@seanyao/roll 2.602.5 → 2.604.1

package/bin/roll

@@ -4,7 +4,7 @@ set -euo pipefail
 # Roll — AI Agent Convention Manager
 # Single source of truth for how all AI coding agents behave.
 
-VERSION="2.602.5"
+VERSION="2.604.1"
 ROLL_HOME="${ROLL_HOME:-${HOME}/.roll}"
 ROLL_CONFIG="${ROLL_HOME}/config.yaml"
 ROLL_GLOBAL="${ROLL_HOME}/conventions/global"
@@ -4046,6 +4046,11 @@ _peer_call() {
     _watchdog_pid=$!
     wait "$_peer_pid" 2>/dev/null || _peer_exit=$?
     # Cancel watchdog if agent finished on time.
+    # FIX-181: kill children (sleep) first so they cannot outlive the
+    # watchdog and later hit a reused PID, then kill the watchdog itself.
+    if command -v pkill >/dev/null 2>&1; then
+      pkill -P "$_watchdog_pid" 2>/dev/null || true
+    fi
     kill "$_watchdog_pid" 2>/dev/null || true
     wait "$_watchdog_pid" 2>/dev/null || true
     output="$(cat "$_out" 2>/dev/null || true)"
@@ -5519,26 +5524,20 @@ import prices_fetcher as pf
 
 snapshot_dir = os.path.join(lib_dir, "prices")
 
-# FIX-116: vendor-specific default URLs.
-VENDOR_URLS = {
-    "anthropic": "https://platform.claude.com/docs/en/about-claude/pricing",
-    "deepseek":  "https://api-docs.deepseek.com/quick_start/pricing",
-    "kimi":      "https://platform.kimi.com/docs/pricing/chat",
-}
-
 if vendor:
-    default_url = VENDOR_URLS.get(vendor)
-    if not default_url:
+    if vendor not in pf.VENDOR_REGISTRY:
         print(f"$(msg prices_refresh.roll_unknown_vendor_vendor)", file=sys.stderr)
         print(f"$(msg prices_refresh.roll_known_vendors_join_sorted_vendor)", file=sys.stderr)
         sys.exit(1)
-    url = override_url or default_url
-    pf.DEFAULT_SOURCE_URL = url
 else:
-    url = override_url or pf.DEFAULT_SOURCE_URL
+    vendor = "anthropic"
 
 try:
-    action, changes = pf.refresh(snapshot_dir=snapshot_dir, url=url)
+    action, changes = pf.refresh(
+        snapshot_dir=snapshot_dir,
+        vendor=vendor,
+        url=override_url or None,
+    )
 except pf.FetchError as exc:
     print(f"[roll] fetch failed: {exc}", file=sys.stderr)
     print("[roll] keeping existing snapshot, no changes written  保留旧快照，未写入新文件",
@@ -5577,42 +5576,155 @@ cmd_prices() {
   esac
 }
 
+# FIX-178: AI-style a deterministic changelog draft into the project voice via
+# the configured agent (roll agent use). Content-preserving polish only — same
+# items + (ID)s, bold-lead style anchored on the last 3 released versions. Echoes
+# the styled draft on success; empty output on any failure so the caller falls
+# back to the deterministic raw draft. Bounded by a 150s watchdog (macOS lacks
+# timeout(1)). Uses the same agent path as peer review (_agent_argv).
+_changelog_ai_style() {
+  local raw="$1"
+  [ -n "$raw" ] || return 1
+  local agent; agent=$(_project_agent)
+  local anchors; anchors=$(_changelog_style_anchors CHANGELOG.md 2>/dev/null || true)
+  local prompt
+  prompt="你是 roll 的 changelog 编辑。把【原始草稿】改写成发布说明,严格遵守:
+1) 不增删条目、不改事实;每条保留它的(ID)。只润色措辞。
+2) 每条格式:\`- **简短标题(ID)** — 补充说明\`;若原条目结尾有 \`[loop]\` 则保留。
+3) 保留每个 ### 分类标题与分组。只输出 markdown,从 '## Unreleased' 开始,前后不要任何解释。
+
+【风格锚点·最近版本】
+${anchors}
+
+【原始草稿】
+${raw}"
+  _agent_argv "$agent" text "$prompt" 2>/dev/null || return 1
+  _agent_bypass_claude_perms
+  local out; out=$(mktemp)
+  "${_AGENT_ARGV[@]}" >"$out" 2>/dev/null &
+  local pid=$!
+  local waited=0
+  while kill -0 "$pid" 2>/dev/null; do
+    sleep 1; waited=$((waited + 1))
+    if [ "$waited" -ge 150 ]; then
+      kill "$pid" 2>/dev/null; sleep 1; kill -9 "$pid" 2>/dev/null; break
+    fi
+  done
+  wait "$pid" 2>/dev/null
+  # Normalize agent chrome before extracting: some agents (e.g. kimi) prefix the
+  # rendered answer with a "• " marker and indent the body. Changelog markdown is
+  # flat (##, ###, -, blank), so stripping a leading "• " and any leading
+  # whitespace is safe and is a no-op for plain agents (e.g. claude -p). Then
+  # keep from the first '## Unreleased' line onward (drops any preamble).
+  sed -E 's/^[[:space:]]*•[[:space:]]?//; s/^[[:space:]]+//' "$out" \
+    | awk '/^## Unreleased/{f=1} f{print}'
+  rm -f "$out"
+}
+
+# FIX-178: replace (or insert) the ## Unreleased section of CHANGELOG.md with
+# the given draft (which itself begins with '## Unreleased'). getline-from-file
+# keeps the multi-line draft intact.
+_changelog_write_unreleased() {
+  local draft="$1" cl="${2:-CHANGELOG.md}"
+  local dfile; dfile=$(mktemp); printf '%s\n' "$draft" > "$dfile"
+  local tmp; tmp=$(mktemp)
+  if [ -f "$cl" ] && grep -q '^## Unreleased' "$cl"; then
+    awk -v df="$dfile" '
+      /^## Unreleased/ && !done { while ((getline line < df) > 0) print line; print ""; skip=1; done=1; next }
+      skip && /^## / { skip=0 }
+      skip { next }
+      { print }
+    ' "$cl" > "$tmp"
+  else
+    { [ -f "$cl" ] && head -1 "$cl" || echo "# Changelog"; echo; cat "$dfile"; echo;
+      [ -f "$cl" ] && tail -n +2 "$cl"; } > "$tmp"
+  fi
+  mv "$tmp" "$cl"; rm -f "$dfile"
+}
+
 # FIX-113: changelog audit — list PRs merged to main since latest release
 # tag that don't appear in CHANGELOG.md's ## Unreleased section.
 # US-CL-006: changelog generate — deterministic draft from backlog Done stories.
+# FIX-178: generate now AI-styles the deterministic draft via the configured
+# agent by default (content-preserving); --no-ai / --json stay deterministic.
 cmd_changelog() {
-  local subcmd="${1:-audit}"
+  local subcmd="${1:-generate}"
   shift || true
   case "$subcmd" in
-    audit)
-      python3 "${ROLL_PKG_DIR}/lib/changelog_audit.py" "$@"
-      ;;
     generate)
-      python3 "${ROLL_PKG_DIR}/lib/changelog_generate.py" "$@"
+      local want_ai=1 to_write=0 is_json=0 pyargs=()
+      local a
+      for a in "$@"; do
+        case "$a" in
+          --no-ai) want_ai=0 ;;
+          --write) to_write=1 ;;
+          --json)  is_json=1; want_ai=0; pyargs+=("$a") ;;
+          *)       pyargs+=("$a") ;;
+        esac
+      done
+      local raw
+      raw=$(python3 "${ROLL_PKG_DIR}/lib/changelog_generate.py" ${pyargs[@]+"${pyargs[@]}"}) || return 1
+      if [ "$is_json" = 1 ]; then printf '%s\n' "$raw"; return 0; fi
+      local final="$raw"
+      if [ "$want_ai" = 1 ]; then
+        local styled; styled=$(_changelog_ai_style "$raw" 2>/dev/null || true)
+        if [ -n "$styled" ] && printf '%s' "$styled" | grep -q '^- '; then
+          final="$styled"
+        else
+          warn "changelog: AI 润色不可用/失败,输出确定性草稿(可加 --no-ai 跳过)"
+        fi
+      fi
+      if [ "$to_write" = 1 ]; then
+        _changelog_write_unreleased "$final"
+        info "Updated CHANGELOG.md"
+      else
+        printf '%s\n' "$final"
+      fi
       ;;
     --help|-h|help)
       cat <<EOF
-Usage: roll changelog <subcommand>
-
-  audit [--since <tag>] [--json]        发版前体检
-    Scan PRs merged to main since latest v* tag; flag ones that look user-visible
-    (carry US-/FIX-/REFACTOR- id) but are missing from CHANGELOG.md '## Unreleased'.
-
-  generate [--write] [--json]           从 backlog 生成草稿
-    Extract ✅ Done stories from .roll/backlog.md, filter internal entries,
-    apply lint, and produce a draft ## Unreleased section.
-
-  roll changelog audit                  # check against latest v* tag
-  roll changelog audit --since v2026.520.1
-  roll changelog audit --json           # machine-readable
-  roll changelog generate               # preview draft to stdout
-  roll changelog generate --write       # append draft to CHANGELOG.md
-  roll changelog generate --json        # machine-readable
+Usage: roll changelog generate [options]
+
+  从 backlog ✅ Done 故事 + 上次发布以来的提交,生成 ## Unreleased 发布说明。
+  默认用配置的 agent(roll agent use)按项目风格润色;失败自动回退确定性草稿。
+
+  roll changelog generate               # 预览(AI 润色)
+  roll changelog generate --write       # 写入 CHANGELOG.md(AI 润色)
+  roll changelog generate --no-ai       # 仅确定性草稿,不调 AI
+  roll changelog generate --json        # 机器可读(确定性)
 EOF
       ;;
     *)
       err "$(msg changelog.unknown_subcommand ${subcmd})"
-      err "Try: roll changelog audit | roll changelog generate"
+      err "Try: roll changelog generate"
+      return 1
+      ;;
+  esac
+}
+
+# ─── roll consistency check — unified consistency orchestrator (US-CONSIST-001) ──
+cmd_consistency() {
+  local subcmd="${1:-check}"
+  shift || true
+  case "$subcmd" in
+    check)
+      python3 "${ROLL_PKG_DIR}/lib/consistency_check.py" "$@"
+      ;;
+    --help|-h|help)
+      cat <<EOF
+Usage: roll consistency <subcommand>
+
+  check [--json] [--project-dir DIR]    逐维度跑一致性检查
+    Run checks across five dimensions (code, docs, i18n, tests, site)
+    and produce a structured pass/gap report.
+
+  roll consistency check                # human-readable report
+  roll consistency check --json         # machine-readable JSON
+EOF
+      ;;
+    *)
+      err "$(msg consistency.unknown_sub "$subcmd")"
+      err "Try: roll consistency check"
       return 1
       ;;
   esac
@@ -6113,14 +6225,14 @@ cmd_review_pr() {
 
   local slug; slug=$(_gh_repo_slug) || { err "Not a GitHub repo — review-pr requires GitHub remote"; return 1; }
 
-  local pr_json
-  pr_json=$(gh -R "$slug" pr view "$pr_number" --json title,body,diff 2>&1) \
+  local pr_json diff
+  pr_json=$(gh -R "$slug" pr view "$pr_number" --json title,body 2>&1) \
     || { err "gh pr view failed: ${pr_json}"; return 1; }
+  diff=$(gh -R "$slug" pr diff "$pr_number" 2>/dev/null) || true
 
   local title body diff
   title=$(echo "$pr_json" | jq -r '.title // ""')
   body=$(echo "$pr_json" | jq -r '.body // ""')
-  diff=$(echo "$pr_json" | jq -r '.diff // ""')
 
   if echo "$body" | grep -qF '[skip-ai-review]'; then
     gh -R "$slug" pr review "$pr_number" --approve -b "Auto-approved: [skip-ai-review] detected" 2>/dev/null || true
@@ -8222,86 +8334,6 @@ PRRUNNER
   chmod +x "$script_path"
 }
 
-# _write_ci_loop_runner_script <script_path> <project_path> <roll_bin> <log_path>
-#   US-AUTO-045 Phase 2: the script the com.roll.ci.<slug> launchd plist runs
-#   every 5 min. Mirrors _write_pr_loop_runner_script — lightweight (no agent,
-#   no tmux): portable PATH, a single-flight re-entry lock (pid+ts, 15-min
-#   staleness so a crashed pass self-heals next tick), then drives the _ci_scan
-#   orchestrator via the `roll _ci_scan` dispatch.
-_write_ci_loop_runner_script() {
-  local script_path="$1" project_path="$2" roll_bin="$3" log_path="$4"
-  mkdir -p "$(dirname "$script_path")"
-  local lock="${project_path}/.roll/loop/.ci-loop.lock"
-  cat > "$script_path" << CIRUNNER
-#!/bin/bash -l
-set -o pipefail
-# Portable PATH: launchd delivers a bare PATH missing brew/local tools. Idempotent.
-for _d in /opt/homebrew/bin /usr/local/bin /opt/local/bin "\$HOME/.local/bin" "\$HOME/.kimi-code/bin"; do
-  case ":\$PATH:" in *":\$_d:"*) ;; *) [ -d "\$_d" ] && PATH="\$_d:\$PATH" ;; esac
-done
-export PATH
-# Single-flight re-entry guard: one CI-loop pass at a time. 5-min cadence;
-# 15-min (900s) staleness so a crashed/hung pass self-heals on the next tick.
-LOCK="${lock}"
-mkdir -p "\$(dirname "\$LOCK")"
-if [ -f "\$LOCK" ]; then
-  _pp=""; _pt=""
-  IFS=: read -r _pp _pt < "\$LOCK" 2>/dev/null || true
-  _now=\$(date -u +%s)
-  if [ -n "\$_pp" ] && [ -n "\$_pt" ] && kill -0 "\$_pp" 2>/dev/null && [ "\$((_now - _pt))" -lt 900 ]; then
-    exit 0
-  fi
-  rm -f "\$LOCK"
-fi
-printf '%s:%s\n' "\$\$" "\$(date -u +%s)" > "\$LOCK"
-trap 'rm -f "\$LOCK"' EXIT
-cd "${project_path}" || exit 0
-bash "${roll_bin}" _ci_scan >> "${log_path}" 2>&1 || true
-CIRUNNER
-  chmod +x "$script_path"
-}
-
-# _write_alert_loop_runner_script <script_path> <project_path> <roll_bin> <log_path>
-#   US-AUTO-046 Phase 2: the script the com.roll.alert.<slug> launchd plist runs
-#   every 1 min. Mirrors _write_ci_loop_runner_script — lightweight (no agent,
-#   no tmux): portable PATH, a single-flight re-entry lock (pid+ts), then drives
-#   the Phase-1 _alert_dispatch consumer via the `roll _alert_dispatch` dispatch.
-#   _alert_dispatch reads $_LOOP_ALERT, parses + notifies + records to
-#   alert-log.jsonl, then rotates the file. Staleness is 180s (3 ticks at the
-#   1-min cadence) so a crashed/hung pass self-heals quickly.
-_write_alert_loop_runner_script() {
-  local script_path="$1" project_path="$2" roll_bin="$3" log_path="$4"
-  mkdir -p "$(dirname "$script_path")"
-  local lock="${project_path}/.roll/loop/.alert-loop.lock"
-  cat > "$script_path" << ALERTRUNNER
-#!/bin/bash -l
-set -o pipefail
-# Portable PATH: launchd delivers a bare PATH missing brew/local tools. Idempotent.
-for _d in /opt/homebrew/bin /usr/local/bin /opt/local/bin "\$HOME/.local/bin" "\$HOME/.kimi-code/bin"; do
-  case ":\$PATH:" in *":\$_d:"*) ;; *) [ -d "\$_d" ] && PATH="\$_d:\$PATH" ;; esac
-done
-export PATH
-# Single-flight re-entry guard: one alert-loop pass at a time. 1-min cadence;
-# 180s staleness so a crashed/hung pass self-heals within a few ticks.
-LOCK="${lock}"
-mkdir -p "\$(dirname "\$LOCK")"
-if [ -f "\$LOCK" ]; then
-  _pp=""; _pt=""
-  IFS=: read -r _pp _pt < "\$LOCK" 2>/dev/null || true
-  _now=\$(date -u +%s)
-  if [ -n "\$_pp" ] && [ -n "\$_pt" ] && kill -0 "\$_pp" 2>/dev/null && [ "\$((_now - _pt))" -lt 180 ]; then
-    exit 0
-  fi
-  rm -f "\$LOCK"
-fi
-printf '%s:%s\n' "\$\$" "\$(date -u +%s)" > "\$LOCK"
-trap 'rm -f "\$LOCK"' EXIT
-cd "${project_path}" || exit 0
-bash "${roll_bin}" _alert_dispatch >> "${log_path}" 2>&1 || true
-ALERTRUNNER
-  chmod +x "$script_path"
-}
-
 # Like _write_runner_script but prepends an active window guard.
 # Silently exits when current hour is outside [active_start, active_end).
 # When tmux is available, wraps the inner command in a detached tmux session
@@ -8559,6 +8591,11 @@ _runs_append() {
   if [ -n "\$_story_field" ]; then
     _stype_field="\${_story_field%%-*}"
   fi
+  # US-LOOP-068: target field — roll-meta for roll-meta stories, empty otherwise
+  local _target_field=""
+  if [ "\${_ROLL_META_TARGET:-0}" = "1" ]; then
+    _target_field="roll-meta"
+  fi
   # US-EVAL-002: compute the objective result_eval block from this cycle's
   # facts via the US-EVAL-001 pure-function rubric. Best-effort — when python3
   # or the scorer script is unavailable the row is written WITHOUT result_eval
@@ -8608,6 +8645,7 @@ _runs_append() {
     --arg tier "\$_tier_field" \\
     --arg fallback_from "\$_fallback_from_field" \\
     --arg story_type "\$_stype_field" \\
+    --arg target "\$_target_field" \\
     --argjson built "\$_built" \\
     --argjson skipped '[]' \\
     --argjson alerts '[]' \\
@@ -8618,6 +8656,7 @@ _runs_append() {
       cycle_id:\$cycle_id, agent:\$agent, tier:\$tier, fallback_from:\$fallback_from,
       story_type:\$story_type, built:\$built, skipped:\$skipped, alerts:\$alerts,
       tcr_count:\$tcr_count, duration_sec:\$duration_sec, phases:\$phases}
+     + (if \$target == "" then {} else {target:\$target} end)
      + (if \$result_eval == null then {} else {result_eval:\$result_eval} end)' \\
     > "\$_tmp" 2>/dev/null || { rm -f "\$_tmp"; return 0; }
   # FIX-157: ensure target exists before append; missing file silently drops
@@ -8849,6 +8888,10 @@ for _orphan_wt in "\${_SHARED_ROOT}/worktrees/${slug}-cycle-"*; do
       ( cd "\$_orphan_wt" && _loop_publish_pr "\$_orphan_branch" "recover orphan \${_orphan_branch}" ) && _orphan_ok=1
     fi
     if [ "\$_orphan_ok" -eq 1 ]; then
+      # US-LOOP-068: if orphan contains a roll-meta worktree, clean it first
+      if [ -d "\${_orphan_wt}/.roll/.git" ]; then
+        _loop_roll_meta_worktree_cleanup "\$_orphan_wt" "\$_orphan_branch" "${project_path}" 2>/dev/null || true
+      fi
       _worktree_cleanup "\$_orphan_wt" "\$_orphan_branch"
       echo "[loop] FIX-040: orphan recovered and cleaned: \$_orphan_branch"
     else
@@ -8856,6 +8899,10 @@ for _orphan_wt in "\${_SHARED_ROOT}/worktrees/${slug}-cycle-"*; do
     fi
   else
     echo "[loop] FIX-040: orphan worktree \$_orphan_wt has no commits; cleaning up"
+    # US-LOOP-068: if orphan contains a roll-meta worktree, clean it first
+    if [ -d "\${_orphan_wt}/.roll/.git" ]; then
+      _loop_roll_meta_worktree_cleanup "\$_orphan_wt" "\$_orphan_branch" "${project_path}" 2>/dev/null || true
+    fi
     _worktree_cleanup "\$_orphan_wt" "\$_orphan_branch"
   fi
 done
@@ -8873,6 +8920,16 @@ if _worktree_fetch_origin main \\
   # because .roll/ is gitignored and the clean clone has no backlog
   # for Claude to read or skill entry points to dispatch to.
   _worktree_sync_meta "\$WT" 2>/dev/null || true
+  # US-LOOP-068: for roll-meta stories, replace the synced .roll/ with a
+  # real roll-meta git worktree so commits land in roll-meta remote.
+  if [ "\${_ROLL_META_TARGET:-0}" = "1" ]; then
+    if _loop_roll_meta_worktree_setup "\$WT" "\$BRANCH" "${project_path}" 2>/dev/null; then
+      echo "[loop] cycle \${CYCLE_ID}: roll-meta worktree \${WT}/.roll on \$BRANCH"
+    else
+      echo "[loop] cycle \${CYCLE_ID}: roll-meta worktree setup failed — falling back to normal"
+      _ROLL_META_TARGET=0
+    fi
+  fi
   echo "[loop] cycle \${CYCLE_ID}: worktree \$WT on \$BRANCH"
   _loop_event cycle_start "\${CYCLE_ID}" "" "" || true
   # US-AGENT-006: per-story routing — pick the next Todo, route to an agent
@@ -8929,6 +8986,15 @@ if _worktree_fetch_origin main \\
   fi
   CYCLE_AGENT="\${ROLL_LOOP_ROUTED_AGENT:-\$(_project_agent)}"
   _loop_event agent_used "\${CYCLE_ID}" "\${CYCLE_AGENT}" "primary" || true
+  # US-LOOP-068: detect roll-meta target after routing is complete
+  _ROLL_META_TARGET=0
+  if [ -n "\$ROLL_LOOP_ROUTED_STORY" ]; then
+    if _loop_is_roll_meta_story "\$ROLL_LOOP_ROUTED_STORY" "\${ROLL_MAIN_PROJECT}/.roll/backlog.md" 2>/dev/null; then
+      _ROLL_META_TARGET=1
+      echo "[loop] story \${ROLL_LOOP_ROUTED_STORY} is roll-meta target"
+    fi
+  fi
+  export ROLL_LOOP_ROLL_META_TARGET="\${_ROLL_META_TARGET}"
   _phase_end worktree_setup ok
 else
   # P3 fix: skip the cycle entirely when worktree isolation fails.
@@ -9071,12 +9137,25 @@ if [ "\$_USE_WORKTREE" = "1" ]; then
   if [ "\$_exit" -ne 0 ]; then
     _cycle_status="failed"
   else
-    _cycle_commits_pre=\$(cd "\$WT" && git rev-list --count origin/main..HEAD 2>/dev/null || echo 0)
+    # US-LOOP-068: for roll-meta stories, count commits in the roll-meta worktree
+    if [ "\${_ROLL_META_TARGET:-0}" = "1" ]; then
+      _cycle_commits_pre=\$(cd "\$WT/.roll" && git rev-list --count origin/main..HEAD 2>/dev/null || echo 0)
+    else
+      _cycle_commits_pre=\$(cd "\$WT" && git rev-list --count origin/main..HEAD 2>/dev/null || echo 0)
+    fi
     if [ "\$_cycle_commits_pre" -gt 0 ]; then
       _cycle_status="built"
-      _cycle_tcr=\$(cd "\$WT" && git log --oneline origin/main..HEAD -- 2>/dev/null | grep -c ' tcr:' || echo 0)
+      if [ "\${_ROLL_META_TARGET:-0}" = "1" ]; then
+        _cycle_tcr=\$(cd "\$WT/.roll" && git log --oneline origin/main..HEAD -- 2>/dev/null | grep -c ' tcr:' || echo 0)
+      else
+        _cycle_tcr=\$(cd "\$WT" && git log --oneline origin/main..HEAD -- 2>/dev/null | grep -c ' tcr:' || echo 0)
+      fi
       if command -v jq >/dev/null 2>&1; then
-        _cycle_built=\$(cd "\$WT" && git diff origin/main -- .roll/backlog.md 2>/dev/null | grep '✅ Done' | grep -oE '\[[A-Z]+-[0-9]+\]' | sed 's/^.//;s/.\$//' | jq -R -s 'split("\n") | map(select(length>0))' 2>/dev/null || echo "[]")
+        if [ "\${_ROLL_META_TARGET:-0}" = "1" ]; then
+          _cycle_built=\$(cd "\$WT/.roll" && git diff origin/main -- backlog.md 2>/dev/null | grep '✅ Done' | grep -oE '\[[A-Z]+-[0-9]+\]' | sed 's/^.//;s/.\$//' | jq -R -s 'split("\n") | map(select(length>0))' 2>/dev/null || echo "[]")
+        else
+          _cycle_built=\$(cd "\$WT" && git diff origin/main -- .roll/backlog.md 2>/dev/null | grep '✅ Done' | grep -oE '\[[A-Z]+-[0-9]+\]' | sed 's/^.//;s/.\$//' | jq -R -s 'split("\n") | map(select(length>0))' 2>/dev/null || echo "[]")
+        fi
       fi
     fi
   fi
@@ -9097,8 +9176,17 @@ if [ "\$_USE_WORKTREE" = "1" ]; then
   if [ "\$_exit" -eq 0 ]; then
     # Idle cycle — no commits ahead of origin/main means nothing was built;
     # skip publish and reclaim the worktree immediately.
-    _cycle_commits=\$(cd "\$WT" && git rev-list --count origin/main..HEAD 2>/dev/null || echo 0)
+    # US-LOOP-068: for roll-meta stories, count commits in roll-meta worktree
+    if [ "\${_ROLL_META_TARGET:-0}" = "1" ]; then
+      _cycle_commits=\$(cd "\$WT/.roll" && git rev-list --count origin/main..HEAD 2>/dev/null || echo 0)
+    else
+      _cycle_commits=\$(cd "\$WT" && git rev-list --count origin/main..HEAD 2>/dev/null || echo 0)
+    fi
     if [ "\$_cycle_commits" -eq 0 ]; then
+      # US-LOOP-068: clean up roll-meta worktree before product worktree
+      if [ "\${_ROLL_META_TARGET:-0}" = "1" ]; then
+        _loop_roll_meta_worktree_cleanup "\$WT" "\$BRANCH" "${project_path}" 2>/dev/null || true
+      fi
       _worktree_cleanup "\$WT" "\$BRANCH"
       _loop_event idle "\${CYCLE_ID}" "" "" || true
       # FIX-F (2026-05-25): explicitly write the terminal "idle" cycle_end +
@@ -9115,12 +9203,42 @@ if [ "\$_USE_WORKTREE" = "1" ]; then
       echo "[loop] cycle \${CYCLE_ID}: idle (no new commits); worktree cleaned"
     else
       _is_doc_only=0
-      ( cd "\$WT" && _loop_is_doc_only_change ) && _is_doc_only=1
+      # US-LOOP-068: for roll-meta stories, doc-only check runs in roll-meta worktree
+      if [ "\${_ROLL_META_TARGET:-0}" = "1" ]; then
+        ( cd "\$WT/.roll" && _loop_is_doc_only_change ) && _is_doc_only=1
+      else
+        ( cd "\$WT" && _loop_is_doc_only_change ) && _is_doc_only=1
+      fi
+      # US-LOOP-069: roll-meta boundary guard — abort if a roll-meta story touched product files
+      if ! _loop_guard_roll_meta_boundary "\$WT" "\$ROLL_LOOP_ROUTED_STORY"; then
+        _loop_event cycle_end "\${CYCLE_ID}" "" "failed" || true; _CYCLE_END_WRITTEN=1
+        _phases_guard=\$(_phases_to_json 2>/dev/null); [ -z "\$_phases_guard" ] && _phases_guard='{}'
+        _runs_append "failed" 0 "[]" "\$_phases_guard" 2>/dev/null || true
+        echo "[loop] cycle \${CYCLE_ID}: US-LOOP-069 blocked — roll-meta story touched product files; worktree preserved at \$WT"
+        trap '_inner_cleanup' EXIT
+        exit 0
+      fi
+      # US-LOOP-068: roll-meta test gate — run roll-meta tests when ops/ changed
+      if [ "\${_ROLL_META_TARGET:-0}" = "1" ]; then
+        if ! _loop_roll_meta_test_gate "\$WT"; then
+          _loop_event cycle_end "\${CYCLE_ID}" "" "failed" || true; _CYCLE_END_WRITTEN=1
+          _phases_test=\$(_phases_to_json 2>/dev/null); [ -z "\$_phases_test" ] && _phases_test='{}'
+          _runs_append "failed" 0 "[]" "\$_phases_test" 2>/dev/null || true
+          echo "[loop] cycle \${CYCLE_ID}: roll-meta test gate failed; worktree preserved at \$WT"
+          trap '_inner_cleanup' EXIT
+          exit 0
+        fi
+      fi
       _phase_begin publish_push
-      if [ "\$_is_doc_only" -eq 1 ]; then
-        ( cd "\$WT" && _loop_publish_doc_pr "\$BRANCH" "doc: loop cycle \${CYCLE_ID}" )
+      # US-LOOP-068: roll-meta stories publish to roll-meta remote
+      if [ "\${_ROLL_META_TARGET:-0}" = "1" ]; then
+        _loop_roll_meta_publish "\$WT" "\$BRANCH" "loop cycle \${CYCLE_ID}"
       else
-        ( cd "\$WT" && _loop_publish_pr "\$BRANCH" "loop cycle \${CYCLE_ID}" )
+        if [ "\$_is_doc_only" -eq 1 ]; then
+          ( cd "\$WT" && _loop_publish_doc_pr "\$BRANCH" "doc: loop cycle \${CYCLE_ID}" )
+        else
+          ( cd "\$WT" && _loop_publish_pr "\$BRANCH" "loop cycle \${CYCLE_ID}" )
+        fi
       fi
       _publish_status=\$?
       if [ "\$_publish_status" -eq 0 ]; then
@@ -9140,6 +9258,10 @@ if [ "\$_USE_WORKTREE" = "1" ]; then
         # so dashboard renders #NN ✓/↩/… correctly. Must run while branch ref
         # is still resolvable on remote — gh pr view <branch> needs the head ref.
         _loop_emit_pr_final "\$BRANCH" 2>/dev/null || true
+        # US-LOOP-068: clean up roll-meta worktree before product worktree
+        if [ "\${_ROLL_META_TARGET:-0}" = "1" ]; then
+          _loop_roll_meta_worktree_cleanup "\$WT" "\$BRANCH" "${project_path}" 2>/dev/null || true
+        fi
         _worktree_cleanup "\$WT" "\$BRANCH"
         _loop_event cycle_end "\${CYCLE_ID}" "" "done" || true; _CYCLE_END_WRITTEN=1
         # US-OBS-014: normal-completion path — push a fresh status snapshot.
@@ -9147,15 +9269,42 @@ if [ "\$_USE_WORKTREE" = "1" ]; then
         _phase_end cleanup ok
         echo "[loop] cycle \${CYCLE_ID}: published; worktree cleaned"
       elif [ "\$_publish_status" -eq 2 ]; then
-        if ( cd "${project_path}" && _worktree_merge_back "\$BRANCH" ); then
+        # US-LOOP-068: for roll-meta, merge_back doesn't apply — skip straight to
+        # the orphan-push safety net (roll-meta commits live on a different remote).
+        _merged_back=0
+        if [ "\${_ROLL_META_TARGET:-0}" = "1" ]; then
+          :
+        elif ( cd "${project_path}" && _worktree_merge_back "\$BRANCH" ); then
           _worktree_cleanup "\$WT" "\$BRANCH"
           # US-LOOP-005 T3: gh unavailable + ff merge_back OK → cycle_end done
           _loop_event cycle_end "\${CYCLE_ID}" "" "done" || true; _CYCLE_END_WRITTEN=1
           echo "[loop] cycle \${CYCLE_ID}: gh unavailable; merged via ff and cleaned up"
+          _merged_back=1
+        fi
+        # FIX-039: gh unavailable + merge_back failed — push orphan branch+tag to origin
+        # as final safety net so code is never local-only before worktree cleanup.
+        # Skip entirely when merge_back already finalized the cycle (the worktree is
+        # gone, so re-pushing from \$WT would spuriously fail and raise a false alert).
+        # US-LOOP-068: for roll-meta, push from roll-meta worktree
+        if [ "\$_merged_back" -ne 1 ]; then
+        _orphan_tag="loop-orphan-\${CYCLE_ID}"
+        if [ "\${_ROLL_META_TARGET:-0}" = "1" ]; then
+          if ( cd "\$WT/.roll" && git push origin "\$BRANCH" 2>/dev/null \
+               && git tag "\$_orphan_tag" 2>/dev/null \
+               && git push origin "\$_orphan_tag" 2>/dev/null ); then
+            _loop_roll_meta_worktree_cleanup "\$WT" "\$BRANCH" "${project_path}" 2>/dev/null || true
+            _worktree_cleanup "\$WT" "\$BRANCH"
+            # US-LOOP-005 T4: gh unavailable + orphan push OK → cycle_end orphan
+            _loop_event cycle_end "\${CYCLE_ID}" "" "orphan" || true; _CYCLE_END_WRITTEN=1
+            _worktree_alert "cycle \${CYCLE_ID}: gh+merge_back failed; FIX-039 pushed orphan+tag \${_orphan_tag}; worktree cleaned"
+            echo "[loop] cycle \${CYCLE_ID}: FIX-039: orphan branch+tag \${_orphan_tag} pushed; worktree cleaned"
+          else
+            # US-LOOP-005 T5: gh unavailable + all failed → cycle_end failed
+            _loop_event cycle_end "\${CYCLE_ID}" "" "failed" || true; _CYCLE_END_WRITTEN=1
+            _worktree_alert "cycle \${CYCLE_ID}: gh+merge_back+push all failed; worktree preserved at \$WT"
+            echo "[loop] cycle \${CYCLE_ID}: all publish paths failed; worktree preserved at \$WT"
+          fi
         else
-          # FIX-039: gh unavailable + merge_back failed — push orphan branch+tag to origin
-          # as final safety net so code is never local-only before worktree cleanup.
-          _orphan_tag="loop-orphan-\${CYCLE_ID}"
           if ( cd "\$WT" && git push origin "\$BRANCH" 2>/dev/null \
                && git tag "\$_orphan_tag" 2>/dev/null \
                && git push origin "\$_orphan_tag" 2>/dev/null ); then
@@ -9171,23 +9320,43 @@ if [ "\$_USE_WORKTREE" = "1" ]; then
             echo "[loop] cycle \${CYCLE_ID}: all publish paths failed; worktree preserved at \$WT"
           fi
         fi
+        fi
       else
         # FIX-039: PR publish failed — push orphan branch+tag to origin as safety net.
         # (_loop_publish_pr may have already pushed the branch; git push is idempotent.)
+        # US-LOOP-068: for roll-meta, push from roll-meta worktree
         _orphan_tag="loop-orphan-\${CYCLE_ID}"
-        if ( cd "\$WT" && git push origin "\$BRANCH" 2>/dev/null \
-             && git tag "\$_orphan_tag" 2>/dev/null \
-             && git push origin "\$_orphan_tag" 2>/dev/null ); then
-          _worktree_cleanup "\$WT" "\$BRANCH"
-          # US-LOOP-005 T6: PR publish failed + orphan push OK → cycle_end orphan
-          _loop_event cycle_end "\${CYCLE_ID}" "" "orphan" || true; _CYCLE_END_WRITTEN=1
-          _worktree_alert "cycle \${CYCLE_ID}: PR publish failed; FIX-039 pushed orphan+tag \${_orphan_tag}; worktree cleaned"
-          echo "[loop] cycle \${CYCLE_ID}: FIX-039: orphan branch+tag \${_orphan_tag} pushed; worktree cleaned"
+        if [ "\${_ROLL_META_TARGET:-0}" = "1" ]; then
+          if ( cd "\$WT/.roll" && git push origin "\$BRANCH" 2>/dev/null \
+               && git tag "\$_orphan_tag" 2>/dev/null \
+               && git push origin "\$_orphan_tag" 2>/dev/null ); then
+            _loop_roll_meta_worktree_cleanup "\$WT" "\$BRANCH" "${project_path}" 2>/dev/null || true
+            _worktree_cleanup "\$WT" "\$BRANCH"
+            # US-LOOP-005 T6: PR publish failed + orphan push OK → cycle_end orphan
+            _loop_event cycle_end "\${CYCLE_ID}" "" "orphan" || true; _CYCLE_END_WRITTEN=1
+            _worktree_alert "cycle \${CYCLE_ID}: PR publish failed; FIX-039 pushed orphan+tag \${_orphan_tag}; worktree cleaned"
+            echo "[loop] cycle \${CYCLE_ID}: FIX-039: orphan branch+tag \${_orphan_tag} pushed; worktree cleaned"
+          else
+            # US-LOOP-005 T7: PR publish failed + orphan push failed → cycle_end failed
+            _loop_event cycle_end "\${CYCLE_ID}" "" "failed" || true; _CYCLE_END_WRITTEN=1
+            _worktree_alert "cycle \${CYCLE_ID}: PR publish failed; worktree preserved at \$WT (branch \$BRANCH)"
+            echo "[loop] cycle \${CYCLE_ID}: PR publish failed; worktree preserved at \$WT"
+          fi
         else
-          # US-LOOP-005 T7: PR publish failed + orphan push failed → cycle_end failed
-          _loop_event cycle_end "\${CYCLE_ID}" "" "failed" || true; _CYCLE_END_WRITTEN=1
-          _worktree_alert "cycle \${CYCLE_ID}: PR publish failed; worktree preserved at \$WT (branch \$BRANCH)"
-          echo "[loop] cycle \${CYCLE_ID}: PR publish failed; worktree preserved at \$WT"
+          if ( cd "\$WT" && git push origin "\$BRANCH" 2>/dev/null \
+               && git tag "\$_orphan_tag" 2>/dev/null \
+               && git push origin "\$_orphan_tag" 2>/dev/null ); then
+            _worktree_cleanup "\$WT" "\$BRANCH"
+            # US-LOOP-005 T6: PR publish failed + orphan push OK → cycle_end orphan
+            _loop_event cycle_end "\${CYCLE_ID}" "" "orphan" || true; _CYCLE_END_WRITTEN=1
+            _worktree_alert "cycle \${CYCLE_ID}: PR publish failed; FIX-039 pushed orphan+tag \${_orphan_tag}; worktree cleaned"
+            echo "[loop] cycle \${CYCLE_ID}: FIX-039: orphan branch+tag \${_orphan_tag} pushed; worktree cleaned"
+          else
+            # US-LOOP-005 T7: PR publish failed + orphan push failed → cycle_end failed
+            _loop_event cycle_end "\${CYCLE_ID}" "" "failed" || true; _CYCLE_END_WRITTEN=1
+            _worktree_alert "cycle \${CYCLE_ID}: PR publish failed; worktree preserved at \$WT (branch \$BRANCH)"
+            echo "[loop] cycle \${CYCLE_ID}: PR publish failed; worktree preserved at \$WT"
+          fi
         fi
       fi
     fi
@@ -9507,15 +9676,11 @@ _install_launchd_plists() {
 
   # US-AUTO-044: "pr" is the 4th service — a 5-min PR Loop (period=5, empty hour
   # → StartInterval=300). No skill (it drives _loop_pr_inbox, not an agent).
-  # US-AUTO-045: "ci" is the 5th service — a 5-min CI Loop (period=5, empty hour
-  # → StartInterval=300). No skill (it drives _ci_scan, not an agent).
-  # US-AUTO-046: "alert" is the 6th service — a 1-min Alert Loop (period=1, empty
-  # hour → StartInterval=60). No skill (it drives _alert_dispatch, not an agent).
-  local services=("loop" "dream" "brief" "pr" "ci" "alert")
-  local skill_names=("roll-loop" "roll-.dream" "roll-brief" "" "" "")
-  local periods=("$loop_period" "60" "60" "5" "5" "1")
-  local offsets=("$loop_offset" "$dream_minute" "$brief_minute" "0" "0" "0")
-  local hours=("" "$dream_hour" "$brief_hour" "" "" "")
+  local services=("loop" "dream" "pr")
+  local skill_names=("roll-loop" "roll-.dream" "")
+  local periods=("$loop_period" "60" "5")
+  local offsets=("$loop_offset" "$dream_minute" "0")
+  local hours=("" "$dream_hour" "")
 
   local updated=0
   local slug; slug=$(_project_slug "$project_path")
@@ -9548,22 +9713,8 @@ _install_launchd_plists() {
       local pr_log="${project_path}/.roll/loop/pr.log"
       mkdir -p "${project_path}/.roll/loop"
       _write_pr_loop_runner_script "$runner" "$project_path" "${ROLL_PKG_DIR}/bin/roll" "$pr_log"
-    elif [[ "$svc" == "ci" ]]; then
-      # US-AUTO-045 Phase 2: lightweight CI Loop runner — drives _ci_scan every
-      # 5 min (no agent, no tmux). Records run timing, auto-reruns transient
-      # failures, and surfaces flaky / degradation stories.
-      local ci_log="${project_path}/.roll/loop/ci.log"
-      mkdir -p "${project_path}/.roll/loop"
-      _write_ci_loop_runner_script "$runner" "$project_path" "${ROLL_PKG_DIR}/bin/roll" "$ci_log"
-    elif [[ "$svc" == "alert" ]]; then
-      # US-AUTO-046 Phase 2: lightweight Alert Loop runner — drives _alert_dispatch
-      # every 1 min (no agent, no tmux). Consumes _LOOP_ALERT: parse → notify →
-      # record to alert-log.jsonl → rotate the file.
-      local alert_log="${project_path}/.roll/loop/alert.log"
-      mkdir -p "${project_path}/.roll/loop"
-      _write_alert_loop_runner_script "$runner" "$project_path" "${ROLL_PKG_DIR}/bin/roll" "$alert_log"
     else
-      # IDEA-051: dream/brief cron logs are project-local, mirroring loop (FIX-139).
+      # dream cron log is project-local, mirroring loop (FIX-139).
       local log="${project_path}/.roll/${svc}/cron.log"
       mkdir -p "${project_path}/.roll/${svc}"
       _write_runner_script "$runner" "$project_path" "cd \"${project_path}\" && ${cmd}" "$log"
@@ -9761,7 +9912,7 @@ _loop_on() {
     # does not disturb the overrides DB.
     local uid; uid=$(id -u)
     local all_loaded=true
-    for svc in loop dream brief pr ci alert; do
+    for svc in loop dream pr; do
       local label; label=$(_launchd_label "$svc" "$project_path")
       local plist; plist=$(_launchd_plist_path "$svc" "$project_path")
       if ! _launchd_is_loaded "$label"; then
@@ -9828,7 +9979,7 @@ _loop_off() {
   if [[ "$(uname)" == "Darwin" ]]; then
     local any_loaded=false
     local _skip_off; _launchd_should_skip_registry && _skip_off=1 || _skip_off=0
-    for svc in loop dream brief pr ci alert; do
+    for svc in loop dream pr; do
       local label; label=$(_launchd_label "$svc" "$project_path")
       if _launchd_is_loaded "$label"; then
         any_loaded=true
@@ -9843,7 +9994,7 @@ _loop_off() {
     fi
     local slug; slug=$(_project_slug "$project_path")
     local uid; uid=$(id -u)
-    for svc in loop dream brief pr ci alert; do
+    for svc in loop dream pr; do
       rm -f "${_SHARED_ROOT}/${svc}/run-${slug}.sh"
       # FIX-081: reverse the FIX-059 auto-bootstrap guard. `_install_launchd_plists`
       # writes `launchctl disable gui/<UID>/<label>` for every brand-new plist
@@ -10179,7 +10330,7 @@ _legacy_loop_status() {
   echo ""
   if [[ "$(uname)" == "Darwin" ]]; then
     echo -e "  Services   Agent: ${CYAN}${agent}${NC}"
-    for svc in loop dream brief pr ci alert; do
+    for svc in loop dream pr; do
       local state; state=$(_launchd_svc_state "$svc" "$project_path")
       if [[ "$svc" == "loop" ]] && $_is_paused; then
         local _paused_at; _paused_at=$(grep '^paused_at:' "$_LOOP_STATE" 2>/dev/null | awk '{print $2}' | tr -d '"')
@@ -10193,7 +10344,7 @@ _legacy_loop_status() {
         echo -e "    ${YELLOW}loop     ⏸ paused${NC}${_dur}   run: roll loop resume"
       else
         local _tick_age=""
-        case "$svc" in pr|ci|alert)
+        case "$svc" in pr)
           _tick_age=$(_loop_tick_age "$svc")
           [ -n "$_tick_age" ] && _tick_age="  tick ${_tick_age}"
         esac
@@ -11375,7 +11526,7 @@ _loop_pr_heal_self() {
 
   local agent; agent="$(_project_agent 2>/dev/null)"; agent="${agent:-claude}"
 
-  ( echo "$BASHPID" > "$lock"
+  ( echo "${BASHPID:-$$}" > "$lock"
     _loop_pr_do_heal "$num" "$head_ref" "$slug" "$agent" >/dev/null 2>&1
     rm -f "$lock"
   ) &
@@ -11434,7 +11585,10 @@ _loop_pr_do_heal() {
 _loop_pr_merge_approved() {
   local num="$1" ci_state="$2" mergeable="$3" slug="$4"
   [ -n "$num" ] && [ -n "$slug" ] || return 0
-  [ "$ci_state" = "success" ] && [ "$mergeable" = "MERGEABLE" ] || return 0
+  [ "$ci_state" = "success" ] || return 0
+  # MERGEABLE (GraphQL mergeable) or CLEAN (mergeStateStatus) — see
+  # _loop_pr_merge_self_eager for why both spellings must be accepted.
+  case "$mergeable" in MERGEABLE|CLEAN) ;; *) return 0 ;; esac
   if gh -R "$slug" pr merge "$num" --squash --delete-branch >/dev/null 2>&1; then
     info "PR #${num}: human-approved + CI green — merged"
   else
@@ -11490,7 +11644,7 @@ EOF
 # can enforce them at Step 2 (story pickup). Pure functions, no side effects.
 #
 # BACKLOG row format (relevant fragments):
-#   | [US-AUTO-033](...) | desc `depends-on:US-AUTO-037` `manual-only:true` | 📋 Todo |
+#   | [US-AUTO-033](...) | desc `depends-on:US-AUTO-037` | 📋 Todo |
 #   | FIX-100 | desc `depends-on:US-A,US-B` | 📋 Todo |
 #
 # Row matching is anchored on `^| [?<id>\b` so a story-id appearing in some
@@ -11539,15 +11693,14 @@ _loop_check_depends_on() {
   return 0
 }
 
-# _loop_is_manual_only <story-id> [backlog-path]
-#   Exit 0: story's own row carries any manual-only:<value> tag.
-#   Exit 1: tag absent, story-id not found, or backlog missing.
-#
-# FIX-109: loop used to accept only the literal `manual-only:true` value;
-# anything else (e.g. `manual-only:roll-meta`, `manual-only:sean-yao`) was
-# ignored and the story got picked. Now any non-empty `manual-only:<value>`
-# qualifies — lets users tag rows reserved for a specific human or scope.
-_loop_is_manual_only() {
+# FIX-172: detect whether a story routes its output to roll-meta — path-based,
+# never tag-based. A story is a roll-meta target iff its declared deliverable
+# **Files:** include a path under .roll/ that is NOT a status-management file
+# (.roll/backlog.md, .roll/features/). Every cycle flips its own backlog/feature
+# status under .roll/, so "touches .roll/" must NOT flag a product story; only a
+# genuine roll-meta deliverable (e.g. .roll/ops/watch.sh) counts.
+# Returns 0 when the story delivers to roll-meta.
+_loop_is_roll_meta_story() {
   local id="$1"
   local backlog="${2:-.roll/backlog.md}"
   [ -n "$id" ] || return 1
@@ -11557,7 +11710,30 @@ _loop_is_manual_only() {
   row=$(grep -E "^\| \[?${id}[]| ]" "$backlog" | head -1)
   [ -n "$row" ] || return 1
 
-  echo "$row" | grep -qE 'manual-only:[A-Za-z0-9_.-]+'
+  # Resolve the feature file from the row's markdown link: [id](path.md#anchor).
+  # Links appear in two relative forms — ".roll/features/x.md" (rel. to product
+  # root) or "features/x.md" (rel. to .roll). Normalise from "features/" onward
+  # and resolve against the backlog's own directory (the roll-meta root).
+  local link featrel metadir feat
+  link=$(printf '%s\n' "$row" | grep -oE '\([^)]+\.md' | head -1 | sed -E 's/^\(//')
+  [ -n "$link" ] || return 1
+  featrel=$(printf '%s\n' "$link" | sed -E 's#^.*(features/.*)#\1#')
+  metadir=$(dirname "$backlog")
+  feat="${metadir}/${featrel}"
+  [ -f "$feat" ] || return 1
+
+  # Extract this story's **Files:** block, then test for a roll-meta deliverable
+  # path (under .roll/ but not the universal status-management files).
+  awk -v id="$id" '
+    $0 ~ ("^## " id "( |$)") {insec=1; next}
+    insec && /^## / {exit}
+    insec && /^\*\*Files:\*\*/ {infiles=1; next}
+    insec && infiles && /^\*\*/ {exit}
+    insec && infiles {print}
+  ' "$feat" \
+    | grep -oE '\.roll/[A-Za-z0-9_./-]+' \
+    | grep -vE '^\.roll/backlog\.md$|^\.roll/features/' \
+    | grep -q .
 }
 
 # US-AUTO-034: PR-first inbox — loop processes open PRs before scanning BACKLOG.
@@ -11577,40 +11753,25 @@ _loop_is_manual_only() {
 
 # _loop_pr_classify <head_ref> <human_review_state> <ci_state> <mergeable_state>
 #   Prints one of:
-#     loop_self
-#     blocked_human_request_changes
-#     blocked_human_approved
-#     stale
-#     eligible
-#   Exit 0 always — callers parse the printed token.
+#     ci_red    — CI failed → heal
+#     stale     — needs rebase / conflicting / behind
+#     ready     — CI green + clean → merge
+#   Human review intentionally irrelevant — CI is the only gate.
 _loop_pr_classify() {
   local head_ref="${1:-}"
   local human_review="${2:-}"
   local ci_state="${3:-}"
   local mergeable="${4:-}"
 
-  case "$head_ref" in
-    loop/*)
-      # US-LOOP-049: loop/* PRs with CI failure get their own classification
-      # so _loop_pr_inbox can route them to the PR hot-fix path.
-      if [[ "$ci_state" == "failure" ]]; then
-        echo "loop_self_ci_red"; return 0
-      fi
-      echo "loop_self"; return 0
-      ;;
-  esac
-
-  case "$human_review" in
-    CHANGES_REQUESTED) echo "blocked_human_request_changes"; return 0 ;;
-    APPROVED)          echo "blocked_human_approved";         return 0 ;;
+  case "$mergeable" in
+    BEHIND|DIRTY|CONFLICTING) echo "stale"; return 0 ;;
   esac
 
-  if [ "$ci_state" = "failure" ] || [ "$mergeable" = "CONFLICTING" ] || [ "$mergeable" = "BEHIND" ]; then
-    echo "stale"
-    return 0
+  if [ "$ci_state" = "failure" ]; then
+    echo "ci_red"; return 0
   fi
 
-  echo "eligible"
+  echo "ready"
 }
 
 # _loop_pr_rebase_circuit <pr_number>
@@ -11748,6 +11909,9 @@ _loop_pr_rebase_stale() {
   fi
 
   git fetch origin "$head_ref" 2>/dev/null || return 0
+  # Reset local tracking branch to the freshly-fetched remote state
+  # before rebasing, otherwise force-push destroys commits pushed by others.
+  git checkout -B "$head_ref" "origin/$head_ref" 2>/dev/null || return 0
 
   # FIX-159: save original branch so we can restore it unconditionally
   local _orig
@@ -11795,7 +11959,12 @@ _loop_pr_rebase_stale() {
 #   spec name. Both coexist until Phase 2 collapses the inbox path.
 _loop_pr_merge_self_eager() {
   local num="$1" ci_state="$2" mergeable="$3" slug="$4"
-  [ "$ci_state" = "success" ] && [ "$mergeable" = "MERGEABLE" ] || return 0
+  [ "$ci_state" = "success" ] || return 0
+  # Accept both the GraphQL `mergeable` enum (MERGEABLE) and the
+  # `mergeStateStatus` enum (CLEAN). _loop_pr_inbox feeds mergeStateStatus, so
+  # a ready-to-merge PR arrives as CLEAN in production — without it the eager
+  # merge never fired and self-PRs silently waited on repo-level auto-merge.
+  case "$mergeable" in MERGEABLE|CLEAN) ;; *) return 0 ;; esac
   gh -R "$slug" pr merge "$num" --squash --delete-branch >/dev/null 2>&1 \
     && info "PR #${num}: loop_self CI green — merged" \
     || warn "PR #${num}: loop_self merge failed — left open"
@@ -11847,7 +12016,7 @@ _loop_pr_inbox() {
       # All gates cleared (bot-approved + CI green + no conflicts) → merge directly.
       # Relying on repo-level auto-merge being configured is not reliable; loop
       # owns the decision here since it already ran the review.
-      if [ "$ci_state" = "success" ] && [ "$mergeable" = "MERGEABLE" ]; then
+      if [ "$ci_state" = "success" ] && { [ "$mergeable" = "MERGEABLE" ] || [ "$mergeable" = "CLEAN" ]; }; then
         gh -R "$slug" pr merge "$num" --squash --delete-branch >/dev/null 2>&1 \
           && info "PR #${num}: bot-approved + CI green — merged" \
           || warn "PR #${num}: merge failed (bot-approved + CI green) — left open"
@@ -11865,30 +12034,29 @@ _loop_pr_inbox() {
     verdict=$(_loop_pr_classify "$head_ref" "$human_review" "$ci_state" "$mergeable")
 
     case "$verdict" in
-      loop_self)
-        _loop_pr_merge_self_eager "$num" "$ci_state" "$mergeable" "$slug"
-        ;;
-      loop_self_ci_red)
-        # US-LOOP-062a: a red loop/* PR (classified by US-LOOP-049) is now
-        # background-healed: bounded retries via heal budget + dynamic agent,
-        # falling back to the deduped [TYPE:loop-pr-ci-red] ALERT (FIX-158's
-        # surfacing) when heal is disabled/exhausted. Re-wires US-LOOP-050.
+      ci_red)
         _loop_pr_heal_self "$num" "$head_ref" "$slug" || true
         ;;
-      blocked_human_request_changes)
-        : # skip — last human review requested changes; wait for the author
-        ;;
-      blocked_human_approved)
-        # US-LOOP-062b: human approved — merge directly when green + mergeable
-        # (don't wait for repo auto-merge, which may be off).
-        _loop_pr_merge_approved "$num" "$ci_state" "$mergeable" "$slug" || true
-        ;;
       stale)
         _loop_pr_rebase_circuit "$num" || true
-        _loop_pr_rebase_stale "$num" "$head_ref" || true
+        if _loop_pr_rebase_stale "$num" "$head_ref" || true; then
+          # Re-fetch PR state after rebase — if now clean, merge immediately.
+          local _re_view
+          _re_view=$(gh -R "$slug" pr view "$num" --json mergeStateStatus,statusCheckRollup 2>/dev/null) || true
+          if [ -n "$_re_view" ]; then
+            local _re_ci _re_mb
+            _re_ci=$(echo "$_re_view" | jq -r '
+              if (.statusCheckRollup | length) == 0 then ""
+              elif any(.statusCheckRollup[]?; .conclusion == "FAILURE") then "failure"
+              elif all(.statusCheckRollup[]?; .conclusion == "SUCCESS" or .conclusion == "SKIPPED") then "success"
+              else "pending" end' 2>/dev/null)
+            _re_mb=$(echo "$_re_view" | jq -r '.mergeStateStatus // ""' 2>/dev/null)
+            _loop_pr_merge_self_eager "$num" "$_re_ci" "$_re_mb" "$slug"
+          fi
+        fi
         ;;
-      eligible)
-        _loop_pr_review_external "$num" || true
+      ready)
+        _loop_pr_merge_self_eager "$num" "$ci_state" "$mergeable" "$slug"
         ;;
     esac
 
@@ -11902,7 +12070,7 @@ _loop_pr_inbox() {
 #
 # Loop-safe building blocks for the future PR Loop (com.roll.pr.<slug>.plist,
 # 5-min cadence). Phase 1 ships the helpers + tests only; Phase 2 (runner /
-# plist / main-loop wiring) is manual-only and out of scope here.
+# plist / main-loop wiring) is wired by hand and out of scope here.
 #
 # All helpers are lenient on a missing `gh` binary or any gh failure: they
 # return 0 so a loop iteration never aborts on a single bad PR. State writes
@@ -12086,558 +12254,13 @@ _loop_pr_route() {
   return 0
 }
 
-# US-AUTO-045 Phase 1: dedicated CI Loop helpers (loop-safe pure additions).
-#
-# These six helpers collect CI timing data, classify failures, auto-rerun
-# transient flakes, and surface flaky / degradation signals as backlog
-# entries. They are NOT yet wired into any runner or launchd plist — that is
-# Phase 2 (manual-only:true). Each is unit-tested in
-# tests/unit/roll_loop_ci_loop.bats with gh stubbed. Do not delete or inline.
-#
-# State lives under project-local .roll/state/:
-#   ci-timing.jsonl       append-only NDJSON, one line per recorded CI run
-#   ci-rerun-state.yaml   minimal YAML: rerun attempt count per run_id
-# _LOOP_ALERT is the existing shared alert file (real failures, rerun limits).
-
-# _ci_state_dir
-#   Echo the project-local CI state directory, creating it if needed.
-#   Resolves relative to the current working dir's .roll/ (tests cd into a
-#   sandbox; the live loop runner cds into the project root).
-_ci_state_dir() {
+# _alert_log_file — echo path to alert-log.jsonl (used by `roll alert log` CLI).
+_alert_log_file() {
   local dir=".roll/state"
   mkdir -p "$dir" 2>/dev/null || true
-  echo "$dir"
-}
-
-# _ci_record_timing <run_json>
-#   Parse one `gh run list --json ...` object and append a flat NDJSON line to
-#   ci-timing.jsonl. Idempotent: a run_id already present in the file is
-#   skipped. Duration is computed from createdAt → updatedAt (gh exposes no
-#   native duration field). Returns 0 always (loop-safe).
-_ci_record_timing() {
-  local json="$1"
-  [ -n "$json" ] || return 0
-
-  local run_id workflow conclusion status created updated
-  run_id=$(echo "$json" | jq -r '.databaseId // ""' 2>/dev/null)
-  [ -n "$run_id" ] || return 0
-
-  local dir; dir=$(_ci_state_dir)
-  local file="${dir}/ci-timing.jsonl"
-
-  # Idempotency: skip if this run_id is already recorded.
-  if [ -f "$file" ] && grep -q "\"run_id\":${run_id}," "$file" 2>/dev/null; then
-    return 0
-  fi
-
-  workflow=$(echo "$json" | jq -r '.workflowName // .name // ""' 2>/dev/null)
-  conclusion=$(echo "$json" | jq -r '.conclusion // ""' 2>/dev/null)
-  status=$(echo "$json" | jq -r '.status // ""' 2>/dev/null)
-  created=$(echo "$json" | jq -r '.createdAt // ""' 2>/dev/null)
-  updated=$(echo "$json" | jq -r '.updatedAt // ""' 2>/dev/null)
-
-  # Duration in seconds from ISO-8601 timestamps; 0 if either is missing or
-  # unparseable. `date -j` (BSD) and `date -d` (GNU) differ — try both.
-  local dur=0 c_epoch u_epoch
-  if [ -n "$created" ] && [ -n "$updated" ]; then
-    c_epoch=$(_ci_iso_to_epoch "$created")
-    u_epoch=$(_ci_iso_to_epoch "$updated")
-    if [ -n "$c_epoch" ] && [ -n "$u_epoch" ] && [ "$u_epoch" -ge "$c_epoch" ] 2>/dev/null; then
-      dur=$((u_epoch - c_epoch))
-    fi
-  fi
-
-  printf '{"run_id":%s,"workflow":"%s","conclusion":"%s","status":"%s","duration_sec":%s,"recorded_at":"%s"}\n' \
-    "$run_id" "$workflow" "$conclusion" "$status" "$dur" \
-    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$file"
-  return 0
-}
-
-# _ci_iso_to_epoch <iso8601>
-#   Convert an ISO-8601 UTC timestamp (2026-05-30T10:00:00Z) to epoch seconds.
-#   Echoes nothing on failure. Handles both BSD (macOS) and GNU date.
-_ci_iso_to_epoch() {
-  local iso="$1"
-  [ -n "$iso" ] || return 0
-  local e
-  # GNU date
-  e=$(date -u -d "$iso" +%s 2>/dev/null) && { echo "$e"; return 0; }
-  # BSD date (strip trailing Z, parse explicit format)
-  local trimmed="${iso%Z}"
-  e=$(date -u -j -f "%Y-%m-%dT%H:%M:%S" "$trimmed" +%s 2>/dev/null) && { echo "$e"; return 0; }
-  return 0
-}
-
-# _ci_classify_failure <run_id>
-#   Inspect `gh run view <id> --log-failed` and classify the failure as
-#   "transient" (infra flake: network, timeout, runner death) or "real"
-#   (genuine test/build failure). Echoes "transient" or "real".
-#   Empty / unavailable logs default to "real" (fail safe — don't auto-rerun
-#   something we can't read).
-_ci_classify_failure() {
-  local run_id="$1"
-  [ -n "$run_id" ] || { echo "real"; return 0; }
-  local slug; _gh_resolve slug 2>/dev/null || slug=""
-
-  local log
-  if [ -n "$slug" ]; then
-    log=$(gh -R "$slug" run view "$run_id" --log-failed 2>/dev/null)
-  else
-    log=$(gh run view "$run_id" --log-failed 2>/dev/null)
-  fi
-
-  # Transient signatures: network/infra failures that a rerun typically clears.
-  if echo "$log" | grep -qiE 'ETIMEDOUT|ECONNRESET|ENOTFOUND|EAI_AGAIN|shutdown signal|runner.*(error|lost|terminated)|The runner has received a shutdown|503 Service|connection reset|TLS handshake|i/o timeout|could not resolve host'; then
-    echo "transient"
-    return 0
-  fi
-  echo "real"
-  return 0
-}
-
-# _ci_rerun_state_file
-#   Echo path to ci-rerun-state.yaml (creating the dir).
-_ci_rerun_state_file() {
-  local dir; dir=$(_ci_state_dir)
-  echo "${dir}/ci-rerun-state.yaml"
-}
-
-# _ci_rerun_attempts <run_id>
-#   Echo the recorded rerun attempt count for <run_id> (0 if none).
-_ci_rerun_attempts() {
-  local run_id="$1"
-  local file; file=$(_ci_rerun_state_file)
-  [ -f "$file" ] || { echo 0; return 0; }
-  local n
-  n=$(awk -v key="\"${run_id}\":" '$1 == key { print $2 }' "$file" 2>/dev/null | head -1)
-  case "$n" in
-    ''|*[!0-9]*) echo 0 ;;
-    *) echo "$n" ;;
-  esac
-}
-
-# _ci_rerun_state_write <run_id> <attempts>
-#   Set the attempt count for <run_id> in ci-rerun-state.yaml. Minimal YAML
-#   writer (we own the schema): one `"<run_id>": <n>` line per run.
-_ci_rerun_state_write() {
-  local run_id="$1" attempts="$2"
-  local file; file=$(_ci_rerun_state_file)
-  [ -f "$file" ] || : > "$file"
-  local tmp; tmp=$(mktemp)
-  awk -v key="\"${run_id}\":" -v val="$attempts" '
-    $1 == key { print key " " val; found=1; next }
-    { print }
-    END { if (!found) print key " " val }
-  ' "$file" > "$tmp" && mv "$tmp" "$file"
-}
-
-# _ci_rerun_transient <run_id>
-#   Auto-rerun a transient CI failure, capped at 2 attempts. attempt<2 →
-#   `gh run rerun`; attempt>=2 → write an error ALERT. Echoes the action taken
-#   ("rerun" / "limit"). Loop-safe (returns 0).
-_ci_rerun_transient() {
-  local run_id="$1"
-  [ -n "$run_id" ] || return 0
-  local slug; _gh_resolve slug 2>/dev/null || slug=""
-
-  local attempts; attempts=$(_ci_rerun_attempts "$run_id")
-  if [ "$attempts" -ge 2 ]; then
-    local alert="$_LOOP_ALERT"
-    mkdir -p "$(dirname "$alert")" 2>/dev/null || true
-    printf '[%s] [error] [TYPE:ci-rerun-limit] CI rerun reached limit: run #%s (%s attempts)\n' \
-      "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$run_id" "$attempts" >> "$alert"
-    echo "limit"
-    return 0
-  fi
-
-  if [ -n "$slug" ]; then
-    gh -R "$slug" run rerun "$run_id" >/dev/null 2>&1 || true
-  else
-    gh run rerun "$run_id" >/dev/null 2>&1 || true
-  fi
-  _ci_rerun_state_write "$run_id" "$((attempts + 1))"
-  echo "rerun"
-  return 0
-}
-
-# _ci_open_story <type> <title>
-#   Append a FIX or US row to .roll/backlog.md's `| ID | Description | Status |`
-#   table. Idempotent: if a 📋 Todo row with the same title already exists, skip
-#   (echo "skip"). New IDs auto-increment from the max existing <TYPE>-NNN.
-#   Echoes the new ID on success, "skip" if already queued.
-_ci_open_story() {
-  local type="$1" title="$2"
-  [ -n "$type" ] && [ -n "$title" ] || return 0
-
-  # Resolve the backlog file (project-local).
-  local backlog=".roll/backlog.md"
-  [ -f "$backlog" ] || { echo "skip"; return 0; }
-
-  # Idempotency: same title already queued as Todo → skip.
-  if grep -F "$title" "$backlog" 2>/dev/null | grep -q '📋 Todo'; then
-    echo "skip"
-    return 0
-  fi
-
-  # Auto-increment: find the max existing <TYPE>-NNN id.
-  local prefix max next
-  prefix=$(echo "$type" | tr '[:lower:]' '[:upper:]')
-  max=$(grep -oE "${prefix}-[0-9]+" "$backlog" 2>/dev/null \
-        | sed "s/${prefix}-//" \
-        | sort -n | tail -1)
-  case "$max" in ''|*[!0-9]*) max=0 ;; esac
-  # 10# prefix forces base-10: a zero-padded id like 008/009 would otherwise be
-  # parsed as octal and either misnumber (010→8) or error ("value too great").
-  next=$((10#$max + 1))
-  local id
-  id=$(printf '%s-%03d' "$prefix" "$next")
-
-  printf '| %s | %s | 📋 Todo |\n' "$id" "$title" >> "$backlog"
-  echo "$id"
-  return 0
-}
-
-# _ci_detect_flaky
-#   Scan the last 20 ci-timing.jsonl lines, group by workflow, and flag any
-#   workflow whose recent runs have a 20%–80% failure rate (2..8 failures of
-#   the last 10) as flaky — opening a FIX story. Returns 0 (loop-safe).
-_ci_detect_flaky() {
-  local dir; dir=$(_ci_state_dir)
-  local file="${dir}/ci-timing.jsonl"
-  [ -f "$file" ] || return 0
-
-  # Per workflow: count total + failures over the most recent 10 records.
-  # awk reads last 20 lines (tail), keeps last 10 per workflow. Output is
-  # collected into a variable (not piped to `while`) so an empty result or
-  # an intermediate nonzero exit cannot trip a caller's ERR trap.
-  local flaky_wfs
-  flaky_wfs=$(tail -n 20 "$file" 2>/dev/null | awk '
-    {
-      # crude field extraction from flat JSON line
-      wf=""; concl="";
-      if (match($0, /"workflow":"[^"]*"/)) { wf=substr($0,RSTART+12,RLENGTH-13) }
-      if (match($0, /"conclusion":"[^"]*"/)) { concl=substr($0,RSTART+14,RLENGTH-15) }
-      if (wf=="") next
-      order[wf]=order[wf]" "NR
-      val[wf"|"NR]=concl
-    }
-    END {
-      for (wf in order) {
-        n=split(order[wf], idx, " ")
-        # keep most recent 10
-        start=1; if (n-10 > 0) start=n-9
-        total=0; fail=0
-        for (i=start;i<=n;i++) {
-          if (idx[i]=="") continue
-          total++
-          c=val[wf"|"idx[i]]
-          if (c=="failure" || c=="timed_out" || c=="cancelled") fail++
-        }
-        if (total>=4 && fail>=2 && fail<=8 && fail*100 <= total*80 && fail*100 >= total*20) {
-          print wf
-        }
-      }
-    }
-  ' || true)
-
-  local wf
-  for wf in $flaky_wfs; do
-    [ -n "$wf" ] && _ci_open_story FIX "flaky: ${wf}" >/dev/null || true
-  done
-  return 0
-}
-
-# _ci_detect_degradation
-#   Scan the last 20 ci-timing.jsonl lines, compute mean duration per workflow,
-#   and open a US story when a workflow crosses its threshold:
-#     unit*        > 300s  (5 min)
-#     integration* > 900s  (15 min)
-#   Returns 0 (loop-safe).
-_ci_detect_degradation() {
-  local dir; dir=$(_ci_state_dir)
-  local file="${dir}/ci-timing.jsonl"
-  [ -f "$file" ] || return 0
-
-  local degraded
-  degraded=$(tail -n 20 "$file" 2>/dev/null | awk '
-    {
-      wf=""; dur=0;
-      if (match($0, /"workflow":"[^"]*"/)) { wf=substr($0,RSTART+12,RLENGTH-13) }
-      if (match($0, /"duration_sec":[0-9]+/)) { dur=substr($0,RSTART+15,RLENGTH-15)+0 }
-      if (wf=="") next
-      sum[wf]+=dur; cnt[wf]++
-    }
-    END {
-      for (wf in sum) {
-        if (cnt[wf]==0) continue
-        avg=sum[wf]/cnt[wf]
-        lc=tolower(wf)
-        if (index(lc,"unit")>0 && avg>300)        { print wf "\t" int(avg) }
-        else if (index(lc,"integration")>0 && avg>900) { print wf "\t" int(avg) }
-      }
-    }
-  ' || true)
-
-  local line wf avg
-  # IFS=newline so each "wf<TAB>avg" record is one iteration; field-split on TAB.
-  local _oifs="$IFS"
-  IFS='
-'
-  for line in $degraded; do
-    IFS="$_oifs"
-    wf=$(printf '%s' "$line" | cut -f1)
-    avg=$(printf '%s' "$line" | cut -f2)
-    [ -n "$wf" ] && _ci_open_story US "CI degradation: ${wf} avg ${avg}s exceeds threshold" >/dev/null || true
-    IFS='
-'
-  done
-  IFS="$_oifs"
-  return 0
-}
-
-# _ci_scan
-#   US-AUTO-045 Phase 2 orchestrator: the entry the CI Loop runner drives every
-#   5 min. Lists recent `main`-branch CI runs, records each run's timing, and on
-#   a `failure` conclusion classifies it — auto-rerunning transient infra
-#   flakes. After the loop it runs the flaky + degradation detectors over the
-#   accumulated history. Lenient on gh unavailability (missing / failed list →
-#   return 0) so the service never errors out a tick.
-_ci_scan() {
-  local slug; _gh_resolve slug 2>/dev/null || { _loop_write_tick "ci" "idle" "gh_unavailable"; return 0; }
-
-  local runs_json
-  runs_json=$(gh -R "$slug" run list --branch main \
-    --json databaseId,workflowName,name,conclusion,status,createdAt,updatedAt \
-    2>/dev/null) || { _loop_write_tick "ci" "idle" "gh_error"; return 0; }
-  [ -n "$runs_json" ] || { _loop_write_tick "ci" "idle" "empty_response"; return 0; }
-
-  # An empty list ("[]") still falls through to the detectors below: they run
-  # over accumulated history, not just this tick's runs.
-  local count; count=$(echo "$runs_json" | jq 'length' 2>/dev/null || echo 0)
-  case "$count" in ''|*[!0-9]*) count=0 ;; esac
-
-  local i=0
-  while [ "$i" -lt "$count" ]; do
-    local run_json conclusion run_id
-    run_json=$(echo "$runs_json" | jq -c ".[$i]" 2>/dev/null)
-    _ci_record_timing "$run_json"
-
-    conclusion=$(echo "$run_json" | jq -r '.conclusion // ""' 2>/dev/null)
-    if [ "$conclusion" = "failure" ]; then
-      run_id=$(echo "$run_json" | jq -r '.databaseId // ""' 2>/dev/null)
-      if [ -n "$run_id" ]; then
-        local kind; kind=$(_ci_classify_failure "$run_id")
-        [ "$kind" = "transient" ] && _ci_rerun_transient "$run_id" >/dev/null
-      fi
-    fi
-    i=$((i + 1))
-  done
-
-  _ci_detect_flaky
-  _ci_detect_degradation
-  _loop_write_tick "ci" "acted" "scan_done"
-  return 0
-}
-
-# ═══════════════════════════════════════════════════════════════════════════════
-# US-AUTO-046 Phase 1: dedicated Alert Loop helpers (loop-safe, pure bash)
-# ═══════════════════════════════════════════════════════════════════════════════
-# These consume the existing $_LOOP_ALERT file — until now a write-only dumb file
-# that every loop appends to but nobody reads. The Alert Loop turns it into a
-# real consumer: parse → dedup (1h per category) → notify (error always) →
-# log → rotate. They are NOT yet wired into any runner or launchd plist — that
-# is Phase 2 (manual-only:true). Each is unit-tested in
-# tests/unit/roll_loop_alert_loop.bats with _notify stubbed. Do not delete or
-# inline.
-#
-# State lives under project-local .roll/state/ (shared with the CI Loop):
-#   alert-log.jsonl   append-only NDJSON, one line per consumed alert
-# $_LOOP_ALERT.prev is the rotated copy (kept for debugging).
-#
-# Line format ($_LOOP_ALERT) — new tagged format, old format read-compatible:
-#   [2026-05-26T10:00:00] [error] [TYPE:ci-real-failure] CI failed: run #123
-#   [2026-05-26T10:00:00] some legacy message        → level=warn category=legacy
-
-# _alert_parse_file [file]
-#   Parse each non-empty line of $_LOOP_ALERT (or <file>) into a TAB-separated
-#   record `ts<TAB>level<TAB>category<TAB>message`, one per output line. The
-#   leading `[ts]` is extracted when present; optional `[level]` and
-#   `[TYPE:category]` tags follow. Untagged (legacy) lines default to
-#   level=warn, category=legacy, with the whole remainder as the message.
-#   Markdown headers / ack footers (lines starting with `#` or `**`) are skipped.
-#   Echoes nothing for a missing/empty file. Loop-safe (returns 0).
-_alert_parse_file() {
-  local file="${1:-$_LOOP_ALERT}"
-  [ -n "$file" ] && [ -f "$file" ] || return 0
-
-  awk '
-    {
-      line=$0
-      # skip blank lines and markdown chrome (headers, ack footers)
-      if (line ~ /^[ \t]*$/) next
-      if (line ~ /^[ \t]*#/) next
-      if (line ~ /^[ \t]*\*\*/) next
-
-      ts=""; level=""; category=""
-
-      # leading [timestamp]
-      if (match(line, /^\[[^]]*\]/)) {
-        ts=substr(line, RSTART+1, RLENGTH-2)
-        line=substr(line, RSTART+RLENGTH)
-        sub(/^[ \t]+/, "", line)
-      }
-      # optional [level]  (error|warn|info)
-      if (match(line, /^\[(error|warn|info)\]/)) {
-        level=substr(line, RSTART+1, RLENGTH-2)
-        line=substr(line, RSTART+RLENGTH)
-        sub(/^[ \t]+/, "", line)
-      }
-      # optional [TYPE:category]
-      if (match(line, /^\[TYPE:[^]]*\]/)) {
-        category=substr(line, RSTART+6, RLENGTH-7)
-        line=substr(line, RSTART+RLENGTH)
-        sub(/^[ \t]+/, "", line)
-      }
-
-      # legacy "ALERT:" prefix on the remaining message — strip the keyword
-      sub(/^ALERT:[ \t]*/, "", line)
-
-      if (level=="") level="warn"
-      if (category=="") category="legacy"
-
-      printf "%s\t%s\t%s\t%s\n", ts, level, category, line
-    }
-  ' "$file"
-  return 0
-}
-
-# _alert_log_file
-#   Echo path to .roll/state/alert-log.jsonl (creating the dir). Reuses the
-#   CI Loop's _ci_state_dir so both loops share one project-local state dir.
-_alert_log_file() {
-  local dir; dir=$(_ci_state_dir)
   echo "${dir}/alert-log.jsonl"
 }
 
-# _alert_should_notify <category> <level>
-#   Decide whether an alert should fire a notification.
-#     error          → always true (immediate, never throttled)
-#     warn | info    → true unless a same-category alert was already notified
-#                      within the last hour (rate-limit / dedup)
-#   The 1h window is read from alert-log.jsonl (notified=1 entries only).
-#   Echoes "true" / "false".
-_alert_should_notify() {
-  local category="$1" level="$2"
-  [ "$level" = "error" ] && { echo "true"; return 0; }
-
-  local file; file=$(_alert_log_file)
-  [ -f "$file" ] || { echo "true"; return 0; }
-
-  local now; now=$(date -u +%s)
-  # Most recent notified=1 entry for this category → its recorded_at epoch.
-  local last
-  last=$(grep -F "\"category\":\"${category}\"" "$file" 2>/dev/null \
-         | grep -F '"notified":1' \
-         | tail -1 \
-         | sed -n 's/.*"recorded_at":"\([^"]*\)".*/\1/p')
-  [ -n "$last" ] || { echo "true"; return 0; }
-
-  local last_epoch; last_epoch=$(_ci_iso_to_epoch "$last")
-  [ -n "$last_epoch" ] || { echo "true"; return 0; }
-
-  # Within 1h (3600s) → throttle (false); otherwise allow.
-  if [ "$((now - last_epoch))" -lt 3600 ] 2>/dev/null; then
-    echo "false"
-  else
-    echo "true"
-  fi
-  return 0
-}
-
-# _alert_write_log <ts> <level> <category> <message> <notified>
-#   Append one NDJSON record to alert-log.jsonl. <notified> is the literal
-#   string "true"/"false" (or 1/0) and is normalized to 1/0. recorded_at is the
-#   consumption time (UTC), distinct from the alert's own <ts>. Quotes in the
-#   message are escaped so the line stays valid JSON. Loop-safe (returns 0).
-_alert_write_log() {
-  local ts="$1" level="$2" category="$3" message="$4" notified="$5"
-  local file; file=$(_alert_log_file)
-
-  local n=0
-  case "$notified" in true|1) n=1 ;; esac
-
-  # Escape backslashes then double-quotes for JSON string safety.
-  local esc
-  esc=$(printf '%s' "$message" | sed 's/\\/\\\\/g; s/"/\\"/g')
-
-  printf '{"ts":"%s","level":"%s","category":"%s","message":"%s","notified":%s,"recorded_at":"%s"}\n' \
-    "$ts" "$level" "$category" "$esc" "$n" \
-    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$file"
-  return 0
-}
-
-# _alert_rotate [file]
-#   Snapshot $_LOOP_ALERT (or <file>) to <file>.prev and truncate it in place.
-#   Idempotent: a missing source is a no-op (the .prev from a prior run is
-#   left untouched). Loop-safe (returns 0).
-#
-#   US-AUTO-046 (kimi peer-review Q2): copy+truncate instead of mv. `mv` swaps
-#   the inode at the path, so a producer loop (main/pr/ci) that opened its `>>`
-#   fd *before* the rotation but writes *after* it would land in `.prev` and be
-#   silently lost. Copying keeps the original inode at the path; the subsequent
-#   `:>` truncates that same inode, so any concurrent appender's fd still points
-#   at the live alert file and its write is read on the next 1-min tick.
-_alert_rotate() {
-  local file="${1:-$_LOOP_ALERT}"
-  [ -n "$file" ] || return 0
-  if [ -f "$file" ]; then
-    cat "$file" > "${file}.prev" 2>/dev/null || true
-    : > "$file"
-  fi
-  return 0
-}
-
-# _alert_dispatch [file]
-#   Main consumer entry point. Parse $_LOOP_ALERT → for each alert decide
-#   notify → fire _notify + record to alert-log.jsonl → rotate the file.
-#   A missing/empty alert file is a no-op (no rotate, no log). Loop-safe.
-_alert_dispatch() {
-  local file="${1:-$_LOOP_ALERT}"
-  [ -n "$file" ] && [ -f "$file" ] || { _loop_write_tick "alert" "idle" "no_file"; return 0; }
-  # Empty file → nothing to consume, leave it in place.
-  [ -s "$file" ] || { _loop_write_tick "alert" "idle" "empty_file"; return 0; }
-
-  local parsed; parsed=$(_alert_parse_file "$file")
-  [ -n "$parsed" ] || { _alert_rotate "$file"; _loop_write_tick "alert" "idle" "no_parsed"; return 0; }
-
-  local line ts level category message notify
-  local _oifs="$IFS"
-  IFS='
-'
-  for line in $parsed; do
-    IFS="$_oifs"
-    ts=$(printf '%s' "$line" | cut -f1)
-    level=$(printf '%s' "$line" | cut -f2)
-    category=$(printf '%s' "$line" | cut -f3)
-    message=$(printf '%s' "$line" | cut -f4-)
-
-    notify=$(_alert_should_notify "$category" "$level")
-    if [ "$notify" = "true" ]; then
-      _notify "roll alert: ${level}" "${message}" || true
-      _alert_write_log "$ts" "$level" "$category" "$message" "true"
-    else
-      _alert_write_log "$ts" "$level" "$category" "$message" "false"
-    fi
-    IFS='
-'
-  done
-  IFS="$_oifs"
-
-  _alert_rotate "$file"
-  _loop_write_tick "alert" "acted" "dispatch_done"
-  return 0
-}
-
 # FIX-070: flip a story row in the main repo's .roll/backlog.md between
 # 📋 Todo and 🔨 In Progress. The cycle worktree is gitignored at .roll/,
 # so editing the worktree copy + committing leaves no trace in git — and
@@ -12856,7 +12479,13 @@ _skill_write_self_score() {
     *) err "_skill_write_self_score: verdict must be good / ok / regression (got '$verdict')"; return 1 ;;
   esac
 
+  # FIX-176: anchor notes to <project>/.roll/notes regardless of cwd. When
+  # invoked with cwd already inside the .roll dir (e.g. a self-score run from
+  # within .roll), the bare ".roll/notes" doubled to .roll/.roll/notes.
   local notes_dir=".roll/notes"
+  if [ "$(basename "$PWD")" = ".roll" ]; then
+    notes_dir="notes"
+  fi
   mkdir -p "$notes_dir"
   local ts; ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
   local date_part="${ts%%T*}"
@@ -13113,7 +12742,7 @@ _changelog_audit_gate() {
 # US-AUTO-036: worktree helpers (loop-safe pure additions).
 #
 # Phase 1 of worktree isolation — these helpers are NOT yet called by
-# runner.sh. US-AUTO-037 (manual-only) wires them into
+# runner.sh. US-AUTO-037 (wired by hand) wires them into
 # _write_loop_runner_script. Do not delete or inline; they are unit-tested
 # in tests/unit/roll_worktree.bats.
 
@@ -13214,6 +12843,58 @@ _worktree_sync_meta() {
   fi
 }
 
+# US-LOOP-068: set up .roll/ inside the product worktree as a roll-meta git worktree.
+# Must be called after the product worktree is created.
+# Returns 0 on success, 1 on failure.
+_loop_roll_meta_worktree_setup() {
+  local wt="$1" branch="$2" project_path="$3"
+  local meta_repo="${project_path}/.roll"
+  [ -d "$meta_repo/.git" ] || { echo "[loop] roll-meta setup: ${meta_repo} is not a git repo"; return 1; }
+  rm -rf "${wt}/.roll"
+  git -C "$meta_repo" worktree add "${wt}/.roll" -b "$branch" "origin/main"
+}
+
+# US-LOOP-068: clean up the roll-meta worktree inside the product worktree.
+_loop_roll_meta_worktree_cleanup() {
+  local wt="$1" branch="$2" project_path="$3"
+  local meta_repo="${project_path}/.roll"
+  [ -d "$meta_repo/.git" ] || return 0
+  git -C "$meta_repo" worktree remove --force "${wt}/.roll" 2>/dev/null || true
+  rm -rf "${wt}/.roll" 2>/dev/null || true
+  git -C "$meta_repo" branch -D "$branch" 2>/dev/null || true
+}
+
+# US-LOOP-068: publish a PR from the roll-meta worktree.
+_loop_roll_meta_publish() {
+  local wt="$1" branch="$2" title="$3"
+  (cd "${wt}/.roll" && _loop_publish_pr "$branch" "$title")
+}
+
+# US-LOOP-068: run roll-meta test gate when .roll/ops/ files are modified.
+# Returns 0 when no ops changes or tests pass; 1 when tests fail.
+_loop_roll_meta_test_gate() {
+  local wt="$1"
+  local _ops_changed
+  _ops_changed=$(cd "${wt}/.roll" && git diff --name-only origin/main..HEAD 2>/dev/null | grep '^ops/' || true)
+  [ -n "$_ops_changed" ] || return 0
+  if ! command -v bats >/dev/null 2>&1; then
+    echo "[loop] roll-meta ops/ changed but bats not installed — skipping test gate"
+    return 0
+  fi
+  local _test_dir="${wt}/.roll/ops/tests"
+  if [ ! -d "$_test_dir" ]; then
+    echo "[loop] roll-meta ops/ changed but no $_test_dir found — skipping test gate"
+    return 0
+  fi
+  echo "[loop] roll-meta test gate: bats ${_test_dir}"
+  if ! bats "${_test_dir}" 2>/dev/null; then
+    echo "[loop] roll-meta test gate failed"
+    return 1
+  fi
+  echo "[loop] roll-meta test gate passed"
+  return 0
+}
+
 # _worktree_merge_back <branch>
 #   Caller must be in the main worktree (cwd = main). Steps:
 #     1. git pull --ff-only origin main   (sync local main with remote)
@@ -13412,8 +13093,8 @@ refs/heads/claude/*"
 # v1 type/est/risk routing). lib/agent_routes_lint.py is no longer invoked.
 
 # FIX-146: per-story eligibility gate, reusable for pick and re-validation.
-# Exit 0 when the story id is eligible to be worked (📋 Todo, not manual-only,
-# deps satisfied, no open PR). Exit 1 otherwise.
+# Exit 0 when the story id is eligible to be worked (📋 Todo, deps satisfied,
+# no open PR). Exit 1 otherwise.
 # Args: <story-id> [backlog-path] [open-pr-titles]
 _loop_story_is_eligible() {
   local id="$1"
@@ -13431,13 +13112,10 @@ _loop_story_is_eligible() {
   _status=$(printf '%s\n' "$row" | awk -F'|' '{for(i=NF;i>=1;i--) if($i ~ /[^ \t]/) {gsub(/^[ \t]+|[ \t]+$/, "", $i); print $i; exit}}')
   [ "$_status" = "📋 Todo" ] || return 1
 
-  # Gate 1: manual-only
-  _loop_is_manual_only "$id" "$backlog" 2>/dev/null && return 1
-
-  # Gate 2: depends-on
+  # Gate 1: depends-on
   _loop_check_depends_on "$id" "$backlog" >/dev/null 2>&1 || return 1
 
-  # Gate 3 (FIX-141): skip if an open PR already references this story id.
+  # Gate 2 (FIX-141): skip if an open PR already references this story id.
   if [ -n "$open_pr_titles" ] && printf '%s\n' "$open_pr_titles" | grep -qE "${id}([^0-9A-Za-z]|$)"; then
     return 1
   fi
@@ -13448,9 +13126,8 @@ _loop_story_is_eligible() {
 # US-AGENT-006: pick the next eligible 📋 Todo story from .roll/backlog.md
 # applying the same gates as the roll-loop SKILL Step 2:
 #   1. Status = 📋 Todo
-#   2. NOT manual-only:* tagged
-#   3. depends-on:* (if any) all ✅ Done
-#   4. Priority order: FIX > US > REFACTOR
+#   2. depends-on:* (if any) all ✅ Done
+#   3. Priority order: FIX > US > REFACTOR
 #
 # stdout: chosen story id (single line)
 # exit 0 when picked, 1 when nothing eligible.
@@ -13947,6 +13624,38 @@ _loop_is_doc_only_change() {
   return 0
 }
 
+# _loop_guard_roll_meta_boundary <worktree> <story_id>
+# US-LOOP-069: for roll-meta-target stories (deliverable under .roll/), verify
+# that no product-repo tracked files were modified in the worktree. Returns 0 if
+# safe (or not a roll-meta story), returns 1 if product files were touched and
+# writes ALERT. FIX-172: roll-meta-ness is path-based, not tag-based.
+_loop_guard_roll_meta_boundary() {
+  local wt="$1" story_id="$2"
+  [ -n "$story_id" ] || return 0
+  [ -d "$wt" ] || return 0
+
+  local _backlog="${ROLL_MAIN_PROJECT:-.}/.roll/backlog.md"
+  [ -f "$_backlog" ] || return 0
+
+  _loop_is_roll_meta_story "$story_id" "$_backlog" || return 0
+
+  local _changed _violations
+  _changed=$(cd "$wt" && git diff --name-only origin/main..HEAD 2>/dev/null || true)
+  [ -n "$_changed" ] || return 0
+
+  _violations=$(printf '%s\n' "$_changed" | grep -v '^\.roll/' || true)
+  if [ -n "$_violations" ]; then
+    local _alert
+    _alert="US-LOOP-069 guard blocked roll-meta story ${story_id}"
+    _alert="${_alert}"$'\n'"Touched product files (only .roll/ is allowed):"
+    _alert="${_alert}"$'\n'"${_violations}"
+    _worktree_alert "$_alert"
+    return 1
+  fi
+
+  return 0
+}
+
 # _loop_publish_doc_pr <branch> [title]
 #   Like _loop_publish_pr but merges immediately with --admin (no CI wait).
 #   For doc-only changes where CI is not meaningful.
@@ -14099,7 +13808,7 @@ _loop_monitor() {
       dream_sched=$(printf "%02d:%02d" "$dream_hour" "$dream_minute")
       brief_sched=$(printf "%02d:%02d" "$brief_hour" "$brief_minute")
 
-      local svcs=("loop" "dream" "brief")
+      local svcs=("loop" "dream" "pr")
       local scheds=("$loop_sched" "$dream_sched" "$brief_sched")
       for i in "${!svcs[@]}"; do
         local svc="${svcs[$i]}" schedule="${scheds[$i]}"
@@ -15528,11 +15237,10 @@ main() {
     test)          cmd_test "$@" ;;
     prices)        cmd_prices "$@" ;;
     changelog)     cmd_changelog "$@" ;;
+    consistency)   cmd_consistency "$@" ;;
     config)        cmd_config "$@" ;;
     _loop_render_exit_summary) _loop_render_exit_summary "$@" ;;
     _loop_pr_inbox) _loop_pr_inbox "$@" ;;
-    _ci_scan) _ci_scan "$@" ;;
-    _alert_dispatch) _alert_dispatch "$@" ;;
     version|--version|-v) echo "roll v${VERSION}" ;;
     help|--help|-h) _help "$@" ;;
     "") [[ -f ".roll/backlog.md" ]] && _home || { _help; _show_changelog; } ;;