@pushpalsdev/cli 1.0.41 → 1.0.43

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pushpalsdev/cli",
-  "version": "1.0.41",
+  "version": "1.0.43",
   "description": "PushPals terminal CLI for LocalBuddy -> RemoteBuddy orchestration",
   "license": "MIT",
   "repository": {

package/runtime/prompts/review_agent/merge_conflict_instruction.md

@@ -1,4 +1,5 @@
 Resolve merge conflicts for PR #{{pr_number}} ({{pr_url}}) on branch {{pr_head_ref}}.
 This PR already passed ReviewAgent ({{review_score}}/10) but GitHub reports it is not mergeable due to conflicts.
 Rebase {{pr_head_ref}} onto {{pr_base_ref}}, resolve all conflicts, keep intended behavior, run relevant tests, and push updates to the same branch.
+If the worker sandbox already prepared an isolated branch or in-progress rebase state, use that current repo state as authoritative instead of re-deriving branch topology.
 Do not create a new PR; update only the existing PR branch.

package/runtime/prompts/workerpals/openai_codex_task_execute_system_prompt.md

@@ -6,6 +6,7 @@ Non-negotiable runtime invariants:
 - Do not modify tests or production code to bypass, stub, or remove Codex CLI usage due to assumed environment limitations.
 - Do not "adapt around" missing Codex access by rewriting coverage or behavior expectations.
 - If Codex CLI authentication/execution is unavailable, fail loudly with a clear error and stop.
+- When worker guidance provides exact repo/branch/conflict state, treat that prepared sandbox state as authoritative and start from the current checkout instead of re-discovering topology.
 
 Execution rules:
 

package/runtime/sandbox/apps/workerpals/src/execute_job.ts

@@ -3,7 +3,7 @@
  * Used by both the host Worker (direct mode) and the Docker job runner.
  */
 
-import { readFileSync, unlinkSync } from "fs";
+import { existsSync, readFileSync, unlinkSync } from "fs";
 import { resolve } from "path";
 import {
   deriveAutonomyComponentArea,
@@ -26,6 +26,7 @@ import {
 export { compactJobOutput, truncate, streamLines } from "./common/execution_utils.js";
 export { extractClarificationQuestionFromOutput } from "./backends/openhands_task_execute.js";
 import { getBackendTaskExecutor } from "./backends/task_execute_registry.js";
+import { extractMergeConflictReviewContext } from "./merge_conflict_job.js";
 
 const DEFAULT_CONFIG = loadPushPalsConfig();
 
@@ -80,6 +81,23 @@ interface CriticReview {
   raw: string;
 }
 
+export interface ReviewFixContext {
+  resolutionType: "review_fix";
+  prHeadRef: string | null;
+  prBaseRef: string | null;
+  previousReviewScore: number | null;
+  reviewThreshold: number | null;
+  previousReviewSummary: string;
+  reviewerFindings: string[];
+}
+
+export interface QualityGatePolicy {
+  mode: "default" | "review_fix";
+  maxAutoRevisions: number;
+  softPassOnExhausted: boolean;
+  criticMinScore: number;
+}
+
 // ─── Utilities ───────────────────────────────────────────────────────────────
 
 export function shouldCommit(
@@ -223,6 +241,102 @@ export function resolveReviewNoChangeCompletionBranch(
   return resolved.overridden ? resolved.branch : null;
 }
 
+function toFiniteReviewScore(value: unknown): number | null {
+  const parsed = Number(value);
+  if (!Number.isFinite(parsed)) return null;
+  return Math.max(0, Math.min(10, parsed));
+}
+
+function toNonEmptyReviewStringArray(value: unknown, limit: number = 8): string[] {
+  if (!Array.isArray(value)) return [];
+  return value
+    .map((entry) => String(entry ?? "").trim())
+    .filter(Boolean)
+    .slice(0, limit);
+}
+
+export function extractReviewFixContext(
+  params: Record<string, unknown> | null | undefined,
+): ReviewFixContext | null {
+  if (!params || typeof params !== "object" || Array.isArray(params)) return null;
+  const reviewAgent =
+    params.reviewAgent &&
+    typeof params.reviewAgent === "object" &&
+    !Array.isArray(params.reviewAgent)
+      ? (params.reviewAgent as Record<string, unknown>)
+      : null;
+  if (!reviewAgent) return null;
+  const resolutionType = String(reviewAgent.resolutionType ?? "")
+    .trim()
+    .toLowerCase();
+  if (resolutionType === "merge_conflict") return null;
+  const looksLikeLegacyReviewFix =
+    typeof reviewAgent.prHeadRef === "string" ||
+    typeof reviewAgent.previousReviewSummary === "string" ||
+    Number.isFinite(Number(reviewAgent.previousReviewScore)) ||
+    Array.isArray(reviewAgent.reviewerFindings);
+  if (resolutionType && resolutionType !== "review_fix") return null;
+  if (!resolutionType && !looksLikeLegacyReviewFix) return null;
+  return {
+    resolutionType: "review_fix",
+    prHeadRef: typeof reviewAgent.prHeadRef === "string" ? reviewAgent.prHeadRef.trim() || null : null,
+    prBaseRef: typeof reviewAgent.prBaseRef === "string" ? reviewAgent.prBaseRef.trim() || null : null,
+    previousReviewScore: toFiniteReviewScore(reviewAgent.previousReviewScore),
+    reviewThreshold: toFiniteReviewScore(reviewAgent.reviewThreshold),
+    previousReviewSummary: String(reviewAgent.previousReviewSummary ?? "").trim(),
+    reviewerFindings: toNonEmptyReviewStringArray(reviewAgent.reviewerFindings),
+  };
+}
+
+export function shouldEnqueueNoChangeReviewCompletion(
+  params: Record<string, unknown> | null | undefined,
+): boolean {
+  return extractReviewFixContext(params) == null;
+}
+
+export function deriveQualityGatePolicy(
+  params: Record<string, unknown> | null | undefined,
+  runtimeConfig: WorkerpalsRuntimeConfig = DEFAULT_CONFIG,
+): QualityGatePolicy {
+  const baseMaxAutoRevisions = Math.max(
+    0,
+    Math.min(
+      10,
+      Number.isFinite(Number(runtimeConfig.workerpals.qualityMaxAutoRevisions))
+        ? Math.floor(Number(runtimeConfig.workerpals.qualityMaxAutoRevisions))
+        : 4,
+    ),
+  );
+  const baseSoftPassOnExhausted =
+    typeof runtimeConfig.workerpals.qualitySoftPassOnExhausted === "boolean"
+      ? runtimeConfig.workerpals.qualitySoftPassOnExhausted
+      : true;
+  const baseCriticMinScore = (() => {
+    const value = Number(runtimeConfig.workerpals.qualityCriticMinScore);
+    if (!Number.isFinite(value)) return 8;
+    return Math.max(0, Math.min(10, value));
+  })();
+  const reviewFix = extractReviewFixContext(params);
+  if (!reviewFix) {
+    return {
+      mode: "default",
+      maxAutoRevisions: baseMaxAutoRevisions,
+      softPassOnExhausted: baseSoftPassOnExhausted,
+      criticMinScore: baseCriticMinScore,
+    };
+  }
+  const tightenedCriticMinScore =
+    reviewFix.reviewThreshold != null
+      ? Math.max(baseCriticMinScore, Math.max(0, Math.min(10, reviewFix.reviewThreshold - 0.2)))
+      : baseCriticMinScore;
+  return {
+    mode: "review_fix",
+    maxAutoRevisions: Math.max(baseMaxAutoRevisions, 2),
+    softPassOnExhausted: false,
+    criticMinScore: tightenedCriticMinScore,
+  };
+}
+
 function normalizeChatCompletionsEndpoint(endpoint: string): string {
   const source = endpoint.trim().replace(/\/+$/, "");
   if (!source) return "http://127.0.0.1:1234/v1/chat/completions";
@@ -907,13 +1021,39 @@ async function runTaskCriticReview(
   }
 }
 
-function buildQualityRevisionHint(
+export function buildQualityRevisionHint(
   issues: string[],
   critic: CriticReview | null,
   planning: TaskExecutePlanning,
+  reviewFixContext?: ReviewFixContext | null,
 ): string {
   const lines: string[] = [];
   lines.push("Quality revision required before completion.");
+  if (reviewFixContext) {
+    lines.push("Rejected PR retry requirements:");
+    if (reviewFixContext.previousReviewScore != null) {
+      lines.push(
+        `Previous ReviewAgent score: ${reviewFixContext.previousReviewScore.toFixed(1)} / 10`,
+      );
+    }
+    if (reviewFixContext.reviewThreshold != null) {
+      lines.push(
+        `Required approval threshold: ${reviewFixContext.reviewThreshold.toFixed(1)} / 10`,
+      );
+    }
+    if (reviewFixContext.previousReviewSummary) {
+      lines.push(
+        `Previous reviewer summary: ${toSingleLine(reviewFixContext.previousReviewSummary, 220)}`,
+      );
+    }
+    if (reviewFixContext.reviewerFindings.length > 0) {
+      lines.push("Previous reviewer must-fix items:");
+      for (const finding of reviewFixContext.reviewerFindings.slice(0, 5)) {
+        lines.push(`- ${finding}`);
+      }
+    }
+    lines.push("Raise the score above the approval threshold without reopening already accepted behavior.");
+  }
   if (issues.length > 0) {
     lines.push("Deterministic quality issues:");
     for (const issue of issues) lines.push(`- ${issue}`);
@@ -1200,6 +1340,9 @@ export async function createJobCommit(
     defaultPublicBranchName,
   );
   const publicBranchName = resolvedPublicBranch.branch;
+  if (extractMergeConflictReviewContext(job.params ?? null)) {
+    return createMergeConflictJobCommit(repo, workerId, job, publicBranchName, runtimeConfig);
+  }
   const requirePush = runtimeConfig.workerpals.requirePush || resolvedPublicBranch.overridden;
   const pushAgentBranch =
     requirePush || runtimeConfig.workerpals.pushAgentBranch || resolvedPublicBranch.overridden;
@@ -1865,6 +2008,220 @@ async function currentRefSha(repo: string, ref: string): Promise<string | null>
   return result.stdout.trim() || null;
 }
 
+async function currentBranchName(repo: string): Promise<string | null> {
+  const result = await git(repo, ["symbolic-ref", "--quiet", "--short", "HEAD"]);
+  if (!result.ok) return null;
+  return result.stdout.trim() || null;
+}
+
+async function gitDirPath(repo: string): Promise<string | null> {
+  const result = await git(repo, ["rev-parse", "--git-dir"]);
+  if (!result.ok) return null;
+  const gitDir = result.stdout.trim();
+  if (!gitDir) return null;
+  return resolve(repo, gitDir);
+}
+
+async function activeGitOperation(repo: string): Promise<"rebase" | "merge" | "cherry-pick" | null> {
+  const gitDir = await gitDirPath(repo);
+  if (!gitDir) return null;
+  if (existsSync(resolve(gitDir, "rebase-merge")) || existsSync(resolve(gitDir, "rebase-apply"))) {
+    return "rebase";
+  }
+  if (existsSync(resolve(gitDir, "MERGE_HEAD"))) return "merge";
+  if (existsSync(resolve(gitDir, "CHERRY_PICK_HEAD"))) return "cherry-pick";
+  return null;
+}
+
+async function isAncestorRef(repo: string, ancestor: string, descendant: string): Promise<boolean> {
+  const result = await git(repo, ["merge-base", "--is-ancestor", ancestor, descendant]);
+  return result.ok;
+}
+
+async function refreshMergeConflictTrackingRefs(
+  repo: string,
+  publicBranchName: string,
+  baseBranchName: string,
+): Promise<{ ok: true } | { ok: false; error: string }> {
+  const refspecs = [
+    `+refs/heads/${publicBranchName}:refs/remotes/origin/${publicBranchName}`,
+    `+refs/heads/${baseBranchName}:refs/remotes/origin/${baseBranchName}`,
+  ];
+  const fetch = await git(repo, ["fetch", "--quiet", "origin", ...new Set(refspecs)]);
+  if (!fetch.ok) {
+    return {
+      ok: false,
+      error: `Failed to refresh merge-conflict refs for ${publicBranchName}: ${redactSensitiveText(fetch.stderr || fetch.stdout)}`,
+    };
+  }
+  return { ok: true };
+}
+
+async function createMergeConflictJobCommit(
+  repo: string,
+  workerId: string,
+  job: {
+    id: string;
+    taskId: string;
+    kind: string;
+    params?: Record<string, unknown>;
+  },
+  publicBranchName: string,
+  runtimeConfig: WorkerpalsRuntimeConfig,
+): Promise<{ ok: boolean; branch?: string; sha?: string; error?: string }> {
+  const mergeConflictContext = extractMergeConflictReviewContext(job.params ?? null);
+  if (!mergeConflictContext) {
+    return { ok: false, error: "Merge-conflict context is missing required branch metadata." };
+  }
+
+  const sequencer = await activeGitOperation(repo);
+  if (sequencer) {
+    return {
+      ok: false,
+      error: `Merge-conflict job ${job.id} left a git ${sequencer} in progress. Finish the ${sequencer} before returning control to WorkerPals.`,
+    };
+  }
+
+  const refreshed = await refreshMergeConflictTrackingRefs(
+    repo,
+    publicBranchName,
+    mergeConflictContext.baseBranch,
+  );
+  if (!refreshed.ok) return refreshed;
+
+  const currentBranch = await currentBranchName(repo);
+  if (!currentBranch) {
+    return {
+      ok: false,
+      error: `Merge-conflict job ${job.id} must finish on a local branch inside the isolated sandbox, but HEAD is detached.`,
+    };
+  }
+
+  const remoteHeadSha = await currentRefSha(repo, `refs/remotes/origin/${publicBranchName}`);
+  if (
+    mergeConflictContext.expectedHeadSha &&
+    remoteHeadSha &&
+    remoteHeadSha !== mergeConflictContext.expectedHeadSha
+  ) {
+    return {
+      ok: false,
+      error:
+        `origin/${publicBranchName} moved from expected ${mergeConflictContext.expectedHeadSha.slice(0, 8)} ` +
+        `to ${remoteHeadSha.slice(0, 8)} while the job was running. Requeue on the newer branch head instead of overwriting it.`,
+    };
+  }
+
+  let result: { ok: boolean; stdout: string; stderr: string };
+  const stageArgs = buildStageCommand(job.kind, job.params);
+  if (!stageArgs) {
+    return {
+      ok: false,
+      error: `Unable to determine files to stage for merge-conflict job kind: ${job.kind}`,
+    };
+  }
+  result = await git(repo, stageArgs);
+  if (!result.ok) {
+    const stageErr = result.stderr || result.stdout;
+    if (
+      /pathspec .* did not match any files/i.test(stageErr) ||
+      /invalid path/i.test(stageErr) ||
+      /outside repository/i.test(stageErr)
+    ) {
+      console.warn(
+        `[WorkerPals] Stage target invalid/missing for merge-conflict job ${job.id}; retrying with fallback "git add -A".`,
+      );
+      result = await git(repo, [
+        "add",
+        "-A",
+        "--",
+        ".",
+        ":(exclude)workspace/**",
+        ":(exclude)outputs/**",
+      ]);
+    }
+    if (!result.ok) {
+      return { ok: false, error: `Failed to stage merge-conflict changes: ${result.stderr || result.stdout}` };
+    }
+  }
+
+  const cachedDiffQuiet = await git(repo, ["diff", "--cached", "--quiet"]);
+  let headSha = await currentRefSha(repo, "HEAD");
+  if (!headSha) {
+    return { ok: false, error: `Failed to resolve HEAD SHA for merge-conflict job ${job.id}.` };
+  }
+
+  if (!cachedDiffQuiet.ok) {
+    const cachedDiff = await git(repo, ["diff", "--cached"]);
+    const diff = cachedDiff.ok ? cachedDiff.stdout : "";
+    const cachedNameOnly = await git(repo, ["diff", "--cached", "--name-only"]);
+    const changedPaths = cachedNameOnly.ok
+      ? parseChangedPathsFromNameOnlyOutput(cachedNameOnly.stdout)
+      : [];
+    const jobPlanning = job.params?.planning as Record<string, unknown> | undefined;
+    const jobValidationSteps = toNonEmptyStringArray(
+      jobPlanning?.validationSteps ?? job.params?.validationSteps,
+    );
+    const llmCommitMsg = await generateCommitMessageFromDiff(
+      diff,
+      {
+        instruction: String(job.params?.instruction ?? ""),
+        type: normalizeCommitType(job.kind, job.params),
+        area: inferCommitArea(job.kind, job.params, changedPaths),
+        validationSteps: jobValidationSteps,
+      },
+      repo,
+      runtimeConfig,
+    ).catch(() => null);
+    if (!llmCommitMsg) {
+      console.warn(
+        `[WorkerPals] Commit message generator unavailable for merge-conflict job ${job.id}; using deterministic fallback.`,
+      );
+    }
+    const commitMsg = llmCommitMsg ?? buildWorkerCommitMessage(workerId, job, changedPaths);
+    const commit = await git(repo, ["commit", "-m", commitMsg]);
+    if (!commit.ok) {
+      return { ok: false, error: `Failed to commit merge-conflict resolution: ${commit.stderr}` };
+    }
+    headSha = await currentRefSha(repo, "HEAD");
+    if (!headSha) {
+      return { ok: false, error: `Failed to resolve committed HEAD SHA for merge-conflict job ${job.id}.` };
+    }
+  }
+
+  const baseRemoteRef = `refs/remotes/origin/${mergeConflictContext.baseBranch}`;
+  const rebasedOntoBase = await isAncestorRef(repo, baseRemoteRef, "HEAD");
+  if (!rebasedOntoBase) {
+    return {
+      ok: false,
+      error:
+        `Merge-conflict job ${job.id} did not finish rebased onto origin/${mergeConflictContext.baseBranch}. ` +
+        `Current branch ${currentBranch} must be a descendant of ${baseRemoteRef} before WorkerPals will push it.`,
+    };
+  }
+
+  if (remoteHeadSha && remoteHeadSha === headSha) {
+    return { ok: true, branch: publicBranchName, sha: headSha };
+  }
+
+  const pushArgs = [
+    "push",
+    mergeConflictContext.expectedHeadSha
+      ? `--force-with-lease=refs/heads/${publicBranchName}:${mergeConflictContext.expectedHeadSha}`
+      : "--force-with-lease",
+    "origin",
+    `HEAD:refs/heads/${publicBranchName}`,
+  ];
+  const push = await git(repo, pushArgs);
+  if (!push.ok) {
+    return {
+      ok: false,
+      error: `Failed to push rebased merge-conflict branch ${publicBranchName}: ${redactSensitiveText(push.stderr || push.stdout)}`,
+    };
+  }
+
+  return { ok: true, branch: publicBranchName, sha: headSha };
+}
+
 async function autoResolveRebaseConflicts(
   repo: string,
   maxPasses = 8,
@@ -2983,29 +3340,30 @@ export async function executeJob(
   };
   const executionBudgetMs = Number(planning.executionBudgetMs);
   const finalizationBudgetMs = Number(planning.finalizationBudgetMs);
-  const qualityMaxAutoRevisions = Math.max(
-    0,
-    Math.min(
-      10,
-      Number.isFinite(Number(runtimeConfig.workerpals.qualityMaxAutoRevisions))
-        ? Math.floor(Number(runtimeConfig.workerpals.qualityMaxAutoRevisions))
-        : 4,
-    ),
-  );
-  const qualitySoftPassOnExhausted =
-    typeof runtimeConfig.workerpals.qualitySoftPassOnExhausted === "boolean"
-      ? runtimeConfig.workerpals.qualitySoftPassOnExhausted
-      : true;
-  const qualityCriticMinScore = (() => {
-    const value = Number(runtimeConfig.workerpals.qualityCriticMinScore);
-    if (!Number.isFinite(value)) return 8;
-    return Math.max(0, Math.min(10, value));
-  })();
+  const reviewFixContext = extractReviewFixContext(normalizedParams);
+  const qualityGatePolicy = deriveQualityGatePolicy(normalizedParams, runtimeConfig);
+  const qualityMaxAutoRevisions = qualityGatePolicy.maxAutoRevisions;
+  const qualitySoftPassOnExhausted = qualityGatePolicy.softPassOnExhausted;
+  const qualityCriticMinScore = qualityGatePolicy.criticMinScore;
 
   onLog?.(
     "stdout",
     `[QualityGate] Policy: max_auto_revisions=${qualityMaxAutoRevisions}, soft_pass_on_exhausted=${qualitySoftPassOnExhausted ? "true" : "false"}, critic_min_score=${qualityCriticMinScore}`,
   );
+  if (qualityGatePolicy.mode === "review_fix") {
+    const priorScore =
+      reviewFixContext?.previousReviewScore != null
+        ? reviewFixContext.previousReviewScore.toFixed(1)
+        : "unknown";
+    const threshold =
+      reviewFixContext?.reviewThreshold != null
+        ? reviewFixContext.reviewThreshold.toFixed(1)
+        : qualityCriticMinScore.toFixed(1);
+    onLog?.(
+      "stdout",
+      `[QualityGate] review_fix override active: prior_score=${priorScore}, target_threshold=${threshold}, soft_pass_on_exhausted=false.`,
+    );
+  }
 
   let revisionAttempt = 0;
   let revisionHint = "";
@@ -3102,7 +3460,7 @@ export async function executeJob(
     }
 
     revisionAttempt += 1;
-    revisionHint = buildQualityRevisionHint(issues, critic, planning);
+    revisionHint = buildQualityRevisionHint(issues, critic, planning, reviewFixContext);
     onLog?.(
       "stderr",
       `[QualityGate] Quality gate requested revision ${revisionAttempt}/${qualityMaxAutoRevisions}: ${toSingleLine(

package/runtime/sandbox/apps/workerpals/src/job_runner.ts

@@ -18,6 +18,11 @@
 import { executeJob, shouldCommit, createJobCommit } from "./execute_job.js";
 import { loadPushPalsConfig } from "shared";
 import { writeFileSync } from "fs";
+import {
+  applyMergeConflictExecutionHints,
+  isMergeConflictResolutionParams,
+  prepareMergeConflictTaskRepo,
+} from "./merge_conflict_job.js";
 
 const CONFIG = loadPushPalsConfig();
 
@@ -125,69 +130,91 @@ async function main(): Promise<void> {
   // Setup git credentials for pushing
   setupGitCredentials();
   // Execute inside the mounted job worktree (docker -w), not the baked image copy.
-  const jobRepo = process.cwd();
-  const result = await executeJob(
-    spec.kind,
-    spec.params,
-    jobRepo,
-    (stream, line) => {
-      log(stream, line);
-    },
-    CONFIG,
-  );
-  // Build result object
-  const jobResult: JobResult = {
-    ok: result.ok,
-    summary: result.summary,
-    stdout: result.stdout,
-    stderr: result.stderr,
-    exitCode: result.exitCode,
-  };
-  // Create commit for file-modifying jobs
-  if (result.ok && shouldCommit(spec.kind, CONFIG)) {
-    log("stdout", `[JobRunner] Job modified files, creating commit...`);
-    const commitResult = await createJobCommit(
+  const mountedJobRepo = process.cwd();
+  let jobRepo = mountedJobRepo;
+  let cleanupJobRepo: (() => void) | null = null;
+  let effectiveParams = spec.params;
+  try {
+    if (isMergeConflictResolutionParams(spec.params)) {
+      const prepared = await prepareMergeConflictTaskRepo(
+        mountedJobRepo,
+        spec.jobId,
+        spec.params,
+        log,
+      );
+      jobRepo = prepared.repoPath;
+      cleanupJobRepo = prepared.cleanup;
+      effectiveParams = applyMergeConflictExecutionHints(spec.params, prepared);
+      log(
+        "stdout",
+        `[JobRunner] Merge-conflict job ${spec.jobId} is running in isolated sandbox repo ${jobRepo}`,
+      );
+    }
+    const result = await executeJob(
+      spec.kind,
+      effectiveParams,
       jobRepo,
-      spec.workerId,
-      {
-        id: spec.jobId,
-        taskId: spec.taskId,
-        kind: spec.kind,
-        params: spec.params,
-        context: "docker",
+      (stream, line) => {
+        log(stream, line);
       },
       CONFIG,
     );
-
-    if (commitResult.ok && commitResult.sha && commitResult.branch) {
-      jobResult.commit = {
-        branch: commitResult.branch!,
-        sha: commitResult.sha,
-      };
-      if (commitResult.sha === "no-changes") {
-        log("stdout", `[JobRunner] No changes to commit for ${spec.jobId}`);
+    // Build result object
+    const jobResult: JobResult = {
+      ok: result.ok,
+      summary: result.summary,
+      stdout: result.stdout,
+      stderr: result.stderr,
+      exitCode: result.exitCode,
+    };
+    // Create commit for file-modifying jobs
+    if (result.ok && shouldCommit(spec.kind, CONFIG)) {
+      log("stdout", `[JobRunner] Job modified files, creating commit...`);
+      const commitResult = await createJobCommit(
+        jobRepo,
+        spec.workerId,
+        {
+          id: spec.jobId,
+          taskId: spec.taskId,
+          kind: spec.kind,
+          params: effectiveParams,
+          context: "docker",
+        },
+        CONFIG,
+      );
+
+      if (commitResult.ok && commitResult.sha && commitResult.branch) {
+        jobResult.commit = {
+          branch: commitResult.branch!,
+          sha: commitResult.sha,
+        };
+        if (commitResult.sha === "no-changes") {
+          log("stdout", `[JobRunner] No changes to commit for ${spec.jobId}`);
+        } else {
+          log("stdout", `[JobRunner] Created commit ${commitResult.sha} on ${commitResult.branch}`);
+        }
       } else {
-        log("stdout", `[JobRunner] Created commit ${commitResult.sha} on ${commitResult.branch}`);
+        const commitError =
+          commitResult.error ??
+          `Commit metadata missing for ${spec.kind} (${spec.jobId}) while running in Docker mode`;
+        jobResult.ok = false;
+        jobResult.summary = `Failed to create commit for ${spec.kind}`;
+        jobResult.stderr = [jobResult.stderr, commitError].filter(Boolean).join("\n");
+        jobResult.exitCode = jobResult.exitCode && jobResult.exitCode !== 0 ? jobResult.exitCode : 1;
+        log("stderr", `[JobRunner] Failed to create commit: ${commitError}`);
       }
-    } else {
-      const commitError =
-        commitResult.error ??
-        `Commit metadata missing for ${spec.kind} (${spec.jobId}) while running in Docker mode`;
-      jobResult.ok = false;
-      jobResult.summary = `Failed to create commit for ${spec.kind}`;
-      jobResult.stderr = [jobResult.stderr, commitError].filter(Boolean).join("\n");
-      jobResult.exitCode = jobResult.exitCode && jobResult.exitCode !== 0 ? jobResult.exitCode : 1;
-      log("stderr", `[JobRunner] Failed to create commit: ${commitError}`);
     }
-  }
 
-  // Output result with sentinel
-  const resultJson = JSON.stringify(jobResult);
-  // eslint-disable-next-line no-console
-  console.log(`___RESULT___ ${resultJson}`);
+    // Output result with sentinel
+    const resultJson = JSON.stringify(jobResult);
+    // eslint-disable-next-line no-console
+    console.log(`___RESULT___ ${resultJson}`);
 
-  // Exit with appropriate code
-  process.exit(jobResult.exitCode ?? (jobResult.ok ? 0 : 1));
+    // Exit with appropriate code
+    process.exit(jobResult.exitCode ?? (jobResult.ok ? 0 : 1));
+  } finally {
+    cleanupJobRepo?.();
+  }
 }
 
 main().catch((err) => {

package/runtime/sandbox/apps/workerpals/src/merge_conflict_job.ts

@@ -0,0 +1,359 @@
+import { mkdirSync, mkdtempSync, rmSync } from "fs";
+import { tmpdir } from "os";
+import { basename, dirname, join, resolve } from "path";
+
+type LogFn = (stream: "stdout" | "stderr", line: string) => void;
+
+type GitResult = {
+  ok: boolean;
+  stdout: string;
+  stderr: string;
+};
+
+type MergeConflictReviewContext = {
+  publicBranch: string;
+  baseBranch: string;
+  expectedHeadSha: string;
+  mergeError: string;
+};
+
+export type MergeConflictSandboxPreparation = {
+  repoPath: string;
+  cleanup: () => void;
+  conflictPaths: string[];
+  plannerGuidance: string;
+  rebasedCleanly: boolean;
+  currentHeadSha: string;
+};
+
+function asRecord(value: unknown): Record<string, unknown> | null {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return null;
+  return value as Record<string, unknown>;
+}
+
+function normalizeBranchName(value: unknown): string {
+  const trimmed = String(value ?? "").trim().replace(/^refs\/heads\//, "");
+  const normalized = trimmed
+    .replace(/\\/g, "/")
+    .replace(/\/+/g, "/")
+    .replace(/^\/+|\/+$/g, "");
+  if (!normalized.startsWith("agent/")) return "";
+  if (
+    normalized.includes("..") ||
+    normalized.includes("@{") ||
+    normalized.endsWith(".") ||
+    normalized.endsWith(".lock")
+  ) {
+    return "";
+  }
+  if (/[~^:?*\[\]\s]/.test(normalized)) return "";
+  return normalized;
+}
+
+function normalizeBaseBranch(value: unknown): string {
+  return String(value ?? "")
+    .trim()
+    .replace(/^refs\/heads\//, "")
+    .replace(/\\/g, "/")
+    .replace(/\/+/g, "/")
+    .replace(/^\/+|\/+$/g, "");
+}
+
+function isMergeConflictOutput(text: string): boolean {
+  const normalized = String(text ?? "").toLowerCase();
+  return (
+    normalized.includes("could not apply") ||
+    normalized.includes("resolve all conflicts manually") ||
+    normalized.includes("merge conflict") ||
+    normalized.includes("fix conflicts and then run")
+  );
+}
+
+async function git(cwd: string, args: string[]): Promise<GitResult> {
+  const proc = Bun.spawn(["git", ...args], {
+    cwd,
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+  const [stdout, stderr, exitCode] = await Promise.all([
+    new Response(proc.stdout).text(),
+    new Response(proc.stderr).text(),
+    proc.exited,
+  ]);
+  return {
+    ok: exitCode === 0,
+    stdout: stdout.trim(),
+    stderr: stderr.trim(),
+  };
+}
+
+async function mustGit(cwd: string, args: string[], label: string): Promise<string> {
+  const result = await git(cwd, args);
+  if (!result.ok) {
+    throw new Error(`${label} failed: git ${args.join(" ")}\n${result.stderr || result.stdout}`);
+  }
+  return result.stdout;
+}
+
+function dedupeStrings(values: string[], maxItems = 16): string[] {
+  const seen = new Set<string>();
+  const out: string[] = [];
+  for (const entry of values) {
+    const trimmed = String(entry ?? "").trim();
+    if (!trimmed || seen.has(trimmed)) continue;
+    seen.add(trimmed);
+    out.push(trimmed);
+    if (out.length >= maxItems) break;
+  }
+  return out;
+}
+
+function deriveLikelyDirs(paths: string[]): string[] {
+  return dedupeStrings(
+    paths
+      .map((entry) => dirname(entry).replace(/\\/g, "/"))
+      .filter((entry) => entry && entry !== "."),
+    12,
+  );
+}
+
+function deriveRipgrepQueries(paths: string[]): string[] {
+  return dedupeStrings(paths.map((entry) => basename(entry)).filter(Boolean), 8);
+}
+
+function isTestPath(path: string): boolean {
+  return /(^tests\/|__tests__\/|\.test\.[cm]?[jt]sx?$|\.spec\.[cm]?[jt]sx?$)/i.test(path);
+}
+
+function deriveValidationSteps(existing: unknown, conflictPaths: string[]): string[] {
+  const preserved = Array.isArray(existing)
+    ? existing.map((entry) => String(entry ?? "").trim()).filter(Boolean)
+    : [];
+  const targeted = conflictPaths.filter(isTestPath).map((entry) => `bun test ${entry}`);
+  const merged = dedupeStrings([...targeted, ...preserved], 8);
+  return merged.length > 0 ? merged : ["bun test"];
+}
+
+function extractConflictPaths(stdout: string): string[] {
+  return dedupeStrings(
+    String(stdout ?? "")
+      .split(/\r?\n/)
+      .map((line) => line.trim())
+      .filter(Boolean),
+    32,
+  );
+}
+
+function buildPlannerGuidance(
+  context: MergeConflictReviewContext,
+  conflictPaths: string[],
+  rebasedCleanly: boolean,
+): string {
+  const lines = [
+    "Merge-conflict sandbox state:",
+    `- You are on local branch ${context.publicBranch} inside an isolated container-local clone. This branch exists only inside the worker sandbox and does not switch the user's active checkout.`,
+    `- Remote push target: origin/${context.publicBranch}`,
+    `- Rebase target: origin/${context.baseBranch}`,
+  ];
+  if (context.expectedHeadSha) {
+    lines.push(
+      `- Expected remote lease SHA for push-back: ${context.expectedHeadSha}. If origin/${context.publicBranch} moved, stop and report the mismatch instead of overwriting newer work.`,
+    );
+  }
+  if (context.mergeError) {
+    lines.push(`- GitHub mergeability error: ${context.mergeError}`);
+  }
+  if (rebasedCleanly) {
+    lines.push(
+      `- The branch already rebased cleanly onto origin/${context.baseBranch} in this sandbox. Validate the rebased result and leave the repo clean for finalization.`,
+    );
+  } else {
+    lines.push(
+      `- The sandbox branch is already paused mid-rebase onto origin/${context.baseBranch}. Resolve the conflicts in the current repo state instead of re-discovering branch topology.`,
+    );
+    if (conflictPaths.length > 0) {
+      lines.push(`- Unresolved conflict files: ${conflictPaths.join(", ")}`);
+    }
+    lines.push(
+      "- After editing, run `git add <files>` and `git -c core.editor=true rebase --continue` until the rebase completes.",
+    );
+  }
+  lines.push("- Do not create a new PR or alternate branch. Update only the existing PR branch.");
+  return lines.join("\n");
+}
+
+export function extractMergeConflictReviewContext(
+  params: Record<string, unknown> | null | undefined,
+): MergeConflictReviewContext | null {
+  const reviewAgent = asRecord(params?.reviewAgent);
+  if (!reviewAgent) return null;
+  const resolutionType = String(reviewAgent.resolutionType ?? "").trim().toLowerCase();
+  if (resolutionType !== "merge_conflict") return null;
+
+  const publicBranch = normalizeBranchName(params?.completionBranch ?? reviewAgent.prHeadRef);
+  const baseBranch = normalizeBaseBranch(reviewAgent.prBaseRef);
+  if (!publicBranch || !baseBranch) return null;
+
+  return {
+    publicBranch,
+    baseBranch,
+    expectedHeadSha: String(reviewAgent.prHeadSha ?? "").trim(),
+    mergeError: String(reviewAgent.mergeError ?? "").trim(),
+  };
+}
+
+export function isMergeConflictResolutionParams(
+  params: Record<string, unknown> | null | undefined,
+): boolean {
+  return extractMergeConflictReviewContext(params) !== null;
+}
+
+export function applyMergeConflictExecutionHints(
+  params: Record<string, unknown>,
+  preparation: MergeConflictSandboxPreparation,
+): Record<string, unknown> {
+  const next: Record<string, unknown> = { ...params };
+  const planning = asRecord(next.planning) ? { ...(next.planning as Record<string, unknown>) } : {};
+  const existingGuidance = String(next.plannerWorkerInstruction ?? "").trim();
+  next.plannerWorkerInstruction = [existingGuidance, preparation.plannerGuidance]
+    .filter(Boolean)
+    .join("\n\n");
+
+  const hintedPaths = preparation.conflictPaths;
+  if (hintedPaths.length > 0) {
+    const currentTargetPaths = Array.isArray(planning.targetPaths)
+      ? planning.targetPaths.map((entry) => String(entry ?? "")).filter(Boolean)
+      : [];
+    planning.targetPaths = dedupeStrings([...hintedPaths, ...currentTargetPaths], 24);
+
+    const discovery = asRecord(planning.discovery)
+      ? { ...(planning.discovery as Record<string, unknown>) }
+      : {};
+    const likelyDirs = Array.isArray(discovery.likelyDirs)
+      ? discovery.likelyDirs.map((entry) => String(entry ?? "")).filter(Boolean)
+      : [];
+    const ripgrepQueries = Array.isArray(discovery.ripgrepQueries)
+      ? discovery.ripgrepQueries.map((entry) => String(entry ?? "")).filter(Boolean)
+      : [];
+    discovery.likelyDirs = dedupeStrings([...deriveLikelyDirs(hintedPaths), ...likelyDirs], 16);
+    discovery.ripgrepQueries = dedupeStrings(
+      [...deriveRipgrepQueries(hintedPaths), ...ripgrepQueries],
+      16,
+    );
+    planning.discovery = discovery;
+    planning.validationSteps = deriveValidationSteps(planning.validationSteps, hintedPaths);
+  }
+
+  next.planning = planning;
+  const reviewAgent = asRecord(next.reviewAgent);
+  if (reviewAgent) {
+    next.reviewAgent = {
+      ...reviewAgent,
+      preparedWorkspaceMode: "isolated_container_clone",
+      preparedRebaseState: preparation.rebasedCleanly ? "clean" : "conflicted",
+      preparedConflictPaths: preparation.conflictPaths,
+      preparedHeadSha: preparation.currentHeadSha,
+    };
+  }
+  return next;
+}
+
+export async function prepareMergeConflictTaskRepo(
+  sourceRepo: string,
+  jobId: string,
+  params: Record<string, unknown>,
+  onLog?: LogFn,
+): Promise<MergeConflictSandboxPreparation> {
+  const context = extractMergeConflictReviewContext(params);
+  if (!context) {
+    return {
+      repoPath: sourceRepo,
+      cleanup: () => {},
+      conflictPaths: [],
+      plannerGuidance: "",
+      rebasedCleanly: false,
+      currentHeadSha: "",
+    };
+  }
+
+  const remoteUrl = await mustGit(sourceRepo, ["remote", "get-url", "origin"], "read origin URL");
+  const sourceUserName = (await git(sourceRepo, ["config", "--get", "user.name"])).stdout.trim();
+  const sourceUserEmail = (await git(sourceRepo, ["config", "--get", "user.email"])).stdout.trim();
+  const sandboxRoot = mkdtempSync(join(tmpdir(), "pushpals-merge-conflict-"));
+  const repoPath = join(sandboxRoot, "repo");
+  mkdirSync(repoPath, { recursive: true });
+
+  const cleanup = () => {
+    rmSync(sandboxRoot, { recursive: true, force: true });
+  };
+
+  try {
+    await mustGit(repoPath, ["init", "--quiet"], "init sandbox repo");
+    await mustGit(repoPath, ["remote", "add", "origin", remoteUrl], "add origin");
+    await mustGit(
+      repoPath,
+      ["config", "user.name", sourceUserName || "PushPals WorkerPal"],
+      "configure user.name",
+    );
+    await mustGit(
+      repoPath,
+      ["config", "user.email", sourceUserEmail || "pushpals-worker@local"],
+      "configure user.email",
+    );
+    await mustGit(repoPath, ["config", "rerere.enabled", "true"], "enable rerere");
+    await mustGit(repoPath, ["config", "rerere.autoupdate", "true"], "enable rerere autoupdate");
+
+    const fetchArgs = [
+      "fetch",
+      "--quiet",
+      "origin",
+      `+refs/heads/${context.publicBranch}:refs/remotes/origin/${context.publicBranch}`,
+      `+refs/heads/${context.baseBranch}:refs/remotes/origin/${context.baseBranch}`,
+    ];
+    await mustGit(repoPath, fetchArgs, "fetch merge-conflict refs");
+    await mustGit(
+      repoPath,
+      ["checkout", "-B", context.publicBranch, `refs/remotes/origin/${context.publicBranch}`],
+      "checkout PR branch in sandbox",
+    );
+    await mustGit(
+      repoPath,
+      ["branch", "--set-upstream-to", `origin/${context.publicBranch}`, context.publicBranch],
+      "set sandbox upstream",
+    );
+
+    const baseRemoteRef = `refs/remotes/origin/${context.baseBranch}`;
+    const rebase = await git(repoPath, ["-c", "core.editor=true", "rebase", baseRemoteRef]);
+    let conflictPaths: string[] = [];
+    let rebasedCleanly = false;
+    if (rebase.ok) {
+      rebasedCleanly = true;
+      const note = `[MergeConflictSandbox] ${jobId}: ${context.publicBranch} rebased cleanly onto origin/${context.baseBranch}.`;
+      onLog?.("stdout", note);
+    } else if (isMergeConflictOutput(`${rebase.stderr}\n${rebase.stdout}`)) {
+      const unresolved = await mustGit(
+        repoPath,
+        ["diff", "--name-only", "--diff-filter=U"],
+        "list unresolved conflict paths",
+      );
+      conflictPaths = extractConflictPaths(unresolved);
+      const note = `[MergeConflictSandbox] ${jobId}: prepared isolated sandbox for ${context.publicBranch} with ${conflictPaths.length} unresolved file(s).`;
+      onLog?.("stdout", note);
+    } else {
+      throw new Error(rebase.stderr || rebase.stdout || "unknown rebase failure");
+    }
+
+    const currentHeadSha = await mustGit(repoPath, ["rev-parse", "HEAD"], "resolve sandbox HEAD");
+    return {
+      repoPath: resolve(repoPath),
+      cleanup,
+      conflictPaths,
+      plannerGuidance: buildPlannerGuidance(context, conflictPaths, rebasedCleanly),
+      rebasedCleanly,
+      currentHeadSha,
+    };
+  } catch (error) {
+    cleanup();
+    throw error;
+  }
+}

package/runtime/sandbox/apps/workerpals/src/workerpals_main.ts

@@ -39,6 +39,7 @@ import {
   git,
   redactSensitiveText,
   resolveReviewNoChangeCompletionBranch,
+  shouldEnqueueNoChangeReviewCompletion,
   type JobResult,
 } from "./execute_job.js";
 import { DockerExecutionExhaustedError, DockerExecutor } from "./docker_executor.js";
@@ -852,6 +853,19 @@ async function resolveReReviewNoChangeCommit(
   return null;
 }
 
+function failNoChangeReviewFixJob(jobId: string, result: WorkerJobResult): WorkerJobResult {
+  return {
+    ...result,
+    ok: false,
+    summary:
+      `Rejected review-fix job ${jobId} produced no code changes; refusing unchanged branch re-review.`,
+    stderr: [result.stderr, "Apply at least one concrete fix before requesting another review."]
+      .filter(Boolean)
+      .join("\n"),
+    exitCode: typeof result.exitCode === "number" ? result.exitCode : 4,
+  };
+}
+
 async function enqueueCompletion(
   server: string,
   headers: Record<string, string>,
@@ -1289,6 +1303,11 @@ async function workerLoop(
               if (result.commit) {
                 if (result.commit.sha !== "no-changes") {
                   completionCommit = result.commit;
+                } else if (!shouldEnqueueNoChangeReviewCompletion(parsedParams)) {
+                  console.warn(
+                    `[WorkerPals] Job ${job.id} produced no code changes for a rejected review-fix request; marking the job failed instead of enqueueing unchanged branch re-review.`,
+                  );
+                  result = failNoChangeReviewFixJob(job.id, result);
                 } else {
                   const reReviewCommit = await resolveReReviewNoChangeCommit(
                     executionRepo,
@@ -1336,6 +1355,11 @@ async function workerLoop(
                       branch: commitResult.branch,
                       sha: commitResult.sha,
                     };
+                  } else if (!shouldEnqueueNoChangeReviewCompletion(parsedParams)) {
+                    console.warn(
+                      `[WorkerPals] Job ${job.id} produced no staged review-fix changes; marking the job failed instead of enqueueing unchanged branch re-review.`,
+                    );
+                    result = failNoChangeReviewFixJob(job.id, result);
                   }
                 } else if (commitResult.error) {
                   console.error(`[WorkerPals] Failed to create commit: ${commitResult.error}`);

package/runtime/sandbox/prompts/workerpals/openai_codex_task_execute_system_prompt.md

@@ -6,6 +6,7 @@ Non-negotiable runtime invariants:
 - Do not modify tests or production code to bypass, stub, or remove Codex CLI usage due to assumed environment limitations.
 - Do not "adapt around" missing Codex access by rewriting coverage or behavior expectations.
 - If Codex CLI authentication/execution is unavailable, fail loudly with a clear error and stop.
+- When worker guidance provides exact repo/branch/conflict state, treat that prepared sandbox state as authoritative and start from the current checkout instead of re-discovering topology.
 
 Execution rules: