@neurcode/action 0.2.1

package/src/index.ts

@@ -0,0 +1,1677 @@
+import * as core from '@actions/core';
+import * as exec from '@actions/exec';
+import * as github from '@actions/github';
+import { parseCliVerifyJsonPayload } from '@neurcode-ai/contracts';
+import { existsSync, readFileSync, writeFileSync } from 'fs';
+import { join, resolve } from 'path';
+import {
+  buildVerifyArgs,
+  getVerifyFallbackDecision,
+  isMissingPlanVerificationFailure,
+} from './verify-mode';
+
+interface Violation {
+  file: string;
+  rule: string;
+  severity: string;
+  message: string;
+}
+
+interface NeurcodeVerifyResult {
+  grade: string;
+  score: number;
+  verdict: 'PASS' | 'FAIL' | 'WARN' | 'INFO';
+  violations: Violation[];
+  message: string;
+  verificationSource?: 'api' | 'local_fallback' | 'policy_only' | string;
+  tier?: string;
+  scopeGuardPassed?: boolean;
+  bloatCount?: number;
+  blastRadius?: {
+    riskScore?: 'low' | 'medium' | 'high';
+    filesChanged?: number;
+  };
+  suspiciousChange?: {
+    flagged?: boolean;
+    confidence?: 'low' | 'medium' | 'high';
+    unexpectedFiles?: string[];
+  };
+  governanceDecision?: {
+    decision?: 'allow' | 'warn' | 'manual_approval' | 'block';
+    averageRelevanceScore?: number;
+  };
+  aiChangeLog?: {
+    integrity?: {
+      valid?: boolean;
+      signed?: boolean;
+      required?: boolean;
+      issues?: string[];
+    };
+  };
+  orgGovernance?: {
+    requireSignedAiLogs?: boolean;
+    requireManualApproval?: boolean;
+    minimumManualApprovals?: number;
+  } | null;
+  policyCompilation?: {
+    fingerprint?: string;
+    deterministicRuleCount?: number;
+    unmatchedStatements?: number;
+    sourcePath?: string;
+    policyLockFingerprint?: string | null;
+  };
+  changeContract?: {
+    path?: string;
+    exists?: boolean;
+    enforced?: boolean;
+    valid?: boolean | null;
+    planId?: string | null;
+    contractId?: string | null;
+    violations?: Array<{
+      code?: string;
+      message?: string;
+    }>;
+  };
+}
+
+interface ShipSummaryResult {
+  status: 'READY_TO_MERGE' | 'BLOCKED';
+  finalPlanId: string;
+  mergeConfidence: number;
+  riskScore: number;
+  verification: {
+    verdict: string;
+    grade: string;
+    score: number;
+    violations: number;
+  };
+  tests: {
+    skipped: boolean;
+    passed: boolean;
+  };
+  artifacts?: {
+    jsonPath?: string;
+    markdownPath?: string;
+  };
+  shareCard?: {
+    id: string;
+    shareToken: string;
+    shareUrl: string;
+    createdAt: string;
+  } | null;
+}
+
+interface CommandResult {
+  exitCode: number;
+  output: string;
+}
+
+interface CliInvocation {
+  cmd: string;
+  argsPrefix: string[];
+  description: string;
+}
+
+type CliInstallSource = 'npm' | 'workspace';
+
+const ANSI_PATTERN = /\u001b\[[0-9;]*m/g;
+const NON_FAST_FORWARD_PATTERNS = [
+  'non-fast-forward',
+  '[rejected]',
+  'fetch first',
+  'would be overwritten by push',
+];
+const TRANSIENT_NETWORK_PATTERNS = [
+  'fetch failed',
+  'econnreset',
+  'etimedout',
+  'socket hang up',
+  'gateway time-out',
+  'gateway timeout',
+  '502',
+  '503',
+  '504',
+];
+const TIER_LIMITED_VERIFY_PATTERNS = [
+  'pro required for policy verification',
+  'basic file change summary',
+  'tier-limited',
+];
+const GRADE_ORDER: Record<string, number> = {
+  F: 1,
+  D: 2,
+  C: 3,
+  B: 4,
+  A: 5,
+};
+
+function stripAnsi(value: string): string {
+  return value.replace(ANSI_PATTERN, '');
+}
+
+function sleep(ms: number): Promise<void> {
+  return new Promise((resolvePromise) => setTimeout(resolvePromise, ms));
+}
+
+function parseBoolean(input: string | undefined, fallback: boolean): boolean {
+  if (input === undefined || input === null || input.trim() === '') {
+    return fallback;
+  }
+  const normalized = input.trim().toLowerCase();
+  if (['1', 'true', 'yes', 'on'].includes(normalized)) return true;
+  if (['0', 'false', 'no', 'off'].includes(normalized)) return false;
+  return fallback;
+}
+
+function parsePositiveInt(input: string | undefined, fallback: number, min: number, max: number): number {
+  const parsed = Number(input);
+  if (!Number.isFinite(parsed)) return fallback;
+  const rounded = Math.round(parsed);
+  if (rounded < min) return min;
+  if (rounded > max) return max;
+  return rounded;
+}
+
+function normalizeGrade(input: string | undefined): keyof typeof GRADE_ORDER | undefined {
+  const normalized = (input || '').trim().toUpperCase();
+  if (normalized in GRADE_ORDER) {
+    return normalized as keyof typeof GRADE_ORDER;
+  }
+  return undefined;
+}
+
+function isGradeBelowThreshold(
+  grade: string | undefined,
+  threshold: keyof typeof GRADE_ORDER
+): boolean | null {
+  const normalized = normalizeGrade(grade);
+  if (!normalized) {
+    return null;
+  }
+  return GRADE_ORDER[normalized] < GRADE_ORDER[threshold];
+}
+
+function parseCliInstallSource(input: string | undefined): CliInstallSource {
+  const normalized = (input || '').trim().toLowerCase();
+  if (normalized === 'workspace') {
+    return 'workspace';
+  }
+  return 'npm';
+}
+
+function withCommandTimeout(
+  cmd: string,
+  args: string[],
+  timeoutMinutes: number
+): {
+  cmd: string;
+  args: string[];
+  timeoutApplied: boolean;
+} {
+  if (timeoutMinutes > 0 && process.platform !== 'win32') {
+    return {
+      cmd: 'timeout',
+      args: [`${timeoutMinutes}m`, cmd, ...args],
+      timeoutApplied: true,
+    };
+  }
+  return {
+    cmd,
+    args,
+    timeoutApplied: false,
+  };
+}
+
+function hasWorkingTreeChanges(output: string): boolean {
+  return output
+    .split('\n')
+    .map((line) => line.trim())
+    .filter(Boolean).length > 0;
+}
+
+function countWorkingTreeChanges(output: string): number {
+  return output
+    .split('\n')
+    .map((line) => line.trim())
+    .filter(Boolean).length;
+}
+
+function normalizeRepoPath(path: string): string {
+  return path
+    .trim()
+    .replace(/^\.\/+/, '')
+    .replace(/^a\//, '')
+    .replace(/^b\//, '')
+    .replace(/\\/g, '/');
+}
+
+function parseChangedFiles(output: string): Set<string> {
+  const files = output
+    .split('\n')
+    .map((line) => normalizeRepoPath(line))
+    .filter(Boolean);
+  return new Set(files);
+}
+
+function collectActionableViolations(violations: Violation[], changedFiles: Set<string>): Violation[] {
+  if (changedFiles.size === 0) {
+    return [];
+  }
+  const changedList = [...changedFiles];
+  return violations.filter((violation) => {
+    const violationPath = normalizeRepoPath(violation.file || '');
+    if (!violationPath || violationPath === 'unknown') {
+      return false;
+    }
+    if (changedFiles.has(violationPath)) {
+      return true;
+    }
+    return changedList.some((changed) => violationPath.endsWith(changed));
+  });
+}
+
+function isNonFastForwardPushFailure(output: string): boolean {
+  const normalized = stripAnsi(output).toLowerCase();
+  return NON_FAST_FORWARD_PATTERNS.some((pattern) => normalized.includes(pattern));
+}
+
+function isLikelyTransientNetworkFailure(output: string): boolean {
+  const normalized = stripAnsi(output).toLowerCase();
+  return TRANSIENT_NETWORK_PATTERNS.some((pattern) => normalized.includes(pattern));
+}
+
+function isTierLimitedInfoVerifyResult(result: NeurcodeVerifyResult | null): boolean {
+  if (!result || result.verdict !== 'INFO') {
+    return false;
+  }
+  const tier = (result.tier || '').trim().toUpperCase();
+  if (tier === 'FREE') {
+    return true;
+  }
+  const message = (result.message || '').toLowerCase();
+  return TIER_LIMITED_VERIFY_PATTERNS.some((pattern) => message.includes(pattern));
+}
+
+function readJsonFile(path: string): Record<string, unknown> | null {
+  if (!existsSync(path)) return null;
+  try {
+    const parsed = JSON.parse(readFileSync(path, 'utf-8'));
+    if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) return null;
+    return parsed as Record<string, unknown>;
+  } catch {
+    return null;
+  }
+}
+
+function detectProjectOrgId(cwd: string): string | undefined {
+  const statePath = join(cwd, '.neurcode', 'config.json');
+  const state = readJsonFile(statePath);
+  const value = state?.orgId;
+  if (typeof value === 'string' && value.trim()) {
+    return value.trim();
+  }
+  return undefined;
+}
+
+function seedCiAuthFile(cwd: string, apiKey: string, preferredOrgId?: string): void {
+  const home = process.env.HOME || process.env.USERPROFILE;
+  if (!home) {
+    core.warning('Unable to seed ~/.neurcoderc (home directory not found).');
+    return;
+  }
+
+  const authPath = join(home, '.neurcoderc');
+  const existing = readJsonFile(authPath) || {};
+
+  const next: Record<string, unknown> = {
+    ...existing,
+    version: 2,
+    apiKey,
+  };
+
+  const orgId = preferredOrgId || detectProjectOrgId(cwd);
+  const apiKeysByOrgRaw = existing.apiKeysByOrg;
+  const apiKeysByOrg =
+    apiKeysByOrgRaw && typeof apiKeysByOrgRaw === 'object' && !Array.isArray(apiKeysByOrgRaw)
+      ? { ...(apiKeysByOrgRaw as Record<string, string>) }
+      : {};
+
+  if (orgId) {
+    apiKeysByOrg[orgId] = apiKey;
+    next.defaultOrgId = orgId;
+  }
+  next.apiKeysByOrg = apiKeysByOrg;
+
+  const apiUrl = process.env.NEURCODE_API_URL;
+  if (apiUrl && typeof apiUrl === 'string' && apiUrl.trim()) {
+    next.apiUrl = apiUrl.trim();
+  }
+
+  writeFileSync(authPath, `${JSON.stringify(next, null, 2)}\n`, { encoding: 'utf-8', mode: 0o600 });
+  core.info(orgId
+    ? `Seeded CI auth key for org ${orgId}`
+    : 'Seeded CI auth key for default scope');
+}
+
+function canPushToPullRequestBranch(pr: any): boolean {
+  if (!pr) return false;
+  const repoFullName = `${github.context.repo.owner}/${github.context.repo.repo}`;
+  const prHeadFullName = pr?.head?.repo?.full_name;
+  if (!prHeadFullName || prHeadFullName !== repoFullName) {
+    return false;
+  }
+  return typeof pr?.head?.ref === 'string' && pr.head.ref.length > 0;
+}
+
+function extractLastJsonObject(output: string): unknown | null {
+  const clean = stripAnsi(output).trim();
+  const end = clean.lastIndexOf('}');
+  if (end < 0) return null;
+
+  let start = clean.lastIndexOf('{', end);
+  while (start >= 0) {
+    const candidate = clean.slice(start, end + 1).trim();
+    try {
+      return JSON.parse(candidate);
+    } catch {
+      start = clean.lastIndexOf('{', start - 1);
+    }
+  }
+
+  return null;
+}
+
+function parseVerifyResult(output: string): NeurcodeVerifyResult | null {
+  const parsed = extractLastJsonObject(output);
+  if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) return null;
+
+  const value = parsed as Record<string, unknown>;
+  let validated: ReturnType<typeof parseCliVerifyJsonPayload>;
+  try {
+    validated = parseCliVerifyJsonPayload(value, 'action-verify-result');
+  } catch {
+    return null;
+  }
+
+  const rawViolations = Array.isArray(value.violations) ? value.violations : [];
+  const violations: Violation[] = rawViolations
+    .filter((entry): entry is Record<string, unknown> => !!entry && typeof entry === 'object')
+    .map((entry) => ({
+      file: typeof entry.file === 'string' ? entry.file : 'unknown',
+      rule: typeof entry.rule === 'string' ? entry.rule : 'unknown',
+      severity: typeof entry.severity === 'string' ? entry.severity : 'warn',
+      message: typeof entry.message === 'string' ? entry.message : '',
+    }));
+
+  return {
+    grade: validated.grade,
+    score: validated.score,
+    verdict: validated.verdict as NeurcodeVerifyResult['verdict'],
+    violations,
+    message: validated.message,
+    verificationSource:
+      typeof (validated as Record<string, unknown>).verificationSource === 'string'
+        ? ((validated as Record<string, unknown>).verificationSource as string)
+        : undefined,
+    tier: typeof value.tier === 'string' ? value.tier : undefined,
+    scopeGuardPassed: validated.scopeGuardPassed,
+    bloatCount: typeof value.bloatCount === 'number' ? value.bloatCount : undefined,
+    blastRadius:
+      value.blastRadius && typeof value.blastRadius === 'object' && !Array.isArray(value.blastRadius)
+        ? {
+          riskScore: typeof (value.blastRadius as Record<string, unknown>).riskScore === 'string'
+            ? ((value.blastRadius as Record<string, unknown>).riskScore as 'low' | 'medium' | 'high')
+            : undefined,
+          filesChanged: typeof (value.blastRadius as Record<string, unknown>).filesChanged === 'number'
+            ? (value.blastRadius as Record<string, unknown>).filesChanged as number
+            : undefined,
+        }
+        : undefined,
+    suspiciousChange:
+      value.suspiciousChange && typeof value.suspiciousChange === 'object' && !Array.isArray(value.suspiciousChange)
+        ? {
+          flagged: (value.suspiciousChange as Record<string, unknown>).flagged === true,
+          confidence: typeof (value.suspiciousChange as Record<string, unknown>).confidence === 'string'
+            ? ((value.suspiciousChange as Record<string, unknown>).confidence as 'low' | 'medium' | 'high')
+            : undefined,
+          unexpectedFiles: Array.isArray((value.suspiciousChange as Record<string, unknown>).unexpectedFiles)
+            ? ((value.suspiciousChange as Record<string, unknown>).unexpectedFiles as unknown[])
+              .filter((item): item is string => typeof item === 'string')
+            : undefined,
+        }
+        : undefined,
+    governanceDecision:
+      value.governanceDecision && typeof value.governanceDecision === 'object' && !Array.isArray(value.governanceDecision)
+        ? {
+          decision: typeof (value.governanceDecision as Record<string, unknown>).decision === 'string'
+            ? ((value.governanceDecision as Record<string, unknown>).decision as 'allow' | 'warn' | 'manual_approval' | 'block')
+            : undefined,
+          averageRelevanceScore: typeof (value.governanceDecision as Record<string, unknown>).averageRelevanceScore === 'number'
+            ? (value.governanceDecision as Record<string, unknown>).averageRelevanceScore as number
+            : undefined,
+        }
+        : undefined,
+    aiChangeLog:
+      value.aiChangeLog && typeof value.aiChangeLog === 'object' && !Array.isArray(value.aiChangeLog)
+        ? (() => {
+            const aiLogRaw = value.aiChangeLog as Record<string, unknown>;
+            const integrityRaw =
+              aiLogRaw.integrity && typeof aiLogRaw.integrity === 'object' && !Array.isArray(aiLogRaw.integrity)
+                ? (aiLogRaw.integrity as Record<string, unknown>)
+                : null;
+            return {
+              integrity: integrityRaw
+                ? {
+                    valid: integrityRaw.valid === true,
+                    signed: integrityRaw.signed === true,
+                    required: integrityRaw.required === true,
+                    issues: Array.isArray(integrityRaw.issues)
+                      ? integrityRaw.issues.filter((item): item is string => typeof item === 'string')
+                      : [],
+                  }
+                : undefined,
+            };
+          })()
+        : undefined,
+    orgGovernance:
+      value.orgGovernance && typeof value.orgGovernance === 'object' && !Array.isArray(value.orgGovernance)
+        ? {
+            requireSignedAiLogs: (value.orgGovernance as Record<string, unknown>).requireSignedAiLogs === true,
+            requireManualApproval: (value.orgGovernance as Record<string, unknown>).requireManualApproval === true,
+            minimumManualApprovals:
+              typeof (value.orgGovernance as Record<string, unknown>).minimumManualApprovals === 'number'
+                ? Math.max(
+                    1,
+                    Math.min(
+                      5,
+                      Math.floor((value.orgGovernance as Record<string, unknown>).minimumManualApprovals as number)
+                    )
+                  )
+                : undefined,
+          }
+        : undefined,
+    policyCompilation:
+      value.policyCompilation && typeof value.policyCompilation === 'object' && !Array.isArray(value.policyCompilation)
+        ? {
+            fingerprint:
+              typeof (value.policyCompilation as Record<string, unknown>).fingerprint === 'string'
+                ? ((value.policyCompilation as Record<string, unknown>).fingerprint as string)
+                : undefined,
+            deterministicRuleCount:
+              typeof (value.policyCompilation as Record<string, unknown>).deterministicRuleCount === 'number'
+                ? ((value.policyCompilation as Record<string, unknown>).deterministicRuleCount as number)
+                : undefined,
+            unmatchedStatements:
+              typeof (value.policyCompilation as Record<string, unknown>).unmatchedStatements === 'number'
+                ? ((value.policyCompilation as Record<string, unknown>).unmatchedStatements as number)
+                : undefined,
+            sourcePath:
+              typeof (value.policyCompilation as Record<string, unknown>).sourcePath === 'string'
+                ? ((value.policyCompilation as Record<string, unknown>).sourcePath as string)
+                : undefined,
+            policyLockFingerprint:
+              typeof (value.policyCompilation as Record<string, unknown>).policyLockFingerprint === 'string'
+                ? ((value.policyCompilation as Record<string, unknown>).policyLockFingerprint as string)
+                : null,
+          }
+        : undefined,
+    changeContract:
+      value.changeContract && typeof value.changeContract === 'object' && !Array.isArray(value.changeContract)
+        ? {
+            path:
+              typeof (value.changeContract as Record<string, unknown>).path === 'string'
+                ? ((value.changeContract as Record<string, unknown>).path as string)
+                : undefined,
+            exists:
+              typeof (value.changeContract as Record<string, unknown>).exists === 'boolean'
+                ? ((value.changeContract as Record<string, unknown>).exists as boolean)
+                : undefined,
+            enforced:
+              typeof (value.changeContract as Record<string, unknown>).enforced === 'boolean'
+                ? ((value.changeContract as Record<string, unknown>).enforced as boolean)
+                : undefined,
+            valid:
+              typeof (value.changeContract as Record<string, unknown>).valid === 'boolean'
+                ? ((value.changeContract as Record<string, unknown>).valid as boolean)
+                : null,
+            planId:
+              typeof (value.changeContract as Record<string, unknown>).planId === 'string'
+                ? ((value.changeContract as Record<string, unknown>).planId as string)
+                : null,
+            contractId:
+              typeof (value.changeContract as Record<string, unknown>).contractId === 'string'
+                ? ((value.changeContract as Record<string, unknown>).contractId as string)
+                : null,
+            violations: Array.isArray((value.changeContract as Record<string, unknown>).violations)
+              ? ((value.changeContract as Record<string, unknown>).violations as unknown[])
+                  .filter((item): item is Record<string, unknown> => !!item && typeof item === 'object')
+                  .map((item) => ({
+                    code: typeof item.code === 'string' ? item.code : undefined,
+                    message: typeof item.message === 'string' ? item.message : undefined,
+                  }))
+              : [],
+          }
+        : undefined,
+  };
+}
+
+function parseShipSummary(output: string): ShipSummaryResult | null {
+  const parsed = extractLastJsonObject(output);
+  if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) return null;
+
+  const value = parsed as Record<string, unknown>;
+  if (typeof value.status !== 'string' || typeof value.finalPlanId !== 'string') {
+    return null;
+  }
+
+  const verificationRaw = value.verification;
+  const testsRaw = value.tests;
+
+  if (!verificationRaw || typeof verificationRaw !== 'object' || Array.isArray(verificationRaw)) {
+    return null;
+  }
+  if (!testsRaw || typeof testsRaw !== 'object' || Array.isArray(testsRaw)) {
+    return null;
+  }
+
+  const verification = verificationRaw as Record<string, unknown>;
+  const tests = testsRaw as Record<string, unknown>;
+
+  const artifactsRaw = value.artifacts;
+  const artifacts = artifactsRaw && typeof artifactsRaw === 'object' && !Array.isArray(artifactsRaw)
+    ? {
+      jsonPath: typeof (artifactsRaw as Record<string, unknown>).jsonPath === 'string'
+        ? (artifactsRaw as Record<string, unknown>).jsonPath as string
+        : undefined,
+      markdownPath: typeof (artifactsRaw as Record<string, unknown>).markdownPath === 'string'
+        ? (artifactsRaw as Record<string, unknown>).markdownPath as string
+        : undefined,
+    }
+    : undefined;
+
+  const shareCardRaw = value.shareCard;
+  const shareCard = shareCardRaw && typeof shareCardRaw === 'object' && !Array.isArray(shareCardRaw)
+    ? {
+      id: String((shareCardRaw as Record<string, unknown>).id || ''),
+      shareToken: String((shareCardRaw as Record<string, unknown>).shareToken || ''),
+      shareUrl: String((shareCardRaw as Record<string, unknown>).shareUrl || ''),
+      createdAt: String((shareCardRaw as Record<string, unknown>).createdAt || ''),
+    }
+    : null;
+
+  return {
+    status: value.status as ShipSummaryResult['status'],
+    finalPlanId: value.finalPlanId,
+    mergeConfidence: typeof value.mergeConfidence === 'number' ? value.mergeConfidence : 0,
+    riskScore: typeof value.riskScore === 'number' ? value.riskScore : 0,
+    verification: {
+      verdict: typeof verification.verdict === 'string' ? verification.verdict : 'UNKNOWN',
+      grade: typeof verification.grade === 'string' ? verification.grade : 'N/A',
+      score: typeof verification.score === 'number' ? verification.score : 0,
+      violations: typeof verification.violations === 'number' ? verification.violations : 0,
+    },
+    tests: {
+      skipped: tests.skipped === true,
+      passed: tests.passed === true,
+    },
+    artifacts,
+    shareCard,
+  };
+}
+
+async function runCommand(
+  cmd: string,
+  args: string[],
+  options: {
+    cwd: string;
+    env?: Record<string, string>;
+  }
+): Promise<CommandResult> {
+  let output = '';
+  const safeEnv: Record<string, string> = {};
+  for (const [key, value] of Object.entries(process.env)) {
+    if (typeof value === 'string') {
+      safeEnv[key] = value;
+    }
+  }
+  if (options.env) {
+    Object.assign(safeEnv, options.env);
+  }
+
+  const execOptions: exec.ExecOptions = {
+    cwd: options.cwd,
+    ignoreReturnCode: true,
+    env: safeEnv,
+    listeners: {
+      stdout: (data: Buffer) => {
+        output += data.toString();
+      },
+      stderr: (data: Buffer) => {
+        output += data.toString();
+      },
+    },
+  };
+
+  try {
+    const exitCode = await exec.exec(cmd, args, execOptions);
+    return { exitCode, output };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return {
+      exitCode: 127,
+      output: `${output}${message ? `${message}\n` : ''}`,
+    };
+  }
+}
+
+async function maybeCommitAndPushRemediation(input: {
+  cwd: string;
+  pr: any;
+  baselineDirty: boolean;
+  enabled: boolean;
+  pushEnabled: boolean;
+  pushRetries: number;
+  pushRetryDelaySeconds: number;
+  commitMessage: string;
+  gitUserName: string;
+  gitUserEmail: string;
+}): Promise<{
+  committed: boolean;
+  pushed: boolean;
+  commitSha?: string;
+  message: string;
+}> {
+  if (!input.enabled) {
+    return { committed: false, pushed: false, message: 'Remediation commit disabled' };
+  }
+
+  if (!canPushToPullRequestBranch(input.pr)) {
+    return {
+      committed: false,
+      pushed: false,
+      message: 'Skipped remediation commit (not a same-repo pull request branch)',
+    };
+  }
+
+  const statusBefore = await runCommand('git', ['status', '--porcelain'], { cwd: input.cwd });
+  if (statusBefore.exitCode !== 0) {
+    return {
+      committed: false,
+      pushed: false,
+      message: 'Skipped remediation commit (failed to inspect git status)',
+    };
+  }
+  if (!hasWorkingTreeChanges(statusBefore.output)) {
+    return {
+      committed: false,
+      pushed: false,
+      message: 'No remediation changes to commit',
+    };
+  }
+  if (input.baselineDirty) {
+    return {
+      committed: false,
+      pushed: false,
+      message:
+        `Skipped remediation commit because working tree was already dirty before remediation ` +
+        `(${countWorkingTreeChanges(statusBefore.output)} path(s) currently changed).`,
+    };
+  }
+
+  await runCommand('git', ['config', 'user.name', input.gitUserName], { cwd: input.cwd });
+  await runCommand('git', ['config', 'user.email', input.gitUserEmail], { cwd: input.cwd });
+
+  const addResult = await runCommand('git', ['add', '-A'], { cwd: input.cwd });
+  if (addResult.exitCode !== 0) {
+    return {
+      committed: false,
+      pushed: false,
+      message: 'Failed to stage remediation changes',
+    };
+  }
+
+  const commitResult = await runCommand('git', ['commit', '-m', input.commitMessage], { cwd: input.cwd });
+  if (commitResult.exitCode !== 0) {
+    const statusAfter = await runCommand('git', ['status', '--porcelain'], { cwd: input.cwd });
+    if (!hasWorkingTreeChanges(statusAfter.output)) {
+      return {
+        committed: false,
+        pushed: false,
+        message: 'No commit created (nothing new to commit)',
+      };
+    }
+    return {
+      committed: false,
+      pushed: false,
+      message: 'Failed to create remediation commit',
+    };
+  }
+
+  const shaResult = await runCommand('git', ['rev-parse', 'HEAD'], { cwd: input.cwd });
+  const commitSha = shaResult.exitCode === 0 ? stripAnsi(shaResult.output).trim() : undefined;
+
+  if (!input.pushEnabled) {
+    return {
+      committed: true,
+      pushed: false,
+      commitSha,
+      message: 'Remediation commit created locally (push disabled)',
+    };
+  }
+
+  const targetRef = input.pr.head.ref;
+  const maxAttempts = Math.max(1, input.pushRetries + 1);
+  let pushOutput = '';
+  let rebaseFailed = false;
+  for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
+    const pushResult = await runCommand('git', ['push', 'origin', `HEAD:${targetRef}`], { cwd: input.cwd });
+    pushOutput = pushResult.output;
+    if (pushResult.exitCode === 0) {
+      return {
+        committed: true,
+        pushed: true,
+        commitSha,
+        message: `Remediation commit pushed to ${targetRef}`,
+      };
+    }
+
+    const canRetry = isNonFastForwardPushFailure(pushResult.output) && attempt < maxAttempts;
+    if (!canRetry) {
+      break;
+    }
+
+    core.warning(
+      `Remediation push hit non-fast-forward (attempt ${attempt}/${maxAttempts}). Rebasing onto origin/${targetRef} and retrying...`
+    );
+    const fetchResult = await runCommand('git', ['fetch', 'origin', targetRef], { cwd: input.cwd });
+    if (fetchResult.exitCode !== 0) {
+      pushOutput += `\n${fetchResult.output}`;
+      break;
+    }
+
+    const rebaseResult = await runCommand('git', ['rebase', `origin/${targetRef}`], { cwd: input.cwd });
+    if (rebaseResult.exitCode !== 0) {
+      rebaseFailed = true;
+      pushOutput += `\n${rebaseResult.output}`;
+      await runCommand('git', ['rebase', '--abort'], { cwd: input.cwd });
+      break;
+    }
+
+    if (input.pushRetryDelaySeconds > 0) {
+      await sleep(input.pushRetryDelaySeconds * 1000);
+    }
+  }
+
+  const reason = rebaseFailed
+    ? 'rebase conflict while retrying non-fast-forward push'
+    : isNonFastForwardPushFailure(pushOutput)
+      ? `non-fast-forward after ${maxAttempts} attempt(s)`
+      : 'push failed';
+  const detail = stripAnsi(pushOutput).trim().split('\n').slice(-3).join(' | ');
+  return {
+    committed: true,
+    pushed: false,
+    commitSha,
+    message: detail
+      ? `Remediation commit created, but ${reason}: ${detail}`
+      : `Remediation commit created, but ${reason}`,
+  };
+}
+
+async function ensureCliInstalled(input: {
+  version: string;
+  cwd: string;
+  source: CliInstallSource;
+  workspacePath: string;
+}): Promise<CliInvocation> {
+  const existing = await resolveCliInvocation(input.cwd);
+  if (existing) {
+    core.info(`Using existing neurcode CLI (${existing.description})`);
+    return existing;
+  }
+
+  let install: CommandResult;
+  if (input.source === 'workspace') {
+    const workspaceCliPath = resolve(process.cwd(), input.workspacePath || 'packages/cli');
+    if (!existsSync(join(workspaceCliPath, 'package.json'))) {
+      throw new Error(
+        `Workspace CLI source selected, but package.json not found at: ${workspaceCliPath}`
+      );
+    }
+    core.info(`Installing workspace CLI from ${workspaceCliPath}...`);
+    install = await runCommand('npm', ['install', '-g', workspaceCliPath], { cwd: input.cwd });
+  } else {
+    core.info(`Installing @neurcode-ai/cli@${input.version}...`);
+    install = await runCommand('npm', ['install', '-g', `@neurcode-ai/cli@${input.version}`], { cwd: input.cwd });
+  }
+  if (install.exitCode !== 0) {
+    throw new Error(
+      input.source === 'workspace'
+        ? 'Failed to install workspace Neurcode CLI'
+        : `Failed to install @neurcode-ai/cli@${input.version}`
+    );
+  }
+
+  let installed = await resolveCliInvocation(input.cwd);
+  if (installed) {
+    core.info(`Installed neurcode CLI (${installed.description})`);
+    return installed;
+  }
+
+  if (input.source === 'workspace') {
+    core.warning(
+      'Workspace CLI install succeeded but executable was not discoverable. Falling back to npm registry install.'
+    );
+    const fallbackInstall = await runCommand('npm', ['install', '-g', `@neurcode-ai/cli@${input.version}`], {
+      cwd: input.cwd,
+    });
+    if (fallbackInstall.exitCode !== 0) {
+      throw new Error(
+        `Failed to install fallback @neurcode-ai/cli@${input.version}: ${stripAnsi(fallbackInstall.output).trim()}`
+      );
+    }
+    installed = await resolveCliInvocation(input.cwd);
+    if (installed) {
+      core.info(`Installed fallback neurcode CLI (${installed.description})`);
+      return installed;
+    }
+  }
+
+  const sourceLabel = input.source === 'workspace' ? 'workspace + npm fallback' : 'npm';
+  throw new Error(`Neurcode CLI is not available after install flow (${sourceLabel}).`);
+}
+
+function withCliCommandTimeout(
+  cli: CliInvocation,
+  args: string[],
+  timeoutMinutes: number
+): {
+  cmd: string;
+  args: string[];
+  timeoutApplied: boolean;
+} {
+  return withCommandTimeout(cli.cmd, [...cli.argsPrefix, ...args], timeoutMinutes);
+}
+
+async function resolveCliInvocation(cwd: string): Promise<CliInvocation | null> {
+  const direct = await runCommand('neurcode', ['--version'], { cwd });
+  if (direct.exitCode === 0) {
+    return {
+      cmd: 'neurcode',
+      argsPrefix: [],
+      description: `neurcode (${stripAnsi(direct.output).trim()})`,
+    };
+  }
+
+  const prefixResult = await runCommand('npm', ['config', 'get', 'prefix'], { cwd });
+  if (prefixResult.exitCode === 0) {
+    const npmPrefix = stripAnsi(prefixResult.output).trim();
+    if (npmPrefix) {
+      const binDir = process.platform === 'win32' ? npmPrefix : resolve(npmPrefix, 'bin');
+      core.addPath(binDir);
+
+      const fromPath = await runCommand('neurcode', ['--version'], { cwd });
+      if (fromPath.exitCode === 0) {
+        return {
+          cmd: 'neurcode',
+          argsPrefix: [],
+          description: `neurcode via PATH (${stripAnsi(fromPath.output).trim()})`,
+        };
+      }
+
+      const binCandidates = process.platform === 'win32'
+        ? [join(npmPrefix, 'neurcode.cmd'), join(npmPrefix, 'neurcode')]
+        : [join(npmPrefix, 'bin', 'neurcode')];
+
+      for (const binPath of binCandidates) {
+        if (!existsSync(binPath)) continue;
+        const absoluteProbe = await runCommand(binPath, ['--version'], { cwd });
+        if (absoluteProbe.exitCode === 0) {
+          return {
+            cmd: binPath,
+            argsPrefix: [],
+            description: `${binPath} (${stripAnsi(absoluteProbe.output).trim()})`,
+          };
+        }
+      }
+    }
+  }
+
+  const globalRoot = await runCommand('npm', ['root', '-g'], { cwd });
+  if (globalRoot.exitCode === 0) {
+    const rootPath = stripAnsi(globalRoot.output).trim();
+    const distEntry = join(rootPath, '@neurcode-ai', 'cli', 'dist', 'index.js');
+    if (existsSync(distEntry)) {
+      const nodeProbe = await runCommand('node', [distEntry, '--version'], { cwd });
+      if (nodeProbe.exitCode === 0) {
+        return {
+          cmd: 'node',
+          argsPrefix: [distEntry],
+          description: `node ${distEntry} (${stripAnsi(nodeProbe.output).trim()})`,
+        };
+      }
+    }
+  }
+
+  return null;
+}
+
+
+function buildRemediationGoal(
+  explicitGoal: string,
+  verifyResult: NeurcodeVerifyResult | null,
+  prTitle?: string
+): string {
+  if (explicitGoal.trim()) {
+    return explicitGoal.trim();
+  }
+
+  const violations = verifyResult?.violations || [];
+  const topViolations = violations.slice(0, 5)
+    .map((v) => `${v.file} [${v.severity}] ${v.rule}${v.message ? `: ${v.message}` : ''}`)
+    .join('; ');
+
+  const titlePart = prTitle ? ` for PR: ${prTitle}` : '';
+  if (topViolations) {
+    return `Apply minimal safe fixes${titlePart} so neurcode verify passes. Focus on: ${topViolations}`;
+  }
+
+  return `Apply minimal safe fixes${titlePart} so neurcode verify passes and merge confidence is READY_TO_MERGE.`;
+}
+
+function buildShipArgs(input: {
+  goal: string;
+  projectId?: string;
+  maxAttempts: number;
+  skipTests: boolean;
+  allowDirty: boolean;
+  shipTestCommand?: string;
+  record: boolean;
+  publishMergeCard: boolean;
+}): string[] {
+  const args = [
+    'ship',
+    input.goal,
+    '--json',
+    '--max-fix-attempts',
+    String(input.maxAttempts),
+  ];
+
+  if (input.projectId) args.push('--project-id', input.projectId);
+  if (input.skipTests) args.push('--skip-tests');
+  if (input.allowDirty) args.push('--allow-dirty');
+  if (input.shipTestCommand && input.shipTestCommand.trim()) {
+    args.push('--test-command', input.shipTestCommand.trim());
+  }
+  if (!input.record) args.push('--no-record');
+  if (!input.publishMergeCard) args.push('--no-publish-card');
+
+  return args;
+}
+
+function generateMarkdown(
+  verifyResult: NeurcodeVerifyResult | null,
+  remediation: ShipSummaryResult | null,
+  remediationCommit?: {
+    committed: boolean;
+    pushed: boolean;
+    commitSha?: string;
+    message: string;
+  } | null
+): string {
+  if (!verifyResult) {
+    return [
+      '### ⚠️ Neurcode Gatekeeper',
+      '',
+      'Neurcode ran, but JSON output could not be parsed reliably.',
+      'Check workflow logs for full details.',
+    ].join('\n');
+  }
+
+  const isPass = verifyResult.verdict === 'PASS' || (
+    verifyResult.verdict === 'INFO' && !isTierLimitedInfoVerifyResult(verifyResult)
+  );
+  const icon = isPass ? '✅' : '❌';
+
+  const lines: string[] = [
+    `### ${icon} Neurcode Gatekeeper: ${verifyResult.verdict}`,
+    '',
+    `**Score:** \`${verifyResult.score}/100\` | **Grade:** \`${verifyResult.grade}\``,
+  ];
+
+  if (verifyResult.message) {
+    lines.push(`> ${verifyResult.message}`);
+  }
+  if (verifyResult.tier) {
+    lines.push(`- Verification tier: \`${verifyResult.tier}\``);
+  }
+  if (isTierLimitedInfoVerifyResult(verifyResult)) {
+    lines.push('- ⚠️ Tier-limited verification: governance policy checks were not fully evaluated.');
+  }
+  if (verifyResult.policyCompilation?.fingerprint) {
+    lines.push(
+      `- Policy compilation: \`${verifyResult.policyCompilation.fingerprint.slice(0, 12)}\` (${verifyResult.policyCompilation.deterministicRuleCount || 0} deterministic rules)`
+    );
+  }
+  if (verifyResult.changeContract?.exists) {
+    const contractState =
+      verifyResult.changeContract.valid === true
+        ? 'valid'
+        : verifyResult.changeContract.valid === false
+          ? 'drift_detected'
+          : 'not_evaluated';
+    lines.push(`- Change contract: **${contractState}**${verifyResult.changeContract.enforced ? ' (enforced)' : ''}`);
+    if ((verifyResult.changeContract.violations || []).length > 0) {
+      lines.push(`- Change contract violations: ${(verifyResult.changeContract.violations || []).length}`);
+    }
+  }
+
+  if (verifyResult.scopeGuardPassed === false) {
+    lines.push('', '**⚠️ Scope Violation:** Changes detected outside the approved plan.');
+  }
+
+  if (verifyResult.violations.length > 0) {
+    lines.push('', '### 🚨 Policy Violations', '', '| Severity | File | Message |', '| :--- | :--- | :--- |');
+    for (const v of verifyResult.violations.slice(0, 15)) {
+      const sevIcon = v.severity === 'block' ? '🔴' : '🟡';
+      lines.push(`| ${sevIcon} **${v.severity}** | \`${v.file}\` | ${v.message || v.rule} |`);
+    }
+    if (verifyResult.violations.length > 15) {
+      lines.push(`| … | … | ${verifyResult.violations.length - 15} more violation(s) omitted |`);
+    }
+  }
+
+  if (remediation) {
+    const remIcon = remediation.status === 'READY_TO_MERGE' ? '🛠️✅' : '🛠️⚠️';
+    lines.push('', `### ${remIcon} Auto-Remediation`);
+    lines.push(`- Result: **${remediation.status}**`);
+    lines.push(`- Final plan: \`${remediation.finalPlanId}\``);
+    lines.push(`- Merge confidence: **${remediation.mergeConfidence}/100**`);
+    lines.push(`- Risk score: **${remediation.riskScore}/100**`);
+    lines.push(`- Verification after remediation: **${remediation.verification.verdict}** (${remediation.verification.grade}, score ${remediation.verification.score})`);
+    lines.push(`- Tests: **${remediation.tests.passed ? 'PASS' : 'FAIL'}**${remediation.tests.skipped ? ' (skipped)' : ''}`);
+
+    if (remediation.shareCard?.shareUrl) {
+      lines.push(`- Share card: [Open merge confidence card](${remediation.shareCard.shareUrl})`);
+    }
+  }
+
+  if (remediationCommit) {
+    lines.push('', '### 🧾 Remediation Commit');
+    lines.push(`- ${remediationCommit.message}`);
+    if (remediationCommit.commitSha) {
+      lines.push(`- Commit: \`${remediationCommit.commitSha}\``);
+    }
+  }
+
+  lines.push('', '---', '[View Full Report in Dashboard](https://dashboard.neurcode.com)');
+  return lines.join('\n');
+}
+
+async function postComment(
+  token: string,
+  prNumber: number,
+  verifyResult: NeurcodeVerifyResult | null,
+  remediation: ShipSummaryResult | null,
+  remediationCommit?: {
+    committed: boolean;
+    pushed: boolean;
+    commitSha?: string;
+    message: string;
+  } | null
+): Promise<void> {
+  const octokit = github.getOctokit(token);
+  const body = generateMarkdown(verifyResult, remediation, remediationCommit);
+
+  const { data: comments } = await octokit.rest.issues.listComments({
+    ...github.context.repo,
+    issue_number: prNumber,
+  });
+
+  const botComment = comments.find((comment) => comment.body?.includes('Neurcode Gatekeeper'));
+
+  if (botComment) {
+    await octokit.rest.issues.updateComment({
+      ...github.context.repo,
+      comment_id: botComment.id,
+      body,
+    });
+  } else {
+    await octokit.rest.issues.createComment({
+      ...github.context.repo,
+      issue_number: prNumber,
+      body,
+    });
+  }
+}
+
+async function run(): Promise<void> {
+  try {
+    const thresholdInput = core.getInput('threshold');
+    const parsedThreshold = normalizeGrade(thresholdInput);
+    const threshold = parsedThreshold || 'C';
+    if (thresholdInput && !parsedThreshold) {
+      core.warning(`Invalid threshold "${thresholdInput}" provided; defaulting to "C".`);
+    }
+    const apiKey = core.getInput('api_key') || core.getInput('api-key') || process.env.NEURCODE_API_KEY;
+    const githubToken = core.getInput('github_token') || process.env.GITHUB_TOKEN;
+    const failOnViolation = parseBoolean(core.getInput('fail_on_violation'), true);
+    const planId = core.getInput('plan_id') || core.getInput('plan-id');
+    const projectId = core.getInput('project_id') || core.getInput('project-id');
+    const orgId = core.getInput('org_id') || core.getInput('org-id') || process.env.NEURCODE_ORG_ID || '';
+    const baseRefInput = core.getInput('base_ref') || '';
+    const workingDirectory = core.getInput('working_directory') || '.';
+    const record = parseBoolean(core.getInput('record'), true);
+    const cliVersion = core.getInput('neurcode_cli_version') || 'latest';
+    const cliInstallSource = parseCliInstallSource(core.getInput('neurcode_cli_source'));
+    const cliWorkspacePath = core.getInput('neurcode_cli_workspace_path') || 'packages/cli';
+    const verifyTimeoutMinutes = parsePositiveInt(core.getInput('verify_timeout_minutes'), 8, 1, 120);
+    const verifyPolicyOnly = parseBoolean(core.getInput('verify_policy_only'), false);
+    const compiledPolicyPath = (core.getInput('compiled_policy_path') || 'neurcode.policy.compiled.json').trim();
+    const changeContractPath = (core.getInput('change_contract_path') || '.neurcode/change-contract.json').trim();
+    const enforceChangeContract = parseBoolean(core.getInput('enforce_change_contract'), false);
+    const changedFilesOnly = parseBoolean(core.getInput('changed_files_only'), false);
+
+    const autoRemediate = parseBoolean(core.getInput('auto_remediate'), false);
+    const remediationGoalInput = core.getInput('remediation_goal') || '';
+    const remediationMaxAttempts = parsePositiveInt(core.getInput('remediation_max_attempts'), 2, 1, 5);
+    const remediationSkipTests = parseBoolean(core.getInput('remediation_skip_tests'), true);
+    const remediationAllowDirty = parseBoolean(core.getInput('remediation_allow_dirty'), true);
+    const publishMergeCard = parseBoolean(core.getInput('publish_merge_card'), true);
+    const shipTestCommand = core.getInput('ship_test_command') || '';
+    const shipTimeoutMinutes = parsePositiveInt(core.getInput('ship_timeout_minutes'), 20, 1, 180);
+    const shipNetworkRetries = parsePositiveInt(core.getInput('ship_network_retries'), 1, 0, 3);
+    const shipNetworkRetryDelaySeconds = parsePositiveInt(
+      core.getInput('ship_network_retry_delay_seconds'),
+      5,
+      0,
+      30
+    );
+    const remediationCommit = parseBoolean(core.getInput('remediation_commit'), false);
+    const remediationPush = parseBoolean(core.getInput('remediation_push'), false);
+    const enforceStrictVerification = parseBoolean(core.getInput('enforce_strict_verification'), false);
+    const verifyAfterRemediation = parseBoolean(core.getInput('verify_after_remediation'), true);
+    const verifyAfterRemediationTimeoutMinutes = parsePositiveInt(
+      core.getInput('verify_after_remediation_timeout_minutes'),
+      verifyTimeoutMinutes,
+      1,
+      120
+    );
+    const requireRemediationPushSuccess = parseBoolean(core.getInput('require_remediation_push_success'), false);
+    const remediationPushRetries = parsePositiveInt(core.getInput('remediation_push_retries'), 2, 0, 5);
+    const remediationPushRetryDelaySeconds = parsePositiveInt(
+      core.getInput('remediation_push_retry_delay_seconds'),
+      2,
+      0,
+      30
+    );
+    const remediationCommitMessage =
+      core.getInput('remediation_commit_message') || 'chore(neurcode): auto-remediate verify failures';
+    const remediationGitUserName = core.getInput('remediation_git_user_name') || 'neurcode-bot';
+    const remediationGitUserEmail =
+      core.getInput('remediation_git_user_email') || 'neurcode-bot@users.noreply.github.com';
+
+    const cwd = resolve(process.cwd(), workingDirectory);
+
+    if (remediationPush && !remediationCommit) {
+      throw new Error('Invalid action configuration: remediation_push=true requires remediation_commit=true.');
+    }
+    if (requireRemediationPushSuccess && !remediationPush) {
+      throw new Error(
+        'Invalid action configuration: require_remediation_push_success=true requires remediation_push=true.'
+      );
+    }
+
+    if (!apiKey) {
+      core.warning('No Neurcode API key provided. Neurcode may fail if auth is required.');
+    } else {
+      seedCiAuthFile(cwd, apiKey, orgId || undefined);
+    }
+
+    const cliInvocation = await ensureCliInstalled({
+      version: cliVersion,
+      cwd,
+      source: cliInstallSource,
+      workspacePath: cliWorkspacePath,
+    });
+
+    const pr = github.context.payload.pull_request;
+    const defaultBaseRef = pr ? `origin/${pr.base.ref}` : 'HEAD~1';
+    const baseRef = baseRefInput.trim() || defaultBaseRef;
+    core.info(pr
+      ? `Running verify in PR context against ${baseRef}`
+      : `Running verify in push context against ${baseRef}`);
+    core.info(`Verification mode: ${verifyPolicyOnly ? 'policy-only' : 'plan-aware'}`);
+
+    let changedFiles = new Set<string>();
+    if (changedFilesOnly) {
+      const changedFilesRun = await runCommand('git', ['diff', '--name-only', `${baseRef}...HEAD`], { cwd });
+      if (changedFilesRun.exitCode === 0) {
+        changedFiles = parseChangedFiles(changedFilesRun.output);
+        core.info(`Changed-files-only mode: detected ${changedFiles.size} changed file(s).`);
+      } else {
+        core.warning('Changed-files-only mode enabled, but changed files could not be resolved. Falling back to full set.');
+      }
+    }
+
+    let effectiveVerifyPolicyOnly = verifyPolicyOnly;
+    const hasExplicitPlanId = Boolean(planId && planId.trim());
+    let policyOnlyFallbackUsed = false;
+    let fallbackFailureHint: string | null = null;
+    let verifyArgs = buildVerifyArgs({
+      baseRef,
+      planId: planId || undefined,
+      projectId: projectId || undefined,
+      policyOnly: effectiveVerifyPolicyOnly,
+      record,
+      compiledPolicyPath: compiledPolicyPath || undefined,
+      changeContractPath: changeContractPath || undefined,
+      enforceChangeContract,
+    });
+
+    let verifyCommand = withCliCommandTimeout(cliInvocation, verifyArgs, verifyTimeoutMinutes);
+    let verifyRun = await runCommand(verifyCommand.cmd, verifyCommand.args, {
+      cwd,
+      env: apiKey ? { NEURCODE_API_KEY: apiKey } : undefined,
+    });
+    if (verifyCommand.timeoutApplied && verifyRun.exitCode === 124) {
+      core.setFailed(`Neurcode verify timed out after ${verifyTimeoutMinutes} minute(s).`);
+      return;
+    }
+
+    const fallbackDecision = getVerifyFallbackDecision({
+      verifyExitCode: verifyRun.exitCode,
+      policyOnlyRequested: effectiveVerifyPolicyOnly,
+      hasExplicitPlanId,
+      verifyOutput: verifyRun.output,
+    });
+
+    // Safety fallback: if plan-aware verify fails only because plan context is missing,
+    // rerun in policy-only mode to match expected enterprise fallback behavior.
+    if (fallbackDecision.shouldRetryPolicyOnly) {
+      core.warning(
+        'Plan-aware verification failed due to missing plan context. Retrying with --policy-only fallback.'
+      );
+      policyOnlyFallbackUsed = true;
+      effectiveVerifyPolicyOnly = true;
+      verifyArgs = buildVerifyArgs({
+        baseRef,
+        projectId: projectId || undefined,
+        planId: undefined,
+        policyOnly: true,
+        record,
+        compiledPolicyPath: compiledPolicyPath || undefined,
+        changeContractPath: changeContractPath || undefined,
+        enforceChangeContract,
+      });
+      verifyCommand = withCliCommandTimeout(cliInvocation, verifyArgs, verifyTimeoutMinutes);
+      verifyRun = await runCommand(verifyCommand.cmd, verifyCommand.args, {
+        cwd,
+        env: apiKey ? { NEURCODE_API_KEY: apiKey } : undefined,
+      });
+      if (verifyCommand.timeoutApplied && verifyRun.exitCode === 124) {
+        core.setFailed(`Neurcode verify timed out after ${verifyTimeoutMinutes} minute(s).`);
+        return;
+      }
+      if (verifyRun.exitCode !== 0) {
+        fallbackFailureHint =
+          'Plan context was unavailable, and policy-only fallback verification also failed. Review policy violations in the action logs.';
+      }
+    } else if (
+      verifyRun.exitCode !== 0 &&
+      fallbackDecision.reason === 'explicit_plan_id' &&
+      isMissingPlanVerificationFailure(verifyRun.output)
+    ) {
+      fallbackFailureHint =
+        'Plan-aware verification failed because the provided plan_id could not be validated for this repository scope.';
+    }
+
+    let remediation: ShipSummaryResult | null = null;
+    let remediationCommitResult: {
+      committed: boolean;
+      pushed: boolean;
+      commitSha?: string;
+      message: string;
+    } | null = null;
+    let baselineDirty = false;
+    let finalExitCode = verifyRun.exitCode;
+    let failureReason: string | null = fallbackFailureHint;
+    let actionableViolations: Violation[] = [];
+    let actionableBlockViolations: Violation[] = [];
+
+    let verifyResult = parseVerifyResult(verifyRun.output);
+    if (!verifyResult) {
+      core.warning('Unable to parse JSON result from neurcode verify output.');
+    }
+    if (changedFilesOnly && verifyResult && changedFiles.size > 0) {
+      actionableViolations = collectActionableViolations(verifyResult.violations, changedFiles);
+      actionableBlockViolations = actionableViolations.filter(
+        (violation) => violation.severity.toLowerCase() === 'block'
+      );
+      core.info(
+        `Actionable violations in changed files: ${actionableViolations.length} total, ` +
+        `${actionableBlockViolations.length} block.`
+      );
+      if (finalExitCode !== 0 && actionableBlockViolations.length === 0) {
+        core.info(
+          'No BLOCK violations found in changed files; treating baseline-only violations as non-blocking.'
+        );
+        finalExitCode = 0;
+        failureReason = null;
+      }
+    }
+    if (enforceStrictVerification && isTierLimitedInfoVerifyResult(verifyResult)) {
+      core.warning('Strict verification is enabled: tier-limited INFO verify result is treated as failure.');
+      finalExitCode = verifyRun.exitCode === 0 ? 2 : verifyRun.exitCode;
+      failureReason = 'Strict verification requires full governance evaluation; received tier-limited INFO result.';
+    }
+
+    if (finalExitCode !== 0 && autoRemediate) {
+      const baselineStatus = await runCommand('git', ['status', '--porcelain'], { cwd });
+      if (baselineStatus.exitCode === 0) {
+        baselineDirty = hasWorkingTreeChanges(baselineStatus.output);
+        if (baselineDirty) {
+          core.warning(
+            `Working tree has ${countWorkingTreeChanges(baselineStatus.output)} pre-existing change(s) before remediation; ` +
+            'remediation commit push will be skipped for safety.'
+          );
+        }
+      } else {
+        core.warning('Unable to inspect baseline git status before remediation.');
+      }
+
+      const remediationGoal = buildRemediationGoal(
+        remediationGoalInput,
+        verifyResult,
+        pr?.title
+      );
+
+      core.info(`Auto-remediation enabled. Running neurcode ship with goal: ${remediationGoal}`);
+
+      const shipArgs = buildShipArgs({
+        goal: remediationGoal,
+        projectId: projectId || undefined,
+        maxAttempts: remediationMaxAttempts,
+        skipTests: remediationSkipTests,
+        allowDirty: remediationAllowDirty,
+        shipTestCommand,
+        record,
+        publishMergeCard,
+      });
+
+      const shipCommand = withCliCommandTimeout(cliInvocation, shipArgs, shipTimeoutMinutes);
+      const maxShipAttempts = Math.max(1, shipNetworkRetries + 1);
+      let shipRun: CommandResult = { exitCode: 1, output: '' };
+      for (let attempt = 1; attempt <= maxShipAttempts; attempt += 1) {
+        shipRun = await runCommand(shipCommand.cmd, shipCommand.args, {
+          cwd,
+          env: apiKey ? { NEURCODE_API_KEY: apiKey } : undefined,
+        });
+        if (shipCommand.timeoutApplied && shipRun.exitCode === 124) {
+          core.warning(`Auto-remediation timed out after ${shipTimeoutMinutes} minute(s).`);
+        }
+        if (shipRun.exitCode === 0) {
+          break;
+        }
+
+        const canRetry =
+          attempt < maxShipAttempts &&
+          shipRun.exitCode !== 124 &&
+          isLikelyTransientNetworkFailure(shipRun.output);
+        if (!canRetry) {
+          break;
+        }
+
+        core.warning(
+          `Auto-remediation failed with a transient network error (attempt ${attempt}/${maxShipAttempts}); retrying...`
+        );
+        if (shipNetworkRetryDelaySeconds > 0) {
+          await sleep(shipNetworkRetryDelaySeconds * 1000);
+        }
+      }
+
+      remediation = parseShipSummary(shipRun.output);
+      if (!remediation) {
+        core.warning('Auto-remediation finished but ship JSON output could not be parsed.');
+      } else {
+        core.info(`Auto-remediation result: ${remediation.status} (confidence=${remediation.mergeConfidence})`);
+      }
+
+      if (remediation?.status === 'READY_TO_MERGE') {
+        finalExitCode = 0;
+      } else {
+        finalExitCode = shipRun.exitCode;
+      }
+
+      if (remediation?.status === 'READY_TO_MERGE') {
+        if (verifyAfterRemediation) {
+          const postVerifyCommand = withCliCommandTimeout(
+            cliInvocation,
+            verifyArgs,
+            verifyAfterRemediationTimeoutMinutes
+          );
+          const postVerifyRun = await runCommand(postVerifyCommand.cmd, postVerifyCommand.args, {
+            cwd,
+            env: apiKey ? { NEURCODE_API_KEY: apiKey } : undefined,
+          });
+          if (postVerifyCommand.timeoutApplied && postVerifyRun.exitCode === 124) {
+            core.warning(
+              `Post-remediation verify timed out after ${verifyAfterRemediationTimeoutMinutes} minute(s).`
+            );
+            finalExitCode = 124;
+          } else {
+            finalExitCode = postVerifyRun.exitCode;
+          }
+          const postVerifyResult = parseVerifyResult(postVerifyRun.output);
+          if (!postVerifyResult) {
+            core.warning('Post-remediation verify JSON output could not be parsed.');
+            if (enforceStrictVerification) {
+              finalExitCode = finalExitCode === 0 ? 2 : finalExitCode;
+              failureReason = 'Post-remediation verify output was not parseable under strict verification mode.';
+            }
+          } else {
+            verifyResult = postVerifyResult;
+          }
+          if (enforceStrictVerification && isTierLimitedInfoVerifyResult(verifyResult)) {
+            core.warning(
+              'Strict verification is enabled: post-remediation verify is tier-limited INFO and is treated as failure.'
+            );
+            finalExitCode = finalExitCode === 0 ? 2 : finalExitCode;
+            failureReason =
+              'Strict verification requires full governance evaluation; post-remediation verify is tier-limited INFO.';
+          }
+        }
+
+        const remediationVerificationPassed = finalExitCode === 0;
+        if (remediationCommit && remediationVerificationPassed) {
+          remediationCommitResult = await maybeCommitAndPushRemediation({
+            cwd,
+            pr,
+            baselineDirty,
+            enabled: remediationCommit,
+            pushEnabled: remediationPush,
+            pushRetries: remediationPushRetries,
+            pushRetryDelaySeconds: remediationPushRetryDelaySeconds,
+            commitMessage: remediationCommitMessage,
+            gitUserName: remediationGitUserName,
+            gitUserEmail: remediationGitUserEmail,
+          });
+          core.info(remediationCommitResult.message);
+          if (requireRemediationPushSuccess && remediationPush && !remediationCommitResult.pushed) {
+            core.warning('remediation_push is required to succeed, but remediation commit push did not complete.');
+            finalExitCode = finalExitCode === 0 ? 3 : finalExitCode;
+            failureReason = 'Auto-remediation produced changes but failed to push remediation commit to PR branch.';
+          }
+        } else if (remediationCommit && !remediationVerificationPassed) {
+          remediationCommitResult = {
+            committed: false,
+            pushed: false,
+            message: 'Skipped remediation commit because post-remediation verification did not pass.',
+          };
+          core.info(remediationCommitResult.message);
+        }
+      } else if (remediationCommit) {
+        remediationCommitResult = {
+          committed: false,
+          pushed: false,
+          message: 'Skipped remediation commit because remediation did not reach READY_TO_MERGE',
+        };
+      }
+    }
+
+    if (githubToken && pr) {
+      await postComment(githubToken, pr.number, verifyResult, remediation, remediationCommitResult);
+    }
+
+    if (verifyResult) {
+      core.setOutput('verdict', verifyResult.verdict);
+      core.setOutput('grade', verifyResult.grade);
+      core.setOutput('score', verifyResult.score);
+      core.setOutput('violations', verifyResult.violations.length);
+      if (verifyResult.verificationSource) {
+        core.setOutput('verification_source', verifyResult.verificationSource);
+      }
+      if (verifyResult.tier) {
+        core.setOutput('verification_tier', verifyResult.tier);
+      }
+      core.setOutput('tier_limited', isTierLimitedInfoVerifyResult(verifyResult) ? 'true' : 'false');
+      if (verifyResult.blastRadius?.riskScore) {
+        core.setOutput('risk_level', verifyResult.blastRadius.riskScore);
+      }
+      if (verifyResult.suspiciousChange) {
+        core.setOutput('suspicious_change_flagged', verifyResult.suspiciousChange.flagged ? 'true' : 'false');
+        core.setOutput(
+          'suspicious_change_confidence',
+          verifyResult.suspiciousChange.confidence || 'unknown'
+        );
+      }
+      if (verifyResult.governanceDecision?.decision) {
+        core.setOutput('governance_decision', verifyResult.governanceDecision.decision);
+      }
+      if (typeof verifyResult.governanceDecision?.averageRelevanceScore === 'number') {
+        core.setOutput(
+          'average_relevance_score',
+          verifyResult.governanceDecision.averageRelevanceScore.toString()
+        );
+      }
+      if (verifyResult.aiChangeLog?.integrity) {
+        core.setOutput(
+          'ai_change_log_integrity_valid',
+          verifyResult.aiChangeLog.integrity.valid === true ? 'true' : 'false'
+        );
+        core.setOutput(
+          'ai_change_log_signed',
+          verifyResult.aiChangeLog.integrity.signed === true ? 'true' : 'false'
+        );
+      }
+      if (verifyResult.orgGovernance) {
+        core.setOutput(
+          'org_manual_approval_required',
+          verifyResult.orgGovernance.requireManualApproval === true ? 'true' : 'false'
+        );
+        if (typeof verifyResult.orgGovernance.minimumManualApprovals === 'number') {
+          core.setOutput(
+            'org_minimum_manual_approvals',
+            verifyResult.orgGovernance.minimumManualApprovals.toString()
+          );
+        }
+      }
+      if (verifyResult.policyCompilation?.fingerprint) {
+        core.setOutput('policy_compilation_fingerprint', verifyResult.policyCompilation.fingerprint);
+      }
+      if (typeof verifyResult.policyCompilation?.deterministicRuleCount === 'number') {
+        core.setOutput(
+          'policy_compilation_rule_count',
+          verifyResult.policyCompilation.deterministicRuleCount.toString()
+        );
+      }
+      if (verifyResult.changeContract?.exists !== undefined) {
+        core.setOutput(
+          'change_contract_exists',
+          verifyResult.changeContract.exists === true ? 'true' : 'false'
+        );
+      }
+      if (verifyResult.changeContract?.valid !== undefined && verifyResult.changeContract.valid !== null) {
+        core.setOutput(
+          'change_contract_valid',
+          verifyResult.changeContract.valid === true ? 'true' : 'false'
+        );
+      }
+      if (verifyResult.changeContract?.enforced !== undefined) {
+        core.setOutput(
+          'change_contract_enforced',
+          verifyResult.changeContract.enforced === true ? 'true' : 'false'
+        );
+      }
+      if (verifyResult.changeContract?.contractId) {
+        core.setOutput('change_contract_id', verifyResult.changeContract.contractId);
+      }
+      const thresholdCheck = isGradeBelowThreshold(verifyResult.grade, threshold);
+      core.setOutput('threshold', threshold);
+      core.setOutput(
+        'threshold_passed',
+        thresholdCheck === null ? 'unknown' : (thresholdCheck ? 'false' : 'true')
+      );
+      if (changedFilesOnly) {
+        core.setOutput('changed_files_only', 'true');
+        core.setOutput('changed_files_count', String(changedFiles.size));
+        core.setOutput('actionable_violations', String(actionableViolations.length));
+        core.setOutput('actionable_block_violations', String(actionableBlockViolations.length));
+      }
+    }
+    const verifyModeOutput = effectiveVerifyPolicyOnly
+      ? policyOnlyFallbackUsed
+        ? 'policy_only_fallback'
+        : 'policy_only'
+      : hasExplicitPlanId
+        ? 'plan_enforced_explicit'
+        : 'plan_aware';
+    core.setOutput('verify_mode', verifyModeOutput);
+    core.setOutput('policy_only_fallback_used', policyOnlyFallbackUsed ? 'true' : 'false');
+
+    if (remediation) {
+      core.setOutput('remediation_status', remediation.status);
+      core.setOutput('merge_confidence', remediation.mergeConfidence);
+      if (remediation.shareCard?.shareUrl) {
+        core.setOutput('share_card_url', remediation.shareCard.shareUrl);
+      }
+    }
+    if (remediationCommitResult) {
+      core.setOutput('remediation_commit_created', remediationCommitResult.committed ? 'true' : 'false');
+      core.setOutput('remediation_commit_pushed', remediationCommitResult.pushed ? 'true' : 'false');
+      if (remediationCommitResult.commitSha) {
+        core.setOutput('remediation_commit_sha', remediationCommitResult.commitSha);
+      }
+    }
+
+    if (verifyResult && failOnViolation && !changedFilesOnly) {
+      const thresholdCheck = isGradeBelowThreshold(verifyResult.grade, threshold);
+      if (thresholdCheck === true) {
+        finalExitCode = finalExitCode === 0 ? 4 : finalExitCode;
+        failureReason = failureReason || `Verification grade ${verifyResult.grade} is below threshold ${threshold}.`;
+      } else if (thresholdCheck === null) {
+        core.warning(
+          `Verification grade "${verifyResult.grade}" is not comparable to threshold ${threshold}; ` +
+          'threshold check skipped.'
+        );
+      }
+    }
+
+    if (finalExitCode !== 0 && failOnViolation) {
+      if (failureReason) {
+        core.setFailed(failureReason);
+      } else {
+        const verdict = verifyResult?.verdict || 'FAIL';
+        core.setFailed(`Neurcode verification failed with verdict: ${verdict}`);
+      }
+    }
+  } catch (error) {
+    if (error instanceof Error) {
+      core.setFailed(error.message);
+    } else {
+      core.setFailed('Unknown Neurcode Action failure');
+    }
+  }
+}
+
+run();