staged: worktree-20260606-211401 -> staged-e90a943c6116-1780846417

[joeoakhart]

Staged promotion (PR-C two-PR flow)

This is the first PR of a two-PR session→main promotion. The worktree branch worktree-20260606-211401 is being merged into the staged ref staged-e90a943c6116-1780846417, which was created from origin/main HEAD.

The sub-PR ruleset's required_workflows rule requires review-sub-pr to run successfully on this PR before merge. Once this PR merges, the merge-to-main script will open PR2 from staged-e90a943c6116-1780846417 → main.

🤖 Generated by merge-to-main-pr.sh

---

Summary by Gitar

• Ruleset & Workflow Hardening (story 830c):
  • Updated check-ruleset-preflight.sh to enforce review-gate and required_linear_history on the main ruleset.
  • Updated create-sprint-draft-pr.sh to provide a descriptive, long-lived umbrella lifecycle body.
  • Refined merge-to-main-pr.sh to generate descriptive PR1 titles based on commit subjects rather than generic branch arrows.
• Documentation & Testing:
  • Updated ADR-0020, WORKFLOW-STABILITY-CHECKS.md, and CI-INTEGRATION.md to document the completed 3ee4 enforce-flip and rebase-not-merge cutover.
  • Added regression coverage in test-merge-to-main-pr.sh for descriptive PR1 titles and in test-check-ruleset-preflight.sh for main ruleset enforcement assertions.
• Maintenance:
  • Bumped plugins/dso/.claude-plugin/plugin.json to version 1.17.144.

_{This will update automatically on new commits.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

🗂️ Base branches to auto review (1)

• main

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6f8a598b-1963-4c0e-8e5c-7386cc19b9a9

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch worktree-20260606-211401

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

DSO-Review-Cycle: 1 pr_number=700 commit_sha=da931e4bc3fa7cad47c52cf4f87626eb6d1e4b3f findings_hash=3b2b9d6fb39258e1 tuples=[[".github/workflows/review-gate.yml", "", "design"], ["plugins/dso/scripts/lib/review-coverage-lib.sh", "", "correctness"], ["tests/scripts/test-rc-a3b-should-exclude.sh", "", "verification"], ["tests/scripts/test-review-coverage-invariant.sh", "", "verification"], ["tests/scripts/test-review-coverage-invariant.sh", "", "verification"]]

[github-actions]

DSO llm-review — finding 1/5

[critical] plugins/dso/scripts/lib/review-coverage-lib.sh:267 (correctness)

FATAL AWK LOGIC ERROR in rc_a3b_should_exclude (line 267). The awk expression `NF==1{print NF-1}` is incorrect. When git rev-list outputs a normal 1-parent commit as 'SHA parent1', that is 2 fields (NF=2), so the condition NF==1 NEVER MATCHES. The output is empty, _pc defaults to empty, and the subsequent check `[[ "$_pc" == "1" ]]` fails, causing return 0 (EXCLUDE) for every 1-parent commit. This inverts the intended semantics: 1-parent rebase/squash tips (which should be KEPT per the spec at line 259) are always EXCLUDED. Correct awk is: `_pc="$(git rev-list --parents -n1 "$_sha" 2>/dev/null | awk '{print NF-1}')"` (no conditional; unconditional NF-1 computes parent count). With this bug, every rebase-merged PR's merge_commit_sha points to a 1-parent tip that is incorrectly excluded, marking it UNREVIEWED and blocking merge in enforce mode. The diff activates enforce mode and makes review-gate required, so this bug will wedge EVERY staged→main promotion.

---

Posted by dso_ci_review.runner; resolve this comment when addressed.

[github-actions]

DSO llm-review — finding 2/5

[important] plugins/dso/scripts/lib/review-coverage-lib.sh:254 plugins/dso/scripts/lib/review-coverage-lib.sh:259 (verification)

INCOMPLETE TEST COVERAGE FOR PARALLEL CODE PATHS. The diff modifies rc_sha_is_reviewed (review-coverage-lib.sh) AND verify-session-provenance.sh G3 routine to both call the shared rc_a3b_should_exclude function (lines 254-259 explicitly warn this is a DIVERGENCE-PROOF requiring single-sourcing). New tests T14/T15 in test-review-coverage-invariant.sh exercise rc_sha_is_reviewed's A3b path. However, verify-session-provenance.sh's G3 routine (which also calls rc_a3b_should_exclude at the new code ~line 640 in the diff) has NO new or existing test coverage. The G3 path is exercised only implicitly through integration tests of verify-session-provenance.sh, not through targeted unit or integration tests that would catch deviations. Since the A3b guard is explicitly documented as a SHARED decision that cannot diverge, leaving one of the two callsites without dedicated test coverage creates a maintenance hazard: a future modification to the G3 path could diverge from rc_sha_is_reviewed without detection.

---

Posted by dso_ci_review.runner; resolve this comment when addressed.

[github-actions]

DSO llm-review — finding 3/5

[important] tests/scripts/test-rc-a3b-should-exclude.sh:50 tests/scripts/test-rc-a3b-should-exclude.sh:53 (verification)

TEST FILE FUNCTION-AVAILABILITY GAP. test-rc-a3b-should-exclude.sh (line 50) sources review-coverage-lib.sh but does not validate that rc_a3b_should_exclude was successfully defined before invoking it. The test has `set -uo pipefail` but NOT `set -e`, so if the function definition fails to source (e.g., syntax error, parse failure in review-coverage-lib.sh), the _verdict helper (line 53) will silently invoke a non-existent function. In bash without `set -e`, a command not found returns 0 in a subshell, so `_verdict "$ONE" 1` would echo 0, and assertions like `_assert "self-merge match + 1-parent tip -> keep" "$(_verdict ...)" 1` would compare 0 vs 1 and fail—but the root cause (function not sourced) would be masked. If the awk error in review-coverage-lib.sh breaks the function definition, this test could silently pass or fail for the wrong reason.

---

Posted by dso_ci_review.runner; resolve this comment when addressed.

[github-actions]

DSO llm-review — finding 4/5

[important] tests/scripts/test-review-coverage-invariant.sh:269 (verification)

DANGLING REFERENCE IN NEW TEST FIXTURE. test-review-coverage-invariant.sh T14 fixture (lines 268-269) sets up a covering merged PR #50 with merge_commit_sha == the rebase tip, and a covering check 'cov50'. However, the test does not verify that _checks function actually creates valid check-run output for 'cov50'. The test assumes _checks success > "$md/checks_cov50" will create a file that rc_sha_is_reviewed can parse. If the file is missing or malformed, the test assertion at line 272 (`grep -q 'every SHA proven reviewed'`) may pass or fail for reasons unrelated to the A3b narrowing. The test file should include inline validation of fixture structure before running _run.

---

Posted by dso_ci_review.runner; resolve this comment when addressed.

[github-actions]

DSO llm-review — finding 5/5

[important] .github/workflows/review-gate.yml:13 .github/workflows/review-gate.yml:82 (design)

ARCHITECTURAL READINESS CONCERN: Enforce mode activation without pre-deployment validation. The diff flips DSO_REVIEW_GATE_MODE to 'enforce' (.github/workflows/review-gate.yml line 82) and makes review-gate a required check (.github/required-checks.txt line 29). This enables fail-closed blocking of all staged→main merges. However, the critical awk bug in rc_a3b_should_exclude means every rebase-merged PR will be incorrectly marked UNREVIEWED and blocked. The diff's own tests (T14/T15) are designed to verify that rebase tips are KEPT under the narrowed A3b (they should pass the covering-PR filter). If those tests are run pre-merge, they WILL FAIL due to the awk bug, serving as a canary. However, if the tests are not run or if the awk error is not caught before merge, enforce mode will activate with a broken implementation, wedging all promotions. The diff should include a pre-activation checklist or canary test that explicitly validates rc_a3b_should_exclude behavior before flipping the mode.

---

Posted by dso_ci_review.runner; resolve this comment when addressed.

[gitar-bot]

⚠️ Bug: A3b helper ignores GIT_REPO_PATH; runs git in cwd

rc_a3b_should_exclude (review-coverage-lib.sh:262-268) determines the parent count with a bare git rev-list --parents -n1 "$_sha", which operates on the current working directory rather than a passed repo path. In verify-session-provenance.sh every other local git operation is scoped with git -C "$GIT_REPO_PATH", and the two sibling cwd-dependent lib helpers (rc_diff_is_tickets_only, rc_diff_is_empty_net) are deliberately invoked inside a ( cd "$GIT_REPO_PATH" 2>/dev/null && ... ) subshell precisely because they use bare git. The new A3b call at verify-session-provenance.sh:637 is NOT wrapped that way.

When DSO_REPO_PATH is set to a path other than the process cwd (a supported override, default .), git rev-list will not find $sha, producing an empty parent count. The function then takes the fail-closed branch and EXCLUDEs the covering PR, marking a legitimate 1-parent rebase/squash tip as UNREVIEWED — reintroducing the exact promotion-wedge regression that bug 374f set out to fix. In CI today cwd happens to equal the repo, so it works, but this is a latent inconsistency with the established pattern.

Fix: pass the repo path through and run git with -C, or wrap the call in the same ( cd "$GIT_REPO_PATH" && ... ) subshell used for the other shared helpers.

Invoke the shared A3b helper with cwd == GIT_REPO_PATH, matching the existing pattern used for rc_diff_is_tickets_only / rc_diff_is_empty_net so the bare git rev-list resolves the SHA in the correct repository.:

if ( cd "$GIT_REPO_PATH" 2>/dev/null && rc_a3b_should_exclude "$sha" "${_cov_mcs_match:-0}" ); then
    continue
fi

• Apply fix

_{Check the box to apply the fix or reply for a change | Was this helpful? React with 👍 / 👎}

[JoeOakhartNava]

FP_RECOVERY: pr_number=700 manual_reviewer_hash=eaced51157e67e3e7212bc68b5d90001df73b18cf2d52deeba941d0458bc8388 fp_rationale=review-sub-pr finding-1 [critical] misread awk 'NR==1{print NF-1}' as NF==1 (refuted: 1-parent commit -> NF=2 -> parent_count=1, unit test green); findings 2-5 [important] were test-robustness nitpicks. Neutral opus dso:code-reviewer-standard re-review (no priming) returned 0cr/0imp/0fragile (18 calls, 137s). Also cleared by a 4-lens panel + convergence (epic 588e protocol). All other required checks green.

[gitar-bot]

CI failed: The CI pipeline failed because the automated LLM-based reviewer identified 1 critical and 4 important code quality findings in the PR.

Overview

The build failed during the llm-review stage. The automated reviewer flagged several blocking issues that prevent the PR from passing the review gate, indicating that the changes introduced do not meet the project's quality or security standards.

Failures

LLM Review Blocked (confidence: high)

• Type: test
• Affected jobs: 79971536701
• Related to change: yes
• Root cause: The PR introduced code (likely related to merge-pipeline checks or coverage logic) that triggered blocking violations detected by the LLM-based code review tool.
• Suggested fix: Review the specific comments left by the automated reviewer on the PR or examine the findings.json artifact to address the 1 critical and 4 important issues identified. Focus on the changes made to the review gate configuration and coverage scripts.

Summary

• Change-related failures: 1 (LLM review blocking findings).
• Infrastructure/flaky failures: 0.
• Recommended action: Address the feedback provided by the automated reviewer in the PR comments and commit the necessary fixes to resolve the reported code quality violations.

Code Review ⚠️ Changes requested 0 resolved / 1 findings

Implements two-tier UX fixes, workflow hardening, and version bumps, but the A3b helper incorrectly executes Git commands in the current working directory instead of using GIT_REPO_PATH.

⚠️ Bug: A3b helper ignores GIT_REPO_PATH; runs git in cwd

📄 plugins/dso/scripts/verify-session-provenance.sh:631-639 📄 plugins/dso/scripts/lib/review-coverage-lib.sh:262-268

rc_a3b_should_exclude (review-coverage-lib.sh:262-268) determines the parent count with a bare git rev-list --parents -n1 "$_sha", which operates on the current working directory rather than a passed repo path. In verify-session-provenance.sh every other local git operation is scoped with git -C "$GIT_REPO_PATH", and the two sibling cwd-dependent lib helpers (rc_diff_is_tickets_only, rc_diff_is_empty_net) are deliberately invoked inside a ( cd "$GIT_REPO_PATH" 2>/dev/null && ... ) subshell precisely because they use bare git. The new A3b call at verify-session-provenance.sh:637 is NOT wrapped that way.

When DSO_REPO_PATH is set to a path other than the process cwd (a supported override, default .), git rev-list will not find $sha, producing an empty parent count. The function then takes the fail-closed branch and EXCLUDEs the covering PR, marking a legitimate 1-parent rebase/squash tip as UNREVIEWED — reintroducing the exact promotion-wedge regression that bug 374f set out to fix. In CI today cwd happens to equal the repo, so it works, but this is a latent inconsistency with the established pattern.

Fix: pass the repo path through and run git with -C, or wrap the call in the same ( cd "$GIT_REPO_PATH" && ... ) subshell used for the other shared helpers.

Invoke the shared A3b helper with cwd == GIT_REPO_PATH, matching the existing pattern used for rc_diff_is_tickets_only / rc_diff_is_empty_net so the bare `git rev-list` resolves the SHA in the correct repository.

if ( cd "$GIT_REPO_PATH" 2>/dev/null && rc_a3b_should_exclude "$sha" "${_cov_mcs_match:-0}" ); then
    continue
fi

🤖 Prompt for agents

Code Review: Implements two-tier UX fixes, workflow hardening, and version bumps, but the A3b helper incorrectly executes Git commands in the current working directory instead of using GIT_REPO_PATH.

1. ⚠️ Bug: A3b helper ignores GIT_REPO_PATH; runs git in cwd
   Files: plugins/dso/scripts/verify-session-provenance.sh:631-639, plugins/dso/scripts/lib/review-coverage-lib.sh:262-268

   `rc_a3b_should_exclude` (review-coverage-lib.sh:262-268) determines the parent count with a bare `git rev-list --parents -n1 "$_sha"`, which operates on the current working directory rather than a passed repo path. In verify-session-provenance.sh every other local git operation is scoped with `git -C "$GIT_REPO_PATH"`, and the two sibling cwd-dependent lib helpers (`rc_diff_is_tickets_only`, `rc_diff_is_empty_net`) are deliberately invoked inside a `( cd "$GIT_REPO_PATH" 2>/dev/null && ... )` subshell precisely because they use bare `git`. The new A3b call at verify-session-provenance.sh:637 is NOT wrapped that way.
   
   When `DSO_REPO_PATH` is set to a path other than the process cwd (a supported override, default `.`), `git rev-list` will not find `$sha`, producing an empty parent count. The function then takes the fail-closed branch and EXCLUDEs the covering PR, marking a legitimate 1-parent rebase/squash tip as UNREVIEWED — reintroducing the exact promotion-wedge regression that bug 374f set out to fix. In CI today cwd happens to equal the repo, so it works, but this is a latent inconsistency with the established pattern.
   
   Fix: pass the repo path through and run git with `-C`, or wrap the call in the same `( cd "$GIT_REPO_PATH" && ... )` subshell used for the other shared helpers.

   Fix (Invoke the shared A3b helper with cwd == GIT_REPO_PATH, matching the existing pattern used for rc_diff_is_tickets_only / rc_diff_is_empty_net so the bare `git rev-list` resolves the SHA in the correct repository.):
   if ( cd "$GIT_REPO_PATH" 2>/dev/null && rc_a3b_should_exclude "$sha" "${_cov_mcs_match:-0}" ); then
       continue
   fi

Tip

Comment Gitar fix CI or enable auto-apply: gitar auto-apply:on

Options

Auto-apply is off → Gitar will not commit updates to this branch.
Display: compact → Showing less information.

Comment with these commands to change:

Auto-apply	Compact
gitar auto-apply:on	gitar display:verbose

_{Was this helpful? React with 👍 / 👎 | Gitar}