switchman-dev 0.1.6 → 0.1.7

package/src/core/pipeline.js

@@ -1,13 +1,15 @@
 import { spawn, spawnSync } from 'child_process';
-import { mkdirSync, writeFileSync } from 'fs';
-import { join } from 'path';
+import { existsSync, mkdirSync, realpathSync, writeFileSync } from 'fs';
+import { tmpdir } from 'os';
+import { basename, join } from 'path';
 
-import { completeLeaseTask, createTask, failLeaseTask, getTaskSpec, listAuditEvents, listLeases, listTasks, listWorktrees, logAuditEvent, retryTask, startTaskLease, upsertTaskSpec } from './db.js';
+import { completeLeaseTask, createTask, createTempResource, failLeaseTask, finishOperationJournalEntry, getTaskSpec, listAuditEvents, listBoundaryValidationStates, listDependencyInvalidations, listLeases, listMergeQueue, listPolicyOverrides, listTasks, listTempResources, listWorktrees, logAuditEvent, retryTask, startOperationJournalEntry, startTaskLease, updateTempResource, upsertTaskSpec } from './db.js';
 import { scanAllWorktrees } from './detector.js';
 import { runAiMergeGate } from './merge-gate.js';
 import { evaluateTaskOutcome } from './outcome.js';
+import { loadChangePolicy } from './policy.js';
 import { buildTaskSpec, planPipelineTasks } from './planner.js';
-import { getWorktreeBranch } from './git.js';
+import { getWorktreeBranch, gitBranchExists, gitMaterializeIntegrationBranch, gitPrepareIntegrationRecoveryWorktree, gitRemoveWorktree, gitRevParse, listGitWorktrees } from './git.js';
 
 function sleepSync(ms) {
   if (ms > 0) {
@@ -37,6 +39,10 @@ function parseDependencies(description) {
     .filter(Boolean);
 }
 
+function stringifyResourceDetails(details) {
+  return JSON.stringify(details);
+}
+
 function getPipelineMetadata(db, pipelineId) {
   const events = listAuditEvents(db, { eventType: 'pipeline_created', limit: 500 });
   for (const event of events) {
@@ -52,6 +58,276 @@ function getPipelineMetadata(db, pipelineId) {
   return null;
 }
 
+function parseAuditDetails(details) {
+  try {
+    return JSON.parse(details || '{}');
+  } catch {
+    return {};
+  }
+}
+
+function pipelineOwnsAuditEvent(event, pipelineId) {
+  if (event.task_id?.startsWith(`${pipelineId}-`)) return true;
+  const details = parseAuditDetails(event.details);
+  if (details.pipeline_id === pipelineId) return true;
+  if (details.source_pipeline_id === pipelineId) return true;
+  if (Array.isArray(details.task_ids) && details.task_ids.some((taskId) => String(taskId).startsWith(`${pipelineId}-`))) {
+    return true;
+  }
+  return false;
+}
+
+function buildPipelineTrustAudit(db, pipelineId, { limit = 8 } = {}) {
+  const interestingEventTypes = new Set([
+    'boundary_validation_state',
+    'dependency_invalidations_updated',
+    'pipeline_followups_created',
+    'policy_override_created',
+    'policy_override_revoked',
+    'task_retried',
+    'pipeline_task_retry_scheduled',
+  ]);
+
+  const events = listAuditEvents(db, { limit: 2000 })
+    .filter((event) => interestingEventTypes.has(event.event_type))
+    .filter((event) => pipelineOwnsAuditEvent(event, pipelineId))
+    .slice(0, limit);
+
+  const mappedEvents = events.map((event) => {
+    const details = parseAuditDetails(event.details);
+
+    switch (event.event_type) {
+      case 'boundary_validation_state': {
+        const missing = details.missing_task_types || [];
+        const summary = details.status === 'satisfied'
+          ? 'Policy validation requirements are currently satisfied.'
+          : missing.length > 0
+            ? `Policy validation is waiting on ${missing.join(', ')}.`
+            : `Policy validation state changed to ${details.status || 'pending'}.`;
+        return {
+          category: 'policy',
+          created_at: event.created_at,
+          event_type: event.event_type,
+          status: event.status,
+          reason_code: event.reason_code || null,
+          summary,
+          missing_task_types: missing,
+          next_action: missing.length > 0 ? `switchman pipeline review ${pipelineId}` : `switchman pipeline status ${pipelineId}`,
+        };
+      }
+      case 'dependency_invalidations_updated':
+        {
+          const reasonTypes = details.reason_types || [];
+          const revalidationSets = details.revalidation_sets || [];
+          const reasonSummary = revalidationSets.length > 0
+            ? ` across ${revalidationSets.join(', ')} revalidation`
+            : reasonTypes.length > 0
+              ? ` across ${reasonTypes.join(', ')}`
+              : '';
+        return {
+          category: 'stale',
+          created_at: event.created_at,
+          event_type: event.event_type,
+          status: event.status,
+          reason_code: event.reason_code || null,
+          summary: `A shared change marked ${details.stale_count || 0} dependent task${details.stale_count === 1 ? '' : 's'} stale${reasonSummary}.`,
+          affected_task_ids: details.affected_task_ids || [],
+          next_action: `switchman explain stale --pipeline ${pipelineId}`,
+        };
+        }
+      case 'pipeline_followups_created':
+        return {
+          category: 'remediation',
+          created_at: event.created_at,
+          event_type: event.event_type,
+          status: event.status,
+          reason_code: event.reason_code || null,
+          summary: details.created_count > 0
+            ? `Created ${details.created_count} follow-up task${details.created_count === 1 ? '' : 's'} to satisfy validation or policy work.`
+            : 'No new follow-up tasks were needed after review.',
+          created_count: details.created_count || 0,
+          next_action: details.created_count > 0 ? `switchman pipeline status ${pipelineId}` : `switchman pipeline status ${pipelineId}`,
+        };
+      case 'policy_override_created':
+        return {
+          category: 'policy',
+          created_at: event.created_at,
+          event_type: event.event_type,
+          status: event.status,
+          reason_code: event.reason_code || null,
+          summary: `Policy override ${details.override_id || 'unknown'} was approved${details.task_types?.length ? ` for ${details.task_types.join(', ')}` : ''}${details.reason ? `: ${details.reason}` : ''}.`,
+          next_action: `switchman pipeline status ${pipelineId}`,
+        };
+      case 'policy_override_revoked':
+        return {
+          category: 'policy',
+          created_at: event.created_at,
+          event_type: event.event_type,
+          status: event.status,
+          reason_code: event.reason_code || null,
+          summary: `Policy override ${details.override_id || 'unknown'} was revoked${details.revoked_reason ? `: ${details.revoked_reason}` : ''}.`,
+          next_action: `switchman pipeline status ${pipelineId}`,
+        };
+      case 'task_retried':
+      case 'pipeline_task_retry_scheduled':
+        return {
+          category: 'remediation',
+          created_at: event.created_at,
+          event_type: event.event_type,
+          status: event.status,
+          reason_code: event.reason_code || null,
+          summary: `Scheduled revalidation for ${event.task_id || 'a pipeline task'}.`,
+          task_id: event.task_id || null,
+          next_action: `switchman pipeline status ${pipelineId}`,
+        };
+      default:
+        return {
+          category: 'trust',
+          created_at: event.created_at,
+          event_type: event.event_type,
+          status: event.status,
+          reason_code: event.reason_code || null,
+          summary: event.event_type,
+          next_action: `switchman pipeline status ${pipelineId}`,
+        };
+    }
+  });
+
+  const staleClusterEntries = buildStaleClusters(listDependencyInvalidations(db, { pipelineId }), { pipelineId })
+    .map((cluster) => ({
+      category: 'stale',
+      created_at: cluster.invalidations[0]?.created_at || null,
+      event_type: 'stale_cluster_active',
+      status: cluster.severity === 'block' ? 'denied' : 'warn',
+      reason_code: 'dependent_work_stale',
+      summary: `${cluster.title}.`,
+      affected_task_ids: cluster.affected_task_ids,
+      next_action: cluster.next_action,
+    }));
+
+  const staleWaveEntries = summarizeStaleCausalWaves(
+    buildStaleClusters(listDependencyInvalidations(db, { pipelineId }), { pipelineId }),
+  ).map((wave) => ({
+    category: 'stale',
+    created_at: null,
+    event_type: 'stale_wave_active',
+    status: 'warn',
+    reason_code: 'dependent_work_stale',
+    summary: `${wave.summary}. Affects ${wave.affected_pipeline_ids.join(', ') || 'unknown'} across ${wave.cluster_count} stale cluster${wave.cluster_count === 1 ? '' : 's'}.`,
+    affected_pipeline_ids: wave.affected_pipeline_ids,
+    next_action: `switchman explain stale --pipeline ${pipelineId}`,
+  }));
+
+  return [...mappedEvents, ...staleWaveEntries, ...staleClusterEntries]
+    .sort((a, b) => String(b.created_at || '').localeCompare(String(a.created_at || '')))
+    .slice(0, limit);
+}
+
+function buildPipelinePolicyEvidence(status, requiredTaskTypes = [], { completedLeaseByTask = new Map(), completionAuditByTask = new Map() } = {}) {
+  const completedTasks = (status.tasks || []).filter((task) => task.status === 'done' && task.task_spec?.task_type);
+  const pipelineId = status.pipeline_id;
+  const evidenceObjects = [];
+  const evidenceByTaskType = {};
+
+  for (const taskType of requiredTaskTypes) {
+    evidenceByTaskType[taskType] = completedTasks
+      .filter((task) => task.task_spec?.task_type === taskType)
+      .map((task) => {
+        const lease = completedLeaseByTask.get(task.id) || null;
+        const auditEvent = completionAuditByTask.get(task.id) || null;
+        const evidence = {
+          evidence_id: `policy-evidence:${pipelineId}:${taskType}:${task.id}`,
+          schema_version: 1,
+          requirement_key: `completed_task_type:${taskType}`,
+          requirement_type: 'completed_task_type',
+          pipeline_id: pipelineId,
+          task_id: task.id,
+          title: task.title,
+          task_type: task.task_spec?.task_type || null,
+          worktree: task.worktree || task.suggested_worktree || null,
+          artifact_path: task.task_spec?.primary_output_path || null,
+          subsystem_tags: task.task_spec?.subsystem_tags || [],
+          satisfied_at: task.completed_at || auditEvent?.created_at || null,
+          satisfied_by: {
+            actor_type: lease?.agent ? 'agent' : 'task_completion',
+            agent: lease?.agent || null,
+            worktree: lease?.worktree || task.worktree || task.suggested_worktree || null,
+            lease_id: lease?.id || null,
+            audit_event_id: auditEvent?.id || null,
+            audit_event_type: auditEvent?.event_type || null,
+          },
+        };
+        evidenceObjects.push(evidence);
+        return evidence;
+      });
+  }
+
+  return {
+    evidence_by_task_type: evidenceByTaskType,
+    evidence_objects: evidenceObjects,
+  };
+}
+
+function buildPipelinePolicySatisfactionHistory(policyState) {
+  return (policyState.evidence_objects || [])
+    .map((evidence) => ({
+      category: 'policy',
+      created_at: evidence.satisfied_at || null,
+      event_type: 'policy_requirement_satisfied',
+      status: 'allowed',
+      reason_code: null,
+      summary: `Policy requirement ${evidence.requirement_key} is satisfied by ${evidence.task_id}.`,
+      requirement_key: evidence.requirement_key,
+      evidence_id: evidence.evidence_id,
+      task_id: evidence.task_id,
+      satisfied_by: evidence.satisfied_by,
+      next_action: `switchman pipeline status ${policyState.pipeline_id || '<pipelineId>'}`,
+    }))
+    .sort((a, b) => String(b.created_at || '').localeCompare(String(a.created_at || '')));
+}
+
+function buildPipelinePolicyOverrideState(db, pipelineId, requiredTaskTypes = []) {
+  if (!db || !pipelineId) {
+    return {
+      active_overrides: [],
+      active_task_types: [],
+      active_requirement_keys: [],
+      override_history: [],
+    };
+  }
+
+  const overrides = listPolicyOverrides(db, { pipelineId, limit: 200 });
+  const activeOverrides = overrides.filter((entry) => entry.status === 'active');
+  const activeTaskTypes = uniq(activeOverrides.flatMap((entry) => entry.task_types || []));
+  const activeRequirementKeys = uniq(activeOverrides.flatMap((entry) => entry.requirement_keys || []));
+
+  const overrideHistory = overrides.map((entry) => ({
+    category: 'policy',
+    created_at: entry.status === 'active' ? entry.created_at : (entry.revoked_at || entry.created_at),
+    event_type: entry.status === 'active' ? 'policy_override_active' : 'policy_override_revoked',
+    status: entry.status === 'active' ? 'warn' : 'info',
+    reason_code: entry.status === 'active' ? 'policy_override' : 'policy_override_revoked',
+    override_id: entry.id,
+    task_types: entry.task_types || [],
+    requirement_keys: entry.requirement_keys || [],
+    approved_by: entry.approved_by || null,
+    summary: entry.status === 'active'
+      ? `Policy override ${entry.id} allows ${entry.task_types?.join(', ') || 'governed requirements'} for pipeline ${pipelineId}.`
+      : `Policy override ${entry.id} was revoked${entry.revoked_reason ? `: ${entry.revoked_reason}` : ''}.`,
+    next_action: `switchman pipeline status ${pipelineId}`,
+  }));
+
+  const missingButOverridden = requiredTaskTypes.filter((taskType) => activeTaskTypes.includes(taskType));
+
+  return {
+    active_overrides: activeOverrides,
+    active_task_types: activeTaskTypes,
+    active_requirement_keys: activeRequirementKeys,
+    missing_but_overridden: missingButOverridden,
+    override_history: overrideHistory,
+  };
+}
+
 function withTaskSpec(db, task) {
   return {
     ...task,
@@ -67,6 +343,373 @@ function nextPipelineTaskId(tasks, pipelineId) {
   return `${pipelineId}-${String(nextNumber).padStart(2, '0')}`;
 }
 
+function rankEnforcement(level = 'none') {
+  return level === 'blocked' ? 2 : level === 'warn' ? 1 : 0;
+}
+
+function normalizeDependencyInvalidation(item) {
+  const details = item.details || {};
+  const objectNames = Array.isArray(details.object_names) ? details.object_names : [];
+  const contractNames = Array.isArray(details.contract_names) ? details.contract_names : [];
+  const modulePaths = Array.isArray(details.module_paths) ? details.module_paths : [];
+  return {
+    ...item,
+    severity: item.severity || details.severity || (item.reason_type === 'semantic_contract_drift' ? 'blocked' : 'warn'),
+    details,
+    revalidation_set: details.revalidation_set || (item.reason_type === 'semantic_contract_drift' ? 'contract' : item.reason_type === 'semantic_object_overlap' ? 'semantic_object' : item.reason_type === 'shared_module_drift' ? 'shared_module' : item.reason_type === 'subsystem_overlap' ? 'subsystem' : 'scope'),
+    stale_area: item.reason_type === 'subsystem_overlap'
+      ? `subsystem:${item.subsystem_tag}`
+      : item.reason_type === 'semantic_contract_drift'
+        ? `contract:${contractNames.join('|') || 'unknown'}`
+      : item.reason_type === 'semantic_object_overlap'
+        ? `object:${objectNames.join('|') || 'unknown'}`
+      : item.reason_type === 'shared_module_drift'
+        ? `module:${modulePaths.join('|') || 'unknown'}`
+      : `${item.source_scope_pattern} ↔ ${item.affected_scope_pattern}`,
+    summary: item.reason_type === 'semantic_contract_drift'
+      ? `${details?.source_task_title || item.source_task_id} changed shared contract ${contractNames.join(', ') || 'unknown'}`
+      : item.reason_type === 'semantic_object_overlap'
+      ? `${details?.source_task_title || item.source_task_id} changed shared exported object ${objectNames.join(', ') || 'unknown'}`
+      : item.reason_type === 'shared_module_drift'
+        ? `${details?.source_task_title || item.source_task_id} changed shared module ${modulePaths.join(', ') || 'unknown'} used by ${(details.dependent_files || []).join(', ') || item.affected_task_id}`
+      : `${details?.source_task_title || item.source_task_id} changed shared ${item.reason_type === 'subsystem_overlap' ? `subsystem:${item.subsystem_tag}` : 'scope'}`,
+  };
+}
+
+function buildStaleClusters(invalidations = [], { pipelineId = null } = {}) {
+  const clusters = new Map();
+  for (const invalidation of invalidations.map(normalizeDependencyInvalidation)) {
+    if (pipelineId && invalidation.affected_pipeline_id !== pipelineId) continue;
+    const clusterKey = invalidation.affected_pipeline_id
+      ? `pipeline:${invalidation.affected_pipeline_id}`
+      : `task:${invalidation.affected_task_id}`;
+    if (!clusters.has(clusterKey)) {
+      clusters.set(clusterKey, {
+        key: clusterKey,
+        affected_pipeline_id: invalidation.affected_pipeline_id || null,
+        affected_task_ids: new Set(),
+        source_task_titles: new Set(),
+        source_worktrees: new Set(),
+        stale_areas: new Set(),
+        revalidation_sets: new Set(),
+        dependent_files: new Set(),
+        dependent_areas: new Set(),
+        module_paths: new Set(),
+        invalidations: [],
+        severity: 'warn',
+        highest_affected_priority: 0,
+        highest_source_priority: 0,
+      });
+    }
+    const cluster = clusters.get(clusterKey);
+    cluster.invalidations.push(invalidation);
+    cluster.affected_task_ids.add(invalidation.affected_task_id);
+    if (invalidation.details?.source_task_title) cluster.source_task_titles.add(invalidation.details.source_task_title);
+    if (invalidation.source_worktree) cluster.source_worktrees.add(invalidation.source_worktree);
+    cluster.stale_areas.add(invalidation.stale_area);
+    if (invalidation.revalidation_set) cluster.revalidation_sets.add(invalidation.revalidation_set);
+    for (const filePath of invalidation.details?.dependent_files || []) cluster.dependent_files.add(filePath);
+    for (const area of invalidation.details?.dependent_areas || []) cluster.dependent_areas.add(area);
+    for (const modulePath of invalidation.details?.module_paths || []) cluster.module_paths.add(modulePath);
+    if (invalidation.severity === 'blocked') cluster.severity = 'block';
+    cluster.highest_affected_priority = Math.max(cluster.highest_affected_priority, Number(invalidation.details?.affected_task_priority || 0));
+    cluster.highest_source_priority = Math.max(cluster.highest_source_priority, Number(invalidation.details?.source_task_priority || 0));
+  }
+
+  const clusterEntries = [...clusters.values()].map((cluster) => ({
+    key: cluster.key,
+    affected_pipeline_id: cluster.affected_pipeline_id,
+    affected_task_ids: [...cluster.affected_task_ids],
+    invalidation_count: cluster.invalidations.length,
+    source_task_ids: [...new Set(cluster.invalidations.map((item) => item.source_task_id).filter(Boolean))],
+    source_pipeline_ids: [...new Set(cluster.invalidations.map((item) => item.source_pipeline_id).filter(Boolean))],
+    source_task_titles: [...cluster.source_task_titles],
+    source_worktrees: [...cluster.source_worktrees],
+    stale_areas: [...cluster.stale_areas],
+    revalidation_sets: [...cluster.revalidation_sets],
+    dependent_files: [...cluster.dependent_files],
+    dependent_areas: [...cluster.dependent_areas],
+    module_paths: [...cluster.module_paths],
+    revalidation_set_type: cluster.revalidation_sets.has('contract')
+      ? 'contract'
+      : cluster.revalidation_sets.has('shared_module')
+        ? 'shared_module'
+      : cluster.revalidation_sets.has('semantic_object')
+        ? 'semantic_object'
+        : cluster.revalidation_sets.has('subsystem')
+          ? 'subsystem'
+          : 'scope',
+    rerun_priority: cluster.severity === 'block'
+      ? (cluster.revalidation_sets.has('contract') || cluster.highest_affected_priority >= 8 ? 'urgent' : 'high')
+      : cluster.revalidation_sets.has('shared_module') && cluster.dependent_files.size >= 3
+        ? 'high'
+      : cluster.highest_affected_priority >= 8
+        ? 'high'
+        : cluster.highest_affected_priority >= 5
+          ? 'medium'
+          : 'low',
+    rerun_priority_score: (cluster.severity === 'block' ? 100 : 0)
+      + (cluster.revalidation_sets.has('contract') ? 30 : cluster.revalidation_sets.has('shared_module') ? 20 : cluster.revalidation_sets.has('semantic_object') ? 15 : 0)
+      + (cluster.highest_affected_priority * 3)
+      + (cluster.dependent_files.size * 4)
+      + (cluster.dependent_areas.size * 2)
+      + cluster.module_paths.size
+      + cluster.invalidations.length,
+    rerun_breadth_score: (cluster.dependent_files.size * 4) + (cluster.dependent_areas.size * 2) + cluster.module_paths.size,
+    highest_affected_priority: cluster.highest_affected_priority,
+    highest_source_priority: cluster.highest_source_priority,
+    severity: cluster.severity,
+    invalidations: cluster.invalidations,
+    title: cluster.affected_pipeline_id
+      ? `Pipeline ${cluster.affected_pipeline_id} has ${cluster.invalidations.length} stale ${cluster.revalidation_sets.has('contract') ? 'contract' : cluster.revalidation_sets.has('shared_module') ? 'shared-module' : cluster.revalidation_sets.has('semantic_object') ? 'semantic-object' : 'dependency'} invalidation${cluster.invalidations.length === 1 ? '' : 's'}`
+      : `${[...cluster.affected_task_ids][0]} has ${cluster.invalidations.length} stale ${cluster.revalidation_sets.has('contract') ? 'contract' : cluster.revalidation_sets.has('shared_module') ? 'shared-module' : cluster.revalidation_sets.has('semantic_object') ? 'semantic-object' : 'dependency'} invalidation${cluster.invalidations.length === 1 ? '' : 's'}`,
+    detail: `${[...cluster.source_task_titles][0] || cluster.invalidations[0]?.source_task_id || 'unknown source'} (${[...cluster.stale_areas].join(', ')})`,
+    next_action: cluster.affected_pipeline_id
+      ? `switchman task retry-stale --pipeline ${cluster.affected_pipeline_id}`
+      : `switchman task retry ${[...cluster.affected_task_ids][0]}`,
+  }));
+
+  const causeGroups = new Map();
+  for (const cluster of clusterEntries) {
+    const primary = cluster.invalidations[0] || {};
+    const details = primary.details || {};
+    const causeKey = cluster.revalidation_set_type === 'contract'
+      ? `contract:${(details.contract_names || []).join('|') || cluster.stale_areas.join('|')}|source:${cluster.source_task_ids.join('|') || 'unknown'}`
+      : cluster.revalidation_set_type === 'shared_module'
+        ? `shared_module:${(details.module_paths || cluster.module_paths || []).join('|') || cluster.stale_areas.join('|')}|source:${cluster.source_task_ids.join('|') || 'unknown'}`
+        : cluster.revalidation_set_type === 'semantic_object'
+          ? `semantic_object:${(details.object_names || []).join('|') || cluster.stale_areas.join('|')}|source:${cluster.source_task_ids.join('|') || 'unknown'}`
+          : `dependency:${cluster.stale_areas.join('|')}|source:${cluster.source_task_ids.join('|') || 'unknown'}`;
+    if (!causeGroups.has(causeKey)) causeGroups.set(causeKey, []);
+    causeGroups.get(causeKey).push(cluster);
+  }
+
+  for (const [causeKey, relatedClusters] of causeGroups.entries()) {
+    const relatedPipelines = [...new Set(relatedClusters.map((cluster) => cluster.affected_pipeline_id).filter(Boolean))];
+    const primary = relatedClusters[0];
+    const details = primary.invalidations[0]?.details || {};
+    const causeSummary = primary.revalidation_set_type === 'contract'
+      ? `shared contract drift in ${(details.contract_names || []).join(', ') || 'unknown contract'}`
+      : primary.revalidation_set_type === 'shared_module'
+        ? `shared module drift in ${(details.module_paths || primary.module_paths || []).join(', ') || 'unknown module'}`
+        : primary.revalidation_set_type === 'semantic_object'
+          ? `shared exported object drift in ${(details.object_names || []).join(', ') || 'unknown object'}`
+          : `shared dependency drift across ${primary.stale_areas.join(', ')}`;
+    for (let index = 0; index < relatedClusters.length; index += 1) {
+      relatedClusters[index].causal_group_id = `cause-${causeKey}`;
+      relatedClusters[index].causal_group_size = relatedClusters.length;
+      relatedClusters[index].causal_group_rank = index + 1;
+      relatedClusters[index].causal_group_summary = causeSummary;
+      relatedClusters[index].related_affected_pipelines = relatedPipelines;
+    }
+  }
+
+  return clusterEntries.sort((a, b) =>
+    b.rerun_priority_score - a.rerun_priority_score
+    || (a.severity === 'block' ? -1 : 1) - (b.severity === 'block' ? -1 : 1)
+    || (a.revalidation_set_type === 'contract' ? -1 : 1) - (b.revalidation_set_type === 'contract' ? -1 : 1)
+    || (a.revalidation_set_type === 'shared_module' ? -1 : 1) - (b.revalidation_set_type === 'shared_module' ? -1 : 1)
+    || b.invalidation_count - a.invalidation_count);
+}
+
+export function summarizeStaleCausalWaves(staleClusters = []) {
+  const grouped = new Map();
+  for (const cluster of staleClusters) {
+    if (!cluster.causal_group_id) continue;
+    if (!grouped.has(cluster.causal_group_id)) {
+      grouped.set(cluster.causal_group_id, {
+        causal_group_id: cluster.causal_group_id,
+        summary: cluster.causal_group_summary || cluster.title,
+        revalidation_set_type: cluster.revalidation_set_type,
+        source_task_ids: [...(cluster.source_task_ids || [])],
+        source_pipeline_ids: [...(cluster.source_pipeline_ids || [])],
+        related_affected_pipelines: new Set(cluster.related_affected_pipelines || []),
+        affected_pipeline_ids: new Set(),
+        cluster_count: 0,
+        invalidation_count: 0,
+        highest_rerun_priority_score: 0,
+      });
+    }
+    const entry = grouped.get(cluster.causal_group_id);
+    if (cluster.affected_pipeline_id) entry.affected_pipeline_ids.add(cluster.affected_pipeline_id);
+    for (const pipelineId of cluster.related_affected_pipelines || []) entry.related_affected_pipelines.add(pipelineId);
+    entry.cluster_count += 1;
+    entry.invalidation_count += cluster.invalidation_count || 0;
+    entry.highest_rerun_priority_score = Math.max(entry.highest_rerun_priority_score, cluster.rerun_priority_score || 0);
+  }
+
+  return [...grouped.values()]
+    .map((entry) => ({
+      ...entry,
+      affected_pipeline_ids: [...entry.affected_pipeline_ids],
+      related_affected_pipelines: [...entry.related_affected_pipelines],
+    }))
+    .sort((a, b) =>
+      b.highest_rerun_priority_score - a.highest_rerun_priority_score
+      || b.cluster_count - a.cluster_count
+      || b.invalidation_count - a.invalidation_count
+      || String(a.summary).localeCompare(String(b.summary)));
+}
+
+export function getPipelineStaleWaveContext(db, pipelineId) {
+  if (!pipelineId) {
+    return {
+      stale_clusters: [],
+      stale_causal_waves: [],
+      shared_wave_count: 0,
+      largest_wave_size: 0,
+      primary_wave: null,
+    };
+  }
+
+  const staleClusters = buildStaleClusters(listDependencyInvalidations(db), {});
+  const staleCausalWaves = summarizeStaleCausalWaves(staleClusters)
+    .filter((wave) => wave.affected_pipeline_ids.includes(pipelineId));
+
+  return {
+    stale_clusters: staleClusters.filter((cluster) => cluster.affected_pipeline_id === pipelineId),
+    stale_causal_waves: staleCausalWaves,
+    shared_wave_count: staleCausalWaves.length,
+    largest_wave_size: staleCausalWaves.reduce((max, wave) => Math.max(max, Number(wave.cluster_count || 0)), 0),
+    primary_wave: staleCausalWaves[0] || null,
+  };
+}
+
+export function summarizePipelinePolicyState(db, status, changePolicy, boundaryValidations = []) {
+  const tasks = status.tasks || [];
+  const implementationTasks = tasks.filter((task) => task.task_spec?.task_type === 'implementation');
+  const completedTasks = tasks.filter((task) => task.status === 'done' && task.task_spec?.task_type);
+  const completedLeaseByTask = new Map();
+  for (const lease of status.leases || []) {
+    if (lease.status !== 'completed') continue;
+    if (!completedLeaseByTask.has(lease.task_id)) {
+      completedLeaseByTask.set(lease.task_id, lease);
+    }
+  }
+  const completionAuditByTask = new Map();
+  for (const event of status.audit_events || []) {
+    if (event.event_type !== 'task_completed' || !event.task_id) continue;
+    if (!completionAuditByTask.has(event.task_id)) {
+      completionAuditByTask.set(event.task_id, event);
+    }
+  }
+  const completedTaskTypes = new Set(completedTasks.map((task) => task.task_spec?.task_type).filter(Boolean));
+  const governedDomains = uniq(
+    implementationTasks
+      .flatMap((task) => task.task_spec?.subsystem_tags || [])
+      .filter((domain) => changePolicy.domain_rules?.[domain]),
+  );
+  const activeRules = governedDomains.map((domain) => ({
+    domain,
+    ...(changePolicy.domain_rules?.[domain] || { required_completed_task_types: [], enforcement: 'none', rationale: [] }),
+  }));
+  const requiredTaskTypes = uniq([
+    ...implementationTasks.flatMap((task) => task.task_spec?.validation_rules?.required_completed_task_types || []),
+    ...activeRules.flatMap((rule) => rule.required_completed_task_types || []),
+  ]);
+  const rawMissingTaskTypes = uniq([
+    ...boundaryValidations.flatMap((validation) => validation.missing_task_types || []),
+    ...requiredTaskTypes.filter((taskType) => !completedTaskTypes.has(taskType)),
+  ]);
+  const overrideState = buildPipelinePolicyOverrideState(db, status.pipeline_id, rawMissingTaskTypes);
+  const missingTaskTypes = rawMissingTaskTypes.filter((taskType) => !overrideState.active_task_types.includes(taskType));
+  const overriddenTaskTypes = rawMissingTaskTypes.filter((taskType) => overrideState.active_task_types.includes(taskType));
+  const satisfiedTaskTypes = requiredTaskTypes.filter((taskType) => completedTaskTypes.has(taskType));
+  const evidenceState = buildPipelinePolicyEvidence(status, requiredTaskTypes, {
+    completedLeaseByTask,
+    completionAuditByTask,
+  });
+  const evidenceByTaskType = evidenceState.evidence_by_task_type;
+  const requirementStatus = requiredTaskTypes.map((taskType) => ({
+    task_type: taskType,
+    satisfied: satisfiedTaskTypes.includes(taskType),
+    overridden: overriddenTaskTypes.includes(taskType),
+    override_ids: overrideState.active_overrides
+      .filter((entry) => (entry.task_types || []).includes(taskType))
+      .map((entry) => entry.id),
+    evidence: evidenceByTaskType[taskType] || [],
+  }));
+  const rationale = uniq([
+    ...implementationTasks.flatMap((task) => task.task_spec?.validation_rules?.rationale || []),
+    ...activeRules.flatMap((rule) => rule.rationale || []),
+    ...boundaryValidations.flatMap((validation) => validation.rationale || validation.details?.rationale || []),
+  ]);
+  const enforcement = [...implementationTasks.map((task) => task.task_spec?.validation_rules?.enforcement || 'none'), ...activeRules.map((rule) => rule.enforcement || 'none')]
+    .reduce((highest, current) => rankEnforcement(current) > rankEnforcement(highest) ? current : highest, 'none');
+
+  const policyState = {
+    active: governedDomains.length > 0 || boundaryValidations.length > 0,
+    domains: governedDomains,
+    active_rules: activeRules,
+    required_task_types: requiredTaskTypes,
+    satisfied_task_types: satisfiedTaskTypes,
+    raw_missing_task_types: rawMissingTaskTypes,
+    missing_task_types: missingTaskTypes,
+    overridden_task_types: overriddenTaskTypes,
+    requirement_status: requirementStatus,
+    evidence_by_task_type: evidenceByTaskType,
+    evidence_schema_version: 1,
+    evidence_objects: evidenceState.evidence_objects,
+    satisfaction_history: [],
+    overrides: overrideState.active_overrides,
+    override_history: overrideState.override_history,
+    pipeline_id: status.pipeline_id,
+    enforcement,
+    rationale,
+    blocked_validations: boundaryValidations.filter((validation) => validation.severity === 'blocked').length,
+    warned_validations: boundaryValidations.filter((validation) => validation.severity !== 'blocked').length,
+    summary: governedDomains.length === 0
+      ? 'No explicit governed-domain policy requirements are active for this pipeline.'
+      : missingTaskTypes.length > 0
+        ? `Governed domains ${governedDomains.join(', ')} still require ${missingTaskTypes.join(', ')} before landing.`
+        : overriddenTaskTypes.length > 0
+          ? `Governed domains ${governedDomains.join(', ')} are currently allowed to proceed with overrides for ${overriddenTaskTypes.join(', ')}.`
+        : `Governed domains ${governedDomains.join(', ')} have satisfied their current policy requirements.`,
+  };
+
+  policyState.satisfaction_history = [
+    ...buildPipelinePolicySatisfactionHistory(policyState),
+    ...overrideState.override_history,
+  ].sort((a, b) => String(b.created_at || '').localeCompare(String(a.created_at || '')));
+  return policyState;
+}
+
+function buildPipelinePolicyRemediationCommand(status, policyState) {
+  if (policyState.missing_task_types.length === 0) {
+    return `switchman pipeline status ${status.pipeline_id}`;
+  }
+
+  return `switchman pipeline review ${status.pipeline_id}`;
+}
+
+export async function evaluatePipelinePolicyGate(db, repoRoot, pipelineId) {
+  const status = getPipelineStatus(db, pipelineId);
+  const aiGate = await runAiMergeGate(db, repoRoot);
+  const changePolicy = loadChangePolicy(repoRoot);
+  const policyState = summarizePipelinePolicyState(db, status, changePolicy, aiGate.boundary_validations || []);
+  const blocked = policyState.active
+    && policyState.enforcement === 'blocked'
+    && policyState.missing_task_types.length > 0;
+  const nextAction = blocked ? buildPipelinePolicyRemediationCommand(status, policyState) : null;
+  const overrideApplied = policyState.overridden_task_types.length > 0;
+  const overrideSummary = overrideApplied
+    ? `Policy override active for ${policyState.overridden_task_types.join(', ')} by ${policyState.overrides.map((entry) => entry.approved_by || 'unknown').join(', ')}.`
+    : null;
+
+  return {
+    ok: !blocked,
+    pipeline_id: pipelineId,
+    reason_code: blocked ? 'policy_requirements_incomplete' : null,
+    summary: blocked
+      ? `Policy blocked landing for governed domains ${policyState.domains.join(', ')} because ${policyState.missing_task_types.join(', ')} is still required.`
+      : policyState.summary,
+    next_action: nextAction,
+    policy_state: policyState,
+    override_applied: overrideApplied,
+    override_summary: overrideSummary,
+  };
+}
+
 export function startPipeline(db, { title, description = null, priority = 5, pipelineId = null, maxTasks = 5 }) {
   const resolvedPipelineId = pipelineId || makePipelineId();
   const registeredWorktrees = listWorktrees(db);
@@ -151,6 +794,8 @@ export function getPipelineStatus(db, pipelineId) {
     description: metadata?.description || null,
     priority: metadata?.priority || tasks[0].priority,
     counts,
+    leases: listLeases(db),
+    audit_events: listAuditEvents(db, { limit: 2000 }).filter((event) => pipelineOwnsAuditEvent(event, pipelineId)),
     tasks: tasks.map((task) => {
       const dependencies = parseDependencies(task.description);
       const blockedBy = dependencies.filter((dependencyId) =>
@@ -174,6 +819,35 @@ export function getPipelineStatus(db, pipelineId) {
   };
 }
 
+export function inferPipelineIdFromBranch(db, branch) {
+  const normalizedBranch = String(branch || '').trim();
+  if (!normalizedBranch) return null;
+
+  const landingPrefix = 'switchman/pipeline-landing/';
+  if (normalizedBranch.startsWith(landingPrefix)) {
+    return normalizedBranch.slice(landingPrefix.length) || null;
+  }
+
+  const worktreesByName = new Map(listWorktrees(db).map((worktree) => [worktree.name, worktree]));
+  const matchingPipelines = new Set();
+
+  for (const task of listTasks(db)) {
+    const taskSpec = getTaskSpec(db, task.id);
+    const pipelineId = taskSpec?.pipeline_id || null;
+    if (!pipelineId || !task.worktree) continue;
+    const worktree = worktreesByName.get(task.worktree);
+    if (worktree?.branch === normalizedBranch) {
+      matchingPipelines.add(pipelineId);
+    }
+  }
+
+  if (matchingPipelines.size === 1) {
+    return [...matchingPipelines][0];
+  }
+
+  return null;
+}
+
 function parseTaskFailure(description) {
   const lines = String(description || '')
     .split('\n')
@@ -593,6 +1267,7 @@ export async function buildPipelinePrSummary(db, repoRoot, pipelineId) {
   const status = getPipelineStatus(db, pipelineId);
   const report = await scanAllWorktrees(db, repoRoot);
   const aiGate = await runAiMergeGate(db, repoRoot);
+  const changePolicy = loadChangePolicy(repoRoot);
   const allLeases = listLeases(db);
   const ciGateOk = report.conflicts.length === 0
     && report.fileConflicts.length === 0
@@ -629,6 +1304,15 @@ export async function buildPipelinePrSummary(db, repoRoot, pipelineId) {
   }));
   const changedFiles = uniq(worktreeChanges.flatMap((entry) => entry.files));
   const subsystemTags = uniq(completedTasks.flatMap((task) => task.task_spec?.subsystem_tags || []));
+  const policyState = summarizePipelinePolicyState(db, status, changePolicy, aiGate.boundary_validations || []);
+  const policyOverrideSummary = policyState.overridden_task_types.length > 0
+    ? `Landing currently relies on policy overrides for ${policyState.overridden_task_types.join(', ')}.`
+    : null;
+  const staleClusters = buildStaleClusters(aiGate.dependency_invalidations || [], { pipelineId });
+  const staleCausalWaves = summarizeStaleCausalWaves(staleClusters);
+  const trustAudit = [...policyState.satisfaction_history, ...buildPipelineTrustAudit(db, pipelineId)]
+    .sort((a, b) => String(b.created_at || '').localeCompare(String(a.created_at || '')))
+    .slice(0, 8);
   const riskNotes = [];
   if (!ciGateOk) riskNotes.push('Repo gate is blocked by conflicts, unmanaged changes, or stale worktrees.');
   if (aiGate.status !== 'pass') riskNotes.push(aiGate.summary);
@@ -647,10 +1331,15 @@ export async function buildPipelinePrSummary(db, repoRoot, pipelineId) {
   const reviewerChecklist = [
     ciGateOk ? 'Repo gate passed' : 'Resolve repo gate failures before merge',
     aiGate.status === 'pass' ? 'AI merge gate passed' : `Review AI merge gate findings: ${aiGate.summary}`,
+    policyState.active
+      ? (policyState.missing_task_types.length > 0
+        ? `Complete policy requirements: ${policyState.missing_task_types.join(', ')}`
+        : `Confirm governed domains remain satisfied: ${policyState.domains.join(', ')}`)
+      : null,
     completedTasks.some((task) => task.task_spec?.risk_level === 'high')
       ? 'Confirm high-risk tasks have the expected tests and docs'
       : 'Review changed files and task outcomes',
-  ];
+  ].filter(Boolean);
   const prTitle = status.title.startsWith('Implement:')
     ? status.title.replace(/^Implement:\s*/i, '')
     : status.title;
@@ -663,6 +1352,33 @@ export async function buildPipelinePrSummary(db, repoRoot, pipelineId) {
     '## Validation',
     `- Repo gate: ${ciGateOk ? 'pass' : 'blocked'}`,
     `- AI merge gate: ${aiGate.status}`,
+    ...(policyState.active
+      ? [
+        `- Policy domains: ${policyState.domains.join(', ')}`,
+        `- Policy enforcement: ${policyState.enforcement}`,
+        `- Policy requirements: ${policyState.required_task_types.join(', ') || 'none'}`,
+        `- Policy evidence: ${policyState.satisfied_task_types.map((taskType) => `${taskType}:${(policyState.evidence_by_task_type?.[taskType] || []).map((entry) => entry.task_id).join(',')}`).join(' | ') || 'none'}`,
+        `- Policy evidence objects: ${policyState.evidence_objects.map((entry) => `${entry.evidence_id}:${entry.satisfied_by.agent || entry.satisfied_by.worktree || 'task_completion'}`).join(' | ') || 'none'}`,
+        `- Policy missing: ${policyState.missing_task_types.join(', ') || 'none'}`,
+        `- Policy overrides: ${policyState.overrides.map((entry) => `${entry.id}:${(entry.task_types || []).join(',') || 'all'}:${entry.approved_by || 'unknown'}`).join(' | ') || 'none'}`,
+        ...(policyOverrideSummary ? [`- Policy override effect: ${policyOverrideSummary}`] : []),
+      ]
+      : []),
+    ...(staleClusters.length > 0
+      ? [
+        `- Stale clusters: ${staleClusters.map((cluster) => `${cluster.affected_pipeline_id || cluster.affected_task_ids[0]}:${cluster.invalidation_count}`).join(' | ')}`,
+      ]
+      : []),
+    ...(staleCausalWaves.length > 0
+      ? [
+        `- Stale waves: ${staleCausalWaves.map((wave) => `${wave.summary}:${wave.affected_pipeline_ids.join(',') || 'unknown'}`).join(' | ')}`,
+      ]
+      : []),
+    ...(trustAudit.length > 0
+      ? [
+        `- Trust audit: ${trustAudit.slice(0, 3).map((entry) => `${entry.category}:${entry.summary}`).join(' | ')}`,
+      ]
+      : []),
     '',
     '## Reviewer Checklist',
     ...reviewerChecklist.map((item) => `- ${item}`),
@@ -702,6 +1418,45 @@ export async function buildPipelinePrSummary(db, repoRoot, pipelineId) {
     '## Reviewer Notes',
     ...reviewerChecklist.map((item) => `- ${item}`),
     '',
+    ...(policyState.active
+      ? [
+        '## Policy Requirements',
+        `- Domains: ${policyState.domains.join(', ')}`,
+        `- Enforcement: ${policyState.enforcement}`,
+        `- Required task types: ${policyState.required_task_types.join(', ') || 'none'}`,
+        `- Satisfied task types: ${policyState.satisfied_task_types.join(', ') || 'none'}`,
+        `- Missing task types: ${policyState.missing_task_types.join(', ') || 'none'}`,
+        `- Overridden task types: ${policyState.overridden_task_types.join(', ') || 'none'}`,
+        ...policyState.requirement_status
+          .filter((requirement) => requirement.evidence.length > 0)
+          .map((requirement) => `- Evidence for ${requirement.task_type}: ${requirement.evidence.map((entry) => entry.artifact_path ? `${entry.task_id} (${entry.artifact_path}, by ${entry.satisfied_by?.agent || entry.satisfied_by?.worktree || 'task_completion'})` : `${entry.task_id} (by ${entry.satisfied_by?.agent || entry.satisfied_by?.worktree || 'task_completion'})`).join(', ')}`),
+        ...policyState.overrides.slice(0, 5).map((entry) => `- Override ${entry.id}: ${(entry.task_types || []).join(', ') || 'all requirements'} by ${entry.approved_by || 'unknown'} (${entry.reason})`),
+        ...policyState.satisfaction_history.slice(0, 5).map((entry) => `- Satisfaction history: ${entry.summary}`),
+        ...policyState.rationale.slice(0, 5).map((item) => `- ${item}`),
+        '',
+      ]
+      : []),
+    ...(staleClusters.length > 0
+      ? [
+        '## Stale Clusters',
+        ...staleClusters.map((cluster) => `- ${cluster.title}: ${cluster.detail} -> ${cluster.next_action}`),
+        '',
+      ]
+      : []),
+    ...(staleCausalWaves.length > 0
+      ? [
+        '## Stale Waves',
+        ...staleCausalWaves.map((wave) => `- ${wave.summary}: affects ${wave.affected_pipeline_ids.join(', ') || 'unknown'} -> ${wave.cluster_count} cluster(s), ${wave.invalidation_count} invalidation(s)`),
+        '',
+      ]
+      : []),
+    ...(trustAudit.length > 0
+      ? [
+        '## Policy & Stale Audit',
+        ...trustAudit.map((entry) => `- ${entry.created_at}: [${entry.category}] ${entry.summary} -> ${entry.next_action}`),
+        '',
+      ]
+      : []),
     '## Provenance',
     ...provenance.map((entry) => `- ${entry.task_id}: ${entry.title} (${entry.task_type || 'unknown'}, ${entry.worktree || 'unassigned'}, lease ${entry.lease_id || 'none'})`),
     ...(provenance.length === 0 ? ['- No completed task provenance yet'] : []),
@@ -736,6 +1491,11 @@ export async function buildPipelinePrSummary(db, repoRoot, pipelineId) {
       risk_notes: riskNotes,
       changed_files: changedFiles,
       subsystem_tags: subsystemTags,
+      policy_state: policyState,
+      policy_override_summary: policyOverrideSummary,
+      stale_clusters: staleClusters,
+      stale_causal_waves: staleCausalWaves,
+      trust_audit: trustAudit,
     },
     counts: status.counts,
     ci_gate: {
@@ -747,23 +1507,210 @@ export async function buildPipelinePrSummary(db, repoRoot, pipelineId) {
       status: aiGate.status,
       summary: aiGate.summary,
     },
+    policy_state: policyState,
+    stale_clusters: staleClusters,
+    stale_causal_waves: staleCausalWaves,
+    trust_audit: trustAudit,
     worktree_changes: worktreeChanges,
     markdown,
   };
 }
 
+export async function buildPipelineLandingSummary(db, repoRoot, pipelineId) {
+  const status = getPipelineStatus(db, pipelineId);
+  const changePolicy = loadChangePolicy(repoRoot);
+  const aiGate = await runAiMergeGate(db, repoRoot);
+  const policyState = summarizePipelinePolicyState(db, status, changePolicy, aiGate.boundary_validations || []);
+  const policyOverrideSummary = policyState.overridden_task_types.length > 0
+    ? `Landing currently relies on policy overrides for ${policyState.overridden_task_types.join(', ')}.`
+    : null;
+  const staleClusters = buildStaleClusters(listDependencyInvalidations(db, { pipelineId }), { pipelineId });
+  const staleCausalWaves = summarizeStaleCausalWaves(staleClusters);
+  const trustAudit = [...policyState.satisfaction_history, ...buildPipelineTrustAudit(db, pipelineId)]
+    .sort((a, b) => String(b.created_at || '').localeCompare(String(a.created_at || '')))
+    .slice(0, 8);
+  let landing;
+  let landingError = null;
+  try {
+    landing = getPipelineLandingBranchStatus(db, repoRoot, pipelineId, {
+      requireCompleted: false,
+    });
+  } catch (err) {
+    landingError = String(err.message || 'Landing branch is not ready yet.');
+    landing = {
+      branch: null,
+      strategy: 'unavailable',
+      synthetic: false,
+      component_branches: [],
+      stale: false,
+      last_failure: null,
+    };
+  }
+  const readyToQueue = status.counts.failed === 0
+    && status.counts.pending === 0
+    && status.counts.in_progress === 0
+    && status.counts.done > 0
+    && !landingError
+    && !landing.stale
+    && staleClusters.length === 0
+    && !landing.last_failure;
+  const nextAction = staleClusters[0]?.next_action
+    || (landingError
+      ? `switchman pipeline status ${pipelineId}`
+      : landing.last_failure?.command
+        || (landing.stale
+          ? `switchman pipeline land ${pipelineId} --refresh`
+          : `switchman queue add --pipeline ${pipelineId}`));
+  const queueItems = listMergeQueue(db)
+    .filter((item) => item.source_pipeline_id === pipelineId)
+    .sort((a, b) => Number.parseInt(b.id.slice(1), 10) - Number.parseInt(a.id.slice(1), 10));
+  const currentQueueItem = queueItems[0] || null;
+  const queueState = {
+    status: currentQueueItem?.status || 'not_queued',
+    item_id: currentQueueItem?.id || null,
+    target_branch: currentQueueItem?.target_branch || 'main',
+    merged_commit: currentQueueItem?.merged_commit || null,
+    next_action: currentQueueItem?.next_action || (currentQueueItem
+      ? null
+      : (readyToQueue ? `switchman queue add --pipeline ${pipelineId}` : nextAction)),
+    last_error_code: currentQueueItem?.last_error_code || null,
+    last_error_summary: currentQueueItem?.last_error_summary || null,
+    policy_override_summary: policyOverrideSummary,
+  };
+  const recoveryState = landing.last_recovery
+    ? {
+      status: landing.last_recovery.state?.status || 'prepared',
+      recovery_path: landing.last_recovery.recovery_path || null,
+      inspect_command: landing.last_recovery.inspect_command || null,
+      resume_command: landing.last_recovery.resume_command || null,
+    }
+    : null;
+
+  const markdown = [
+    `# Pipeline Landing Summary: ${status.title}`,
+    '',
+    `- Pipeline: \`${pipelineId}\``,
+    `- Ready to queue: ${readyToQueue ? 'yes' : 'no'}`,
+    `- Landing branch: ${landing.branch ? `\`${landing.branch}\`` : 'not resolved yet'}`,
+    `- Strategy: ${landing.strategy}`,
+    `- Synthetic: ${landing.synthetic ? 'yes' : 'no'}`,
+    '',
+    '## Component Branches',
+    ...(landing.component_branches.length > 0
+      ? landing.component_branches.map((branch) => `- ${branch}`)
+      : ['- None inferred yet']),
+    '',
+    '## Landing State',
+    ...(landingError
+      ? [`- ${landingError}`]
+      : landing.last_failure
+      ? [
+        `- Failure: ${landing.last_failure.reason_code || 'landing_branch_materialization_failed'}`,
+        ...(landing.last_failure.failed_branch ? [`- Failed branch: ${landing.last_failure.failed_branch}`] : []),
+        ...(landing.last_failure.conflicting_files?.length ? [`- Conflicts: ${landing.last_failure.conflicting_files.join(', ')}`] : []),
+      ]
+      : landing.stale
+        ? landing.stale_reasons.map((reason) => `- Stale: ${reason.summary}`)
+        : staleClusters.length > 0
+          ? staleClusters.map((cluster) => `- Stale cluster: ${cluster.title}`)
+        : ['- Current and ready for queueing']),
+    '',
+    '## Recovery State',
+    ...(recoveryState
+      ? [
+        `- Status: ${recoveryState.status}`,
+        ...(recoveryState.recovery_path ? [`- Path: ${recoveryState.recovery_path}`] : []),
+        ...(recoveryState.resume_command ? [`- Resume: ${recoveryState.resume_command}`] : []),
+      ]
+      : ['- No active recovery worktree']),
+    '',
+    ...(staleClusters.length > 0
+      ? [
+        '## Stale Clusters',
+        ...staleClusters.map((cluster) => `- ${cluster.title}: ${cluster.detail} -> ${cluster.next_action}`),
+        '',
+      ]
+      : []),
+    ...(staleCausalWaves.length > 0
+      ? [
+        '## Stale Waves',
+        ...staleCausalWaves.map((wave) => `- ${wave.summary}: affects ${wave.affected_pipeline_ids.join(', ') || 'unknown'} -> ${wave.cluster_count} cluster(s), ${wave.invalidation_count} invalidation(s)`),
+        '',
+      ]
+      : []),
+    ...(trustAudit.length > 0
+      ? [
+        '## Policy & Stale Audit',
+        ...trustAudit.map((entry) => `- ${entry.created_at}: [${entry.category}] ${entry.summary} -> ${entry.next_action}`),
+        '',
+      ]
+      : []),
+    '',
+    ...(policyState.active
+      ? [
+        '## Policy Record',
+        `- Domains: ${policyState.domains.join(', ')}`,
+        `- Enforcement: ${policyState.enforcement}`,
+        `- Required task types: ${policyState.required_task_types.join(', ') || 'none'}`,
+        `- Missing task types: ${policyState.missing_task_types.join(', ') || 'none'}`,
+        `- Overridden task types: ${policyState.overridden_task_types.join(', ') || 'none'}`,
+        ...policyState.requirement_status
+          .filter((requirement) => requirement.evidence.length > 0)
+          .map((requirement) => `- Evidence for ${requirement.task_type}: ${requirement.evidence.map((entry) => `${entry.task_id} by ${entry.satisfied_by?.agent || entry.satisfied_by?.worktree || 'task_completion'}`).join(', ')}`),
+        ...policyState.overrides.slice(0, 5).map((entry) => `- Override ${entry.id}: ${(entry.task_types || []).join(', ') || 'all requirements'} by ${entry.approved_by || 'unknown'} (${entry.reason})`),
+        ...(policyOverrideSummary ? [`- Override effect: ${policyOverrideSummary}`] : []),
+        '',
+      ]
+      : []),
+    '',
+    '## Queue State',
+    `- Status: ${queueState.status}`,
+    ...(queueState.item_id ? [`- Item: ${queueState.item_id}`] : []),
+    `- Target branch: ${queueState.target_branch}`,
+    ...(queueState.merged_commit ? [`- Merged commit: ${queueState.merged_commit}`] : []),
+    ...(queueState.last_error_summary ? [`- Queue error: ${queueState.last_error_summary}`] : []),
+    ...(queueState.policy_override_summary ? [`- Policy override: ${queueState.policy_override_summary}`] : []),
+    '',
+    `## Next Action`,
+    `- ${queueState.next_action || nextAction}`,
+  ].join('\n');
+
+  return {
+    pipeline_id: pipelineId,
+    title: status.title,
+    ready_to_queue: readyToQueue,
+    counts: status.counts,
+    policy_state: policyState,
+    landing,
+    recovery_state: recoveryState,
+    stale_clusters: staleClusters,
+    stale_causal_waves: staleCausalWaves,
+    trust_audit: trustAudit,
+    queue_state: queueState,
+    policy_override_summary: policyOverrideSummary,
+    landing_error: landingError,
+    next_action: queueState.next_action || nextAction,
+    markdown,
+  };
+}
+
 export async function exportPipelinePrBundle(db, repoRoot, pipelineId, outputDir = null) {
   const summary = await buildPipelinePrSummary(db, repoRoot, pipelineId);
+  const landingSummary = await buildPipelineLandingSummary(db, repoRoot, pipelineId);
   const bundleDir = outputDir || join(repoRoot, '.switchman', 'pipelines', pipelineId);
   mkdirSync(bundleDir, { recursive: true });
 
   const summaryJsonPath = join(bundleDir, 'pr-summary.json');
   const summaryMarkdownPath = join(bundleDir, 'pr-summary.md');
   const prBodyPath = join(bundleDir, 'pr-body.md');
+  const landingSummaryJsonPath = join(bundleDir, 'pipeline-landing-summary.json');
+  const landingSummaryMarkdownPath = join(bundleDir, 'pipeline-landing-summary.md');
 
   writeFileSync(summaryJsonPath, `${JSON.stringify(summary, null, 2)}\n`);
   writeFileSync(summaryMarkdownPath, `${summary.markdown}\n`);
   writeFileSync(prBodyPath, `${summary.pr_artifact.body}\n`);
+  writeFileSync(landingSummaryJsonPath, `${JSON.stringify(landingSummary, null, 2)}\n`);
+  writeFileSync(landingSummaryMarkdownPath, `${landingSummary.markdown}\n`);
 
   logAuditEvent(db, {
     eventType: 'pipeline_pr_bundle_exported',
@@ -772,7 +1719,7 @@ export async function exportPipelinePrBundle(db, repoRoot, pipelineId, outputDir
     details: JSON.stringify({
       pipeline_id: pipelineId,
       output_dir: bundleDir,
-      files: [summaryJsonPath, summaryMarkdownPath, prBodyPath],
+      files: [summaryJsonPath, summaryMarkdownPath, prBodyPath, landingSummaryJsonPath, landingSummaryMarkdownPath],
     }),
   });
 
@@ -783,90 +1730,1310 @@ export async function exportPipelinePrBundle(db, repoRoot, pipelineId, outputDir
       summary_json: summaryJsonPath,
       summary_markdown: summaryMarkdownPath,
       pr_body_markdown: prBodyPath,
+      landing_summary_json: landingSummaryJsonPath,
+      landing_summary_markdown: landingSummaryMarkdownPath,
     },
     summary,
+    landing_summary: landingSummary,
   };
 }
 
-function resolvePipelineHeadBranch(db, repoRoot, pipelineStatus, explicitHeadBranch = null) {
-  if (explicitHeadBranch) return explicitHeadBranch;
+function resolvePipelineBranchForTask(worktreesByName, task) {
+  const worktreeName = task.worktree || task.suggested_worktree || null;
+  const branch = worktreeName ? worktreesByName.get(worktreeName)?.branch || null : null;
+  return branch && branch !== 'main' && branch !== 'unknown' ? branch : null;
+}
 
+function collectPipelineLandingCandidates(db, pipelineStatus) {
   const worktreesByName = new Map(listWorktrees(db).map((worktree) => [worktree.name, worktree]));
-  const resolveBranchForTask = (task) => {
-    const worktreeName = task.worktree || task.suggested_worktree || null;
-    const branch = worktreeName ? worktreesByName.get(worktreeName)?.branch || null : null;
-    return branch && branch !== 'main' && branch !== 'unknown' ? branch : null;
-  };
+  const orderedBranches = [];
+  const branchToWorktree = new Map();
+
+  for (const task of pipelineStatus.tasks) {
+    const branch = resolvePipelineBranchForTask(worktreesByName, task);
+    if (!branch) continue;
+    if (!branchToWorktree.has(branch) && task.worktree) {
+      branchToWorktree.set(branch, task.worktree);
+    }
+    if (!orderedBranches.includes(branch)) {
+      orderedBranches.push(branch);
+    }
+  }
 
   const implementationBranches = uniq(
     pipelineStatus.tasks
       .filter((task) => task.task_spec?.task_type === 'implementation')
-      .map(resolveBranchForTask)
+      .map((task) => resolvePipelineBranchForTask(worktreesByName, task))
       .filter(Boolean),
   );
-  if (implementationBranches.length === 1) {
-    return implementationBranches[0];
-  }
+  const candidateBranches = uniq(orderedBranches);
+  const prioritizedBranches = [
+    ...implementationBranches,
+    ...candidateBranches.filter((branch) => !implementationBranches.includes(branch)),
+  ];
 
-  const candidateBranches = uniq(
-    pipelineStatus.tasks
-      .map(resolveBranchForTask)
-      .filter(Boolean),
-  );
+  return {
+    implementationBranches,
+    candidateBranches,
+    prioritizedBranches,
+    branchToWorktree,
+    worktreesByName,
+  };
+}
 
-  if (candidateBranches.length === 1) {
-    return candidateBranches[0];
-  }
+function getPipelineLandingBranchName(pipelineId, landingBranch = null) {
+  return landingBranch || `switchman/pipeline-landing/${pipelineId}`;
+}
+
+function listPipelineLandingEvents(db, pipelineId, branch) {
+  return listAuditEvents(db, {
+    eventType: 'pipeline_landing_branch_materialized',
+    status: 'allowed',
+    limit: 500,
+  }).flatMap((event) => {
+    try {
+      const details = JSON.parse(event.details || '{}');
+      if (details.pipeline_id !== pipelineId || details.branch !== branch) {
+        return [];
+      }
+      return [{
+        audit_id: event.id,
+        created_at: event.created_at,
+        ...details,
+      }];
+    } catch {
+      return [];
+    }
+  });
+}
+
+function getLatestLandingResolvedEvent(db, pipelineId, branch) {
+  return listAuditEvents(db, {
+    eventType: 'pipeline_landing_recovery_resumed',
+    status: 'allowed',
+    limit: 200,
+  }).flatMap((event) => {
+    try {
+      const details = JSON.parse(event.details || '{}');
+      if (details.pipeline_id !== pipelineId || details.branch !== branch) {
+        return [];
+      }
+      return [{
+        audit_id: event.id,
+        created_at: event.created_at,
+        ...details,
+      }];
+    } catch {
+      return [];
+    }
+  })[0] || null;
+}
+
+function getLatestLandingRecoveryPrepared(db, pipelineId, branch) {
+  return listAuditEvents(db, {
+    eventType: 'pipeline_landing_recovery_prepared',
+    status: 'allowed',
+    limit: 200,
+  }).flatMap((event) => {
+    try {
+      const details = JSON.parse(event.details || '{}');
+      if (details.pipeline_id !== pipelineId || details.branch !== branch) {
+        return [];
+      }
+      return [{
+        audit_id: event.id,
+        created_at: event.created_at,
+        ...details,
+      }];
+    } catch {
+      return [];
+    }
+  })[0] || null;
+}
+
+function getLatestLandingRecoveryCleared(db, pipelineId, branch) {
+  return listAuditEvents(db, {
+    eventType: 'pipeline_landing_recovery_cleared',
+    status: 'allowed',
+    limit: 200,
+  }).flatMap((event) => {
+    try {
+      const details = JSON.parse(event.details || '{}');
+      if (details.pipeline_id !== pipelineId || details.branch !== branch) {
+        return [];
+      }
+      return [{
+        audit_id: event.id,
+        created_at: event.created_at,
+        ...details,
+      }];
+    } catch {
+      return [];
+    }
+  })[0] || null;
+}
 
-  const currentBranch = getWorktreeBranch(repoRoot);
-  if (currentBranch && currentBranch !== 'main') {
-    return currentBranch;
+function buildRecoveryState(repoRoot, branch, recoveryRecord, latestResolved) {
+  if (!recoveryRecord) return null;
+  const recoveryPath = recoveryRecord.recovery_path || null;
+  const pathExists = recoveryPath ? existsSync(recoveryPath) : false;
+  const gitWorktrees = listGitWorktrees(repoRoot);
+  const normalizedRecoveryPath = recoveryPath
+    ? (pathExists ? realpathSync(recoveryPath) : recoveryPath)
+    : null;
+  const tracked = recoveryPath
+    ? gitWorktrees.some((worktree) => worktree.path === recoveryPath || worktree.path === normalizedRecoveryPath)
+    : false;
+  const branchWorktree = branch
+    ? gitWorktrees.find((worktree) => worktree.branch === branch) || null
+    : null;
+  const resolved = Boolean(latestResolved && latestResolved.audit_id > recoveryRecord.audit_id);
+  let status;
+
+  if (resolved) {
+    if (tracked) {
+      status = 'resolved';
+    } else if (branchWorktree) {
+      status = 'resolved_moved';
+    } else if (pathExists) {
+      status = 'resolved_untracked';
+    } else {
+      status = 'resolved_missing';
+    }
+  } else if (tracked) {
+    status = 'active';
+  } else if (branchWorktree) {
+    status = 'moved';
+  } else if (pathExists) {
+    status = 'untracked';
+  } else {
+    status = 'missing';
   }
 
-  return null;
+  return {
+    path: recoveryPath,
+    exists: pathExists,
+    tracked,
+    branch_worktree_path: branchWorktree?.path || null,
+    status,
+  };
 }
 
-export async function publishPipelinePr(
+function getLatestLandingFailure(db, pipelineId, branch) {
+  return listAuditEvents(db, {
+    eventType: 'pipeline_landing_branch_materialized',
+    status: 'denied',
+    limit: 200,
+  }).flatMap((event) => {
+    try {
+      const details = JSON.parse(event.details || '{}');
+      if (details.pipeline_id !== pipelineId || details.branch !== branch) {
+        return [];
+      }
+      return [{
+        audit_id: event.id,
+        created_at: event.created_at,
+        reason_code: event.reason_code || null,
+        ...details,
+      }];
+    } catch {
+      return [];
+    }
+  })[0] || null;
+}
+
+function collectBranchHeadCommits(repoRoot, branches) {
+  return Object.fromEntries(
+    branches.map((branch) => [branch, gitRevParse(repoRoot, branch)]),
+  );
+}
+
+export function getPipelineLandingBranchStatus(
   db,
   repoRoot,
   pipelineId,
   {
     baseBranch = 'main',
-    headBranch = null,
-    draft = false,
-    ghCommand = 'gh',
-    outputDir = null,
+    landingBranch = null,
+    requireCompleted = true,
   } = {},
 ) {
-  const bundle = await exportPipelinePrBundle(db, repoRoot, pipelineId, outputDir);
-  const status = getPipelineStatus(db, pipelineId);
-  const resolvedHeadBranch = resolvePipelineHeadBranch(db, repoRoot, status, headBranch);
-
-  if (!resolvedHeadBranch) {
-    throw new Error(`Could not determine a head branch for pipeline ${pipelineId}. Pass --head <branch>.`);
+  const pipelineStatus = getPipelineStatus(db, pipelineId);
+  if (requireCompleted) {
+    const unfinishedTasks = pipelineStatus.tasks.filter((task) => task.status !== 'done');
+    if (unfinishedTasks.length > 0) {
+      throw new Error(`Pipeline ${pipelineId} is not ready to land. Complete remaining tasks first: ${unfinishedTasks.map((task) => task.id).join(', ')}.`);
+    }
   }
 
-  const args = [
-    'pr',
-    'create',
-    '--base',
-    baseBranch,
-    '--head',
-    resolvedHeadBranch,
-    '--title',
-    bundle.summary.pr_artifact.title,
-    '--body-file',
-    bundle.files.pr_body_markdown,
-  ];
-
-  if (draft) {
-    args.push('--draft');
+  const { candidateBranches, prioritizedBranches } = collectPipelineLandingCandidates(db, pipelineStatus);
+  if (candidateBranches.length === 0) {
+    throw new Error(`Pipeline ${pipelineId} has no landed worktree branch to materialize.`);
   }
 
-  const result = spawnSync(ghCommand, args, {
-    cwd: repoRoot,
-    encoding: 'utf8',
-  });
+  if (candidateBranches.length === 1) {
+    const branch = candidateBranches[0];
+    return {
+      pipeline_id: pipelineId,
+      branch,
+      base_branch: baseBranch,
+      synthetic: false,
+      branch_exists: Boolean(gitRevParse(repoRoot, branch)),
+      branch_head_commit: gitRevParse(repoRoot, branch),
+      component_branches: [branch],
+      component_commits: { [branch]: gitRevParse(repoRoot, branch) },
+      strategy: 'single_branch',
+      stale: false,
+      stale_reasons: [],
+      last_materialized: null,
+    };
+  }
+
+  const resolvedLandingBranch = getPipelineLandingBranchName(pipelineId, landingBranch);
+  const branchExists = gitBranchExists(repoRoot, resolvedLandingBranch);
+  const branchHeadCommit = branchExists ? gitRevParse(repoRoot, resolvedLandingBranch) : null;
+  const baseCommit = gitRevParse(repoRoot, baseBranch);
+  const componentCommits = collectBranchHeadCommits(repoRoot, prioritizedBranches);
+  const latestMaterialized = listPipelineLandingEvents(db, pipelineId, resolvedLandingBranch)[0] || null;
+  const latestResolved = getLatestLandingResolvedEvent(db, pipelineId, resolvedLandingBranch);
+  const latestRecoveryPreparedCandidate = getLatestLandingRecoveryPrepared(db, pipelineId, resolvedLandingBranch);
+  const latestRecoveryCleared = getLatestLandingRecoveryCleared(db, pipelineId, resolvedLandingBranch);
+  const latestRecoveryPrepared = latestRecoveryPreparedCandidate
+    && (!latestRecoveryCleared || latestRecoveryPreparedCandidate.audit_id > latestRecoveryCleared.audit_id)
+    ? latestRecoveryPreparedCandidate
+    : null;
+  const recoveryState = buildRecoveryState(repoRoot, resolvedLandingBranch, latestRecoveryPrepared, latestResolved);
+  const latestEvent = latestResolved && (!latestMaterialized || latestResolved.audit_id > latestMaterialized.audit_id)
+    ? latestResolved
+    : latestMaterialized;
+  const latestFailureCandidate = getLatestLandingFailure(db, pipelineId, resolvedLandingBranch);
+  const latestFailure = latestFailureCandidate && (!latestEvent || latestFailureCandidate.audit_id > latestEvent.audit_id)
+    ? latestFailureCandidate
+    : null;
+  const staleReasons = [];
+
+  if (!latestEvent) {
+    staleReasons.push({
+      code: 'not_materialized',
+      summary: 'Landing branch has not been materialized yet.',
+    });
+  } else {
+    if (!branchExists) {
+      staleReasons.push({
+        code: 'landing_branch_missing',
+        summary: `Landing branch ${resolvedLandingBranch} no longer exists.`,
+      });
+    }
+
+    const recordedComponents = Array.isArray(latestEvent.component_branches)
+      ? latestEvent.component_branches
+      : [];
+    if (recordedComponents.join('\n') !== prioritizedBranches.join('\n')) {
+      staleReasons.push({
+        code: 'component_set_changed',
+        summary: 'The pipeline now resolves to a different set of component branches.',
+      });
+    }
+
+    if (latestEvent.base_commit && baseCommit && latestEvent.base_commit !== baseCommit) {
+      staleReasons.push({
+        code: 'base_branch_moved',
+        summary: `${baseBranch} moved from ${latestEvent.base_commit.slice(0, 12)} to ${baseCommit.slice(0, 12)}.`,
+      });
+    }
+
+    const recordedCommits = latestEvent.component_commits || {};
+    for (const branch of prioritizedBranches) {
+      const previousCommit = recordedCommits[branch] || null;
+      const currentCommit = componentCommits[branch] || null;
+      if (previousCommit && currentCommit && previousCommit !== currentCommit) {
+        staleReasons.push({
+          code: 'component_branch_moved',
+          branch,
+          summary: `${branch} moved from ${previousCommit.slice(0, 12)} to ${currentCommit.slice(0, 12)}.`,
+        });
+      }
+    }
+
+    if (
+      latestEvent.head_commit &&
+      branchHeadCommit &&
+      latestEvent.head_commit !== branchHeadCommit
+    ) {
+      staleReasons.push({
+        code: 'landing_branch_drifted',
+        summary: `Landing branch head changed from ${latestEvent.head_commit.slice(0, 12)} to ${branchHeadCommit.slice(0, 12)} outside Switchman.`,
+      });
+    }
+  }
+
+  return {
+    pipeline_id: pipelineId,
+    branch: resolvedLandingBranch,
+    base_branch: baseBranch,
+    synthetic: true,
+    branch_exists: branchExists,
+    branch_head_commit: branchHeadCommit,
+    component_branches: prioritizedBranches,
+    component_commits: componentCommits,
+    strategy: 'synthetic_integration_branch',
+    stale: staleReasons.some((reason) => reason.code !== 'not_materialized'),
+    stale_reasons: staleReasons.filter((reason) => reason.code !== 'not_materialized'),
+    last_failure: latestFailure ? {
+      audit_id: latestFailure.audit_id,
+      created_at: latestFailure.created_at,
+      reason_code: latestFailure.reason_code || null,
+      failed_branch: latestFailure.failed_branch || null,
+      conflicting_files: Array.isArray(latestFailure.conflicting_files) ? latestFailure.conflicting_files : [],
+      output: latestFailure.output || null,
+      command: latestFailure.command || null,
+      next_action: latestFailure.next_action || null,
+    } : null,
+    last_recovery: latestRecoveryPrepared ? {
+      audit_id: latestRecoveryPrepared.audit_id,
+      created_at: latestRecoveryPrepared.created_at,
+      recovery_path: latestRecoveryPrepared.recovery_path || null,
+      failed_branch: latestRecoveryPrepared.failed_branch || null,
+      conflicting_files: Array.isArray(latestRecoveryPrepared.conflicting_files) ? latestRecoveryPrepared.conflicting_files : [],
+      inspect_command: latestRecoveryPrepared.inspect_command || null,
+      resume_command: latestRecoveryPrepared.resume_command || null,
+      state: recoveryState,
+    } : null,
+    last_materialized: latestEvent ? {
+      audit_id: latestEvent.audit_id,
+      created_at: latestEvent.created_at,
+      head_commit: latestEvent.head_commit || null,
+      base_commit: latestEvent.base_commit || null,
+      component_branches: Array.isArray(latestEvent.component_branches) ? latestEvent.component_branches : [],
+      component_commits: latestEvent.component_commits || {},
+    } : null,
+  };
+}
+
+export function resolvePipelineLandingTarget(
+  db,
+  repoRoot,
+  pipelineStatus,
+  {
+    explicitHeadBranch = null,
+    requireCompleted = false,
+    allowCurrentBranchFallback = true,
+  } = {},
+) {
+  if (explicitHeadBranch) {
+    return {
+      branch: explicitHeadBranch,
+      worktree: null,
+      strategy: 'explicit',
+    };
+  }
+
+  if (requireCompleted) {
+    const unfinishedTasks = pipelineStatus.tasks.filter((task) => task.status !== 'done');
+    if (unfinishedTasks.length > 0) {
+      throw new Error(`Pipeline ${pipelineStatus.pipeline_id} is not ready to queue. Complete remaining tasks first: ${unfinishedTasks.map((task) => task.id).join(', ')}.`);
+    }
+  }
+
+  const { implementationBranches, candidateBranches, branchToWorktree } = collectPipelineLandingCandidates(db, pipelineStatus);
+  if (implementationBranches.length === 1) {
+    const branch = implementationBranches[0];
+    const worktree = branchToWorktree.get(branch) || null;
+    return { branch, worktree, strategy: 'implementation_branch' };
+  }
+
+  if (candidateBranches.length === 1) {
+    const branch = candidateBranches[0];
+    const worktree = branchToWorktree.get(branch) || null;
+    return { branch, worktree, strategy: 'single_branch' };
+  }
+
+  if (allowCurrentBranchFallback) {
+    const currentBranch = getWorktreeBranch(repoRoot);
+    if (currentBranch && currentBranch !== 'main') {
+      return { branch: currentBranch, worktree: null, strategy: 'current_branch' };
+    }
+  }
+
+  throw new Error(`Pipeline ${pipelineStatus.pipeline_id} spans multiple branches (${candidateBranches.join(', ') || 'none inferred'}). Queue a branch or worktree explicitly.`);
+}
+
+export function materializePipelineLandingBranch(
+  db,
+  repoRoot,
+  pipelineId,
+  {
+    baseBranch = 'main',
+    landingBranch = null,
+    requireCompleted = true,
+    refresh = false,
+  } = {},
+) {
+  const pipelineStatus = getPipelineStatus(db, pipelineId);
+  const { candidateBranches, prioritizedBranches, branchToWorktree } = collectPipelineLandingCandidates(db, pipelineStatus);
+  const landingStatus = getPipelineLandingBranchStatus(db, repoRoot, pipelineId, {
+    baseBranch,
+    landingBranch,
+    requireCompleted,
+  });
+
+  if (candidateBranches.length === 1) {
+    const branch = candidateBranches[0];
+    return {
+      pipeline_id: pipelineId,
+      branch,
+      base_branch: baseBranch,
+      worktree: branchToWorktree.get(branch) || null,
+      synthetic: false,
+      component_branches: [branch],
+      strategy: 'single_branch',
+      head_commit: null,
+    };
+  }
+
+  if (landingStatus.last_materialized && !landingStatus.stale) {
+    return {
+      pipeline_id: pipelineId,
+      branch: landingStatus.branch,
+      base_branch: baseBranch,
+      worktree: null,
+      synthetic: true,
+      component_branches: landingStatus.component_branches,
+      component_commits: landingStatus.component_commits,
+      strategy: 'synthetic_integration_branch',
+      head_commit: landingStatus.branch_head_commit,
+      refreshed: false,
+      reused_existing: true,
+      stale: false,
+      stale_reasons: [],
+      last_materialized: landingStatus.last_materialized,
+    };
+  }
+
+  if (landingStatus.stale && !refresh) {
+    const summaries = landingStatus.stale_reasons.map((reason) => reason.summary).join(' ');
+    throw new Error(`Landing branch ${landingStatus.branch} is stale. ${summaries} Run \`switchman pipeline land ${pipelineId} --refresh${landingBranch ? ` --branch ${landingBranch}` : ''}\` to rebuild it.`);
+  }
+
+  const resolvedLandingBranch = getPipelineLandingBranchName(pipelineId, landingBranch);
+  const tempWorktreePath = join(tmpdir(), `switchman-landing-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`);
+  let materialized;
+  const landingOperation = startOperationJournalEntry(db, {
+    scopeType: 'pipeline',
+    scopeId: pipelineId,
+    operationType: 'landing_materialize',
+    details: JSON.stringify({
+      pipeline_id: pipelineId,
+      branch: resolvedLandingBranch,
+      base_branch: baseBranch,
+      component_branches: prioritizedBranches,
+      refresh: Boolean(refresh),
+    }),
+  });
+  const landingTempResource = createTempResource(db, {
+    scopeType: 'pipeline',
+    scopeId: pipelineId,
+    operationId: landingOperation.id,
+    resourceType: 'landing_temp_worktree',
+    path: tempWorktreePath,
+    branch: resolvedLandingBranch,
+    details: stringifyResourceDetails({
+      pipeline_id: pipelineId,
+      branch: resolvedLandingBranch,
+      base_branch: baseBranch,
+      component_branches: prioritizedBranches,
+      operation_type: 'landing_materialize',
+    }),
+  });
+  try {
+    materialized = gitMaterializeIntegrationBranch(repoRoot, {
+      branch: resolvedLandingBranch,
+      baseBranch,
+      mergeBranches: prioritizedBranches,
+      tempWorktreePath,
+    });
+    finishOperationJournalEntry(db, landingOperation.id, {
+      status: 'completed',
+      details: JSON.stringify({
+        pipeline_id: pipelineId,
+        branch: resolvedLandingBranch,
+        base_branch: baseBranch,
+        component_branches: prioritizedBranches,
+        head_commit: materialized.head_commit,
+        refresh: Boolean(refresh),
+      }),
+    });
+  } catch (err) {
+    finishOperationJournalEntry(db, landingOperation.id, {
+      status: 'failed',
+      details: JSON.stringify({
+        pipeline_id: pipelineId,
+        branch: resolvedLandingBranch,
+        base_branch: baseBranch,
+        component_branches: prioritizedBranches,
+        reason_code: err?.code || 'landing_branch_materialization_failed',
+        failed_branch: err?.details?.failed_branch || null,
+        error: String(err?.message || err),
+      }),
+    });
+    const reasonCode = err?.code || 'landing_branch_materialization_failed';
+    const nextAction = reasonCode === 'landing_branch_merge_conflict'
+      ? `open a recovery worktree with switchman pipeline land ${pipelineId} --recover`
+      : reasonCode === 'landing_branch_missing_component'
+        ? `restore the missing branch and rerun switchman pipeline land ${pipelineId} --refresh`
+        : reasonCode === 'landing_branch_missing_base'
+          ? `restore ${baseBranch} and rerun switchman pipeline land ${pipelineId} --refresh`
+          : `inspect the landing failure and rerun switchman pipeline land ${pipelineId} --refresh`;
+    logAuditEvent(db, {
+      eventType: 'pipeline_landing_branch_materialized',
+      status: 'denied',
+      reasonCode,
+      details: JSON.stringify({
+        pipeline_id: pipelineId,
+        branch: resolvedLandingBranch,
+        base_branch: baseBranch,
+        component_branches: prioritizedBranches,
+        failed_branch: err?.details?.failed_branch || null,
+        conflicting_files: err?.details?.conflicting_files || [],
+        output: err?.details?.output || String(err.message || '').slice(0, 1000),
+        command: reasonCode === 'landing_branch_merge_conflict'
+          ? `switchman pipeline land ${pipelineId} --recover`
+          : `switchman pipeline land ${pipelineId} --refresh`,
+        next_action: nextAction,
+      }),
+    });
+    const wrapped = new Error(`${String(err.message || 'Landing branch materialization failed.')}\nnext: switchman explain landing ${pipelineId}`);
+    wrapped.code = reasonCode;
+    throw wrapped;
+  } finally {
+    updateTempResource(db, landingTempResource.id, {
+      status: existsSync(tempWorktreePath) ? 'active' : 'released',
+      details: stringifyResourceDetails({
+        pipeline_id: pipelineId,
+        branch: resolvedLandingBranch,
+        base_branch: baseBranch,
+        component_branches: prioritizedBranches,
+        operation_type: 'landing_materialize',
+        released_by: existsSync(tempWorktreePath) ? null : 'materialize_cleanup',
+      }),
+    });
+  }
+  const baseCommit = gitRevParse(repoRoot, baseBranch);
+  const componentCommits = collectBranchHeadCommits(repoRoot, prioritizedBranches);
+
+  logAuditEvent(db, {
+    eventType: 'pipeline_landing_branch_materialized',
+    status: 'allowed',
+    details: JSON.stringify({
+      pipeline_id: pipelineId,
+      branch: resolvedLandingBranch,
+      base_branch: baseBranch,
+      base_commit: baseCommit,
+      component_branches: prioritizedBranches,
+      component_commits: componentCommits,
+      head_commit: materialized.head_commit,
+    }),
+  });
+
+  return {
+    pipeline_id: pipelineId,
+    branch: resolvedLandingBranch,
+    base_branch: baseBranch,
+    worktree: null,
+    synthetic: true,
+    component_branches: prioritizedBranches,
+    component_commits: componentCommits,
+    strategy: 'synthetic_integration_branch',
+    head_commit: materialized.head_commit,
+    refreshed: refresh || Boolean(landingStatus.last_materialized),
+    reused_existing: false,
+    stale: false,
+    stale_reasons: [],
+    last_materialized: {
+      head_commit: materialized.head_commit,
+      base_commit: baseCommit,
+      component_branches: prioritizedBranches,
+      component_commits: componentCommits,
+    },
+  };
+}
+
+export function getPipelineLandingExplainReport(
+  db,
+  repoRoot,
+  pipelineId,
+  options = {},
+) {
+  const landing = getPipelineLandingBranchStatus(db, repoRoot, pipelineId, {
+    requireCompleted: false,
+    ...options,
+  });
+  const nextAction = landing.last_failure?.next_action
+    || (landing.stale
+      ? `switchman pipeline land ${pipelineId} --refresh`
+      : landing.synthetic
+        ? `switchman queue add --pipeline ${pipelineId}`
+        : `switchman queue add ${landing.branch}`);
+  return {
+    pipeline_id: pipelineId,
+    landing,
+    next_action: nextAction,
+  };
+}
+
+export function preparePipelineLandingRecovery(
+  db,
+  repoRoot,
+  pipelineId,
+  {
+    baseBranch = 'main',
+    landingBranch = null,
+    recoveryPath = null,
+    replaceExisting = false,
+  } = {},
+) {
+  const landing = getPipelineLandingBranchStatus(db, repoRoot, pipelineId, {
+    baseBranch,
+    landingBranch,
+    requireCompleted: true,
+  });
+  if (!landing.synthetic) {
+    throw new Error(`Pipeline ${pipelineId} does not need a synthetic landing recovery worktree.`);
+  }
+  if (landing.last_failure?.reason_code !== 'landing_branch_merge_conflict') {
+    if (
+      !replaceExisting
+      && landing.last_recovery?.state?.status === 'active'
+      && landing.last_recovery?.recovery_path
+    ) {
+      return {
+        pipeline_id: pipelineId,
+        branch: landing.branch,
+        base_branch: baseBranch,
+        recovery_path: landing.last_recovery.recovery_path,
+        failed_branch: landing.last_recovery.failed_branch || null,
+        conflicting_files: landing.last_recovery.conflicting_files || [],
+        inspect_command: landing.last_recovery.inspect_command || `git -C ${JSON.stringify(landing.last_recovery.recovery_path)} status`,
+        resume_command: landing.last_recovery.resume_command || `switchman queue add --pipeline ${pipelineId}`,
+        reused_existing: true,
+      };
+    }
+    throw new Error(`Pipeline ${pipelineId} does not have a merge-conflict landing failure to recover.`);
+  }
+  if (landing.last_recovery?.state?.status && !replaceExisting) {
+    if (landing.last_recovery.state.status === 'active' && landing.last_recovery.recovery_path) {
+      return {
+        pipeline_id: pipelineId,
+        branch: landing.branch,
+        base_branch: baseBranch,
+        recovery_path: landing.last_recovery.recovery_path,
+        failed_branch: landing.last_recovery.failed_branch || null,
+        conflicting_files: landing.last_recovery.conflicting_files || [],
+        inspect_command: landing.last_recovery.inspect_command || `git -C ${JSON.stringify(landing.last_recovery.recovery_path)} status`,
+        resume_command: landing.last_recovery.resume_command || `switchman queue add --pipeline ${pipelineId}`,
+        reused_existing: true,
+      };
+    }
+    throw new Error(`Recovery worktree already exists for ${pipelineId} at ${landing.last_recovery.recovery_path}. Reuse it or rerun with \`switchman pipeline land ${pipelineId} --recover --replace-recovery\`.`);
+  }
+  if (landing.last_recovery?.state?.path && replaceExisting) {
+    cleanupPipelineLandingRecovery(db, repoRoot, pipelineId, {
+      baseBranch,
+      landingBranch,
+      recoveryPath: landing.last_recovery.state.path,
+      reason: 'replaced',
+    });
+  }
+
+  const resolvedRecoveryPath = recoveryPath || join(
+    tmpdir(),
+    `${basename(repoRoot)}-landing-recover-${pipelineId}-${Date.now()}`,
+  );
+  const recoveryPrepareOperation = startOperationJournalEntry(db, {
+    scopeType: 'pipeline',
+    scopeId: pipelineId,
+    operationType: 'landing_recovery_prepare',
+    details: JSON.stringify({
+      pipeline_id: pipelineId,
+      branch: landing.branch,
+      base_branch: baseBranch,
+      recovery_path: resolvedRecoveryPath,
+    }),
+  });
+  const recoveryResource = createTempResource(db, {
+    scopeType: 'pipeline',
+    scopeId: pipelineId,
+    operationId: recoveryPrepareOperation.id,
+    resourceType: 'landing_recovery_worktree',
+    path: resolvedRecoveryPath,
+    branch: landing.branch,
+    details: stringifyResourceDetails({
+      pipeline_id: pipelineId,
+      branch: landing.branch,
+      base_branch: baseBranch,
+      operation_type: 'landing_recovery_prepare',
+      recovery_path: resolvedRecoveryPath,
+    }),
+  });
+  const prepared = gitPrepareIntegrationRecoveryWorktree(repoRoot, {
+    branch: landing.branch,
+    baseBranch,
+    mergeBranches: landing.component_branches,
+    recoveryPath: resolvedRecoveryPath,
+  });
+  if (prepared.ok) {
+    try {
+      gitRemoveWorktree(repoRoot, resolvedRecoveryPath);
+    } catch {
+      // Best-effort cleanup; repair will reconcile any leftover tracked resource.
+    }
+    updateTempResource(db, recoveryResource.id, {
+      status: existsSync(resolvedRecoveryPath) ? 'active' : 'released',
+      details: stringifyResourceDetails({
+        pipeline_id: pipelineId,
+        branch: landing.branch,
+        base_branch: baseBranch,
+        operation_type: 'landing_recovery_prepare',
+        recovery_path: resolvedRecoveryPath,
+        released_by: existsSync(resolvedRecoveryPath) ? null : 'recovery_prepare_cleanup',
+        reason: 'conflict_already_resolved',
+      }),
+    });
+    finishOperationJournalEntry(db, recoveryPrepareOperation.id, {
+      status: 'failed',
+      details: JSON.stringify({
+        pipeline_id: pipelineId,
+        branch: landing.branch,
+        base_branch: baseBranch,
+        recovery_path: resolvedRecoveryPath,
+        error: 'Recovery preparation no longer needed because the landing merge conflict is already resolved.',
+      }),
+    });
+    throw new Error(`Pipeline ${pipelineId} no longer has an unresolved landing merge conflict to recover.`);
+  }
+
+  const inspectCommand = `git -C ${JSON.stringify(prepared.recovery_path)} status`;
+  const resumeCommand = `switchman queue add --pipeline ${pipelineId}`;
+
+  logAuditEvent(db, {
+    eventType: 'pipeline_landing_recovery_prepared',
+    status: 'allowed',
+    details: JSON.stringify({
+      pipeline_id: pipelineId,
+      branch: landing.branch,
+      base_branch: baseBranch,
+      recovery_path: prepared.recovery_path,
+      failed_branch: prepared.failed_branch,
+      conflicting_files: prepared.conflicting_files,
+      inspect_command: inspectCommand,
+      resume_command: resumeCommand,
+    }),
+  });
+  finishOperationJournalEntry(db, recoveryPrepareOperation.id, {
+    status: 'completed',
+    details: JSON.stringify({
+      pipeline_id: pipelineId,
+      branch: landing.branch,
+      base_branch: baseBranch,
+      recovery_path: prepared.recovery_path,
+      failed_branch: prepared.failed_branch,
+      conflicting_files: prepared.conflicting_files,
+    }),
+  });
+  updateTempResource(db, recoveryResource.id, {
+    status: 'active',
+    details: stringifyResourceDetails({
+      pipeline_id: pipelineId,
+      branch: landing.branch,
+      base_branch: baseBranch,
+      operation_type: 'landing_recovery_prepare',
+      recovery_path: prepared.recovery_path,
+      failed_branch: prepared.failed_branch,
+      conflicting_files: prepared.conflicting_files,
+    }),
+  });
+
+  return {
+    pipeline_id: pipelineId,
+    branch: landing.branch,
+    base_branch: baseBranch,
+    recovery_path: prepared.recovery_path,
+    failed_branch: prepared.failed_branch,
+    conflicting_files: prepared.conflicting_files,
+    inspect_command: inspectCommand,
+    resume_command: resumeCommand,
+    reused_existing: false,
+  };
+}
+
+export function resumePipelineLandingRecovery(
+  db,
+  repoRoot,
+  pipelineId,
+  {
+    baseBranch = 'main',
+    landingBranch = null,
+    recoveryPath = null,
+  } = {},
+) {
+  const landing = getPipelineLandingBranchStatus(db, repoRoot, pipelineId, {
+    baseBranch,
+    landingBranch,
+    requireCompleted: true,
+  });
+  if (!landing.synthetic) {
+    throw new Error(`Pipeline ${pipelineId} does not need a synthetic landing recovery worktree.`);
+  }
+
+  const resolvedRecoveryPath = recoveryPath || landing.last_recovery?.recovery_path || null;
+  if (!landing.last_failure && landing.last_materialized && landing.branch_head_commit) {
+    return {
+      pipeline_id: pipelineId,
+      branch: landing.branch,
+      base_branch: baseBranch,
+      recovery_path: resolvedRecoveryPath,
+      head_commit: landing.branch_head_commit,
+      resume_command: `switchman queue add --pipeline ${pipelineId}`,
+      already_resumed: true,
+    };
+  }
+  if (!resolvedRecoveryPath) {
+    throw new Error(`No recovery worktree is recorded for ${pipelineId}. Run \`switchman pipeline land ${pipelineId} --recover\` first.`);
+  }
+  const recoveryResumeOperation = startOperationJournalEntry(db, {
+    scopeType: 'pipeline',
+    scopeId: pipelineId,
+    operationType: 'landing_recovery_resume',
+    details: JSON.stringify({
+      pipeline_id: pipelineId,
+      branch: landing.branch,
+      recovery_path: resolvedRecoveryPath,
+    }),
+  });
+
+  const currentBranch = getWorktreeBranch(resolvedRecoveryPath);
+  if (currentBranch !== landing.branch) {
+    finishOperationJournalEntry(db, recoveryResumeOperation.id, {
+      status: 'failed',
+      details: JSON.stringify({
+        pipeline_id: pipelineId,
+        branch: landing.branch,
+        recovery_path: resolvedRecoveryPath,
+        error: `Recovery worktree is on ${currentBranch || 'no branch'}.`,
+      }),
+    });
+    throw new Error(`Recovery worktree must be on ${landing.branch}, but is on ${currentBranch || 'no branch'}.`);
+  }
+
+  const statusResult = spawnSync('git', ['status', '--porcelain'], {
+    cwd: resolvedRecoveryPath,
+    encoding: 'utf8',
+  });
+  if (statusResult.status !== 0) {
+    finishOperationJournalEntry(db, recoveryResumeOperation.id, {
+      status: 'failed',
+      details: JSON.stringify({
+        pipeline_id: pipelineId,
+        branch: landing.branch,
+        recovery_path: resolvedRecoveryPath,
+        error: `Could not inspect recovery worktree ${resolvedRecoveryPath}.`,
+      }),
+    });
+    throw new Error(`Could not inspect recovery worktree ${resolvedRecoveryPath}.`);
+  }
+  const pendingChanges = String(statusResult.stdout || '').trim();
+  if (pendingChanges) {
+    finishOperationJournalEntry(db, recoveryResumeOperation.id, {
+      status: 'failed',
+      details: JSON.stringify({
+        pipeline_id: pipelineId,
+        branch: landing.branch,
+        recovery_path: resolvedRecoveryPath,
+        error: 'Recovery worktree still has unresolved or uncommitted changes.',
+      }),
+    });
+    throw new Error(`Recovery worktree ${resolvedRecoveryPath} still has unresolved or uncommitted changes. Commit the resolved landing branch first.`);
+  }
+
+  const recoveredHead = gitRevParse(resolvedRecoveryPath, 'HEAD');
+  const branchHead = gitRevParse(repoRoot, landing.branch);
+  if (!recoveredHead || !branchHead || recoveredHead !== branchHead) {
+    finishOperationJournalEntry(db, recoveryResumeOperation.id, {
+      status: 'failed',
+      details: JSON.stringify({
+        pipeline_id: pipelineId,
+        branch: landing.branch,
+        recovery_path: resolvedRecoveryPath,
+        error: 'Recovery worktree head is not aligned with the landing branch head.',
+      }),
+    });
+    throw new Error(`Recovery worktree ${resolvedRecoveryPath} is not aligned with ${landing.branch}. Push or commit the resolved landing branch there first.`);
+  }
+
+  const componentCommits = collectBranchHeadCommits(repoRoot, landing.component_branches);
+  logAuditEvent(db, {
+    eventType: 'pipeline_landing_recovery_resumed',
+    status: 'allowed',
+    details: JSON.stringify({
+      pipeline_id: pipelineId,
+      branch: landing.branch,
+      base_branch: baseBranch,
+      base_commit: gitRevParse(repoRoot, baseBranch),
+      head_commit: branchHead,
+      component_branches: landing.component_branches,
+      component_commits: componentCommits,
+      recovery_path: resolvedRecoveryPath,
+      resume_command: `switchman queue add --pipeline ${pipelineId}`,
+    }),
+  });
+  finishOperationJournalEntry(db, recoveryResumeOperation.id, {
+    status: 'completed',
+    details: JSON.stringify({
+      pipeline_id: pipelineId,
+      branch: landing.branch,
+      recovery_path: resolvedRecoveryPath,
+      head_commit: branchHead,
+    }),
+  });
+  const activeRecoveryResources = listTempResources(db, {
+    scopeType: 'pipeline',
+    scopeId: pipelineId,
+    resourceType: 'landing_recovery_worktree',
+    status: 'active',
+    limit: 20,
+  }).filter((resource) => resource.path === resolvedRecoveryPath);
+  for (const resource of activeRecoveryResources) {
+    updateTempResource(db, resource.id, {
+      status: 'resolved',
+      details: stringifyResourceDetails({
+        pipeline_id: pipelineId,
+        branch: landing.branch,
+        operation_type: 'landing_recovery_resume',
+        recovery_path: resolvedRecoveryPath,
+        head_commit: branchHead,
+      }),
+    });
+  }
+
+  return {
+    pipeline_id: pipelineId,
+    branch: landing.branch,
+    base_branch: baseBranch,
+    recovery_path: resolvedRecoveryPath,
+    head_commit: branchHead,
+    resume_command: `switchman queue add --pipeline ${pipelineId}`,
+    already_resumed: false,
+  };
+}
+
+export function cleanupPipelineLandingRecovery(
+  db,
+  repoRoot,
+  pipelineId,
+  {
+    baseBranch = 'main',
+    landingBranch = null,
+    recoveryPath = null,
+    reason = 'manual_cleanup',
+  } = {},
+) {
+  const landing = getPipelineLandingBranchStatus(db, repoRoot, pipelineId, {
+    baseBranch,
+    landingBranch,
+    requireCompleted: true,
+  });
+  const targetPath = recoveryPath || landing.last_recovery?.recovery_path || null;
+  if (!targetPath) {
+    throw new Error(`No recovery worktree is recorded for ${pipelineId}.`);
+  }
+  const recoveryCleanupOperation = startOperationJournalEntry(db, {
+    scopeType: 'pipeline',
+    scopeId: pipelineId,
+    operationType: 'landing_recovery_cleanup',
+    details: JSON.stringify({
+      pipeline_id: pipelineId,
+      branch: landing.branch,
+      recovery_path: targetPath,
+      reason,
+    }),
+  });
+
+  const exists = existsSync(targetPath);
+  const normalizedTargetPath = exists ? realpathSync(targetPath) : targetPath;
+  const tracked = listGitWorktrees(repoRoot).some((worktree) =>
+    worktree.path === targetPath || worktree.path === normalizedTargetPath,
+  );
+  if (tracked && exists) {
+    gitRemoveWorktree(repoRoot, targetPath);
+  }
+  const trackedRecoveryResources = listTempResources(db, {
+    scopeType: 'pipeline',
+    scopeId: pipelineId,
+    resourceType: 'landing_recovery_worktree',
+    limit: 20,
+  }).filter((resource) => resource.path === targetPath && resource.status !== 'released');
+  for (const resource of trackedRecoveryResources) {
+    const nextStatus = resource.status === 'abandoned' && !existsSync(targetPath)
+      ? 'abandoned'
+      : existsSync(targetPath)
+        ? 'active'
+        : 'released';
+    updateTempResource(db, resource.id, {
+      status: nextStatus,
+      details: stringifyResourceDetails({
+        pipeline_id: pipelineId,
+        branch: landing.branch,
+        operation_type: 'landing_recovery_cleanup',
+        recovery_path: targetPath,
+        removed: tracked && exists,
+        reason,
+        prior_status: resource.status,
+      }),
+    });
+  }
+
+  logAuditEvent(db, {
+    eventType: 'pipeline_landing_recovery_cleared',
+    status: 'allowed',
+    details: JSON.stringify({
+      pipeline_id: pipelineId,
+      branch: landing.branch,
+      recovery_path: targetPath,
+      existed: exists,
+      tracked,
+      reason,
+    }),
+  });
+  finishOperationJournalEntry(db, recoveryCleanupOperation.id, {
+    status: 'completed',
+    details: JSON.stringify({
+      pipeline_id: pipelineId,
+      branch: landing.branch,
+      recovery_path: targetPath,
+      removed: tracked && exists,
+      reason,
+    }),
+  });
+
+  return {
+    pipeline_id: pipelineId,
+    branch: landing.branch,
+    recovery_path: targetPath,
+    existed: exists,
+    tracked,
+    removed: tracked && exists,
+    reason,
+  };
+}
+
+export function repairPipelineState(
+  db,
+  repoRoot,
+  pipelineId,
+  {
+    baseBranch = 'main',
+    landingBranch = null,
+  } = {},
+) {
+  const actions = [];
+  let notes = [];
+  let landing;
+
+  try {
+    landing = getPipelineLandingBranchStatus(db, repoRoot, pipelineId, {
+      baseBranch,
+      landingBranch,
+      requireCompleted: false,
+    });
+  } catch (err) {
+    return {
+      pipeline_id: pipelineId,
+      repaired: false,
+      actions,
+      notes: [String(err.message || 'Pipeline repair found no landing state to repair.')],
+      next_action: `switchman pipeline status ${pipelineId}`,
+    };
+  }
+
+  const recoveryStatus = landing.last_recovery?.state?.status || null;
+  if (['missing', 'resolved_missing', 'untracked', 'resolved_untracked', 'moved', 'resolved_moved'].includes(recoveryStatus) && landing.last_recovery?.recovery_path) {
+    const cleared = cleanupPipelineLandingRecovery(db, repoRoot, pipelineId, {
+      baseBranch,
+      landingBranch,
+      recoveryPath: landing.last_recovery.recovery_path,
+      reason: `repair_${recoveryStatus}_recovery`,
+    });
+    actions.push({
+      kind: 'recovery_state_cleared',
+      recovery_path: cleared.recovery_path,
+      removed: cleared.removed,
+      recovery_status: recoveryStatus,
+      branch_worktree_path: landing.last_recovery?.state?.branch_worktree_path || null,
+    });
+    landing = getPipelineLandingBranchStatus(db, repoRoot, pipelineId, {
+      baseBranch,
+      landingBranch,
+      requireCompleted: false,
+    });
+  }
+
+  const needsLandingRefresh = landing.synthetic
+    && !landing.last_failure
+    && (
+      landing.stale
+      || (landing.branch_exists && !landing.last_materialized)
+    );
+
+  if (needsLandingRefresh) {
+    const refreshed = materializePipelineLandingBranch(db, repoRoot, pipelineId, {
+      baseBranch,
+      landingBranch,
+      requireCompleted: false,
+      refresh: true,
+    });
+    actions.push({
+      kind: landing.last_materialized ? 'landing_branch_refreshed' : 'landing_branch_reconciled',
+      branch: refreshed.branch,
+      head_commit: refreshed.head_commit || null,
+    });
+    landing = getPipelineLandingBranchStatus(db, repoRoot, pipelineId, {
+      baseBranch,
+      landingBranch,
+      requireCompleted: false,
+    });
+  }
+
+  if (actions.length === 0) {
+    notes = ['No repair action was needed.'];
+  }
+
+  const nextAction = landing.last_failure?.next_action
+    || (landing.synthetic
+      ? `switchman queue add --pipeline ${pipelineId}`
+      : landing.branch
+        ? `switchman queue add ${landing.branch}`
+        : `switchman pipeline status ${pipelineId}`);
+
+  return {
+    pipeline_id: pipelineId,
+    repaired: actions.length > 0,
+    actions,
+    notes,
+    landing,
+    next_action: nextAction,
+  };
+}
+
+export function preparePipelineLandingTarget(
+  db,
+  repoRoot,
+  pipelineId,
+  {
+    baseBranch = 'main',
+    explicitHeadBranch = null,
+    requireCompleted = false,
+    allowCurrentBranchFallback = true,
+    landingBranch = null,
+  } = {},
+) {
+  const pipelineStatus = getPipelineStatus(db, pipelineId);
+  const completedPipeline = pipelineStatus.tasks.length > 0 && pipelineStatus.tasks.every((task) => task.status === 'done');
+  const { candidateBranches } = collectPipelineLandingCandidates(db, pipelineStatus);
+
+  if (!explicitHeadBranch && completedPipeline && candidateBranches.length > 1) {
+    return materializePipelineLandingBranch(db, repoRoot, pipelineId, {
+      baseBranch,
+      landingBranch,
+      requireCompleted: true,
+      refresh: true,
+    });
+  }
+
+  try {
+    const resolved = resolvePipelineLandingTarget(db, repoRoot, pipelineStatus, {
+      explicitHeadBranch,
+      requireCompleted,
+      allowCurrentBranchFallback,
+    });
+    return {
+      pipeline_id: pipelineId,
+      ...resolved,
+      synthetic: false,
+      component_branches: [resolved.branch],
+      head_commit: null,
+    };
+  } catch (err) {
+    if (!String(err.message || '').includes('spans multiple branches')) {
+      throw err;
+    }
+    return materializePipelineLandingBranch(db, repoRoot, pipelineId, {
+      baseBranch,
+      landingBranch,
+      requireCompleted: true,
+      refresh: true,
+    });
+  }
+}
+
+export async function publishPipelinePr(
+  db,
+  repoRoot,
+  pipelineId,
+  {
+    baseBranch = 'main',
+    headBranch = null,
+    draft = false,
+    ghCommand = 'gh',
+    outputDir = null,
+  } = {},
+) {
+  const policyGate = await evaluatePipelinePolicyGate(db, repoRoot, pipelineId);
+  if (!policyGate.ok) {
+    logAuditEvent(db, {
+      eventType: 'pipeline_pr_published',
+      status: 'denied',
+      reasonCode: policyGate.reason_code,
+      details: JSON.stringify({
+        pipeline_id: pipelineId,
+        base_branch: baseBranch,
+        head_branch: headBranch,
+        policy_state: policyGate.policy_state,
+        next_action: policyGate.next_action,
+      }),
+    });
+    throw new Error(`${policyGate.summary} Next: ${policyGate.next_action}`);
+  }
+
+  const bundle = await exportPipelinePrBundle(db, repoRoot, pipelineId, outputDir);
+  const resolvedLandingTarget = preparePipelineLandingTarget(db, repoRoot, pipelineId, {
+    baseBranch,
+    explicitHeadBranch: headBranch,
+    requireCompleted: false,
+    allowCurrentBranchFallback: true,
+  });
+  const resolvedHeadBranch = resolvedLandingTarget.branch;
+
+  const args = [
+    'pr',
+    'create',
+    '--base',
+    baseBranch,
+    '--head',
+    resolvedHeadBranch,
+    '--title',
+    bundle.summary.pr_artifact.title,
+    '--body-file',
+    bundle.files.pr_body_markdown,
+  ];
+
+  if (draft) {
+    args.push('--draft');
+  }
+
+  const result = spawnSync(ghCommand, args, {
+    cwd: repoRoot,
+    encoding: 'utf8',
+  });
 
   const ok = !result.error && result.status === 0;
   const output = `${result.stdout || ''}${result.stderr || ''}`.trim();
@@ -894,16 +3061,149 @@ export async function publishPipelinePr(
     pipeline_id: pipelineId,
     base_branch: baseBranch,
     head_branch: resolvedHeadBranch,
+    landing_strategy: resolvedLandingTarget.strategy,
     draft,
     bundle,
     output,
   };
 }
 
+export async function commentPipelinePr(
+  db,
+  repoRoot,
+  pipelineId,
+  {
+    prNumber,
+    ghCommand = 'gh',
+    outputDir = null,
+    updateExisting = false,
+  } = {},
+) {
+  if (!prNumber) {
+    throw new Error('A pull request number is required.');
+  }
+
+  const bundle = await exportPipelinePrBundle(db, repoRoot, pipelineId, outputDir);
+  const args = [
+    'pr',
+    'comment',
+    String(prNumber),
+    '--body-file',
+    bundle.files.landing_summary_markdown,
+  ];
+
+  if (updateExisting) {
+    args.push('--edit-last', '--create-if-none');
+  }
+
+  const result = spawnSync(ghCommand, args, {
+    cwd: repoRoot,
+    encoding: 'utf8',
+  });
+
+  const ok = !result.error && result.status === 0;
+  const output = `${result.stdout || ''}${result.stderr || ''}`.trim();
+
+  logAuditEvent(db, {
+    eventType: 'pipeline_pr_commented',
+    status: ok ? 'allowed' : 'denied',
+    reasonCode: ok ? null : 'pr_comment_failed',
+    details: JSON.stringify({
+      pipeline_id: pipelineId,
+      pr_number: String(prNumber),
+      gh_command: ghCommand,
+      update_existing: updateExisting,
+      body_file: bundle.files.landing_summary_markdown,
+      exit_code: result.status,
+      output: output.slice(0, 500),
+    }),
+  });
+
+  if (!ok) {
+    throw new Error(result.error?.message || output || `gh pr comment failed with status ${result.status}`);
+  }
+
+  return {
+    pipeline_id: pipelineId,
+    pr_number: String(prNumber),
+    bundle,
+    output,
+    updated_existing: updateExisting,
+  };
+}
+
+export async function syncPipelinePr(
+  db,
+  repoRoot,
+  pipelineId,
+  {
+    prNumber,
+    ghCommand = 'gh',
+    outputDir = null,
+    updateExisting = true,
+  } = {},
+) {
+  const bundle = await exportPipelinePrBundle(db, repoRoot, pipelineId, outputDir);
+  let comment = null;
+
+  if (prNumber) {
+    const args = [
+      'pr',
+      'comment',
+      String(prNumber),
+      '--body-file',
+      bundle.files.landing_summary_markdown,
+    ];
+
+    if (updateExisting) {
+      args.push('--edit-last', '--create-if-none');
+    }
+
+    const result = spawnSync(ghCommand, args, {
+      cwd: repoRoot,
+      encoding: 'utf8',
+    });
+    const ok = !result.error && result.status === 0;
+    const output = `${result.stdout || ''}${result.stderr || ''}`.trim();
+
+    logAuditEvent(db, {
+      eventType: 'pipeline_pr_synced',
+      status: ok ? 'allowed' : 'denied',
+      reasonCode: ok ? null : 'pr_sync_failed',
+      details: JSON.stringify({
+        pipeline_id: pipelineId,
+        pr_number: String(prNumber),
+        gh_command: ghCommand,
+        update_existing: updateExisting,
+        body_file: bundle.files.landing_summary_markdown,
+        exit_code: result.status,
+        output: output.slice(0, 500),
+      }),
+    });
+
+    if (!ok) {
+      throw new Error(result.error?.message || output || `gh pr comment failed with status ${result.status}`);
+    }
+
+    comment = {
+      pr_number: String(prNumber),
+      output,
+      updated_existing: updateExisting,
+    };
+  }
+
+  return {
+    pipeline_id: pipelineId,
+    bundle,
+    comment,
+  };
+}
+
 export async function createPipelineFollowupTasks(db, repoRoot, pipelineId) {
   const status = getPipelineStatus(db, pipelineId);
   const report = await scanAllWorktrees(db, repoRoot);
   const aiGate = await runAiMergeGate(db, repoRoot);
+  const changePolicy = loadChangePolicy(repoRoot);
   const existingTitles = new Set(status.tasks.map((task) => task.title));
   const hasPlannedTestsTask = status.tasks.some((task) =>
     task.task_spec?.task_type === 'tests' && !task.title.startsWith('Add missing tests'),
@@ -973,6 +3273,46 @@ export async function createPipelineFollowupTasks(db, repoRoot, pipelineId) {
     }
   }
 
+  const implementationTasks = status.tasks.filter((task) => task.task_spec?.task_type === 'implementation');
+  for (const task of implementationTasks) {
+    const taskDomains = task.task_spec?.subsystem_tags || [];
+    const requiredTaskTypes = new Set(task.task_spec?.validation_rules?.required_completed_task_types || []);
+    for (const domain of taskDomains) {
+      const rule = changePolicy.domain_rules?.[domain];
+      for (const taskType of rule?.required_completed_task_types || []) {
+        requiredTaskTypes.add(taskType);
+      }
+    }
+
+    const completedTypes = new Set(
+      status.tasks
+        .filter((candidate) => candidate.status === 'done')
+        .map((candidate) => candidate.task_spec?.task_type)
+        .filter(Boolean),
+    );
+
+    if (requiredTaskTypes.has('tests') && !completedTypes.has('tests')) {
+      maybeCreateTask(
+        `Add policy-required tests for ${task.title}`,
+        `Policy-triggered follow-up for ${task.id}. Domains: ${taskDomains.join(', ')}.`,
+      );
+    }
+
+    if (requiredTaskTypes.has('docs') && !completedTypes.has('docs')) {
+      maybeCreateTask(
+        `Add policy-required docs for ${task.title}`,
+        `Policy-triggered follow-up for ${task.id}. Domains: ${taskDomains.join(', ')}.`,
+      );
+    }
+
+    if (requiredTaskTypes.has('governance') && !completedTypes.has('governance')) {
+      maybeCreateTask(
+        `Add policy review for ${task.title}`,
+        `Policy-triggered governance follow-up for ${task.id}. Domains: ${taskDomains.join(', ')}.`,
+      );
+    }
+  }
+
   logAuditEvent(db, {
     eventType: 'pipeline_followups_created',
     status: created.length > 0 ? 'allowed' : 'info',