github2gerrit 0.1.6__py3-none-any.whl → 0.1.8__py3-none-any.whl

github2gerrit/core.py

@@ -30,7 +30,10 @@ import logging
 import os
 import re
 import shlex
+import shutil
+import socket
 import stat
+import tempfile
 import urllib.parse
 import urllib.request
 from collections.abc import Iterable
@@ -39,6 +42,7 @@ from dataclasses import dataclass
 from pathlib import Path
 from typing import Any
 
+from .commit_normalization import normalize_commit_title
 from .gerrit_urls import create_gerrit_url_builder
 from .github_api import build_client
 from .github_api import close_pr
@@ -50,6 +54,7 @@ from .github_api import get_repo_from_env
 from .github_api import iter_open_pulls
 from .gitutils import CommandError
 from .gitutils import GitError
+from .gitutils import _parse_trailers
 from .gitutils import git_cherry_pick
 from .gitutils import git_commit_amend
 from .gitutils import git_commit_new
@@ -59,6 +64,10 @@ from .gitutils import git_show
 from .gitutils import run_cmd
 from .models import GitHubContext
 from .models import Inputs
+from .pr_content_filter import filter_pr_body
+from .ssh_common import merge_known_hosts_content
+from .utils import env_bool
+from .utils import log_exception_conditionally
 
 
 try:
@@ -76,18 +85,19 @@ except ImportError:
     auto_discover_gerrit_host_keys = None  # type: ignore[assignment]
     SSHDiscoveryError = Exception  # type: ignore[misc,assignment]
 
+try:
+    from .ssh_agent_setup import SSHAgentManager
+    from .ssh_agent_setup import setup_ssh_agent_auth
+except ImportError:
+    # Fallback if ssh_agent_setup module is not available
+    from typing import TYPE_CHECKING
 
-def _is_verbose_mode() -> bool:
-    """Check if verbose mode is enabled via environment variable."""
-    return os.getenv("G2G_VERBOSE", "").lower() in ("true", "1", "yes")
-
-
-def _log_exception_conditionally(logger: logging.Logger, message: str, *args: Any) -> None:
-    """Log exception with traceback only if verbose mode is enabled."""
-    if _is_verbose_mode():
-        logger.exception(message, *args)
+    if TYPE_CHECKING:
+        from .ssh_agent_setup import SSHAgentManager
+        from .ssh_agent_setup import setup_ssh_agent_auth
     else:
-        logger.error(message, *args)
+        SSHAgentManager = None
+        setup_ssh_agent_auth = None
 
 
 log = logging.getLogger("github2gerrit.core")
@@ -166,11 +176,22 @@ def _match_first_group(pattern: str, text: str) -> str | None:
 
 
 def _is_valid_change_id(value: str) -> bool:
-    # Gerrit Change-Id usually matches I<40-hex> but the shell workflow
-    # uses a looser grep. Keep validation permissive for now.
+    # Gerrit Change-Id should match I<40-hex-chars> format
+    # Be more strict to avoid accepting invalid Change-IDs
     if not value:
         return False
-    return bool(re.fullmatch(r"[A-Za-z0-9._-]+", value))
+    # Standard Gerrit format: I followed by exactly 40 hex characters
+    if len(value) == 41 and re.fullmatch(r"I[0-9a-fA-F]{40}", value):
+        return True
+    # Fallback for legacy or non-standard formats (keep some permissiveness)
+    # but require it to start with 'I' and be reasonable length (10-40 chars)
+    # and NOT look like a malformed hex ID
+    return (
+        value.startswith("I")
+        and 10 <= len(value) <= 40
+        and not re.fullmatch(r"I[0-9a-fA-F]+", value)  # Exclude hex-like patterns
+        and bool(re.fullmatch(r"I[A-Za-z0-9._-]+", value))
+    )
 
 
 @dataclass(frozen=True)
@@ -231,6 +252,8 @@ class Orchestrator:
         # SSH configuration paths (set by _setup_ssh)
         self._ssh_key_path: Path | None = None
         self._ssh_known_hosts_path: Path | None = None
+        self._ssh_agent_manager: SSHAgentManager | None = None
+        self._use_ssh_agent: bool = False
 
     # ---------------
     # Public API
@@ -246,6 +269,10 @@ class Orchestrator:
         This method defines the high-level call order. Sub-steps are
         placeholders and must be implemented with real logic. Until then,
         this raises NotImplementedError after logging the intended plan.
+
+        Note: This method is "pure" with respect to external outputs (no direct
+        GitHub output writes), but does perform internal environment mutations
+        (e.g., G2G_TMP_BRANCH) for subprocess coordination within the workflow.
         """
         log.info("Starting PR -> Gerrit pipeline")
         self._guard_pull_request_context(gh)
@@ -256,9 +283,12 @@ class Orchestrator:
 
         gitreview = self._read_gitreview(self.workspace / ".gitreview", gh)
         repo_names = self._derive_repo_names(gitreview, gh)
+        log.debug("execute: inputs.dry_run=%s, inputs.ci_testing=%s", inputs.dry_run, inputs.ci_testing)
         gerrit = self._resolve_gerrit_info(gitreview, inputs, repo_names)
 
+        log.debug("execute: resolved gerrit info: %s", gerrit)
         if inputs.dry_run:
+            log.debug("execute: entering dry-run mode due to inputs.dry_run=True")
             # Perform preflight validations and exit without making changes
             self._dry_run_preflight(gerrit=gerrit, inputs=inputs, gh=gh, repo=repo_names)
             log.info("Dry run complete; skipping write operations to Gerrit")
@@ -485,7 +515,16 @@ class Orchestrator:
         repo: RepoNames,
     ) -> GerritInfo:
         """Resolve Gerrit connection info from .gitreview or inputs."""
+        log.debug("_resolve_gerrit_info: inputs.ci_testing=%s", inputs.ci_testing)
+        log.debug("_resolve_gerrit_info: gitreview=%s", gitreview)
+
+        # If CI testing flag is set, ignore .gitreview and use environment
+        if inputs.ci_testing:
+            log.info("CI_TESTING enabled: ignoring .gitreview file")
+            gitreview = None
+
         if gitreview:
+            log.debug("Using .gitreview settings: %s", gitreview)
             return gitreview
 
         host = inputs.gerrit_server.strip()
@@ -534,34 +573,126 @@ class Orchestrator:
             log.debug("SSH private key not provided, skipping SSH setup")
             return
 
-        # Auto-discover host keys if not provided
+        # Auto-discover or augment host keys (merge missing types/[host]:port entries)
         effective_known_hosts = inputs.gerrit_known_hosts
-        if not effective_known_hosts and auto_discover_gerrit_host_keys is not None:
-            log.info("GERRIT_KNOWN_HOSTS not provided, attempting auto-discovery...")
+        if auto_discover_gerrit_host_keys is not None:
             try:
-                discovered_keys = auto_discover_gerrit_host_keys(
-                    gerrit_hostname=gerrit.host,
-                    gerrit_port=gerrit.port,
-                    organization=inputs.organization,
-                    save_to_config=True,
-                )
-                if discovered_keys:
-                    effective_known_hosts = discovered_keys
-                    log.info(
-                        "Successfully auto-discovered SSH host keys for %s:%d",
-                        gerrit.host,
-                        gerrit.port,
+                if not effective_known_hosts:
+                    log.info("GERRIT_KNOWN_HOSTS not provided, attempting auto-discovery...")
+                    discovered_keys = auto_discover_gerrit_host_keys(
+                        gerrit_hostname=gerrit.host,
+                        gerrit_port=gerrit.port,
+                        organization=inputs.organization,
+                        save_to_config=True,
                     )
+                    if discovered_keys:
+                        effective_known_hosts = discovered_keys
+                        log.info(
+                            "Successfully auto-discovered SSH host keys for %s:%d",
+                            gerrit.host,
+                            gerrit.port,
+                        )
+                    else:
+                        log.warning("Auto-discovery failed, SSH host key verification may fail")
                 else:
-                    log.warning("Auto-discovery failed, SSH host key verification may fail")
+                    # Provided known_hosts exists; ensure it contains [host]:port entries and modern key types
+                    lower = effective_known_hosts.lower()
+                    bracket_host = f"[{gerrit.host}]:{gerrit.port}"
+                    bracket_lower = bracket_host.lower()
+                    needs_discovery = False
+                    if bracket_lower not in lower:
+                        needs_discovery = True
+                    else:
+                        # Confirm at least one known key type exists for the bracketed host
+                        if (
+                            f"{bracket_lower} ssh-ed25519" not in lower
+                            and f"{bracket_lower} ecdsa-sha2" not in lower
+                            and f"{bracket_lower} ssh-rsa" not in lower
+                        ):
+                            needs_discovery = True
+                    if needs_discovery:
+                        log.info(
+                            "Augmenting provided GERRIT_KNOWN_HOSTS with discovered entries for %s:%d",
+                            gerrit.host,
+                            gerrit.port,
+                        )
+                        discovered_keys = auto_discover_gerrit_host_keys(
+                            gerrit_hostname=gerrit.host,
+                            gerrit_port=gerrit.port,
+                            organization=inputs.organization,
+                            save_to_config=True,
+                        )
+                        if discovered_keys:
+                            # Use centralized merging logic
+                            effective_known_hosts = merge_known_hosts_content(effective_known_hosts, discovered_keys)
+                            log.info(
+                                "Known hosts augmented with discovered entries for %s:%d",
+                                gerrit.host,
+                                gerrit.port,
+                            )
+                        else:
+                            log.warning("Auto-discovery returned no keys; known_hosts not augmented")
             except Exception as exc:
-                log.warning("SSH host key auto-discovery failed: %s", exc)
+                log.warning("SSH host key auto-discovery/augmentation failed: %s", exc)
 
         if not effective_known_hosts:
             log.debug("No SSH host keys available (manual or auto-discovered), skipping SSH setup")
             return
 
-        log.info("Setting up temporary SSH configuration for Gerrit")
+        # Check if SSH agent authentication is preferred
+        use_ssh_agent = env_bool("G2G_USE_SSH_AGENT", default=True)
+
+        if use_ssh_agent and setup_ssh_agent_auth is not None:
+            # Try SSH agent first as it's more secure and avoids file permission issues
+            if self._try_ssh_agent_setup(inputs, effective_known_hosts):
+                return
+
+            # Fall back to file-based SSH if agent setup fails
+            log.info("Falling back to file-based SSH authentication")
+
+        self._setup_file_based_ssh(inputs, effective_known_hosts)
+
+    def _try_ssh_agent_setup(self, inputs: Inputs, effective_known_hosts: str) -> bool:
+        """Try to setup SSH agent-based authentication.
+
+        Args:
+            inputs: Validated input configuration
+            effective_known_hosts: Known hosts content
+
+        Returns:
+            True if SSH agent setup succeeded, False otherwise
+        """
+        if setup_ssh_agent_auth is None:
+            log.debug("SSH agent module not available, falling back to file-based SSH")  # type: ignore[unreachable]
+            return False
+
+        try:
+            log.info("Setting up SSH agent-based authentication (more secure)")
+            self._ssh_agent_manager = setup_ssh_agent_auth(
+                workspace=self.workspace,
+                private_key_content=inputs.gerrit_ssh_privkey_g2g,
+                known_hosts_content=effective_known_hosts,
+            )
+            self._use_ssh_agent = True
+            log.info("SSH agent authentication configured successfully")
+
+        except Exception as exc:
+            log.warning("SSH agent setup failed, falling back to file-based SSH: %s", exc)
+            if self._ssh_agent_manager:
+                self._ssh_agent_manager.cleanup()
+                self._ssh_agent_manager = None
+            return False
+        else:
+            return True
+
+    def _setup_file_based_ssh(self, inputs: Inputs, effective_known_hosts: str) -> None:
+        """Setup file-based SSH authentication as fallback.
+
+        Args:
+            inputs: Validated input configuration
+            effective_known_hosts: Known hosts content
+        """
+        log.info("Setting up file-based SSH configuration for Gerrit")
         log.debug("Using workspace-specific SSH files to avoid user changes")
 
         # Create tool-specific SSH directory in workspace to avoid touching
@@ -569,13 +700,26 @@ class Orchestrator:
         tool_ssh_dir = self.workspace / ".ssh-g2g"
         tool_ssh_dir.mkdir(mode=0o700, exist_ok=True)
 
-        # Write SSH private key to tool-specific location
+        # Write SSH private key to tool-specific location with secure permissions
         key_path = tool_ssh_dir / "gerrit_key"
-        with open(key_path, "w", encoding="utf-8") as f:
-            f.write(inputs.gerrit_ssh_privkey_g2g.strip() + "\n")
-        key_path.chmod(0o600)
-        log.debug("SSH private key written to %s", key_path)
-        log.debug("Key file is tool-specific and won't interfere with user SSH")
+
+        # Use a more robust approach for creating the file with secure permissions
+        key_content = inputs.gerrit_ssh_privkey_g2g.strip() + "\n"
+
+        # Multiple strategies to create secure key file
+        success = self._create_secure_key_file(key_path, key_content)
+
+        if not success:
+            # If all permission strategies fail, create in memory directory
+            success = self._create_key_in_memory_fs(key_path, key_content)
+
+        if not success:
+            msg = (
+                "Failed to create SSH key file with secure permissions. "
+                "This may be due to CI environment restrictions. "
+                "Consider using G2G_USE_SSH_AGENT=true (default) for SSH agent authentication."
+            )
+            raise RuntimeError(msg)
 
         # Write known hosts to tool-specific location
         known_hosts_path = tool_ssh_dir / "known_hosts"
@@ -589,58 +733,191 @@ class Orchestrator:
         self._ssh_key_path = key_path
         self._ssh_known_hosts_path = known_hosts_path
 
+    def _create_secure_key_file(self, key_path: Path, key_content: str) -> bool:
+        """Try multiple strategies to create a secure SSH key file.
+
+        Args:
+            key_path: Path where to create the key file
+            key_content: SSH key content
+
+        Returns:
+            True if successful, False otherwise
+        """
+
+        strategies = [
+            ("touch+chmod", self._strategy_touch_chmod),
+            ("open+fchmod", self._strategy_open_fchmod),
+            ("umask+open", self._strategy_umask_open),
+            ("stat_constants", self._strategy_stat_constants),
+        ]
+
+        for strategy_name, strategy_func in strategies:
+            try:
+                log.debug("Trying SSH key creation strategy: %s", strategy_name)
+
+                # Remove file if it exists to start fresh
+                if key_path.exists():
+                    key_path.unlink()
+
+                # Try the strategy
+                strategy_func(key_path, key_content)
+
+                # Verify permissions
+                actual_perms = oct(key_path.stat().st_mode)[-3:]
+                if actual_perms == "600":
+                    log.debug("SSH key created successfully with strategy: %s", strategy_name)
+                    return True
+                else:
+                    log.debug("Strategy %s resulted in permissions %s", strategy_name, actual_perms)
+
+            except Exception as exc:
+                log.debug("Strategy %s failed: %s", strategy_name, exc)
+                if key_path.exists():
+                    try:
+                        key_path.unlink()
+                    except Exception as cleanup_exc:
+                        log.debug("Failed to cleanup key file: %s", cleanup_exc)
+
+        return False
+
+    def _strategy_touch_chmod(self, key_path: Path, key_content: str) -> None:
+        """Strategy: touch with mode, then write, then chmod."""
+        key_path.touch(mode=0o600)
+        with open(key_path, "w", encoding="utf-8") as f:
+            f.write(key_content)
+        key_path.chmod(0o600)
+
+    def _strategy_open_fchmod(self, key_path: Path, key_content: str) -> None:
+        """Strategy: open with os.open and specific flags, then fchmod."""
+
+        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
+        mode = stat.S_IRUSR | stat.S_IWUSR  # 0o600
+
+        fd = os.open(str(key_path), flags, mode)
+        try:
+            os.fchmod(fd, mode)
+            os.write(fd, key_content.encode("utf-8"))
+        finally:
+            os.close(fd)
+
+    def _strategy_umask_open(self, key_path: Path, key_content: str) -> None:
+        """Strategy: set umask, create file, restore umask."""
+
+        original_umask = os.umask(0o077)  # Only owner can read/write
+        try:
+            with open(key_path, "w", encoding="utf-8") as f:
+                f.write(key_content)
+            key_path.chmod(0o600)
+        finally:
+            os.umask(original_umask)
+
+    def _strategy_stat_constants(self, key_path: Path, key_content: str) -> None:
+        """Strategy: use stat constants for permission setting."""
+
+        with open(key_path, "w", encoding="utf-8") as f:
+            f.write(key_content)
+
+        # Try multiple permission setting approaches
+        mode = stat.S_IRUSR | stat.S_IWUSR
+        os.chmod(str(key_path), mode)
+        key_path.chmod(mode)
+
+    def _create_key_in_memory_fs(self, key_path: Path, key_content: str) -> bool:
+        """Fallback: try to create key in memory filesystem."""
+        try:
+            # Try to create in memory filesystem if available
+            # Use secure temporary directories
+
+            temp_dir = tempfile.gettempdir()
+            memory_dirs = [temp_dir]
+
+            # Only add /dev/shm if it exists and is accessible
+            import os
+
+            dev_shm = Path("/dev/shm")  # noqa: S108
+            if dev_shm.exists() and os.access("/dev/shm", os.W_OK):  # noqa: S108
+                memory_dirs.insert(0, "/dev/shm")  # noqa: S108
+
+            for memory_dir in memory_dirs:
+                if not Path(memory_dir).exists():
+                    continue
+
+                tmp_path = None
+                try:
+                    with tempfile.NamedTemporaryFile(
+                        mode="w", dir=memory_dir, prefix="g2g_key_", suffix=".tmp", delete=False
+                    ) as tmp_file:
+                        tmp_file.write(key_content)
+                        tmp_path = Path(tmp_file.name)
+
+                    # Try to set permissions
+                    tmp_path.chmod(0o600)
+                    actual_perms = oct(tmp_path.stat().st_mode)[-3:]
+
+                    if actual_perms == "600":
+                        # Move to final location
+                        shutil.move(str(tmp_path), str(key_path))
+                        log.debug("Successfully created SSH key using memory filesystem: %s", memory_dir)
+                        return True
+                    else:
+                        tmp_path.unlink()
+
+                except Exception as exc:
+                    log.debug("Memory filesystem strategy failed for %s: %s", memory_dir, exc)
+                    try:
+                        if tmp_path is not None and tmp_path.exists():
+                            tmp_path.unlink()
+                    except Exception as cleanup_exc:
+                        log.debug("Failed to cleanup temporary key file: %s", cleanup_exc)
+
+        except Exception as exc:
+            log.debug("Memory filesystem fallback failed: %s", exc)
+
+        return False
+
     @property
-    def _git_ssh_command(self) -> str | None:
+    def _build_git_ssh_command(self) -> str | None:
         """Generate GIT_SSH_COMMAND for secure, isolated SSH configuration.
 
         This prevents SSH from scanning the user's SSH agent or using
         unintended keys by setting IdentitiesOnly=yes and specifying
         exact key and known_hosts files.
         """
+        if self._use_ssh_agent and self._ssh_agent_manager:
+            return self._ssh_agent_manager.get_git_ssh_command()
+
         if not self._ssh_key_path or not self._ssh_known_hosts_path:
             return None
 
-        # Build SSH command with strict options to prevent key scanning
-        ssh_options = [
-            "-F /dev/null",
-            f"-i {self._ssh_key_path}",
-            f"-o UserKnownHostsFile={self._ssh_known_hosts_path}",
-            "-o IdentitiesOnly=yes",  # Critical: prevents SSH agent scanning
-            "-o IdentityAgent=none",
-            "-o BatchMode=yes",
-            "-o PreferredAuthentications=publickey",
-            "-o StrictHostKeyChecking=yes",
-            "-o PasswordAuthentication=no",
-            "-o PubkeyAcceptedKeyTypes=+ssh-rsa",
-            "-o ConnectTimeout=10",
-        ]
+        # Delegate to centralized SSH command builder
+        from .ssh_common import build_git_ssh_command
 
-        ssh_cmd = f"ssh {' '.join(ssh_options)}"
-        masked_cmd = ssh_cmd.replace(str(self._ssh_key_path), "[KEY_PATH]")
-        log.debug("Generated SSH command: %s", masked_cmd)
-        return ssh_cmd
+        return build_git_ssh_command(
+            key_path=self._ssh_key_path,
+            known_hosts_path=self._ssh_known_hosts_path,
+        )
 
     def _ssh_env(self) -> dict[str, str]:
         """Centralized non-interactive SSH/Git environment."""
-        cmd = self._git_ssh_command or (
-            "ssh -F /dev/null "
-            "-o IdentitiesOnly=yes "
-            "-o IdentityAgent=none "
-            "-o BatchMode=yes "
-            "-o PreferredAuthentications=publickey "
-            "-o StrictHostKeyChecking=yes "
-            "-o PasswordAuthentication=no "
-            "-o PubkeyAcceptedKeyTypes=+ssh-rsa "
-            "-o ConnectTimeout=10"
-        )
-        return {
-            "GIT_SSH_COMMAND": cmd,
-            "SSH_AUTH_SOCK": "",
-            "SSH_AGENT_PID": "",
-            "SSH_ASKPASS": "/usr/bin/false",
-            "DISPLAY": "",
-            "SSH_ASKPASS_REQUIRE": "never",
-        }
+        from .ssh_common import build_non_interactive_ssh_env
+
+        env = build_non_interactive_ssh_env()
+
+        # Set GIT_SSH_COMMAND based on available configuration
+        cmd = self._build_git_ssh_command
+        if cmd:
+            env["GIT_SSH_COMMAND"] = cmd
+        else:
+            # Fallback to basic non-interactive SSH command
+            from .ssh_common import build_git_ssh_command
+
+            env["GIT_SSH_COMMAND"] = build_git_ssh_command()
+
+        # Override SSH agent settings if using SSH agent
+        if self._use_ssh_agent and self._ssh_agent_manager:
+            env.update(self._ssh_agent_manager.get_ssh_env())
+
+        return env
 
     def _cleanup_ssh(self) -> None:
         """Clean up temporary SSH files created by this tool.
@@ -648,10 +925,15 @@ class Orchestrator:
         Removes the workspace-specific .ssh-g2g directory and all contents.
         This ensures no temporary files are left behind.
         """
-        if not hasattr(self, "_ssh_key_path") or not hasattr(self, "_ssh_known_hosts_path"):
-            return
+        log.debug("Cleaning up temporary SSH configuration files")
 
         try:
+            # Clean up SSH agent if we used it
+            if self._ssh_agent_manager:
+                self._ssh_agent_manager.cleanup()
+                self._ssh_agent_manager = None
+                self._use_ssh_agent = False
+
             # Remove temporary SSH directory and all contents
             tool_ssh_dir = self.workspace / ".ssh-g2g"
             if tool_ssh_dir.exists():
@@ -849,7 +1131,10 @@ class Orchestrator:
                 ", ".join(uniq_ids),
             )
         else:
-            log.warning("No Change-IDs generated for PR #%s", gh.pr_number)
+            log.debug(
+                "No Change-IDs collected during preparation for PR #%s (will be ensured via commit-msg hook)",
+                gh.pr_number,
+            )
         return PreparedChange(change_ids=uniq_ids, commit_shas=[])
 
     def _prepare_squashed_commit(
@@ -910,10 +1195,9 @@ class Orchestrator:
                         continue
                     if not ln.startswith(("  ", "-", "dependency-")) and ln.strip():
                         in_metadata_section = False
+                # Skip Change-Id lines from body - they should only be in footer
                 if ln.startswith("Change-Id:"):
-                    cid = ln.split(":", 1)[1].strip()
-                    if cid:
-                        change_ids.append(cid)
+                    log.debug("Skipping Change-Id from commit body: %s", ln.strip())
                     continue
                 if ln.startswith("Signed-off-by:"):
                     signed_off.append(ln)
@@ -944,6 +1228,20 @@ class Orchestrator:
                 else:
                     words = title_line[:100].split()
                     title_line = " ".join(words[:-1]) if len(words) > 1 else title_line[:100].rstrip()
+
+            # Apply conventional commit normalization if enabled
+            if inputs.normalise_commit and gh.pr_number:
+                try:
+                    # Get PR author for normalization context
+                    client = build_client()
+                    repo = get_repo_from_env(client)
+                    pr_obj = get_pull(repo, int(gh.pr_number))
+                    author = getattr(pr_obj, "user", {})
+                    author_login = getattr(author, "login", "") if author else ""
+                    title_line = normalize_commit_title(title_line, author_login, self.workspace)
+                except Exception as e:
+                    log.debug("Failed to apply commit normalization in squash mode: %s", e)
+
             return title_line
 
         def _build_clean_message_lines(message_lines: list[str]) -> list[str]:
@@ -996,10 +1294,16 @@ class Orchestrator:
         ) -> str:
             msg = "\n".join(lines_in).strip()
             msg = _insert_issue_id_into_commit_message(msg, inputs.issue_id)
+
+            # Build footer with proper trailer ordering
+            footer_parts = []
             if signed_off:
-                msg += "\n\n" + "\n".join(signed_off)
+                footer_parts.extend(signed_off)
             if reuse_cid:
-                msg += f"\n\nChange-Id: {reuse_cid}"
+                footer_parts.append(f"Change-Id: {reuse_cid}")
+
+            if footer_parts:
+                msg += "\n\n" + "\n".join(footer_parts)
             return msg
 
         # Build message parts
@@ -1038,7 +1342,19 @@ class Orchestrator:
                 ", ".join(cids),
             )
         else:
-            log.warning("No Change-ID generated for PR #%s", gh.pr_number)
+            # Fallback detection: re-scan commit message for Change-Id trailers
+            msg_after = run_cmd(["git", "show", "-s", "--pretty=format:%B", "HEAD"], cwd=self.workspace).stdout
+
+            found = [m.strip() for m in re.findall(r"(?mi)^Change-Id:\s*([A-Za-z0-9._-]+)\s*$", msg_after)]
+            if found:
+                log.info(
+                    "Detected Change-ID(s) after amend for PR #%s: %s",
+                    gh.pr_number,
+                    ", ".join(found),
+                )
+                cids = found
+            else:
+                log.warning("No Change-Id detected for PR #%s", gh.pr_number)
         return PreparedChange(change_ids=cids, commit_shas=[])
 
     def _apply_pr_title_body_if_requested(
@@ -1062,6 +1378,11 @@ class Orchestrator:
         title = (title or "").strip()
         body = (body or "").strip()
 
+        # Filter PR body content for Dependabot and other automated PRs
+        author = getattr(pr_obj, "user", {})
+        author_login = getattr(author, "login", "") if author else ""
+        body = filter_pr_body(title, body, author_login)
+
         # Clean up title to ensure it's a proper first line for commit message
         if title:
             # Remove markdown links like [text](url) and keep just the text
@@ -1078,6 +1399,10 @@ class Orchestrator:
             title = re.sub(r"[*_`]", "", title)
             title = title.strip()
 
+            # Apply conventional commit normalization if enabled
+            if inputs.normalise_commit:
+                title = normalize_commit_title(title, author_login, self.workspace)
+
         # Compose message; preserve existing trailers at footer
         # (Signed-off-by, Change-Id)
         current_body = git_show("HEAD", fmt="%B", cwd=self.workspace)
@@ -1108,7 +1433,11 @@ class Orchestrator:
         # Build trailers: Signed-off-by first, Change-Id last.
         trailers_out: list[str] = []
         if signed_lines:
-            trailers_out.extend(signed_lines)
+            seen_so: set[str] = set()
+            for ln in signed_lines:
+                if ln not in seen_so:
+                    trailers_out.append(ln)
+                    seen_so.add(ln)
         if change_id_lines:
             trailers_out.append(change_id_lines[-1])
         if trailers_out:
@@ -1151,6 +1480,10 @@ class Orchestrator:
         prefix = os.getenv("G2G_TOPIC_PREFIX", "GH").strip() or "GH"
         pr_num = os.getenv("PR_NUMBER", "").strip()
         topic = f"{prefix}-{repo.project_github}-{pr_num}" if pr_num else f"{prefix}-{repo.project_github}"
+
+        # Use our specific SSH configuration
+        env = self._ssh_env()
+
         try:
             args = [
                 "git",
@@ -1160,21 +1493,29 @@ class Orchestrator:
                 "-t",
                 topic,
             ]
-            revs = [r.strip() for r in (reviewers or "").split(",") if r.strip()]
+            revs = [r.strip() for r in (reviewers or "").split(",") if r.strip() and "@" in r and r.strip() != branch]
             for r in revs:
                 args.extend(["--reviewer", r])
             # Branch as positional argument (not a flag)
             args.append(branch)
 
-            # Use our specific SSH configuration
-            env = self._ssh_env()
+            if env_bool("CI_TESTING", False):
+                log.info("CI_TESTING enabled: using synthetic orphan commit push path")
+                self._create_orphan_commit_and_push(gerrit, repo, branch, reviewers, topic, env)
+                return
             log.debug("Executing git review command: %s", " ".join(args))
             run_cmd(args, cwd=self.workspace, env=env)
             log.info("Successfully pushed changes to Gerrit")
         except CommandError as exc:
+            # Check if this is a "no common ancestry" error in CI_TESTING mode
+            if self._should_handle_unrelated_history(exc):
+                log.info("Detected unrelated repository history. Creating orphan commit for CI testing...")
+                self._create_orphan_commit_and_push(gerrit, repo, branch, reviewers, topic, env)
+                return
+
             # Analyze the specific failure reason from git review output
             error_details = self._analyze_gerrit_push_failure(exc)
-            _log_exception_conditionally(log, "Gerrit push failed: %s", error_details)
+            log_exception_conditionally(log, "Gerrit push failed: %s", error_details)
             msg = f"Failed to push changes to Gerrit with git-review: {error_details}"
             raise OrchestratorError(msg) from exc
         # Cleanup temporary branch used during preparation
@@ -1194,6 +1535,113 @@ class Orchestrator:
                 env=env,
             )
 
+    def _should_handle_unrelated_history(self, exc: CommandError) -> bool:
+        """Check if we should handle unrelated repository history in CI testing mode."""
+        if not env_bool("CI_TESTING", False):
+            return False
+
+        stdout = exc.stdout or ""
+        stderr = exc.stderr or ""
+        combined_output = f"{stdout}\n{stderr}"
+
+        combined_lower = combined_output.lower()
+        phrases = (
+            "no common ancestry",
+            "no common ancestor",
+            "do not have a common ancestor",
+            "have no common ancestor",
+            "have no commits in common",
+            "refusing to merge unrelated histories",
+            "unrelated histories",
+            "unrelated history",
+            "no merge base",
+        )
+        return any(p in combined_lower for p in phrases)
+
+    def _create_orphan_commit_and_push(
+        self, gerrit: GerritInfo, repo: RepoNames, branch: str, reviewers: str, topic: str, env: dict[str, str]
+    ) -> None:
+        """Create a synthetic commit on top of the remote base with the PR tree (CI testing mode)."""
+        log.info("CI_TESTING: Creating synthetic commit on top of remote base for unrelated repository")
+
+        try:
+            # Capture the current PR commit message and tree
+            commit_msg = run_cmd(["git", "log", "--format=%B", "-n", "1", "HEAD"], cwd=self.workspace).stdout.strip()
+            pr_tree = run_cmd(["git", "show", "--quiet", "--format=%T", "HEAD"], cwd=self.workspace).stdout.strip()
+
+            # Create/update a synthetic branch based on the remote base branch
+            synth_branch = f"synth-{topic}"
+            # Ensure remote ref exists locally (best-effort)
+            run_cmd(["git", "fetch", "gerrit", branch], cwd=self.workspace, env=env, check=False)
+            run_cmd(["git", "checkout", "-B", synth_branch, f"remotes/gerrit/{branch}"], cwd=self.workspace, env=env)
+
+            # Replace working tree contents with the PR tree
+            # 1) Remove current tracked files (ignore errors if none)
+            run_cmd(["git", "rm", "-r", "--quiet", "."], cwd=self.workspace, env=env, check=False)
+            # 2) Clean untracked files/dirs (preserve our SSH known_hosts dir)
+            run_cmd(
+                ["git", "clean", "-fdx", "-e", ".ssh-g2g", "-e", ".ssh-g2g/**"],
+                cwd=self.workspace,
+                env=env,
+                check=False,
+            )
+            # 3) Checkout the PR tree into working directory
+            run_cmd(["git", "checkout", pr_tree, "--", "."], cwd=self.workspace, env=env)
+            run_cmd(["git", "add", "-A"], cwd=self.workspace, env=env)
+
+            # Commit synthetic change with the same message (should already include Change-Id)
+            import tempfile as _tempfile
+            from pathlib import Path as _Path
+
+            with _tempfile.NamedTemporaryFile("w", delete=False, encoding="utf-8") as _tf:
+                # Ensure Signed-off-by for current committer (uploader) is present in the footer
+                try:
+                    committer_name = run_cmd(
+                        ["git", "config", "--get", "user.name"],
+                        cwd=self.workspace,
+                    ).stdout.strip()
+                except Exception:
+                    committer_name = ""
+                try:
+                    committer_email = run_cmd(
+                        ["git", "config", "--get", "user.email"],
+                        cwd=self.workspace,
+                    ).stdout.strip()
+                except Exception:
+                    committer_email = ""
+                msg_to_write = commit_msg
+                if committer_name and committer_email:
+                    sob_line = f"Signed-off-by: {committer_name} <{committer_email}>"
+                    if sob_line not in msg_to_write:
+                        if not msg_to_write.endswith("\n"):
+                            msg_to_write += "\n"
+                        if not msg_to_write.endswith("\n\n"):
+                            msg_to_write += "\n"
+                        msg_to_write += sob_line
+                _tf.write(msg_to_write)
+                _tf.flush()
+                _tmp_msg_path = _Path(_tf.name)
+            try:
+                run_cmd(["git", "commit", "-F", str(_tmp_msg_path)], cwd=self.workspace, env=env)
+            finally:
+                from contextlib import suppress
+
+                with suppress(Exception):
+                    _tmp_msg_path.unlink(missing_ok=True)
+
+            # Push directly to refs/for/<branch> with topic and reviewers to avoid rebase behavior
+            push_ref = f"refs/for/{branch}%topic={topic}"
+            revs = [r.strip() for r in (reviewers or "").split(",") if r.strip() and "@" in r and r.strip() != branch]
+            for r in revs:
+                push_ref += f",r={r}"
+            run_cmd(["git", "push", "--no-follow-tags", "gerrit", f"HEAD:{push_ref}"], cwd=self.workspace, env=env)
+            log.info("Successfully pushed synthetic commit to Gerrit")
+
+        except CommandError as orphan_exc:
+            error_details = self._analyze_gerrit_push_failure(orphan_exc)
+            msg = f"Failed to push orphan commit to Gerrit: {error_details}"
+            raise OrchestratorError(msg) from orphan_exc
+
     def _analyze_gerrit_push_failure(self, exc: CommandError) -> str:
         """Analyze git review failure and provide helpful error message."""
         stdout = exc.stdout or ""
@@ -1278,7 +1726,9 @@ class Orchestrator:
         """Query Gerrit for change URL/number and patchset sha via REST."""
         log.info("Querying Gerrit for submitted change(s) via REST")
 
-        # Create centralized URL builder
+        # pygerrit2 netrc filter is already applied in execute() unless verbose mode
+
+        # Create centralized URL builder (auto-discovers base path)
         url_builder = create_gerrit_url_builder(gerrit.host)
 
         # Get authentication credentials
@@ -1294,8 +1744,12 @@ class Orchestrator:
             if http_user and http_pass:
                 if HTTPBasicAuth is None:
                     raise OrchestratorError(_MSG_PYGERRIT2_REQUIRED_AUTH)
+                if GerritRestAPI is None:
+                    raise OrchestratorError(_MSG_PYGERRIT2_REQUIRED_REST)
                 return GerritRestAPI(url=base_url, auth=HTTPBasicAuth(http_user, http_pass))
             else:
+                if GerritRestAPI is None:
+                    raise OrchestratorError(_MSG_PYGERRIT2_REQUIRED_REST)
                 return GerritRestAPI(url=base_url)
 
         # Try API URLs in order of preference (client creation happens in retry loop)
@@ -1309,29 +1763,23 @@ class Orchestrator:
             # include current revision
             query = f"limit:1 is:open project:{repo.project_gerrit} {cid}"
             path = f"/changes/?q={query}&o=CURRENT_REVISION&n=1"
-            # Try API URLs in order of preference (handles fallbacks automatically)
-            api_candidates = url_builder.get_api_url_candidates(path)
-            changes = None
-            last_error = None
-
-            for api_url in api_candidates:
-                try:
-                    # Create a new client for each URL attempt
-                    current_rest = _create_rest_client(api_url.rsplit(path, 1)[0])
-                    changes = current_rest.get(path)
-                    break  # Success, exit the retry loop
-                except Exception as exc:
-                    last_error = exc
-                    log.debug("Failed API attempt for %s at %s: %s", cid, api_url, exc)
-                    continue
+            # Build single API base URL via centralized discovery
+            api_base_url = url_builder.api_url()
+            # Build Gerrit REST client with retry/timeout
+            from .gerrit_rest import build_client_for_host
 
-            if changes is None:
-                log.warning(
-                    "Failed to query change via REST for %s (tried %d URLs): %s",
-                    cid,
-                    len(api_candidates),
-                    last_error,
-                )
+            client = build_client_for_host(
+                gerrit.host,
+                timeout=8.0,
+                max_attempts=5,
+                http_user=http_user or None,
+                http_password=http_pass or None,
+            )
+            try:
+                log.debug("Gerrit API base URL (discovered): %s", api_base_url)
+                changes = client.get(path)
+            except Exception as exc:
+                log.warning("Failed to query change via REST for %s: %s", cid, exc)
                 continue
             if not changes:
                 continue
@@ -1350,21 +1798,19 @@ class Orchestrator:
                 nums.append(num)
             if current_rev:
                 shas.append(current_rev)
-        # Export env variables (compat)
-        if urls:
-            os.environ["GERRIT_CHANGE_REQUEST_URL"] = "\n".join(urls)
-        if nums:
-            os.environ["GERRIT_CHANGE_REQUEST_NUM"] = "\n".join(nums)
-        if shas:
-            os.environ["GERRIT_COMMIT_SHA"] = "\n".join(shas)
+
         return SubmissionResult(change_urls=urls, change_numbers=nums, commit_shas=shas)
 
     def _setup_git_workspace(self, inputs: Inputs, gh: GitHubContext) -> None:
         """Initialize and set up git workspace for PR processing."""
         from .gitutils import run_cmd
 
-        # Initialize git repository
-        run_cmd(["git", "init"], cwd=self.workspace)
+        # Try modern git init with explicit branch first
+        try:
+            run_cmd(["git", "init", "--initial-branch=master"], cwd=self.workspace)
+        except Exception:
+            # Fallback for older git versions (hint filtered at logging level)
+            run_cmd(["git", "init"], cwd=self.workspace)
 
         # Add GitHub remote
         repo_full = gh.repository.strip() if gh.repository else ""
@@ -1398,64 +1844,69 @@ class Orchestrator:
 
     def _install_commit_msg_hook(self, gerrit: GerritInfo) -> None:
         """Manually install commit-msg hook from Gerrit."""
-        from .gitutils import run_cmd
+        from .external_api import curl_download
 
         hooks_dir = self.workspace / ".git" / "hooks"
         hooks_dir.mkdir(exist_ok=True)
         hook_path = hooks_dir / "commit-msg"
 
-        # Download commit-msg hook using SSH
+        # Download commit-msg hook using centralized curl framework
         try:
-            # Use curl to download the hook (more reliable than scp)
             # Create centralized URL builder for hook URLs
             url_builder = create_gerrit_url_builder(gerrit.host)
-            candidates = url_builder.get_hook_url_candidates("commit-msg")
-
-            last_error = ""
-            installed = False
-            for candidate_url in candidates:
-                try:
-                    curl_cmd = [
-                        "curl",
-                        "-fL",
-                        "-o",
-                        str(hook_path),
-                        candidate_url,
-                    ]
-                    run_cmd(curl_cmd, cwd=self.workspace)
-                    # Make hook executable
-                    hook_path.chmod(hook_path.stat().st_mode | stat.S_IEXEC)
-                    log.debug(
-                        "Successfully installed commit-msg hook from %s",
-                        candidate_url,
-                    )
-                    installed = True
-                    break
-                except Exception as exc2:
-                    last_error = f"{candidate_url}: {exc2}"
-                    log.debug(
-                        "Failed to fetch commit-msg hook from %s: %s",
-                        candidate_url,
-                        exc2,
-                    )
-
-            def _raise_install_error() -> None:
-                raise RuntimeError("Hook install failed")  # noqa: TRY301, TRY003
+            hook_url = url_builder.hook_url("commit-msg")
+
+            # Localized error raiser and short messages to satisfy TRY rules
+            def _raise_orch(msg: str) -> None:
+                raise OrchestratorError(msg)  # noqa: TRY301
+
+            _MSG_HOOK_SIZE_BOUNDS = "commit-msg hook size outside expected bounds"
+            _MSG_HOOK_READ_FAILED = "failed reading commit-msg hook"
+            _MSG_HOOK_NO_SHEBANG = "commit-msg hook missing shebang"
+            _MSG_HOOK_BAD_CONTENT = "commit-msg hook content lacks expected markers"
+
+            # Use centralized curl download with retry/logging/metrics
+            return_code, status_code = curl_download(
+                url=hook_url,
+                output_path=str(hook_path),
+                timeout=30.0,
+                follow_redirects=True,
+                silent=True,
+            )
 
-            if not installed:
-                # Log detailed reason separately to satisfy linting rules
-                log.error(
-                    "All commit-msg hook URLs failed. Last error: %s",
-                    last_error,
-                )
-                _raise_install_error()
+            size = hook_path.stat().st_size
+            log.debug(
+                "curl fetch of commit-msg: url=%s http_status=%s size=%dB rc=%s",
+                hook_url,
+                status_code,
+                size,
+                return_code,
+            )
+            # Sanity checks on size
+            if size < 128 or size > 65536:
+                _raise_orch(_MSG_HOOK_SIZE_BOUNDS)
 
-            # Make hook executable
+            # Validate content characteristics
+            text_head = ""
+            try:
+                with open(hook_path, "rb") as fh:
+                    head = fh.read(2048)
+                text_head = head.decode("utf-8", errors="ignore")
+            except Exception:
+                _raise_orch(_MSG_HOOK_READ_FAILED)
+
+            if not text_head.startswith("#!"):
+                _raise_orch(_MSG_HOOK_NO_SHEBANG)
+            # Look for recognizable strings
+            if not any(m in text_head for m in ("Change-Id", "Gerrit Code Review", "add_change_id")):
+                _raise_orch(_MSG_HOOK_BAD_CONTENT)
+
+            # Make hook executable (single chmod)
             hook_path.chmod(hook_path.stat().st_mode | stat.S_IEXEC)
-            log.debug("Successfully installed commit-msg hook via curl")
+            log.debug("Successfully installed commit-msg hook from %s", hook_url)
 
         except Exception as exc:
-            log.warning("Failed to install commit-msg hook via curl: %s", exc)
+            log.warning("Failed to install commit-msg hook via centralized curl: %s", exc)
             msg = f"Could not install commit-msg hook: {exc}"
             raise OrchestratorError(msg) from exc
 
@@ -1465,51 +1916,163 @@ class Orchestrator:
         Installs the commit-msg hook and amends the commit if needed.
         """
         trailers = git_last_commit_trailers(keys=["Change-Id"], cwd=self.workspace)
-        if not trailers.get("Change-Id"):
-            log.debug("No Change-Id found; attempting to install commit-msg hook and amend commit")
-            try:
-                self._install_commit_msg_hook(gerrit)
-                git_commit_amend(
-                    no_edit=True,
-                    signoff=True,
-                    author=author,
-                    cwd=self.workspace,
-                )
-            except Exception as exc:
-                log.warning(
-                    "Commit-msg hook installation failed, falling back to direct Change-Id injection: %s",
-                    exc,
-                )
-                # Fallback: generate a Change-Id and append to the commit
-                # message directly
-                import time
+        existing_change_ids = trailers.get("Change-Id", [])
 
-                current_msg = run_cmd(
-                    ["git", "show", "-s", "--pretty=format:%B", "HEAD"],
-                    cwd=self.workspace,
-                ).stdout
-                seed = f"{current_msg}\n{time.time()}"
-                import hashlib as _hashlib  # local alias to satisfy linters
-
-                change_id = "I" + _hashlib.sha256(seed.encode("utf-8")).hexdigest()[:40]
-                if "Change-Id:" not in current_msg:
-                    new_msg = current_msg.rstrip() + "\n\n" + f"Change-Id: {change_id}\n"
-                    git_commit_amend(
-                        no_edit=False,
-                        signoff=True,
-                        author=author,
-                        message=new_msg,
-                        cwd=self.workspace,
-                    )
-            # Debug: Check commit message after amend
-            actual_msg = run_cmd(
+        if existing_change_ids:
+            log.debug("Found existing Change-Id(s) in footer: %s", existing_change_ids)
+            # Clean up any duplicate Change-IDs in the message body
+            self._clean_change_ids_from_body(author)
+            return [c for c in existing_change_ids if c]
+
+        log.debug("No Change-Id found; attempting to install commit-msg hook and amend commit")
+        try:
+            self._install_commit_msg_hook(gerrit)
+            git_commit_amend(
+                no_edit=True,
+                signoff=True,
+                author=author,
+                cwd=self.workspace,
+            )
+        except Exception as exc:
+            log.warning(
+                "Commit-msg hook installation failed, falling back to direct Change-Id injection: %s",
+                exc,
+            )
+            # Fallback: generate a Change-Id and append to the commit
+            # message directly
+            import time
+
+            current_msg = run_cmd(
                 ["git", "show", "-s", "--pretty=format:%B", "HEAD"],
                 cwd=self.workspace,
-            ).stdout.strip()
-            log.debug("Commit message after amend:\n%s", actual_msg)
-            trailers = git_last_commit_trailers(keys=["Change-Id"], cwd=self.workspace)
+            ).stdout
+            seed = f"{current_msg}\n{time.time()}"
+            import hashlib as _hashlib  # local alias to satisfy linters
+
+            change_id = "I" + _hashlib.sha256(seed.encode("utf-8")).hexdigest()[:40]
+
+            # Clean message and ensure proper footer placement
+            cleaned_msg = self._clean_commit_message_for_change_id(current_msg)
+            new_msg = cleaned_msg.rstrip() + "\n\n" + f"Change-Id: {change_id}\n"
+            git_commit_amend(
+                no_edit=False,
+                signoff=True,
+                author=author,
+                message=new_msg,
+                cwd=self.workspace,
+            )
+        # Debug: Check commit message after amend
+        actual_msg = run_cmd(
+            ["git", "show", "-s", "--pretty=format:%B", "HEAD"],
+            cwd=self.workspace,
+        ).stdout.strip()
+        log.debug("Commit message after amend:\n%s", actual_msg)
+        trailers = git_last_commit_trailers(keys=["Change-Id"], cwd=self.workspace)
         return [c for c in trailers.get("Change-Id", []) if c]
 
+    def _clean_change_ids_from_body(self, author: str) -> None:
+        """Remove any Change-Id lines from the commit message body, keeping only footer trailers."""
+        current_msg = run_cmd(
+            ["git", "show", "-s", "--pretty=format:%B", "HEAD"],
+            cwd=self.workspace,
+        ).stdout
+
+        cleaned_msg = self._clean_commit_message_for_change_id(current_msg)
+
+        if cleaned_msg != current_msg:
+            log.debug("Cleaned Change-Id lines from commit message body")
+            git_commit_amend(
+                no_edit=False,
+                signoff=True,
+                author=author,
+                message=cleaned_msg,
+                cwd=self.workspace,
+            )
+
+    def _clean_commit_message_for_change_id(self, message: str) -> str:
+        """Remove Change-Id lines from message body while preserving footer trailers."""
+        lines = message.splitlines()
+
+        # Parse proper trailers using the fixed trailer parser
+        trailers = _parse_trailers(message)
+        change_id_trailers = trailers.get("Change-Id", [])
+        signed_off_trailers = trailers.get("Signed-off-by", [])
+        other_trailers = {k: v for k, v in trailers.items() if k not in ["Change-Id", "Signed-off-by"]}
+
+        # Find trailer section by working backwards to find continuous trailer block
+        trailer_start = len(lines)
+
+        # Work backwards to find where trailers start
+        for i in range(len(lines) - 1, -1, -1):
+            line = lines[i].strip()
+            if not line:
+                # Found blank line - trailers are after this
+                trailer_start = i + 1
+                break
+            elif ":" not in line:
+                # Non-trailer line - trailers start after this
+                trailer_start = i + 1
+                break
+            else:
+                # Potential trailer line - check if it's a valid trailer
+                key, val = line.split(":", 1)
+                k = key.strip()
+                v = val.strip()
+                if not (k and v and not k.startswith(" ") and not k.startswith("\t")):
+                    # Invalid trailer format - trailers start after this
+                    trailer_start = i + 1
+                    break
+
+        # Process body lines (before trailers) and remove any Change-Id references
+        body_lines = []
+        for i in range(trailer_start):
+            line = lines[i]
+            # Remove any Change-Id references from body lines
+            if "Change-Id:" in line:
+                # If line starts with Change-Id:, skip it entirely
+                if line.strip().startswith("Change-Id:"):
+                    log.debug("Removing Change-Id line from body: %s", line.strip())
+                    continue
+                else:
+                    # If Change-Id is mentioned within the line, remove that part
+                    original_line = line
+                    # Remove Change-Id: followed by the ID value
+
+                    # Pattern to match "Change-Id: <value>" where value can contain word chars, hyphens, etc.
+                    line = re.sub(r"Change-Id:\s*[A-Za-z0-9._-]+\b", "", line)
+                    # Clean up extra whitespace
+                    line = re.sub(r"\s+", " ", line).strip()
+                    if line != original_line:
+                        log.debug("Cleaned Change-Id reference from body line: %s -> %s", original_line.strip(), line)
+            body_lines.append(line)
+
+        # Remove trailing empty lines from body
+        while body_lines and not body_lines[-1].strip():
+            body_lines.pop()
+
+        result = "\n".join(body_lines)
+
+        # Add proper footer trailers if any exist
+        footer_parts = []
+        if signed_off_trailers:
+            _seen_so: set[str] = set()
+            _uniq_so: list[str] = []
+            for s in signed_off_trailers:
+                if s not in _seen_so:
+                    _uniq_so.append(s)
+                    _seen_so.add(s)
+            footer_parts.extend([f"Signed-off-by: {s}" for s in _uniq_so])
+        # Add other trailers
+        for key, values in other_trailers.items():
+            footer_parts.extend([f"{key}: {v}" for v in values])
+        if change_id_trailers:
+            footer_parts.extend([f"Change-Id: {c}" for c in change_id_trailers])
+
+        if footer_parts:
+            result += "\n\n" + "\n".join(footer_parts)
+
+        return result
+
     def _add_backref_comment_in_gerrit(
         self,
         *,
@@ -1545,10 +2108,9 @@ class Orchestrator:
                 continue
             try:
                 log.debug("Executing SSH command for commit %s", csha)
-                # Build SSH command. If isolated SSH key/known_hosts are
-                # available, use strict options; otherwise fall back to the
-                # minimal form expected by tests.
+                # Build SSH command based on available authentication method
                 if self._ssh_key_path and self._ssh_known_hosts_path:
+                    # File-based SSH authentication
                     ssh_cmd = [
                         "ssh",
                         "-F",
@@ -1583,9 +2145,44 @@ class Orchestrator:
                             f"{shlex.quote(csha)}"
                         ),
                     ]
+                elif self._use_ssh_agent and self._ssh_agent_manager and self._ssh_agent_manager.known_hosts_path:
+                    # SSH agent authentication with known_hosts
+                    ssh_cmd = [
+                        "ssh",
+                        "-F",
+                        "/dev/null",
+                        "-o",
+                        f"UserKnownHostsFile={self._ssh_agent_manager.known_hosts_path}",
+                        "-o",
+                        "IdentitiesOnly=no",
+                        "-o",
+                        "BatchMode=yes",
+                        "-o",
+                        "PreferredAuthentications=publickey",
+                        "-o",
+                        "StrictHostKeyChecking=yes",
+                        "-o",
+                        "PasswordAuthentication=no",
+                        "-o",
+                        "PubkeyAcceptedKeyTypes=+ssh-rsa",
+                        "-o",
+                        "ConnectTimeout=10",
+                        "-n",
+                        "-p",
+                        str(gerrit.port),
+                        f"{user}@{server}",
+                        (
+                            "gerrit review -m "
+                            f"{shlex.quote(message)} "
+                            "--branch "
+                            f"{shlex.quote(branch)} "
+                            "--project "
+                            f"{shlex.quote(repo.project_gerrit)} "
+                            f"{shlex.quote(csha)}"
+                        ),
+                    ]
                 else:
-                    # Strict non-interactive SSH without
-                    # isolated key/known_hosts
+                    # Fallback - minimal SSH command (for tests)
                     ssh_cmd = [
                         "ssh",
                         "-F",
@@ -1660,6 +2257,10 @@ class Orchestrator:
         result: SubmissionResult,
     ) -> None:
         """Post a comment on the PR with the Gerrit change URL(s)."""
+        # Respect CI_TESTING: do not attempt to update the source/origin PR
+        if os.getenv("CI_TESTING", "").strip().lower() in ("1", "true", "yes"):
+            log.debug("Source/origin pull request will NOT be updated with Gerrit change when CI_TESTING set true")
+            return
         log.info("Adding reference comment on PR #%s", gh.pr_number)
         if not gh.pr_number:
             return
@@ -1736,7 +2337,6 @@ class Orchestrator:
         - Verify GitHub token by fetching repository and PR metadata
         - Do NOT perform any write operations
         """
-        import socket
 
         log.info("Dry-run: starting preflight checks")
         if os.getenv("G2G_DRYRUN_DISABLE_NETWORK", "").strip().lower() in (
@@ -1831,7 +2431,11 @@ class Orchestrator:
         http_user: str,
         http_pass: str,
     ) -> None:
-        """Probe Gerrit REST endpoint with optional auth and '/r' fallback."""
+        """Probe Gerrit REST endpoint with optional auth.
+
+        Uses the centralized URL builder to construct the API endpoint
+        for consistent URL handling across the application.
+        """
 
         def _build_client(url: str) -> Any:
             if http_user and http_pass:
@@ -1859,51 +2463,17 @@ class Orchestrator:
 
         # Create centralized URL builder for REST probing
         url_builder = create_gerrit_url_builder(host, base_path)
-        api_candidates = url_builder.get_api_url_candidates()
-
-        # Try API URLs in order of preference
-        probe_successful = False
-        last_error = None
+        api_url = url_builder.api_url()
 
-        for api_url in api_candidates:
-            try:
-                _probe(api_url)
-                probe_successful = True
-                break
-            except Exception as exc:
-                last_error = exc
-                log.debug("Gerrit REST probe failed for %s: %s", api_url, exc)
-                continue
-
-        if not probe_successful and last_error:
-            log.warning(
-                "Gerrit REST probe did not succeed (tried %d URLs): %s",
-                len(api_candidates),
-                last_error,
-            )
+        try:
+            _probe(api_url)
+        except Exception as exc:
+            log.warning("Gerrit REST probe failed for %s: %s", api_url, exc)
 
     # ---------------
     # Helpers
     # ---------------
 
-    def _append_github_output(self, outputs: dict[str, str]) -> None:
-        gh_out = os.getenv("GITHUB_OUTPUT")
-        if not gh_out:
-            return
-        try:
-            with open(gh_out, "a", encoding="utf-8") as fh:
-                for key, val in outputs.items():
-                    if not val:
-                        continue
-                    if "\n" in val and os.getenv("GITHUB_ACTIONS") == "true":
-                        fh.write(f"{key}<<G2G\n")
-                        fh.write(f"{val}\n")
-                        fh.write("G2G\n")
-                    else:
-                        fh.write(f"{key}={val}\n")
-        except Exception as exc:
-            log.debug("Failed to write GITHUB_OUTPUT: %s", exc)
-
     def _resolve_target_branch(self) -> str:
         # Preference order:
         # 1) GERRIT_BRANCH (explicit override)