patchrelay 0.77.0 → 0.78.1

package/dist/build-info.json

@@ -1,6 +1,6 @@
 {
   "service": "patchrelay",
-  "version": "0.77.0",
-  "commit": "618168f38a38",
-  "builtAt": "2026-06-10T04:00:01.424Z"
+  "version": "0.78.1",
+  "commit": "6907b2e338b5",
+  "builtAt": "2026-06-10T20:42:13.572Z"
 }

package/dist/db/webhook-event-store.js

@@ -1,3 +1,10 @@
+/**
+ * Rows older than this that are still `pending` were abandoned by a crash or
+ * restart mid-processing. They are never replayed — recovery is re-derivation
+ * from GitHub/Linear via reconciliation — so the startup sweep marks them
+ * `abandoned`, which makes them archiveable like any other terminal status.
+ */
+export const ABANDONED_PENDING_WEBHOOK_AGE_MS = 15 * 60 * 1000;
 export class WebhookEventStore {
     connection;
     constructor(connection) {
@@ -39,6 +46,21 @@ export class WebhookEventStore {
     markWebhookProcessed(id, status) {
         this.connection.prepare("UPDATE webhook_events SET processing_status = ? WHERE id = ?").run(status, id);
     }
+    /**
+     * Startup maintenance (core simplification plan, phase C2): mark rows stuck
+     * at `pending` since before the cutoff as `abandoned` so the retention pass
+     * can archive them. Returns the number of rows marked — each one is a
+     * crash-interrupted processing attempt worth surfacing to the operator.
+     */
+    markAbandonedPendingEventsBefore(cutoffIso) {
+        const result = this.connection.prepare(`
+      UPDATE webhook_events
+      SET processing_status = 'abandoned'
+      WHERE processing_status = 'pending'
+        AND received_at < ?
+    `).run(cutoffIso);
+        return Number(result.changes ?? 0);
+    }
     assignWebhookProject(id, projectId) {
         this.connection.prepare("UPDATE webhook_events SET project_id = ? WHERE id = ?").run(projectId, id);
     }

package/dist/failure-provenance.js

@@ -21,3 +21,43 @@ export const CLEARED_FAILURE_PROVENANCE = {
     lastAttemptedFailureSignature: null,
     lastAttemptedFailureAt: null,
 };
+/**
+ * The single rule for clearing failure provenance (core simplification plan,
+ * phase C1): provenance may be cleared only when the observed evidence is
+ * NEWER than the recorded failure —
+ *
+ * 1. the PR merged or closed (nothing left to repair), or
+ * 2. the PR's current head differs from `lastGitHubFailureHeadSha` (the
+ *    failing commit was superseded), or
+ * 3. the same kind of check that recorded the failure succeeded on the
+ *    recorded failure head (the failure was actually fixed):
+ *    - `queue_eviction` failures require the eviction check itself to
+ *      succeed — a green *branch* gate proves nothing about integration
+ *      with main (the swallowed-repair bug), while
+ *    - `branch_ci` (and unclassified) failures are cleared by a green gate
+ *      or a green eviction check on the failure head.
+ *
+ * A poll that merely "looks green" on the same head never clears a queue
+ * incident, and a stale check event for an unrelated head never clears
+ * anything.
+ */
+export function mayClearFailureProvenance(current, observed) {
+    if (observed.prState === "merged" || observed.prState === "closed") {
+        return true;
+    }
+    const failureHeadSha = current.lastGitHubFailureHeadSha;
+    if (!failureHeadSha) {
+        // Nothing concrete recorded to preserve — clearing is harmless.
+        return true;
+    }
+    if (observed.headSha && observed.headIsCurrentTruth && observed.headSha !== failureHeadSha) {
+        return true;
+    }
+    if (observed.headSha === failureHeadSha) {
+        if (current.lastGitHubFailureSource === "queue_eviction") {
+            return observed.evictionCheckSucceeded === true;
+        }
+        return observed.gateCheckStatus === "success" || observed.evictionCheckSucceeded === true;
+    }
+    return false;
+}

package/dist/github-webhook-late-publication-guard.js

@@ -1,3 +1,4 @@
+import { isTerminalRunStatus } from "./run-settlement.js";
 function isPatchRelayBot(login) {
     return login === "patchrelay[bot]" || login === "app/patchrelay";
 }
@@ -7,6 +8,25 @@ function parseRepo(repoFullName) {
         return undefined;
     return { owner, repo };
 }
+/**
+ * Late-publication guard (core simplification plan, phase C3).
+ *
+ * Detects a PatchRelay-authored `pr_opened` for an issue with no recorded PR
+ * while the latest implementation run is already settled — settleRun owns
+ * settlement, so a terminal run can no longer claim this PR as its own
+ * publication. Every such PR gets an operator-feed alert.
+ *
+ * Autonomous action is limited to one case: a run with status `released`,
+ * which PatchRelay itself stopped before publication (issue blocked,
+ * undelegated, or superseded mid-implementation) — its PR is unwanted by
+ * construction and is auto-closed. For any other settled status (`completed`,
+ * `failed`, `superseded`) the run may have legitimately published right at
+ * the end (the webhook can race settlement), so the PR is linked normally
+ * and the operator decides.
+ *
+ * Returns `true` when the PR was suppressed (closed) and the webhook should
+ * not be projected onto the issue.
+ */
 export async function maybeCloseLatePublishedImplementationPr(params) {
     const { db, logger, feed, issue, event, fetchImpl } = params;
     if (event.triggerEvent !== "pr_opened")
@@ -20,8 +40,32 @@ export async function maybeCloseLatePublishedImplementationPr(params) {
     const latestRun = db.runs.getLatestRunForIssue(issue.projectId, issue.linearIssueId);
     if (!latestRun || latestRun.runType !== "implementation")
         return false;
-    if (latestRun.status === "running" || latestRun.status === "completed")
+    // A non-terminal run (queued/running) is still allowed to publish — this
+    // is the normal mid-run PR creation path.
+    if (!isTerminalRunStatus(latestRun.status))
         return false;
+    // Detection: the implementation run is settled, yet a bot PR just arrived.
+    logger.warn({
+        issueKey: issue.issueKey,
+        prNumber: event.prNumber,
+        latestRunId: latestRun.id,
+        latestRunStatus: latestRun.status,
+    }, "Late PatchRelay PR detected after the implementation run was settled");
+    feed?.publish({
+        level: "warn",
+        kind: "github",
+        issueKey: issue.issueKey,
+        projectId: issue.projectId,
+        stage: issue.factoryState,
+        status: "late_pr_detected",
+        summary: `Detected late PR #${event.prNumber} from a settled implementation run (${latestRun.status})`,
+        detail: latestRun.failureReason ?? `Latest implementation run status: ${latestRun.status}`,
+    });
+    if (latestRun.status !== "released") {
+        // The run may have published legitimately just before settling; link the
+        // PR and leave the decision to the operator.
+        return false;
+    }
     const repo = parseRepo(event.repoFullName);
     const token = process.env.GITHUB_TOKEN ?? process.env.GH_TOKEN;
     if (!repo || !token) {
@@ -30,17 +74,7 @@ export async function maybeCloseLatePublishedImplementationPr(params) {
             prNumber: event.prNumber,
             latestRunId: latestRun.id,
             latestRunStatus: latestRun.status,
-        }, "Late PatchRelay PR was detected after the implementation run had already stopped, but PatchRelay could not auto-close it");
-        feed?.publish({
-            level: "warn",
-            kind: "github",
-            issueKey: issue.issueKey,
-            projectId: issue.projectId,
-            stage: issue.factoryState,
-            status: "late_pr_detected",
-            summary: `Detected late PR #${event.prNumber} from an inactive implementation run`,
-            detail: latestRun.failureReason ?? `Latest implementation run status: ${latestRun.status}`,
-        });
+        }, "Late PatchRelay PR from a released implementation run could not be auto-closed (missing repo or token)");
         return false;
     }
     const response = await fetchImpl(`https://api.github.com/repos/${encodeURIComponent(repo.owner)}/${encodeURIComponent(repo.repo)}/pulls/${event.prNumber}`, {
@@ -61,7 +95,7 @@ export async function maybeCloseLatePublishedImplementationPr(params) {
             status: response.status,
             latestRunId: latestRun.id,
             latestRunStatus: latestRun.status,
-        }, "Failed to auto-close late PatchRelay PR from an inactive implementation run");
+        }, "Failed to auto-close late PatchRelay PR from a released implementation run");
         feed?.publish({
             level: "warn",
             kind: "github",
@@ -79,7 +113,7 @@ export async function maybeCloseLatePublishedImplementationPr(params) {
         prNumber: event.prNumber,
         latestRunId: latestRun.id,
         latestRunStatus: latestRun.status,
-    }, "Auto-closed late PatchRelay PR from an inactive implementation run");
+    }, "Auto-closed late PatchRelay PR from a released implementation run");
     feed?.publish({
         level: "warn",
         kind: "github",
@@ -87,7 +121,7 @@ export async function maybeCloseLatePublishedImplementationPr(params) {
         projectId: issue.projectId,
         stage: issue.factoryState,
         status: "late_pr_closed",
-        summary: `Auto-closed late PR #${event.prNumber} from an inactive implementation run`,
+        summary: `Auto-closed late PR #${event.prNumber} from a released implementation run`,
         detail: latestRun.failureReason ?? `Latest implementation run status: ${latestRun.status}`,
     });
     return true;

package/dist/github-webhook-policy.js

@@ -1,5 +1,6 @@
-import { resolveFactoryStateFromGitHub } from "./factory-state.js";
+import { mayClearFailureProvenance } from "./failure-provenance.js";
 import { resolveMergeQueueProtocol, } from "./merge-queue-protocol.js";
+import { deriveFactoryStateFromPrFacts } from "./pr-facts-derivation.js";
 const DEFAULT_GATE_CHECK_NAMES = ["verify", "tests"];
 /**
  * GitHub sends both check_run and check_suite completion events.
@@ -61,28 +62,38 @@ export function isSettledBranchFailure(db, issue, event, project) {
         return false;
     return snapshot?.gateCheckStatus === "failure" && snapshot.headSha === event.headSha;
 }
+/**
+ * Webhook adapter over {@link mayClearFailureProvenance} — translates a
+ * normalized GitHub event into the evidence object the shared rule expects.
+ * Check events can arrive out of order, so their head SHA only clears
+ * provenance when the success covers the recorded failure head; a
+ * `pr_synchronize` carries the freshly pushed head, which IS current truth.
+ */
 export function canClearFailureProvenance(issue, event, project) {
-    if (event.triggerEvent !== "check_passed")
+    if (event.triggerEvent === "pr_merged" || event.triggerEvent === "pr_closed") {
         return true;
-    if (isQueueEvictionFailure(issue, event, project)) {
-        return !issue.lastGitHubFailureHeadSha || issue.lastGitHubFailureHeadSha === event.headSha;
     }
-    if (!isGateCheckEvent(event, project)) {
+    if (event.triggerEvent === "pr_synchronize") {
+        return mayClearFailureProvenance(issue, {
+            headSha: event.headSha,
+            headIsCurrentTruth: true,
+        });
+    }
+    if (event.triggerEvent !== "check_passed") {
         return true;
     }
-    if (isStaleGateEvent(issue, event)) {
-        return false;
+    if (isQueueEvictionFailure(issue, event, project)) {
+        return mayClearFailureProvenance(issue, {
+            headSha: event.headSha,
+            evictionCheckSucceeded: true,
+        });
     }
-    return !issue.lastGitHubFailureHeadSha || issue.lastGitHubFailureHeadSha === event.headSha;
+    return mayClearFailureProvenance(issue, {
+        headSha: event.headSha,
+        gateCheckStatus: "success",
+    });
 }
 export function resolveGitHubFactoryStateForEvent(issue, event, project, activeRun) {
-    if (event.triggerEvent === "pr_closed") {
-        return undefined;
-    }
-    const effectiveCurrentState = (issue.factoryState === "awaiting_input" || issue.factoryState === "delegated")
-        && (event.prState === "open" || event.prNumber !== undefined)
-        ? "pr_open"
-        : issue.factoryState;
     // Classify check_failed events so the rule table can route them.
     // The duplicate short-circuit that lived here before is gone — the
     // table now handles queue_eviction via failureSource (plan §4.3).
@@ -92,19 +103,19 @@ export function resolveGitHubFactoryStateForEvent(issue, event, project, activeR
     const approvalHeadSha = event.triggerEvent === "review_approved"
         ? (event.reviewCommitId ?? event.headSha)
         : undefined;
-    const resolved = resolveFactoryStateFromGitHub(event.triggerEvent, effectiveCurrentState, {
+    return deriveFactoryStateFromPrFacts({
+        source: "webhook",
+        triggerEvent: event.triggerEvent,
+        prState: event.prState,
+        prNumber: event.prNumber,
+        headSha: event.headSha,
+        failureSource,
+        ...(approvalHeadSha ? { approvalHeadSha } : {}),
+    }, {
+        factoryState: issue.factoryState,
         prReviewState: issue.prReviewState,
         activeRunId: issue.activeRunId,
-        failureSource,
         ...(activeRun?.runType ? { activeRunType: activeRun.runType } : {}),
         ...(activeRun?.sourceHeadSha ? { activeRunSourceHeadSha: activeRun.sourceHeadSha } : {}),
-        ...(approvalHeadSha ? { approvalHeadSha } : {}),
     });
-    if (resolved !== undefined) {
-        return resolved;
-    }
-    if (effectiveCurrentState !== issue.factoryState) {
-        return effectiveCurrentState;
-    }
-    return undefined;
 }

package/dist/github-webhook-sequence-backstop.js

@@ -1,3 +1,8 @@
+const MAX_CACHED_FILE_SETS = 512;
+export function createSequenceBackstopCaches() {
+    return { alertedPrPairs: new Set(), changedFilesByHead: new Map() };
+}
+const processCaches = createSequenceBackstopCaches();
 // Plan §8.2: backstop for missed sequence-checks. When a PR is
 // opened and its changed-file set overlaps with another in-flight
 // PR's, surface an operator event so the agent can be re-prompted
@@ -7,6 +12,7 @@
 export async function maybeRunSequenceBackstop(params) {
     const { db, logger, feed, event } = params;
     const fetchImpl = params.fetchImpl ?? fetch;
+    const caches = params.caches ?? processCaches;
     if (event.triggerEvent !== "pr_opened")
         return;
     if (!event.repoFullName || event.prNumber === undefined)
@@ -17,7 +23,15 @@ export async function maybeRunSequenceBackstop(params) {
     const [owner, repo] = event.repoFullName.split("/", 2);
     if (!owner || !repo)
         return;
-    const newPrFiles = await listChangedFiles(fetchImpl, token, owner, repo, event.prNumber).catch(() => undefined);
+    const newPrFiles = await listChangedFilesCached({
+        caches,
+        fetchImpl,
+        token,
+        owner,
+        repo,
+        prNumber: event.prNumber,
+        headSha: event.headSha,
+    });
     if (!newPrFiles || newPrFiles.size === 0)
         return;
     const candidates = db.issues
@@ -28,12 +42,24 @@ export async function maybeRunSequenceBackstop(params) {
         && issue.branchName !== undefined
         && issue.branchName !== event.branchName);
     for (const candidate of candidates) {
-        const candidateFiles = await listChangedFiles(fetchImpl, token, owner, repo, candidate.prNumber).catch(() => undefined);
+        const pairKey = `${owner}/${repo}#${event.prNumber}->#${candidate.prNumber}`;
+        if (caches.alertedPrPairs.has(pairKey))
+            continue;
+        const candidateFiles = await listChangedFilesCached({
+            caches,
+            fetchImpl,
+            token,
+            owner,
+            repo,
+            prNumber: candidate.prNumber,
+            headSha: candidate.prHeadSha,
+        });
         if (!candidateFiles)
             continue;
         const overlap = intersect(newPrFiles, candidateFiles);
         if (overlap.length === 0)
             continue;
+        caches.alertedPrPairs.add(pairKey);
         logger.info({
             event: "sequence_backstop_overlap_detected",
             prNumber: event.prNumber,
@@ -53,6 +79,23 @@ export async function maybeRunSequenceBackstop(params) {
         return;
     }
 }
+async function listChangedFilesCached(params) {
+    const { caches } = params;
+    const cacheKey = params.headSha ? `${params.owner}/${params.repo}@${params.headSha}` : undefined;
+    if (cacheKey) {
+        const cached = caches.changedFilesByHead.get(cacheKey);
+        if (cached)
+            return cached;
+    }
+    const files = await listChangedFiles(params.fetchImpl, params.token, params.owner, params.repo, params.prNumber).catch(() => undefined);
+    if (cacheKey && files) {
+        if (caches.changedFilesByHead.size >= MAX_CACHED_FILE_SETS) {
+            caches.changedFilesByHead.clear();
+        }
+        caches.changedFilesByHead.set(cacheKey, files);
+    }
+    return files;
+}
 async function listChangedFiles(fetchImpl, token, owner, repo, prNumber) {
     const result = new Set();
     let page = 1;

package/dist/github-webhook-state-projector.js

@@ -123,6 +123,9 @@ export async function projectGitHubWebhookState(deps, issue, event, project, lin
     }
     const freshIssue = deps.db.issues.getIssue(issue.projectId, issue.linearIssueId) ?? issue;
     if (event.triggerEvent === "pr_synchronize" && !freshIssue.activeRunId) {
+        // A push always resets the repair budgets and the CI snapshot for the new
+        // head; failure provenance is only cleared when the pushed head actually
+        // supersedes the recorded failure (mayClearFailureProvenance — phase C1).
         deps.db.issueSessions.commitIssueState({
             writer: WRITER,
             update: {
@@ -130,22 +133,12 @@ export async function projectGitHubWebhookState(deps, issue, event, project, lin
                 linearIssueId: issue.linearIssueId,
                 ciRepairAttempts: 0,
                 queueRepairAttempts: 0,
-                lastGitHubFailureSource: null,
-                lastGitHubFailureHeadSha: null,
-                lastGitHubFailureSignature: null,
-                lastGitHubFailureCheckName: null,
-                lastGitHubFailureCheckUrl: null,
-                lastGitHubFailureContextJson: null,
-                lastGitHubFailureAt: null,
+                ...(canClearFailureProvenance(freshIssue, event, project) ? CLEARED_FAILURE_PROVENANCE : {}),
                 lastGitHubCiSnapshotHeadSha: event.headSha ?? null,
                 lastGitHubCiSnapshotGateCheckName: getPrimaryGateCheckName(project),
                 lastGitHubCiSnapshotGateCheckStatus: "pending",
                 lastGitHubCiSnapshotJson: null,
                 lastGitHubCiSnapshotSettledAt: null,
-                lastQueueIncidentJson: null,
-                lastAttemptedFailureHeadSha: null,
-                lastAttemptedFailureSignature: null,
-                lastAttemptedFailureAt: null,
             },
         });
     }
@@ -370,7 +363,7 @@ async function updateGitHubFailureProvenance(deps, issue, event, project, failur
     if ((event.triggerEvent === "check_passed" && (!isMetadataOnlyCheckEvent(event) || isQueueEvictionFailure(issue, event, project) || isGateCheckEvent(event, project)))
         || event.triggerEvent === "pr_synchronize"
         || event.triggerEvent === "pr_merged") {
-        if (event.triggerEvent === "check_passed" && !canClearFailureProvenance(issue, event, project)) {
+        if (!canClearFailureProvenance(issue, event, project)) {
             return;
         }
         deps.db.issueSessions.commitIssueState({

package/dist/idle-reconciliation.js

@@ -1,5 +1,6 @@
 import { TERMINAL_STATES } from "./factory-state.js";
-import { CLEARED_FAILURE_PROVENANCE } from "./failure-provenance.js";
+import { CLEARED_FAILURE_PROVENANCE, mayClearFailureProvenance, } from "./failure-provenance.js";
+import { deriveFactoryStateFromPrFacts } from "./pr-facts-derivation.js";
 import { DEPLOY_WATCH_TIMEOUT_MS, evaluateDeploy, isDeployTrackingEnabled, } from "./post-merge-deploy.js";
 import { buildBranchUpkeepContext, buildFailureContext, getGateCheckNames, hasCompletedReviewQuillVerdict, hasFailureProvenance, isDuplicateRepairAttempt, isFailingCheckStatus, isReviewDecisionApproved, isReviewDecisionReviewRequired, } from "./idle-reconciliation-helpers.js";
 import { resolveMergeQueueProtocol } from "./merge-queue-protocol.js";
@@ -73,11 +74,13 @@ export class IdleIssueReconciler {
                 if (issue.prNumber) {
                     await this.reconcileFromGitHub(issue);
                 }
-                else if (issue.factoryState !== "awaiting_queue") {
-                    this.advanceIdleIssue(issue, "awaiting_queue", { clearFailureProvenance: true });
-                }
-                else if (hasFailureProvenance(issue)) {
-                    this.advanceIdleIssue(issue, "awaiting_queue", { clearFailureProvenance: true });
+                else {
+                    // No PR to poll means no fresh GitHub evidence — provenance may
+                    // only be cleared when nothing concrete is recorded to preserve.
+                    const clear = hasFailureProvenance(issue) && mayClearFailureProvenance(issue, {});
+                    if (issue.factoryState !== "awaiting_queue" || clear) {
+                        this.advanceIdleIssue(issue, "awaiting_queue", clear ? { clearFailureProvenance: true } : {});
+                    }
                 }
                 continue;
             }
@@ -526,8 +529,12 @@ export class IdleIssueReconciler {
         if (!snapshot.ok) {
             this.logger.debug({ issueKey: issue.issueKey, error: snapshot.error.message }, "Failed to query GitHub PR state during reconciliation");
             if (issue.prReviewState === "approved") {
-                if (issue.factoryState !== "awaiting_queue" || hasFailureProvenance(issue)) {
-                    this.advanceIdleIssue(issue, "awaiting_queue", hasFailureProvenance(issue) ? { clearFailureProvenance: true } : {});
+                // The poll failed, so there is no fresh evidence: never clear
+                // recorded failure provenance on this path (a green-looking local
+                // row must not swallow a pending repair).
+                const clear = hasFailureProvenance(issue) && mayClearFailureProvenance(issue, {});
+                if (issue.factoryState !== "awaiting_queue" || clear) {
+                    this.advanceIdleIssue(issue, "awaiting_queue", clear ? { clearFailureProvenance: true } : {});
                 }
             }
             return;
@@ -537,6 +544,34 @@ export class IdleIssueReconciler {
             const previousHeadSha = issue.prHeadSha;
             const gateCheckNames = getGateCheckNames(project);
             const gateCheckStatus = deriveGateCheckStatusFromRollup(pr.statusCheckRollup, gateCheckNames);
+            const headAdvanced = Boolean(pr.headRefOid && pr.headRefOid !== previousHeadSha);
+            const prState = pr.state === "MERGED" ? "merged" : pr.state === "CLOSED" ? "closed" : "open";
+            // Normalized level observation shared with the webhook path (plan §C1):
+            // every factory-state decision below goes through
+            // deriveFactoryStateFromPrFacts so both ingestion paths derive the same
+            // state from the same facts.
+            const observed = {
+                source: "poll",
+                prState,
+                prNumber,
+                ...(pr.reviewDecision ? { reviewDecision: pr.reviewDecision } : {}),
+                ...(gateCheckStatus ? { gateCheckStatus } : {}),
+                ...(pr.headRefOid ? { headSha: pr.headRefOid } : {}),
+                headAdvanced,
+                ...(prState === "closed" ? { closedPrDisposition: resolveClosedPrDisposition(issue) } : {}),
+            };
+            const currentFacts = (record) => ({
+                factoryState: record.factoryState,
+                prReviewState: record.prReviewState,
+                activeRunId: record.activeRunId,
+            });
+            // Evidence for the provenance rule: the polled head is current truth.
+            const provenanceEvidence = {
+                prState,
+                ...(pr.headRefOid ? { headSha: pr.headRefOid } : {}),
+                headIsCurrentTruth: true,
+                ...(gateCheckStatus ? { gateCheckStatus } : {}),
+            };
             const factsCommit = this.db.issueSessions.commitIssueState({
                 writer: WRITER,
                 update: {
@@ -560,7 +595,9 @@ export class IdleIssueReconciler {
                 return;
             }
             if (pr.state === "CLOSED") {
-                const closedPrDisposition = resolveClosedPrDisposition(issue);
+                // State decision shared with the webhook path; a closed PR is always
+                // newer evidence than any recorded failure, so clearing is allowed.
+                const closedState = deriveFactoryStateFromPrFacts(observed, currentFacts(issue));
                 const closedCommit = this.db.issueSessions.commitIssueState({
                     writer: WRITER,
                     update: {
@@ -573,12 +610,12 @@ export class IdleIssueReconciler {
                 if (closedCommit.outcome === "applied") {
                     issue = closedCommit.issue;
                 }
-                if (closedPrDisposition === "done") {
+                if (closedState === "done") {
                     this.logger.info({ issueKey: issue.issueKey, prNumber: issue.prNumber }, "Reconciliation: PR was closed for an already completed issue; preserving done state");
                     this.advanceIdleIssue(issue, "done", { clearFailureProvenance: true });
                     return;
                 }
-                if (closedPrDisposition === "terminal") {
+                if (closedState === undefined) {
                     this.logger.info({ issueKey: issue.issueKey, prNumber: issue.prNumber, factoryState: issue.factoryState }, "Reconciliation: PR was closed on a terminal issue; preserving terminal state");
                     return;
                 }
@@ -595,9 +632,9 @@ export class IdleIssueReconciler {
                 }
                 return;
             }
-            const headAdvanced = Boolean(pr.headRefOid && pr.headRefOid !== previousHeadSha);
-            if (issue.factoryState !== "awaiting_input") {
-                const terminalRecoveryState = this.deriveTerminalRecoveryState(issue, pr.reviewDecision, gateCheckStatus, headAdvanced);
+            if (issue.factoryState !== "awaiting_input"
+                && (issue.factoryState === "escalated" || issue.factoryState === "failed")) {
+                const terminalRecoveryState = deriveFactoryStateFromPrFacts(observed, currentFacts(issue));
                 if (terminalRecoveryState) {
                     this.logger.info({
                         issueKey: issue.issueKey,
@@ -608,7 +645,8 @@ export class IdleIssueReconciler {
                         reviewDecision: pr.reviewDecision,
                         headAdvanced,
                     }, "Reconciliation: recovered terminal issue from newer GitHub truth");
-                    this.advanceIdleIssue(issue, terminalRecoveryState, { clearFailureProvenance: true });
+                    const clear = mayClearFailureProvenance(issue, provenanceEvidence);
+                    this.advanceIdleIssue(issue, terminalRecoveryState, clear ? { clearFailureProvenance: true } : {});
                     return;
                 }
             }
@@ -669,7 +707,7 @@ export class IdleIssueReconciler {
                 this.advanceIdleIssue(issue, reactiveIntent.compatibilityFactoryState, {
                     pendingRunType: reactiveIntent.runType,
                     ...(pendingRunContext ? { pendingRunContext } : {}),
-                    clearFailureProvenance: true,
+                    ...(mayClearFailureProvenance(issue, provenanceEvidence) ? { clearFailureProvenance: true } : {}),
                 });
                 return;
             }
@@ -684,7 +722,7 @@ export class IdleIssueReconciler {
                 }, "Reconciliation: re-queued requested-changes follow-up from GitHub truth");
                 this.advanceIdleIssue(issue, reactiveIntent.compatibilityFactoryState, {
                     pendingRunType: reactiveIntent.runType,
-                    clearFailureProvenance: true,
+                    ...(mayClearFailureProvenance(issue, provenanceEvidence) ? { clearFailureProvenance: true } : {}),
                 });
                 this.feed?.publish({
                     level: "warn",
@@ -744,9 +782,14 @@ export class IdleIssueReconciler {
                         prReviewState: "approved",
                     },
                 });
-                if (issue.factoryState !== "awaiting_queue" || hasFailureProvenance(issue)) {
-                    const options = hasFailureProvenance(issue) ? { clearFailureProvenance: true } : undefined;
-                    this.advanceIdleIssue(issue, "awaiting_queue", options);
+                const approvedState = deriveFactoryStateFromPrFacts(observed, currentFacts(issue));
+                if (approvedState === "awaiting_queue") {
+                    // Provenance survives unless the polled evidence is newer than the
+                    // recorded failure (head advanced, gate green on the failure head).
+                    const clear = hasFailureProvenance(issue) && mayClearFailureProvenance(issue, provenanceEvidence);
+                    if (issue.factoryState !== "awaiting_queue" || clear) {
+                        this.advanceIdleIssue(issue, "awaiting_queue", clear ? { clearFailureProvenance: true } : undefined);
+                    }
                 }
                 return;
             }
@@ -755,22 +798,4 @@ export class IdleIssueReconciler {
             }
         }
     }
-    deriveTerminalRecoveryState(issue, reviewDecision, gateCheckStatus, headAdvanced) {
-        if (issue.factoryState !== "escalated" && issue.factoryState !== "failed") {
-            return undefined;
-        }
-        if (isReviewDecisionApproved(reviewDecision) && !isFailingCheckStatus(gateCheckStatus)) {
-            return "awaiting_queue";
-        }
-        if (gateCheckStatus === "pending") {
-            return "pr_open";
-        }
-        if (headAdvanced && !isFailingCheckStatus(gateCheckStatus)) {
-            return "pr_open";
-        }
-        if (isReviewDecisionReviewRequired(reviewDecision) && !isFailingCheckStatus(gateCheckStatus)) {
-            return "pr_open";
-        }
-        return undefined;
-    }
 }

package/dist/pr-facts-derivation.js

@@ -0,0 +1,81 @@
+import { resolveFactoryStateFromGitHub } from "./factory-state.js";
+import { isFailingCheckStatus, isReviewDecisionApproved, isReviewDecisionReviewRequired, } from "./idle-reconciliation-helpers.js";
+/**
+ * Pure factory-state derivation shared by the webhook projector and the idle
+ * reconciler. Returns the state the issue should move to, or `undefined`
+ * when the observation is a no-op for the current state.
+ */
+export function deriveFactoryStateFromPrFacts(observed, current) {
+    if (observed.triggerEvent !== undefined) {
+        return deriveFromTriggerEvent(observed.triggerEvent, observed, current);
+    }
+    return deriveFromPolledLevel(observed, current);
+}
+// ── Delta observations (webhook trigger events) ─────────────────────
+// The transition-rule table in factory-state.ts is the spec; this wrapper
+// adds the awaiting_input/delegated lifting that the webhook path applies
+// before consulting the table.
+function deriveFromTriggerEvent(triggerEvent, observed, current) {
+    if (triggerEvent === "pr_closed") {
+        // The terminal-PR handler owns the closed-PR decision on the webhook path.
+        return undefined;
+    }
+    const effectiveCurrentState = (current.factoryState === "awaiting_input" || current.factoryState === "delegated")
+        && (observed.prState === "open" || observed.prNumber !== undefined)
+        ? "pr_open"
+        : current.factoryState;
+    const resolved = resolveFactoryStateFromGitHub(triggerEvent, effectiveCurrentState, {
+        prReviewState: current.prReviewState,
+        activeRunId: current.activeRunId,
+        failureSource: observed.failureSource,
+        ...(current.activeRunType ? { activeRunType: current.activeRunType } : {}),
+        ...(current.activeRunSourceHeadSha ? { activeRunSourceHeadSha: current.activeRunSourceHeadSha } : {}),
+        ...(observed.approvalHeadSha ? { approvalHeadSha: observed.approvalHeadSha } : {}),
+    });
+    if (resolved !== undefined) {
+        return resolved;
+    }
+    if (effectiveCurrentState !== current.factoryState) {
+        return effectiveCurrentState;
+    }
+    return undefined;
+}
+// ── Level observations (polled snapshot) ────────────────────────────
+function deriveFromPolledLevel(observed, current) {
+    if (observed.prState === "closed") {
+        if (observed.closedPrDisposition === "done")
+            return "done";
+        if (observed.closedPrDisposition === "terminal")
+            return undefined;
+        return "delegated";
+    }
+    if (observed.prState === "merged") {
+        // Mirrors the pr_merged transition rule: with an active run the
+        // finalizer owns the completion; deploy tracking may map "done" to
+        // "deploying" at the call site.
+        return current.activeRunId === undefined ? "done" : undefined;
+    }
+    if (current.factoryState === "escalated" || current.factoryState === "failed") {
+        // Terminal recovery: newer GitHub truth reopens a stuck terminal issue.
+        // No fall-through to the generic approved rule — an escalated issue with
+        // a red gate stays escalated (the failure provenance keeps the repair
+        // routable; auto-reopening would swallow it).
+        if (isReviewDecisionApproved(observed.reviewDecision) && !isFailingCheckStatus(observed.gateCheckStatus)) {
+            return "awaiting_queue";
+        }
+        if (observed.gateCheckStatus === "pending") {
+            return "pr_open";
+        }
+        if (observed.headAdvanced && !isFailingCheckStatus(observed.gateCheckStatus)) {
+            return "pr_open";
+        }
+        if (isReviewDecisionReviewRequired(observed.reviewDecision) && !isFailingCheckStatus(observed.gateCheckStatus)) {
+            return "pr_open";
+        }
+        return undefined;
+    }
+    if (isReviewDecisionApproved(observed.reviewDecision)) {
+        return "awaiting_queue";
+    }
+    return undefined;
+}

package/dist/service.js

@@ -14,6 +14,7 @@ import { ServiceStartupRecovery } from "./service-startup-recovery.js";
 import { WakeDispatcher } from "./wake-dispatcher.js";
 import { WebhookHandler } from "./webhook-handler.js";
 import { acceptIncomingWebhook } from "./service-webhooks.js";
+import { ABANDONED_PENDING_WEBHOOK_AGE_MS } from "./db/webhook-event-store.js";
 import { runWebhookEventRetention } from "./event-retention.js";
 import { parseStringArray, TrackedIssueListQuery } from "./tracked-issue-list-query.js";
 import { AgentInputService } from "./agent-input-service.js";
@@ -103,6 +104,7 @@ export class PatchRelayService {
     }
     async start() {
         this.db.issueSessions.releaseExpiredIssueSessionLeases();
+        this.sweepAbandonedWebhookEvents();
         const repairedInstallations = this.db.linearInstallations.repairProjectInstallations(this.config.projects.map((project) => project.id));
         for (const repair of repairedInstallations) {
             this.logger.info({ projectId: repair.projectId, installationId: repair.installationId, reason: repair.reason }, "Repaired Linear project installation link");
@@ -287,6 +289,26 @@ export class PatchRelayService {
     getReadiness() {
         return this.runtime.getReadiness();
     }
+    // Core simplification plan §C2: webhook_events is a dedupe + forensics log,
+    // not a replay queue. A row stuck at 'pending' means a crash or restart
+    // interrupted processing; the event will never be replayed (recovery is
+    // re-derivation from GitHub/Linear via reconciliation), so mark it
+    // 'abandoned' — making it archiveable — and surface the count to the
+    // operator, because every abandoned row is a crash worth seeing.
+    sweepAbandonedWebhookEvents() {
+        const cutoffIso = new Date(Date.now() - ABANDONED_PENDING_WEBHOOK_AGE_MS).toISOString();
+        const abandoned = this.db.webhookEvents.markAbandonedPendingEventsBefore(cutoffIso);
+        if (abandoned === 0)
+            return;
+        this.logger.warn({ abandoned, cutoffIso }, "Marked stale pending webhook events as abandoned at startup");
+        this.feed.publish({
+            level: "warn",
+            kind: "webhook",
+            status: "abandoned_events",
+            summary: `Startup: marked ${abandoned} stale pending webhook event(s) as abandoned`,
+            detail: "Processing was interrupted (crash/restart). State recovers via reconciliation; the rows stay archiveable for forensics.",
+        });
+    }
     scheduleEventRetention(delayMs = 24 * 60 * 60 * 1000) {
         if (this.eventRetentionTimer !== undefined) {
             clearTimeout(this.eventRetentionTimer);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "patchrelay",
-  "version": "0.77.0",
+  "version": "0.78.1",
   "license": "MIT",
   "type": "module",
   "repository": {
@@ -49,7 +49,7 @@
     "start": "node dist/index.js serve",
     "doctor": "node dist/index.js doctor",
     "restart": "node dist/index.js service restart",
-    "deploy": "pnpm build && pnpm add -g . && node dist/index.js service restart",
+    "deploy": "pnpm pack --out /tmp/patchrelay-deploy.tgz && pnpm add -g /tmp/patchrelay-deploy.tgz && patchrelay service restart",
     "lint": "oxlint --ignore-path .gitignore .",
     "typecheck": "tsgo -p tsconfig.json --noEmit",
     "check": "pnpm typecheck",