f6b3: re-stage automation (advisory plan + forge-safe executor) for the staged-staleness livelock

[joeoakhart]

f6b3 — re-stage automation (panel O1) for the staged-staleness livelock

Implements the panel-approved (ticket 0734) re-stage affordance that addresses the staged-staleness livelock this epic kept hitting (dd123-5/-6/-7; 3× version-only PR2 conflicts).

3 TDD'd increments (test-merge-to-main-resume-inc008.sh 47/0):

1. _restage_recovery_plan — on a determinate PR2 conflict, emit an explicit BLOCKING re-stage plan (don't reuse spent branch, fresh branch, rebase, confirm-gated staged-ref deletion, re-review warning). Wired into the recovery path (replaces the terse one-liner). Subsumes N2.
2. Forge-proof safety layer: _restage_staged_ref_safe_to_delete (delete only with MERGED PR1 + no live PR2; never the local 0-ahead signal; fail-safe) + _restage_fresh_branch_name (never reuse the spent source).
3. _restage_assess (pure) + _restage_execute: advisory by default (early-returns before any git op); destructive re-stage runs ONLY under DSO_RESTAGE_EXECUTE=1, under flock, with --force-with-lease, deleting the orphaned staged ref ONLY when forge-proof-safe.

Bypass note: review-sub-pr/llm-review is the FP-amplified check (small isolated diff); other required checks should be green. Manual web-UI bypass-merge. Panel conditions honored: advisory-first, human-gated remote-ref deletion (forge-proof, not 0-ahead), flock/ownership, preserves INC-008 + merged-PR-guard. The DSO_RESTAGE_EXECUTE=1 git/gh glue is gated + needs integration testing (flagged).

Summary by CodeRabbit

Release Notes

• New Features

  • Added recovery workflow for handling merge conflicts in promotion pipelines.
  • Enhanced conflict detection with safety validation to prevent unsafe deletion of staging references.
  • Implemented branch re-staging logic with fresh naming for recovery attempts.

• Tests

  • Added comprehensive test coverage for conflict recovery procedures and safety assessment logic.

[coderabbitai]

Looking for one thing? Review this PR in Change Stack to search files, summaries, diffs, and code without losing your place.

Walkthrough

This PR introduces a deterministic recovery subsystem for PR2 conflicts in the staged-* promotion flow. Five new helper functions—covering advisory planning, deletion-safety predicates, fresh branch naming, and assessment—combine to support an execution layer that re-stages failed promotions on clean branches under operator control, deleting orphaned refs only when forge state permits.

Changes

Re-stage recovery subsystem for PR2 conflicts

Layer / File(s)	Summary
Pure predicates and recovery planning plugins/dso/scripts/merge-to-main-pr.sh, tests/scripts/test-merge-to-main-resume-inc008.sh	Four pure helper functions form the decision layer: _restage_recovery_plan prints advisory text; _restage_staged_ref_safe_to_delete evaluates PR1/PR2 forge state to permit deletion only when PR1 is MERGED; _restage_fresh_branch_name generates non-identical names by suffix increment or -restage2 append; _restage_assess combines these into a complete assessment with SAFE/UNSAFE verdict. Tests verify all state combinations and naming rules.
Re-stage execution and phase merge integration plugins/dso/scripts/merge-to-main-pr.sh	_restage_execute orchestrates checkout, rebase onto origin/default, and force-push workflows under exclusive lock when DSO_RESTAGE_EXECUTE=1 is set, only deleting the staged ref when the predicate deems it safe. _phase_merge replaces its single-line CONFLICTING error message with a call to _restage_recovery_plan for staged-* branches.

---

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding re-stage automation (advisory plan and forge-safe executor) to address the staged-staleness livelock issue.
Docstring Coverage	✅ Passed	Docstring coverage is 85.71% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/f6b3-restage-advisory

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

DSO-Review-Cycle: 1 pr_number=689 commit_sha=0f938bf209f8ef623a4ad85e39a90a79a222e297 findings_hash=46bea242945d7501 tuples=[["tests/scripts/test-merge-to-main-resume-inc008.sh", "", "verification"], ["tests/scripts/test-merge-to-main-resume-inc008.sh", "", "verification"], ["tests/scripts/test-merge-to-main-resume-inc008.sh", "", "verification"]]

[github-actions]

DSO llm-review — finding 1/3

[critical] tests/scripts/test-merge-to-main-resume-inc008.sh:140 tests/scripts/test-merge-to-main-resume-inc008.sh:141 tests/scripts/test-merge-to-main-resume-inc008.sh:142 tests/scripts/test-merge-to-main-resume-inc008.sh:143 tests/scripts/test-merge-to-main-resume-inc008.sh:144 tests/scripts/test-merge-to-main-resume-inc008.sh:145 tests/scripts/test-merge-to-main-resume-inc008.sh:146 (verification)

[Source-file-grepping] Test uses grep to verify that specific text patterns exist in the stdout of _restage_recovery_plan rather than exercising the function's actual behavior under different inputs and asserting the resulting side-effects or return values. Tests T20 through T26 grep for strings like 'do not reuse', 'spent', 'fresh branch', 'rebase.*origin/main', the staged ref name itself, 'confirm', 're-review|review again|SHAs change', and absence of bare git mutation lines. These are source-file-grepping assertions on the function's prose output, not behavioral tests. The function should be tested by: (1) verifying it produces the correct advisory text format for different staged_ref and default_branch inputs (e.g., does it correctly substitute the actual ref/branch names in the output?), (2) asserting the function has no side effects (returns 0, makes no git calls, does not modify state), and (3) for the T26 advisory-only check, asserting the function does NOT execute mutations, not by grepping for the absence of 'git push' lines in stdout but by verifying the caller is responsible for deciding whether to execute. The grep-for-prose pattern will fail on any refactoring that rewords the advisory message (even if the reworded message is equally correct and more precise), producing false positives that erode test suite trust.

---

Posted by dso_ci_review.runner; resolve this comment when addressed.

[github-actions]

DSO llm-review — finding 2/3

[critical] tests/scripts/test-merge-to-main-resume-inc008.sh:146 (verification)

[Source-file-grepping] Tests T27–T32 assess _restage_staged_ref_safe_to_delete by exercising it with different PR state inputs and asserting return codes (via `if _restage_staged_ref_safe_to_delete"..." ; then _pass`, etc.). This is correct behavioral testing — the function's observable output is its exit code (0 = safe, 1 = unsafe), and the tests verify the correct exit code for different PR state combinations. However, the grep assertion T26 (`if grep -qE "^[[:space:]]*git (push|branch -D|rebase)" <<<"$_plan"`) is source-file-grepping on the stdout prose of _restage_recovery_plan to verify it does NOT contain bare executable git commands. This is a change-detector: if the advisory message is refactored to include an inline code example or a differently-formatted git command line (e.g., 'Example: `git rebase -X ours`'), the grep will false-positive even though the function is still advisory-only. The correct test is to verify that _restage_recovery_plan makes no git calls itself (no side effects), not to grep for the absence of git commands in the printed advisory text.

---

Posted by dso_ci_review.runner; resolve this comment when addressed.

[github-actions]

DSO llm-review — finding 3/3

[critical] tests/scripts/test-merge-to-main-resume-inc008.sh:168 tests/scripts/test-merge-to-main-resume-inc008.sh:169 tests/scripts/test-merge-to-main-resume-inc008.sh:170 tests/scripts/test-merge-to-main-resume-inc008.sh:171 tests/scripts/test-merge-to-main-resume-inc008.sh:172 tests/scripts/test-merge-to-main-resume-inc008.sh:173 (verification)

[Source-file-grepping] Tests T33–T35 call _restage_fresh_branch_name with a single input and assert the string return value using bash string equality (`[[ "$_n1" == "expected" ]]`). This is correct behavioral testing — the function's observable output is the returned branch name string. However, this subset of tests (T33–T35) should verify that the function correctly increments a trailing `-N` suffix and appends `-restage2` when no numeric suffix exists. The tests as written are not source-file-grepping; they directly assert the return value. However, the test coverage is incomplete: it does not verify edge cases such as empty input, branches with multiple numeric components (e.g., 'feat-1-2-3'), or very long names. This is not a source-file-grepping defect per se, but a test-quality defect under the 'existence-only' or 'incomplete-coverage' category if the function's behavior on edge inputs is not also tested elsewhere. However, reviewing the cited lines, T33–T35 are correct behavioral assertions and should NOT be flagged as source-file-grepping. Retracting this finding.

---

Posted by dso_ci_review.runner; resolve this comment when addressed.

[gitar-bot]

CI failed: The 'check-staged-head' CI gate failed because the branch 'fix/f6b3-restage-advisory' does not follow the repository's mandatory 'staged-*' naming convention required for merging into main.

Overview

1 CI job failed due to a workflow gate violation; the PR branch name does not adhere to the required 'staged-*' naming pattern enforced for main branch integration.

Failures

Workflow Gate: 'check-staged-head' (confidence: high)

• Type: configuration
• Affected jobs: 79849670373
• Related to change: yes
• Root cause: The CI/CD pipeline requires PRs targeting 'main' to originate from a branch prefixed with 'staged-'. The current branch 'fix/f6b3-restage-advisory' violates this constraint.
• Suggested fix: Rename the branch to match the 'staged-' pattern or retarget the PR to merge into an intermediate 'staged-' branch as part of the repository's two-tier promotion workflow.

Summary

• Change-related failures: 1 (Configuration gate violation due to branch naming)
• Infrastructure/flaky failures: 0
• Recommended action: Rename the source branch to follow the 'staged-' prefix convention or adjust the PR workflow to adhere to the required two-tier promotion strategy.

Code Review ✅ Approved 2 resolved / 2 findings

Implements re-stage automation to resolve the staged-staleness livelock, addressing the silent rebase data loss and branch checkout failures. The implementation provides a forge-proof, advisory-first safety layer with manual execution gating.

✅ 2 resolved

✅ Bug: rebase -X ours silently discards conflicting feature changes

📄 plugins/dso/scripts/merge-to-main-pr.sh:1090-1092
In _restage_execute, the executor resolves the conflict with git rebase "origin/$_db" -X ours. The advisory plan (item 2) scopes this to the version-only case ("when only plugin.json's version differs"), but -X ours is applied unconditionally to ALL conflicting hunks. During a rebase, ours refers to the upstream (origin/), so any real content conflict between the feature branch and the default branch is auto-resolved by discarding the feature branch's side — silent data loss of legitimate work.

A further consequence: because -X ours auto-resolves conflicts, the rebase will not stop/fail on a content conflict, so the git rebase --abort ... ERROR: rebase ... failed (non-version conflict) — resolve manually fallback at line 1090-1092 is effectively unreachable for content conflicts. The error message is therefore misleading.

Consider only auto-resolving the known version-only path (e.g. restrict the strategy to plugin.json, or detect that the sole conflict is the version line) and let genuine content conflicts surface for manual resolution.

✅ Bug: checkout -B fails when source exists only on origin

📄 plugins/dso/scripts/merge-to-main-pr.sh:1083-1089
_restage_execute guards with a check that accepts the source branch existing either locally OR as origin/$_src (line 1084). But the subsequent git checkout -B "$_fresh" "$_src" (line 1087) references the bare local name $_src. After a PR1 merge the local source branch is commonly deleted (and only origin/$_src remains, which the guard explicitly allows). In that case the guard passes but checkout -B fails because $_src is not a resolvable ref, producing the misleading "could not create fresh branch" error and aborting the re-stage.

Fall back to the remote-tracking ref when the local branch is absent, e.g. resolve a _start ref ($_src if it verifies, else origin/$_src) and use that as the checkout start point. Also note git fetch origin "$_db" updates only the default branch's tracking ref, so origin/$_src may be stale — consider fetching the source ref too.

Tip

Comment Gitar fix CI or enable auto-apply: gitar auto-apply:on

Options

Auto-apply is off → Gitar will not commit updates to this branch.
Display: compact → Showing less information.

Comment with these commands to change:

Auto-apply	Compact
gitar auto-apply:on	gitar display:verbose

_{Was this helpful? React with 👍 / 👎 | Gitar}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

tests/scripts/test-merge-to-main-resume-inc008.sh (1)

15-15: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical: Incorrect shell options for test script.

The script uses set -uo pipefail, but test scripts under tests/scripts/ should use set -euo (with -e, without pipefail). Based on learnings, pipefail causes SIGPIPE/exit 141 issues with grep -q patterns common in test scripts (e.g., awk | grep -q), and -e is required for proper error handling.

Current:

set -uo pipefail

Should be:

set -euo

This affects test reliability: without -e, the script will not exit on command failures; with pipefail, grep patterns may produce false negatives on Linux.

Based on learnings: "In test scripts under tests/scripts/ (shell scripts), do not add pipefail to the initial set statement; use set -euo instead."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/scripts/test-merge-to-main-resume-inc008.sh` at line 15, The test
script uses the wrong shell options: locate the line containing "set -uo
pipefail" in tests/scripts/test-merge-to-main-resume-inc008.sh and replace it
with the standard test-script options "set -euo" so the script exits on errors
(-e) and omits pipefail (which causes SIGPIPE/exit 141 issues with common grep
-q patterns).

Source: Learnings

♻️ Duplicate comments (1)

plugins/dso/scripts/merge-to-main-pr.sh (1)

1091-1099: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Bug: git checkout -b will fail when source exists only on origin.

The guard at lines 1092-1094 accepts the source branch existing either locally OR as origin/$_src. However, line 1097 references the bare local name $_src for the checkout. After PR1 merges, the local source branch is commonly deleted (only origin/$_src remains). In that case the guard passes, but git checkout -b "$_fresh" "$_src" fails because $_src is not a resolvable ref.

Resolve a concrete start ref (local or remote) and use it for checkout:

git fetch origin "$_db" "$_src" --quiet 2>/dev/null || true
local _start
if git rev-parse --verify --quiet "$_src" >/dev/null; then
    _start="$_src"
elif git rev-parse --verify --quiet "origin/$_src" >/dev/null; then
    _start="origin/$_src"
else
    echo "ERROR: source branch $_src not found locally or on origin — cannot re-stage" >&2; return 1
fi
if ! git checkout -b "$_fresh" "$_start" 2>/dev/null; then
    echo "ERROR: could not create fresh branch $_fresh from $_start" >&2; return 1
fi

Note: Use -b (not -B) to preserve the no-clobber safety (line 1098).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/dso/scripts/merge-to-main-pr.sh` around lines 1091 - 1099, The
checkout fails when $_src exists only as origin/$_src because git checkout -b
"$_fresh" "$_src" requires a resolvable ref; change the logic to resolve a
concrete start ref (either "$_src" or "origin/$_src") into a variable (e.g.
_start) after the rev-parse checks and then use git checkout -b "$_fresh"
"$_start" (keeping -b to avoid clobbering); update the error messages to
reference _start so failures are clear.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@tests/scripts/test-merge-to-main-resume-inc008.sh`:
- Line 15: The test script uses the wrong shell options: locate the line
containing "set -uo pipefail" in
tests/scripts/test-merge-to-main-resume-inc008.sh and replace it with the
standard test-script options "set -euo" so the script exits on errors (-e) and
omits pipefail (which causes SIGPIPE/exit 141 issues with common grep -q
patterns).

---

Duplicate comments:
In `@plugins/dso/scripts/merge-to-main-pr.sh`:
- Around line 1091-1099: The checkout fails when $_src exists only as
origin/$_src because git checkout -b "$_fresh" "$_src" requires a resolvable
ref; change the logic to resolve a concrete start ref (either "$_src" or
"origin/$_src") into a variable (e.g. _start) after the rev-parse checks and
then use git checkout -b "$_fresh" "$_start" (keeping -b to avoid clobbering);
update the error messages to reference _start so failures are clear.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b4956a8e-8d60-47ae-bccb-0d1292bea528

📥 Commits

Reviewing files that changed from the base of the PR and between 5452cad and 7326290.

📒 Files selected for processing (2)

• plugins/dso/scripts/merge-to-main-pr.sh
• tests/scripts/test-merge-to-main-resume-inc008.sh