chore: linear-vercel — current with main + #247 orchestration + Linear-MCP attachments (CI-only draft)

.gitleaks.toml

@@ -19,6 +19,17 @@ stopwords = ["wat-opaque-123"]
 description = "Test fixture signing secret in Slack verification unit test (not a real credential)."
 stopwords = ["test-signing-secret-abc123"]
 
+[[allowlists]]
+# #247: the orchestration idempotencyKey fixtures (`orch_<id>_<subissue>`) are
+# made-up test values, but generic-api-key flags the key-ish assignment. Scope
+# the exemption to the orchestration test files (no real credentials there).
+description = "Orchestration idempotencyKey test fixtures (not real credentials)."
+targetRules = ["generic-api-key"]
+paths = [
+    "^cdk/test/handlers/shared/orchestration-release\\.test\\.ts$",
+    "^cdk/test/handlers/orchestration-reconciler\\.test\\.ts$",
+]
+
 # Catch bare 12-digit AWS account IDs. The default ruleset does not flag these,
 # which is how a real account ID reached a committed comment in the #236 integ
 # work. RE2 (Go) has no lookarounds, so the non-digit neighbours are captured in

agent/src/config.py

@@ -17,14 +17,22 @@
 # id whose ``requires_repo`` is false. Used by the load-failure fallback to
 # decide repo-optionality without loading the file.
 REPO_LESS_DEFAULT_WORKFLOW_ID = "default/agent-v1"
-# First-party workflow ids that operate on an existing pull request.
-PR_WORKFLOW_IDS = frozenset(("coding/pr-iteration-v1", "coding/pr-review-v1"))
+# First-party workflow ids that operate on an existing pull request — they
+# check out the existing PR branch instead of creating a fresh one. restack-v1
+# (#305 A6) re-merges a changed predecessor into an existing stacked-child PR.
+PR_WORKFLOW_IDS = frozenset(("coding/pr-iteration-v1", "coding/pr-review-v1", "coding/restack-v1"))
 # First-party workflow ids that are writeable (NOT read-only). Used only by the
 # load-failure fallback to bias an unrecognised id toward read-only (fail closed
 # on the write-deny invariant). pr-review-v1 is intentionally excluded (it is
 # read-only); default/agent-v1 is excluded because its conservative posture
 # should fail closed too.
-_KNOWN_WRITEABLE_WORKFLOW_IDS = frozenset(("coding/new-task-v1", "coding/pr-iteration-v1"))
+_KNOWN_WRITEABLE_WORKFLOW_IDS = frozenset(
+    (
+        "coding/new-task-v1",
+        "coding/pr-iteration-v1",
+        "coding/restack-v1",
+    )
+)
 
 
 def resolve_github_token() -> str:
@@ -459,9 +467,13 @@ def build_config(
     dry_run: bool = False,
     task_id: str = "",
     system_prompt_overrides: str = "",
+    build_command: str = "",
+    lint_command: str = "",
     resolved_workflow: dict | None = None,
     branch_name: str = "",
     pr_number: str = "",
+    base_branch: str | None = None,
+    merge_branches: list[str] | None = None,
     channel_source: str = "",
     channel_metadata: dict[str, str] | None = None,
     trace: bool = False,
@@ -565,6 +577,8 @@ def build_config(
         max_turns=max_turns,
         max_budget_usd=max_budget_usd,
         system_prompt_overrides=system_prompt_overrides,
+        build_command=build_command,
+        lint_command=lint_command,
         resolved_workflow=workflow,
         policy_principal=policy_principal,
         read_only=workflow_read_only,
@@ -573,6 +587,8 @@ def build_config(
         is_pr_workflow=is_pr_workflow,
         branch_name=branch_name,
         pr_number=pr_number,
+        base_branch=base_branch,
+        merge_branches=merge_branches or [],
         task_id=task_id or uuid.uuid4().hex[:12],
         channel_source=channel_source,
         channel_metadata=channel_metadata or {},

agent/src/models.py

@@ -158,6 +158,13 @@ class TaskConfig(BaseModel):
     max_turns: int = 10
     max_budget_usd: float | None = None
     system_prompt_overrides: str = ""
+    # Per-repo build/lint verification commands (#1 build-gate fix). When set
+    # (from the blueprint, via the payload), the agent runs these instead of
+    # the hardcoded ``mise run build`` / ``mise run lint`` to gate build/lint
+    # regressions. Empty → default to mise. Set for non-mise repos (e.g.
+    # ``npm run build``) so gating actually runs the repo's real command.
+    build_command: str = ""
+    lint_command: str = ""
     # The pinned workflow this task runs ({"id", "version"}), resolved at the
     # create-task boundary and threaded through the payload (#248). None on
     # local/batch runs, where the pipeline defaults to coding/new-task-v1.
@@ -237,6 +244,11 @@ class TaskConfig(BaseModel):
     approval_gate_cap: int | None = None
     issue: GitHubIssue | None = None
     base_branch: str | None = None
+    # #247 A4: predecessor branches to merge into this child's branch
+    # before work, for a diamond child (2+ predecessors) that branches off
+    # main but must see all predecessors' code. Empty for root + linear
+    # children (linear children stack via ``base_branch`` instead).
+    merge_branches: list[str] = Field(default_factory=list)
     # Attachments from the orchestrator payload (Phase 3). Validated as
     # AttachmentConfig models. Empty list for tasks without attachments.
     attachments: list[AttachmentConfig] = Field(default_factory=list)
@@ -294,6 +306,13 @@ class RepoSetup(BaseModel):
     build_before: bool = True
     lint_before: bool = True
     default_branch: str = "main"
+    # #1: True when the build verification command is INERT — it could not run
+    # at all (no build task / command not found) AND no explicit build_command
+    # was configured. In that state build-regression gating is effectively OFF
+    # (a change that breaks the build still reports success), so the agent
+    # surfaces a one-time warning on the PR. Distinct from a genuinely red build
+    # (command ran, exited non-zero), which IS meaningful gating signal.
+    build_gate_inert: bool = False
 
 
 class TokenUsage(BaseModel):

agent/src/pipeline.py

@@ -574,11 +574,15 @@ def run_task(
     task_id: str = "",
     hydrated_context: dict | None = None,
     system_prompt_overrides: str = "",
+    build_command: str = "",
+    lint_command: str = "",
     prompt_version: str = "",
     memory_id: str = "",
     resolved_workflow: dict | None = None,
     branch_name: str = "",
     pr_number: str = "",
+    base_branch: str | None = None,
+    merge_branches: list[str] | None = None,
     cedar_policies: list[str] | None = None,
     approval_timeout_s: int | None = None,
     initial_approvals: list[str] | None = None,
@@ -616,9 +620,13 @@ def run_task(
         aws_region=aws_region,
         task_id=task_id,
         system_prompt_overrides=system_prompt_overrides,
+        build_command=build_command,
+        lint_command=lint_command,
         resolved_workflow=resolved_workflow,
         branch_name=branch_name,
         pr_number=pr_number,
+        base_branch=base_branch,
+        merge_branches=merge_branches,
         channel_source=channel_source,
         channel_metadata=channel_metadata,
         trace=trace,
@@ -1012,8 +1020,8 @@ def _on_trace_truncated(max_bytes: int, first_dropped: int) -> None:
                 safety_committed = False if workflow_read_only else ensure_committed(setup.repo_dir)
                 post_span.set_attribute("safety_net.committed", safety_committed)
 
-                build_passed = verify_build(setup.repo_dir)
-                lint_passed = verify_lint(setup.repo_dir)
+                build_passed = verify_build(setup.repo_dir, config.build_command)
+                lint_passed = verify_lint(setup.repo_dir, config.lint_command)
                 pr_url = ensure_pr(
                     config,
                     setup,

agent/src/post_hooks.py

@@ -3,6 +3,7 @@
 from __future__ import annotations
 
 import re
+import shlex
 import subprocess
 from typing import TYPE_CHECKING
 
@@ -11,14 +12,64 @@
 if TYPE_CHECKING:
     from models import AgentResult, RepoSetup, TaskConfig
 
+# Default verification commands (#1 build-gate fix). A repo that uses mise gets
+# these for free; a non-mise repo sets ``pipeline.buildCommand`` /
+# ``lintCommand`` in its blueprint (threaded to the agent as build_command /
+# lint_command) so gating runs the repo's real command.
+DEFAULT_BUILD_COMMAND = "mise run build"
+DEFAULT_LINT_COMMAND = "mise run lint"
 
-def verify_build(repo_dir: str) -> bool:
-    """Run mise run build after agent completion to verify the build."""
-    log("POST", "Running post-agent build verification (mise run build)...")
+# POSIX shell exit code for "command not found" — an inert build signal (the
+# configured verify command isn't installed), not a genuine build failure.
+SHELL_COMMAND_NOT_FOUND = 127
+
+
+def is_verify_command_inert(returncode: int, stderr: str) -> bool:
+    """True when a verify command did not actually RUN (vs ran-and-failed).
+
+    Distinguishes the #1 inert-gate state — the build/lint command isn't
+    runnable in this repo, so gating is effectively OFF — from a genuine red
+    build (command executed, exited non-zero), which IS meaningful signal.
+
+    Heuristics (conservative — only the unambiguous "couldn't run" signals):
+      - exit 127: shell "command not found" (e.g. ``gradle`` not installed).
+      - mise "no tasks defined" / "no task named" / "not found": the configured
+        (or default ``mise run build``) task does not exist in the repo.
+    A repo that genuinely fails its build returns some other non-zero code with
+    real compiler/test output, which this does NOT flag.
+    """
+    if returncode == SHELL_COMMAND_NOT_FOUND:
+        return True
+    s = (stderr or "").lower()
+    return (
+        "no tasks defined" in s
+        or "no task named" in s
+        or ("mise" in s and "not found" in s)
+        or "command not found" in s
+    )
+
+
+def resolve_verify_argv(command: str | None, default: str) -> list[str]:
+    """Split a configured verify command into argv, falling back to the default.
+
+    Empty/whitespace/None ``command`` → the default (mise). Parsed with ``shlex`` so
+    a configured ``'npm run build && npm test'`` would need a shell — we keep it
+    simple argv here; chained shell commands should be wrapped in a mise/npm
+    task by the repo. A single command with args (``npm run build``) splits
+    cleanly.
+    """
+    cmd = (command or "").strip() or default
+    return shlex.split(cmd)
+
+
+def verify_build(repo_dir: str, command: str = "") -> bool:
+    """Run the configured build command (default ``mise run build``) to verify the build."""
+    argv = resolve_verify_argv(command, DEFAULT_BUILD_COMMAND)
+    log("POST", f"Running post-agent build verification ({' '.join(argv)})...")
     try:
         result = run_cmd(
-            ["mise", "run", "build"],
-            label="mise-run-build-post",
+            argv,
+            label="verify-build-post",
             cwd=repo_dir,
             check=False,
         )
@@ -32,13 +83,14 @@ def verify_build(repo_dir: str) -> bool:
     return True
 
 
-def verify_lint(repo_dir: str) -> bool:
-    """Run mise run lint after agent completion to verify lint passes."""
-    log("POST", "Running post-agent lint verification (mise run lint)...")
+def verify_lint(repo_dir: str, command: str = "") -> bool:
+    """Run the configured lint command (default ``mise run lint``) to verify lint passes."""
+    argv = resolve_verify_argv(command, DEFAULT_LINT_COMMAND)
+    log("POST", f"Running post-agent lint verification ({' '.join(argv)})...")
     try:
         result = run_cmd(
-            ["mise", "run", "lint"],
-            label="mise-run-lint-post",
+            argv,
+            label="verify-lint-post",
             cwd=repo_dir,
             check=False,
         )
@@ -343,19 +395,35 @@ def ensure_pr(
 
     build_status = "PASS" if build_passed else "FAIL"
     lint_status = "PASS" if lint_passed else "FAIL"
+    # #1: show the actual commands run (default mise), not a hardcoded label.
+    build_label = (config.build_command or DEFAULT_BUILD_COMMAND).strip()
+    lint_label = (config.lint_command or DEFAULT_LINT_COMMAND).strip()
 
     cost_line = ""
     if agent_result and agent_result.cost_usd is not None:
         cost_line = f"- Agent cost: **${agent_result.cost_usd:.4f}**\n"
 
+    # #1: when build-regression gating is inert (no runnable build command, none
+    # configured), say so plainly — otherwise a green "build: PASS" misleads:
+    # nothing was actually verified.
+    gate_warning = ""
+    if getattr(setup, "build_gate_inert", False):
+        gate_warning = (
+            "> ⚠️ **Build-regression gating is OFF for this repo.** No runnable "
+            f"`{DEFAULT_BUILD_COMMAND}` task was found and no build command is configured, "
+            "so a change that breaks the build still reports success. To enable gating, set "
+            "`pipeline.buildCommand` in this repo's ABCA blueprint (e.g. `npm run build`).\n\n"
+        )
+
     pr_body = (
         f"## Summary\n\n"
         f"{task_source}"
         f"### Commits\n\n"
         f"```\n{commits}\n```\n\n"
         f"## Verification\n\n"
-        f"- `mise run build` (post-agent): **{build_status}**\n"
-        f"- `mise run lint` (post-agent): **{lint_status}**\n"
+        f"{gate_warning}"
+        f"- `{build_label}` (post-agent): **{build_status}**\n"
+        f"- `{lint_label}` (post-agent): **{lint_status}**\n"
         f"{cost_line}\n"
         f"---\n\n"
         f"By submitting this pull request, I confirm that you can use, modify, copy, "