fix(merge): wire pr_already_merged guard into deployer merge path (idempotent re-merge)

The pr_already_merged guard was defined + unit-tested but consulted by zero production code, while ADR-001 Р-3 / README / CHANGELOG claimed the merge path consults it before a repeat merge (reviewer P1, ORCH-065 attempt 2/3). The actual merge actor is the LLM deployer agent (it merges the feature PR at the start of the `deploy` stage), so on a reaper re-drive of an already-merged PR the deployer would blindly re-merge → Gitea error → false БАГ-8 rollback; AC-11 ("no second merge") was not met deterministically. Wire the guard at the real consultation point — the deployer prompt — so it runs merge_gate.pr_already_merged before any (re-)merge and no-ops when the PR is already merged. check_branch_mergeable is left untouched (AC-13: check_* behaviour unchanged; it runs on the first deploy-staging→deploy edge, not on a deploy-stage re-drive where the second-merge risk lives). - .openclaw/agents/deployer.md: idempotent pre-merge guard step + general rule. - src/merge_gate.py: docstring names the deployer-prompt consultation point. - docs/architecture/README.md, CHANGELOG.md: state the consultation point so golden-source matches implementation. - tests/test_merge_gate.py: regression test asserting the deployer prompt wires the guard (so it can't silently become dead code again). pytest tests/ -q: 743 passed. Refs: ORCH-065 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-07 15:45:24 +00:00
parent dbf14e3d5a
commit a6b444c356
5 changed files with 73 additions and 3 deletions
--- a/.openclaw/agents/deployer.md
+++ b/.openclaw/agents/deployer.md
@@ -91,6 +91,30 @@ The verdict contract is unchanged: `docs/work-items/<work_item_id>/14-deploy-log
 frontmatter field `deploy_status: SUCCESS|FAILED` (the gate `check_deploy_status` parses ONLY this).
 **What changed (ORCH-36): WHO and WHEN writes that verdict, for the self-hosting repo.**

+### ⚠️ Idempotent merge guard — consult `pr_already_merged` BEFORE merging (ORCH-065)
+
+The `deploy` stage can be **re-driven**: if a process/monitor thread died after the PR
+merged but before the job finalised, the job-reaper requeues it and this stage runs **again**
+(ADR-001 ORCH-065, Р-3). A blind second merge of an already-merged PR makes Gitea return a
+merge error → a false БАГ-8 rollback. To stay idempotent, **before you merge the feature
+branch PR into `main`, consult the deterministic guard** `merge_gate.pr_already_merged(repo, branch)`:
+
+```bash
+# Already merged?  exit 0 = yes (skip the merge), exit 1 = no (merge normally).
+python3 -c "import sys; from src.merge_gate import pr_already_merged; \
+sys.exit(0 if pr_already_merged('<repo>', '<branch>') else 1)" && MERGED=1 || MERGED=0
+```
+
+- `MERGED=1` (PR already merged) → **do NOT merge again** (no second merge, no error).
+  Treat the merge as already done and continue to write the deploy verdict
+  (`deploy_status: SUCCESS` once the deploy itself is health-ok). This is the AC-11 no-op.
+- `MERGED=0` (not merged) → merge the PR normally, then proceed.
+
+The guard is **never-raise** (any Gitea/parse error → `False` → "not known-merged", so a real
+merge is never silently skipped). This is the single consultation point ADR-001 Р-3 /
+README / CHANGELOG refer to: the **merge path (deployer/merge) consults the guard before a
+(repeat) merge**.
+
 ### Self-hosting repo (`orchestrator`) — you do NOT deploy yourself

 For `orchestrator` the `deploy` stage is orchestrated by **deterministic code** in
@@ -124,4 +148,7 @@ deploys go through `scripts/orchestrator-deploy-hook.sh` (parametrised; defaults

 - Always write machine-readable YAML frontmatter — the quality gates parse ONLY the frontmatter fields, never the body prose.
 - Never push directly to `main`. Always use a PR or the artifact merge pattern.
+- **Idempotent merge (ORCH-065):** before any (re-)merge of a feature PR into `main`, consult
+  `merge_gate.pr_already_merged(repo, branch)` (see the `deploy` stage section). Already merged
+  → no second merge, no error — the stage is a no-op on the merge and proceeds to its verdict.
 - Never modify `.env`, `.env.staging`, `docker-compose.yml`, or production infrastructure.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/docs/architecture/README.md
+++ b/docs/architecture/README.md
@@ -224,7 +224,12 @@ ORCH-065 вводит фоновый watchdog, чтобы смерть проц
 - **Идемпотентная финализация merge** — без новой merge-логики: re-drive через
  reaper→`queued`→переисполнение стадии / reconciler; дорогие шаги не повторяются
  (`branch_is_behind_main==False`); добавлен never-raise guard `pr_already_merged`
-  (читает состояние PR) — уже слит = no-op.
+  (читает состояние PR) — уже слит = no-op. **Консультируется самим merge-актором:**
+  фактический merge PR в `main` делает агент `deployer` (в начале стадии `deploy`),
+  поэтому wiring — в его промпте `.openclaw/agents/deployer.md`, который вызывает
+  `pr_already_merged` ПЕРЕД любым (повторным) merge (AC-11). Чек `check_branch_mergeable`
+  НЕ меняется (AC-13): он на ПЕРВОМ ребре `deploy-staging → deploy`, а риск второго
+  merge — на re-drive самой стадии `deploy`.
 - **Схема БД:** единственное изменение — `jobs.pid INTEGER` через идемпотентный
  `_ensure_column` (live-safe). `STAGE_TRANSITIONS`, `QG_CHECKS`, `check_*`, БАГ-8,
  exit-коды хука, файл-схема lease — без изменений.
@@ -295,4 +300,4 @@ ORCH-065 вводит фоновый watchdog, чтобы смерть проц
 Схема БД, потоки данных, resilience-слой, детали Dockerfile — [internals.md](internals.md).

 ---
-*Актуально на 2026-06-07. Обновлять при изменении src/stages.py, src/qg/checks.py, src/main.py. Статусы доработок: ORCH-036 (исполняемый самодеплой `deploy`, adr-0007) — реализовано; ORCH-043 (merge-gate, adr-0006) — design, ветка feature/ORCH-043; ORCH-053 (reconciler, adr-0007, src/reconciler.py) — реализовано; ORCH-060 (F-1 skip escalated/Blocked/Needs-Input, `docs/work-items/ORCH-060/06-adr/ADR-001`) — реализовано в ветке feature/ORCH-060 (Guard 1 `developer_retry_count>=MAX_DEVELOPER_RETRIES` + Guard 2 `plane_sync.fetch_issue_state` Blocked/Needs-Input, флаг `ORCH_RECONCILE_SKIP_BLOCKED_ENABLED`); ORCH-058 (провенанс staging-образа: check_staging_image_fresh + staging_check свежего образа + хук-guard, adr-0008) — реализовано в ветке feature/ORCH-058 (обновлять также при изменении src/image_freshness.py, scripts/orchestrator-deploy-hook.sh, Dockerfile); ORCH-061 (толерантность staging-вердикта к инфра-FAIL C9a/C9b, adr-0009, `docs/work-items/ORCH-061/06-adr/ADR-001`) — реализовано в ветке feature/ORCH-061 (обновлять также при изменении src/staging_verdict.py, scripts/staging_check.py, флаг staging_infra_tolerance_enabled); ORCH-021 (post-deploy наблюдение прода + реакция на деградацию, adr-0010, `docs/work-items/ORCH-021/06-adr/ADR-001`) — реализовано в ветке feature/ORCH-021-post-deploy-rollback (reserved-agent job `post-deploy-monitor`: арм в src/stage_engine.py блок `next_stage == "done"`, тик `run_post_deploy_monitor` + перехват в src/agents/launcher.py ДО _spawn; чистая логика src/post_deploy.py never-raise; флаги `post_deploy_*` в src/config.py; блок `post_deploy` в `/queue`; артефакт 16-post-deploy-log.md; self-hosting всегда ALERT_ONLY — тик не рестартит прод; обновлять также при изменении src/post_deploy.py / арм-блока / launcher-перехвата); ORCH-065 (job-reaper + проактивный реклейм merge-lease + идемпотентная финализация merge, adr-0011, `docs/work-items/ORCH-065/06-adr/ADR-001`) — реализовано в ветке feature/ORCH-065 (новый daemon-поток src/job_reaper.py + старт/стоп в src/main.py lifespan; колонка `jobs.pid` через _ensure_column + проставление в src/agents/launcher.py `_spawn`; функции реклейма lease `pid_alive`/`reclaim_stale_lease` + guard `pr_already_merged` в src/merge_gate.py; флаги `reaper_*`/`lease_reclaim_*` в src/config.py; блок `reaper` в `/queue`; обновлять также при изменении этих мест).*
+*Актуально на 2026-06-07. Обновлять при изменении src/stages.py, src/qg/checks.py, src/main.py. Статусы доработок: ORCH-036 (исполняемый самодеплой `deploy`, adr-0007) — реализовано; ORCH-043 (merge-gate, adr-0006) — design, ветка feature/ORCH-043; ORCH-053 (reconciler, adr-0007, src/reconciler.py) — реализовано; ORCH-060 (F-1 skip escalated/Blocked/Needs-Input, `docs/work-items/ORCH-060/06-adr/ADR-001`) — реализовано в ветке feature/ORCH-060 (Guard 1 `developer_retry_count>=MAX_DEVELOPER_RETRIES` + Guard 2 `plane_sync.fetch_issue_state` Blocked/Needs-Input, флаг `ORCH_RECONCILE_SKIP_BLOCKED_ENABLED`); ORCH-058 (провенанс staging-образа: check_staging_image_fresh + staging_check свежего образа + хук-guard, adr-0008) — реализовано в ветке feature/ORCH-058 (обновлять также при изменении src/image_freshness.py, scripts/orchestrator-deploy-hook.sh, Dockerfile); ORCH-061 (толерантность staging-вердикта к инфра-FAIL C9a/C9b, adr-0009, `docs/work-items/ORCH-061/06-adr/ADR-001`) — реализовано в ветке feature/ORCH-061 (обновлять также при изменении src/staging_verdict.py, scripts/staging_check.py, флаг staging_infra_tolerance_enabled); ORCH-021 (post-deploy наблюдение прода + реакция на деградацию, adr-0010, `docs/work-items/ORCH-021/06-adr/ADR-001`) — реализовано в ветке feature/ORCH-021-post-deploy-rollback (reserved-agent job `post-deploy-monitor`: арм в src/stage_engine.py блок `next_stage == "done"`, тик `run_post_deploy_monitor` + перехват в src/agents/launcher.py ДО _spawn; чистая логика src/post_deploy.py never-raise; флаги `post_deploy_*` в src/config.py; блок `post_deploy` в `/queue`; артефакт 16-post-deploy-log.md; self-hosting всегда ALERT_ONLY — тик не рестартит прод; обновлять также при изменении src/post_deploy.py / арм-блока / launcher-перехвата); ORCH-065 (job-reaper + проактивный реклейм merge-lease + идемпотентная финализация merge, adr-0011, `docs/work-items/ORCH-065/06-adr/ADR-001`) — реализовано в ветке feature/ORCH-065 (новый daemon-поток src/job_reaper.py + старт/стоп в src/main.py lifespan; колонка `jobs.pid` через _ensure_column + проставление в src/agents/launcher.py `_spawn`; функции реклейма lease `pid_alive`/`reclaim_stale_lease` + guard `pr_already_merged` в src/merge_gate.py (консультируется merge-актором — промпт `.openclaw/agents/deployer.md`); флаги `reaper_*`/`lease_reclaim_*` в src/config.py; блок `reaper` в `/queue`; обновлять также при изменении этих мест).*
--- a/src/merge_gate.py
+++ b/src/merge_gate.py
@@ -453,6 +453,15 @@ def pr_already_merged(repo: str, branch: str) -> bool:
    merge-related helper and it does NOT merge — it only READS the PR state via
    the existing Gitea client, so it does not introduce duplicate merge logic.

+    Consultation point: the actual merge actor is the **deployer agent** (it merges
+    the feature PR at the start of the ``deploy`` stage — see webhooks/gitea.py),
+    so the wiring lives in the deployer prompt (``.openclaw/agents/deployer.md``),
+    which runs this exact function before any (re-)merge. The merge-gate quality
+    check (``qg.checks.check_branch_mergeable``) is intentionally NOT modified
+    (ORCH-065 AC-13: ``check_*`` behaviour unchanged) — it runs on the FIRST
+    deploy-staging -> deploy edge and does not re-run on a ``deploy``-stage re-drive,
+    which is exactly where the second-merge risk lives.
+
    Queries Gitea ``GET /repos/{owner}/{repo}/pulls?state=all&head=<branch>`` and
    reports True when any matching PR has ``merged == True``. Never raises (AC-9):
    any HTTP/parse error -> ``False`` (conservative: "not known-merged" lets the
--- a/tests/test_merge_gate.py
+++ b/tests/test_merge_gate.py
@@ -353,3 +353,32 @@ def test_tc16_pr_non_200_false(monkeypatch):
        httpx, "get", lambda *a, **k: _FakeResp(500, None),
    )
    assert merge_gate.pr_already_merged("orchestrator", "feature/x") is False
+
+
+# ---------------------------------------------------------------------------
+# ORCH-065 / TC-16 (wiring): the merge path consults the guard.
+#
+# pr_already_merged is consulted by the actual merge actor — the deployer agent
+# (webhooks/gitea.py: "the deployer merges the PR at the START of its run"). The
+# `deploy` stage can be re-driven by the job-reaper, so the deployer prompt MUST
+# instruct an idempotent pre-merge consult of pr_already_merged (ADR-001 Р-3 /
+# README / CHANGELOG). This test fails if that wiring regresses, so the guard can
+# never silently become dead code again while the docs claim it is consulted.
+# ---------------------------------------------------------------------------
+def test_tc16_deployer_prompt_consults_guard():
+    """The deployer prompt (merge path) wires the idempotent merge guard."""
+    repo_root = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+    prompt_path = os.path.join(repo_root, ".openclaw", "agents", "deployer.md")
+    with open(prompt_path, "r", encoding="utf-8") as f:
+        prompt = f.read()
+
+    # The guard function is named and the prompt instructs consulting it BEFORE merge.
+    assert "pr_already_merged" in prompt, "deployer prompt must name the guard"
+    lowered = prompt.lower()
+    assert "before" in lowered and "merge" in lowered, (
+        "deployer prompt must instruct consulting the guard BEFORE merging"
+    )
+    # The idempotent no-op contract (already merged -> no second merge) is documented.
+    assert "no second merge" in lowered, (
+        "deployer prompt must document the already-merged no-op (AC-11)"
+    )