fix(merge_gate): retry transient Gitea merge errors + already-in-main guard

merge_pr now wraps ONLY the mutating POST /pulls/{n}/merge in a bounded
exponential-backoff retry-loop on TRANSIENT outcomes (405 "try again later",
408, any 5xx, network/timeout, and 409|422 while the PR is still mergeable);
TERMINAL outcomes (403/404/real conflict via mergeable==False) -> fast honest
False, so the ORCH-071/081 not-merged HOLD backstop is unchanged. Fixes the
ORCH-063 false HOLD + manual re-merge on Gitea's post-push mergeability hiccup.

ensure_open_pr gains an "already fully in main" guard (_branch_fully_in_main,
git merge-base --is-ancestor HEAD origin/main) BEFORE creating a PR -> new
"already-in-main" outcome avoids the garbage empty PR on a re-driven finalizer;
_handle_merge_verify skips merge_pr on that outcome and lets the authoritative
SHA-in-main check confirm -> done (not a HOLD). git error of the guard fails
OPEN to the create path.

New ORCH_MERGE_RETRY_* settings (kill-switch merge_retry_enabled -> one-shot,
max_attempts=3, backoff base=2/max=5). INV-4 (merge only via Gitea PR-merge API,
never push/force-push main), never-raise, STAGE_TRANSITIONS/QG_CHECKS/DB schema
unchanged. Docs (README merge-verify section, CLAUDE.md, CHANGELOG, .env.example)
updated in the same PR. Tests: test_merge_gate.py TC-01..12, test_config.py
TC-13, test_merge_verify.py TC-14..16; full suite green (1389).

Refs: ORCH-093

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

src/config.py

@@ -549,6 +549,31 @@ class Settings(BaseSettings):
     merge_pr_timeout_s: int = 60
     merge_verify_timeout_s: int = 60
 
+    # ORCH-093: deterministic merge-actor retry of TRANSIENT Gitea merge errors.
+    # The incident ORCH-063 had a green self-deploy + an open, mergeable PR, yet
+    # POST /pulls/{n}/merge returned HTTP 405 ("Please try again later") because
+    # Gitea was still recomputing `mergeable` right after the push — the one-shot
+    # merge_pr returned False, the ORCH-071/081 backstop HELD the task on `deploy`,
+    # and a human had to re-merge by hand. merge_pr now wraps ONLY the mutating
+    # POST in a bounded exponential-backoff retry-loop on TRANSIENT outcomes
+    # (405/408/5xx/network-timeout, and 409|422 while the PR is still mergeable);
+    # TERMINAL outcomes (403/404/real conflict) -> fast honest False (the HOLD
+    # protection is unchanged). Mirrors the ci_poll_* idiom of check_ci_green.
+    #   merge_retry_enabled        -> kill-switch; False -> exactly one POST
+    #                                 (byte-for-byte the prior one-shot behaviour,
+    #                                 env ORCH_MERGE_RETRY_ENABLED).
+    #   merge_retry_max_attempts   -> max POST attempts on a transient outcome
+    #                                 (env ORCH_MERGE_RETRY_MAX_ATTEMPTS).
+    #   merge_retry_backoff_base_s -> exponential backoff base seconds
+    #                                 (env ORCH_MERGE_RETRY_BACKOFF_BASE_S).
+    #   merge_retry_backoff_max_s  -> per-sleep backoff ceiling seconds; total sleep
+    #                                 is bounded by (N-1) * max so the monitor-thread
+    #                                 is never wedged (env ORCH_MERGE_RETRY_BACKOFF_MAX_S).
+    merge_retry_enabled: bool = True
+    merge_retry_max_attempts: int = 3
+    merge_retry_backoff_base_s: int = 2
+    merge_retry_backoff_max_s: int = 5
+
     # ORCH-026: intra-repo merge serialisation (Level A) + declarative task
     # dependencies (Level B). Level A reuses the ORCH-043/065 merge-lease window
     # (no new mechanism) — the merge-lease already serialises "merge -> main-updated"