patchrelay 0.75.3 → 0.77.0

package/dist/run-failure-policy.js

@@ -0,0 +1,463 @@
+import { buildRunFailureActivity } from "./linear-session-reporting.js";
+import { getRemainingZombieRecoveryDelayMs, getZombieRecoveryBudget } from "./run-budgets.js";
+import { resolvePostRunFactoryState } from "./run-completion-policy.js";
+import { isRequestedChangesRunType } from "./reactive-pr-state.js";
+import { settleRun } from "./run-settlement.js";
+const WRITER = "run-failure-policy";
+// Roll back the attempt counter consumed by the interrupted run and clear the
+// attempted-failure provenance for repair runs, as a single issue update so
+// the whole repair commits (and conflict-recomputes) atomically.
+function buildInterruptedAttemptRepairUpdate(runType, issue) {
+    const counter = runType === "ci_repair" && issue.ciRepairAttempts > 0
+        ? { ciRepairAttempts: issue.ciRepairAttempts - 1 }
+        : runType === "queue_repair" && issue.queueRepairAttempts > 0
+            ? { queueRepairAttempts: issue.queueRepairAttempts - 1 }
+            : isRequestedChangesRunType(runType) && issue.reviewFixAttempts > 0
+                ? { reviewFixAttempts: issue.reviewFixAttempts - 1 }
+                : undefined;
+    const provenance = runType === "ci_repair" || runType === "queue_repair"
+        ? {
+            lastAttemptedFailureHeadSha: null,
+            lastAttemptedFailureSignature: null,
+            lastAttemptedFailureAt: null,
+        }
+        : undefined;
+    if (!counter && !provenance)
+        return undefined;
+    return {
+        projectId: issue.projectId,
+        linearIssueId: issue.linearIssueId,
+        ...counter,
+        ...provenance,
+    };
+}
+function resolveRetryRunType(runType, context) {
+    if (runType === "branch_upkeep") {
+        return "branch_upkeep";
+    }
+    return context?.reviewFixMode === "branch_upkeep" || context?.branchUpkeepRequired === true
+        ? "branch_upkeep"
+        : "review_fix";
+}
+// Plan §B4: the one run-failure policy. Merges the former
+// RunRecoveryService (zombie retry/escalate + backoff) and
+// InterruptedRunRecovery (interrupted-turn handling, counter decrements,
+// re-enqueue) into a single module that answers: given a stranded or
+// failed run + its issue — retry (with which backoff/budget), re-enqueue
+// (which runType/context), or escalate?
+//
+// Ownership: run-reconciler and service-startup-recovery only DETECT
+// stranded states and hand them here; this policy DECIDES; execution of
+// the run/slot writes goes through settleRun, and dispatch of follow-up
+// work goes through the WakeDispatcher.
+export class RunFailurePolicy {
+    db;
+    logger;
+    linearSync;
+    withHeldLease;
+    releaseLease;
+    appendWakeEventWithLease;
+    wakeDispatcher;
+    restoreIdleWorktree;
+    completionPolicy;
+    resolveProject;
+    feed;
+    constructor(db, logger, linearSync, withHeldLease, releaseLease, appendWakeEventWithLease, wakeDispatcher, restoreIdleWorktree, completionPolicy, resolveProject, feed) {
+        this.db = db;
+        this.logger = logger;
+        this.linearSync = linearSync;
+        this.withHeldLease = withHeldLease;
+        this.releaseLease = releaseLease;
+        this.appendWakeEventWithLease = appendWakeEventWithLease;
+        this.wakeDispatcher = wakeDispatcher;
+        this.restoreIdleWorktree = restoreIdleWorktree;
+        this.completionPolicy = completionPolicy;
+        this.resolveProject = resolveProject;
+        this.feed = feed;
+    }
+    // ─── Stranded runs (zombie / stale thread) ───────────────────────
+    /**
+     * Detector entry point: the reconciler found a run that can never make
+     * progress (no Codex thread after a restart, or the thread is gone).
+     * Settle the run (mark failed, release the slot) and decide retry vs
+     * escalate via the zombie budget/backoff.
+     */
+    settleStrandedRunAndRecover(params) {
+        const { run, issue } = params;
+        this.withHeldLease(run.projectId, run.linearIssueId, (lease) => settleRun({
+            db: this.db,
+            run,
+            finish: { status: "failed", failureReason: params.failureReason },
+            lease,
+        }));
+        this.recoverOrEscalate({ issue, runType: run.runType, reason: params.reason });
+    }
+    /**
+     * Decide what happens after a run died without doing its work: PR
+     * already merged → done; zombie budget exhausted → escalate; backoff
+     * not elapsed → keep the wake but defer; otherwise consume one budget
+     * unit, append a recovery wake, and dispatch.
+     */
+    recoverOrEscalate(params) {
+        const { issue, runType, reason } = params;
+        const fresh = this.db.issues.getIssue(issue.projectId, issue.linearIssueId);
+        if (!fresh)
+            return;
+        if (isRequestedChangesRunType(runType)) {
+            const updated = this.withHeldLease(fresh.projectId, fresh.linearIssueId, (lease) => {
+                this.db.issueSessions.clearPendingIssueSessionEventsWithLease(lease);
+                this.db.issueSessions.commitIssueState({
+                    writer: WRITER,
+                    lease,
+                    update: {
+                        projectId: fresh.projectId,
+                        linearIssueId: fresh.linearIssueId,
+                        pendingRunType: null,
+                        pendingRunContextJson: null,
+                        factoryState: "escalated",
+                    },
+                });
+                return true;
+            });
+            if (!updated) {
+                this.logger.warn({ issueKey: fresh.issueKey, reason }, "Skipping review-fix recovery escalation after losing issue-session lease");
+                this.releaseLease(fresh.projectId, fresh.linearIssueId);
+                return;
+            }
+            this.logger.warn({ issueKey: fresh.issueKey, reason }, "Requested-changes run failed before a new head was published - escalating");
+            this.feed?.publish({
+                level: "error",
+                kind: "workflow",
+                issueKey: fresh.issueKey,
+                projectId: fresh.projectId,
+                stage: runType,
+                status: "escalated",
+                summary: `Requested-changes run failed before publishing a new head (${reason})`,
+            });
+            this.releaseLease(fresh.projectId, fresh.linearIssueId);
+            return;
+        }
+        if (fresh.prState === "merged") {
+            const updated = this.withHeldLease(fresh.projectId, fresh.linearIssueId, (lease) => {
+                this.db.issueSessions.commitIssueState({
+                    writer: WRITER,
+                    lease,
+                    update: {
+                        projectId: fresh.projectId,
+                        linearIssueId: fresh.linearIssueId,
+                        factoryState: "done",
+                        zombieRecoveryAttempts: 0,
+                        lastZombieRecoveryAt: null,
+                    },
+                });
+                return true;
+            });
+            if (!updated) {
+                this.logger.warn({ issueKey: fresh.issueKey, reason }, "Skipping merged recovery completion after losing issue-session lease");
+                this.releaseLease(fresh.projectId, fresh.linearIssueId);
+                return;
+            }
+            this.logger.info({ issueKey: fresh.issueKey, reason }, "Recovery: PR already merged - transitioning to done");
+            this.releaseLease(fresh.projectId, fresh.linearIssueId);
+            return;
+        }
+        const zombieRecoveryBudget = getZombieRecoveryBudget(this.resolveProject(fresh.projectId));
+        const attempts = fresh.zombieRecoveryAttempts + 1;
+        if (attempts > zombieRecoveryBudget) {
+            const updated = this.withHeldLease(fresh.projectId, fresh.linearIssueId, (lease) => {
+                this.db.issueSessions.commitIssueState({
+                    writer: WRITER,
+                    lease,
+                    update: {
+                        projectId: fresh.projectId,
+                        linearIssueId: fresh.linearIssueId,
+                        factoryState: "escalated",
+                    },
+                });
+                return true;
+            });
+            if (!updated) {
+                this.logger.warn({ issueKey: fresh.issueKey, attempts, reason }, "Skipping recovery escalation after losing issue-session lease");
+                this.releaseLease(fresh.projectId, fresh.linearIssueId);
+                return;
+            }
+            this.logger.warn({ issueKey: fresh.issueKey, attempts, reason }, "Recovery: budget exhausted - escalating");
+            this.feed?.publish({
+                level: "error",
+                kind: "workflow",
+                issueKey: fresh.issueKey,
+                projectId: fresh.projectId,
+                stage: "escalated",
+                status: "budget_exhausted",
+                summary: `${reason} recovery failed after ${zombieRecoveryBudget} attempts`,
+            });
+            this.releaseLease(fresh.projectId, fresh.linearIssueId);
+            return;
+        }
+        if (fresh.lastZombieRecoveryAt) {
+            const remainingDelayMs = getRemainingZombieRecoveryDelayMs(fresh.lastZombieRecoveryAt, fresh.zombieRecoveryAttempts);
+            if (remainingDelayMs > 0) {
+                this.withHeldLease(fresh.projectId, fresh.linearIssueId, (lease) => {
+                    this.appendWakeEventWithLease(lease, fresh, runType, undefined, `recovery:${attempts}`);
+                });
+                this.logger.debug({ issueKey: fresh.issueKey, attempts: fresh.zombieRecoveryAttempts, remainingDelayMs }, "Recovery: backoff not elapsed, deferring retry");
+                return;
+            }
+        }
+        const requeued = this.withHeldLease(fresh.projectId, fresh.linearIssueId, (lease) => {
+            // `attempts` is read-modify-write against the fresh row read above; on
+            // conflict recompute the counter from the current row.
+            const buildRequeueUpdate = (record) => ({
+                projectId: fresh.projectId,
+                linearIssueId: fresh.linearIssueId,
+                pendingRunType: null,
+                pendingRunContextJson: null,
+                zombieRecoveryAttempts: record.zombieRecoveryAttempts + 1,
+                lastZombieRecoveryAt: new Date().toISOString(),
+            });
+            this.db.issueSessions.commitIssueState({
+                writer: WRITER,
+                lease,
+                expectedVersion: fresh.version,
+                update: buildRequeueUpdate(fresh),
+                onConflict: (current) => buildRequeueUpdate(current),
+            });
+            return this.appendWakeEventWithLease(lease, fresh, runType, undefined, `recovery:${attempts}`);
+        });
+        if (!requeued) {
+            this.logger.warn({ issueKey: fresh.issueKey, attempts, reason }, "Skipping recovery re-enqueue after losing issue-session lease");
+            this.releaseLease(fresh.projectId, fresh.linearIssueId);
+            return;
+        }
+        this.wakeDispatcher.dispatchIfWakePending(fresh.projectId, fresh.linearIssueId);
+        this.logger.info({ issueKey: fresh.issueKey, attempts, reason }, "Recovery: re-enqueued with backoff");
+    }
+    // ─── Terminal decisions ──────────────────────────────────────────
+    escalate(params) {
+        const { issue, runType, reason } = params;
+        this.logger.warn({ issueKey: issue.issueKey, runType, reason }, "Escalating to human");
+        const escalated = this.withHeldLease(issue.projectId, issue.linearIssueId, (lease) => {
+            // Escalation is an operator-facing decision: the issue write and the
+            // run release ride in the held-lease transaction. When a run still
+            // holds the slot, settleRun owns the paired run-release + slot-clear;
+            // it refuses to clear a slot that was re-pointed at another run.
+            const escalateFields = {
+                pendingRunType: null,
+                pendingRunContextJson: null,
+                factoryState: "escalated",
+            };
+            if (issue.activeRunId !== undefined) {
+                const settled = settleRun({
+                    db: this.db,
+                    run: { id: issue.activeRunId, projectId: issue.projectId, linearIssueId: issue.linearIssueId },
+                    finish: { status: "released" },
+                    lease,
+                    buildIssueUpdate: () => escalateFields,
+                });
+                if (!settled.slotCleared)
+                    return false;
+            }
+            else {
+                const commit = this.db.issueSessions.commitIssueState({
+                    writer: WRITER,
+                    lease,
+                    update: {
+                        projectId: issue.projectId,
+                        linearIssueId: issue.linearIssueId,
+                        ...escalateFields,
+                    },
+                });
+                if (commit.outcome !== "applied")
+                    return false;
+            }
+            this.db.issueSessions.clearPendingIssueSessionEventsWithLease(lease);
+            return true;
+        });
+        if (!escalated) {
+            this.logger.warn({ issueKey: issue.issueKey, runType }, "Skipping escalation write after losing issue-session lease");
+            this.releaseLease(issue.projectId, issue.linearIssueId);
+            return;
+        }
+        this.feed?.publish({
+            level: "error",
+            kind: "workflow",
+            issueKey: issue.issueKey,
+            projectId: issue.projectId,
+            stage: runType,
+            status: "escalated",
+            summary: `Escalated: ${reason}`,
+        });
+        const escalatedIssue = this.db.issues.getIssue(issue.projectId, issue.linearIssueId) ?? issue;
+        void this.linearSync.emitActivity(escalatedIssue, {
+            type: "error",
+            body: `PatchRelay needs human help to continue.\n\n${reason}`,
+        });
+        void this.linearSync.syncSession(escalatedIssue);
+        this.releaseLease(issue.projectId, issue.linearIssueId);
+    }
+    failRunAndClear(params) {
+        const { run, message, nextState } = params;
+        const updated = this.withHeldLease(run.projectId, run.linearIssueId, (lease) => {
+            settleRun({
+                db: this.db,
+                run,
+                finish: { status: "failed", failureReason: message },
+                lease,
+                buildIssueUpdate: () => ({ factoryState: nextState }),
+            });
+            if (nextState === "failed" || nextState === "escalated" || nextState === "awaiting_input" || nextState === "done") {
+                this.db.issueSessions.clearPendingIssueSessionEventsWithLease(lease);
+            }
+            return true;
+        });
+        if (!updated) {
+            this.logger.warn({ runId: run.id, issueId: run.linearIssueId }, "Skipping failure cleanup after losing issue-session lease");
+        }
+        this.releaseLease(run.projectId, run.linearIssueId);
+    }
+    // ─── Interrupted turns (formerly InterruptedRunRecovery) ─────────
+    async handleInterruptedRun(run, issue) {
+        this.logger.warn({ issueKey: issue.issueKey, runType: run.runType, threadId: run.threadId }, "Run has interrupted turn - marking as failed");
+        const repairedCounters = this.withHeldLease(issue.projectId, issue.linearIssueId, (lease) => {
+            // The decrement is read-modify-write against an issue row read before
+            // the awaits that led here; on conflict, recompute from the fresh row.
+            const update = buildInterruptedAttemptRepairUpdate(run.runType, issue);
+            if (update) {
+                this.db.issueSessions.commitIssueState({
+                    writer: WRITER,
+                    lease,
+                    expectedVersion: issue.version,
+                    update,
+                    onConflict: (current) => buildInterruptedAttemptRepairUpdate(run.runType, current),
+                });
+            }
+            return true;
+        });
+        if (!repairedCounters) {
+            this.logger.warn({ runId: run.id, issueId: run.linearIssueId }, "Skipping interrupted-run recovery after losing issue-session lease");
+            this.releaseLease(run.projectId, run.linearIssueId);
+            return;
+        }
+        if (isRequestedChangesRunType(run.runType)) {
+            await this.handleInterruptedRequestedChangesRun(run, issue);
+            return;
+        }
+        if (run.runType === "implementation" && !issue.prNumber) {
+            await this.handleInterruptedImplementationRun(run, issue);
+            return;
+        }
+        const recoveredState = resolvePostRunFactoryState(this.db.issues.getIssue(run.projectId, run.linearIssueId) ?? issue, run, { outcome: "recovered" });
+        this.failRunAndClear({ run, message: "Codex turn was interrupted", nextState: recoveredState ?? "failed" });
+        await this.restoreIdleWorktree(issue);
+        const failedIssue = this.db.issues.getIssue(run.projectId, run.linearIssueId) ?? issue;
+        if (recoveredState) {
+            this.feed?.publish({
+                level: "info",
+                kind: "stage",
+                issueKey: issue.issueKey,
+                projectId: run.projectId,
+                stage: recoveredState,
+                status: "reconciled",
+                summary: `Interrupted ${run.runType} recovered -> ${recoveredState}`,
+            });
+        }
+        else {
+            void this.linearSync.emitActivity(failedIssue, buildRunFailureActivity(run.runType, "The Codex turn was interrupted."));
+        }
+        void this.linearSync.syncSession(failedIssue, { activeRunType: run.runType });
+        this.releaseLease(run.projectId, run.linearIssueId);
+    }
+    async handleInterruptedImplementationRun(run, issue) {
+        const interruptedMessage = "Implementation run was interrupted before PatchRelay could publish a PR";
+        this.failRunAndClear({ run, message: "Codex turn was interrupted", nextState: "delegated" });
+        await this.restoreIdleWorktree(issue);
+        const refreshedIssue = this.db.issues.getIssue(run.projectId, run.linearIssueId) ?? issue;
+        this.db.issueSessions.appendIssueSessionEventRespectingActiveLease(run.projectId, run.linearIssueId, {
+            projectId: run.projectId,
+            linearIssueId: run.linearIssueId,
+            eventType: "delegated",
+            dedupeKey: `interrupted_implementation:implementation:${run.linearIssueId}`,
+        });
+        if (!this.db.workflowWakes.peekIssueWake(run.projectId, run.linearIssueId)) {
+            const failedIssue = this.db.issues.getIssue(run.projectId, run.linearIssueId) ?? refreshedIssue;
+            this.feed?.publish({
+                level: "error",
+                kind: "workflow",
+                issueKey: issue.issueKey,
+                projectId: run.projectId,
+                stage: run.runType,
+                status: "escalated",
+                summary: interruptedMessage,
+            });
+            void this.linearSync.emitActivity(failedIssue, buildRunFailureActivity(run.runType, interruptedMessage));
+            void this.linearSync.syncSession(failedIssue, { activeRunType: run.runType });
+            this.releaseLease(run.projectId, run.linearIssueId);
+            return;
+        }
+        this.feed?.publish({
+            level: "warn",
+            kind: "workflow",
+            issueKey: issue.issueKey,
+            projectId: run.projectId,
+            stage: run.runType,
+            status: "retry_queued",
+            summary: "Implementation run was interrupted; PatchRelay will retry automatically",
+        });
+        const recoveredIssue = this.db.issues.getIssue(run.projectId, run.linearIssueId) ?? refreshedIssue;
+        void this.linearSync.syncSession(recoveredIssue, { activeRunType: run.runType });
+        this.wakeDispatcher.dispatchIfWakePending(run.projectId, run.linearIssueId);
+        this.releaseLease(run.projectId, run.linearIssueId);
+    }
+    async handleInterruptedRequestedChangesRun(run, issue) {
+        const freshIssue = this.db.issues.getIssue(run.projectId, run.linearIssueId) ?? issue;
+        const refreshedIssue = await this.completionPolicy.refreshIssueAfterReactivePublish(run, freshIssue);
+        const retryContext = await this.completionPolicy.resolveRequestedChangesWakeContext(refreshedIssue, run.runType, run.runType === "branch_upkeep"
+            ? {
+                branchUpkeepRequired: true,
+                reviewFixMode: "branch_upkeep",
+                wakeReason: "branch_upkeep",
+            }
+            : undefined);
+        const retryRunType = resolveRetryRunType(run.runType, retryContext);
+        const recoveredState = resolvePostRunFactoryState(refreshedIssue, run, { outcome: "recovered" }) ?? "failed";
+        const interruptedMessage = "Requested-changes run was interrupted before PatchRelay could verify that a new PR head was published";
+        this.failRunAndClear({ run, message: interruptedMessage, nextState: recoveredState });
+        await this.restoreIdleWorktree(issue);
+        const recoveredIssue = this.db.issues.getIssue(run.projectId, run.linearIssueId) ?? refreshedIssue;
+        if (recoveredState === "changes_requested") {
+            this.db.issueSessions.commitIssueState({
+                writer: WRITER,
+                update: {
+                    projectId: run.projectId,
+                    linearIssueId: run.linearIssueId,
+                    pendingRunType: retryRunType,
+                    pendingRunContextJson: retryContext ? JSON.stringify(retryContext) : null,
+                },
+            });
+            this.feed?.publish({
+                level: "warn",
+                kind: "workflow",
+                issueKey: issue.issueKey,
+                projectId: run.projectId,
+                stage: run.runType,
+                status: "retry_queued",
+                summary: "Requested-changes run was interrupted; PatchRelay will retry from fresh GitHub truth",
+            });
+            this.wakeDispatcher.dispatchIfWakePending(run.projectId, run.linearIssueId);
+        }
+        else {
+            this.feed?.publish({
+                level: "error",
+                kind: "workflow",
+                issueKey: issue.issueKey,
+                projectId: run.projectId,
+                stage: run.runType,
+                status: "escalated",
+                summary: interruptedMessage,
+            });
+        }
+        void this.linearSync.emitActivity(recoveredIssue, buildRunFailureActivity(run.runType, interruptedMessage));
+        void this.linearSync.syncSession(recoveredIssue, { activeRunType: run.runType });
+        this.releaseLease(run.projectId, run.linearIssueId);
+    }
+}

package/dist/run-finalizer.js

@@ -2,10 +2,12 @@ import { CLEARED_FAILURE_PROVENANCE } from "./failure-provenance.js";
 import { buildStageReport, countEventMethods } from "./run-reporting.js";
 import { buildRunCompletedActivity, buildRunFailureActivity } from "./linear-session-reporting.js";
 import { handleNoPrCompletionCheck } from "./no-pr-completion-check.js";
-import { resolveCompletedRunState } from "./run-completion-policy.js";
+import { resolvePostRunFactoryState } from "./run-completion-policy.js";
 import { computeChangeIdentityFromWorktree } from "./change-identity.js";
 import { inspectGitWorktreeStatus, isRepairRunType } from "./git-worktree-status.js";
 import { buildRunOutcomeSummary } from "./run-outcome-summary.js";
+import { settleRun } from "./run-settlement.js";
+const WRITER = "run-finalizer";
 function parseEventJson(eventJson) {
     if (!eventJson)
         return undefined;
@@ -150,12 +152,16 @@ export class RunFinalizer {
         });
         if (!identity.patchId && !identity.integrationTreeId)
             return;
-        this.db.issues.upsertIssue({
-            projectId: issue.projectId,
-            linearIssueId: issue.linearIssueId,
-            ...(identity.patchId ? { lastPublishedPatchId: identity.patchId } : {}),
-            ...(identity.integrationTreeId ? { lastPublishedIntegrationTreeId: identity.integrationTreeId } : {}),
-            lastPublishedHeadSha: issue.prHeadSha,
+        this.db.issueSessions.commitIssueState({
+            writer: WRITER,
+            expectedVersion: issue.version,
+            update: {
+                projectId: issue.projectId,
+                linearIssueId: issue.linearIssueId,
+                ...(identity.patchId ? { lastPublishedPatchId: identity.patchId } : {}),
+                ...(identity.integrationTreeId ? { lastPublishedIntegrationTreeId: identity.integrationTreeId } : {}),
+                lastPublishedHeadSha: issue.prHeadSha,
+            },
         });
         this.logger.info({
             issueKey: issue.issueKey,
@@ -194,12 +200,15 @@ export class RunFinalizer {
                 ...(completedTurnId ? { turnId: completedTurnId } : {}),
                 failureReason: run.failureReason ?? "approved on the same head; further publication suppressed",
             });
-            this.db.issues.upsertIssue({
-                projectId: run.projectId,
-                linearIssueId: run.linearIssueId,
-                activeRunId: null,
-                pendingRunType: null,
-                pendingRunContextJson: null,
+            this.db.issueSessions.commitIssueState({
+                writer: WRITER,
+                update: {
+                    projectId: run.projectId,
+                    linearIssueId: run.linearIssueId,
+                    activeRunId: null,
+                    pendingRunType: null,
+                    pendingRunContextJson: null,
+                },
             });
         });
         this.clearProgressAndRelease(run);
@@ -274,23 +283,33 @@ export class RunFinalizer {
                 report: params.report,
                 outcomeSummary,
             }));
-            this.db.issueSessions.upsertIssueWithLease(lease, {
+            // The attempt decrements are read-modify-write against the issue row;
+            // on conflict, recompute them from the fresh row instead of writing
+            // counters derived from a stale read.
+            const buildContinueUpdate = (record) => ({
                 projectId: params.run.projectId,
                 linearIssueId: params.run.linearIssueId,
                 activeRunId: null,
                 factoryState: "delegated",
                 pendingRunType: null,
                 pendingRunContextJson: null,
-                ...(params.run.runType === "ci_repair" && params.issue.ciRepairAttempts > 0
-                    ? { ciRepairAttempts: params.issue.ciRepairAttempts - 1 }
+                ...(params.run.runType === "ci_repair" && record.ciRepairAttempts > 0
+                    ? { ciRepairAttempts: record.ciRepairAttempts - 1 }
                     : {}),
-                ...(params.run.runType === "queue_repair" && params.issue.queueRepairAttempts > 0
-                    ? { queueRepairAttempts: params.issue.queueRepairAttempts - 1 }
+                ...(params.run.runType === "queue_repair" && record.queueRepairAttempts > 0
+                    ? { queueRepairAttempts: record.queueRepairAttempts - 1 }
                     : {}),
-                ...((params.run.runType === "review_fix" || params.run.runType === "branch_upkeep") && params.issue.reviewFixAttempts > 0
-                    ? { reviewFixAttempts: params.issue.reviewFixAttempts - 1 }
+                ...((params.run.runType === "review_fix" || params.run.runType === "branch_upkeep") && record.reviewFixAttempts > 0
+                    ? { reviewFixAttempts: record.reviewFixAttempts - 1 }
                     : {}),
             });
+            this.db.issueSessions.commitIssueState({
+                writer: WRITER,
+                lease,
+                expectedVersion: params.issue.version,
+                update: buildContinueUpdate(params.issue),
+                onConflict: (current) => buildContinueUpdate(current),
+            });
             return Boolean(this.db.issueSessions.appendIssueSessionEventWithLease(lease, {
                 projectId: params.run.projectId,
                 linearIssueId: params.run.linearIssueId,
@@ -358,7 +377,9 @@ export class RunFinalizer {
         }
         const verifiedRepairError = await this.completionPolicy.verifyReactiveRunAdvancedBranch(run, freshIssue);
         if (verifiedRepairError) {
-            const holdState = params.resolveRecoverableRunState(freshIssue) ?? "failed";
+            // The run failed verification — it did not do its work, so resolve
+            // the hold state from GitHub truth like any other recovery path.
+            const holdState = resolvePostRunFactoryState(freshIssue, run, { outcome: "recovered" }) ?? "failed";
             this.failRunAndClear(run, verifiedRepairError, holdState);
             this.syncFailureOutcome({
                 run,
@@ -428,30 +449,42 @@ export class RunFinalizer {
         // any git error returns undefined and we leave the cache as-is.
         this.maybeUpdateLastPublishedIdentity(run, refreshedIssue);
         const postRunFollowUp = await this.completionPolicy.resolvePostRunFollowUp(run, refreshedIssue);
-        const postRunState = postRunFollowUp?.factoryState ?? resolveCompletedRunState(refreshedIssue, run);
+        const postRunState = postRunFollowUp?.factoryState ?? resolvePostRunFactoryState(refreshedIssue, run);
         const outcomeSummary = this.buildOutcomeSummary({
             run,
             issue: refreshedIssue,
             postRunState,
             latestAssistantSummary: report.assistantMessages.at(-1),
         });
-        const completed = this.withHeldLease(run.projectId, run.linearIssueId, (lease) => {
-            this.db.runs.finishRun(run.id, this.buildCompletedRunUpdate({
-                threadId,
-                ...(params.completedTurnId ? { completedTurnId: params.completedTurnId } : {}),
-                report,
-                outcomeSummary,
-            }));
-            this.db.issues.upsertIssue({
-                projectId: run.projectId,
-                linearIssueId: run.linearIssueId,
-                activeRunId: null,
-                ...(postRunState ? { factoryState: postRunState } : {}),
+        // `refreshedIssue` was read before several async policy checks; a webhook
+        // may have landed mid-finalize. settleRun re-reads the row inside its
+        // transaction and resolves the post-run state from that fresh truth, so
+        // we never regress it (e.g. the PR merged while we were verifying the
+        // publish). settleRun also owns the slot clear (plan §B1): it refuses to
+        // touch a slot that no longer points at this run.
+        const buildCompletionUpdate = (record) => {
+            const state = postRunFollowUp?.factoryState ?? resolvePostRunFactoryState(record, run);
+            return {
+                ...(state ? { factoryState: state } : {}),
                 pendingRunType: null,
                 pendingRunContextJson: null,
-                ...(postRunFollowUp ? {} : (postRunState === "awaiting_queue" || postRunState === "done"
+                ...(postRunFollowUp ? {} : (state === "awaiting_queue" || state === "done"
                     ? { ...CLEARED_FAILURE_PROVENANCE }
                     : {})),
+            };
+        };
+        const completed = this.withHeldLease(run.projectId, run.linearIssueId, (lease) => {
+            settleRun({
+                db: this.db,
+                run,
+                finish: this.buildCompletedRunUpdate({
+                    threadId,
+                    ...(params.completedTurnId ? { completedTurnId: params.completedTurnId } : {}),
+                    report,
+                    outcomeSummary,
+                }),
+                lease,
+                buildIssueUpdate: buildCompletionUpdate,
             });
             if (postRunFollowUp) {
                 return this.appendWakeEventWithLease(lease, issue, postRunFollowUp.pendingRunType, postRunFollowUp.context, "post_run");