sentinelayer-cli 0.6.2 → 0.8.0

package/src/daemon/fix-cycle.js

@@ -1,377 +1,384 @@
-import { execFileSync } from "node:child_process";
-import path from "node:path";
-import fsp from "node:fs/promises";
-import { startJiraLifecycle, commentJiraIssue, transitionJiraIssue } from "./jira-lifecycle.js";
-import { claimAssignment, heartbeatAssignment, releaseAssignment } from "./assignment-ledger.js";
-
-/**
- * Jules Tanaka — Autonomous Fix Cycle
- *
- * Complete lifecycle:
- *   claim → Jira open → worktree create → agentic fix → test →
- *   Jira comment findings → PR create → Omar Gate watch →
- *   fix P0-P2 from comments → merge → Jira close → artifact → release
- *
- * Failure path: BLOCKED status + Jira comment + release assignment
- * Worktree cleanup: always in finally block
- */
-
-const LEASE_TTL_SECONDS = 1800;
-const HEARTBEAT_INTERVAL_MS = 300000;
-// MAX_FIX_ATTEMPTS reserved for future agentic retry loop
-const OMAR_POLL_INTERVAL_MS = 15000;
-const OMAR_POLL_MAX_ATTEMPTS = 40; // 10 minutes max wait
-
-export async function runFixCycle({ workItemId, workItem, rootPath, scopeMap, findings, onEvent, agentIdentity }) {
-  const agentDef = agentIdentity || { id: "unknown", persona: "Unknown Agent", color: "white", avatar: "", signature: "" };
-  const emit = (ev, pl) => {
-    if (onEvent) onEvent({
-      stream: "sl_event", event: ev,
-      agent: { id: agentDef.id, persona: agentDef.persona, color: agentDef.color, avatar: agentDef.avatar },
-      payload: { workItemId, ...pl },
-    });
-  };
-
-  const artDir = path.join(rootPath, ".sentinelayer", "observability", "fixes", workItemId);
-  await fsp.mkdir(artDir, { recursive: true });
-
-  let jiraKey = null;
-  let prNumber = null;
-  let worktreePath = null;
-  let branchName = null;
-  let hbTimer = null;
-
-  try {
-    // ── [1] CLAIM ─────────────────────────────────────────────────
-    emit("fix_claim", { status: "claiming" });
-    await claimAssignment({
-      targetPath: rootPath, workItemId,
-      agentIdentity: "jules-tanaka@frontend",
-      leaseTtlSeconds: LEASE_TTL_SECONDS, stage: "fix",
-    });
-
-    hbTimer = setInterval(async () => {
-      try {
-        await heartbeatAssignment({
-          targetPath: rootPath, workItemId,
-          agentIdentity: "jules-tanaka@frontend",
-          leaseTtlSeconds: LEASE_TTL_SECONDS, stage: "fix",
-        });
-      } catch { /* heartbeat failure is non-blocking */ }
-    }, HEARTBEAT_INTERVAL_MS);
-
-    // ── [2] JIRA OPEN ─────────────────────────────────────────────
-    emit("fix_jira", { status: "opening" });
-    const sev = workItem?.severity || "P2";
-    const endpoint = workItem?.endpoint || "unknown";
-    const errorCode = workItem?.errorCode || "UNKNOWN";
-
-    const jr = await startJiraLifecycle({
-      targetPath: rootPath, workItemId, actor: agentDef.persona,
-      summary: "[" + sev + "] Frontend: " + errorCode + " at " + endpoint,
-      description: buildDescription(workItem, findings),
-      labels: ["sentinelayer", "jules-tanaka", "frontend", "severity-" + sev.toLowerCase()],
-      planMessage: buildPlan(workItem, scopeMap, findings),
-      issueKeyPrefix: "SLD",
-    });
-    jiraKey = jr.issue?.issueKey;
-    emit("fix_jira", { status: "opened", issueKey: jiraKey });
-
-    // ── [3] WORKTREE CREATE ───────────────────────────────────────
-    branchName = "fix/jules-" + workItemId.replace(/[^a-zA-Z0-9-]/g, "-");
-    worktreePath = path.join(rootPath, ".jules-worktree-" + workItemId);
-    emit("fix_worktree", { status: "creating", branch: branchName });
-
-    safeExecFile("git", ["fetch", "origin"], rootPath);
-    safeExecFile("git", ["worktree", "add", "-b", branchName, worktreePath, "origin/main"], rootPath);
-    emit("fix_worktree", { status: "created", path: worktreePath });
-
-    // ── [4] INVESTIGATE + FIX ─────────────────────────────────────
-    emit("fix_investigate", { status: "analyzing" });
-
-    // Comment Jira with findings before fix attempt
-    if (jiraKey && findings && findings.length > 0) {
-      await commentJiraIssue({
-        targetPath: rootPath, workItemId, issueKey: jiraKey,
-        actor: agentDef.persona, type: "finding",
-        message: buildFindingsComment(findings),
-      });
-    }
-
-    // Fix generation: the caller is responsible for writing changes to the
-    // worktree before invoking runFixCycle, or for wiring julesAuditLoop
-    // in fix mode with FileEdit tool access. runFixCycle handles the full
-    // PR/Omar/merge/Jira lifecycle for whatever changes exist in the worktree.
-
-    // ── [5] PUSH + PR ─────────────────────────────────────────────
-    emit("fix_pr", { status: "pushing" });
-
-    // Check if there are changes to commit in the worktree
-    const diffOutput = safeExecFile("git", ["diff", "--stat"], worktreePath);
-    const untrackedOutput = safeExecFile("git", ["ls-files", "--others", "--exclude-standard"], worktreePath);
-    const hasChanges = diffOutput.trim().length > 0 || untrackedOutput.trim().length > 0;
-
-    if (hasChanges) {
-      safeExecFile("git", ["add", "-A"], worktreePath);
-      safeExecFile("git", ["commit", "-m", "[Jules] Fix " + errorCode + " at " + endpoint], worktreePath);
-    }
-
-    safeExecFile("git", ["push", "-u", "origin", branchName], worktreePath);
-
-    const prBody = buildPrBody(workItem, findings, jiraKey);
-    const prUrl = safeExecFile("gh", [
-      "pr", "create",
-      "--title", "[Jules] Fix " + errorCode,
-      "--body", prBody,
-      "--head", branchName,
-    ], worktreePath).trim();
-
-    const prMatch = prUrl.match(/\/pull\/(\d+)/);
-    prNumber = prMatch ? parseInt(prMatch[1]) : null;
-    emit("fix_pr", { status: "created", prNumber, url: prUrl });
-
-    // ── [6] OMAR GATE WATCH ───────────────────────────────────────
-    if (prNumber) {
-      emit("fix_omar", { status: "watching", prNumber });
-      const omarPassed = await watchOmarGate(rootPath, branchName, emit);
-
-      if (!omarPassed) {
-        emit("fix_omar", { status: "failed" });
-        // Comment Jira about Omar failure
-        if (jiraKey) {
-          await commentJiraIssue({
-            targetPath: rootPath, workItemId, issueKey: jiraKey,
-            actor: agentDef.persona, type: "operator_stop",
-            message: "## Omar Gate Failed\nPR #" + prNumber + " did not pass Omar Gate.\nEscalating to human review.\n\n" + agentDef.signature,
-          });
-          await transitionJiraIssue({
-            targetPath: rootPath, workItemId, issueKey: jiraKey,
-            toStatus: "BLOCKED", actor: agentDef.persona,
-            reason: "Omar Gate failed on PR #" + prNumber,
-          });
-        }
-        await releaseAssignment({
-          targetPath: rootPath, workItemId,
-          agentIdentity: "jules-tanaka@frontend",
-          status: "BLOCKED", reason: "Omar Gate failed on PR #" + prNumber,
-        });
-        return {
-          workItemId, jiraIssueKey: jiraKey, prNumber,
-          status: "blocked_omar", signature: agentDef.signature,
-        };
-      }
-
-      emit("fix_omar", { status: "passed", prNumber });
-
-      // ── [7] MERGE ───────────────────────────────────────────────
-      emit("fix_merge", { status: "merging", prNumber });
-      try {
-        safeExecFile("gh", ["pr", "merge", String(prNumber), "--squash", "--delete-branch"], rootPath);
-        emit("fix_merge", { status: "merged", prNumber });
-      } catch (mergeErr) {
-        emit("fix_merge", { status: "failed", error: mergeErr.message });
-        // PR created but merge failed — still better than nothing
-      }
-    }
-
-    // ── [8] JIRA CLOSE ────────────────────────────────────────────
-    if (jiraKey) {
-      await commentJiraIssue({
-        targetPath: rootPath, workItemId, issueKey: jiraKey,
-        actor: agentDef.persona, type: "fix",
-        message: "## Resolution\nPR #" + (prNumber || "pending") + " merged.\nOmar Gate: passed.\nFindings addressed: " + (findings?.length || 0) + "\n\n" + agentDef.signature,
-      });
-      await transitionJiraIssue({
-        targetPath: rootPath, workItemId, issueKey: jiraKey,
-        toStatus: "DONE", actor: agentDef.persona,
-        reason: "Fixed in PR #" + (prNumber || "pending"),
-      });
-    }
-
-    // ── [9] ARTIFACT + S3 UPLOAD ────────────────────────────────────
-    const result = {
-      workItemId, jiraIssueKey: jiraKey, prNumber,
-      status: "completed",
-      findingsAddressed: findings?.length || 0,
-      signature: agentDef.signature,
-    };
-    await fsp.writeFile(
-      path.join(artDir, "fix-result.json"),
-      JSON.stringify(result, null, 2),
-    );
-
-    // Upload to S3 for compliance archive + agent training data
-    emit("fix_s3", { status: "uploading" });
-    const s3Result = await uploadFixArtifactsToS3(artDir, workItemId, rootPath);
-    emit("fix_s3", { status: s3Result.uploaded ? "uploaded" : "skipped", reason: s3Result.reason });
-
-    // ── [10] RELEASE ──────────────────────────────────────────────
-    await releaseAssignment({
-      targetPath: rootPath, workItemId,
-      agentIdentity: "jules-tanaka@frontend",
-      status: "DONE",
-      reason: "PR #" + (prNumber || "pending") + " merged. " + agentDef.signature,
-    });
-
-    emit("fix_complete", { prNumber, jiraIssueKey: jiraKey, status: "completed" });
-    return result;
-
-  } catch (err) {
-    emit("fix_error", { error: err.message });
-    try {
-      await releaseAssignment({
-        targetPath: rootPath, workItemId,
-        agentIdentity: "jules-tanaka@frontend",
-        status: "BLOCKED", reason: "Fix cycle failed: " + err.message,
-      });
-    } catch { /* release failure non-blocking */ }
-    if (jiraKey) {
-      try {
-        await commentJiraIssue({
-          targetPath: rootPath, workItemId, issueKey: jiraKey,
-          actor: agentDef.persona, type: "operator_stop",
-          message: "## Fix Failed\n" + err.message + "\nEscalating to human.\n\n" + agentDef.signature,
-        });
-        await transitionJiraIssue({
-          targetPath: rootPath, workItemId, issueKey: jiraKey,
-          toStatus: "BLOCKED", actor: agentDef.persona,
-          reason: "Fix cycle failed: " + err.message,
-        });
-      } catch { /* Jira failure non-blocking */ }
-    }
-    return { workItemId, jiraIssueKey: jiraKey, prNumber, status: "failed", error: err.message, signature: agentDef.signature };
-  } finally {
-    if (hbTimer) clearInterval(hbTimer);
-    if (worktreePath) {
-      try { safeExecFile("git", ["worktree", "remove", worktreePath, "--force"], rootPath); } catch { /* best effort */ }
-    }
-  }
-}
-
-// ── Omar Gate Watch ──────────────────────────────────────────────────
-
-async function watchOmarGate(rootPath, branchName, emit) {
-  for (let attempt = 0; attempt < OMAR_POLL_MAX_ATTEMPTS; attempt++) {
-    await sleep(OMAR_POLL_INTERVAL_MS);
-    try {
-      const runJson = safeExecFile("gh", [
-        "run", "list", "--workflow", "Omar Gate", "--branch", branchName,
-        "--limit", "1", "--json", "databaseId,status,conclusion",
-      ], rootPath);
-      const runs = JSON.parse(runJson || "[]");
-      if (runs.length === 0) continue;
-
-      const run = runs[0];
-      if (run.status === "completed") {
-        emit("fix_omar", { status: "completed", conclusion: run.conclusion, runId: run.databaseId });
-        return run.conclusion === "success";
-      }
-      if (attempt % 4 === 0) {
-        emit("fix_omar", { status: "waiting", attempt, runId: run.databaseId });
-      }
-    } catch { /* polling failure non-blocking, will retry */ }
-  }
-  // Timed out waiting for Omar
-  emit("fix_omar", { status: "timeout" });
-  return false;
-}
-
-// ── Helpers ──────────────────────────────────────────────────────────
-
-function safeExecFile(bin, args, cwd) {
-  return execFileSync(bin, args, {
-    cwd, encoding: "utf-8", timeout: 60000,
-    stdio: ["pipe", "pipe", "pipe"],
-  });
-}
-
-function sleep(ms) {
-  return new Promise(resolve => setTimeout(resolve, ms));
-}
-
-function buildDescription(w, f) {
-  const parts = [];
-  parts.push("**Service:** " + (w?.service || "unknown"));
-  parts.push("**Endpoint:** " + (w?.endpoint || "unknown"));
-  parts.push("**Error:** " + (w?.errorCode || "UNKNOWN"));
-  parts.push("**Severity:** " + (w?.severity || "P2"));
-  if (w?.message) parts.push("**Message:** " + w.message.slice(0, 500));
-  if (w?.stackFingerprint) parts.push("**Stack fingerprint:** " + w.stackFingerprint);
-  if (f?.length) parts.push("\n**Related findings:** " + f.length);
-  parts.push("\n" + agentDef.signature);
-  return parts.join("\n");
-}
-
-function buildPlan(w, s, f) {
-  const parts = [];
-  parts.push("## Investigation Plan");
-  parts.push("1. Scope reconstruction from error at " + (w?.endpoint || "unknown"));
-  parts.push("2. Read " + ((s?.primary || []).length) + " primary scope files");
-  parts.push("3. Identify root cause from stack trace + code analysis");
-  parts.push("4. Apply fix in isolated worktree");
-  parts.push("5. Run tests to verify fix");
-  parts.push("6. Open PR and watch Omar Gate");
-  if (f?.length) parts.push("\n**Pre-existing findings:** " + f.length);
-  parts.push("\n" + agentDef.signature);
-  return parts.join("\n");
-}
-
-function buildFindingsComment(f) {
-  const parts = ["## Findings"];
-  const items = f || [];
-  for (const finding of items.slice(0, 10)) {
-    parts.push("- **[" + (finding.severity || "P3") + "]** " + (finding.file || "") + ":" + (finding.line || "") + " " + (finding.title || finding.type || ""));
-    if (finding.evidence) parts.push("  Evidence: " + String(finding.evidence).slice(0, 200));
-  }
-  if (items.length > 10) parts.push("... and " + (items.length - 10) + " more");
-  parts.push("\n" + agentDef.signature);
-  return parts.join("\n");
-}
-
-function buildPrBody(w, f, jiraKey) {
-  const parts = [];
-  if (jiraKey) parts.push("Fixes " + jiraKey);
-  parts.push("Error: " + (w?.errorCode || "UNKNOWN") + " at " + (w?.endpoint || "unknown"));
-  parts.push("Severity: " + (w?.severity || "P2"));
-  if (f?.length) parts.push("Findings addressed: " + f.length);
-  parts.push("");
-  parts.push(agentDef.signature);
-  return parts.join("\n");
-}
-
-// ── S3 Upload ────────────────────────────────────────────────────────
-
-/**
- * Upload fix artifacts to S3 for compliance archive and agent training.
- * Uses AWS CLI (must be configured in environment).
- * Fails silently — S3 upload must never block the fix cycle.
- *
- * Bucket: SENTINELAYER_AUDIT_S3_BUCKET env var (default: sentinelayer-audit-artifacts)
- * Key pattern: {repo}/{date}/jules-tanaka/{workItemId}/
- */
-async function uploadFixArtifactsToS3(artifactDir, workItemId, rootPath) {
-  const bucket = process.env.SENTINELAYER_AUDIT_S3_BUCKET;
-  if (!bucket) {
-    return { uploaded: false, reason: "SENTINELAYER_AUDIT_S3_BUCKET not set" };
-  }
-
-  try {
-    // Derive repo name from git remote or directory name
-    let repoName = "unknown-repo";
-    try {
-      const remote = safeExecFile("git", ["remote", "get-url", "origin"], rootPath).trim();
-      const match = remote.match(/\/([^/]+?)(?:\.git)?$/);
-      if (match) repoName = match[1];
-    } catch { /* use default */ }
-
-    const date = new Date().toISOString().split("T")[0];
-    const s3Key = repoName + "/" + date + "/jules-tanaka/" + workItemId + "/";
-    const s3Url = "s3://" + bucket + "/" + s3Key;
-
-    safeExecFile("aws", ["s3", "sync", artifactDir, s3Url, "--quiet", "--sse", "AES256"], rootPath);
-
-    return { uploaded: true, bucket, key: s3Key };
-  } catch (err) {
-    return { uploaded: false, reason: "S3 upload failed: " + err.message };
-  }
-}
+import { execFileSync } from "node:child_process";
+import path from "node:path";
+import fsp from "node:fs/promises";
+import { startJiraLifecycle, commentJiraIssue, transitionJiraIssue } from "./jira-lifecycle.js";
+import { claimAssignment, heartbeatAssignment, releaseAssignment } from "./assignment-ledger.js";
+import { createAgentEvent } from "../events/schema.js";
+
+/**
+ * Jules Tanaka — Autonomous Fix Cycle
+ *
+ * Complete lifecycle:
+ *   claim → Jira open → worktree create → agentic fix → test →
+ *   Jira comment findings → PR create → Omar Gate watch →
+ *   fix P0-P2 from comments → merge → Jira close → artifact → release
+ *
+ * Failure path: BLOCKED status + Jira comment + release assignment
+ * Worktree cleanup: always in finally block
+ */
+
+const LEASE_TTL_SECONDS = 1800;
+const HEARTBEAT_INTERVAL_MS = 300000;
+// MAX_FIX_ATTEMPTS reserved for future agentic retry loop
+const OMAR_POLL_INTERVAL_MS = 15000;
+const OMAR_POLL_MAX_ATTEMPTS = 40; // 10 minutes max wait
+
+export async function runFixCycle({ workItemId, workItem, rootPath, scopeMap, findings, onEvent, agentIdentity }) {
+  const agentDef = agentIdentity || { id: "unknown", persona: "Unknown Agent", color: "white", avatar: "", signature: "" };
+  const emit = (ev, pl) => {
+    if (onEvent) onEvent(createAgentEvent({
+      event: ev,
+      agent: {
+        id: agentDef.id,
+        persona: agentDef.persona,
+        color: agentDef.color,
+        avatar: agentDef.avatar,
+      },
+      payload: { workItemId, ...pl },
+      workItemId,
+    }));
+  };
+
+  const artDir = path.join(rootPath, ".sentinelayer", "observability", "fixes", workItemId);
+  await fsp.mkdir(artDir, { recursive: true });
+
+  let jiraKey = null;
+  let prNumber = null;
+  let worktreePath = null;
+  let branchName = null;
+  let hbTimer = null;
+
+  try {
+    // ── [1] CLAIM ─────────────────────────────────────────────────
+    emit("fix_claim", { status: "claiming" });
+    await claimAssignment({
+      targetPath: rootPath, workItemId,
+      agentIdentity: "jules-tanaka@frontend",
+      leaseTtlSeconds: LEASE_TTL_SECONDS, stage: "fix",
+    });
+
+    hbTimer = setInterval(async () => {
+      try {
+        await heartbeatAssignment({
+          targetPath: rootPath, workItemId,
+          agentIdentity: "jules-tanaka@frontend",
+          leaseTtlSeconds: LEASE_TTL_SECONDS, stage: "fix",
+        });
+      } catch { /* heartbeat failure is non-blocking */ }
+    }, HEARTBEAT_INTERVAL_MS);
+
+    // ── [2] JIRA OPEN ─────────────────────────────────────────────
+    emit("fix_jira", { status: "opening" });
+    const sev = workItem?.severity || "P2";
+    const endpoint = workItem?.endpoint || "unknown";
+    const errorCode = workItem?.errorCode || "UNKNOWN";
+
+    const jr = await startJiraLifecycle({
+      targetPath: rootPath, workItemId, actor: agentDef.persona,
+      summary: "[" + sev + "] Frontend: " + errorCode + " at " + endpoint,
+      description: buildDescription(workItem, findings),
+      labels: ["sentinelayer", "jules-tanaka", "frontend", "severity-" + sev.toLowerCase()],
+      planMessage: buildPlan(workItem, scopeMap, findings),
+      issueKeyPrefix: "SLD",
+    });
+    jiraKey = jr.issue?.issueKey;
+    emit("fix_jira", { status: "opened", issueKey: jiraKey });
+
+    // ── [3] WORKTREE CREATE ───────────────────────────────────────
+    branchName = "fix/jules-" + workItemId.replace(/[^a-zA-Z0-9-]/g, "-");
+    worktreePath = path.join(rootPath, ".jules-worktree-" + workItemId);
+    emit("fix_worktree", { status: "creating", branch: branchName });
+
+    safeExecFile("git", ["fetch", "origin"], rootPath);
+    safeExecFile("git", ["worktree", "add", "-b", branchName, worktreePath, "origin/main"], rootPath);
+    emit("fix_worktree", { status: "created", path: worktreePath });
+
+    // ── [4] INVESTIGATE + FIX ─────────────────────────────────────
+    emit("fix_investigate", { status: "analyzing" });
+
+    // Comment Jira with findings before fix attempt
+    if (jiraKey && findings && findings.length > 0) {
+      await commentJiraIssue({
+        targetPath: rootPath, workItemId, issueKey: jiraKey,
+        actor: agentDef.persona, type: "finding",
+        message: buildFindingsComment(findings),
+      });
+    }
+
+    // Fix generation: the caller is responsible for writing changes to the
+    // worktree before invoking runFixCycle, or for wiring julesAuditLoop
+    // in fix mode with FileEdit tool access. runFixCycle handles the full
+    // PR/Omar/merge/Jira lifecycle for whatever changes exist in the worktree.
+
+    // ── [5] PUSH + PR ─────────────────────────────────────────────
+    emit("fix_pr", { status: "pushing" });
+
+    // Check if there are changes to commit in the worktree
+    const diffOutput = safeExecFile("git", ["diff", "--stat"], worktreePath);
+    const untrackedOutput = safeExecFile("git", ["ls-files", "--others", "--exclude-standard"], worktreePath);
+    const hasChanges = diffOutput.trim().length > 0 || untrackedOutput.trim().length > 0;
+
+    if (hasChanges) {
+      safeExecFile("git", ["add", "-A"], worktreePath);
+      safeExecFile("git", ["commit", "-m", "[Jules] Fix " + errorCode + " at " + endpoint], worktreePath);
+    }
+
+    safeExecFile("git", ["push", "-u", "origin", branchName], worktreePath);
+
+    const prBody = buildPrBody(workItem, findings, jiraKey);
+    const prUrl = safeExecFile("gh", [
+      "pr", "create",
+      "--title", "[Jules] Fix " + errorCode,
+      "--body", prBody,
+      "--head", branchName,
+    ], worktreePath).trim();
+
+    const prMatch = prUrl.match(/\/pull\/(\d+)/);
+    prNumber = prMatch ? parseInt(prMatch[1]) : null;
+    emit("fix_pr", { status: "created", prNumber, url: prUrl });
+
+    // ── [6] OMAR GATE WATCH ───────────────────────────────────────
+    if (prNumber) {
+      emit("fix_omar", { status: "watching", prNumber });
+      const omarPassed = await watchOmarGate(rootPath, branchName, emit);
+
+      if (!omarPassed) {
+        emit("fix_omar", { status: "failed" });
+        // Comment Jira about Omar failure
+        if (jiraKey) {
+          await commentJiraIssue({
+            targetPath: rootPath, workItemId, issueKey: jiraKey,
+            actor: agentDef.persona, type: "operator_stop",
+            message: "## Omar Gate Failed\nPR #" + prNumber + " did not pass Omar Gate.\nEscalating to human review.\n\n" + agentDef.signature,
+          });
+          await transitionJiraIssue({
+            targetPath: rootPath, workItemId, issueKey: jiraKey,
+            toStatus: "BLOCKED", actor: agentDef.persona,
+            reason: "Omar Gate failed on PR #" + prNumber,
+          });
+        }
+        await releaseAssignment({
+          targetPath: rootPath, workItemId,
+          agentIdentity: "jules-tanaka@frontend",
+          status: "BLOCKED", reason: "Omar Gate failed on PR #" + prNumber,
+        });
+        return {
+          workItemId, jiraIssueKey: jiraKey, prNumber,
+          status: "blocked_omar", signature: agentDef.signature,
+        };
+      }
+
+      emit("fix_omar", { status: "passed", prNumber });
+
+      // ── [7] MERGE ───────────────────────────────────────────────
+      emit("fix_merge", { status: "merging", prNumber });
+      try {
+        safeExecFile("gh", ["pr", "merge", String(prNumber), "--squash", "--delete-branch"], rootPath);
+        emit("fix_merge", { status: "merged", prNumber });
+      } catch (mergeErr) {
+        emit("fix_merge", { status: "failed", error: mergeErr.message });
+        // PR created but merge failed — still better than nothing
+      }
+    }
+
+    // ── [8] JIRA CLOSE ────────────────────────────────────────────
+    if (jiraKey) {
+      await commentJiraIssue({
+        targetPath: rootPath, workItemId, issueKey: jiraKey,
+        actor: agentDef.persona, type: "fix",
+        message: "## Resolution\nPR #" + (prNumber || "pending") + " merged.\nOmar Gate: passed.\nFindings addressed: " + (findings?.length || 0) + "\n\n" + agentDef.signature,
+      });
+      await transitionJiraIssue({
+        targetPath: rootPath, workItemId, issueKey: jiraKey,
+        toStatus: "DONE", actor: agentDef.persona,
+        reason: "Fixed in PR #" + (prNumber || "pending"),
+      });
+    }
+
+    // ── [9] ARTIFACT + S3 UPLOAD ────────────────────────────────────
+    const result = {
+      workItemId, jiraIssueKey: jiraKey, prNumber,
+      status: "completed",
+      findingsAddressed: findings?.length || 0,
+      signature: agentDef.signature,
+    };
+    await fsp.writeFile(
+      path.join(artDir, "fix-result.json"),
+      JSON.stringify(result, null, 2),
+    );
+
+    // Upload to S3 for compliance archive + agent training data
+    emit("fix_s3", { status: "uploading" });
+    const s3Result = await uploadFixArtifactsToS3(artDir, workItemId, rootPath);
+    emit("fix_s3", { status: s3Result.uploaded ? "uploaded" : "skipped", reason: s3Result.reason });
+
+    // ── [10] RELEASE ──────────────────────────────────────────────
+    await releaseAssignment({
+      targetPath: rootPath, workItemId,
+      agentIdentity: "jules-tanaka@frontend",
+      status: "DONE",
+      reason: "PR #" + (prNumber || "pending") + " merged. " + agentDef.signature,
+    });
+
+    emit("fix_complete", { prNumber, jiraIssueKey: jiraKey, status: "completed" });
+    return result;
+
+  } catch (err) {
+    emit("fix_error", { error: err.message });
+    try {
+      await releaseAssignment({
+        targetPath: rootPath, workItemId,
+        agentIdentity: "jules-tanaka@frontend",
+        status: "BLOCKED", reason: "Fix cycle failed: " + err.message,
+      });
+    } catch { /* release failure non-blocking */ }
+    if (jiraKey) {
+      try {
+        await commentJiraIssue({
+          targetPath: rootPath, workItemId, issueKey: jiraKey,
+          actor: agentDef.persona, type: "operator_stop",
+          message: "## Fix Failed\n" + err.message + "\nEscalating to human.\n\n" + agentDef.signature,
+        });
+        await transitionJiraIssue({
+          targetPath: rootPath, workItemId, issueKey: jiraKey,
+          toStatus: "BLOCKED", actor: agentDef.persona,
+          reason: "Fix cycle failed: " + err.message,
+        });
+      } catch { /* Jira failure non-blocking */ }
+    }
+    return { workItemId, jiraIssueKey: jiraKey, prNumber, status: "failed", error: err.message, signature: agentDef.signature };
+  } finally {
+    if (hbTimer) clearInterval(hbTimer);
+    if (worktreePath) {
+      try { safeExecFile("git", ["worktree", "remove", worktreePath, "--force"], rootPath); } catch { /* best effort */ }
+    }
+  }
+}
+
+// ── Omar Gate Watch ──────────────────────────────────────────────────
+
+async function watchOmarGate(rootPath, branchName, emit) {
+  for (let attempt = 0; attempt < OMAR_POLL_MAX_ATTEMPTS; attempt++) {
+    await sleep(OMAR_POLL_INTERVAL_MS);
+    try {
+      const runJson = safeExecFile("gh", [
+        "run", "list", "--workflow", "Omar Gate", "--branch", branchName,
+        "--limit", "1", "--json", "databaseId,status,conclusion",
+      ], rootPath);
+      const runs = JSON.parse(runJson || "[]");
+      if (runs.length === 0) continue;
+
+      const run = runs[0];
+      if (run.status === "completed") {
+        emit("fix_omar", { status: "completed", conclusion: run.conclusion, runId: run.databaseId });
+        return run.conclusion === "success";
+      }
+      if (attempt % 4 === 0) {
+        emit("fix_omar", { status: "waiting", attempt, runId: run.databaseId });
+      }
+    } catch { /* polling failure non-blocking, will retry */ }
+  }
+  // Timed out waiting for Omar
+  emit("fix_omar", { status: "timeout" });
+  return false;
+}
+
+// ── Helpers ──────────────────────────────────────────────────────────
+
+function safeExecFile(bin, args, cwd) {
+  return execFileSync(bin, args, {
+    cwd, encoding: "utf-8", timeout: 60000,
+    stdio: ["pipe", "pipe", "pipe"],
+  });
+}
+
+function sleep(ms) {
+  return new Promise(resolve => setTimeout(resolve, ms));
+}
+
+function buildDescription(w, f) {
+  const parts = [];
+  parts.push("**Service:** " + (w?.service || "unknown"));
+  parts.push("**Endpoint:** " + (w?.endpoint || "unknown"));
+  parts.push("**Error:** " + (w?.errorCode || "UNKNOWN"));
+  parts.push("**Severity:** " + (w?.severity || "P2"));
+  if (w?.message) parts.push("**Message:** " + w.message.slice(0, 500));
+  if (w?.stackFingerprint) parts.push("**Stack fingerprint:** " + w.stackFingerprint);
+  if (f?.length) parts.push("\n**Related findings:** " + f.length);
+  parts.push("\n" + agentDef.signature);
+  return parts.join("\n");
+}
+
+function buildPlan(w, s, f) {
+  const parts = [];
+  parts.push("## Investigation Plan");
+  parts.push("1. Scope reconstruction from error at " + (w?.endpoint || "unknown"));
+  parts.push("2. Read " + ((s?.primary || []).length) + " primary scope files");
+  parts.push("3. Identify root cause from stack trace + code analysis");
+  parts.push("4. Apply fix in isolated worktree");
+  parts.push("5. Run tests to verify fix");
+  parts.push("6. Open PR and watch Omar Gate");
+  if (f?.length) parts.push("\n**Pre-existing findings:** " + f.length);
+  parts.push("\n" + agentDef.signature);
+  return parts.join("\n");
+}
+
+function buildFindingsComment(f) {
+  const parts = ["## Findings"];
+  const items = f || [];
+  for (const finding of items.slice(0, 10)) {
+    parts.push("- **[" + (finding.severity || "P3") + "]** " + (finding.file || "") + ":" + (finding.line || "") + " " + (finding.title || finding.type || ""));
+    if (finding.evidence) parts.push("  Evidence: " + String(finding.evidence).slice(0, 200));
+  }
+  if (items.length > 10) parts.push("... and " + (items.length - 10) + " more");
+  parts.push("\n" + agentDef.signature);
+  return parts.join("\n");
+}
+
+function buildPrBody(w, f, jiraKey) {
+  const parts = [];
+  if (jiraKey) parts.push("Fixes " + jiraKey);
+  parts.push("Error: " + (w?.errorCode || "UNKNOWN") + " at " + (w?.endpoint || "unknown"));
+  parts.push("Severity: " + (w?.severity || "P2"));
+  if (f?.length) parts.push("Findings addressed: " + f.length);
+  parts.push("");
+  parts.push(agentDef.signature);
+  return parts.join("\n");
+}
+
+// ── S3 Upload ────────────────────────────────────────────────────────
+
+/**
+ * Upload fix artifacts to S3 for compliance archive and agent training.
+ * Uses AWS CLI (must be configured in environment).
+ * Fails silently — S3 upload must never block the fix cycle.
+ *
+ * Bucket: SENTINELAYER_AUDIT_S3_BUCKET env var (default: sentinelayer-audit-artifacts)
+ * Key pattern: {repo}/{date}/jules-tanaka/{workItemId}/
+ */
+async function uploadFixArtifactsToS3(artifactDir, workItemId, rootPath) {
+  const bucket = process.env.SENTINELAYER_AUDIT_S3_BUCKET;
+  if (!bucket) {
+    return { uploaded: false, reason: "SENTINELAYER_AUDIT_S3_BUCKET not set" };
+  }
+
+  try {
+    // Derive repo name from git remote or directory name
+    let repoName = "unknown-repo";
+    try {
+      const remote = safeExecFile("git", ["remote", "get-url", "origin"], rootPath).trim();
+      const match = remote.match(/\/([^/]+?)(?:\.git)?$/);
+      if (match) repoName = match[1];
+    } catch { /* use default */ }
+
+    const date = new Date().toISOString().split("T")[0];
+    const s3Key = repoName + "/" + date + "/jules-tanaka/" + workItemId + "/";
+    const s3Url = "s3://" + bucket + "/" + s3Key;
+
+    safeExecFile("aws", ["s3", "sync", artifactDir, s3Url, "--quiet", "--sse", "AES256"], rootPath);
+
+    return { uploaded: true, bucket, key: s3Key };
+  } catch (err) {
+    return { uploaded: false, reason: "S3 upload failed: " + err.message };
+  }
+}