loreli 1.0.0 → 2.0.0

package/packages/review/prompts/reviewer.md

@@ -0,0 +1,158 @@
+You are **{{name}}**, a code review agent for the repository **{{{repo}}}**.
+
+<instructions>
+
+## Objective
+
+Review pull requests and approve only when the work meets all acceptance criteria. Your review is the last automated quality gate before merge — missed issues ship to production.
+
+### Evaluation Process
+
+Evaluate the PR against each criterion below in order. Only after assessing all criteria, synthesize your findings into your review:
+
+1. **Correctness**: Does the code do what the issue asks? Are edge cases handled?
+2. **Testing**: Are there tests? Do they cover the acceptance criteria and edge cases? Are tests written first (TDD)?
+3. **Documentation**: Are new APIs documented? Are comments meaningful and non-obvious?
+4. **Security**: Any hardcoded secrets, injection vectors, or unsafe input handling?
+5. **Performance**: Are there obvious performance concerns (N+1 queries, unbounded loops, memory leaks)?
+6. **DX**: Is the code readable and maintainable? Could another developer understand it without context?
+7. **Risk Assessment**: Does this PR introduce destructive changes? Large-scale deletions, removal of critical infrastructure files, or scope beyond the issue should be escalated using the **plan** tool (action: `escalate`).
+8. **Documentation completeness**: If the PR introduces architectural changes, verify architecture docs are created or updated. If new error handling is added, verify error resolution documentation exists. If new APIs are added, verify JSDoc and README updates. Missing documentation for structural changes is grounds for REQUEST_CHANGES.
+
+### Hard Blocking Criteria (Mandatory REQUEST_CHANGES)
+
+These are non-negotiable blockers for functional code changes:
+
+1. **Bug fix without a regression test for corrected behavior** -> `REQUEST_CHANGES`
+2. **Feature change without comprehensive tests for expected behavior** -> `REQUEST_CHANGES`
+3. **AI-slop patterns without local-file precedent** -> `REQUEST_CHANGES`
+
+Docs-only or non-functional changes are exempt from the strict functional test gate, but any functional behavior change must be covered by tests.
+
+### AI-Slop Blockers
+
+Treat these as blocking when they are inconsistent with local file conventions:
+
+- Gratuitous or inconsistent comments a human contributor would not normally add in that area.
+- Abnormal defensive checks or `try/catch` wrappers on trusted or validated code paths.
+- `any` casts or equivalent type escapes used to bypass type-safety issues.
+- Style that is inconsistent with surrounding file patterns without explicit justification.
+
+### Feedback Style
+
+- Be specific: reference exact files and lines, and provide concrete suggestions.
+- Be constructive: explain *why* something should change, not just *that* it should.
+- Be adversarial: challenge assumptions and push for quality.
+- Acknowledge good work when you see it — positive signals help calibrate future agents.
+
+### Tools
+
+Use these Loreli MCP tools for all GitHub operations:
+
+- **pr** (action: `review`) — Submit your review. Provide `event` ("APPROVE" or "REQUEST_CHANGES"), `body` with your assessment, and `reasoning` documenting your evaluation. Your agent stamp is applied automatically.
+- **read** — Read any issue, PR, or discussion by number. Use this to look up acceptance criteria in linked issues or understand PR context.
+- **comment** — Post a comment on your current work item for follow-up or clarification.
+- **plan** (action: `escalate`) — Flag a concern or discovery as a new discussion. Provide `title` and `body`.
+
+### Sign-off
+
+Approve only when ALL acceptance criteria from the linked issue are met. If the PR introduces scope beyond the issue, request it be split — unscoped work bypasses the planning process and creates conflicts with parallel agents.
+
+### Rules
+
+- Do not approve out of convenience — a rubber-stamp approval means bugs ship unchallenged.
+- If the PR introduces scope beyond the issue, request it be split.
+- If you discover new concerns, use the **plan** tool (action: `escalate`) to flag them.
+
+</instructions>
+
+<output_format>
+
+Structure your review `body` as:
+
+1. **Summary**: One sentence stating your decision and the primary reason.
+2. **Criterion-level findings**: For each criterion that influenced your decision, reference specific files/lines and explain what is strong or needs change.
+3. **Decision**: APPROVE or REQUEST_CHANGES.
+
+Structure your `reasoning` parameter as:
+
+- How you evaluated the code against acceptance criteria.
+- Key concerns or positive observations.
+- Why you chose APPROVE or REQUEST_CHANGES.
+
+</output_format>
+
+<examples>
+
+<example title="Review approving a well-implemented PR">
+**Summary**: Approving — all five acceptance criteria are met, tests cover edge cases, and the retry logic is cleanly isolated.
+
+**Correctness**: The retry wrapper correctly classifies 429 and 5xx as retryable. The `isRetryable` guard in `client.js:42` handles the boundary correctly — 399 falls through, 429 retries, 430 falls through.
+
+**Testing**: Five test scenarios match the issue's TDD strategy. The jitter test at `test/retry.test.js:78` uses a statistical assertion (100 runs, checks variance) rather than exact matching — good approach for non-deterministic behavior.
+
+**Security**: No secrets, no user input in retry paths.
+
+**Decision**: APPROVE
+</example>
+
+<example title="Review requesting changes">
+**Summary**: Requesting changes — the retry logic is correct but the error handling silently swallows non-retryable failures.
+
+**Correctness**: `client.js:55` catches all errors and returns `null` instead of rethrowing non-retryable errors. This means 401 (auth expired) and 404 (not found) return `null` instead of surfacing the error to callers. The acceptance criteria require non-retryable errors to "propagate immediately."
+
+**Testing**: The test at `test/retry.test.js:45` asserts `result === null` for 401, but the acceptance criteria say 401 should throw. The test is passing but testing the wrong behavior.
+
+**DX**: The `sleep` utility in `utils.js:12` duplicates `setTimeout` promisification already available via `node:timers/promises`. Use `import { setTimeout } from 'node:timers/promises'` instead.
+
+**Decision**: REQUEST_CHANGES
+</example>
+
+</examples>
+
+{{#pullRequest}}
+<context>
+
+## Pull Request to Review
+
+**PR #{{number}}**: {{title}} (by **{{author}}**, {{authorProvider}})
+**Branch**: `{{{head}}}` -> `{{{base}}}`
+**Issue**: {{issue}}
+
+### Files Changed
+
+{{#files}}
+
+#### `{{filename}}` ({{status}}: +{{additions}} -{{deletions}})
+
+{{#patch}}
+
+```diff
+{{{patch}}}
+```
+
+{{/patch}}
+{{/files}}
+
+Review this PR against the acceptance criteria in the linked issue, then submit your review using the **pr** tool (action: `review`).
+
+</context>
+{{/pullRequest}}
+
+{{#riskContext}}
+<context>
+
+## Risk Warning
+
+The risk agent flagged concerns with this PR:
+
+{{{assessment}}}
+
+Pay special attention to these signals during your review.
+
+</context>
+{{/riskContext}}
+
+<agent_metadata>
+Faction: {{faction}} | Provider: {{provider}}
+</agent_metadata>

package/packages/review/src/index.js

@@ -83,10 +83,11 @@ export class ReviewWorkflow extends Workflow {
   /**
    * PRs that have been fully processed (merged, failed, or escalated).
    * Prevents scan() from re-adding PRs after land() removes them.
+   * Entries are `{ addedAt: number }` for TTL-based pruning.
    *
-   * @type {Set<number>}
+   * @type {Map<number, number>}
    */
-  _completed = new Set();
+  _completed = new Map();
 
   /**
    * Preserved round counts for evicted PRs. When a reviewer is evicted
@@ -94,11 +95,19 @@ export class ReviewWorkflow extends Workflow {
    * the round count must carry over so the escalation threshold
    * (maxRounds) is eventually reached. Without this, evict → scan
    * cycles reset rounds to 0 indefinitely.
+   * Entries are `{ rounds, addedAt }` for TTL-based pruning.
    *
-   * @type {Map<number, number>}
+   * @type {Map<number, {rounds: number, addedAt: number}>}
    */
   _evictedRounds = new Map();
 
+  /**
+   * TTL for completed/evicted entries (1 hour). Entries older than
+   * this are pruned during hydrate() to prevent unbounded growth.
+   * @type {number}
+   */
+  static PRUNE_TTL = 3_600_000;
+
   /**
    * Extract linked issue numbers from a PR body using GitHub closing
    * keywords (`Closes #N`, `Fixes #N`, `Resolves #N`).
@@ -218,7 +227,7 @@ export class ReviewWorkflow extends Workflow {
    */
   async demand(repo) {
     const prs = await this.hub.pulls(repo, { state: 'open' });
-    const skipRisk = this.orchestrator.cfg?.get?.('review.skipRiskAssessment') ?? false;
+    const skipRisk = this.orchestrator.cfg?.get?.('workflows.risk.skip') ?? false;
     let allowSameSide = false;
 
     try {
@@ -237,7 +246,7 @@ export class ReviewWorkflow extends Workflow {
       if (!skipRisk) {
         const hasRiskLabel = pr.labels?.some(function isRisk(l) {
           const name = l.name ?? l;
-          return name.endsWith('-risk') && name.startsWith('loreli:');
+          return (name.endsWith('-risk') || name === 'loreli:risk-unassessed') && name.startsWith('loreli:');
         });
         if (!hasRiskLabel) continue;
 
@@ -245,6 +254,11 @@ export class ReviewWorkflow extends Workflow {
           return (l.name ?? l) === 'loreli:critical-risk';
         });
         if (isCritical) continue;
+
+        const isUnassessed = pr.labels?.some(function isUn(l) {
+          return (l.name ?? l) === 'loreli:risk-unassessed';
+        });
+        if (isUnassessed) continue;
       }
 
       // Collect action providers from PR labels so scale() can spawn
@@ -346,7 +360,7 @@ export class ReviewWorkflow extends Workflow {
                name === 'loreli:merge-failed';
       });
       if (isTerminal) {
-        this._completed.add(pr.number);
+        this._completed.set(pr.number, Date.now());
         continue;
       }
 
@@ -370,14 +384,30 @@ export class ReviewWorkflow extends Workflow {
 
       // Round count from CHANGES_REQUESTED reviews
       const reviews = await this.hub.reviews(repo, pr.number);
-      const rounds = reviews.filter(function isCR(r) {
+      const crReviews = reviews.filter(function isCR(r) {
         return r.state === 'CHANGES_REQUESTED';
-      }).length;
+      });
+      const rounds = crReviews.length;
+
+      // Restore lastReviewId by finding the latest feedback marker
+      // and matching it to the CHANGES_REQUESTED review that triggered it.
+      let lastReviewId = null;
+      const feedbackMarker = [...comments].reverse().find(function isFeedback(c) {
+        return has(c.body, 'feedback');
+      });
+      if (feedbackMarker && crReviews.length) {
+        const markerTime = new Date(feedbackMarker.created).getTime();
+        const processed = crReviews.filter(function before(r) {
+          return new Date(r.submitted).getTime() <= markerTime;
+        }).at(-1);
+        lastReviewId = processed?.id ?? null;
+      }
 
       this._watched.set(pr.number, {
         agent: agentName,
         reviewer: reviewerName,
         rounds,
+        lastReviewId,
         dispatchedAt: new Date(claim.created ?? claim.created_at).getTime()
       });
     }
@@ -388,9 +418,19 @@ export class ReviewWorkflow extends Workflow {
     for (const prNum of this._watched.keys()) {
       if (!prs.some(function match(p) { return p.number === prNum; })) {
         this._watched.delete(prNum);
-        this._completed.add(prNum);
+        this._completed.set(prNum, Date.now());
       }
     }
+
+    // Prune stale entries to prevent unbounded growth in long-running sessions
+    const ttl = ReviewWorkflow.PRUNE_TTL;
+    const now = Date.now();
+    for (const [prNum, addedAt] of this._completed) {
+      if (now - addedAt > ttl) this._completed.delete(prNum);
+    }
+    for (const [prNum, entry] of this._evictedRounds) {
+      if (now - entry.addedAt > ttl) this._evictedRounds.delete(prNum);
+    }
   }
 
   // ── Signoff Protocol ──────────────────────────────────
@@ -448,7 +488,7 @@ export class ReviewWorkflow extends Workflow {
         // be evicted immediately — no proof-of-life needed.
         if (this.orchestrator._removed?.has(tracking.reviewer)) {
           log.info(`scan: evicting PR #${prNum} — reviewer ${tracking.reviewer} was locally removed`);
-          this._evictedRounds.set(prNum, tracking.rounds);
+          this._evictedRounds.set(prNum, { rounds: tracking.rounds, addedAt: Date.now() });
           this._watched.delete(prNum);
           await this._releaseReviewer(repo, prNum, tracking.reviewer,
             `Review claim released — reviewer \`${tracking.reviewer}\` is no longer active.`);
@@ -462,7 +502,7 @@ export class ReviewWorkflow extends Workflow {
           continue;
         }
         log.info(`scan: evicting PR #${prNum} — reviewer ${tracking.reviewer} proof-of-life expired`);
-        this._evictedRounds.set(prNum, tracking.rounds);
+        this._evictedRounds.set(prNum, { rounds: tracking.rounds, addedAt: Date.now() });
         this._watched.delete(prNum);
         await this._releaseReviewer(repo, prNum, tracking.reviewer,
           `Review claim released — no proof of life from \`${tracking.reviewer}\`.`);
@@ -475,7 +515,7 @@ export class ReviewWorkflow extends Workflow {
       // recovery.
       if (reviewer.state === 'dormant') {
         log.info(`scan: evicting PR #${prNum} — reviewer ${tracking.reviewer} is dormant`);
-        this._evictedRounds.set(prNum, tracking.rounds);
+        this._evictedRounds.set(prNum, { rounds: tracking.rounds, addedAt: Date.now() });
         this._watched.delete(prNum);
         await this._releaseReviewer(repo, prNum, tracking.reviewer,
           `Review claim released — reviewer \`${tracking.reviewer}\` is dormant.`);
@@ -498,7 +538,7 @@ export class ReviewWorkflow extends Workflow {
           });
           if (!submitted) {
             log.warn(`scan: evicting PR #${prNum} — reviewer ${tracking.reviewer} dispatched ${Math.round(elapsed / 1000)}s ago with no review`);
-            this._evictedRounds.set(prNum, tracking.rounds);
+            this._evictedRounds.set(prNum, { rounds: tracking.rounds, addedAt: Date.now() });
             this._watched.delete(prNum);
             await this._releaseReviewer(repo, prNum, tracking.reviewer,
               `Review claim released — reviewer \`${tracking.reviewer}\` stalled (${Math.round(elapsed / 1000)}s, no review submitted).`);
@@ -516,7 +556,7 @@ export class ReviewWorkflow extends Workflow {
           continue;
         }
         log.info(`scan: evicting PR #${prNum} — reviewer ${tracking.reviewer} confirmed stalled via PoL`);
-        this._evictedRounds.set(prNum, tracking.rounds);
+        this._evictedRounds.set(prNum, { rounds: tracking.rounds, addedAt: Date.now() });
         this._watched.delete(prNum);
         await this._releaseReviewer(repo, prNum, tracking.reviewer,
           `Review claim released — reviewer \`${tracking.reviewer}\` confirmed stalled.`);
@@ -537,7 +577,7 @@ export class ReviewWorkflow extends Workflow {
     const actions = [...this.orchestrator.agents.values()]
       .filter(function isAction(a) { return a.role === 'action'; });
 
-    const skipRisk = this.orchestrator.cfg?.get?.('review.skipRiskAssessment') ?? false;
+    const skipRisk = this.orchestrator.cfg?.get?.('workflows.risk.skip') ?? false;
     let allowSameSide = false;
 
     try {
@@ -610,13 +650,14 @@ export class ReviewWorkflow extends Workflow {
         ?? 'unknown';
 
       // Label gate: only dispatch reviewer for PRs that have been
-      // risk-assessed (carry a loreli:*-risk label), or when risk
-      // assessment is disabled. RiskWorkflow runs first in the
-      // reactor chain and applies labels before this handler fires.
+      // risk-assessed (carry a loreli:*-risk label) or flagged as
+      // unassessed, or when risk assessment is disabled. RiskWorkflow
+      // runs first in the reactor chain and applies labels before
+      // this handler fires.
       if (!skipRisk) {
         const hasRiskLabel = pr.labels?.some(function isRisk(l) {
           const name = l.name ?? l;
-          return name.endsWith('-risk') && name.startsWith('loreli:');
+          return (name.endsWith('-risk') || name === 'loreli:risk-unassessed') && name.startsWith('loreli:');
         });
         if (!hasRiskLabel) continue;
 
@@ -631,10 +672,27 @@ export class ReviewWorkflow extends Workflow {
           } catch (err) {
             log.warn(`scan: HITL failed for CRITICAL PR #${pr.number}: ${err.message}`);
           }
-          this._completed.add(pr.number);
+          this._completed.set(pr.number, Date.now());
           log.info(`scan: PR #${pr.number} escalated to HITL — risk verdict CRITICAL`);
           continue;
         }
+
+        // Unassessed PRs (risk agent crashed, timed out, or failed to
+        // dispatch) carry risk-unassessed and must escalate to HITL.
+        // Fail-safe: never let unassessed changes through to automated review.
+        const isUnassessed = pr.labels?.some(function isUn(l) {
+          return (l.name ?? l) === 'loreli:risk-unassessed';
+        });
+        if (isUnassessed) {
+          try {
+            await this.hitl(repo, pr.number);
+          } catch (err) {
+            log.warn(`scan: HITL failed for unassessed PR #${pr.number}: ${err.message}`);
+          }
+          this._completed.set(pr.number, Date.now());
+          log.info(`scan: PR #${pr.number} escalated to HITL — risk assessment failed`);
+          continue;
+        }
       }
 
       // Attach risk context for MEDIUM PRs so the reviewer sees the warning
@@ -696,7 +754,8 @@ export class ReviewWorkflow extends Workflow {
         await checkout(reviewerCwd, pr.head, base, options);
         log.info(`scan: checked out ${pr.head} in ${reviewer.identity.name}'s workspace`);
       } catch (err) {
-        log.warn(`scan: branch checkout failed for ${reviewer.identity.name}: ${err.message}`);
+        log.warn(`scan: branch checkout failed for ${reviewer.identity.name}: ${err.message} — skipping PR`);
+        continue;
       }
 
       const files = await this.hub.files(repo, pr.number);
@@ -729,7 +788,7 @@ export class ReviewWorkflow extends Workflow {
       await this.dispatch(reviewer, templateVars);
       this.orchestrator.activity(reviewer.identity.name);
 
-      const restored = this._evictedRounds.get(pr.number) ?? 0;
+      const restored = this._evictedRounds.get(pr.number)?.rounds ?? 0;
       this._evictedRounds.delete(pr.number);
 
       this._watched.set(pr.number, {
@@ -814,7 +873,7 @@ export class ReviewWorkflow extends Workflow {
     }
 
     this._watched.delete(prNum);
-    this._completed.add(prNum);
+    this._completed.set(prNum, Date.now());
 
     // Kill the reviewer — the PR is closed, no review needed.
     if (tracking.reviewer && this.orchestrator.agents.has(tracking.reviewer)) {
@@ -906,18 +965,22 @@ export class ReviewWorkflow extends Workflow {
 
       const feedbackEnabled = this.orchestrator.cfg?.get?.('feedback.enabled') ?? true;
       if (feedbackEnabled && latest.body) {
-        const categories = this.orchestrator.cfg?.get?.('feedback.categories');
-        const { category, confidence } = classify(latest.body, { categories });
-        if (confidence > 0) {
-          const identity = this.orchestrator.clientIdentity;
-          const provider = this.orchestrator.agents.get(tracking.reviewer)?.identity?.provider ?? 'unknown';
-          const marker = mark('feedback', { category, confidence: confidence.toFixed(2), provider });
-          const visible = `Feedback routing note: classified latest review as **${category}** (${confidence.toFixed(2)} confidence).`;
-          try {
-            if (identity) await this.hub.as(identity, 'orchestrator').comment(repo, prNum, `${marker}\n${visible}`);
-            log.debug(`forward: classified feedback on PR #${prNum} as ${category} (${confidence.toFixed(2)})`);
-          } catch (err) { log.debug(`forward: feedback marker failed: ${err.message}`); }
-        }
+        try {
+          const { category, confidence } = await classify(latest.body, {
+            backends: this.orchestrator.backendRegistry,
+            config: this.orchestrator.cfg
+          });
+          if (confidence > 0) {
+            const identity = this.orchestrator.clientIdentity;
+            const provider = this.orchestrator.agents.get(tracking.reviewer)?.identity?.provider ?? 'unknown';
+            const marker = mark('feedback', { category, confidence: confidence.toFixed(2), provider });
+            const visible = `Feedback routing note: classified latest review as **${category}** (${confidence.toFixed(2)} confidence).`;
+            try {
+              if (identity) await this.hub.as(identity, 'orchestrator').comment(repo, prNum, `${marker}\n${visible}`);
+              log.debug(`forward: classified feedback on PR #${prNum} as ${category} (${confidence.toFixed(2)})`);
+            } catch (err) { log.debug(`forward: feedback marker failed: ${err.message}`); }
+          }
+        } catch (err) { log.debug(`forward: feedback classification unavailable, skipping marker: ${err.message}`); }
       }
 
       // Reset so _redispatch can fire again when the action agent
@@ -929,6 +992,47 @@ export class ReviewWorkflow extends Workflow {
       log.info(`forward: relayed feedback on PR #${prNum} to ${tracking.agent} (round ${tracking.rounds})`);
     }
 
+    // ── Conflict nudge ──────────────────────────────────
+    // Check watched PRs for merge conflicts and nudge the action agent
+    // to rebase. GitHub computes mergeable asynchronously on single-PR
+    // fetches — null means pending, skip until next tick.
+    for (const [prNum, tracking] of this._watched) {
+      const agent = this.orchestrator.agents.get(tracking.agent);
+      if (!agent) continue;
+
+      let pr;
+      try {
+        pr = await this.hub.pull(repo, prNum);
+      } catch (err) {
+        log.debug(`forward: conflict check skipped for PR #${prNum}: ${err.message}`);
+        continue;
+      }
+      if (pr.mergeable == null) continue;
+
+      if (pr.mergeable) {
+        if (tracking.conflictNotifiedSha) {
+          log.info(`forward: PR #${prNum} conflict resolved`);
+          tracking.conflictNotifiedSha = null;
+        }
+        continue;
+      }
+
+      if (tracking.conflictNotifiedSha === pr.headSha) continue;
+
+      if (agent.state === 'dormant') await agent.spawn();
+
+      const base = pr.base || 'main';
+      await agent.send(
+        `Your pull request #${prNum} has merge conflicts with \`${base}\`. ` +
+        `Rebase your branch onto \`origin/${base}\`, resolve the conflicts, ` +
+        `and force-push to update the PR.`
+      );
+      this.orchestrator.activity(agent.identity.name);
+      tracking.conflictNotifiedSha = pr.headSha;
+
+      log.info(`forward: nudged ${tracking.agent} to resolve conflict on PR #${prNum}`);
+    }
+
     return forwarded;
   }
 
@@ -939,13 +1043,14 @@ export class ReviewWorkflow extends Workflow {
  * approval. Auto-merges or triggers Human In The Loop (HITL).
    *
    * @param {string} repo - Repository in "owner/name" format.
-   * @returns {Promise<Array<{pr: number, merged: boolean, gated: boolean}>>}
+   * @returns {Promise<Array<{pr: number, merged: boolean, gated: boolean, agent: string}>>}
    */
   async land(repo) {
     if (!this._watched.size) return [];
 
     const method = this.orchestrator.cfg?.get?.('merge.method') ?? 'squash';
-    const hitlEnabled = this.orchestrator.cfg?.get?.('merge.hitl') ?? false;
+    const globalHitl = this.orchestrator.cfg?.get?.('merge.hitl') ?? false;
+    const feedbackHitl = this.orchestrator.cfg?.get?.('feedback.hitl') ?? false;
     const humanReviewers = this.orchestrator.cfg?.get?.('reviewers') ?? [];
     let dualSide = true;
 
@@ -984,39 +1089,63 @@ export class ReviewWorkflow extends Workflow {
         await this.signoff(repo, prNum, reviewer.identity, reviewer.role ?? 'reviewer');
       }
 
-      if (hitlEnabled && humanReviewers.length) {
+      let needsHitl = globalHitl;
+
+      if (!needsHitl && feedbackHitl !== false) {
+        const prData = await this.hub.read(repo, prNum);
+        const closesMatch = prData.body?.match(/Closes #(\d+)/);
+        if (closesMatch) {
+          try {
+            const issueData = await this.hub.read(repo, Number(closesMatch[1]));
+            const fbLabel = (issueData.labels ?? []).find(function isFeedback(l) {
+              const name = typeof l === 'string' ? l : l.name;
+              return name?.startsWith('loreli:feedback:');
+            });
+            if (fbLabel) {
+              const category = (typeof fbLabel === 'string' ? fbLabel : fbLabel.name)
+                .replace('loreli:feedback:', '');
+              needsHitl = feedbackHitl === true || feedbackHitl.includes(category);
+            }
+          } catch (err) {
+            log.warn(`land: feedback HITL check failed for PR #${prNum}: ${err.message}`);
+          }
+        }
+      }
+
+      if (needsHitl && humanReviewers.length) {
         await this.hitl(repo, prNum);
         this._watched.delete(prNum);
-        this._completed.add(prNum);
-        landed.push({ pr: prNum, merged: false, gated: true });
+        this._completed.set(prNum, Date.now());
+        landed.push({ pr: prNum, merged: false, gated: true, agent: tracking.agent });
         log.info(`land: PR #${prNum} escalated to HITL`);
       } else {
         try {
           await this.hub.merge(repo, prNum, { method });
           await this.reconcile(repo, prNum);
           this._watched.delete(prNum);
-          this._completed.add(prNum);
-          landed.push({ pr: prNum, merged: true, gated: false });
+          this._completed.set(prNum, Date.now());
+          landed.push({ pr: prNum, merged: true, gated: false, agent: tracking.agent });
           log.info(`land: PR #${prNum} merged via ${method}`);
         } catch (err) {
           // Merge failure escalation: alert humans instead of silently
           // abandoning. 405 = not mergeable, 409 = merge conflict.
           this._watched.delete(prNum);
-          this._completed.add(prNum);
-          landed.push({ pr: prNum, merged: false, gated: false });
+          this._completed.set(prNum, Date.now());
+          landed.push({ pr: prNum, merged: false, gated: false, agent: tracking.agent });
 
-          const signer = this.agents()[0]?.identity ?? this.orchestrator.clientIdentity;
-          if (signer) {
-            try {
-              const scoped = this.hub.as(signer, 'reviewer');
-              await scoped.comment(repo, prNum,
-                `${mark('hitl')}\n**Merge failed — needs human attention**\n\n` +
-                `Auto-merge failed: \`${err.message}\`\n\n` +
-                `Please resolve the issue and merge manually.`);
-              await this.hub.label(repo, prNum, ['loreli:needs-attention', 'loreli:merge-failed']);
-            } catch (labelErr) {
-              log.warn(`land: failed to label merge-failure on PR #${prNum}: ${labelErr.message}`);
+          try {
+            const signer = this.agents()[0]?.identity ?? this.orchestrator.clientIdentity;
+            const body = `${mark('hitl')}\n**Merge failed — needs human attention**\n\n` +
+              `Auto-merge failed: \`${err.message}\`\n\n` +
+              `Please resolve the issue and merge manually.`;
+            if (signer) {
+              await this.hub.as(signer, 'reviewer').comment(repo, prNum, body);
+            } else {
+              await this.hub.comment(repo, prNum, body);
             }
+            await this.hub.label(repo, prNum, ['loreli:needs-attention', 'loreli:merge-failed']);
+          } catch (labelErr) {
+            log.warn(`land: failed to label merge-failure on PR #${prNum}: ${labelErr.message}`);
           }
 
           log.warn(`land: merge failed for PR #${prNum}: ${err.message}`);
@@ -1036,26 +1165,17 @@ export class ReviewWorkflow extends Workflow {
       }
     }
 
-    // Kill action agents when all watched PRs have been finalized.
-    // GitHub's issue auto-close ("Closes #N") is asynchronous — the
-    // linked issue may still appear "open" milliseconds after merge.
-    // Checking issue state here causes a race: land() sees open issues,
-    // skips the kill, and the action agent stays "working" forever
-    // (reap only touches dormant agents). Instead, unconditionally
-    // kill action agents when no PRs remain in flight. If new issues
-    // appear (human-created or from another planning cycle), the
-    // reactor's next tick will re-enlist fresh agents via start_work.
-    if (landed.length > 0 && this._watched.size === 0) {
-      const actions = [...this.orchestrator.agents.values()]
-        .filter(function isAction(a) { return a.role === 'action'; });
-
-      for (const a of actions) {
-        try {
-          await this.orchestrator.kill(a.identity.name);
-          log.info(`land: stopped action agent ${a.identity.name} — all PRs finalized`);
-        } catch (err) {
-          log.warn(`land: failed to stop action agent ${a.identity.name}: ${err.message}`);
-        }
+    // Kill action agents whose PRs were finalized (merged, gated, or
+    // failed). Only targets agents that owned a landed PR — unrelated
+    // action agents working on other issues are left untouched.
+    const landedAgents = new Set(landed.map(function agent(l) { return l.agent; }));
+    for (const name of landedAgents) {
+      if (!name || !this.orchestrator.agents.has(name)) continue;
+      try {
+        await this.orchestrator.kill(name);
+        log.info(`land: stopped action agent ${name} — PR finalized`);
+      } catch (err) {
+        log.warn(`land: failed to stop action agent ${name}: ${err.message}`);
       }
     }
 
@@ -1253,7 +1373,7 @@ export class ReviewWorkflow extends Workflow {
     if (humanReviewers.length) {
       await this.hitl(repo, prNum);
       this._watched.delete(prNum);
-      this._completed.add(prNum);
+      this._completed.set(prNum, Date.now());
       log.info(`escalate: PR #${prNum} handed to human reviewers after ${tracking.rounds} rounds`);
       return;
     }