4 changed files with 185 additions and 659 deletions
--- a/deploy/setup-infra-mirror.sh
+++ b/deploy/setup-infra-mirror.sh
@ -1,120 +0,0 @@
 #!/bin/bash
 # One-time setup: prepare the bare mirror repo for teleo-infrastructure.
 #
 # Prerequisites (must happen BEFORE running this):
 #   1. GitHub repo `living-ip/teleo-infrastructure` created (manual via web or
 #      `gh repo create` — the deploy PAT is fine-grained to teleo-codex only
 #      and cannot create new repos in the org).
 #   2. GitHub PAT updated to include push access on the new repo (or rotate
 #      to a classic PAT with `repo` scope covering both).
 #
 # This script is idempotent — safe to re-run.
 set -euo pipefail
 MIRROR_BASE="/opt/teleo-eval/mirror"
 REPO_DIR="$MIRROR_BASE/teleo-infrastructure.git"
 FORGEJO_URL="http://localhost:3000/teleo/teleo-infrastructure.git"
 GITHUB_REPO="living-ip/teleo-infrastructure"
 FORGEJO_TOKEN_FILE="/opt/teleo-eval/secrets/forgejo-admin-token"
 GITHUB_PAT_FILE="/opt/teleo-eval/secrets/github-pat"
 if [ ! -f "$FORGEJO_TOKEN_FILE" ]; then
    echo "ERROR: missing $FORGEJO_TOKEN_FILE" >&2
    exit 1
 fi
 if [ ! -f "$GITHUB_PAT_FILE" ]; then
    echo "ERROR: missing $GITHUB_PAT_FILE" >&2
    exit 1
 fi
 FORGEJO_TOKEN=$(cat "$FORGEJO_TOKEN_FILE" | tr -d '[:space:]')
 GITHUB_PAT=$(cat "$GITHUB_PAT_FILE" | tr -d '[:space:]')
 # Sanity check: GitHub repo must exist before we point a remote at it.
 echo "Verifying GitHub repo $GITHUB_REPO exists..."
 GH_STATUS=$(curl -sS -o /dev/null -w "%{http_code}" \
    -H "Authorization: Bearer $GITHUB_PAT" \
    "https://api.github.com/repos/$GITHUB_REPO")
 if [ "$GH_STATUS" != "200" ]; then
    echo "ERROR: GitHub repo $GITHUB_REPO not accessible (HTTP $GH_STATUS)" >&2
    echo "Create it first: gh repo create $GITHUB_REPO --public --description 'Pipeline + diagnostics infra for the LivingIP collective'" >&2
    exit 2
 fi
 echo "  OK — $GITHUB_REPO accessible"
 # Sanity check: Forgejo repo must exist.
 echo "Verifying Forgejo repo teleo/teleo-infrastructure exists..."
 FG_STATUS=$(curl -sS -o /dev/null -w "%{http_code}" \
    -H "Authorization: token $FORGEJO_TOKEN" \
    "http://localhost:3000/api/v1/repos/teleo/teleo-infrastructure")
 if [ "$FG_STATUS" != "200" ]; then
    echo "ERROR: Forgejo repo teleo/teleo-infrastructure not accessible (HTTP $FG_STATUS)" >&2
    exit 3
 fi
 echo "  OK — Forgejo repo accessible"
 # Init bare mirror if missing
 if [ -d "$REPO_DIR" ]; then
    echo "Bare repo already exists at $REPO_DIR — skipping init"
 else
    echo "Creating bare repo at $REPO_DIR..."
    mkdir -p "$REPO_DIR"
    cd "$REPO_DIR"
    git init --bare >/dev/null
    chown -R teleo:teleo "$REPO_DIR"
    echo "  OK — bare repo initialized"
 fi
 cd "$REPO_DIR"
 # Configure remotes (idempotent: set-url succeeds whether remote exists or not)
 # Forgejo remote (origin convention is reversed in this codebase: origin=GitHub,
 # forgejo=Forgejo, matching the existing teleo-codex.git layout).
 FORGEJO_REMOTE_URL="http://github-mirror:${FORGEJO_TOKEN}@localhost:3000/teleo/teleo-infrastructure.git"
 # NOTE: "m3taversal" is a placeholder username — for fine-grained PATs the
 # username field is decorative; the token does the auth. Matches the existing
 # teleo-codex.git remote for consistency. (Ganymede review nit #4.)
 GITHUB_REMOTE_URL="https://m3taversal:${GITHUB_PAT}@github.com/${GITHUB_REPO}.git"
 if git remote get-url forgejo >/dev/null 2>&1; then
    git remote set-url forgejo "$FORGEJO_REMOTE_URL"
    echo "  Updated forgejo remote URL"
 else
    git remote add forgejo "$FORGEJO_REMOTE_URL"
    echo "  Added forgejo remote"
 fi
 if git remote get-url origin >/dev/null 2>&1; then
    git remote set-url origin "$GITHUB_REMOTE_URL"
    echo "  Updated origin remote URL"
 else
    git remote add origin "$GITHUB_REMOTE_URL"
    echo "  Added origin remote"
 fi
 # Initial fetch from Forgejo
 echo "Fetching from Forgejo..."
 git fetch forgejo --prune 2>&1 | sed 's/^/  /'
 # Initial push to GitHub (will populate the empty repo)
 # main_only mode: push ONLY refs/heads/main + tags, mirroring what sync-mirror.sh
 # does for this repo on the recurring path. Agent review branches stay Forgejo-only.
 echo "Pushing initial main + tags to GitHub..."
 git update-ref refs/heads/main refs/remotes/forgejo/main 2>/dev/null || {
    echo "ERROR: forgejo/main ref missing — fetch may have failed" >&2
    exit 1
 }
 git push origin "refs/heads/main:refs/heads/main" 2>&1 | sed 's/^/  /' || {
    echo "WARN: initial push failed — you may need to authorize the PAT for $GITHUB_REPO" >&2
 }
 git push origin --tags 2>&1 | sed 's/^/  /' || true
 # Final permissions sweep
 chown -R teleo:teleo "$REPO_DIR"
 echo
 echo "Setup complete. Verify with:"
 echo "  ssh teleo@77.42.65.182 ls -la $REPO_DIR/refs/heads"
 echo "  /opt/teleo-eval/sync-mirror.sh && tail -50 /opt/teleo-eval/logs/sync.log"
--- a/deploy/sync-mirror.sh
+++ b/deploy/sync-mirror.sh
@ -2,35 +2,22 @@
 # Bidirectional sync: Forgejo (authoritative) <-> GitHub (public mirror)
 # Forgejo wins on conflict. Runs every 2 minutes via cron.
 #
 # Repos handled (see MIRROR_REPOS below):
 #   - teleo-codex (mode=bidirectional): full PR roundtrip — fork PR refs from
 #     GitHub, auto-create Forgejo PR mirrors, link github_pr in pipeline.db.
 #   - teleo-infrastructure (mode=main_only): one-way sync of branches+tags from
 #     Forgejo to GitHub. No PR roundtrip — pipeline doesn't process infra PRs;
 #     external infra PRs land on GitHub for visibility, get reviewed manually.
 #
 # Security note: GitHub->Forgejo path is for external contributor convenience.
 # Never auto-process branches arriving via this path without a PR.
 # Eval pipeline and extract cron only act on PRs, not raw branches.
 set -euo pipefail
 REPO_DIR="/opt/teleo-eval/mirror/teleo-codex.git"
 LOG="/opt/teleo-eval/logs/sync.log"
 LOCKFILE="/tmp/sync-mirror.lock"
 PIPELINE_DB="/opt/teleo-eval/pipeline/pipeline.db"
 GITHUB_PAT_FILE="/opt/teleo-eval/secrets/github-pat"
 GITHUB_REPO="living-ip/teleo-codex"
-# (forgejo_owner_repo, github_owner_repo, bare_path, mode)
+log() { echo "[$(date -Iseconds)] $1" >> "$LOG"; }
 # mode: bidirectional | main_only
 MIRROR_REPOS=(
    "teleo/teleo-codex          living-ip/teleo-codex          /opt/teleo-eval/mirror/teleo-codex.git          bidirectional"
    "teleo/teleo-infrastructure living-ip/teleo-infrastructure /opt/teleo-eval/mirror/teleo-infrastructure.git main_only"
 )
-REPO_TAG="main"
+# Lockfile — prevent concurrent runs
 log() { echo "[$(date -Iseconds)] [$REPO_TAG] $1" >> "$LOG"; }
 # Lockfile — prevent concurrent runs (single lock for whole script)
 if [ -f "$LOCKFILE" ]; then
    pid=$(cat "$LOCKFILE" 2>/dev/null)
    if kill -0 "$pid" 2>/dev/null; then
@ -41,58 +28,38 @@ fi
 echo $$ > "$LOCKFILE"
 trap 'rm -f "$LOCKFILE"' EXIT
-
+# Pre-flight: fix permissions if another user touched the mirror dir (Rhea)
-# ─────────────────────────────────────────────────────────────────────────────
+BAD_PERMS=$(find "$REPO_DIR" ! -user teleo 2>/dev/null | head -1 || true)
-# sync_repo: process one mirror entry. Sets module-level FORGEJO_REPO,
+if [ -n "$BAD_PERMS" ]; then
 # GITHUB_REPO, REPO_DIR, MODE, REPO_TAG used by inner steps.
 # ─────────────────────────────────────────────────────────────────────────────
 sync_repo() {
    FORGEJO_REPO="$1"   # e.g. teleo/teleo-codex (path on Forgejo)
    GITHUB_REPO="$2"    # e.g. living-ip/teleo-codex (path on GitHub)
    REPO_DIR="$3"       # bare mirror dir
    MODE="$4"           # bidirectional | main_only
    REPO_TAG="${FORGEJO_REPO##*/}"  # short name for log prefix
    # Pre-flight: bare repo must exist
    if [ ! -d "$REPO_DIR" ]; then
        log "ERROR: bare repo missing at $REPO_DIR — skipping"
        return 0
    fi
    # Pre-flight: fix permissions if another user touched the mirror dir (Rhea)
    BAD_PERMS=$(find "$REPO_DIR" ! -user teleo 2>/dev/null | head -1 || true)
    if [ -n "$BAD_PERMS" ]; then
    log "Fixing mirror permissions (found: $BAD_PERMS)"
-        chown -R teleo:teleo "$REPO_DIR" 2>/dev/null || true
+    chown -R teleo:teleo "$REPO_DIR" 2>/dev/null
-    fi
+fi
-    cd "$REPO_DIR" || { log "ERROR: cannot cd to $REPO_DIR"; return 0; }
+cd "$REPO_DIR" || { log "ERROR: cannot cd to $REPO_DIR"; exit 1; }
-    # Step 1: Fetch from Forgejo (must succeed — it's authoritative)
+# Step 1: Fetch from Forgejo (must succeed — it's authoritative)
-    log "Fetching from Forgejo..."
+log "Fetching from Forgejo..."
-    if ! git fetch forgejo --prune >> "$LOG" 2>&1; then
+if ! git fetch forgejo --prune >> "$LOG" 2>&1; then
-        log "ERROR: Forgejo fetch failed — skipping this repo"
+    log "ERROR: Forgejo fetch failed — aborting"
-        return 0
+    exit 1
-    fi
+fi
-    # Step 2: Fetch from GitHub (warn on failure, don't abort)
+# Step 2: Fetch from GitHub (warn on failure, don't abort)
-    log "Fetching from GitHub..."
+log "Fetching from GitHub..."
-    git fetch origin --prune >> "$LOG" 2>&1 || log "WARN: GitHub fetch failed"
+git fetch origin --prune >> "$LOG" 2>&1 || log "WARN: GitHub fetch failed"
-    # Step 2.1: Fetch GitHub fork PR refs (bidirectional only)
+# Step 2.1: Fetch GitHub fork PR refs
-    # Fork-based PRs don't create branches on origin — they create refs/pull/N/head.
+# Fork-based PRs don't create branches on origin — they create refs/pull/N/head
-    # main_only repos don't accept fork PRs through the mirror path.
+# Fetch these so we can push them to Forgejo for evaluation
-    if [ "$MODE" = "bidirectional" ]; then
+GITHUB_PAT_STEP2=$(cat "$GITHUB_PAT_FILE" 2>/dev/null | tr -d '[:space:]')
-        local PAT
+if [ -n "$GITHUB_PAT_STEP2" ]; then
        PAT=$(cat "$GITHUB_PAT_FILE" 2>/dev/null | tr -d '[:space:]')
        if [ -n "$PAT" ]; then
            local OPEN_PRS
    OPEN_PRS=$(curl -sf "https://api.github.com/repos/$GITHUB_REPO/pulls?state=open&per_page=100" \
-                -H "Authorization: token $PAT" 2>/dev/null || echo "[]")
+        -H "Authorization: token $GITHUB_PAT_STEP2" 2>/dev/null || echo "[]")
    echo "$OPEN_PRS" | python3 -c "
 import sys, json
 prs = json.load(sys.stdin)
 for pr in prs:
    head = pr.get('head', {})
    # Only process fork PRs (repo differs from base repo)
    base_repo = pr.get('base', {}).get('repo', {}).get('full_name', '')
    head_repo = head.get('repo', {}) or {}
    head_full = head_repo.get('full_name', '')
@ -100,24 +67,23 @@ for pr in prs:
        print(f\"{pr['number']} {head.get('ref', '')} {head.get('sha', '')}\")
 " 2>/dev/null | while read pr_num branch_name head_sha; do
        if [ -z "$pr_num" ] || [ -z "$branch_name" ]; then continue; fi
-                local PR_BRANCH="gh-pr-${pr_num}/${branch_name}"
+        PR_BRANCH="gh-pr-${pr_num}/${branch_name}"
-                local EXISTING
+        # Check if we already have this ref at the right SHA
        EXISTING=$(git rev-parse "refs/heads/$PR_BRANCH" 2>/dev/null || true)
        if [ "$EXISTING" = "$head_sha" ]; then continue; fi
        # Fetch the PR ref and create a local branch
        git fetch origin "refs/pull/${pr_num}/head:refs/heads/$PR_BRANCH" >> "$LOG" 2>&1 && \
            log "Fetched fork PR #$pr_num -> $PR_BRANCH" || \
            log "WARN: Failed to fetch fork PR #$pr_num"
    done
-        fi
+fi
    fi
-    # Step 2.5: GitHub main -> Forgejo main (ff-only)
+# Step 2.5: GitHub main -> Forgejo main (ff-only)
-    # If a PR was merged on GitHub, GitHub main is ahead of Forgejo main.
+# If a PR was merged on GitHub, GitHub main is ahead of Forgejo main.
-    # Fast-forward Forgejo main to match — safe because ff-only guarantees no divergence.
+# Fast-forward Forgejo main to match — safe because ff-only guarantees no divergence.
-    local GITHUB_MAIN_FF FORGEJO_MAIN_FF
+GITHUB_MAIN_FF=$(git rev-parse refs/remotes/origin/main 2>/dev/null || true)
-    GITHUB_MAIN_FF=$(git rev-parse refs/remotes/origin/main 2>/dev/null || true)
+FORGEJO_MAIN_FF=$(git rev-parse refs/remotes/forgejo/main 2>/dev/null || true)
-    FORGEJO_MAIN_FF=$(git rev-parse refs/remotes/forgejo/main 2>/dev/null || true)
+if [ -n "$GITHUB_MAIN_FF" ] && [ -n "$FORGEJO_MAIN_FF" ]; then
    if [ -n "$GITHUB_MAIN_FF" ] && [ -n "$FORGEJO_MAIN_FF" ]; then
    if [ "$GITHUB_MAIN_FF" != "$FORGEJO_MAIN_FF" ]; then
        if git merge-base --is-ancestor "$FORGEJO_MAIN_FF" "$GITHUB_MAIN_FF"; then
            log "GitHub main ($GITHUB_MAIN_FF) ahead of Forgejo main ($FORGEJO_MAIN_FF) — fast-forwarding"
@ -126,83 +92,50 @@ for pr in prs:
                log "WARN: Failed to fast-forward Forgejo main"
        fi
    fi
-    fi
+fi
-    # Step 3: Forgejo -> GitHub (primary direction)
+# Step 3: Forgejo -> GitHub (primary direction)
-    log "Syncing Forgejo -> GitHub..."
+# Update local refs from Forgejo remote refs using process substitution (avoids subshell)
-    while read branch; do
+log "Syncing Forgejo -> GitHub..."
 while read branch; do
    [ "$branch" = "HEAD" ] && continue
    git update-ref "refs/heads/$branch" "refs/remotes/forgejo/$branch" 2>/dev/null || \
        log "WARN: Failed to update ref $branch"
-    done < <(git for-each-ref --format="%(refname:lstrip=3)" refs/remotes/forgejo/)
+done < <(git for-each-ref --format="%(refname:lstrip=3)" refs/remotes/forgejo/)
-    # Safety: verify Forgejo main descends from GitHub main before force-pushing
+# Safety: verify Forgejo main descends from GitHub main before force-pushing
-    local GITHUB_MAIN FORGEJO_MAIN PUSH_MAIN
+GITHUB_MAIN=$(git rev-parse refs/remotes/origin/main 2>/dev/null || true)
-    GITHUB_MAIN=$(git rev-parse refs/remotes/origin/main 2>/dev/null || true)
+FORGEJO_MAIN=$(git rev-parse refs/remotes/forgejo/main 2>/dev/null || true)
-    FORGEJO_MAIN=$(git rev-parse refs/remotes/forgejo/main 2>/dev/null || true)
+PUSH_MAIN=true
-    PUSH_MAIN=true
+if [ -n "$GITHUB_MAIN" ] && [ -n "$FORGEJO_MAIN" ]; then
    if [ -n "$GITHUB_MAIN" ] && [ -n "$FORGEJO_MAIN" ]; then
    if ! git merge-base --is-ancestor "$GITHUB_MAIN" "$FORGEJO_MAIN"; then
        log "CRITICAL: Forgejo main is NOT a descendant of GitHub main — skipping main push"
        log "CRITICAL: GitHub main: $GITHUB_MAIN, Forgejo main: $FORGEJO_MAIN"
        PUSH_MAIN=false
    fi
-    fi
+fi
-    if [ "$MODE" = "main_only" ]; then
+if [ "$PUSH_MAIN" = true ]; then
        # Infra-style mirror: push main + tags ONLY. Pre-review agent branches
        # (epimetheus/*, ganymede/*, etc.) carry internal context — agent UUIDs,
        # in-flight discussion, WIP — and must not land in the public GitHub
        # history. (Ganymede review, finding #1.)
        if [ "$PUSH_MAIN" = true ]; then
            git push origin --force "refs/heads/main:refs/heads/main" >> "$LOG" 2>&1 || \
                log "WARN: main push to GitHub failed"
        fi
    else
        # Bidirectional mirror (codex): push all branches so external
        # contributors can fork from any branch, not just main.
        if [ "$PUSH_MAIN" = true ]; then
    git push origin --all --force >> "$LOG" 2>&1 || log "WARN: Push to GitHub failed"
-        else
+else
-            # Push all branches except main when main is divergent
+    # Push all branches except main
    while read branch; do
        [ "$branch" = "main" ] && continue
        [ "$branch" = "HEAD" ] && continue
        git push origin --force "refs/heads/$branch:refs/heads/$branch" >> "$LOG" 2>&1 || \
            log "WARN: Failed to push $branch to GitHub"
    done < <(git for-each-ref --format="%(refname:lstrip=2)" refs/heads/)
-        fi
+fi
-    fi
+git push origin --tags --force >> "$LOG" 2>&1 || log "WARN: Tag push to GitHub failed"
    git push origin --tags --force >> "$LOG" 2>&1 || log "WARN: Tag push to GitHub failed"
-    # Step 4: GitHub -> Forgejo + Forgejo PR auto-create (bidirectional only)
+# Step 4: GitHub -> Forgejo (external contributions only)
-    if [ "$MODE" = "bidirectional" ]; then
+# Only push branches that exist on GitHub but NOT on Forgejo
-        sync_github_to_forgejo_with_prs
+log "Checking GitHub-only branches..."
-    fi
+GITHUB_ONLY=$(comm -23 \
    # Step 6: Divergence alerting (applies to both modes)
    check_divergence
 }
 # ─────────────────────────────────────────────────────────────────────────────
 # Step 4 split out: codex-specific GitHub→Forgejo branch push + PR auto-create.
 # Reads FORGEJO_REPO, GITHUB_REPO, PIPELINE_DB, REPO_TAG from sync_repo scope.
 # ─────────────────────────────────────────────────────────────────────────────
 sync_github_to_forgejo_with_prs() {
    log "Checking GitHub-only branches..."
    local FORGEJO_HOST="http://localhost:3000/api/v1/repos/$FORGEJO_REPO"
    local GITHUB_ONLY
    GITHUB_ONLY=$(comm -23 \
    <(git for-each-ref --format="%(refname:lstrip=3)" refs/remotes/origin/ | grep -v HEAD | sort) \
    <(git for-each-ref --format="%(refname:lstrip=3)" refs/remotes/forgejo/ | grep -v HEAD | sort))
-    if [ -z "$GITHUB_ONLY" ]; then
+if [ -n "$GITHUB_ONLY" ]; then
        log "No new GitHub-only branches"
        return 0
    fi
    local FORGEJO_TOKEN
    FORGEJO_TOKEN=$(cat /opt/teleo-eval/secrets/forgejo-admin-token 2>/dev/null)
    for branch in $GITHUB_ONLY; do
        log "New from GitHub: $branch -> Forgejo"
@ -218,21 +151,20 @@ sync_github_to_forgejo_with_prs() {
                continue
            }
        fi
-        # Skip pipeline-internal branch prefixes (no PR creation)
+        # Auto-create PR on Forgejo for mirrored branches (external contributor path)
        # Skip pipeline-internal branches
        case "$branch" in
            extract/*|ingestion/*) continue ;;
        esac
-        if [ -z "$FORGEJO_TOKEN" ]; then continue; fi
+        if [ -n "$FORGEJO_TOKEN" ]; then
            # Check if PR already exists for this branch (open or closed)
            # NOTE: Forgejo ?head= filter is broken (ignores head value, returns all PRs).
            # Workaround: fetch open+closed PRs, pipe to Python, check head.ref.
        local HAS_PR
            HAS_PR=$( {
-            curl -sf "$FORGEJO_HOST/pulls?state=open&limit=50" \
+                curl -sf "http://localhost:3000/api/v1/repos/teleo/teleo-codex/pulls?state=open&limit=50" \
                    -H "Authorization: token $FORGEJO_TOKEN" 2>/dev/null || echo "[]"
                echo ""
-            curl -sf "$FORGEJO_HOST/pulls?state=closed&sort=created&limit=50" \
+                curl -sf "http://localhost:3000/api/v1/repos/teleo/teleo-codex/pulls?state=closed&sort=created&limit=50" \
                    -H "Authorization: token $FORGEJO_TOKEN" 2>/dev/null || echo "[]"
            } | python3 -c "
 import sys, json
@ -247,92 +179,83 @@ for line in sys.stdin:
    except: pass
 print('no')
 " "$branch" 2>/dev/null || echo "no")
-
+            if [ "$HAS_PR" = "no" ]; then
        if [ "$HAS_PR" = "yes" ]; then continue; fi
                # Build PR title — for fork PRs, use the GitHub PR title
        local PR_TITLE PAYLOAD RESULT PR_NUM GH_PR_NUM
                if [[ "$branch" == gh-pr-* ]]; then
            local FORK_GH_NUM PAT_T
                    FORK_GH_NUM=$(echo "$branch" | sed 's|gh-pr-\([0-9]*\)/.*|\1|')
-            PAT_T=$(cat "$GITHUB_PAT_FILE" 2>/dev/null | tr -d '[:space:]')
+                    GITHUB_PAT_T=$(cat "$GITHUB_PAT_FILE" 2>/dev/null | tr -d '[:space:]')
                    PR_TITLE=$(curl -sf "https://api.github.com/repos/$GITHUB_REPO/pulls/$FORK_GH_NUM" \
-                -H "Authorization: token $PAT_T" 2>/dev/null | \
+                        -H "Authorization: token $GITHUB_PAT_T" 2>/dev/null | \
                        python3 -c "import sys,json; print(json.load(sys.stdin).get('title',''))" 2>/dev/null || true)
                    [ -z "$PR_TITLE" ] && PR_TITLE=$(echo "$branch" | sed 's|/|: |;s/-/ /g')
                else
                    PR_TITLE=$(echo "$branch" | sed 's|/|: |;s/-/ /g')
                fi
                PAYLOAD=$(python3 -c "import sys,json; print(json.dumps({'title':sys.argv[1],'head':sys.argv[2],'base':'main'}))" "$PR_TITLE" "$branch")
-        RESULT=$(curl -sf -X POST "$FORGEJO_HOST/pulls" \
+                RESULT=$(curl -sf -X POST "http://localhost:3000/api/v1/repos/teleo/teleo-codex/pulls" \
                    -H "Authorization: token $FORGEJO_TOKEN" \
                    -H "Content-Type: application/json" \
                    -d "$PAYLOAD" 2>/dev/null || echo "")
                PR_NUM=$(echo "$RESULT" | grep -o '"number":[0-9]*' | head -1 | grep -o "[0-9]*" || true)
-        if [ -z "$PR_NUM" ]; then
+                if [ -n "$PR_NUM" ]; then
            log "WARN: Failed to auto-create PR for $branch"
            continue
        fi
                    log "Auto-created PR #$PR_NUM on Forgejo for $branch"
                    # Step 4.5: Link GitHub PR to Forgejo PR in pipeline DB
                    if [[ "$branch" == gh-pr-* ]]; then
                        GH_PR_NUM=$(echo "$branch" | sed 's|gh-pr-\([0-9]*\)/.*|\1|')
                    else
-            local PAT
+                        GITHUB_PAT=$(cat "$GITHUB_PAT_FILE" 2>/dev/null | tr -d '[:space:]')
            PAT=$(cat "$GITHUB_PAT_FILE" 2>/dev/null | tr -d '[:space:]')
                        GH_PR_NUM=""
-            if [ -n "$PAT" ]; then
+                        if [ -n "$GITHUB_PAT" ]; then
                            GH_PR_NUM=$(curl -sf "https://api.github.com/repos/$GITHUB_REPO/pulls?head=living-ip:$branch&state=all" \
-                    -H "Authorization: token $PAT" 2>/dev/null | \
+                                -H "Authorization: token $GITHUB_PAT" 2>/dev/null | \
                                python3 -c "import sys,json; prs=json.load(sys.stdin); print(prs[0]['number'] if prs else '')" 2>/dev/null || true)
                        fi
                    fi
                    if [[ "$GH_PR_NUM" =~ ^[0-9]+$ ]] && [[ "$PR_NUM" =~ ^[0-9]+$ ]]; then
-            sqlite3 "$PIPELINE_DB" "UPDATE prs SET github_pr = $GH_PR_NUM, source_channel = 'github' WHERE number = $PR_NUM;" 2>/dev/null && \
+                        sqlite3 "$PIPELINE_DB" "UPDATE prs SET github_pr = $GH_PR_NUM WHERE number = $PR_NUM;" 2>/dev/null && \
                            log "Linked GitHub PR #$GH_PR_NUM -> Forgejo PR #$PR_NUM" || \
                            log "WARN: Failed to link GitHub PR #$GH_PR_NUM to Forgejo PR #$PR_NUM in DB"
                    fi
                else
                    log "WARN: Failed to auto-create PR for $branch"
                fi
            fi
        fi
    done
-}
+else
    log "No new GitHub-only branches"
 fi
 # Step 6: Divergence alerting
 # After all sync steps, check if GitHub and Forgejo main still differ.
 # 2 consecutive divergent cycles (4 min) triggers a one-shot Telegram alert.
 DIVERGENCE_FILE="/opt/teleo-eval/logs/.divergence-count"
 git fetch forgejo main --quiet 2>/dev/null || true
 git fetch origin main --quiet 2>/dev/null || true
 GH_MAIN_FINAL=$(git rev-parse refs/remotes/origin/main 2>/dev/null || true)
 FG_MAIN_FINAL=$(git rev-parse refs/remotes/forgejo/main 2>/dev/null || true)
-# ─────────────────────────────────────────────────────────────────────────────
+if [ -n "$GH_MAIN_FINAL" ] && [ -n "$FG_MAIN_FINAL" ] && [ "$GH_MAIN_FINAL" != "$FG_MAIN_FINAL" ]; then
 # Step 6 split out: divergence alerting. Per-repo state file so each repo
 # has its own divergence counter and alert state.
 # ─────────────────────────────────────────────────────────────────────────────
 check_divergence() {
    local DIVERGENCE_FILE="/opt/teleo-eval/logs/.divergence-count.${REPO_TAG}"
    git fetch forgejo main --quiet 2>/dev/null || true
    git fetch origin main --quiet 2>/dev/null || true
    local GH_MAIN_FINAL FG_MAIN_FINAL
    GH_MAIN_FINAL=$(git rev-parse refs/remotes/origin/main 2>/dev/null || true)
    FG_MAIN_FINAL=$(git rev-parse refs/remotes/forgejo/main 2>/dev/null || true)
    if [ -n "$GH_MAIN_FINAL" ] && [ -n "$FG_MAIN_FINAL" ] && [ "$GH_MAIN_FINAL" != "$FG_MAIN_FINAL" ]; then
        local PREV
    PREV=$(cat "$DIVERGENCE_FILE" 2>/dev/null || echo "0")
    if [ "$PREV" = "alerted" ]; then
        log "DIVERGENCE: still diverged (already alerted)"
    else
-            local COUNT=$((PREV + 1))
+        COUNT=$((PREV + 1))
        echo "$COUNT" > "$DIVERGENCE_FILE"
        log "DIVERGENCE: cycle $COUNT — GitHub=$GH_MAIN_FINAL Forgejo=$FG_MAIN_FINAL"
        if [ "$COUNT" -ge 2 ]; then
                local BOT_TOKEN ADMIN_CHAT
            BOT_TOKEN=$(cat /opt/teleo-eval/secrets/telegram-bot-token 2>/dev/null || true)
            ADMIN_CHAT=$(cat /opt/teleo-eval/secrets/admin-chat-id 2>/dev/null || true)
            if [ -n "$BOT_TOKEN" ] && [ -n "$ADMIN_CHAT" ]; then
                    local ALERT_MSG
                ALERT_MSG=$(python3 -c "
 import json, sys
-msg = '⚠️ Mirror divergence detected (' + sys.argv[5] + ')\\n\\n'
+msg = '⚠️ Mirror divergence detected\\n\\n'
 msg += f'GitHub main: {sys.argv[1][:8]}\\n'
 msg += f'Forgejo main: {sys.argv[2][:8]}\\n'
 msg += f'Diverged for {sys.argv[3]} consecutive cycles ({int(sys.argv[3])*2} min)\\n\\n'
 msg += 'Check sync-mirror.sh logs: /opt/teleo-eval/logs/sync.log'
 print(json.dumps({'chat_id': sys.argv[4], 'text': msg, 'parse_mode': 'HTML'}))
-" "$GH_MAIN_FINAL" "$FG_MAIN_FINAL" "$COUNT" "$ADMIN_CHAT" "$REPO_TAG")
+" "$GH_MAIN_FINAL" "$FG_MAIN_FINAL" "$COUNT" "$ADMIN_CHAT")
                if curl -sf -X POST "https://api.telegram.org/bot${BOT_TOKEN}/sendMessage" \
                    -H "Content-Type: application/json" \
                    -d "$ALERT_MSG" >> "$LOG" 2>&1; then
@ -346,60 +269,14 @@ print(json.dumps({'chat_id': sys.argv[4], 'text': msg, 'parse_mode': 'HTML'}))
            fi
        fi
    fi
-    else
+else
    if [ -f "$DIVERGENCE_FILE" ]; then
            local PREV
        PREV=$(cat "$DIVERGENCE_FILE" 2>/dev/null || echo "0")
        if [ "$PREV" != "0" ]; then
            log "DIVERGENCE: resolved — repos back in sync"
        fi
        rm -f "$DIVERGENCE_FILE"
    fi
    fi
 }
 # ─────────────────────────────────────────────────────────────────────────────
 # Main: process each configured mirror in sequence.
 # A failure on one repo doesn't block subsequent repos — sync_repo returns 0
 # on most error paths to keep the loop going.
 # ─────────────────────────────────────────────────────────────────────────────
 REPO_TAG="main"
 log "Starting sync cycle"
 # Step 0: self-heal any gh-pr-* PR rows missing github_pr.
 # Runs FIRST — before per-repo work (branch-mirror loop, auto-create-PR block).
 # Recovers from races/transient failures in Step 4.5's one-shot link UPDATE.
 # Idempotent: SELECT empty when clean, zero-cost path. Same SELECT/UPDATE
 # heals historical orphans (PR 4066 picked up on first cron tick post-deploy)
 # and future races on subsequent ticks. The branch name encodes the GitHub PR
 # number deterministically (gh-pr-{N}/...) so no API call is required.
 if [ -f "$PIPELINE_DB" ]; then
    sqlite3 -separator '|' "$PIPELINE_DB" \
        "SELECT number, branch FROM prs WHERE branch LIKE 'gh-pr-%' AND github_pr IS NULL;" \
        2>/dev/null | while IFS='|' read -r pr_num branch; do
        # Regex requires >=1 digit — empty/non-numeric branches fail to parse here,
        # not just at the empty-guard below. Keeps SQL-integer-safety load-bearing
        # on the regex alone. [0-9][0-9]* is the portable BRE form of [0-9]+,
        # works on both GNU sed (VPS) and BSD sed (dev macs).
        gh_pr_num=$(echo "$branch" | sed -n 's|^gh-pr-\([0-9][0-9]*\)/.*|\1|p')
        [ -z "$gh_pr_num" ] && continue
        # Both interpolated values are integer-validated upstream (pr_num from
        # INTEGER `number` column, gh_pr_num from regex above). No parametric
        # binding available in bash sqlite3 — safety relies on those invariants.
        if sqlite3 "$PIPELINE_DB" \
            "UPDATE prs SET github_pr = $gh_pr_num, source_channel = 'github' WHERE number = $pr_num;" \
            2>/dev/null; then
            log "self-heal: linked Forgejo PR #$pr_num -> GitHub PR #$gh_pr_num"
        fi
    done
 fi
-for entry in "${MIRROR_REPOS[@]}"; do
+log "Sync complete"
    # Read the 4 fields. `read` splits on $IFS (whitespace) by default.
    read -r forgejo_repo github_repo bare_path mode <<< "$entry"
    sync_repo "$forgejo_repo" "$github_repo" "$bare_path" "$mode"
 done
 REPO_TAG="main"
 log "Sync cycle complete"
--- a/lib/config.py
+++ b/lib/config.py
@ -84,14 +84,6 @@ MAX_EXTRACT_WORKERS = int(os.environ.get("MAX_EXTRACT_WORKERS", "5"))
 MAX_EVAL_WORKERS = int(os.environ.get("MAX_EVAL_WORKERS", "7"))
 MAX_MERGE_WORKERS = 1  # domain-serialized, but one merge at a time per domain
 # --- External GitHub PR merge strategy ---
 # When True, gh-pr-N/* branches merge with --no-ff (preserves contributor SHA in
 # main's history → GitHub recognizes "merged" badge). When False, fall back to
 # cherry-pick (the default for all other branches). Default True; flip to False
 # as an emergency backout if the no-ff path destabilizes merge throughput.
 # Phase 2 of external contributor merge flow (Ship architecture review Apr 28).
 EXTERNAL_PR_NO_FF_MERGE = True
 # --- Timeouts (seconds) ---
 EXTRACT_TIMEOUT = 600  # 10 min
 EVAL_TIMEOUT = 120  # 2 min — routine Sonnet/Gemini Flash calls (was 600, caused 10-min stalls)
--- a/lib/merge.py
+++ b/lib/merge.py
@ -429,171 +429,6 @@ async def _cherry_pick_onto_main(branch: str) -> tuple[bool, str]:
            await _git("branch", "-D", clean_branch)
 _GH_PR_BRANCH_RE = re.compile(r"^gh-pr-(\d+)/(.+)$")
 async def _merge_no_ff_external(branch: str) -> tuple[bool, str]:
    """Merge an external GitHub fork PR with --no-ff so contributor SHA lands in main.
    Why this differs from _cherry_pick_onto_main:
    - Cherry-pick rewrites the contributor's commit SHA → GitHub's "is PR head SHA
      an ancestor of main?" check returns false → "merged" badge never fires.
    - --no-ff preserves the contributor's commit SHA as a parent of the merge
      commit. After ff-push to main (the existing dispatch step), GitHub sees
      the SHA in ancestry and marks the PR merged.
    Mechanics:
    1. Fetch origin/main + origin/{branch}
    2. Worktree on local branch _merged-{slug} from origin/main
    3. git merge --no-ff origin/{branch} with verbose message:
       "Merge external GitHub PR #{N}: {branch_slug}"
    4. Push merge commit to origin/_merged/{branch} (synthetic audit ref)
    5. ff-push merge_sha → origin/main directly (function owns the push, NOT
       dispatch — see sentinel return below)
    The merge commit M has parents [main_sha, branch_sha]. M is a fast-forward
    descendant of main_sha (via first-parent chain), so the push to main
    works without --force.
    Synthetic branch (Ship review Apr 28): we deliberately do NOT force-push
    the contributor's gh-pr-N/* branch. Force-pushing it would rewrite the
    branch tip with a merge commit the contributor didn't author, showing as
    a confusing bot force-push in Forgejo's PR UI. The synthetic _merged/*
    audit ref lets us track the merge commit without touching the contributor's
    branch. Mirrors the _clean/* synthetic branch pattern in cherry-pick.
    Sentinel return: function pushes merge_sha → main itself (dispatch's ff-push
    can't, since origin/{branch} is unchanged and not a descendant of main).
    Returns a "merged --no-ff" sentinel string that dispatch detects to skip
    its ff-push step and route directly to PR-close + mark_merged + audit.
    The full 40-char merge SHA is in the return string for dispatch to extract.
    Conflict handling: same auto-resolve pattern as cherry-pick — entity-only
    conflicts take main's version (--ours = current worktree HEAD = main),
    other conflicts abort and return False with detail.
    Phase 2 of external contributor merge flow (Ship architecture review Apr 28).
    """
    m = _GH_PR_BRANCH_RE.match(branch)
    if not m:
        return False, f"branch {branch} doesn't match gh-pr-N/* format"
    gh_pr_num = m.group(1)
    branch_slug = m.group(2)
    slug = branch.replace("/", "-")
    worktree_path = f"/tmp/teleo-merge-{slug}"
    local_branch = f"_merged-{slug}"  # local working branch in worktree
    audit_ref = f"_merged/{branch}"   # remote synthetic ref (preserves hierarchy)
    # Fetch latest state — separate calls (long branch names break combined refspec)
    rc, out = await _git("fetch", "origin", "main", timeout=15)
    if rc != 0:
        return False, f"fetch main failed: {out}"
    rc, out = await _git("fetch", "origin", branch, timeout=15)
    if rc != 0:
        return False, f"fetch branch failed: {out}"
    # Up-to-date check (mirrors cherry-pick path semantics)
    rc, merge_base = await _git("merge-base", "origin/main", f"origin/{branch}")
    rc2, main_sha = await _git("rev-parse", "origin/main")
    if rc == 0 and rc2 == 0 and merge_base.strip() == main_sha.strip():
        rc_diff, diff_out = await _git(
            "diff", "--stat", f"origin/main..origin/{branch}", timeout=10,
        )
        if rc_diff != 0 or not diff_out.strip():
            return True, "already up to date"
        logger.info("External PR branch %s is descendant of main but has new content — proceeding", branch)
    async with _bare_repo_lock:
        # Clean up any stale local branch from a prior failed run
        await _git("branch", "-D", local_branch)
        rc, out = await _git("worktree", "add", "-b", local_branch, worktree_path, "origin/main")
    if rc != 0:
        return False, f"worktree add failed: {out}"
    try:
        merge_msg = f"Merge external GitHub PR #{gh_pr_num}: {branch_slug}"
        rc, out = await _git(
            "merge", "--no-ff", f"origin/{branch}",
            "-m", merge_msg,
            cwd=worktree_path, timeout=60,
        )
        if rc != 0:
            # Identify conflicts
            rc_ls, conflicting = await _git(
                "diff", "--name-only", "--diff-filter=U", cwd=worktree_path,
            )
            conflict_files = [
                f.strip() for f in conflicting.split("\n") if f.strip()
            ] if rc_ls == 0 else []
            if conflict_files and all(f.startswith("entities/") for f in conflict_files):
                # Entity-only conflicts: take main's version (entities are recoverable)
                # In merge: --ours = branch we're ON (worktree HEAD = main)
                #          --theirs = branch merging in (origin/{branch})
                for cf in conflict_files:
                    await _git("checkout", "--ours", cf, cwd=worktree_path)
                    await _git("add", cf, cwd=worktree_path)
                # Complete the merge using the prepared MERGE_MSG (no editor)
                rc_cont, cont_out = await _git(
                    "-c", "core.editor=true",
                    "commit", "--no-edit",
                    cwd=worktree_path, timeout=60,
                )
                if rc_cont != 0:
                    await _git("merge", "--abort", cwd=worktree_path)
                    return False, f"merge entity resolution failed for PR #{gh_pr_num}: {cont_out}"
                logger.info(
                    "External PR #%s merge: entity conflict auto-resolved (dropped %s)",
                    gh_pr_num, ", ".join(sorted(conflict_files)),
                )
            else:
                conflict_detail = ", ".join(conflict_files) if conflict_files else out[:200]
                await _git("merge", "--abort", cwd=worktree_path)
                return False, f"merge conflict on PR #{gh_pr_num}: {conflict_detail}"
        # Capture the merge commit SHA before any pushes
        rc, merge_sha = await _git("rev-parse", "HEAD", cwd=worktree_path)
        if rc != 0:
            return False, f"rev-parse merge HEAD failed: {merge_sha}"
        merge_sha = merge_sha.strip().split("\n")[0]
        # Push to synthetic audit ref _merged/{branch} (does not touch contributor's
        # gh-pr-N/* branch). Plain --force: the audit ref is bot-owned and per-PR;
        # if a prior aborted attempt left a stale ref, overwriting it is the
        # intended behavior, and there's no concurrent writer to lease against.
        rc, out = await _git(
            "push", "--force", "origin", f"HEAD:refs/heads/{audit_ref}",
            cwd=worktree_path, timeout=30,
        )
        if rc != 0:
            return False, f"push to audit ref {audit_ref} failed: {out}"
        # ff-push the merge commit to main. This is a true fast-forward (M is a
        # descendant of origin/main via its first parent), so no --force needed.
        # Forgejo's branch protection allows ff-push to main from authorized users.
        rc, out = await _git(
            "push", "origin", f"{merge_sha}:main",
            cwd=worktree_path, timeout=30,
        )
        if rc != 0:
            # Roll back audit ref if main push failed — keeps state consistent.
            await _git("push", "--delete", "origin", f"refs/heads/{audit_ref}",
                       cwd=worktree_path, timeout=15)
            return False, f"ff-push to main failed: {out}"
        # Sentinel return: "merged --no-ff" prefix triggers dispatch's external-PR
        # close path (skips ff-push, does PR-close + mark_merged + audit).
        # Full 40-char merge SHA in the message so dispatch can parse it for audit.
        return True, f"merged --no-ff (external PR #{gh_pr_num}, M={merge_sha}, audit_ref={audit_ref})"
    finally:
        async with _bare_repo_lock:
            await _git("worktree", "remove", "--force", worktree_path)
            await _git("branch", "-D", local_branch)
 from .frontmatter import (
    REWEAVE_EDGE_FIELDS,
    parse_yaml_frontmatter,
@ -898,12 +733,6 @@ async def _merge_domain_queue(conn, domain: str) -> tuple[int, int]:
                # (Ganymede: manifest approach, Theseus: superset assertion + order-preserving dedup)
                if branch.startswith("reweave/"):
                    merge_fn = _merge_reweave_pr(branch)
                elif branch.startswith("gh-pr-") and config.EXTERNAL_PR_NO_FF_MERGE:
                    # External GitHub fork PRs: --no-ff merge so contributor SHA lands
                    # in main's history → GitHub recognizes "merged" badge.
                    # Backout via config.EXTERNAL_PR_NO_FF_MERGE = False (falls back to cherry-pick).
                    # Phase 2 of external contributor merge flow (Ship architecture review Apr 28).
                    merge_fn = _merge_no_ff_external(branch)
                else:
                    # Extraction commits ADD new files — cherry-pick applies cleanly.
                    merge_fn = _cherry_pick_onto_main(branch)
@ -957,58 +786,6 @@ async def _merge_domain_queue(conn, domain: str) -> tuple[int, int]:
                succeeded += 1
                continue
            # External GitHub PR (gh-pr-*): _merge_no_ff_external already pushed
            # the merge commit to origin/main + the synthetic _merged/{branch}
            # audit ref. Skip dispatch's ff-push (would fail — origin/{branch} is
            # the contributor's untouched branch, not a descendant of main).
            # Just close PR + mark_merged + audit, parsing merge SHA from sentinel.
            if pick_msg.startswith("merged --no-ff"):
                m = re.search(r"M=([a-f0-9]{40})", pick_msg)
                merge_sha = m.group(1) if m else None
                m_ref = re.search(r"audit_ref=(\S+?)\)", pick_msg)
                audit_ref = m_ref.group(1) if m_ref else None
                m_pr = re.search(r"external PR #(\d+)", pick_msg)
                gh_pr_num = m_pr.group(1) if m_pr else None
                # Surface drift between dispatch and _merge_no_ff_external if the
                # success-message contract changes. Merge already succeeded; this
                # is signal-only, not a gate on the close path.
                if not (m and m_ref and m_pr):
                    logger.warning(
                        "PR #%d sentinel parse incomplete: M=%s, audit_ref=%s, gh_pr=%s, msg=%r",
                        pr_num, bool(m), bool(m_ref), bool(m_pr), pick_msg,
                    )
                leo_token = get_agent_token("leo")
                comment_body = (
                    f"Merged via --no-ff into main.\n"
                    f"Merge commit: `{merge_sha}`\n"
                    f"Audit ref: `{audit_ref}`\n"
                    f"Branch: `{branch}` (preserved unchanged)"
                )
                await forgejo_api("POST", repo_path(f"issues/{pr_num}/comments"),
                                  {"body": comment_body})
                result = await forgejo_api("PATCH", repo_path(f"pulls/{pr_num}"),
                                           {"state": "closed"}, token=leo_token)
                if result is None:
                    logger.error("PR #%d: Forgejo close failed (no-ff path), skipping DB update", pr_num)
                    failed += 1
                    continue
                mark_merged(conn, pr_num)
                db.audit(conn, "merge", "merged", json.dumps({
                    "pr": pr_num, "branch": branch, "method": "no-ff",
                    "merge_commit_sha": merge_sha,
                    "audit_ref": audit_ref,
                    "github_pr": gh_pr_num,
                }))
                # NOTE: do NOT _delete_remote_branch(branch) here. The contributor's
                # gh-pr-N/* branch is the mirror of their fork PR head — leaving it
                # in place lets sync-mirror keep the GitHub PR <-> Forgejo PR link
                # observable. The synthetic _merged/{branch} ref carries the merge.
                logger.info("PR #%d merged via --no-ff (M=%s)", pr_num,
                            merge_sha[:8] if merge_sha else "?")
                succeeded += 1
                continue
            # Local ff-push: cherry-picked branch is a descendant of origin/main.
            # Regular push = fast-forward. Non-ff rejected by default (same safety).
            # --force-with-lease removed: Forgejo categorically blocks it on protected branches.