3 } from "os";
-import { basename as basename4, dirname as dirname6, resolve as resolve10 } from "path";
-var sharedNativeToolsOutputDir = resolve10(tmpdir3(), "rig-native");
-var sharedNativeToolsOutputPath = resolve10(sharedNativeToolsOutputDir, `rig-tools-${process.platform}-${process.arch}${process.platform === "win32" ? ".exe" : ""}`);
+import { basename as basename3, dirname as dirname5, resolve as resolve8 } from "path";
+var sharedNativeToolsOutputDir = resolve8(tmpdir3(), "rig-native");
+var sharedNativeToolsOutputPath = resolve8(sharedNativeToolsOutputDir, `rig-tools-${process.platform}-${process.arch}${process.platform === "win32" ? ".exe" : ""}`);
 // packages/runtime/src/control-plane/plugin-host-context.ts
 import { createPluginHost } from "@rig/core";
 import { loadConfig } from "@rig/core/load-config";
@@ -1912,7 +1517,7 @@ function createTaskFieldRegistry(extensions) {
 }
 
 // packages/runtime/src/control-plane/validators/runtime-registration.ts
-import { existsSync as existsSync8 } from "fs";
+import { existsSync as existsSync7 } from "fs";
 import { join } from "path";
 function createValidatorRegistry() {
   const map = new Map;
@@ -1945,7 +1550,7 @@ function registerBuiltInValidators(registry) {
 }
 async function runStdTypecheck(ctx) {
   const packageJsonPath = join(ctx.workspaceRoot, "package.json");
-  if (!existsSync8(packageJsonPath)) {
+  if (!existsSync7(packageJsonPath)) {
     return {
       id: "std:typecheck",
       passed: false,
@@ -1973,8 +1578,8 @@ async function runStdTypecheck(ctx) {
 }
 
 // packages/runtime/src/control-plane/hook-materializer.ts
-import { existsSync as existsSync9, mkdirSync as mkdirSync3, readFileSync as readFileSync5, writeFileSync as writeFileSync2 } from "fs";
-import { dirname as dirname7, resolve as resolve11 } from "path";
+import { existsSync as existsSync8, mkdirSync as mkdirSync3, readFileSync as readFileSync5, writeFileSync as writeFileSync2 } from "fs";
+import { dirname as dirname6, resolve as resolve9 } from "path";
 var MARKER_PLUGIN = "_rigPlugin";
 var MARKER_HOOK_ID = "_rigHookId";
 function matcherToString(matcher) {
@@ -1988,8 +1593,8 @@ function isPluginOwned(cmd) {
   return typeof cmd[MARKER_PLUGIN] === "string";
 }
 function materializeHooks(projectRoot, entries) {
-  const settingsPath = resolve11(projectRoot, ".claude", "settings.json");
-  const existing = existsSync9(settingsPath) ? safeReadJson(settingsPath) : {};
+  const settingsPath = resolve9(projectRoot, ".claude", "settings.json");
+  const existing = existsSync8(settingsPath) ? safeReadJson(settingsPath) : {};
   const hooks = existing.hooks ?? {};
   for (const event of Object.keys(hooks)) {
     const groups = hooks[event] ?? [];
@@ -2031,7 +1636,7 @@ function materializeHooks(projectRoot, entries) {
   } else {
     delete next.hooks;
   }
-  mkdirSync3(dirname7(settingsPath), { recursive: true });
+  mkdirSync3(dirname6(settingsPath), { recursive: true });
   writeFileSync2(settingsPath, `${JSON.stringify(next, null, 2)}
 `, "utf-8");
   return settingsPath;
@@ -2044,6 +1649,49 @@ function safeReadJson(path) {
   }
 }
 
+// packages/runtime/src/control-plane/skill-materializer.ts
+import { existsSync as existsSync9, mkdirSync as mkdirSync4, readFileSync as readFileSync6, readdirSync, rmSync as rmSync2, writeFileSync as writeFileSync3 } from "fs";
+import { resolve as resolve10 } from "path";
+import { loadSkill } from "@rig/skill-loader";
+var MARKER_FILENAME = ".rig-plugin";
+function skillDirName(id) {
+  return id.replace(/[^a-zA-Z0-9._-]+/g, "-");
+}
+async function materializeSkills(projectRoot, entries) {
+  const skillsRoot = resolve10(projectRoot, ".pi", "skills");
+  if (existsSync9(skillsRoot)) {
+    for (const name of readdirSync(skillsRoot)) {
+      const dir = resolve10(skillsRoot, name);
+      if (existsSync9(resolve10(dir, MARKER_FILENAME))) {
+        rmSync2(dir, { recursive: true, force: true });
+      }
+    }
+  }
+  const written = [];
+  for (const { pluginName, skill } of entries) {
+    const sourcePath = resolve10(projectRoot, skill.path);
+    if (!existsSync9(sourcePath)) {
+      console.warn(`[plugin-host] skill "${skill.id}" from plugin "${pluginName}" not materialized: ${sourcePath} does not exist`);
+      continue;
+    }
+    let body;
+    try {
+      await loadSkill(sourcePath);
+      body = readFileSync6(sourcePath, "utf-8");
+    } catch (err) {
+      console.warn(`[plugin-host] skill "${skill.id}" from plugin "${pluginName}" not materialized: ${err instanceof Error ? err.message : err}`);
+      continue;
+    }
+    const dir = resolve10(skillsRoot, skillDirName(skill.id));
+    mkdirSync4(dir, { recursive: true });
+    writeFileSync3(resolve10(dir, "SKILL.md"), body, "utf-8");
+    writeFileSync3(resolve10(dir, MARKER_FILENAME), `${JSON.stringify({ plugin: pluginName, skillId: skill.id }, null, 2)}
+`, "utf-8");
+    written.push({ id: skill.id, pluginName, directory: dir });
+  }
+  return written;
+}
+
 // packages/runtime/src/control-plane/plugin-host-context.ts
 async function buildPluginHostContext(projectRoot) {
   let config;
@@ -2080,6 +1728,17 @@ async function buildPluginHostContext(projectRoot) {
   } catch (err) {
     console.warn(`[plugin-host] hook materialization failed: ${err instanceof Error ? err.message : err}`);
   }
+  try {
+    const skillEntries = config.plugins.flatMap((plugin) => (plugin.contributes?.skills ?? []).map((skill) => ({
+      pluginName: plugin.name,
+      skill
+    })));
+    if (skillEntries.length > 0) {
+      await materializeSkills(projectRoot, skillEntries);
+    }
+  } catch (err) {
+    console.warn(`[plugin-host] skill materialization failed: ${err instanceof Error ? err.message : err}`);
+  }
   return {
     config,
     pluginHost,
@@ -2093,12 +1752,12 @@ async function buildPluginHostContext(projectRoot) {
 
 // packages/runtime/src/control-plane/tasks/source-aware-task-config-source.ts
 import { spawnSync } from "child_process";
-import { existsSync as existsSync11, readFileSync as readFileSync7, readdirSync as readdirSync2, statSync as statSync3, writeFileSync as writeFileSync3 } from "fs";
-import { basename as basename5, join as join2, resolve as resolve13 } from "path";
+import { existsSync as existsSync11, readFileSync as readFileSync8, readdirSync as readdirSync2, statSync as statSync3, writeFileSync as writeFileSync4 } from "fs";
+import { basename as basename4, join as join2, resolve as resolve12 } from "path";
 
 // packages/runtime/src/control-plane/tasks/legacy-task-config-source.ts
-import { existsSync as existsSync10, readFileSync as readFileSync6 } from "fs";
-import { resolve as resolve12 } from "path";
+import { existsSync as existsSync10, readFileSync as readFileSync7 } from "fs";
+import { resolve as resolve11 } from "path";
 
 // packages/runtime/src/control-plane/tasks/task-record-reader.ts
 async function findTaskById(reader, id) {
@@ -2121,7 +1780,7 @@ class LegacyTaskConfigReadError extends Error {
   }
 }
 function createLegacyTaskConfigRecordReader(projectRoot, options = {}) {
-  const configPath = options.configPath ?? resolve12(projectRoot, ".rig", "task-config.json");
+  const configPath = options.configPath ?? resolve11(projectRoot, ".rig", "task-config.json");
   const reader = {
     async listTasks() {
       return readLegacyTaskRecords(projectRoot, configPath);
@@ -2132,7 +1791,7 @@ function createLegacyTaskConfigRecordReader(projectRoot, options = {}) {
   };
   return reader;
 }
-function readLegacyTaskRecords(projectRoot, configPath = resolve12(projectRoot, ".rig", "task-config.json")) {
+function readLegacyTaskRecords(projectRoot, configPath = resolve11(projectRoot, ".rig", "task-config.json")) {
   if (!existsSync10(configPath)) {
     return [];
   }
@@ -2141,7 +1800,7 @@ function readLegacyTaskRecords(projectRoot, configPath = resolve12(projectRoot,
 }
 function readLegacyTaskConfigJson(projectRoot, configPath) {
   try {
-    const parsed = JSON.parse(readFileSync6(configPath, "utf8"));
+    const parsed = JSON.parse(readFileSync7(configPath, "utf8"));
     if (isPlainRecord(parsed)) {
       return parsed;
     }
@@ -2225,7 +1884,7 @@ function isPlainRecord(candidate) {
 var STATUS_LABELS = new Set(["ready", "blocked", "in-progress", "under-review", "failed", "cancelled"]);
 var FILE_TASK_PATTERN = /\.(task\.)?json$/;
 function createSourceAwareTaskConfigRecordReader(projectRoot, options = {}) {
-  const configPath = options.configPath ?? resolve13(projectRoot, ".rig", "task-config.json");
+  const configPath = options.configPath ?? resolve12(projectRoot, ".rig", "task-config.json");
   const legacy = createLegacyTaskConfigRecordReader(projectRoot, { configPath });
   const spawnFn = options.spawn ?? spawnSync;
   const ghBinary = options.ghBinary ?? "gh";
@@ -2291,7 +1950,7 @@ async function readSourceAwareTaskStatus(projectRoot, taskId, options = {}) {
   }
 }
 function updateSourceAwareTaskConfigTask(projectRoot, taskId, update, options = {}) {
-  const configPath = options.configPath ?? resolve13(projectRoot, ".rig", "task-config.json");
+  const configPath = options.configPath ?? resolve12(projectRoot, ".rig", "task-config.json");
   const rawEntry = readRawTaskEntry(configPath, taskId);
   if (!rawEntry) {
     const configuredFilesPath = readConfiguredFilesTaskSourcePath(projectRoot);
@@ -2344,10 +2003,10 @@ function readMaterializedTaskMetadata(entry) {
   return metadata;
 }
 function readConfiguredFilesTaskSourcePath(projectRoot) {
-  const jsonPath = resolve13(projectRoot, "rig.config.json");
+  const jsonPath = resolve12(projectRoot, "rig.config.json");
   if (existsSync11(jsonPath)) {
     try {
-      const parsed = JSON.parse(readFileSync7(jsonPath, "utf8"));
+      const parsed = JSON.parse(readFileSync8(jsonPath, "utf8"));
       if (isPlainRecord2(parsed) && isPlainRecord2(parsed.taskSource)) {
         const source = parsed.taskSource;
         return source.kind === "files" && typeof source.path === "string" ? source.path : null;
@@ -2356,12 +2015,12 @@ function readConfiguredFilesTaskSourcePath(projectRoot) {
       return null;
     }
   }
-  const tsPath = resolve13(projectRoot, "rig.config.ts");
+  const tsPath = resolve12(projectRoot, "rig.config.ts");
   if (!existsSync11(tsPath)) {
     return null;
   }
   try {
-    const source = readFileSync7(tsPath, "utf8");
+    const source = readFileSync8(tsPath, "utf8");
     const taskSourceBlock = source.match(/taskSource\s*:\s*\{[\s\S]*?\}/m)?.[0] ?? "";
     const kind = taskSourceBlock.match(/kind\s*:\s*["']([^"']+)["']/)?.[1];
     if (kind !== "files") {
@@ -2384,7 +2043,7 @@ function readRawTaskConfig(configPath) {
   if (!existsSync11(configPath)) {
     return null;
   }
-  const parsed = JSON.parse(readFileSync7(configPath, "utf8"));
+  const parsed = JSON.parse(readFileSync8(configPath, "utf8"));
   return isPlainRecord2(parsed) ? parsed : null;
 }
 function stripLegacyTaskConfigMetadata2(raw) {
@@ -2401,16 +2060,16 @@ function writeLegacyTaskStatus(configPath, taskId, status) {
     return;
   }
   entry.status = status;
-  writeFileSync3(configPath, `${JSON.stringify(rawConfig, null, 2)}
+  writeFileSync4(configPath, `${JSON.stringify(rawConfig, null, 2)}
 `, "utf8");
 }
 function updateFileBackedTask(projectRoot, sourcePath, taskId, update) {
-  const directory = resolve13(projectRoot, sourcePath);
+  const directory = resolve12(projectRoot, sourcePath);
   const file = findFileBackedTaskFile(directory, taskId);
   if (!file) {
     return false;
   }
-  const raw = JSON.parse(readFileSync7(file, "utf8"));
+  const raw = JSON.parse(readFileSync8(file, "utf8"));
   if (!isPlainRecord2(raw)) {
     return false;
   }
@@ -2427,12 +2086,12 @@ function updateFileBackedTask(projectRoot, sourcePath, taskId, update) {
       { body: update.comment, createdAt: new Date().toISOString(), source: "rig" }
     ];
   }
-  writeFileSync3(file, `${JSON.stringify(raw, null, 2)}
+  writeFileSync4(file, `${JSON.stringify(raw, null, 2)}
 `, "utf8");
   return true;
 }
 function listFileBackedTasks(projectRoot, sourcePath) {
-  const directory = resolve13(projectRoot, sourcePath);
+  const directory = resolve12(projectRoot, sourcePath);
   if (!existsSync11(directory)) {
     return [];
   }
@@ -2440,7 +2099,7 @@ function listFileBackedTasks(projectRoot, sourcePath) {
   for (const name of readdirSync2(directory)) {
     if (!FILE_TASK_PATTERN.test(name))
       continue;
-    const inferredId = basename5(name).replace(FILE_TASK_PATTERN, "");
+    const inferredId = basename4(name).replace(FILE_TASK_PATTERN, "");
     const task = readFileBackedTask(projectRoot, sourcePath, inferredId, {});
     if (task)
       tasks.push(task);
@@ -2448,11 +2107,11 @@ function listFileBackedTasks(projectRoot, sourcePath) {
   return tasks;
 }
 function readFileBackedTask(projectRoot, sourcePath, taskId, rawEntry) {
-  const file = findFileBackedTaskFile(resolve13(projectRoot, sourcePath), taskId);
+  const file = findFileBackedTaskFile(resolve12(projectRoot, sourcePath), taskId);
   if (!file) {
     return null;
   }
-  const raw = JSON.parse(readFileSync7(file, "utf8"));
+  const raw = JSON.parse(readFileSync8(file, "utf8"));
   if (!isPlainRecord2(raw)) {
     return null;
   }
@@ -2475,8 +2134,8 @@ function findFileBackedTaskFile(directory, taskId) {
     try {
       if (!statSync3(file).isFile())
         continue;
-      const raw = JSON.parse(readFileSync7(file, "utf8"));
-      const inferredId = basename5(file).replace(FILE_TASK_PATTERN, "");
+      const raw = JSON.parse(readFileSync8(file, "utf8"));
+      const inferredId = basename4(file).replace(FILE_TASK_PATTERN, "");
       const id = isPlainRecord2(raw) && typeof raw.id === "string" ? raw.id : inferredId;
       if (id === taskId) {
         return file;
@@ -2645,8 +2304,8 @@ function ensureStatusLabel(bin, repo, spawnFn, label) {
   }
 }
 function selectedGitHubEnv() {
-  const token = process.env.RIG_GITHUB_SELECTED_TOKEN?.trim() ?? "";
-  return { GH_TOKEN: token, GITHUB_TOKEN: token };
+  const token = process.env.RIG_GITHUB_SELECTED_TOKEN?.trim() || process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  return { GH_TOKEN: token, GITHUB_TOKEN: token, RIG_GITHUB_TOKEN: token };
 }
 function ghSpawnOptions() {
   return { encoding: "utf-8", env: { ...process.env, ...selectedGitHubEnv() } };
@@ -2824,8 +2483,8 @@ function buildTaskRunLifecycleComment(input) {
 }
 
 // packages/runtime/src/control-plane/native/task-state.ts
-import { existsSync as existsSync13, readFileSync as readFileSync9, readdirSync as readdirSync3, statSync as statSync4, writeFileSync as writeFileSync5 } from "fs";
-import { basename as basename6, resolve as resolve15 } from "path";
+import { existsSync as existsSync13, readFileSync as readFileSync10, readdirSync as readdirSync3, statSync as statSync4, writeFileSync as writeFileSync6 } from "fs";
+import { basename as basename5, resolve as resolve14 } from "path";
 
 // packages/runtime/src/control-plane/state-sync/types.ts
 var CANONICAL_TASK_LIFECYCLE_STATUSES = new Set([
@@ -2840,23 +2499,23 @@ var CANONICAL_TASK_LIFECYCLE_STATUSES = new Set([
   "cancelled"
 ]);
 // packages/runtime/src/control-plane/native/git-native.ts
-import { chmodSync, copyFileSync as copyFileSync2, existsSync as existsSync12, mkdirSync as mkdirSync4, readFileSync as readFileSync8, renameSync as renameSync2, rmSync as rmSync2, writeFileSync as writeFileSync4 } from "fs";
+import { chmodSync, copyFileSync as copyFileSync2, existsSync as existsSync12, mkdirSync as mkdirSync5, readFileSync as readFileSync9, renameSync as renameSync2, rmSync as rmSync3, writeFileSync as writeFileSync5 } from "fs";
 import { tmpdir as tmpdir4 } from "os";
-import { dirname as dirname8, isAbsolute, resolve as resolve14 } from "path";
+import { dirname as dirname7, isAbsolute, resolve as resolve13 } from "path";
 import { createHash } from "crypto";
-var sharedGitNativeOutputDir = resolve14(tmpdir4(), "rig-native");
-var sharedGitNativeOutputPath = resolve14(sharedGitNativeOutputDir, `rig-git-${process.platform}-${process.arch}${process.platform === "win32" ? ".exe" : ""}`);
+var sharedGitNativeOutputDir = resolve13(tmpdir4(), "rig-native");
+var sharedGitNativeOutputPath = resolve13(sharedGitNativeOutputDir, `rig-git-${process.platform}-${process.arch}${process.platform === "win32" ? ".exe" : ""}`);
 var trackerCommandUsageProbe = "usage: rig-git fetch-ref <repo-path> <remote> <branch>";
 function temporaryGitBinaryOutputPath(outputPath) {
   const suffix2 = process.platform === "win32" ? ".exe" : "";
-  return resolve14(dirname8(outputPath), `.rig-git-${process.pid}-${Date.now()}-${Math.random().toString(36).slice(2)}${suffix2}`);
+  return resolve13(dirname7(outputPath), `.rig-git-${process.pid}-${Date.now()}-${Math.random().toString(36).slice(2)}${suffix2}`);
 }
 function publishGitBinary(tempOutputPath, outputPath) {
   try {
     renameSync2(tempOutputPath, outputPath);
   } catch (error) {
     if (process.platform === "win32" && existsSync12(outputPath)) {
-      rmSync2(outputPath, { force: true });
+      rmSync3(outputPath, { force: true });
       renameSync2(tempOutputPath, outputPath);
       return;
     }
@@ -2867,27 +2526,27 @@ function runtimeRigGitFileName() {
   return `rig-git${process.platform === "win32" ? ".exe" : ""}`;
 }
 function rigGitSourceCandidates() {
-  const execDir = process.execPath?.trim() ? dirname8(process.execPath.trim()) : "";
+  const execDir = process.execPath?.trim() ? dirname7(process.execPath.trim()) : "";
   const cwd = process.cwd()?.trim() || "";
   const projectRoot = process.env.PROJECT_RIG_ROOT?.trim() || "";
   const hostProjectRoot = process.env.RIG_HOST_PROJECT_ROOT?.trim() || "";
-  const moduleRelativeSource = resolve14(import.meta.dir, "../../../native/rig-git.zig");
+  const moduleRelativeSource = resolve13(import.meta.dir, "../../../native/rig-git.zig");
   return [...new Set([
     process.env.RIG_NATIVE_GIT_SOURCE?.trim() || "",
     moduleRelativeSource,
-    projectRoot ? resolve14(projectRoot, "packages/runtime/native/rig-git.zig") : "",
-    hostProjectRoot ? resolve14(hostProjectRoot, "packages/runtime/native/rig-git.zig") : "",
-    cwd ? resolve14(cwd, "packages/runtime/native/rig-git.zig") : "",
-    execDir ? resolve14(execDir, "..", "..", "packages/runtime/native/rig-git.zig") : "",
-    execDir ? resolve14(execDir, "..", "native", "rig-git.zig") : ""
+    projectRoot ? resolve13(projectRoot, "packages/runtime/native/rig-git.zig") : "",
+    hostProjectRoot ? resolve13(hostProjectRoot, "packages/runtime/native/rig-git.zig") : "",
+    cwd ? resolve13(cwd, "packages/runtime/native/rig-git.zig") : "",
+    execDir ? resolve13(execDir, "..", "..", "packages/runtime/native/rig-git.zig") : "",
+    execDir ? resolve13(execDir, "..", "native", "rig-git.zig") : ""
   ].filter(Boolean))];
 }
 function nativePackageBinaryCandidates(fromDir, fileName) {
   const candidates = [];
-  let cursor = resolve14(fromDir);
+  let cursor = resolve13(fromDir);
   for (let index = 0;index < 8; index += 1) {
-    candidates.push(resolve14(cursor, "native", `${process.platform}-${process.arch}`, fileName), resolve14(cursor, "native", `${process.platform}-${process.arch}`, "bin", fileName), resolve14(cursor, "native", fileName), resolve14(cursor, "native", "bin", fileName));
-    const parent = dirname8(cursor);
+    candidates.push(resolve13(cursor, "native", `${process.platform}-${process.arch}`, fileName), resolve13(cursor, "native", `${process.platform}-${process.arch}`, "bin", fileName), resolve13(cursor, "native", fileName), resolve13(cursor, "native", "bin", fileName));
+    const parent = dirname7(cursor);
     if (parent === cursor)
       break;
     cursor = parent;
@@ -2895,15 +2554,15 @@ function nativePackageBinaryCandidates(fromDir, fileName) {
   return candidates;
 }
 function rigGitBinaryCandidates() {
-  const execDir = process.execPath?.trim() ? dirname8(process.execPath.trim()) : "";
+  const execDir = process.execPath?.trim() ? dirname7(process.execPath.trim()) : "";
   const fileName = runtimeRigGitFileName();
   const explicit = process.env.RIG_NATIVE_GIT_BIN?.trim() || "";
   return [...new Set([
     explicit,
     ...nativePackageBinaryCandidates(import.meta.dir, fileName),
-    execDir ? resolve14(execDir, fileName) : "",
-    execDir ? resolve14(execDir, "..", fileName) : "",
-    execDir ? resolve14(execDir, "..", "bin", fileName) : "",
+    execDir ? resolve13(execDir, fileName) : "",
+    execDir ? resolve13(execDir, "..", fileName) : "",
+    execDir ? resolve13(execDir, "..", "bin", fileName) : "",
     sharedGitNativeOutputPath
   ].filter(Boolean))];
 }
@@ -2954,14 +2613,14 @@ function hasMatchingNativeBuildManifestSync(manifestPath, buildKey) {
     return false;
   }
   try {
-    const manifest = JSON.parse(readFileSync8(manifestPath, "utf8"));
+    const manifest = JSON.parse(readFileSync9(manifestPath, "utf8"));
     return manifest.version === 1 && manifest.buildKey === buildKey;
   } catch {
     return false;
   }
 }
 function sha256FileSync(path) {
-  return createHash("sha256").update(readFileSync8(path)).digest("hex");
+  return createHash("sha256").update(readFileSync9(path)).digest("hex");
 }
 function ensureRigGitBinaryPathSync(outputPath = preferredGitBinaryOutputPath()) {
   if (process.env.RIG_DISABLE_ZIG_NATIVE === "1") {
@@ -2979,7 +2638,7 @@ function ensureRigGitBinaryPathSync(outputPath = preferredGitBinaryOutputPath())
   if (!zigBinary) {
     throw new Error("zig is required to build native Rig git tools.");
   }
-  mkdirSync4(dirname8(outputPath), { recursive: true });
+  mkdirSync5(dirname7(outputPath), { recursive: true });
   const sourceDigest = sha256FileSync(sourcePath);
   const buildKey = JSON.stringify({
     version: 1,
@@ -3004,7 +2663,7 @@ function ensureRigGitBinaryPathSync(outputPath = preferredGitBinaryOutputPath())
     "ReleaseFast",
     `-femit-bin=${tempOutputPath}`
   ], {
-    cwd: dirname8(sourcePath),
+    cwd: dirname7(sourcePath),
     stdout: "pipe",
     stderr: "pipe"
   });
@@ -3017,16 +2676,16 @@ function ensureRigGitBinaryPathSync(outputPath = preferredGitBinaryOutputPath())
   }
   chmodSync(tempOutputPath, 493);
   if (existsSync12(outputPath) && hasMatchingNativeBuildManifestSync(manifestPath, buildKey)) {
-    rmSync2(tempOutputPath, { force: true });
+    rmSync3(tempOutputPath, { force: true });
     chmodSync(outputPath, 493);
     return outputPath;
   }
   publishGitBinary(tempOutputPath, outputPath);
   if (!binarySupportsTrackerCommandsSync(outputPath)) {
-    rmSync2(outputPath, { force: true });
+    rmSync3(outputPath, { force: true });
     throw new Error("Failed to build native Rig git tools: tracker command probe failed");
   }
-  writeFileSync4(manifestPath, `${JSON.stringify({ version: 1, buildKey }, null, 2)}
+  writeFileSync5(manifestPath, `${JSON.stringify({ version: 1, buildKey }, null, 2)}
 `, "utf8");
   return outputPath;
 }
@@ -3135,7 +2794,7 @@ function readValidationDescriptions(projectRoot) {
   return readValidationDescriptionMap(raw);
 }
 function readSourceValidationDescriptions(projectRoot) {
-  const rootRaw = readJsonFile(resolve15(projectRoot, "rig", "task-config.json"), {});
+  const rootRaw = readJsonFile(resolve14(projectRoot, "rig", "task-config.json"), {});
   const sourcePath = findSourceTaskConfigPath(projectRoot);
   const sourceRaw = sourcePath ? readJsonFile(sourcePath, {}) : {};
   const rootDescriptions = readValidationDescriptionMap(rootRaw);
@@ -3226,16 +2885,16 @@ function lookupTask(projectRoot, input) {
 function artifactDirForId(projectRoot, id) {
   const workspaceDir = process.env.RIG_TASK_WORKSPACE?.trim();
   if (workspaceDir) {
-    const worktreeArtifacts = resolve15(workspaceDir, "artifacts", id);
-    if (existsSync13(worktreeArtifacts) || existsSync13(resolve15(workspaceDir, "artifacts"))) {
+    const worktreeArtifacts = resolve14(workspaceDir, "artifacts", id);
+    if (existsSync13(worktreeArtifacts) || existsSync13(resolve14(workspaceDir, "artifacts"))) {
       return worktreeArtifacts;
     }
   }
   try {
     const paths = resolveHarnessPaths(projectRoot);
-    return resolve15(paths.artifactsDir, id);
+    return resolve14(paths.artifactsDir, id);
   } catch {
-    return resolve15(resolveMonorepoRoot2(projectRoot), "artifacts", id);
+    return resolve14(resolveMonorepoRoot2(projectRoot), "artifacts", id);
   }
 }
 function resolveTaskConfigPath(projectRoot) {
@@ -3265,7 +2924,7 @@ function readAndSyncSourceTaskConfig(projectRoot) {
   const synced = synchronizeTaskConfigWithTracker(projectRoot, raw);
   if (sourcePath && synced.updated) {
     try {
-      writeFileSync5(sourcePath, `${JSON.stringify(synced.config, null, 2)}
+      writeFileSync6(sourcePath, `${JSON.stringify(synced.config, null, 2)}
 `, "utf-8");
     } catch {}
   }
@@ -3317,12 +2976,12 @@ function shouldRefreshAutoSyncedTaskConfigEntry(entry) {
   return !candidate.role;
 }
 function readSourceIssueRecords(projectRoot) {
-  const issuesPath = resolve15(resolveMonorepoRoot2(projectRoot), ".beads", "issues.jsonl");
+  const issuesPath = resolve14(resolveMonorepoRoot2(projectRoot), ".beads", "issues.jsonl");
   if (!existsSync13(issuesPath)) {
     return [];
   }
   const records = [];
-  for (const line of readFileSync9(issuesPath, "utf-8").split(/\r?\n/)) {
+  for (const line of readFileSync10(issuesPath, "utf-8").split(/\r?\n/)) {
     const trimmed = line.trim();
     if (!trimmed) {
       continue;
@@ -3378,7 +3037,7 @@ function readConfiguredFileTaskConfig(projectRoot) {
   if (!sourcePath) {
     return {};
   }
-  const directory = resolve15(projectRoot, sourcePath);
+  const directory = resolve14(projectRoot, sourcePath);
   if (!existsSync13(directory)) {
     return {};
   }
@@ -3386,15 +3045,15 @@ function readConfiguredFileTaskConfig(projectRoot) {
   for (const name of readdirSync3(directory)) {
     if (!FILE_TASK_PATTERN2.test(name))
       continue;
-    const file = resolve15(directory, name);
+    const file = resolve14(directory, name);
     try {
       if (!statSync4(file).isFile())
         continue;
-      const raw = JSON.parse(readFileSync9(file, "utf8"));
+      const raw = JSON.parse(readFileSync10(file, "utf8"));
       if (!raw || typeof raw !== "object" || Array.isArray(raw))
         continue;
       const record = raw;
-      const inferredId = basename6(name).replace(FILE_TASK_PATTERN2, "");
+      const inferredId = basename5(name).replace(FILE_TASK_PATTERN2, "");
       const id = typeof record.id === "string" && record.id.trim().length > 0 ? record.id.trim() : inferredId;
       config[id] = fileTaskToConfigEntry(record, { kind: "files", path: sourcePath });
     } catch {}
@@ -3432,10 +3091,10 @@ function firstStringList2(...candidates) {
   return [];
 }
 function readConfiguredFilesTaskSourcePath2(projectRoot) {
-  const jsonPath = resolve15(projectRoot, "rig.config.json");
+  const jsonPath = resolve14(projectRoot, "rig.config.json");
   if (existsSync13(jsonPath)) {
     try {
-      const parsed = JSON.parse(readFileSync9(jsonPath, "utf8"));
+      const parsed = JSON.parse(readFileSync10(jsonPath, "utf8"));
       if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
         const taskSource = parsed.taskSource;
         if (taskSource && typeof taskSource === "object" && !Array.isArray(taskSource)) {
@@ -3447,12 +3106,12 @@ function readConfiguredFilesTaskSourcePath2(projectRoot) {
       return null;
     }
   }
-  const tsPath = resolve15(projectRoot, "rig.config.ts");
+  const tsPath = resolve14(projectRoot, "rig.config.ts");
   if (!existsSync13(tsPath)) {
     return null;
   }
   try {
-    const source = readFileSync9(tsPath, "utf8");
+    const source = readFileSync10(tsPath, "utf8");
     const taskSourceBlock = source.match(/taskSource\s*:\s*\{[\s\S]*?\}/m)?.[0] ?? "";
     const kind = taskSourceBlock.match(/kind\s*:\s*["']([^"']+)["']/)?.[1];
     if (kind !== "files") {
@@ -3466,23 +3125,23 @@ function readConfiguredFilesTaskSourcePath2(projectRoot) {
 function sourceTaskConfigCandidates(projectRoot) {
   const runtimeContext = loadRuntimeContextFromEnv();
   return [
-    runtimeContext?.monorepoMainRoot ? resolve15(runtimeContext.monorepoMainRoot, ".rig", "task-config.json") : "",
-    process.env.MONOREPO_MAIN_ROOT?.trim() ? resolve15(process.env.MONOREPO_MAIN_ROOT.trim(), ".rig", "task-config.json") : "",
-    resolve15(resolveMonorepoRoot2(projectRoot), ".rig", "task-config.json")
+    runtimeContext?.monorepoMainRoot ? resolve14(runtimeContext.monorepoMainRoot, ".rig", "task-config.json") : "",
+    process.env.MONOREPO_MAIN_ROOT?.trim() ? resolve14(process.env.MONOREPO_MAIN_ROOT.trim(), ".rig", "task-config.json") : "",
+    resolve14(resolveMonorepoRoot2(projectRoot), ".rig", "task-config.json")
   ].filter(Boolean);
 }
 
 // packages/runtime/src/control-plane/native/validator.ts
-import { existsSync as existsSync17, mkdirSync as mkdirSync7, writeFileSync as writeFileSync7 } from "fs";
-import { resolve as resolve20 } from "path";
+import { existsSync as existsSync17, mkdirSync as mkdirSync8, writeFileSync as writeFileSync8 } from "fs";
+import { resolve as resolve19 } from "path";
 
 // packages/runtime/src/control-plane/native/validator-binaries.ts
-import { existsSync as existsSync16, mkdirSync as mkdirSync6, rmSync as rmSync4, statSync as statSync5 } from "fs";
-import { dirname as dirname10, resolve as resolve19 } from "path";
+import { existsSync as existsSync16, mkdirSync as mkdirSync7, rmSync as rmSync5, statSync as statSync5 } from "fs";
+import { dirname as dirname9, resolve as resolve18 } from "path";
 
 // packages/runtime/src/binary-run.ts
-import { chmodSync as chmodSync2, cpSync, existsSync as existsSync14, mkdirSync as mkdirSync5, renameSync as renameSync3, rmSync as rmSync3, writeFileSync as writeFileSync6 } from "fs";
-import { basename as basename7, dirname as dirname9, resolve as resolve16 } from "path";
+import { chmodSync as chmodSync2, cpSync, existsSync as existsSync14, mkdirSync as mkdirSync6, renameSync as renameSync3, rmSync as rmSync4, writeFileSync as writeFileSync7 } from "fs";
+import { basename as basename6, dirname as dirname8, resolve as resolve15 } from "path";
 import { fileURLToPath } from "url";
 import { drainMicrotasks, gcAndSweep } from "bun:jsc";
 var runtimeBinaryBuildQueue = Promise.resolve();
@@ -3508,9 +3167,9 @@ async function buildRuntimeBinary(options) {
   });
 }
 async function buildRuntimeBinaryInProcess(options, manifest) {
-  const tempBuildDir = resolve16(dirname9(options.outputPath), `.bun-build-${process.pid}-${Date.now()}-${Math.random().toString(36).slice(2)}`);
-  const tempOutputPath = resolve16(tempBuildDir, basename7(options.outputPath));
-  mkdirSync5(tempBuildDir, { recursive: true });
+  const tempBuildDir = resolve15(dirname8(options.outputPath), `.bun-build-${process.pid}-${Date.now()}-${Math.random().toString(36).slice(2)}`);
+  const tempOutputPath = resolve15(tempBuildDir, basename6(options.outputPath));
+  mkdirSync6(tempBuildDir, { recursive: true });
   await withTemporaryEnv({
     ...options.env,
     ...options.define ? { RIG_BUILD_CONFIG_JSON: JSON.stringify(options.define) } : {}
@@ -3550,7 +3209,7 @@ async function buildRuntimeBinaryInProcess(options, manifest) {
       });
     }
   })).finally(() => {
-    rmSync3(tempBuildDir, { recursive: true, force: true });
+    rmSync4(tempBuildDir, { recursive: true, force: true });
   });
 }
 function runBestEffortBuildGc() {
@@ -3567,8 +3226,8 @@ function runtimeBinaryCacheManifestPath(outputPath) {
 function resolveRuntimeBinaryBuildOptions(options) {
   return {
     ...options,
-    entrypoint: resolve16(options.cwd, options.sourcePath),
-    outputPath: resolve16(options.outputPath)
+    entrypoint: resolve15(options.cwd, options.sourcePath),
+    outputPath: resolve15(options.outputPath)
   };
 }
 function shouldUseRuntimeBinaryBuildWorker() {
@@ -3613,13 +3272,13 @@ async function buildRuntimeBinaryViaWorker(options) {
     new Response(build.stdout).text(),
     new Response(build.stderr).text()
   ]);
-  rmSync3(payloadPath, { force: true });
+  rmSync4(payloadPath, { force: true });
   if (exitCode !== 0) {
     throw new Error(`Failed to build ${options.entrypoint}: ${(stderr || stdout || `worker exited ${exitCode}`).trim()}`);
   }
 }
 function createRuntimeBinaryBuildWorkerPayloadPath(outputPath) {
-  return resolve16(dirname9(outputPath), `.bun-build-worker-${process.pid}-${Date.now()}-${Math.random().toString(36).slice(2)}.json`);
+  return resolve15(dirname8(outputPath), `.bun-build-worker-${process.pid}-${Date.now()}-${Math.random().toString(36).slice(2)}.json`);
 }
 function resolveRuntimeBinaryBuildWorkerSourcePath(options) {
   const envRoots = [
@@ -3628,12 +3287,12 @@ function resolveRuntimeBinaryBuildWorkerSourcePath(options) {
     process.env.PROJECT_RIG_ROOT?.trim()
   ].filter(Boolean);
   for (const root of envRoots) {
-    const candidate = resolve16(root, "packages/runtime/src/binary-build-worker.ts");
+    const candidate = resolve15(root, "packages/runtime/src/binary-build-worker.ts");
     if (existsSync14(candidate)) {
       return candidate;
     }
   }
-  const localCandidate = resolve16(import.meta.dir, "binary-build-worker.ts");
+  const localCandidate = resolve15(import.meta.dir, "binary-build-worker.ts");
   return existsSync14(localCandidate) ? localCandidate : null;
 }
 function resolveRuntimeBinaryBuildWorkerInvocation() {
@@ -3719,7 +3378,7 @@ function normalizeBuildInputPath(cwd, inputPath) {
   if (inputPath.startsWith("<")) {
     return null;
   }
-  return resolve16(cwd, inputPath);
+  return resolve15(cwd, inputPath);
 }
 async function sha256File(path) {
   const hasher = new Bun.CryptoHasher("sha256");
@@ -3735,8 +3394,8 @@ function sortRecord(value) {
 async function runSerializedRuntimeBinaryBuild(action) {
   const previous = runtimeBinaryBuildQueue;
   let release;
-  runtimeBinaryBuildQueue = new Promise((resolve17) => {
-    release = resolve17;
+  runtimeBinaryBuildQueue = new Promise((resolve16) => {
+    release = resolve16;
   });
   await previous;
   try {
@@ -3781,11 +3440,11 @@ async function withTemporaryCwd(cwd, action) {
 }
 
 // packages/runtime/src/control-plane/runtime/provisioning-env.ts
-import { delimiter, resolve as resolve18 } from "path";
+import { delimiter, resolve as resolve17 } from "path";
 
 // packages/runtime/src/control-plane/runtime/runtime-paths.ts
 import { existsSync as existsSync15, readdirSync as readdirSync4, realpathSync } from "fs";
-import { resolve as resolve17 } from "path";
+import { resolve as resolve16 } from "path";
 
 // packages/runtime/src/control-plane/runtime/sandbox/utils.ts
 function uniq(values) {
@@ -3803,7 +3462,7 @@ function resolveBunBinaryPath() {
   }
   const home = process.env.HOME?.trim();
   const fallbackCandidates = [
-    home ? resolve17(home, ".bun/bin/bun") : "",
+    home ? resolve16(home, ".bun/bin/bun") : "",
     "/opt/homebrew/bin/bun",
     "/usr/local/bin/bun",
     "/usr/bin/bun"
@@ -3831,8 +3490,8 @@ function resolveClaudeBinaryPath() {
   }
   const home = process.env.HOME?.trim();
   const fallbackCandidates = [
-    home ? resolve17(home, ".local/bin/claude") : "",
-    home ? resolve17(home, ".local/share/claude/local/claude") : "",
+    home ? resolve16(home, ".local/bin/claude") : "",
+    home ? resolve16(home, ".local/share/claude/local/claude") : "",
     "/opt/homebrew/bin/claude",
     "/usr/local/bin/claude",
     "/usr/bin/claude"
@@ -3846,51 +3505,51 @@ function resolveClaudeBinaryPath() {
   throw new Error("claude not found in PATH");
 }
 function resolveBunInstallDir(bunBinaryPath = resolveBunBinaryPath()) {
-  return resolve17(bunBinaryPath, "../..");
+  return resolve16(bunBinaryPath, "../..");
 }
 function resolveClaudeInstallDir() {
   const realPath = resolveClaudeBinaryPath();
-  return resolve17(realPath, "..");
+  return resolve16(realPath, "..");
 }
 function resolveNodeInstallDir() {
   const preferredNode = resolvePreferredNodeBinary();
   if (!preferredNode)
     return null;
   const explicitNode = process.env.RIG_NODE_BIN?.trim();
-  if (explicitNode && resolve17(explicitNode) === resolve17(preferredNode)) {
-    return preferredNode.endsWith("/bin/node") ? resolve17(preferredNode, "../..") : resolve17(preferredNode, "..");
+  if (explicitNode && resolve16(explicitNode) === resolve16(preferredNode)) {
+    return preferredNode.endsWith("/bin/node") ? resolve16(preferredNode, "../..") : resolve16(preferredNode, "..");
   }
   try {
     const realPath = realpathSync(preferredNode);
     if (realPath.endsWith("/bin/node")) {
-      return resolve17(realPath, "../..");
+      return resolve16(realPath, "../..");
     }
-    return resolve17(realPath, "..");
+    return resolve16(realPath, "..");
   } catch {
-    return resolve17(preferredNode, "..");
+    return resolve16(preferredNode, "..");
   }
 }
 function resolvePreferredNodeBinary() {
   const candidates = [];
   const envNode = process.env.RIG_NODE_BIN?.trim();
   if (envNode) {
-    const explicit = resolve17(envNode);
+    const explicit = resolve16(envNode);
     if (existsSync15(explicit)) {
       return explicit;
     }
   }
   const nvmBin = process.env.NVM_BIN?.trim();
   if (nvmBin) {
-    candidates.push(resolve17(nvmBin, "node"));
+    candidates.push(resolve16(nvmBin, "node"));
   }
   const home = process.env.HOME?.trim();
   if (home) {
-    const nvmVersionsDir = resolve17(home, ".nvm/versions/node");
+    const nvmVersionsDir = resolve16(home, ".nvm/versions/node");
     if (existsSync15(nvmVersionsDir)) {
       try {
         const versionDirs = readdirSync4(nvmVersionsDir).map((entry) => entry.trim()).filter((entry) => /^v\d+\.\d+\.\d+$/.test(entry)).sort((a, b) => Bun.semver.order(b.replace(/^v/, ""), a.replace(/^v/, "")));
         for (const versionDir of versionDirs) {
-          candidates.push(resolve17(nvmVersionsDir, versionDir, "bin/node"));
+          candidates.push(resolve16(nvmVersionsDir, versionDir, "bin/node"));
         }
       } catch {}
     }
@@ -3899,7 +3558,7 @@ function resolvePreferredNodeBinary() {
   if (whichNode) {
     candidates.push(whichNode);
   }
-  const deduped = uniq(candidates.map((candidate) => resolve17(candidate)));
+  const deduped = uniq(candidates.map((candidate) => resolve16(candidate)));
   const existing = deduped.filter((candidate) => existsSync15(candidate));
   if (existing.length === 0) {
     return null;
@@ -3914,7 +3573,7 @@ function resolvePreferredNodeBinary() {
   return existing[0] ?? null;
 }
 function inferNodeMajor(nodeBinaryPath) {
-  const normalized = resolve17(nodeBinaryPath).replace(/\\/g, "/");
+  const normalized = resolve16(nodeBinaryPath).replace(/\\/g, "/");
   const match = normalized.match(/(?:^|\/)(?:node-)?v?(\d+)\.\d+\.\d+(?:\/|$)/);
   if (!match) {
     return null;
@@ -3926,7 +3585,7 @@ function normalizeExecutablePath(candidate) {
   if (!candidate) {
     return "";
   }
-  const normalized = resolve17(candidate);
+  const normalized = resolve16(candidate);
   if (!existsSync15(normalized)) {
     return "";
   }
@@ -3937,7 +3596,7 @@ function normalizeExecutablePath(candidate) {
   }
 }
 function looksLikeRuntimeGateway(candidate) {
-  const normalized = resolve17(candidate).replace(/\\/g, "/");
+  const normalized = resolve16(candidate).replace(/\\/g, "/");
   return normalized.includes("/.rig/bin/") || normalized.endsWith("/rig-shell") || normalized.endsWith("/rig-agent");
 }
 
@@ -3958,7 +3617,7 @@ function runtimeProvisioningEnv(baseEnv = process.env) {
     try {
       return resolveClaudeInstallDir();
     } catch {
-      return resolve18(claudeBinary, "..");
+      return resolve17(claudeBinary, "..");
     }
   })() : "";
   const nodeDir = resolveNodeInstallDir();
@@ -3968,8 +3627,8 @@ function runtimeProvisioningEnv(baseEnv = process.env) {
     `${bunDir}/bin`,
     claudeDir,
     nodeDir ? `${nodeDir}/bin` : "",
-    realHome ? resolve18(realHome, ".local/bin") : "",
-    realHome ? resolve18(realHome, ".cargo/bin") : "",
+    realHome ? resolve17(realHome, ".local/bin") : "",
+    realHome ? resolve17(realHome, ".cargo/bin") : "",
     ...inheritedPath,
     "/usr/local/bin",
     "/usr/local/sbin",
@@ -4000,9 +3659,9 @@ function runtimeProvisioningEnv(baseEnv = process.env) {
 // packages/runtime/src/control-plane/native/validator-binaries.ts
 function resolveValidatorBinaryPath(projectRoot, binaryName, runtimeContext) {
   if (runtimeContext) {
-    return resolve19(runtimeContext.binDir, "validators", binaryName);
+    return resolve18(runtimeContext.binDir, "validators", binaryName);
   }
-  return resolve19(resolveHarnessPaths(projectRoot).binDir, "validators", binaryName);
+  return resolve18(resolveHarnessPaths(projectRoot).binDir, "validators", binaryName);
 }
 async function ensureValidatorBinary(projectRoot, checkId, runtimeContext) {
   const match = checkId.match(/^([a-z][\w-]*):([a-z][\w-]*)$/);
@@ -4017,7 +3676,7 @@ async function ensureValidatorBinary(projectRoot, checkId, runtimeContext) {
   const binaryName = `${category}-${check}`;
   const binaryPath = resolveValidatorBinaryPath(projectRoot, binaryName, runtimeContext);
   const hostProjectRoot = runtimeContext?.hostProjectRoot?.trim() || projectRoot;
-  const sourcePath = resolve19(hostProjectRoot, "packages/runtime/src/control-plane/validators", category, `${check}.ts`);
+  const sourcePath = resolve18(hostProjectRoot, "packages/runtime/src/control-plane/validators", category, `${check}.ts`);
   if (!existsSync16(sourcePath)) {
     return null;
   }
@@ -4026,10 +3685,10 @@ async function ensureValidatorBinary(projectRoot, checkId, runtimeContext) {
   const binaryMtime = binaryExists ? statSync5(binaryPath).mtimeMs : 0;
   if (!binaryExists || sourceMtime > binaryMtime) {
     if (binaryExists) {
-      rmSync4(binaryPath, { force: true });
-      rmSync4(`${binaryPath}.build-manifest.json`, { force: true });
+      rmSync5(binaryPath, { force: true });
+      rmSync5(`${binaryPath}.build-manifest.json`, { force: true });
     }
-    mkdirSync6(dirname10(binaryPath), { recursive: true });
+    mkdirSync7(dirname9(binaryPath), { recursive: true });
     await buildRuntimeBinary({
       sourcePath: `packages/runtime/src/control-plane/validators/${category}/${check}.ts`,
       outputPath: binaryPath,
@@ -4075,14 +3734,14 @@ async function readTaskSourceValidation(projectRoot, taskId) {
 function resolveValidationPaths(projectRoot, taskId, runtimeContext) {
   if (runtimeContext) {
     return {
-      taskLogDir: resolve20(runtimeContext.logsDir, taskId),
-      artifactDir: resolve20(runtimeContext.workspaceDir, "artifacts", taskId)
+      taskLogDir: resolve19(runtimeContext.logsDir, taskId),
+      artifactDir: resolve19(runtimeContext.workspaceDir, "artifacts", taskId)
     };
   }
   const paths = resolveHarnessPaths(projectRoot);
   return {
-    taskLogDir: resolve20(paths.logsDir, taskId),
-    artifactDir: resolve20(paths.artifactsDir, taskId)
+    taskLogDir: resolve19(paths.logsDir, taskId),
+    artifactDir: resolve19(paths.artifactsDir, taskId)
   };
 }
 async function runValidatorBinary(projectRoot, taskId, checkId, runtimeContext) {
@@ -4099,7 +3758,7 @@ async function runValidatorBinary(projectRoot, taskId, checkId, runtimeContext)
     };
   }
   const validatorCwd = runtimeContext?.workspaceDir || resolveMonorepoRoot(projectRoot);
-  const runtimeShellPath = runtimeContext ? resolve20(runtimeContext.binDir, "rig-shell") : "";
+  const runtimeShellPath = runtimeContext ? resolve19(runtimeContext.binDir, "rig-shell") : "";
   const monorepoMainRoot = runtimeContext?.monorepoMainRoot || process.env.MONOREPO_MAIN_ROOT?.trim() || resolveMonorepoRoot(projectRoot);
   const validatorEnv = {
     PROJECT_RIG_ROOT: runtimeContext?.hostProjectRoot || projectRoot,
@@ -4154,8 +3813,8 @@ async function validateTask(projectRoot, taskId, runtimeContext, registry, optio
   const configuredValidation = stringArray(taskConfig[taskId]?.validation);
   const commands = resolvedContext?.validation?.length ? resolvedContext.validation : configuredValidation.length > 0 ? configuredValidation : sourceValidation.validation;
   const { taskLogDir, artifactDir } = resolveValidationPaths(projectRoot, taskId, resolvedContext);
-  mkdirSync7(taskLogDir, { recursive: true });
-  mkdirSync7(artifactDir, { recursive: true });
+  mkdirSync8(taskLogDir, { recursive: true });
+  mkdirSync8(artifactDir, { recursive: true });
   if (commands.length === 0) {
     const skipped = {
       status: "skipped",
@@ -4164,89 +3823,1488 @@ async function validateTask(projectRoot, taskId, runtimeContext, registry, optio
       failed: 0,
       categories: []
     };
-    writeFileSync7(resolve20(artifactDir, "validation-summary.json"), `${JSON.stringify(skipped, null, 2)}
+    writeFileSync8(resolve19(artifactDir, "validation-summary.json"), `${JSON.stringify(skipped, null, 2)}
 `, "utf-8");
     return skipped;
   }
-  const effectiveRegistry = registry ?? createValidatorRegistry();
-  const workspaceRoot = resolvedContext?.workspaceDir ?? resolveMonorepoRoot(projectRoot);
-  const monorepoRoot = resolvedContext?.monorepoMainRoot ?? process.env.MONOREPO_MAIN_ROOT?.trim() ?? resolveMonorepoRoot(projectRoot);
-  const validatorCtx = {
-    taskId,
-    workspaceRoot,
-    scope: resolvedContext?.scopes ?? (stringArray(taskConfig[taskId]?.scope).length > 0 ? stringArray(taskConfig[taskId]?.scope) : sourceValidation.scope),
-    monorepoRoot,
-    artifactsDir: artifactDir,
-    taskConfig: sourceValidation.taskConfig ?? taskConfig[taskId] ?? undefined
+  const effectiveRegistry = registry ?? createValidatorRegistry();
+  const workspaceRoot = resolvedContext?.workspaceDir ?? resolveMonorepoRoot(projectRoot);
+  const monorepoRoot = resolvedContext?.monorepoMainRoot ?? process.env.MONOREPO_MAIN_ROOT?.trim() ?? resolveMonorepoRoot(projectRoot);
+  const validatorCtx = {
+    taskId,
+    workspaceRoot,
+    scope: resolvedContext?.scopes ?? (stringArray(taskConfig[taskId]?.scope).length > 0 ? stringArray(taskConfig[taskId]?.scope) : sourceValidation.scope),
+    monorepoRoot,
+    artifactsDir: artifactDir,
+    taskConfig: sourceValidation.taskConfig ?? taskConfig[taskId] ?? undefined
+  };
+  const valDescriptions = resolvedContext ? {} : options.validationDescriptions ?? (() => {
+    try {
+      return readValidationDescriptions(projectRoot);
+    } catch {
+      return {};
+    }
+  })();
+  const categories = [];
+  let passed = 0;
+  let failed = 0;
+  for (const cmd of commands) {
+    const startedAt = Date.now();
+    if (!isCheckId(cmd)) {
+      failed += 1;
+      categories.push({
+        category: cmd,
+        status: "fail",
+        exit_code: 2,
+        duration_seconds: 0
+      });
+      const logFile2 = resolve19(taskLogDir, `invalid-entry-validation.log`);
+      mkdirSync8(taskLogDir, { recursive: true });
+      writeFileSync8(logFile2, `=== ${nowIso()} :: ${cmd} ===
+Invalid validation entry: not a check-ID. All entries must use format "category:check-name".
+`, "utf-8");
+      continue;
+    }
+    const { result, exitCode } = await dispatchValidator(cmd, effectiveRegistry, validatorCtx, (id) => runValidatorBinary(projectRoot, taskId, id, resolvedContext));
+    const durationSeconds = Math.max(0, Math.round((Date.now() - startedAt) / 1000));
+    const logFile = resolve19(taskLogDir, `${cmd.replace(":", "-")}-validation.log`);
+    mkdirSync8(taskLogDir, { recursive: true });
+    writeFileSync8(logFile, `=== ${nowIso()} :: ${cmd} ===
+${JSON.stringify(result, null, 2)}
+`, "utf-8");
+    if (result.passed) {
+      passed += 1;
+      categories.push({ category: cmd, status: "pass", duration_seconds: durationSeconds });
+    } else {
+      failed += 1;
+      categories.push({ category: cmd, status: "fail", exit_code: exitCode, duration_seconds: durationSeconds });
+      const desc = valDescriptions[cmd];
+      if (desc) {
+        console.log(`  What this checks (${cmd}): ${desc}`);
+      }
+    }
+  }
+  const summary = {
+    status: failed === 0 ? "pass" : "fail",
+    total: commands.length,
+    passed,
+    failed,
+    categories
+  };
+  mkdirSync8(artifactDir, { recursive: true });
+  writeFileSync8(resolve19(artifactDir, "validation-summary.json"), `${JSON.stringify(summary, null, 2)}
+`, "utf-8");
+  return summary;
+}
+
+// packages/runtime/src/control-plane/native/verifier.ts
+import { existsSync as existsSync18, mkdirSync as mkdirSync10, writeFileSync as writeFileSync10 } from "fs";
+import { resolve as resolve21 } from "path";
+
+// packages/runtime/src/control-plane/native/pr-review-gate.ts
+import { mkdirSync as mkdirSync9, writeFileSync as writeFileSync9 } from "fs";
+import { resolve as resolve20 } from "path";
+function parseJsonObject(value) {
+  if (!value?.trim())
+    return { value: {}, error: "empty JSON output" };
+  try {
+    const parsed = JSON.parse(value);
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? { value: parsed } : { value: {}, error: "JSON output was not an object" };
+  } catch (error) {
+    return { value: {}, error: error instanceof Error ? error.message : String(error) };
+  }
+}
+function flattenPaginatedArray(value) {
+  if (!Array.isArray(value))
+    return null;
+  if (value.every((entry) => Array.isArray(entry))) {
+    return value.flatMap((entry) => entry);
+  }
+  return value;
+}
+function parseConcatenatedJsonValues(value) {
+  const text = value.trim();
+  const docs = [];
+  let start = null;
+  let depth = 0;
+  let inString = false;
+  let escape = false;
+  for (let index = 0;index < text.length; index += 1) {
+    const char = text[index];
+    if (start === null) {
+      if (/\s/.test(char))
+        continue;
+      start = index;
+    }
+    if (inString) {
+      if (escape) {
+        escape = false;
+      } else if (char === "\\") {
+        escape = true;
+      } else if (char === '"') {
+        inString = false;
+      }
+      continue;
+    }
+    if (char === '"') {
+      inString = true;
+      continue;
+    }
+    if (char === "{" || char === "[") {
+      depth += 1;
+      continue;
+    }
+    if (char === "}" || char === "]") {
+      depth -= 1;
+      if (depth < 0)
+        return { value: docs, error: "unexpected JSON close delimiter" };
+      if (depth === 0 && start !== null) {
+        const segment = text.slice(start, index + 1);
+        try {
+          docs.push(JSON.parse(segment));
+        } catch (error) {
+          return { value: docs, error: error instanceof Error ? error.message : String(error) };
+        }
+        start = null;
+      }
+    }
+  }
+  if (inString || depth !== 0 || start !== null)
+    return { value: docs, error: "incomplete JSON stream" };
+  return { value: docs };
+}
+function parseJsonArray(value) {
+  if (!value?.trim())
+    return { value: [], error: "empty JSON output" };
+  try {
+    const parsed = JSON.parse(value);
+    const flattened = flattenPaginatedArray(parsed);
+    return flattened ? { value: flattened } : { value: [], error: "JSON output was not an array" };
+  } catch (error) {
+    const streamed = parseConcatenatedJsonValues(value);
+    if (streamed.error)
+      return { value: [], error: error instanceof Error ? error.message : String(error) };
+    const flattened = streamed.value.flatMap((entry) => flattenPaginatedArray(entry) ?? []);
+    return flattened.length > 0 || streamed.value.length === 0 ? { value: flattened } : { value: [], error: "JSON output was not an array" };
+  }
+}
+function parseGithubPrUrl(prUrl) {
+  const match = /^https?:\/\/github\.com\/([^/]+)\/([^/]+)\/pull\/(\d+)\/?$/i.exec(prUrl.trim());
+  if (!match)
+    return null;
+  const prNumber = Number.parseInt(match[3], 10);
+  if (!Number.isFinite(prNumber))
+    return null;
+  return { owner: match[1], repo: match[2], repoName: `${match[1]}/${match[2]}`, prNumber };
+}
+function checkName(check) {
+  return String(check.name ?? check.context ?? "").trim();
+}
+function checkState(check) {
+  return String(check.conclusion ?? check.state ?? check.status ?? "").trim().toLowerCase();
+}
+function isGreptileLabel(value) {
+  return String(value ?? "").toLowerCase().includes("greptile");
+}
+function isGreptileGithubLogin(value) {
+  const login = String(value ?? "").toLowerCase().replace(/\[bot\]$/, "");
+  return login === "greptile" || login === "greptile-ai" || login === "greptileai" || login === "greptile-apps";
+}
+function isPassingCheck(check) {
+  const state = checkState(check);
+  return ["success", "successful", "passed", "neutral", "skipped", "completed"].includes(state);
+}
+function isPendingCheck(check) {
+  const state = checkState(check);
+  return ["pending", "queued", "in_progress", "waiting", "requested", "expected", "action_required"].includes(state);
+}
+function isFailingCheck(check) {
+  const state = checkState(check);
+  return ["failure", "failed", "timed_out", "action_required", "cancelled", "canceled", "error"].includes(state);
+}
+function wildcardToRegExp(pattern) {
+  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+  return new RegExp(`^${escaped}$`, "i");
+}
+function isAllowedFailure(name, allowedFailures) {
+  return allowedFailures.some((pattern) => wildcardToRegExp(pattern).test(name));
+}
+function greptileScorePatterns() {
+  return [
+    /\b(?:confidence\s+score|confidence|rating|score)\s*:?\s*(\d+)\s*\/\s*(\d+)/gi,
+    /\b(\d+)\s*\/\s*(\d+)\s*(?:confidence|rating|score)/gi,
+    /\bgreptile[^\n]{0,80}?(\d+)\s*\/\s*(\d+)/gi
+  ];
+}
+function parseGreptileScores(input) {
+  const text = stripHtml(input);
+  const seen = new Set;
+  const scores = [];
+  for (const pattern of greptileScorePatterns()) {
+    for (const match of text.matchAll(pattern)) {
+      const value = Number.parseInt(match[1] || "", 10);
+      const scale = Number.parseInt(match[2] || "", 10);
+      if (!Number.isFinite(value) || !Number.isFinite(scale) || scale <= 0)
+        continue;
+      const raw = match[0] || `${value}/${scale}`;
+      const key = `${match.index ?? -1}:${value}/${scale}:${raw.toLowerCase()}`;
+      if (seen.has(key))
+        continue;
+      seen.add(key);
+      scores.push({ value, scale, raw });
+    }
+  }
+  return scores;
+}
+function parseGreptileScore(input) {
+  return parseGreptileScores(input)[0] ?? null;
+}
+function stripHtml(input) {
+  return input.replace(/<[^>]+>/g, " ").replace(/&nbsp;/g, " ").replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/\r/g, "").replace(/\n{3,}/g, `
+
+`).trim();
+}
+function containsBlockerText(input) {
+  const text = stripHtml(input).replace(/\b(?:no|without|zero)\s+blockers?\b/gi, " ").replace(/\bno\s+changes\s+requested\b/gi, " ");
+  return /not safe(?: to merge)?|unsafe(?: to merge)?|do not merge|cannot merge|blockers?|must fix|changes requested|please fix|needs? fix|fix this|address this|\breject(?:ed|ion)?\b|\bskip(?:ped)?\b|status\s*:\s*(?:reject(?:ed)?|skip(?:ped)?|failed)/i.test(text);
+}
+function isStrictFiveOfFive(score) {
+  return score.value === 5 && score.scale === 5;
+}
+function containsConflictingScoreText(input) {
+  return parseGreptileScores(input).some((score) => !isStrictFiveOfFive(score));
+}
+function extractGreptileCommentBlock(input) {
+  const match = input.match(/<!--\s*greptile_comment\s*-->([\s\S]*?)<!--\s*\/greptile_comment\s*-->/i);
+  return match?.[1]?.trim() ?? null;
+}
+function extractGreptileBodyReviewedSha(input) {
+  const block = extractGreptileCommentBlock(input);
+  if (!block)
+    return null;
+  const commitLink = block.match(/\/commit\/([0-9a-f]{40})(?:\b|[^0-9a-f])/i);
+  return commitLink?.[1]?.toLowerCase() ?? null;
+}
+function isoAtOrAfter(value, floor) {
+  if (!value || !floor)
+    return false;
+  const valueMs = Date.parse(value);
+  const floorMs = Date.parse(floor);
+  return Number.isFinite(valueMs) && Number.isFinite(floorMs) && valueMs >= floorMs;
+}
+function greptileStatusVerdict(status) {
+  const normalized = String(status ?? "").trim().toUpperCase().replace(/[\s-]+/g, "_");
+  if (!normalized)
+    return null;
+  if (["APPROVE", "APPROVED"].includes(normalized))
+    return "approved";
+  if (["REJECT", "REJECTED", "CHANGES_REQUESTED", "CHANGE_REQUESTED"].includes(normalized))
+    return "rejected";
+  if (["SKIP", "SKIPPED"].includes(normalized))
+    return "skipped";
+  if (["FAIL", "FAILED", "FAILURE", "ERROR"].includes(normalized))
+    return "failed";
+  if (["PENDING", "QUEUED", "IN_PROGRESS", "RUNNING", "STARTED", "REQUESTED", "REVIEWING_FILES", "GENERATING_SUMMARY"].includes(normalized))
+    return "pending";
+  if (["COMPLETE", "COMPLETED"].includes(normalized))
+    return "completed";
+  return null;
+}
+function isBlockingGreptileVerdict(verdict) {
+  return verdict === "rejected" || verdict === "skipped" || verdict === "failed";
+}
+function greptileRequestTimeoutMs(env) {
+  const fallback = 30000;
+  const parsed = Number.parseInt(env.GREPTILE_REQUEST_TIMEOUT_MS || `${fallback}`, 10);
+  return Number.isFinite(parsed) && parsed >= 1000 ? parsed : fallback;
+}
+function normalizeGreptileMcpCodeReview(entry, fallbackId) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  const id = typeof record.id === "string" ? record.id.trim() : fallbackId?.trim() ?? "";
+  if (!id)
+    return null;
+  const metadataRecord = record.metadata && typeof record.metadata === "object" && !Array.isArray(record.metadata) ? record.metadata : null;
+  return {
+    id,
+    status: typeof record.status === "string" ? record.status : null,
+    createdAt: typeof record.createdAt === "string" ? record.createdAt : null,
+    body: typeof record.body === "string" ? record.body : null,
+    metadata: metadataRecord ? { checkHeadSha: typeof metadataRecord.checkHeadSha === "string" ? metadataRecord.checkHeadSha : null } : null
+  };
+}
+function uniqueGreptileCodeReviews(reviews) {
+  const seen = new Set;
+  const unique2 = [];
+  for (const review of reviews) {
+    if (seen.has(review.id))
+      continue;
+    seen.add(review.id);
+    unique2.push(review);
+  }
+  return unique2;
+}
+function selectGreptileApiReviewsForGate(reviews, headSha) {
+  const sorted = [...reviews].sort((left, right) => Date.parse(right.createdAt ?? "") - Date.parse(left.createdAt ?? ""));
+  const current = headSha ? sorted.filter((review) => review.metadata?.checkHeadSha === headSha) : [];
+  const untied = sorted.filter((review) => !review.metadata?.checkHeadSha);
+  const latest = sorted.slice(0, 1);
+  return uniqueGreptileCodeReviews([...current, ...untied, ...latest]);
+}
+function greptileApiSignalFromCodeReview(review, details) {
+  const selected = details ?? review;
+  return {
+    id: selected.id || review.id,
+    body: selected.body ?? review.body ?? null,
+    reviewedSha: selected.metadata?.checkHeadSha ?? review.metadata?.checkHeadSha ?? null,
+    status: selected.status ?? review.status ?? null
+  };
+}
+async function callGreptileMcpToolForGate(input) {
+  const controller = new AbortController;
+  const timeoutId = setTimeout(() => {
+    controller.abort(new Error(`Greptile MCP tool ${input.name} timed out after ${input.timeoutMs}ms.`));
+  }, input.timeoutMs);
+  let response;
+  try {
+    response = await input.fetchFn(input.apiBase, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${input.apiKey}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        jsonrpc: "2.0",
+        id: `rig-strict-gate-${input.name}-${Date.now()}`,
+        method: "tools/call",
+        params: { name: input.name, arguments: input.args }
+      }),
+      signal: controller.signal
+    });
+  } catch (error) {
+    if (controller.signal.aborted) {
+      throw controller.signal.reason instanceof Error ? controller.signal.reason : new Error(`Greptile MCP tool ${input.name} timed out after ${input.timeoutMs}ms.`);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+  const raw = await response.text();
+  if (!response.ok) {
+    throw new Error(`HTTP ${response.status}: ${raw}`);
+  }
+  let envelope;
+  try {
+    envelope = JSON.parse(raw);
+  } catch {
+    throw new Error(`Malformed MCP response: ${raw}`);
+  }
+  if (envelope.error?.message) {
+    throw new Error(envelope.error.message);
+  }
+  const text = (envelope.result?.content ?? []).filter((item) => item.type === "text" && typeof item.text === "string").map((item) => item.text ?? "").join(`
+`).trim();
+  if (!text) {
+    throw new Error(`MCP tool ${input.name} returned no text payload.`);
+  }
+  return text;
+}
+async function callGreptileMcpToolJsonForGate(input) {
+  const text = await callGreptileMcpToolForGate(input);
+  try {
+    return JSON.parse(text);
+  } catch {
+    throw new Error(`MCP tool ${input.name} returned malformed JSON: ${text}`);
+  }
+}
+async function collectConfiguredGreptileApiSignals(input) {
+  if (!input.enabled || input.options?.enabled === false) {
+    return { signals: [], errors: [] };
+  }
+  const env = input.options?.env ?? process.env;
+  const secrets = resolveRuntimeSecrets(env);
+  const apiKey = secrets.GREPTILE_API_KEY?.trim() ?? "";
+  if (!apiKey) {
+    return { signals: [], errors: [] };
+  }
+  const fetchFn = input.options?.fetch ?? globalThis.fetch;
+  if (typeof fetchFn !== "function") {
+    return { signals: [], errors: ["Greptile API/MCP evidence read failed: fetch is not available."] };
+  }
+  const apiBase = secrets.GREPTILE_API_BASE?.trim() || "https://api.greptile.com/mcp";
+  const remote = secrets.GREPTILE_REMOTE?.trim() || "github";
+  const repository = secrets.GREPTILE_REPOSITORY?.trim() || input.repoName;
+  const defaultBranch = secrets.GREPTILE_DEFAULT_BRANCH?.trim() || input.baseRefName?.trim() || "main";
+  const timeoutMs = greptileRequestTimeoutMs(env);
+  try {
+    const listPayload = await callGreptileMcpToolJsonForGate({
+      apiBase,
+      apiKey,
+      name: "list_code_reviews",
+      args: {
+        name: repository,
+        remote,
+        defaultBranch,
+        prNumber: input.prNumber,
+        limit: 20
+      },
+      timeoutMs,
+      fetchFn
+    });
+    const reviews = (listPayload.codeReviews ?? []).map((entry) => normalizeGreptileMcpCodeReview(entry)).filter((review) => !!review);
+    const selectedReviews = selectGreptileApiReviewsForGate(reviews, input.headSha);
+    const signals = [];
+    for (const review of selectedReviews) {
+      const detailsPayload = await callGreptileMcpToolJsonForGate({
+        apiBase,
+        apiKey,
+        name: "get_code_review",
+        args: { codeReviewId: review.id },
+        timeoutMs,
+        fetchFn
+      });
+      const details = normalizeGreptileMcpCodeReview(detailsPayload.codeReview, review.id) ?? review;
+      signals.push(greptileApiSignalFromCodeReview(review, details));
+    }
+    return { signals, errors: [] };
+  } catch (error) {
+    return {
+      signals: [],
+      errors: [`Greptile API/MCP evidence read failed: ${error instanceof Error ? error.message : String(error)}`]
+    };
+  }
+}
+function firstString(record, keys) {
+  for (const key of keys) {
+    const value = record[key];
+    if (typeof value === "string")
+      return value;
+  }
+  return "";
+}
+function arrayField(record, key) {
+  const value = record[key];
+  return Array.isArray(value) ? value : [];
+}
+async function runJsonArray(command, args, cwd) {
+  const result = await command(args, { cwd });
+  const label = `gh ${args.join(" ")}`;
+  if (result.exitCode !== 0) {
+    return { value: [], error: `${label} failed (${result.exitCode}): ${result.stderr ?? result.stdout ?? ""}`.trim() };
+  }
+  const parsed = parseJsonArray(result.stdout);
+  return parsed.error ? { value: parsed.value, error: `${label} returned invalid JSON: ${parsed.error}` } : { value: parsed.value };
+}
+async function runJsonObject(command, args, cwd) {
+  const result = await command(args, { cwd });
+  const label = `gh ${args.join(" ")}`;
+  if (result.exitCode !== 0) {
+    return { value: {}, error: `${label} failed (${result.exitCode}): ${result.stderr ?? result.stdout ?? ""}`.trim() };
+  }
+  const parsed = parseJsonObject(result.stdout);
+  return parsed.error ? { value: parsed.value, error: `${label} returned invalid JSON: ${parsed.error}` } : { value: parsed.value };
+}
+function normalizeStatusCheck(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  const name = firstString(record, ["name", "context"]);
+  if (!name.trim())
+    return null;
+  const output = record.output && typeof record.output === "object" && !Array.isArray(record.output) ? record.output : null;
+  const app = record.app && typeof record.app === "object" && !Array.isArray(record.app) ? record.app : null;
+  return {
+    __typename: typeof record.__typename === "string" ? record.__typename : null,
+    name,
+    context: typeof record.context === "string" ? record.context : null,
+    status: typeof record.status === "string" ? record.status : null,
+    state: typeof record.state === "string" ? record.state : null,
+    conclusion: typeof record.conclusion === "string" ? record.conclusion : null,
+    detailsUrl: typeof record.detailsUrl === "string" ? record.detailsUrl : typeof record.details_url === "string" ? record.details_url : typeof record.html_url === "string" ? record.html_url : typeof record.link === "string" ? record.link : null,
+    link: typeof record.link === "string" ? record.link : typeof record.html_url === "string" ? record.html_url : null,
+    headSha: typeof record.headSha === "string" ? record.headSha : null,
+    head_sha: typeof record.head_sha === "string" ? record.head_sha : null,
+    output: output ? {
+      title: typeof output.title === "string" ? output.title : null,
+      summary: typeof output.summary === "string" ? output.summary : null,
+      text: typeof output.text === "string" ? output.text : null
+    } : null,
+    app: app ? {
+      slug: typeof app.slug === "string" ? app.slug : null,
+      name: typeof app.name === "string" ? app.name : null,
+      owner: app.owner && typeof app.owner === "object" ? app.owner : null
+    } : null
+  };
+}
+function normalizeReview(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  return {
+    id: typeof record.id === "string" ? record.id : typeof record.id === "number" ? String(record.id) : null,
+    state: typeof record.state === "string" ? record.state : null,
+    body: typeof record.body === "string" ? record.body : null,
+    commit_id: typeof record.commit_id === "string" ? record.commit_id : typeof record.commitId === "string" ? record.commitId : record.commit && typeof record.commit === "object" && typeof record.commit.oid === "string" ? record.commit.oid : null,
+    html_url: typeof record.html_url === "string" ? record.html_url : typeof record.url === "string" ? record.url : null,
+    author: record.author && typeof record.author === "object" ? record.author : record.user && typeof record.user === "object" ? record.user : null
+  };
+}
+function normalizeReviewComment(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  const body = typeof record.body === "string" ? record.body : null;
+  const path = typeof record.path === "string" ? record.path : null;
+  if (!body && !path)
+    return null;
+  return {
+    id: typeof record.id === "string" || typeof record.id === "number" ? record.id : null,
+    user: record.user && typeof record.user === "object" ? record.user : null,
+    author: record.author && typeof record.author === "object" ? record.author : null,
+    body,
+    path,
+    html_url: typeof record.html_url === "string" ? record.html_url : null,
+    url: typeof record.url === "string" ? record.url : null,
+    commit_id: typeof record.commit_id === "string" ? record.commit_id : null,
+    original_commit_id: typeof record.original_commit_id === "string" ? record.original_commit_id : null
+  };
+}
+function normalizeIssueComment(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  const body = typeof record.body === "string" ? record.body : null;
+  if (!body)
+    return null;
+  return {
+    id: typeof record.id === "string" || typeof record.id === "number" ? record.id : null,
+    user: record.user && typeof record.user === "object" ? record.user : null,
+    author: record.author && typeof record.author === "object" ? record.author : null,
+    body,
+    html_url: typeof record.html_url === "string" ? record.html_url : null,
+    url: typeof record.url === "string" ? record.url : null,
+    created_at: typeof record.created_at === "string" ? record.created_at : null
+  };
+}
+function normalizeReviewThread(entry) {
+  if (!entry || typeof entry !== "object" || Array.isArray(entry))
+    return null;
+  const record = entry;
+  return {
+    id: typeof record.id === "string" ? record.id : null,
+    isResolved: typeof record.isResolved === "boolean" ? record.isResolved : null,
+    isOutdated: typeof record.isOutdated === "boolean" ? record.isOutdated : null,
+    comments: record.comments && typeof record.comments === "object" ? record.comments : null
+  };
+}
+function relevantIssueComment(comment) {
+  const login = comment.user?.login ?? comment.author?.login ?? "";
+  const body = comment.body ?? "";
+  return isGreptileGithubLogin(login) || containsBlockerText(body) || /greptile|score|confidence|\b\d+\s*\/\s*5\b/i.test(body);
+}
+function latestThreadComment(thread) {
+  const nodes = thread.comments?.nodes ?? [];
+  return nodes.length > 0 ? nodes[nodes.length - 1] : null;
+}
+function unresolvedThreadSummaries(threads) {
+  return threads.flatMap((thread) => {
+    if (thread.isResolved === true || thread.isOutdated === true)
+      return [];
+    const latest = latestThreadComment(thread);
+    if (!latest)
+      return ["Unresolved review thread"];
+    const path = latest.path ? ` on ${latest.path}` : "";
+    return [`Unresolved review thread${path}: ${(latest.body ?? "").trim() || "(empty comment)"}`];
+  });
+}
+function collectBodies(evidence) {
+  return [
+    evidence.title ?? "",
+    evidence.body,
+    ...evidence.reviews.map((review) => review.body ?? ""),
+    ...evidence.changedFileReviewComments.map((comment) => comment.body ?? ""),
+    ...evidence.relevantIssueComments.map((comment) => comment.body ?? ""),
+    ...evidence.reviewThreads.flatMap((thread) => thread.comments?.nodes?.map((comment) => comment.body ?? "") ?? []),
+    ...(evidence.apiSignals ?? []).map((signal) => signal.body ?? "")
+  ].filter((body) => body.trim().length > 0);
+}
+function bodyExcerpt(body) {
+  const text = stripHtml(body).replace(/\s+/g, " ").trim();
+  return text.length > 240 ? `${text.slice(0, 237)}...` : text;
+}
+function makeGreptileSignal(input) {
+  const scores = parseGreptileScores(input.body);
+  const reviewedSha = input.reviewedSha?.trim() || null;
+  const current = reviewedSha ? reviewedSha === input.currentHeadSha : null;
+  const verdict = input.verdict ?? null;
+  const blocker = input.blocker ?? (isBlockingGreptileVerdict(verdict) || containsBlockerText(input.body));
+  const explicitApproval = input.explicitApproval ?? false;
+  return {
+    source: input.source,
+    trusted: input.trusted,
+    authorLogin: input.authorLogin ?? null,
+    reviewedSha,
+    current,
+    stale: current === false,
+    score: scores[0] ?? null,
+    scores,
+    explicitApproval,
+    verdict,
+    blocker,
+    actionable: input.actionable ?? blocker,
+    bodyExcerpt: bodyExcerpt(input.body),
+    body: input.body,
+    allScores: scores
+  };
+}
+function reviewAuthorLogin(review) {
+  return review.author?.login ?? null;
+}
+function commentAuthorLogin(comment) {
+  return comment.user?.login ?? comment.author?.login ?? null;
+}
+function collectGreptileSignals(evidence) {
+  const signals = [];
+  const greptileBodyReviewedSha = extractGreptileBodyReviewedSha(evidence.body);
+  const trustedGreptileBody = Boolean(greptileBodyReviewedSha && isGreptileGithubLogin(evidence.bodyEditorLogin) && isoAtOrAfter(evidence.bodyLastEditedAt, evidence.headCommittedDate));
+  const contextSources = [
+    { source: "pr-title", body: evidence.title ?? "" },
+    {
+      source: "pr-body",
+      body: evidence.body,
+      trusted: trustedGreptileBody,
+      authorLogin: trustedGreptileBody ? evidence.bodyEditorLogin ?? null : null,
+      reviewedSha: greptileBodyReviewedSha,
+      verdict: trustedGreptileBody ? "completed" : null
+    }
+  ];
+  for (const context of contextSources) {
+    if (!context.body.trim())
+      continue;
+    const contextBlocker = containsBlockerText(context.body);
+    if (!contextBlocker && !/greptile|score|confidence|\b\d+\s*\/\s*5\b/i.test(context.body))
+      continue;
+    signals.push(makeGreptileSignal({
+      source: context.source,
+      body: context.body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: context.trusted === true,
+      authorLogin: context.authorLogin,
+      reviewedSha: context.reviewedSha,
+      verdict: context.verdict,
+      blocker: contextBlocker,
+      actionable: contextBlocker
+    }));
+  }
+  for (const apiSignal of evidence.apiSignals ?? []) {
+    const body = [apiSignal.status ? `Status: ${apiSignal.status}` : "", apiSignal.body ?? ""].filter(Boolean).join(`
+
+`) || "Status: UNKNOWN";
+    const verdict = greptileStatusVerdict(apiSignal.status);
+    signals.push(makeGreptileSignal({
+      source: "api",
+      body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: true,
+      reviewedSha: apiSignal.reviewedSha ?? null,
+      explicitApproval: verdict === "approved",
+      verdict
+    }));
+  }
+  for (const review of evidence.reviews) {
+    const login = reviewAuthorLogin(review);
+    if (!isGreptileGithubLogin(login))
+      continue;
+    const state = String(review.state ?? "").toUpperCase();
+    const body = [state ? `Review state: ${state}` : "", review.body ?? ""].filter(Boolean).join(`
+
+`);
+    if (!body.trim())
+      continue;
+    const dismissed = state === "DISMISSED";
+    signals.push(makeGreptileSignal({
+      source: "github-review",
+      body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: !dismissed,
+      authorLogin: login,
+      reviewedSha: review.commit_id ?? null,
+      explicitApproval: undefined,
+      blocker: state === "CHANGES_REQUESTED" || undefined
+    }));
+  }
+  for (const comment of evidence.relevantIssueComments) {
+    const login = commentAuthorLogin(comment);
+    const body = comment.body ?? "";
+    if (!body.trim() || !isGreptileGithubLogin(login))
+      continue;
+    signals.push(makeGreptileSignal({
+      source: "issue-comment",
+      body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: true,
+      authorLogin: login
+    }));
+  }
+  for (const thread of evidence.reviewThreads) {
+    if (thread.isOutdated === true || thread.isResolved === true)
+      continue;
+    for (const comment of thread.comments?.nodes ?? []) {
+      const login = comment.author?.login ?? null;
+      const body = comment.body ?? "";
+      if (!body.trim() || !isGreptileGithubLogin(login))
+        continue;
+      signals.push(makeGreptileSignal({
+        source: "review-thread",
+        body,
+        currentHeadSha: evidence.currentHeadSha,
+        trusted: true,
+        authorLogin: login
+      }));
+    }
+  }
+  for (const check of evidence.checks) {
+    if (!isGreptileLabel(checkName(check)))
+      continue;
+    const reviewedSha = check.headSha ?? check.head_sha ?? null;
+    const label = `${checkName(check)} (${checkState(check) || "unknown"})`;
+    const body = [label, check.output?.title ?? "", check.output?.summary ?? "", check.output?.text ?? ""].filter((entry) => entry.trim().length > 0).join(`
+
+`);
+    signals.push(makeGreptileSignal({
+      source: "github-check",
+      body,
+      currentHeadSha: evidence.currentHeadSha,
+      trusted: false,
+      reviewedSha,
+      explicitApproval: false,
+      blocker: isFailingCheck(check),
+      actionable: isFailingCheck(check)
+    }));
+  }
+  return signals;
+}
+function unresolvedGreptileThreadSummaries(threads) {
+  return threads.flatMap((thread) => {
+    if (thread.isResolved === true || thread.isOutdated === true)
+      return [];
+    const comments = thread.comments?.nodes ?? [];
+    if (!comments.some((comment) => isGreptileGithubLogin(comment.author?.login)))
+      return [];
+    const latest = latestThreadComment(thread);
+    if (!latest)
+      return ["Unresolved Greptile review thread"];
+    const path = latest.path ? ` on ${latest.path}` : "";
+    return [`Unresolved Greptile review thread${path}: ${(latest.body ?? "").trim() || "(empty comment)"}`];
+  });
+}
+function actionableChangedFileCommentSummaries(_comments) {
+  return [];
+}
+function issueLevelBlockerSummaries(comments) {
+  return comments.flatMap((comment) => {
+    const body = comment.body?.trim() ?? "";
+    if (!body || !containsBlockerText(body) && !containsConflictingScoreText(body))
+      return [];
+    const login = commentAuthorLogin(comment) ?? "unknown";
+    const author = isGreptileGithubLogin(login) ? `Greptile issue comment by ${login}` : `Issue-level PR comment by ${login}`;
+    return [`${author}: ${body}`];
+  });
+}
+function reviewBodyBlockerSummaries(reviews) {
+  return reviews.flatMap((review) => {
+    const login = reviewAuthorLogin(review) ?? "unknown";
+    if (isGreptileGithubLogin(login))
+      return [];
+    const body = review.body?.trim() ?? "";
+    if (!body || !containsBlockerText(body) && !containsConflictingScoreText(body))
+      return [];
+    const state = review.state ? ` (${review.state})` : "";
+    return [`PR review summary by ${login}${state}: ${body}`];
+  });
+}
+function signalLabel(signal) {
+  const source = signal.source.replace(/-/g, " ");
+  const author = signal.authorLogin ? ` by ${signal.authorLogin}` : "";
+  const sha = signal.reviewedSha ? ` at ${signal.reviewedSha}` : "";
+  return `${source}${author}${sha}`;
+}
+function deriveGreptileEvidence(input) {
+  const rawBodies = collectBodies(input);
+  const signals = collectGreptileSignals(input);
+  const trustedSignals = signals.filter((signal) => signal.trusted);
+  const trustedScoreEntries = trustedSignals.flatMap((signal) => signal.allScores.map((score2) => ({ score: score2, signal })));
+  const contextScoreEntries = signals.filter((signal) => !signal.trusted).flatMap((signal) => signal.allScores.map((score2) => ({ score: score2, signal })));
+  const allScoreEntries = [...trustedScoreEntries, ...contextScoreEntries];
+  const staleSignals = signals.filter((signal) => !!signal.reviewedSha && signal.reviewedSha !== input.currentHeadSha && (signal.trusted || signal.source === "github-check"));
+  const isCurrentOrUntied = (signal) => !signal.reviewedSha || signal.reviewedSha === input.currentHeadSha;
+  const currentOrUntiedScoreEntries = allScoreEntries.filter((entry) => isCurrentOrUntied(entry.signal));
+  const lowScoreEntries = currentOrUntiedScoreEntries.filter((entry) => !isStrictFiveOfFive(entry.score));
+  const currentPendingApiSignals = trustedSignals.filter((signal) => signal.source === "api" && signal.verdict === "pending" && isCurrentOrUntied(signal));
+  const signalCanApproveByScore = (signal) => {
+    if (signal.source === "api")
+      return signal.verdict === "approved" || signal.verdict === "completed";
+    return signal.verdict !== "pending" && !isBlockingGreptileVerdict(signal.verdict);
+  };
+  const approvingScoreEntry = trustedScoreEntries.find((entry) => entry.signal.reviewedSha === input.currentHeadSha && entry.signal.source !== "github-check" && signalCanApproveByScore(entry.signal) && isStrictFiveOfFive(entry.score)) ?? null;
+  const approvingExplicitSignal = trustedSignals.find((signal) => signal.source === "api" && signal.reviewedSha === input.currentHeadSha && signal.explicitApproval === true && !signal.blocker) ?? null;
+  const approvedByScore = !!approvingScoreEntry;
+  const approvedByExplicitMapping = !!approvingExplicitSignal;
+  const approvingSignal = approvingScoreEntry?.signal ?? approvingExplicitSignal;
+  const lowestScore = lowScoreEntries.map((entry) => entry.score).sort((left, right) => left.value - right.value)[0] ?? null;
+  const score = lowestScore ?? approvingScoreEntry?.score ?? trustedScoreEntries[0]?.score ?? contextScoreEntries[0]?.score ?? null;
+  const failedGreptileChecks = input.checks.filter((check) => isGreptileLabel(checkName(check)) && isFailingCheck(check)).map((check) => `${checkName(check)} (${checkState(check) || "failed"})`);
+  const blockerSignals = signals.filter((signal) => (signal.blocker || signal.actionable) && (!signal.reviewedSha || signal.reviewedSha === input.currentHeadSha));
+  const staleBlockingSignals = [];
+  const blockers = [
+    ...blockerSignals.map((signal) => `${signalLabel(signal)}: ${signal.bodyExcerpt || "blocker text"}`),
+    ...reviewBodyBlockerSummaries(input.reviews),
+    ...issueLevelBlockerSummaries(input.relevantIssueComments),
+    ...lowScoreEntries.map((entry) => `Greptile score from ${signalLabel(entry.signal)} is ${entry.score.value}/${entry.score.scale}; strict merge requires trusted current-head 5/5.`),
+    ...staleBlockingSignals.map((signal) => `Greptile blocking signal from ${signalLabel(signal)} is stale; current PR head is ${input.currentHeadSha || "unknown"}.`),
+    ...failedGreptileChecks.map((entry) => `Greptile check failed: ${entry}`)
+  ];
+  const unresolvedComments = [
+    ...unresolvedGreptileThreadSummaries(input.reviewThreads),
+    ...actionableChangedFileCommentSummaries(input.changedFileReviewComments)
+  ];
+  const greptileChecks = input.checks.filter((check) => isGreptileLabel(checkName(check)));
+  const greptileReviews = input.reviews.filter((review) => isGreptileGithubLogin(review.author?.login));
+  const completedGreptileCheck = greptileChecks.some((check) => {
+    const reviewedSha2 = check.headSha ?? check.head_sha ?? null;
+    return reviewedSha2 === input.currentHeadSha && (isPassingCheck(check) || isFailingCheck(check));
+  });
+  const completedGreptileReview = greptileReviews.some((review) => {
+    const state = String(review.state ?? "").toUpperCase();
+    const completedState = ["APPROVED", "COMMENTED", "CHANGES_REQUESTED"].includes(state) || !!review.body?.trim();
+    return completedState && review.commit_id === input.currentHeadSha;
+  });
+  const completedGreptileApi = trustedSignals.some((signal) => signal.source === "api" && signal.reviewedSha === input.currentHeadSha && (signal.verdict === "approved" || signal.verdict === "rejected" || signal.verdict === "skipped" || signal.verdict === "failed" || signal.verdict === "completed"));
+  const approvalReviewedSha = approvingSignal?.reviewedSha ?? null;
+  const reviewedSha = approvalReviewedSha ?? staleSignals[0]?.reviewedSha ?? trustedSignals.map((signal) => signal.reviewedSha ?? null).find(Boolean) ?? null;
+  const fresh = !!approvalReviewedSha && approvalReviewedSha === input.currentHeadSha;
+  const completed = completedGreptileCheck || completedGreptileReview || completedGreptileApi || !!approvingSignal;
+  const hasGreptileEvidence = trustedSignals.length > 0 || signals.some((signal) => /greptile/i.test(signal.body));
+  const approved = fresh && completed && !blockers.length && !unresolvedComments.length && currentPendingApiSignals.length === 0 && (approvedByScore || approvedByExplicitMapping);
+  const mapping = !hasGreptileEvidence ? "missing" : staleSignals.length > 0 && !approvingSignal ? "stale" : approvedByScore ? "score-5-of-5" : approvedByExplicitMapping ? "explicit-approved" : "unproven";
+  const source = approvingSignal?.source === "api" ? "api" : approvingSignal?.source === "github-review" ? "github-review" : approvingSignal?.source === "pr-body" || approvingSignal?.source === "pr-title" ? "pr-body" : approvingSignal?.source === "changed-file-comment" || approvingSignal?.source === "issue-comment" || approvingSignal?.source === "review-thread" ? "github-comment" : greptileReviews.length > 0 && greptileChecks.length > 0 ? "combined" : greptileReviews.length > 0 ? "github-review" : greptileChecks.length > 0 ? "github-check" : signals.some((signal) => signal.source === "pr-body" || signal.source === "pr-title") ? "pr-body" : "missing";
+  return {
+    source,
+    currentHeadSha: input.currentHeadSha,
+    reviewedSha,
+    fresh,
+    completed,
+    approved,
+    score,
+    explicitApproval: approvedByExplicitMapping,
+    blockers,
+    unresolvedComments,
+    rawBodies,
+    signals: signals.map(({ body: _body, allScores: _allScores, ...signal }) => signal),
+    mapping
+  };
+}
+function isGreptileCheckDetail(check) {
+  return isGreptileLabel(checkName(check)) || isGreptileGithubLogin(check.app?.slug) || isGreptileGithubLogin(check.app?.owner?.login) || isGreptileLabel(check.app?.name);
+}
+async function collectGreptileCheckDetails(input) {
+  const checkRunsRead = await runJsonObject(input.command, [
+    "api",
+    `repos/${input.repoName}/commits/${input.headSha}/check-runs`,
+    "-F",
+    "per_page=100"
+  ], input.projectRoot);
+  const checkRuns = arrayField(checkRunsRead.value, "check_runs").map(normalizeStatusCheck).filter((entry) => !!entry).filter(isGreptileCheckDetail);
+  return checkRunsRead.error ? { value: checkRuns, error: checkRunsRead.error } : { value: checkRuns };
+}
+async function collectPullRequestProvenance(input) {
+  const response = await runJsonObject(input.command, [
+    "api",
+    "graphql",
+    "-F",
+    `owner=${input.owner}`,
+    "-F",
+    `name=${input.name}`,
+    "-F",
+    `prNumber=${input.prNumber}`,
+    "-f",
+    "query=query($owner: String!, $name: String!, $prNumber: Int!) { repository(owner:$owner, name:$name) { pullRequest(number:$prNumber) { lastEditedAt editor { login } commits(last: 1) { nodes { commit { oid committedDate } } } } } }"
+  ], input.projectRoot);
+  if (response.error)
+    return { value: {}, error: response.error };
+  const data = response.value.data;
+  const repository = data?.repository;
+  const pullRequest = repository?.pullRequest;
+  if (!pullRequest)
+    return { value: {}, error: "GitHub pullRequest provenance response did not include a pullRequest object" };
+  const editor = pullRequest.editor;
+  const commits = pullRequest.commits;
+  const nodes = Array.isArray(commits?.nodes) ? commits.nodes : [];
+  const latestCommitNode = nodes[nodes.length - 1];
+  const latestCommit = latestCommitNode?.commit;
+  return {
+    value: {
+      bodyEditorLogin: typeof editor?.login === "string" ? editor.login : null,
+      bodyLastEditedAt: typeof pullRequest.lastEditedAt === "string" ? pullRequest.lastEditedAt : null,
+      headCommittedDate: typeof latestCommit?.committedDate === "string" ? latestCommit.committedDate : null
+    }
+  };
+}
+async function collectReviewThreads(input) {
+  const reviewThreads = [];
+  let afterCursor = null;
+  for (let page = 0;page < 100; page += 1) {
+    const afterLiteral = afterCursor ? JSON.stringify(afterCursor) : "null";
+    const threadsResponse = await runJsonObject(input.command, [
+      "api",
+      "graphql",
+      "-F",
+      `owner=${input.owner}`,
+      "-F",
+      `name=${input.name}`,
+      "-F",
+      `prNumber=${input.prNumber}`,
+      "-f",
+      `query=query($owner: String!, $name: String!, $prNumber: Int!) { repository(owner:$owner, name:$name) { pullRequest(number:$prNumber) { reviewThreads(first: 100, after: ${afterLiteral}) { nodes { id isResolved isOutdated comments(first: 100) { nodes { author { login } body path url createdAt } pageInfo { hasNextPage endCursor } } } pageInfo { hasNextPage endCursor } } } } }`
+    ], input.projectRoot);
+    if (threadsResponse.error) {
+      return { value: reviewThreads, error: threadsResponse.error };
+    }
+    const data = threadsResponse.value.data;
+    const repository = data?.repository;
+    const pullRequest = repository?.pullRequest;
+    const threads = pullRequest?.reviewThreads;
+    const nodes = threads?.nodes;
+    if (!Array.isArray(nodes)) {
+      return { value: reviewThreads, error: "GitHub reviewThreads response did not include a nodes array" };
+    }
+    const normalized = nodes.map(normalizeReviewThread).filter((entry) => !!entry);
+    reviewThreads.push(...normalized);
+    const truncatedCommentThread = normalized.find((thread) => thread.comments?.pageInfo?.hasNextPage === true);
+    if (truncatedCommentThread) {
+      return { value: reviewThreads, error: `GitHub review thread ${truncatedCommentThread.id ?? "unknown"} has more than 100 comments; nested pagination is incomplete` };
+    }
+    const pageInfo = threads?.pageInfo;
+    if (!pageInfo) {
+      if (nodes.length >= 100) {
+        return { value: reviewThreads, error: "GitHub reviewThreads pagination metadata missing after a full page" };
+      }
+      return { value: reviewThreads };
+    }
+    if (pageInfo.hasNextPage !== true) {
+      return { value: reviewThreads };
+    }
+    if (typeof pageInfo.endCursor !== "string" || !pageInfo.endCursor.trim()) {
+      return { value: reviewThreads, error: "GitHub reviewThreads pagination reported hasNextPage without endCursor" };
+    }
+    afterCursor = pageInfo.endCursor;
+  }
+  return { value: reviewThreads, error: "GitHub reviewThreads pagination exceeded 100 pages" };
+}
+async function collectPrReviewEvidence(input) {
+  const parsed = parseGithubPrUrl(input.prUrl);
+  if (!parsed) {
+    throw new Error(`Cannot parse GitHub PR URL: ${input.prUrl}`);
+  }
+  const readErrors = [];
+  const viewRead = await runJsonObject(input.command, [
+    "pr",
+    "view",
+    input.prUrl,
+    "--json",
+    "title,body,headRefOid,headRefName,baseRefName,state,isDraft,mergeable,mergeStateStatus,reviewDecision,reviews,statusCheckRollup"
+  ], input.projectRoot);
+  if (viewRead.error)
+    readErrors.push(viewRead.error);
+  const view = viewRead.value;
+  if (!Array.isArray(view.statusCheckRollup)) {
+    readErrors.push("gh pr view did not return required statusCheckRollup array");
+  }
+  if (!Array.isArray(view.reviews)) {
+    readErrors.push("gh pr view did not return required reviews array");
+  }
+  const headSha = firstString(view, ["headRefOid", "headSha", "head_sha"]);
+  const baseRefName = firstString(view, ["baseRefName"]);
+  const statusCheckRollup = arrayField(view, "statusCheckRollup").map(normalizeStatusCheck).filter((entry) => !!entry);
+  const reviews = arrayField(view, "reviews").map(normalizeReview).filter((entry) => !!entry);
+  const provenanceRead = await collectPullRequestProvenance({
+    command: input.command,
+    projectRoot: input.projectRoot,
+    owner: parsed.owner,
+    name: parsed.repo,
+    prNumber: parsed.prNumber
+  });
+  const provenance = provenanceRead.value;
+  const reviewCommentsRead = await runJsonArray(input.command, ["api", `repos/${parsed.repoName}/pulls/${parsed.prNumber}/comments`, "--paginate"], input.projectRoot);
+  if (reviewCommentsRead.error)
+    readErrors.push(reviewCommentsRead.error);
+  const reviewComments = reviewCommentsRead.value.map(normalizeReviewComment).filter((entry) => !!entry);
+  const issueCommentsRead = await runJsonArray(input.command, ["api", `repos/${parsed.repoName}/issues/${parsed.prNumber}/comments`, "--paginate"], input.projectRoot);
+  if (issueCommentsRead.error)
+    readErrors.push(issueCommentsRead.error);
+  const issueComments = issueCommentsRead.value.map(normalizeIssueComment).filter((entry) => !!entry).filter(relevantIssueComment);
+  const reviewThreadsRead = await collectReviewThreads({
+    command: input.command,
+    projectRoot: input.projectRoot,
+    owner: parsed.owner,
+    name: parsed.repo,
+    prNumber: parsed.prNumber
+  });
+  if (reviewThreadsRead.error)
+    readErrors.push(reviewThreadsRead.error);
+  const reviewThreads = reviewThreadsRead.value;
+  const greptileRollupChecks = statusCheckRollup.filter((check) => isGreptileLabel(checkName(check)));
+  let greptileCheckDetails = [];
+  if (headSha && greptileRollupChecks.length > 0) {
+    const checkDetailsRead = await collectGreptileCheckDetails({
+      command: input.command,
+      projectRoot: input.projectRoot,
+      repoName: parsed.repoName,
+      headSha
+    });
+    greptileCheckDetails = checkDetailsRead.value;
+  }
+  const checksWithGreptileDetails = [...statusCheckRollup, ...greptileCheckDetails];
+  const shouldCollectConfiguredGreptileApi = input.greptileApi?.enabled !== false;
+  const configuredGreptileApiRead = await collectConfiguredGreptileApiSignals({
+    enabled: shouldCollectConfiguredGreptileApi,
+    options: input.greptileApi,
+    repoName: parsed.repoName,
+    prNumber: parsed.prNumber,
+    headSha,
+    baseRefName
+  });
+  readErrors.push(...configuredGreptileApiRead.errors);
+  const apiSignals = [...input.apiSignals ?? [], ...configuredGreptileApiRead.signals];
+  const checkFailures = statusCheckRollup.filter((check) => !isGreptileLabel(checkName(check)) && isFailingCheck(check) && !isAllowedFailure(checkName(check), input.allowedFailures ?? [])).map((check) => `Check failed: ${checkName(check)}${check.detailsUrl || check.link ? ` (${check.detailsUrl ?? check.link})` : ""}`);
+  const pendingChecks = statusCheckRollup.filter((check) => isPendingCheck(check) && (isGreptileLabel(checkName(check)) || !isAllowedFailure(checkName(check), input.allowedFailures ?? []))).map((check) => `Check pending: ${checkName(check)}`);
+  const evidenceBase = {
+    title: firstString(view, ["title"]),
+    body: firstString(view, ["body"]),
+    bodyEditorLogin: provenance.bodyEditorLogin ?? null,
+    bodyLastEditedAt: provenance.bodyLastEditedAt ?? null,
+    headCommittedDate: provenance.headCommittedDate ?? null,
+    reviews,
+    changedFileReviewComments: reviewComments,
+    relevantIssueComments: issueComments,
+    reviewThreads,
+    checks: checksWithGreptileDetails,
+    currentHeadSha: headSha,
+    apiSignals
+  };
+  const greptile = deriveGreptileEvidence(evidenceBase);
+  return {
+    prUrl: input.prUrl,
+    prNumber: parsed.prNumber,
+    repoName: parsed.repoName,
+    title: evidenceBase.title,
+    body: evidenceBase.body,
+    bodyEditorLogin: evidenceBase.bodyEditorLogin,
+    bodyLastEditedAt: evidenceBase.bodyLastEditedAt,
+    headCommittedDate: evidenceBase.headCommittedDate,
+    headSha,
+    headRefName: firstString(view, ["headRefName"]),
+    baseRefName,
+    state: firstString(view, ["state"]),
+    isDraft: typeof view.isDraft === "boolean" ? view.isDraft : null,
+    mergeable: firstString(view, ["mergeable"]),
+    mergeStateStatus: firstString(view, ["mergeStateStatus"]),
+    reviewDecision: firstString(view, ["reviewDecision"]),
+    reviews,
+    reviewThreads,
+    changedFileReviewComments: reviewComments,
+    relevantIssueComments: issueComments,
+    statusCheckRollup: checksWithGreptileDetails,
+    checkFailures,
+    pendingChecks,
+    readErrors,
+    greptile
+  };
+}
+function capGateMessage(value, maxChars = 1200) {
+  const normalized = value.trim();
+  return normalized.length > maxChars ? `${normalized.slice(0, maxChars)}
+[truncated for gate summary; see full evidence artifact]` : normalized;
+}
+function evaluateEvidence(evidence) {
+  const reasonDetails = [];
+  const warnings = [];
+  const seen = new Set;
+  const addReason = (reason) => {
+    const capped = { ...reason, message: capGateMessage(reason.message) };
+    const key = `${capped.code}:${capped.message}`;
+    if (seen.has(key))
+      return;
+    seen.add(key);
+    reasonDetails.push(capped);
+  };
+  const greptile = evidence.greptile;
+  const staleSignal = greptile.signals.find((signal) => signal.reviewedSha && signal.reviewedSha !== evidence.headSha);
+  const hasPendingGreptileCheck = evidence.pendingChecks.some((check) => /greptile/i.test(check));
+  const pendingGreptileApiSignals = greptile.signals.filter((signal) => signal.source === "api" && signal.verdict === "pending" && (!signal.reviewedSha || signal.reviewedSha === evidence.headSha));
+  const unknownGreptileApiSignals = greptile.signals.filter((signal) => signal.source === "api" && !signal.verdict && (!signal.reviewedSha || signal.reviewedSha === evidence.headSha));
+  const awaitingFreshGreptileProof = hasPendingGreptileCheck || pendingGreptileApiSignals.length > 0 || !greptile.completed || greptile.mapping === "missing" || greptile.mapping === "stale";
+  for (const error of evidence.readErrors) {
+    addReason({
+      code: "read_error",
+      reasonClass: "reject",
+      surface: error.startsWith("Greptile API/MCP") ? "greptile" : "github",
+      suggestedAction: "needs_attention",
+      message: `Required PR evidence surface could not be read completely: ${error}`,
+      headSha: evidence.headSha || null
+    });
+  }
+  if (!evidence.headSha) {
+    addReason({
+      code: "missing_head_sha",
+      reasonClass: "reject",
+      surface: "github",
+      suggestedAction: "needs_attention",
+      message: "PR head SHA could not be read; current-head Greptile approval cannot be proven.",
+      headSha: null
+    });
+  }
+  for (const failure of evidence.checkFailures) {
+    addReason({
+      code: "ci_failed",
+      reasonClass: "reject",
+      surface: "ci",
+      suggestedAction: "fix",
+      message: failure,
+      headSha: evidence.headSha || null
+    });
+  }
+  for (const pendingCheck of evidence.pendingChecks) {
+    addReason({
+      code: "check_pending",
+      reasonClass: "pending",
+      surface: "ci",
+      suggestedAction: "wait",
+      message: pendingCheck,
+      headSha: evidence.headSha || null
+    });
+  }
+  const reviewDecision = String(evidence.reviewDecision ?? "").toUpperCase();
+  if (reviewDecision === "CHANGES_REQUESTED" || reviewDecision === "REVIEW_REQUIRED") {
+    addReason({
+      code: "review_decision_blocking",
+      reasonClass: "reject",
+      surface: "review",
+      suggestedAction: "fix",
+      message: `Required review is unresolved (${evidence.reviewDecision}).`,
+      headSha: evidence.headSha || null
+    });
+  }
+  for (const thread of unresolvedThreadSummaries(evidence.reviewThreads)) {
+    addReason({
+      code: "review_thread_unresolved",
+      reasonClass: "reject",
+      surface: "review",
+      suggestedAction: "fix",
+      message: thread,
+      headSha: evidence.headSha || null
+    });
+  }
+  if (greptile.mapping === "missing") {
+    addReason({
+      code: "greptile_missing",
+      reasonClass: "pending",
+      surface: "greptile",
+      suggestedAction: "wait",
+      message: "Missing Greptile check/review evidence for this PR.",
+      headSha: evidence.headSha || null
+    });
+  }
+  if (greptile.mapping === "stale" || greptile.reviewedSha && greptile.reviewedSha !== evidence.headSha || !greptile.approved && staleSignal) {
+    addReason({
+      code: "greptile_stale",
+      reasonClass: "pending",
+      surface: "greptile",
+      suggestedAction: "wait",
+      message: `Greptile evidence is stale (reviewed ${greptile.reviewedSha ?? staleSignal?.reviewedSha ?? "unknown"}, current ${evidence.headSha || "unknown"}).`,
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? staleSignal?.reviewedSha ?? null
+    });
+  }
+  for (const signal of pendingGreptileApiSignals) {
+    addReason({
+      code: "greptile_pending",
+      reasonClass: "pending",
+      surface: "greptile",
+      suggestedAction: "wait",
+      message: `Greptile API/MCP review is pending for the current PR head${signal.bodyExcerpt ? `: ${signal.bodyExcerpt}` : "."}`,
+      headSha: evidence.headSha || null,
+      reviewedSha: signal.reviewedSha ?? null
+    });
+  }
+  for (const signal of unknownGreptileApiSignals) {
+    addReason({
+      code: "greptile_api_status_unknown",
+      reasonClass: "reject",
+      surface: "greptile",
+      suggestedAction: "needs_attention",
+      message: `Greptile API/MCP review status is unknown; merge requires a known terminal APPROVED/COMPLETED 5/5 result or a known conservative status${signal.bodyExcerpt ? `: ${signal.bodyExcerpt}` : "."}`,
+      headSha: evidence.headSha || null,
+      reviewedSha: signal.reviewedSha ?? null
+    });
+  }
+  if (!greptile.completed) {
+    addReason({
+      code: "greptile_pending",
+      reasonClass: "pending",
+      surface: "greptile",
+      suggestedAction: "wait",
+      message: "Greptile check/review has not completed for the current PR head.",
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  if (!greptile.fresh) {
+    addReason({
+      code: "greptile_not_current_head",
+      reasonClass: awaitingFreshGreptileProof ? "pending" : "reject",
+      surface: "greptile",
+      suggestedAction: awaitingFreshGreptileProof ? "wait" : "ask_greptile",
+      message: "Greptile approval is not tied to the current PR head SHA.",
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  if (greptile.score && !(greptile.score.scale === 5 && greptile.score.value === 5)) {
+    addReason({
+      code: "greptile_score_not_5",
+      reasonClass: "reject",
+      surface: "greptile",
+      suggestedAction: "fix",
+      message: `Greptile score is ${greptile.score.value}/${greptile.score.scale}; strict merge requires trusted current-head 5/5.`,
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  const hasApprovedMapping = greptile.mapping === "score-5-of-5" || greptile.mapping === "explicit-approved";
+  if (!greptile.score && !hasApprovedMapping) {
+    addReason({
+      code: "greptile_score_missing",
+      reasonClass: awaitingFreshGreptileProof ? "pending" : "reject",
+      surface: "greptile",
+      suggestedAction: awaitingFreshGreptileProof ? "wait" : "ask_greptile",
+      message: "No parseable Greptile 5/5 score or direct current-head Greptile API APPROVED mapping was found from trusted evidence; merge is blocked.",
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  if (greptile.mapping === "unproven") {
+    addReason({
+      code: "greptile_mapping_unproven",
+      reasonClass: awaitingFreshGreptileProof ? "pending" : "reject",
+      surface: "greptile",
+      suggestedAction: awaitingFreshGreptileProof ? "wait" : "ask_greptile",
+      message: "Greptile approval mapping is unproven; PR body/title or a green check alone cannot approve merge.",
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  for (const blocker of greptile.blockers) {
+    addReason({
+      code: "greptile_blocker_text",
+      reasonClass: "reject",
+      surface: "greptile",
+      suggestedAction: "fix",
+      message: `Greptile/blocker text: ${blocker}`,
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  for (const comment of greptile.unresolvedComments) {
+    addReason({
+      code: "greptile_unresolved_comment",
+      reasonClass: "reject",
+      surface: "greptile",
+      suggestedAction: "fix",
+      message: comment,
+      headSha: evidence.headSha || null,
+      reviewedSha: greptile.reviewedSha ?? null
+    });
+  }
+  if (!greptile.approved)
+    warnings.push(`Greptile approval mapping is ${greptile.mapping}.`);
+  const pending = reasonDetails.length > 0 && reasonDetails.every((reason) => reason.reasonClass === "pending");
+  return { reasons: reasonDetails.map((reason) => reason.message), reasonDetails, warnings, pending };
+}
+function evaluateStrictPrMergeGate(evidence) {
+  const evaluated = evaluateEvidence(evidence);
+  const approved = evaluated.reasonDetails.length === 0 && evidence.greptile.approved;
+  return {
+    approved,
+    pending: evaluated.pending,
+    reasons: evaluated.reasons,
+    reasonDetails: evaluated.reasonDetails,
+    warnings: evaluated.warnings,
+    actionableFeedback: evaluated.reasons,
+    evidence
+  };
+}
+function strictMergeHeadShaFromGate(result, prUrl) {
+  if (!result.approved) {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate is not approved.`);
+  }
+  if (result.evidence.prUrl !== prUrl) {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate evidence belongs to ${result.evidence.prUrl}.`);
+  }
+  const headSha = result.evidence.headSha?.trim();
+  if (!headSha) {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate did not provide a current head SHA.`);
+  }
+  if (!/^[0-9a-f]{40}$/i.test(headSha)) {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate head is not a raw 40-character commit SHA.`);
+  }
+  if (!result.evidence.greptile.fresh || result.evidence.greptile.currentHeadSha !== headSha) {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate approval is not tied to head ${headSha}.`);
+  }
+  if (result.evidence.greptile.mapping !== "score-5-of-5" && result.evidence.greptile.mapping !== "explicit-approved") {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate mapping is ${result.evidence.greptile.mapping}.`);
+  }
+  return headSha;
+}
+function promptExcerpt(value, maxChars = 4000) {
+  return value.length > maxChars ? `${value.slice(0, maxChars)}
+
+[truncated for prompt; see full evidence artifact]` : value;
+}
+function promptJsonExcerpt(value, maxChars = 6000) {
+  return promptExcerpt(JSON.stringify(value, null, 2), maxChars);
+}
+function buildStrictPrGateSteeringPrompt(result) {
+  const evidence = result.evidence;
+  const unresolvedReviewThreads = evidence.reviewThreads.filter((thread) => thread.isResolved !== true && thread.isOutdated !== true);
+  const displayedReasons = result.reasons.slice(0, 20).map((reason) => `- ${promptExcerpt(reason, 1200)}`);
+  if (result.reasons.length > displayedReasons.length) {
+    displayedReasons.push(`- ${result.reasons.length - displayedReasons.length} additional gate reasons omitted from prompt; see merge-gate-result.json.`);
+  }
+  const lines = [
+    `Strict PR merge gate blocked ${evidence.prUrl}.`,
+    `PR title: ${evidence.title || "(empty)"}`,
+    `Current PR head SHA: ${evidence.headSha || "unknown"}`,
+    `Greptile mapping: ${evidence.greptile.mapping}`,
+    evidence.greptile.score ? `Greptile score: ${evidence.greptile.score.value}/${evidence.greptile.score.scale}` : "Greptile score: not proven",
+    "",
+    "Gate reasons:",
+    ...displayedReasons.length ? displayedReasons : ["- No reasons recorded"],
+    "",
+    "Structured gate reason details:",
+    result.reasonDetails.length ? promptJsonExcerpt(result.reasonDetails, 4000) : "[]",
+    "",
+    "Required evidence read status:",
+    evidence.readErrors.length ? promptJsonExcerpt(evidence.readErrors, 2000) : "All required PR evidence surfaces were read completely.",
+    "",
+    "Full PR title:",
+    evidence.title || "(empty)",
+    "",
+    "PR body excerpt:",
+    evidence.body ? promptExcerpt(evidence.body) : "(empty)",
+    "",
+    "All review comments on changed files:",
+    evidence.changedFileReviewComments.length ? promptJsonExcerpt(evidence.changedFileReviewComments) : "[]",
+    "",
+    "Unresolved review threads:",
+    unresolvedReviewThreads.length ? promptJsonExcerpt(unresolvedReviewThreads) : "[]",
+    "",
+    "Relevant issue-level PR comments:",
+    evidence.relevantIssueComments.length ? promptJsonExcerpt(evidence.relevantIssueComments) : "[]",
+    "",
+    "CI/check failures and pending checks:",
+    promptJsonExcerpt({ failures: evidence.checkFailures, pending: evidence.pendingChecks, rollup: evidence.statusCheckRollup }),
+    "",
+    "Greptile evidence:",
+    promptJsonExcerpt(evidence.greptile)
+  ];
+  if (result.artifacts) {
+    lines.push("", "Full evidence artifacts:", JSON.stringify(result.artifacts, null, 2));
+  }
+  return lines.join(`
+`);
+}
+function persistPrReviewCycleArtifacts(input) {
+  const cycleName = input.final ? `${input.cycle}-final` : String(input.cycle);
+  const taskArtifactRoot = input.artifactRoot?.trim() ? input.artifactRoot : resolve20(input.projectRoot, "artifacts", input.taskId);
+  const root = resolve20(taskArtifactRoot, "pr-review-cycles", cycleName);
+  mkdirSync9(root, { recursive: true });
+  const finalMergeGateResultPath = input.final ? resolve20(taskArtifactRoot, "merge-gate-final.json") : undefined;
+  const paths = {
+    root,
+    prTitlePath: resolve20(root, "pr-title.md"),
+    prBodyPath: resolve20(root, "pr-body.md"),
+    prCommentsPath: resolve20(root, "pr-comments.json"),
+    reviewThreadsPath: resolve20(root, "review-threads.json"),
+    reviewCommentsPath: resolve20(root, "review-comments.json"),
+    checkRollupPath: resolve20(root, "check-rollup.json"),
+    greptileEvidencePath: resolve20(root, "greptile-evidence.json"),
+    mergeGateResultPath: resolve20(root, "merge-gate-result.json"),
+    steeringPromptPath: resolve20(root, "agent-steering-prompt.md"),
+    ...finalMergeGateResultPath ? { finalMergeGateResultPath } : {}
   };
-  const valDescriptions = resolvedContext ? {} : options.validationDescriptions ?? (() => {
-    try {
-      return readValidationDescriptions(projectRoot);
-    } catch {
-      return {};
-    }
-  })();
-  const categories = [];
-  let passed = 0;
-  let failed = 0;
-  for (const cmd of commands) {
-    const startedAt = Date.now();
-    if (!isCheckId(cmd)) {
-      failed += 1;
-      categories.push({
-        category: cmd,
-        status: "fail",
-        exit_code: 2,
-        duration_seconds: 0
-      });
-      const logFile2 = resolve20(taskLogDir, `invalid-entry-validation.log`);
-      mkdirSync7(taskLogDir, { recursive: true });
-      writeFileSync7(logFile2, `=== ${nowIso()} :: ${cmd} ===
-Invalid validation entry: not a check-ID. All entries must use format "category:check-name".
-`, "utf-8");
-      continue;
-    }
-    const { result, exitCode } = await dispatchValidator(cmd, effectiveRegistry, validatorCtx, (id) => runValidatorBinary(projectRoot, taskId, id, resolvedContext));
-    const durationSeconds = Math.max(0, Math.round((Date.now() - startedAt) / 1000));
-    const logFile = resolve20(taskLogDir, `${cmd.replace(":", "-")}-validation.log`);
-    mkdirSync7(taskLogDir, { recursive: true });
-    writeFileSync7(logFile, `=== ${nowIso()} :: ${cmd} ===
-${JSON.stringify(result, null, 2)}
-`, "utf-8");
-    if (result.passed) {
-      passed += 1;
-      categories.push({ category: cmd, status: "pass", duration_seconds: durationSeconds });
-    } else {
-      failed += 1;
-      categories.push({ category: cmd, status: "fail", exit_code: exitCode, duration_seconds: durationSeconds });
-      const desc = valDescriptions[cmd];
-      if (desc) {
-        console.log(`  What this checks (${cmd}): ${desc}`);
-      }
-    }
-  }
-  const summary = {
-    status: failed === 0 ? "pass" : "fail",
-    total: commands.length,
-    passed,
-    failed,
-    categories
+  writeFileSync9(paths.prTitlePath, input.result.evidence.title || "", "utf8");
+  writeFileSync9(paths.prBodyPath, input.result.evidence.body || "", "utf8");
+  writeFileSync9(paths.prCommentsPath, `${JSON.stringify(input.result.evidence.relevantIssueComments, null, 2)}
+`, "utf8");
+  writeFileSync9(paths.reviewThreadsPath, `${JSON.stringify(input.result.evidence.reviewThreads, null, 2)}
+`, "utf8");
+  writeFileSync9(paths.reviewCommentsPath, `${JSON.stringify(input.result.evidence.changedFileReviewComments, null, 2)}
+`, "utf8");
+  writeFileSync9(paths.checkRollupPath, `${JSON.stringify(input.result.evidence.statusCheckRollup, null, 2)}
+`, "utf8");
+  writeFileSync9(paths.greptileEvidencePath, `${JSON.stringify(input.result.evidence.greptile, null, 2)}
+`, "utf8");
+  const mergeGatePayload = {
+    approved: input.result.approved,
+    pending: input.result.pending,
+    reasons: input.result.reasons,
+    reasonDetails: input.result.reasonDetails,
+    warnings: input.result.warnings,
+    actionableFeedback: input.result.actionableFeedback,
+    prUrl: input.result.evidence.prUrl,
+    title: input.result.evidence.title,
+    headSha: input.result.evidence.headSha,
+    readErrors: input.result.evidence.readErrors,
+    greptile: input.result.evidence.greptile,
+    evidence: input.result.evidence,
+    cycleArtifactRoot: root
   };
-  mkdirSync7(artifactDir, { recursive: true });
-  writeFileSync7(resolve20(artifactDir, "validation-summary.json"), `${JSON.stringify(summary, null, 2)}
-`, "utf-8");
-  return summary;
+  writeFileSync9(paths.mergeGateResultPath, `${JSON.stringify(mergeGatePayload, null, 2)}
+`, "utf8");
+  if (paths.finalMergeGateResultPath) {
+    writeFileSync9(paths.finalMergeGateResultPath, `${JSON.stringify(mergeGatePayload, null, 2)}
+`, "utf8");
+  }
+  writeFileSync9(paths.steeringPromptPath, input.steeringPrompt, "utf8");
+  return paths;
+}
+async function runStrictPrMergeGate(input) {
+  const evidence = await collectPrReviewEvidence(input);
+  const base = evaluateStrictPrMergeGate(evidence);
+  const preliminaryPrompt = buildStrictPrGateSteeringPrompt({ ...base, artifacts: undefined });
+  const artifacts = persistPrReviewCycleArtifacts({
+    projectRoot: input.projectRoot,
+    taskId: input.taskId,
+    cycle: input.cycle,
+    artifactRoot: input.artifactRoot,
+    result: base,
+    steeringPrompt: preliminaryPrompt,
+    final: input.final
+  });
+  const steeringPrompt = buildStrictPrGateSteeringPrompt({ ...base, artifacts });
+  writeFileSync9(artifacts.steeringPromptPath, steeringPrompt, "utf8");
+  return { ...base, artifacts, steeringPrompt };
 }
 
 // packages/runtime/src/control-plane/native/verifier.ts
-import { existsSync as existsSync18, mkdirSync as mkdirSync8, writeFileSync as writeFileSync8 } from "fs";
-import { resolve as resolve21 } from "path";
 async function verifyTask(options) {
   const paths = resolveHarnessPaths(options.projectRoot);
   const taskId = options.taskId;
   const normalizedTaskId = lookupTask(options.projectRoot, taskId);
   const artifactDir = artifactDirForId(options.projectRoot, taskId);
-  mkdirSync8(artifactDir, { recursive: true });
+  mkdirSync10(artifactDir, { recursive: true });
   const validationSummaryPath = resolve21(artifactDir, "validation-summary.json");
   const reviewFeedbackPath = resolve21(artifactDir, "review-feedback.md");
   const reviewStatePath = resolve21(artifactDir, "review-state.json");
@@ -4304,12 +5362,6 @@ async function verifyTask(options) {
   if (sourceCloseoutIssueId) {
     localReasons.push(...evaluateGithubSourceIssuePrCloseout(options.projectRoot, prStates, sourceCloseoutIssueId));
   }
-  const pluginResults = await options.plugins.runValidators(taskId);
-  for (const result of pluginResults) {
-    if (!result.passed) {
-      localReasons.push(`[Plugin Validator] ${result.id}: ${result.summary}`);
-    }
-  }
   const reviewMode = await loadReviewMode(paths.reviewProfilePath, process.env.AI_REVIEW_MODE || "advisory");
   const reviewProvider = await loadReviewProvider(paths.reviewProfilePath, process.env.AI_REVIEW_PROVIDER || "greptile");
   if (!options.skipAiReview && localReasons.length === 0 && reviewProvider === "greptile" && reviewMode !== "off") {
@@ -4328,7 +5380,7 @@ async function verifyTask(options) {
       aiReasons.push(`[AI Review] Required mode needs a completed Greptile approval; current verdict is ${ai.verdict}.`);
     }
     if (persistArtifacts && ai.rawResponse) {
-      writeFileSync8(greptileRawPath, `${ai.rawResponse}
+      writeFileSync10(greptileRawPath, `${ai.rawResponse}
 `, "utf-8");
     }
   } else if (!options.skipAiReview && reviewMode === "off") {
@@ -4837,7 +5889,7 @@ function writeFeedbackFile(options) {
   if (options.aiRawFeedback) {
     lines.push("## Raw Reviewer Feedback", "", "```text", options.aiRawFeedback, "```", "");
   }
-  writeFileSync8(options.output, `${lines.join(`
+  writeFileSync10(options.output, `${lines.join(`
 `)}
 `, "utf-8");
 }
@@ -4854,7 +5906,7 @@ function writeReviewStateFile(options) {
     ai_warnings: options.aiWarnings,
     updated_at: nowIso()
   };
-  writeFileSync8(options.output, `${JSON.stringify(payload, null, 2)}
+  writeFileSync10(options.output, `${JSON.stringify(payload, null, 2)}
 `, "utf-8");
 }
 async function runGreptileReviewForPr(options) {
@@ -5036,7 +6088,8 @@ async function runGreptileReviewForPr(options) {
       }
     };
   }
-  if (/not safe to merge|unsafe to merge|do not merge|blocker/i.test(reviewBody)) {
+  const blockerScanBody = stripHtml(reviewBody).replace(/\b(?:no|without|zero)\s+blockers?\b/gi, " ").replace(/\bno\s+changes\s+requested\b/gi, " ");
+  if (/not safe(?: to merge)?|unsafe(?: to merge)?|do not merge|cannot merge|blockers?|must fix|changes requested|please fix|needs? fix|fix this|address this|\breject(?:ed|ion)?\b|\bskip(?:ped)?\b|status\s*:\s*(?:reject(?:ed)?|skip(?:ped)?|failed)/i.test(blockerScanBody)) {
     reasons.push(`[AI Review] ${repoName}#${prNumber} summary indicates the PR is not safe to merge.`);
     return {
       verdict: "REJECT",
@@ -5052,44 +6105,79 @@ async function runGreptileReviewForPr(options) {
       }
     };
   }
-  if (score) {
-    if (score.scale === 5 && score.value < 5 && options.reviewMode === "required") {
-      reasons.push(`[AI Review] ${repoName}#${prNumber} completed with Greptile confidence ${score.value}/${score.scale}; required mode needs 5/5 before merge.`);
-      return {
-        verdict: "REJECT",
-        feedback,
-        reasons,
-        warnings,
-        rawPayload: {
-          pr: options.prState,
-          codeReviews: reviewsPayload,
-          selectedReview,
-          reviewDetails,
-          comments: commentsPayload,
-          score
-        }
-      };
-    }
-    if (score.scale === 5 && score.value <= 2) {
-      reasons.push(`[AI Review] ${repoName}#${prNumber} completed with Greptile confidence ${score.value}/${score.scale}; this requires rework before merge.`);
-      return {
-        verdict: "REJECT",
-        feedback,
-        reasons,
-        warnings,
-        rawPayload: {
-          pr: options.prState,
-          codeReviews: reviewsPayload,
-          selectedReview,
-          reviewDetails,
-          comments: commentsPayload,
-          score
+  if (score?.scale === 5 && score.value < 5) {
+    reasons.push(`[AI Review] ${repoName}#${prNumber} completed with Greptile confidence ${score.value}/${score.scale}; strict review requires 5/5 before merge.`);
+    return {
+      verdict: "REJECT",
+      feedback,
+      reasons,
+      warnings,
+      rawPayload: {
+        pr: options.prState,
+        codeReviews: reviewsPayload,
+        selectedReview,
+        reviewDetails,
+        comments: commentsPayload,
+        score
+      }
+    };
+  }
+  const prUrl = options.prState.url || `https://github.com/${repoName}/pull/${prNumber}`;
+  let strictGate = null;
+  try {
+    const strictEvidence = await collectStrictPrEvidenceForVerifier({
+      projectRoot: options.projectRoot,
+      taskId: options.taskId,
+      prUrl,
+      apiSignals: [{
+        id: selectedReview.id,
+        body: reviewBody,
+        reviewedSha: selectedReview.metadata?.checkHeadSha ?? null,
+        status: selectedReview.status
+      }]
+    });
+    strictGate = evaluateStrictPrMergeGate(strictEvidence);
+  } catch (error) {
+    reasons.push(`[AI Review] Strict Greptile evidence collection failed for ${repoName}#${prNumber}: ${error instanceof Error ? error.message : String(error)}`);
+    return {
+      verdict: "REJECT",
+      feedback,
+      reasons,
+      warnings,
+      rawPayload: {
+        pr: options.prState,
+        codeReviews: reviewsPayload,
+        selectedReview,
+        reviewDetails,
+        comments: commentsPayload,
+        score
+      }
+    };
+  }
+  if (!strictGate.approved) {
+    return {
+      verdict: strictGate.pending ? "SKIP" : "REJECT",
+      feedback,
+      reasons: strictGate.reasons.map((reason) => reason.startsWith("[AI Review]") ? reason : `[AI Review] ${reason}`),
+      warnings: [...warnings, ...strictGate.warnings],
+      rawPayload: {
+        pr: options.prState,
+        codeReviews: reviewsPayload,
+        selectedReview,
+        reviewDetails,
+        comments: commentsPayload,
+        score,
+        strictGate: {
+          approved: strictGate.approved,
+          pending: strictGate.pending,
+          reasons: strictGate.reasons,
+          reasonDetails: strictGate.reasonDetails,
+          warnings: strictGate.warnings,
+          greptile: strictGate.evidence.greptile,
+          readErrors: strictGate.evidence.readErrors
         }
-      };
-    }
-    if (score.scale === 5 && score.value < 5) {
-      warnings.push(`[AI Review] ${repoName}#${prNumber} completed with Greptile confidence ${score.value}/${score.scale}; continue only after reviewing remaining risk.`);
-    }
+      }
+    };
   }
   return {
     verdict: "APPROVE",
@@ -5101,7 +6189,16 @@ async function runGreptileReviewForPr(options) {
       codeReviews: reviewsPayload,
       selectedReview,
       reviewDetails,
-      comments: commentsPayload
+      comments: commentsPayload,
+      strictGate: {
+        approved: strictGate.approved,
+        pending: strictGate.pending,
+        reasons: strictGate.reasons,
+        reasonDetails: strictGate.reasonDetails,
+        warnings: strictGate.warnings,
+        greptile: strictGate.evidence.greptile,
+        readErrors: strictGate.evidence.readErrors
+      }
     }
   };
 }
@@ -5125,7 +6222,7 @@ async function runGithubGreptileFallbackReviewForPr(options) {
   let threads = [];
   let actionableThreads = [];
   let checkRollup = [];
-  let checkState = { pending: false, completed: false };
+  let checkState2 = { pending: false, completed: false };
   for (let attempt = 0;; attempt += 1) {
     reviews = runGhJson(options.projectRoot, ["api", `repos/${repoName}/pulls/${prNumber}/reviews`]);
     selectedReview = pickRelevantGithubGreptileReview(reviews, expectedHeadSha);
@@ -5134,15 +6231,15 @@ async function runGithubGreptileFallbackReviewForPr(options) {
     threads = loadGithubReviewThreads(options.projectRoot, repoName, prNumber);
     actionableThreads = filterActionableGithubGreptileThreads(threads);
     checkRollup = loadGithubPullRequestCheckRollup(options.projectRoot, repoName, prNumber);
-    checkState = classifyGithubGreptileCheckState(checkRollup);
-    const approvedViaReviewedAncestor2 = !selectedReview && !!fallbackReview?.commit_id && !!expectedHeadSha && isCommitAncestorOfPrHead(options.projectRoot, options.prState, fallbackReview.commit_id, expectedHeadSha);
+    checkState2 = classifyGithubGreptileCheckState(checkRollup);
+    const approvedViaReviewedAncestor = !selectedReview && !!fallbackReview?.commit_id && !!expectedHeadSha && isCommitAncestorOfPrHead(options.projectRoot, options.prState, fallbackReview.commit_id, expectedHeadSha);
     if (!shouldContinueGithubGreptileFallbackPolling({
       attempt,
       pollAttempts: options.pollAttempts,
-      checkState,
+      checkState: checkState2,
       fallbackReview,
       selectedReview,
-      approvedViaReviewedAncestor: approvedViaReviewedAncestor2
+      approvedViaReviewedAncestor
     })) {
       break;
     }
@@ -5170,7 +6267,7 @@ async function runGithubGreptileFallbackReviewForPr(options) {
   ].filter(Boolean).join(`
 `);
   const warnings = buildGithubGreptileFallbackWarnings(options);
-  if (checkState.pending) {
+  if (checkState2.pending) {
     return {
       verdict: "SKIP",
       feedback,
@@ -5181,34 +6278,20 @@ async function runGithubGreptileFallbackReviewForPr(options) {
       rawPayload: { ...buildGithubGreptileFallbackRawPayload(options), reviews, threads, checkRollup }
     };
   }
-  const approvedViaCompletedCheck = isGithubGreptileCheckApproved(checkRollup);
-  if (!fallbackReview) {
-    if (approvedViaCompletedCheck) {
-      warnings.push(`[AI Review Warning] ${repoName}#${prNumber} has no GitHub Greptile review object, but the Greptile check completed successfully and no unresolved Greptile threads remain.`);
-      return {
-        verdict: "APPROVE",
-        feedback,
-        reasons: [],
-        warnings,
-        rawPayload: { ...buildGithubGreptileFallbackRawPayload(options), reviews, threads, checkRollup }
-      };
-    }
-    return {
-      verdict: "SKIP",
-      feedback,
-      reasons: [
-        `[AI Review] Greptile GitHub review for ${repoName}#${prNumber} is not available.`
-      ],
-      warnings,
-      rawPayload: { ...buildGithubGreptileFallbackRawPayload(options), reviews, threads, checkRollup }
-    };
-  }
-  const approvedViaReviewedAncestor = !selectedReview && !!fallbackReview.commit_id && !!expectedHeadSha && isCommitAncestorOfPrHead(options.projectRoot, options.prState, fallbackReview.commit_id, expectedHeadSha);
-  if (actionableThreads.length > 0) {
+  const prUrl = options.prState.url || `https://github.com/${repoName}/pull/${prNumber}`;
+  let strictGate;
+  try {
+    const strictEvidence = await collectStrictPrEvidenceForVerifier({
+      projectRoot: options.projectRoot,
+      taskId: options.taskId,
+      prUrl
+    });
+    strictGate = evaluateStrictPrMergeGate(strictEvidence);
+  } catch (error) {
     return {
       verdict: "REJECT",
       feedback,
-      reasons: actionableThreads.map((comment) => `[AI Review] ${repoName}#${prNumber} has unresolved Greptile comment on ${comment.path}: ${summarizeComment(comment.body || "")}`),
+      reasons: [`[AI Review] Strict Greptile evidence collection failed for ${repoName}#${prNumber}: ${error instanceof Error ? error.message : String(error)}`],
       warnings,
       rawPayload: {
         pr: options.prState,
@@ -5221,44 +6304,31 @@ async function runGithubGreptileFallbackReviewForPr(options) {
       }
     };
   }
-  if (!selectedReview && !approvedViaReviewedAncestor) {
-    if (approvedViaCompletedCheck) {
-      warnings.push(`[AI Review Warning] ${repoName}#${prNumber} has no fresh Greptile GitHub review on the current head, but the Greptile check completed successfully and all Greptile threads are resolved.`);
-      return {
-        verdict: "APPROVE",
-        feedback,
-        reasons: [],
-        warnings,
-        rawPayload: {
-          pr: options.prState,
-          selectedReview: fallbackReview,
-          reviews,
-          threads,
-          checkRollup,
-          ...buildGithubGreptileFallbackRawPayload(options)
-        }
-      };
-    }
+  if (!strictGate.approved) {
     return {
-      verdict: "SKIP",
+      verdict: strictGate.pending ? "SKIP" : "REJECT",
       feedback,
-      reasons: [
-        `[AI Review] Greptile GitHub review for ${repoName}#${prNumber} is not available for the current head.`
-      ],
-      warnings,
+      reasons: strictGate.reasons.map((reason) => reason.startsWith("[AI Review]") ? reason : `[AI Review] ${reason}`),
+      warnings: [...warnings, ...strictGate.warnings],
       rawPayload: {
         pr: options.prState,
         selectedReview: fallbackReview,
         reviews,
         threads,
         checkRollup,
+        actionableThreads,
+        strictGate: {
+          approved: strictGate.approved,
+          pending: strictGate.pending,
+          reasons: strictGate.reasons,
+          reasonDetails: strictGate.reasonDetails,
+          warnings: strictGate.warnings,
+          greptile: strictGate.evidence.greptile
+        },
         ...buildGithubGreptileFallbackRawPayload(options)
       }
     };
   }
-  if (approvedViaReviewedAncestor) {
-    warnings.push(`[AI Review Warning] ${repoName}#${prNumber} has no fresh Greptile review on the current head, but the latest reviewed commit is an ancestor and all Greptile threads are resolved.`);
-  }
   return {
     verdict: "APPROVE",
     feedback,
@@ -5270,6 +6340,14 @@ async function runGithubGreptileFallbackReviewForPr(options) {
       reviews,
       threads,
       checkRollup,
+      strictGate: {
+        approved: strictGate.approved,
+        pending: strictGate.pending,
+        reasons: strictGate.reasons,
+        reasonDetails: strictGate.reasonDetails,
+        warnings: strictGate.warnings,
+        greptile: strictGate.evidence.greptile
+      },
       ...buildGithubGreptileFallbackRawPayload(options)
     }
   };
@@ -5382,19 +6460,25 @@ function shouldTriggerGreptileReview(existingReview, expectedHeadSha) {
   if ((existingReview.metadata?.checkHeadSha || "") !== expectedHeadSha) {
     return true;
   }
-  return isGreptileReviewTerminal(existingReview.status);
+  return false;
 }
 function shouldContinueGreptileMcpPolling(options) {
   if (options.githubCheckState.completed) {
     return false;
   }
+  if (options.attempt + 1 >= options.pollAttempts) {
+    return false;
+  }
   if (options.selectedReview && !isGreptileReviewTerminal(options.selectedReview.status)) {
     return true;
   }
-  return options.attempt + 1 < options.pollAttempts;
+  return true;
 }
 function shouldContinueGithubGreptileFallbackPolling(options) {
   const waitingForVisiblePendingReview = options.checkState.pending && (!options.fallbackReview || !options.selectedReview && !options.approvedViaReviewedAncestor);
+  if (options.attempt + 1 >= options.pollAttempts) {
+    return false;
+  }
   if (waitingForVisiblePendingReview) {
     return true;
   }
@@ -5455,6 +6539,20 @@ function runGhJson(projectRoot, args) {
     throw new Error(`gh ${args.join(" ")} returned malformed JSON: ${result.stdout}`);
   }
 }
+async function collectStrictPrEvidenceForVerifier(input) {
+  return collectPrReviewEvidence({
+    projectRoot: input.projectRoot,
+    prUrl: input.prUrl,
+    taskId: input.taskId,
+    runId: "verifier",
+    cycle: 0,
+    apiSignals: input.apiSignals ?? [],
+    command: async (args, options) => {
+      const result = runCapture(["gh", ...args], options?.cwd ?? input.projectRoot);
+      return { exitCode: result.exitCode, stdout: result.stdout, stderr: result.stderr };
+    }
+  });
+}
 function deriveRepoName(projectRoot, prState) {
   const fromUrl = /github\.com\/([^/]+\/[^/]+)\/pull\/\d+/.exec(prState.url || "");
   if (fromUrl?.[1]) {
@@ -5469,8 +6567,9 @@ function resolvePrHeadSha(projectRoot, prState) {
   const repoRoot = resolvePrRepoRoot(projectRoot, prState);
   return runCapture(["git", "-C", repoRoot, "rev-parse", "HEAD"], projectRoot).stdout.trim();
 }
-function isGreptileGithubLogin(login) {
-  return (login || "").replace(/\[bot\]$/, "") === "greptile-apps";
+function isGreptileGithubLogin2(login) {
+  const normalized = (login || "").toLowerCase().replace(/\[bot\]$/, "");
+  return normalized === "greptile" || normalized === "greptile-ai" || normalized === "greptileai" || normalized === "greptile-apps";
 }
 function pickRelevantGithubGreptileReview(reviews, expectedHeadSha) {
   const matching = sortGithubGreptileReviews(reviews);
@@ -5487,7 +6586,7 @@ function pickLatestGithubGreptileReview(reviews) {
   return sortGithubGreptileReviews(reviews)[0] || null;
 }
 function sortGithubGreptileReviews(reviews) {
-  return reviews.filter((review) => isGreptileGithubLogin(review.user?.login)).sort((left, right) => Date.parse(right.submitted_at || "") - Date.parse(left.submitted_at || ""));
+  return reviews.filter((review) => isGreptileGithubLogin2(review.user?.login)).sort((left, right) => Date.parse(right.submitted_at || "") - Date.parse(left.submitted_at || ""));
 }
 function loadGithubPullRequestCheckRollup(projectRoot, repoName, prNumber) {
   const response = runGhJson(projectRoot, [
@@ -5560,32 +6659,6 @@ function classifyGithubGreptileCheckState(checks) {
   }
   return { pending: false, completed: false };
 }
-function isGithubGreptileCheckApproved(checks) {
-  const greptileChecks = checks.filter((check) => {
-    const label = (check.name || check.context || "").toLowerCase();
-    return label.includes("greptile");
-  });
-  if (greptileChecks.length === 0) {
-    return false;
-  }
-  for (const check of greptileChecks) {
-    if ((check.__typename || "") === "CheckRun") {
-      if ((check.status || "").toUpperCase() !== "COMPLETED") {
-        return false;
-      }
-      const conclusion = (check.conclusion || "").toUpperCase();
-      if (!["SUCCESS", "NEUTRAL", "SKIPPED"].includes(conclusion)) {
-        return false;
-      }
-      continue;
-    }
-    const state = (check.state || "").toUpperCase();
-    if (!["SUCCESS", "NEUTRAL", "SKIPPED"].includes(state)) {
-      return false;
-    }
-  }
-  return true;
-}
 function loadGithubReviewThreads(projectRoot, repoName, prNumber) {
   const [owner, name] = repoName.split("/");
   if (!owner || !name) {
@@ -5611,7 +6684,7 @@ function filterActionableGithubGreptileThreads(threads) {
       return [];
     }
     const comments = thread.comments?.nodes || [];
-    const latestGreptileComment = [...comments].reverse().find((comment) => isGreptileGithubLogin(comment.author?.login));
+    const latestGreptileComment = [...comments].reverse().find((comment) => isGreptileGithubLogin2(comment.author?.login));
     if (!latestGreptileComment?.path?.trim()) {
       return [];
     }
@@ -5633,11 +6706,6 @@ function isCommitAncestorOfPrHead(projectRoot, prState, reviewedCommit, headComm
   const repoRoot = resolvePrRepoRoot(projectRoot, prState);
   return runCapture(["git", "-C", repoRoot, "merge-base", "--is-ancestor", reviewedCommit, headCommit], projectRoot).exitCode === 0;
 }
-function stripHtml(input) {
-  return input.replace(/<[^>]+>/g, " ").replace(/&nbsp;/g, " ").replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/\r/g, "").replace(/\n{3,}/g, `
-
-`).trim();
-}
 function summarizeComment(input) {
   const text = stripHtml(input).replace(/\s+/g, " ").trim();
   return text.length > 160 ? `${text.slice(0, 157)}...` : text;
@@ -5646,31 +6714,14 @@ function asGreptileInfrastructureWarning(reason) {
   return reason.startsWith("[AI Review]") ? reason.replace("[AI Review]", "[AI Review Warning]") : reason;
 }
 function isAiReviewApproved(input) {
+  if (input.aiVerdict === "REJECT" && input.aiReasons.length > 0) {
+    return false;
+  }
   if (input.reviewMode !== "required") {
     return true;
   }
   return input.aiVerdict === "APPROVE" && input.aiReasons.length === 0;
 }
-function parseGreptileScore(input) {
-  const text = stripHtml(input);
-  const patterns = [
-    /confidence score:\s*(\d+)\s*\/\s*(\d+)/i,
-    /\bscore:\s*(\d+)\s*\/\s*(\d+)/i,
-    /\b(\d+)\s*\/\s*(\d+)\s*(?:confidence|score)/i
-  ];
-  for (const pattern of patterns) {
-    const match = pattern.exec(text);
-    if (!match) {
-      continue;
-    }
-    const value = Number.parseInt(match[1] || "", 10);
-    const scale = Number.parseInt(match[2] || "", 10);
-    if (Number.isFinite(value) && Number.isFinite(scale) && scale > 0) {
-      return { value, scale };
-    }
-  }
-  return null;
-}
 
 // packages/runtime/src/control-plane/provider/runtime-instructions.ts
 var CLAUDE_ROUTER_TOOL_NAMES = [
@@ -5711,9 +6762,9 @@ function taskArtifacts(projectRoot, taskId) {
   }
   const paths = resolveHarnessPaths(projectRoot);
   const artifactDir = resolve22(paths.artifactsDir, activeTask);
-  mkdirSync9(artifactDir, { recursive: true });
+  mkdirSync11(artifactDir, { recursive: true });
   const changed = changedFilesForTask(projectRoot, activeTask, true);
-  writeFileSync9(resolve22(artifactDir, "changed-files.txt"), `${changed.join(`
+  writeFileSync11(resolve22(artifactDir, "changed-files.txt"), `${changed.join(`
 `)}
 `, "utf-8");
   console.log(`changed-files.txt: ${changed.length} files`);
@@ -5725,7 +6776,7 @@ function taskArtifacts(projectRoot, taskId) {
       summary: "TODO: Write a one-line summary of what you did",
       completed_at: nowIso()
     };
-    writeFileSync9(taskResultPath, `${JSON.stringify(template, null, 2)}
+    writeFileSync11(taskResultPath, `${JSON.stringify(template, null, 2)}
 `, "utf-8");
     console.log("task-result.json: created (update the summary!)");
   } else {
@@ -5737,7 +6788,7 @@ function taskArtifacts(projectRoot, taskId) {
 
 Record key decisions here using: rig-agent record decision "..."
 `;
-    writeFileSync9(decisionLogPath, content, "utf-8");
+    writeFileSync11(decisionLogPath, content, "utf-8");
     console.log("decision-log.md: created (record your decisions!)");
   } else {
     console.log("decision-log.md: already exists");
@@ -5760,7 +6811,7 @@ Record key decisions here using: rig-agent record decision "..."
       ""
     ].join(`
 `);
-    writeFileSync9(nextActionsPath, content, "utf-8");
+    writeFileSync11(nextActionsPath, content, "utf-8");
     console.log("next-actions.md: created (add recommendations for downstream tasks!)");
   } else {
     console.log("next-actions.md: already exists");
@@ -5993,12 +7044,12 @@ var TASK_ARTIFACT_STAGE_FALLBACK = new Set([
   "task-result.json",
   "validation-summary.json"
 ]);
-function resolveHostRigBinDir(root) {
-  return resolve23(root, ".rig", "bin");
-}
 function isRuntimeGatewayGitPath(candidate) {
   return /\/\.rig\/bin\/git$/.test(candidate.replace(/\\/g, "/"));
 }
+function isRuntimeGatewayGhPath(candidate) {
+  return /\/\.rig\/bin\/gh$/.test(candidate.replace(/\\/g, "/"));
+}
 function resolveOptionalMonorepoRoot(projectRoot) {
   const runtimeWorkspace = process.env.RIG_TASK_WORKSPACE?.trim();
   if (runtimeWorkspace && existsSync20(resolve23(runtimeWorkspace, ".git"))) {
@@ -6033,6 +7084,9 @@ function resolveGitBinary(projectRoot) {
   }
   return "git";
 }
+function escapeRegExp(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
 function safeCurrentTaskId(projectRoot) {
   try {
     const taskId = currentTaskId(projectRoot);
@@ -6156,10 +7210,11 @@ function gitOpenPr(options) {
     "",
     "## Task",
     `- beads: ${taskId || "n/a"}`,
+    ...defaultPrRunLines(taskId, repoNameWithOwner),
     "",
     "## Review",
     "- Completion verification will run validation, verifier review, and PR policy checks.",
-    "- When repository policy allows it, Rig enables GitHub auto-merge after approval."
+    "- When repository policy allows it, Rig attempts an immediate strict-gated, head-locked merge after approval."
   ].join(`
 `);
   const preCheck = runCapture2(withGhRepo([gh, "pr", "list", "--state", "merged", "--head", branch, "--json", "url,mergedAt", "--jq", ".[0]"], repoNameWithOwner), repoRoot);
@@ -6247,6 +7302,30 @@ function gitOpenPr(options) {
   }
   return result;
 }
+function defaultPrRunLines(taskId, repoNameWithOwner) {
+  const lines = [];
+  const runId = process.env.RIG_SERVER_RUN_ID?.trim();
+  if (runId) {
+    lines.push(`- Run: ${runId}`);
+  }
+  const closeout = defaultPrCloseoutLine(taskId, repoNameWithOwner);
+  if (closeout) {
+    lines.push(`- ${closeout}`);
+  }
+  return lines;
+}
+function defaultPrCloseoutLine(taskId, repoNameWithOwner) {
+  const sourceIssueId = loadRuntimeContextFromEnv()?.sourceTask?.sourceIssueId;
+  if (sourceIssueId) {
+    const match = sourceIssueId.match(/^([^#]+)#(\d+)$/);
+    if (match?.[1] && match[2]) {
+      const sourceRepo = match[1];
+      const issueNumber = match[2];
+      return sourceRepo.toLowerCase() === repoNameWithOwner.toLowerCase() ? `Closes #${issueNumber}` : `Closes ${sourceRepo}#${issueNumber}`;
+    }
+  }
+  return /^\d+$/.test(taskId) ? `Closes #${taskId}` : "";
+}
 function resolveTaskBranchRef(projectRoot, taskId) {
   return `rig/${resolveTaskBranchId(projectRoot, taskId)}`;
 }
@@ -6331,61 +7410,45 @@ function gitMergePr(options) {
     return { status: "already-merged", url: options.pr.url };
   }
   if (state !== "OPEN") {
-    throw new Error(`Cannot auto-merge PR ${options.pr.url}: state is ${state}.`);
+    throw new Error(`Cannot merge PR ${options.pr.url}: state is ${state}.`);
   }
   if (isDraft) {
-    throw new Error(`Cannot auto-merge draft PR ${options.pr.url}.`);
+    throw new Error(`Cannot merge draft PR ${options.pr.url}.`);
   }
+  const strictGateHeadSha = strictMergeHeadShaFromGate(options.strictGate, options.pr.url);
   const mergeArgs = withGhRepo([gh, "pr", "merge", options.pr.url], repoNameWithOwner);
   const method = options.method || "squash";
   mergeArgs.push(method === "merge" ? "--merge" : method === "rebase" ? "--rebase" : "--squash");
+  mergeArgs.push("--match-head-commit", strictGateHeadSha);
   if (options.deleteBranch !== false) {
     mergeArgs.push("--delete-branch");
   }
-  const autoMergeArgs = [...mergeArgs, "--auto"];
-  const autoMerge = runCapture2(autoMergeArgs, repoRoot);
-  if (autoMerge.exitCode === 0) {
-    const postAutoMergeState = readPrViewState(gh, repoRoot, repoNameWithOwner, options.pr.url);
-    if (postAutoMergeState.state === "MERGED" || postAutoMergeState.mergedAt) {
-      console.log(`Merged PR (${options.pr.repoLabel}): ${options.pr.url}`);
-      return { status: "merged", url: options.pr.url };
-    }
-    if (postAutoMergeState.state === "OPEN" && postAutoMergeState.autoMergeRequest) {
-      if (canAdminMergeApprovedPr(postAutoMergeState)) {
-        const adminMergeArgs = [...mergeArgs];
-        if (postAutoMergeState.headRefOid) {
-          adminMergeArgs.push("--match-head-commit", postAutoMergeState.headRefOid);
-        }
-        adminMergeArgs.push("--admin");
-        const adminMerge = runCapture2(adminMergeArgs, repoRoot);
-        if (adminMerge.exitCode === 0) {
-          const postAdminMergeState = readPrViewState(gh, repoRoot, repoNameWithOwner, options.pr.url);
-          if (postAdminMergeState.state === "MERGED" || postAdminMergeState.mergedAt) {
-            console.log(`Merged PR (${options.pr.repoLabel}) with admin fallback: ${options.pr.url}`);
-            return { status: "merged", url: options.pr.url };
-          }
-          throw new Error(`Admin merge command succeeded for PR ${options.pr.url} in ${options.pr.repoLabel}, but GitHub still reports it open.`);
-        }
-        const adminMergeMessage = `${adminMerge.stderr}
-${adminMerge.stdout}`.trim();
-        if (!/admin|administrator|permission|not permitted|not allowed/i.test(adminMergeMessage)) {
-          throw new Error(`Failed to admin-merge PR ${options.pr.url} in ${options.pr.repoLabel}: ${adminMergeMessage}`);
-        }
+  const directMerge = runCapture2(mergeArgs, repoRoot);
+  if (directMerge.exitCode === 0) {
+    console.log(`Merged PR (${options.pr.repoLabel}): ${options.pr.url}`);
+    return { status: "merged", url: options.pr.url };
+  }
+  const postDirectState = readPrViewState(gh, repoRoot, repoNameWithOwner, options.pr.url);
+  if (canAdminMergeApprovedPr(postDirectState)) {
+    const adminMergeArgs = [...mergeArgs, "--admin"];
+    const adminMerge = runCapture2(adminMergeArgs, repoRoot);
+    if (adminMerge.exitCode === 0) {
+      const postAdminMergeState = readPrViewState(gh, repoRoot, repoNameWithOwner, options.pr.url);
+      if (postAdminMergeState.state === "MERGED" || postAdminMergeState.mergedAt) {
+        console.log(`Merged PR (${options.pr.repoLabel}) with admin fallback: ${options.pr.url}`);
+        return { status: "merged", url: options.pr.url };
       }
-      console.log(`Auto-merge enabled (${options.pr.repoLabel}): ${options.pr.url}`);
-      return { status: "auto-merge-enabled", url: options.pr.url };
+      throw new Error(`Admin merge command succeeded for PR ${options.pr.url} in ${options.pr.repoLabel}, but GitHub still reports it open.`);
+    }
+    const adminMergeMessage = `${adminMerge.stderr}
+${adminMerge.stdout}`.trim();
+    if (!/admin|administrator|permission|not permitted|not allowed/i.test(adminMergeMessage)) {
+      throw new Error(`Failed to admin-merge PR ${options.pr.url} in ${options.pr.repoLabel}: ${adminMergeMessage}`);
     }
-    throw new Error(`Auto-merge command succeeded for PR ${options.pr.url} in ${options.pr.repoLabel}, but GitHub did not report a merged or auto-merge-enabled state.`);
-  }
-  const autoMergeMessage = `${autoMerge.stderr}
-${autoMerge.stdout}`.trim();
-  const autoMergeUnsupported = /auto.?merge.*(not enabled|not allowed|disabled|unsupported)|enablePullRequestAutoMerge|Auto merge is not allowed/i.test(autoMergeMessage);
-  if (!autoMergeUnsupported) {
-    throw new Error(`Failed to auto-merge PR ${options.pr.url} in ${options.pr.repoLabel}: ${autoMergeMessage}`);
   }
-  runOrThrow(options.projectRoot, mergeArgs, `Failed to merge PR ${options.pr.url} in ${options.pr.repoLabel}`);
-  console.log(`Merged PR (${options.pr.repoLabel}): ${options.pr.url}`);
-  return { status: "merged", url: options.pr.url };
+  const directMergeMessage = `${directMerge.stderr}
+${directMerge.stdout}`.trim();
+  throw new Error(`Failed to merge PR ${options.pr.url} in ${options.pr.repoLabel}: ${directMergeMessage}`);
 }
 function assertPrHasNoGitConflicts(prState, repoLabel, baseRef) {
   const mergeable = prState.mergeable.toUpperCase();
@@ -6396,12 +7459,12 @@ function assertPrHasNoGitConflicts(prState, repoLabel, baseRef) {
 }
 function writePrMetadata(projectRoot, taskId, result) {
   const dir = artifactDirForId(projectRoot, taskId);
-  mkdirSync10(dir, { recursive: true });
+  mkdirSync12(dir, { recursive: true });
   const path = resolve23(dir, "pr-state.json");
   let prs = {};
   if (existsSync20(path)) {
     try {
-      const parsed = JSON.parse(readFileSync11(path, "utf-8"));
+      const parsed = JSON.parse(readFileSync12(path, "utf-8"));
       if (parsed && typeof parsed === "object" && parsed.prs && typeof parsed.prs === "object") {
         prs = parsed.prs;
       }
@@ -6417,7 +7480,7 @@ function writePrMetadata(projectRoot, taskId, result) {
     ...primary || {},
     updated_at: nowIso()
   };
-  writeFileSync10(path, `${JSON.stringify(artifact, null, 2)}
+  writeFileSync12(path, `${JSON.stringify(artifact, null, 2)}
 `, "utf-8");
 }
 function readPrMetadata(projectRoot, taskId) {
@@ -6426,7 +7489,7 @@ function readPrMetadata(projectRoot, taskId) {
     return [];
   }
   try {
-    const parsed = JSON.parse(readFileSync11(path, "utf-8"));
+    const parsed = JSON.parse(readFileSync12(path, "utf-8"));
     if (!parsed || typeof parsed !== "object") {
       return [];
     }
@@ -6493,32 +7556,19 @@ function resolveGithubCliBinary(projectRoot) {
   if (explicit) {
     candidates.add(explicit);
   }
+  for (const candidate of ["/usr/bin/gh", "/opt/homebrew/bin/gh", "/usr/local/bin/gh"]) {
+    candidates.add(candidate);
+  }
   const explicitPathEntries = (process.env.PATH || "").split(":").map((entry) => entry.trim()).filter(Boolean);
   for (const entry of explicitPathEntries) {
     candidates.add(resolve23(entry, "gh"));
   }
-  const hostProjectRoot = process.env.RIG_HOST_PROJECT_ROOT?.trim();
-  if (hostProjectRoot) {
-    candidates.add(resolve23(resolveHostRigBinDir(hostProjectRoot), "gh"));
-  }
-  candidates.add(resolve23(resolveHostRigBinDir(projectRoot), "gh"));
-  const runtimeContext = loadRuntimeContextFromEnv();
-  if (runtimeContext?.binDir) {
-    candidates.add(resolve23(runtimeContext.binDir, "gh"));
-  }
-  const runtimeHome = process.env.RIG_RUNTIME_HOME?.trim();
-  if (runtimeHome) {
-    candidates.add(resolve23(runtimeHome, "bin", "gh"));
-  }
-  for (const candidate of ["/opt/homebrew/bin/gh", "/usr/local/bin/gh", "/usr/bin/gh"]) {
-    candidates.add(candidate);
-  }
   const bunResolved = Bun.which("gh");
   if (bunResolved) {
     candidates.add(bunResolved);
   }
   for (const candidate of candidates) {
-    if (candidate && existsSync20(candidate)) {
+    if (candidate && existsSync20(candidate) && !isRuntimeGatewayGhPath(candidate)) {
       return candidate;
     }
   }
@@ -6803,14 +7853,14 @@ function readChangedFilesManifest(projectRoot, taskId) {
   if (!existsSync20(manifestPath)) {
     return [];
   }
-  const files = readFileSync11(manifestPath, "utf-8").split(/\r?\n/).map((line) => normalizeChangedFilePath2(line)).filter(Boolean);
+  const files = readFileSync12(manifestPath, "utf-8").split(/\r?\n/).map((line) => normalizeChangedFilePath2(line)).filter(Boolean);
   return [...new Set(files)];
 }
 function refreshChangedFilesManifest(projectRoot, taskId) {
   const manifestPath = resolve23(artifactDirForId(projectRoot, taskId), "changed-files.txt");
-  mkdirSync10(dirname11(manifestPath), { recursive: true });
+  mkdirSync12(dirname10(manifestPath), { recursive: true });
   const changedFiles = changedFilesForTask(projectRoot, taskId, true);
-  writeFileSync10(manifestPath, `${changedFiles.join(`
+  writeFileSync12(manifestPath, `${changedFiles.join(`
 `)}
 `, "utf-8");
   return manifestPath;
@@ -7104,7 +8154,7 @@ function loadPersistedRuntimeSecrets(runtimeRoot) {
     return {};
   }
   try {
-    const parsed = JSON.parse(readFileSync11(path, "utf-8"));
+    const parsed = JSON.parse(readFileSync12(path, "utf-8"));
     const entries = Object.entries(parsed).filter((entry) => typeof entry[1] === "string");
     return Object.fromEntries(entries);
   } catch {
@@ -7115,10 +8165,10 @@ function ensureRuntimeOpenSslConfig(runtimeHome) {
   const sslDir = resolve23(runtimeHome, ".ssl");
   const sslConfig = resolve23(sslDir, "openssl.cnf");
   if (!existsSync20(sslDir)) {
-    mkdirSync10(sslDir, { recursive: true });
+    mkdirSync12(sslDir, { recursive: true });
   }
   if (!existsSync20(sslConfig)) {
-    writeFileSync10(sslConfig, `# Rig runtime OpenSSL config placeholder
+    writeFileSync12(sslConfig, `# Rig runtime OpenSSL config placeholder
 `);
   }
   return sslConfig;
@@ -7136,7 +8186,7 @@ function resolveRuntimeMetadata(projectRoot) {
   if (contextFile) {
     return {
       ctx,
-      runtimeRoot: dirname11(resolve23(contextFile))
+      runtimeRoot: dirname10(resolve23(contextFile))
     };
   }
   const inferredContextFile = findRuntimeContextFile2(projectRoot);
@@ -7146,7 +8196,7 @@ function resolveRuntimeMetadata(projectRoot) {
     } catch {}
     return {
       ctx,
-      runtimeRoot: dirname11(inferredContextFile)
+      runtimeRoot: dirname10(inferredContextFile)
     };
   }
   return { ctx, runtimeRoot: "" };
@@ -7158,7 +8208,7 @@ function findRuntimeContextFile2(startPath) {
     if (existsSync20(candidate)) {
       return candidate;
     }
-    const parent = dirname11(current);
+    const parent = dirname10(current);
     if (parent === current) {
       return "";
     }
@@ -7207,6 +8257,7 @@ async function main() {
   }
   const paths = resolveHarnessPaths(projectRoot);
   let failed = false;
+  let sourceCloseoutAllowed = false;
   console.log(`=== Completion Verification: ${taskId} ===`);
   const scopes = await resolveTaskScopes(projectRoot, taskId);
   const taskChangedFiles = changedFilesForTask(projectRoot, taskId, true);
@@ -7245,21 +8296,12 @@ async function main() {
   const policy = loadPolicy(projectRoot);
   const openPrEnabled = policy.completion.checks.includes("open-pr");
   const autoMergeEnabled = policy.completion.checks.includes("auto-merge");
-  const eventBus = new RuntimeEventBus({ projectRoot });
-  const runtimeContext = loadRuntimeContextFromEnv() ?? undefined;
-  const plugins = await PluginManager.load({
-    projectRoot,
-    runId: eventBus.getRunId(),
-    eventBus,
-    runtimeContext
-  });
   console.log(`
 [2/3] Verifier preflight...`);
   if (!failed) {
     const localVerifyOutcome = await verifyTask({
       projectRoot,
       taskId,
-      plugins,
       skipAiReview: true,
       persistArtifacts: false
     });
@@ -7330,8 +8372,7 @@ async function main() {
 [3/3] Verifier review...`);
   const verifyOutcome = await verifyTask({
     projectRoot,
-    taskId,
-    plugins
+    taskId
   });
   if (!verifyOutcome.approved) {
     console.log("REJECT:");
@@ -7355,22 +8396,42 @@ async function main() {
       if (prs.length === 0) {
         console.log("Auto-merge: skipped (no PR metadata found)");
       } else {
-        let mergePending = false;
+        let cycle = 0;
         for (const pr of prs) {
+          cycle += 1;
+          const gate = await runStrictPrMergeGate({
+            projectRoot,
+            prUrl: pr.url,
+            taskId,
+            runId: "completion-verification",
+            cycle,
+            final: true,
+            command: async (args, options) => {
+              const result = runCapture(["gh", ...args], options?.cwd ?? projectRoot);
+              return { exitCode: result.exitCode, stdout: result.stdout, stderr: result.stderr };
+            }
+          });
+          if (!gate.approved) {
+            console.log(`FAIL: Strict merge gate blocked PR (${pr.repoLabel}): ${pr.url}`);
+            for (const reason of gate.reasons) {
+              console.log(`- ${reason}`);
+            }
+            failed = true;
+            continue;
+          }
           const mergeResult = gitMergePr({
             projectRoot,
             pr,
             method: "squash",
-            deleteBranch: true
+            deleteBranch: true,
+            strictGate: gate
           });
-          if (mergeResult.status === "auto-merge-enabled") {
-            mergePending = true;
-            console.log(`WAIT: Auto-merge enabled but PR is still open (${pr.repoLabel}): ${pr.url}`);
+          if (mergeResult.status === "merged" || mergeResult.status === "already-merged") {
+            console.log(`OK: PR merge confirmed (${pr.repoLabel}): ${pr.url}`);
           }
         }
-        if (mergePending) {
-          failed = true;
-        } else {
+        if (!failed) {
+          sourceCloseoutAllowed = true;
           console.log("OK: Auto-merge complete");
         }
       }
@@ -7384,18 +8445,22 @@ async function main() {
 [post] Auto-merge: skipped (not in policy completion.checks)`);
   }
   const artifactDir = resolve24(paths.artifactsDir, taskId);
-  mkdirSync11(artifactDir, { recursive: true });
-  writeFileSync11(resolve24(artifactDir, "review-status.txt"), failed ? `REJECTED
+  mkdirSync13(artifactDir, { recursive: true });
+  writeFileSync13(resolve24(artifactDir, "review-status.txt"), failed ? `REJECTED
 ` : `APPROVED
 `, "utf-8");
   if (!failed) {
     await recordTaskRepoCommits(projectRoot, taskId, paths);
-    const closeout = await closeCompletedTaskSource(projectRoot, taskId);
-    if (!closeout.ok) {
-      console.log(`FAIL: ${closeout.message}`);
-      failed = true;
+    if (sourceCloseoutAllowed) {
+      const closeout = await closeCompletedTaskSource(projectRoot, taskId);
+      if (!closeout.ok) {
+        console.log(`FAIL: ${closeout.message}`);
+        failed = true;
+      } else {
+        console.log(`OK: ${closeout.message}`);
+      }
     } else {
-      console.log(`OK: ${closeout.message}`);
+      console.log("Task source closeout skipped until an approved PR merge completes.");
     }
   }
   if (!failed) {
@@ -7482,7 +8547,7 @@ async function runProtoQualityGate(monorepoRoot) {
     console.log(`FAIL: Missing workflow gate file at ${workflowPath}`);
     ok = false;
   } else {
-    const workflow = readFileSync12(workflowPath, "utf-8");
+    const workflow = readFileSync13(workflowPath, "utf-8");
     if (workflow.includes("if: false && needs.detect.outputs.protos_changed == 'true'")) {
       console.log("FAIL: Proto quality CI gate is disabled in pull-request-gate.yml");
       ok = false;
@@ -7535,11 +8600,11 @@ async function recordVerifierFailure(projectRoot, taskId, paths) {
   }
   let attempts = 1;
   if (existsSync21(failedApproachesPath)) {
-    const content = readFileSync12(failedApproachesPath, "utf-8");
+    const content = readFileSync13(failedApproachesPath, "utf-8");
     attempts = (content.match(new RegExp(`^## ${escapeRegExp2(taskId)}\\b`, "gm")) || []).length + 1;
   } else {
-    mkdirSync11(resolve24(failedApproachesPath, ".."), { recursive: true });
-    writeFileSync11(failedApproachesPath, `# Failed Approaches
+    mkdirSync13(resolve24(failedApproachesPath, ".."), { recursive: true });
+    writeFileSync13(failedApproachesPath, `# Failed Approaches
 
 `, "utf-8");
   }
@@ -7577,8 +8642,8 @@ async function recordTaskRepoCommits(projectRoot, taskId, paths) {
       recorded_at: new Date().toISOString(),
       repos
     };
-    mkdirSync11(resolve24(statePath, ".."), { recursive: true });
-    writeFileSync11(statePath, `${JSON.stringify(state, null, 2)}
+    mkdirSync13(resolve24(statePath, ".."), { recursive: true });
+    writeFileSync13(statePath, `${JSON.stringify(state, null, 2)}
 `, "utf-8");
   }
 }